6 Oracle Internet Directory
6.1 Oracle Internet Directory System Requirements and Specifications
You must read through the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the products you are installing.
Important Considerations for OID 14.1.2.1.0 Installation:
The following guidelines apply only to the standalone OID 14.1.2.1.0 upgrade installation scenario.
- Upgrade OID Installation:
  Apply the one-off UA patch (search for Bug ID 37465410 at https://support.oracle.com) manually using OPatch to the OID 14.1.2.1.0 ORACLE_HOME before performing UA READINESS for a standalone OID domain.
The following guidelines apply only to collocated 14.1.2.1.0 OID installations and do not apply to standalone OID 14.1.2.1.0 installations.
- Fresh OID Installation:
  - Apply the one-off ADF patch (search for Bug ID 37376076 at https://support.oracle.com) manually using OPatch to the OID 14.1.2.1.0 ORACLE_HOME after installation and before domain creation.
- Upgrade OID Installation:
  - Apply the one-off ADF patch (search for Bug ID 37376076 at https://support.oracle.com) manually using OPatch to the OID 14.1.2.1.0 ORACLE_HOME before performing the reconfiguration step.
  - Apply the one-off EM patch (search for Bug ID 37476292 at https://support.oracle.com) manually using OPatch to the OID 14.1.2.1.0 ORACLE_HOME before performing the reconfiguration step.
6.2 General Oracle Internet Directory Issues and Workarounds
This section describes general issues and workarounds. It includes the following topics:
- (Bug 25875893) ODS Schema details not getting auto-filled using Schemas Option
- (Bug 25814730) OID12cPS3: Startup fails because low system shared memory on Solaris
- (Bug 19898973) Substring Filter Not Supported for Collective Attributes
- (Bug 14079791) Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time
- (Bug 17348090) Search with Filter Containing AND Operation of Collective Attributes Not Supported
- (Bug 18695967) ODSM Does Not Create Entry of Custom objectclass With Custom Mandatory Field
- (Bug 16964666) Cloned Oracle Internet Directory Instance Fails or Runs Slowly
- (Bug 16498988) Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM
- (Bug 8464130) Turkish Dotted I Character is Not Handled Correctly
- Unable to set up OID replication in Oracle Enterprise Manager
- Unable to estimate OID tuning and sizing needs in Oracle Enterprise Manager
- Unable to manage wallet for OID in Oracle Enterprise Manager
- In IBM AIX, OID Schema Load May Fail While Running the RCU Tool
6.2.1 (Bug 25875893) ODS Schema details not getting auto-filled using Schemas Option
Issue
When you are upgrading from 11g Release 1 (11.1.1.9.0) in the Upgrade Assistant, if you select the All Schemas Used By a Domain option, the schema details are not auto-populated in the ODS Schemas screen.
Workaround
As a workaround, manually provide the ODS schema details, such as Database Type, string, etc.
6.2.2 (Bug 25814730) OID12cPS3: Startup fails because low system shared memory on Solaris
Issue
OID server startup fails on Solaris platforms due to low system shared memory.
Workaround
To fix this issue, increase the shared memory on the Solaris system when the DB is collocated. If you are installing only OID, then you need 1.5GB shared memory.
For example, as a root user, if you increase project.max-shm-memory to 12 GB (from 8 GB), the OID instance is brought up.
prctl -n project.max-shm-memory -v 12gb -r -i project default
$ prctl -n project.max-shm-memory $$
process: 7423: bash
NAME    PRIVILEGE       VALUE    FLAG   ACTION   RECIPIENT
project.max-locked-memory
        privileged      12.0GB      -   deny     -
        system          16.0EB    max   deny     -
6.2.3 (Bug 26564247) PS3 OID: Help link on ODSM URL does not work
Issue
When you log in to ODSM and click Help, the help pages are not accessible.
Workaround
Although the help is not accessible through the ODSM Help link, you can access the pages through the OID document library. See Overview of Oracle Directory Service Manager.
6.2.4 (Bug 19898973) Substring Filter Not Supported for Collective Attributes
Issue
Oracle Internet Directory does not provide support for substring filter for collective attributes. For instance, the following substring filter is not supported:
tenantguid=*234*
Workaround
However, the equality filter, for instance tenantguid=12345, is supported for collective attributes.
6.2.5 (Bug 14079791) Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time
Issue
If you perform ldapsearch on rootDSE to fetch the lastchangenumber attribute along with other attributes, then lastchangenumber is not retrieved.
For instance, when you run the following command, the lastchangenumber attribute is not retrieved:
ldapsearch -p port -D "cn=orcladmin" -w password -b "" -s base "objectclass=*" changelog lastchangenumber
Workaround
The workaround for this problem is to perform ldapsearch on rootDSE only for the lastchangenumber attribute, as follows:
ldapsearch -p <port> -h <hostname> -b ' ' -s base '(objectclass=*)' lastchangenumber
lastchangenumber=4714
6.2.6 (Bug 17348090) Search with Filter Containing AND Operation of Collective Attributes Not Supported
Issue
When the search filter contains only collective attribute expressions, and an AND (&) operation is performed, then the server does not return expected results.
For example, the following command uses a filter that contains only collective attributes combined with an AND operation, and the server fails to return the desired result:
ldapsearch -b 'cn=u1,cn=collandbug' '&(description=coll1 desc) (description=coll2 desc)' dn
Workaround
There is no workaround for this issue.
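The two collective-attribute limitations in 6.2.4 and 6.2.6 can be caught before a query reaches the server, which matters when a filter on an attribute such as tenantguid is relied on to scope results. The following is an added example, not Oracle code and not part of the original release note: it parses a filter written in full RFC 4515 form (outer parentheses, no spaces between items) and reports both unsupported shapes, generalized to nested filters. The COLLECTIVE set is an assumption built from the attribute names in the page's examples.

```python
import re

# Assumption: the directory's collective attributes. These two names are taken
# from the filters quoted in the release note; replace with the real list.
COLLECTIVE = {"tenantguid", "description"}

_ITEM = re.compile(r"\(\s*([A-Za-z][\w;.-]*)\s*(=|~=|>=|<=)([^()]*)\)")

def parse(flt, pos=0):
    """Parse an RFC 4515 filter. Returns (node, next_pos) where node is
    (op, [children]) for & | ! or ("item", attr, kind) for a leaf."""
    if flt[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    op = flt[pos + 1:pos + 2]
    if op in ("&", "|", "!"):
        pos, children = pos + 2, []
        while flt[pos:pos + 1] != ")":
            child, pos = parse(flt, pos)
            children.append(child)
        return (op, children), pos + 1
    m = _ITEM.match(flt, pos)
    if not m:
        raise ValueError(f"bad filter item at offset {pos}")
    attr, oper, value = m.group(1).lower(), m.group(2), m.group(3)
    if oper == "=" and value == "*":
        kind = "presence"
    elif oper == "=" and "*" in value:  # a literal asterisk is escaped as \2a
        kind = "substring"
    else:
        kind = "equality" if oper == "=" else oper
    return ("item", attr, kind), m.end()

def items(node):  # all leaf items below a node
    if node[0] == "item":
        return [node]
    return [leaf for child in node[1] for leaf in items(child)]

def lint(flt, collective=COLLECTIVE):
    """Return findings for filter shapes the release note lists as unsupported."""
    node, end = parse(flt.strip())
    if end != len(flt.strip()):
        raise ValueError("trailing text after filter")
    found = [f"substring filter on collective attribute {attr} (Bug 19898973)"
             for _, attr, kind in items(node)
             if kind == "substring" and attr in collective]
    stack = [node]
    while stack:
        n = stack.pop()
        if n[0] == "item":
            continue
        stack.extend(n[1])
        if n[0] == "&" and n[1] and all(a in collective for _, a, _ in items(n)):
            found.append("AND over collective attributes only (Bug 17348090)")
    return found
```

An empty list from lint() means neither documented shape was found; it does not assert that the server supports every other filter form.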
6.2.7 (Bug 18196425) ODSM Adds Fake Entries to the Chained Container and Displays Duplicate Entries During Export
Issue
In ODSM, when you set up server chaining with Oracle Directory Server Enterprise Edition (ODSEE) as the backend, the following issues emerge:
- If you create an entry through ODSM, then ODSM pretends to add the entry to the remote server through chaining. However, the entry does not get added on the remote server, ODSEE.
- If you add the preceding entry directly to the remote backend, navigate to the parent entry through the Data Explorer tab, and then export the same entry to LDIF, you will see duplicate entries.
Workaround
There is no workaround for this issue.
6.2.8 (Bug 18695967) ODSM Does Not Create Entry of Custom objectclass With Custom Mandatory Field
Issue
On the Schema tab, create a custom attribute and a custom objectclass, and also select the custom attribute as indexed. Now, on the Data Browser tab, if you create an entry of objectclass="custom object class", then it does not allow you to enter the mandatory value in the custom attribute field.
Workaround
There is no workaround for this issue.
6.2.9 (Bug 16964666) Cloned Oracle Internet Directory Instance Fails or Runs Slowly
Issue
In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.
This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.
The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.
For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:
- Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)
- Deploying Enterprise Manager agents in different Oracle Virtual Machines
Workaround
To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:
See Also:
"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
6.2.10 (Bug 16498988) Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM
Issue
Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM): 5.11 11.1 sun4v sparc sun4v
Workaround
As a workaround for this problem, set the following values, as shown in the next procedure:
- Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.
- Set the orclecachemaxsize attribute to less than the project.max-locked-memory and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.
In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":
- Log in to the Solaris SPARC system as the root user.
- Check the project membership of the OID user.
  If the OID user belongs to the default project:
  - Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:
    # id -p oracle
    uid=2345(oracle) gid=529(dba) projid=3(default)
    # projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
    # usermod -K project=oidmaxlkmem oracle
  - Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
    # su - oracle
    $ id -p oracle
    uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
    $ prctl -n project.max-locked-memory -i project 150
    project: 150: oidmaxlkmem
    NAME    PRIVILEGE       VALUE    FLAG   ACTION   RECIPIENT
    project.max-locked-memory
            privileged      2.00GB      -   deny     -
            system          16.0EB    max   deny     -
  If the OID user belongs to a non-default project:
  - Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:
    # id -p oracle
    uid=2345(oracle) gid=529(dba) projid=125(oraproj)
    # projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
  - Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
    # projects -l oraproj
    oraproj
            projid : 125
            comment: ""
            users  : (none)
            groups : (none)
            attribs: project.max-locked-memory=(priv,2147483648,deny)
                     project.max-shm-memory=(priv,34359738368,deny)
    # su - oracle
    $ id -p
    uid=2345(oracle) gid=529(dba) projid=125(oraproj)
    $ prctl -n project.max-locked-memory -i project 125
    project: 125: oraproj
    NAME    PRIVILEGE       VALUE    FLAG   ACTION   RECIPIENT
    project.max-locked-memory
            privileged      2.00GB      -   deny     -
            system          16.0EB    max   deny     -
- Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.
  For example, using SQL*Plus, set the value to 256 MB:
    sqlplus ods@oiddb
    update ds_attrstore set attrval='256m' where entryid=940 and attrname='orclecachemaxsize';
    commit;
- Run the config.sh script to configure Oracle Internet Directory.
6.2.11 ODSM Browser Window Becomes Unusable
Issue
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
Workaround
As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
6.2.12 (Bug 8464130) Turkish Dotted I Character is Not Handled Correctly
Issue
Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in ODSM and in command-line utilities.
Workaround
There is no workaround for this issue.
6.2.13 (Bug 10383377) SQL of OPSS ldapsearch Might Take High CPU%
Issue
The SQL of an OPSS one level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take an unreasonably high percentage of DB CPU.
Workaround
If this search performance impacts the overall performance of the machine and other processes, you can resolve the issue by performing the following steps in the Oracle Database:
6.2.14 Unable to set up OID replication in Oracle Enterprise Manager
Issue
The wizard for setting up replication is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Administration menu.
Workaround
You can use the command line tools for setting up LDAP-based replication. See Command-line Tools to Setup and Modify Replication in Administering Oracle Internet Directory.
6.2.15 Unable to estimate OID tuning and sizing needs in Oracle Enterprise Manager
Issue
The wizard for estimating sizing and tuning needs is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Administration menu.
Workaround
For recommendations on sizing and tuning Oracle Internet Directory, see Tuning and Sizing Oracle Internet Directory in Administering Oracle Internet Directory.
6.2.16 Unable to manage wallet for OID in Oracle Enterprise Manager
Issue
The wallet option is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Security menu.
Workaround
You can use the orapki tool or the keystore service to create a wallet. See Wallet Management and Keystore Management in Administering Oracle Fusion Middleware.
6.2.17 In IBM AIX, OID Schema Load May Fail While Running the RCU Tool
Issue
Impacted Platforms: IBM AIX
After successful installation of Oracle Internet Directory 12c on the AIX operating system, the OID schema load using the RCU tool fails with the following error:
Error initializing SQLPlusEngine:
java.io.IOException: java.io.IOException: java.io.IOException: java.io.IOException: java.io.IOException:
java.io.IOException: java.io.IOException: java.io.IOException: java.io.IOException: java.io.IOException:
java.io.IOException: java.io.IOException: Error initializing sqlplus.
at oracle.sysman.assistants.common.dbutil.sqlplus.SQLPlusEngine.setDefaultEngineSettings(SQLPlusEngine.java:2144)
at oracle.sysman.assistants.common.dbutil.sqlplus.SQLPlusEngine.initialize(SQLPlusEngine.java:352)
at oracle.sysman.assistants.rcu.backend.action.SQLPlusAction.perform(SQLPlusAction.java:214)
at oracle.sysman.assistants.rcu.backend.task.AbstractCompTask.execute(AbstractCompTask.java:255)
at oracle.sysman.assistants.rcu.backend.task.ActualTask.run(TaskRunner.java:346)
at java.lang.Thread.run(Thread.java:785)
Oracle Internet Directory 12c is bundled with IBM AIX Database client 12.1.0.2.0 version. The issue is related to the IOCP API symbols dependency in IBM AIX Database 12.1.0.2 client library. Enable the IOCP module in the machine where OID server is installed to resolve this issue.
Workaround
On IBM AIX in IBM POWER Systems (64-Bit), enable I/O completion ports (IOCP) before initiating the install process. To enable IOCP ports, set the status of the IOCP port to Available.
To check if the IOCP module is enabled, run the lsdev command:
$ lsdev | grep iocp
By default, IOCP is set to Defined, and hence not enabled. The following sample output shows the IOCP status is set to Defined:
iocp0 Defined I/O Completion Ports
To enable IOCP, set the IOCP status to Available using the following procedure:
- Log in as root and run the following command:
  # smitty iocp
- Select Change / Show Characteristics of I/O Completion Ports.
- Change the configured state at system restart from Defined to Available.
- Run the lsdev command to confirm the IOCP status is set to Available:
  $ lsdev | grep iocp
  iocp0 Available I/O Completion Ports
- Perform a system restart to make the changes permanent.
6.3 Oracle Internet Directory Configuration Issues and Workarounds
This section describes configuration issues and their workarounds. It includes the following topics:
6.3.1 Warning When Creating a Remote Oracle Internet Directory Instance
Issue
When you create an Oracle Internet Directory instance targeted to a remote node, the following warning is displayed in the Administration Server logs on the first machine:
<Warning> <Management> <BEA-141296> <Unable to contact Node Manager on "oidhost2".
Activation for system component "oid2" is deferred until "oidhost2" becomes available.
java.lang.RuntimeException: Node Manager is not available on machine oidhost2
Workaround
This warning can be ignored.
6.4 Documentation Errata
This section describes documentation errata. It includes the following topics:
6.4.1 Replication Instructions in Tutorial for Identity Management are Incomplete
In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, the section Setting up Oracle Internet Directory Replication is missing important information.
Specifically, the instructions do not work unless the new consumer node is empty. If the new consumer node has pre-loaded data, then various conflict resolution and invalid attribute name format messages will appear in the replication logs.
For more information, see Rules for Configuring LDAP-Based Replication in Oracle Fusion Middleware Administering Oracle Internet Directory.