Oracle® Application Server Release Notes 10g (10.1.4.0.1) for HP-UX Itanium Part Number B32101-06
This chapter describes the issues associated with Oracle Directory Integration Platform. It includes the following topics:
In addition to these release notes, see also Patch Notes 10g (10.1.4.3.0) and Note 743141.1, Oracle Identity Management 10g (10.1.4.3) Patch Set Notes Addendum, for information about Oracle Directory Integration Platform.
This section describes configuration issues and their workarounds for Oracle Directory Integration Platform. It includes the following topics:
Section 13.1.1, "Configuration Requirements for Synchronizations with Domain-Level Mappings"
Section 13.1.8, "Deletions Not Synchronized if a Domain Editing Rule Exists"
Section 13.1.9, "Synchronizing modrdn from Sun Java System Directory Throws a Stack Trace"
Section 13.1.10, "The SearchDeltaSize Parameter is Ignored During Synchronization"
For import and export synchronization with OpenLDAP and for export synchronization to Sun Java System Directory, if you are using domain-level mapping during synchronization and synchronizing attributes that contain dn values, then you must modify the mapping rules. For example, to synchronize groups with domain-level mappings, you must modify the mappings for the member, uniquemember, and owner attributes, which typically contain dn values.
If you plan to create the synchronization profiles using the express configuration operation of the Directory Integration Assistant, then perform the following steps:
Open in a text editor the mapping file for the third-party directory with which you will synchronize:
OpenLDAP export synchronization: $ORACLE_HOME/ldap/odi/samples/openldapexp.domainmap.master
OpenLDAP import synchronization: $ORACLE_HOME/ldap/odi/samples/openldapimp.domainmap.master
Sun Java System Directory export synchronization: $ORACLE_HOME/ldap/odi/samples/iplanetexp.domainmap.master
Modify the preceding mapping file for the third-party directory with which you are synchronizing so that the rules for the member, uniquemember, and owner attributes read as follows:
member: : :groupofnames:member: :groupofnames: dnconvert(member)
uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames: dnconvert(uniquemember)
owner: : :groupofuniquenames:owner: :groupofuniquenames: dnconvert(owner)
If you have already created synchronization profiles for a third-party directory, then perform the following steps:
Open in a text editor the import and export mapping files for the third-party directory with which you are synchronizing.
Modify the import and export synchronization mapping files so that the rules for the member, uniquemember, and owner attributes read as follows:
member: : :groupofnames:member: :groupofnames: dnconvert(member)
uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames: dnconvert(uniquemember)
owner: : :groupofuniquenames:owner: :groupofuniquenames: dnconvert(owner)
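The mapping-file edit in the two procedures above, as an added example that is not code from these release notes or from Oracle: a Python script that parses attribute rules in the colon-separated layout shown on this page, reports DN-valued attributes (member, uniquemember, owner) whose mapping rule does not call dnconvert(), and rewrites them so they match the lines above. The eight-field layout (source attribute, required flag, type, object class, destination attribute, required flag, object class, mapping rule), the DomainRules/AttributeRules section names, and the sample file contents are assumptions made for the example.

```python
"""Check DIP attribute mapping rules and add dnconvert() to DN-valued attributes.

Field layout assumed from the rules quoted on this page (8 colon-separated
fields; the last one, the mapping rule, may be empty or absent):
  src_attr:src_req:src_type:src_objectclass:dst_attr:dst_req:dst_objectclass:rule
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Destination attributes that carry DN values and must be domain-converted
# when domain-level mapping is in use (the three named on this page).
DN_VALUED_ATTRS = {"member", "uniquemember", "owner"}


@dataclass
class MappingRule:
    fields: List[str]  # raw field text, whitespace preserved for round-tripping

    @property
    def src_attr(self) -> str:
        return self.fields[0].strip()

    @property
    def dst_attr(self) -> str:
        return self.fields[4].strip()

    @property
    def rule(self) -> str:
        return self.fields[7].strip()

    def to_line(self) -> str:
        return ":".join(self.fields)


def parse_rule(line: str) -> Optional[MappingRule]:
    """Parse one attribute rule. Returns None for blank lines, section headers
    and domain rules, all of which have fewer colon-separated fields."""
    parts = line.rstrip("\n").split(":", 7)
    if len(parts) < 7:
        return None
    parts += [""] * (8 - len(parts))
    return MappingRule(parts)


def needs_dnconvert(rule: MappingRule) -> bool:
    """True when a DN-valued attribute is mapped without dnconvert()."""
    return (rule.dst_attr.lower() in DN_VALUED_ATTRS
            and "dnconvert(" not in rule.rule.lower())


def with_dnconvert(rule: MappingRule) -> MappingRule:
    """Set the mapping rule to dnconvert(<source attribute>), keeping the
    page's spacing (one space after the final colon)."""
    return replace(rule, fields=rule.fields[:7] + [f" dnconvert({rule.src_attr})"])


def fix_mapping_file(text: str) -> Tuple[str, List[str]]:
    """Return (rewritten file text, destination attributes that were changed)."""
    out, changed = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and needs_dnconvert(rule):
            rule = with_dnconvert(rule)
            changed.append(rule.dst_attr)
            out.append(rule.to_line())
        else:
            out.append(line)  # non-rule lines and already-correct rules pass through
    return "\n".join(out) + "\n", changed


# Constructed sample in the shape of an OpenLDAP domainmap.master before the
# fix; the section names, domain rule and cn rule are illustrative.
SAMPLE_MAP = """\
DomainRules
ou=groups,dc=example,dc=com:cn=groups,dc=example,dc=com:
AttributeRules
cn: : :groupofnames:cn: :groupofnames:
member: : :groupofnames:member: :groupofnames:
uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames:
owner: : :groupofuniquenames:owner: :groupofuniquenames:
"""

if __name__ == "__main__":
    fixed, changed = fix_mapping_file(SAMPLE_MAP)
    print("rewrote rules for:", ", ".join(changed))
    print(fixed)
```

Run it against a copy of the real mapping file before uploading the profile; a second run over the rewritten output reports no changes, which is the check that nothing was double-wrapped.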
This error occurs because the Additional Configuration Information file for a synchronization profile cannot exceed 4 KB. To resolve this issue, perform the following steps to change the syntax of the OrclODIPAgentConfigInfo attribute from DirectoryString to Binary:
Run the following command to start Oracle Directory Manager:
oidadmin
In the navigator pane, expand Oracle Internet Directory Servers, and then the directory server instance.
Select Schema Management. The Schema Management tab pages appear in the right pane.
In the right pane, select Attributes.
Click the Name column to order the attributes alphabetically.
Locate and select the OrclODIPAgentConfigInfo attribute, and then click Edit.
Change the Syntax option from DirectoryString to Binary, and then click OK.
Use Directory Integration Assistant to upload the Additional Configuration Information file.
When you install or reconfigure the Oracle Password Filter for Microsoft Active Directory, you may see the following errors on the command line:
User created failed Delete failed failed
The preceding errors occur when the default password that is used to reconfigure the Oracle Password Filter for Microsoft Active Directory does not meet the password policy requirements of the Microsoft Active Directory domain. To resolve this issue, create a file named password.txt in the directory where you installed the Oracle Password Filter for Microsoft Active Directory. Add to the password.txt file a single line containing a password that meets the password policy requirements of the Microsoft Active Directory domain. To secure the password.txt file, set its file permissions so that only administrative users can access it. Note that the password stored in the password.txt file does not represent a major security risk because its sole purpose is to create and then delete a user to test connectivity between the Oracle Password Filter and Microsoft Active Directory.
In multimaster replication, the last change number is stored locally on an Oracle Internet Directory node. In a high availability environment, if that node fails, and the provisioning profile is moved to another Oracle Internet Directory node, then the last applied change number in the profile becomes invalid. That number in the profile must then be reset manually on the failover node. Even then, however, events may not be propagated or may be duplicated.
After configuring Oracle Directory Integration Platform from Oracle Enterprise Manager, the ConnectDescriptor property for the Oracle Directory Integration Platform target in the targets.xml file is assigned a blank value. Perform the following steps to assign the appropriate database connect descriptor to the ConnectDescriptor property:
On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/network/admin/tnsnames.ora file in a text editor.
Note the database connect descriptor in the tnsnames.ora file. For example, in the following tnsnames.ora entry, the database connect descriptor is the value assigned to the ASDB net service name:
ASDB = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com) (PORT = 1521)))(CONNECT_DATA = (SERVICE_NAME = database.mycompany.com)))
The database connect descriptor in the preceding entry is the following value:
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com) (PORT = 1521)))(CONNECT_DATA = (SERVICE_NAME = database.mycompany.com)))
On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.
Search for the target with a type of oracle_eps_server and a name attribute of iasinstance_name_DIP.
In the entry, locate the ConnectDescriptor property and assign to it the database connect descriptor from the tnsnames.ora file.
Execute the following commands to restart Oracle Enterprise Manager:
$ORACLE_HOME/bin/emctl stop iasconsole
$ORACLE_HOME/bin/emctl start iasconsole
Follow the directions in the Oracle Identity Management Integration Guide to restart Oracle Directory Integration Platform.
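The descriptor copy in the procedure above, as an added example that is not code from these release notes or from Oracle: a Python script that pulls the parenthesised descriptor for a net service name out of tnsnames.ora by matching parentheses (so multi-line entries and nested ADDRESS_LIST blocks work), then sets it on the ConnectDescriptor property of the oracle_eps_server target in targets.xml, refusing to overwrite a value that is already non-blank. The Target/Property element names and their TYPE, NAME and VALUE attributes, and both sample files, are assumptions for the example; only the ASDB entry and the property name come from the page.

```python
"""Copy a tnsnames.ora connect descriptor into the ConnectDescriptor property
of the DIP target (TYPE oracle_eps_server) in targets.xml."""
import re
import xml.etree.ElementTree as ET
from typing import Optional


def extract_connect_descriptor(tnsnames_text: str, alias: str) -> str:
    """Return the parenthesised descriptor assigned to `alias`, collapsed to
    a single line. Parentheses are matched by depth; '#' comment lines are
    skipped so a commented-out entry is never picked up."""
    text = "\n".join(line for line in tnsnames_text.splitlines()
                     if not line.lstrip().startswith("#"))
    m = re.search(r"^[ \t]*" + re.escape(alias) + r"[ \t]*=\s*", text,
                  re.IGNORECASE | re.MULTILINE)
    if m is None or m.end() >= len(text) or text[m.end()] != "(":
        raise KeyError(f"no descriptor for alias {alias!r}")
    start, depth = m.end(), 0
    for pos in range(start, len(text)):
        if text[pos] == "(":
            depth += 1
        elif text[pos] == ")":
            depth -= 1
            if depth == 0:
                return re.sub(r"\s+", " ", text[start:pos + 1]).strip()
    raise ValueError(f"unbalanced parentheses in entry {alias!r}")


def _find_target(root: ET.Element, target_type: str, name: str) -> ET.Element:
    for target in root.iter("Target"):
        if target.get("TYPE") == target_type and target.get("NAME") == name:
            return target
    raise KeyError(f"no Target TYPE={target_type} NAME={name}")


def get_connect_descriptor(targets_xml: str, dip_target_name: str) -> Optional[str]:
    target = _find_target(ET.fromstring(targets_xml), "oracle_eps_server", dip_target_name)
    for prop in target.findall("Property"):
        if prop.get("NAME") == "ConnectDescriptor":
            return prop.get("VALUE")
    return None


def set_connect_descriptor(targets_xml: str, dip_target_name: str, descriptor: str) -> str:
    """Return targets.xml with the DIP target's ConnectDescriptor filled in.
    A non-blank existing value is left alone and reported, so a working
    descriptor is never clobbered by a re-run."""
    root = ET.fromstring(targets_xml)
    target = _find_target(root, "oracle_eps_server", dip_target_name)
    for prop in target.findall("Property"):
        if prop.get("NAME") == "ConnectDescriptor":
            if prop.get("VALUE", "").strip():
                raise ValueError("ConnectDescriptor already set: " + prop.get("VALUE"))
            prop.set("VALUE", descriptor)
            # For the real file use ET.ElementTree(root).write(path, xml_declaration=True)
            return ET.tostring(root, encoding="unicode")
    raise KeyError("DIP target has no ConnectDescriptor property")


# Constructed tnsnames.ora with the page's ASDB entry split over several lines.
SAMPLE_TNSNAMES = """\
# Oracle Net service names (constructed sample)
ASDB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = database.mycompany.com)
    )
  )
"""

# Constructed targets.xml fragment with the blank property the page describes.
SAMPLE_TARGETS_XML = """\
<Targets>
  <Target TYPE="oracle_eps_server" NAME="iasinst.host.mycompany.com_DIP">
    <Property NAME="ConnectDescriptor" VALUE=""/>
    <Property NAME="OracleHome" VALUE="/u01/app/oracle/product/10.1.4"/>
  </Target>
</Targets>
"""

if __name__ == "__main__":
    desc = extract_connect_descriptor(SAMPLE_TNSNAMES, "ASDB")
    print(set_connect_descriptor(SAMPLE_TARGETS_XML, "iasinst.host.mycompany.com_DIP", desc))
```

Back up targets.xml before writing the result, and restart the console and the integration platform as the procedure says; the agent reads the file only at start.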
The Oracle Password Filter for Microsoft Active Directory stores operational information in the Windows registry. Before installing or configuring the Oracle Password Filter for Microsoft Active Directory, Oracle strongly recommends that you perform the following steps to secure the Windows registry:
Create a text file named orclidmpwf.txt that contains the following line. The bracketed numbers are regini access-class codes: 1, 5, and 17 grant Full Access to Administrators, Creator Owner, and System respectively, and because no other principal is listed, only those three principals can read or change the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\orclidmpwf [1 5 17]
Click the Windows Start menu and select Run. The Run dialog box displays.
Enter cmd in the Run dialog box and click OK. The command prompt window opens.
Run the following command to secure the Windows registry:
regini path\orclidmpwf.txt
where path is the directory in which you saved orclidmpwf.txt.
Type exit and press Enter to close the command prompt window.
If more than 10 attributes are to be synchronized from the source directory, the synchronization fails with the exception DIP_GEN_CREATECHG_EXCEPTION. To resolve this issue, apply Patch 5710021.
If a domain editing rule exists, deletions are not synchronized unless all the attributes required by the domain construct rule are specified as required in the mapping file. Even when those attributes are specified as required, the dn value is not constructed, because the required attributes are not retrieved from the source directory. To resolve this issue, apply Patch 6263156.
If you specify modrdn as the change type when synchronizing between Oracle Internet Directory and Sun Java System Directory, an exception is raised in the Sun Java System Directory stack trace file. To resolve this issue, apply Patch 6263156.
When synchronizing with Active Directory, eDirectory, or OpenLDAP, the SearchDeltaSize parameter is ignored. To resolve this issue, apply Patch 5913124.
In some cases, add operations are not synchronized and synchronization fails with an "objcls is NULL" message in the trace file. To resolve this issue, apply Patch 6319399.
This section describes administration issues and their workarounds for Oracle Directory Integration Platform. It includes the following topics:
In deployments with only a single domain of Microsoft Active Directory, you can simplify the default mapping rule installed with Oracle Directory Integration Platform.
The default mapping rule is:
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname
If your deployment has a single domain of Active Directory, then you can simplify the default mapping rule to this:
sAMAccountName: : :user:orclSAMAccountName::orclADUser
If you use time-based change log purging with version 3.0 provisioning profiles, change log entries are purged before the Oracle directory integration platform propagates the changes to any provisioning-integrated applications. This occurs because Oracle Directory Integration Platform does not create version 3.0 provisioning profile entries in the default change log subscriber container, cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.
To resolve this problem, create a container in the default change log subscriber container for each version 3.0 provisioning profile and assign a value of 0 to each profile's orclLastAppliedChangeNumber attribute. The following sample LDIF file creates a provisioning profile container in the default change log subscriber container and assigns a value of 0 to the orclLastAppliedChangeNumber attribute:
dn: cn=profile_name,cn=changelog subscriber,cn=oracle internet directory
orclsubscriberdisable: 0
orcllastappliedchangenumber: 0
objectclass: orclChangeSubscriber
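The LDIF above, generalized to any number of profiles, as an added example that is not code from these release notes or from Oracle: a Python script that emits one subscriber container per profile in the shape shown, escaping the profile name for use in an RDN (RFC 4514) and switching to base64 LDIF syntax (RFC 2849) when a value is not a safe ASCII string, and skipping names that differ from an earlier one only in case, since DNs compare case-insensitively. The profile names it is fed are constructed for the example.

```python
"""Generate the change log subscriber entries that version 3.0 provisioning
profiles need, one per profile, with DN and LDIF escaping done correctly."""
import base64
from typing import Iterable

SUBSCRIBER_CONTAINER = "cn=changelog subscriber,cn=oracle internet directory"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4):
    the characters " + , ; < > \\ anywhere, a leading space or '#', a trailing
    space, and NUL."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or base64 'attr:: ...' when the value is not a
    SAFE-STRING per RFC 2849 (non-ASCII, leading space/':'/'<', NUL, CR or LF)."""
    safe = (value.isascii()
            and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\x00\r\n"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def subscriber_entry(profile_name: str) -> str:
    """LDIF for one profile's container, shaped like the page's sample."""
    dn = f"cn={escape_rdn_value(profile_name)},{SUBSCRIBER_CONTAINER}"
    return "\n".join([
        ldif_line("dn", dn),
        "orclsubscriberdisable: 0",
        "orcllastappliedchangenumber: 0",  # start at 0 so no change is purged unseen
        "objectclass: orclChangeSubscriber",
    ]) + "\n"


def subscriber_ldif(profile_names: Iterable[str]) -> str:
    """All entries separated by blank lines. DNs are case-insensitive, so a
    name differing only in case from an earlier one would be a duplicate add."""
    seen, entries = set(), []
    for name in profile_names:
        if name.lower() in seen:
            continue
        seen.add(name.lower())
        entries.append(subscriber_entry(name))
    return "\n".join(entries)


# Constructed profile names, including one with an RDN special character.
SAMPLE_PROFILES = ["PortalProfile", "Sales, EMEA", "portalprofile"]

if __name__ == "__main__":
    print(subscriber_ldif(SAMPLE_PROFILES), end="")
```

Load the output with ldapadd against the directory, as you would the page's sample file.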
If the Oracle directory integration server and the Oracle Internet Directory LDAP server are installed on different computers, then the Oracle Internet Directory field is unavailable in the Oracle Identity Manager Grid Control Plug-in. Perform the following steps to resolve this issue:
On the computer that is running the Oracle Internet Directory LDAP server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.
Search for the target with a type of oracle_ldap and note the value assigned to the name attribute. This value is typically in the form iasinstance_name_LDAP.
On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.
Search for the target with a type of oracle_eps_server and a name attribute of iasinstance_name_DIP.
In the entry, locate the ASSOC_TARGET_NAME attribute beneath the AssocTargetInstance node. The value assigned to the ASSOC_TARGET_NAME attribute will be in the form iasinstance_name_LDAP.
Assign to the ASSOC_TARGET_NAME attribute the same value that is assigned to the name attribute of the oracle_ldap target in the targets.xml file on the computer that is running the Oracle Internet Directory LDAP server.
Synchronization from Novell eDirectory or OpenLDAP to Oracle Internet Directory fails when the Oracle Internet Directory container is within the default realm. To resolve this issue, perform the following steps to create the necessary ACLs:
Create a new file in a text editor.
Enter the following statements, which add the registered Oracle directory integration server instance to the cn=odipgroup,cn=odi,cn=oracle internet directory group. Be sure to replace host with the host name (without the domain name) of the computer that is running the Oracle directory integration server.
dn: cn=odipgroup,cn=odi,cn=oracle internet directory
changetype: modify
add: uniquemember
uniquemember: cn=odisrv+orclhostname=host,cn=registered instances,cn=directory integration platform,cn=products,cn=oraclecontext
Save the file as reconacls.ldif.
Run the following command to upload the reconacls.ldif file (note that a password supplied with -w is visible to other local users in the process list while the command runs and is recorded in the shell history):
$ORACLE_HOME/bin/ldapmodify -h OID_host -p OID_port -D "DN of privileged OID user" -w "password of privileged OID user" -v -f reconacls.ldif