10g (9.0.4) for Linux x86
Part Number B12261-03
 Home |
 Contents |
| Oracle® Application Server 10g Release Notes 10g (9.0.4) for Linux x86 Part Number B12261-03 |
|
This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
This section describes general issues and their workarounds for Oracle Internet Directory. It includes the following topics:
OID Monitor needs information in the database to handle shutdown gracefully.
In a high availability scenario, OID Monitor does not automatically shut down if the database fails. Instead, OID Monitor tries to connect to the database repeatedly so that, when the database starts, OID Monitor can restart the Oracle Internet Directory server instances.
Consequently, OID Monitor cannot be shutdown gracefully if the database is not available. The user must force kill the OID Monitor process by using the appropriate mechanism on the given operating system.
If the database is down for a long time, then OID Monitor cannot restart the other Oracle Internet Directory server instance when the database is restarted. The user must force kill the OID Monitor process and restart it after the database is restarted.
Two separate instances are not required as in previous versions of Oracle Internet Directory.
If loading fails when using bulkload.sh in bulk mode, then you can restore the directory to its original shape by using the following option:
bulkload.sh -connect connect_string -recover
However, when you do this, none of the indexes are created. To recreate indexes, use:
bulkload.sh -connect connect_string -index.
In Oracle Application Server 10g (9.0.4), the following plug-in features are not supported in the directory server running against Oracle9i Database Server Release 9.2:
simple_bind_s() function of LDAP_PLUGIN package provided as the OID PL/SQL PLUGIN API for connecting back to the directory server as part of plug-in definitions
If the ref (referral) attribute is set to a non-empty value in the root DSE entry, then any modification to the root DSE entry is attempted on the directory server referred to in this attribute. To make modifications to the root DSE entry on the original server where the ref attribute has a non-empty value, the managedDSA control should be passed. To pass the control, use the -M option of ldapmodify.
If bulkload.sh operations are interrupted, then the directory administrator can restore the directory to its original state by using the new -recover flag. If the directory is non-empty, then any indexes must be re-created after a rollback. To re-create indexes, use:
bulkload.sh ... -index
This section describes configuration issues and their workarounds for Oracle Internet Directory. It includes the following topics:
Oracle9i Application Server Release 9.0.2 included the Oracle directory server along with infrastructure components Oracle Delegated Administration Services, Oracle Directory Integration Platform, and Oracle9iAS Single Sign-On. These components are certified to work with an upgraded or newly-installed Oracle Application Server 10g release of Oracle Internet Directory.
If you are upgrading to Oracle Application Server 10g in a distributed environment where some of these Oracle9iAS components have been installed on dedicated hardware nodes, then you can minimize service disruption by following these steps:
For those who cannot upgrade the infrastructure first, Oracle Application Server 10g middle-tier components are certified to run against the 9.0.2 infrastructure. However, Oracle does not support running Oracle Application Server 10g infrastructure components--namely, Oracle Delegated Administration Services, Oracle Directory Integration and Provisioning, and OracleAS Single Sign-On--against the 9.0.2 Oracle directory server.
When upgrading Oracle Internet Directory from Release 9.0.2 to Release 9.0.4, the following ACL policy needs to be set on the groups container in the realm. The ACL policy should allow members of the group cn=Common Group Attributes,cn=groups,Oracle_Context_DN browse, search, and read access for private and public groups--that is, for groups where orclIsVisible is either not set or is set to TRUE or FALSE. This ACL is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section "Default Privileges for Reading Common Group Attributes".
The "Common Group Attributes" group is used by OracleAS Portal to query private and public groups. The ACI must to be added on the groups container. Change the Realm DN to the DN of the Realm and the DN of groups container in the realm to the appropriate group search base.
dn: DN of groups container in the realm changetype: modify add: orclaci orclaci: access to entry filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (browse) orclaci: access to attr=(*) filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (search, read)
orclaci: access to entry filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (browse) orclaci: access to attr=(*) filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (search, read)
If the commonUserSearchBase attribute value in the Product Common entry of the Root Oracle Context overlaps with the values for the same attribute in the Realm Oracle Context, then duplicate authpassword verifiers are generated for users in those realms. Hence, the commonUserSearchBase attribute in the Common Product entry (cn=common,cn=products,cn=OracleContext) should not be populated.
During Oracle Internet Directory installation, the Oracle Installer suggests a default value for the default identity management realm. You can choose either this default value or a customized one. However, choosing a DN immediately under the root--that is, a one-level DN--causes problems in the OracleAS Single Sign-On configuration.
If you are configuring partial replication from specific naming contexts in an Oracle Internet Directory node to fan-out replication nodes, then do not change the names of these naming context entries in the source node.
After configuring partial replication from specific naming contexts in an Oracle Internet Directory node to other fan-out replication nodes, you can configure OracleAS Single Sign-On independently against any or all of these nodes. To deploy OracleAS Single Sign-On against a replication node, follow these steps:
$ORACLE_HOME/bin/ldapsearch -h replica host -p port -D cn=orcladmin
-w super user password -b "cn=oraclecontext" -s one "objectclass=orcldbserver" dn
This returns a list of DNs of all the databases registered in Oracle Internet Directory in the form of cn=short database name,cn=oraclecontext. Find the one that corresponds to the underlying database of the replica node.
$ORACLE_HOME/bin/ldapsearch -h replica host -p port -D cn=orcladmin
-w super user password -b "" -s base "objectclass=*" orclreplicaid
repid.ldif as follows:
dn: orclreplicaid=ReplicaID from Step 2, cn=replication configuration changetype: modify replace: seeAlso seeAlso: DB registration DN from Step 1
repid.ldif to the replica host:
$ORACLE_HOME/bin/ldapmodify -h replica host -p port -D cn=orcladmin
-w super user password -v -f repid.ldif
During installation of Oracle Application Server or third-party products, you are prompted for an Oracle Internet Directory or LDAP port. To find the specific port number assigned to Oracle Internet Directory at installation, see the file $ORACLE_HOME/install/portlist.ini f.
The default port for enabling LDAP at Oracle Internet Directory installation time is 389. The Oracle Installer always tries that port as its first choice. However, on many Unix machines, /etc/services includes a line for LDAP reserving port 389. With that line there, the Installer opts instead for a port number between 3060 to 3129, inclusive.
To confirm the port at which Oracle Internet Directory is running, simply run the ldapbind command-line tool, supplying either the host name and port number specified in the portlist.ini file or an alternative port specified during the Oracle Internet Directory installation.
Oracle Internet Directory 10g (9.0.4) enables prompting of users to change their passwords after initial login. Users must change their passwords by using the Oracle Internet Directory Self-Service Console Password Change screen. Using other mechanisms may not satisfy the password change requirement, and users may be prompted to change their password the next time they log in as well.
Partial replication enables you to exclude certain attributes from replication. You do this by adding those attributes to the excludedAttributes attribute of the cn=NamingContext entry. However, if you exclude required attributes, then replication fails.
Attributes that cannot be excluded are specified in the Oracle Internet Directory Administrator's Guide. These can include attributes not considered mandatory for user-defined object class definitions. For example, even if cn is an optional attribute for one or more user-defined object class definitions, it still cannot be excluded from partial replication.
Adding access control information for each type of directory access to the root DSE of each DIT ensures that attempts to access directory data resolve appropriately. Appropriate resolution involves either granting or denying access to the requested resource. Without such top-level policies, attempts to access resources stored in Oracle Internet Directory can result in an "Unresolved" ACI determination as documented in Chapter 14 of the Oracle Internet Directory Administrator's Guide. When an ACI determination is "Unresolved", Oracle Internet Directory grants access to the requested resource.
This section describes administration issues and their workarounds for Oracle Internet Directory. It includes the following topics:
Partial replication does not support changing the root entry of a naming context by using ldapmoddn.
Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated.
The first type of privileged user, the super user with the DN cn=orcladmin, is represented as a special user entry found within the default identity management realm. It enables directory administrators to make any modifications to the DIT and any changes to the configuration of Oracle Internet Directory servers. If the super user (orcladmin) account is locked--for example, as a result of too many attempts to bind with an incorrect password--then an administrator with DBA privileges to the Oracle Internet Directory repository can unlock it by using the oidpasswd tool. To unlock the orcladmin account execute the command:
oidpasswd unlock_su_acct=TRUE
The second privileged user, a realm-specific privileged user, governs capabilities such as creation and deletion of users and groups within a realm and all the functionality related to Oracle Delegated Administration Services. This account is represented by an entry with the DN cn=orcladmin,cn=users,realm DN. Note that, in contrast to the single super user account, each realm has its own realm-specific privileged user. To unlock the realm-specific privileged account, the administrator modifies the account password by using Oracle Directory Manager.
If the primary node running either the directory replication server (oidrepld), or the directory integration and provisioning server (odisrv), or both, fails, then the OID Monitor on the secondary node starts these processes on the secondary node after five minutes. However, when the primary node is restarted, these servers are not automatically restarted on the primary node.
Normal shutdown is not treated as a failover. If all the processes are stopped normally, then the OID Monitor running on the secondary node does not start these processes on the secondary node after five minutes. Moreover, as in the case of a failure, when the primary node is restarted, these servers are not automatically restarted on the primary node.
The Oracle Internet Directory servers--that is, the directory server, the directory replication server, and the directory integration and provisioning server daemons--can be started only by the operating system user who installed the Oracle Internet Directory software.
To change the ODS database user password, you must use the oidpasswd tool. If you change the ODS database user password by any other means, then Oracle Internet Directory instances fail to start.
If one or more Oracle directory servers are running only in SSL mode, then the Application Server Control does not display the port status information for those servers.
This section describes errors in the documentation for Oracle Internet Directory. It includes this topic:
At startup, the database reads database initialization parameters from spfile$ORACLE_SID.ora rather than from init$ORACLE_SID.ora--unless the user explicitly specifies the latter when starting the database. Thus, wherever the Oracle Internet Directory Administrator's Guide specifies database parameter changes, the subsequent database restart must specify explicitly the init$ORACLE_SID.ora file.
|
 Copyright © 2003 Oracle. All Rights Reserved. |
|