Oracle® Application Server Release Notes 10g (10.1.4.0.1) for IBM zSeries Based Linux Part Number B32086-06
This chapter describes issues for both the Oracle Delegated Administration Services (DAS) and the Oracle Internet Directory Self-Service Console. It includes the following topics:
In addition to these release notes, please also see Patch Notes 10g (10.1.4.3.0) and Note 743141.1 Oracle Identity Management 10g (10.1.4.3) Patch Set Notes Addendum for information about Oracle Delegated Administration Services.
This section describes general issues and their workarounds for Oracle Delegated Administration Services. It includes the following topics:
Section 12.1.2, "Using Single Wildcard Characters to Search for Entries Fails to Return Results"
Section 12.1.4, "Attributes Set to "Searchable" Always Appear on the Search Result Page"
By default, the installation process does not enable SSL for Oracle Delegated Administration Services. Following the installation process, Oracle recommends that you enable SSL mode for Oracle Delegated Administration Services by following the instructions in Oracle Application Server Administrator's Guide.
If you enter a single percent sign (%) or asterisk (*) wildcard character when searching for users or groups in the Oracle Internet Directory Self-Service Console, no results are returned. To return a list of all users or groups, do not enter any characters in the search box in the Search for Users or Search for Groups windows.
When an Oracle Delegated Administration Services instance is configured to use SSL, or if you change the host and port where the instance is deployed, the Oracle Internet Directory Self-Service Console link does not work in the Oracle Identity Manager Grid Control Plug-in.
To resolve this issue, perform the following steps to manually configure the Oracle Internet Directory Self-Service Console link on the Oracle Identity Manager Grid Control Plug-in page.
Start Oracle Enterprise Manager 10g Grid Control Console.
Click the Targets tab, and then click the Identity Management subtab.
Select the Oracle Delegated Administration Services instance that you need to update and click Configure.
Modify the properties as necessary.
When configuring a user entry, you can define a particular attribute as searchable (or not). When configuring Search Table Columns, you can define whether a selected attribute is displayed in the Search Results. The columns shown in the Search Results depend on both of these settings:
Searchable check box for an attribute (mail in this example)
Selected Attributes in "Configure Search Table Columns" (Selected Attributes: No in this example)
Result: You can search using the Searchable attribute mail, and the email address appears as a column in the Search Result despite specifying Selected Attributes: No in "Configure Search Table Columns".
You can search using any attribute that is configured as searchable in the user entry. The value of a searchable attribute always appears in the Search Results, whatever the Search Table Columns setting; otherwise, further filtering on that attribute would not be possible.
This section describes administration issues and their workarounds for Oracle Delegated Administration Services. It includes the following topic:
To disable password change and reset functionality, assign a value of false to the RESET_PASSWD_ENABLED parameter in the $ORACLE_HOME/ldap/das/das.properties file. This removes the Forgot Your Password? link from the Oracle Internet Directory Self-Service Console home page and the Manage My Password link from the My Profile tab.
Disabling password change and reset functionality only applies to users; the Forgot Your Password? link on the Oracle Internet Directory Self-Service Console home page and the Manage My Password link on the My Profile tab are always available to administrators, regardless of the value assigned to the RESET_PASSWD_ENABLED parameter.
Various applications, including OracleAS Portal, use Oracle Delegated Administration Services to reset Oracle Application Server Single Sign-On passwords. Users can reset their own passwords by clicking a link in the source application, which opens the Reset My Single Sign-On Password page in Oracle Internet Directory Self-Service Console. However, when users click the OK button after resetting their passwords, or if they click the Cancel button to abort the password change process, they are redirected to the Oracle Delegated Administration Services home page instead of to the referring application page.
To redirect users to a location other than the Oracle Delegated Administration Services home page, append a query string containing the correct return URLs to the link on the referring application page. Include in the query string two name=value pairs for the doneURL and the cancelURL attributes. The doneURL attribute identifies the redirect URL to call when users click the OK button and the cancelURL attribute identifies the redirect URL to call when users click the Cancel button. Because these values are themselves URLs carried inside a query string, percent-encode them when building the link; an unencoded return URL that contains its own ? or & characters would be split into separate parameters. Oracle Delegated Administration Services redirects to whatever URL the parameters carry, so generate them from fixed application URLs on the server rather than from user-supplied input. The following example demonstrates how to build a URL to the Change Application Password page that includes the doneURL and the cancelURL attributes:
http://host:port/oiddas/ui/oracle/ldap/AppStep1ResetPwd?cancelURL=http://www.domain.com&doneURL=http://www.domain.com
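The following is an added example, not code from the release notes or from OracleAS Portal, showing how a referring application can build the link above with doneURL and cancelURL percent-encoded, and verify that a return URL carrying its own query string survives as a single parameter. The allow-list of return hosts (portal.example.com) and the host:port placeholder are assumptions; the release note does not describe any validation Oracle Delegated Administration Services applies to these parameters, so the referring application restricts them here before the link is emitted.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# The release note's placeholder for the DAS server; substitute the real host and port.
DAS_BASE = "http://host:port"
RESET_PAGE = "/oiddas/ui/oracle/ldap/AppStep1ResetPwd"

# Hypothetical allow-list of hosts the referring application may send users back to.
ALLOWED_RETURN_HOSTS = {"portal.example.com"}


def check_return_url(url, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """Accept only absolute http(s) URLs whose host is on the allow-list."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in return URL: {url!r}")
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        raise ValueError(f"return URL host not allowed: {url!r}")
    return url


def is_allowed_return_url(url, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """Boolean form of check_return_url, for callers that prefer not to catch."""
    try:
        check_return_url(url, allowed_hosts)
    except ValueError:
        return False
    return True


def build_reset_password_link(done_url, cancel_url, das_base=DAS_BASE):
    """Return the link to the DAS Change Application Password page with
    doneURL and cancelURL carried as percent-encoded query parameters."""
    check_return_url(done_url)
    check_return_url(cancel_url)
    # urlencode percent-encodes ':', '/', '?', '=' and '&' inside the values, so a
    # return URL that itself carries a query string stays one parameter.
    query = urlencode({"doneURL": done_url, "cancelURL": cancel_url})
    return f"{das_base}{RESET_PAGE}?{query}"


def return_urls_from_link(link):
    """Decode doneURL and cancelURL from a link, as the DAS page would see them."""
    query = link.partition("?")[2]
    params = parse_qs(query, keep_blank_values=True)
    return params["doneURL"][0], params["cancelURL"][0]


if __name__ == "__main__":
    # Constructed sample return URLs; the done URL deliberately carries a query string.
    done = "https://portal.example.com/pls/portal/home?page=1&tab=2"
    cancel = "https://portal.example.com/pls/portal/home"
    link = build_reset_password_link(done, cancel)
    print(link)
    print(return_urls_from_link(link))
    # Naive concatenation splits the done URL at its '&' and loses 'tab=2'.
    naive = f"{DAS_BASE}{RESET_PAGE}?doneURL={done}&cancelURL={cancel}"
    print(return_urls_from_link(naive)[0])
```

Run it directly to see the encoded link and the truncated value that naive string concatenation would have handed to the page.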
This section describes online Help issues and their workarounds for Oracle Delegated Administration Services. It includes the following topic:
From the Provisioning Console, no help topic appears when you click the Directory tab, the Applications subtab, the Manage Settings button, and then Help.
The information on the Manage Settings function is currently missing from the manual and cannot be accessed. The book will be updated to include the missing information for the next product release.
Content for Manage Settings
This topic explains how to manage application settings and properties for provisioning-integrated applications. These settings include the Default Provisioning Policy (required or not required) and Event Propagation Interval.
Note:
The available provisioning-enabled applications will vary, depending on your environment. In Oracle Application Server 10g (10.1.4.0.1), only components that are part of Oracle Collaboration Suite can be provisioned with the Provisioning Console.
To manage application settings and properties
Click the Directory tab, then click Applications.
On the Manage Settings: Select Installed Application page, click the option beside the application to manage.
Choose Edit.
In the Manage Settings: Edit Application Properties page:
Select the Default Provisioning Policy for your environment
Enter the Event Propagation Interval
Click OK.
ou Attribute is Not Allowed In User Entries
The Oracle Identity Management Guide to Delegated Administration, chapter on managing users and groups with the Oracle Internet Directory Self-Service Console, discusses the organizational unit (ou) attribute in the context of setting up parent DNs in an Identity Management realm. However, the online help does not make clear that this attribute cannot be configured like other attributes in the user entry configuration.
A future release of the manual will include the following description in the chapter on troubleshooting. This will be included in the online help with the next release of the product.
In Oracle Delegated Administration Services (and Oracle Internet Directory Self-Service Console), the predefined list for the organizational unit (ou) attribute is reserved for specifying parent DNs.
The ou attribute values must be mapped according to the guidelines for configuring the parent DN for entries in an Identity Management realm. For more information, see the procedure on configuring the parent DN for entries in a realm.
The ou attribute cannot be configured like other attributes in the user entry configuration. The organizational unit (ou) attribute cannot have simple text values. You cannot add the organizational unit (ou) attribute as a searchable and self-editable field for creating new users.
This section describes documentation issues and their workarounds for Oracle Delegated Administration Services. It includes the following topic:
Problem
With Oracle Delegated Administration Services running in two browser windows during the same session, certain combinations of events might produce unexpected results from the user's perspective. For example:
Attempting to update a group in one browser window and a user in a different window might produce an error
Attempting to update two different users in separate browser windows during the same session results in one of two outcomes, depending on the exact sequence of operations. For example, if User1 is changed in window 1 and User2 is changed in window 2:
When the User1 changes are submitted last, the entry for User2 is replaced with the User1 details and the User1 changes are lost.
If the User1 changes are submitted first, and then the User2 changes are submitted, the User1 changes are lost and User2 is updated as expected.
Cause
Oracle Delegated Administration Services maintains only one context per browser session. There is no way for Oracle Delegated Administration Services to be aware that a single browser session is using multiple windows.
Oracle Delegated Administration Services allows only one selected user per session, and any changes are applied to the current user entry in the session. Each browser window caches the values that it has displayed and sends these back as updates. Changing the current entry in one browser window and then updating it with values cached in a second browser window can therefore produce unexpected results.
Action
A future release of the manual will include this information in the chapter on troubleshooting.
Oracle recommends that you use only a single browser window per session.
The Oracle Identity Management Guide to Delegated Administration, chapter on managing users and groups with the Oracle Internet Directory Self-Service Console discusses creating user entries. In this topic, there is a list of the special characters that cannot be used in a user ID when creating a new user. However, this list contains several characters that are considered legal for a user ID.
Incorrect
The User ID field cannot contain spaces or any of the following characters: ( ) * + , ; < > \ ~ & ' % ? / = ^ | ~
Correct
Alpha and numeric characters, and the following special characters are allowed within the User ID field:
/ & % space ? = ^ |
However, the User ID field cannot contain any of the following characters:
" ( ) + , ; < > \ ~
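The following is an added example, not code from the release notes or from Oracle Delegated Administration Services, that implements the corrected User ID rule as an input validator and contrasts it with the superseded list, so that an application creating users through the console does not reject legal IDs such as sales/emea or IDs containing spaces. Characters that appear in neither the allowed nor the forbidden list (for example . - _ @ * and the apostrophe) are not addressed by the note; the validator reports them separately rather than guessing, and treats non-ASCII letters the same way, which is an assumption of this example.

```python
# Characters the corrected note says the User ID field cannot contain.
FORBIDDEN_USER_ID_CHARS = frozenset('"(),+;<>\\~')

# Special characters the corrected note explicitly allows, alongside letters and digits.
ALLOWED_SPECIAL_USER_ID_CHARS = frozenset('/&% ?=^|')

# The superseded list from the incorrect text, kept only to show the difference.
OLD_FORBIDDEN_USER_ID_CHARS = frozenset("()*+,;<>\\~&'%?/=^|")


def forbidden_chars_in(user_id):
    """Forbidden characters present in user_id, in order of first appearance."""
    seen = []
    for ch in user_id:
        if ch in FORBIDDEN_USER_ID_CHARS and ch not in seen:
            seen.append(ch)
    return seen


def user_id_is_valid(user_id):
    """True when user_id is non-empty and contains no forbidden character."""
    return bool(user_id) and not forbidden_chars_in(user_id)


def undocumented_chars_in(user_id):
    """Characters in neither the allowed nor the forbidden list (sorted, unique).
    The note is silent on these, so the caller decides how to treat them.
    Assumption: only ASCII letters and digits count as documented alphanumerics."""
    return sorted({ch for ch in user_id
                   if not (ch.isascii() and ch.isalnum())
                   and ch not in ALLOWED_SPECIAL_USER_ID_CHARS
                   and ch not in FORBIDDEN_USER_ID_CHARS})


def wrongly_rejected_by_old_rule(user_id):
    """True for a user ID the corrected rule accepts but the superseded list rejected."""
    return user_id_is_valid(user_id) and any(ch in OLD_FORBIDDEN_USER_ID_CHARS for ch in user_id)


if __name__ == "__main__":
    # Constructed sample IDs covering allowed, forbidden and undocumented characters.
    samples = ["jdoe", "j doe", "sales/emea", "jane?x=1", 'j"doe', "a(b)",
               "o'brien", "j.doe@example.com"]
    for uid in samples:
        print(f"{uid!r:22} valid={user_id_is_valid(uid)} "
              f"forbidden={forbidden_chars_in(uid)} "
              f"undocumented={undocumented_chars_in(uid)} "
              f"old_rule_wrongly_rejected={wrongly_rejected_by_old_rule(uid)}")
```

Running the script prints one line per sample; the two IDs containing / and ? show up as valid under the corrected rule while the old list would have rejected them.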
The following information will appear in the next release of the Oracle Identity Management Guide to Delegated Administration. See the chapter on troubleshooting.
Problem
When users enter a value in the old_password field, Oracle Delegated Administration Services does not pass the old password value to the Oracle Internet Directory pre_modify plug-in.
Cause
Oracle Delegated Administration Services and Oracle Internet Directory are working as designed. You cannot use a custom password policy pre_modify plug-in for something that the standard product does not support.
Oracle Delegated Administration Services uses ldapcompare to check the old password and then performs the change through a proxy bind as the user. With a proxy bind, there is no reason to send the user's old password to Oracle Internet Directory, so the directory never receives it. Oracle Internet Directory does provide the old password to the plug-in when it has one, but in this case it does not have the password.
In contrast, Oracle Application Server Single Sign-On binds as the user and then changes the password, so the same pre_modify plug-in does receive the old password when the change is made through the SSO password.jsp page. However, password.jsp appears only when a user's password is about to expire.
See Also:
Knowledge Base Note 601469.1.
To locate Knowledge Base note 601469.1
Go to My Oracle Support and log in as usual:
https://support.oracle.com
Click Knowledge (upper-left corner).
In the Search Knowledge Base field (upper right corner), enter 601469.1.
Click the title on the results page: OIDDAS Not Passing The Old_password To Custom Pre_modify Password Policy Plugin...
Review the article.