Using an LDAP Server for Oracle Java CAPS JMS IQ Manager User Management
You can configure a Oracle Java CAPS JMS IQ Manager to use
an LDAP server for user management. A realm is a collection of users, groups,
and roles that are used in enforcing security policies. The JMS IQ Manager
supports multiple LDAP realms running at the same time.
When you perform the following steps, access to the JMS IQ Manager is
granted only when the connection has a valid user name and password.
For a list of supported LDAP servers, see Java CAPS 6.3 Components and Supported External Systems in Planning for Oracle Java CAPS 6.3 Installation . For basic information about
Oracle Java CAPS JMS IQ Manager user management, see Managing Java CAPS Users.
Configuring the LDAP Server
In the following procedure, you create users and roles in the LDAP server.
To Configure the LDAP server
- Create one or more JMS IQ Manager users.
- Create one or more of the following roles:
|
|
|---|
application |
Enables clients to access the
JMS IQ Manager. |
asadmin |
Enables use of the JMS control utility (stcmsctrlutil) or Enterprise Manager,
and enables clients to access the JMS IQ Manager. |
|
- Assign the roles to your users as needed.
Configuring the Oracle Java CAPS JMS IQ Manager
You must configure the JMS IQ Manager so it can locate the
LDAP server and find the appropriate information. You can enable more than one LDAP
server and you can specify the default realm.
To Configure the Oracle Java CAPS JMS IQ Manager
- If the GlassFish server is not running, start it before proceeding.
- Log in to the Configuration Agent. The format of the URL is http://hostname:port-number/configagent. Set
the hostname to the TCP/IP host name of the computer where the application
server is installed. Set the port number to the administration port number of
the application server. For example:
http://localhost:4848/configagent
- In the left pane, click the JMS IQ Manager node (for example,
IQ_Manager_18007).
- Click the Access Control tab.
- Ensure that the check box to the right of the Require Authentication label
is selected.
- If you want to change the default realm, select a new realm from
the Default Realm drop-down list.
- To disable the file realm, deselect the check box to the right of
Enable File Realm.
Note - Disable file realm when using Oracle Internet Directory or Oracle Virtual Directory.
- To enable Oracle Directory Server Enterprise Edition, select the check box to the
right of Enable Sun Java System Directory Server and click Show Properties. Modify
the values for the properties as described in Table 1.
The default values are intended to match the standard schema of Oracle Directory
Server Enterprise Edition.
- To enable Active Directory, select the check box to the right of Enable
Microsoft Active Directory Server and click Show Properties. Modify the values for the properties
as described in Table 2.
The default values are intended to match the standard schema of Active Directory.
- To enable OpenLDAP Directory Server, select the check box to the right of Enable
Generic LDAP Server and click Show Properties. Modify the values for the properties
as described in Table 3.
- To enable Oracle Internet Directory, select the check box to the right of
Enable Oracle Internet Directory Server and click Show Properties. Enter values for the
properties as described in Table 4.
The default values are intended to match the standard schema of Oracle Internet
Directory.
- To enable Oracle Virtual Directory, select the check box to the right of
Enable Oracle Virtual Directory Server and click Show Properties. Enter values for the
properties as described in Table 5.
The following table describes the properties that appear. The default values are intended to
match the standard schema of Oracle Directory Server Enterprise Edition. Review the default
value for each property. If necessary, modify the default value.
- Click Save.
Access Control LDAP Server Properties
The following tables describe the access control properties that appear for each LDAP
server:
The following table lists the Oracle Directory Server Enterprise Edition (formerly Sun Java
System Directory Server) properties on the Access Control page of the Configuration Agent.
Table 1 Oracle Directory Server Enterprise Edition Access Control Properties
|
|
|---|
Naming
Provider URL |
The URL of the Java Naming and Directory Interface (JNDI) service provider. The
default value is ldap://IP_address:589. |
Naming Initial Factory |
The fully qualified name of the factory
class that creates the initial context. The initial context is the starting point
for JNDI naming operations. The default value is com.sun.jndi.ldap.LdapCtxFactory. |
Naming Security Authentication |
The security level to
use in JNDI naming operations. The default value is simple. |
Naming Security Principal |
The security
principal used for connecting to the LDAP server. |
Naming Security Credentials |
The password of
the naming security principal. The default value is STC. The value is encrypted when
you save and then view it again. |
Group DN Attribute Name in Group |
The
name of the Distinguished Name attribute in group entries. The default value is
entrydn. |
Group Name Field in Group DN |
The name of the group name field
in group Distinguished Names. The default value is cn. |
Groups of User Filter Under
Groups Parent DN |
The LDAP search filter used to retrieve all of a
user’s groups. This property follows the syntax supported by the java.text.MessageFormat class with
{1} indicating where the user’s Distinguished Name should be inserted. The default value is
uniquemember={1}. |
Groups Parent DN |
The parent Distinguished Name of the group entries. In other words,
this property specifies the root entry of the groups portion of the LDAP
directory. |
Role Name Attribute Name in User |
The name of the role name attribute
in user entries. The default value is nsroledn. |
Role Name Field in Role DN |
The
name of the role name field in role Distinguished Names. The default value
is cn. |
Roles Parent DN |
The parent Distinguished Name of the role entries. In
other words, this property specifies the root entry of the roles portion of the
LDAP directory. |
|
By default, the groups portion of the LDAP
directory is searched only one level below the root entry. To enable searches
of the entire subtree, set the value to true. The default value is false. |
Search
Roles Sub Tree |
By default, the roles portion of the LDAP directory is
searched only one level below the root entry. To enable searches of the
entire subtree, set the value to true. The default value is false. |
Search Users Sub
Tree |
By default, the users portion of the LDAP directory is searched only one
level below the root entry. To enable searches of the entire subtree, set
the value to true. The default value is false. |
User DN Attribute Name in
User |
The name of the Distinguished Name attribute in user entries. The default value
is entrydn. |
User ID Attribute Name in User |
The name of the user ID
attribute in user entries. The default value is uid. |
Users Parent DN |
The parent Distinguished
Name of the user entries. In other words, this property specifies the root
entry of the users portion of the LDAP directory. |
|
The following table lists the Microsoft Active Directory Server properties on the Access
Control page of the Configuration Agent.
Table 2 Microsoft Active Directory Server Access Control Properties
|
|
|---|
Naming Provider URL |
The URL of the Java
Naming and Directory Interface (JNDI) service provider. The default value is ldap://IP_address:389. |
Naming Initial Factory |
The
fully qualified name of the factory class that creates the initial context. The
initial context is the starting point for JNDI naming operations. The default value is
com.sun.jndi.ldap.LdapCtxFactory. |
Naming Security Authentication |
The security level to use in JNDI naming operations. The default
value is simple. |
Naming Security Principal |
The security principal used for connecting to the
LDAP server. |
Naming Security Credentials |
The password of the naming security principal. The default value
is STC. The value is encrypted when you save and then view it
again. |
Users Parent DN |
The parent Distinguished Name of the user entries. In other words,
this property specifies the root entry of the users portion of the LDAP
directory. |
User DN Attribute Name in User |
The name of the Distinguished Name attribute
in user entries. The default value is distinguishedName. |
User ID Attribute Name in User |
The
name of the user ID (that is, the login ID) attribute in user
entries. The default value is sAMAccountName. |
Roles Parent DN |
The parent Distinguished Name of the
role entries. In other words, this property specifies the root entry of the
roles portion of the LDAP directory. |
Role DN Attribute Name in Role |
The name of
the Distinguished Name attribute in role entries. The default value is cn. |
Roles of
User Filter Under Roles Parent DN |
The LDAP search filter used to retrieve
all of a user’s roles. This property follows the syntax supported by the
java.text.MessageFormat class with {1} indicating where the user’s Distinguished Name should be inserted. The
default value is (&(member={1})(objectclass=group)). |
Groups Parent DN |
The parent Distinguished Name of the group
entries. In other words, this property specifies the root entry of the groups
portion of the LDAP directory. |
Group DN Attribute Name in Group |
The name of the
Distinguished Name attribute in group entries. The default value is distinguishedName. |
Group Name Field
in Group DN |
The name of the group name field in group Distinguished
Names. The default value is cn. |
Groups of User Filter Under Groups Parent DN |
The
LDAP search filter used to retrieve all of a user’s groups. This property
follows the syntax supported by the java.text.MessageFormat class with {1} indicating where
the user’s Distinguished Name should be inserted. The default value is (&(member={1})(objectclass=group)). |
|
By
default, the groups portion of the LDAP directory is searched only one level
below the root entry. To enable searches of the entire subtree, set the
value to true. The default value is false. |
Search Users Sub Tree |
By default, the
users portion of the LDAP directory is searched only one level below the
root entry. To enable searches of the entire subtree, set the value to
true. The default value is false. |
Search Roles Sub Tree |
By default, the roles portion
of the LDAP directory is searched only one level below the root entry.
To enable searches of the entire subtree, set the value to true. The default
value is false. |
|
The following table lists the OpenLDAP Directory Server properties on the Access Control
page of the Configuration Agent.
Table 3 OpenLDAP Directory Server Access Control Properties
|
|
|---|
Naming Provider URL |
The URL of the Java Naming
and Directory Interface (JNDI) service provider. The default value is ldap://IP_address:489. |
Naming Initial Factory |
The fully
qualified name of the factory class that creates the initial context. The initial
context is the starting point for JNDI naming operations. The default value is com.sun.jndi.ldap.LdapCtxFactory. |
Naming
Security Authentication |
The security level to use in JNDI naming operations. The default value
is simple. |
Users Parent DN |
The parent Distinguished Name of the user entries. In
other words, this property specifies the root entry of the users portion of the
LDAP directory. |
User ID Attribute Name in User |
The name of the user ID
attribute in user entries. The default value is uid. |
Roles Parent DN |
The parent Distinguished
Name of the role entries. In other words, this property specifies the root
entry of the roles portion of the LDAP directory. |
Role Name Attribute Name in
Role |
The name of the role name attribute in user entries. The default value
is cn. |
Roles of User Filter Under Roles Parent DN |
The LDAP search filter
used to retrieve all of a user’s roles. This property follows the syntax
supported by the java.text.MessageFormat class with {1} indicating where the user’s Distinguished Name
should be inserted. The default value is uniquemember={1}. |
Group Name Field in Group DN |
The
name of the group name field in group Distinguished Names. The default value
is cn. |
Groups Parent DN |
The parent Distinguished Name of the group entries. In
other words, this property specifies the root entry of the groups portion of the
LDAP directory. |
Groups of User Filter Under Groups Parent DN |
The LDAP search filter
used to retrieve all of a user’s groups. This property follows the syntax
supported by the java.text.MessageFormat class with {1} indicating where the user’s Distinguished Name
should be inserted. The default value is uniquemember={1}. |
|
By default, the groups
portion of the LDAP directory is searched only one level below the root
entry. To enable searches of the entire subtree, set the value to true. The
default value is false. |
Search Users Sub Tree |
By default, the users portion of
the LDAP directory is searched only one level below the root entry. To
enable searches of the entire subtree, set the value to true. The default value
is false. |
Search Roles Sub Tree |
By default, the roles portion of the LDAP
directory is searched only one level below the root entry. To enable searches
of the entire subtree, set the value to true. The default value is false. |
|
The following table lists the Oracle Internet Directory properties on the Access Control
page of the Configuration Agent.
Table 4 Oracle Internet Directory Access Control Properties
|
|
|---|
Naming Provider URL |
The URL of the Java Naming
and Directory Interface (JNDI) service provider. The default value is ldap://127.0.0.1:3060. |
Naming Initial Factory |
The fully
qualified name of the factory class that creates the initial context. The initial
context is the starting point for JNDI naming operations. The default value is com.sun.jndi.ldap.LdapCtxFactory. |
Naming
Security Authentication |
The security level to use in JNDI naming operations. The default value
is simple. |
Naming Security Principal |
The security principal to use for connecting to the
LDAP server. The default value is cn=orcladmin. |
Naming Security Credentials |
The password of the naming
security principal. The default value is welcome1. The value is encrypted when you save
and then view it again. |
Users Parent DN |
The parent Distinguished Name of the
user entries. This property specifies the root entry of the users portion of
the LDAP directory. The default value is cn=People,dc=sun,dc=com. |
User ID Attribute Name in User |
The
name of the user ID attribute in user entries. The default value is
cn. |
Roles Parent DN |
The parent Distinguished Name of the role entries. This property specifies
the root entry of the roles portion of the LDAP directory. The default
value is ou=capsroles,dc=sun,dc=com. |
Role Name Attribute Name in User |
The name of the role
name attribute in user entries. The default value is cn. |
Roles of User Filter
Under Roles Parent DN |
The LDAP search filter used to retrieve all of
a user’s roles. This property follows the syntax supported by the java.text.MessageFormat class
with {1} indicating where the user’s Distinguished Name should be inserted. The default value
is (uniqueMember={1}). |
Search Roles Sub Tree |
By default, the roles portion of the LDAP
directory is searched only one level below the root entry. To enable searches
of the entire subtree, set the value to true. The default value is false. |
Search
Users Sub Tree |
By default, the users portion of the LDAP directory is
searched only one level below the root entry. To enable searches of the
entire subtree, set the value to true. The default value is false. |
|
The following table lists the Oracle Virtual Directory properties on the Access Control
page of the Configuration Agent.
Table 5 Oracle Virtual Directory Access Control Properties
|
|
|---|
Naming Provider URL |
The URL of the Java Naming
and Directory Interface (JNDI) service provider. The default value is ldap://127.0.0.1:6501. |
Naming Initial Factory |
The fully
qualified name of the factory class that creates the initial context. The initial
context is the starting point for JNDI naming operations. The default value is com.sun.jndi.ldap.LdapCtxFactory. |
Naming
Security Authentication |
The security level to use in JNDI naming operations. The default value
is simple. |
Naming Security Principal |
The security principal to use for connecting to the
LDAP server. The default value is cn=orcladmin. |
Naming Security Credentials |
The password of the naming
security principal. The default value is welcome1. The value is encrypted when you save
and then view it again. |
Users Parent DN |
The parent Distinguished Name of the
user entries. This property specifies the root entry of the users portion of
the LDAP directory. The default value is cn=People,dc=sun,dc=com. |
User ID Attribute Name in User |
The
name of the user ID attribute in user entries. The default value is
cn. |
Roles Parent DN |
The parent Distinguished Name of the role entries. This property specifies
the root entry of the roles portion of the LDAP directory. The default
value is ou=capsroles,dc=sun,dc=com. |
Role Name Attribute Name in User |
The name of the role
name attribute in user entries. The default value is cn. |
Roles of User Filter
Under Roles Parent DN |
The LDAP search filter used to retrieve all of
a user’s roles. This property follows the syntax supported by the java.text.MessageFormat class
with {1} indicating where the user’s Distinguished Name should be inserted. The default value
is (uniqueMember={1}). |
Search Roles Sub Tree |
By default, the roles portion of the LDAP
directory is searched only one level below the root entry. To enable searches
of the entire subtree, set the value to true. The default value is false. |
Search
Users Sub Tree |
By default, the users portion of the LDAP directory is
searched only one level below the root entry. To enable searches of the
entire subtree, set the value to true. The default value is false. |
|
