Oracle Internet Directory OID

OID, which stands for Oracle Internet Directory, is part of Identity Management in the Infrastructure Tier of Fusion Middleware. If you are planning to configure 10g Application Server with Apps 11i or R12, this note might be useful for understanding OID. Given the importance of OID, I am going to discuss a few important things about it today.
OID is part of the infrastructure tier in 10g Application Server (Identity Management from 10.1.4 onwards).

What is OID ?
Oracle Internet Directory (OID) is Oracle's implementation of LDAP (Lightweight Directory Access Protocol) and is LDAP version 3 compliant. OID is a special kind of database repository in which information is stored in a tree structure, also called the DIT (Directory Information Tree).
Similar to OID, Microsoft has its own LDAP server called Active Directory (AD), and Sun's LDAP server is called iPlanet.

Where is OID code in oracle_home ?
OID code and its corresponding log files are stored in directories under $ORACLE_HOME/ldap in the Infrastructure Tier. This is the same tier where your SSO server sits.
OID logs are stored at $ORACLE_HOME/ldap/log (this location is quite important for Apps DBAs when troubleshooting OID issues). A few executables like oidctl, oidadmin, oidca and oidldapd are in $ORACLE_HOME/bin.

What are default ports for OID ?
You may see different ports for OID depending on the OID server version, but the most common are 389 for the non-SSL OID port and 636 for the SSL OID port (these are also the default LDAP server ports). If you don't know which ports your OID is using, refer to portlist.ini in $ORACLE_HOME/install (note that this file will not list the updated port if you change OID ports after installation).
You should see entries like
Oracle Internet Directory port = 389
Oracle Internet Directory (SSL) port = 636
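As an added example (not part of the original post), the following POSIX shell script resolves the OID ports the way the text describes: it reads the two "Oracle Internet Directory ... port" lines from portlist.ini and falls back to the LDAP defaults 389 and 636 when the file has no entry. The path $ORACLE_HOME/install/portlist.ini is taken from the post; the portlist.ini content written by make_sample_portlist is constructed for this example so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: resolve OID ports from portlist.ini
# ($ORACLE_HOME/install/portlist.ini, the location the post names), falling back
# to the LDAP defaults 389 (non-SSL) and 636 (SSL). Remember the post's caveat:
# portlist.ini is not updated when ports are changed after installation, so treat
# the value as a hint and confirm against the running server.

# Print the port recorded in portlist.ini for "ssl" or "nonssl"; print nothing if absent.
oid_port_from_portlist() {
    file="$1"
    kind="$2"
    case "$kind" in
        ssl)    pattern='^Oracle Internet Directory (SSL) port *= *' ;;
        nonssl) pattern='^Oracle Internet Directory port *= *' ;;
        *)      echo "usage: oid_port_from_portlist FILE ssl|nonssl" >&2; return 2 ;;
    esac
    [ -r "$file" ] || return 0
    # In a sed BRE the parentheses in "(SSL)" are literal; \( \) captures the digits.
    sed -n "s/${pattern}\([0-9][0-9]*\).*/\1/p" "$file" | head -n 1
}

# Resolve the port: the portlist.ini value if present, otherwise the default.
oid_port() {
    file="$1"
    kind="$2"
    port=$(oid_port_from_portlist "$file" "$kind") || return $?
    if [ -z "$port" ]; then
        case "$kind" in
            ssl)    port=636 ;;
            nonssl) port=389 ;;
        esac
    fi
    echo "$port"
}

# Write a constructed portlist.ini sample (same line format as the post shows) and print its path.
make_sample_portlist() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
[Ports]
Oracle HTTP Server port = 7777
Oracle Internet Directory port = 389
Oracle Internet Directory (SSL) port = 636
EOF
    echo "$tmp"
}

# Stand-alone usage: read the real file if ORACLE_HOME points at one, else the sample.
if [ -n "$ORACLE_HOME" ] && [ -r "$ORACLE_HOME/install/portlist.ini" ]; then
    f="$ORACLE_HOME/install/portlist.ini"
else
    f=$(make_sample_portlist)
fi
echo "OID non-SSL port: $(oid_port "$f" nonssl)"
echo "OID SSL port:     $(oid_port "$f" ssl)"
```

The fallback is deliberate: an 11g-style instance may use different numbers, so a missing line yields the LDAP default rather than an error, and the caller can then verify the port against the live listener.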

How to start OID ?
OID processes are controlled by OPMN (Oracle Process Monitor and Notification server), so by default you use the opmnctl command.
To start OID: opmnctl startproc ias-component=OID
To stop OID: opmnctl stopproc ias-component=OID

OID can also be started without OPMN:
First start oidmon (the OID Monitor process)
Then use oidctl (OID control) to start the OID server process
To stop OID without OPMN:
First stop the OID process using oidctl, then stop oidmon (the OID monitoring process)

When you start services using opmnctl, it in turn starts oidmon and oidctl.

How to troubleshoot OID issues ??
Where to check for OID Logs ??
What is OID Replication Server ??
What is Integration & Provisioning Server in OID ??
Coming soon …..


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.

90 comments
Anonymous says December 21, 2006

Hi Atul,

I want to know which attributes will sync between Active Directory and OID.

Thanks
Muralidhar Muddada

Reply
Atul Kumar says December 21, 2006

Muddada,
This is configurable; you can configure which attributes you want to sync by using profiles.

Check OID admin guide
Atul

Reply
Pavan says January 16, 2007

Hi Atul,

You might need to correct your statement "OID which stands for Oracle Internet Directory is expected to be part of Oracle Apps Release 12". OID is NOT a part of Apps; instead OID is a part of Oracle Database (or IAS, only executables). You can use OID for Identity Management in 11i or R12.

Regards
Pavan PVJ

Reply
Atul Kumar says January 16, 2007

Thanks Pavan for correcting this. Yes, OID is not part of Apps 11i or R12. It's part of the Infrastructure Tier (IM) for Fusion Middleware.

Reply
soumya says April 8, 2008

It's related to integrating R12 with a third-party portal (here the portal is WebSphere) and a third-party LDAP (Microsoft Active Directory).
SSO is going to be implemented, but it is also delegated to the WebSphere portal. R12 will be a partner application which is going to be accessed through WebSphere.

My queries are as follows:
1. How to address the whole scenario?
2. Is it required to implement OID?
3. Is it required to implement SSO separately for Oracle?
4. Is it required to install 10g AS?
5. How to integrate R12 with WebSphere?
6. How to integrate R12 with LDAP?
7. Is there any standard adapter available for integration of each product?
As this scenario involves SSO, portal and LDAP, I am not able to separate them, as all these have to be integrated in the same scenario.

Your valuable input is required.

Regards

Reply
Atul says April 9, 2008

You have to understand the requirement completely from the end users: what is their definition of integration?

It may be possible that all they need is R12 portlets to be available on the IBM WebSphere portal, and the user clicks on a link and needs to authenticate for R12 (meaning no SSO).

1. How to address the whole scenario?

Install OID & SSO (IdM 10.1.4), and integrate it with R12.
Integrate OID with AD for LDAP integration (pointers available on this site) and delegate R12 FND authentication to OID.

Integrate Oracle SSO with IBM WebSphere: I am not sure about this bit. I know you can integrate Oracle Access Manager with IBM WebSphere, but I am not sure about the right way to integrate Oracle 10g AS SSO with IBM WebSphere (not sure if that's even a requirement).

2. Is it required to implement OID?
Only if you wish to sync FND_USER in R12 with AD, or you wish to keep the same/partial set of users in R12 as in AD.

3. Is it required to implement SSO separately for Oracle?
If you need a single sign-on solution between IBM WebSphere and R12.

4. Is it required to install 10g AS?
If you need SSO or LDAP integration.

5. How to integrate R12 with WebSphere?
What do you wish to achieve with this integration?

6. How to integrate R12 with LDAP?
This is via OID.

7. Is there any standard adapter available for integration of each product?
OID to R12 (FND_USER) and OID to AD -> Yes

Reply
soumya says April 9, 2008

Thanks a lot for your response.

WebSphere is the portal to be used. Oracle Portal is not used and SSO has to be implemented. In WebSphere, a few other applications including R12 will be integrated. Whenever a user logs in to any of the applications, he can automatically log in to the other applications with no need to enter the password repeatedly. WebSphere will be integrated with Active Directory (third-party LDAP) for passwords. A third-party SSO will be used. In this case, is it required to install Oracle SSO for integration with the third-party SSO? If so, can you please explain briefly the steps and what the approach should be?
Thanks and regards

Reply
Atul says April 9, 2008

Integrate OID with AD and then FND_USER/R12 with OID.

Integrate the third-party SSO server with Oracle 10g Single Sign-On Server and Oracle SSO with R12.

Reply
Syed says July 14, 2008

Hi Atul,

Well, is there any script or utility to get software version information about all of EBS, including components (like Diagnostics, AutoConfig, Forms, Reports, EBS, DB etc.) in one script or using any utility? It should get the info in one shot.

And the same for 10g AS including components (Identity Management, AS, OID, SSO, Forms, Reports, Portal etc.).

Thanks man

Reply
Atul says July 14, 2008

Check this; you can find some here (not all you are looking for): Metalink Note
468311.1 Script to find Apache, Java, Jinitiator, Forms version for Oracle E-Business Suite R12

A few are listed here
http://www.teachmeoracle.com/version.html

Reply
RS says July 22, 2008

With regards to your response above under:
Atul in April 9th, 2008 at 10:03 am
"It may be possible that all they need is just R12 portlets to be available on IBM websphere portal and user clicks on link and need to authenticate for R12"

Does it have JSR 168 / 286 portlets that can be provided to be integrated with WebSphere Portal 6.0?
Can we have a case where, after SSO, the user clicks on JSR portlets in WS-Portal, the rest of the authorisation is done in R12, and then the portlet gets displayed on WS-Portal for the user to use?

Reply
Syed says July 24, 2008

Dear Atul,

I want to thank you for the lot of support from you and your website comments.

Now the issue is

http://oradevds2.india.com:7777/sso/pages/home.jsp.

I am getting the SSO page, then I enter orcladmin/oracle123
and I log in to the R12 application.
When I log out I am not getting the single sign-out page.

If I use an R12 EBS user on SSO I can't; authentication fails. Only orcladmin can log in successfully to EBS using SSO.

1) The sign-out page does not appear; after logout I am again getting the SSO page.

2) I use the bi-directional provisioning template; there is no EBS user in OID.

Reply
Atul says July 24, 2008

Syed,
I replied to your comment in some other post, and I am going to be a bit harsh here: you need to read some documentation (as suggested in the reply to your other comment).

For existing users in EBS you manually need to migrate them to Apps R12. All new users (created after EBS-OID integration) should sync automatically.

Reply
Syed says July 28, 2008

Hi, Atul
As per previous comments and the doc you directed me to, I have done each and every thing; more than 90% is successful.

but when At the time of loading data to OID.
Following tables do not have all indexes
CT_ORCLGUID

bulkload -connect asdb1 -check=true -generate=true file=/export/home/oracle/users.ldif

bulkload -connect asdb1 -load=true file=/export/home/oracle/users.ldif
….
….
….
….
orclmailfolderdn…
orclrealmname…
orcldasispersonal…
orclmailaci…
shadowflag…
orclcalendarresourcenumber…
ctcalorgunit3…
gecos…
orclassignedpermissions…
orclmaillistsuspendedmember…
orcldbaqpointerattr…
ctcalorganization…
secretary…

————————————————————
Data loaded successfully
————————————————————

————————————————————
Verifying indexes …
————————————————————

————————————————————
Following tables do not have all indexes
————————————————————
CT_ORCLGUID

————————————————————
Generating Database Statistics …
————————————————————
…Setting OID server mode to read-write on “target” node…

Reply
» Integrate Oracle BI Server with LDAP Server (OID - Oracle Internet Directory) Online Apps DBA: One Stop Shop for Apps DBA’s says September 13, 2008

[…] wish to integrate OBIEE (analytics) with Oracle Single Sign-On Server To know more about OID   click here   and   here […]

Reply
Balu says December 10, 2008

Hi Atul,

I want to integrate OID with Oracle BI Publisher, so do we need SSO? Is SSO mandatory with LDAP?

Regards

Balakrishna.

Reply
Atul Kumar says December 10, 2008

Balu,
If you want to integrate BIEE with OID then the SSO server is not compulsory.

Check http://onlineappsdba.com/index.php/2008/09/13/integrate-oracle-bi-server-with-ldap-server-oid-oracle-internet-directory/

Reply
bhimshan27 says January 16, 2009

Atul,

I am in urgent need of steps to integrate OID with OWSM. Immediate help on this would be appreciable.

Thanks in advance
BhimaShankar K

Reply
raj says January 25, 2009

Hello Atul
While searching for scripts to start OID automatically during server start (Red Hat Linux ES 5) I came across your post. Though you have mentioned starting the OID components, I believe you have completely ignored starting the OID database.

For example (without any .sh script to do the job for me), I follow the procedure given below after logging in as oracle:
$ lsnrctl start
$ sqlplus "/ as sysdba"
SQL> startup
# To make sure OID hasn't inserted another instance entry
SQL> select count(*) from ods.ods_process;
# If I find only one entry
SQL> exit;
$ oidmon start

Then proceed with starting both Application server instance and internet directory instances.

Now, please tell me how I could automate the startup of the OID database using a script.

Thanks and regards

Reply
Atul Kumar says January 25, 2009

Yes, you can automate OID startup with the O.S.

Create a shell script (with the OID startup steps) and include it in init.d (O.S.).

The /etc/init.d directory contains the scripts executed by init at boot time and when the init state changes.

For the database use /etc/oratab (Y in front of the corresponding database entry).

Check this http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-boot-init-shutdown-process.html

Reply
raj says January 25, 2009

Hello Atul
Thanks for the quick reply. I know I could automate the OID startup process. At the same time I am having troubles with starting the database for OID. Could you provide me a sample script just to start the OID database? I already made a .sh script for starting the Application instance and it works great, provided my OID is started manually.

Thanks and regards

Reply
Raj says January 27, 2009

Hello Atul
Finally I found a small piece of script which has solved my issues. I am posting the solution(s) over here, so that somebody who has just started with Oracle Application Server 10g could refer to it.
In order to set the OID environment bypassing . oraenv, the following were added to .bash_profile for user oracle (a hidden file which can be found under the /home/oracle/ folder). Do not change any existing lines, just cut and paste the following:
########## Oracle Variables ##########
echo " Welcome to oracle";
ORACLE_BASE=/u01/app/oracle
ORACLE_OWNER=oracle;
export ORACLE_OWNER
ORACLE_TERM=xterm;
export ORACLE_TERM
ORACLE_HOME=/u01/app/oracle/infra
ORACLE_SID=infra
PATH=$PATH:$ORACLE_HOME/bin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/network/lib
# CLASSPATH is one line; the three entries are separated by colons
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib
export CLASSPATH
#LD_ASSUME_KERNEL=2.4.1;
#export LD_ASSUME_KERNEL
THREADS_FLAG=native;
export THREADS_FLAG
TMP=/tmp;
export TMP
TMPDIR=$TMP;
export TMPDIR
export PATH ORACLE_BASE ORACLE_HOME ORACLE_SID LD_LIBRARY_PATH LD_PRELOAD
########## End of Oracle variables ##########

This way, each time the user oracle logs in, all the environment variables for instance infra will be set!

Now create a .sh file on oracle's desktop with any name you wish and cut and paste the following inside the file:

$ORACLE_HOME/bin/lsnrctl start
$ORACLE_HOME/bin/sqlplus /nolog<<EOF
connect / as sysdba
startup
EOF

You are done with starting the oiddb instance! Before starting oidmon, just do a select count(*) from ods.ods_process to make sure the table doesn't have multiple instance entries (i.e. the count(*) must return the value '1').

Now you can proceed with the opmn services. If you are hosting both infrastructure and application server in a single box (normally yes when you have installed it for testing and learning purposes), you can include everything within your new script.

Best regards,

Reply
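The startup order described in the comment above (listener, database, check that ods.ods_process has exactly one row, only then oidmon) can be turned into a guarded script. The following is an added example written for this page; it is not Raj's script and not the post's own code. It assumes ORACLE_HOME and ORACLE_SID are set and that lsnrctl, sqlplus and oidmon live under $ORACLE_HOME/bin; the sqlplus output samples are constructed so the row-count check can be exercised without a database.

```shell
#!/bin/sh
# Added example, not from the original post or Raj's comment: the startup sequence
# as guarded functions. Nothing touches a real system unless start_oid_stack is called
# with ORACLE_HOME/ORACLE_SID set; the count check itself only parses text.

# Extract the single numeric value from sqlplus output of "select count(*) ...".
# Prints the first line that is only digits (headings and dashes are skipped).
parse_count() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Returns 0 when exactly one instance row is registered (safe to start oidmon),
# 1 otherwise (zero rows, a stale extra row, or unparsable output).
safe_to_start_oidmon() {
    n=$(parse_count "$1")
    [ "$n" = "1" ]
}

# Run the check query through sqlplus (assumed paths; requires ORACLE_HOME/ORACLE_SID).
ods_process_output() {
    "$ORACLE_HOME/bin/sqlplus" -s "/ as sysdba" <<'EOF'
set heading off feedback off pagesize 0
select count(*) from ods.ods_process;
exit
EOF
}

# Listener, database, row-count check, oidmon: same order as the comment describes.
start_oid_stack() {
    "$ORACLE_HOME/bin/lsnrctl" start || return 1
    "$ORACLE_HOME/bin/sqlplus" -s "/ as sysdba" <<'EOF' || return 1
startup
exit
EOF
    out=$(ods_process_output)
    if safe_to_start_oidmon "$out"; then
        "$ORACLE_HOME/bin/oidmon" start
    else
        echo "ods.ods_process has '$(parse_count "$out")' rows, expected 1; not starting oidmon" >&2
        return 1
    fi
}

# Constructed sqlplus output samples (default sqlplus formatting with a heading).
SAMPLE_ONE_ROW='
  COUNT(*)
----------
         1
'
SAMPLE_TWO_ROWS='
  COUNT(*)
----------
         2
'

# Stand-alone demonstration of the check on the constructed samples.
if safe_to_start_oidmon "$SAMPLE_ONE_ROW"; then
    echo "sample 1: one instance row, oidmon may be started"
fi
if ! safe_to_start_oidmon "$SAMPLE_TWO_ROWS"; then
    echo "sample 2: $(parse_count "$SAMPLE_TWO_ROWS") instance rows, oidmon must not be started"
fi
```

Refusing to start when the count is anything other than one is the point: a leftover row in ods.ods_process is exactly the condition the manual check in the comment is guarding against, and a script that skips the check silently turns that into a second instance entry.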
» Error adding new User (11i) - unable to call fnd_ldap_wrapper.create_user Online Apps DBA: One Stop Shop for Apps DBA’s says May 14, 2009

[…] Looking at error message “unable to call fnd_ldap_wrapper” its clear that issue is with LDAP (Lightweight Directory Access Protocol) i.e. OID (Oracle Internet Directory) to know more about OID click here […]

Reply
rajeshmanoharan says May 30, 2009

Hi Atul,
I have 10g (10.1.2.0.2) Business Intelligence installed on a standalone server for Discoverer, and it's integrated with EBS 11.5.10.2. Is there any possibility that I can make use of OID from the existing installation (like enabling the OID)?
Now I would like to integrate EBS with Microsoft Active Directory.
Thanks in advance, and waiting for your reply.

Regards,
Rajesh

Reply
Atul Kumar says May 30, 2009

Rajesh,
There are two ways to install Discoverer: standalone (without OID) or with OID.

If you initially installed Disco with OID, use that OID to integrate Apps with AD.

Or install standalone OID/SSO and integrate that with Apps and Active Directory.

Reply
rajeshmanoharan says May 31, 2009

Thank you very much Atul :)

Regards,
Rajesh

Reply
rajeshmanoharan says June 7, 2009

Hi Atul,
Can I have another installation with BIS and OID in a single $ORACLE_HOME on another node, and migrate the existing BIS to the newly installed BIS with OID? Kindly let me know if this way is possible.

Thanks in advance,

Regards,
Rajesh

Reply
Atul Kumar says June 7, 2009

Can I have another installation with BIS and OID in the single $ORACLE_HOME ?

No, BIS middle tier and OID can’t share ORACLE_HOME . Install them in different ORACLE_HOME

Reply
Sundar says July 6, 2009

Atul,
When I try to load this user using bulkload, I am getting a duplicate DN error.

The duplicateDN.log entries are:
cn=jguillory,cn=users,dc=seacor,dc=net

cn=jguillory,cn=users,dc=seacor,dc=net

The LDIF entry is
dn: cn=JGUILLORY,cn=users,dc=seacor,dc=net
cn: JGUILLORY
sn: Guillory
objectclass: top
objectclass: person
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: orcluser
objectclass: orcluserv2
objectclass: seaganperson
givenname: Jarrott
uid: JGUILLORY
userpassword: welcome1
mail: Jarrott.Guillory@xyz.com
userclass: Customer
userorgidx: 26165
userorgname: MMS CO., LTD.

Reply
Atul Kumar says July 6, 2009

@Sundar,
Log in to the OID ORACLE_HOME and list all users in domain seacor.net under users, then check (in users.ldif) whether you have any duplicate entry:

$ORACLE_HOME/ldap/bin/ldifwrite connect="tns_alias_for_oid_db" basedn="cn=users,dc=seacor,dc=net" ldiffile="$HOME/users.ldif"

Replace tns_alias_for_oid_db in the above command.

Reply
Sundar says July 6, 2009

Atul,

Thanks for your help. This is what I see, which is odd: I see a couple of users merged, causing this issue. Any idea how to resolve this issue? I am not sure what/how this could have happened.

This is what I see in the ldifwrite file when I search for that particular user:

dn: cn=JGUILLORY,cn=users,dc=seacor,dc=net
authpassword;oid: {SASL/MD5}9tHeoTUDjxU9FfVyr8b99g==
authpassword;orclcommonpwd: {X- ORCLLMV}C23413A8A1E7665FC2265B23734E0DAC
authpassword;orclcommonpwd: {X- ORCLIFSMD5}fEOJleWx4HgG6OJns/lo6g==
authpassword;orclcommonpwd: {X- ORCLWEBDAV}SfzW4BUc1a7R8XuTijTSHA==
authpassword;orclcommonpwd: {X- ORCLNTV}A3A685F89364D4A5182B028FBE79AC38
authpassword;orclcommonpwd: {X- ORCLWEBDAV}aFYc83CdzT9lwZeeczw1ig==
authpassword;orclcommonpwd: {X- ORCLIFSMD5}As1xKH8xC7sMrTOKz+4nZw==
authpassword;orclcommonpwd: {X- ORCLNTV}A3A685F89364D4A5182B028FBE79AC38
authpassword;orclcommonpwd: {X- ORCLLMV}C23413A8A1E7665FC2265B23734E0DAC
authpassword;orclcommonpwd: {MD5}IB8AtcpdZaHBGOXjJDFRTA==
authpassword;oid: {SASL/MD5-U}rU98LLLkCn2K5k6MPPPGwQ==
authpassword;oid: {SASL/MD5-DN}BJQ0HNZ/nMPIiPe2acvzKA==
authpassword;oid: {SASL/MD5}3zXVmuoUQrmoFIXlN5mKNw==
authpassword;orclcommonpwd: {MD5}IB8AtcpdZaHBGOXjJDFRTA==
authpassword;oid: {SASL/MD5-DN}uU5oLzy4YRniY72gBmMwFQ==
authpassword;oid: {SASL/MD5-U}a5uFuHASCwDFHxKh+X7ImA==
cn: TERRYC
cn: JGUILLORY
createtimestamp: 20090701231213z
createtimestamp: 20090701234025z
creatorsname: cn=bulkload
creatorsname: cn=bulkload
givenname: Terry
givenname: Jarrott
mail: terryc@erahelicopters.com
mail: unknowncustomer@xyz.com
modifiersname: cn=bulkload
modifiersname: cn=bulkload
modifytimestamp: 20090701231213z
modifytimestamp: 20090701234025z
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: seaganperson
objectclass: orcluserv2
objectclass: orcluser
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: person
objectclass: top
objectclass: seaganperson
objectclass: orcluserv2
objectclass: orcluser
objectclass: inetorgperson
orclguid: 6DAE0DAC9A373825E0440003BA774D25
orclguid: 6DAE728F39084188E0440003BA774D25
orclnormdn: cn=terryc,cn=users,dc=seacor,dc=net
orclnormdn: cn=jguillory,cn=users,dc=seacor,dc=net
orclpassword: {x- orcldbpwd}1.0:8478BF68F421A840
orclpassword: {x- orcldbpwd}1.0:91959291907A327E
pwdchangedtime: 20090701231213z
pwdchangedtime: 20090701234025z
sn: Cole
sn: Guillory
uid: TERRYC
uid: JGUILLORY
userclass: Employee
userclass: Customer
userorgidx: 245
userorgidx: 26165
userorgname:: RVJBIEhFTElDT1BURVJTLCBMTEMN
userorgname:: TU1TIENPLiwgTFRELg0=
userpassword: {SHA}41vs5sXm4OhspR0EQOkigqnWrIo=
userpassword: {SHA}41vs5sXm4OhspR0EQOkigqnWrIo=

Reply
Atul Kumar says July 6, 2009

This could be because of bulkload. What options did you use during the initial bulkload command?

Reply
Sundar says July 6, 2009

There's a check script which basically checks the LDIF file, and then the load script, which is as follows:

$ORACLE_HOME/ldap/bin/bulkload.sh -connect iasdb -generate -load -append $ORACLE_HOME/ldap/load/oid_user_load.ldif

Reply
Atul Kumar says July 6, 2009

@ Sundar,
Restore OID from a valid backup (prior to bulkload) and rerun bulkload.sh with the additional -check option.

http://download-west.oracle.com/docs/cd/B15904_01/manage.1012/b14082/syntax.htm#CEGJIEHI

Reply
Sundar says July 6, 2009

Atul,

When you say valid backup, do you mean a database backup or backing up the OID entries using ldifwrite?

Is there a reference somewhere that you could point me to for backing up and restoring OID entries? That way I will take backups before using bulkload.

Since we don't have a valid backup of OID, I am trying to delete the entries that we loaded using the LDIF file that we used to load, and retry loading them again.

I created a LDIF file as follows:

dn: cn=SMILNER,cn=users,dc=seacor,dc=net
changetype: delete

and when i run this using the following command:

ldapdelete -p 389 -h localhost -D "cn=orcladmin" -w -v -f $ORACLE_HOME/ldap/load/user_del_test.ldif

i get the following error message:

ldap_init( localhost, 389 )
deleting entry dn: cn=SMILNER,cn=users,dc=seacor,dc=net
ldap_delete: No such object
ldap_delete: matched: cn=Users, dc=seacor,dc=net
ldap_delete: additional info: Entry to be deleted not found.

When I search for SMILNER in ODM under entry management, or view the dump of all users from the OID DB, I see the same dn value as the one I have in the LDIF file.

Anything wrong with the LDIF file?

FYI, when I use ldapdelete and issue the dn as a single entry (same as in the LDIF file for dn) it takes it and removes the entry.

example:
ldapdelete -v -D "cn=orcladmin" -w -h localhost -p 389 "cn=JGUILLORY,cn=users,dc=seacor,dc=net"

The above command removed the entry successfully.

Any help is highly appreciated.

Thanks,

Sundar

Reply
Atul Kumar says July 7, 2009

OID is stored in an Oracle Database, so there are two ways to backup/restore OID.

1. Using an Oracle Database hot/cold backup

2. Using ldifwrite

To back up and restore only users using LDAP commands, use ldifwrite; check the steps mentioned here

http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/prodtest.htm#BABEDBHI

Focus only on the tree under "cn=users,dc=seacor,dc=net"

Reply
Sundar says July 7, 2009

Atul,

Thanks, I am able to delete the merged entries using ldapdelete.

Now when we run the bulkload with the -check option, there are no duplicates (which is good), but then there's an error in schemacheck.log. Do you know what it means?

Duplicate while inserting in Hash Table.
Duplicate while inserting in Hash Table.
Duplicate while inserting in Hash Table.
Duplicate while inserting in Hash Table.
Duplicate while inserting in Hash Table.

Thanks for your help.

Sundar

Reply
reeta says September 28, 2009

About AD & OID
As for the AD interface, there will be synchronisation between the OID and AD, and this can be two-way. Can the following scenario be used: at first, users are taken from the AD system to populate the OID and the Oracle HRMS, BUT subsequently we want the users from the OID to initiate the transfer, whereby a user who leaves the company first has his employee file updated/deleted in Oracle and this change is then done in the AD system.

2) Suppose an account is locked out in HRMS for a particular reason. As account info is synchronized/replicated, how to ensure that the particular user still has access to other systems within the MT group?

Reply
Atul Kumar says September 28, 2009

Can the following scenario be used : At first, users are taken from the AD system to populate the OID and the Oracle HRMS BUT subsequently, we want the users from the OID to initiate the transfer whereby a user who leaves the company first has his employee file updated/deleted in Oracle and this change is done in the AD system.

Yes, this process is called bootstrapping; you can use the ldifwrite and bulkload features to load the initial set of users, and then use a provisioning profile to synchronise users.

Reply
Will L says September 28, 2009

Can someone help me? I can't figure out why it won't start oidmon and oidldapd. It gives me: Process (index=1,uid=1942228545,pid=4929) time out while waiting for managed process to start
Log:
/oracle/middleware/asinst_1/diagnostics/logs/OID/oid1/console~OID~1.log.

The log file doesn't contain anything, and I'm not sure how to turn up the debugging information either.

Thank you!

Reply
Atul Kumar says September 28, 2009

@ Will, looking at the log structure it seems you are using 11g OID.

Are your database and DB listener (for the OID schema) up and accessible?

Check the OPMN logs at

/oracle/middleware/asinst_1/diagnostics/logs/OPMN/opmn/opmn.log

and the OIDCTL logs at

/oracle/middleware/asinst_1/diagnostics/logs/OID/oid1/oidctl.log

OPMN starts OIDCTL, which in turn starts the OID processes.

Reply
» How to integrate WebLogic with Oracle Internet Directory for Login : Authentication Online Apps DBA: One Stop Shop for Apps DBA’s says February 4, 2010

[…] you wish to login to WebLogic Server using users in Oracle Internet Directory (more on OID here) or allow access to your WebServices to users in OID (OWSM Policy) then you will have to define […]

Reply
varma namburi says May 27, 2010

Hi Atul,

We are using Oracle Identity Management Suite 11g for single sign-on, where OAM is for identity and access management, OIM for user provisioning, and OID to store the user data. I downloaded this software from this URL
http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

ofm_idm_win_11.1.1.3.0_32_disk1_1of1.zip
ofm_oam_core_win_10.1.4.3.0_disk1_1of1.zip
ofm_oam_pm_webpass_win_10.1.4.3.0_disk1_1of1.zip
ofm_oam_webgates_win_10.1.4.3.0_disk1_1of1.zip

Can you please confirm whether these software are sufficient for my requirement?

Reply
varma namburi says May 27, 2010

Hi Atul,

We are using Oracle Identity Management Suite 11g for single sign-on, where OAM is for identity and access management, OIM for user provisioning, and OID to store the user data. I downloaded this software for x86 from this URL
http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

Identity Management (11.1.1.3.0)
Access Manager Core Components (10.1.4.3.0)
Access Manager WebGates (10.1.4.3.0)
Policy Manager and WebPass on Third Party and non-OHS 11g Web Servers

Reply
Atul Kumar says May 27, 2010

@ Varma,
You would also need
a) A database for the OID repository
b) WebLogic to host ODSM and DIP (though this is not mandatory; you can run OID without the ODSM and DIP applications as well)
c) RCU (again not mandatory), used to load the OID schemas into the database. You can create the OID schema during the OID install as well, without RCU, but RCU gives you the flexibility to change tablespaces and other things for the schema.
d) Identity Manager: OIM (Identity Manager) is not part of Identity Management (11.1.1.3.0),
so download version OIM 9.1.0.1 separately from http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

Please share your installation steps with readers (especially the Identity Manager installation).

Reply
Guest says August 24, 2010

Hi Atul,

I am very new to OIM and OVD. I am not understanding the distinction between these two. Can you please advise?

Thanks
Guest

Reply
Atul Kumar says August 25, 2010

@ Guest

OIM: Oracle Identity Manager (provisioning and identity management software)
OVD: Oracle Virtual Directory (a virtual directory which sits in front of multiple directory servers to give clients a single view of the LDAP servers)
OID: Oracle Internet Directory (LDAP-compliant directory server)

More on all Oracle Identity Management Products here http://onlineappsdba.com/index.php/2010/06/01/oracle-identity-management-products-oid-ovd-oam-oim-orm-owsm-oif-esso-oes-oaam/

Reply
Dan says November 24, 2010

Atul,

Firstly a big thank you for all the good work you guys are doing. These articles are immensely helpful.

I am struggling to get information on how to enable self-service for password change and reset for the OID users. Please note I am not provisioning these users to OID using OIM. These users are being manually created in OID by the administrator. However, when they access the WebGate-protected resource through OAM, I would like to provide them the option to register (secret questions) and manage their passwords. My question is: where would the secret questions be created, and how would the users access this self-service page to change and reset passwords?

Can these questions be set up in OAM although the user identities are in OID?

We are using 11g.

Thanks,
Dan

Reply
Atul Kumar says November 24, 2010

@ Dan,

OID in 10g used to come with a default self-service application called OIDDAS. With 11g OID you can still use the 10g OIDDAS application, but I would not recommend using OIDDAS with 11g OID.

If you have OAM with OID, then questions can be set up in OAM via the lost password management feature of OAM.

If this is what you are looking for, then check http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12489/idconfig.htm#BABDFCGI

What is the version of your OAM?

Reply
» Troubleshoot ORA-01017 for database login when Database is configured with EUS Online Apps DBA: One Stop Shop for Apps DBA’s says December 16, 2010

[…] issue (ORA-01017 Invalid Username/Password) where Oracle Database is registered with LDAP Server (OID or Microsoft Active Directory) for Enterprise User […]

Reply
cristiano says February 18, 2011

Does anyone know in which manner the password is stored and controlled in OID?

We are integrating the SharePoint membership provider with OID, but it seems not to recognize the password. The LDAP membership provider hashes the password and then compares it against OID. So what is the hash algorithm used by OID?

Thanks

Reply
urs.shivakumar@gmail.com says March 29, 2011

Hi,

During the IDM 11.1.1.4 configuration on a Windows XP 32-bit system, I am getting the following error.

oracle.as.provisioning.util.ConfigException:
Error creating ASComponent oid1.
Cause:
An internal operation has failed: Failed to start the component

Prerequisite:
1. Oracle Database 11.2.0.1
2. RCU 11.1.1.3.3
3. Weblogic – 10.3.4
4. FMW IDM (OID) – 11.1.1.4

During the installation of OID, all the prerequisites passed. Installation was successful. While configuring OID with the WebLogic domain, I have faced this.

In the last step, Start Oracle Internet Directory, I am facing this error.

Please help me to solve this error.

Thanks,
Shiv

Reply
Shiv says March 29, 2011

Hi,

During the IDM 11.1.1.4 configuration on a Windows XP 32-bit system, I am getting the following error.

oracle.as.provisioning.util.ConfigException:
Error creating ASComponent oid1.
Cause:
An internal operation has failed: Failed to start the component

Prerequisite:
1. Oracle Database 11.2.0.1
2. RCU 11.1.1.3.3
3. Weblogic – 10.3.4
4. FMW IDM (OID) – 11.1.1.4

During the installation of OID, all the prerequisites passed. Installation was successful. While configuring OID with the WebLogic domain, I have faced this.

In the last step, Start Oracle Internet Directory, I am facing this error.

Please help me to resolve this issue.

Thanks,
Shiv

Reply
Atul Kumar says March 29, 2011

@ Shiv,
11.1.1.4 is a patchset. Did you install the 11.1.1.2 base release?

If yes, then did this ever fail in the past?

If you applied 11.1.1.4 on top of 11.1.1.2 and this is a fresh installation (which never failed in the past), then

run opmnctl startall from $WL_HOME/asinst_1/bin and update the output here.

Reply
Shiv says March 29, 2011

@Atul,

Thanks Atul.

I did as you said. This is the response for that.
After "opmnctl startall", I have fired "opmnctl status" also, for your information.

C:\Oracle\apps\idm11g\MWHOME\asinst_3\bin>opmnctl startall
opmnctl startall: starting opmn and all managed processes…

C:\Oracle\apps\idm11g\MWHOME\asinst_3\bin>opmnctl status

Processes in Instance: asinst_3
——————–+—————-+——-+—–
ias-component | process-type | pid | status
———————————+——————–+———+———
EMAGENT | EMAGENT | 6484 | Alive

C:\Oracle\apps\idm11g\MWHOME\asinst_3\bin>opmnctl startall
opmnctl startall: starting opmn and all managed processes…

C:\Oracle\apps\idm11g\MWHOME\asinst_3\bin>

Please resolve this.

Thank you Atul,
Shiv

Reply
Shiv says March 29, 2011

@Atul,

This is regarding last post in this series. I had installed 11.1.1.2 base release. On that I installed patchset 11.1.1.4. I had not configured while installing. Now once I am trying to configure, I am getting this error.

Reply
Atul Kumar says March 29, 2011

@ Shiv,
The only issue I can see here could be an RCU version mismatch.

Currently in your setup, OID instance failed to start and installer removed configuration (related to OID from database)

To fix this issue do not use RCU:

1. Recreate Database (using dbca) – drop and create database
2. Install weblogic 10.3.4
3. Install OID 11.1.1.2 (do not configure – just install)
4. Apply patch 11.1.1.4 for OID
5. Configure OID (create schema during config stage)

More steps here http://onlineappsdba.com/index.php/2011/03/23/install-oracle-identity-management-oimidm-11114-oid-ovd-oif-high-level-steps/

Reply
Shiv says March 29, 2011

@Atul,

Thank you very much Atul. I will follow the steps you told. And I will let you know the result.

Thanks Again,
Shiv

Reply
Shiv says April 7, 2011

@Atul,

I have followed exactly the steps you told me, with the same versions. I am configuring OID without a WebLogic domain. But again I am facing an error in the “Configure OCM” step.

The Error is

oracle.as.provisioning.util.ConfigException:
Error creating ASComponent oid1.
Cause:
An internal operation has failed: Failed to start the component

Please help me to resolve this issue.

Thanks,
Shiv

Reply
Atul Kumar says April 7, 2011

@ Shiv,
Which version of OID are you installing?

Which link on this site are you using to install OID?

Reply
Shiv says April 7, 2011

@ Atul,

Thanks for your response.

I have installed IDM 11.1.1.2.0, then I have installed the IDM 11.1.1.4.0 patch (patch number is 11060980).

I have followed the steps in this link.

http://onlineappsdba.com/index.php/2011/03/23/install-oracle-identity-management-oimidm-11114-oid-ovd-oif-high-level-steps/

And I have referred this link also.

http://download.oracle.com/docs/cd/E17904_01/install.1111/e12002/instps2.htm#BGBCHIJI

Please help.

Thanks,
Shiv

Reply
Atul Kumar says April 7, 2011

@ Shiv,
Is this on Unix ?

What is hostname and entry in /etc/hosts ?

Do you have an IP assigned to the server and if yes can you ping this hostname/IP (entry defined in /etc/hosts)?

If you are installing just OID then don't create the schema using RCU, try the following –
1. Remove database and install again
2. Install weblogic 10.3.4
3. Install OID 11.1.1.2 (install – do not configure)
4. Install OID 11.1.1.4
5. Configure OID and then during config create schema.

See if this helps.

Reply
Shiv says April 7, 2011

@ Atul,

Thanks again for your help.

This is on Windows XP 32 bit system.

Earlier you told me to do these steps. I followed same steps exactly.

Again problem persists.

Please help.

Thanks,
Shiv

Reply
Atul Kumar says April 7, 2011

@ Shiv,
Sorry, I didn't check your previous comments.

In order to further debug this

1. See if you can see any logs in $ORACLE_INSTANCE/diagnostics/logs/OID/oid1/*

and
$ORACLE_INSTANCE/diagnostics/logs/OPMN/opmn/*

2. What is hostname and IP address of machine ?

3. Try pinging the hostname

ping [hostname]
ping [IP]

Reply
Shiv says April 8, 2011

@ Atul,

Thanks again for your help.

1. I can’t see the OID folder inside “$ORACLE_INSTANCE/diagnostics/logs/”

2. I can see three log files here “$ORACLE_INSTANCE/diagnostics/logs/OPMN/opmn/*”

debug.log -> It contains nothing. Empty file
opmn.log -> It contains

[2011-04-07T14:16:01][opmn][NOTIFICATION:1][90][OPMN][code:ons-internal]ONS server initiated
[2011-04-07T14:16:01][opmn][NOTIFICATION:1][520][OPMN][code:pm-internal]Create pm state directory: C:\Oracle\apps\idm11g\MWHOME\asinst_1\config\OPMN\opmn\states
[2011-04-07T14:16:01][opmn][TRACE:1][526][OPMN][code:pm-internal]PM state file does not exist: C:\Oracle\apps\idm11g\MWHOME\asinst_1\config\OPMN\opmn\states\.opmndat
[2011-04-07T14:16:01][opmn][NOTIFICATION:1][675][OPMN][code:pm-internal]OPMN server ready. Request handling enabled.
[2011-04-07T17:37:25][opmn][NOTIFICATION:1][676][OPMN][code:pm-internal]OPMN server stopped. Request handling disabled.
[2011-04-07T17:37:25][opmn][TRACE:1][667][OPMN][code:pm-requests]Request 5 Started. Command: /shutdown
[2011-04-07T17:37:25][opmn][TRACE:1][668][OPMN][code:pm-requests]Request 5 Completed. Command: /shutdown

service.log -> It contains

——–
11/04/07 14:16:01 startproc
——–

——–
11/04/07 17:37:26 shutdown
——–

3. I tried pinging hostname/IP. Both are working fine.

Reply
Atul Kumar says April 8, 2011

@ Shiv,
In your case the installation failed and the installer has rolled back the entire OID instance (so the logs are missing)

Check installation logs under oraInventory (:\program files\Oracle\Inventory)

Reply
Atul Kumar says April 8, 2011

@ Shiv,
Your problem could be because of one of the following reasons (apart from the few mentioned above in comments) – the installation logs should tell you the root cause of the issue

Issue 1: The TNS listener for the database is listening on IPv4 and the IM installation tries to connect using IPv6, or vice versa
Fix 1: Disable IPv6, restart the machine and install everything again (including database)

Issue 2: You are trying to use a port for OID which is already in use
Fix 2: Default OID ports in 11g are 3060 and 3131, so check if they are in use. Use a different port

Issue 3 (Unix only): You are trying to use an OID port < 1024 and forgot to run oraRoot.sh (after OIM install)
Fix 3: Run oraRoot.sh before running config.sh

Issue 4: Database Standard Edition (SE) is used
Fix 4: Use EE (Enterprise Edition) or apply the patch for SE compatibility

Issue 5 (Unix only): SELinux is used
Fix 5: Temporarily disable enforcement (SELinux)

I suspect you are hitting issue 1

Reply
Shiv says April 11, 2011

@ Atul,

Thanks for the solution.

I will try this & let you know.

Thanks Again,
Shiv

Reply
» Overview of EGRCM Governance Risk & Compliance (8.0.1) Installation Online Apps DBA: One Stop Shop for Apps DBA’s says July 18, 2011

[…] Oracle Internet Directory Release 11.1.1.2.0 – If you wish to login to WebLogic Server using users in Oracle Internet Directory or allow access to your users in OID (OWSM Policy). […]

Reply
Mohan Poojari says August 9, 2011

Atul

I have successfully imported the SSO users, groups and Portal groups after removing the authpassword attributes. The attribute userpassword has been successfully imported for each user.

Users cannot login with the same password as in Live as it is failing on authentication. How can I get the same passwords working as in Live. I don’t want to change the password using ldapmodify.

Thanks in advance.

Mohan

Reply
Atul Kumar says August 9, 2011

@Mohan Poojari,
Can you do ldapbind using prod user and prod password in target environment ?

—Users cannot login with the same password as in Live as it is failing on authentication.

Is this for Portal login/password? Try and see if ldapbind works first

Reply
Mohan Poojari says August 9, 2011

Atul

ldapbind is working and Portal login is also working.

I have found the issue, it was due to a missing attribute.

Have a good evening.

Thanks

Mohan

Reply
Nehas says April 22, 2012

Atul,

I am using Oracle Integrated Platform (OIP) to sync OID (Identity store) with Siebel. I wanted to know which protocol OIP uses to connect and transfer user credentials to Siebel or any other applications.

Thanking you in advance

Reply
siva says June 22, 2012

I have a question here

1. Once I integrated the LDAP, it is going to authenticate the user (valid user).

2. To integrate the user and OBIEE user & role instead of OID

3. Suppose I don't have OID; is there a way I can create my own database and integrate the same with OBIEE?

Is it possible?

Reply
Rgupta says August 28, 2012

How to integrate OID 11gR1 (along with OAM 11gR1) with EBS R12?

I found the Oracle note used for the above is 1309013.1. Our need is to integrate 11g OAM along with OID 11gR1 with EBS.
In master note 1309013.1, it is mentioned to follow 1370938.1 for registering OID 11gR1 (using OAM 11g) with EBS.
I am using 1370938.1 but not clear what exactly we need to run to complete the OID 11gR1 integration with EBS.

Can you please provide step details of how to integrate OID 11gR1 (using OAM 11gR1 and not SSO) with EBS using 1370938.1?

Reply
Daniele Trabucco says December 20, 2012

Help! my configuration is:

Oracle OIM 10.3
Oracle Weblogic 10.3.0

I have a Java application using OID for user authentication. Users are created as firstname.lastname, but if I log in with any user in this way, FIRSTNAME.LASTNAME or Firstname.laStname, or by adding a “space” before or after the user name, the user is authenticated as well! How can I set the criteria for the userID?

Reply
    Atul Kumar says December 20, 2012

    @ Daniele Trabucco,
    Which application is doing authentication ? You can configure application to check login attribute (cn or lastname or uid or email) as per your choie . Look for application which is doing authentication.

    Reply
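Why the directory accepts those variants, and the kind of application-side login check the reply above points at, as an added example that is not code from the blog post or from OID (the DIRECTORY entries, DNs and function names are constructed for illustration):

```python
"""Added example: why 'FIRSTNAME.LASTNAME' and ' firstname.lastname ' both log in.

OID compares attributes such as cn and uid with the LDAP caseIgnoreMatch rule,
which ignores case and leading/trailing/repeated spaces (RFC 4518 string prep).
An application that looks the user up with an equality filter therefore matches
every such variant. The strict check below is an application-side tightening,
not an OID setting. The directory contents are constructed sample data.
"""
import unicodedata

# Constructed sample entries: DN -> attributes (an assumption, not a real DIT).
DIRECTORY = {
    "uid=john.doe,cn=users,dc=example,dc=com":
        {"uid": "john.doe", "cn": "John Doe", "mail": "john.doe@example.com"},
    "uid=jane.roe,cn=users,dc=example,dc=com":
        {"uid": "jane.roe", "cn": "Jane Roe", "mail": "jane.roe@example.com"},
}


def case_ignore_prep(value: str) -> str:
    """Approximation of RFC 4518 preparation for caseIgnoreMatch:
    compatibility normalisation, case folding, outer spaces removed and
    inner runs of spaces collapsed."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return " ".join(folded.split())


def ldap_equality_search(login_attr: str, login: str) -> list:
    """Emulates the filter (login_attr=login) as the directory evaluates it:
    both sides are prepared with the attribute's matching rule first."""
    wanted = case_ignore_prep(login)
    return [dn for dn, entry in DIRECTORY.items()
            if case_ignore_prep(entry.get(login_attr, "")) == wanted]


def resolve_login(login_attr: str, login: str, strict: bool = True):
    """Map a typed login to the DN the application would bind as.

    strict=True adds the application-side rule: exactly one entry must match,
    and the typed value must equal the stored attribute byte for byte, so case
    or whitespace variants are refused before the password bind is attempted.
    Returns the DN, or None when the login is refused.
    """
    matches = ldap_equality_search(login_attr, login)
    if len(matches) != 1:
        return None                      # no such user, or ambiguous lookup
    dn = matches[0]
    if strict and DIRECTORY[dn].get(login_attr) != login:
        return None                      # variant of the real login: refuse
    return dn
```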
darleys says April 11, 2013

Atul ,
here’s my situation,
I have installed OID 11.1.1.6.0 and OAM 11.1.1.7.0 and no issues in integrating them. but when I install oracle portal 11.1.1.6.0 it asks for OID information and when I provide those information it throws an error “cannot retrieve SSO information” there is no issue in the login credential because when I provide a wrong password for ‘cn=orcladmin’ it throws an error ‘cannot login into the LDAP’ . then I did more research and it seems the OID 11g misses DAS 10g , and that’s the reason portal is not able to fetch the SSO.
Now… please advice me of what path to take
1. use inspre11.pl and install MRCA(10g 10.1.4.3.0) and install SSO + ODAS 10.1.4.3.0 (*** Iam not able to get the downloads at all for that)
or

2. install 10g OID+SSO which will automatically install ODAS 10g and then upgrade OID to 11g?

or if you know of any other way please help me…

Reply
ddawicki says September 18, 2013

Hi Atul, we had a working 9.0.4.0.0 after the year-end passwords, except the cn=orcladmin didn't log into the Windows Oracle Directory. 10g Application Server – 2 farms. I think I issued a bad ldapbind, tried to restart with a DOS shortcut to stop and start the services, and they appeared hung so I interrupted them. Now they say they are not valid Win32 applications when issued…

OID port 389 can't be accessed, LDAP server not connected when issuing ldapbind -q, can't log into Oracle Directory on Windows, LDAP down. The database ODS id locks up all the time. I don't know how to change the cn=orcladmin (older version of oidpasswd), unsure where the wallet is; checked Linux, assuming it's on Windows, can't locate it.

So hung up, the Enterprise Console farms don't start without an error connecting to the repository, cannot connect to port 389, etc. One of the farms' Windows service doesn't complete. We are production DBAs, didn't set this up. We have a test side that works but can't seem to get to the crux of this. I appreciate your insights very much.

Reply
ram says September 24, 2013

Can we use the FMW Forms/Reports OID database and OAM to configure SSO for EBS 12.1.3? Please advise.

Reply
    Atul Kumar says September 25, 2013

    @ ram,
    Yes you should have one single SSO-OAM, OID protecting EBS and middleware products like FMW Forms, Reports etc

    Reply
Krish says January 23, 2014

Can we sync pwdHistory and pwdReset attributes from Source OID to Target OID.

Can we sync the operational attributes like CreatorsName, CreateTimeStamp,ModifiersName, ModifiedTimeStamp from Source OID to Target OID.

Reply
    Atul Kumar says January 23, 2014

    YES – If you clone complete OID including database.

    NO – If you are using LDAP based or ASR replication

    Reply
Krish says January 24, 2014

Thanks Atul. I could sync the pwd attributes to the target OID but could not sync the attributes CreatorsName, CreateTimeStamp, ModifiersName, ModifiedTimeStamp. Thanks for your input.

PN: I really like your posts.

Reply
Bheem says June 24, 2014

Hi atul,

How to check the status of OID in PuTTY?

Thanks,
Bheem

Reply
sundas7 says September 30, 2014

Hi Experts,

I have the old version of OIM 9.1.0 installed. I am just trying to set up a test environment here. Please let me know the best way to download and install OID 10g here. I would like to install it as an add-on component. Later I would be installing 11gR2. Please advise. Thanks, sundas7

Reply
Kemal says March 30, 2015

Hi Atul,

do you know if it is possible to link two Oracle Messaging Agents which communicate bidirectionally, like this:

DB --- OMG Agent  <---->  OMG Agent --- DB
       ---------          ---------
         DMZ1               DMZ2

Best Regards
Kemal

Reply
kishore GP says July 24, 2016

Hi Atul

What are the IDM & OAM roles in Fusion?

Reply