25 Oracle Internet Directory

This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:

25.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

25.1.1 Cloned Oracle Internet Directory Instance Fails or Runs Slowly

In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.

This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.

The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.

For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:

  • Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)

  • Deploying Enterprise Manager agents in different Oracle Virtual Machines

To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:

  1. Set the required environment variables. For example:

    export ORACLE_INSTANCE=/u01/oid/oid_inst
    export ORACLE_HOME=/u01/oid/oid_home
    export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$PATH
    export TNS_ADMIN=$ORACLE_INSTANCE/config
    
  2. Connect to the Oracle Database and delete the entries with the undesired Oracle Internet Directory host names. For example, in the following queries, substitute the undesired host name for sourceHostname:

    sqlplus ods@oiddb
    delete from ods_shm where nodename like '%sourceHostname%';
    delete from ods_shm_key where nodename like '%sourceHostname%';
    delete from ods_guardian where nodename like '%sourceHostname%';
    delete from ods_process_status where hostname like '%sourceHostname%';
    commit;
    
  3. Stop and then restart the cloned Oracle Internet Directory component. For example:

    opmnctl stopproc ias-component=oid1
    opmnctl startproc ias-component=oid1
    
  4. Find the cn entries with the undesired Oracle Internet Directory host names. For example:

    ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
    "cn=subregistrysubentry" -s sub "objectclass=*" dn
    cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
    cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
    cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
    
  5. From the results in the previous step, remove the entries with the undesired host names. For example:

    ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password
    "cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry"
    ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password
    "cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry"
    
  6. Verify that the undesired host names are removed. For example:

    ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
    "cn=subregistrysubentry" -s sub "objectclass=*" dn
    cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
    

See Also:

"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.

25.1.2 Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM

Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM): 5.11 11.1 sun4v sparc sun4v

As a workaround for this problem, set the following values, as shown in the next procedure:

  • Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.

  • Set the orclecachemaxsize attribute to less than the project.max-locked-memory and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.

In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":

  1. Log in to the Solaris SPARC system as the root user.

  2. Check the project membership of the OID user.

    If the OID user belongs to the default project:

    1. Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:

      # id -p oracle
      uid=2345(oracle) gid=529(dba) projid=3(default)
      # projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
      # usermod -K project=oidmaxlkmem oracle
      
    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:

      # su - oracle
      
      $ id -p oracle
      uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
      
      $ prctl -n project.max-locked-memory -i project 150
      project: 150: oidmaxlkmem
      NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
      project.max-locked-memory
              privileged      2.00GB      -   deny                             -
              system          16.0EB    max   deny                             -
      

    If the OID user belongs to a non-default project:

    1. Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:

      # id -p oracle
      uid=2345(oracle) gid=529(dba) projid=125(oraproj)
      
      # projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
      
    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:

      # projects -l oraproj
      oraproj
              projid : 125
              comment: ""
              users  : (none)
              groups : (none)
              attribs: project.max-locked-memory=(priv,2147483648,deny)
                       project.max-shm-memory=(priv,34359738368,deny)
      
      # su - oracle
      $ id -p
      uid=2345(oracle) gid=529(dba) projid=125(oraproj)
      
      $ prctl -n project.max-locked-memory -i project 125
      project: 125: oraproj
      NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
      project.max-locked-memory
              privileged      2.00GB      -   deny                             -
              system          16.0EB    max   deny                             -
      
  3. Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.

    For example, using SQL*Plus, set the value to 256 MB:

    sqlplus ods@oiddb
    update ds_attrstore set attrval='256m'
      where entryid=940 and attrname='orclecachemaxsize';
    commit;
    
  4. Run the config.sh script to configure Oracle Internet Directory.
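As an added check for the two sizing rules at the top of this section (not part of the release notes or of Oracle's tooling), the following Python example parses pagesize -a output and the k/m/g size notation used in the procedure, then reports whether a proposed orclecachemaxsize value is strictly below project.max-locked-memory and aligned with a supported page size. The sample page-size list is constructed, and reading "aligns with the OS supported page sizes" as "is a multiple of the largest supported page size that fits inside the value" is this example's interpretation.

```python
# Constructed sample of `pagesize -a` output; not captured from a real system.
SAMPLE_PAGESIZE_OUTPUT = "8192\n65536\n4194304\n268435456\n"

_SUFFIX_BYTES = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Parse a size such as '256m', '2G' or '2147483648' into a byte count.

    Upper- and lower-case k/m/g suffixes are accepted, matching the notation
    used for orclecachemaxsize and project.max-locked-memory in the procedure.
    """
    value = text.strip().lower()
    if value and value[-1] in _SUFFIX_BYTES:
        return int(value[:-1]) * _SUFFIX_BYTES[value[-1]]
    return int(value)


def parse_pagesizes(pagesize_output):
    """Turn the one-number-per-line output of `pagesize -a` into a sorted list."""
    return sorted(int(line) for line in pagesize_output.split())


def check_ecache_size(ecache, max_locked, pagesizes):
    """Return a list of problems with an orclecachemaxsize / max-locked-memory pair.

    An empty list means both constraints from the workaround hold:
      1. orclecachemaxsize is strictly less than project.max-locked-memory;
      2. each value is a multiple of the largest supported page size that fits
         inside it (this example's reading of "aligns with the page sizes").
    """
    ecache_bytes, locked_bytes = parse_size(ecache), parse_size(max_locked)
    problems = []
    if ecache_bytes >= locked_bytes:
        problems.append(
            f"orclecachemaxsize {ecache} is not less than project.max-locked-memory {max_locked}"
        )
    for name, nbytes in (("orclecachemaxsize", ecache_bytes),
                         ("project.max-locked-memory", locked_bytes)):
        fitting = [p for p in pagesizes if p <= nbytes]
        if not fitting:
            problems.append(f"{name} is smaller than the smallest page size {min(pagesizes)}")
        elif nbytes % max(fitting) != 0:
            problems.append(f"{name} ({nbytes} bytes) is not a multiple of page size {max(fitting)}")
    return problems


if __name__ == "__main__":
    sizes = parse_pagesizes(SAMPLE_PAGESIZE_OUTPUT)
    for candidate in ("256m", "300m", "2g"):
        print(candidate, "->", check_ecache_size(candidate, "2G", sizes) or "ok")
```

Replace SAMPLE_PAGESIZE_OUTPUT with the actual pagesize -a output of the target system; a non-empty result explains which of the two rules the proposed values break before you change the ds_attrstore row in step 3.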

25.1.3 Custom Audit Policy Settings Fail When Set Through Enterprise Manager

If you set custom Audit Policy Settings for Oracle Internet Directory through 11g Oracle Enterprise Manager Fusion Middleware Control and select audit Custom events with Failures Only, no audit logs are generated and the audit process for failure events fails. Subsequently, other audit events are not logged later, even if the Audit Policy Settings are changed to a different value such as Low, Medium, or High.

To make auditing function again through Enterprise Manager, select a default policy or a policy with custom events other than All Failures and then recycle the Oracle Internet Directory server processes.

Alternatively, you can set custom audit policies using LDAP command-line tools such as ldapmodify. For more information, see Section 23.4, "Managing Auditing from the Command Line" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

25.1.4 Deleting Mandatory attributeTypes Referenced by objectClass is Successful

If you delete a mandatory attributeTypes definition from the Oracle Internet Directory schema while an objectClass in the schema still references it, no error is returned and the attributeTypes definition is deleted successfully. This problem also affects a DN entry created using an objectClass that requires the mandatory attributeTypes: when the attributeTypes is deleted from the schema, the mandatory attribute is missing from the DN entry without any notice.

25.1.5 Oracle Unified Directory 11.1.2.0 orclguid Attribute is Not Mapped for Server Chaining

If you configure Oracle Internet Directory server chaining for Oracle Unified Directory 11.1.2.0 and then search for users, the orclguid attribute is missing from the search results.

The orclguid attribute is missing because Oracle Unified Directory uses the iplanet default mapping (cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry), and the default iplanet mapping does not have orclguid mapped.

25.1.6 ODSM is Not Displaying Online Help Correctly in Internet Explorer 11

In Internet Explorer 11, the Oracle Directory Services Manager (ODSM) online Help does not display properly. Instead of showing the left pane with the navigation tree and the right pane with the Help contents, ODSM displays only links.

25.1.7 ODSM Browser Window Becomes Unusable

Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.

As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.

25.1.8 Bulkmodify Might Generate Errors

If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.

25.1.9 Turkish Dotted I Character is Not Handled Correctly

Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.

25.1.10 OIDCMPREC Might Modify Operational Attributes

By default, the oidcmprec tool excludes operational attributes during comparison. That is, oidcmprec does not compare the values of operational attributes in the source and destination directory entries. During reconciliation of user-defined attributes, however, operational attributes might be changed.

25.1.11 OIDREALM Does Not Support Realm Removal

The oidrealm tool supports creation, but not deletion, of a realm. A procedure for deleting a realm is provided in Note 604884.1, which is available on My Oracle Support at https://support.oracle.com/.

25.1.12 Apply Patch to Oracle Database 11.2.0.1.0 to Fix Purge Job Problem

If you use Oracle Database 11.2.0.1.0 with Oracle Internet Directory, apply Patch 9952216 (11.2.0.1.3 PSU) to the Oracle Database after you install Oracle Internet Directory.

Without the patch, a purge jobs operation does not function properly, and these symptoms can occur:

  • Oracle Internet Directory change logs do not get purged, and the purge log shows ORA-23421 errors.

  • Executing change log purge jobs with orclpurgenow set to 1 hangs.

25.1.13 SQL of OPSS ldapsearch Might Take High %CPU

The SQL behind an OPSS one-level ldapsearch operation with the filter "orcljaznprincipal=value" and required attributes might consume an unreasonably high percentage of database CPU. If the performance of this search affects the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:

  1. Log in to the Oracle Database as user ODS and execute the following SQL:

    BEGIN
    DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS',
                                  TABNAME=>'CT_ORCLJAZNPRINCIPAL',
                                  ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE,
                                  CASCADE=>TRUE);
    END;
    /
    
  2. Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.

25.1.14 If you Start the Replication Server by Using the Command Line, Stop it Using the Command Line

If you start the replication server by using the command line, stop it by using the command line. If you attempt to stop it by using Oracle Enterprise Manager Fusion Middleware Control, the attempt fails.

See Also:

Note 1313395.1 on My Oracle Support (formerly MetaLink): https://support.oracle.com

25.1.15 ODSM Problems in Internet Explorer 7

The ODSM interface might not appear as described in Internet Explorer 7.

For example, the Logout link might not be displayed.

If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.

25.2 Configuration Issues and Workarounds

This section describes configuration issues and workarounds. It includes the following topic:

25.2.1 Re-Create Wallet After Moving Oracle Internet Directory from Test to Production

If you configure Oracle Internet Directory to use SSL in server authentication mode or mutual authentication mode on your test machine, and then move Oracle Internet Directory to a production machine, re-create the Oracle Internet Directory wallet on the production machine.

The old wallet contains the host name of the original machine as the DN in the certificate. This host name in the DN is not changed during the test to production move. Re-create the wallet on the production machine to avoid SSL communication issues.

25.3 Documentation Errata

This section describes documentation errata. It includes the following topics:

25.3.1 Description of the orclrevpwd Attribute Needs Clarification

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the description of the orclrevpwd attribute in the "Managing Password Verifiers" chapter needs clarification. The "Introduction to Password Verifiers for Authenticating to the Directory" section should include the following information.

Oracle Internet Directory stores the user password in a reversible encrypted format in the orclrevpwd configuration attribute. The orclrevpwd attribute is generated only if the orclpwdencryptionenable attribute in the password policy entry is set to 1.

The orclrevpwd attribute is maintained securely within Oracle Internet Directory server and cannot be queried, even if you modify the attribute's access control policies (ACIs). Oracle Directory Integration Platform, however, is allowed to query the orclrevpwd attribute so that password synchronization can function.

25.3.2 LDAP Commands Do Not Support the -k|-K Option

In the Oracle Fusion Middleware Reference for Oracle Identity Management, Chapter 3, "Oracle Internet Directory Data Management Tools," documents the -k|-K option for LDAP commands. However, this option is not valid for the LDAP commands and should not be used.

25.3.3 Description of the orclOIDSCExtGroupContainer Attribute Needs Clarification

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the description of the orclOIDSCExtGroupContainer attribute in the "Configuring Server Chaining" chapter needs clarification.

The description states that this attribute "is optional if the external user container and the external group container are the same." However, the attribute is required, and the description should include the following information:

If the external user container and the external group container are the same (that is, groups in the external directory server are stored in the same container as the users), the value for the orclOIDSCExtGroupContainer attribute must be the same as the value used for the user container (orclOIDSCExtUserContainer attribute).

25.3.4 Setting Up LDAP Replication Needs Clarification

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Chapter 40, "Setting Up Replication," does not document the following requirements.

To set up replication for a directory that has more than 100,000 entries, you must use the command-line tools (ldifwrite and bulkload). Use the Replication Wizard in Oracle Enterprise Manager Fusion Middleware Control (automatic bootstrapping method) only for a directory that has fewer than 100,000 entries.

If you have a deployment with a combination of Oracle Internet Directory 10g nodes and 11gR1 nodes, replication from the 10g node to an 11gR1 node must be set up before replication between the 11gR1 nodes is set up. For example, consider a deployment as follows:

  • Two Oracle Internet Directory 10g nodes with a supplier node and consumer node

  • Two new Oracle Internet Directory 11gR1 nodes (nodes 1 and 2) with LDAP multimaster replication

To set up replication for this deployment:

  1. Set up LDAP one-way replication from one of the 10g nodes to 11gR1 node 1.

  2. Set up replication bootstrap (if fewer than 100,000 entries) and then start the replication server on 11gR1 node 1. (If the directory has more than 100,000 entries, use the command-line tools.)

  3. When the replication is complete, set up LDAP multimaster replication between 11gR1 node 1 and node 2.

  4. Set up the replication bootstrap (if fewer than 100,000 entries) on 11gR1 node 2 and then start the replication server.

25.3.5 Password Expired Response Control is Not Documented

Neither the Oracle Fusion Middleware Reference for Oracle Identity Management nor the Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management documents the Oracle Internet Directory password expired response control:

  • Object Identifier: 2.16.840.1.113894.1.8.20

  • Name: OID_PWDEXPIRED_CONTROL

  • Description: Password policy control. The response control that the server sends when the password has expired, there are no grace logins remaining, and the client sends a request control.

25.3.6 Configuring the SSO Server for ODSM Integration Needs Clarification

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 7.4.3, "Configuring the SSO Server for ODSM Integration," does not document that to improve performance for SSO-ODSM integration, you should configure the ODSM URLs as follows:

  • Protected: /odsm/odsm-sso.jsp

  • Unprotected: /odsm/faces/odsm.jspx

  • Excluded: /odsm/.../

Setting the CSS, JavaScript, and graphics (/odsm/.../) files to excluded prevents these files from being validated by Oracle Access Manager, which can improve the performance of your deployment.

25.3.7 Determining Expired Users in Oracle Internet Directory

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not fully explain the concept of expired users and how to determine if a user is in the expired state.

In some situations, you might want to determine expired users and then take a specific action, such as deleting those users from the directory.

Note:

Oracle Internet Directory expired users are not indicated by a specific attribute. An expired user is in a transient state that depends on the system time, the maximum inactive time allowed, and the user's last successful login time. The expired state is determined during a bind or password compare operation for the user.

To determine the expired users, your Oracle Internet Directory deployment must be configured as follows:

  • The tracking of each user's last successful login time must be enabled by setting the orclPwdTrackLogin attribute to 1.

  • The orclpwdmaxinactivitytime attribute must be set to a value other than 0 (the default). This attribute specifies the inactive time in seconds before a user's account is automatically considered to be expired.

To determine if a user's account is considered to be expired:

  1. Determine the time stamp of the user's last successful login from the orcllastlogintime attribute.

  2. Subtract the user's orcllastlogintime value from the current system time. If the result is greater than the orclpwdmaxinactivitytime value, then the user is considered to be in the expired state.

  3. If you wish, delete the expired user from the directory.
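The three steps above, carried out over a set of user entries, as an added Python example that is not part of these release notes or of Oracle's tooling. The entries are constructed, the attribute names (orcllastlogintime, orclpwdmaxinactivitytime) are the ones named in this section, and the assumption that orcllastlogintime is stored as an LDAP GeneralizedTime value in the UTC "Z" form (for example 20240101120000Z) is this example's. Users with no recorded login time are reported separately rather than treated as expired, because their idle time cannot be computed; the optional step 3 is rendered as LDIF for ldapmodify so the deletions can be reviewed before they are applied.

```python
from datetime import datetime, timezone

# Constructed sample entries (not exported from a real directory); only the
# attribute this check needs is shown.
SAMPLE_USERS = {
    "cn=alice,cn=users,dc=example,dc=com": {"orcllastlogintime": "20240101120000Z"},
    "cn=bob,cn=users,dc=example,dc=com": {"orcllastlogintime": "20240301120000Z"},
    # No orcllastlogintime: no successful bind since orclPwdTrackLogin was enabled.
    "cn=carol,cn=users,dc=example,dc=com": {},
}


def parse_generalized_time(value):
    """Convert an LDAP GeneralizedTime string in the UTC 'Z' form (assumed here
    to be how orcllastlogintime is stored), e.g. 20240101120000Z, into an
    aware datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime ending in Z: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify_users(entries, max_inactivity_seconds, now):
    """Apply steps 1 and 2 to every entry.

    Returns three lists of DNs: expired (idle for longer than
    orclpwdmaxinactivitytime), active, and undetermined (no orcllastlogintime
    recorded, so the idle time cannot be computed). Raises if
    orclpwdmaxinactivitytime is 0, because inactivity expiry is then disabled
    and the procedure does not apply.
    """
    if max_inactivity_seconds <= 0:
        raise ValueError("orclpwdmaxinactivitytime must be set to a value other than 0")
    expired, active, undetermined = [], [], []
    for dn, attrs in entries.items():
        last_login = attrs.get("orcllastlogintime")
        if last_login is None:
            undetermined.append(dn)
            continue
        idle_seconds = (now - parse_generalized_time(last_login)).total_seconds()
        (expired if idle_seconds > max_inactivity_seconds else active).append(dn)
    return expired, active, undetermined


def delete_ldif(dns):
    """Step 3 rendered as LDIF for ldapmodify: one 'changetype: delete' record per DN."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)


if __name__ == "__main__":
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed so the run is reproducible
    sixty_days = 60 * 24 * 3600                       # an orclpwdmaxinactivitytime of 60 days
    expired, active, undetermined = classify_users(SAMPLE_USERS, sixty_days, now)
    print("expired:", expired)
    print("active:", active)
    print("undetermined (review by hand):", undetermined)
    print(delete_ldif(expired), end="")
```

In a real run, the entries come from an ldapsearch for orcllastlogintime, max_inactivity_seconds from the orclpwdmaxinactivitytime value of the password policy that applies to those users, and now from the system clock of the directory server, since the expired state is evaluated against that clock.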

For more information, see the "Managing Password Policies" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

25.3.8 New Superuser Account Must be Direct Member of DirectoryAdminGroup Group

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 12.6, "Creating Another Account With Superuser Privileges," does not mention that a new superuser account must be a direct member of the DirectoryAdminGroup group to use all Oracle Directory Services Manager (ODSM) features.

To use all ODSM features including the Security and Advanced tabs, a new superuser account must be a direct member of the DirectoryAdminGroup group. The new superuser account cannot be a member of a group that is in turn a member of the DirectoryAdminGroup group. In this configuration, the superuser would be able to access only the ODSM Home, Schema, and Data Browser tabs.

25.3.9 SSL Authentication Mode 1 and Anonymous SSL Ciphers Need Clarification

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the first bullet of the note in Section 27.1.3, "SSL Authentication Modes," mentions that you must have at least one Oracle Internet Directory server instance configured for the default authentication mode and anonymous SSL ciphers. This statement is true only for specific deployments.

The first bullet of the note should be revised as follows:

  • By default, the SSL authentication mode is set to 1 (encryption only, no authentication).

    If you are using Oracle Delegated Administration Services 10g or other client applications such as legacy versions of Oracle Forms and Oracle Reports that expect to communicate with Oracle Internet Directory on an encrypted SSL port configured for anonymous SSL ciphers, then at least one Oracle Internet Directory server instance must be configured for this default authentication mode.

    Otherwise, authentication mode 1 and anonymous SSL ciphers are not required for Oracle Internet Directory to function. The type of SSL ports that are made available and the ciphers that the SSL port will accept depend on your specific deployment requirements.

25.3.10 Documentation of Replication Server Control and Failover is Incomplete

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not fully describe the replication server (oidrepld) process control and failover in an Oracle Maximum Availability Architecture (MAA), including how to enable failover by setting the orclfailoverenabled attribute.

The orclfailoverenabled attribute is an OID Monitor configuration entry ("cn=configset,cn=oidmon,cn=subconfigsubentry") that configures failover.

This attribute specifies the failover time in minutes before the OID Monitor will start failed processes on a surviving node. The default failover time is 5 minutes. A value of zero (0) disables failover for Oracle Internet Directory processes.

Additional information is provided in Note 1538250.1, which is available on My Oracle Support at:

https://support.oracle.com/

See Also:

The "Understanding Process Control of Oracle Internet Directory Components" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

25.3.11 Server Restart After Adding an Encrypted Attribute is Not Documented

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that if you add an encrypted attribute to the list of sensitive attributes, you must restart the Oracle Internet Directory server instance for the new attribute to be added to the new list of sensitive attributes and recognized by the server.

Note:

The attributes in Table 28-1 "Sensitive Attributes Stored in orclencryptedattributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory are intended for use only by Oracle. Do not add to or modify the attributes shown in this table unless you are requested to do so by Oracle Support.

For more information, see the "Configuring Data Privacy" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

25.3.12 PASSWORD_VERIFY_FUNCTION Must be Set to NULL to Work with RCU is Not Documented

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that for Oracle Internet Directory to work with the Repository Creation Utility (RCU) for Oracle database version 11.2.x, the default PASSWORD_VERIFY_FUNCTION clause in the database must be set to NULL (which is the default value).

25.3.13 Setting Up Oracle Internet Directory SSL Mutual Authentication

Neither the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory nor the Oracle Fusion Middleware Administrator's Guide describes how to set up Oracle Internet Directory SSL Client and Server Authentication. This information is provided in Note 1311791.1, which is available on My Oracle Support at:

https://support.oracle.com/

25.3.14 Replication Instructions in Tutorial for Identity Management are Incomplete

In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information.

Specifically, the instructions do not work unless the new consumer node is empty.

For more information, see Section 40.1.7, "Rules for Configuring LDAP-Based Replication," in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.