1. Release Notes for Oracle Identity Management
  2. Oracle Internet Directory

6 Oracle Internet Directory

This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:

Topics

6.1 Oracle Internet Directory System Requirements and Specifications

You must read through the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the products you are installing.

Important Considerations for OID 14.1.2.1.0 Installation:

The following guidelines apply only to the standalone OID 14.1.2.1.0 upgrade installation scenario.

  • Upgrade OID Installation:

    Apply the one-off UA patch (search for Bug ID 37465410 at https://support.oracle.com) manually using OPatch to the OID 14.1.2.1.0 ORACLE_HOME before performing UA READINESS for a standalone OID domain.

The following guidelines apply only to collocated 14.1.2.1.0 OID installations and does not apply to standalone OID 14.1.2.1.0 installations.

  • Fresh OID Installation:
    • Apply the one-off ADF patch (search for Bug ID 37376076 at https://support.oracle.com) manually using OPatch to the OID 14.1.2.1.0 ORACLE_HOME after installation and before domain creation.
  • Upgrade OID Installation:
    • Apply the one-off ADF patch (search for Bug ID 37376076 at https://support.oracle.com) manually using OPatch to the OID 14.1.2.1.0 ORACLE_HOME before performing the reconfiguration step.
    • Apply the one-off EM patch (search for Bug ID 37476292 at https://support.oracle.com) manually using OPatch to the OID 14.1.2.1.0 ORACLE_HOME before performing the reconfiguration step.

6.2 General Oracle Internet Directory Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

6.2.1 (Bug 25875893) ODS Schema details not getting auto-filled using Schemas Option

Issue

When you are upgrading from 11g Release 1(11.1.1.9.0) in the Upgrade Assistant, if you select All Schemas Used By a Domain option, the schema details are not auto-populated in ODS Schemas screen.

Workaround

As a workaround, user has to manually provide ODS schema details such as Database Type, string etc.

6.2.2 (Bug 25814730) OID12cPS3: Startup fails because low system shared memory on Solaris

Issue

OID server startup fails on Solaris platforms due to low system shared memory.

Workaround

To fix this issue, you need to increase shared memory on Solaris system platform when DB is collocated. If you are installing only OID, then you need 1.5GB shared memory.

For example, as a root user, if you increase project.max-shm-memory to 12GB(from 8 GB), the OID instance is brought up. 

prctl -n project.max-shm-memory -v 12gb -r -i project default
$ prctl -n project.max-shm-memory $$
process: 7423: bash 

NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
project.max-locked-memory
        privileged      12.0GB      -   deny                          -
        system          16.0EB    max   deny                          -

6.2.3 (Bug 26564247)PS3 OID: Help link on ODSM URL does not work

Issue

When you login to ODSM and click on Help, help pages are not accessible.

Workaround

Though the help is not accessible via ODSM help, we can access the pages through OID document library. See Overview of Oracle Directory Service Manager

6.2.4 (Bug 19898973)Substring Filter Not Supported for Collective Attributes

Issue

Oracle Internet Directory does not provide support for substring filter for collective attributes. For instance, the following substring filter is not supported:

tenantguid=*234*

Workaround

However, the equality filter for instance, tenantguid=12345 is supported for collective attributes.

6.2.5 (Bug 14079791) Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time

Issue

If you perform ldapsearch on rootDSE to fetch the lastchangenumber attribute along with other attributes, then lastchangenumber is not retrieved.

For instance, when you run the following command then lastchangenumber attribute is not retrieved: 

ldapsearch -p port -D "cn=orcladmin" -w password -b "" -s base "objectclass=*"
changelog lastchangenumber

Workaround

The workaround for this problem is to perform ldapsearch on rootDSE only for lastchangenumber attribute as follows: 

ldapsearch -p <port> -h <hostname> -b ' ' -s base '(objectclass=*)' lastchangenumber

lastchangenumber=4714

6.2.6 (Bug 17348090) Search with Filter Containing AND Operation of Collective Attributes Not Supported

Issue

When the search filter contains only collective attribute expressions, and an AND (&) operation is performed, then the server does not return expected results.

For example, if you run the following commands having collective attributes only, then if you run an AND operation, the server fails to return the desired result.

ldapsearch -b 'cn=u1,cn=collandbug' '&(description=coll1 desc) 
(description=coll2 desc)' dn

Workaround

There is no workaround for this issue.

6.2.7 (Bug 18196425) ODSM Adds Fake Entries to the Chained Container and Displays Duplicate Entries During Export

Issue

In ODSM, when you set up server chaining with Oracle Directory Server Enterprise Edition (ODSEE) as the backend the following issues emerge:

  • If you create an entry through ODSM, then ODSM pretends to add the entry to the remote server through chaining. However, the entry does not get added on the remote server, ODSEE.

  • If you add the preceding entry directly to the remote backend, and navigate to the parent entry through the Data Explorer tab, and then export to LDIF the same entry, you will see duplicate entries.

Workaround

There is no workaround for this issue.

6.2.8 (Bug 18695967) ODSM Does Not Create Entry of Custom objectclass With Custom Mandatory Field

Issue

On the Schema tab, create a custom attribute and a custom objectclass, and also select custom attribute as indexed. Now, on the Data Browser tab if you create an entry of objectclass="custom object class" then it does not allow you to enter the mandatory value in the custom attribute field.

Workaround

There is no workaround for this issue.

6.2.9 (Bug 16964666) Cloned Oracle Internet Directory Instance Fails or Runs Slowly

Issue

In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.

This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.

The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.

For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:

  • Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)

  • Deploying Enterprise Manager agents in different Oracle Virtual Machines

Workaround

To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:

  1. Set the required environment variables. For example:
    export ORACLE_INSTANCE=/u01/oid/oid_inst
export ORACLE_HOME=/u01/oid/oid_home
export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$PATH
export TNS_ADMIN=$ORACLE_INSTANCE/config
  2. Connect to the Oracle Database and delete the entries with the undesired Oracle Internet Directory host names. For example, in the following queries, substitute the undesired host name for sourceHostname:
    sqlplus ods@oiddb
delete from ods_shm where nodename like '%sourceHostname%';
delete from ods_shm_key where nodename like '%sourceHostname%';
delete from ods_guardian where nodename like '%sourceHostname%';
delete from ods_process_status where hostname like '%sourceHostname%';
commit;
  3. Stop and then restart the cloned Oracle Internet Directory component. For example:
    opmnctl stopproc ias-component=oid1
opmnctl startproc ias-component=oid1
  4. Find the cn entries with the undesired Oracle Internet Directory host names. For example:
    ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
"cn=subregistrysubentry" -s sub "objectclass=*" dn
cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
  5. From the results in the previous step, remove the entries with the undesired host names. For example:
    ldapdelete h oid_host -p oid_port -D cn=orcladmin -w admin_password
"cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry"
ldapdelete h oid_host -p oid_port -D cn=orcladmin -w admin_password
"cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry"
  6. Verify that the undesired host names are removed. For example:
    ldapsearch h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
"cn=subregistrysubentry" -s sub "objectclass=*" dn
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry

See Also:

"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.

6.2.10 (Bug 16498988) Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM

Issue

Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM): 5.11 11.1 sun4v sparc sun4v

Workaround

As a workaround for this problem, set the following values, as shown in the next procedure:

  • Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.

  • Set the orclecachemaxsize attribute to less than the project.max-locked-memory and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.

In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":

  1. Log in to the Solaris SPARC system as the root user.

  2. Check the project membership of the OID user.

    If the OID user belongs to the default project:

    1. Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:

      # id -p oracle
uid=2345(oracle) gid=529(dba) projid=3(default)
# projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
# usermod -K project=oidmaxlkmem oracle

    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example: 

      # su - oracle

$ id -p oracle
uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)

$ prctl -n project.max-locked-memory -i project 150
project: 150: oidmaxlkmem
NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny                             -
        system          16.0EB    max   deny                             -

    If the OID user belongs to a non-default project:

    1. Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example: 

      # id -p oracle
uid=2345(oracle) gid=529(dba) projid=125(oraproj)

# projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj

    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example: 

      # projects -l oraproj
oraproj
        projid : 125
        comment: ""
        users  : (none)
        groups : (none)
        attribs: project.max-locked-memory=(priv,2147483648,deny)
                 project.max-shm-memory=(priv,34359738368,deny)

# su - oracle
$ id -p
uid=2345(oracle) gid=529(dba) projid=125(oraproj)

$ prctl -n project.max-locked-memory -i project 125
project: 125: oraproj
NAME    PRIVILEGE       VALUE    FLAG   ACTION  RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny    -
        system          16.0EB    max   deny    -

  3. Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.

    For example, using SQL*Plus, set the value to 256 MB:

    sqlplus ods@oiddb
update ds_attrstore set attrval='256m'
  where entryid=940 and attrname='orclecachemaxsize';
commit;

  4. Run the config.sh script to configure Oracle Internet Directory.

6.2.11 ODSM Browser Window Becomes Unusable

Issue

Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.

Workaround

As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.

6.2.12 (Bug 8464130)Turkish Dotted I Character is Not Handled Correctly

Issue

Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in ODSM and in command-line utilities.

Workaround

There is no workaround for this issue.

6.2.13 (Bug 10383377) SQL of OPSS ldapsearch Might Take High CPU%

Issue

The SQL of an OPSS one level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take unreasonably high percentage DB CPU.

Workaround

If this search performance impacts the overall performance of the machine and other processes, you can resolve the issue by performing the following steps in the Oracle Database:

  1. Log in to the Oracle Database as user ODS and execute the following SQL:
    BEGIN
DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS',
                              TABNAME=>'CT_ORCLJAZNPRINCIPAL',
                              ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE,
                              CASCADE=>TRUE);
END;
/
  2. Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.

6.2.14 Unable to set up OID replication in Oracle Enterprise Manager

Issue

The wizard for setting up replication is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Administration menu.

Workaround

You can use the command line tools for setting up LDAP-based replication. See Command-line Tools to Setup and Modify Replication in Administering Oracle Internet Directory.

6.2.15 Unable to estimate OID tuning and sizing needs in Oracle Enterprise Manager

Issue

The wizard for estimating sizing and tuning needs is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Administration menu.

Workaround

For recommendations on sizing and tuning Oracle Internet Directory, see Tuning and Sizing Oracle Internet Directory in Administering Oracle Internet Directory.

6.2.16 Unable to manage wallet for OID in Oracle Enterprise Manager

Issue

The wallet option is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Security menu.

Workaround

You can use the orapki tool or the keystore service to create a wallet, see Wallet Management and Keystore Management in Administering Oracle Fusion Middleware.

6.2.17 In IBM AIX, OID Schema Load May Fail While Running the RCU Tool

Issue

Impacted Platforms: IBM AIX

After successful installation of Oracle Internet Directory 12c on AIX operating system, the OID schema load using the RCU tool fails with the following error:

Error initializing SQLPlusEngine:
java.io.IOException: java.io.IOException: java.io.IOException: java.io.IOException: java.io.IOException: 
java.io.IOException: java.io.IOException: java.io.IOException: java.io.IOException: java.io.IOException: 
java.io.IOException: java.io.IOException: Error initializing sqlplus.
at oracle.sysman.assistants.common.dbutil.sqlplus.SQLPlusEngine.setDefaultEngineSettings(SQLPlusEngine.java:2144)
at oracle.sysman.assistants.common.dbutil.sqlplus.SQLPlusEngine.initialize(SQLPlusEngine.java:352)
at oracle.sysman.assistants.rcu.backend.action.SQLPlusAction.perform(SQLPlusAction.java:214)
at oracle.sysman.assistants.rcu.backend.task.AbstractCompTask.execute(AbstractCompTask.java:255)
at oracle.sysman.assistants.rcu.backend.task.ActualTask.run(TaskRunner.java:346)
at java.lang.Thread.run(Thread.java:785)

Oracle Internet Directory 12c is bundled with IBM AIX Database client 12.1.0.2.0 version. The issue is related to the IOCP API symbols dependency in IBM AIX Database 12.1.0.2 client library. Enable the IOCP module in the machine where OID server is installed to resolve this issue.

Workaround

On IBM AIX in IBM POWER Systems (64-Bit), enable I/O completion ports (IOCP) before initiating the install process. To enable IOCP ports, set the status of the IOCP port to Available.

To check if the IOCP module is enabled, run the lsdev command: 

$ lsdev | grep iocp

By default, IOCP is set to Defined, and hence not enabled. The following sample output shows the IOCP status is set to Defined: 

iocp0      Defined       I/O Completion Ports

To enable IOCP, set the IOCP status to Available using the following procedure:

  1. Log in as root and run the following command: 

    # smitty iocp

  2. Select Change / Show Characteristics of I/O Completion Ports.

  3. Change the configured state at system restart from Defined to Available.

  4. Run the lsdev command to confirm the IOCP status is set to Available: 

    $ lsdev | grep iocp 
iocp0      Available       I/O Completion Ports

  5. Perform a system restart to make the changes permanent.

6.3 Oracle Internet Directory Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

6.3.1 Warning When Creating a Remote Oracle Internet Directory Instance

Issue

When you create an Oracle Internet Directory instance targeted to a remote node, on first machine, the following warning is displayed in the Administration Server logs:

 <Warning> <Management> <BEA-141296> <Unable  to contact Node Manager on "oidhost2". 
Activation for system component "oid2"  is deferred until "oidhost2" becomes available.  
java.lang.RuntimeException: Node Manager is not available on machine oidhost2 

Workaround

This warning can be ignored.

6.4 Documentation Errata

This section describes documentation errata. It includes the following topics:

6.4.1 Replication Instructions in Tutorial for Identity Management are Incomplete

In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Setting up Oracle Internet Directory Replication, is missing important information.

Specifically, the instructions do not work unless the new consumer node is empty. If the new consumer node has pre-loaded data, then various conflict resolution and invalid attribute name format messages will appear in the replication logs.

For more information, see Rules for Configuring LDAP-Based Replication in the Oracle Fusion Middleware Administering Oracle Internet Directory.