readme_oid.htm

Debian中文参考手册,系统介绍了Debian系统

<!--TOC=h2-"563386"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.3&#32; Database Access Mechanisms</FONT></H3>
<!--/TOC=h2-->
<A NAME="563388"></A>
<P CLASS="BP">
The database being used as the data-store for Oracle Internet Directory should be dedicated for Oracle Internet Directory. Since Oracle Internet Directory itself accesses its backend database as a regular database user, using LDAP enabled features in some other Oracle products has a potential of causing circular dependencies. Oracle recommends that you NOT use the following database access mechanisms for Oracle Internet Directory's own database connections:
</P>

<UL CLASS="LB1">

<LI CLASS="LB1" TYPE="DISC"><A NAME="563392"></A>Oracle Net LDAP naming - which allows Oracle Net clients to look up an LDAP server for resolving database service names. Using Oracle Net can prevent Oracle Internet Directory from starting up. 
<P>

<LI CLASS="LB1" TYPE="DISC"><A NAME="563394"></A>Enterprise Users and Roles (part of the Advanced Security Option) - which enables the database to refer to an LDAP server to determine which
<P>

<LI CLASS="LB1" TYPE="DISC"><A NAME="563395"></A>Enterprise Roles have been granted to a particular Enterprise User. Oracle Internet Directory cannot login to its own database as an Enterprise User. 
<P>
</UL>

<A NAME="563397"></A>
<!--TOC=h2-"563397"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.4&#32; Running Multiple Instances of the Directory Server</FONT></H3>
<!--/TOC=h2-->
<A NAME="563399"></A>
<P CLASS="BP">
You can run multiple instances of the directory server on the same machine. For example, one server can be running in SSL mode while the other may be running in non-SSL mode. However all instances of the directory server using a given database server MUST run on the same machine. For example: running two directory servers, one on Machine A and another on Machine B, against a database on Machine C is NOT supported. However, running both directory servers on Machine A against a database on Machine B is supported. 
</P>

<A NAME="563404"></A>
<!--TOC=h2-"563404"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.5&#32; ORACLE DIRECTORY INTEGRATION PLATFORM ISSUES AND LIMITATIONS</FONT></H3>
<!--/TOC=h2-->

<A NAME="563406"></A>
<!--TOC=h3-"563406"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.5.1&#32; Oracle Directory Integration Platform and Replication</FONT></H4>
<!--/TOC=h3-->
<A NAME="563408"></A>
<P CLASS="BP">
If you use the Oracle Directory Integration Platform in a replicated environment consisting of more than one Oracle Internet Directory server node, you must set the <CODE>orcldiprepository</CODE> attribute in DSE root to 1. Setting the attribute to 1 will make the server generate the change log entries for changes coming from the other Oracle Internet Directory nodes. By default the server does not generate these change log entries. The change log entries are required for directory data to be synchronized with third-party directories and metadirectories.
</P>

<A NAME="563413"></A>
<!--TOC=h3-"563413"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.5.2&#32; Binary Attributes Cannot Be Synchronized (Bug 1692057)</FONT></H4>
<!--/TOC=h3-->
<A NAME="565243"></A>
<P CLASS="BP">
Binary attributes cannot be imported or exported from the directory.
</P>

<A NAME="565244"></A>
<!--TOC=h3-"565244"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.5.3&#32; iPlanet Synchronization Limitations</FONT></H4>
<!--/TOC=h3-->
<A NAME="565280"></A>
<P CLASS="BP">
When synchronizing user data, the iPlanet connector does not synchronize the schema changes automatically. To perform this synchronization, you use <CODE>$ORACLE_HOME/bin/schemasync</CODE>. The schemasync tool is not supported in the 'SSL' mode.
</P>
<A NAME="565284"></A>
<P CLASS="BP">
The SSL mode between the Oracle directory integration server and the iPlanet Directory is not supported in Release 9.2.0.1.0. However, the SSL mode is supported in this release between the Oracle directory integration server and Oracle Internet Directory. Because the Oracle directory integration server can be run from anywhere, it can be co-hosted with the iPlanet Directory. 
</P>
<A NAME="565297"></A>
<P CLASS="BP">
iPlanet connector comes with a default import and export profiles which are used for synchronization. Before using the iPlanet export connector, you must subscribe to Oracle Internet Directory change events. Otherwise, the change events are purged before they are consumed by the iPlanet connector. To subscribe to change events, the default export profile requires setting the <CODE>orclsubscriberdisable</CODE> flag to FALSE. By default, this flag is set to TRUE. To set the "<CODE>orclsubscriberdisable</CODE>" flag to FALSE, use the ldapmodify command-line tool with the LDIF file in <CODE>ORACLE_HOME/ldap/odi/conf/iplpurgedisable.ldif</CODE>.
</P>

<A NAME="565301"></A>
<!--TOC=h3-"565301"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.5.4&#32; Limitation in Synchronizing Deletions from iPlanet</FONT></H4>
<!--/TOC=h3-->
<A NAME="565302"></A>
<P CLASS="BP">
If the iPlanet connector is deployed for a two-way synchronization between Oracle Internet Directory and iPlanet Directory Server, then deletion of entries in the iPlanet Directory originally created in Oracle Internet Directory are not propagated to Oracle Internet Directory. Such entries must be deleted in Oracle Internet Directory. 
</P>

<A NAME="565276"></A>
<!--TOC=h3-"565276"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.5.5&#32; Configset0 For Starting Oracle Directory Integration ServerIs Reserved For Oracle Directory Provisioning Integration Service </FONT></H4>
<!--/TOC=h3-->
<A NAME="565321"></A>
<P CLASS="BP">
If you use Oracle directory integration server for synchronization--for example, with an iPlanet Directory Server, then use any configset except configset0 when you start the directory integration server. Configset0 is reserved for running the Oracle directory integration server for the Oracle Provisioning Integration Service.
</P>

<A NAME="565334"></A>
<!--TOC=h3-"565334"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.5.6&#32; Data Interface Type DB Not Supported (bug 2193082) </FONT></H4>
<!--/TOC=h3-->
<A NAME="565335"></A>
<P CLASS="BP">
The data interface type, indicating the type of interface used for synchronization between Oracle Internet Directory and connected directory, provides a "DB" option in the user interface. However, selecting that option gives an error message saying that the option is not supported in the directory server. The DB option should not be displayed at all by the user interface.
</P>

<A NAME="563448"></A>
<!--TOC=h2-"563448"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6&#32; Directory Server Limitations</FONT></H3>
<!--/TOC=h2-->

<A NAME="563450"></A>
<!--TOC=h3-"563450"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.1&#32; Non-UTF8 Databases</FONT></H4>
<!--/TOC=h3-->
<A NAME="565352"></A>
<P CLASS="BP">
The Oracle directory server and database tools are no longer restricted to run on a UTF8 database. However, if the character set of the data in the client request differs from that in the directory server database, and if that client data cannot be mapped to the database character set, then there may be data loss during LDAP add, delete, modify, or modifydn operations. Oracle Corporation recommends that the client and database character sets be the same if the database underlying the Oracle directory server is not UTF8.
</P>

<A NAME="565356"></A>
<!--TOC=h3-"565356"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.2&#32; If Directory Is Not Populated by Using the bulkload Utility, then OIDSTATS Must Be Run</FONT></H4>
<!--/TOC=h3-->
<A NAME="565357"></A>
<P CLASS="BP">
If bulkload.sh is not used to populate the directory, then <CODE>$ORACLE_HOME/ldap/admin/oidstats.sh</CODE> must be run. Otherwise, there may be significant search performance degradation. The DBMS_STATS() PL/SQL package may be used instead of oidstats.sh. 
</P>

<A NAME="565364"></A>
<!--TOC=h3-"565364"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.3&#32; Installation of Replicated Directories in a Logical Host Environment</FONT></H4>
<!--/TOC=h3-->
<A NAME="565368"></A>
<P CLASS="BP">
Oracle Internet Directory supports failover in a clustered environment by using logical hosts described in "Managing Failover in Clusters" in the <EM CLASS="Italic">Oracle Internet Directory Administrator's Guide</EM>. Use of logical hosts in a replication environment requires a fresh installation of Oracle Internet Directory. It also requires the use of logical host names while configuring the replication agreement. If you are upgrading from an existing pre-3.0.1 replication environment where host names in the existing replication agreement differ from the logical host names, then replication fails.
</P>

<A NAME="565380"></A>
<!--TOC=h3-"565380"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.4&#32; Transparent Application Failover (TAF) Does Not Work Reliably In Real Application Clusters Configurations </FONT></H4>
<!--/TOC=h3-->
<A NAME="565387"></A>
<P CLASS="BP">
In Oracle Internet Directory Release 9.2.0.1.0, connection-time failover works. Transparent application failover does not always work, but, when it fails, it falls back to connection-time failover.
</P>

<A NAME="565392"></A>
<!--TOC=h3-"565392"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.5&#32; Indexed Attribute Names Cannot Exceed 28 Characters </FONT></H4>
<!--/TOC=h3-->
<A NAME="565393"></A>
<P CLASS="BP">
You cannot use catalog.sh to create an index on an attribute if the attribute has more than 28 characters in its name. 
</P>

<A NAME="565394"></A>
<!--TOC=h3-"565394"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.6&#32; Only Attributes With Supported Matching Rules Can Be Indexed </FONT></H4>
<!--/TOC=h3-->
<A NAME="565398"></A>
<P CLASS="BP">
You must assign a matching rule supported by Oracle Internet Directory to any new attribute definition before indexing that attribute. See the <EM CLASS="Italic">Oracle Internet Directory Administrator's Guide</EM> for more details on using the catalog.sh utility and on supported matching rules and their syntax.
</P>

<A NAME="565408"></A>
<!--TOC=h3-"565408"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.7&#32; Integer Match for Equality of Indexed Attributes Behaves Like a String Match</FONT></H4>
<!--/TOC=h3-->
<A NAME="565409"></A>
<P CLASS="BP">
When an attribute with <CODE>integerMatch</CODE> for EQUALITY is indexed by using catalog.sh, the matching rule of the attribute works like that of a string rather than that of an integer. 
</P>

<A NAME="565410"></A>
<!--TOC=h3-"565410"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.8&#32; Attribute Alias Dereferencing Not Supported in LDAP Operations</FONT></H4>
<!--/TOC=h3-->
<A NAME="565417"></A>
<P CLASS="BP">
Oracle Internet Directory Release 9.2.0.1.0 supports entry alias dereferencing in LDAP operations, but not attribute dereferencing.
</P>

<A NAME="565418"></A>
<!--TOC=h3-"565418"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.9&#32; Syntax Checking Is Not Supported in the Directory Server</FONT></H4>
<!--/TOC=h3-->
<A NAME="565419"></A>
<P CLASS="BP">
The Oracle directory server does not verify the syntax of the attribute values entered by users during entry addition and modification.
</P>

<A NAME="565423"></A>
<!--TOC=h3-"565423"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.10&#32; SSL V2 Clients May Not Be Able to Connect to the Server </FONT></H4>
<!--/TOC=h3-->
<A NAME="565424"></A>
<P CLASS="BP">
LDAP clients using SSL v2 may experience "Can't Contact LDAP server" errors sporadically in attempting to bind to Oracle Internet Directory servers.
</P>

<A NAME="565431"></A>
<!--TOC=h3-"565431"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.6.11&#32; Entry Cache Must Be Disabled for Running Bulk Tools</FONT></H4>
<!--/TOC=h3-->
<A NAME="565432"></A>
<P CLASS="BP">
The entry cache must be disabled in order to run any bulk tools. Otherwise results returned for subsequent queries will be incorrect. 
</P>

<A NAME="565436"></A>
<!--TOC=h2-"565436"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.7&#32; Directory Replication Limitations </FONT></H3>
<!--/TOC=h2-->

<A NAME="565437"></A>
<!--TOC=h3-"565437"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.7.1&#32; Creating New Directory Replication Groups</FONT></H4>
<!--/TOC=h3-->
<A NAME="565443"></A>
<P CLASS="BP">
The section in the <EM CLASS="Italic">Oracle Internet Directory Administrator's Guide </EM>about creating new directory replication groups (DRGs) assumes that there is no pre-existing directory data on any of the nodes being used for the DRG. 
</P>

<A NAME="565444"></A>
<!--TOC=h3-"565444"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.7.2&#32; Adding New Nodes to Existing Directory Replication Groups</FONT></H4>
<!--/TOC=h3-->
<A NAME="565451"></A>
<P CLASS="BP">
In Oracle Internet Directory Release 9.2.0.1.0, you cannot create a directory replication group from an existing, non-replicating single Oracle Internet Directory node by using the documented "add a node" procedure. The procedure assumes you have an existing DRG and wish to increase the number of participating nodes by one. In this case, you need to ensure that there is no pre-existing data on the new node. Any pre-existing data is not replicated back to the other participants in the existing DRG. If it is necessary to replicate pre-existing data, then do the following:
</P>

<OL CLASS="LN1" TYPE="1">

<LI CLASS="LN1" TYPE="1" VALUE="1"><A NAME="565455"></A>Extract the data to an LDIF file by using ldapsearch with the -L option.
<P>


<LI CLASS="LN1" TYPE="1" VALUE="2"><A NAME="565456"></A>Delete all exported entries from the new node.
<P>

<LI CLASS="LN1" TYPE="1" VALUE="3"><A NAME="565457"></A>After the new node is added to the DRG and can replicate new data to the other nodes, reload the exported data by using ldapadd.
<P>
 
</OL>

<A NAME="565461"></A>
<!--TOC=h3-"565461"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.7.3&#32; Do Not Use bulkload.sh to Add Data to a Node That Is Already Part of an Active Replication Agreement</FONT></H4>
<!--/TOC=h3-->
<A NAME="565462"></A>
<P CLASS="BP">
Once a directory server instance is participating in a replication agreement, do not use bulkload.sh to add data into the node. Use ldapadd instead.
</P>

<A NAME="565463"></A>
<!--TOC=h3-"565463"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.7.4&#32; The Directory Replication Server Does Not Preserve Spaces Between RDN Components</FONT></H4>
<!--/TOC=h3-->
<A NAME="565464"></A>
<P CLASS="BP">
The directory replication server does not always preserve the spaces between RDN components in the DN during entry replication. In some rare cases, it may not preserve the case of the letters in the DN. 
</P>

<A NAME="565465"></A>
<!--TOC=h3-"565465"-->
<H4 CLASS="H3"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.7.5&#32; Local System-Specific Metadata Is Not Replicated </FONT></H4>
<!--/TOC=h3-->
<A NAME="565466"></A>
<P CLASS="BP">
Server configuration, replication agreement, audit log, directory server statistics, event, and DSE root-specific data are not included in the data replicated between servers in a directory replication group.
</P>

<A NAME="565470"></A>
<!--TOC=h2-"565470"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.8&#32; Log File Locations </FONT></H3>
<!--/TOC=h2-->
<A NAME="565474"></A>
<P CLASS="BP">
Oracle Internet Directory components output their log and trace information to log files in the ORACLE_HOME environment. <A HREF="README_OID.htm#565484">Table&nbsp;1</a> lists the components and the locations of the log files for these components.
</P>
   
<A NAME="565530">
<H5 CLASS="TT"><FONT FACE="Helvetica,Arial,sans-serif"><EM>
<A NAME="565484"></A>
<STRONG><FONT FACE="Arial, Helvetica, sans-serif"><EM>Table 1 &#32;&nbsp;Components and Their Log File Locations</EM></FONT></STRONG>
 </EM></FONT></H5>

<TABLE CLASS="Formal" BORDER="1" FRAME="HSIDES" RULES="GROUPS" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" dir="ltr" title="">
<THEAD>
<TR CLASS="Formal"><TH CLASS="Formal" align="left" valign="bottom" scope="col">
<A NAME="565488"></A>
<FONT FACE="Arial, Helvetica, sans-serif"><STRONG>Component</STRONG></FONT></TH>
<TH CLASS="Formal" align="left" valign="bottom" scope="col">
<A NAME="565490"></A>
<FONT FACE="Arial, Helvetica, sans-serif"><STRONG>Log File Name </STRONG></FONT></TH>
</TR>
<TBODY>
<TR CLASS="Formal" ALIGN="LEFT" VALIGN="TOP"><TD CLASS="Formal">
<A NAME="565492"></A>
<P CLASS="TB">
LDAP Dispatcher process "oidldapd"</TD>
<TD CLASS="Formal">
<A NAME="565494"></A>
<P CLASS="TB">
<CODE>$ORACLE_HOME/ldap/log/oidldapd</CODE><EM><CODE>XX</CODE></EM><CODE>.log</CODE> where <EM><CODE>XX</CODE></EM> is the server instance number</TD>