Thursday Mar 06, 2014

Transition Guide from DSEE to OUD just published

Transition Guide from (O)DSEE to Oracle Unified Directory (OUD) was just added to the OUD doc set.
It is available at

Other OUD documents are available at

Wednesday Mar 13, 2013

ODSEE 11gR1 PS2 Released

Check our documentation set for more, including Release Notes and Certification Matrix.

Download ODSEE 11gR1 PS2 (aka from here.

Tuesday Jun 07, 2011

ODSEE released

Oracle Directory Server Enterprise Edition 11gR1 PS1( aka 7.1 using old Sun versioning is available for download at

The corresponding doc set is available at

For questions, please use the OTN dedicated forum at

Wednesday Jan 19, 2011

ODSEE directory documentation moved

All the Directory documentation moved from to Oracle Technology Network documentation
over the weekend.  Here is the new link.

Thursday Jan 13, 2011

DPS and slow DNS

Every time a new client connection is treated, one of the tasks done is to log it to the access and connection logs. To log it, the canonical host name is retrieved, probably from the DNS server. If the call to InetAddress.getCanonicalHostName() gets blocked (for instance, because of a slow DNS server or a network problem), the calling Connection Handler Thread will get blocked for some time, preventing the thread from processing the other new connections and reading from the other connections.

In controlled environments, in may be useful to tune java dns caching, by setting the security property networkaddress.cache.ttl to a bigger value, or to -1 (cache forever).

You can't set the value of networkaddress.cache.ttl directly on the command line but you can set the required value in the file located in %JRE%\\lib\\security



Thursday Nov 18, 2010

Unable to retrieve backend SEARCH connection

That error message is pretty common with Directory Proxy Server. Here are the reasons why:

Upon reception of a request, DPS tries to route the request to the target data views, based on the request (base) dn. When this step fails (misconfiguration), a "No such Object" error is returned with additional text "The entry foo=bar is not handled by the server.
Then DPS selects the "best" directory server associated with the target data view according to the load-balancing algorithm. If no valid directory server is found, the error "Unable to retrieve backend SEARCH connection" is returned.

There are 4 possible causes:
- the data source pool associated with the target data view is empty (configuration problem)
- the data sources in that data source pool are disabled or have search-weight/bind-weight set to 0 so they are not considered valid servers to process search/bind operations (configuration problem)
- every data source (directory server) in that data source pool are down
- the max number of connection to every data source is reached.

If you get these errors after a brain new deployment with the OOTB dps configuration, #1 is probably the cause: DPS default config comes with a default data view able to handle every suffix/request. This data view is associated with a data souce pool that is empty by default. You have to create at least one data source object, add it to that data source pool then set load-balancing weights.

More info are available at

Monday Sep 27, 2010

Dynamic provisioning of directory instances with DPS - Part 2

The goal here is still (see previous post ) to dynamically  add/remove a directory server instance from the mesh with no or limited impact on the client applications and w/o altering the HW load-balancers that are commonly deployed in front of the directories. In the rest of this post, we assume that client applications access the directory services via an access layer provided by the Sun/Oracle Directory Proxy Server (DPS).

The second method consists in changing the configuration of each Directory Proxy Server. Each data source (directory server instance) is put in disabled mode so that DPS immediatly stops forwarding traffic to them. The property is-enabled can be changed to false. To reactivate a data source, set that property to true again.

e.g. dpconf  set-ldap-data-source-prop  is-enabled:false

Wednesday Sep 15, 2010

Dynamic provisioning of directory instances with DPS - Part 1

The goal here is to dynamically  add/remove a directory server instance from the mesh with no or limited impact on the client applications and w/o altering the HW load-balancers that are commonly deployed in front of the directories. In the rest of this post, we assume that client applications access the directory services via an access layer provided by the Sun/Oracle Directory Proxy Server (DPS).

The first method consists in changing the directory server operational state so that it is automatically considered as "unavailable" by DPS. Each DPS periodically checks directory servers availability by retrieving  its operational state with a configurable LDAP search. Would the operational entry "disappears" (i.e. no longer matches a search filter), the directory server would stop receiving traffic from the DPS(s).


First, decide  which entry and attribute will hold the server operational state, e.g. attribute description in entry  cn=server state,cn=config

dn: cn=server state,cn=config
objectclass: top
objectclass: extensibleObject

Then change the DPS configuration of each LDAP data sources so that this "state" entry is checked on a regular basis. By convention, the server is down if the poll returns no entry.

In this example, the property monitoring-entry-dn must be set to cn=server state,cn=config, the property monitoring-search-filter can be set to (description=SERVER_AVAILABLE). Depending on the state entry used, it may be necessary to use specific credentials to access it. In such case, the properties monitoring-bind-dn and monitoring-bind-pwd should be changed as well.

[@euler]# dpconf get-ldap-data-source-prop euler:10389          
ldap-address                                          : 
ldap-port                                               :  10389 
ldaps-port                                             :  ldaps 
monitoring-bind-dn                        :  cn=directory manager 
monitoring-bind-pwd                      :  {3DES}qowEGwcvUhKdUKegsRrO73X46Gb2JKPT 
monitoring-bind-timeout              :  5s 
monitoring-entry-dn                       :  cn=server state,cn=config
monitoring-interval                       :  30s 
monitoring-search-filter              :  (description=SERVER_AVAILABLE)

Removing a directory server from the topology

The description of the state entry must first be modified e.g. the state can be set to SERVER_UNAVAILABLE.  DPS will take up to about 2 times the monitoring-interval to stop forwarding traffic to that server. It is then safe to shut down the directory server instance w/o impacting client applications.

(Re)adding a directory server to the topology

Set (back) the description value to "SERVER_AVAILABLE" in the directory state entry (and dynamically add a new data source object to the DPS configuration for a brand-new server).

Thursday Aug 19, 2010

Using ODSEE Directory Proxy Server with Oracle Internet Directory (OID)

The DPS 6.x and 7.x default configuration must be slightly changed to be able to work smoothly with OID. Indeed, the DPS health-check engine might compute OID operational state incorrectly and consider OID down when it is up and running.

There are 2 ways to fix that: either disable the proactive health-check monitoring or (recommended) change the LDAP query done to determine the backend operational state. To do so, make sure DPS is running and launch the command below on each ldap data source associated with an OID instance:

dpconf set-ldap-data-source-prop <data source> monitoring-search-filter:(objectclass=\*)

Note: this configuration is not specific to OID and works well with other directory server instances, including DSEE.

Wednesday Jun 02, 2010

Directory Proxy Server at high connection rate

In some DPS deployments, there is a high number of new connections being established. This high connection rate may lead to performances issues.

It may be useful to consider changing the tcp time wait interval: That parameter notifies TCP/IP on how long to keep the connection control blocks closed. After the applications drop the TCP/IP connection, the control blocks are kept for the specified time.  When high connection rates occur, a large backlog of the TCP/IP connections accumulate and can slow server performance. The server can stall during certain peak periods. If the server stalls, the netstat command shows that many of the sockets that are opened to the server are in TIME_WAIT state

On Solaris, you can change the tcp_timeout_interval using ndd.

Monday Apr 26, 2010

Directory Services as a Web Service

DSEE - Directory Services Enterprise Edition,  provides a Web Services access (HTTP/SOAP binding) using the  DSMLv2 standard. Development of  WS clients using the contract-first approach requires a corresponding WSDL file describing the service.

I recently wrote such WSDL file. I had to modify slightly some regular expressions present in the DSML types as IDEs like NetBeans or JDeveloper complain during xml binding generation, that's the reason why it may worth sharing this. An updated WSDL file is available here.  You can use it as such for Web Service client code generation but don't forget to override the service port binding at the end of the file.

Friday Feb 12, 2010

200 (two hundreds)

[Read More]

Tuesday Dec 01, 2009

DPS and OutLook address lookup

Outlook LDAP address lookup requires VLV and companion Server Side Sorting controls. If these controls are blocked by DPS, you may get errors messages like "The server is not configured to pass through control 1.2.840.113556.1.4.473" or "The server is not configured to pass through control 2.16.840.1.113730.3.4.9"

To enable control pass-thru in DPS, use

dpconf set-server-prop [...] allowed-ldap-controls:vlv-request \\

Tuesday Nov 17, 2009

DSEE 7.0 has been released and is available for download

Sun Directory Server Entreprise Edition 7.0 aka DSEE 7.0 has just been released today and is available for download at

Wednesday Sep 30, 2009

JDBC URLs with Oracle database

The JDBC URL structure indicated in the DPS doc set to access ORACLE databases is wrong somehow: Referring to the DPS admin guide, the db-url is in the form jdbc:vendor:driver://dbhost:dbport.

A correct db-url for Oracle is jdbc:oracle:thin:@localhost:1521:

Using "//" instead of "@" may lead to errors similar to the one below:

Snipplet from the Oracle EX logs:
28-SEP-2009 12:12:52 \*
(CONNECT_DATA=(SID=orcl)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) \*
(ADDRESS=(PROTOCOL=tcp)(HOST= \* establish \* orcl
\* 12505
TNS-12505: TNS:listener does not currently know of SID given in connect


My name is Sylvain Duloutre, I worked as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement and Solutions Architecture.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

A mirror of this blog is available on Wordpress here.


« June 2016