OID, which stands for Oracle Internet Directory, is part of Identity Management in the Infrastructure Tier of Fusion Middleware. If you are planning to configure 10g Application Server with Apps 11i or R12, this note might be useful for understanding OID. Given the importance of OID, I am going to discuss a few important things about it today.
OID is part of the infrastructure tier in 10g Application Server (Identity Management from 10.1.4 onwards).
What is OID?
Oracle Internet Directory (OID) is Oracle's implementation of LDAP (Lightweight Directory Access Protocol) and is LDAP version 3 compliant. OID is a special kind of database repository in which information is stored in a tree structure, also called the DIT (Directory Information Tree).
Similar to OID, Microsoft has its own LDAP server called Active Directory (AD), and Sun's LDAP server is called iPlanet.
Where is the OID code in ORACLE_HOME?
OID code and its corresponding log files are stored in directories under $ORACLE_HOME/ldap in the Infrastructure Tier. This is the same tier where your SSO server sits.
OID logs are stored at $ORACLE_HOME/ldap/log (this location is quite important for Apps DBAs when troubleshooting OID issues). A few executables like oidctl, oidadmin, oidca and oidldapd are in $ORACLE_HOME/bin.
What are the default ports for OID?
You may see different ports for OID depending on the OID server version, but the most common are 389 for the non-SSL OID port and 636 for the SSL OID port (these are also the default LDAP server ports). If you don't know which ports your OID is using, refer to portlist.ini in $ORACLE_HOME/install (note that this file will not list the updated port if you change OID ports after installation).
You should see an entry like
Oracle Internet Directory port = 389
Oracle Internet Directory (SSL) port = 636
How to start OID?
The OID process is controlled by OPMN (Oracle Process Monitor and Notification server), so by default you use the opmnctl command:
To start OID: opmnctl startproc ias-component=OID
To stop OID: opmnctl stopproc ias-component=OID
OID can also be started without OPMN:
First start oidmon (the OID Monitor process)
Then use oidctl (OID Control)
To stop OID without OPMN:
First stop the OID process using oidctl, then stop oidmon (the OID monitoring process)
When you start services using opmnctl, it in turn starts oidmon and oidctl.
How to troubleshoot OID issues?
Where to check for OID logs?
What is the OID Replication Server?
What are the Integration and Provisioning Servers in OID?
Coming soon …
Hi Atul,
I want to know which attributes will sync between Active Directory and OID.
Thanks
Muralidhar Muddada
Muddada,
This is configurable; you can configure which attributes you want to sync by using profiles.
Check the OID admin guide.
Atul
Hi Atul,
You might need to correct your statement "OID which stands for Oracle Internet Directory is expected to be part of Oracle Apps Release 12". OID is NOT a part of Apps; instead OID is a part of Oracle Database (or IAS, only executables). You can use OID for Identity Management in 11i or R12.
Regards
Pavan PVJ
Thanks Pavan for correcting this. Yes, OID is not part of Apps 11i or R12. It's part of the Infrastructure Tier (IM) of Fusion Middleware.
It's related to integrating R12 with a third-party portal (here the portal is WebSphere) and a third-party LDAP (Microsoft Active Directory).
SSO is going to be implemented, but it is also delegated to the WebSphere portal. R12 will be a partner application which is going to be accessed through WebSphere.
My queries are as follows:
1. How to address the whole scenario?
2. Is it required to implement OID?
3. Is it required to implement SSO separately for Oracle?
4. Is it required to install 10iAS?
5. How to integrate R12 with WebSphere?
6. How to integrate R12 with LDAP?
7. Is there any standard adapter available for integration of each product?
As this scenario involves SSO, portal and LDAP, I am not able to separate them, as all these have to be integrated in the same scenario.
Your valuable input is required.
Regards
You have to understand the requirement completely from the end users: what is their definition of integration?
It may be possible that all they need is just R12 portlets to be available on the IBM WebSphere portal, and the user clicks on a link and needs to authenticate for R12 (meaning no SSO).
1. How to address the whole scenario?
Install OID & SSO (IdM 10.1.4), and integrate it with R12.
Integrate OID with AD for LDAP integration (pointers available on this site) and delegate R12 FND authentication to OID.
Integrate Oracle SSO with IBM WebSphere - I am not sure about this bit. I know you can integrate Oracle Access Manager with IBM WebSphere, but I am not sure about the right way to integrate Oracle 10g AS SSO with IBM WebSphere (not sure if that's even a requirement).
2. Is it required to implement OID?
Only if you wish to sync FND_USER in R12 with AD, or you wish to keep the same/partial set of users in R12 as in AD.
3. Is it required to implement SSO separately for Oracle?
If you need a single sign-on solution between IBM WebSphere and R12.
4. Is it required to install 10iAS?
If you need SSO or LDAP integration.
5. How to integrate R12 with WebSphere?
What do you wish to achieve with this integration?
6. How to integrate R12 with LDAP?
This is via OID.
7. Is there any standard adapter available for integration of each product?
OID to R12 (FND_USER) and OID to AD -> Yes
Thanks a lot for your response.
WebSphere is the portal to be used. Oracle Portal is not used, and SSO has to be implemented. In WebSphere, including R12, a few other applications will be integrated. Whenever a user logs in to any of the applications, he can automatically log in to the other applications with no need to enter the password repeatedly. WebSphere will be integrated with Active Directory (third-party LDAP) for passwords. A third-party SSO will be used. In this case, is it required to install Oracle SSO for integration with the third-party SSO? If so, can you please explain the steps briefly and what the approach should be?
Thanks and regards
Integrate OID with AD and then FND_USER/R12 with OID.
Integrate the third-party SSO server with Oracle 10g Single Sign-On Server, and Oracle SSO with R12.
Hi Atul,
Well, is there any script or utility to get software version information about EBS, including all software (like Diagnostics, Autoconfig, Forms, Reports, EBS, DB etc.), in one script or using any utility? It should get the info in one shot.
And the same for 10gAS, including its software (Identity Management, AS, OID, SSO, Forms, Reports, Portal etc.).
Thanks man
Check this; you can find some here (not all you are looking for) in Metalink Note
468311.1 Script to find Apache, Java, Jinitiator, Forms version for Oracle E-Business Suite R12
A few are listed here
http://www.teachmeoracle.com/version.html
With regards to your response above under:
Atul in April 9th, 2008 at 10:03 am
"It may be possible that all they need is just R12 portlets to be available on the IBM WebSphere portal, and the user clicks on a link and needs to authenticate for R12"
—
Does it have JSR 168 / 286 portlets that can be provided to be integrated with WebSphere Portal 6.0?
Can we have a case where, after SSO, the user clicks on JSR portlets in WS-Portal, the rest of the authorisation is done in R12, and then the portlet gets displayed on the WS-Portal for the user to use?
Dear Atul,
I want to thank you for the lot of support from you and your website comments.
Now the issue is
http://oradevds2.india.com:7777/sso/pages/home.jsp.
I am getting the SSO page, then I enter orcladmin/oracle123
and log in to the R12 application.
When I log out I am not getting the single sign-out page.
If I use an R12 EBS user on SSO I can't; authentication fails. Only orcladmin can log in successfully to EBS using SSO.
1) The sign-out page does not appear; after logout I get the SSO page again.
2) I use the bi-directional provisioning template. There is no EBS user in OID.
Syed,
I replied to your comment in some other post and I am going to be a bit harsh here: you need to read some documentation (as suggested in the reply to your other comment).
For existing users in EBS you need to manually migrate them to Apps R12. All new users (created after the EBS-OID integration) should sync automatically.
Hi, Atul
As per previous comments and the doc you directed me to, I have done each and every thing, and I am more than 90% successful,
but at the time of loading data to OID:
Following tables do not have all indexes
CT_ORCLGUID
bulkload -connect asdb1 -check=true -generate=true file=/export/home/oracle/users.ldif
bulkload -connect asdb1 -load=true file=/export/home/oracle/users.ldif
….
….
….
….
orclmailfolderdn…
orclrealmname…
orcldasispersonal…
orclmailaci…
shadowflag…
orclcalendarresourcenumber…
ctcalorgunit3…
gecos…
orclassignedpermissions…
orclmaillistsuspendedmember…
orcldbaqpointerattr…
ctcalorganization…
secretary…
————————————————————
Data loaded successfully
————————————————————
————————————————————
Verifying indexes …
————————————————————
————————————————————
Following tables do not have all indexes
————————————————————
CT_ORCLGUID
————————————————————
Generating Database Statistics …
————————————————————
…Setting OID server mode to read-write on “target” node…
[…] wish to integrate OBIEE (analytics) with Oracle Single Sign-On Server To know more about OID click here and here […]
Hi Atul,
I want to integrate OID with Oracle BI Publisher, so do we need SSO? Is it mandatory to use SSO with LDAP?
Regards
Balakrishna.
Balu,
If you want to integrate BIEE with OID then the SSO server is not compulsory.
Check http://onlineappsdba.com/index.php/2008/09/13/integrate-oracle-bi-server-with-ldap-server-oid-oracle-internet-directory/
Atul,
I am in urgent need of the steps to integrate OID with OWSM. Immediate help on this would be appreciated.
Thanks in advance
BhimaShankar K
Hello Atul
While searching for scripts to start OID automatically during server start (RedHat Linux ES 5) I came across your post. Though you have mentioned starting the OID components, I believe you completely ignored how to start the OID database.
For example (without any .sh script to do the job for me), I follow the procedure given below after logging in as oracle:
$ lsnrctl start
$ sqlplus “/ as sysdba”
SQL>startup
# To make sure OID hasn’t inserted another instance entry
SQL> select count(*) from ods.ods_process;
# If I find only one entry
SQL> exit;
$ oidmon start
Then I proceed with starting both the Application Server instance and the Internet Directory instances.
Now, please tell me how I could automate the startup of the OID database using a script.
Thanks and regards
Yes, you can automate OID startup with the O.S.
Create a shell script (with the OID startup steps) and include it in init.d (O.S.).
The /etc/init.d directory contains the scripts executed by init at boot time and when the init state
For the database use /etc/oratab (Y in front of the corresponding database entry).
Check this http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-boot-init-shutdown-process.html
Hello Atul
Thanks for the quick reply. I know I could automate the OID startup process. At the same time, I am having trouble with starting the database for OID. Could you provide me a sample script just to start the OID database? I already made a .sh script for starting the Application instance and it works great, provided my OID is started manually.
Thanks and regards
Hello Atul
Finally I found a small piece of script which has solved my issues. I am posting the solution(s) over here, so that somebody who has just started with Oracle Application Server 10g can refer to it.
In order to set the OID environment and bypass . oraenv, the following was added to .bash_profile for user oracle (a hidden file which can be found under the /home/oracle/ folder). Do not change any existing lines, just cut and paste the following:
########## Oracle Variables ##########
echo "Welcome to oracle";
ORACLE_BASE=/u01/app/oracle
ORACLE_OWNER=oracle;
export ORACLE_OWNER
ORACLE_TERM=xterm;
export ORACLE_TERM
# Infrastructure (OID) home and database SID
ORACLE_HOME=/u01/app/oracle/infra
ORACLE_SID=infra
PATH=$PATH:$ORACLE_HOME/bin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/network/lib
# CLASSPATH must be one line; a shell assignment cannot be split across lines
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib
export CLASSPATH
#LD_ASSUME_KERNEL=2.4.1;
#export LD_ASSUME_KERNEL
THREADS_FLAG=native;
export THREADS_FLAG
TMP=/tmp;
export TMP
TMPDIR=$TMP;
export TMPDIR
export PATH ORACLE_BASE ORACLE_HOME ORACLE_SID LD_LIBRARY_PATH LD_PRELOAD
########## End of Oracle variables ##########
This way, each time the user oracle logs in, all the environment variables for instance infra will be set!
Now create a .sh file on oracle's desktop with any name you wish and cut and paste the following inside the file:
$ORACLE_HOME/bin/lsnrctl start
$ORACLE_HOME/bin/sqlplus /nolog<<EOF
connect / as sysdba
startup
EOF
You are done with starting the oiddb instance! Before starting oidmon, just do a select count(*) from ods.ods_process to make sure the table doesn't have multiple instance entries (i.e. the count(*) must return you a value of '1').
Now you can proceed with the OPMN services. If you are hosting both the infrastructure and the application server in a single box (normally yes when you have installed it for testing and learning purposes), you can include everything within your new script.
Best regards,
[…] Looking at error message “unable to call fnd_ldap_wrapper” its clear that issue is with LDAP (Lightweight Directory Access Protocol) i.e. OID (Oracle Internet Directory) to know more about OID click here […]
Hi Atul,
I have 10g (10.1.2.0.2) Business Intelligence installed on a standalone server for Discoverer, and it's integrated with EBS 11.5.10.2. Is there any possibility that I can make use of OID from the existing installation (like enabling the OID)?
Now I would like to integrate EBS with Microsoft Active Directory.
Thanks in advance and waiting for your reply.
Regards,
Rajesh
Rajesh,
There are two ways to install Discoverer: standalone (without OID) or with OID.
If you initially installed Disco with OID, use that OID to integrate Apps with AD.
Or install standalone OID/SSO and integrate that with Apps and Active Directory.
Thank you very much Atul
Regards,
Rajesh
Hi Atul,
Can I have another installation with BIS and OID in a single $ORACLE_HOME on another node and migrate the existing BIS to the newly installed BIS with OID? Kindly let me know if this is possible.
Thanks in advance,
Regards,
Rajesh
Can I have another installation with BIS and OID in a single $ORACLE_HOME?
No, the BIS middle tier and OID can't share an ORACLE_HOME. Install them in different ORACLE_HOMEs.
Atul,
When I try to load this user using bulkload, I am getting a duplicate DN error.
The duplicateDN.log entries are
cn=jguillory,cn=users,dc=seacor,dc=net
cn=jguillory,cn=users,dc=seacor,dc=net
The LDIF entry is
dn: cn=JGUILLORY,cn=users,dc=seacor,dc=net
cn: JGUILLORY
sn: Guillory
objectclass: top
objectclass: person
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: orcluser
objectclass: orcluserv2
objectclass: seaganperson
givenname: Jarrott
uid: JGUILLORY
userpassword: welcome1
mail: Jarrott.Guillory@xyz.com
userclass: Customer
userorgidx: 26165
userorgname: MMS CO., LTD.
@Sundar,
Log in to the OID ORACLE_HOME and list all users in domain seacor.net under users, and see (in users.ldif) if you have any duplicate entry:
$ORACLE_HOME/ldap/bin/ldifwrite connect="tns_alias_for_oid_db" basedn="cn=users,dc=seacor,dc=net" ldiffile="$HOME/users.ldif"
Replace tns_alias_for_oid_db in the above command.
Atul,
Thanks for your help. This is what I see, which is odd: a couple of users are merged, causing this issue. Any idea how to resolve it? I am not sure what/how this could have happened.
This is what I see in the ldifwrite file when I search for that particular user:
dn: cn=JGUILLORY,cn=users,dc=seacor,dc=net
cn: TERRYC
cn: JGUILLORY
createtimestamp: 20090701231213z
createtimestamp: 20090701234025z
creatorsname: cn=bulkload
creatorsname: cn=bulkload
givenname: Terry
givenname: Jarrott
mail: terryc@erahelicopters.com
mail: unknowncustomer@xyz.com
modifiersname: cn=bulkload
modifiersname: cn=bulkload
modifytimestamp: 20090701231213z
modifytimestamp: 20090701234025z
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: seaganperson
objectclass: orcluserv2
objectclass: orcluser
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: person
objectclass: top
objectclass: seaganperson
objectclass: orcluserv2
objectclass: orcluser
objectclass: inetorgperson
orclguid: 6DAE0DAC9A373825E0440003BA774D25
orclguid: 6DAE728F39084188E0440003BA774D25
orclnormdn: cn=terryc,cn=users,dc=seacor,dc=net
orclnormdn: cn=jguillory,cn=users,dc=seacor,dc=net
orclpassword: {x- orcldbpwd}1.0:8478BF68F421A840
orclpassword: {x- orcldbpwd}1.0:91959291907A327E
pwdchangedtime: 20090701231213z
pwdchangedtime: 20090701234025z
sn: Cole
sn: Guillory
uid: TERRYC
uid: JGUILLORY
userclass: Employee
userclass: Customer
userorgidx: 245
userorgidx: 26165
userorgname:: RVJBIEhFTElDT1BURVJTLCBMTEMN
userorgname:: TU1TIENPLiwgTFRELg0=
userpassword: {SHA}41vs5sXm4OhspR0EQOkigqnWrIo=
userpassword: {SHA}41vs5sXm4OhspR0EQOkigqnWrIo=
This could be because of bulkload. What options did you use during the initial bulkload command?
There's a check script which basically checks the LDIF file, and then the load script, which is as follows:
$ORACLE_HOME/ldap/bin/bulkload.sh -connect iasdb -generate -load -append $ORACLE_HOME/ldap/load/oid_user_load.ldif
@ Sundar,
Restore OID from a valid backup (prior to bulkload) and rerun bulkload.sh with the additional -check option.
http://download-west.oracle.com/docs/cd/B15904_01/manage.1012/b14082/syntax.htm#CEGJIEHI
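As an added example (not code from the post, its comments, or Oracle), here is a pre-load check a DBA can run over an LDIF file before bulkload: it reports DNs that collide once normalised the way orclnormdn stores them (the kind of duplicate that the -check run and duplicateDN.log above report) and flags userpassword values that carry no {scheme} prefix, which bulkload would store as typed. The sample LDIF and the dc=example,dc=net suffix are constructed.

```python
"""Pre-load check for an LDIF file before OID bulkload (added example).

Reports DNs that are duplicates after orclnormdn-style normalisation
(lower-case, no whitespace around RDN separators) and userpassword
values without a {scheme} prefix.  Assumes no escaped commas in DNs."""
import re
from collections import defaultdict

# Constructed sample: two DNs that collide after normalisation, one of
# them with a clear-text password, plus one unrelated entry.
SAMPLE_LDIF = """\
dn: cn=JGUILLORY,cn=users,dc=example,dc=net
cn: JGUILLORY
sn: Guillory
objectclass: inetorgperson
userpassword: welcome1

dn: cn=jguillory, cn=users,dc=example,dc=net
cn: jguillory
sn: Guillory
objectclass: inetorgperson
userpassword: {SHA}41vs5sXm4OhspR0EQOkigqnWrIo=

dn: cn=terryc,cn=users,dc=example,dc=net
cn: terryc
sn: Cole
objectclass: inetorgperson
"""

def normalize_dn(dn):
    """Approximation of orclnormdn: strip spaces at RDN separators, lower-case."""
    parts = [re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(",")]
    return ",".join(parts).lower()

def parse_ldif(text):
    """Return [(dn, {attr: [values]})].  Unfolds continuation lines
    (leading space); entries are separated by blank lines."""
    entries, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and current:
            current[-1] += line[1:]          # LDIF line folding
        elif line == "":
            if current:
                entries.append(current)
                current = []
        else:
            current.append(line)
    result = []
    for raw in entries:
        attrs = defaultdict(list)
        for line in raw:
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        result.append((attrs["dn"][0] if attrs["dn"] else "", attrs))
    return result

def find_duplicate_dns(text):
    """Map normalised DN -> list of raw DNs that collapse onto it."""
    seen = defaultdict(list)
    for dn, _ in parse_ldif(text):
        seen[normalize_dn(dn)].append(dn)
    return {ndn: dns for ndn, dns in seen.items() if len(dns) > 1}

def find_cleartext_passwords(text):
    """DNs whose userpassword has no {scheme} prefix (would load as typed)."""
    return [dn for dn, attrs in parse_ldif(text)
            if any(not pw.startswith("{") for pw in attrs["userpassword"])]
```

Run it against the users.ldif produced by ldifwrite, or against the file you intend to bulkload, and fix every reported DN before loading.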
Atul,
When you say valid backup, do you mean a database backup or a backup of OID entries using ldifwrite?
Is there a reference somewhere that you could point me to for backing up and restoring OID entries? That way I will take backups before using bulkload.
Since we don't have a valid backup of OID, I am trying to delete the entries that we loaded using the LDIF file that we used to load, and retry loading them again.
I created an LDIF file as follows:
dn: cn=SMILNER,cn=users,dc=seacor,dc=net
changetype: delete
and when I run this using the following command:
ldapdelete -p 389 -h localhost -D "cn=orcladmin" -w -v -f $ORACLE_HOME/ldap/load/user_del_test.ldif
I get the following error message:
ldap_init( localhost, 389 )
deleting entry dn: cn=SMILNER,cn=users,dc=seacor,dc=net
ldap_delete: No such object
ldap_delete: matched: cn=Users, dc=seacor,dc=net
ldap_delete: additional info: Entry to be deleted not found.
When I search for SMILLER in ODM under entry management or view the dump of all users from the OID DB, I see the DN value is the same as the one I have in the LDIF file.
Anything wrong with the LDIF file?
FYI, when I use ldapdelete and issue the DN as a single entry (same as in the LDIF file for dn) it takes it and removes the entry.
Example:
ldapdelete -v -D "cn=orcladmin" -w -h localhost -p 389 "cn=JGUILLORY,cn=users,dc=seacor,dc=net"
The above command removed the entry successfully.
Any help is highly appreciated.
Thanks,
Sundar
OID is stored in an Oracle Database, so there are two ways to backup/restore OID.
1. Using Oracle Database hot/cold backup
2. Using ldifwrite
To backup and restore only users using LDAP commands, use ldifwrite; check the steps mentioned here
http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/prodtest.htm#BABEDBHI
Focus only on the tree under "cn=users, dc=seacor,dc=net".
Atul,
Thanks, I am able to delete the merged entries using ldapdelete.
Now when we run bulkload with the -check option, there are no duplicates (which is good), but then there's an error in schemacheck.log. Do you know what it means?
Duplicate while inserting in Hash Table.
Duplicate while inserting in Hash Table.
Duplicate while inserting in Hash Table.
Duplicate while inserting in Hash Table.
Duplicate while inserting in Hash Table.
Thanks for your help.
Sundar
About AD & OID
As for the AD interface, there will be synchronisation between OID and AD, and this can be two-way. Can the following scenario be used: at first, users are taken from the AD system to populate OID and Oracle HRMS, BUT subsequently we want the users from OID to initiate the transfer, whereby a user who leaves the company first has his employee file updated/deleted in Oracle and this change is then done in the AD system.
2) Suppose an account is locked out in HRMS for a particular reason. As account info is synchronized/replicated, how do we ensure that the particular user still has access to other systems within the MT group?
Can the following scenario be used: at first, users are taken from the AD system to populate OID and Oracle HRMS, BUT subsequently we want the users from OID to initiate the transfer, whereby a user who leaves the company first has his employee file updated/deleted in Oracle and this change is then done in the AD system.
Yes, this process is called bootstrapping; you can use the ldifwrite and bulkload features to load the initial set of users and then use a provisioning profile to synchronise users.
Can someone help me? I can't figure out why it won't start oidmon and oidldapd. It gives me a "Process (index=1,uid=1942228545,pid=4929) time out while waiting for managed process to start".
Log:
/oracle/middleware/asinst_1/diagnostics/logs/OID/oid1/console~OID~1.log.
The log file doesn't contain anything, and I'm not sure how to turn up the debugging information either.
Thank you!
@Will, looking at the log structure it seems you are using 11g OID.
Are your database and DB listener (for the OID schema) up and accessible?
Check OPMN logs at
/oracle/middleware/asinst_1/diagnostics/logs/OPMN/opmn/opmn.log
and OIDCTL logs at
/oracle/middleware/asinst_1/diagnostics/logs/OID/oid1/oidctl.log
OPMN starts OIDCTL, which in turn starts the OID processes.
[…] you wish to login to WebLogic Server using users in Oracle Internet Directory (more on OID here) or allow access to your WebServices to users in OID (OWSM Policy) then you will have to define […]