This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
This section describes general issue and workarounds. It includes the following topics:
Section 23.1.1, "Cloned Oracle Internet Directory Instance Fails or Runs Slowly"
Section 23.1.2, "Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM"
Section 23.1.3, "Custom Audit Policy Settings Fail When Set Through Enterprise Manager"
Section 23.1.4, "Deleting Mandatory attributeTypes Referenced by objectClass is Successful"
Section 23.1.6, "ODSM is Not Displaying Online Help Correctly in Internet Explorer 11"
Section 23.1.8, "In ldapdelete Command -V Should Be The Last Parameter"
Section 23.1.9, "Upgrading from 10.1.2.0.2 Infrastructure to Application Server 11g Infrastructure"
Section 23.1.11, "Turkish Dotted I Character is Not Handled Correctly"
Section 23.1.12, "OIDCMPREC Might Modify Operational Attributes"
Section 23.1.14, "Apply Patch to Oracle Database 11.2.0.1.0 to Fix Purge Job Problem"
Section 23.1.15, "SQL of OPSS ldapsearch Might Take High %CPU"
In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.
This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.
The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.
For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:
Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)
Deploying Enterprise Manager agents in different Oracle Virtual Machines
To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:
Set the required environment variables. For example:
export ORACLE_INSTANCE=/u01/oid/oid_inst
export ORACLE_HOME=/u01/oid/oid_home
export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$PATH
export TNS_ADMIN=$ORACLE_INSTANCE/config
Connect to the Oracle Database and delete the entries with the undesired Oracle Internet Directory host names. For example, in the following queries, substitute the undesired host name for sourceHostname:
sqlplus ods@oiddb
delete from ods_shm where nodename like '%sourceHostname%';
delete from ods_shm_key where nodename like '%sourceHostname%';
delete from ods_guardian where nodename like '%sourceHostname%';
delete from ods_process_status where hostname like '%sourceHostname%';
commit;
Stop and then restart the cloned Oracle Internet Directory component. For example:
opmnctl stopproc ias-component=oid1
opmnctl startproc ias-component=oid1
Find the cn entries with the undesired Oracle Internet Directory host names. For example:
ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b "cn=subregistrysubentry" -s sub "objectclass=*" dn
cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
From the results in the previous step, remove the entries with the undesired host names. For example:
ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password "cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry"
ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password "cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry"
Verify that the undesired host names are removed. For example:
ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b "cn=subregistrysubentry" -s sub "objectclass=*" dn
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
See Also:
"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
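The search and delete steps above select entries by hand. The following added example (not part of the Oracle documentation) filters the dn lines returned by the ldapsearch step down to the entries whose host is not the host the cloned instance really runs on, and builds the matching ldapdelete commands for review before they are run; it assumes cn values have the form component_n_hostname, as in the sample output, and the sample dn lines and OID_ADMIN_PW variable are constructed for the example.

```python
"""Select stale subregistry entries of a cloned OID instance for removal.

Added example, not from the Oracle documentation. It filters the dn lines
returned by the ldapsearch in the procedure above down to the entries whose
host name is not the host the cloned instance really runs on, and builds the
matching ldapdelete commands so they can be reviewed before they are run.
Assumption: cn values have the form <component>_<n>_<hostname>, as in the
sample output (cn=oid1_1_myhost.example.com,...).
"""
import re

# Constructed sample of the dn lines from the ldapsearch step.
SAMPLE_SEARCH_OUTPUT = """\
cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
"""

SUBREGISTRY_DN = re.compile(
    r"^cn=(?P<component>[^_,]+)_(?P<instance>\d+)_(?P<host>[^,]+),"
    r"cn=osdldapd,cn=subregistrysubentry$", re.IGNORECASE)

def stale_subregistry_dns(search_output, local_host):
    """Return the DNs whose host part differs from local_host.
    Host names are compared case-insensitively; lines that do not have the
    <component>_<n>_<host> shape are ignored rather than guessed at."""
    stale = []
    for line in search_output.splitlines():
        match = SUBREGISTRY_DN.match(line.strip())
        if match and match.group("host").lower() != local_host.lower():
            stale.append(line.strip())
    return stale

def ldapdelete_commands(dns, oid_host, oid_port, bind_dn="cn=orcladmin"):
    """Build one ldapdelete command per DN. The bind password is taken from
    the OID_ADMIN_PW environment variable (an assumed name) at run time
    rather than being written into the command line."""
    return [f'ldapdelete -h {oid_host} -p {oid_port} -D {bind_dn} '
            f'-w "$OID_ADMIN_PW" "{dn}"' for dn in dns]

if __name__ == "__main__":
    # Keep the entry for the host this clone runs on; emit deletes for the rest.
    stale = stale_subregistry_dns(SAMPLE_SEARCH_OUTPUT, "myhost.example.com")
    for cmd in ldapdelete_commands(stale, "oid_host", "oid_port"):
        print(cmd)
```

Review the printed commands against the ldapsearch output before running them; the entry for the live host must remain.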
Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM): 5.11 11.1 sun4v sparc sun4v
As a workaround for this problem, set the following values, as shown in the next procedure:
Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.
Set the orclecachemaxsize attribute to less than the project.max-locked-memory value and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.
In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":
Log in to the Solaris SPARC system as the root user.
Check the project membership of the OID user.
If the OID user belongs to the default project:
Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:
# id -p oracle
uid=2345(oracle) gid=529(dba) projid=3(default)
# projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
# usermod -K project=oidmaxlkmem oracle
Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
# su - oracle
$ id -p oracle
uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
$ prctl -n project.max-locked-memory -i project 150
project: 150: oidmaxlkmem
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny                                 -
        system          16.0EB    max   deny                                 -
If the OID user belongs to a non-default project:
Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:
# id -p oracle
uid=2345(oracle) gid=529(dba) projid=125(oraproj)
# projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
# projects -l oraproj
oraproj
        projid : 125
        comment: ""
        users  : (none)
        groups : (none)
        attribs: project.max-locked-memory=(priv,2147483648,deny)
                 project.max-shm-memory=(priv,34359738368,deny)
# su - oracle
$ id -p
uid=2345(oracle) gid=529(dba) projid=125(oraproj)
$ prctl -n project.max-locked-memory -i project 125
project: 125: oraproj
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny                                 -
        system          16.0EB    max   deny                                 -
Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.
For example, using SQL*Plus, set the value to 256 MB:
sqlplus ods@oiddb
update ds_attrstore set attrval='256m' where entryid=940 and attrname='orclecachemaxsize';
commit;
Run the config.sh script to configure Oracle Internet Directory.
If you set custom Audit Policy Settings for Oracle Internet Directory through 11g Oracle Enterprise Manager Fusion Middleware Control and select audit Custom events with Failures Only, no audit logs are generated and the audit process for failure events fails. Subsequently, other audit events are not logged later, even if the Audit Policy Settings are changed to a different value such as Low, Medium, or High.
To make auditing function again through Enterprise Manager, select a default policy or a policy with custom events other than All Failures and then recycle the Oracle Internet Directory server processes.
Alternatively, you can set custom audit policies using LDAP command-line tools such as ldapmodify. For more information, see Section 23.4, "Managing Auditing from the Command Line" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Deleting Mandatory attributeTypes Referenced by objectClass is Successful
If you delete a mandatory attributeTypes under the Oracle Internet Directory schema that is referenced by an objectClass in the schema, no error is returned and the attributeTypes is deleted successfully.
This problem also occurs for a DN entry created using the objectClass that uses the mandatory attributeTypes. The mandatory attribute is missing from the DN entry without any notice when it is deleted from the schema.
orclguid Attribute is Not Mapped for Server Chaining
If you configure Oracle Internet Directory server chaining for Oracle Unified Directory 11.1.2.0 and then search for users, the orclguid attribute is missing from the search results.
The orclguid attribute is missing because Oracle Unified Directory uses the iplanet default mapping (cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry), and the default iplanet mapping does not have orclguid mapped.
In Internet Explorer 11, the Oracle Directory Services Manager (ODSM) online Help does not display properly. Instead of showing the left pane with the navigation tree and the right pane with the Help contents, ODSM displays only links.
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
As a workaround, go to the URL http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
On certain platforms, the ldapdelete command treats everything after -v as a parameter. A typical ldapdelete command looks like this:
ldapdelete -h hostname -p portname -v 's' -D cn=orcladmin -w welcome1
On Linux x86-64 and Microsoft Windows x64, this command works as expected. However, on Solaris Operating System (SPARC 64-Bit), AIX Based Systems (64-Bit), HP-UX PA-RISC (64-Bit), and HP-UX Itanium platforms, the command fails.
Use the -v flag as the last parameter when running the ldapdelete command. For example:
ldapdelete -h hostname -p portname -D cn=orcladmin -w welcome1 -v 's'
If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.
Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.
By default, the oidcmprec tool excludes operational attributes during comparison. That is, oidcmprec does not compare the operational attribute values in source and destination directory entries. During reconciliation of user-defined attributes, however, operational attributes might be changed.
The oidrealm tool supports creation, but not deletion, of a realm. A procedure for deleting a realm is provided in Note 604884.1, which is available on My Oracle Support at https://support.oracle.com/.
If you use Oracle Database 11.2.0.1.0 with Oracle Internet Directory, apply Patch 9952216 (11.2.0.1.3 PSU) to the Oracle Database after you install Oracle Internet Directory:
Without the patch, a purge jobs operation does not function properly, and these symptoms can occur:
Oracle Internet Directory change logs do not get purged, and the purge log shows ORA-23421 errors.
Executing change log purge jobs with orclpurgenow set to 1 hangs.
The SQL of an OPSS one-level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take unreasonably high %DB CPU. If this search performance impacts the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:
Log in to the Oracle Database as user ODS and execute the following SQL:
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS', TABNAME=>'CT_ORCLJAZNPRINCIPAL',
                                ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE, CASCADE=>TRUE);
END;
/
Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.
If you start the replication server by using the command line, stop it by using the command line. If you attempt to stop it by using Oracle Enterprise Manager Fusion Middleware Control, the attempt fails.
See Also:
Note 1313395.1 on My Oracle Support (formerly MetaLink): https://support.oracle.com
The ODSM interface might not appear as described in Internet Explorer 7.
For example, the Logout link might not be displayed.
If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.
This section describes configuration issues and workarounds. It includes the following topic:
If you configure Oracle Internet Directory to use SSL in server authentication mode or mutual authentication mode on your test machine, and then move Oracle Internet Directory to a production machine, re-create the Oracle Internet Directory wallet on the production machine.
The old wallet contains the host name of the original machine as the DN in the certificate. This host name in the DN is not changed during the test to production move. Re-create the wallet on the production machine to avoid SSL communication issues.
This section describes documentation errata. It includes the following topics:
Section 23.3.1, "Description of the orclrevpwd Attribute Needs Clarification"
Section 23.3.2, "LDAP Commands Do Not Support the -k|-K Option"
Section 23.3.3, "Description of the orclOIDSCExtGroupContainer Attribute Needs Clarification"
Section 23.3.4, "Setting Up LDAP Replication Needs Clarification"
Section 23.3.5, "Password Expired Response Control is Not Documented"
Section 23.3.6, "Configuring the SSO Server for ODSM Integration Needs Clarification"
Section 23.3.7, "Determining Expired Users in Oracle Internet Directory"
Section 23.3.8, "New Superuser Account Must be Direct Member of DirectoryAdminGroup Group"
Section 23.3.9, "SSL Authentication Mode 1 and Anonymous SSL Ciphers Need Clarification"
Section 23.3.10, "Documentation of Replication Server Control and Failover is Incomplete"
Section 23.3.11, "Server Restart After Adding an Encrypted Attribute is Not Documented"
Section 23.3.12, "PASSWORD_VERIFY_FUNCTION Must be Set to NULL to Work with RCU is Not Documented"
Section 23.3.13, "Setting Up Oracle Internet Directory SSL Mutual Authentication"
Section 23.3.14, "Replication Instructions in Tutorial for Identity Management are Incomplete"
Description of the orclrevpwd Attribute Needs Clarification
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the description of the orclrevpwd attribute in the "Managing Password Verifiers" chapter needs clarification. The "Introduction to Password Verifiers for Authenticating to the Directory" section should include the following information.
Oracle Internet Directory stores the user password in a reversible encrypted format in the orclrevpwd configuration attribute. The orclrevpwd attribute is generated only if the orclpwdencryptionenable attribute in the password policy entry is set to 1.
The orclrevpwd attribute is maintained securely within the Oracle Internet Directory server and cannot be queried, even if you modify the attribute's access control policies (ACIs). Oracle Directory Integration Platform, however, is allowed to query the orclrevpwd attribute so that password synchronization can function.
LDAP Commands Do Not Support the -k|-K Option
Chapter 3, "Oracle Internet Directory Data Management Tools," of the Oracle Fusion Middleware Reference for Oracle Identity Management documents the -k|-K option for LDAP commands. However, this option is not valid for the LDAP commands and should not be used.
Description of the orclOIDSCExtGroupContainer Attribute Needs Clarification
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the description of the orclOIDSCExtGroupContainer attribute in the "Configuring Server Chaining" chapter needs clarification.
The description states that this attribute "is optional if the external user container and the external group container are the same." However, the attribute is required, and the description should include the following information:
If the external user container and the external group container are the same (that is, groups in the external directory server are stored in the same container as the users), the value for the orclOIDSCExtGroupContainer attribute must be the same as the value used for the user container (orclOIDSCExtUserContainer attribute).
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Chapter 40, "Setting Up Replication," does not document the following requirements.
To set up replication for a directory that has more than 100,000 entries, you must use the command-line tools (ldifwrite and bulkload). Use the Replication Wizard in Oracle Enterprise Manager Fusion Middleware Control (automatic bootstrapping method) only for a directory that has fewer than 100,000 entries.
If you have a deployment with a combination of Oracle Internet Directory 10g nodes and 11gR1 nodes, replication from the 10g node to an 11gR1 node must be set up before replication between the 11gR1 nodes is set up. For example, consider a deployment as follows:
Two Oracle Internet Directory 10g nodes with a supplier node and consumer node
Two new Oracle Internet Directory 11gR1 nodes (nodes 1 and 2) with LDAP multimaster replication
To set up replication for this deployment:
Set up LDAP one-way replication from one of the 10g nodes to 11gR1 node 1.
Set up replication bootstrap (if fewer than 100,000 entries) and then start the replication server on 11gR1 node 1. (If the directory has more than 100,000 entries, use the command-line tools.)
When the replication is complete, set up LDAP multimaster replication between 11gR1 node 1 and node 2.
Set up the replication bootstrap (if fewer than 100,000 entries) on 11gR1 node 2 and then start the replication server.
Both the Oracle Fusion Middleware Reference for Oracle Identity Management and the Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management do not document the Oracle Internet Directory password expired response control:
Object Identifier: 2.16.840.1.113894.1.8.20
Name: OID_PWDEXPIRED_CONTROL
Description: Password policy control. The response control that the server sends when the password has expired, there are no grace logins remaining, and the client sends a request control.
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 7.4.3, "Configuring the SSO Server for ODSM Integration," does not document that to improve performance for SSO-ODSM integration, you should configure the ODSM URLs as follows:
Protected: /odsm/odsm-sso.jsp
Unprotected: /odsm/faces/odsm.jspx
Excluded: /odsm/.../
Setting the CSS, JavaScript, and graphics (/odsm/.../) files to excluded prevents these files from being validated by Oracle Access Manager, which can improve the performance of your deployment.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not fully explain the concept of expired users and how to determine if a user is in the expired state.
In some situations, you might want to determine expired users and then take a specific action, such as deleting those users from the directory.
Note:
Oracle Internet Directory expired users are not indicated by a specific attribute. An expired user is in a transient state that depends on the system time, the maximum inactive time allowed, and the user's last successful login time. The expired state is determined during a bind or password compare operation for the user.
To determine the expired users, your Oracle Internet Directory deployment must be configured as follows:
The tracking of each user's last successful login time must be enabled by setting the orclPwdTrackLogin attribute to 1.
The orclpwdmaxinactivitytime attribute must be set to a value other than 0 (the default). This attribute specifies the inactive time in seconds before a user's account is automatically considered to be expired.
To determine if a user's account is considered to be expired:
Determine the time stamp of the user's last successful login from the orcllastlogintime attribute.
Subtract the user's orcllastlogintime value from the current system time. If the result is greater than the orclpwdmaxinactivitytime value, then the user is considered to be in the expired state.
If you wish, delete the expired user from the directory.
For more information, see the "Managing Password Policies" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
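The rule above applied to exported entries, as an added example that is not part of the Oracle documentation: it checks the two configuration prerequisites first, then reports expired users separately from users whose state cannot be determined. It assumes entries are supplied as plain LDIF text from ldapsearch and that orcllastlogintime is in LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, UTC); the policy and user entries are constructed sample data.

```python
"""Find expired Oracle Internet Directory users from exported entries.

Added example, not from the Oracle documentation. It applies the rule in the
release note: a user is expired when
    (current time - orcllastlogintime) > orclpwdmaxinactivitytime seconds,
and only if orclPwdTrackLogin is 1 and orclpwdmaxinactivitytime is not 0.
Assumptions: entries are plain LDIF text as exported by ldapsearch, and
orcllastlogintime uses LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, UTC).
"""
from datetime import datetime, timezone

# Constructed sample data (not from a real directory): a 90-day limit.
SAMPLE_POLICY_LDIF = """\
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
orclPwdTrackLogin: 1
orclpwdmaxinactivitytime: 7776000
"""
SAMPLE_USERS_LDIF = """\
dn: cn=alice,cn=Users,dc=example,dc=com
orcllastlogintime: 20130101120000Z

dn: cn=bob,cn=Users,dc=example,dc=com
orcllastlogintime: 20130601120000Z

dn: cn=carol,cn=Users,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute names lower-cased
    so orclPwdTrackLogin and orclpwdtracklogin are treated alike."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current[name.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries

def parse_generalized_time(value):
    """LDAP GeneralizedTime without fractional seconds, e.g. 20130101120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_policy(policy):
    """Return the inactivity limit in seconds, or raise if the deployment is
    not configured so that the expired state can be determined at all."""
    if policy.get("orclpwdtracklogin") != "1":
        raise ValueError("orclPwdTrackLogin must be 1; last login is not tracked")
    max_inactive = int(policy.get("orclpwdmaxinactivitytime", "0"))
    if max_inactive == 0:
        raise ValueError("orclpwdmaxinactivitytime is 0; inactivity expiry is off")
    return max_inactive

def find_expired_users(policy_ldif, users_ldif, now_generalized_time):
    """Return (expired_dns, undetermined_dns) as of the given time.
    A user with no orcllastlogintime (no successful login since tracking was
    enabled) cannot be evaluated by this rule and is reported separately
    rather than silently counted as expired or as active."""
    max_inactive = check_policy(parse_ldif(policy_ldif)[0])
    now = parse_generalized_time(now_generalized_time)
    expired, undetermined = [], []
    for entry in parse_ldif(users_ldif):
        last = entry.get("orcllastlogintime")
        if last is None:
            undetermined.append(entry["dn"])
            continue
        idle_seconds = (now - parse_generalized_time(last)).total_seconds()
        if idle_seconds > max_inactive:
            expired.append(entry["dn"])
    return expired, undetermined

if __name__ == "__main__":
    # As of 2013-07-01: alice idle about 180 days (expired), bob about 30, carol unknown.
    exp, unk = find_expired_users(SAMPLE_POLICY_LDIF, SAMPLE_USERS_LDIF, "20130701000000Z")
    print("expired:", exp, "cannot determine:", unk)
```

Because the expired state is transient and is evaluated by the server at bind time, treat the result as a snapshot taken at the supplied time, not as a stored attribute.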
New Superuser Account Must be Direct Member of DirectoryAdminGroup Group
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 12.6, "Creating Another Account With Superuser Privileges," does not mention that a new superuser account must be a direct member of the DirectoryAdminGroup group to use all Oracle Directory Services Manager (ODSM) features.
To use all ODSM features including the Security and Advanced tabs, a new superuser account must be a direct member of the DirectoryAdminGroup group. The new superuser account cannot be a member of a group that is in turn a member of the DirectoryAdminGroup group. In this configuration, the superuser would be able to access only the ODSM Home, Schema, and Data Browser tabs.
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the first bullet of the note in Section 27.1.3, "SSL Authentication Modes," mentions that you must have at least one Oracle Internet Directory server instance configured for the default authentication mode and anonymous SSL ciphers. This statement is true only for specific deployments.
The first bullet of the note should be revised as follows:
By default, the SSL authentication mode is set to 1 (encryption only, no authentication).
If you are using Oracle Delegated Administration Services 10g or other client applications such as legacy versions of Oracle Forms and Oracle Reports that expect to communicate with Oracle Internet Directory on an encrypted SSL port configured for anonymous SSL ciphers, then at least one Oracle Internet Directory server instance must be configured for this default authentication mode.
Otherwise, authentication mode 1 and anonymous SSL ciphers are not required for Oracle Internet Directory to function. The type of SSL ports that are made available and the ciphers that the SSL port will accept depend on your specific deployment requirements.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not fully describe the replication server (oidrepld) process control and failover in an Oracle Maximum Availability Architecture (MAA), including how to enable failover by setting the orclfailoverenabled attribute.
The orclfailoverenabled attribute is an OID Monitor configuration entry ("cn=configset,cn=oidmon,cn=subconfigsubentry") attribute that configures failover.
This attribute specifies the failover time in minutes before the OID Monitor will start failed processes on a surviving node. The default failover time is 5 minutes. A value of zero (0) disables failover for Oracle Internet Directory processes.
Additional information is provided in Note 1538250.1, which is available on My Oracle Support at:
See Also:
The "Understanding Process Control of Oracle Internet Directory Components" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that if you add an encrypted attribute to the list of sensitive attributes, you must restart the Oracle Internet Directory server instance for the new attribute to be added to the new list of sensitive attributes and recognized by the server.
Note:
The attributes in Table 28-1 "Sensitive Attributes Stored in orclencryptedattributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory are intended for use only by Oracle. Do not add to or modify the attributes shown in this table unless you are requested to do so by Oracle Support.
For more information, see the "Configuring Data Privacy" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that for Oracle Internet Directory to work with the Repository Creation Utility (RCU) for Oracle database version 11.2.x, the default PASSWORD_VERIFY_FUNCTION clause in the database must be set to NULL (which is the default value).
Neither the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory nor the Oracle Fusion Middleware Administrator's Guide describes how to set up Oracle Internet Directory SSL Client and Server Authentication. This information is provided in Note 1311791.1, which is available on My Oracle Support at:
In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information.
Specifically, the instructions do not work unless the new consumer node is empty.
For more information, see Section 40.1.7, "Rules for Configuring LDAP-Based Replication," in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.