Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for Linux x86-64 Part Number E14770-33
This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 26.1.3, "Turkish Dotted I Character is Not Handled Correctly"
Section 26.1.4, "OIDCMPREC Might Modify Operational Attributes"
Section 26.1.6, "Apply Patch to Oracle Database 11.2.0.1.0 to Fix Purge Job Problem"
Section 26.1.7, "SQL of OPSS ldapsearch Might Take High %CPU"
Section 26.1.10, "ODSM Bug Requires Editing of odsmSkin.css File"
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
As a workaround, go to the URL http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.
Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.
By default, the oidcmprec tool excludes operational attributes during comparison. That is, oidcmprec does not compare the operational attribute values in source and destination directory entries. During reconciliation of user-defined attributes, however, operational attributes might be changed.
The oidrealm tool supports creation, but not deletion, of a realm. A procedure for deleting a realm is provided in Note 604884.1, which is available on My Oracle Support at https://support.oracle.com/.
If you use Oracle Database 11.2.0.1.0 with Oracle Internet Directory, apply Patch 9952216 (11.2.0.1.3 PSU) to Oracle Database. Purge jobs do not function properly without this patch.
The SQL of an OPSS one-level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take unreasonably high %DB CPU. If this search performance impacts the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:
Log in to the Oracle Database as user ODS and execute the following SQL:
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS', TABNAME=>'CT_ORCLJAZNPRINCIPAL', ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE, CASCADE=>TRUE);
END;
/
Flush the shared pool.
If you start the replication server by using the command line, stop it by using the command line. If you attempt to stop it by using Oracle Enterprise Manager Fusion Middleware Control, the attempt fails.
See Also:
Note 1313395.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com
The ODSM interface might not appear as described in Internet Explorer 7.
For example, the Logout link might not be displayed.
If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.
Due to a misplaced comment in the file odsmSkin.css, some labels on the ODSM home page are not displayed correctly. Specifically, the labels in the diagram on the right are misplaced or missing.
To work around this issue, proceed as follows:
Stop the wls_ods1 managed server.
Edit the file:
MW_HOME/user_projects/domains/DOMAIN_NAME/servers/MANAGED_SERVER_NAME/tmp/_WL_user/ODSM_VERSION_NUMBER/RANDOM_CHARACTERS/war/skins/odsmSkin.css
For example:
wlshome/user_projects/domains/base_domain/servers/wls_ods1/tmp/_WL_user/odsm_11.1.1.2.0/z5xils/war/skins/odsmSkin.css
Before editing, the odsmSkin.css file looks like this:
@agent ie
/*========== Fix for bug#7456880 ==========*/
{
  af|commandImageLink::image,
  af|commandImageLink::image-hover,
  af|commandImageLink::image-depressed
  {
    vertical-align:bottom;
  }
}
Move the comment:
/*========== Fix for bug#7456880 ==========*/
so that it is above the line
@agent ie
After editing, the file should look like this:
/*========== Fix for bug#7456880 ==========*/
@agent ie
{
  af|commandImageLink::image,
  af|commandImageLink::image-hover,
  af|commandImageLink::image-depressed
  {
    vertical-align:bottom;
  }
}
Restart the wls_ods1 managed server.
This section describes configuration issues and workarounds. It includes the following topics:
If you configure Oracle Internet Directory to use SSL in server authentication mode or mutual authentication mode on your test machine, and then move Oracle Internet Directory to a production machine, re-create the Oracle Internet Directory wallet on the production machine.
The old wallet contains the host name of the original machine as the DN in the certificate. This host name in the DN is not changed during the test to production move. Re-create the wallet on the production machine to avoid SSL communication issues.
When you configure Oracle Internet Directory (OID) for privileged ports as described in the section "Configure the First Oracle Internet Directory Instance" of Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management, the configuration wizard displays the following prompt when you run oracleRoot.sh:
Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)
If you select yes, the script execution fails with the following error:
/u01/app/fmw/idm/oracleRoot.sh: line 47: syntax error: unexpected end of file
To work around this issue, modify the oracleRoot.sh file located in the ORACLE_HOME directory. Change the following line:
fi# This command path is not already provided in the existing root.sh:
to
fi # This command path is not already provided in the existing root.sh:
Rerun oracleRoot.sh to continue configuring Oracle Internet Directory.
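The error arises because the shell treats # as the start of a comment only at the beginning of a word, so fi# is read as an ordinary command name and the if block is never closed. The following added example (not Oracle's script; the miniature sample script and the function names syntax_ok, fix_fi_comment, make_sample and demo are constructed for illustration) reproduces the parse failure with a syntax-only check, applies the same one-character fix, and checks again:

```shell
#!/bin/sh
# Added example: constructed miniature of the oracleRoot.sh defect.
# '#' begins a comment only at the start of a word, so "fi#" is parsed
# as a command named "fi#" and the enclosing "if" is left unterminated.

# syntax_ok FILE: return 0 when the shell parser accepts FILE.
# "sh -n" reads and parses the script without executing any command.
syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# fix_fi_comment FILE: insert the missing space between a leading "fi"
# and a comment glued directly onto it.
fix_fi_comment() {
    sed 's/^\([[:space:]]*fi\)#/\1 #/' "$1" > "$1.fixed" && mv "$1.fixed" "$1"
}

# make_sample FILE: write a constructed script carrying the same defect.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
if [ -f ./oidRoot.sh ]; then
    echo "would run oidRoot.sh"
fi# This command path is not already provided in the existing root.sh:
echo "done"
EOF
}

# demo: report the parser verdict before and after the fix.
demo() {
    tmp=$(mktemp) || return 1
    make_sample "$tmp"
    if syntax_ok "$tmp"; then before=ok; else before=broken; fi
    fix_fi_comment "$tmp"
    if syntax_ok "$tmp"; then after=ok; else after=broken; fi
    rm -f "$tmp"
    echo "$before->$after"
}

demo
```

Running a syntax-only check of this kind on a root-level script after editing it confirms the fix before the script is executed with privileges.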
This section describes documentation errata. It includes the following topics:
Section 26.3.1, "Bulkdelete Deletes Entries, not Attributes"
Section 26.3.2, "ODSM Section Should Refer to Oracle Internet Directory"
Section 26.3.3, "Incorrect Bug Numbers in Prerequisites for Rolling Upgrade"
Section 26.3.5, "Setting Up Oracle Internet Directory SSL Mutual Authentication"
Section 26.3.6, "ODSM Schema Tab is Available to Non-Super User"
Section 26.3.10, "Incorrect LDIF File for Enabling Referential Integrity"
Section 26.3.12, "Oracle Internet Directory Wallets Must be Auto Login"
Section 26.3.13, "List of bulkmodify Limitations is Incomplete"
Section 26.3.14, "orclpwdmaxinactivity Attribute Should be orclpwdmaxinactivitytime"
Section 26.3.15, "Replication Instructions in Tutorial for Identity Management are Incomplete"
The section on bulkdelete in the "Performing Bulk Operations" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory is entitled "Deleting Entries or Attributes of Entries by Using bulkdelete." This title is misleading. You can only use bulkdelete to delete entire entries or subtrees. The first sentence in that section is also misleading and should be ignored.
The Chapter 7 section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory entitled "Single Sign-On Integration with Oracle Directory Services Manager" contains references to Oracle Virtual Directory. It should actually refer to Oracle Internet Directory.
The bug fix numbers listed in the Prerequisites section of the "Performing Rolling Upgrades" appendix to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory are incorrect. They should be as follows:
If you have Oracle Internet Directory Version 11.1.1.2.0, apply the fix for bug number 10431688 on each Middleware Oracle home.
If you have Oracle Internet Directory Version 11.1.1.3.0, apply the fix for bug number 10431664 on each Middleware Oracle home.
In Oracle Internet Directory 11g (11.1.1.3) and (11.1.1.4), the default value of orclcryptoscheme is SSHA. The documentation is incorrect in the following places:
Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Table 9-3, "Attributes of the DSE."
Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Chapter 30, "Managing Password Verifiers," in the section "Hashing Schemes for Creating Userpassword Verifiers."
Oracle Fusion Middleware Reference for Oracle Identity Management, Chapter 8, "LDAP Attribute Reference," entry for orclcryptoscheme.
Neither Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory nor Oracle Fusion Middleware Administrator's Guide describes how to set up Oracle Internet Directory SSL Client and Server Authentication. This information is provided in Note 1311791.1, which is available on My Oracle Support at:
Section 7.4.1.2, "Non-Super User Access to Oracle Directory Services Manager," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, states that if you log in as a user other than the super user, you can access only the Home and Data Browser tabs. Actually, you can access the Schema tab as well.
Two errors have been noted in Appendix P, "Starting and Stopping the Oracle Stack."
In Step 2 of P.1 "Starting the Stack,"
MW_HOME/user_projects/domains/DOMAIN_NAME/bin/startManagedWebLogic.sh
should be
MW_HOME/user_projects/domains/DOMAIN_NAME/bin/startWebLogic.sh
In Step 3 of P.1 "Starting the Stack,"
MW_HOME/user_projects/domains/DOMAIN_NAME/bin/startNodeManager.sh
should be
MW_HOME/wlserver_10.3/server/startNodeManager.sh
In Chapter 10, "Managing IP Addresses," the opmnctl updatecomponentregistration command is missing the -Sport option. Both -Port and -Sport are required for this command.
You must update the registration of an Oracle Internet Directory component in a registered Oracle instance by running opmnctl updatecomponentregistration whenever you change any of the following instance parameters:
Table 26-1 Attribute Changes Requiring Update of Component Registration
| Attribute | Section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory |
|---|---|
| | "Attributes of the Instance-Specific Configuration Entry" in Chapter 9 |
| | "Attributes of the Instance-Specific Configuration Entry" in Chapter 9 |
| | "Attributes of the Instance-Specific Configuration Entry" in Chapter 9 |
| | "Changing the Password for the EMD Administrator Account" in Chapter 12 |
In versions of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory released in January 2011 or earlier, there are several statements to the effect that you do not need to run opmnctl updatecomponentregistration if you use Oracle Enterprise Manager Fusion Middleware Control or WLST to change the parameter. This is not true. You must always run the command after changing any of these parameters. The syntax is:
ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration -adminHost hostname -adminPort weblogic_port -adminUsername weblogic_admin -componentType OID -componentName compName -Port non-sslport -Sport sslport
For more information, see:
"Updating the Component Registration of an Oracle Instance by Using opmnctl" in the "Managing Oracle Internet Directory Instances" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
In versions of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory prior to January 2011, the LDIF file shown in the "Enabling Referential Integrity by Using the Command Line" section in the "Configuring Referential Integrity" chapter is incorrect. The file should look like this:
dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
changetype: modify
replace: orclRIenabled
orclRIenabled: 2
In the "Syntax for remtool," "Arguments to remtool," and "Syntax for remtool -pthput" sections of the remtool reference in Chapter 4 of Oracle Fusion Middleware Reference for Oracle Identity Management, the -interval time_in_seconds option should be enclosed in brackets ([]) because it is optional.
The sample output in the section "Listing DRG Information at Intervals" is missing the line:
Interval for refreshing stats is X seconds
Step 4 of Section 26.2.1, "Creating a Wallet by Using Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory implies that selecting Auto Login is optional. Actually, selecting Auto Login is required for all Oracle Internet Directory wallets.
Section 15.4, "Modifying Attributes of a Large Number of Entries By Using bulkmodify," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Section 3.3, "bulkmodify," in Oracle Fusion Middleware Reference for Oracle Identity Management both contain incomplete lists of bulkmodify limitations. The limitations are as follows:
The bulkmodify tool does not allow add or replace operations on the following attributes:
dn (use ldapmoddn instead)
cn (use ldapmodify instead)
userpassword (use ldapmodify instead)
orclpassword (use ldapmodify instead)
orclentrylevelaci (use ldapmodify instead)
orclaci (use ldapmodify instead)
orclcertificatehash
orclcertificatematch
any binary attribute
any operational attribute
It does not allow the replace operation on the attribute objectclass.
It does not allow add for single-valued attributes.
Both Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Oracle Fusion Middleware Reference for Oracle Identity Management refer to the attribute orclpwdmaxinactivity. The actual name of the attribute is orclpwdmaxinactivitytime.
In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information. Specifically, the instructions do not work unless the new consumer node is empty. For more information, see Section 39.1.7, "Rules for Configuring LDAP-Based Replication," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.