Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for Solaris Operating System (SPARC) B14500-14
This chapter describes issues for both the Oracle Delegated Administration Services (DAS) and the Oracle Internet Directory Self-Service Console. It includes the following topics:
This section describes general issues and their workarounds for Oracle Delegated Administration Services. It includes the following topics:
In Releases 9.0.2, 9.0.4, and 10.1.2 upgrade installations, only the orcladmin user can edit realm values. Other users, even those with Oracle Delegated Administration Services configuration privileges, cannot edit them, because they do not have sufficient privileges to read the User Search Base, User Creation Base, Group Search Base, and Group Creation Base. The workaround is to modify the ACLs on these containers to enable anonymous browse access.
A role should contain at least one unique member, so that it is displayed in the Role Assignment section of the Create User page and the Edit User page.
To add a unique member to a role, use an LDIF file with the following syntax:

dn: DN_of_role_entry
changetype: modify
add: uniquemember
uniquemember: DN_of_member_entry

Issue this command to apply the file to the directory:

ldapmodify -p oid_port -h oid_host -D "cn=orcladmin" -w admin_password -v -f file_name.ldif
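As an added example (not from the release note), a small Python helper that generates this modify record for one or more members and applies the LDIF rules the one-line syntax glosses over: values that are not RFC 2849 safe strings (non-ASCII, a leading space, colon or '<', a trailing space) are base64-encoded, and lines over 76 characters are folded. The DNs used in the test are constructed placeholders.

```python
import base64


def ldif_attr_line(attr: str, value: str) -> str:
    """Render one 'attr: value' LDIF line. RFC 2849 requires base64 form
    ('attr:: b64') when the value is not a SAFE-STRING: a leading space,
    colon or '<', a trailing space, or any non-ASCII/control character."""
    safe = (
        value == ""
        or (
            value[0] not in " :<"
            and not value.endswith(" ")
            and all(32 <= ord(c) < 127 for c in value)
        )
    )
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def fold_ldif_line(line: str, width: int = 76) -> list:
    """Wrap a long line the LDIF way: each continuation line starts with one
    space, which the LDIF parser strips when it unfolds the record."""
    chunks = []
    while len(line) > width:
        chunks.append(line[:width])
        line = " " + line[width:]
    chunks.append(line)
    return chunks


def add_unique_members_ldif(role_dn: str, member_dns) -> str:
    """Build the 'changetype: modify / add: uniquemember' record from the
    release note for one role and one or more member DNs. The closing '-'
    is the RFC 2849 mod-spec terminator."""
    if not member_dns:
        raise ValueError("a role needs at least one member DN")
    lines = [ldif_attr_line("dn", role_dn),
             "changetype: modify",
             "add: uniquemember"]
    lines += [ldif_attr_line("uniquemember", dn) for dn in member_dns]
    lines.append("-")
    folded = []
    for line in lines:
        folded.extend(fold_ldif_line(line))
    return "\n".join(folded) + "\n"
```

Write the returned text to a file and pass it to the ldapmodify command above.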
Various applications, including OracleAS Portal, use Oracle Delegated Administration Services to reset Oracle Application Server Single Sign-On passwords. Users can reset their own passwords by clicking a link in the source application, which opens the Reset My Single Sign-On Password page in Oracle Internet Directory Self-Service Console. However, when users click the OK button after resetting their passwords, or if they click the Cancel button to abort the password change process, they are redirected to the Oracle Delegated Administration Services home page instead of to the referring application page.
To redirect users to a location other than the Oracle Delegated Administration Services home page, append a query string containing the correct return URLs to the link on the referring application page. Include in the query string two name=value pairs for the doneURL and cancelURL attributes. The doneURL attribute identifies the redirect URL to call when users click the OK button, and the cancelURL attribute identifies the redirect URL to call when users click the Cancel button. The following example demonstrates how to build a URL to the Change Application Password page that includes the doneURL and cancelURL attributes:

http://host:port/oiddas/ui/oracle/ldap/DASStep1ResetPwd?cancelURL=http://www.domain.com&doneURL=http://www.domain.com
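An added example, not part of the release note, showing how a referring application could build that link in Python. The return URLs are percent-encoded so that a return URL which itself carries a query string is not split into extra parameters, and each one is checked against an allow-list of hosts the application expects before it is used. The base URL, hosts and allow-list are assumed placeholders.

```python
from urllib.parse import urlencode, urlsplit

# Page path taken from the release note; the "http://host:port" base is a
# placeholder supplied by the caller.
DAS_RESET_PWD_PATH = "/oiddas/ui/oracle/ldap/DASStep1ResetPwd"


def check_return_url(name: str, url: str, allowed_hosts) -> None:
    """Accept only absolute http(s) URLs whose host is in the application's
    own allow-list, so the link can only send users back to expected pages."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"{name} must be an absolute http(s) URL: {url!r}")
    if parts.hostname.lower() not in allowed_hosts:
        raise ValueError(f"{name} host {parts.hostname!r} is not allowed")


def build_reset_password_link(das_base: str, done_url: str,
                              cancel_url: str, allowed_hosts) -> str:
    """Return the DAS reset-password link carrying doneURL and cancelURL.
    urlencode percent-encodes both values, so a return URL containing '?'
    or '&' stays one parameter instead of being split by the query parser."""
    allowed = {h.lower() for h in allowed_hosts}
    check_return_url("doneURL", done_url, allowed)
    check_return_url("cancelURL", cancel_url, allowed)
    query = urlencode({"cancelURL": cancel_url, "doneURL": done_url})
    return f"{das_base}{DAS_RESET_PWD_PATH}?{query}"
```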
You can create a one-level realm in Oracle Internet Directory where the realm DN is the root DSE (DSA-Specific Entry). With a one-level realm, the root DSE becomes the subscriber search base in Oracle Internet Directory. Oracle Application Server Single Sign-On and Oracle Delegated Administration Services function correctly in one-level realm scenarios. However, when Oracle Delegated Administration Services attempts to retrieve a user's resource access descriptor (RAD), a NullPointerException is thrown from oracle.ldap.util.User.getExtendedProperties(). This exception is also thrown for Oracle Application Server Forms and Reports Services when integrated with one-level Oracle Internet Directory realms, or if you call the oracle.ldap.util.User.getExtendedProperties() method from a custom application.
This problem will be fixed in a future patch release.
Upgrading Oracle Application Server to 10g Release 2 (10.1.2) may overwrite any customized ordering of user attribute categories that you have configured for Oracle Delegated Administration Services. If this occurs, you must use the Configure Attribute Categories window in the Oracle Internet Directory Self-Service Console to reorder your category list following the upgrade process.
To reorder your category list with the Configure Attribute Categories window, see the "Configuring User Entries" topic in Chapter 5, "Managing Users and Groups with the Oracle Internet Directory Self-Service Console" of the Oracle Identity Management Guide to Delegated Administration.
This section describes administration issues and their workarounds for Oracle Delegated Administration Services. It includes the following topic:
Assignment of roles to users and groups, and revocation of those roles, are enforced only when a new Self-Service Console session is created. After assigning or revoking roles, log out of the Console, then log back in.
When Oracle Collaboration Suite users use the Self-Service Console to change their passwords, the field name associated with their voicemail PIN is incorrectly displayed as 'EmailServerContainer'. To solve this problem:

1. Use Oracle Directory Manager to navigate to the entry with the following DN: cn=orclpwdverifierconfig,cn=EMailServerContainer,cn=Products,cn=OracleContext,cn=subscriber realm
2. Select the entry.
3. Select All for View Properties.
4. In the displayname text box, enter Voicemail PIN.
5. Choose Apply.
Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated.

The first type of privileged user, the super user with the DN cn=orcladmin, is represented as a special user entry found within the default identity management realm. It enables directory administrators to make any modifications to the DIT and any changes to the configuration of Oracle Internet Directory servers. If the super user (orcladmin) account is locked, for example as a result of too many attempts to bind with an incorrect password, then an administrator with DBA privileges to the Oracle Internet Directory repository can unlock it by using the oidpasswd tool. To unlock the orcladmin account, execute the command:

oidpasswd unlock_su_acct=TRUE

The second privileged user is realm-specific. This user governs capabilities such as creation and deletion of users and groups within a realm and all the functionality related to Oracle Delegated Administration Services. This account is represented by an entry with the DN cn=orcladmin,cn=users,realm_DN. Note that, in contrast to the single super user account, each realm has its own realm-specific privileged user. To unlock the realm-specific privileged account, the administrator modifies the realm-specific privileged user's account password by using Oracle Directory Manager.
On some distributed installations of Oracle Internet Directory, the Oracle Internet Directory Self-Service Console displays two time zone fields in the Create User and Edit User windows. To remove the duplicate field:

1. Launch Oracle Directory Manager and log in as orcladmin.
2. In the navigator pane, expand Oracle Internet Directory Servers, then the directory server instance, then Entry Management.
3. Expand the following DN in the subtree beneath Entry Management: realm_DN, cn=oraclecontext, cn=Products, cn=DAS, cn=Attribute Configuration, cn=User Configuration, cn=categories, cn=Basic Info.
4. Select cn=Basic Info beneath the cn=categories node.
5. In the Properties tab page, locate the orcldasattrname attribute and remove the orcltimezone;;;7 value.
6. Click Apply.
7. Restart Oracle Delegated Administration Services and log in to the Oracle Internet Directory Self-Service Console.
8. Select the Configuration tab, then select User Entry.
9. Click Refresh Page.