This appendix lists the major differences between Oracle Internet Directory Release 10g (10.1.4.0.1) and 11g Release 1 (11.1.1). It contains the following topics:
10g Oracle Internet Directory Instance Creation
In 10g (10.1.4.0.1) and earlier releases, configuration information for an instance of Oracle Internet Directory was stored in a configuration set, which had a DN of the form:
cn=configsetN,cn=osdldapd,cn=subconfigsubentry
where N is an integer. You created a new Oracle Internet Directory instance by creating a new configsetN entry and then executing:
oidctl connect=connStr config=N inst=InstNum flags="...." start
to start the instance.
11g Oracle Internet Directory Instance Creation
In 11g Release 1 (11.1.1), the procedure for creating an instance has changed. Configuration information for an Oracle Internet Directory instance now resides in an instance-specific configuration entry, which has a DN of the form
cn=componentname,cn=osdldapd,cn=subconfigsubentry
where componentname is the name of a Oracle Fusion Middleware system component of Type=OID, for example, oid1. You do not manually create an instance-specific configuration entry. Instead, you create a Oracle Fusion Middleware component of Type=OID. Creating the Oracle Internet Directory component automatically generates an instance-specific configuration entry.
Note:
The entry inconfigset0 still exists in 11g, but it is read-only and used to store default attribute values for seeding new instance-specific configuration entries.The first Oracle Internet Directory system component is created during installation. The first Oracle Internet Directory system component, oid1 by default, is created during installation with the Oracle instance name asinst_1 by default. The corresponding configuration entry for this component is cn=oid1,cn=osdldapd,cn=subconfigsubentry. There are two ways to create an additional Oracle Internet Directory instance:
Adding another component of Type=OID by using opmnctl createcomponent. For example:
opmnctl createcomponent -componentType OID \ -componentName componentName -Db_info "DBHostName:Port:DBSvcName" \ -Namespace "dc=domain"
See "Creating an Oracle Internet Directory Component by Using opmnctl" for more information.
Adding an Oracle Internet Directory instance within an existing component of Type=OID by using oidctl add. See "Creating and Starting an Oracle Internet Directory Server Instance by Using OIDCTL" for more information.
The recommended method is to use opmnctl to add a system component. If you create an instance by adding a component with opmnctl, you must use opmnctl or Oracle Enterprise Manager Fusion Middleware Control, not oidctl, to stop and start the instance. See "Starting the Oracle Internet Directory Server by Using opmnctl" and "Starting the Oracle Internet Directory Server by Using Oracle Enterprise Manager Fusion Middleware Control".
You can update the configuration attributes of the instance by using Fusion Middleware Control, LDAP tools, or Oracle Directory Services Manager. See Chapter 9, "Managing System Configuration Attributes."
If you use opmnctl to add a system component with oid2 as the component name, then an additional instance with componentname=oid2 is configured within the given Oracle instance, which is asinst_1 by default. This instance of Oracle Internet Directory can be started and stopped by using the opmnctl command with ias-component=oid2 or by using Fusion Middleware Control. The instance-specific configuration entry for this instance is cn=oid2,cn=osdldapd,cn=subconfigsubentry and the configuration attributes in that entry can be updated to customize the instance. For more information about instance-specific configuration attributes, see "Attributes of the Instance-Specific Configuration Entry".
Note:
You can useoidctl to create an instance if you are running Oracle Internet Directory as a standalone server, not part of a WebLogic domain. When you create an instance with oidctl, you must use oidmon and oidctl to stop and start the instance. An Oracle Internet Directory instance created with oidctl cannot be registered with a WebLogic server, so you cannot use Oracle Enterprise Manager Fusion Middleware Control to manage the instance. See Appendix B, "Managing Oracle Internet Directory Instances by Using OIDCTL."Use oidctl or Oracle Enterprise Manager Fusion Middleware Control to start replication on an instance the first time. After that, opmnctl stops and starts replication when it stops and starts the component. If you must stop and start the Oracle Internet Directory Replication Server for administration purposes, use oidctl or Oracle Enterprise Manager Fusion Middleware Control.
In 11g Release 1 (11.1.1), OIDMON monitors and reports the status of all Oracle Internet Directory processes (dispatcher, directory server, and replication server) to OPMN. This monitoring by OIDMON enables Fusion Middleware Control to report Oracle Internet Directory status accurately.
Oracle Internet Directory configuration information is stored in configuration attributes in the DIT. For a complete listing of configuration attributes, their locations, and procedures for managing them, see Chapter 9, "Managing System Configuration Attributes."
In 10g (10.1.4.0.1), many configurable Oracle Internet Directory attributes resided in the DSE Root and in the configset entry, for example, cn=configset0,cn=osdldapd,cn=subconfigsubentry. In 11g Release 1 (11.1.1), most of these have been moved to the instance-specific configuration entry or the DSA configuration entry.
Most attributes that resided in the instance-specific configuration set at 10g (10.1.4.0.1) are now stored in the instance-specific configuration entry in 11g Release 1 (11.1.1). In addition, some attributes that resided in the DSA configuration entry are now instance-specific and have been moved to the instance-specific configuration entry.
Notes:
During an upgrade to 11g, attributes are created in their new locations with default values. An attribute's value prior to the upgrade is not preserved unless the attribute is in the same location in 11g.
If you manage attributes from the command line, ensure that the DNs specified on the command line or in LDIF files reflect the 11g locations of the attributes.
Table A-1 lists 10g attributes, their locations in 10g and in 11g, and their default values in 11g. In the following table, "Instance Specific" implies that the attribute is located in the instance-specific configuration entry, for example cn=oid1,cn=osdldapd,cn=subconfigsubentry and DSA Config is cn=dsaconfig,cn=configsets,cn=oracle internet directory. Attributes in the DSA Config entry are shared by all Oracle Internet Directory instances and components.
Table A-1 New Locations of 10g Attributes
| Attribute | 10g Location | 11g Location | 11g Default Value |
|---|---|---|---|
|
Root DSE |
Instance Specific |
1 |
|
|
DSA Config |
DSA Config |
0 |
|
|
Root DSE |
Instance Specific |
0 |
|
|
DSA Config |
Instance Specific |
0 |
|
|
Root DSE |
Instance Specific |
511 |
|
|
Root DSE |
Instance Specific |
1 |
|
|
Root DSE |
Instance Specific |
100000 |
|
|
DSA Config |
Instance Specific |
1000000 |
|
|
Root DSE |
Instance Specific |
200000000 |
|
|
Root DSE |
Instance Specific |
1 |
|
|
Root DSE |
Instance Specific |
0 |
|
|
DSA Config |
Instance Specific |
0 |
|
|
Root DSE |
DSA Config |
1 |
|
|
Configset |
Instance Specific |
2 |
|
|
DSA Config |
Instance Specific |
100000 |
|
|
DSA Config |
Instance Specific |
30 |
|
|
Root DSE |
DSA Config |
0 |
|
|
DSA Config |
Instance Specific |
0 |
|
|
DSA Config |
Instance Specific |
100000000 |
|
|
DSA Config |
DSA Config |
2 |
|
|
DSA Config |
DSA Config |
0 |
|
|
Configset |
Instance Specific |
auth-conf |
|
|
Configset |
Instance Specific |
Rc4-56, des, 3des, rc4, rc4-40 |
|
|
Configset |
Instance Specific |
DIGEST MD5, EXTERNAL |
|
|
DSA Config |
Instance Specific |
0 |
|
|
Root DSE |
Instance Specific |
rw |
|
|
Configset |
Instance Specific |
1 |
|
|
Root DSE |
Instance Specific |
10000 |
|
|
DSA Config |
DSA Config |
objectclass |
|
|
DSA Config |
DSA Config |
0 |
|
|
Configset |
Instance Specific |
1 |
|
|
Configset |
Instance Specific |
0 |
|
|
Configset |
Instance Specific |
3 |
|
|
Configset |
Instance Specific |
File: |
|
|
DSA Config |
DSA Config |
||
|
Root DSE |
Instance Specific |
1 |
|
|
Root DSE |
Instance Specific |
0 |
|
|
DSA Config |
Instance Specific |
30 |
|
|
Root DSE |
Instance Specific |
3600 |
|
|
DSA Config |
1 |
During installation of Oracle Internet Directory, Oracle Identity Management 11g Installer follows specific steps in assigning the SSL and non-SSL port. First, it attempts to use 3060 as the non-SSL port. If that port is unavailable, it tries ports in the range 3061 to 3070, then 13060 to 13070. Similarly, it attempts to use 3131 as its SSL port, then ports in the range 3132 to 3141, then 13131 to 13141.
If you want Oracle Internet Directory to use privileged ports, you can override the defaults during installation by using staticports.ini. (See Oracle Fusion Middleware Installation Guide for Oracle Identity Management.) You can also reset the port numbers after installation. See "Enable Oracle Internet Directory to run on Privileged Ports".
Note:
If you perform an upgrade from an earlier version of Oracle Internet Directory to 11g Release 1 (11.1.1), your port numbers from the earlier version are retained.In 10g, you could enable debugging either by using a debug option when you invoked the server or by setting orcldebugflag, which was in the root DSE.
In 11g, you cannot enable debugging by using debug options when you invoke the server. You enable debugging of the directory server by changing the attribute orcldebugflag, which is now in the instance-specific configuration entry, which has a DN of the form:
cn=componentname,cn=osdldapd,cn=subconfigsubentry
You can change orcldebugflag either by using the Server Properties page, Logging tab, in Fusion Middleware Control or by using ldapmodify. For example, you could use the following LDIF file to configure the Oracle Internet Directory instance in system component oid1 for heavy trace debugging.
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry changetype: modify modify: orcldebugflag orcldebugflag: 1
See Chapter 22, "Managing Logging" for more information.
You enable debugging of the replication server by changing the attribute orcldebuglevel in the replication configuration set
Table 39-4, "Replication Configuration Set Attributes" lists and describes the attributes of the replication configuration set, which has the following DN:
cn=configset0,cn=osdrepld,cn=subconfigsubentry
You can use either ldapmodify or the Shared Properties, Replication tab, in Fusion Middleware Control to change orcldebuglevel. See Chapter 39, "Managing Replication Configuration Attributes" for more information.
Most commands now require that the environment variable ORACLE_INSTANCE be set.
New options have been added to opmnctl and oidctl.
Several Oracle Internet Directory administration tools and bulk tools take a connect argument that specifies the Oracle Database to connect to. In 10g, if you did not include a connect argument on the command line, the command would take the value of the environment variable ORACLE_SID by default. In 11g Release 1 (11.1.1), you must use the connect argument to specify the database. Oracle Internet Directory and Oracle Database are not installed in the same ORACLE_HOME, so ORACLE_SID is irrelevant. Therefore, you must use the connect argument to specify the database, for example connect=oiddb.
In Oracle Fusion Middleware 11g Release 1 (11.1.1), files that are updatable are installed under ORACLE_INSTANCE and most product binaries are stored under ORACLE_HOME. As a result, the path names of most configuration files and log files are different than in 10g (10.1.4.0.1). Table A-2 lists some examples:
Table A-2 Some Path Names that Changed
| Filename | 10g (10.1.4.0.1) Location | 11g Release 1 (11.1.1) Location |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Bulkload intermediate files |
|
|
|
|
|
|
|
|
|
|
Oracle Directory Manager and Oracle Internet Directory Grid Control Plug-in no longer exist in 11g Release 1 (11.1.1). They have been replaced by Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control.
See the following sections for more information:
As of release 11g Release 1 (11.1.1), Oracle Internet Directory uses an audit framework that is integrated with Oracle Fusion Middleware.
You can configure auditing by using Oracle Enterprise Manager Fusion Middleware Control or the WebLogic Scripting Tool, wlst.
The attribute orclAudFilterPreset has replaced the audit levels used in 10g (10.1.4.0.1). You can set it to None, Low, Medium, All, or Custom.
There is no longer any need for an Oracle Internet Directory garbage collector.
See Also:
Chapter 21, "Managing Auditing."Referential Integrity has been completely reimplemented. You can configure it from the command line or by using Oracle Enterprise Manager Fusion Middleware Control.
Server chaining now supports Novell eDirectory, as well as Microsoft Active Directory and Sun Java System Directory Server, formerly known as SunONE iPlanet. The attributes mapUIDtoADAttribute, showExternalGroupEntries, showExternalUserEntries, and addOrcluserv2ToADUsers have been added since Oracle Internet Directory 10g (10.1.4.0.1).
You can set up and manage LDAP-based replication by using the replication wizard in Oracle Enterprise Manager Fusion Middleware Control. A separate Replication page enables you to adjust attributes that control the replication server.
You can now use LDAP-based replication for multimaster directory replication groups. You no longer need Oracle Database Advanced Replication-based replication for this purpose. If you want to replicate Oracle Single Sign-On, however, you still must use Oracle Database Advanced Replication-based replication.
In 10g (10.1.4.0.1), the Oracle Directory Integration Platform server was under the control of OIDMON, like the LDAP and replication servers. For 11g Release 1 (11.1.1), Oracle Directory Integration Platform has been reimplemented as a J2EE application, and is started and stopped separately from Oracle Internet Directory servers.
Oracle Fusion Middleware 11g Release 1 (11.1.1) does not include Oracle Single Sign-On or Oracle Delegated Administration Services. Oracle Internet Directory 11g Release 1 (11.1.1), however, is compatible with Oracle Single Sign-On 10g (10.1.4.3.0) or later and Oracle Delegated Administration Services 10g (10.1.4.3.0) or later.
In Oracle Application Server 10g, Java applications ran in instances of Oracle Containers for Java. In the current release, they run in instances of WebLogic. Oracle Directory Services Manager and Oracle Directory Integration Platform are Java components that run in WebLogic managed servers.
The Oracle Internet Directory LDAP and replication servers, as C programs, are system components and are not affected by this change. The Java server plug-ins run in a JVM within the oidldapd server itself. This is implemented using the Java Native Interface (JNI).