ldapsearch with LDIF Files

Search for the existence of a list of userids that are kept in a plain text file:

# ldapsearch -h hostname -p port -f filename.txt -D "cn=orcladmin" -w "password" -s sub -b "base_dn" "(uid=%s)"

where filename.txt contains one userid per line:
testuser1
testuser2

The lines in filename.txt are read one by one, and each value is substituted for %s in the search filter, so one search is run per line. The value is inserted verbatim: a line containing filter metacharacters such as *, ( or ) changes the meaning of the filter (a line holding just * turns the search into (uid=*) and returns every user), so only feed the tool a file of plain userids, or escape the values as described in RFC 4515 before running it. Note also that -w "password" on the command line is visible in the process list and in shell history; use an interactive password prompt where the tool offers one.
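The escaping mentioned above, as an added example that is not code from the original page: the userid file is rewritten with RFC 4515 escapes so that the %s substitution done by ldapsearch -f cannot change the shape of the filter. Only the one-userid-per-line layout shown above is assumed; the ldapsearch invocation at the end is the page's own command and is not executed by the script.

```sh
#!/bin/sh
# Added example, not from the original page: pre-escape the userid file so the
# %s substitution performed by ldapsearch -f cannot alter the search filter.
# Assumes one userid per line, as in filename.txt above. Escaping per RFC 4515.

# ldap_filter_escape VALUE: escape \ * ( ) for use inside a search filter
# (backslash is handled first so the other escapes are not escaped twice)
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# escape_uid_file IN OUT: write an escaped copy of IN to OUT, dropping blank lines
escape_uid_file() {
  : > "$2"
  while IFS= read -r uid || [ -n "$uid" ]; do
    [ -n "$uid" ] || continue
    printf '%s\n' "$(ldap_filter_escape "$uid")" >> "$2"
  done < "$1"
}

# build_uid_filters FILE: print the (uid=...) filter ldapsearch would run for
# each line, so the list can be eyeballed before the file is handed to -f
build_uid_filters() {
  while IFS= read -r uid || [ -n "$uid" ]; do
    [ -n "$uid" ] || continue
    printf '(uid=%s)\n' "$(ldap_filter_escape "$uid")"
  done < "$1"
}

# Usage with the page's command (placeholders as on the page; not run here):
#   escape_uid_file filename.txt filename.escaped
#   ldapsearch -h hostname -p port -f filename.escaped -D "cn=orcladmin" \
#       -w "password" -s sub -b "base_dn" "(uid=%s)"
```

A line that reads `*` becomes `\2a`, so the search looks for a user literally named `*` instead of matching every entry; genuine userids pass through unchanged.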

Index OID attribute

An attribute is only searchable in OID if it is indexed (cataloged). A search whose filter contains a non-indexed attribute is rejected with LDAP result code 53 (unwillingToPerform), as shown below for an attribute named assistant:
ldap_search: DSA is unwilling to perform
ldap_search: additional info:
LDAP Error 53 : [LDAP: error code 53 - Function Not Implemented, search filter attribute assistant is not indexed/cataloged]

Index using the catalog tool. Running the OID catalog tool with add=true indexes all existing values of the attribute; delete=true drops the index again.
Set ORACLE_HOME and ORACLE_INSTANCE first:
$ORACLE_HOME/ldap/bin/catalog connect="OIDDB" add=true attribute="verificationflag"
$ORACLE_HOME/ldap/bin/catalog connect="OIDDB" delete=true attribute="verificationflag"

Re-run the failing ldapsearch afterwards to confirm the filter is now accepted.

Indexing can also be done from ODSM. This is the right choice for a new attribute that has no data associated with it yet, because values added after the index is created are indexed; for an attribute that already holds data, use the catalog tool so the existing values are indexed too.
Navigate to Schema -> Attributes -> attribute_name
Select the attribute and check Indexed.

OID backup and restore

  1. Back up the ODS schema (the schema in the database that holds the OID data) with a database-level backup.
  2. Set the ORACLE_HOME and ORACLE_INSTANCE variables.
  3. Back up the OID LDAP schema (the subschema subentry) with the command below:
    $ORACLE_HOME/ldap/bin/ldapsearch -h <hostname> -p <port> -D cn=orcladmin -w <passwd> -L -b cn=subschemasubentry -s base -v "objectclass=*" > oidschemabk.ldif

Backup of the directory data:
$ORACLE_HOME/ldap/bin/ldifwrite connect="OIDDB" basedn="dc=domain" ldiffile="OID_backup.ldif"

Restore:
$ORACLE_HOME/ldap/bin/bulkdelete connect="OIDDB" basedn="dc=domain"
$ORACLE_HOME/ldap/bin/bulkload connect="OIDDB" check="TRUE" generate="TRUE" load="TRUE" restore="TRUE" append="TRUE" file="OID_backup.ldif"

where connect is the OID database connect string defined in tnsnames.ora. bulkdelete removes the whole subtree under basedn before bulkload reloads it, so confirm that OID_backup.ldif is complete and readable before running it. restore="TRUE" keeps the operational attributes stored in the LDIF (such as orclguid and the create/modify timestamps) instead of generating new ones, which matters because other components reference entries by GUID.
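A pre-flight check for the restore sequence above, added here as an example and not part of the original page or of Oracle's tools: it refuses to proceed unless the LDIF export is non-empty and actually contains the base DN that bulkdelete is about to wipe. It assumes the ldifwrite output layout (entries separated by blank lines, each beginning with a dn: line); base64-encoded dn:: lines are counted but not compared against the base DN. The sample LDIF in the test is constructed.

```sh
#!/bin/sh
# Added example, not from the original page: sanity-check an LDIF export
# before bulkdelete removes the subtree it is supposed to restore.
# Assumes ldifwrite's layout: entries separated by blank lines, each
# starting with "dn: " (or "dn:: " for a base64-encoded DN).

# count_ldif_entries FILE: number of entries (lines starting with dn: or dn::)
count_ldif_entries() {
  n=$(grep -c -i '^dn::\{0,1\} ' "$1" 2>/dev/null) || true
  printf '%s\n' "${n:-0}"
}

# ldif_has_base_dn FILE BASEDN: succeed if the export contains BASEDN itself
# (compared case-insensitively, with spaces around commas ignored), i.e. the
# subtree root was exported and not just some of its children
ldif_has_base_dn() {
  base=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
  grep -i '^dn: ' "$1" 2>/dev/null \
    | sed 's/^[Dd][Nn]: *//' | tr 'A-Z' 'a-z' | sed 's/ *, */,/g' \
    | grep -q -x -F "$base"
}

# check_backup_ldif FILE BASEDN: gate for the restore; returns 0 only when the
# export is non-empty and rooted at BASEDN, otherwise explains why on stderr
check_backup_ldif() {
  file=$1; basedn=$2
  [ -s "$file" ] || { echo "refusing restore: $file is missing or empty" >&2; return 1; }
  n=$(count_ldif_entries "$file")
  [ "$n" -gt 0 ] || { echo "refusing restore: no dn: lines in $file" >&2; return 1; }
  ldif_has_base_dn "$file" "$basedn" \
    || { echo "refusing restore: $basedn is not in $file" >&2; return 1; }
  echo "$file: $n entries, rooted at $basedn"
}

# Usage with the page's restore commands (OID's own tools; not run here):
#   check_backup_ldif OID_backup.ldif "dc=domain" && \
#   $ORACLE_HOME/ldap/bin/bulkdelete connect="OIDDB" basedn="dc=domain" && \
#   $ORACLE_HOME/ldap/bin/bulkload connect="OIDDB" check="TRUE" generate="TRUE" \
#       load="TRUE" restore="TRUE" append="TRUE" file="OID_backup.ldif"
```

Because the check is chained with `&&`, an empty or mis-rooted export stops the sequence before bulkdelete runs.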

DIP: wls_ods out of memory

Bug 13977226: DIP WLS_ODS1 out-of-memory (OOM) error when using a database or eBS profile. The ODIP managed server (WLS_ODS) crashes with an out of memory error. In a heap dump, a large number of instances of "oracle.dms.jmx.MetricMBeanInfo" occupy the majority of the heap. These are caused by unclosed JDBC connections. The bug applies when one or more of the following classes is in use:
DBConnector, PLSQLReader, PLSQLWriter, ProvAppToOIDSync_2_0 and ProvOIDToAppSync_2_0
i.e. most likely an eBS provisioning profile or a database profile.

Range of versions believed to be affected: versions >= 11.1.1.1 but below 11.1.1.9
Versions confirmed as being affected:
•    11.1.1.7
•    11.1.1.6
•    11.1.1.5
•    11.1.1.4
•    11.1.1.3
•    11.1.1.2
•    11.1.1.1
Platforms affected: generic (all / most platforms affected)

FIX:
Patch 13977226: WLS_ODS1 OUTOFMEMORY (OOM) CONDITION FOR THE MANAGED SERVER
The following are the bugs fixed by this patch:
  13977226: WLS_ODS1 OUTOFMEMORY (OOM) CONDITION FOR THE MANAGED SERVER

Weblogic Exit on out of memory

If a WebLogic server is crashing frequently with out of memory errors, the workaround below can help until the root cause of the issue is found. Instead of leaving a half-dead JVM running after an OutOfMemoryError, the JVM exits immediately and Node Manager restarts it.

  1. Configure Node Manager with CrashRecoveryEnabled=true
  2. Configure WebLogic to exit on out of memory as given below

Navigate to $IDMDomain/bin
Add the -XX:+ExitOnOutOfMemoryError parameter
a) Edit startManagedWebLogic.sh
Add the line below before the line that exports JAVA_OPTIONS
JAVA_OPTIONS="-XX:+ExitOnOutOfMemoryError ${JAVA_OPTIONS}"
OR
b) Open the WebLogic console, navigate to Home > Summary of Servers > managed_server > Configuration > Server Start
Add the line below to Arguments
-XX:+ExitOnOutOfMemoryError
Restart the managed server

Two caveats: -XX:+ExitOnOutOfMemoryError is a HotSpot option introduced in JDK 8u92, and an older HotSpot or JRockit JVM does not recognize it and refuses to start, so confirm that the JVM used by the domain accepts the option before putting it in the start script. CrashRecoveryEnabled only takes effect for servers that were started through Node Manager; a server started directly from startManagedWebLogic.sh exits and stays down.

So whenever there is an out of memory error, the WebLogic server exits on the first occurrence and Node Manager restarts it. However, you must still investigate the root cause of the out of memory error for a permanent fix.
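The two checks a practitioner wants around this change, written as an added example (not from the original page or from Oracle): ask the JVM whether it recognizes the option before it goes into startManagedWebLogic.sh, and add the option to JAVA_OPTIONS without duplicating it when the setup script is run more than once. The java path under JAVA_HOME is an assumption; nothing here touches a real domain.

```sh
#!/bin/sh
# Added example, not from the original page or Oracle: guard the manual
# steps above. jvm_accepts_flag asks the JVM whether it recognizes a flag
# before the flag is written into a start script; ensure_java_opt adds a
# flag to a JAVA_OPTIONS string only if it is not already present, so
# re-running a setup script does not accumulate copies of it.

FLAG='-XX:+ExitOnOutOfMemoryError'

# ensure_java_opt OPTS FLAG: print OPTS with FLAG prepended unless already present
ensure_java_opt() {
  case " $1 " in
    *" $2 "*) printf '%s' "$1" ;;
    *)        printf '%s' "$2${1:+ $1}" ;;
  esac
}

# jvm_accepts_flag JAVA FLAG: 0 if the JVM starts with FLAG, non-zero otherwise
# (a JVM older than 8u92 reports "Unrecognized VM option" and exits non-zero;
# a wrong JAVA path fails the same way, so check the path separately)
jvm_accepts_flag() {
  "$1" "$2" -version >/dev/null 2>&1
}

# Usage against a real domain (JAVA_HOME location assumed; not executed here):
#   java_bin="${JAVA_HOME:?set JAVA_HOME to the JDK used by the domain}/bin/java"
#   if jvm_accepts_flag "$java_bin" "$FLAG"; then
#     JAVA_OPTIONS=$(ensure_java_opt "${JAVA_OPTIONS:-}" "$FLAG")
#     export JAVA_OPTIONS
#   else
#     echo "JVM at $java_bin does not accept $FLAG (needs JDK 8u92 or later)" >&2
#   fi
```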


Synchronizing Deletions from Microsoft Active Directory

To synchronize deletions in Microsoft Active Directory with Oracle Internet Directory, you must grant the necessary privilege to the Microsoft Active Directory user account that the Oracle directory integration server uses to perform synchronizations with Microsoft Active Directory. Objects deleted in Microsoft Active Directory are not removed at once; they are kept as tombstones in the cn=Deleted Objects container of the domain, and deletions can be synchronized with Oracle Internet Directory by querying for them there.

For the USN-Changed (ActiveChgImp) approach, the Microsoft Active Directory user account that the Oracle Directory Integration Platform uses to access Microsoft Active Directory must have "List Contents" (LC) and "Read Property" (RP) permission on the cn=Deleted Objects container of the domain. By default only the SYSTEM account has access to this container, which is why the steps below first take ownership of it. The permissions are set with dsacls.exe, the Windows command-line tool for displaying and editing Active Directory ACLs (built into Windows Server 2008 and later, and part of the Support Tools on earlier versions).

Follow the steps below to run dsacls:

1. Open an elevated command prompt: click Start, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type the following commands, pressing Enter after each:

· dsacls <deleted_object_dn> /takeownership

Ex: dsacls "CN=Deleted Objects,DC=domain" /takeownership

· dsacls <deleted_object_dn> /G <user_or_group>:LC

Ex: dsacls "CN=Deleted Objects,DC=domain" /G ldapaccess:LC

· dsacls <deleted_object_dn> /G <user_or_group>:RP

Ex: dsacls "CN=Deleted Objects,DC=domain" /G ldapaccess:RP

Grant only these two rights, and only on this container: the synchronization account needs no write access to Deleted Objects, and the grant has to be repeated in every domain that is synchronized. Afterwards run dsacls "CN=Deleted Objects,DC=domain" with no other arguments to display the resulting ACL and confirm that the two entries for the account are present.

Parameters:

deleted_object_dn: the distinguished name of the Deleted Objects container of the domain, for example CN=Deleted Objects,DC=domain (the container, not an individual deleted object).

user_or_group: the user or group to whom the permissions apply, here the user account that Oracle Internet Directory uses to access Active Directory, given as DOMAIN\user or user@domain.

If you create a matching filter for the ActiveChgImp profile (for the USN-Changed profile) be sure to include only the following key Microsoft Active Directory attributes:

  • ObjectGUID
  • ObjectSID
  • ObjectDistName
  • USNChanged

If you specify any attributes in a matching filter other than the preceding key attributes, deletions in Microsoft Active Directory are not propagated to Oracle Internet Directory.