38 Oracle Virtual Directory

This chapter describes issues associated with Oracle Virtual Directory. It includes the following topics:

38.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

38.1.1 Oracle Virtual Directory Fails to Start When Unsupported Ciphersuite for Listener SSL Config is Selected in Enterprise Manager

When you create an Oracle LDAP listener in Enterprise Manager and then edit the listener's Change SSL setting by selecting Enable SSL for any SSL authorization, Enterprise Manager selects the ciphersuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256. If this ciphersuite is selected, Oracle Virtual Directory fails to start.

Oracle Virtual Directory supports the following protocols:

  • TLSv1

  • SSLv2Hello

  • SSLv3

Note:

For a complete list of the supported ciphers for each protocol, refer to the following location:

http://www.openssl.org/docs/apps/ciphers.html

To work around this issue, manually uncheck all of the ciphers listed for Enterprise Manager when configuring the ciphersuites.

38.1.2 EUS Adapter Creation Failed

When creating an EUS adapter using the wizard in Oracle Directory Services Manager, an error message periodically displays stating the adapters and ACLs were not created successfully.

To work around this issue, proceed as follows:

  • If the error occurred while you were loading ACLs, and only partial ACLs were loaded during EUS configuration, then you can manually load the remaining ACLs by running this command:

    $ORACLE_HOME/bin/ldapmodify -c -v -h <ovd_host> -p <ovd_port> -D cn=orcladmin -w <orcladmin_password> \
      -f $ORACLE_HOME/ovd/eus/eusACLTemplate.ldif
    
  • If the error occurred during any other step, then manually clean up the partial configuration from Oracle Virtual Directory by using the following steps, and then reconfigure Oracle Virtual Directory for EUS.

    1. Delete all of the Local Store and LDAP EUS adapters created.

    2. Delete the LSA EUS adapter data files from the local file system.

    3. Undeploy the EUS py mapping based on your directory type (if it exists).

    4. Click the EUS wizard icon again to reconfigure.

38.1.3 Manually Edit adapters.os_xml File When Creating DB Adapter For Sybase

Creating a Database Adapter with Sybase as back-end causes Oracle Virtual Directory to fail with an Invalid Database Connection error.

To work around this issue, you can manually edit the adapters.os_xml file using the same Database connection information.

38.1.4 ODSM Version Does Not Change in Enterprise Manager after Patching ODSM to 11.1.1.6.0

The Oracle Directory Services Manager version shown in Enterprise Manager is the application version, which does not change when you patch Oracle Directory Services Manager.

The Oracle Lifecycle team requires all Enterprise Manager components to retain the same application version. However, because customers want to know which Oracle Directory Services Manager version they are using, Oracle Directory Services Manager maintains the actual (patch) version and Enterprise Manager maintains the application version, which causes this mismatch.

This is a known issue, starting with version 11.1.1.3.0.

38.1.5 ODSM Bug Requires Editing of odsmSkin.css File

Due to a misplaced comment in the file odsmSkin.css, some labels on the Oracle Directory Services Manager home page are not displayed correctly. Specifically, the labels in the diagram on the right are misplaced or missing.

To work around this issue, proceed as follows:

  1. Stop the wls_ods1 managed server and the WebLogic Administration server.

  2. Edit the file:

    MW_HOME/user_projects/domains/DOMAIN_HOME/servers/MANAGED_SERVER_NAME/tmp/_WL_user/ODSM_VERSION_NUMBER/RANDOM_CHARACTERS/war/skins/odsmSkin.css
    

    For example:

    wlshome/user_projects/domains/base_domain/servers/wls_ods1/tmp/_WL_user/odsm_11.1.1.2.0/z5xils/war/skins/odsmSkin.css
    

    Before editing, the odsmSkin.css file looks like this:

    @agent ie /*========== Fix for bug#7456880 ==========*/
    {
      af|commandImageLink::image,
      af|commandImageLink::image-hover,
      af|commandImageLink::image-depressed
      {
        vertical-align:bottom;
      }
    }
    

    Move the comment:

    /*========== Fix for bug#7456880 ==========*/
    

    so that it is above the line

    @agent ie
    

    After editing, the file should look like this:

    /*========== Fix for bug#7456880 ==========*/
    @agent ie
    {
      af|commandImageLink::image,
      af|commandImageLink::image-hover,
      af|commandImageLink::image-depressed
      {
        vertical-align:bottom;
      }
    } 
    
  3. Restart the WebLogic Administration server and the wls_ods1 managed server.

38.1.6 Oracle Directory Services Manager Browser Window is Not Usable

In some circumstances, after you launch Oracle Directory Services Manager from Fusion Middleware Control, then select a new Oracle Directory Services Manager task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.

As a workaround, go to the URL http://host:port/odsm, where host and port specify the location where Oracle Directory Services Manager is running, for example, http://myserver.example.com:7005/odsm. You can then use the Oracle Directory Services Manager window to log in to a server.

38.1.7 Exceptions May Occur in Oracle Directory Services Manager When Managing Multiple Oracle Virtual Directory Components and One is Stopped

Under certain circumstances, when managing multiple Oracle Virtual Directory components from the same Oracle Directory Services Manager session, exception or error messages may appear if you stop one of the Oracle Virtual Directory components. For example, you are managing Oracle Virtual Directory components named ovd1 and ovd2 from the same Oracle Directory Services Manager session. Both ovd1 and ovd2 are configured and running. If you stop ovd1, an exception or Target Unreachable message may appear when you try to navigate Oracle Directory Services Manager.

To work around this issue, exit the current Oracle Directory Services Manager session, close the web browser, and then reconnect to Oracle Virtual Directory components in a new Oracle Directory Services Manager session.

38.1.8 Identifying the DN Associated with an Access Control Point in Oracle Directory Services Manager

When you create an Access Control Point (ACP) using Oracle Directory Services Manager, the Relative Distinguished Name (RDN) of the DN where you created the ACP appears in the navigation tree on the left side of the screen. For example, if you create an ACP at the DN of cn=ForExample,dc=us,dc=sales,dc=west, then cn=ForExample appears in the navigation tree. After clicking an ACP in the navigation tree, its settings appear in the right side of the screen and the RDN it is associated with appears at the top of the page.

To identify the DN associated with an ACP, move the cursor over ("mouse-over") the ACP entry in the navigation tree. The full DN associated with the ACP will be displayed in a tool-tip dialog box.

Mousing-over ACPs in the navigation tree is useful when you have multiple ACPs associated with DNs that have identical RDNs, such as:

ACP 1 = cn=ForExample,dc=us,dc=sales,dc=west

ACP 2 = cn=ForExample,dc=us,dc=sales,dc=east

38.1.9 Issues With Oracle Virtual Directory Metrics in Fusion Middleware Control

This topic describes issues with Oracle Virtual Directory metrics in Fusion Middleware Control, including:

38.1.9.1 Configuring Operation-Specific Plug-Ins to Allow Performance Metric Reporting in Fusion Middleware Control After Upgrading to 11g Release 1 (11.1.1)

If you upgraded an Oracle Virtual Directory Release 10g installation with plug-ins configured to execute on specific operations, such as add, bind, get, and so on, to 11g Release 1 (11.1.1), you may have to update those operation-specific plug-ins before you can use Fusion Middleware Control to view performance metrics.

After upgrading to 11g Release 1 (11.1.1) and performing some initial operations to verify the upgrade was successful, check the Oracle Virtual Directory home page in Fusion Middleware Control. You should see data for the Current Load and Average Response Time and Operations metrics.

If you do not see any data for these metrics, you must update the plug-ins configured to execute on specific operations. The work-around is to add the Performance Monitor plug-in to the operation-specific plug-in's configuration chain.

Perform the following steps to add the Performance Monitor plug-in to the operation-specific plug-in's configuration chain:

  1. If the operation-specific plug-in is a Global-level plug-in, edit the server.os_xml file located in the ORACLE_INSTANCE/config/OVD/NAME_OF_OVD_COMPONENT/ directory.

    If the operation-specific plug-in is an adapter-level plug-in, edit the adapters.os_xml file located in the ORACLE_INSTANCE/config/OVD/NAME_OF_OVD_COMPONENT/ directory.

    Note:

    If multiple adapters are configured, you must perform steps 2 and 3 for every adapter configuration in the adapters.os_xml file.

  2. Locate the pluginChains element in the file. For example, if the Dump Transactions plug-in is configured to execute on the get operation, you will see something similar to the following:

    Example 38-1 Dump Transactions Plug-In Configured for get Operation

      <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
       <plugins>
          <plugin>
            <name>Dump Transactions</name>
            <class>com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions</class>
            <initParams>
              <param name="loglevel" value="info"/>
            </initParams>
          </plugin>
          <plugin>
            <name>Performance Monitor</name>
            <class>com.octetstring.vde.chain.plugins.performance.MonitorPerformance</class>
            <initParams/>
          </plugin>
       </plugins>
       <default>
          <plugin name="Performance Monitor"/>
       </default>
       <get>
          <plugin name="Dump Transactions">
            <namespace>ou=DB,dc=oracle,dc=com </namespace>
          </plugin>
        </get>
      </pluginChains>
    
  3. Add the following Performance Monitor plug-in element within the operation-specific configuration chain:

    <plugin name="Performance Monitor"/>
    

    For example:

    Example 38-2 Adding the Performance Monitor to the Operation-Specific Plug-In Configuration Chain

     <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
       <plugins>
          <plugin>
            <name>Dump Transactions</name>
            <class>com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions</class>
            <initParams>
              <param name="loglevel" value="info"/>
            </initParams>
          </plugin>
          <plugin>
            <name>Performance Monitor</name>
            <class>com.octetstring.vde.chain.plugins.performance.MonitorPerformance</class>
            <initParams/>
          </plugin>
       </plugins>
       <default>
          <plugin name="Performance Monitor"/>
       </default>
       <get>
          <plugin name="Dump Transactions">
            <namespace>ou=DB,dc=oracle,dc=com </namespace>
          </plugin>
          <plugin name="Performance Monitor"/>
        </get>
      </pluginChains>
    
  4. Save the file.

  5. Restart Oracle Virtual Directory.
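Steps 2 and 3 can be scripted when many adapters are configured. The following is an added example, not Oracle code: it appends the Performance Monitor reference to every operation-specific chain that lacks it, using a constructed copy of Example 38-1 as input. The function name and the rule that every child other than plugins and default is an operation chain are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "http://xmlns.oracle.com/iam/management/ovd/config/plugins"
Q = "{%s}" % NS
MONITOR = "Performance Monitor"
ET.register_namespace("", NS)  # serialize with the default namespace, not ns0:

# Constructed sample: the pluginChains element from Example 38-1.
SAMPLE = """\
<pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
 <plugins>
  <plugin>
   <name>Dump Transactions</name>
   <class>com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions</class>
   <initParams><param name="loglevel" value="info"/></initParams>
  </plugin>
  <plugin>
   <name>Performance Monitor</name>
   <class>com.octetstring.vde.chain.plugins.performance.MonitorPerformance</class>
   <initParams/>
  </plugin>
 </plugins>
 <default>
  <plugin name="Performance Monitor"/>
 </default>
 <get>
  <plugin name="Dump Transactions">
   <namespace>ou=DB,dc=oracle,dc=com</namespace>
  </plugin>
 </get>
</pluginChains>
"""

def add_monitor(xml_text):
    """Return (patched XML, names of the operation chains that were changed)."""
    root = ET.fromstring(xml_text)
    changed = []
    # adapters.os_xml can hold one pluginChains per adapter, so visit them all.
    for chains in root.iter(Q + "pluginChains"):
        defined = {n.text for n in chains.findall(f"{Q}plugins/{Q}plugin/{Q}name")}
        if MONITOR not in defined:
            continue  # plug-in not declared in this block, nothing to reference
        for chain in chains:
            op = chain.tag.rpartition("}")[2]
            # Assumption: every child other than <plugins> and <default>
            # is an operation-specific chain (get, add, bind, ...).
            if op in ("plugins", "default"):
                continue
            names = [p.get("name") for p in chain.findall(Q + "plugin")]
            if MONITOR not in names:
                ET.SubElement(chain, Q + "plugin", {"name": MONITOR})
                changed.append(op)
    return ET.tostring(root, encoding="unicode"), changed

if __name__ == "__main__":
    patched, changed = add_monitor(SAMPLE)
    print("chains updated:", changed)
```

ElementTree drops XML comments and changes whitespace on output, so keep a backup of the original file and compare the two before restarting Oracle Virtual Directory.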

38.1.10 Using a Wildcard when Performing an LDAPSEARCH on a TimesTen Database Causes an Operational Error

Currently, a TimesTen bug is preventing wildcard searches (such as "cn=t*") from working in a Database adapter with TimesTen.

To work around this problem, enable the Case Insensitive Search option and create the necessary linguistic indexes for any database columns used in the search.

For more information, see the related TimesTen Enhancement Request, Bug# 9885055 and Section 12.2.2 "Creating Database Adapters for Oracle TimesTen In-Memory Database" in the Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

38.1.11 ODSM Version 11.1.1.4.0 Does Not Support OVD Versions 11.1.1.2.0 or 11.1.1.3.0

Oracle Directory Services Manager Version 11.1.1.4.0 does not support Oracle Virtual Directory Versions 11.1.1.2.0 or 11.1.1.3.0.

Changes introduced in Oracle Directory Services Manager Version 11.1.1.4.0 improve configuration auditing, and these changes require that you use Oracle Virtual Directory 11.1.1.4.0.

38.1.12 ODSM Version 11.1.1.5.0 Does Not Support OVD Versions 11.1.1.2.0, 11.1.1.3.0, or 11.1.1.4.0

Oracle Directory Services Manager Version 11.1.1.5.0 does not support Oracle Virtual Directory Versions 11.1.1.2.0, 11.1.1.3.0, or 11.1.1.4.0.

Changes introduced in Oracle Directory Services Manager Version 11.1.1.5.0 improve configuration auditing, and these changes require that you use Oracle Virtual Directory 11.1.1.5.0.

38.1.13 ODSM Version 11.1.1.6.0 Does Not Support OVD Versions 11.1.1.2.0, 11.1.1.3.0, 11.1.1.4.0, or 11.1.1.5.0

Oracle Directory Services Manager Version 11.1.1.6.0 does not support Oracle Virtual Directory Versions 11.1.1.2.0, 11.1.1.3.0, 11.1.1.4.0, or 11.1.1.5.0.

Changes introduced in Oracle Directory Services Manager Version 11.1.1.6.0 improve configuration auditing, and these changes require that you use Oracle Virtual Directory 11.1.1.6.0.

38.1.14 Users with Non-ASCII Names Might Encounter Problems when Using ODSM with SSO

When Oracle Directory Services Manager is configured to use Oracle Access Manager 11g Release 1 (11.1.1.2) for single sign-on, a user whose name contains non-ASCII characters might observe the following issues after logging in:

  • The user name displayed on the Home page is garbled.

  • Single sign-on connections to Oracle Virtual Directory servers do not appear in the list of connections.

38.1.15 Creating an Attribute/Object Class Throws NPE Error

After upgrading Oracle Directory Services Manager, creating an attribute or an objectclass causes an NPE error.

Workaround:

Refresh the entries by clicking Refresh every time the creation fails.

38.1.16 Patch Required to Enable Account Lockout Feature

An additional patch, Patch 10365116, is required to enable the Account Lockout functionality.

In addition, Oracle Virtual Directory may not update the AD badpasswdcount until the account is fully locked out, which means AD badpasswdcount shows the correct number when it reaches the bad password count setting in AD.

38.1.17 ODSM Problems in Internet Explorer 7

The Oracle Directory Services Manager interface might not appear as described in Internet Explorer 7.

For example, the Logout link might not be displayed.

If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.

38.1.18 Strings Related to New Enable User Account Lockout Feature on EUS Wizard Are Not Translated

The new Enable User Account Lockout feature (and related messages) provided in the Oracle Virtual Directory EUS wizard have not been translated.

38.1.19 All Connections Created In ODSM 11.1.1.1.0 Are Lost After Upgrading to OVD or OID Version 11.1.1.7.0

Due to some deployment changes made to Oracle Directory Services Manager version 11.1.1.2.0, any connections created in Oracle Directory Services Manager version 11.1.1.1.0 will be lost when you upgrade to Oracle Virtual Directory version 11.1.1.7.0 or Oracle Internet Directory version 11.1.1.7.0.

Oracle Directory Services Manager resumes caching connection details the first time you connect again after upgrading to Oracle Virtual Directory version 11.1.1.7.0 or Oracle Internet Directory version 11.1.1.7.0.

38.1.20 Incorrect ODSM Version Displays in Enterprise Manager Console After OVD Upgrade

The Oracle Directory Services Manager version automatically displays as 11.1.1.2.0 in the Enterprise Manager console for all patch set releases. This Oracle Directory Services Manager version number does not increment to match the patch set version when you upgrade.

38.1.21 Connection Issues to OVD

In non-Linux environments, if you have any issues connecting to Oracle Virtual Directory from Oracle Directory Services Manager, LDAP tools, or any other applications, you must disable NIO in the non-SSL listener by using the following steps:

  1. From a command window, stop Oracle Virtual Directory:

    $ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1
    
  2. Edit the $ORACLE_INSTANCE/config/OVD/ovd1/listeners.os_xml file as follows:

    1. Locate this LDAP non-SSL listener section:

      <ldap id="LDAP Endpoint" version="0">
            <port>6501</port>
            <host>0.0.0.0</host>
            .........
            .........
             <tcpNoDelay>true</tcpNoDelay>
             <readTimeout>0</readTimeout>
          </socketOptions>
       </ldap>
      
    2. Modify the section by adding <useNIO>false</useNIO>, as indicated:

       <ldap id="LDAP Endpoint" version="0">
            <port>6501</port>
            <host>0.0.0.0</host>
            .........
            .........
             <tcpNoDelay>true</tcpNoDelay>
             <readTimeout>0</readTimeout>
          </socketOptions>
          <useNIO>false</useNIO>
       </ldap>
      
  3. Start Oracle Virtual Directory:

    $ORACLE_INSTANCE/bin/opmnctl startproc ias-component=ovd1
    

This modification should resolve the connection issues.

38.1.22 ODSM Version 11.1.1.7.0 Does Not Support OVD Versions 11.1.1.2.0, 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0, or 11.1.1.6.0

Oracle Directory Services Manager Version 11.1.1.7.0 does not support Oracle Virtual Directory Versions 11.1.1.2.0, 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0, or 11.1.1.6.0.

Changes introduced in Oracle Directory Services Manager Version 11.1.1.7.0 improve configuration auditing, and these changes require that you use Oracle Virtual Directory 11.1.1.7.0.

38.1.23 Modify Completes When Updating a Mandatory Attribute to Null

If a modify operation adds an attribute with an empty value, and the attribute type does not allow empty values, the operation no longer returns an error. For example, ldapmodify ADD sn with an empty value previously returned an Invalid Syntax error and now it does not return any errors. Other modify operation failures are properly reported.
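Because the server no longer rejects these requests, the check can be done on the client before the LDIF is sent. The following is an added example, not Oracle code: it scans LDIF change records for modifications that carry an empty value, and goes slightly beyond the add case above by also covering replace. The sample LDIF, its DNs and the function names are constructed, and the check assumes empty values are unwanted for every attribute rather than consulting the schema.

```python
# Constructed sample LDIF: two modify records, two of the specs carry empty values.
SAMPLE = """\
dn: cn=jdoe,ou=people,dc=example,dc=com
changetype: modify
add: sn
sn:
-
replace: mail
mail: jdoe@example.com
-

dn: cn=asmith,ou=people,dc=example,dc=com
changetype: modify
replace: description
-
add: telephoneNumber
telephoneNumber::
"""

def unfold(text):
    """Join LDIF continuation lines (leading space) and drop comment lines."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if lines and not in_comment:
                lines[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            lines.append(raw)
    return lines

def empty_value_changes(ldif_text):
    """Return (dn, operation, attribute) for each add/replace with an empty value."""
    findings = []
    dn = changetype = op = None
    for line in unfold(ldif_text):
        if not line.strip():        # a blank line ends the record
            dn = changetype = op = None
            continue
        if line == "-":             # end of one modification spec
            op = None
            continue
        name, _, rest = line.partition(":")
        # Drop the base64 (::) or URL (:<) marker, then surrounding spaces.
        value = rest.lstrip(":<").strip()
        key = name.strip().lower()
        if key == "dn":
            dn = value
        elif key == "changetype":
            changetype = value.lower()
        elif changetype == "modify" and op is None and key in ("add", "replace", "delete"):
            op = key                # e.g. "add: sn" opens a spec
        elif changetype == "modify" and op in ("add", "replace") and value == "":
            findings.append((dn, op, name.strip()))
    return findings

if __name__ == "__main__":
    for dn, op, attr in empty_value_changes(SAMPLE):
        print(f"empty value: {op} {attr} on {dn}")
```

A replace spec with no value lines at all, such as the description change in the sample, is a normal request to remove the attribute and is not reported.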

38.1.24 Online Help Section is Not Working

The Oracle Directory Services Manager online help section does not work in Internet Explorer 10 (IE10) web browsers.

38.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

38.2.1 Configuring an OVD/OID Adapter For SSL Mutual Authentication

Neither Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory nor Oracle Fusion Middleware Administrator's Guide describes how to set up an Oracle Virtual Directory/Oracle Internet Directory adapter for SSL Mutual Authentication. This information is provided in Note 1449118.1 and Note 1311791.1, which are available on My Oracle Support at:

https://support.oracle.com/

38.3 Documentation Errata

This section describes documentation errata in the Administrator's Guide for Oracle Virtual Directory. It includes the following topics:

38.3.1 Deploying Oracle Unified Directory with Oracle Virtual Directory

You can deploy Oracle Unified Directory as an LDAP data source with Oracle Virtual Directory. For information about how to deploy Oracle Unified Directory with Oracle Virtual Directory, see "Creating LDAP Adapters" in the Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory.