5 Oracle Unified Directory

Known issues and workarounds for Oracle Unified Directory include general issues and known issues related to Oracle Unified Directory, Oracle Unified Directory Services Manager, and related directory components.

5.1 Supported Interfaces for Directory Virtualization Features

This section lists the interfaces that are supported for Directory Virtualization features.

Note:

To use the virtual directory capabilities described here, you must have a valid Oracle Directory Service Plus license.

Table 5-1 lists the supported interfaces for virtualization workflow elements in this release:

Note:

The Dynamic Tree and Flat Tree workflow elements are not supported in this release. If you encounter any functions in the interfaces for these workflow elements, do not execute them as they are not supported.

Table 5-1 Oracle Unified Directory Virtualization Features

| Workflow Element | Configure with Command Line | Configure with OUDSM | Additional Information |
|---|---|---|---|
| Join | Yes | Yes | See Configuring a Virtual Directory View of Your Repositories in Oracle® Fusion Middleware Administering Oracle Unified Directory. |
| HideByFilter | Yes | No | See Filtering Search Results Using the HideByFilter in Oracle® Fusion Middleware Administering Oracle Unified Directory. |
| GetRidOfDuplicates | Yes | No | See Eliminating Duplicate Entries from Search Results Using the GetRidOfDuplicates in Oracle® Fusion Middleware Administering Oracle Unified Directory. |
| Active Directory Password Update | Yes | No | See Updating User Passwords Stored in Active Directory in Oracle® Fusion Middleware Administering Oracle Unified Directory. |
| RDBMS | Yes | No | See Configuring Access to Identity Data Stored in an RDBMS in Oracle® Fusion Middleware Administering Oracle Unified Directory. |
| VirtualMemberOf | Yes | No | See Adding the memberof User Attribute to person Entries in Oracle® Fusion Middleware Administering Oracle Unified Directory. |

5.2 Oracle Unified Directory System Requirements and Specifications

You must read through the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the products you are installing.

Before performing any installation, you should read the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the products you are installing. The following documents are available on Oracle Technology Network (OTN):

The following sections describe additional information specific to Oracle Unified Directory installation requirements:

5.2.1 Hardware Requirements

You must bear in mind the minimum hardware requirements for installation that are recommended for this release.

As a general guideline, the following hardware is recommended:

Table 5-2 Recommended Hardware

| Hardware Component | Requirement |
|---|---|
| RAM | Evaluation purposes: At least 256 MB of free memory for a small database. Production: Minimum of 2 GB. |
| Local disk space | Evaluation purposes: For a small database and sufficient space for log files, your system should have at least 100 MB of free local disk space. Preferably, you should have at least 1 GB of disk space. Production: For a typical production deployment with a maximum of 250,000 entries and no binary attributes, such as images, 4 GB of disk space might be sufficient for the database only. You might need an additional 1 GB of disk space for log files. You need to determine disk space for the change log database (DB), which is dependent on the load (updates per second) and on the replication purge delay (that is, the time the server should keep information about internal updates). The change log DB can grow up to 30-40 GB with loads of 1,000 modifications per second. |

When you use global index replication, ensure that you have enough disk space for the replication change logs. By default, the change log stores changes from the last 100 hours. The configuration should be based on the expected size of the service. For example, you would need 150 GB for 5,000 modify/seconds.

For optimal performance, your system must have sufficient RAM for the JVM heap and database cache. The server also provides ready-to-use tuning. For more information about setting the JVM heap and database cache, see Configuring the JVM, Java Options, and Database Cache in Oracle® Fusion Middleware Installing Oracle Unified Directory.

Your system should also have enough disk space to store the generated log files. The server log files can consume up to 1 GB of disk space with default server settings. In replicated environments, the change log database can grow up to 30-40 GB with loads of 1,000 mods/sec. For information about setting the log file size, see Configuring Log Rotation Policies in Oracle® Fusion Middleware Administering Oracle Unified Directory.

You can configure Oracle Unified Directory in such a way that it uses substantially less, or more, disk space depending on your applications and performance needs. Any setup considerations must determine the amount of memory for the server's database and log files.

On Solaris and Linux systems, the operating system should be configured to have at least twice as much virtual memory as JVM heap. To achieve this, you might need to increase the size of the operating system swap space.

5.2.2 Software Requirements

You must bear in mind the software requirements that are to be met before beginning the installation.

In addition to meeting the operating system, application server, and JDK requirements described in this document:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

you must resolve the following operating system-specific requirements:

5.2.2.1 File Descriptor Requirements (Linux Systems)

The recommendation described in this section affects Linux systems only. All other supported platforms are not impacted.

To ensure optimal server performance, the total number of client connections, database files, and log files must not exceed the maximum file descriptor limit on the operating system (ulimit -n). By default, the directory server allows an unlimited number of connections but is restricted by the file descriptor limit on the operating system. Linux systems limit by default the number of file descriptors that any one process may open to 1024 per process.

After the directory server has exceeded the file descriptor limit of 1024 per process, any new process and worker threads will be blocked. For example, if the directory server attempts to open an Oracle Berkeley Java Edition database file when the operating system has exceeded the file descriptor limit, the directory server will no longer be able to open a connection, which can lead to a corrupted database exception. Likewise, if you have a directory server that exceeds the file descriptor limit set by the operating system, the directory server can become unresponsive as the LDAP connection handler consumes all of the CPU's processing capacity while attempting to open a new connection.

To fix this condition, set the maximum file descriptor limit to 65535 per process on Linux machines.

To view the maximum file descriptor limit, run the following command:

/sbin/sysctl -a | grep file-max

If the file-max value is lower than 65535, then perform the following steps:

  1. Using any text editor, create or edit the /etc/sysctl.conf file, and add or edit lines similar to the following:
    fs.file-max = 65536
    
  2. Enter the following command to change the current values of the kernel parameters:
    /sbin/sysctl -p
    
  3. Enter the command /sbin/sysctl -a | grep file-max to confirm that the values are set correctly.
  4. Using any text editor, edit the /etc/security/limits.conf file, and add the following lines:
    soft nofile 1024
    hard nofile 65535 
    

Note:

When you specify the values in the /etc/sysctl.conf or /etc/security/limits.conf file, they persist when you restart the system.
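A read-only audit of the settings from the steps above, added here as an example and not Oracle-supplied code. It compares fs.file-max (a system-wide ceiling) and the hard nofile entry for the server's account (the per-process limit) against 65535, and flags nofile lines that lack the leading domain field that limits.conf(5) requires; the account name oud, the function names and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Oracle code): audit the settings from section 5.2.2.1.
# Every path is a parameter, so the checks can run on copies of the files.

REQUIRED=65535   # per-process target stated on this page

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Effective fs.file-max in a sysctl.conf-style file (last assignment wins).
sysctl_file_max() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "fs.file-max" { found = $2; gsub(/[ \t]/, "", found) }
        END { if (found != "") print found }
    ' "$1"
}

# One line per nofile entry in a limits.conf-style file:
#   "<domain> <type> <value>"  when the line has the four fields limits.conf(5) defines
#   "MALFORMED <line>"         for a nofile line with any other field count
limits_nofile_entries() {
    awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        NF == 4 && $3 == "nofile" { print $1, $2, $4; next }
        /nofile/ { print "MALFORMED", $0 }
    ' "$1"
}

# Hard nofile limit for USER: an entry naming the user wins over the "*"
# wildcard. @group entries are not resolved in this example.
hard_nofile_for() {
    limits_nofile_entries "$1" | awk -v u="$2" '
        $1 == "MALFORMED" { next }
        ($2 == "hard" || $2 == "-") && $1 == u   { own = $3 }
        ($2 == "hard" || $2 == "-") && $1 == "*" { wild = $3 }
        END { if (own != "") print own; else if (wild != "") print wild }
    '
}

# Hard "Max open files" from a /proc/<pid>/limits-style file: what a running
# server actually received, whichever mechanism started it.
proc_hard_nofile() {
    awk '/^Max open files/ { print $5 }' "$1"
}

# audit_fd_limits SYSCTL_CONF LIMITS_CONF USER
# Prints one finding per line; exit status is 0 only when nothing was found.
audit_fd_limits() (
    n=0
    max=$(sysctl_file_max "$1")
    if ! is_uint "$max"; then
        echo "fs.file-max is not set in $1"; n=$((n + 1))
    elif [ "$max" -lt "$REQUIRED" ]; then
        echo "fs.file-max=$max is below $REQUIRED"; n=$((n + 1))
    fi
    bad=$(limits_nofile_entries "$2" | awk '/^MALFORMED/ { c++ } END { print c + 0 }')
    if [ "$bad" -gt 0 ]; then
        echo "$bad nofile line(s) in $2 lack the domain/type/item/value fields"; n=$((n + 1))
    fi
    hard=$(hard_nofile_for "$2" "$3")
    if ! is_uint "$hard"; then
        echo "no usable hard nofile entry for $3 in $2"; n=$((n + 1))
    elif [ "$hard" -lt "$REQUIRED" ]; then
        echo "hard nofile for $3 is $hard, below $REQUIRED"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
)

# Constructed sample files (not from a real host). limits.conf carries the two
# lines exactly as printed in step 4, plus an entry for "oud", a hypothetical
# service account.
write_samples() {
    mkdir -p "$1" || return 1
    printf '%s\n' '# constructed sample' 'fs.file-max = 32768' > "$1/sysctl.conf"
    printf '%s\n' 'soft nofile 1024' 'hard nofile 65535' \
        'oud hard nofile 4096   # hypothetical account' > "$1/limits.conf"
    printf '%s\n' \
        'Limit                     Soft Limit           Hard Limit           Units' \
        'Max open files            1024                 4096                 files' \
        > "$1/proc_limits"
}

# With a user name as argument, audit the real files; otherwise run on the samples.
if [ $# -ge 1 ]; then
    audit_fd_limits /etc/sysctl.conf /etc/security/limits.conf "$1"
else
    demo=$(mktemp -d) && write_samples "$demo"
    audit_fd_limits "$demo/sysctl.conf" "$demo/limits.conf" oud || true
    echo "running process hard limit: $(proc_hard_nofile "$demo/proc_limits")"
    rm -rf "$demo"
fi
```

limits.conf is applied by pam_limits when a session starts, so a server launched by an init system can end up with different limits; proc_hard_nofile /proc/<pid>/limits shows what the running process actually has.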

5.2.2.2 Specific Requirements for Installation in Solaris Zones

This section describes the specific requirements for installation of Oracle Unified Directory on Solaris Zones.

The Oracle Unified Directory software treats global, full local, and sparse zones as an independent physical system. Installing the server in any type of Solaris zone is therefore like installing on an independent system. The software does not share services or file locations with other zones.

5.2.3 Certified Languages

This section lists the supported languages, called certified languages.

Oracle Unified Directory 12c (12.2.1.3.0) is certified for the following languages:

  • Chinese (Simplified)

  • Chinese (Traditional)

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Spanish

  • Portuguese (Brazilian)

Note:

Certain error messages (specifically, the SEVERE and FATAL messages) are displayed in English only.

5.3 Software Environment Limitations and Recommendations

This section describes the limitations that might affect the initial deployment of your directory server.

The Oracle Unified Directory 12c (12.2.1.3.0) software has some limitations that might affect the initial deployment of your directory server. Follow the recommendations for deployments in this section.

Administrators also should appropriately tune the Oracle Unified Directory directory server and its Java Virtual Machine (JVM) to ensure that adequately sized hardware is made available to support heavy write operations. See Configuring the JVM, Java Options, and Database Cache in Oracle Fusion Middleware Installing Oracle Unified Directory.

This section describes the following topics:

5.3.1 OUD 12c (12.2.1.3.0) Limitations

This section lists the limitations of Oracle Unified Directory 12c (12.2.1.3.0). They are as follows:

  • The Oracle Unified Directory directory server provides full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.

  • For Enterprise User Security, Oracle Unified Directory is validated to store and manage users and groups locally, and also for proxying to other external directory servers. The list of supported external directory servers is documented in the certification matrix. See Viewing the Certification Matrix in Oracle Fusion Middleware Installing Oracle Unified Directory.

  • Oracle Unified Directory Server in proxy mode provides the best search performance when the search queries ask for the specific required attributes (rather than all the attributes) of an entry.

5.3.2 Viewing the Certification Matrix

This section describes the procedure to view the certification matrix.

To view the certification matrix:

  1. Access the Oracle Fusion Middleware Supported System Configurations landing page:
  2. Scroll down to System Requirements and Supported Platforms for Oracle Identity and Access Management 12c Release 2 (12.2.1.3.0).
  3. Click the xls link to view the certification matrix and then click the Interop tab for the list of supported external directory servers.

5.3.3 Software Recommendations

This section lists the recommendations for using Oracle Unified Directory (12.2.1.3.0).

The recommendations that are to be followed are:

  • The directory server provides better performance when the database files are cached entirely into memory.

  • The default settings of the Oracle Unified Directory directory server are targeted initially at evaluators or developers who are running equipment with a limited amount of resources. For this reason, you should tune the Java virtual machine (JVM) and the directory server itself to improve scalability and performance, particularly for write operations. See Configuring the JVM, Java Options, and Database Cache in Oracle Fusion Middleware Installing Oracle Unified Directory.

  • If you want to import large LDIF files by using the import-ldif command, then it is recommended that you use the --skipDNvalidation option. However, if you are not certain that the LDIF file is valid, using this option is not advised.

5.4 Oracle Unified Directory (OUD) Known Issues and Workarounds

The following sections describe known issues and limitations with the Oracle Unified Directory 12c (12.2.1.3.0) core server at the time of this release.

5.4.1 PBKDF2WithHmacSHA512–based password storage schemes might fail due to JDK bug

Issue

If you are using the following password storage schemes that are based on PBKDF2WithHmacSHA512 algorithm, then you might experience unpredictable results. This problem occurs owing to an issue with JDK 8.

  • cn=PBKDF2 HMAC SHA-512,cn=Password Storage Schemes,cn=config

  • cn=EUS PBKDF2 SHA-512,cn=Password Storage Schemes,cn=config

If you are using the preceding schemes on a heavily-loaded server, then you might not be able to bind to Oracle Unified Directory.

Workaround

This issue is fixed in JDK 9. This fix has been backported to JDK 8. Oracle recommends that you apply the JDK patch if you are using the preceding PBKDF2WithHmacSHA512–based password storage schemes in your configuration. For more information about applying this patch, you can contact My Oracle Support.

5.4.2 (Bug 25363559) Disabling the Deprecated File-Based Access, Admin Access, and Error Loggers

Issue

Bug Number: 25363559

In this release, Oracle Unified Directory provides a new set of "Oracle" log publishers, which write diagnostic log files in the Oracle Diagnostic Logging (ODL) format. The file-based access, admin access, and error loggers have therefore been deprecated in favor of the corresponding Oracle access, admin access, and error loggers. However, for backward compatibility reasons, they are also enabled by default, along with the corresponding Oracle loggers. It is therefore recommended that you disable the file-based access, admin access, and error loggers.

Workaround

Disable the deprecated file-based loggers (File-Based Access Logger, File-Based Admin Access Logger, and File-Based Error Logger) and rely on the corresponding Oracle loggers.

To disable a log publisher, set its enabled property to false. For example, to disable the File-Based Access Logger, run the following command:

$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \
  set-log-publisher-prop --publisher-name "File-Based Access Logger" \
  --set enabled:false

5.4.3 (Bug 20109035) OUD upgrade fails to set the purging flag in the ds-sync-hist index

Issue

Bug Number: 20109035

When the ds-cfg-purging flag of the ds-sync-hist index is set to false, the OUD upgrade fails to set the purging flag in the ds-sync-hist index.

Workaround

Set the ds-cfg-purging flag of the ds-sync-hist index to true. Then rebuild the ds-sync-hist index:

./dsconfig set-local-db-index-prop --element-name userRoot --index-name \
  ds-sync-hist --set purging:true

./rebuild-index -b "dc=example,dc=com" -i ds-sync-hist

5.4.4 (Bug 19786556) During modification of a large static group, the administrative limit might be exceeded

Issue

Bug Number: 19786556

Misleading additional information is reported when a large static group is modified.

Workaround

Increase the member-lookthrough-limit property. See Managing Static Groups With More Than 100,000 Members in Oracle® Fusion Middleware Administering Oracle Unified Directory.

5.4.5 (Bug 19778292) The dsreplication initialize-all command fails

Issue

Bug Number: 19778292

When you run the dsreplication initialize-all command, a failure can occur if one of the remote servers to initialize is stopped or is too slow.

Workaround

Rerun the dsreplication initialize-all command.

5.4.6 (Bug 19767906) ECL changes are delayed by the clock difference between servers in topology

Issue

Bug Number: 19767906

Although there are two servers in the replication topology, results are returned from one server only. This error occurs during data transfer between the replication servers.

Workaround

There is currently no workaround for this issue.

5.4.7 (Bug 19260923) Using the signal SIGSTOP causes failures

Issue

Bug Number: 19260923

When you use the signal SIGSTOP to pause the server, it can disable the backend upon using SIGCONT to resume server processing. This problem occurs because SIGSTOP is not supported by OUD.

Workaround

Set the BDB JE latch timeout to a duration longer than the duration between SIGSTOP and SIGCONT. The following is an example:

dsconfig set-workflow-element-prop --add je-property:je.env.latchTimeout="12 h"

5.4.8 (Bug 17874888) Removing the data-sync privilege for a user removes all privileges for that user

Issue

Bug Number: 17874888

The data-sync privilege was not an operational privilege and consequently the OUD server does not recognize this privilege. For example, if the root user is created as follows:

dn: cn=myroot,cn=Root DNs,cn=config
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: ds-cfg-root-dn-user
objectClass: organizationalPerson
userPassword: admin-password
cn: myroot
sn: myroot
ds-cfg-alternate-bind-dn: cn=myroot
givenName: My Root User
ds-privilege-name: -data-sync

then the OUD server does not recognize the privilege, and cannot remove it. Instead, the OUD server removes all privileges for this user.

Workaround

All references to this privilege in the OUD server configuration should be removed. For example:

$ ldapmodify -h localhost -p 4444 --useSSL
dn: cn=myroot,cn=Root DNs,cn=config
changetype:modify
delete:ds-privilege-name
ds-privilege-name: -data-sync
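
To find every reference before removing them, the following added example (not Oracle code) scans an LDIF copy of the server configuration for ds-privilege-name values that name data-sync, handling folded lines and flagging base64-encoded values for manual review. The function names, the second and third sample entries, and running it against an exported copy of the configuration are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle code): list entries whose ds-privilege-name
# still references the data-sync privilege described in section 5.4.8.

# find_data_sync_refs LDIF_FILE
# Prints "<dn><TAB><value>" per hit. Base64 values ("attr:: ...") are not
# decoded; they are reported as "<dn><TAB>BASE64" for manual review.
find_data_sync_refs() {
    awk '
        function handle(l,    i, attr, val) {
            i = index(l, ":")
            if (i == 0) return
            attr = tolower(substr(l, 1, i - 1))
            val = substr(l, i + 1)
            if (attr == "dn") { sub(/^[ \t]+/, "", val); dn = val; return }
            if (attr != "ds-privilege-name") return
            if (substr(val, 1, 1) == ":") { print dn "\tBASE64"; return }
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(val) ~ /^-?data-sync$/) print dn "\t" val
        }
        function pending() { if (line != "") handle(line); line = "" }
        { sub(/\r$/, "") }                                        # tolerate CRLF files
        /^#/ { pending(); comment = 1; next }                     # LDIF comment
        /^ / { if (!comment) line = line substr($0, 2); next }    # folded line
        { comment = 0 }
        /^$/ { pending(); dn = ""; next }                         # end of entry
        { pending(); line = $0 }
        END { pending() }
    ' "$1"
}

# Constructed sample: the first entry is the one shown on this page (shortened,
# with one value folded across two lines); the other two entries are invented.
sample_config_ldif() {
    cat <<'EOF'
dn: cn=myroot,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
cn: myroot
ds-privilege-name: -data-
 sync

dn: cn=auditor,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
cn: auditor
ds-privilege-name: -config-write

# comment lines are skipped
dn: cn=syncsvc,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
cn: syncsvc
DS-Privilege-Name: data-sync
EOF
}

# With a file argument, scan it; otherwise scan the constructed sample.
if [ $# -ge 1 ]; then
    find_data_sync_refs "$1"
else
    tmp=$(mktemp) && sample_config_ldif > "$tmp" && find_data_sync_refs "$tmp"
    rm -f "$tmp"
fi
```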

5.4.9 (Bug 17797663) Pass-Through Authentication subject to limitations when configured with Kerberos authentication provider.

Issue

Bug Number: 17797663

When pass-through authentication (PTA) is configured with a Kerberos authentication provider, certain conditions must be met in order for the bind to succeed.

Workaround

Configure PTA to meet the following conditions:

  • The user provider must be a local backend.

  • The PTA suffix, the user suffix, and the authentication suffix must be the same. The easiest way to configure the suffixes to be the same is to define the PTA suffix, and leave the other suffixes undefined.

5.4.10 (Bug 17689711) Enabling the changelog for a suffix on two servers will unexpectedly enable replication on the suffix

Issue

Bug Number: 17689711

You may encounter this issue when you have two servers containing two suffixes: one suffix already configured for replication (for example, dc=example,dc=com), and the other suffix not configured for replication (for example, cn=companyname). When you enable the changelog for cn=companyname in both servers, replication is automatically configured for the cn=companyname suffix because the servers themselves have already been defined and configured for replication.

Workaround

There is currently no workaround for this issue.

5.4.11 (Bug 14772631) If an AddOutboundTransformation definition contains a dot, then a search request might fail

Issue

Bug Number: 14772631

When you configure an AddOutboundTransformation with virtualAttr={%sn%.%cn%@o.com} where the definition contains a dot, then a search request with a filter on the virtualAttr parameter might not work correctly.

For instance, the sn and cn backend attribute values contain a dot, such as "sn:sn.light" and "cn:cn.light". Here, a search request with a filter on the virtualAttr, for example "virtualAttr=sn.light.cn.light@o.com", might not work correctly.

Workaround

There is currently no workaround for this issue.

5.4.12 (Bug 14080885) The moveplan interface does not have a field to update the path for keystore pin file

Issue

Bug Number: 14080885

The moveplan interface does not have a field to update the path for keystore pin file during the cloning process.

Workaround

Use the dsconfig command on the cloned instance to update the key-store-pin-file value of JKS Key Manager Provider.

5.4.13 (Bug 14652478) The runInstaller command fails to check for appropriate OS

Issue

Bug Number: 14652478

On Oracle Linux Enterprise 6, the runInstaller command may require i686 packages to be present on the system. Although the missing packages are not directly required for OUD to operate properly, they are required during the installation process.

Workaround

Prior to running the runInstaller command, install the required i686 packages. See Section 1.1 System Requirements and Certification in Oracle® Fusion Middleware Installing Oracle Unified Directory.

5.4.14 (Bug 14065106) Translation is not supported for some error message and online Help

Issue

Bug Number: 14065106

The messages and Help for the oudCopyConfig, oudExtractMovePlan, and oudPasteConfig command-line tools of Oracle Unified Directory are only available in English.

Workaround

There is currently no workaround for this issue.

5.4.15 (Bug 14055062) If the value for parameter -j,--rootUserPasswordFile is provided as a relative path, commands fail

Issue

Bug Number: 14055062

On Windows systems, if the value for the -j, --rootUserPasswordFile parameter is provided as a relative path, then the oud-setup, oud-proxy-setup, and oud-replication-gateway-setup commands fail.

Workaround

Provide an absolute path for the -j, --rootUserPasswordFile parameter.

For example:

-j C:\local\Password.txt

5.4.16 (Bug 13996369) The gicadm command does not import a catalog

Issue

Bug Number: 13996369

The gicadm command does not import a catalog when you specify a relative path.

Workaround

Specify an absolute path to import a catalog.

5.4.17 (Bug 13965857) If you specify an alternative location for a cloned server instance, the cloned server instance is not completely configured

Issue

Bug Number: 13965857

The -tih, -targetInstanceHomeLoc option of the oudPasteConfig command allows you to specify the location of the cloned server instance. If you specify an alternative location for the cloned server instance, the instance is still created in the default location (TARGET_ORACLE_HOME/../TARGET_INSTANCE_NAME) and no error message is generated. However, the cloned server is only partially configured, because some custom parameters are not updated in the cloned server instance.

Workaround

To successfully clone the server instance, as the -tih parameter is mandatory, you must explicitly provide the default location for the -tih parameter as follows:

-tih TARGET_ORACLE_HOME/../TARGET_INSTANCE_NAME

5.4.18 (Bug 13954545) The ldapsearch.bat client incorrectly handles a trailing asterisk character

Issue

Bug Number: 13954545

On a Windows system with a JDK 1.7 (previous to Update 11) JVM instance running, the ldapsearch.bat client might not handle the trailing "*" correctly.

Workaround

Download the latest JDK version to leverage the fixes and updates that are added to the Java SE platform.

5.4.19 (Bug 12291860) No SNMP trap is sent if the server is stopped using the stop-ds command with no credentials

Issue

Bug Number: 12291860

On Windows systems, no SNMP trap is sent if the server is stopped by using stop-ds with no credentials. The server is, however, stopped correctly.

The SNMP trap is sent if the server is stopped by using stop-ds -D bindDN -p password.

Workaround

There is currently no workaround for this issue.

5.4.20 (Bug 12280658) The ModDN operation is not supported if DNs are indexed in the global index catalog (GIC)

Issue

Bug Number: 12280658

When a distribution is using a GIC, and the GIC indexes the entry DNs, the ModifyDN operation is not supported.

If DNs are not indexed in the global index catalog, the modify DN operation is supported. Otherwise, only the modify RDN operation is supported.

Workaround

Although indexing the DN is recommended for performance reasons, as a workaround in this situation, do not index the DN.

5.4.21 (Bug 12266690) Load balancing routes are deleted without warning

Issue

Bug Number: 12266690

If you delete the load balancing workflow element or the load balancing algorithm, the load balancing routes are also deleted without any warning.

Workaround

There is currently no workaround for this issue.

5.4.22 (Bug 11718654) Error Occurs in Replicated Topology with a Heavy Workload

Issue

Bug Number: 11718654

In a replicated topology, if the server has a heavy workload, then the following error message is recorded in the error log: "The server failed to obtain a read lock on the parent entry dc=example, dc=com after multiple attempts."

Workaround

Configure a larger database cache. See Tuning the Server Configuration in Oracle® Fusion Middleware Administering Oracle Unified Directory.

5.5 Oracle Unified Directory Services Manager (OUDSM) Known Issues and Workarounds

The following sections describe known issues with Oracle Unified Directory Services Manager at the time of Oracle Unified Directory 12c (12.2.1.3.0) release.

Note:

If Oracle Unified Directory has recently been updated, you might encounter a problem when you try to invoke Oracle Unified Directory Services Manager. During an Oracle Unified Directory update operation, Oracle Unified Directory Services Manager is also updated, and the Oracle Unified Directory Services Manager URL can change. This problem usually occurs if you used your browser to invoke the earlier version of Oracle Unified Directory Services Manager.

Therefore, to invoke the updated version of Oracle Unified Directory Services Manager, first clear your browser's cache and cookies.

This section describes the following known issues and workarounds:

5.5.1 (Bug 17582404) ADF error is displayed in WebLogic Server logs.

Issue

Bug Number: 17582404

When accessing an entry in the data view, the following error message appears in the WebLogic Server logs:

<Oct 9, 2013 8:04:17 AM PDT> <Error>
<oracle.adf.controller.internal.binding.TaskFlowRegionInitialConditions>
<ADFC-64007> <ADFc: Task flow binding parameter 'entryObject' of type
'oracle.idm.directoryservices.odsm.model.oid.UserEntry' on binding
'oidDBdetailtaskflow' is not serializable, potential for incorrect
application behavior or data loss.> 

Workaround

The error does not affect the WebLogic Server functionality. You can safely ignore the message.

5.5.2 (Bugs 18789805/18915580/18905879/18884612/18874750) Modification Issues with Join Workflow Element

Issue

Bug Number: 18789805/18915580/18905879/18884612/18874750

The results of modification of certain elements and parameters in JOIN Workflow Element in OUDSM are not saved.

The list of parameters that are not saved are:

  • "Attribute Storage", "Attribute Retrieval" for both Primary and Secondary Participant

  • join suffix value

  • join condition

  • bind priority in the Participant Relations

  • LDAP operations

Workaround

Use dsconfig to do the modification.

5.5.3 (Bug 18871434) Join DN attribute does not return in Advanced Search in OUDSM

Issue

Bug Number: 18871434

In OUDSM, a query using Advanced Search does not return the Join DN attribute. Using ldapsearch, the search returns the Join DN attribute.

Workaround

Use ldapsearch to get the Join DN attribute.

5.5.4 (Bug 19028533) Adv Search: Issue with Search in pick attributes table

Issue

Bug Number: 19028533

On the Advanced Search page, the search operation in the Attribute picker window for the "Fetched Attributes" and "Sort Results On" sections returns the error: "An unresolvable error has occurred. Contact your administrator for more information."

Workaround

Manually select the attribute by scrolling down the Select Attribute table.

5.5.5 (Bug 17462792) Subtabs may not display as designed on Solaris

Issue

Bug Number: 17462792

When accessing the Directory Service Manager tab or Topology Manager tab using Firefox on a Solaris system, the subtabs may not display as expected.

Workaround

Click the forward arrows (>>) or back arrows (<<) to open a menu, and then navigate among the subtabs.

5.5.6 (Bug 17262682) Default browser settings may not allow OUDSM URL to be accessible on Windows 2008 R2

Issue

Bug Number: 17262682

After installing OUD and OUDSM on Windows 2008 R2, when you try to access the OUDSM URL, the message "Starting Oracle Directory Services Manager..." displays, but the OUDSM application does not load in the browser as expected. This can occur when you use Microsoft Internet Explorer version 8 or 9 browsers.

Workaround

  1. Verify that JavaScript is enabled.

  2. Add the OUDSM URL in the trusted sites.

    Go to Tools -> Internet Options -> Security -> Trusted sites -> Sites -> Add. Then click Add to add the OUDSM URL to a site.

5.5.7 (Bug 16946878) Alerts not sent as designed

Issue

Bug Number: 16946878

On the Alert Handler Properties page, the Disabled Alert Type and Enabled Alert Type fields do not work as designed. Regardless of the setting for either field, alerts are never sent as expected.

Workaround

Use dsconfig set-alert-handler-prop to add or remove enabled-alert-type or disabled-alert-type values.

Use dsconfig set-alert-handler-prop --add enabled-alert-type:alert type value to add an enabled-alert-type value.

Use dsconfig set-alert-handler-prop --remove enabled-alert-type:alert type value to remove an enabled-alert-type value.

Example:

# dsconfig -h slc03roj -p 4444 -D "cn=Directory Manager" -j /tmp/oud -n -X set-alert-handler-prop --handler-name "SMTP Alert handler name" --remove enabled-alert-type:org.opends.server.DirectoryServerShutdown

5.5.8 (Bug 16056177) On the Advanced Search page, when you click an entry in the Search Results table, some buttons do not behave as expected

Issue

Bug Number: 16056177

On the Advanced Search page, when you click an entry in the Search Results table, the Show Attributes button does not appear if Optional Attributes is already expanded. However, if you collapse Optional Attributes and then expand it, the Show Attributes button appears. But when you click the button, the Select Attributes dialog box is blank.

Workaround

To view the entry details, you can select the same entry from the Data Browser tab.

5.5.9 (Bug 15928439) Java NullPointer exception occurs if a changelog entry does not contain a specified objectclass

Issue

Bug Number: 15928439

When this NullPointer exception is encountered, the contents of that particular changelog entry cannot be accessed from OUDSM. You can continue to use OUDSM to perform other tasks and access other entries.

Workaround

To access a changelog entry with no objectclass specified, use a different LDAP client.

5.5.10 (Bug 12363352) In the screenreader mode, focus for some buttons does not work as expected

Issue

Bug Number: 12363352

When you are in the screenreader mode, the Create, Apply, and Cancel buttons in the OUDSM interface do not get focus after modification.

Workaround

Press the Tab key until you get the focus on the required button. Alternatively, you can use the mouse to activate the required button.

5.6 Related Oracle Directory Components Known Issues and Workarounds

This section describes the known issues and their workarounds for Oracle Directory Integration Platform and Oracle Identity Governance Framework.

5.6.1 Oracle Directory Integration Platform

Known issues and workarounds for Oracle Directory Integration Platform include general issues and configuration issues.

5.6.1.1 General Oracle Directory Integration Platform Issues and Workarounds

5.6.1.1.1 Enabling the Domain-Wide Administration Port on Oracle WebLogic Server Prevents use of the DIP Command Line Interface

Issue

Be aware that enabling the domain-wide administration port on any WebLogic server running Directory Integration Platform will prevent you from using the DIP command line interface using a standard administrator account. Entering DIP commands will result in an error similar to the following:

User: "weblogic", failed to be authenticated

Workaround

Administrators can still use the Enterprise Manager (EM) GUI to configure and manage Oracle Directory Integration Platform.

5.6.1.1.2 LDIF Files That Contain Non-ASCII Characters Will Cause the testProfile Command Option to Fail if the LDIF File has Native Encoding

Issue

When running DIP Tester from a command-line, the manageSyncProfiles testProfile command will fail if the -ldiffile option is specified and the LDIF file contains non-ASCII characters.

Workaround

Note that LDIF files with UTF-8 encoding are not impacted by this limitation. If an LDIF file containing multibyte characters cannot be saved with UTF-8 encoding, then use the following workaround:

  1. From a command-line, add the entry using the ldapadd command and include the -E option to specify the locale. For the required command syntax, see ldapadd Command Reference in Oracle Fusion Middleware Reference for Oracle Identity Management.

  2. Get the specific changeNumber for the last add operation.

  3. Execute the testProfile command using the changeNumber from the previous step.

    For more information, see the section Running DIP Tester From the WLST Command-Line Interface in Oracle Fusion Middleware Administering Oracle Directory Integration Platform.
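The following pre-flight check is an added example, not Oracle code. It reports whether an LDIF file is pure ASCII, valid UTF-8, or in a native encoding that needs the workaround above, and re-encodes the file when the native encoding is known. The function names, the sample entry, and the choice of ISO-8859-1 as the native encoding are assumptions made for illustration.

```python
import codecs

def classify_ldif(data: bytes):
    """Return (kind, bad_lines): kind is 'ascii', 'utf-8' or 'native'.

    bad_lines holds the 1-based numbers of lines whose non-ASCII bytes are
    not valid UTF-8, i.e. the lines that put the file in the failing case.
    """
    if data.startswith(codecs.BOM_UTF8):
        data = data[len(codecs.BOM_UTF8):]
    saw_non_ascii = False
    bad_lines = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        if line.isascii():
            continue
        saw_non_ascii = True
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            bad_lines.append(lineno)
    if not saw_non_ascii:
        return "ascii", []
    return ("native", bad_lines) if bad_lines else ("utf-8", [])

def to_utf8(data: bytes, native_encoding: str) -> bytes:
    """Re-encode LDIF bytes from a known native encoding to UTF-8.

    Decoding is strict, so a wrong native_encoding guess raises
    UnicodeDecodeError for encodings that reject some byte sequences.
    """
    return data.decode(native_encoding, errors="strict").encode("utf-8")

# Constructed sample entry (not taken from any real directory).
SAMPLE = (
    "dn: cn=José Núñez,ou=people,dc=example,dc=com\n"
    "objectClass: person\n"
    "cn: José Núñez\n"
    "sn: Núñez\n"
)

if __name__ == "__main__":
    native = SAMPLE.encode("latin-1")   # assumed native encoding
    print(classify_ldif(native))        # file needs conversion or the workaround
    print(classify_ldif(to_utf8(native, "latin-1")))
```

If the file cannot be converted because its native encoding is unknown, the `bad_lines` list identifies the entries to add with ldapadd instead.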

5.6.1.1.3 Running the testProfile Command with LDIF Files Option Fails in Advance Mode

Issue

When running DIP Tester from a command-line in advance mode, the manageSyncProfiles testProfile command will fail if the -ldiffile option is specified and may synchronize the wrong operation.

Workaround

To resolve this issue, run the manageSyncProfiles updatechgnum command. See Running DIP Tester From the WLST Command-Line Interface in Oracle Fusion Middleware Administering Oracle Directory Integration Platform.

5.6.1.1.4 Some Changes May Not Get Synchronized Due to Race Condition in Heavily-Loaded Source Directory

Issue

If the source directory is heavily-loaded, a race condition may occur where database commits cannot keep pace with updates to the lastchangenumber. If this race condition occurs, Oracle Directory Integration Platform may not be able to synchronize some of the changes.

Note:

This issue only occurs if you are using Oracle Internet Directory as the back-end directory.

Workaround

To resolve this issue, perform the following steps to enable database commits to keep pace with the lastchangenumber:

  1. Increase the value of the synchronization profile's Scheduling Interval.

  2. Control the number of times the search is performed on the source directory during a synchronization cycle by setting the searchDeltaSize parameter in the profile. Oracle suggests starting with a value of 10, then adjusting the value as needed.

5.6.1.1.5 manageSyncProfiles Utility Prompts for Connected Directory Password

Issue

When you run the manageSyncProfiles utility to synchronize with a database, the manageSyncProfiles register command prompts for the connected directory password.

Workaround

Ensure that you specify the connected database password and not the directory password.

5.6.1.1.6 The Oracle Password Filter for Microsoft Active Directory Installation Screens Displays 11g Version

There is no impact to functionality and no user action is needed.

5.6.1.1.7 Resource Usage Charts will not be Displayed

The DIP home page does not display the resource usage charts in Oracle Directory Integration Platform 12c (12.2.1.3).

5.6.1.2 Oracle Directory Integration Platform Configuration Issues and Workarounds

5.6.1.2.1 Specify the Service Name While Creating Synchronization Profiles

When you create the synchronization profile, ensure that you specify the database service name and not the SID.

Examples:

To connect to a database, use the form host:port:serviceName for the odip.profile.condirurl connection detail property in a directory synchronization profile.

Specify the database service name for Database Service ID in the Create Synchronization Profile page in Oracle Enterprise Manager Fusion Middleware Control. See Creating Synchronization Profiles in Oracle Fusion Middleware Administering Oracle Directory Integration Platform.

5.6.1.2.2 If Oracle Internet Directory is the Back-End Directory then do not use localhost as Oracle Internet Directory Hostname When Configuring Oracle Directory Integration Platform

When configuring Oracle Directory Integration Platform against an existing Oracle Internet Directory using the Configuration Wizard, you must specify the hostname for Oracle Internet Directory using only its fully qualified domain name (such as myhost.example.com). Do not use localhost as the Oracle Internet Directory hostname even if Oracle Directory Integration Platform and Oracle Internet Directory are collocated on the same host.

If you use localhost as the Oracle Internet Directory hostname, you will not be able to start the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform.

5.6.1.2.3 You may Need to Restart the Directory Integration Platform After Running dipConfigurator Against Oracle Unified Directory

After running dipConfigurator against an Oracle Unified Directory (OUD) endpoint, if you are unable to open the Directory Integration Platform (DIP) UI in Enterprise Manager, stop and start DIP to fix the UI problem.

5.6.1.2.4 When Configuring a Profile, you may Need to Scroll Past a Section of Whitespace to View Mapping Rules

If you are using Internet Explorer to view the Directory Integration Platform (DIP) UI, you may need to scroll past a large blank space to see the profile mapping rules section. This issue is not known to affect other browsers.

5.6.1.2.5 Specify the Host Name and Port Number for an Oracle RAC Database

Issue

While configuring Oracle Directory Integration Platform for Oracle Internet Directory as the back-end directory, if you only specify the URL for the RAC database in the dbconfig file, then the following error messages appear:

Error occurred in configuring DataSource. 
Error occurred in rolling back DataSource changes. 
Error occurred in configuring DataSource. 
Error occurred during DIP configuration Step - DataSourceConfigurationStep. 
Error occurred in DIP configuration against OID as backend. 

Workaround

To resolve this issue, specify the URL, DB_HOST, and DB_PORT for the Oracle RAC database in the dbconfig file.

5.6.1.3 Provisioning Issues

5.6.1.3.1 Modification may not Propagate Using Interface Protocol (Inbound) Version 3.0

Issue

When an inbound provisioning profile with interface protocol version 3.0 is configured with Oracle Internet Directory (Back-End Directory), then modification fails to propagate.

Workaround

See https://support.oracle.com/.

5.6.1.3.2 Provisioning from Oracle Internet Directory (Back-End Directory) to an Application May Fail

Issue

If you delete a provisioning profile for Oracle Internet Directory, and recreate it with same name, then the provisioning from Oracle Internet Directory to an application may fail.

Workaround

To resolve this issue, create a provisioning profile and specify a new name.

For more information on creating a provisioning profile, see About manageProvProfiles Command in Oracle Fusion Middleware Administering Oracle Directory Integration Platform.

5.6.2 Oracle Identity Governance Framework

Known issues and workarounds for Oracle Identity Governance Framework include general issues and known issues related to Identity Governance Framework and Library Oracle Virtual Directory (LibOVD).

5.6.2.1 LibOVD Known Issues and Workarounds

Known issues related to LibOVD for release 12c (12.2.1.3.0).

5.6.2.1.1 libovdconfig.bat script Does Not Support a Space in File Path

Issue

On the Microsoft Windows platform, the libovdconfig.bat script does not work if the path to your Java installation in the -jreLoc option includes a space character. For example, C:\Program Files\Java\jdk1.7.0_21.

Workaround

Provide the path to your Java installation in DOS 8.3 format.

For example:

-jreloc C:\Progra~1\Java\jdk1.7.0_21

5.6.2.1.2 Users with Same Name in Multiple Identity Stores

Issue

If a user name is present in more than one LDAP repository and the virtualize property is set to use LibOVD, then the data in only one of those repositories is returned when you query that user name with the Identity Directory API.

Workaround

Currently, there is no workaround for this issue.

5.6.2.2 Oracle Identity Governance Framework Documentation Changes

Identity Governance Framework introduces some behavioral changes in the 12c (12.2.1.3.0) release. This includes deprecated and desupported features and components.

Deprecated Chapters or Books

By deprecate, we mean that the feature is no longer being enhanced but is still supported for the full life of the 12c (12.2.1.3.0) release. By desupported, we mean that Oracle will no longer fix bugs related to that feature and may remove the code altogether. Where indicated, a deprecated feature may be desupported in a future major release.