AnsweredAssumed Answered

VLV Indexes and Oracle Directory as the Policy Store

Question asked by brentsherman on Aug 21, 2014
Latest reply on Oct 7, 2014 by kristen.palazzolo

According to the Policy Server 12.52 Installation Guide you are supposed to create VLV indexes when installing Policy Server to use Oracle Directory Server as the policy store.  After we created the VLV indexes we started noticing strange behavior.  First our privileged siteminder account defined in the Policy Server Console was unable to read any of the objects in the policy store.  This siteminder account is part of the directory administrators group and has full access in the directory server and to perform the VLV searches.  This was verified by the Oracle Directory tool getEffectiveRights.  To mitigate this we changed the directory user in the console to the cn=Directory Manager entry.  This cleared most of the issues but our user community began reporting that their applications would disappear from the AdminUI and then reappear days later.  We finally backed out the VLV indexes and all seems to be normal again.


Then I found this in the 12.52 SP1 release notes and 12.52 Admin Guide:


"VLV Indexing on Some LDAP User Directories Causes SiteMinder Agent Group Lookups to Fail

Flaws in the Virtual List View (VLV) implementation on some LDAP user directories can cause SiteMinder Agent group lookups to fail, returning zero entries and raising a “directory unwilling to perform" error."


Could somebody elaborate which LDAP user directory has issues.  In our case it is problem larger than agent lookups.  We are using Oracle 11g.  Has anybody else seen problems with VLV indexes?