Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for Linux x86
B19312-04

18 Oracle Delegated Administration Services

This chapter describes issues for both Oracle Delegated Administration Services (DAS) and the Oracle Internet Directory Self-Service Console. It includes the following topics:

  Section 18.1, "General Issues and Workarounds"
  Section 18.2, "Administration Issues and Workarounds"

18.1 General Issues and Workarounds

This section describes general issues and their workarounds for Oracle Delegated Administration Services. It includes the following topics:

  Section 18.1.1, "Realm Values Cannot Be Edited with Oracle Delegated Administration Services Configuration Privileges in Releases 9.0.2, 9.0.4, and 10.1.2"
  Section 18.1.2, "Roles with No Members Are Not Displayed in the Role Assignment Section of Create/Edit User"
  Section 18.1.3, "Resetting Oracle Application Server Single Sign-On Passwords Redirects Users to Oracle Delegated Administration Services Home Page"
  Section 18.1.4, "Exception Thrown in One-Level Realm Scenarios"
  Section 18.1.5, "Upgrading Oracle Application Server to 10g Release 2 (10.1.2) May Overwrite Custom Ordering of User Attribute Categories in Oracle Delegated Administration Services"

18.1.1 Realm Values Cannot Be Edited with Oracle Delegated Administration Services Configuration Privileges in Releases 9.0.2, 9.0.4, and 10.1.2

In Releases 9.0.2 and 9.0.4, and in Release 10.1.2 after an upgrade, only the orcladmin user can edit realm values. Other users, even those with Oracle Delegated Administration Services configuration privileges, cannot edit them, because they do not have sufficient privileges to read the User Search Base, User Creation Base, Group Search Base, and Group Creation Base. The workaround is to modify the ACLs on these containers and enable anonymous browse access.

18.1.2 Roles with No Members Are Not Displayed in the Role Assignment Section of Create/Edit User

A role must contain at least one unique member before it is displayed in the Role Assignment section of the Create User page and the Edit User page.

To add a unique member to a role, create an LDIF file with the following content:

dn: DN_of_role_entry
changetype: modify
add: uniquemember
uniquemember: DN_of_member_entry

Issue this command to load the file into the directory:

ldapmodify -p oid_port -h oid_host -D "cn=orcladmin" -w admin_password -v -f file_name.ldif 

18.1.3 Resetting Oracle Application Server Single Sign-On Passwords Redirects Users to Oracle Delegated Administration Services Home Page

Various applications, including OracleAS Portal, use Oracle Delegated Administration Services to reset Oracle Application Server Single Sign-On passwords. Users can reset their own passwords by clicking a link in the source application, which opens the Reset My Single Sign-On Password page in the Oracle Internet Directory Self-Service Console. However, when users click the OK button after resetting their passwords, or click the Cancel button to end the password change process, they are redirected to the Oracle Delegated Administration Services home page instead of to the referring application page.

To redirect users to a location other than the Oracle Delegated Administration Services home page, append a query string containing the correct return URLs to the link on the referring application page. Include in the query string two name=value pairs for the doneURL and the cancelURL attributes. The doneURL attribute identifies the redirect URL to call when users click the OK button and the cancelURL attribute identifies the redirect URL to call when users click the Cancel button. The following example demonstrates how to build a URL to the Change Application Password page that includes the doneURL and the cancelURL attributes:

http://host:port/oiddas/ui/oracle/ldap/DASStep1ResetPwd?
cancelURL=http://www.domain.com&doneURL=http://www.domain.com 
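The following POSIX shell script is an added example, not part of the release notes, showing how a referring application can build such a link. It percent-encodes the two return URLs so that characters such as ?, & and = inside them do not break the outer query string, and it accepts only absolute http(s) URLs as return targets, since the referring application rather than the end user should decide where the console sends the user afterwards. The host, port and URLs are placeholders.

```shell
#!/bin/sh
# Added example (not from the release notes): build the Oracle Internet
# Directory Self-Service Console reset-password link with cancelURL and
# doneURL supplied as percent-encoded query-string values.
# Host, port and all URLs below are placeholders.

# Percent-encode everything except RFC 3986 unreserved characters
# (ASCII input assumed) so the return URLs survive as query values.
urlencode() {
  _in=$1
  _out=""
  while [ -n "$_in" ]; do
    _c=${_in%"${_in#?}"}          # first character of the remaining input
    _in=${_in#?}                  # drop it from the input
    case $_c in
      [A-Za-z0-9.~_-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# Accept only absolute http(s) URLs as redirect targets.
is_http_url() {
  case $1 in
    http://?*|https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the DASStep1ResetPwd link.
# $1 = DAS host:port, $2 = doneURL (OK button), $3 = cancelURL (Cancel button)
reset_pwd_link() {
  is_http_url "$2" && is_http_url "$3" || {
    echo "return URLs must be absolute http(s) URLs" >&2
    return 1
  }
  printf 'http://%s/oiddas/ui/oracle/ldap/DASStep1ResetPwd?cancelURL=%s&doneURL=%s\n' \
    "$1" "$(urlencode "$3")" "$(urlencode "$2")"
}

# Stand-alone demonstration with placeholder values.
reset_pwd_link "oid.example.com:7777" \
  "https://portal.example.com/done?x=1&y=2" \
  "https://portal.example.com/cancel"
```

The encoded values are what the console decodes back into the redirect targets; without encoding, the ? and & inside the done URL in the demonstration would be read as delimiters of the outer query string.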

18.1.4 Exception Thrown in One-Level Realm Scenarios

You can create a one-level realm in Oracle Internet Directory where the realm DN is the root DSE (DSA-Specific Entry). With a one-level realm, the root DSE becomes the subscriber search base in Oracle Internet Directory. Oracle Application Server Single Sign-On and Oracle Delegated Administration Services function correctly in one-level realm scenarios. However, when Oracle Delegated Administration Services attempts to retrieve a user's resource access descriptor (RAD), a NullPointerException is thrown from oracle.ldap.util.User.getExtendedProperties(). This exception is also thrown for Oracle Application Server Forms and Reports Services when integrated with one-level Oracle Internet Directory realms, or if you call the oracle.ldap.util.User.getExtendedProperties() method from a custom application.

This problem will be fixed in a future patch release.

18.1.5 Upgrading Oracle Application Server to 10g Release 2 (10.1.2) May Overwrite Custom Ordering of User Attribute Categories in Oracle Delegated Administration Services

Upgrading Oracle Application Server to 10g Release 2 (10.1.2) may overwrite any customized ordering of user attribute categories that you have configured for Oracle Delegated Administration Services. If this occurs, you must use the Configure Attribute Categories window in the Oracle Internet Directory Self-Service Console to reorder your category list following the upgrade process.

To reorder your category list with the Configure Attribute Categories window, see the "Configuring User Entries" topic in Chapter 5, "Managing Users and Groups with the Oracle Internet Directory Self-Service Console" of the Oracle Identity Management Guide to Delegated Administration.

18.2 Administration Issues and Workarounds

This section describes administration issues and their workarounds for Oracle Delegated Administration Services. It includes the following topics:

  Section 18.2.1, "Enforcing Assignment and Revocation of Privileges Requires Starting a New Self-Service Console Session"
  Section 18.2.2, "Unified Messaging Voicemail PIN Field Mislabeled in Oracle Internet Directory Self-Service Console"
  Section 18.2.3, "Unlocking Privileged User Accounts"
  Section 18.2.4, "Create/Edit User Windows in Oracle Internet Directory Self-Service Console Display Two Time Zone Fields"

18.2.1 Enforcing Assignment and Revocation of Privileges Requires Starting a New Self-Service Console Session

Assignment of roles to users and groups, and revocation of those roles, are enforced only when a new Self-Service Console session is started. After assigning or revoking roles, log out of the Console, then log back in.

18.2.2 Unified Messaging Voicemail PIN Field Mislabeled in Oracle Internet Directory Self-Service Console

When Oracle Collaboration Suite users use the Self-Service Console to change their passwords, the field for their voicemail PIN is incorrectly labeled 'EmailServerContainer'. To correct the label:

  1. Use Oracle Directory Manager to navigate to the entry with the following DN: cn=orclpwdverifierconfig,cn=EMailServerContainer,cn=Products,cn=OracleContext,realm_DN

  2. Select the entry.

  3. Select All for View Properties.

  4. In the displayname text box, enter Voicemail PIN.

  5. Choose Apply.

18.2.3 Unlocking Privileged User Accounts

Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated.

The first type of privileged user, the super user with the DN cn=orcladmin, is represented as a special user entry found within the default identity management realm. It enables directory administrators to make any modifications to the DIT and any changes to the configuration of Oracle Internet Directory servers. If the super user (orcladmin) account is locked—for example, as a result of too many attempts to bind with an incorrect password—then an administrator with DBA privileges to the Oracle Internet Directory repository can unlock it by using the oidpasswd tool. To unlock the orcladmin account execute the command:

oidpasswd unlock_su_acct=TRUE 

The second privileged user is realm-specific. This user governs capabilities such as creation and deletion of users and groups within a realm and all the functionality related to Oracle Delegated Administration Services. This account is represented by an entry with the DN cn=orcladmin,cn=users,realm_DN. Note that, in contrast to the single super user account, each realm has its own realm-specific privileged user. To unlock the realm-specific privileged account, the administrator modifies the realm-specific privileged user's account password by using Oracle Directory Manager.

18.2.4 Create/Edit User Windows in Oracle Internet Directory Self-Service Console Display Two Time Zone Fields

On some distributed installations of Oracle Internet Directory, the Oracle Internet Directory Self-Service Console displays two time zone fields in the Create User and Edit User windows. To remove the duplicate field:

  1. Launch Oracle Directory Manager and log in as orcladmin.

  2. In the navigator pane, expand Oracle Internet Directory Servers, then directory server instance, then Entry Management.

  3. Expand the following DN in the subtree beneath Entry Management: realm_DN, cn=OracleContext, cn=Products, cn=DAS, cn=Attribute Configuration, cn=User Configuration, cn=categories, cn=Basic Info.

  4. Select cn=Basic Info beneath the cn=categories node.

  5. In the Properties tab page, locate the orcldasattrname attribute and remove the orcltimezone;;;7 value.

  6. Click Apply.

  7. Restart Oracle Delegated Administration Services and log in to the Oracle Internet Directory Self-Service Console.

  8. Select the Configuration tab, then select User Entry.

  9. Click Refresh Page.
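The directory changes in Sections 18.1.2, 18.2.2 and 18.2.4 can also be scripted instead of being made by hand in Oracle Directory Manager. The following POSIX shell script is an added example and not part of the release notes: each function emits the LDIF for one of those changes, and apply_ldif loads it with ldapmodify in the same way as the command in Section 18.1.2. The DNs, host, port and password are placeholders for your own values; the LDIF form of the two Oracle Directory Manager procedures is inferred from the entries, attributes and values those procedures name. The remaining steps of Section 18.2.4 (restarting Oracle Delegated Administration Services and refreshing the User Entry configuration page) still apply after the LDIF is loaded.

```shell
#!/bin/sh
# Added example (not from the release notes): generate and apply the LDIF
# for the directory changes described in Sections 18.1.2, 18.2.2 and 18.2.4.
# Every DN, host, port and password used here is a placeholder.

# Emit one single-attribute LDIF modify record, terminated by "-" and a
# blank line so several records can be concatenated into one file.
# $1 = target DN, $2 = add|replace|delete, $3 = attribute, $4 = value
ldif_modify() {
  printf 'dn: %s\nchangetype: modify\n%s: %s\n%s: %s\n-\n\n' "$1" "$2" "$3" "$3" "$4"
}

# Section 18.1.2: give a role a unique member so that it appears in the
# Role Assignment section of the Create User and Edit User pages.
# $1 = role DN, $2 = member DN
add_role_member() {
  ldif_modify "$1" add uniquemember "$2"
}

# Section 18.2.2: relabel the voicemail PIN verifier entry.
# $1 = realm DN
fix_voicemail_pin_label() {
  ldif_modify "cn=orclpwdverifierconfig,cn=EMailServerContainer,cn=Products,cn=OracleContext,$1" \
    replace displayname "Voicemail PIN"
}

# Section 18.2.4: remove the duplicate time zone field from the Basic Info
# attribute category (DAS must be restarted afterwards, as the steps say).
# $1 = realm DN
fix_duplicate_timezone() {
  ldif_modify "cn=Basic Info,cn=categories,cn=User Configuration,cn=Attribute Configuration,cn=DAS,cn=Products,cn=OracleContext,$1" \
    delete orcldasattrname "orcltimezone;;;7"
}

# Load LDIF read on stdin with ldapmodify, using the same options as the
# command in Section 18.1.2. $1 = OID host, $2 = OID port, $3 = orcladmin password
apply_ldif() {
  _tmp=$(mktemp) || return 1
  cat > "$_tmp"
  ldapmodify -h "$1" -p "$2" -D "cn=orcladmin" -w "$3" -v -f "$_tmp"
  _rc=$?
  rm -f "$_tmp"
  return $_rc
}

# Stand-alone demonstration: print the LDIF for placeholder DNs.
add_role_member "cn=MyRole,cn=Groups,dc=example,dc=com" "cn=jdoe,cn=Users,dc=example,dc=com"
fix_voicemail_pin_label "dc=example,dc=com"
fix_duplicate_timezone "dc=example,dc=com"

# To apply against a live directory, pipe the records into apply_ldif, e.g.:
#   { add_role_member "$ROLE_DN" "$MEMBER_DN"; fix_duplicate_timezone "$REALM_DN"; } |
#     apply_ldif oid_host oid_port "$ORCLADMIN_PW"
```

Review the printed LDIF before piping it into apply_ldif; because each record is a separate modify operation, a rejected record (for example a role DN that does not exist) leaves the others unaffected.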