Oracle® Application Server Release Notes
10g (10.1.4.0.1) for HP-UX PA-RISC (64-Bit)

Part Number B32098-02

9 Oracle Internet Directory

This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:

9.1 General Issues and Workarounds

This section describes general issues and their workarounds. It includes the following topics:

9.1.1 Perform Full Database Backup After Administrative Changes to Oracle Internet Directory

If you use standard database backup and restore procedures, such as those performed by the Oracle Application Server Backup and Recovery Tool, you must perform a full database backup after any of the following administrative tasks:

  • Using the bulkload bulk management tool

  • Using the catalog bulk management tool

  • Installing Oracle Internet Directory

  • Upgrading Oracle Internet Directory to a major release version or patchset

  • Installing an LDAP application against Oracle Internet Directory, such as Oracle Collaboration Suite, that modifies the cn=catalogs entry to add orclindexedattribute

If you do not perform a full backup after using the bulkload bulk management tool, you might encounter unrecoverable errors when performing a restore. The bulkload utility performs a direct path load, which does not generate redo logs. If you do not perform a full backup after performing a bulkload, and later perform a restore that attempts to apply archived redo logs, you might encounter errors that cannot be fixed.

If you do not perform a full backup after any of the other four tasks, you might encounter recoverable errors when performing a restore. Performing any of those tasks might create indexes with the NOLOGGING option, which means that redo logs are not created for the index. If you do not perform a full backup after one of these operations, and later perform a restore that attempts to apply archived redo logs, you might see errors upon restart of Oracle Internet Directory. Specifically, you would see ORA-1578 and ORA-2640 errors in oidmon.log or oidldapd*.log. In this case, shut down Oracle Internet Directory and recreate all Oracle Internet Directory database indexes by typing:

bulkload connect="conn_str" index="TRUE"

9.1.2 Comment Out ACL Attributes Not Defined in the Schema

With the 10g (10.1.4.0.1) release, Oracle Internet Directory introduces a new restriction for Access Control Lists (orclaci and orclentrylevelaci attributes). Specifically, you cannot specify attribute names that are not defined in the directory schema. As a result, when you add or migrate entries from previous Oracle Internet Directory releases, the load operation fails if any entries have ACLs with attribute names that are not defined in the directory schema.

To avoid this problem, in the LDIF file, comment out any ACLs that have undefined attributes.

For example, the following 10g Release 2 (10.1.2) entry uses undefined attributes that are identified with bold text:

orclaci: access to attr=(orclUserApplnProvStatus,orclUserApplnProvStatusDesc,
 orclUserProvFailureCount) by group="cn=oracledasedituser,cn=groups,
 cn=OracleContext,dc=us,dc=oracle,dc=com" (read,search,write,compare) by
 group="cn=oracledascreateuser,cn=groups,cn=OracleContext,dc=us,dc=oracle,
 dc=com" (read,search,write,compare) by self (read,search,nowrite,compare)
 by * (none)

To avoid this problem, comment out the entry as follows before loading or verifying the LDIF file.

# orclaci: access to attr=(orclUserApplnProvStatus,orclUserApplnProvStatusDesc,
# orclUserProvFailureCount) by group="cn=oracledasedituser,cn=groups,
# cn=OracleContext,dc=us,dc=oracle,dc=com" (read,search,write,compare) by
# group="cn=oracledascreateuser,cn=groups,cn=OracleContext,dc=us,dc=oracle,
# dc=com" (read,search,write,compare) by self (read,search,nowrite,compare)
# by * (none)
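
A pre-load check for this workaround, as an added example that is not part of the Oracle release notes: it unfolds each orclaci and orclentrylevelaci value in an LDIF file, comments out those whose attr=(...) list names an attribute missing from a supplied schema set, and returns a report of every disabled rule so that the access policy it expressed can be reviewed and restored after the load. The function name, the sample LDIF and the schema set are constructed for illustration, and only the attr=(...) and attr!=(...) target forms are parsed.

```python
import re

ACI_ATTRS = {"orclaci", "orclentrylevelaci"}
# Matches the attr=(a,b,...) and attr!=(a,b,...) target lists of an ACI value.
ATTR_LIST = re.compile(r"\battr\s*!?=\s*\(([^)]*)\)", re.I)

def comment_out_undefined_acis(ldif_text, schema_attrs):
    """Return (new_ldif, report); report rows are (dn, undefined_names, aci)."""
    known = {a.lower() for a in schema_attrs} | {"*"}
    # Group physical lines into logical lines: a continuation starts with a space.
    groups = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and groups:
            groups[-1].append(line)
        else:
            groups.append([line])
    out, report, dn = [], [], None
    for group in groups:
        logical = group[0] + "".join(part[1:] for part in group[1:])
        name, _, value = logical.partition(":")
        name, value = name.lower(), value.strip()
        if name == "dn":
            dn = value
        undefined = []
        if name in ACI_ATTRS:  # base64 values ("orclaci:: ...") are not decoded
            for match in ATTR_LIST.finditer(value):
                undefined += [a.strip() for a in match.group(1).split(",")
                              if a.strip().lower() not in known]
        if undefined:
            report.append((dn, undefined, value))
            out += ["# " + part.lstrip() for part in group]
        else:
            out += group
    return "\n".join(out) + "\n", report

# Constructed sample; the schema set is assumed to be gathered before the load.
SAMPLE_SCHEMA = {"cn", "objectclass", "userpassword"}
SAMPLE_LDIF = """\
dn: cn=users,dc=example,dc=com
objectclass: top
orclaci: access to attr=(orclUserApplnProvStatus,
 orclUserProvFailureCount) by self (read,search,nowrite,compare) by * (none)
orclaci: access to attr=(userpassword) by self (read,write) by * (none)
"""

if __name__ == "__main__":
    new_ldif, report = comment_out_undefined_acis(SAMPLE_LDIF, SAMPLE_SCHEMA)
    print(new_ldif, report, sep="\n")
```

Keep the report with the migration records: each row is an access rule that the loaded directory will not enforce until the rule is re-added.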

9.1.3 Specify DN of the DIT When Dumping Directory Entries for an Advanced Replication Agreement

When you add a new directory to a directory replication group, you copy entries from an existing directory to the new directory using the ldifwrite and bulkload tools.

Normally, the easiest way to do this is to specify a replication agreement DN as the basedn argument to ldifwrite. This causes the ldifwrite tool to dump all entries that are replicated by the specified replication agreement. Then you can load the entries to another replicated directory using the bulkload tool.

In release 10g (10.1.4.0.1), this functionality does not work when the replication agreement DN is orclagreementid=000001,cn=replication configuration, which is the DN of an Advanced replication agreement. The workaround is to explicitly specify the DN of the DIT that you want to copy as the base DN argument to ldifwrite.

9.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

9.2.1 Set Language Before Using bulkload

If your server locale is not English, set NLS_LANG to AMERICAN_AMERICA.AL32UTF8 before running bulkload.

9.3 Documentation Errata

This section describes documentation errata. It includes the following topics:

9.3.1 Bad Links in Online Help Pages

The document links from the Related Documents help pages for Identity Management Grid Control Plug-in and Oracle Internet Directory Server Manageability are broken. Please navigate to the documents from http://www.oracle.com/technology/documentation.

9.3.2 Missing Line Break in sqlplus Command

The following command line appears in the HTML version of Appendix I of Oracle Internet Directory Administrator's Guide, Section I.6.2, "Tasks To Be Performed on the New Advanced Replication Node," Step 18:

$> sqlplus  rep_admin_db_account_name/password@db_conn_str_of_new_nodeSQL> exec dbms_repcat.drop_master_repgroup( gname => 'LDAP_REP' ) 

There should be a line break before SQL>. That is, the command should be:

$> sqlplus  rep_admin_db_account_name/password@db_conn_str_of_new_node
SQL> exec dbms_repcat.drop_master_repgroup( gname => 'LDAP_REP' ) 

9.3.3 Errors in oracle.ldap.util.Subscriber.createUser() Documentation

There are errors in the description of the oracle.ldap.util.Subscriber.createUser() method, in both the Oracle Internet Directory API Reference and the chapter entitled "Using the Java API Extensions to JNDI" in the Oracle Identity Management Application Developer's Guide.

  • In the description of createUser() in the Oracle Internet Directory API Reference, all instances of the term useMandatoryAttr should be changed to useMandatoryObjectclasses.

    The following sentence in the Oracle Internet Directory API Reference is incorrect:

    "Objectclasses are automatically picked up and do not need to be included in ModPropertySet."

    You must include objectclasses in ModPropertySet when useMandatoryObjectclasses is set to false.

  • The code sample in the Oracle Internet Directory API Reference contains the line:

    User newUser = sub.createUser( ctx, mps, false );

    The line should be changed to:

    User newUser = sub.createUser( ctx, mps, true );

    Otherwise, the code will throw an exception due to the missing objectclass attribute.

  • Similarly, in the chapter entitled "Using the Java API Extensions to JNDI" in the Oracle Identity Management Application Developer's Guide, the line:

    User newUser = sub.createUser( ctx, mps );

    should be changed to:

    User newUser = sub.createUser( ctx, mps, true );

9.3.4 Missing Example: How to Decode a Mime-Encoded Header Set by mod_osso

If the user name or other HTTP header is multibyte and set by mod_osso, then that header must be decoded using mime decoding. The chapter entitled "Developing Applications for Single Sign-On" in the Oracle Identity Management Application Developer's Guide should contain a Java example showing how to do this.

The following code fragment shows how to decode a mime-encoded multibyte user name obtained from a servlet request object:

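import javax.mail.internet.MimeUtility;
...
// The user name set by mod_osso arrives mime-encoded when it is multibyte.
String mimeUserName = request.getRemoteUser();
// decodeText() throws java.io.UnsupportedEncodingException for an unknown charset.
String userName = MimeUtility.decodeText(mimeUserName);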

9.3.5 Error in Identity Management Grid Control Plug-in Context-Sensitive Help

The Directory Server User Statistics Help page contains the following sentence: "You can add a monitored user to the table by using Oracle Directory Monitor or by using the command line." It should say Oracle Directory Manager instead of Oracle Directory Monitor.

9.3.6 Missing Note: The labeledURI Attribute host:port is for Syntax Purposes Only

The following note should be added to the section entitled "Schema Elements for Creating a Dynamic Group" in the Dynamic Groups chapter of Oracle Internet Directory Administrator's Guide:


Note:

In the labeledURI attribute, the host:port section is present for syntax purposes alone. Irrespective of the host and port settings in the labeledURI attribute, the directory server always computes members of a dynamic group from the local directory server. It cannot retrieve members from other directory servers.

9.3.7 Missing Example: Listing All the Attributes in the Directory by Using ldapsearch

This example should be added to the "Directory Entries Administration" chapter in Oracle Internet Directory Administrator's Guide.

Use the following command line to list all the attributes, including those that do not have values:

ldapsearch -b "cn=subschemasubentry" -s base "objectclass=*"  

9.3.8 Incorrect Environment Variables in Plug-in Debugging Examples

In the "PL/SQL Server Plug-ins" chapter in Oracle Identity Management Application Developer's Guide and the "Oracle Internet Directory Plug-In for Password Policies" chapter in Oracle Internet Directory Administrator's Guide, all pathnames beginning with $ORACLE/ should actually begin with $ORACLE_HOME/.

9.3.9 Figure Errors in Replication Concepts Chapter

The chapter entitled "Oracle Internet Directory Replication Concepts" in Oracle Internet Directory Administrator's Guide contains the following errors:

  • In Figure 29-10, the direction of the arrow labeled 4' should be reversed. Also, four of the numbers in the figure should be changed as shown in Table 9-1.

Table 9-1 Numbers to Change in Figure 29-12

    Incorrect Number    Correct Number
    7                   6
    6                   6'
    7                   7'
    7'                  8


  • In the text for Figure 29-12, the sentence beginning with "When Node 4 fails, you can fail over Node 4" should be changed to "When Node 2 fails, you can fail over Node 4."

  • In the text for Figure 29-14, the excluded subtree, described as cn=user1,cn=hr,c=us, should be cn=users,cn=hr,c=us.