B Configuring Oracle Internet Directory for Installation Privileges

When you install certain Oracle Collaboration Suite 10g Applications or infrastructure components, the installer prompts you for a user name to log in to Oracle Internet Directory. For the installation to end successfully, this user must belong to certain groups in Oracle Internet Directory. The groups that are required for installation depend on the components that you are installing.

The cn=orcladmin user is the superuser, who has rights to perform all operations, including installation. Users need not log in as the superuser to perform installations. To enable other users to perform installations, add users to specific groups.

This chapter contains the following sections:

• Section B.1, "Default Users in Oracle Internet Directory"

• Section B.2, "Groups in Oracle Internet Directory"

• Section B.3, "Groups Required to Configure or Deinstall Components"

• Section B.4, "Groups Required to Install Oracle Collaboration Suite 10g Database"

• Section B.5, "Creating Users in Oracle Internet Directory"

• Section B.6, "Adding Users to Groups in Oracle Internet Directory"

• Section B.7, "Contents of a New Oracle Internet Directory"

• Section B.8, "User Name and Realm for Logging In to Oracle Internet Directory"

B.1 Default Users in Oracle Internet Directory

When you install Oracle Internet Directory, the following users are automatically created:

• cn=orcladmin

  The cn=orcladmin user is the Oracle Internet Directory superuser. This user has all the privileges to perform all tasks in Oracle Internet Directory. The initial password for the cn=orcladmin user is the same as the password for the ias_admin user for the Oracle Collaboration Suite instance, which you specified during installation.

  The cn=orcladmin user is the owner of the objects created during the same installation session. For example, when you install Oracle Internet Directory, Oracle Collaboration Suite 10g Database, and Oracle Delegated Administration Services, the cn=orcladmin user is automatically created and made a member of the Repository Owners group, the DAS Component Owners group, and the IAS Admins group.

  
  

  Note: You cannot log in to Oracle Internet Directory as the cn=orcladmin user by using Oracle Delegated Administration Services. To log in as the cn=orcladmin user, you must use the Oracle Directory Manager.

  
  

• orcladmin

  The DN for the orcladmin user is: cn=orcladmin,cn=users,[default realm DN]. The initial password for the orcladmin user is the same as the password for the ias_admin user for the Oracle Collaboration Suite instance, which you specify during installation.

  To manage other Oracle Internet Directory users, you can log in to Oracle Internet Directory as the orcladmin user by using Oracle Delegated Administration Services. You can do this because the orcladmin user is a valid Oracle Application Server Single Sign-On user.

B.2 Groups in Oracle Internet Directory

Groups in Oracle Internet Directory can be classified in to these categories:

• Section B.2.1, "Global Groups"

• Section B.2.2, "Groups for Each Oracle Collaboration Suite 10g Database"

• Section B.2.3, "Groups for Each Component"

B.2.1 Global Groups

Table B-1 describes the groups that concern all Oracle Collaboration Suite instances and components registered with Oracle Internet Directory.

Table B-1 Global Groups

Group	Description
IAS Admins DN: cn=IASAdmins, cn=groups, cn=OracleContext	Members of the IAS Admins group have the privileges required to: Install and register new Oracle Collaboration Suite 10g Database. However, this group does not have the privileges required to manage existing databases already registered with Oracle Internet Directory. Install OracleAS Portal, Collaborative Portlets, Oracle Collaboration Suite 10g Voicemail & Fax, Oracle Real-Time Collaboration, Oracle Wireless and Voice, and Oracle Search.
Trusted Application Admins DN: cn=Trusted Application Admins, cn=groups, cn=OracleContext	To install OracleAS Portal, Collaborative Portlets, or Oracle Mail, you must belong to several groups, one of which is the Trusted Application Admins group. Table B-4 lists the groups required for each component.
User Management Application Admins DN: cn=IAS and User Mgmt Admins, cn=groups, cn=OracleContext	To install Identity Management, OracleAS Portal, Collaborative Portlets, Oracle Mobile Collaboration, Oracle Content Services, Oracle Calendar, or Oracle Mail, or you must belong to several groups, one of which is User Management Application Admins group. Table B-4 lists the groups required for each component.

B.2.2 Groups for Each Oracle Collaboration Suite 10g Database

Each Oracle Collaboration Suite 10g Database registered with Oracle Internet Directory has its own groups, which are described in Table B-2. This enables you to assign different owners and users for each repository.

Table B-2 Metadata Repository Groups That Are Registered with Oracle Internet Directory

Group	Description
Repository Owners DN: cn=Repository Owners, orclReferenceName=dbName, cn=IAS Infrastructure Databases, cn=IAS, cn=Products, cn=OracleContext	The user who installs Oracle Collaboration Suite 10g Database becomes a member of this group. Members of the Repository Owners group have the privileges required to: Add or remove users to or from the group Unregister the repository Add or remove users to or from the Application-Tier Administrators group for this database Add or remove Applications instances to or from the database The group also has all the privileges of the Application-Tier Administrators group.
Application-Tier Administrators DN: cn=Repository Mid-tiers, orclReferenceName=dbName, cn=IAS Infrastructure Databases, cn=IAS, cn=Products, cn=OracleContext	Members of the Mid-Tier Administrators group have the privileges required to: Add or remove Applications instances from the Associated Applications Tiers group for this repository Install Applications or configure an Applications component to use a different repository Access metadata for the repository database object
Associated Application Tiers DN: cn=Associated Mid-tiers, orclReferenceName=dbName, cn=IAS Infrastructure Databases, cn=IAS, cn=Products, cn=OracleContext	Members of this group are Applications instances associated with this database. Instances of Applications are added to this group during installation. You do not need to manually add the instances to this group. Members of the Associated Middle Tiers group have the privileges required to access metadata for the repository database object and its schemas.

B.2.3 Groups for Each Component

Oracle Collaboration Suite components also have groups in Oracle Internet Directory. Each component has a Component Owners group and an Associated Middle Tiers group. These groups are described in Table B-3.

Table B-3 Groups Associated with Each Oracle Collaboration Suite Component

Group	Description
Component Owners	Members of the Component Owners group have the privileges required to: Add or remove owners for the component. Unregister the component. Associate additional Applications with the component.
Associated Application Tiers	Members of Associated Middle Tiers group are Oracle Collaboration Suite 10g Applications instances.

B.3 Groups Required to Configure or Deinstall Components

You must belong to specific groups to configure or deinstall Oracle Collaboration Suite components. These groups are described in Table B-4. You become the owner of the components that you install.

Table B-4 Oracle Internet Directory Groups Required to Configure Components

To Configure This Component	User Must Be a Member of All the Listed Groups:
Infrastructure Components
Oracle Collaboration Suite 10g Database	To register Oracle Collaboration Suite 10g Database with Oracle Internet Directory, you must log in to Oracle Internet Directory as a user who belongs to the IAS Admins group.
Oracle Internet Directory	In OracleAS Cluster (Identity Management) environments, to install subsequent Oracle Internet Directory instances after the first one, you must be the Oracle Internet Directory superuser, cn=orcladmin.
Oracle Delegated Administration Services	Trusted Application Admins IAS Admins Application-Tier Admins group for the database used by Oracle Application Server Single Sign-On If you are not sure about the database that is used by Oracle Application Server Single Sign-On, then refer to "To Determine the Database Used by OracleAS Single Sign-On". Component Owners for the Oracle Delegated Administration Services component Note: You must be a member of the Component Owners for the Oracle Delegated Administration Services component only if you are installing multiple instances of Oracle Delegated Administration Services. When you are installing the second and subsequent instances, then you only need to belong to the Component Owners group. You do not need to be a member of the group when you install the first Oracle Delegated Administration Services instance. Refer to Section B.6.1 for the steps add users to groups.
OracleAS Single Sign-On	You must install Oracle Application Server Single Sign-On as the cn=orcladmin user.
Oracle Directory Integration and Provisioning	IAS Admins Trusted Application Admins Admin for Oracle Directory Integration and Provisioning, which is identified by cn=dipadmingrp,cn=odi,cn=Oracle Internet Directory Mid-Tier Admins group for the database used by Oracle Application Server Single Sign-On. If you are not sure about the database that is used by Oracle Application Server Single Sign-On, refer to "To Determine the Database Used by OracleAS Single Sign-On".
Oracle Application Server Certificate Authority, configured against an existing Oracle Collaboration Suite 10g Database	Trusted Application Admins IAS Admins Repository Owners group for the existing database
Oracle Application Server Certificate Authority, configured against a new Oracle Collaboration Suite 10g Database	Trusted Application Admins IAS Admins
Identity Management Access only	IAS Admins
Identity Management Access and OracleAS Cluster (Database-Based or File-Based)	IAS Admins Mid-Tier Admins or Repository Owners group for the database
OracleAS Portal	Trusted Application Admins IAS and User Management Application Admins IAS Admins Mid-Tier Admins or Repository Owners group for the database Component Owners group for the OracleAS Portal component Note: Membership of this group is required if you need to install additional OracleAS Portal instances. It does not apply for the first OracleAS Portal installation. For subsequent OracleAS Portal installations, you can perform the installation as the same Oracle Internet Directory user who performed the first installation. To allow a different Oracle Internet Directory user to install OracleAS Portal, then you must add this user to the Component Owners group for the OracleAS Portal application entity.
OracleAS Wireless	IAS and User Management Application Admins IAS Admins Mid-Tier Admins or Repository Owners group for the database Component Owners group for the Oracle Collaboration Suite Wireless component Note: Membership of this group is required if you need to install additional Oracle Collaboration Suite Wireless instances. It does not apply for the first Oracle Collaboration Suite Wireless installation. For subsequent OracleAS Portal installations, you can perform the installation as the same Oracle Internet Directory user who performed the first installation. To allow a different Oracle Internet Directory user to install Oracle Collaboration Suite Wireless, then you must add this user to the Component Owners group for the Wireless application entity.
Application Tier Components
Oracle Calendar Server	IAS Admin Trusted Application Admin Oracle Internet Directory Schema Admin Service Registry Admin
Oracle Mail	Trusted Application Admins User Management Application Admins Oracle Internet Directory Schema Admin
Oracle Content Services	User Management Application Admins
Oracle Real-Time Collaboration	IAS Admin
Oracle Search	IAS Admin
Oracle Voicemail & Fax	IAS Admin
Oracle Wireless and Voice	IAS Admin User Management Application Admins

To Determine the Database Used by OracleAS Single Sign-On

1. Enter the following command (all on one line):

   # $ORACLE_HOME/bin/ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
    -b "orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,
         cn=oraclecontext"
    -s base "objectclass=*" seealso
   
   

   The values that you must provide are:

   • oidhostname - name of the computer running Oracle Internet Directory Example: dbmachine.mydomain.com

   • oidport - port number on which Oracle Internet Directory is listening

     Example: 389

   • password - password for the cn=orcladmin user

2. If the command in Step 1 does not return the name of the database, then enter the following commands:

   1. Enter the following command first to get the orclreplicaid value:

      # $ORACLE_HOME/bin/ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
       -b "" -s base "objectclass=*" orclreplicaid
      
      
      
      This returns something like:
      orclreplicaid=broeser-sun_iocsdb
      
      

   2. Use the orclreplicaid value obtained by running the preceding command when you run the following command:

      # $ORACLE_HOME/bin/ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
       -b "orclreplicaid=value_from_previous_command,cn=replication configuration"
       -s base "objectclass=*" seealso
      
      

      This command returns a seealso value in the format: cn=Metadata repository DB Name,cn=oraclecontext.

      This returns something like:

      orclreplicaid=broeser-sun_ocsdb,cn=replication configuration
      seealso=cn=OCSDB,cn=OracleContext
      

B.4 Groups Required to Install Oracle Collaboration Suite 10g Database

To install additional databases, a user must be a member of the IAS Admins group. After installation, the user then becomes a member of the Repository Owners group for that database.

B.5 Creating Users in Oracle Internet Directory

You can create users in Oracle Internet Directory by using Self-Service Console, which is part of Oracle Delegated Administration Services.

See Also: Oracle Internet Directory Administrator's Guide for details

Note: You cannot connect to Oracle Internet Directory as the cn=orcladmin superuser using Oracle Delegated Administration Services. To connect to Oracle Internet Directory as the superuser, use Oracle Directory Manager.

B.6 Adding Users to Groups in Oracle Internet Directory

To add users to groups in Oracle Internet Directory, you can use one of the following tools:

• Oracle Directory Manager

  This is a Java-based tool for managing Oracle Internet Directory.

• Oracle Delegated Administration Services

  This is a Web-based tool intended to enable end users to perform tasks such as changing their passwords and editing their personal information. If users have the proper privileges, then they can also use this tool to create groups and users.

  
  

  Note: You cannot log in to Oracle Internet Directory as the cn=orcladmin superuser by using Oracle Delegated Administration Services. When you log in as the superuser to add users to groups (or to perform other Oracle Internet Directory-related tasks), you must use Oracle Directory Manager.

  
  

B.6.1 Using Oracle Directory Manager to Add Users to Groups

When you must log in as the cn=orcladmin superuser to add users to groups, you must use Oracle Directory Manager, instead of Oracle Delegated Administration Services.

To add users to groups using Oracle Directory Manager:

1. Use the following commands to start Oracle Directory Manager:

   # cd $ORACLE_HOME/bin
   # ./oidadmin
   
   

   In the preceding command, ORACLE_HOME refers to the home directory where Oracle Internet Directory is installed.

2. In the Oracle Directory Manager Connect screen, enter the connect information for Oracle Internet Directory:

   • Enter cn=orcladmin in the User field.

   • Enter the password for cn=orcladmin in the Password field.

   • Click the icon at the right of the field to enter the name of the computer running Oracle Internet Directory in the Server field.

   • Enter the port number on which Oracle Internet Directory is listening, in the Port field.

   • Click Login.

3. On the left side, navigate to the group to which you want to add users. Select the group on the left side to display its attributes on the right side.

   For instructions on navigation to global groups, refer to Section B.6.1.1.

   For instructions on navigation to repository groups, refer to Section B.6.1.2.

   For instructions on navigation to, refer to Section B.6.1.3.

4. Add the DNs of the users to the uniquemember attribute.

B.6.1.1 Navigating to Global Groups

The global groups are listed in Table B-1. The general navigation path is as follows:

1. Click the top-level entry, Oracle Internet Directory Servers, then click the specific Oracle Internet Directory.

2. Click Entry Management and then click cn=OracleContext.

3. Click cn=Groups.

4. Click the group to which you want to add users.

B.6.1.2 Navigating to Oracle Collaboration Suite 10g Database Groups

The database groups are listed in Table B-2. The general navigation path is as follows:

1. Click the top-level entry, Oracle Internet Directory Servers, then click the specific Oracle Internet Directory.

2. Click Entry Management and then click cn=OracleContext.

3. Click cn=Products and then click cn=IAS.

4. Click cn=IAS Infrastructure Databases.

5. Click orclReferenceName=dbName, where dbName is the name of the database.

6. Click the group to which you want to add users.

B.6.1.3 Navigating to Component Groups

The component groups are listed in Table B-3.

The general navigation path is as follows:

1. Click the top-level entry, Oracle Internet Directory Servers and then click the specific Oracle Internet Directory.

2. Click Entry Management and then click cn=OracleContext.

3. Click cn=Products.

4. Click the particular component, for example, cn=DAS or cn=Apps, to whose groups you want to add users.

5. Click orclApplicationCommonName=appName, where appName is specific to the component and Collaboration Suite instance. If you have installed multiple instances of a component, then multiple instances of this entry appear on the screen.

6. Click the group to which you want to add users.

B.6.2 Using the Deployment Delegation Console to Add Users to Groups

Using the Deployment Delegation Console, which is installed as part of Oracle Delegated Administration Services, you can add users to, or remove users from the following groups:

• Repository Owners

• Mid-Tier Administrators

• Component Owners

Note: You can add users to these groups only if these groups have existing members other than the cn=orcladmin superuser. If the only member of these groups is the superuser, then you must use Oracle Directory Manager to add users to these groups. Refer to Section B.6.1 for more information.

To add users to these groups:

1. Ensure that Oracle Delegated Administration Services and Oracle Internet Directory are running.

2. Display the Deployment Delegation Console page.

   The URL is:

   http://hostname:port/oiddas/ui/oidinstallhome
   
   

   Here, hostname specifies the name of the computer where you installed Oracle Delegated Administration Services and port specifies the port on which Oracle HTTP Server is listening.

3. Click Login.

4. Enter a user name and password to log in to Oracle Internet Directory, and click Login.

   The login user must have sufficient privileges to enable you to add users to the desired group:

   To Add Users to This Group:	Log in as a User Who Belongs to:
   Repository Owners	The same Repository Owners group
   Mid-Tier Administrators	The Repository Owners group for the same repository
   Component Owners	The same Component Owners group

   
   

5. Perform these steps to add users to the desired group:

   To Add Users to the Repository Owners Group	To Add Users to the Mid-Tier Administrators Group	To Add Users to the Component Owners Group
   Click the Repository tab. This displays all the metadata repositories for which you are an owner. Select the database to which you want to add a user, and click Manage Owners. On the page that displays the current owners, click Add. Enter the first few characters of the user name in the Search field, and click Go. If you leave the Search field empty and click Go, then you would get a list of all the users in Oracle Internet Directory. Select the user that you want to add to the Repository Owners group, and click Select. Click Submit on the Manage Repository Owners page.	Click the Repository tab. This displays all the metadata repositories for which you are an owner. Select the database to which you want to add a user, and click Manage Administrators. On the page that displays the current administrators, click Add. Enter the first few characters of the user name in the Search field, and click Go. If you leave the Search field empty and click Go, then you would get a list of all the users in Oracle Internet Directory. Select the user that you want to add to the Mid-Tier Administrators group, and click Select. Click Submit on the Manage Administrators page.	Click the Components tab. This displays all the components for which you are an owner. Select the component to which you want to add a user, and click Manage Owners. On the page that displays the current component owners, click Add. Enter the first few characters of the user name in the Search field, and click Go. If you leave the Search field empty and click Go, then you would get a list of all the users in Oracle Internet Directory. Select the user that you want to add to the Component Owners group, and click Select. Click Submit on the Manage Component Owners page.

   
   

B.7 Contents of a New Oracle Internet Directory

When you install Oracle Collaboration Suite 10g Infrastructure with Oracle Internet Directory, Oracle Collaboration Suite 10g Database, and Oracle Delegated Administration Services, the Oracle Internet Directory contains the following objects:

• The Global groups, which are listed in Table B-1

• The cn=orcladmin superuser

• The orcladmin user belonging to the default realm

• An entry for the instance of Oracle Collaboration Suite 10g Database registered with the Oracle Internet Directory

  This database is associated with the groups listed in Table B-2. The cn=orcladmin superuser is a member of the Repository Owners group.

• An application entity entry for the Oracle Delegated Administration Services component

  This component is associated with the groups listed in Table B-3. The cn=orcladmin superuser is a member of the Component Owners group.

  To enable other users to install additional instances of Oracle Delegated Administration Services, log in as cn=orcladmin in Oracle Directory Manager and add the users to the Component Owners group. Refer to Section B.6.1.

B.8 User Name and Realm for Logging In to Oracle Internet Directory

The installer displays the Specify Login for Oracle Internet Directory screen in each of the following scenarios:

• You are installing Oracle Collaboration Suite 10g Infrastructure and using an existing Oracle Internet Directory.

• You are installing an Applications tier that requires an Infrastructure.

This screen prompts you to enter the login details and realm required to log in to Oracle Internet Directory.

Username

Enter either the simple user name or the DN of the user in the Username field.

Example of a simple user name: jdoe

Example of a DN: cn=ocsadmin

The user must belong to specific groups for installing and configuring certain components. Refer to Table B-4 for details.

To specify the superuser, enter cn=orcladmin instead of orcladmin in the Username field.

Realm

The Realm field appears only if your Oracle Internet Directory contains more than one realm. The user name that you enter is authenticated against the specified realm. If you are not sure about the name of the realm, then contact your Oracle Internet Directory administrator.

Examples of names of realms are:

• In a hosted deployment, the realm name might be similar to the name of the hosted company: XYZCorp.

• Within an enterprise, you might have separate realms for internal users and external users. The realm name for the external users could be externalUsers.