This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 38.1.3, "Turkish Dotted I Character is Not Handled Correctly"
Section 38.1.4, "OIDCMPREC Might Modify Operational Attributes"
Section 38.1.6, "Do Not Use Replication Wizard to Change the Primary Replica"
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
As a workaround, go to the URL http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.
Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.
By default, the oidcmprec tool excludes operational attributes during comparison. That is, oidcmprec does not compare the operational attribute values in the source and destination directory entries. During reconciliation of user-defined attributes, however, operational attributes might be changed.
The oidrealm tool supports creation, but not deletion, of a realm. A procedure for deleting a realm is provided in Note 604884.1, which is available on My Oracle Support at https://support.oracle.com/.
If you want to change the primary replica in LDAP-based multimaster replication, do not use the Change Primary option in the Fusion Middleware Control replication wizard. Instead, use the command line tool remtool, as follows:
remtool -pchgmaster -multimaster
See Also:
The "Oracle Internet Directory Replication Management Tools" chapter in Oracle Fusion Middleware User Reference for Oracle Identity Management for more information about remtool.
This section describes configuration issues and workarounds. It includes the following topics:
If you configure Oracle Internet Directory to use SSL in server authentication mode or mutual authentication mode on your test machine, and then move Oracle Internet Directory to a production machine, re-create the Oracle Internet Directory wallet on the production machine.
The old wallet contains the hostname of the original machine as the DN in the certificate. This host name in the DN is not changed during the test to production move. Re-create the wallet on the production machine to avoid SSL communication issues.
This section describes documentation errata. It includes the following topics:
Section 38.3.1, "Function Return Codes for DBMS_LDAP_UTL Functions are Incorrect"
Section 38.3.4, "Use Bulk Tools or LDAP Tools with Replication"
Section 38.3.5, "You Can Start WebLogic Server in the Background"
Section 38.3.6, "The orclldapconntimeout Attribute Must Be Specified in Minutes, not Seconds."
Section 38.3.8, "Database Copy Procedure is Missing Some Details"
Section 38.3.11, "Template File for Setting a Uniqueness Constraint"
Section 38.3.12, "Incorrect Example of Search for Published Naming Contexts"
Section 38.3.13, "None is a Valid Value for orclcryptoscheme"
Section 38.3.14, "Syntax for ManageHiq.purge and ManageHiq.retry is Incorrect"
Section 38.3.15, "Value for orclplugintype is Incorrect in Plug-in Examples"
In Table 11-61, Function Return Codes, in Chapter 11 of Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management, some of the codes are incorrect and some are missing. The following codes should be removed:
Table 38-1 Function Return Codes

Name | Return Code | Description
---|---|---
ACCT_TOTALLY_LOCKED_EXCEPTION | -14 | Returned by
AUTH_PASSWD_CHANGE_WARN | -15 | This return code is deprecated.
The following codes should be added:
Table 38-2 Function Return Codes

Name | Return Code | Description
---|---|---
ACCT_TOTALLY_LOCKED_EXCEPTION | 9001 | Returned by
PWD_EXPIRED_EXCEPTION | 9000 | Returned by
PWD_EXPIRE_WARN | 9002 | Returned by
PWD_MINLENGTH_ERROR | 9003 | Returned by
PWD_NUMERIC_ERROR | 9004 | Returned by
PWD_NULL_ERROR | 9005 | Returned by
PWD_INHISTORY_ERROR | 9006 | Returned by
PWD_ILLEGALVALUE_ERROR | 9007 | Returned by
PWD_GRACELOGIN_WARN | 9008 | Returned by
PWD_MUSTCHANGE_ERROR | 9009 | Returned by
USER_ACCT_DISABLED_ERROR | 9050 | Returned by
The following statement appears at the beginning of the "DSML Syntax" appendix in the Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management:
Directory Services Mark-up Language (DSML) is deprecated in Oracle Fusion Middleware 11g Release 1 (11.1.1) and might not be supported in future releases.
The statement is incorrect. Please ignore it.
In the ldifwrite section of the "Oracle Internet Directory Data Management Tools" chapter in Oracle Fusion Middleware User Reference for Oracle Identity Management, several examples use the option file. This is incorrect. The option is actually ldiffile. For example:

ldifwrite connect="nldap" basedn="ou=Europe, o=imc, c=us" ldiffile="output1.ldif"

ldifwrite connect="nldap" basedn="cn=includednamingcontext000001, \
cn=replication namecontext,orclagreementid=000001, \
orclreplicaid=node replica identifier,cn=replication configuration" \
ldiffile="output2.ldif"
The following note appears in the bulkload sections of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Oracle Fusion Middleware User Reference for Oracle Identity Management:

"NOTE: If a directory server instance is participating in a replication agreement, do not use the bulkload tool to add data into the node. Instead, use ldapadd."
This note is incorrect. You can use either bulk tools or LDAP tools, depending on the circumstances. The following rules apply when you add data to a node that is part of a directory replication group (DRG).

When you add new entries to all nodes in the DRG, you can use either bulk tools or LDAP tools. For more than 20K entries, bulk tools are significantly faster. If you use LDAP tools, add the entries to only one node in the DRG and let replication propagate the entries. If you use bulk tools, generate the intermediate file only once from the LDIF file and use that intermediate file to load the entries onto all the nodes in the DRG.

When you copy existing entries from one node to another in the same replication group, use bulk tools. Use the bulkload option restore=true when you upload the data.

If the LDIF file contains operational attributes, which it does when created with ldifwrite, use bulkload to add the entries.

If the replication agreement is a partial replication agreement, use ldifwrite with the base DN set to the replication agreement DN to write the entries to the LDIF file. Then use bulkload with the restore=true option to load the data.
The "Starting and Stopping the Oracle Stack" appendix to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory includes the following command for starting the WebLogic Administration Server:

MW_HOME/user_projects/domains/DOMAIN_NAME/bin/startWebLogic.sh \
SERVER_NAME {ADMIN_URL}

If you start the Oracle WebLogic Administration Server from the command line as shown, it runs in the foreground and prints output to the screen. You can, however, run the server in the background by using nohup at the beginning of the command line. This sends all output to the file nohup.out and prevents the script from prompting you for USER_NAME and PASSWORD. To pass parameters to StartWebLogic.sh when using nohup, you can use a boot identity file, as described in the "Starting and Stopping Servers" chapter of Oracle Fusion Middleware Managing Server Startup and Shutdown for Oracle WebLogic Server.
In Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Table 9-5, Configuration Attributes on Server Properties Page, Performance Tab, incorrectly describes LDAP Idle Connection Timeout as being specified in seconds. Actually, this field, and the corresponding attribute, orclldapconntimeout, must be specified in minutes.
The same error occurs in Table 18-7, "Configuration Attributes on Server Properties Page, Performance Tab," in the Oracle Internet Directory chapter of Oracle Fusion Middleware Performance and Tuning Guide.
In Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management, Section 1.1, the third bullet item:
Oracle Directory Integration Services
Should be:
Oracle Directory Synchronization Services
Some details are missing from Appendix L, "Adding a Directory Node by Using the Database Copy Procedure," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Step 13g says:

If you have performed a database copy from a node that has Advanced replication configured with another node, you must delete the LDAP_REP replication group in the new node. To do so, execute the following command:

sqlplus rep_admin_db_account_name/password
SQL> exec dbms_repcat.drop_master_repgroup( gname => 'LDAP_REP' )
SQL> shutdown immediate

Before you perform that step, first execute the following commands:

sqlplus / as sysdba
SQL> exec dbms_defer_sys.delete_tran(null,null);
SQL> exec dbms_defer_sys.delete_error(null,null);
SQL> exec dbms_repcat.purge_master_log(null,null,null);

Step 14 says:

Copy the initialization parameter file initLDAP.ora from the sponsor node (rst-sun) to the new node under the UNIX directory $ORACLE_HOME/dbs using FTP or another appropriate tool. Ensure that the contents of the copied file initLDAP.ora are valid after copying.

In addition, also copy the file orclpwORACLE_SID (the database password file) from the sponsor node to the new node.

Step 28b says:

Start up Oracle Internet Directory and the replication server on all the nodes, including the new node and the sponsor node.

Use the following command to start the replication server:

oidctl connect=nldap server=OIDREPLD instance=1 \
flags="-p new_node_port -h new_node_host" start

In addition, also execute resumeasr or oidrrsme.sql.
Section 12.5, "Creating Another Account With Superuser Privileges," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory is misleading and contains a command-line error. It should say the following:

The Superuser, cn=orcladmin, gets its privileges from membership in several privileged groups. You can query for those groups by using the following ldapsearch command:

ldapsearch -h host -p port -D "cn=orcladmin" -q -b "" -L \
-s sub "(|(uniquemember=cn=orcladmin)(member=cn=orcladmin))" dn

To create a second account with Superuser privilege, create another user entry that belongs to the same groups. Also add the user as a member of the group cn=directoryadmingroup,cn=oracle internet directory.

After you have created additional users with Superuser privileges, you no longer need to use cn=orcladmin to administer Oracle Internet Directory. The privileged accounts should be sufficient. The attribute orclsuname, however, must have the value cn=orcladmin.

Section 12.6, "Managing the Superuser by Using ldapmodify," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, describes how to modify the Superuser's name and password. The information about changing the password is correct. You should never change the Superuser's name, however. The value of orclsuname must remain cn=orcladmin.
Section 17.4, "Managing an Attribute Uniqueness Constraint Entry by Using the Command Line," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory refers to a nonexistent template file called uniquenessConstraint.ldif. The file should look like this:

# Use this LDIF file to set up a uniqueness constraint on the nickname
# attribute within the user search base.
# Before running the script, change the following parameters in the LDIF file.
# <userid_attribute> - Specify the name of the attribute that holds the user
# id. This value should be the same as the orclcommonusernickname attribute
# configured for the realm.
# <dn_of_user_search_base> - Specify the user search base in which the
# uniqueness constraint should be enforced.
#
dn: cn=<userid_attribute>,cn=unique,cn=common,cn=Products,cn=OracleContext
changetype: add
objectclass: orclUniqueConfig
orcluniqueattrname: <userid_attribute>
orcluniquesubtree: <dn_of_user_search_base>
orcluniqueenable: 1

Use the ldapmodify tool to set up the uniqueness constraint, as follows:

ldapmodify -p oid_port -h oid_host -D cn=orcladmin \
-q -f UniquenessConstraint.ldif
In Section 11.2, "Searching for Published Naming Contexts," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the ldapsearch command line is incorrect. It should be:

ldapsearch -p 3060 -q -D cn=orcladmin -b "" -s base -L "objectclass=*" \
namingcontexts
Note:
This command will not return anything unless naming contexts have been published.

Section 29.1.2, "Hashing Schemes for Creating Userpassword Verifiers," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, should contain the value None, which is valid as a value for orclcryptoscheme. When orclcryptoscheme is set to None, passwords are stored in cleartext.
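As an added example (not from these release notes or from Oracle's tools), the following Python audits an ldifwrite export offline for the two points made above: userpassword values stored without a {scheme} prefix, which is what orclcryptoscheme set to None produces, and whether a second administrative account holds every group membership that gives cn=orcladmin its privileges, plus cn=directoryadmingroup. The sample LDIF, the user cn=jsmith and the group cn=OracleDASCreateUser are constructed for the example.

```python
import base64

# Constructed sample in the shape ldifwrite produces; not data from a real directory.
SAMPLE_LDIF = """\
dn: cn=orcladmin
userpassword: {SSHA}constructedhashvalue

dn: cn=jsmith,cn=users,dc=example,dc=com
userpassword:: Y2xlYXItdGV4dC1wdw==

dn: cn=OracleDASCreateUser,cn=groups,cn=OracleContext
uniquemember: cn=orcladmin
uniquemember: cn=jsmith,cn=users,
 dc=example,dc=com

dn: cn=directoryadmingroup,cn=oracle internet directory
uniquemember: cn=orcladmin
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding continuation lines
    (leading space) and decoding base64 values written as 'attr:: ...'."""
    entries, attrs, lines = [], {}, []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                     # folded line continues the previous one
        elif raw == "":
            for line in lines:
                name, _, value = line.partition(":")
                if value.startswith(":"):            # base64-encoded value
                    value = base64.b64decode(value[1:].strip()).decode()
                attrs.setdefault(name.lower(), []).append(value.strip())
            if lines:
                entries.append((attrs["dn"][0], attrs))
            attrs, lines = {}, []
        else:
            lines.append(raw)
    return entries

def cleartext_password_entries(entries):
    """DNs whose userpassword carries no {SCHEME} prefix, i.e. is stored in the clear."""
    return [dn for dn, a in entries
            for pw in a.get("userpassword", []) if not pw.startswith("{")]

def superuser_group_gaps(entries, candidate_dn, su_dn="cn=orcladmin"):
    """Groups that hold cn=orcladmin (plus the directory admin group) and
    that the candidate account is not yet a member of."""
    def members(a):
        return {m.lower() for m in a.get("uniquemember", []) + a.get("member", [])}
    required = {dn for dn, a in entries if su_dn in members(a)}
    required.add("cn=directoryadmingroup,cn=oracle internet directory")
    by_dn = dict(entries)
    return sorted(g for g in required
                  if candidate_dn.lower() not in members(by_dn.get(g, {})))
```

Run against a real export, an empty result from both functions means no cleartext verifiers were written and the candidate account mirrors the Superuser's group memberships.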
Section 4.1.1, "Syntax for ManageHiq.retry and ManageHiq.purge" in Oracle Fusion Middleware User Reference for Oracle Identity Management contains errors. Specifically, the exec command is missing from the command lines. The syntax is actually as follows:

$ sqlplus /nolog
SQL> connect ods;
Enter password:
SQL> set serveroutput on
SQL> exec ManageHiq.retry(SupplierNode, EqualChgNo, StartChgNo, EndChgNo)
SQL> exit

$ sqlplus /nolog
SQL> connect ods;
Enter password:
SQL> set serveroutput on
SQL> exec ManageHiq.purge(SupplierNode, EqualChgNo, StartChgNo, EndChgNo)
SQL> exit
Section 42.2.1, "Loading and Registering the PL/SQL Program" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Step 2, contains examples of plug-in configuration files. The value for the attribute orclplugintype is specified as configuration. It should be specified as operational.
The "Managing and Monitoring Replication" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not clearly state that you must always deactivate replication before you delete or modify a replication agreement.
The following sections of the chapter should contain that information:
Viewing or Modifying a Replication Setup by Using the Replication Wizard
Deleting an LDAP-Based Replication Agreement by Using the Replication Wizard
Configuring Replication Agreement Attributes by Using ldapmodify
Instructions for activating and deactivating replication are provided in the same chapter, in the section entitled "Activating or Inactivating a Replication Server by Using Fusion Middleware Control."