Oracle Internet Directory Administrator's Guide
Release 3.0.1

Part Number A90151-01

10
Managing the Delegated Administration Service

The Delegated Administration Service enables directory users to modify their own personal data--such as addresses, phone numbers, and photos--without the intervention of an administrator. It also enables users to search other parts of the directory to which they have access. This frees directory administrators for other tasks in the enterprise.

This chapter contains these topics:

  Concepts and Architecture

  Starting and Stopping the Apache Server

  Installing and Configuring the Delegated Administration Service

Concepts and Architecture

The Delegated Administration Service relies on a Web server, that is, a program that delivers Web pages. More specifically, it uses an Apache Web server, one of the most widely used Web servers.

The Apache Web server is enabled for small Java programs, called servlets. Together, the Apache Web server and the servlets do the following:

  1. Receive requests from clients

  2. Process those requests--by either retrieving or updating data in Oracle Internet Directory--then generate results

  3. Send responses back to clients

Figure 10-1 shows the relationship between components of the Delegated Administration Service.

Figure 10-1 Components of the Delegated Administration Service



In the first tier, the user sends to the Apache server an HTTP request containing a query to Oracle Internet Directory.

In the second tier, the Apache server receives the request and launches the appropriate Delegated Administration Service servlet. The Delegated Administration Service servlet interprets the request and sends it to Oracle Internet Directory on the third tier.

After the Delegated Administration Service servlet receives the LDAP result from Oracle Internet Directory, it compiles that result into an HTML page, and sends it back to the client Web browser.

Starting and Stopping the Apache Server

Start the Apache server by entering:

$ORACLE_HOME/Apache/Apache/bin/apachectl start

Stop the Apache server by entering:

$ORACLE_HOME/Apache/Apache/bin/apachectl stop

Installing and Configuring the Delegated Administration Service

To install and configure the Delegated Administration Service, perform these tasks:

  Task 1: Install the Delegated Administration Service

  Task 2: Configure the Delegated Administration Service

  Task 3: Verify that the Delegated Administration Service Is Running

Task 1: Install the Delegated Administration Service

The Delegated Administration Service is installed along with Oracle Internet Directory release 3.0.1. If you want to enable Single Sign-On, then you must install and configure the login server.


Task 2: Configure the Delegated Administration Service

To configure the Delegated Administration Service, use a text editor to modify parameters in the oidprefs.properties file located in the ORACLE_HOME/ldap/ssa directory. The following sections discuss the parameters in that file.

The log file for the Delegated Administration Service is $ORACLE_HOME/ldap/ssa/logs/ssa.log.

General Parameters

The Delegated Administration Service uses a special account to initialize and reset user passwords. If you are using IMAP authentication described in "Parameters for Registering and Resetting Passwords", then you need to configure this special account to initialize and reset user passwords. To do this, run the script setup_admin.sh in the directory $ORACLE_HOME/ldap/ssa. This script creates the default special administrator account and sets the privileges for it.

If Single Sign-On is enabled, then the Delegated Administration Service uses the Oracle Internet Directory proxy user feature. To use Single Sign-On, configure the parameters for the proxy user in Table 10-1.

Table 10-1 explains the fields for setting general parameters in the oidprefs.properties file:

Table 10-1 General Parameters in the oidprefs.properties File

oidhost
    Enter the fully qualified host name where the directory server is running and which you are using with the Delegated Administration Service. There is no default.

corproot
    Enter the corporation root entry. Modify this field to comply with your deployment environment. All user entries must exist below this container. The default is dc=oracle, dc=com.

loginnameattr
    Enter the attribute that stores the user login identifier. This attribute needs to be indexed. It should uniquely identify the user in the organization under the specified corporation root. The default is uid.

Mailinglistobjectclass
    Enter the object class that contains the mailing list-specific attributes. The default is mailgroup.

employeeobjectclass
    Enter the object class that contains the user-specific attributes. The default is orclmailuser.

ssadebug
    Enable or disable debug logging for the Delegated Administration Service. The default is True. To disable debugging, set this value to False.

ssahostport
    Point this entry to the following URL: http://your_host:http_port. The default is http://local_host_name:7777.

oidacct
    Enter the DN of the administration account for the user password population. This account is used to populate the user password for Oracle Internet Directory registration. You configure this account by running the script setup_admin.sh in the directory $ORACLE_HOME/ldap/ssa. The default value is cn=oidpasswordadmin,dc=oracle,dc=com.

oidpwd
    Enter the password of the administration account specified in the oidacct configuration field. The default value is welcome.

proxydn
    Within a Single Sign-On environment enabling the Delegated Administration Service, enter the DN for the proxy account used to switch the initial LDAP proxy connection to the login user connection. The default value is cn=proxy.

proxypwd
    Enter the password of the proxy account. The default value is proxy.

serverloc
    Enter the Apache image directory, that is, the local file system directory where the Apache server stores the images retrieved from the directory server to make them accessible to all HTTP connections to the Delegated Administration Service. For the Oracle Portal platform, it is located at $ORACLE_HOME/webdb30/images.

passwordpolicyrule
    Customize the password policy. You can enforce the minimum password length and the number of letters and numerals. The default is len:5:letter:1:numeric:1.

    See Also: "Password Policies" for a conceptual discussion of password policies


Note:

Once you have modified the oidprefs.properties file, you must stop, then restart, the Apache server for your changes to take effect. 


Parameters for Registering and Resetting Passwords

To enable users to self-register and reset their passwords, you configure these properties. In release 3.0.1, the Delegated Administration Service verifies user credentials by using IMAP authentication only. You may use this if you have an IMAP server and want to use it to authenticate users.

The link (initial registration/forgot password) on the oidprefs login page is controlled by the resetpasswordurl parameter. If you do not want to use this feature, point the resetpasswordurl parameter to an HTML page with instructions for users to register or reset their passwords.

Table 10-2 Parameters for Registration and Resetting Passwords in the oidprefs.properties File

emailserver
    To enable self-registration of users, enter the fully qualified host name of your organization's IMAP server. There is no default.

emailport
    Enter the IMAP server port. The default is 143.

resetpasswordurl
    If you have an IMAP server, and you want to enable self-registration, then use the default value, namely, /servlet/imAuth. Otherwise, customize the default value to point to another URL that provides this ability to users.

Parameters for Integrating with Single Sign-On

Table 10-3 explains the parameters you set in order to integrate the Delegated Administration Service with Single Sign-On.

Table 10-3 Parameters for Integrating with Single Sign-On in the oidprefs.properties File

ssoenabled
    Enable or disable Single Sign-On. The default is False.

ssopwdchange
    Enable or disable usage of the Single Sign-On password change page. If it is disabled, then the Delegated Administration Service uses its own password change page.

tokenurl
    Enter the token used to register the Delegated Administration Service as a partner application within a Single Sign-On environment. If ssoenabled is set to False, then this field is displayed as empty.

ssookurl
    Enter the page that appears after the user clicks OK on the password change page in Single Sign-On. If ssoenabled is set to False, then this field is displayed as empty.

ssocancelurl
    Specify the URL for the HTML page that appears after the user clicks the Cancel button on the Single Sign-On password change page. If ssoenabled is set to False, then this field is displayed as empty.

oidpartnerid
    Enter the identifier stored in the cookie for the login user. The default is OID_PARTNER_ID. Do not modify this parameter.

ssodbuser
    Enter the user identifier for the JDBC connection to the Single Sign-On database. If ssoenabled is set to False, then this field is displayed as empty.

ssodbpwd
    Enter the password for the JDBC connection to the Single Sign-On database. If ssoenabled is set to False, then this field is displayed as empty.

ssodbhost
    Enter the name of the host for the Single Sign-On database. You need to modify this field. If ssoenabled is set to False, then this field is displayed as empty.

ssodbport
    Enter the number of the Single Sign-On database port. If ssoenabled is set to False, then this field is displayed as empty.

ssodbsid
    Enter the Single Sign-On database SID. If ssoenabled is set to False, then this field is displayed as empty.

ssourl
    Enter the URL for the HTML page that appears after the user clicks the OK button on the Single Sign-On password change page. The value must be in this format: http://Apache_server_host:port_number/servlet/root. For example, if the Apache server is running on My_computer, and the port number is 7777, then the value you enter is http://My_computer:7777/servlet/root.
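As an added example (not part of this guide and not Oracle's code), the following Python script parses an oidprefs.properties file and reports the settings from Tables 10-1 to 10-3 that a reviewer would check before putting the service into production: the documented default values for oidpwd and proxypwd left in place, ssadebug still True, a malformed ssahostport or ssourl, and SSO database parameters missing while ssoenabled is True. It also evaluates a password against the passwordpolicyrule string; reading "len:5:letter:1:numeric:1" as a minimum length of 5, at least one letter and at least one digit is an assumption, and the sample file is constructed here rather than taken from any deployment.

```python
import re

# Constructed sample: the documented defaults with a few deployment values filled in.
SAMPLE_OIDPREFS = """\
# constructed sample, not taken from a real deployment
oidhost=ldap.example.com
corproot=dc=oracle, dc=com
loginnameattr=uid
ssadebug=True
ssahostport=http://webhost.example.com:7777
oidacct=cn=oidpasswordadmin,dc=oracle,dc=com
oidpwd=welcome
proxydn=cn=proxy
proxypwd=proxy
passwordpolicyrule=len:5:letter:1:numeric:1
ssoenabled=True
ssodbuser=orasso
ssodbhost=
"""

# Defaults documented in Table 10-1 that should not survive into production.
DOCUMENTED_DEFAULTS = {"oidpwd": "welcome", "proxypwd": "proxy"}
# Table 10-3 database parameters that must be filled in when ssoenabled=True.
SSO_DB_KEYS = ("ssodbuser", "ssodbpwd", "ssodbhost", "ssodbport", "ssodbsid")


def parse_properties(text):
    """Parse Java .properties text: '#' or '!' comments, key=value or
    key:value pairs, and backslash line continuations. Keys keep their case."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def parse_policy_rule(rule):
    """'len:5:letter:1:numeric:1' -> {'len': 5, 'letter': 1, 'numeric': 1}."""
    parts = rule.split(":")
    if len(parts) % 2:
        raise ValueError("rule must be name:value pairs: %r" % rule)
    return {parts[i]: int(parts[i + 1]) for i in range(0, len(parts), 2)}


def password_meets_rule(password, rule):
    """Assumed semantics: minimum length, minimum letters, minimum digits."""
    need = parse_policy_rule(rule)
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    return (len(password) >= need.get("len", 0)
            and letters >= need.get("letter", 0)
            and digits >= need.get("numeric", 0))


def audit_oidprefs(props):
    """Return (key, finding) pairs for settings that should be revisited."""
    findings = []
    for key, default in DOCUMENTED_DEFAULTS.items():
        if props.get(key) == default:
            findings.append((key, "still set to the documented default"))
    if props.get("ssadebug", "True").lower() == "true":
        findings.append(("ssadebug", "debug logging is on (default True)"))
    if not re.fullmatch(r"http://[^/:\s]+:\d+", props.get("ssahostport", "")):
        findings.append(("ssahostport", "expected the form http://host:port"))
    for key in ("oidhost", "corproot", "loginnameattr"):
        if not props.get(key):
            findings.append((key, "required value is empty"))
    try:
        parse_policy_rule(props.get("passwordpolicyrule", ""))
    except ValueError:
        findings.append(("passwordpolicyrule", "malformed rule string"))
    if props.get("ssoenabled", "False").lower() == "true":
        for key in SSO_DB_KEYS:
            if not props.get(key):
                findings.append((key, "required when ssoenabled is True"))
        if not re.fullmatch(r"http://[^/:\s]+:\d+/servlet/root",
                            props.get("ssourl", "")):
            findings.append(("ssourl", "expected http://host:port/servlet/root"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_oidprefs(parse_properties(SAMPLE_OIDPREFS)):
        print("%-20s %s" % (key, finding))
```

Run it against $ORACLE_HOME/ldap/ssa/oidprefs.properties by reading that file into parse_properties instead of SAMPLE_OIDPREFS; because the file is read with the same continuation and comment rules the servlets use, a key the script reports as empty is one the service will also see as empty after the Apache restart the Note above requires.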

Task 3: Verify that the Delegated Administration Service Is Running

To do this, follow these steps:

Step 1: Verify that the Apache Server Is Running

To do this, check that the Apache server processes are running. Enter:

ps -ef | grep http

The related log files are located under the following directories:

Apache Server
    $ORACLE_HOME/Apache/Apache/logs

Java Servlets for the Delegated Administration Service
    $ORACLE_HOME/Apache/Jserv/logs

Delegated Administration Service
    $ORACLE_HOME/ldap/ssa/logs

See Also:

"Starting and Stopping the Apache Server" 

Step 2: Verify that the Delegated Administration Service Is Running

Using any browser, enter:

http://host_name:7777/servlets/oidprefs

where host_name is the name of the computer on which the Apache server is running. This displays the Delegated Administration Service logon screen.
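The two verification steps above can be scripted. The following Python script is an added example, not Oracle's code: it lists the process-table lines that mention http (the equivalent of the ps command in Step 1), checks that the three log directories from Step 1 exist under ORACLE_HOME, reports lines in ssa.log that look like errors, and requests the logon URL from Step 2. The error marker words, the sample log content and the throwaway ORACLE_HOME layout are constructed for this example; the guide documents the file locations but not the ssa.log line format.

```python
import os
import re
import subprocess
import tempfile
import urllib.error
import urllib.request

# Log directories listed in Step 1, relative to ORACLE_HOME.
LOG_DIRS = {
    "Apache Server": "Apache/Apache/logs",
    "Java Servlets for the Delegated Administration Service": "Apache/Jserv/logs",
    "Delegated Administration Service": "ldap/ssa/logs",
}
SSA_LOG = "ldap/ssa/logs/ssa.log"          # location given under Task 2
# Assumed marker words; the guide does not document the ssa.log line format.
ERROR_PATTERN = re.compile(r"\b(ERROR|FATAL|Exception)\b")


def apache_processes():
    """Process-table lines mentioning http, as 'ps -ef | grep http' would show."""
    out = subprocess.run(["ps", "-ef"], capture_output=True, text=True,
                         check=False).stdout
    return [line for line in out.splitlines() if "http" in line]


def check_log_dirs(oracle_home):
    """Map each component name to whether its log directory is readable."""
    return {name: os.access(os.path.join(oracle_home, rel), os.R_OK | os.X_OK)
            for name, rel in LOG_DIRS.items()}


def find_error_lines(oracle_home, max_lines=20):
    """Return up to max_lines error-looking lines from ssa.log ([] if absent)."""
    path = os.path.join(oracle_home, SSA_LOG)
    if not os.path.isfile(path):
        return []
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if ERROR_PATTERN.search(line):
                hits.append(line.rstrip("\n"))
                if len(hits) >= max_lines:
                    break
    return hits


def probe_logon_page(host_name, port=7777, timeout=5):
    """Request the Step 2 logon URL and return the HTTP status code, or None
    when the server cannot be reached at all."""
    url = "http://%s:%d/servlets/oidprefs" % (host_name, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except OSError:                # URLError and socket errors are OSErrors
        return None


def make_sample_oracle_home():
    """Create a constructed ORACLE_HOME layout with a three-line ssa.log so
    the checks above can be exercised without an installation."""
    root = tempfile.mkdtemp(prefix="oracle_home_")
    for rel in LOG_DIRS.values():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    with open(os.path.join(root, SSA_LOG), "w", encoding="utf-8") as fh:
        fh.write("INFO oidprefs servlet initialised\n")                 # constructed
        fh.write("ERROR LDAP bind to ldap.example.com:389 refused\n")  # constructed
        fh.write("INFO request served\n")                              # constructed
    return root


if __name__ == "__main__":
    home = os.environ.get("ORACLE_HOME") or make_sample_oracle_home()
    print("http processes:", len(apache_processes()))
    for name, ok in check_log_dirs(home).items():
        print("%-55s %s" % (name, "ok" if ok else "MISSING"))
    for line in find_error_lines(home):
        print("ssa.log:", line)
    print("logon page status:", probe_logon_page("localhost"))
```

With ORACLE_HOME set, the script inspects the real installation; without it, the constructed layout is used so the checks can be tried first. A status of 200 from probe_logon_page corresponds to the logon screen appearing in the browser; None means nothing answered on the port, which points back to Step 1.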


Copyright © 1996-2001, Oracle Corporation.

All Rights Reserved.