9
The Delegated Administration Service

The Delegated Administration Service frees global directory administrators for the more important and complex tasks of directory management. It does this by enabling:

• End users to modify their own passwords without the intervention of an administrator

• Delegated administrators, such as non-technical managers, to create and manage both users and groups

• All users to search parts of the directory to which they have access

This chapter contains these topics:

• About the Delegated Administration Service

• Concepts and Architecture of the Delegated Administration Service

• Starting and Stopping the Delegated Administration Service

• Installing and Configuring the Delegated Administration Service

• Searching for User and Group Entries by Using the Delegated Administration Service

• Managing Users, Groups, and Subscribers by Using the Delegated Administration Service

About the Delegated Administration Service

This section contains these topics:

• Delegated Administration Service Units

• The Oracle Internet Directory Self-Service Console

• Benefits of the Delegated Administration Service and the Oracle Internet Directory Self-Service Console

Delegated Administration Service Units

The Delegated Administration Service is a set of individual, pre-defined services--called Delegated Administration Service units--for performing directory operations on behalf of a user. It makes it easier to develop and deploy administration solutions for both Oracle directory-enabled applications and other directory-enabled applications that use Oracle Internet Directory.

Delegated Administration Service units perform operations such as create user, create group, entry lookup, and change user password. They perform operations on behalf of the application and provide a user interface for displaying the results of those operations.

Delegated Administration Service units are invoked by way of URLs that are published in the directory. To invoke a DAS unit, an application searches for the corresponding URL in the directory.

Users may define their own specialized services to plug into the existing Delegated Administration Service framework.

The Oracle Internet Directory Self-Service Console

Oracle Internet Directory also includes a pre-built, Delegated Administration Service-based web application, called the Oracle Internet Directory Self-Service Console. This application enables administrated access to application data that is managed in the directory. This application enables:

• End users to perform self service on data they are authorized to manage. For example, they can use the Oracle Internet Directory Self-Service Console to change passwords, personal data such as telephone number or office location, or application preferences.

• Subscriber administrators to:
  • Manage subscriber-level information--for example, changing subscriber configurations

  • Provision new users and groups

  • Manage user-level and group-level information within a subscriber--for example, creating user and group entries and editing them

• Subscriber administrators can also use the Self-Service Console to perform such directory operations as:
  • Controlling white pages application access

  • Administering directory attributes not associated with a particular application--for example, telephone number or office location

• Site administrators to:
  • Manage site level information such as site configurations

  • Manage subscriber level information such as creating new subscribers, changing their access privileges and administration (?) privileges.

Benefits of the Delegated Administration Service and the Oracle Internet Directory Self-Service Console

The benefits of using the Delegated Administration Service and the Oracle Internet Directory Self-Service Console include:

• Rapid development and deployment of directory-enabled applications:

  By using Delegated Administration Service units, you can more easily develop the tools your applications need to administer the directory. These units provide most of the functionality applications require.

• Secure access to the directory:

  The Delegated Administration Service uses the proxy user feature of Oracle Internet Directory to perform various operations on behalf of users. When you use Delegated Administration Service units to build administration applications, your applications take advantage of this feature. This centralizes the proxy access in one place and improves the directory security. You, as the directory administrator, no longer need to provide super user access to the various directory administration tools that applications require.

• Application user ease-of-use:

  Users of multiple directory-enabled applications interface with a single set of services for administering application-related directory data.

• Ability for sites to delegate directory data administration:

  The Delegated Administration Service allows you to delegate the administration of defined directory data to subscriber administrators and application end users. This makes it easier for sites to manage directory data.

Concepts and Architecture of the Delegated Administration Service

The Delegated Administration Service uses an Oracle HTTP Server that is enabled for small Java programs, called servlets. Together, the Oracle HTTP Server and the servlets

1. Receive requests from clients

2. Process those requests--by either retrieving or updating data in Oracle Internet Directory--and compile the LDAP result into an HTML page

3. Send the HTML page back to the client Web browser

How the Delegated Administration Service Works

Figure 9-1 shows the relationship between components in the Delegated Administration Service environment.

Figure 9-1 Components of the Delegated Administration Service

Text description of the illustration oidag049.gif

1. The user, from a browser and using HTTP, sends to the Delegated Administration Service a request containing a query to Oracle Internet Directory.

2. The Delegated Administration Service receives the request and launches the appropriate servlet. This servlet interprets the request, and sends it Oracle Internet Directory by using LDAP.

3. Oracle Internet Directory sends the LDAP result to the Delegated Administration Service.

4. The Delegated Administration Service compiles the LDAP result into an HTML page, and sends it to the client Web browser.

The Delegated Administration Service and Oracle9iAS Single Sign-On

You can use the Delegated Administration Service in conjunction with Oracle9iAS Single Sign-On.

Figure 9-2 shows the relationship between components of the Delegated Administration Service during a search operation within the Oracle9iAS Single Sign-On environment.

Figure 9-2 Delegated Administration Service and Oracle9iAS Single Sign-On

Text description of the illustration oidag055.gif

1. The user seeks access to the Delegated Administration Service by way of the Oracle HTTP Server with the mod.osso module.

2. If this is the first time during a session that the user is accessing the Delegated Administration Service, then the Oracle HTTP Server transparently directs the user to the Oracle9iAS Single Sign-On server for authentication.

3. Oracle9iAS Single Sign-On, by way of the Oracle HTTP Server, prompts the user for user name and password. The user provides user name and password.

4. Oracle9iAS Single Sign-On verifies the user's credentials by comparing the values the user entered with the corresponding ones stored in Oracle Internet Directory.

5. If it successfully verifies the user name and password, then Oracle9iAS Single Sign-On directs the user to the Delegated Administration Service. It also sends to the Delegated Administration Service an encrypted parameter containing the user identifier.

6. The Delegated Administration Service trusts the authentication of the user by Oracle9iAS Single Sign-On.

   To enable the user to access the directory, the Delegated Administration Service:

   • Logs in to Oracle Internet Directory on the end user's behalf as a proxy user, which has the privilege to switch identities

   • Performs a second bind to the directory, this time using the DN of the end user.

   When the Delegated Administration Service logs in to the directory server by using the DN of the end user, the directory server:

   • Recognizes this second bind as an attempt by the proxy user to switch to the end user's identity

   • Trusts the authentication granted to the end user by the Delegated Administration Service

   • Allows this second bind to succeed without requiring the end user's password.

     See Also: "Authentication" for information about proxy users and indirect authentication

7. The Delegated Administration Service retrieves the LDAP result from Oracle Internet Directory.

8. The Delegated Administration Service compiles the LDAP result into an HTML page, and sends it to the client Web browser.

Starting and Stopping the Delegated Administration Service

Start the Service by entering:

$ORACLE_HOME/opmn/bin/opmnctl startall

Stop the Service by entering:

$ORACLE_HOME/opmn/bin/opmnctl stopall

Installing and Configuring the Delegated Administration Service

This section contains these topics:

• Log Files for Components in the Delegated Administration Service Environment

• Task 1: Install the Delegated Administration Service

• Task 2: Verify that the Delegated Administration Service Is Running

• Task 3: Configure the Default Subscriber Context

• Task 4: Configure User Entries

Log Files for Components in the Delegated Administration Service Environment

Table 9-1 tells you where to find the log files for components in the Delegated Administration Service environment.

Table 9-1 Log Files for Components In Delegated Administration Service Environment

Application	Log File Location
Oracle HTTP Server	$ORACLE_HOME/Apache/Apache/logs
Oracle Container for Java (OC4J)	$ORACLE_HOME/opmn/logs
Delegated Administration Service	$ORACLE_HOME/ldap/log/das.log

To install and configure the Delegated Administration Service, perform the tasks in these sections:

• Task 1: Install the Delegated Administration Service

• Task 2: Verify that the Delegated Administration Service Is Running

• Task 3: Configure the Default Subscriber Context

• Task 4: Configure User Entries

Task 1: Install the Delegated Administration Service

The Delegated Administration Service is installed along with Oracle Internet Directory Release 9.0.2. If you want to enable Oracle9iAS Single Sign-On, then you must install and configure the Oracle9iAS Single Sign-On Server.

See Also: Installation documentation for Oracle Internet Directory Release 9.0.2 for your operating system Single Sign-On Administrator's Guidein the Oracle Database Documentation Library

Task 2: Verify that the Delegated Administration Service Is Running

To verify that the Delegated Administration Service is running, follow these steps:

Step 1: Verify that the Oracle HTTP Server Is Running

To do this, use the following command:

ps -ef | grep http

See Also: Table 9-1 to find log file locations for components in the Delegated Administration Service environment "Starting and Stopping the Delegated Administration Service"

Step 2: Verify that Java (OC4J JVM) Is Running

Use the following command to do this:

ps -ef | grep java

Be sure that the Java process is running. If it is not, then consult the log file.

See Also: Table 9-1 for the location of the log file

Step 3: Verify that the Delegated Administration Service Is Running

Using any browser, enter:

http://host_name:port_number/oiddas/

where host_name is the name of the computer on which the Oracle HTTP Server is running. This displays the Delegated Administration Service home page.

Task 3: Configure the Default Subscriber Context

After you have installed the Delegated Administration Service, you may configure the default subscriber context--that is, the root entry of the naming context that contains all entries for the default subscriber.

To configure the default subscriber:

1. Login as the administrator. The default administrative user name is orcladmin, and the default password is welcome.

2. Select the Configuration tab.

3. In the Directory Configuration section:
   1. In the Attribute for Login Name field, enter the attribute by which you want users to identify themselves when they log in--for example: cn, UID, EmployeeNumber, SSN.

   2. In the User Search Base Context field, enter the DN of the entry under which the user entries for this subscriber are located.

   3. In the Group Search Base Context field, enter the DN of the entry under which group entries for this subscriber are located.

   4. In the Search Return Limit field, enter the number of entries you want displayed in the search results.

4. In the Logo Management section:
   1. If you want to display the subscriber's logo in the upper left corner of the Delegated Administration Service user interface, then select the Enable Subscriber Logo checkbox. Otherwise, leave it unselected.

   2. If you want to display the product name, namely Internet Directory, in the upper left corner of the Delegated Administration Service user interface, then select the Enable Product Logo checkbox. Otherwise, leave it unselected.

   3. In the Update Subscriber Logo field, enter the path and file name of this subscriber's logo, or, alternatively, navigate to it by choosing Browse.

5. When you have entered the location of the corporate image logo file, choose Submit to save your changes.

Task 4: Configure User Entries

When a user creates or edits a user entry, the user interface displays various categories--including, for example, basic information, password, and photo--each with its own set of attributes. You can customize the way the Delegated Administration Service displays these categories and the corresponding attributes.

Specifically, the Delegated Administration Service enables you to:

• Add object classes to user entries, and add and modify their attributes

• Specify the categories of attributes you want to enable users to add or modify

• Customize the way the Delegated Administration Service displays those categories and attributes

To configure user entries:

1. Select the Configuration tab, then choose User Entry. This displays the Configure User Object Classes window listing the existing object classes for user entries.

2. To add an object class for user entries:
   1. Choose Add Object Class. This displays the All Object Classes window.

   2. Select an object class you want to add, then choose Add. This returns you to the Specify Object Class window. The object class you just chose is now listed as an existing object class.

   3. To add more object classes, repeat these steps.

   If you are satisfied with the object classes, then choose Next to display the Configure Attributes window.

3. To add attributes or modify the way the Delegated Administration Service displays those attributes:
   1. Choose Add New Attribute to display the Add New Attribute window.

   2. From the Directory Attribute Name combo box, select the attribute you want to add.

   3. Enter values for the fields as described in Table 9-2.

      Table 9-2 Fields in the Configure Attributes Window

      Field	Description
      UI Label	Specify the friendly name of the attribute in the user interface. For example, you can display the sn attribute as Last Name in the interface.
      Required	Specify whether you want the attribute to be required. Required attributes appear in the interface with an asterisk (*) to the left of the field. If you do not select this check box, then the attribute is optional.
      Viewable	Specify whether you want the attribute to appear in search results by selecting this check box.
      UI Type	Specify the type of interface for this field. Options are: Single Line Text--a text field into which the user enters a value Multi Line Text--a text area where a user can type multiple lines of text Predefined List--a combo box in which a user selects a value from a drop-down list. To specify values for the drop-down list, choose Edit to display the Editing Attribute window. In the LOV Values text area, enter each value, then press the ENTER key. Date--a text field into which the user enters a date--for example, an employee's birthday Browse and Select--a button enabling the user to browse for a manager's entry or any entry that needs a DN as an attribute value Number--a text field into which the user enters numbers only--for example, a postal code

   4. Choose Done to return to the Configure User Attributes window. The attribute you just chose is now listed in the attribute list.

   If you are satisfied with the user attributes, then choose Next to display the Create Attribute Categories window.

4. Use the Create Attribute Categories window to customize the way that categories of attributes are displayed to a user.

   To add a new category:

   1. Choose Add New Category.

   2. In the UI Label field, enter the friendly name of the category--for example, Telephone Numbers or Organizational Details.

   3. Choose Done to return to the Create Attribute Categories window.

   To modify a category:

   1. In the Select column, select the appropriate category.

   2. In the UI Label and Display Order columns, edit the appropriate fields. To designate the display order, specify the category you want to appear at the top of the window with a 0, the next with a 1, the next with a 2, and so on.

   To delete a category, select it, then choose Delete.

   If you are satisfied with the attribute categories, choose Next to display the Configure Attribute Categories window.

5. To configure each category of attributes, use the Configure Attribute Categories window. For each category, it displays two lists:
   • All Attributes--All attributes available for this category

   • Selected Attributes--The attributes in this category that you want to enable users to modify.

   To configure each attribute category:

   1. Move items between the two lists by selecting one or more at a time, then choosing the appropriate arrow.

   2. Within the Selected Attributes list for each category, set the attribute display order by using the up and down arrow buttons on the right of the list.

   When you have finished configuring attribute categories, choose Next to display the Configure Public Groups window.

6. To configure the display of public group lists in the Delegated Administration Service user interface:

   To enable users to assign users to public groups, select the Enable Public Group assignment check box. Otherwise, leave it unselected.

   To add a public group, choose the Add Group button to display the Search and Select: Public Groups window. In the Group Name Begins With field, enter the first few letters of the name of the group you want to add, select it in the table of search results, then choose Select.

   To delete a public group, select the group from the table and choose Delete.

Searching for User and Group Entries by Using the Delegated Administration Service

This section contains these topics:

• Searching for User Entries by Using the Delegated Administration Service

• Searching for Group Entries by Using the Delegated Administration Service

Searching for User Entries by Using the Delegated Administration Service

To search for users:

1. Select the Directory tab, then select Users.

2. In the Search for User field, enter the first few characters of the name of the user. For example, if you are searching for Anne Smith, you could enter Ann.

3. Choose Go to display the search results.

Searching for Group Entries by Using the Delegated Administration Service

To search for groups:

1. Select the Directory tab, then select Groups.

2. In the In Search Group Name text box, enter the first few characters of the name of the group for which you are searching.

3. Choose Go to display the entries that match the criteria you entered.

Managing Users, Groups, and Subscribers by Using the Delegated Administration Service

This section contains these topics:

• Creating User Entries by Using the Delegated Administration Service

• Modifying User Entries by Using the Delegated Administration Service

• Deleting User Entries by Using the Delegated Administration Service

• Assigning Privileges to Users by Using the Delegated Administration Service

• Creating Group Entries by Using the Delegated Administration Service

• Modifying Group Entries by Using the Delegated Administration Service

• Deleting Group Entries by Using the Delegated Administration Service

• Assigning Privileges to Groups by Using the Delegated Administration Service

• Changing Passwords by Using the Delegated Administration Service

Creating User Entries by Using the Delegated Administration Service

To create a user entry:

1. Select the Directory tab, then select Users.

2. Choose Create to display the Create User window.

3. Enter values in the required and other appropriate fields.

4. Verify that you have entered all information correctly, then choose Submit.

Modifying User Entries by Using the Delegated Administration Service

To modify a user entry:

1. Select the Directory tab, and perform a search for the user whose entry you want to modify.

2. Select the user whose entry you want to modify, then choose Edit to display the Edit User window.

3. Modify values in the required and other appropriate fields, then choose Finish.

   See Also: Searching for User Entries by Using the Delegated Administration Service

Deleting User Entries by Using the Delegated Administration Service

To delete a user entry:

1. Select the Directory tab, and perform a search for the user whose entry you want to delete.

2. Select the user whose entry you want to delete, then choose Delete.

Assigning Privileges to Users by Using the Delegated Administration Service

You can privilege a user to do one or all of the following:

• Create and edit users and groups

• Assign privileges to other users and to groups

You can also revoke privileges from a user.

To assign privileges to a user:

1. Select the Directory tab, and perform a search for the user entry to which you want to assign privileges.

2. Select the user to whom you want to assign privileges, then choose Assign Privilege to display a list of privileges.

3. Select the privileges you want to assign to this user. Options are:

   Privilege	Description of Access Granted
   Allow user creation	Create user entries
   Allow user editing	Modify user entries
   Allow user deletion	Delete user entries
   Allow group creation	Create group entries
   Allow group editing	Modify group entries
   Allow group deletion	Delete group entries
   Allow privilege assignment to users	Assign access rights to users
   Allow privilege assignment to groups	Assign access rights to groups
   Allow Delegated Administration Service configuration	Configure Delegated Administration Service user interface
   Allow resource management for Oracle Reports and Forms based applications	Configure resource types and set up default resource access information for Oracle Reports and Forms based applications

4. Choose Submit, or, to assign privileges to another user, choose Specify Other User and repeat the process.

Creating Group Entries by Using the Delegated Administration Service

To create group entries:

1. Select the Directory tab, select Groups, then select Create. This displays the Create Group window.

2. In the Basic Information section, in the Name field, enter the name for this group.

3. In the Display Name field, enter the friendly name. For example, if the RDN is OracleDBCreators, then you could enter the display name as Oracle Database Creators.

4. In the Description field, enter a brief description of this group.

5. To hide this group entry from all but its owners, in the Group Visibility field, select Hidden. Otherwise, accept the default, Not Hidden.

   Choose Next. This displays the User Members page.

6. The creator of the group is automatically a group owner. To specify an additional owner of this group:
   1. In the Owners section, choose Add Owner to display the Search and Select: User window.

   2. Perform a search for the entry of the user you want to specify as an owner of the group, then choose Select. This returns you to the Create Group window. The user you specified is listed in the Owners section.

   To remove an owner, in the Owners section, select the owner's name and choose Remove.

7. To add a user as a member of this group:
   1. In the Members section, choose Add User Member to display the Search and Select window.

   2. Perform a search for the entry of the user you want to specify as a member of this group, then choose Select. This returns you to the Create Group window. The user you specified is listed in the User Members section.

   To remove a user from this group, in the Add User Members section, select the user's name and choose Remove.

8. To add a group as a member of this group:
   1. In the Members section, choose Add Group Member to display the Search and Select window.

   2. Perform a search for the entry of the group you want to specify as a member of this group, then choose Select. This returns you to the Create Group window. The group you specified is listed in the Members section.

Modifying Group Entries by Using the Delegated Administration Service

To modify group entries:

1. Select the Directory tab and perform a search for the group entry you want to modify.

2. Select the group entry you want to modify, then choose Edit to display the Edit Group window.

3. Modify the fields as described in "Creating Group Entries by Using the Delegated Administration Service", then choose Finish.

Deleting Group Entries by Using the Delegated Administration Service

To delete group entries:

1. Select the Directory tab, and perform a search for the group whose entry you want to delete.

2. Select the group whose entry you want to delete, then choose Delete.

Assigning Privileges to Groups by Using the Delegated Administration Service

You can privilege a group to do one or more of the following:

• Create and edit new users and groups

• Assign privileges to users and to other groups

To assign privileges to groups:

1. Select the Directory tab, choose Groups, and perform a search for the group entry to which you want to assign privileges.

2. Select the group to which you want to assign privileges, then choose Assign Privilege to display a list of privileges.

3. Select the privileges you want to assign to this group. Options are:

   Privilege	Description of Access Granted
   Allow user creation	Create user entries
   Allow user editing	Modify user entries
   Allow user deletion	Delete user entries
   Allow group creation	Create group entries
   Allow group editing	Modify group entries
   Allow group deletion	Delete group entries
   Allow privilege assignment to users	Assign access rights to users
   Allow privilege assignment to groups	Assign access rights to groups
   Allow Delegated Administration Service configuration	Configure Delegated Administration Service interface
   Allow resource management for Oracle Reports and Forms based applications	Configure resource types and set up default resource access information for Oracle Reports and Forms based applications

4. Choose Submit, or, to assign privileges to another user, choose Specify Other Group and repeat the process.

Changing Passwords by Using the Delegated Administration Service

You can change your own password and, if you have the privilege to modify user or group entries, then you can change another user's or a group's password.

Changing Your Own Password

You can change the password you use for authenticating to Oracle9iAS Single Sign-On, the Delegated Administration Service, the Enterprise Security Manager, and Oracle Portal. You can also change your password for other Oracle components.

To change your password:

1. Login to the Delegated Administration Service and select the My Profile tab.

2. Select Change My Password.

   To change your password to Oracle9iAS Single Sign-On, the Delegated Administration Service, the Enterprise Security Manager, and Oracle Portal:

   1. In the Single Sign-On section, in the Old Password field, enter your current password.

   2. In the New Password field, enter your new password, then confirm it in the Confirm New Password field.

   3. Choose Submit.

   To change your password to another Oracle component:

   1. In the Application Passwords section, select the Oracle component for which you want to specify a new password.

   2. Choose Update Password to display the Change Application Password window.

   3. In the New Password field, enter your new password, then confirm it in the Confirm New Password field.

   4. Choose Submit.

Changing Another User's Password

You can change another user's password if you have the necessary access rights. To change another user's password:

1. Select the Directory tab, and perform a search for the entry of the user whose password you want to change.

2. Select the user entry, then choose Edit to display the Edit User window.

3. In the Basic Information section, enter, then confirm, the password you want to assign to the user.

4. Choose Submit.