25 Oracle Directory Integration and Provisioning

This chapter describes the issues associated with Oracle Directory Integration and Provisioning. It includes the following topics:

• Section 25.1, "Configuration Issues and Workarounds"

• Section 25.2, "Administration Issues and Workarounds"

25.1 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds for Oracle Directory Integration and Provisioning. It includes the following topics:

• Section 25.1.1, "Two Oracle Internet Directory Plug-in Features Are not Supported after Upgrade to Oracle Internet Directory 10g Release 2 (10.1.2)"

25.1.1 Two Oracle Internet Directory Plug-in Features Are not Supported after Upgrade to Oracle Internet Directory 10g Release 2 (10.1.2)

In Oracle Application Server 10g Release 2 (10.1.2), the following plug-in features are not supported if Oracle Internet Directory is running against Oracle9i Database Server Release 9.2:

• Microsoft Windows NT Domain external authentication plug-in.

• The simple_bind_s() function of LDAP_PLUGIN package provided as the OID PL/SQL PLUGIN API for connecting back to the directory server as part of plug-in definitions.

25.2 Administration Issues and Workarounds

This section describes administration issues and their workarounds for Oracle Directory Integration and Provisioning. It includes the following topics:

• Section 25.2.1, "Default Mapping Rule Can Be Simplified in Single-Domain Microsoft Active Directory Deployments"

• Section 25.2.2, "Directory Integration and Provisioning Assistant Does not Support SSL Mode 2"

• Section 25.2.3, "Shell Script-based Profile Configuration Tools Are Being Deprecated"

• Section 25.2.4, "In a High Availability Environment Using Multimaster Replication, Provisioning Events May not Be Propagated or May Be Duplicated"

• Section 25.2.5, "The Oracle Directory Integration and Provisioning Server May not Shut Down if It Is Stopped and Immediately Restarted"

• Section 25.2.6, "Oracle Directory Integration and Provisioning Server Not Sending Provisioning Events Due to Purged Change Log Entries"

25.2.1 Default Mapping Rule Can Be Simplified in Single-Domain Microsoft Active Directory Deployments

In deployments with only a single domain of Microsoft Active Directory, you can simplify the default mapping rule installed with Oracle Directory Integration and Provisioning.

The default mapping rule is:

sAMAccountName,userPrincipalName: :
:user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname

If your deployment has a single domain of Active Directory, then you can simplify the default mapping rule to this:

sAMAccountName: : :user:orclSAMAccountName::orclADUser

25.2.2 Directory Integration and Provisioning Assistant Does not Support SSL Mode 2

In 10g Release 2 (10.1.2), you can use the Directory Integration and Provisioning Assistant with either a non-SSL connection or an SSL connection with no authentication, namely SSL Mode 1, which provides encryption on the connection. You cannot use the Assistant with SSL mode 2 in which one-way (server only) SSL authentication is required.

25.2.3 Shell Script-based Profile Configuration Tools Are Being Deprecated

Shell script-based profile configuration tools ldapcreateConn.sh, ldapdeleteConn.sh, and ldapUploadAgentFile.sh are being deprecated as of 10g Release 2 (10.1.2).Oracle recommends that you use the Java-based Oracle Directory Integration and Provisioning Server Administration tool for configuring profiles.

25.2.4 In a High Availability Environment Using Multimaster Replication, Provisioning Events May not Be Propagated or May Be Duplicated

In multimaster replication, the last change number is stored locally on an Oracle Internet Directory node. In a high availability environment, if that node fails, and the provisioning profile is moved to another Oracle Internet Directory node, then the last applied change number in the profile becomes invalid. That number in the profile must then be reset manually on the failover node. Even then, however, events may not be propagated or may be duplicated.

25.2.5 The Oracle Directory Integration and Provisioning Server May not Shut Down if It Is Stopped and Immediately Restarted

To determine whether to shut down, the Oracle Directory Integration and Provisioning server polls the registration entry stored under cn=odisrv,cn=subregistrysubentry. It does this every 30 seconds. If you stop, then restart, the server within 30 seconds, then the old server instance may not shut down before the new instance starts. To alleviate this, wait for 30 seconds before restarting the server.

25.2.6 Oracle Directory Integration and Provisioning Server Not Sending Provisioning Events Due to Purged Change Log Entries

If you use time-based change log purging with version 3.0 provisioning profiles, change logs entries are purged before the Oracle directory integration and provisioning server propagates the changes to any provisioning-integrated applications. This occurs because Oracle Directory Integration and Provisioning does not create version 3.0 provisioning profile entries in the default cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory change log subscriber container.

To resolve this problem, create a container in the default change log subscriber container for each version 3.0 provisioning profile and assign a value of 0 to each profile's orclLastAppliedChangeNumber attribute. The following sample LDIF file creates a provisioning profile container in the default change log subscriber container and assigns a value of 0 to the orclLastAppliedChangeNumber attribute:

dn: cn=profile_name,cn=changelog subscriber,cn=oracle internet directory
orclsubscriberdisable: 0
orcllastappliedchangenumber: 0
objectclass: orclChangeSubscriber