2 Oracle Internet Directory

This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:

2.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

2.1.1 Substring Filter Not Supported for Collective Attributes

Oracle Internet Directory does not support substring filters on collective attributes. For instance, the following substring filter is not supported:

tenantguid=*234*

However, an equality filter on a collective attribute, for instance tenantguid=12345, is supported.

2.1.2 Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time

If you perform ldapsearch on rootDSE to fetch the lastchangenumber attribute along with other attributes, then lastchangenumber is not retrieved.

For instance, when you run the following command, the lastchangenumber attribute is not retrieved:

ldapsearch -p port -D "cn=orcladmin" -w password -b "" -s base "objectclass=*"
changelog lastchangenumber

The workaround for this problem is to perform the ldapsearch on rootDSE for the lastchangenumber attribute only, as follows:

ldapsearch -p <port> -h <hostname> -b "" -s base '(objectclass=*)' lastchangenumber

lastchangenumber=4714

2.1.3 Search with Filter Containing AND Operation of Collective Attributes Not Supported

When the search filter contains only collective attribute expressions combined with an AND (&) operation, the server does not return the expected results.

For example, the following search, whose filter combines only collective attributes with an AND operation, does not return the expected result:

ldapsearch -b 'cn=u1,cn=collandbug' '(&(description=coll1 desc)(description=coll2 desc))' dn

2.1.4 Oracle Database Requires Patch to Fix Purge Job Problems

Some versions of Oracle Database, such as 10.1.0.5.0rec.jul10, 10.2.0.4.5.psu, 10.2.0.5.1psu, 11.1.0.7.4psu, and 11.2.0.1.2psu require a patch to fix Oracle Internet Directory purge job problems.

Without the patch, a purge jobs operation does not function properly, and these symptoms can occur:

  • Oracle Internet Directory change logs do not get purged, and the purge log shows ORA-23421 errors.

  • Executing change log purge jobs with orclpurgenow set to 1 hangs.

If you are experiencing the preceding purge job problems with any of the listed Oracle Database versions, then apply the latest Patch Set Update (PSU) for your Oracle Database that fixes RDBMS bug 9294838. You can apply this RDBMS patch after you have installed Oracle Internet Directory.

2.1.5 ODSM Does Not Create Entry of Custom objectclass With Custom Mandatory Field

On the Schema tab, create a custom attribute and a custom objectclass, and mark the custom attribute as indexed. If you then create an entry of objectclass="custom object class" on the Data Browser tab, ODSM does not allow you to enter the mandatory value in the custom attribute field.

There is no workaround for this issue.

2.1.6 ODSM Adds Fake Entries to the Chained Container and Displays Duplicate Entries During Export

In ODSM, when you set up server chaining with Oracle Directory Server Enterprise Edition (ODSEE) as the backend, the following issues emerge:

  • If you create an entry through ODSM, ODSM appears to add the entry to the remote server through chaining. However, the entry is not actually added on the remote ODSEE server.

  • If you then add the same entry directly to the remote backend, navigate to the parent entry through the Data Explorer tab, and export the entry to LDIF, you see duplicate entries.

2.1.7 Oracle Internet Directory Upgrade from 10.1.4.3 to 11.1.1.9.0 Fails During Configuration on AIX

This issue occurs when you upgrade Oracle Internet Directory from 10.1.4.3 to 11.1.1.9.0 on AIX. The upgrade fails during configuration with the following error:

javax.net.ssl.SSLException: Received fatal alert: illegal_parameter

The workaround for this issue is to add the java option to disable ECDH ciphers while configuring Oracle Internet Directory 11.1.1.9.0, as shown in the following example:

ORACLE_HOME/config.sh -Doracle.ldap.odi.sslsocketfactory.disable-ecc=true

2.1.8 ODSM Problems in Internet Explorer 7

The ODSM interface might not appear as described in Internet Explorer 7.

For example, the Logout link might not be displayed.

If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.

2.1.9 Cloned Oracle Internet Directory Instance Fails or Runs Slowly

In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.

This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.

The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.

For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:

  • Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)

  • Deploying Enterprise Manager agents in different Oracle Virtual Machines

To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:

  1. Set the required environment variables. For example:

    export ORACLE_INSTANCE=/u01/oid/oid_inst
    export ORACLE_HOME=/u01/oid/oid_home
    export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$PATH
    export TNS_ADMIN=$ORACLE_INSTANCE/config
    
  2. Connect to the Oracle Database and delete the entries with the undesired Oracle Internet Directory host names. For example, in the following queries, substitute the undesired host name for sourceHostname:

    sqlplus ods@oiddb
    delete from ods_shm where nodename like '%sourceHostname%';
    delete from ods_shm_key where nodename like '%sourceHostname%';
    delete from ods_guardian where nodename like '%sourceHostname%';
    delete from ods_process_status where hostname like '%sourceHostname%';
    commit;
    
  3. Stop and then restart the cloned Oracle Internet Directory component. For example:

    opmnctl stopproc ias-component=oid1
    opmnctl startproc ias-component=oid1
    
  4. Find the cn entries with the undesired Oracle Internet Directory host names. For example:

    ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
    "cn=subregistrysubentry" -s sub "objectclass=*" dn
    cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
    cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
    cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
    
  5. From the results in the previous step, remove the entries with the undesired host names. For example:

    ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password
    "cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry"
    ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password
    "cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry"
    
  6. Verify that the undesired host names are removed. For example:

    ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
    "cn=subregistrysubentry" -s sub "objectclass=*" dn
    cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
    

See Also:

"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
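The following Python script is an added example, not code from Oracle's documentation. It turns the ldapsearch output of step 4 into the SQL of step 2 and the ldapdelete targets of step 5, treating every registry host other than the clone's own host name as undesired; the ldapsearch output and the local host name (myhost.example.com) are constructed sample values.

```python
import re

# Constructed sample of the step 4 ldapsearch output (not captured from a real instance).
SAMPLE_LDAPSEARCH_OUTPUT = """\
cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
"""

# Tables cleaned in step 2, with the column that carries the host name in each.
HOST_TABLES = (
    ("ods_shm", "nodename"),
    ("ods_shm_key", "nodename"),
    ("ods_guardian", "nodename"),
    ("ods_process_status", "hostname"),
)

# Registry entries have the form cn=<component>_<instance>_<host>,cn=osdldapd,...
_RDN_RE = re.compile(r"^cn=([^,]+?)_(\d+)_([^,]+),cn=osdldapd,cn=subregistrysubentry$")


def parse_registry_dns(output):
    """Return the registry DNs found in raw ldapsearch output, skipping other lines."""
    return [line.strip() for line in output.splitlines() if _RDN_RE.match(line.strip())]


def host_of(dn):
    """Extract the host name embedded in a registry DN."""
    m = _RDN_RE.match(dn)
    if not m:
        raise ValueError(f"not a subregistry DN: {dn!r}")
    return m.group(3)


def plan_cleanup(output, local_host):
    """Plan the removal of stale hosts from a cloned instance.

    Every host other than local_host (assumed to be the clone's own name) is
    undesired. Returns (dns_to_delete, sql_statements); nothing is executed here.
    """
    dns = parse_registry_dns(output)
    undesired = sorted({host_of(dn) for dn in dns} - {local_host})
    to_delete = [dn for dn in dns if host_of(dn) in undesired]
    sql = []
    for host in undesired:
        for table, column in HOST_TABLES:
            # Same LIKE pattern as the documented step, one host at a time.
            sql.append(f"delete from {table} where {column} like '%{host}%';")
    if sql:
        sql.append("commit;")
    return to_delete, sql


if __name__ == "__main__":
    dns, sql = plan_cleanup(SAMPLE_LDAPSEARCH_OUTPUT, "myhost.example.com")
    print("\n".join(sql))
    for dn in dns:
        print(f'ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password "{dn}"')
```

Review the printed plan before running it: the LIKE pattern is a substring match, so a short host name can also match longer names that contain it.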

2.1.10 Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM

Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM): 5.11 11.1 sun4v sparc sun4v

As a workaround for this problem, set the following values, as shown in the next procedure:

  • Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.

  • Set the orclecachemaxsize attribute to less than the project.max-locked-memory and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.

In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":

  1. Log in to the Solaris SPARC system as the root user.

  2. Check the project membership of the OID user.

    If the OID user belongs to the default project:

    1. Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:

      # id -p oracle
      uid=2345(oracle) gid=529(dba) projid=3(default)
      # projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
      # usermod -K project=oidmaxlkmem oracle
      
    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:

      # su - oracle
      
      $ id -p oracle
      uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
      
      $ prctl -n project.max-locked-memory -i project 150
      project: 150: oidmaxlkmem
      NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
      project.max-locked-memory
              privileged      2.00GB      -   deny                             -
              system          16.0EB    max   deny                             -
      

    If the OID user belongs to a non-default project:

    1. Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:

      # id -p oracle
      uid=2345(oracle) gid=529(dba) projid=125(oraproj)
      
      # projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
      
    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:

      # projects -l oraproj
      oraproj
              projid : 125
              comment: ""
              users  : (none)
              groups : (none)
              attribs: project.max-locked-memory=(priv,2147483648,deny)
                       project.max-shm-memory=(priv,34359738368,deny)
      
      # su - oracle
      $ id -p
      uid=2345(oracle) gid=529(dba) projid=125(oraproj)
      
      $ prctl -n project.max-locked-memory -i project 125
      project: 125: oraproj
      NAME    PRIVILEGE       VALUE    FLAG   ACTION  RECIPIENT
      project.max-locked-memory
              privileged      2.00GB      -   deny    -
              system          16.0EB    max   deny    -
      
  3. Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.

    For example, using SQL*Plus, set the value to 256 MB:

    sqlplus ods@oiddb
    update ds_attrstore set attrval='256m'
      where entryid=940 and attrname='orclecachemaxsize';
    commit;
    
  4. Run the config.sh script to configure Oracle Internet Directory.
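Added example (not part of Oracle's documentation): a Python check for the two constraints the procedure places on the values, project.max-locked-memory at 2 GB or higher and orclecachemaxsize below it and aligned with the page sizes reported by pagesize -a. It assumes that alignment means a multiple of the largest supported page size, and uses constructed pagesize -a output.

```python
import re

# Constructed sample of "pagesize -a" output on a sun4v system (not captured from a real host).
SAMPLE_PAGESIZE_OUTPUT = "8192\n65536\n4194304\n268435456\n"

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
MIN_LOCKED_BYTES = 2 * _UNITS["g"]  # the 2 GB minimum from the procedure


def parse_size(text):
    """Parse a size such as '256m', '2G' or '2147483648' into bytes (binary units)."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_pagesizes(output):
    """Parse the lines of 'pagesize -a' into a sorted list of page sizes in bytes."""
    return sorted(int(tok) for tok in output.split() if tok.isdigit())


def check_cache_size(cache_size, max_locked, pagesizes):
    """Validate an orclecachemaxsize value against the documented constraints.

    Returns (ok, reason). Alignment is taken to mean a multiple of the largest
    supported page size (an assumption; that also covers the smaller sizes).
    """
    cache = parse_size(cache_size)
    locked = parse_size(max_locked)
    largest = max(pagesizes)
    if locked < MIN_LOCKED_BYTES:
        return False, f"project.max-locked-memory {max_locked} is below the 2 GB minimum"
    if cache >= locked:
        return False, f"orclecachemaxsize {cache_size} is not below project.max-locked-memory {max_locked}"
    if cache % largest:
        return False, f"orclecachemaxsize {cache_size} is not a multiple of the {largest}-byte page size"
    return True, "ok"


def resource_control_value(max_locked):
    """Render project.max-locked-memory the way projadd/projmod store it (bytes)."""
    return f"project.max-locked-memory=(priv,{parse_size(max_locked)},deny)"


if __name__ == "__main__":
    sizes = parse_pagesizes(SAMPLE_PAGESIZE_OUTPUT)
    for cache in ("256m", "300m", "3G"):
        print(cache, check_cache_size(cache, "2G", sizes))
    print(resource_control_value("2G"))
```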

2.1.11 Custom Audit Policy Settings Fail When Set Through Enterprise Manager

If you set custom Audit Policy Settings for Oracle Internet Directory through 11g Oracle Enterprise Manager Fusion Middleware Control and select audit Custom events with Failures Only, no audit logs are generated and the audit process for failure events fails. Subsequently, other audit events are not logged later, even if the Audit Policy Settings are changed to a different value such as Low, Medium, or High.

To make auditing function again through Enterprise Manager, select a default policy or a policy with custom events other than All Failures and then recycle the Oracle Internet Directory server processes.

Alternatively, you can set custom audit policies using LDAP command-line tools such as ldapmodify. For more information, see Section 23.4, "Managing Auditing from the Command Line" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

2.1.12 Deleting Mandatory attributeTypes Referenced by objectClass is Successful

If you delete a mandatory attributeType from the Oracle Internet Directory schema that is referenced by an objectClass in the schema, no error is returned and the attributeType is deleted successfully. This problem also affects a DN entry created with an objectClass that uses the mandatory attributeType: the mandatory attribute disappears from the DN entry without any notice when it is deleted from the schema.

2.1.13 Oracle Unified Directory 11.1.2.0 orclguid Attribute is Not Mapped for Server Chaining

If you configure Oracle Internet Directory server chaining for Oracle Unified Directory 11.1.2.0 and then search for users, the orclguid attribute is missing from the search results.

The orclguid attribute is missing because Oracle Unified Directory uses the iplanet default mapping (cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry), and the default iplanet mapping does not have orclguid mapped.

2.1.14 ODSM Browser Window Becomes Unusable

Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.

As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.

2.1.15 Bulkmodify Might Generate Errors

If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.

2.1.16 Turkish Dotted I Character is Not Handled Correctly

Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.

2.1.17 SQL of OPSS ldapsearch Might Take High CPU%

The SQL of an OPSS one-level ldapsearch operation, with the filter "orcljaznprincipal=value" and required attributes, might consume an unreasonably high percentage of database CPU. If this search impacts the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:

  1. Log in to the Oracle Database as user ODS and execute the following SQL:

    BEGIN
    DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS',
                                  TABNAME=>'CT_ORCLJAZNPRINCIPAL',
                                  ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE,
                                  CASCADE=>TRUE);
    END;
    /
    
  2. Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.

2.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

2.2.1 Accept TLS Protocol for SSL support

While configuring Oracle Internet Directory in SSL mode, if SSLv3 is disabled and you try to enable TLS mode only, the Oracle Internet Directory configuration hangs. This happens when the orclsslciphersuite attribute is populated with unsupported cipher suites.

The workaround is to remove the unsupported cipher suite from the orclsslciphersuite attribute. For more information about the supported cipher suite list, see "Supported Cipher Suites" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

In addition, you must completely disable SSLv3 and enable TLS when configuring Oracle Internet Directory in SSL mode. To enable only TLS (and disable SSLv3), set the value of the orclcryptoversion attribute to 28. This value refers to TLS 1.0, TLS 1.1, or TLS 1.2. For more information, see "Supported Protocol Versions" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Run the ldapmodify command to update the value of orclcryptoversion to 28 as follows:

ldapmodify -D "cn=orcladmin" -q -p portNum -h hostname -f ldifFile

Here ldifFile contains:

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclcryptoversion
orclcryptoversion: 28

2.2.2 TLSv1.2 Protocols and Ciphers Cannot be Configured from EM

In EM, when you navigate to OID -> Administration -> Server Properties and follow the Change SSL Settings link on the General tab, only one protocol version (v1) is offered. There is no way to configure the TLSv1.1 and TLSv1.2 protocols and their corresponding ciphers from this page.

The workaround is to use the ldapmodify command to configure the TLS protocols.

For more information, see "Configuring SSL by Using LDAP Commands" in the Fusion Middleware Administrator's Guide for Oracle Internet Directory.

2.2.3 ODSM Security Page Loads With Error When Accessed from EM

When you open Directory Service Manager from EM and select the Security tab, the Security tab opens in a popup window, but soon afterwards the page reports the following error:

"An unresolvable error has occurred. Please contact your administrator for more information"

Note:

This issue is intermittent.

As a workaround, when the error screen appears, click Back to return to ODSM. Further navigation from that page does not produce the error.

2.3 Documentation Errata

This section describes documentation errata. It includes the following topics:

2.3.1 New Superuser Account Must be Direct Member of DirectoryAdminGroup Group

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 12.6, "Creating Another Account With Superuser Privileges," does not mention that a new superuser account must be a direct member of the DirectoryAdminGroup group to use all Oracle Directory Services Manager (ODSM) features.

To use all ODSM features including the Security and Advanced tabs, a new superuser account must be a direct member of the DirectoryAdminGroup group. The new superuser account cannot be a member of a group that is in turn a member of the DirectoryAdminGroup group. In this configuration, the superuser would be able to access only the ODSM Home, Schema, and Data Browser tabs.

2.3.2 Server Restart After Adding an Encrypted Attribute is Not Documented

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that if you add an encrypted attribute to the list of sensitive attributes, you must restart the Oracle Internet Directory server instance for the new attribute to be added to the new list of sensitive attributes and recognized by the server.

Note:

The attributes in Table 28-1 "Sensitive Attributes Stored in orclencryptedattributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory are intended for use only by Oracle. Do not add to or modify the attributes shown in this table unless you are requested to do so by Oracle Support.

For more information, see the "Configuring Data Privacy" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

2.3.3 Setting Up Oracle Internet Directory SSL Mutual Authentication

Neither the Administrator's Guide for Oracle Internet Directory nor the Administrator's Guide describes how to set up Oracle Internet Directory SSL Client and Server Authentication. This information is provided in Note 1311791.1, which is available on My Oracle Support at:

https://support.oracle.com/

2.3.4 Replication Instructions in Tutorial for Identity Management are Incomplete

In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information.

Specifically, the instructions do not work unless the new consumer node is empty. If the new consumer node has pre-loaded data, then various conflict resolution and invalid attribute name format messages will appear in the replication logs.

For more information, see Section 40.1.7, "Rules for Configuring LDAP-Based Replication," in the Administrator's Guide for Oracle Internet Directory.