Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for Microsoft Windows (32-Bit) Part Number E10132-04
This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 28.1.2, "Creating Attribute Uniqueness Constraint Fails if Attribute Name is Not Lowercase"
Section 28.1.3, "Replication Server in New Oracle Internet Directory Instance Fails to Start"
Section 28.1.4, "Replication Wizard Generates Errors After You Click Refresh"
Section 28.1.5, "Do Not Delete Primary Node From the Replicas Page of the Replication Wizard"
Section 28.1.7, "On Windows, Change SSL Port to No-Auth Before Upgrade"
Section 28.1.8, "ODSM Does Not Warn You if You Remove an Equality Matching Rule"
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
As a workaround, go to the URL http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
When you specify an attribute name for which you want to enforce value uniqueness, the operation fails if the attribute name contains uppercase letters. This occurs whether you use ODSM or the LDAP tools. You might see a message from the server indicating that the attribute is not indexed, even though it actually is indexed.
As a workaround, always use lowercase names when specifying an attribute for which you want to enforce value uniqueness.
If you create a new Oracle Internet Directory instance that uses the same Oracle Database as an existing instance, then try to start the replication server on the new instance, the replication server fails to start. The reason is that the replication server's wallet contains an invalid password. You must change the wallet password using remtool. Proceed as follows:
1. Connect to the host where the new instance is installed.
2. Set the ORACLE_HOME and ORACLE_INSTANCE environment variables.
3. Execute:
remtool -pchgwalpwd -bind newinstance_host:port/replication_dn_pwd
where replication_dn_pwd is, by default, the same as the ODS schema password.
4. Start the replication server.
While you are using the replication wizard in Oracle Enterprise Manager Fusion Middleware Control, you might encounter errors after clicking Refresh. To resolve these errors, log out of the wizard and log back in again.
While you are setting up multimaster replication by using the replication wizard in Oracle Enterprise Manager Fusion Middleware Control, the default information about the primary node appears as the first entry on the Replicas page. Due to a bug, the wizard allows you to delete this entry. Do not do so! Deleting the primary node might cause inconsistent results on the subsequent wizard pages.
The replicaid value of a replica subentry has the form OIDhost_DBSID, where DBSID is the SID of the Oracle Database used by Oracle Internet Directory. Because of a bug, when the SID portion of the replicaid value contains uppercase characters, Oracle Enterprise Manager Fusion Middleware Control does not display replication information properly. Specifically, replication agreements do not appear on the Oracle Internet Directory home page and the Replication tab of the Shared Parameters page is greyed out, even though replication agreements exist.
As a workaround, use only lowercase characters in the SID. If you have already created the database with uppercase letters in the SID, you must change the DN of the replica subentry so that the characters in the SID portion of the replicaid are all lowercase. The command syntax is:
ldapmoddn -h OIDhost -p OIDport -b "orclreplicaid=OIDhost_oldDBSID,cn=replication configuration" -R "orclreplicaid=OIDhost_newDBSID" -r
For example, the following command changes the SID portion of the replicaid value in the replica subentry DN from DB456 to db456:
ldapmoddn -h Linux123 -p 3060 \
  -b "orclreplicaid=Linux123_DB456,cn=replication configuration" \
  -R "orclreplicaid=Linux123_db456" -r
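The following helper, added here as an example and not part of Oracle's tooling, derives the corrected replica subentry DN and the matching ldapmoddn invocation from an existing DN. It assumes the DN has the form orclreplicaid=OIDhost_DBSID,... described above and that the SID is the part after the last underscore; only the SID is lowercased, the host portion keeps its case, and no command is produced when nothing needs to change.

```python
import re

# Constructed sample DN using the page's example values (Linux123, DB456);
# not taken from a real deployment.
SAMPLE_DN = "orclreplicaid=Linux123_DB456,cn=replication configuration"

# Assumption: the SID is everything after the last underscore in the RDN value.
RDN_RE = re.compile(
    r"^orclreplicaid=(?P<host>[^,]+)_(?P<sid>[^,_]+),(?P<parent>.+)$",
    re.IGNORECASE,
)


def lowercase_sid(dn):
    """Return (new_dn, changed); only the SID portion of the replicaid is lowercased.

    The host portion is left untouched, matching the workaround in the note.
    Raises ValueError when the DN is not a replica subentry of the expected form.
    """
    m = RDN_RE.match(dn)
    if not m:
        raise ValueError("unexpected replica subentry DN: %r" % dn)
    host, sid, parent = m.group("host"), m.group("sid"), m.group("parent")
    new_sid = sid.lower()
    new_dn = "orclreplicaid=%s_%s,%s" % (host, new_sid, parent)
    return new_dn, new_sid != sid


def ldapmoddn_command(dn, oid_host, oid_port):
    """Build the ldapmoddn argument list from the note, or None if the SID is already lowercase."""
    new_dn, changed = lowercase_sid(dn)
    if not changed:
        return None
    new_rdn = new_dn.split(",", 1)[0]
    return ["ldapmoddn", "-h", oid_host, "-p", str(oid_port), "-b", dn, "-R", new_rdn, "-r"]


if __name__ == "__main__":
    cmd = ldapmoddn_command(SAMPLE_DN, "Linux123", 3060)
    print(" ".join(cmd) if cmd else "SID already lowercase; nothing to do")
```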
On Windows, if Oracle Internet Directory's SSL port is configured for SSL Server Authentication Mode in 10g, you must change it to SSL No Authentication Mode prior to the upgrade to 11g Release 1 (11.1.1). If Oracle Directory Integration Platform is connected to Oracle Internet Directory's SSL port using SSL Server Authentication Mode, you must also reconfigure Oracle Directory Integration Platform to connect to Oracle Internet Directory using SSL No Authentication Mode prior to the upgrade to 11g Release 1 (11.1.1). For more information, see Oracle Internet Directory Administrator's Guide and Oracle Identity Management Integration Guide in the 10g (10.1.4.0.1) documentation library.
After the upgrade, reconfigure both Oracle Internet Directory and Oracle Directory Integration Platform for SSL Server Authentication Mode using wallets. For more information, see Chapter 25, "Configuring Secure Sockets Layer (SSL)" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Chapter 4, "Managing the Oracle Directory Integration Platform" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management in the 11g Release 1 (11.1.1) library.
These changes are not required on Linux or UNIX-based operating systems.
You cannot search for an attribute unless that attribute is indexed. You cannot index an attribute unless it has an equality matching rule. Due to a bug, however, ODSM does not warn you if you remove an equality matching rule from an attribute. Avoid doing so if you need to index that attribute.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 28.2.1, "Server Chaining Entry for eDirectory is Missing"
Section 28.2.2, "After Upgrade, Instance-Specific orclmaxldapconns Attribute is Missing"
Section 28.2.3, "After Upgrade, Enabling Referential Integrity Might Require Additional Steps"
Oracle Internet Directory server chaining supports the following external servers:
Microsoft Active Directory
Sun Java System Directory Server, formerly known as SunONE iPlanet
Novell eDirectory
As shipped in 11g Release 1 (11.1.1), the container cn=OID Server Chaining,cn=subconfigsubentry has no entry for eDirectory. You must create cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry in order to configure server chaining for eDirectory. For detailed information about creating this entry, see Note 821214.1.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.
When you upgrade Oracle Internet Directory to 11g Release 1 (11.1.1) from an earlier version, the attribute orclmaxldapconns is missing from the instance-specific configuration entry. Because of the missing attribute, the maximum number of concurrent connections per server process is always equal to the default value of 1024. You cannot update this value or list it in searches.
The workaround is to create the attribute orclmaxldapconns in the schema, then set the value in the desired instance-specific configuration entry. Proceed as follows:
1. Create an LDIF file with the following content:
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.1.1.611 NAME 'orclmaxldapconns' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
2. Execute the following command:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
3. Set the orclmaxldapconns value in the desired instance-specific configuration entry. For example, to set orclmaxldapconns to 2000 in the component oid1, create an LDIF file with the following content:
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclmaxldapconns
orclmaxldapconns: 2000
Then execute the ldapmodify command as shown in Step 2.
This issue occurs only in upgraded directories and not in fresh installations.
In the "Configuring Referential Integrity" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, you are instructed to use oiddiag to identify violations in the DIT and correct them if you get an error when attempting to enable referential integrity. Sometimes, however, oiddiag reports that the DIT contains duplicate entries, but the LDAP tools do not list the duplicates. In that case, you cannot use LDAP tools to rectify the problem. If you encounter this situation, you must use SQL*Plus to delete the entry. Proceed as follows:
1. Stop all currently running Oracle Internet Directory instances connected to the same Oracle Database.
$ORACLE_INSTANCE/bin/opmnctl stopall
2. Execute the following SQL*Plus commands to clean up the duplicate DNs.
$ sqlplus /nolog
SQL> connect / as sysdba
SQL> delete from ct_orclnormdn where attrvalue like '%cn=osdldapd,cn=subregistrysubentry';
SQL> commit;
3. Restart Oracle Internet Directory on all instances connected to the same Oracle Database.
$ORACLE_INSTANCE/bin/opmnctl startall
After completing these steps, you should be able to enable referential integrity by using Oracle Enterprise Manager Fusion Middleware Control, as described in the "Configuring Referential Integrity" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
This section describes documentation errata. It includes the following topics:
Section 28.3.1, "Incorrect Command for Retrieving ODSM'S Java Keystore Password"
Section 28.3.2, "Missing Documentation for Updating a Trusted Certificate Upon Its Expiration"
Section 28.3.3, "Incorrect Attribute for Hashing Algorithm Specification"
Section 28.3.7, "Wrong Label for orclmaxconnincache on Server Properties Page, Performance Tab"
Section 28.3.8, "Incorrect Default Value Listed for orclsizelimit"
Section 28.3.9, "Not All Dynamic Groups are Included in Group Query Result"
Section 28.3.10, "Only Oracle Database 11.1.0.7 Requires Patches for Database Vault"
Section 28.3.11, "Function Return Codes for DBMS_LDAP_UTL Functions are Incorrect"
Section 28.3.12, "Indexing an Existing Attribute by Using ODSM: Documentation is Inconsistent"
In Appendix O, "Oracle Directory Services Manager Keystore Management," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the command for retrieving ODSM's Java Keystore Password is incorrect. The correct command sequence is as follows:
$ORACLE_HOME/common/bin/wlst.sh
connect()
listCred( map="ODSMMap", key="ODSMKey.Wallet" )
After the connect() command, you will be prompted for your WebLogic username and password, and for the server URL. An example server URL is t3://stadd54:7001.
Appendix O, "Oracle Directory Services Manager Keystore Management," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory should have included information about certificate expiration.
To list the valid dates for the certificate, list its contents as described in Appendix O, "Oracle Directory Services Manager Keystore Management," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
When the certificate has expired, delete it as described in Appendix O.
For general information about certificate expiration, see Chapter 7 of Oracle Fusion Middleware Administrator's Guide. Note, however, that ODSM does not provide a web based user interface for managing its keystore. You must manage ODSM's keystore by using keytool.
In Chapter 29 of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the section entitled "Userpassword Verifiers and Authentication to the Directory" contains the following sentence:
The directory server hashes this password by using the hashing algorithm specified in the DSE attribute userpassword.
This is incorrect. It should say:
The directory server hashes this password by using the hashing algorithm specified in the DSE attribute orclcryptoscheme.
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, you are instructed to update the registration of an Oracle Internet Directory component in a registered Oracle instance whenever you change orclhostname, orclnonsslport, orclnonsslport, or userpassword. This content is found in the section of Chapter 8 entitled "Updating the Component Registration of an Oracle Instance by Using opmnctl," in Table 9-1, and in other places in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
This should be modified to say that when you update one of these attributes by using ldapmodify or ODSM, you must restart the server and update the registration. When you update one of these attributes using Oracle Enterprise Manager Fusion Middleware Control, however, you must restart the server but you need not refresh the registration. Fusion Middleware Control updates the registration of the component for you.
In Appendix P, "Stopping and Starting the Oracle Stack," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the command lines shown for the commands stopManagedWebLogic.sh and startManagedWebLogic.sh are incomplete.
The complete command line to stop WebLogic managed components is:
MW_HOME/user_projects/domains/DOMAIN_NAME/bin/stopManagedWebLogic.sh \
  {SERVER_NAME} {ADMIN_URL} {USER_NAME} {PASSWORD}
The complete command line to start WebLogic managed components is:
MW_HOME/user_projects/domains/DOMAIN_NAME/bin/startManagedWebLogic.sh \
  SERVER_NAME {ADMIN_URL}
When executing these scripts:
The default value for DOMAIN_NAME is IDMDomain.
SERVER_NAME represents the name of the Oracle WebLogic Managed Server. Its default value is wls_ods1.
You will be prompted for values for USER_NAME and PASSWORD if you do not provide them as options when you execute the script.
The value for ADMIN_URL will be inherited if you do not provide it as an option when you execute the script.
There are errors in the section of Chapter 8 entitled "Updating the Component Registration of an Oracle Instance by Using opmnctl" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
In Table 8-1, there are two rows with the attribute orclnonsslport. One of these should be orclsslport.
In the command syntax and example for opmnctl updatecomponentregistration, the option -port should be -Port.
The Oracle Enterprise Manager Fusion Middleware Control field associated with orclmaxconnincache is listed as "Size of privilege group membership cache (user)" in Chapter 33, Tuning and Sizing Oracle Internet Directory, in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It is actually "Number of users in privilege group membership cache."
The default value for the instance-specific configuration entry attribute orclsizelimit in 11g Release 1 (11.1.1) is 10000. The value is listed incorrectly as 1000 in several places in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, including:
Chapter 33, Tuning and Sizing
Chapter 40, Managing and Monitoring Replication
Table Q–1, Standard Error Messages
It is also listed incorrectly in Chapter 4, Oracle Internet Directory Replication Management Tools, in Oracle Fusion Middleware User Reference for Oracle Identity Management.
In the introduction to the "Managing Dynamic and Static Groups" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, there is a note indicating that when you query for the groups that a user belongs to, dynamic groups are automatically included in the result. Actually, only labeleduri-based dynamic groups are automatically included in the result. Dynamic groups based on the CONNECT_BY assertion have to be explicitly queried.
In the Database Vault section of the "Configuring Data Privacy" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, you are instructed to download and install patches for Bug 7244497 and Bug 7291157. You only need to do this for Oracle Database 11.1.0.7. The bugs have been fixed in later versions of Oracle Database.
In Table 11-61, Function Return Codes, in Chapter 11 of Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management, some of the codes are incorrect and some are missing. The following codes should be removed:
Table 28-1 Function Return Codes

| Name | Return Code | Description |
|---|---|---|
| ACCT_TOTALLY_LOCKED_EXCEPTION | -14 | Returned by |
| AUTH_PASSWD_CHANGE_WARN | -15 | This return code is deprecated. |
The following codes should be added:
Table 28-2 Function Return Codes

| Name | Return Code | Description |
|---|---|---|
| ACCT_TOTALLY_LOCKED_EXCEPTION | 9001 | Returned by |
| PWD_EXPIRED_EXCEPTION | 9000 | Returned by |
| PWD_EXPIRE_WARN | 9002 | Returned by |
| PWD_MINLENGTH_ERROR | 9003 | Returned by |
| PWD_NUMERIC_ERROR | 9004 | Returned by |
| PWD_NULL_ERROR | 9005 | Returned by |
| PWD_INHISTORY_ERROR | 9006 | Returned by |
| PWD_ILLEGALVALUE_ERROR | 9007 | Returned by |
| PWD_GRACELOGIN_WARN | 9008 | Returned by |
| PWD_MUSTCHANGE_ERROR | 9009 | Returned by |
| USER_ACCT_DISABLED_ERROR | 9050 | Returned by |
In the introductory section of Chapter 19, Managing Directory Schema, it is stated that you can use Oracle Directory Services Manager to index an attribute only at the time when you create it, and that you cannot use Oracle Directory Services Manager to index an already existing attribute.
Later in the chapter, the section "Adding an Index to an Existing Attribute by Using Oracle Directory Services Manager" appears to contradict the introductory section.
Actually, both of those sections should be clarified to indicate that you can use ODSM to add an index to an attribute that exists but has not been used yet.