Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for hp-ux PA-RISC (64-bit)
B15511-05

17 Oracle Internet Directory

This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:

17.1 General Issues and Workarounds

This section describes general issues and their workarounds for Oracle Internet Directory. It includes the following topic:

17.1.1 Plug-in Features Not Supported in a Directory Server Running Against Oracle9i Database Server Release 2

Oracle Internet Directory 10g Release 2 (10.1.2) can use several different versions of the Oracle Database for storing directory data. These include Oracle9i Database Server Release 2, v9.2.0.6 or later, and Oracle Database 10g, v10.1.0.4 or later.

In Oracle Application Server 10g Release 2 (10.1.2), the following plug-in features are not supported in the directory server running against Oracle9i Database Server Release 2:

  • Windows NT Domain external authentication plug-in.

  • The simple_bind_s() function of the LDAP_PLUGIN package provided as the OID PL/SQL PLUGIN API for connecting back to the directory server as part of plug-in definitions.

17.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds for Oracle Internet Directory. It includes the following topics:

17.2.1 Changing Naming Contexts When Relied on for Partial Replication Is Not Supported

If you are configuring partial replication from specific naming contexts in an Oracle Internet Directory node to fan-out replication nodes, then do not change the names of these naming context entries in the source node.

17.2.2 Refer to the File ias.properties after Installing Oracle Internet Directory for LDAP Port Assignment

During installation of Oracle Application Server or third-party products, you are prompted for an Oracle Internet Directory or LDAP port. To find the specific port number assigned to Oracle Internet Directory at installation, see the file $ORACLE_HOME/config/ias.properties. Look for the entries OIDport and OIDsslport.

The default port for enabling LDAP at Oracle Internet Directory installation time is 389. The Oracle Installer always tries that port as its first choice. However, on many UNIX computers, /etc/services includes a line for LDAP reserving port 389. With that line there, the Installer opts instead for a port number between 3060 and 3129, inclusive.

To confirm the port at which Oracle Internet Directory is running, simply run the ldapbind command-line tool, supplying either the host name and port number specified in the portlist.ini file or an alternative port specified during the Oracle Internet Directory installation.

17.2.3 Required Attributes Cannot Be Excluded from Partial Replication

Partial replication enables you to exclude certain attributes from replication. You do this by adding those attributes to the excludedAttributes attribute of the cn=NamingContext entry. However, if you exclude required attributes, then replication fails.

Attributes that cannot be excluded are specified in the Oracle Internet Directory Administrator's Guide. These can include attributes not considered mandatory for user-defined object class definitions. For example, even if cn is an optional attribute for one or more user-defined object class definitions, it still cannot be excluded from partial replication.

17.2.4 Using Oracle Application Server Repository Creation Assistant (RepCA) Can Generate File Creation Error Message

When you use the Oracle Application Server tool RepCA to load Oracle Internet Directory schema into an existing Oracle 10.1.0.3 Database, you might see the following error message in the $ORACLE_HOME/assistants/repca/log/repca*log file:

SP2-0332: Cannot create spool file.

This error message can be ignored.

17.2.5 Do Not Install DiamondCS Port Explorer

Oracle Internet Directory will not work if DiamondCS Port Explorer is installed on the system.

17.3 Upgrade Issues and Pre-Upgrade Tasks

This section describes Oracle Internet Directory upgrade issues and pre-upgrade tasks. It includes the following topics:

17.3.1 Change or Reset Passwords before Authentication

If you are upgrading your Oracle Internet Directory v9.0.2.x to 10g Release 2 (10.1.2) and you intend to use SASL DIGEST-MD5 authentication against your Oracle Internet Directory LDAP server, then you must change or reset all of the passwords for existing users before authentication.

17.3.2 Back Up Your Oracle Database Before Performing Oracle Application Server Upgrade

Oracle recommends that you back up your Oracle Database prior to performing an upgrade to Oracle Application Server 10g Release 2 (10.1.2).

17.3.3 Use opmnctl to Start and Stop Oracle Internet Directory Before and After Oracle Application Server Upgrade

During an upgrade from Oracle Application Server 10g (9.0.4) to 10g Release 2 (10.1.2), the Oracle Installer uses opmnctl to stop Oracle Internet Directory in the version 9.0.4 home. If Oracle Internet Directory is running and oidctl, instead of opmnctl, was used to start it, Oracle Installer cannot stop the processes and the upgrade will fail.

As a precaution, before starting the upgrade, run

opmnctl -startall

to ensure all processes are up and running. Then use

opmnctl -stopall

and

opmnctl -status

to ensure they are all successfully stopped before beginning the upgrade.

The correct use of opmnctl and oidctl is described in Oracle Internet Directory Administrator's Guide, in the section of Chapter 4 entitled "Oracle Internet Directory Process Control–Best Practices."

Oracle Enterprise Manager might not display Oracle Internet Directory status correctly unless opmnctl is used to start Oracle Internet Directory.

17.4 Post-Upgrade Tasks

This section describes tasks you should perform immediately after upgrading to 10g Release 2 (10.1.2). It includes the following topics:

17.4.1 Set ACL Policy on Groups Container after Upgrade from Release 9.0.2

When upgrading Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, the following ACL policy needs to be set on the groups container in the realm. The ACL policy should allow members of the group cn=Common Group Attributes,cn=groups,Oracle_Context_DN browse, search, and read access for private and public groups—that is, for groups where orclIsVisible is either not set or is set to TRUE or FALSE. This ACL is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section "Default Privileges for Reading Common Group Attributes".

The "Common Group Attributes" group is used by OracleAS Portal to query private and public groups. The ACI must be added on the groups container. In the LDIF below, replace Realm DN with the DN of the realm, and DN of groups container in the realm with the appropriate group search base.

dn: DN of groups container in the realm
changetype: modify
add: orclaci
orclaci: access to entry filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context,Realm DN" (browse)
orclaci: access to attr=(*) filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context,Realm DN" (search, read)
orclaci: access to entry filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context,Realm DN" (browse)
orclaci: access to attr=(*) filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context,Realm DN" (search, read)
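The following added example (not part of these release notes or of Oracle's tooling) checks whether the four orclaci values above are actually present on a groups container after the upgrade. It assumes the orclaci values have already been read from the container (for example with ldapsearch) and are passed in as strings, and it uses a constructed realm DN, dc=example,dc=com.

```python
"""Verify the post-upgrade "Common Group Attributes" ACL on a groups container.
Added example, not Oracle's code. Input: the orclaci values already read from
the groups container (for example via ldapsearch) and the realm DN."""
import re

# One orclaci value in the form used by the release note:
#   access to entry|attr=(...) [filter=(...)] by group="DN" (perm, perm)
# Other orclaci forms (by dn=..., by *, and so on) are deliberately not parsed.
ACI_RE = re.compile(
    r'^access to (?P<target>entry|attr=\([^)]*\))'
    r'(?:\s+filter=(?P<filter>\(.*?\)))?'
    r'\s+by group="(?P<group>[^"]+)"'
    r'\s+\((?P<perms>[^)]*)\)\s*$',
    re.IGNORECASE,
)

COMMON_GROUP_RDNS = "cn=Common Group Attributes,cn=groups,cn=Oracle Context"


def normalize_dn(dn):
    """Lower-case and drop whitespace around commas so that differently spaced
    DNs compare equal. Simplification: escaped commas in RDN values are ignored."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_aci(value):
    """Return (target, filter, group_dn, perms) for one orclaci string, or None
    when it is not a group-based ACI of the form above."""
    m = ACI_RE.match(value.strip())
    if not m:
        return None
    perms = frozenset(p.strip().lower() for p in m.group("perms").split(","))
    filt = (m.group("filter") or "").replace(" ", "").lower()
    return (m.group("target").lower(), filt, normalize_dn(m.group("group")), perms)


def expected_acis(realm_dn):
    """The four ACIs the release note requires: browse on the entry and
    search/read on all attributes, for public and for private groups."""
    group = normalize_dn(f"{COMMON_GROUP_RDNS},{realm_dn}")
    public, private = "(!(orclisvisible=false))", "(orclisvisible=false)"
    return {
        ("entry", public, group, frozenset({"browse"})),
        ("attr=(*)", public, group, frozenset({"search", "read"})),
        ("entry", private, group, frozenset({"browse"})),
        ("attr=(*)", private, group, frozenset({"search", "read"})),
    }


def missing_common_group_acis(orclaci_values, realm_dn):
    """Return the required ACIs absent from orclaci_values; [] means compliant.
    Unrelated or additional ACIs on the container are ignored."""
    present = {a for a in map(parse_aci, orclaci_values) if a is not None}
    missing = expected_acis(realm_dn) - present
    return sorted(missing, key=lambda a: (a[0], a[1], sorted(a[3])))


# Constructed sample: a realm DN and the four values from the release note's
# LDIF, keeping its uneven spacing inside the group DN.
REALM_DN = "dc=example,dc=com"
GROUP = "cn=Common Group Attributes,cn=groups, cn=Oracle Context, " + REALM_DN
SAMPLE_ORCLACI = [
    f'access to entry filter=(!(orclisvisible=false)) by group="{GROUP}" (browse)',
    f'access to attr=(*) filter=(!(orclisvisible=false)) by group="{GROUP}" (search, read)',
    f'access to entry filter=(orclisvisible=false) by group="{GROUP}" (browse)',
    f'access to attr=(*) filter=(orclisvisible=false) by group="{GROUP}" (search, read)',
]

if __name__ == "__main__":
    for label, values in (("complete", SAMPLE_ORCLACI), ("partial", SAMPLE_ORCLACI[:3])):
        print(label, "missing:", missing_common_group_acis(values, REALM_DN))
```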

17.4.2 Change Value of orclpkimatchingrule After Upgrade

After you upgrade to 10.1.2, the default value of the DSA configuration attribute orclpkimatchingrule is incorrectly set to 0. Please use the ldapmodify command to set the value to 2, by typing:

ldapmodify -h host -p port_number -D bind_DN -w bind_DN_password -f file_name

where file_name is the following LDIF file:

dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
replace: orclpkimatchingrule
orclpkimatchingrule: 2 

17.5 Administration Issues and Workarounds

This section describes administration issues and their workarounds for Oracle Internet Directory. It includes the following topics:

17.5.1 Oracle Internet Directory Servers Can Be Started Only by the Operating System User Who Installed the Oracle Internet Directory Software

The Oracle Internet Directory servers—that is, the directory server, the directory replication server, and the directory integration and provisioning server daemons—can be started only by the operating system user who installed the Oracle Internet Directory software.

17.5.2 Unlocking Privileged User Accounts

Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated.

The first type of privileged user, the super user with the DN cn=orcladmin, is represented as a special user entry found within the default identity management realm. It enables directory administrators to make any modifications to the DIT and any changes to the configuration of Oracle Internet Directory servers. If the super user (orcladmin) account is locked—for example, as a result of too many attempts to bind with an incorrect password—then an administrator with DBA privileges to the Oracle Internet Directory repository can unlock it by using the oidpasswd tool. To unlock the orcladmin account execute the command:

oidpasswd unlock_su_acct=TRUE

The second privileged user, a realm-specific privileged user, governs capabilities such as creation and deletion of users and groups within a realm and all the functionality related to Oracle Delegated Administration Services. This account is represented by an entry with the DN cn=orcladmin,cn=users,realm DN. Note that, in contrast to the single super user account, each realm has its own realm-specific privileged user. To unlock the realm-specific privileged account, the first type of privileged user, cn=orcladmin, can modify the account password by using Oracle Directory Manager.

17.5.3 Restarting Directory Replication and Directory Integration and Provisioning Server Instances in Real Application Cluster or Rack-Mounted Mode

If the primary node running either the directory replication server (oidrepld), or the directory integration and provisioning server (odisrv), or both, fails, then the OID Monitor on the secondary node starts these processes on the secondary node after five minutes. However, normal shutdown is not treated as a failover. When the primary node is restarted manually, these servers are not automatically restarted on the primary node.

17.5.4 Partial Replication Will Not Replicate Changes to the Root Entry of a Naming Context

Partial replication will not replicate changes to the root entry of a naming context made by using ldapmoddn.

17.5.5 ODS Database User Password Can Be Changed Only by Using the oidpasswd Tool

To change the ODS database user password, you must use the oidpasswd tool. If you change the ODS database user password by any other means, then Oracle Internet Directory instances fail to start.

17.5.6 Application Server Control Does Not Display Port Status Information if Oracle Directory Server is Running in SSL Mode Only

The Application Server Control does not display the port status information for Oracle directory servers running only in SSL mode.

17.5.7 Intermittent Directory Update Failures

Directory operations such as entry add, delete, and modify may fail intermittently with the error message:

DSA Unwilling to perform

This problem usually disappears in a short time. If the failures persist, then restart the Oracle Database and all associated processes as a workaround.

17.6 Documentation Errata

This section describes errors in the documentation for Oracle Internet Directory. It includes these topics:

17.6.1 Parameters in init$ORACLE_SID.ora are Not Loaded Automatically at Database Startup

At startup, the database reads database initialization parameters from spfile$ORACLE_SID.ora rather than from init$ORACLE_SID.ora—unless the user explicitly specifies the latter when starting the database. Thus, wherever the Oracle Internet Directory Administrator's Guide specifies database parameter changes, the subsequent database restart must specify explicitly the init$ORACLE_SID.ora file. For example:

SQL> STARTUP PFILE = /u01/oracle/dbs/initmynewdb.ora

For more information, see "Using SQL*Plus to Start Up a Database" in Chapter 3 of Oracle Database Administrator's Guide.

17.6.2 StopOdiServer.sh Tool Syntax is Incorrect

The path name and usage for the StopOdiServer.sh tool described in Appendix A, "Syntax for LDIF and Command-Line Tools" in the section "Stopping the Oracle Directory Integration and Provisioning Server Without Using OID Monitor and the OID Control Utility" are displayed incorrectly. The path name should be:

$ORACLE_HOME/ldap/odi/admin/stopodiserver.sh

The usage is:

$ORACLE_HOME/ldap/odi/admin/stopodiserver.sh
        [ -LDAPhost LDAP_server_host ]
        [ -LDAPport LDAP_server_port ]
        [ -binddn super_user_dn (default cn=orcladmin ) ]
        [ -bindpass bind_password (default=welcome) ]
        -instance instance_number_to_stop

17.6.3 Figures 27-1, 27-2, and 29-1 are Incorrect

In Chapter 27 of Oracle Internet Directory Administrator's Guide, Figures 27-1, "Architecture of an Oracle Application Server Cluster (Identity Management) Configuration," and 27-2, "Load Balancing in an Oracle Application Server Cluster (Identity Management) Configuration," the Directory Integration Server is shown running on all the nodes. It should be shown only on Node A.

In Chapter 29 of Oracle Internet Directory Administrator's Guide, Figure 29-1, "Oracle Internet Directory with Basic High Availability Configuration," Node 1 should be running the following server processes:

  • Oracle Directory Server Instance 1

  • Oracle Directory Integration Server

  • Oracle Directory Replication Server

  • Oracle Database Server Instance 1

Node 2 should be running the following server processes:

  • Oracle Directory Server Instance 2

  • Oracle Database Server Instance 2

17.6.4 ldifwrite Command Line is Incorrect

In Chapter 25 of the Oracle Internet Directory Administrator's Guide, in the section entitled "Adding a Node for Multimaster Replication (Oracle Database Advanced Replication Types Only)," there is an error in the ldifwrite command line in "Task 4: Back up the Sponsor Node by Using ldifwrite." The command line is shown as:

ldifwrite -c connect_string \
          -b "orclAgreementID=000001,cn=replication_configuration" \
          -f output_ldif_file 

It should be:

ldifwrite -c connect_string \
          -b "orclAgreementID=000001,cn=replication configuration" \
          -f output_ldif_file 

That is, there should be a space, not an underscore, in cn=replication configuration, and replication configuration should not be in italics.

17.6.5 ldapsearch Command Line is Incorrect

In Oracle Internet Directory Administrator's Guide, the ldapsearch command is frequently shown with the filter in single quotes. This is incorrect because you must use double quotes with the filter. For example, this command line is incorrect:

ldapsearch -h host_name -p port_number -s base -b "" 'objectclass=*' lastchangenumber

This command line is correct:

ldapsearch -h host_name -p port_number -s base -b "" "objectclass=*" lastchangenumber

17.6.6 Oracle Identity Management Concepts and Deployment Planning Guide—Figure B-1 and Description are Incorrect

In Figure B-1 in Oracle Identity Management Concepts and Deployment Planning Guide, two instances of Distributed Configuration Management are shown on each of the hosts. There should be only one instance of Distributed Configuration Management on each host.

In addition, the two paragraphs of text before the figure are incorrect. Please substitute the following two paragraphs:

In Figure B-1, the MASTER Oracle Identity Management node is installed on HOST 1 using a default Identity Management install with Metadata Repository, Oracle Internet Directory, Oracle Directory Integration and Provisioning, Oracle Application Server Single Sign-On and Oracle Delegated Administration Services.

Similarly, the REPLICA Oracle Identity Management node is installed on HOST 2 using a default Identity Management install with Metadata Repository, Oracle Internet Directory, Oracle Directory Integration and Provisioning, Oracle Application Server Single Sign-On, and Oracle Delegated Administration Services.

17.6.7 All References to the ods_server Role are Incorrect

In Oracle Internet Directory 10g Release 2 (10.1.2), the ods_server role no longer exists. Chapter 32 of Oracle Internet Directory Administrator's Guide and Chapter 5 of Oracle Identity Management Application Developer's Guide incorrectly show the use of the GRANT EXECUTE statement to grant execute permission to ods_server for the plug-in modules. Do not include a line such as

GRANT EXECUTE ON LDAP_PLUGIN_EXAMPLE1 TO ods_server;

in a PL/SQL program to be invoked by a plug-in in 10g Release 2 (10.1.2).

17.6.8 Corrections to Procedure for Loading Data Into the Directory When Installing and Configuring a Multimaster Replication Group

In the section of Chapter 25 of Oracle Internet Directory Administrator's Guide entitled "Installing and Configuring a Multimaster Replication Group," there are errors in Task 4. Please replace "Task 4 (Optional): Load Data into the Directory," with the following text:

Task 4 (Optional): Load Data into the Directory

You can choose either of two ways to load data into the directory:

  • To add just a small number of entries to the DRG, you can wait until you have completely configured the DRG. Then use ldapadd to load the data to one of the nodes. The entries will then be replicated to the other nodes at the specified time.

  • To add a large amount of data to the DRG, use the bulkload utility:

    a. On the node that is part of the DRG and where you have the LDIF file to be loaded into the directories, enter:

      bulkload.sh -connect connect_string -check \
           -generate file_with_absolute_path_name

      Note:

      If data is extracted from Oracle Internet Directory using ldifwrite, then, in addition to other options, use the -restore option to restore the operational attributes.

    b. On the same node, enter:

      bulkload.sh -connect connect_string_1 -load

    c. Repeat Step b on the same node, each time replacing connect_string_1 with the connect string of another node in the DRG, until you have loaded the data onto all the nodes in the DRG. For example, enter

      bulkload.sh -connect connect_string_2 -load

      then enter

      bulkload.sh -connect connect_string_3 -load

      and so on, until you have loaded the data onto all the nodes in the DRG.


Note:

  • connect_string is the connect string of the Oracle Internet Directory database.

  • If data is extracted from Oracle Internet Directory using ldifwrite, then, in addition to other options, use the -restore option to restore the operational attributes.

  • For successful replication, an entry must have the same orclguid (global identifier) at all replicated nodes. This is accomplished by performing Step a once and repeating Step b for all nodes in the DRG.


17.6.9 bulkload.sh Command Line Error in Procedure for Configuring an LDAP-Based Replica by Using the ldifwrite Tool

In the section of Chapter 25 of Oracle Internet Directory Administrator's Guide entitled "Configuring an LDAP-Based Replica by Using the ldifwrite Tool," there is an error in the last bulkload.sh command line under "Task 8: Load the Data on the New Consumer." Please remove the argument file_with_absolute_path_name from the command line.

17.6.10 Some Post-Installation Tasks are Described Incorrectly

Oracle Internet Directory Administrator's Guide Chapter 3, "Post-Installation Tasks and Information," contains the following errors:

  • "Task 1: Start the OID Monitor" and "Task 2: Start a Server Instance" are unnecessary. At the end of a successful installation, oidmon and an instance of oidldapd are started.

  • In "Task 3: Reset the Default Security Configuration," the default password should not be listed as welcome. The default password is the Oracle Application Server Administrator password that was specified during the installation.

  • In "Task 5: Run the OID Database Statistics Collection Tool," the file path of the tool should be listed as $ORACLE_HOME/ldap/admin/oidstats.sh.

17.6.11 LDIF Example for Dereferencing Alias Entries is Incorrect

The LDIF example under "Example: Adding an Alias Entry" in Chapter 5, "Oracle Directory Server Administration," in Oracle Internet Directory Administrator's Guide contains the following errors:

  • All instances of the container o=oracle should be o=MyCompany.

  • The entry:

    dn: cn=John Doe, o=MyCompany, c=us
    cn: John Doe
    objectclass: person

    should be

    dn: cn=John Doe, o=MyCompany, c=us
    cn: John Doe
    sn: Doe
    objectclass: person
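The corrected entry above adds sn because the person object class requires it. The following added example (not from the release notes or from Oracle) parses LDIF and reports entries that lack attributes their object classes require, which also catches the Section 17.2.3 mistake of listing a required attribute in excludedAttributes. It assumes the standard LDAP schema for the few classes it knows (person requires cn and sn per RFC 4519); the LDIF input is constructed.

```python
"""Find LDIF entries lacking attributes their object classes require.
Added example, not Oracle's code; REQUIRED holds MUST attributes of a few
standard classes (person: cn and sn, RFC 4519). Extend it from your schema."""
# Assumption: standard LDAP schema; names are compared lower-cased.
REQUIRED = {
    "person": {"cn", "sn"},
    "organization": {"o"},
    "country": {"c"},
    "alias": {"aliasedobjectname"},
}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    '#' comments and folded lines starting with a space. Base64 ('::') and
    URL (':<') values are not decoded. Returns a list of dicts that map a
    lower-cased attribute name to its list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:         # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def missing_required(entry):
    """Attributes required by the entry's object classes but absent from it.
    Classes not listed in REQUIRED are skipped rather than flagged."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    needed = set().union(*(REQUIRED.get(c, set()) for c in classes))
    return needed - {a for a in entry if a != "dn"}


def check_ldif(text):
    """Map DN -> sorted missing attributes, for entries that have any."""
    result = {}
    for entry in parse_ldif(text):
        missing = missing_required(entry)
        if missing:
            result[entry["dn"][0]] = sorted(missing)
    return result


def excluded_required(excluded_attributes, schema=REQUIRED):
    """Attributes listed for exclusion from partial replication that some class
    requires; per Section 17.2.3, excluding them makes replication fail."""
    required_any = set().union(*schema.values())
    return sorted(a.lower() for a in excluded_attributes if a.lower() in required_any)


# Constructed LDIF mirroring the release note: the first entry is the erratum's
# original (no sn), the second is the corrected form.
SAMPLE_LDIF = """\
dn: cn=John Doe, o=MyCompany, c=us
cn: John Doe
objectclass: person

dn: cn=Jane Roe, o=MyCompany, c=us
cn: Jane Roe
sn: Roe
objectclass: person
"""
```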
    

17.6.12 Oracle Identity Management Concepts and Deployment Planning Guide Appendixes Contain High-Level Descriptions

Appendixes A and B in Oracle Identity Management Concepts and Deployment Planning Guide provide high-level instructions for installing Oracle Identity Management components with multimaster and fan-out replication, respectively. More detailed information is provided elsewhere. For specific information about installing Oracle Internet Directory with replication, see Oracle Internet Directory Administrator's Guide and Oracle Application Server 10g Installation Guide.

17.6.13 Incorrect Statement About Installing Multimaster Replication Master

In Chapter 25 of Oracle Internet Directory Administrator's Guide, under "If you are installing Oracle Internet Directory as a Master" in the section "Preliminary Information for Installing and Configuring a Multimaster Replication," Step 4 contains an incorrect statement. Please replace the first two sentences with the following text:

When installing a master, do not check High Availability and Replication in the Select Configuration Options screen for replication. If you do not check High Availability and Replication, Oracle Universal Installer will perform a default Oracle Internet Directory install, that is, it will install a new Oracle Internet Directory as a master node.

17.6.14 Incorrect Statement about Default Value of Grace Logins After Password Expiration

In Table A.6, the default value for the number of grace logins after password expirations is listed as 3. The default value is actually 0 (no grace logins allowed). It is recommended that you set it to at least 3 after installing Oracle Internet Directory.

17.6.15 Errors in Oracle Identity Management Application Developer's Guide Chapter "Developing Oracle Internet Directory Server Plug-ins"

In Table 5-2, "Operation-Based and Attribute-Based Plug-in Procedure Signatures," the values shown in the IN Parameters column for some invocation contexts are incorrect. They should be changed as follows:

  • The values in the IN Parameters column for "Before ldapadd" should be ldapcontext, DN, Entry.

  • The values for "With ldapadd" should be ldapcontext, DN, Entry.

  • The values for "With ldapadd but replacing the default server behavior" should be ldapcontext, DN, Entry.

  • The values for "After ldapadd" should be ldapcontext, Add result, DN, Entry.

All instances of "plugin" should be changed to "plug-in."

17.6.16 Replication Chapter Should Refer to Appendix in Oracle Application Server 10g Administrator's Guide

Users configuring LDAP-based replication, as described in Chapter 25 of Oracle Internet Directory Administrator's Guide, might also wish to consult "Supplementary Procedures for Configuring LDAP-Based Replicas" in Oracle Application Server 10g Administrator's Guide.