Upgrade OID 11.1.1.7 to 11.1.1.9

Download Patch : 20995629

Backup Oracle home
tar -cvf OracleIDM1_backup.tar Oracle_IDM1

Backup OID instance
tar -cvf oid_inst1_backup.tar oid_inst1

Install patch 20995629
Execute from Disk1 ./runInstaller

Upgrade database schema using patch set assistant

Verify the upgrade
Check binaries: execute $ORACLE_HOME/OPatch/opatch lsinventory
Check schema: select comp_name, owner, version from schema_version_registry where owner = 'ODS';

Reset The Last Applied Change Number in a Provisioning Profile

Issue faced
The EBS provisioning profile tried to retrieve more changes than the server's size limit allows, and searching all of those changes took more than 3600ms, i.e. the maximum time allowed for a search to complete.

You can check the above configuration from Enterprise Manager, or look at the values of "orcltimelimit" and "orclsizelimit" under cn=oid,cn=osdldapd,cn=subconfigsubentry.

Verification

ldapsearch -h <hostname> -p <port> -D cn=orcladmin -w xxxxxx -b "" -s base "objectclass=*" lastchangenumber

ldapsearch -h <hostname> -p <port> -D cn=orcladmin -w xxxxxx -b "cn=provisioning profiles,cn=changelog subscriber,cn=oracle internet directory" -s sub objectclass=* | grep orcllastappliedchangenumber

The profile hits the limit when:
lastchangenumber - orcllastappliedchangenumber > maximum number of entries to be returned by a search
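
The inequality above can be evaluated from the two ldapsearch outputs without reading the numbers by hand. The script below is an added example and is not part of the original notes; the two outputs are constructed sample text, the host, port and password of the live ldapsearch calls are assumed, and 10000 stands in for whatever orclsizelimit is set to on your server.

```shell
#!/bin/sh
# Added example, not part of the original notes: evaluate
#   lastchangenumber - orcllastappliedchangenumber > orclsizelimit
# from the output of the two ldapsearch commands. The outputs below are
# constructed samples; on a live system capture them from the real commands.

# Constructed sample: base search on the root DSE for lastchangenumber
ROOTDSE_OUT='dn:
lastchangenumber: 1500230'

# Constructed sample: profile search piped through grep orcllastappliedchangenumber
PROFILE_OUT='orcllastappliedchangenumber: 1487000'

# Print the value of attribute $1 from ldapsearch output $2 (first match, case-insensitive)
ldap_value() {
  printf '%s\n' "$2" | awk -v a="$1" 'tolower($1) == (tolower(a) ":") { print $2; exit }'
}

# Backlog the profile still has to read: lastchangenumber - orcllastappliedchangenumber
backlog() {
  last=$(ldap_value lastchangenumber "$ROOTDSE_OUT")
  applied=$(ldap_value orcllastappliedchangenumber "$PROFILE_OUT")
  echo $((last - applied))
}

# Exit 0 when the backlog is larger than orclsizelimit ($1), i.e. the provisioning
# search would exceed the server's size limit; exit 1 otherwise.
backlog_exceeds_limit() {
  [ "$(backlog)" -gt "$1" ]
}

# Usage: orclsizelimit is read from cn=oid,cn=osdldapd,cn=subconfigsubentry (10000 assumed here)
if backlog_exceeds_limit 10000; then
  echo "backlog $(backlog) > orclsizelimit 10000: reset lastchangenumber with oidprovtool"
else
  echo "backlog $(backlog) is within orclsizelimit 10000"
fi
```

With the sample values the backlog is 13230, so the check reports that the profile would exceed a size limit of 10000 and the reset described under Solution applies.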

Solution

Reset the last applied change number in the provisioning profile:

oidprovtool operation=modify ldap_host="<hostname>" ldap_port="<port>" \
ldap_user_dn="cn=orcladmin" ldap_user_password="xxxx" application_dn= \
"orclApplicationCommonName=PROD,cn=EBusiness,cn=Products,cn=OracleContext,dc=domain" \
lastchangenumber="XXXX"

At the prompt, enter the following details:
Interface Connection information -> <Apps_DB_host>:<Apps_DB_Port>:<Apps_SID>:<Apps_schema_user>:<apps_password>

ldapsearch with LDIF Files

Search for the existence of a list of userids held in a file:

# ldapsearch -h hostname -p port -f filename.txt -D "cn=orcladmin" -w "password" -s sub -b "base_dn" "(uid=%s)"

where filename.txt contains one userid per line:
testuser1
testuser2

The lines in filename.txt are read one by one, and each value is substituted for %s in the search filter.

Index OID attribute

An attribute is searchable in OID only if it is indexed. A search whose LDAP filter contains a non-indexed attribute returns an error like the one below:
ldap_search: DSA is unwilling to perform
ldap_search: additional info:
LDAP Error 53 : [LDAP: error code 53 - Function Not Implemented, search filter attribute assistant is not indexed/cataloged]

Index using the catalog tool. Running the OID catalog tool indexes all existing values of the attribute.
Set ORACLE_HOME and ORACLE_INSTANCE, then:
$ORACLE_HOME/ldap/bin/catalog connect="OIDDB" add=true attribute="verificationflag"      (create the index)
$ORACLE_HOME/ldap/bin/catalog connect="OIDDB" delete=true attribute="verificationflag"   (drop the index)

Indexing can also be done from ODSM. If the attribute is new and has no data associated with it yet, index it from ODSM; values added after the index is created are indexed.
Navigate to Schema -> Attributes -> attribute_name
Select the attribute and check Indexed.
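
When scripted searches start failing with error 53, it helps to pull the attribute name out of the error text automatically and produce the matching catalog command. The following is an added example, not part of the original notes: the error text is a constructed sample built from the message quoted above, and the connect string "OIDDB" is assumed to match the entry in tnsnames.ora.

```shell
#!/bin/sh
# Added example, not part of the original notes: detect the LDAP error 53
# "not indexed/cataloged" response and print the catalog command that would
# index the offending attribute. SAMPLE_ERR is constructed from the message
# quoted in the notes; "OIDDB" is the assumed connect string.

SAMPLE_ERR='ldap_search: DSA is unwilling to perform
ldap_search: additional info:
LDAP Error 53 : [LDAP: error code 53 - Function Not Implemented, search filter attribute assistant is not indexed/cataloged]'

# Print the attribute named in "search filter attribute X is not indexed";
# print nothing and exit 1 when the text contains no such error.
unindexed_attribute() {
  printf '%s\n' "$1" \
    | sed -n 's/.*search filter attribute \([^ ]*\) is not indexed.*/\1/p' \
    | head -n 1 | grep .
}

# Compose the catalog command from the notes for the attribute in error text $1.
# Exit 1 (and print nothing) when the text is not an error-53 response.
catalog_command() {
  attr=$(unindexed_attribute "$1") || return 1
  echo "\$ORACLE_HOME/ldap/bin/catalog connect=\"OIDDB\" add=true attribute=\"$attr\""
}

# Usage: feed the captured ldapsearch error output to catalog_command
catalog_command "$SAMPLE_ERR"
```

The command is only printed, not executed: catalog rewrites the ODS schema, so the printed line is meant to be reviewed and run deliberately with ORACLE_HOME and ORACLE_INSTANCE set, as the notes describe.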

OID backup and restore

  1. Back up the OID database schema ODS from the database.
  2. Set ORACLE_HOME and ORACLE_INSTANCE variables.
  3. Back up the OID directory schema (subschema subentry) by executing the command below:
    $ORACLE_HOME/ldap/bin/ldapsearch -h <hostname> -p <port> -D cn=orcladmin -w <paswd> -L -b cn=subschemasubentry -s base -v "objectclass=*" > oidschemebk.ldif

Backup:
$ORACLE_HOME/ldap/bin/ldifwrite connect="OIDDB" basedn="dc=domain" ldiffile="OID_backup.ldif"

Restore:
$ORACLE_HOME/ldap/bin/bulkdelete connect="OIDDB" basedn="dc=domain"
$ORACLE_HOME/ldap/bin/bulkload connect="OIDDB" check="TRUE" generate="TRUE" load="TRUE" restore="TRUE" append="TRUE" file="OID_backup.ldif"

where connect is the connect string of the OID database defined in tnsnames.ora.
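
Because the restore first runs bulkdelete against the whole basedn, it is worth checking the LDIF file before bulkload: that it actually contains entries and that every dn sits under the basedn you are about to wipe. The script below is an added example and is not part of the original notes; the LDIF is a constructed sample rather than a real ldifwrite export, and "dc=domain" is taken from the commands above.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check an ldifwrite
# backup before the destructive bulkdelete/bulkload pair. Verifies that the
# file holds at least one entry and that every dn is equal to, or ends with,
# the basedn. SAMPLE_LDIF is a constructed sample, not a real export.

SAMPLE_LDIF=$(mktemp)
trap 'rm -f "$SAMPLE_LDIF"' EXIT
cat > "$SAMPLE_LDIF" <<'EOF'
dn: dc=domain
objectclass: domain
dc: domain

dn: cn=users,dc=domain
objectclass: orclContainer
cn: users

dn: cn=testuser1,cn=users,dc=domain
objectclass: inetOrgPerson
cn: testuser1
sn: user

EOF

# Number of entries in LDIF file $1 (each entry starts with a "dn:" line)
ldif_entry_count() {
  grep -c '^dn:' "$1"
}

# Print every dn line of $1 that is not under basedn $2 (case-insensitive match).
# Base64-encoded dns ("dn::") are not decoded and therefore show up here for review.
ldif_foreign_dns() {
  awk -v base="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^dn:/ {
      dn = tolower(substr($0, 4)); sub(/^[ \t]+/, "", dn)
      # accept the base entry itself or any dn whose suffix is ",<base>"
      if (dn != base && substr(dn, length(dn) - length(base)) != "," base) print
    }' "$1"
}

# Exit 0 when file $1 has entries and none lie outside basedn $2
ldif_restore_ok() {
  [ "$(ldif_entry_count "$1")" -gt 0 ] && [ -z "$(ldif_foreign_dns "$1" "$2")" ]
}

# Usage: run against OID_backup.ldif with the basedn given to bulkdelete
if ldif_restore_ok "$SAMPLE_LDIF" "dc=domain"; then
  echo "$(ldif_entry_count "$SAMPLE_LDIF") entries, all under dc=domain: safe to bulkload"
else
  echo "refusing to restore, entries outside dc=domain:"
  ldif_foreign_dns "$SAMPLE_LDIF" "dc=domain"
fi
```

Run it with the real backup file and the same basedn you pass to bulkdelete; a non-empty list from ldif_foreign_dns means the export does not match the subtree you are about to delete, so stop and reconcile the two before continuing.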

Synchronizing Deletions from Microsoft Active Directory

To synchronize deletions in Microsoft Active Directory with Oracle Internet Directory, you must grant the necessary privilege to the Microsoft Active Directory user account that the Oracle directory integration server uses to perform synchronizations with Microsoft Active Directory. Microsoft Active Directory deletions can be synchronized with Oracle Internet Directory by querying for them in Microsoft Active Directory.

For the USN-Changed (ActiveChgImp) approach, the Microsoft Active Directory user account that the Oracle Directory Integration Platform uses to access Microsoft Active Directory must have “List Content” and “Read Properties” permission to the cn=Deleted Objects container of a given domain. In order to set these permissions, you must use the dsacls.exe command which was previously known as Active Directory Application Mode or ADAM.

Follow the steps below to execute the dsacls command:

1. Open a command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type the following and press enter after each command:

· dsacls <deleted_object_dn> /takeownership

Ex: dsacls "CN=deleted objects,dc=domain" /takeownership

· dsacls <deleted_object_dn> /G <user_or_group>:LC

Ex: dsacls "CN=deleted objects,dc=domain" /G ldapaccess:LC

· dsacls <deleted_object_dn> /G <user_or_group>:RP

Ex: dsacls "CN=deleted objects,dc=domain" /G ldapaccess:RP

Parameter           Description
deleted_object_dn   The distinguished name of the deleted directory object.
user_or_group       The user or group for whom the permissions apply (the user account used to access AD from OID).

If you create a matching filter for the ActiveChgImp profile (the USN-Changed profile), be sure to include only the following key Microsoft Active Directory attributes:

  • ObjectGUID
  • ObjectSID
  • ObjectDistName
  • USNChanged

If you specify any attributes in a matching filter other than the preceding key attributes, deletions in Microsoft Active Directory are not propagated to Oracle Internet Directory.