Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for HP-UX PA-RISC (64-bit) B15511-05
This chapter describes issues for both the Oracle Delegated Administration Services (DAS) and the Oracle Internet Directory Self-Service Console. It includes the following topics:
This section describes general issues and their workarounds for Oracle Delegated Administration Services. It includes the following topics:
Oracle Internet Directory 10g Release 2 (10.1.2) enables you to establish a password policy in which users are prompted to change their passwords after initial login. If such a password policy is set, then users must change their passwords by using the Oracle Internet Directory Self-Service Console Password Change screen. Using other mechanisms may not satisfy the password change requirement, and users may be prompted to change their password the next time they log in as well.
In Releases 9.0.2 and 9.0.4, and in 10.1.2 upgrades, only the orcladmin user can edit realm values. Other users, even those with Oracle Delegated Administration Services configuration privileges, cannot edit them, because they do not have sufficient privileges to read the User Search Base, User Creation Base, Group Search Base, and Group Creation Base. The workaround is to modify the ACLs on these containers to enable anonymous browse access.
A role should contain at least one unique member, so that it is displayed in the Role Assignment section of the Create User page and the Edit User page.
To add a unique member to a role, the syntax of the LDIF file is:
dn: DN_of_role_entry
changetype: modify
add: uniquemember
uniquemember: DN_of_member_entry
Issue this command to apply the LDIF file to the directory:
ldapmodify -p oid_port -h oid_host -D "cn=orcladmin" -w admin_password -v -f file_name.ldif
This section describes configuration issues and their workarounds for Oracle Delegated Administration Services. It includes the following topic:
To configure Oracle Delegated Administration Services in a separate Oracle Home, you perform a standalone installation of it. To do this, select the Identity Management installation type, and, on the Configuration Options screen, select Delegated Administration Services.
Perform the following step to make Oracle Delegated Administration Services 10g Release 2 (10.1.2) work against an installation of Oracle Internet Directory that has been upgraded from Release 9.2 to Release 9.0.4.
Modify the ACL on the containers cn=users,realm_DN and cn=groups,realm_DN to allow anonymous browse access.
This section describes administration issues and their workarounds for Oracle Delegated Administration Services. It includes the following topic:
User entries in Oracle Internet Directory that do not belong to the inetOrgPerson object class will not appear in the Oracle Internet Directory Self-Service Console. You can assign user entries to an object class by using Oracle Directory Manager or the ldapmodify command.
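The two ldapmodify workarounds in these notes (adding a uniquemember to a role, and adding the inetOrgPerson object class to a user entry) are both "changetype: modify" records. The following script, added here as an illustration and not part of the Oracle release notes, builds those records with RFC 2849 value encoding (so DNs with non-ASCII characters are base64-encoded rather than written corrupt) and assembles the ldapmodify argument list from the notes; the DNs are constructed sample values.

```python
import base64
import re

# Constructed sample DNs for the demonstration; replace with entries in your realm.
ROLE_DN = "cn=PortalAdmins,cn=groups,dc=example,dc=com"
MEMBER_DN = "cn=jdoe,cn=users,dc=example,dc=com"

# RFC 2849: 'attr: value' is only valid for a SAFE-STRING (no leading space, ':'
# or '<'; no NUL, CR, LF or non-ASCII). Anything else is written 'attr:: base64'.
_SAFE_INIT = re.compile(r"^[^ :<]")
_SAFE_BODY = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x7f]*$")


def ldif_line(attr, value):
    """One LDIF attribute line, base64-encoding the value when RFC 2849 requires it."""
    if not value or (_SAFE_INIT.match(value) and _SAFE_BODY.match(value)):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def add_values_ldif(entry_dn, attr, values):
    """'changetype: modify' record that adds values to one attribute of entry_dn."""
    lines = [ldif_line("dn", entry_dn), "changetype: modify", f"add: {attr}"]
    lines += [ldif_line(attr, v) for v in values]
    return "\n".join(lines) + "\n-\n"  # '-' terminates the mod-spec (RFC 2849)


def role_member_ldif(role_dn, member_dn):
    """Workaround for a role with no unique member (hidden in Role Assignment)."""
    return add_values_ldif(role_dn, "uniquemember", [member_dn])


def inetorgperson_ldif(user_dn):
    """Workaround for a user entry missing from the Self-Service Console.
    The entry must already hold inetOrgPerson's mandatory attributes (cn, sn);
    the add is rejected if the object class is already present."""
    return add_values_ldif(user_dn, "objectclass", ["inetOrgPerson"])


def ldapmodify_argv(host, port, admin_password, ldif_path, bind_dn="cn=orcladmin"):
    """Argument list for the ldapmodify call in the notes (no shell quoting of the DN)."""
    return ["ldapmodify", "-p", str(port), "-h", host, "-D", bind_dn,
            "-w", admin_password, "-v", "-f", ldif_path]


if __name__ == "__main__":
    with open("add_member.ldif", "w", encoding="utf-8") as fh:
        fh.write(role_member_ldif(ROLE_DN, MEMBER_DN))
    print(role_member_ldif(ROLE_DN, MEMBER_DN))
    print(" ".join(ldapmodify_argv("oid_host", 389, "admin_password", "add_member.ldif")))
```

Because -w puts the password on the command line, other local users can read it from the process list while ldapmodify runs.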
See Also: The Oracle Internet Directory Administrator's Guide for information on how to use Oracle Directory Manager and the ldapmodify command
Assignment of roles to users and groups, and revocation of those roles, are enforced only when a new Self-Service Console session is created. After assigning or revoking roles, log out of the Console, then log back in.
When Oracle Collaboration Suite users use the Self-Service Console to change their passwords, the field name associated with their voicemail PIN is incorrectly displayed as 'EmailServerContainer'. To solve this problem:
Use Oracle Directory Manager to navigate to the entry of the following DN: cn=orclpwdverifierconfig,cn=EMailServerContainer, cn=Products,cn=OracleContext,cn=subscriber realm
Select the entry.
Select All for View Properties.
In the displayname text box, enter Voicemail PIN.
Choose Apply.
Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated.
The first type of privileged user, the super user with the DN cn=orcladmin, is represented as a special user entry found within the default identity management realm. It enables directory administrators to make any modifications to the DIT and any changes to the configuration of Oracle Internet Directory servers. If the super user (orcladmin) account is locked—for example, as a result of too many attempts to bind with an incorrect password—then an administrator with DBA privileges to the Oracle Internet Directory repository can unlock it by using the oidpasswd tool. To unlock the orcladmin account, execute the command:
oidpasswd unlock_su_acct=TRUE
The second privileged user is realm-specific. This user governs capabilities such as creation and deletion of users and groups within a realm and all the functionality related to Oracle Delegated Administration Services. This account is represented by an entry with the DN cn=orcladmin,cn=users,realm_DN. Note that, in contrast to the single super user account, each realm has its own realm-specific privileged user. To unlock the realm-specific privileged account, the administrator modifies the realm-specific privileged user's account password by using Oracle Directory Manager.
If you are running Oracle Delegated Administration Services in one domain, and OracleAS Portal in another, then follow the instructions in the Oracle Application Server Portal Configuration Guide in Section 6.1.6.2, "Relationship Between OracleAS Portal and Oracle Internet Directory".
This section contains the following troubleshooting topic:
Problem
When you are logged into Oracle Delegated Administration Services in an OracleAS Cluster (Identity Management) environment, and the OracleAS Metadata Repository database or Oracle Internet Directory fails, the load balancer forwards the request to another instance. However, Oracle Delegated Administration Services is still connected to the failed instance.
This means that operations that require a connection to Oracle Internet Directory or OracleAS Metadata Repository will fail. In addition, Oracle Delegated Administration Services may not display error messages for the failures. For example, Oracle Delegated Administration Services will be unable to display users or groups, or perform searches for users.
Solution
Log out of Oracle Delegated Administration Services and log in again. Then retry your operation.
This section contains these topics:
The Oracle Identity Management Integration Guide fails to state that if you create a user entry by using Oracle Directory Manager, and you need that entry to be displayed in Oracle Internet Directory Self-Service Console, then you must explicitly associate the inetorgperson object class with that entry. If you create the user entry by using Oracle Internet Directory Self-Service Console, then the inetorgperson object class is automatically associated with that entry.
The online help for the Oracle Internet Directory Self-Service Console incorrectly states that, after searching for a particular realm, you can modify it by selecting it from the search results page and choosing Proceed. However, the search results page enables you only to view, and not to modify, the selected realm. To modify a realm configuration, select the Configuration tab, enter your changes, then choose Submit. For instructions on viewing and modifying configuration settings for a realm, see the chapter on the Oracle Internet Directory Self-Service Console in the Oracle Identity Management Guide to Delegated Administration.