Oracle® Application Server Release Notes 10g (10.1.4.0.1) for Solaris Operating System (x86) and Solaris Operating System (x86-64), Part Number B32092-01
This chapter describes the issues associated with Oracle Directory Integration Platform. It includes the following topics:
This section describes configuration issues and their workarounds for Oracle Directory Integration Platform. It includes the following topics:
For import and export synchronization with OpenLDAP and for export synchronization to Sun Java System Directory, if you are using domain-level mapping during synchronization and synchronizing attributes that contain the dn values then you must modify the mapping rules. For example, to synchronize groups with domain-level mappings, you must modify the mappings for member, uniquemember, and owner entries, which typically contain dn values.
If you plan to create the synchronization profiles using the express configuration operation of the Directory Integration Assistant, then perform the following steps:
Open in a text editor the mapping file for the third-party directory with which you will synchronize:
OpenLDAP export synchronization: $ORACLE_HOME/ldap/odi/samples/openldapexp.domainmap.master
OpenLDAP import synchronization: $ORACLE_HOME/ldap/odi/samples/openldapimp.domainmap.master
Sun Java System Directory export synchronization: $ORACLE_HOME/ldap/odi/samples/iplanetexp.domainmap.master
Modify the contents of the preceding mapping files for the third-party directory with which you are synchronizing so they read as follows:
member: : :groupofnames:member: :groupofnames: dnconvert(member)
uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames: dnconvert(uniquemember)
owner: : :groupofuniquenames:owner: :groupofuniquenames: dnconvert(owner)
If you have already created synchronization profiles for a third-party directory, then perform the following steps:
Open in a text editor the import and export mapping files for the third-party directory with which you are synchronizing.
Modify the contents of the import and export synchronization mapping files so they read as follows:
member: : :groupofnames:member: :groupofnames: dnconvert(member)
uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames: dnconvert(uniquemember)
owner: : :groupofuniquenames:owner: :groupofuniquenames: dnconvert(owner)
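Because a mapping file that copies member, uniquemember or owner values without dnconvert() fails silently until group synchronization breaks, it is worth checking the file before uploading a profile. The following is an added example, not code from the Oracle release notes or from Oracle Directory Integration Platform; it assumes the colon-separated rule layout shown above (eight fields, the last being the optional mapping expression) and an "AttributeRules" section header in the .master file, and its sample mapping text is constructed.

```python
"""Flag dn-valued attribute rules in a DIP mapping file that lack dnconvert().

Added example, not Oracle's code.  Assumes the colon-separated rule layout
shown on this page (eight fields, the last being the optional mapping
expression) and an "AttributeRules" section header.  Sample text is constructed.
"""

# Attributes the page names as typically carrying dn values.
DN_VALUED_ATTRS = {"member", "uniquemember", "owner"}

# Constructed sample in the style of openldapexp.domainmap.master.
SAMPLE_MAPPING = """\
DomainRules
cn=groups,dc=example,dc=com:cn=groups,dc=example,dc=com
AttributeRules
cn: : :groupofnames:cn: :groupofnames:
member: : :groupofnames:member: :groupofnames:
uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames: dnconvert(uniquemember)
owner: : :groupofuniquenames:owner: :groupofuniquenames:
"""


def parse_rule(line):
    """Split one attribute rule into eight stripped fields; the rule field may be empty."""
    fields = [f.strip() for f in line.split(":", 7)]
    return fields + [""] * (8 - len(fields))


def attribute_rules(text):
    """Yield (line_no, line) for non-empty lines inside the AttributeRules section."""
    in_attrs = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in ("AttributeRules", "DomainRules"):
            in_attrs = line == "AttributeRules"
            continue
        if in_attrs:
            yield n, line


def needs_dnconvert(fields):
    """True when the source attribute is dn-valued but the rule is not dnconvert(...)."""
    return (fields[0].lower() in DN_VALUED_ATTRS
            and not fields[7].lower().startswith("dnconvert("))


def find_unconverted(text):
    """Return [(line_no, source_attr)] for rules that would copy dn values unconverted."""
    return [(n, parse_rule(line)[0])
            for n, line in attribute_rules(text)
            if needs_dnconvert(parse_rule(line))]


def fix_rule(line):
    """Rewrite one rule so its expression is dnconvert(<source attribute>); else unchanged.

    Only the trailing rule field is replaced, so the spacing of the other
    fields is preserved exactly as the file had it.
    """
    fields = parse_rule(line)
    if not needs_dnconvert(fields):
        return line
    head = line.rsplit(":", 1)[0] if line.count(":") >= 7 else line
    return "%s: dnconvert(%s)" % (head, fields[0])


def fix_mapping(text):
    """Return the mapping text with every dn-valued rule wrapped in dnconvert()."""
    bad_lines = {n for n, _ in find_unconverted(text)}
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        out.append(fix_rule(raw.strip()) if n in bad_lines else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, attr in find_unconverted(SAMPLE_MAPPING):
        print("line %d: %s is dn-valued but not wrapped in dnconvert()" % (n, attr))
    print(fix_mapping(SAMPLE_MAPPING))
```

Run against a real .master file before creating the profile with the express configuration; the rewritten rule for member is byte-for-byte the line shown above, because only the last field is touched.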
This error occurs because the file size of the Additional Configuration Information file for Synchronization Profiles cannot exceed 4 KB. To resolve this issue, perform the following steps to change the type of the OrclODIPAgentConfigInfo attribute from DirectoryString to Binary:
Run the following command to start Oracle Directory Manager:
oidadmin
In the navigator pane, expand Oracle Internet Directory Servers, and then expand the directory server instance.
Select Schema Management. The Schema Management tab pages appear in the right pane.
In the right pane, select Attributes.
Click the Name column to order the attributes alphabetically.
Locate and select the OrclODIPAgentConfigInfo attribute, and then click Edit.
Change the Syntax option from DirectoryString to Binary, and then click OK.
Use Directory Integration Assistant to upload the Additional Configuration Information file.
When you install or reconfigure the Oracle Password Filter for Microsoft Active Directory, you may see the following errors on the command line:
User created failed Delete failed failed
The preceding errors occur when the default password that is used to reconfigure the Oracle Password Filter for Microsoft Active Directory does not meet the password policy requirements of the Microsoft Active Directory domain. To resolve this issue, create a file named password.txt in the directory where you installed the Oracle Password Filter for Microsoft Active Directory. Add to the password.txt file a single line containing a password that meets the password policy requirements of the Microsoft Active Directory domain. To secure the password.txt file, set its file permissions so that only administrative users can access it. Note that the password stored in the password.txt file does not represent a major security risk because its sole purpose is to create and then delete a user to test connectivity between the Oracle Password Filter and Microsoft Active Directory.
In multimaster replication, the last change number is stored locally on an Oracle Internet Directory node. In a high availability environment, if that node fails, and the provisioning profile is moved to another Oracle Internet Directory node, then the last applied change number in the profile becomes invalid. That number in the profile must then be reset manually on the failover node. Even then, however, events may not be propagated or may be duplicated.
After configuring Oracle Directory Integration Platform from Oracle Enterprise Manager, the ConnectDescriptor property for the Oracle Directory Integration Platform target in the targets.xml file is assigned a blank value. You must perform the following steps to assign the appropriate database connect descriptor to the ConnectDescriptor property:
On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/network/admin/tnsnames.ora file in a text editor.
Note the database connect descriptor information in the tnsnames.ora file. For example, the database connect descriptor information in the following tnsnames.ora file is the value assigned to the ASDB property:
ASDB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = database.mycompany.com)
    )
  )
The database connect descriptor in the preceding statement is the following value:
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com)(PORT = 1521)))(CONNECT_DATA = (SERVICE_NAME = database.mycompany.com)))
On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.
Search for the target with a type of oracle_eps_server and a name attribute of iasinstance_name_DIP.
In the entry, locate the ConnectDescriptor property and assign to it the database connect descriptor information from the tnsnames.ora file.
Execute the following commands to restart Oracle Enterprise Manager:
$ORACLE_HOME/bin/emctl stop iasconsole
$ORACLE_HOME/bin/emctl start iasconsole
Follow the directions in the Oracle Identity Management Integration Guide to restart Oracle Directory Integration Platform.
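Copying the descriptor by hand is where parentheses get dropped, and an unbalanced value in targets.xml is only noticed when the target shows as down. The following is an added example, not Oracle's own tooling: it extracts the alias's descriptor from tnsnames.ora by parenthesis matching, rejects an unbalanced entry, and writes the result into the ConnectDescriptor property. It assumes targets.xml uses <Target TYPE=".." NAME=".."> elements with <Property NAME=".." VALUE=".."/> children, as the steps above describe, and both sample files in it are constructed.

```python
"""Copy a tnsnames.ora connect descriptor into the DIP target's ConnectDescriptor.

Added example, not Oracle's own tooling.  Assumes targets.xml uses
<Target TYPE=".." NAME=".."> with <Property NAME=".." VALUE=".."/> children.
Both sample files are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample tnsnames.ora, laid out on several lines as the file usually is.
SAMPLE_TNSNAMES = """\
ASDB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = database.mycompany.com)
    )
  )
"""

# Constructed sample targets.xml with the blank ConnectDescriptor the page describes.
SAMPLE_TARGETS_XML = """\
<Targets>
  <Target TYPE="oracle_eps_server" NAME="myinst.host.mycompany.com_DIP">
    <Property NAME="ConnectDescriptor" VALUE=""/>
  </Target>
</Targets>
"""


def connect_descriptor(tnsnames_text, alias):
    """Return the balanced '(DESCRIPTION = ...)' value of alias as a single line."""
    m = re.search(r"^[ \t]*%s[ \t]*=\s*" % re.escape(alias), tnsnames_text, re.M | re.I)
    if m is None:
        raise KeyError("no entry for alias %s" % alias)
    depth, start = 0, None
    for i in range(m.end(), len(tnsnames_text)):
        ch = tnsnames_text[i]
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return _one_line(tnsnames_text[start:i + 1])
            if depth < 0:
                break
    # Falling through means the entry never closed (or closed too early).
    raise ValueError("unbalanced parentheses in entry %s" % alias)


def _one_line(descriptor):
    """Collapse whitespace: one line, no blanks around ')' or between ')('."""
    s = re.sub(r"\s+", " ", descriptor)
    s = re.sub(r"\s*\)", ")", s)
    s = re.sub(r"\(\s*", "(", s)
    return re.sub(r"\)\s+\(", ")(", s)


def _dip_property(root, target_name, prop_name):
    """Locate a Property element on the named oracle_eps_server target."""
    for target in root.iter("Target"):
        if target.get("TYPE") == "oracle_eps_server" and target.get("NAME") == target_name:
            for prop in target.findall("Property"):
                if prop.get("NAME") == prop_name:
                    return prop
    raise LookupError("no %s property on oracle_eps_server target %s" % (prop_name, target_name))


def get_connect_descriptor(targets_xml_text, target_name):
    root = ET.fromstring(targets_xml_text)
    return _dip_property(root, target_name, "ConnectDescriptor").get("VALUE")


def set_connect_descriptor(targets_xml_text, target_name, descriptor):
    """Return targets.xml text with ConnectDescriptor on the named DIP target set."""
    root = ET.fromstring(targets_xml_text)
    _dip_property(root, target_name, "ConnectDescriptor").set("VALUE", descriptor)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    desc = connect_descriptor(SAMPLE_TNSNAMES, "ASDB")
    print(set_connect_descriptor(SAMPLE_TARGETS_XML, "myinst.host.mycompany.com_DIP", desc))
```

The single-line form produced for the ASDB sample is exactly the descriptor shown above; write the result back to targets.xml only after ET.tostring has succeeded, and then restart the console as the steps describe.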
The Oracle Password Filter for Microsoft Active Directory stores operational information in the Windows registry. Before installing or configuring the Oracle Password Filter for Microsoft Active Directory, Oracle strongly recommends that you perform the following steps to secure the Windows registry:
Create a text file named orclidmpwf.txt that contains the following text:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\orclidmpwf [1 5 17]
Click the Windows Start menu and select Run. The Run dialog box displays.
Enter cmd in the Run dialog box and click OK. The command prompt window opens.
Run the following command to secure the Windows registry:
regini path\orclidmpwf.txt
Type exit and press Enter to close the command prompt window.
This section describes administration issues and their workarounds for Oracle Directory Integration Platform. It includes the following topics:
In deployments with only a single domain of Microsoft Active Directory, you can simplify the default mapping rule installed with Oracle Directory Integration Platform.
The default mapping rule is:
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname
If your deployment has a single domain of Active Directory, then you can simplify the default mapping rule to this:
sAMAccountName: : :user:orclSAMAccountName::orclADUser
If you use time-based change log purging with version 3.0 provisioning profiles, change log entries are purged before the Oracle directory integration platform propagates the changes to any provisioning-integrated applications. This occurs because Oracle Directory Integration Platform does not create version 3.0 provisioning profile entries in the default cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory change log subscriber container.
To resolve this problem, create a container in the default change log subscriber container for each version 3.0 provisioning profile and assign a value of 0 to each profile's orclLastAppliedChangeNumber attribute. The following sample LDIF file creates a provisioning profile container in the default change log subscriber container and assigns a value of 0 to the orclLastAppliedChangeNumber attribute:
dn: cn=profile_name,cn=changelog subscriber,cn=oracle internet directory
orclsubscriberdisable: 0
orcllastappliedchangenumber: 0
objectclass: orclChangeSubscriber
If the Oracle directory integration server and the Oracle Internet Directory LDAP server are installed on different computers, then the Oracle Internet Directory field is unavailable in the Oracle Identity Manager Grid Control Plug-in. Perform the following steps to resolve this issue:
On the computer that is running the Oracle Internet Directory LDAP server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.
Search for the target with a type of oracle_ldap and note the value assigned to the name attribute. This value is typically in the form iasinstance_name_LDAP.
On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.
Search for the target with a type of oracle_eps_server and a name attribute of iasinstance_name_DIP.
In the entry, locate the ASSOC_TARGET_NAME attribute beneath the AssocTargetInstance node. The value assigned to the ASSOC_TARGET_NAME attribute will be in the form iasinstance_name_LDAP.
Assign to the ASSOC_TARGET_NAME attribute the same value that is assigned to the name attribute of the oracle_ldap target in the targets.xml file on the computer that is running the Oracle Internet Directory LDAP server.
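The mismatch above is easy to miss because both names have the same iasinstance_name_LDAP shape and differ only in the instance and host part. The following is an added example, not Oracle's own tooling, that compares the two files and rewrites the association; it assumes the same targets.xml layout the steps describe (a <Target TYPE=".." NAME=".."> element with an <AssocTargetInstance ASSOC_TARGET_NAME=".."/> child), and both sample files are constructed to reproduce the two-host case.

```python
"""Check that the DIP target's ASSOC_TARGET_NAME names the oracle_ldap target on the OID host.

Added example, not Oracle's tooling.  Assumes <Target TYPE=".." NAME="..">
with an <AssocTargetInstance ASSOC_TARGET_NAME=".."/> child.  Samples constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: targets.xml from the computer running the OID LDAP server.
LDAP_HOST_TARGETS = """\
<Targets>
  <Target TYPE="oracle_ldap" NAME="oidinst.oidhost.mycompany.com_LDAP"/>
</Targets>
"""

# Constructed: targets.xml from the computer running the DIP server, whose
# association still names an LDAP target that exists only on the DIP host.
DIP_HOST_TARGETS = """\
<Targets>
  <Target TYPE="oracle_eps_server" NAME="dipinst.diphost.mycompany.com_DIP">
    <AssocTargetInstance ASSOC_TARGET_NAME="dipinst.diphost.mycompany.com_LDAP"/>
  </Target>
</Targets>
"""

DIP_TARGET = "dipinst.diphost.mycompany.com_DIP"


def ldap_target_name(ldap_host_xml):
    """Return the NAME of the single oracle_ldap target on the OID host."""
    root = ET.fromstring(ldap_host_xml)
    names = [t.get("NAME") for t in root.iter("Target") if t.get("TYPE") == "oracle_ldap"]
    if len(names) != 1:
        raise LookupError("expected one oracle_ldap target, found %d" % len(names))
    return names[0]


def _assoc_element(root, dip_name):
    """Locate the AssocTargetInstance node beneath the named oracle_eps_server target."""
    for t in root.iter("Target"):
        if t.get("TYPE") == "oracle_eps_server" and t.get("NAME") == dip_name:
            assoc = t.find("AssocTargetInstance")
            if assoc is None:
                raise LookupError("target %s has no AssocTargetInstance node" % dip_name)
            return assoc
    raise LookupError("no oracle_eps_server target named %s" % dip_name)


def assoc_target_name(dip_host_xml, dip_name):
    return _assoc_element(ET.fromstring(dip_host_xml), dip_name).get("ASSOC_TARGET_NAME")


def mismatch(dip_host_xml, dip_name, ldap_host_xml):
    """Return (current, expected) when the association is wrong, else None."""
    current = assoc_target_name(dip_host_xml, dip_name)
    expected = ldap_target_name(ldap_host_xml)
    return None if current == expected else (current, expected)


def repoint_assoc_target(dip_host_xml, dip_name, ldap_name):
    """Return the DIP host's targets.xml text with ASSOC_TARGET_NAME set to ldap_name."""
    root = ET.fromstring(dip_host_xml)
    _assoc_element(root, dip_name).set("ASSOC_TARGET_NAME", ldap_name)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    m = mismatch(DIP_HOST_TARGETS, DIP_TARGET, LDAP_HOST_TARGETS)
    if m:
        print("ASSOC_TARGET_NAME is %s, should be %s" % m)
        print(repoint_assoc_target(DIP_HOST_TARGETS, DIP_TARGET, m[1]))
```

Copy the OID host's targets.xml to the DIP host (or read it over the network) and feed both files in; the check refuses to guess when the OID host's file lists zero or several oracle_ldap targets.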
Synchronization from Novell eDirectory or OpenLDAP to Oracle Internet Directory fails when the Oracle Internet Directory container is within the default realm. To resolve this issue, perform the following steps to create the necessary ACLs:
Create a new file in a text editor.
Enter the following statements, which add the Oracle Internet Directory container to the cn=odipgroup,cn=odi,cn=oracle internet directory group. Be sure to replace host with the host name (without the domain name) that is running the Oracle directory integration server.
dn: cn=odipgroup,cn=odi,cn=oracle internet directory
changetype: modify
add: uniquemember
uniquemember: cn=odisrv+orclhostname=host,cn=registered instances,cn=directory integration platform,cn=products,cn=oraclecontext
Save the file as reconacls.ldif.
Run the following command to upload the reconacls.ldif file:
$ORACLE_HOME/bin/ldapmodify -h OID_host -p OID_port -D "DN of privileged OID user" -w "password of privileged OID user" -v -f reconacls.ldif