OID Question

Similar Messages

• OID questions

  Hi,
  We are in the process of replacing TNSNAMES.ORA with OID (ver 9.2.0) , a couple of things that I am
  wondering about is:
  1. Is there some way to log the activities in OID?, i.e. where you can get the information: "I have been contected for name resolution xxx times of witch yyy where successfull"
  2. What about duplicates?, oidadmin happily replaces an existing SID with a new entry without any warnings, can this
  be prevented?
  3. Is there anyone that has seen the memory consumtions by the "oidldapd" process go up over time? , memory leak?
  any input you may have on these issues are appreciated. regards /Curt

  The rttMonJitterStatsTable is indexed by the IP SLA collector ID then the rttMonJitterStatsStartTimeIndex which is the value of sysUpTime at the time the row in the table was collected.
  If all you are interested in is the latest jitter collection results, consider using rttMonLatestJitterOperMaxOfPositivesSD instead.  The rttMonLatestJitterOperTable is indexed only by the collector ID (1 in your case).
  Please support CSC Helps Haiti
  https://supportforums.cisco.com/docs/DOC-8895
  https://supportforums.cisco.com

• OID Question and Database Naming

  Is OID required for database name resolution? For example, we want to connect to SID1 and we have an LDAP server running. Do we make an entry in OID to resolve the name SID1 or do we make an entry in the LDAP server or both?

  You can setup enterprise security user and authenticate users with OID user id and password.
  You can use dbms_lap to sync all users initially. And for future db id, create user in OID.

• Questions on SSO and OID implementation on oracle EBIZ R12.0.6 ID 376811.1

  Hello Guys,
  IS ORACLE 10g enterprise edition is same oracle identity management because I am bit confused what is going on when we logged an SR we have been told to use oracle 10g AS (10.1.3.5) but in the note its always says oracle 10g AS 10.1.4.X. which is in turn an Identity management so we need install oracle 10gAS (10.1.3.5) then on top of that we install oracle identity management which comprises of OSSO and OID . is it correct ??
  in reference note 376811.1
  please advise
  thanks
  MN

  Hello Hussien,
  Anyways I upgraded to 10.1.3.5 patch_set 10gAs on ebiz r12.0.6
  I have other question regarding the doc ID 376811.1
  in there is section
  Pre-Install Task 4: Apply the latest certified Application Server Patchset
  Oracle E-Business Suite Release 12 is certified with the Application Server Patch Sets listed in the table below:
  Certified AS Patchset Download Location One-off Patch details (if any)
  Oracle Identity Management 10g Release 3 Patch Set 1 (10.1.4.2) 5983637 8811442
  Oracle Identity Management 10g Release 3 Patch Set 2 (10.1.4.3) 7215628 8811442
  Oracle Application Server and Oracle Developer Suite 10g Release 2 (10.1.2) Patch Set 2 (10.1.2.2.0) 4960210
  Oracle Application Server and Oracle Developer Suite 10g Release 2 (10.1.2) Patch Set 3 (10.1.2.3.0)
  5983622
  Follow the installation instructions provided in the patch README to install the patch on your Identity Management Server and to check supported operating systems.
  Oracle always recommends latest certified AS patchset for E-Business Suite customer
  I installed oracle 10gas 10.1.4.0.1 its up and running so do i need to just apply the patchset oracle Identity management 10gR3 patcheset (10.1.4.3)
  or  I have to apply  both 10.1.4.3 and the oracle Application server 10g release 2 (10.1.2)patch set 3(10.1.2.3.0) ???
  because in enterprise manager application server control it says version 10.1.2.0.2 and identity management components show 10.1.4.0.1 .
  thanks in advance.

• Question about mapping AD to OID

  I'm trying to determine the correct entries for the activechg.map file.
  I have 2 issues to resolve:
  1. Most of the user accounts are in the AD users folder but I also have user accounts in an AD OU named "Cust Ser Reps". So do I need the following entires in the map file?
  CN=Users,DC=norris,DC=intra:cn=Users,dc=norris,dc=intra
  OU=Cust Ser Reps,DC=norris,DC=intra:cn=Users,dc=norris,dc=intra
  2. I have a second AD domain (swtp.intra) that resides in a different forest from norris.intra. There is a 2-way external trust between them. How do I map this domain to OID? The OID is only setup for dc=norris,dc=intra.
  Thanks for your help.
  Tom

  Hi Thomas
  The answer to question one is "yes" that is exaclty how you do it. If you have users in different parts of the tree you can modify your Domain mapping rules by adding the second tree and both will be synced with OID.
  To answer your second question, if you have a forest of AD servers then you should only sync with the Global Catalog Server. This will ensure that all changes made to any of the AD servers in the forest are synced with OID. You can read more about this in Chapter 43 of the OID admin guide.
  If you have multiple independant AD servers then you need to create a new DIP profile for each one that you want to sync with using ODM to create the new profiles.
  Jay

• OID Licensing Question (with ODS EE)

  Hello.  I am currently using OID (11.1.1.6) for my naming service (instead of tnsnames).  According to Oracle you are granted a restricted-use license for using OID "... if users use the Directory Naming feature to configure Oracle Net Services."  Since this is what I am doing, I I am under the impression that I do not have to license Oracle on the server with OID as long as it is the only thing on that server (which it is).
  My company is looking at purchasing "Employee" Oracle Directory Services Enterprise Edition licenses (environment is all Oracle DB Enterpirse Edition, 10gR2 and 11gR2) so that we can setup chaining between OID and Microsoft AD so that user roles/permissions can be assigned through AD via AD groups.
  My question is: since I will no longer be using OID strictly for connection resolution, and even though we will purchase ODS EE, will I be forced to license my server that is only running OID?  I would think that this wouldn't be the case, but I always prefer to know ahead of time when it comes to Oracle and licensing. 
  Any help would be greatly appreciated.
  Thanks,
  DC

  Hi Saad;
  I belive you can get the bestest answer from oracle support only. By the way you can also og a SR and confirm your issue wiht oracle support too.
  Regard
  Helios

• OID First Time Full Reconciliation - group/role reconciliation question

  My client has some roles/groups created in OID. The initial set of users lies over there. I have to bring the initial load of users into OIM. The existing set of users is around 5000. But some users belong to different groups/roles. Now if I want to do a first time reconciliation to bring all these initial set of user profiles and accounts into OIM; where do I need to specify the groups/roles in OID resource object?
  I went through the OID connector guide. But in there, in the section "3.1 Performing First-Time Reconciliation", it doesn't mention anywhere to create any multivalued attribute/child form or anything. What are the steps that are needed to be taken? If I just reconcile the group/role lookup values, will it populate those values within the user process form? If so, which fields will co-relate with that?
  Thanks,
  - oidm.

  Thanks Raj. But I think I am a bit lost over here.
  So you mean to say I don't need to run the scheduled tasks which are related to populating the groups/roles lookups for first time full reconciliation? And also you mean to say that we only need these lookups at the time of provisioning user profiles to target system?
  I have to create identities within OIM from OID so I have to run the 'OID User Trusted Recon Task' and not 'OID User Target Recon Task'.
  Basically, my question is how will the roles/groups be depicted in the user account when I will do a trusted source reconciliation? If so, which fields in process form will hold those values? Do I need to run the lookup reconciliation tasks for the same or not?
  Thanks,
  - oidm.

• OID 9.2 general config questions

  I am just re-installing Oracle Internet Directory after I corrupted the configuration. Arghh! Please comment on the following questions based on feasibility in a development environment -- that's often different than best practices.
  1) May the Database Server (9.2) and Internet Directory (9.2) be installed using the same Oracle Home?
  2) Can OID register itself for Enterprise User Security (eg. the OID repository is in 'iasdb' and the enterprise user logs into 'iasdb')?
  3) Do Thawte certificates work for OID 9.2? (I read an earlier post that Thawte had an algorithm bug.)
  4) Does registering the database with Enterprise Security Manager work or is it required to register the database with the Database Configuration Assistant?
  Thanks for your time,
  Barth

  HTML is recognized by more users at this point. I posted a
  problem with getting a registry error with flash 9. This didn't
  happen with 8 and they need to address it. If they don't, go with
  HTML.

• Question on OID Security Provider?

  1. I find two offical documents on config OID security provider, which one is correct?
  http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBBHAGJ
  http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13952/taskhelp/security/ConfigureOracleInternetDirectoryATNProvider.html
  The main differences are:
  a. whether to change cn to uid at Groups related fields?
  for example:All Groups Filter to (&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
  b. whether to modify jps-config.xml file?
  2. I config provider successful based on http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBBHAGJ, I can find all user and group of OID at weblogic console. My question is why can't I delete or change group of user which at OID. When I add new user via weblogic console wizard I can't find OID provider at Authentication Provider list. What matter with it? a bug or somthing wrong with my configuration, even it is build-in design?

  a. whether to change cn to uid at Groups related fields?
  If the group name attribute for the static group object in the LDAP directory structure is a type other than cn, change that type in the settings for the All Groups Filter and Group Name From Filter attributes.
  For OID, Static group attribute is CN if i am not wrong. So I believe we dont need to change the All Groups Filter.
  b. whether to modify jps-config.xml file?
  I believe NO.
  why can't I delete or change group of user which at OID. When I add new user via weblogic console wizard I can't find OID provider at Authentication Provider list.
  The Weblogic OID Provider is read only, we cant modify anything on OID. Its not the bug, you get the same behaviour with the other providers as well.
  Hope it answers.

• OID audit question

  Hello, people!
  I have question about auditing in Oracle Internet Directory.
  1. I turn audit on in my OID.
  2. Restart OID.
  3. Searching for Audit Log Entries by Using ldapsearch. The DN for the audit log container is cn=auditlog. To search for audit log entries, perform a subtree or one-level search, with the container object cn=auditlog as the base of the search. Work fine.
  4. But when i add some user to some group, i get record like:
  orclSequence=348,cn=auditlog
  objectclass=top
  objectclass=orclauditoc
  orcluserdn=cn=orcladmin
  orcleventtype=Modify
  orclauditmessage=Modifying entry cn=XMLP_ADMIN,cn=Groups,dc=rd,dc=local
  orclsequence=348
  orclopresult=Success
  orcleventtime=20091125141137z
  Did any one knows, how determine what changes done?
  Thanks,
  Jeff.

  it will be good if you are adding HR as OU , in case if you have IT or someother Organization Unit it will can be easily added and identified.
  Once you add it as OU autimatically all required class will be added automatically , further if you have any custom attribute you can add your own custom class

• OID config question

  Experts for OID, need your help with following:
  OID will be used to store accounts from a local Active Directory. (sync between AD and OID user accounts)
  Question: When installing OID, need your suggestions for following entries during OID installation
  1. LDAP v3 Name Space: ?? (Is dc=localdomain fine??)
  2. OID information Realm: ?? (Is dc=localdomain fine??)
  Following is the information about AD, whose users will be inside OID or synched with.
  The AD domain is adauth.local
  so user accounts are [email protected]
  These users are in a AD OU called as "internal"

  Hi,
  Keep both the entries(LDAP v3 Name Space and OID information Realm) as dc=localdomain,dc=adauth,dc=local at OID end.
  Regards,
  Kishore

• OID: ldap Name Space question

  Experts for OID, need your help with following:
  OID will be used to store user accounts
  (will later sync from a local Active Directory, so all users in AD will appear in OID)
  Following is the information about Active Directory.
  The AD domain is adauth.local
  so user accounts are [email protected]
  Question: When installing OID, need your suggestions for following entries during OID installation
  1. LDAP v3 Name Space: dc=adauth,dc=local (is this ok?)
  2. OID information Realm: dc=adauth,dc=local (is this ok?)
  Are above entries for LDAP Name Space ok during OID installation?
  I am trying to match AD LDAP Name space with OID, since OID will sync from AD user accounts.
  Is this ok?

  I'd still follow the points that are listed in your article David.  This is in the Exchange 2013 post. 
  Scenario: NetBIOS name of domain controller differs from subdomain of its DNS domain name
  It does ask for the additional steps to be taken, and while it may work without I would not go against the documentation. 
  The other thing you can do, is to do a cross forest migration to a new forest that is not disjoint.  I know that is a lot of work but then you will not run into these issues.  The same thing applies for customers who have a single label domain. 
  It's DNS name is not "contoso.com", the DNS name is "contoso".  Yes you can do that, but it is not a good place to be in.....
  Cheers,
  Rhoderick
  Microsoft Senior Exchange PFE
  Blog:
  http://blogs.technet.com/rmilne 
  Twitter:   LinkedIn:
    Facebook:
    XING:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• AD-OID and  WNA Question

  Two questions:
  Is it necessary to configure AD-OID integration to use Windows Native Authentication?
  Can I populate OID with my Active Directory users once and still use WNA?
  Thanks,
  Jim

  Update to my original post:
  After successfully configuring AD-OID synchronization and WNA on a Win2003 Server (and opening multiple SRs in the process), I learned that it IS possible to bootstrap the users once from AD into OID.
  Bootstrapping is required to import the users' krb5principalname and orclsamaccount attributes into OID, which are used by the SSO server to authenticate their kerberos tickets.
  Synchronization between AD-OID is not required for WNA to work, but it helps if you expect to add new users from AD into OID.
  HTH,
  Jim

• AD OID mapping rule questions

  Hi,
  Can someone please tell me how to map the first and last names from AD to OID in the mapping file. Currently I have the following and wanted to make sure if it's correct:
  sn,SAMAccountName: : :person:sn: :person:sn|SAMAccountName
  givenName: : :person:givenName: :person
  # Map the userprincipalname to the nickname attr by default
  #userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
  # Map the SamAccountName to the nickname attr if required
  # If this rule is enabled, userprincipalname rule needs to be disabled
  sAMAccountName: : :user:uid: :inetorgperson:sAMAccountName
  The other question I have is why we need to disable userprincipalname rule when the following is enabled. As I am also trying to enable WNA/SSO too, what other rules I need for that in my mapping file.
  sAMAccountName: : :user:uid: :inetorgperson:sAMAccountName
  Thanks

  I have these first two rules here and they seem to be working fine. But I think you will have trouble with the third one with WNA authentication.
  About the two last rules for uid, the reason you can only have onle one of these is that both are storing a value on the uid attribute. You need to choose wether you want to use the samaccountname or the userprincipalname on it.
  I remember seeing somewhere that for WNA authentication to work the uid should be in the format [email protected], so you would need to map userprincipalname to uid instead of samaccountname, I am not absolutely sure about this since I have never setup WNA.
  And also you would need to populate the krbprincipalname. I think this one is automatically copied to the orclsamaccountname attribute, which is required. I have a rule like this here:
  userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
  There are some walktroughs on Oracle By Examples that I found very usefull. This one is for WNA:
  http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
  Regards,
  Luis

• [Urgent] Some questions about OID/OSSO 10g - 11g upgrade

  Dear all,
  We are under doing upgrading assessment of OID/OSSO 10g to 11g for a customer. After reviewed the 'upgrading guide', we still have some questions as below:
  1.     Whether the ‘10g DIP profiles’ will be still available after the OID 11g upgrade? Currently there are some sync of AD<->OID and DB->OID.
  2.     Whether the ‘WNA’ function will still work after the upgrade?
  3.     Is there a big change of OID API from 10g to 11g? If so, I think a big effort maybe on application modification.
  4.     I found that there is a OAM Basic version for OSSO 10g upgrade. So if this OAM Basic will migrate the OSSO configuration (like external application) automatically, or it must be re-configed after the upgrade?
  5.     Currently customer config OID 10g as BPEL/ESB’s identity store. So does BPEL/ESB 10g is certificated with OID 11g also? I didn’t find the certification so far.
  Thank you in advance and any comment are welcome.

  Dear all,
  We are under doing upgrading assessment of OID/OSSO 10g to 11g for a customer. After reviewed the 'upgrading guide', we still have some questions as below:
  1.     Whether the ‘10g DIP profiles’ will be still available after the OID 11g upgrade? Currently there are some sync of AD<->OID and DB->OID.
  2.     Whether the ‘WNA’ function will still work after the upgrade?
  3.     Is there a big change of OID API from 10g to 11g? If so, I think a big effort maybe on application modification.
  4.     I found that there is a OAM Basic version for OSSO 10g upgrade. So if this OAM Basic will migrate the OSSO configuration (like external application) automatically, or it must be re-configed after the upgrade?
  5.     Currently customer config OID 10g as BPEL/ESB’s identity store. So does BPEL/ESB 10g is certificated with OID 11g also? I didn’t find the certification so far.
  Thank you in advance and any comment are welcome.