|Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory
11g Release 1 (11.1.1)
Part Number E10029-03
This chapter assumes you have installed and configured Oracle Internet Directory as described in: Oracle Fusion Middleware Installation Guide for Oracle Identity Management. This chapter describes the management interfaces and documents the first tasks you must perform as an administrator of Oracle Internet Directory.
It contains the following sections:
To patch an existing system to 11g Release 1 (11.1.1), follow the procedures in Oracle Fusion Middleware Patching Guide. In addition, perform the following tasks:
If you have SSL server authentication enabled and cipher suites configured, deselect the configured cipher suites before patching your system. You can do this by using Oracle Enterprise Manager Fusion Middleware Control, as described in "Configuring SSL Parameters by Using Fusion Middleware Control". If you do not deselect the cipher suites before patching, you will be unable to use Oracle Enterprise Manager Fusion Middleware Control or WLST after patching.
If you discover this problem after patching, clear the configured cipher suites by resetting the orclsslciphersuite attribute in the instance-specific configuration entry with ldapmodify. The LDIF file for resetting orclsslciphersuite in the instance-specific entry is:
dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclsslciphersuite
orclsslciphersuite: negotiateit
The command is:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
The -q option prompts for the password instead of taking it on the command line, so it does not appear in shell history or ps output.
Restart Oracle Internet Directory as described in "Restarting the Oracle Internet Directory Server by Using opmnctl".
If replication is configured in your existing Oracle Internet Directory environment, you must follow the procedure in Appendix Q, "Performing a Rolling Upgrade."
Set the environment variables described at the beginning of "Using Command-Line Utilities to Manage Oracle Internet Directory".
See Appendix P, "Starting and Stopping the Oracle Stack" for information.
| URL or Port | Default Value |
| Oracle Directory Services Manager (ODSM) | |
| Oracle Enterprise Manager Fusion Middleware Control | |
| Oracle WebLogic Server Administrative Console | |
| Oracle Internet Directory LDAP | |
| Oracle Internet Directory LDAPS | |
The default Oracle Internet Directory configuration must be tuned in almost all deployments. You must change the values of certain configuration attributes, based on your deployment. See the "Basic Tuning Recommendations" section of the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide, especially the tables "Minimum Values for Oracle Database Instance Parameters" and "LDAP Server Attributes to Tune."
For more information about tuning, see the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide. For descriptions of all the attributes, see Chapter 9, "Managing System Configuration Attributes" and Chapter 40, "Managing Replication Configuration Attributes."
Anonymous searches, except those on the root DSE, are disabled by default. In some deployment environments, clients might need access to more than the root DSE. If you have such a deployment, set the orclanonymousbindsflag attribute to 1. See "Managing Anonymous Binds" for more information.
On many operating systems, only processes running with superuser privilege can use port numbers less than 1024. By default, Oracle Identity Management 11g Installer does not assign privileged ports to Oracle Internet Directory, although you can override the default by using staticports.ini. (See Oracle Fusion Middleware Installation Guide for Oracle Identity Management.)
If you want to change the SSL and non-SSL ports to numbers in the privileged range after installation, proceed as follows:
root user, execute
Reassign the port numbers in one of the following ways:
Change the SSL Port and Non-SSL Port values on the General tab of the Server Properties page in Oracle Enterprise Manager Fusion Middleware Control, as described in "Configuring Server Properties".
Change the values of orclnonsslport and orclsslport in the instance-specific configuration entry by using ldapmodify, as described in "Setting System Configuration Attributes by Using ldapmodify".
If you changed the ports by using the command line, run
updatecomponentregistration, as described in "Updating the Component Registration of an Oracle Instance by Using opmnctl". (This step is not necessary if you are running a standalone instance of Oracle Internet Directory, as described in "Creating Additional Oracle Internet Directory Instances".)
Restart Oracle Internet Directory, as described in "Restarting the Oracle Internet Directory Server by Using Fusion Middleware Control" or "Restarting the Oracle Internet Directory Server by Using opmnctl".
To ensure that the Oracle Internet Directory garbage collection logic works correctly, verify the Oracle Database dbtimezone parameter, as described in "Set Oracle Database Time Zone for Garbage Collection".
Oracle Enterprise Manager Fusion Middleware Control is a graphical user interface that provides a comprehensive systems management platform for Oracle Fusion Middleware. Fusion Middleware Control organizes a wide variety of performance data and administrative functions into distinct, Web-based home pages for the domain, Oracle instances, middleware system components, and applications.
If you selected Configure Without a Domain when prompted for a domain while installing Oracle Internet Directory, Oracle Enterprise Manager Fusion Middleware Control will not be available.
Oracle Enterprise Manager Fusion Middleware Control manages Oracle Internet Directory through its SSL port. The Oracle Internet Directory SSL port must be configured for no authentication or server authentication. If the Oracle Internet Directory SSL port is configured for mutual authentication, you will not be able to change Oracle Internet Directory parameters by using Oracle Enterprise Manager Fusion Middleware Control. See "SSL Authentication Modes".
For information about supported browsers for Fusion Middleware Control and Oracle Directory Services Manager, refer to System Requirements and Supported Platforms for Oracle Fusion Middleware 11gR1, which is linked from:
Oracle Internet Directory is a target type in Oracle Enterprise Manager Fusion Middleware Control. To use the interface to Oracle Internet Directory:
The URL is of the form:
In the left panel topology tree, expand the domain, then Fusion Middleware, then Identity and Access. Alternatively, from the domain home page, expand Fusion Middleware, then Identity and Access. Instances of Oracle Internet Directory are listed in both places. To view the full name of a component instance, move the mouse over the instance name.
Select the Oracle Internet Directory component you want to manage.
Use the Oracle Internet Directory menu to select tasks.
You can use the Oracle Internet Directory menu to navigate to other Fusion Middleware Control pages for Oracle Internet Directory, navigate to Oracle Directory Services Manager pages for Oracle Internet Directory, and perform other tasks, as described in Table 7-1.
Table 7-1 Using the Oracle Internet Directory Menu
| Task | Select |
| Return to Home page | |
| View a performance summary | Monitoring, then Performance |
| Start, stop, or restart the Oracle Internet Directory component | Control, then Start Up, Shut Down, or Restart, respectively |
| View Oracle Internet Directory logs | Logs, then View Log Messages |
| View non-SSL and SSL port information | |
| Manage properties that are specific to this Oracle Internet Directory component | Administration, then Server Properties |
| Manage properties that are shared by all Oracle Internet Directory components that are connected to the same Oracle Database | Administration, then Shared Properties |
| Set up replication | Administration, then Replication Management |
| Get tuning and sizing recommendations | Administration, then Tuning and Sizing |
| Manage Oracle Internet Directory entries by using Oracle Directory Services Manager | Directory Services Manager, then Data Browser |
| Manage the Oracle Internet Directory schema by using Oracle Directory Services Manager | Directory Services Manager, then Schema |
| Manage Oracle Internet Directory security by using Oracle Directory Services Manager | Directory Services Manager, then Security |
| Manage Oracle Internet Directory advanced features by using Oracle Directory Services Manager | Directory Services Manager, then Advanced |
| Configure auditing for Oracle Internet Directory | Security, then Audit Policy Settings |
| Create wallets for Oracle Internet Directory | Security, then Wallets |
This section contains the following topics:
Oracle Directory Services Manager is a web-based interface for managing instances of Oracle Internet Directory and Oracle Virtual Directory. It is a replacement for Oracle Directory Manager, which is now deprecated. Oracle Directory Services Manager enables you to configure the structure of the directory, define objects in the directory, add and configure users, groups, and other entries. ODSM is the interface you use to manage entries, schema, security, and other directory features.
You can also use ODSM to manage system configuration attributes, which can be useful if Fusion Middleware Control is not available or if you must modify an attribute that has no Fusion Middleware Control interface. See "Managing System Configuration Attributes by Using ODSM Data Browser" and "Managing Entries by Using Oracle Directory Services Manager".
When you use JAWS with ODSM, whenever a new window pops up, JAWS reads "popup." To read the entire page, enter the keystrokes Insert+b.
Oracle Directory Services Manager allows you to connect to Oracle Internet Directory as any user with a valid DN and password in the directory. If you connect as the super user, cn=orcladmin, or as a user who is a member of cn=DirectoryAdminGroup,cn=oracle internet directory, you can access all the tabs in the interface. If you log in as any other user, you can access only the Home and Data Browser tabs.
You can configure Oracle Directory Services Manager to use Single Sign-On (SSO). When configured with SSO, Oracle Directory Services Manager allows a user who has been authenticated by the SSO server to connect to an SSO-enabled directory without logging in, provided that user has privileges to manage the directory.
Oracle Directory Services Manager maintains a list of Oracle Virtual Directory servers that SSO-authenticated users can manage. To validate whether an SSO-authenticated user has the required privileges to manage Oracle Virtual Directory, Oracle Directory Services Manager maps the SSO-authenticated user to a DN in the Oracle Virtual Directory server.
Oracle Directory Services Manager uses proxy authentication to connect to the directory. The proxy user's DN and password are stored in a secure storage framework called the Credential Store Framework (CSF).
To map an SSO-authenticated user, Oracle Directory Services Manager authenticates to the Oracle Virtual Directory server using the credentials of a user with proxy privileges. Oracle Directory Services Manager then tries to map the SSO-authenticated user's unique identifier to the Oracle Virtual Directory user's unique identifier.
The WLS Administrator configures the proxy user's credentials, unique identifier attribute, and the base DN under which Oracle Directory Services Manager searches for the user, which are stored in the CSF. If Oracle Directory Services Manager gets a valid DN, it maps the SSO-authenticated user to that DN. When the SSO-authenticated user is mapped to a valid DN, Oracle Directory Services Manager uses proxy authentication to connect to the Oracle Virtual Directory server with the SSO-authenticated user's mapped DN.
To configure SSO integration, see the following sections:
To configure ODSM-SSO integration, use the ODSM Proxy Bind Configuration Screen, at /odsm-config. Log in as the WebLogic administrator.
On this screen, you provide Oracle Directory Services Manager with the set of directory servers that SSO users can manage. This screen lists the Single Sign-On accessible directories.
Use the View list to modify the number and order of the columns. To remove an existing directory, click Remove.
To modify an existing directory, click Modify.
To add a new Single Sign-On accessible directory, click Add.
When you click Modify or Add, the Directory Details screen appears. Proceed as follows:
Select Non-SSL or SSL from the Port Type list.
Select OID or OVD from the Directory Type list.
Provide the following information:
Host and Port of the directory.
Proxy User's DN and Password: The DN and password that Oracle Directory Services Manager uses for proxy authentication.
User Container DN: The DN under which user entries are located in the directory.
User Lookup Attribute: A unique attribute for looking up a user's DN in the directory. For example, if the SSO server sends the user's mail ID to Oracle Directory Services Manager as the user's unique identifier, you can configure
Click Validate to verify your directory connection details.
Oracle Directory Services Manager authenticates to the directory server with the credentials provided.
Click Apply to apply your selections.
Click Revert to abandon your selections.
Specify the SSO server's Logout URL in the SSO Logout URL text box.
For example, http://myoamhost.mycompany.com:14100/oam/server/logout is the default Logout URL for the Oracle Access Manager 11g server. If you only configure this field, Oracle Directory Services Manager displays the Login link at the top right corner of the Oracle Directory Services Manager page.
To make SSO-ODSM integration work correctly, you must configure specific ODSM URLs as protected or unprotected.
ODSM's home page must be an unprotected URL. That is, all users must be able to access the ODSM home page, including those who have not gone through the SSO authentication process.
/odsm/odsm-sso.jsp must be protected by the SSO server. When a user clicks the Login link appearing on the top right corner of the home page, ODSM redirects the user to /odsm/odsm-sso.jsp. The SSO server challenges the user for a username and password, if the user is not already authenticated. Upon successful authentication, the user is directed back to the ODSM home page.
You must configure /odsm/odsm-sso.jsp as a protected URL. In addition you must configure the following URLs as unprotected URLs:
You can use either Oracle Access Manager 11g or Oracle Access Manager 10g as your SSO provider.
To configure Oracle Access Manager 11g, see "Deploying the OAM 11g SSO Solution" in Oracle Fusion Middleware Application Security Guide.
You must configure the Oracle Access Manager server to send the SSO-authenticated user's unique identifier to Oracle Directory Services Manager in an HTTP header. Oracle Directory Services Manager looks first for the OAM_REMOTE_USER HTTP header, which the Oracle Access Manager server sets by default. If that header is not available, Oracle Directory Services Manager looks for the odsm-sso-user-unique-id HTTP header. If neither header is present, Oracle Directory Services Manager SSO integration will not work. Because these headers are the only evidence ODSM has of the user's identity, make sure requests reach the managed server hosting ODSM only through the WebGate-protected Oracle HTTP Server described below, not directly from clients.
In addition to sending the user's unique identifier in an HTTP header, you can optionally configure Oracle Access Manager to send the following HTTP headers:
odsm-sso-user-firstname HTTP header to send the user's first name.
odsm-sso-user-lastname HTTP header to send the user's last name.
If these headers are available, Oracle Directory Services Manager displays the user's first name and last name in the “Logged in as” section located in the top right corner of Oracle Directory Services Manager. If the first name or the last name is not available, Oracle Directory Services Manager displays the user's unique identifier in the “Logged in as” section.
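The mapping described above (header precedence, lookup of the unique identifier under the User Container DN by the User Lookup Attribute, and the requirement that exactly one entry be found before proxying as that DN) is shown here as an added, runnable model. It is not Oracle's code: the directory is an in-memory stand-in for the OID/OVD server, and the DNs, header values and configuration are constructed samples. It adds one thing ODSM's description leaves implicit: the identifier arrives from an HTTP header and is interpolated into an LDAP search filter, so it is escaped per RFC 4515 before use, which is what keeps a value such as "*" from matching every entry in the container.

```python
"""Model of how ODSM resolves an SSO-authenticated user to a directory DN
before proxy-binding as that user (added illustration, not Oracle code).
The directory, headers and DNs below are constructed samples."""
import re

# RFC 4515 escaping for values interpolated into an LDAP search filter. The
# unique identifier is untrusted input from an HTTP header.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unique_id_from_headers(headers):
    """Documented precedence: OAM_REMOTE_USER first, then odsm-sso-user-unique-id.
    Header names are matched case-insensitively; None if neither is present."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in ("oam_remote_user", "odsm-sso-user-unique-id"):
        if lower.get(name):
            return lower[name]
    return None


def display_name_from_headers(headers, unique_id):
    """'Logged in as' text: first and last name if both headers are present,
    otherwise the unique identifier."""
    lower = {k.lower(): v for k, v in headers.items()}
    first, last = lower.get("odsm-sso-user-firstname"), lower.get("odsm-sso-user-lastname")
    return f"{first} {last}" if first and last else unique_id


def _unescape(value):
    """Reverse RFC 4515 \\xx escapes so the comparison is on literal characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _attr_matches(attr_value, filter_value):
    """Equality or substring match as a server evaluates it: an unescaped '*'
    is a wildcard, an escaped one (\\2a) is a literal asterisk."""
    parts = [_unescape(p) for p in filter_value.split("*")]
    if len(parts) == 1:
        return attr_value == parts[0]
    if not (attr_value.startswith(parts[0]) and attr_value.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = attr_value.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(attr_value) - len(parts[-1])


def search(directory, base_dn, ldap_filter):
    """Subtree search under base_dn with a single '(attr=value)' filter;
    returns the DNs that match."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    attr, filter_value = m.group(1).lower(), m.group(2)
    hits = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue  # entry lies outside the User Container DN
        if any(_attr_matches(v, filter_value) for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits


def map_sso_user(headers, config, directory):
    """Resolve the SSO identity to exactly one DN under the configured container;
    anything else is refused rather than guessed."""
    unique_id = unique_id_from_headers(headers)
    if unique_id is None:
        raise LookupError("no OAM_REMOTE_USER or odsm-sso-user-unique-id header; "
                          "SSO integration cannot work")
    ldap_filter = f"({config['user_lookup_attribute']}={escape_filter_value(unique_id)})"
    hits = search(directory, config["user_container_dn"], ldap_filter)
    if len(hits) != 1:
        raise LookupError(f"expected exactly one entry for {unique_id!r}, found {len(hits)}")
    return {"dn": hits[0], "display": display_name_from_headers(headers, unique_id)}


# Constructed sample data (hypothetical DNs, names and configuration).
CONFIG = {"user_container_dn": "cn=users,dc=example,dc=com",
          "user_lookup_attribute": "mail"}
SAMPLE_DIRECTORY = {
    "cn=alice,cn=users,dc=example,dc=com": {"mail": ["alice@example.com"]},
    "cn=bob,cn=users,dc=example,dc=com": {"mail": ["bob@example.com"]},
    "cn=svc,cn=services,dc=example,dc=com": {"mail": ["svc@example.com"]},
}
H_OAM = {"OAM_REMOTE_USER": "alice@example.com",
         "odsm-sso-user-firstname": "Alice", "odsm-sso-user-lastname": "Liddell"}
H_FALLBACK = {"odsm-sso-user-unique-id": "bob@example.com"}
H_WILDCARD = {"OAM_REMOTE_USER": "*"}  # hostile value that must not match everyone

if __name__ == "__main__":
    print(map_sso_user(H_OAM, CONFIG, SAMPLE_DIRECTORY))
    print(map_sso_user(H_FALLBACK, CONFIG, SAMPLE_DIRECTORY))
    for h in (H_WILDCARD, {}, {"OAM_REMOTE_USER": "svc@example.com"}):
        try:
            map_sso_user(h, CONFIG, SAMPLE_DIRECTORY)
        except LookupError as err:
            print("refused:", err)
```

The model trusts the header unconditionally, as ODSM does; that trust is only sound when the WebGate-fronted Oracle HTTP Server is the sole path to the managed server. Note also that an ambiguous lookup (two entries with the same lookup attribute value, or an entry outside the User Container DN) is refused rather than resolved to the first hit.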
To configure Oracle Access Manager 10g, see "Deploying SSO Solutions with OAM 10g" in Oracle Fusion Middleware Application Security Guide.
If you are using Oracle HTTP Server to host the SSO server's WebGate agent and as a front end to the WebLogic server hosting ODSM, you must configure Oracle HTTP Server's mod_wl_ohs module to forward all requests starting with /odsm to the WebLogic server hosting ODSM. The mod_wl_ohs module allows requests to be proxied from Oracle HTTP Server to Oracle WebLogic Server.
For more information about mod_wl_ohs, see "Configuring the mod_wl_ohs Module" in Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.
You can invoke Oracle Directory Services Manager directly or from Oracle Enterprise Manager Fusion Middleware Control.
If you selected Configure Without a Domain when prompted for a domain while installing Oracle Internet Directory, Oracle Directory Services Manager will not be available.
For information about supported browsers for Fusion Middleware Control and Oracle Directory Services Manager, refer to System Requirements and Supported Platforms for Oracle Fusion Middleware 11gR1, which is linked from:
In the URL to access Oracle Directory Services Manager, host is the name of the managed server where Oracle Directory Services Manager is running. port is the managed server port number from the WebLogic server. You can determine the exact port number by examining the $Fusion_Middleware_Home/Oracle_Identity_Management_domain/servers/wls_ods/data/nodemanager/wls_ods1.url file, where Fusion_Middleware_Home represents the root directory where Fusion Middleware is installed.
To invoke Oracle Directory Services Manager from Fusion Middleware Control, select Directory Services Manager from the Oracle Internet Directory menu in the Oracle Internet Directory target, then Data Browser, Schema, Security, or Advanced. (You can connect from the Oracle Virtual Directory menu in a similar manner.)
A new browser window, containing the ODSM Welcome screen, pops up. Connect to the server as described in the next section.
When the ODSM Welcome screen appears, you can connect to either an Oracle Internet Directory server or a Oracle Virtual Directory server.
This section contains the following topics:
After you have logged into ODSM, you can connect to multiple directory instances from the same browser window.
Avoid using multiple windows of the same browser program to connect to different directories at the same time. Doing so can cause a
You can log in to the same ODSM instance from different browser programs, such as Internet Explorer and Firefox, and connect each to a different directory instance.
If you change the browser language setting, you must update the session in order to use the new setting. To update the session, either reenter the ODSM URL in the URL field and press Enter or quit and restart the browser.
You log in to a directory server's non-SSL port from Oracle Directory Services Manager as follows:
Click the small arrow to the right of the label Click to connect to a directory. It opens a dialog box containing the following sections:
Live Connections–current connections that you can return to.
Disconnected Connections–a list of directory servers you have connected to and then disconnected from. Oracle Directory Services Manager saves information about connections that you've used previously and lists them, by optional Name or by server, so that you can select them again.
New Connections–used to initiate a new connection
If you are SSO-authenticated, you might see an additional section, described in "Connecting to an SSO-Enabled Directory as an SSO-Authenticated User".
To reconnect to a live connection, click it.
To select a disconnected connection, click the entry. You see a short version of the Login Dialog with most fields filled in. To remove a selection from the list, select it and then select Delete.
To initiate a connection to a new directory server, click Create a New Connection or type Ctrl+N. The New Connection Dialog appears.
Select OID or OVD.
Optionally, enter an alias name to identify this entry on the Disconnected Connections list.
Enter the server and non-SSL port for the Oracle Internet Directory or Oracle Virtual Directory instance you want to manage.
Deselect SSL Enabled.
Enter the user (usually cn=orcladmin) and password.
Select the Start Page you want to go to after logging in.
After you have logged in to an Oracle Internet Directory or Oracle Virtual Directory server, you can use the navigation tabs to select other pages.
The Oracle Directory Services Manager home pages for Oracle Internet Directory and Oracle Virtual Directory list version information about Oracle Directory Services Manager itself, as well as the directory and database. They also list directory statistics.
If you are unfamiliar with SSL authentication modes, see "SSL Authentication Modes".
When you log in to the server's SSL port, you follow the procedure in "Logging in to the Directory Server from Oracle Directory Services Manager", except that you specify the SSL port in Step 5 and do not deselect SSL Enabled in Step 6. After you click Connect in Step 9, you might be presented with a certificate, depending on the type of SSL authentication.
If the directory server is using SSL No Authentication mode (the default), you are not presented with a certificate. SSL No Authentication provides data confidentiality and integrity only, with no authentication using X.509 certificates, so ODSM has no way to verify that it is talking to the intended server.
If the directory server is using SSL Server Authentication Only Mode, when you click connect in Step 9, you are presented with the server's certificate. After manually verifying the authenticity of the server certificate, you can accept the certificate permanently, accept the certificate for the current session only, or reject the certificate. If you accept the certificate permanently, the certificate is stored in its Java Key Store (JKS). From then on, you are not prompted to accept the certificate when you connect to that server. If you accept the certificate only for the current session, you are prompted to accept or reject the certificate every time you connect to the server. If you reject the certificate, ODSM closes the connection to the server.
After ODSM accepts the server's certificate, ODSM sends its own certificate to the server for authentication. The server accepts ODSM's certificate if that certificate is present in its trusted list of certificates.
If the DN of ODSM's certificate is present in the server, you do not need to provide the username and password in the connection dialog.
If the DN of ODSM's certificate is not present in the server, you must provide the user name and password.
ODSM's certificate is a self-signed certificate. You must use the keytool command to assign a CA-signed certificate to ODSM. See Appendix O, "Managing Oracle Directory Services Manager's Java Key Store."
If you have already been authenticated by the single sign-on server, ODSM allows you to connect to SSO-enabled directories without logging in, provided you have an entry in that directory. When you access the ODSM Welcome page, if you have an entry in only one SSO-enabled directory, ODSM connects you to it. If you have entries in more than one SSO-enabled directory, ODSM allows you to select the directory you want to connect to, as follows.
Click the small arrow to the right of the label Click to connect to a directory. In this case, the dialog box contains an extra section, listing SSO-enabled directories you are authorized to connect to. Select the directory you want. ODSM connects you without requesting a username or password.
The default session timeout for Oracle Directory Services Manager is 35 minutes. You can change it by editing the file web.xml, which resides in /war/WEB-INF. (This assumes your managed server is named wls_ods1. Adjust the pathname if your managed server has a different name.)
The file fragment containing the timeout value looks like this:
<session-config>
<session-timeout>35</session-timeout>
</session-config>
After you change the value, restart the managed server or restart Oracle Directory Services Manager through the WebLogic console.
If you edit web.xml, keep in mind that the change might not be permanent. Oracle Directory Services Manager is deployed from /ldap/odsm/odsm.ear to the WebLogic server, which expands odsm.ear into a version-specific cache directory under /servers/wls_ods1/tmp/_WL_user/ (named odsm_<version>, where <version> is the ODSM version string) for performance reasons. This is a temporary cache directory for WebLogic server. If you apply a patch that overwrites /ldap/odsm/odsm.ear, the changes you made to web.xml in the temporary cache directory are also overwritten, so re-check the session-timeout value after every patch.
Perform the following steps to configure Oracle HTTP Server to route Oracle Directory Services Manager requests to multiple Oracle WebLogic Servers in a clustered Oracle WebLogic Server environment:
Create a backup copy of the Oracle HTTP Server's
httpd.conf file. The backup copy provides a source to revert to if you encounter problems after performing this procedure.
Add the following text to the end of the Oracle HTTP Server's httpd.conf file, replacing the placeholder host names and managed server port numbers with the values specific to your environment. Be sure to use <Location /odsm/ > as the first line in the entry. Using <Location /odsm/faces > or <Location /odsm/faces/odsm.jspx > can distort the appearance of the Oracle Directory Services Manager interface.
<Location /odsm/ >
SetHandler weblogic-handler
WebLogicCluster host-name-1:managed-server-port,host-name-2:managed-server-port
</Location>
Note:Oracle Directory Services Manager loses its connection and displays a session time-out message if the Oracle WebLogic Server in the cluster that it is connected to fails. Oracle Directory Services Manager requests are routed to the secondary Oracle WebLogic Server in the cluster that you identified in the httpd.conf file after you log back in to Oracle Directory Services Manager.
TNS_ADMIN - The directory where the database connect string is defined in the tnsnames.ora file. By default it is the $ORACLE_INSTANCE/config directory. The database connect alias, as defined in tnsnames.ora, is OIDDB by default.
Many of the activities that you can perform at the command line can also be performed in Oracle Enterprise Manager Fusion Middleware Control or Oracle Directory Services Manager. A few functions are only available from the command line.
For example:
ldapbind -D "cn=orcladmin" -q -h "myserver.example.com" -p 3060
ldapsearch -b "cn=subschemasubentry" -s base "objectclass=*" -p 3060 \
-D "cn=orcladmin" -q
This book contains many examples of LDAP tool use. See the chapter "Oracle Internet Directory Data Management Tools" in Oracle Fusion Middleware Reference for Oracle Identity Management for a detailed description of each tool.
For security reasons, avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen and might appear in log files, in shell history, or in the output from the ps command. When you supply a password at a prompt, it is not visible on the screen, in ps output, or in log files. Use the -q and -Q options, respectively, instead of the -w password and -P password options.
LDAP tools have been modified to disable the options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to 1. Use this feature whenever possible.
See Also:"Using Passwords with Command-Line Tools" in Oracle Fusion Middleware Reference for Oracle Identity Management.
Oracle Internet Directory provides several tools to help you manage large numbers of entries. See Chapter 15, "Performing Bulk Operations."
See Also:The chapter "Oracle Internet Directory Data Management Tools" in Oracle Fusion Middleware Reference for Oracle Identity Management for a detailed description of each tool.
The Oracle WebLogic Scripting Tool (WLST) is a Jython-based command-line scripting environment that you can use to manage and monitor WebLogic Server domains. To use it to manage and monitor Oracle Internet Directory, you must navigate to the custom MBean tree where Oracle Internet Directory is located. Then you can list, get values, and change values of the managed beans (MBeans) that represent Oracle Internet Directory resources. See "Managing System Configuration Attributes by Using WLST" and "Configuring SSL by Using WLST".
Note: WLST manages Oracle Internet Directory through its SSL port. The Oracle Internet Directory SSL port must be configured for no authentication or server authentication. If the Oracle Internet Directory SSL port is configured for mutual authentication, you will not be able to change Oracle Internet Directory parameters by using WLST. See "SSL Authentication Modes".
Start and stop the LDAP server. See Chapter 8
Manage system configuration attributes. See Chapter 9.
Manage directory entries. See Chapter 13.
Manage directory schema. See Chapter 20.
Configure auditing. See Chapter 22.
Manage log files. See Chapter 23.
Configure SSL. See Chapter 26.
Configure password policies. See Chapter 28.
Configure access control. See Chapter 29.
Get sizing and tuning recommendations for Oracle Internet Directory deployments. See the "Obtaining Recommendations by Using the Tuning and Sizing Wizard" section of the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
Convert an Advanced Replication-based replication agreement to an LDAP-based replication agreement. See "Converting an Advanced Replication-Based Agreement to an LDAP-Based Agreement".
Modify an existing replication setup. See Chapter 41.