Oracle® Application Server Release Notes 10g (10.1.4.0.1) for HP-UX Itanium, Part Number B32101-06
This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
In addition to these release notes, please also see Patch Notes 10g (10.1.4.3.0) and Note 743141.1 Oracle Identity Management 10g (10.1.4.3) Patch Set Notes Addendum for information about Oracle Internet Directory.
This section describes general issues and their workarounds. It includes the following topics:
Section 9.1.2, "Comment Out ACL Attributes Not Defined in the Schema"
Section 9.1.4, "Data Manipulation at Database Level is Not Supported"
If you use standard database backup and restore procedures, such as those performed by the Oracle Application Server Backup and Recovery Tool, you must perform a full database backup after any of the following administrative tasks:
Using the bulkload bulk management tool
Using the catalog bulk management tool
Installing Oracle Internet Directory
Upgrading Oracle Internet Directory to a major release version or patchset
Installing an LDAP application against Oracle Internet Directory, such as Oracle Collaboration Suite, that modifies the cn=catalogs entry to add orclindexedattribute
If you do not perform a full backup after using the bulkload bulk management tool, you might encounter unrecoverable errors when performing a restore. The bulkload utility performs a direct path load, which does not generate redo logs. If you do not perform a full backup after performing a bulkload, and later perform a restore that attempts to apply archived redo logs, you might encounter errors that cannot be fixed.
If you do not perform a full backup after any of the other four tasks, you might encounter recoverable errors when performing a restore. Performing any of those tasks might create indexes with the NOLOGGING option, which means that redo logs are not created for the index. If you do not perform a full backup after one of these operations, and later perform a restore that attempts to apply archived redo logs, you might see errors upon restart of Oracle Internet Directory. Specifically, you would see ORA-1578 and ORA-2640 errors in oidmon.log or oidldapd*.log. In this case, shut down Oracle Internet Directory and recreate all Oracle Internet Directory database indexes by typing:
bulkload connect="conn_str" index="TRUE"
With the 10g (10.1.4.0.1) release, Oracle Internet Directory introduces a new restriction for Access Control Lists (orclaci and orclentrylevelaci attributes). Specifically, you cannot specify attribute names that are not defined in the directory schema. As a result, while adding or migrating entries from previous Oracle Internet Directory releases, the load operation will fail if any entries have ACLs that name attributes not defined in the directory schema.
To avoid this problem, in the LDIF file, comment out any ACLs that have undefined attributes.
For example, the following 10g Release 2 (10.1.2) entry uses undefined attributes (the three attributes named in its attr=(...) list, shown in bold in the original):
orclaci: access to attr=(orclUserApplnProvStatus,orclUserApplnProvStatusDesc, orclUserProvFailureCount) by group="cn=oracledasedituser,cn=groups, cn=OracleContext,dc=us,dc=oracle,dc=com" (read,search,write,compare) by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,dc=us,dc=oracle, dc=com" (read,search,write,compare) by self (read,search,nowrite,compare) by * (none)
To avoid this problem, comment out the entry as follows before loading or verifying the LDIF file:
# orclaci: access to attr=(orclUserApplnProvStatus,orclUserApplnProvStatusDesc,
# orclUserProvFailureCount) by group="cn=oracledasedituser,cn=groups,
# cn=OracleContext,dc=us,dc=oracle,dc=com" (read,search,write,compare) by
# group="cn=oracledascreateuser,cn=groups,cn=OracleContext,dc=us,dc=oracle,
# dc=com" (read,search,write,compare) by self (read,search,nowrite,compare)
# by * (none)
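Commenting out such ACLs by hand is error-prone on a large migration LDIF, so the following added example (not Oracle's code, and not part of these release notes) scans an LDIF file for orclaci and orclentrylevelaci values whose attr=(...) list names attributes missing from an assumed schema attribute set, and comments them out, continuation lines included. The LDIF sample and the KNOWN_ATTRS set are constructed for illustration; in practice the set would be built from the target directory's schema.

```python
import re

# Constructed sample LDIF (not from the release notes). The second orclaci
# names attributes that the assumed schema (KNOWN_ATTRS) does not define,
# and its value is folded onto a continuation line as LDIF allows.
SAMPLE_LDIF = (
    "dn: cn=users,dc=example,dc=com\n"
    "objectclass: top\n"
    "orclaci: access to attr=(cn,sn) by * (read,search,compare)\n"
    "orclaci: access to attr=(orclUserApplnProvStatus,\n"
    " orclUserProvFailureCount) by self (read) by * (none)\n"
)

# Assumption: built from the target directory's schema in real use.
KNOWN_ATTRS = {"cn", "sn", "objectclass", "uid", "mail"}

ATTR_LIST = re.compile(r"attr=\(([^)]*)\)", re.IGNORECASE)

def undefined_attrs(aci_value, known):
    """Return attribute names in the ACL's attr=(...) lists not in `known`."""
    known_lower = {k.lower() for k in known}
    found = []
    for m in ATTR_LIST.finditer(aci_value):
        for name in m.group(1).split(","):
            name = name.strip()
            if name and name != "*" and name.lower() not in known_lower:
                found.append(name)
    return found

def comment_undefined_acls(ldif_text, known):
    """Comment out orclaci/orclentrylevelaci values that reference undefined
    attributes. Returns (rewritten LDIF, number of ACL values commented)."""
    lines = ldif_text.splitlines()
    out, commented, i = [], 0, 0
    while i < len(lines):
        # One logical LDIF line = base line plus any leading-space continuations.
        j = i + 1
        while j < len(lines) and lines[j].startswith(" "):
            j += 1
        physical = lines[i:j]
        logical = physical[0] + "".join(l[1:] for l in physical[1:])
        attr, sep, value = logical.partition(":")
        is_acl = sep and attr.strip().lower() in ("orclaci", "orclentrylevelaci")
        if is_acl and undefined_attrs(value, known):
            out.extend("# " + l for l in physical)
            commented += 1
        else:
            out.extend(physical)
        i = j
    return "\n".join(out) + "\n", commented
```

Run bulkload with check mode first on the rewritten file, then review the commented ACLs so the access rules are re-added once the missing attributes exist in the schema.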
When you add a new directory to a directory replication group, you copy entries from an existing directory to the new directory using the ldifwrite and bulkload tools.
Normally, the easiest way to do this is to specify a replication agreement DN as the basedn argument to ldifwrite. This causes the ldifwrite tool to dump all entries that are replicated by the specified replication agreement. Then you can load the entries into another replicated directory using the bulkload tool.
In release 10g (10.1.4.0.1), this functionality does not work when the replication agreement DN is orclagreementid=000001,cn=replication configuration, which is the DN of an Advanced replication agreement. The workaround is to explicitly specify the DN of the DIT that you want to copy as the base DN argument to ldifwrite.
Use only the documented tools, such as command-line tools, Oracle Directory Manager, and Oracle Enterprise Manager 10g Application Server Control to modify data in Oracle Internet Directory. Do not attempt to change Oracle Internet Directory data directly in the Oracle Database.
This section describes configuration issues and their workarounds. It includes the following topic:
If your server locale is not English, set NLS_LANG to AMERICAN_AMERICA.AL32UTF8 before running bulkload.
This section describes documentation errata. It includes the following topics:
Section 9.3.3, "Errors in oracle.ldap.util.Subscriber.createUser() Documentation"
Section 9.3.4, "Missing Example: How to Decode a Mime-Encoded Header Set by mod_sso"
Section 9.3.5, "Error in Identity Management Grid Control Plug-in Context-Sensitive Help"
Section 9.3.6, "Missing Note: The labeledURI Attribute host:port is for Syntax Purposes Only"
Section 9.3.7, "Missing Example: Listing All the Attributes in the Directory by Using ldapsearch"
Section 9.3.8, "Incorrect Environment Variables in Plug-in Debugging Examples"
Section 9.3.9, "Figure Errors in Replication Concepts Chapter"
Section 9.3.12, "Obsolete Step in SSL Configuration Procedure"
Section 9.3.14, "No Maximum Value Documented for pwdGraceLoginLimit"
Section 9.3.15, "Setting orcldataprivacymode to 1 Prevents OC4J_SECURITY from Starting"
Section 9.3.16, "External Authentication Scripts Have .pls Extension"
Section 9.3.17, "Patch Notes 10g (10.1.4.3.0) Contains Incorrect Instruction to Apply a Patch"
The document links from the Related Documents help pages for Identity Management Grid Control Plug-in and Oracle Internet Directory Server Manageability are broken. Please navigate to the documents from http://www.oracle.com/technology/documentation.
The following command line appears in the HTML version of Appendix I of Oracle Internet Directory Administrator's Guide, Section I.6.2, "Tasks To Be Performed on the New Advanced Replication Node," Step 18:
$> sqlplus rep_admin_db_account_name/password@db_conn_str_of_new_nodeSQL> exec dbms_repcat.drop_master_repgroup( gname => 'LDAP_REP' )
There should be a line break before SQL>. That is, the command should be:
$> sqlplus rep_admin_db_account_name/password@db_conn_str_of_new_node
SQL> exec dbms_repcat.drop_master_repgroup( gname => 'LDAP_REP' )
There are errors in the description of the oracle.ldap.util.Subscriber.createUser() method, in both the Oracle Internet Directory API Reference and the chapter entitled "Using the Java API Extensions to JNDI" in the Oracle Identity Management Application Developer's Guide.
In the description of createUser() in the Oracle Internet Directory API Reference, all instances of the term useMandatoryAttr should be changed to useMandatoryObjectclasses.
The following sentence in the Oracle Internet Directory API Reference is incorrect:
"Objectclasses are automatically picked up and do not need to be included in ModPropertySet."
You must include objectclasses in ModPropertySet when useMandatoryObjectclasses is set to false.
The code sample in the Oracle Internet Directory API Reference contains the line:
User newUser = sub.createUser( ctx, mps, false );
The line should be changed to:
User newUser = sub.createUser( ctx, mps, true );
Otherwise, the code will throw an exception due to the missing objectclass attribute.
Similarly, in the chapter entitled "Using the Java API Extensions to JNDI" in the Oracle Identity Management Application Developer's Guide, the line:
User newUser = sub.createUser( ctx, mps );
should be changed to:
User newUser = sub.createUser( ctx, mps, true );
If the user name or other HTTP header is multibyte and set by mod_osso, then that header must be decoded using mime decoding. The chapter entitled "Developing Applications for Single Sign-On" in the Oracle Identity Management Application Developer's Guide should contain a Java example showing how to do this.
The following code fragment shows how to decode a mime-encoded multibyte user name obtained from a servlet request object:
import javax.mail.internet.MimeUtility;
...
String mimeUserName = request.getRemoteUser();
String userName = MimeUtility.decodeText(mimeUserName);
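The same decoding step in Python, as an added example that is not part of the documentation or of mod_osso: the header value a multibyte name arrives in is an RFC 2047 encoded-word, which is what MimeUtility.decodeText unpacks, while an ASCII name is passed through unencoded, so the decoder must handle both. The sample header values are constructed.

```python
from email.header import decode_header

# Constructed sample values (not from the documentation). The first is the
# encoded-word form a multibyte user name takes in the mod_osso header;
# the second is an ordinary ASCII name that arrives unencoded.
ENCODED_REMOTE_USER = "=?UTF-8?B?SsO8cmdlbg==?="   # "Jürgen" as UTF-8, base64
PLAIN_REMOTE_USER = "jdoe"

def decode_remote_user(raw_header):
    """Decode a possibly MIME-encoded header value into a Python string.

    decode_header yields bytes plus a charset for each encoded word and the
    original str (with charset None) when the value contains no encoded
    words, so unencoded names come back unchanged and the same call is safe
    for both cases.
    """
    parts = []
    for chunk, charset in decode_header(raw_header):
        if isinstance(chunk, bytes):
            # charset is None only for raw 8-bit runs; assume UTF-8 for those
            parts.append(chunk.decode(charset or "utf-8"))
        else:
            parts.append(chunk)
    return "".join(parts)
```

Apply the decoded value, not the raw header, when the name is compared against directory entries or written to audit logs, so that encoded and unencoded forms of the same user are not treated as different identities.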
The Directory Server User Statistics Help page contains the following sentence: "You can add a monitored user to the table by using Oracle Directory Monitor or by using the command line." It should say Oracle Directory Manager instead of Oracle Directory Monitor.
The following note should be added to the section entitled "Schema Elements for Creating a Dynamic Group" in the Dynamic Groups chapter of Oracle Internet Directory Administrator's Guide:
Note:
In the labeledURI attribute, the host:port section is present for syntax purposes alone. Irrespective of the host and port settings in the labeledURI attribute, the directory server always computes the members of a dynamic group from the local directory server. It cannot retrieve members from other directory servers.
This example should be added to the "Directory Entries Administration" chapter in Oracle Internet Directory Administrator's Guide.
Use the following command line to list all the attributes, including those that do not have values:
ldapsearch -b "cn=subschemasubentry" -s base "objectclass=*"
In the "PL/SQL Server Plug-ins" chapter in Oracle Identity Management Application Developer's Guide and the "Oracle Internet Directory Plug-In for Password Policies" chapter in Oracle Internet Directory Administrator's Guide, all pathnames beginning with $ORACLE/ should actually begin with $ORACLE_HOME/.
The chapter entitled "Oracle Internet Directory Replication Concepts" in Oracle Internet Directory Administrator's Guide contains the following errors:
In Figure 29-10, the direction of the arrow labeled 4' should be reversed. Also, four of the numbers in the figure should be changed as shown in Table 9-1.
In the text for Figure 29-12, the sentence beginning with "When Node 4 fails, you can fail over Node 4" should be changed to "When Node 2 fails, you can fail over Node 4."
In the text for Figure 29-14, the excluded subtree, described as cn=user1,cn=hr,c=us, should be cn=users,cn=hr,c=us.
On the first page of the chapter entitled "Backup and Restoration of a Directory" in Oracle Internet Directory Administrator's Guide, the command line in Step 1 is:
ldifwrite connect="connect_string" basedn="naming_context" file="backup.ldif"
It should be:
ldifwrite connect="connect_string" basedn="naming_context" ldiffile="backup.ldif"
In the "Java Server Plug-ins" chapter of Oracle Identity Management Application Developer's Guide, in "Example 2: External Authentication Plug-in for Active Directory," please change:
// Retrieve the Base DN, Attribute and Attribute Value
String bdn = opObj.getBaseDN().substring(0,
    opObj.getBaseDN().lastIndexOf("cn=users,dc=us,dc=oracle,dc=com")-1)
    + ",cn=users,dc=dlin,dc=net";
to:
// Retrieve the Base DN, Attribute and Attribute Value
LdapBaseEntry baseEntry = plgObj.getLdapBaseEntry();
String bdn = baseEntry.getDN().substring(0,
    baseEntry.getDN().lastIndexOf("cn=users,dc=us,dc=oracle,dc=com")-1)
    + ",cn=users,dc=dlin,dc=net";
In the "Secure Sockets Layer (SSL) and the Directory" chapter of Oracle Internet Directory Administrator's Guide, in the section "Configure Oracle Internet Directory for SSL," please delete the following content from Step 13:
On Windows systems, you must perform an extra configuration step. You must change the login account of the Oracle Directory Service from a local system account to the account of the user who owns the wallet. This user must be a member of the Administrator Group. Change the account as follows:
On Windows, choose Start, then Settings, then Control Panel, then Administrative Tools, then Services.
Click PROPERTIES/LOGON.
Change from Local System Account to the account you logged in as when you created the Wallet. Stop and restart the service.
Some attribute definitions listed in the online help for Oracle Directory Manager and in Appendix A of Oracle Internet Directory Administrator's Guide are incorrect. Please refer to Oracle Identity Management User Reference and earlier sections of Oracle Internet Directory Administrator's Guide for attribute definitions and defaults. The following errors have been reported:
Table 9-2 Errors in Oracle Directory Manager Help and Appendix A
Attribute | Correct Definition | Incorrect Definition in Help and Appendix A
---|---|---
Purge Start ( | The time when the garbage collector starts to run. The format is yyyymmddhhmmss. Default value is 12:00 a.m. of the day Oracle Internet Directory is installed. | Time, in seconds, when the Garbage collector runs for the first time. The format is YYYYMMDDHH24MISS. This attribute is optional. The default value is 0, which means that the garbage collector is enabled immediately.
Password Expiry Time ( | The maximum time, in seconds, that a password can be valid. Upon reaching this age, the password is considered to have expired. The default is 10368000 seconds (120 days). | The number of seconds that a given password is valid. If this attribute is not present, or if the value is 0, then the password does not expire. By default, user passwords never expire.
Password Expiration Warning ( | The maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. The default value is 604800 seconds (seven days). | The number of seconds before password expiration that the directory server sends the user a warning. If password expiration is enabled, then, by default, the directory server sends the user a warning three days before the password expires.
No maximum value is specified for pwdGraceLoginLimit in Oracle Internet Directory Administrator's Guide. The maximum value is 250.
Chapter 16 of the Oracle Internet Directory Administrator's Guide, "Privacy of Retrieved Sensitive Attribute," states that you should enable privacy mode by changing the value of orcldataprivacymode from 0 to 1. Doing so, however, prevents OC4J_SECURITY from starting. You should not change the value to 1 if you are using OC4J_SECURITY or Oracle Application Server Single Sign-On.
The "Debugging the External Authentication Plug-in" section of Chapter 34, "Setting Up the Customized External Authentication Plug-in" in Oracle Internet Directory Administrator's Guide refers to the following files under ORACLE_HOME/ldap/admin/:
oidspdsu.sql
oidspdon.sql
oidspdof.sql
oidspdsh.sql
oidspdde.sql
These filenames are incorrect. The files are actually named:
oidspdsu.pls
oidspdon.pls
oidspdof.pls
oidspdsh.pls
oidspdde.pls
There is an error in Section 4.4, "Issues Related to Applying this Patch," in the subsection entitled "To upgrade a Single Sign-On or Oracle Delegated Administration Services cluster."
Step 4 says: "Patch the instance installed in step 1." This step is incorrect and should be ignored.