This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 2.1.1, "Substring Filter Not Supported for Collective Attributes"
Section 2.1.2, "Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time"
Section 2.1.3, "Search with Filter Containing AND Operation of Collective Attributes Not Supported"
Section 2.1.4, "Oracle Database Requires Patch to Fix Purge Job Problems"
Section 2.1.5, "ODSM Does Not Create Entry of Custom objectclass With Custom Mandatory Field"
Section 2.1.9, "Cloned Oracle Internet Directory Instance Fails or Runs Slowly"
Section 2.1.10, "Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM"
Section 2.1.11, "Custom Audit Policy Settings Fail When Set Through Enterprise Manager"
Section 2.1.12, "Deleting Mandatory attributeTypes Referenced by objectClass is Successful"
Section 2.1.16, "Turkish Dotted I Character is Not Handled Correctly"
Section 2.1.17, "SQL of OPSS ldapsearch Might Take High CPU%"
Oracle Internet Directory does not support substring filters for collective attributes. For instance, the following substring filter is not supported:
tenantguid=*234*
However, an equality filter, for instance tenantguid=12345, is supported for collective attributes.
Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time
If you perform ldapsearch on rootDSE to fetch the lastchangenumber attribute along with other attributes, then lastchangenumber is not retrieved.
For instance, when you run the following command, the lastchangenumber attribute is not retrieved:
ldapsearch -p port -D "cn=orcladmin" -w password -b "" -s base "objectclass=*" changelog lastchangenumber
The workaround for this problem is to perform ldapsearch on rootDSE for the lastchangenumber attribute only, as follows:
ldapsearch -p <port> -h <hostname> -b '' -s base '(objectclass=*)' lastchangenumber
lastchangenumber=4714
When the search filter contains only collective attribute expressions combined with an AND (&) operation, the server does not return the expected results.
For example, the following search, whose filter ANDs two collective attribute expressions, fails to return the desired result:
ldapsearch -b 'cn=u1,cn=collandbug' '(&(description=coll1 desc)(description=coll2 desc))' dn
Some versions of Oracle Database, such as 10.1.0.5.0rec.jul10, 10.2.0.4.5.psu, 10.2.0.5.1psu, 11.1.0.7.4psu, and 11.2.0.1.2psu, require a patch to fix Oracle Internet Directory purge job problems.
Without the patch, purge job operations do not function properly, and these symptoms can occur:
Oracle Internet Directory change logs do not get purged, and the purge log shows ORA-23421 errors.
Executing change log purge jobs with orclpurgenow set to 1 hangs.
If you are experiencing the preceding purge job problems with any of the listed Oracle Database versions, apply the latest Patch Set Update (PSU) for your Oracle Database that fixes RDBMS bug 9294838. You can apply the patch after you have installed Oracle Internet Directory.
On the Schema tab, create a custom attribute and a custom objectclass, and also mark the custom attribute as indexed. Now, on the Data Browser tab, if you create an entry of objectclass="custom object class", ODSM does not allow you to enter the mandatory value in the custom attribute field.
There is no workaround for this issue.
In ODSM, when you set up server chaining with Oracle Directory Server Enterprise Edition (ODSEE) as the backend, the following issues occur:
If you create an entry through ODSM, then ODSM appears to add the entry to the remote server through chaining. However, the entry is not added on the remote server, ODSEE.
If you add the preceding entry directly to the remote backend, navigate to the parent entry through the Data Explorer tab, and then export the same entry to LDIF, you will see duplicate entries.
This issue occurs when you upgrade Oracle Internet Directory from 10.1.4.3 to 11.1.1.9.0 on AIX. The upgrade fails during configuration with the following error:
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
The workaround for this issue is to add the Java option that disables ECDH ciphers while configuring Oracle Internet Directory 11.1.1.9.0, as shown in the following example:
ORACLE_HOME/config.sh -Doracle.ldap.odi.sslsocketfactory.disable-ecc=true
The ODSM interface might not appear as described in Internet Explorer 7.
For example, the Logout link might not be displayed.
If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.
In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.
This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.
The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.
For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:
Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)
Deploying Enterprise Manager agents in different Oracle Virtual Machines
To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:
Set the required environment variables. For example:
export ORACLE_INSTANCE=/u01/oid/oid_inst
export ORACLE_HOME=/u01/oid/oid_home
export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$PATH
export TNS_ADMIN=$ORACLE_INSTANCE/config
Connect to the Oracle Database and delete the entries with the undesired Oracle Internet Directory host names. For example, in the following queries, substitute the undesired host name for sourceHostname:
sqlplus ods@oiddb
delete from ods_shm where nodename like '%sourceHostname%';
delete from ods_shm_key where nodename like '%sourceHostname%';
delete from ods_guardian where nodename like '%sourceHostname%';
delete from ods_process_status where hostname like '%sourceHostname%';
commit;
Stop and then restart the cloned Oracle Internet Directory component. For example:
opmnctl stopproc ias-component=oid1
opmnctl startproc ias-component=oid1
Find the cn entries with the undesired Oracle Internet Directory host names. For example:
ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b "cn=subregistrysubentry" -s sub "objectclass=*" dn
cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
From the results in the previous step, remove the entries with the undesired host names. For example:
ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password "cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry"
ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password "cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry"
Verify that the undesired host names are removed. For example:
ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b "cn=subregistrysubentry" -s sub "objectclass=*" dn
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
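An added Python helper (not from the Oracle release notes) that parses the cn=subregistrysubentry search output from the procedure above, keeps only entries for hosts the clone should know, and emits the SQL delete statements and the ldapdelete commands for the rest, so the live host's entry is never removed by mistake. The DNs, host names and the oid_host/oid_port values are constructed placeholders, and ldapdelete is assumed to accept -q (prompt for password) as ldapmodify does elsewhere on this page.

```python
import re

# Constructed sample of the cn=subregistrysubentry ldapsearch output from the
# procedure above (host names are placeholders).
SAMPLE_REGISTRY_DNS = """\
cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
"""

# Registry entries have the form cn=<component>_<instance number>_<host>,...
REGISTRY_CN = re.compile(
    r"^cn=([^_,]+)_(\d+)_([^,]+),cn=osdldapd,cn=subregistrysubentry$")

# The tables and columns the SQL step of the procedure cleans up.
SQL_TABLES = (("ods_shm", "nodename"), ("ods_shm_key", "nodename"),
              ("ods_guardian", "nodename"), ("ods_process_status", "hostname"))


def parse_registry_dns(ldapsearch_output):
    """Return (dn, component, host) for every registry DN in the output."""
    entries = []
    for line in ldapsearch_output.splitlines():
        match = REGISTRY_CN.match(line.strip())
        if match:
            entries.append((match.group(0), match.group(1), match.group(3)))
    return entries


def stale_registry_entries(ldapsearch_output, keep_hosts):
    """Return (dn, host) pairs whose host is not one the clone should know."""
    keep = {h.lower() for h in keep_hosts}
    return [(dn, host) for dn, _component, host in parse_registry_dns(ldapsearch_output)
            if host.lower() not in keep]


def cleanup_sql(stale_hosts):
    """Build the delete statements of the SQL step for each undesired host."""
    statements = []
    for host in stale_hosts:
        # Only plain host names are interpolated into the LIKE pattern.
        if not re.fullmatch(r"[A-Za-z0-9.\-]+", host):
            raise ValueError("unexpected host name: %r" % host)
        for table, column in SQL_TABLES:
            statements.append("delete from %s where %s like '%%%s%%';" % (table, column, host))
    statements.append("commit;")
    return statements


def cleanup_ldapdelete(stale_dns, oid_host="oid_host", oid_port="oid_port"):
    """Build one ldapdelete per stale DN; -q prompts for the password instead
    of placing it on the command line (assumed to be accepted by ldapdelete)."""
    return ['ldapdelete -h %s -p %s -D cn=orcladmin -q "%s"' % (oid_host, oid_port, dn)
            for dn in stale_dns]
```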
See Also:
"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM):
5.11 11.1 sun4v sparc sun4v
As a workaround for this problem, set the following values, as shown in the next procedure:
Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.
Set the orclecachemaxsize attribute to less than the project.max-locked-memory value and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.
In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":
Log in to the Solaris SPARC system as the root user.
Check the project membership of the OID user.
If the OID user belongs to the default project:
Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project ID 3 represents the default project. For example:
# id -p oracle
uid=2345(oracle) gid=529(dba) projid=3(default)
# projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
# usermod -K project=oidmaxlkmem oracle
Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
# su - oracle
$ id -p oracle
uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
$ prctl -n project.max-locked-memory -i project 150
project: 150: oidmaxlkmem
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny                                 -
        system          16.0EB    max   deny                                 -
If the OID user belongs to a non-default project:
Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:
# id -p oracle
uid=2345(oracle) gid=529(dba) projid=125(oraproj)
# projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
# projects -l oraproj
oraproj
        projid : 125
        comment: ""
        users  : (none)
        groups : (none)
        attribs: project.max-locked-memory=(priv,2147483648,deny)
                 project.max-shm-memory=(priv,34359738368,deny)
# su - oracle
$ id -p
uid=2345(oracle) gid=529(dba) projid=125(oraproj)
$ prctl -n project.max-locked-memory -i project 125
project: 125: oraproj
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny                                 -
        system          16.0EB    max   deny                                 -
Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.
For example, using SQL*Plus, set the value to 256 MB:
sqlplus ods@oiddb
update ds_attrstore set attrval='256m' where entryid=940 and attrname='orclecachemaxsize';
commit;
Run the config.sh script to configure Oracle Internet Directory.
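The two conditions the workaround above places on orclecachemaxsize (below project.max-locked-memory, and aligned with the pagesize -a output) as an added Python check, not part of the Oracle release notes. The prctl and pagesize -a outputs are constructed samples, and "aligns with" is assumed to mean a multiple of the largest page size the system supports.

```python
import re

# Constructed sample outputs for a sun4v system (values are illustrative).
PAGESIZE_A_OUTPUT = "8192\n65536\n4194304\n268435456\n"
PRCTL_OUTPUT = """\
project: 150: oidmaxlkmem
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny                                 -
        system          16.0EB    max   deny                                 -
"""

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}


def parse_size(text):
    """Parse '256m', '2G', '2.00GB' or a bare byte count into bytes."""
    match = re.fullmatch(r"\s*([0-9]+(?:\.[0-9]+)?)\s*([kmgt]?)b?\s*", text, re.IGNORECASE)
    if not match:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(match.group(1)) * UNITS[match.group(2).lower()])


def locked_memory_limit(prctl_output):
    """Bytes allowed by the 'privileged ... deny' line that prctl prints."""
    match = re.search(r"privileged\s+(\S+)\s+\S+\s+deny", prctl_output)
    if not match:
        raise ValueError("no privileged project.max-locked-memory line found")
    return parse_size(match.group(1))


def supported_pagesizes(pagesize_output):
    """Page sizes from pagesize -a, smallest first."""
    return sorted(int(p) for p in pagesize_output.split())


def check_ecache_size(ecache, prctl_output, pagesize_output):
    """Return the list of problems; an empty list means the workaround is satisfied."""
    problems = []
    limit = locked_memory_limit(prctl_output)
    size = parse_size(ecache)
    if limit < 2 * 1024 ** 3:
        problems.append("project.max-locked-memory is below 2 GB")
    if size >= limit:
        problems.append("orclecachemaxsize is not less than project.max-locked-memory")
    largest = supported_pagesizes(pagesize_output)[-1]
    # Assumption: 'aligns with the supported page sizes' is read as 'is a
    # multiple of the largest page size listed by pagesize -a'.
    if size % largest != 0:
        problems.append("orclecachemaxsize is not a multiple of the %d-byte page size" % largest)
    return problems
```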
If you set custom Audit Policy Settings for Oracle Internet Directory through 11g Oracle Enterprise Manager Fusion Middleware Control and select audit Custom events with Failures Only, no audit logs are generated and the audit process for failure events fails. Subsequently, other audit events are not logged later, even if the Audit Policy Settings are changed to a different value such as Low, Medium, or High.
To make auditing function again through Enterprise Manager, select a default policy or a policy with custom events other than All Failures and then recycle the Oracle Internet Directory server processes.
Alternatively, you can set custom audit policies using LDAP command-line tools such as ldapmodify. For more information, see Section 23.4, "Managing Auditing from the Command Line" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Deleting Mandatory attributeTypes Referenced by objectClass is Successful
If you delete a mandatory attributeTypes under the Oracle Internet Directory schema that is referenced by an objectClass in the schema, no error is returned and the attributeTypes is deleted successfully.
This problem also occurs for a DN entry created using the objectClass that uses the mandatory attributeTypes. The mandatory attribute is missing from the DN entry without any notice when it is deleted from the schema.
orclguid Attribute is Not Mapped for Server Chaining
If you configure Oracle Internet Directory server chaining for Oracle Unified Directory 11.1.2.0 and then search for users, the orclguid attribute is missing from the search results.
The orclguid attribute is missing because Oracle Unified Directory uses the iplanet default mapping (cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry), and the default iplanet mapping does not have orclguid mapped.
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
As a workaround, go to the URL http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.
Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.
The SQL of an OPSS one-level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take an unreasonably high percentage of DB CPU. If this search performance impacts the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:
Log in to the Oracle Database as user ODS and execute the following SQL:
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS', TABNAME=>'CT_ORCLJAZNPRINCIPAL',
    ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE, CASCADE=>TRUE);
END;
/
Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 2.2.2, "TLSv1.2 Protocols and Ciphers Cannot be Configured from EM"
Section 2.2.3, "ODSM Security Page Loads With Error When Accessed from EM"
While configuring Oracle Internet Directory in SSL mode, if SSLv3 is disabled and you try to enable TLS mode only, the Oracle Internet Directory configuration hangs. This happens when the orclsslciphersuite attribute is populated with unsupported cipher suites.
The workaround is to remove the unsupported cipher suites from the orclsslciphersuite attribute. For more information about the supported cipher suite list, see "Supported Cipher Suites" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
In addition, you must completely disable SSLv3 and enable TLS when configuring Oracle Internet Directory in SSL mode. To enable only TLS (and disable SSLv3), modify the value of the orclcryptoversion attribute to 28. This value refers to TLS 1.0, TLS 1.1, or TLS 1.2. For more information, see "Supported Protocol Versions" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Run the ldapmodify command to update the value of orclcryptoversion to 28 as follows:
ldapmodify -D "cn=orcladmin" -q -p portNum -h hostname -f ldifFile
Here ldifFile contains:
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclcryptoversion
orclcryptoversion: 28
In EM, when you navigate to OID -> Administration -> Server Properties, and on the General tab open the Change SSL Settings link, only one protocol version, v1, is offered. There is no way to configure the TLSv1.1 and TLSv1.2 protocols and their corresponding ciphers there.
The workaround is to use the ldapmodify command to configure TLS protocols.
For more information, see "Configuring SSL by Using LDAP Commands" in the Fusion Middleware Administrator's Guide for Oracle Internet Directory.
In EM, Directory Service Manager, when you select the Security tab, the Security tab opens in a popup window, but soon after that an error is thrown on the page as follows:
"An unresolvable error has occurred. Please contact your administrator for more information"
Note:
This issue is intermittent.
As a workaround, when the error screen comes up, click Back to return to ODSM. Further navigation from the same page does not throw any errors.
This section describes documentation errata. It includes the following topics:
Section 2.3.1, "New Superuser Account Must be Direct Member of DirectoryAdminGroup Group"
Section 2.3.2, "Server Restart After Adding an Encrypted Attribute is Not Documented"
Section 2.3.3, "Setting Up Oracle Internet Directory SSL Mutual Authentication"
Section 2.3.4, "Replication Instructions in Tutorial for Identity Management are Incomplete"
New Superuser Account Must be Direct Member of DirectoryAdminGroup Group
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 12.6, "Creating Another Account With Superuser Privileges," does not mention that a new superuser account must be a direct member of the DirectoryAdminGroup group to use all Oracle Directory Services Manager (ODSM) features.
To use all ODSM features, including the Security and Advanced tabs, a new superuser account must be a direct member of the DirectoryAdminGroup group. The new superuser account cannot be a member of a group that is in turn a member of the DirectoryAdminGroup group. In that configuration, the superuser would be able to access only the ODSM Home, Schema, and Data Browser tabs.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that if you add an encrypted attribute to the list of sensitive attributes, you must restart the Oracle Internet Directory server instance for the new attribute to be added to the new list of sensitive attributes and recognized by the server.
Note:
The attributes in Table 28-1 "Sensitive Attributes Stored in orclencryptedattributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory are intended for use only by Oracle. Do not add to or modify the attributes shown in this table unless you are requested to do so by Oracle Support.
For more information, see the "Configuring Data Privacy" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Neither the Administrator's Guide for Oracle Internet Directory nor the Administrator's Guide describes how to set up Oracle Internet Directory SSL Client and Server Authentication. This information is provided in Note 1311791.1, which is available on My Oracle Support at:
In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information.
Specifically, the instructions do not work unless the new consumer node is empty. If the new consumer node has pre-loaded data, then various conflict resolution and invalid attribute name format messages will appear in the replication logs.
For more information, see Section 40.1.7, "Rules for Configuring LDAP-Based Replication," in the Administrator's Guide for Oracle Internet Directory.