OUD11g - 24405001 - New Certificate Mapper "Subject Alternative Names To User Attribute"

(Doc ID 2210549.1)

Last updated on MARCH 30, 2017

Applies to:

Oracle Unified Directory - Version 11.1.2.3.161018 to 11.1.2.3.161018 [Release 11g]
Information in this document applies to any platform.
=================== New Certificate Mapper =================================
Background:
Base Bug # 24405001
Starting with OUD Bundle Patch 11.1.2.3.161018, a new fix (Bug 24405001) introduces a new certificate mapper, "Subject Alternative Names To User Attribute", which reads the certificate and extracts the principal name from it. This new mapper is used during login/authentication of smart card users.

The following content has been added to config.ldif as part of the fix:

dn: cn=Subject Alternative Name To User Attribute,cn=Certificate Mappers,cn=config
objectClass: ds-cfg-subject-alternative-name-to-user-attribute-certificate-mapper
objectClass: top
objectClass: ds-cfg-certificate-mapper
ds-cfg-enabled: true
ds-cfg-subject-alternative-name-attribute-mapping: 1.3.6.1.4.1.311.20.2.3:cn
ds-cfg-java-class: org.opends.server.extensions.SubjectAlternativeNameToUserAttributeCertificateMapper
cn: Subject Alternative Name To User Attribute

The new mapper is available in any new instance created after OUD BP 11.1.2.3.161018 has been applied. For existing instance(s), you need to add the config.ldif content shown above manually. Stop the instance and take a backup of the existing config.ldif before making this change.
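The manual step for an existing instance (stop, back up config.ldif, append the entry) as a script, added here and not part of the Oracle note. The instance layout (bin/stop-ds, config/config.ldif under the instance directory) and the function names are assumptions; the check function also tells you whether a config.ldif already references the new objectclass.

```shell
#!/bin/sh
# Added example, not from the Oracle note: append the mapper entry quoted in the
# note to an existing instance's config.ldif after stopping the instance and
# backing the file up. Instance layout (bin/stop-ds, config/config.ldif) is assumed.
SAN_MAPPER_OC='ds-cfg-subject-alternative-name-to-user-attribute-certificate-mapper'

# The LDIF entry from the note as a single entry: a blank line separates it from
# the previous entry, and the Java class name is one unwrapped value.
san_mapper_entry() {
    cat <<'EOF'

dn: cn=Subject Alternative Name To User Attribute,cn=Certificate Mappers,cn=config
objectClass: ds-cfg-subject-alternative-name-to-user-attribute-certificate-mapper
objectClass: top
objectClass: ds-cfg-certificate-mapper
ds-cfg-enabled: true
ds-cfg-subject-alternative-name-attribute-mapping: 1.3.6.1.4.1.311.20.2.3:cn
ds-cfg-java-class: org.opends.server.extensions.SubjectAlternativeNameToUserAttributeCertificateMapper
cn: Subject Alternative Name To User Attribute
EOF
}

# Succeeds (0) when config.ldif already references the mapper objectclass; also
# the condition behind a startup failure on a server that no longer knows it.
has_san_mapper() {
    grep -q "^objectClass: $SAN_MAPPER_OC\$" "$1"
}

# Stop the instance if its stop-ds exists, keep a timestamped backup of
# config.ldif, then append the entry only if it is not already present.
add_san_mapper() {
    inst="$1"
    cfg="$inst/config/config.ldif"
    [ -f "$cfg" ] || { echo "no config.ldif at $cfg" >&2; return 2; }
    if [ -x "$inst/bin/stop-ds" ]; then "$inst/bin/stop-ds"; fi
    if has_san_mapper "$cfg"; then
        echo "mapper entry already present in $cfg"
        return 0
    fi
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    san_mapper_entry >> "$cfg"
}

# Demo on a constructed minimal config.ldif in a temp dir (no OUD required).
demo() {
    d=$(mktemp -d); mkdir -p "$d/config"
    printf 'dn: cn=config\nobjectClass: top\ncn: config\n' > "$d/config/config.ldif"
    add_san_mapper "$d" && has_san_mapper "$d/config/config.ldif" && echo "entry added"
    rm -rf "$d"
}
```

Source the file and run `add_san_mapper /path/to/instance` against a real instance, or `demo` to exercise it on the constructed file.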


============= Rollback Issue ============================================

After applying Bundle Patch 11.1.2.3.161018 or above, we're observing the following schema error during rollback of the bundle patch (11.1.2.3.170117), and LDAP fails to start. We've observed this in a replicated env, and with OPatch version 11.1.0.9.10.
=====================================

$ $ORACLE_HOME/OPatch/opatch rollback -id 24945523
Oracle Interim Patch Installer version 11.1.0.9.10
Copyright (c) 2012, Oracle Corporation. All rights reserved.
.
.
Oracle Home : /scratch/appl/oracle/fmw-jan17bp/Oracle_OUD1
Central Inventory : /appl/oracle/oraInventory
from : /scratch/appl/oracle/fmw-jan17bp/Oracle_OUD1//oraInst.loc
OPatch version : 11.1.0.9.10
OUI version : 11.1.0.11.0
Log file location : /scratch/appl/oracle/fmw-jan17bp/Oracle_OUD1/cfgtoollogs/opatch/24945523_Nov_21_2016_23_47_07/rollback2016-11-21_23-47-07PM_1.log
.
.
OPatch detects the Middleware Home as "/scratch/appl/oracle/fmw-jan17bp"
.
RollbackSession rolling back interim patch '24945523' from OH '/scratch/appl/oracle/fmw-jan17bp/Oracle_OUD1'
.
Patching component oracle.idm.oud, 11.1.2.3.0...
RollbackSession removing interim patch '24945523' from inventory
Log file location: /scratch/appl/oracle/fmw-jan17bp/Oracle_OUD1/cfgtoollogs/opatch/24945523_Nov_21_2016_23_47_07/rollback2016-11-21_23-47-07PM_1.log
.
OPatch succeeded.

============= While starting the OUD Server ===================
$ /scratch/appl/oracle/fmw-jan17bp/22369027-TOMBSTONE-11389/OUD/bin/start-ds
[21/Nov/2016:23:49:11 -0800] category=CORE severity=INFORMATION msgID=132 msg=The Directory Server is beginning the configuration bootstrapping process
[21/Nov/2016:23:49:12 -0800] category=CORE severity=NOTICE msgID=458886 msg=Oracle Unified Directory 11.1.2.3.0 (build 20150414142803Z, R1504140602) starting up
[21/Nov/2016:23:49:13 -0800] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerShutdown, alert ID 458893): The Directory Server has started the shutdown process. The shutdown was initiated by an instance of class org.opends.server.core.DirectoryServer and the reason provided for the shutdown was An error occurred while trying to start the Directory Server: An error occurred at or near line 179 while trying to parse the configuration from LDIF file /scratch/appl/oracle/fmw-jan17bp/22369027-TOMBSTONE-11389/OUD/config/config.ldif: org.opends.server.util.LDIFException: Entry cn=Subject Alternative Name To User Attribute,cn=Certificate Mappers,cn=config read from LDIF starting at line 179 is not valid because it violates the server's schema configuration: Entry cn=Subject Alternative Name To User Attribute,cn=Certificate Mappers,cn=config violates the Directory Server schema configuration because it contains an unknown objectclass ds-cfg-subject-alternative-name-to-user-attribute-certificate-mapper
[21/Nov/2016:23:49:14 -0800] category=CORE severity=NOTICE msgID=458955 msg=The Directory Server is now stopped

============================================================

Goal

To provide background on the new certificate mapper and a possible solution for Bug 25132763

Solution
