Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for Linux x86-64 Part Number E14770-43
This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 24.1.1, "Custom Audit Policy Settings Fail When Set Through Enterprise Manager"
Section 24.1.2, "Deleting Mandatory attributeType Referenced by objectClass is Successful"
Section 24.1.6, "Turkish Dotted I Character is Not Handled Correctly"
Section 24.1.7, "OIDCMPREC Might Modify Operational Attributes"
Section 24.1.9, "Apply Patch to Oracle Database 11.2.0.1.0 to Fix Purge Job Problem"
Section 24.1.10, "SQL of OPSS ldapsearch Might Take High %CPU"
If you set custom Audit Policy Settings for Oracle Internet Directory through 11g Oracle Enterprise Manager Fusion Middleware Control and select audit Custom events with Failures Only, no audit logs are generated and the audit process for failure events fails. After that, other audit events are not logged either, even if the Audit Policy Settings are changed to a different value such as Low, Medium, or High.
To make auditing function again through Enterprise Manager, select a default policy or a policy with custom events other than All Failures and then recycle the Oracle Internet Directory server processes.
Alternatively, you can set custom audit policies using LDAP command-line tools such as ldapmodify. For more information, see Section 23.4, "Managing Auditing from the Command Line" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Deleting Mandatory attributeType Referenced by objectClass is Successful
If you delete a mandatory attributeType under the Oracle Internet Directory schema that is referenced by an objectClass in the schema, no error is returned and the attributeType is deleted successfully. This problem also occurs for a DN entry created using the objectClass that uses that mandatory attributeType. The mandatory attribute is missing from the DN entry without any notice when it is deleted from the schema.
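Because the directory does not block the deletion, it is worth checking for references before removing an attributeType. The following added example (not Oracle code) lists the objectClasses whose MUST clause names a given attribute. It assumes the objectClass definitions have been exported as text in RFC 4512 syntax, one per line; the sample definitions and the example* names are constructed.

```shell
#!/bin/sh
# Added example, not Oracle code. Input: objectClass definitions in RFC 4512
# syntax, one per line (assumed to be exported from the directory schema).

# Constructed sample definitions; the example* names and OIDs are made up.
sample_schema() {
    cat <<'EOF'
objectclasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ description ) )
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleBadgeHolder' SUP top AUXILIARY MUST exampleBadgeId MAY ( cn ) )
objectclasses: ( 1.3.6.1.4.1.99999.2.2 NAME ( 'exampleDevice' 'exDev' ) SUP top STRUCTURAL MUST ( cn $ exampleSerial ) )
objectclasses: ( 1.3.6.1.4.1.99999.2.3 NAME 'exampleNote' SUP top AUXILIARY MAY ( description $ sn ) )
EOF
}

# Print the NAME of every objectClass on stdin whose MUST list contains
# attribute $1 (compared case-insensitively). MAY references are ignored.
must_referrers() {
    awk -v attr="$1" -v q="'" '
    BEGIN { attr = tolower(attr) }
    {
        # First quoted name after NAME, also when NAME carries a parenthesised list.
        name = "(unnamed)"
        if (match($0, "NAME +\\(? *" q "[^" q "]+" q)) {
            name = substr($0, RSTART, RLENGTH)
            sub("^[^" q "]*" q, "", name)
            sub(q "$", "", name)
        }
        # MUST is either one attribute or a $-separated list in parentheses.
        if (!match($0, /MUST +(\([^)]*\)|[^ ()]+)/)) next
        must = substr($0, RSTART + 4, RLENGTH - 4)
        gsub(/[()$]/, " ", must)
        n = split(must, a, " ")
        for (i = 1; i <= n; i++)
            if (tolower(a[i]) == attr) { print name; break }
    }'
}

# Which objectClasses would be left with a missing mandatory attribute if
# "cn" were deleted from the schema?
sample_schema | must_referrers cn
```

An empty result means no objectClass requires the attribute; any name printed is an objectClass whose entries would silently lose a mandatory attribute.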
orclguid Attribute is Not Mapped for Server Chaining
If you configure Oracle Internet Directory server chaining for Oracle Unified Directory 11.1.2.0 and then search for users, the orclguid attribute is missing from the search results.
The orclguid attribute is missing because Oracle Unified Directory uses the iplanet default mapping (cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry), and the default iplanet mapping does not have orclguid mapped.
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.
Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.
By default, the oidcmprec tool excludes operational attributes during comparison. That is, oidcmprec does not compare the operational attribute values in source and destination directory entries. During reconciliation of user-defined attributes, however, operational attributes might be changed.
The oidrealm tool supports creation, but not deletion, of a realm. A procedure for deleting a realm is provided in Note 604884.1, which is available on My Oracle Support at https://support.oracle.com/.
If you use Oracle Database 11.2.0.1.0 with Oracle Internet Directory, apply Patch 9952216 (11.2.0.1.3 PSU) to Oracle Database. Purge jobs do not function properly without this patch.
The SQL of an OPSS one level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take unreasonably high %DB CPU. If this search performance impacts the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:
Log in to the Oracle Database as user ODS and execute the following SQL:
    BEGIN
    DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS',
        TABNAME=>'CT_ORCLJAZNPRINCIPAL',
        ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE,
        CASCADE=>TRUE);
    END;
    /
Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.
If you start the replication server by using the command line, stop it by using the command line. If you attempt to stop it by using Oracle Enterprise Manager Fusion Middleware Control, the attempt fails.
See Also:
Note 1313395.1 on My Oracle Support (formerly MetaLink): https://support.oracle.com
The ODSM interface might not appear as described in Internet Explorer 7.
For example, the Logout link might not be displayed.
If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.
This section describes configuration issues and workarounds. It includes the following topic:
If you configure Oracle Internet Directory to use SSL in server authentication mode or mutual authentication mode on your test machine, and then move Oracle Internet Directory to a production machine, re-create the Oracle Internet Directory wallet on the production machine.
The old wallet contains the host name of the original machine as the DN in the certificate. This host name in the DN is not changed during the test to production move. Re-create the wallet on the production machine to avoid SSL communication issues.
When you configure Oracle Internet Directory (OID) for privileged ports as mentioned in Section "Configure the First Oracle Internet Directory Instance" of Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management, the config wizard prompts the following when you run oracleRoot.sh:
Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)
If you select yes, the script execution fails with the following error:
/u01/app/fmw/idm/oracleRoot.sh: line 47: syntax error: unexpected end of file
To work around this issue, modify the oracleRoot.sh file located in the ORACLE_HOME directory. Change the following line:
fi# This command path is not already provided in the existing root.sh:
to
fi # This command path is not already provided in the existing root.sh:
Rerun oracleRoot.sh to continue configuring Oracle Internet Directory.
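Why the missing space matters, shown as an added example (a constructed stand-in, not Oracle's oracleRoot.sh): the shell treats # as the start of a comment only at the beginning of a word, so fi# is read as an ordinary word and the if block is never closed. The sketch reproduces the error, applies the fix to a copy, and checks the result with sh -n, which parses without executing.

```shell
#!/bin/sh
# Added example: constructed stand-in for the defect, not Oracle's script.

# Write a minimal script with the same flaw: "fi#" is one word, so the
# keyword "fi" that should close the "if" is never seen by the parser.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
if [ -f ./oidRoot.sh ]; then
    echo "would run oidRoot.sh"
fi# This command path is not already provided in the existing root.sh:
echo "done"
EOF
}

# Parse only, never execute; status 0 means the syntax is valid.
syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# Insert the missing space after a line-leading "fi" glued to "#".
# The result goes to a new file so the original stays available for diffing.
fix_fi_comment() {
    sed 's/^\([[:space:]]*fi\)#/\1 #/' "$1" > "$2"
}

# Report the syntax state before and after the fix.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/broken.sh"
    if syntax_ok "$dir/broken.sh"; then before=ok; else before=syntax-error; fi
    fix_fi_comment "$dir/broken.sh" "$dir/fixed.sh"
    if syntax_ok "$dir/fixed.sh"; then after=ok; else after=syntax-error; fi
    rm -rf "$dir"
    echo "$before $after"
}

demo
```

Running the same sh -n check against the edited oracleRoot.sh confirms the fix before the script is executed again as root.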
This section describes documentation errata. It includes the following topics:
Section 24.3.1, "Setting Up Oracle Internet Directory SSL Mutual Authentication"
Section 24.3.2, "Replication Instructions in Tutorial for Identity Management are Incomplete"
Section 24.3.3, "Documentation of -P and -Q Options to LDAP Commands is Incomplete"
Section 24.3.4, "New Configuration Attribute orclcompatibleversion is Missing from Documentation"
Neither the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory nor the Oracle Fusion Middleware Administrator's Guide describes how to set up Oracle Internet Directory SSL Client and Server Authentication. This information is provided in Note 1311791.1, which is available on My Oracle Support at:
In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information.
Specifically, the instructions do not work unless the new consumer node is empty.
For more information, see Section 40.1.7, "Rules for Configuring LDAP-Based Replication," in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
The Oracle Fusion Middleware Repository Creation Utility User's Guide documents the -P and -Q options to ldapbind and other LDAP commands. The -P option requires you to specify a wallet password on the command line. The -Q option enables you to provide a password in response to a prompt, which is more secure than typing it on the command line.
The Oracle Fusion Middleware Repository Creation Utility User's Guide does not explain how to use these options when there is no password. This omission is significant because Oracle Internet Directory relies on AutoLogin wallets for SSL configuration, and AutoLogin wallets have no passwords.
When there is no wallet password, specify the password on the command line as a null string, using quote characters. For example:
-P ""
If you are using -Q, when prompted for the password, hit Enter.
See Also:
Section 7.5, "Using Command-Line Utilities to Manage Oracle Internet Directory" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory
Section 1.1, "Using Passwords with Command-Line Tools" in the Oracle Fusion Middleware Reference for Oracle Identity Management
The Oracle Fusion Middleware Repository Creation Utility User's Guide does not mention orclcompatibleversion, a new multivalued attribute of the DSE. Beginning with version 11.1.1.6, orclcompatibleversion contains the Oracle Internet Directory version. Do not modify this attribute. It must be present for Oracle Internet Directory 11.1.1.6 or 11.1.1.7 to work with its schema.
The older attribute orcldirectoryversion still exists, but it is no longer updated to indicate the Oracle Internet Directory version.
For more information, see "orclCompatibleVersion" in the Oracle Fusion Middleware Reference for Oracle Identity Management.