Using LDAP with Oracle Java CAPS (Java CAPS Documentation)
Using an LDAP Server for Repository User Management
Configuring Oracle Virtual Directory for the Repository
To Configure LDAP Servers Connected to Oracle Virtual Directory
Configuring Oracle Internet Directory for the Repository
To Configure Oracle Internet Directory
Configuring Oracle Directory Server Enterprise Edition for the Repository
To Configure Oracle Directory Server Enterprise Edition
Configuring the Active Directory Service for the Repository
To Configure the Active Directory Service
Configuring the OpenLDAP Directory Server for the Repository
To Configure the OpenLDAP Directory Server
Configuring the Repository for LDAP Support
Configuring the Repository for LDAP and SSL Support
Configuring SSL on the LDAP Server
Using an LDAP Server for Oracle Java CAPS JMS IQ Manager User Management
Configuring the Oracle Java CAPS JMS IQ Manager
To Configure the Oracle Java CAPS JMS IQ Manager
Access Control LDAP Server Properties
Using an LDAP Server for Enterprise Manager User Management
Configuring Oracle Virtual Directory for Enterprise Manager
To Configure LDAP Servers Connected to Oracle Virtual Directory
Configuring Oracle Internet Directory for Enterprise Manager
To Configure Oracle Internet Directory
Configuring Oracle Directory Server Enterprise Edition for Enterprise Manager
To Configure the Oracle Directory Server Enterprise Edition
Configuring Microsoft Active Directory Service for Enterprise Manager
To Configure the Active Directory Service
Configuring the OpenLDAP Directory Server for Enterprise Manager
To Configure the OpenLDAP Directory Server
Configuring the Enterprise Manager Server
To Configure the Enterprise Manager Server
Configuring Enterprise Manager for LDAP and SSL Support
Configuring SSL on the LDAP Server
Importing the LDAP Server's Certificate
Specifying an Application Configuration Property Dynamically
Enabling the Application Server to Access the LDAP Server
To Enable the Application Server to Access the LDAP Server
Specifying an LDAP URL for a Property
You can configure the Java CAPS Repository to use an LDAP server for user management. When a user attempts to log into the Repository, the user name and password are checked against the user name and password that are stored in the LDAP server. In addition, the list of roles for the user is retrieved from the server to authorize the user’s access to various objects in the Repository.
To configure LDAP support with Java CAPS, you need to configure the LDAP server and then configure the Java CAPS Repository. See the appropriate section below to configure the LDAP server:
Configuring Oracle Directory Server Enterprise Edition for the Repository
Configuring the OpenLDAP Directory Server for the Repository
You configure the Repository so it can locate the LDAP server and find the appropriate information (such as the portion of the directory that contains users). For instructions, see Configuring the Repository for LDAP Support. If you want to encrypt communications between the Repository and the LDAP server, see Configuring the Repository for LDAP and SSL Support.
Managing Java CAPS Users provides basic information about Repository user management.
Oracle Virtual Directory accesses information from multiple directories and databases, giving you a single entry point into the information stored in these directories. Oracle Virtual Directory does not store user and group entries, so instead of configuring Oracle Virtual Directory you configure the LDAP servers to which it connects.
You can perform most administrative tasks, such as configuring the schema and managing the LDAP directory entries, through the Oracle Directory Services Manager or using a set of command-line tools. Oracle Directory Services Manager is available from Oracle Enterprise Manager Fusion Middleware Control or directly from its own URL.
The Data Browser in Oracle Directory Services Manager lets you browse, add, and modify entries. Directory entries appear in the data tree in the left panel, which you can expand to see more information.
Note - For detailed information about how to perform administrative tasks in Oracle Virtual Directory, see the documentation provided with Oracle Virtual Directory.
Perform the following general steps to create the user and roles for each LDAP directory that will connect to Java CAPS through the Oracle Virtual Directory. More complete instructions are provided for certain LDAP directories in the following sections:
Configuring Oracle Directory Server Enterprise Edition for the Repository
Configuring the OpenLDAP Directory Server for the Repository
Oracle Internet Directory runs as an application on an Oracle database. It includes the following main components:
Oracle directory server
Oracle directory replication server
Directory administration tools, including:
Oracle Directory Services Manager
Command-line tools
Oracle Internet Directory pages in Oracle Enterprise Manager Fusion Middleware Control
Oracle Internet Directory Software Developer's Kit
As with Oracle Virtual Directory, you can perform administrative tasks, such as configuring the schema and managing the LDAP directory entries, using Oracle Directory Services Manager (described in Configuring Oracle Virtual Directory for the Repository) or a set of command-line tools. Oracle Directory Services Manager is available from Oracle Enterprise Manager Fusion Middleware Control or directly from its own URL.
Note - For detailed information about how to perform the following steps, see the documentation provided with Oracle Internet Directory.
The entries you create in these steps use the following object classes:
User entry: person, top, organizationalPerson
Organizational unit: organizationalUnit, top
Role entry: organizationalRole, top
Group entry: groupOfUniqueNames
Oracle Directory Server Enterprise Edition version 5.x includes the following primary components:
Directory Server
Administration Server
Directory Server console
The Directory Server console enables you to perform most administrative tasks. The console contains four top-level tabs: Tasks, Configuration, Directory, and Status. The Directory tab displays the directory entries as a tree. You can browse, display, and edit all of the entries and attributes from this tab.
You can also perform administrative tasks manually by editing configuration files or by using command-line utilities.
Oracle Directory Server Enterprise Edition version 6.x provides the following ways for you to manage the entries in a directory:
Directory Service Control Center (DSCC)
Directory Editor
ldapmodify and ldapdelete command-line utilities
DSCC is integrated into the Oracle Java Web Console. DSCC contains five top-level tabs: Common Tasks, Directory Servers, Proxy Servers, Server Groups, and Settings. To access the page where you can browse, add, and modify entries, click the Directory Servers tab, click the name of a server, and then click the Entry Management tab. The Directory Information Tree (DIT) appears on the left.
You can also use the Common Tasks tab to create a new entry or browse data.
Note - For detailed information about how to perform the following steps, see the documentation provided with Oracle Directory Server Enterprise Edition.
Active Directory is a key part of Windows 2003. It provides a wide variety of manageability, security, and interoperability features. The main administration tool is a snap-in called Active Directory Users and Computers.
Active Directory does not support the concept of roles. Therefore, you must simulate the Java CAPS roles in Active Directory using the concept of groups.
Rather than creating the groups within the Users directory, you create the groups in a new organizational unit called CAPSRoles.
Note - For detailed information about how to perform the following steps, see the documentation provided with Active Directory.
The New Object - Organization Unit dialog box appears.
After you add the groups, they appear under the organizational unit.
The OpenLDAP Project provides an open source implementation of the LDAP protocol. The LDAP server runs as a standalone daemon called slapd. The main configuration file is called slapd.conf. This file contains global information specific to the database and the back end. You can use various approaches to add entries to the database, such as using the slapadd program. To search the database, use the ldapsearch program.
For more information, see http://www.openldap.org.
Note - For detailed information about how to perform the following steps, see the documentation provided with OpenLDAP Directory Server.
dn: ou=CAPSRoles, dc=oracle, dc=com
objectClass: top
objectClass: organizationalUnit
ou: CAPSRoles
dn: cn=all, ou=CAPSRoles, dc=oracle, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: all
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=oracle, dc=com
uniqueMember: uid=Administrator, ou=People, dc=oracle, dc=com

dn: cn=administration, ou=CAPSRoles, dc=oracle, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: administration
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=oracle, dc=com
uniqueMember: uid=Administrator, ou=People, dc=oracle, dc=com

dn: cn=management, ou=CAPSRoles, dc=oracle, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: management
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=oracle, dc=com
uniqueMember: uid=Administrator, ou=People, dc=oracle, dc=com
dn: cn=all, ou=CAPSRoles, dc=oracle, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: all
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=oracle, dc=com
uniqueMember: uid=Administrator, ou=People, dc=oracle, dc=com
uniqueMember: uid=userA, ou=People, dc=oracle, dc=com
uniqueMember: uid=userB, ou=People, dc=oracle, dc=com

dn: cn=administration, ou=CAPSRoles, dc=oracle, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: administration
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=oracle, dc=com
uniqueMember: uid=Administrator, ou=People, dc=oracle, dc=com
uniqueMember: uid=userB, ou=People, dc=oracle, dc=com

dn: cn=management, ou=CAPSRoles, dc=oracle, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: management
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=oracle, dc=com
uniqueMember: uid=Administrator, ou=People, dc=oracle, dc=com
To use an LDAP server for Repository user management, you must add a <Realm> element to the Repository’s server.xml file, which is located in the JavaCAPS-install-dir/repository/repository/server/conf directory. The server.xml file contains a default <Realm> element that specifies a flat file implementation of the user database. The flat file implementation uses the tomcat-users.xml file in the JavaCAPS-install-dir/repository/repository/data/files directory.
The following table describes the attributes used by the LDAP versions of the <Realm> element. For a detailed description of all the possible attributes, see the Tomcat documentation for the org.apache.catalina.realm.JNDIRealm class.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:3060"
       connectionName="cn=oracleadmin"
       connectionPassword="OpCT/AcQGL/ch+GN460Zcg="
       userBase="cn=People,dc=oracle,dc=com"
       userSearch="(cn={0})"
       userSubtree="true"
       roleBase="ou=CAPSRoles,dc=oracle,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="true" />
Note - For the connectionName property, enter the DN of the administrator user. The value of the connectionPassword property must be encrypted. You can use the encrypt utility provided with Java CAPS, located in JavaCAPS_Home\repository\repository\util. This utility uses the following syntax:
encrypt password
Where password is the unencrypted password for the user. The utility will display the encrypted version of the password.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:489"
       userBase="cn=People,dc=oracle,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       userRoleName="nsroledn"
       userRoleNamePattern="cn={0},dc=oracle,dc=com"
       roleSubtree="true" />
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       userBase="cn=Users,dc=oracle,dc=com"
       userSearch="(cn={0})"
       userSubtree="true"
       roleBase="ou=CAPSRoles,dc=oracle,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       userBase="ou=People,dc=oracle,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=CAPSRoles,dc=oracle,dc=com"
       roleName="cn"
       roleSearch="(uniquemember={0})"
       roleSubtree="true" />
Oracle Directory Server Enterprise Edition:
connectionName="cn=Directory Manager" connectionPassword="E451KDVb0OPcH+GN46OZcg=="
Active Directory:
connectionName="Administrator@oracle.com" connectionPassword="geEiVIbtO+DcH+GN46OZcg=="
OpenLDAP Directory Server:
connectionName="cn=Manager,dc=oracle,dc=com" connectionPassword="l/ZRt1cfNKc="
To encrypt the password, use the encrypt utility in the JavaCAPS-install-dir/repository/repository/util directory. The file extension of the utility depends on your platform. This utility takes the unencrypted password as an argument. For example:
C:\JavaCAPS6\repository\repository\util>encrypt mypwd
LCUApSkYpuE
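To make the Realm's role lookup concrete, the following added example (not Java CAPS or Tomcat code) reimplements in Python what the userSearch, roleBase, roleSearch and roleName attributes ask the directory to do, run over a constructed LDIF sample shaped like the ou=CAPSRoles groups in the OpenLDAP section. It assumes the OpenLDAP/OID-style uniqueMember attribute; the member_attr parameter is a hypothetical knob that lets the same lookup cover the Active Directory member attribute from the corresponding Realm example.

```python
# Constructed sample in the shape of the ou=CAPSRoles LDIF above (groupOfUniqueNames):
# userA is a member of "all" only, userB of "all" and "administration".
SAMPLE_LDIF = """\
dn: cn=all, ou=CAPSRoles, dc=oracle, dc=com
objectClass: groupOfUniqueNames
cn: all
uniqueMember: uid=admin, ou=People, dc=oracle, dc=com
uniqueMember: uid=userA, ou=People, dc=oracle, dc=com
uniqueMember: uid=userB, ou=People, dc=oracle, dc=com

dn: cn=administration, ou=CAPSRoles, dc=oracle, dc=com
objectClass: groupOfUniqueNames
cn: administration
uniqueMember: uid=admin, ou=People, dc=oracle, dc=com
uniqueMember: uid=userB, ou=People, dc=oracle, dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry; attribute names are lower-cased
    because LDAP attribute names are case-insensitive (uniqueMember == uniquemember)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def roles_for_user(entries, user_dn, role_base, member_attr="uniqueMember", role_name="cn"):
    """Simulate roleSearch="(<member_attr>={0})" with roleSubtree="true": every entry
    under role_base that lists user_dn contributes its role_name values as roles."""
    wanted, base = norm_dn(user_dn), norm_dn(role_base)
    roles = []
    for e in entries:
        dn = norm_dn(e["dn"][0])
        if dn != base and not dn.endswith("," + base):   # outside the roleBase subtree
            continue
        members = {norm_dn(m) for m in e.get(member_attr.lower(), [])}
        if wanted in members:
            roles.extend(e.get(role_name.lower(), []))
    return sorted(roles)
```

A user whose DN appears in no group under roleBase gets an empty role list, so membership of the ou=CAPSRoles groups is the whole authorization boundary and is worth auditing like any other privileged group.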
By default, communications between the Repository and the LDAP server are unencrypted. To encrypt communications between the Repository and the LDAP server, make the following additions and modifications to the procedures described earlier in this topic.
Ensure that the LDAP server is configured to use the Secure Sockets Layer (SSL). For detailed instructions, see the documentation provided with the LDAP server. In preparation for the next step, export the LDAP server’s certificate to a file.
You must add the LDAP server’s certificate to the Repository’s list of trusted certificates. The list is located in a file called cacerts. In the following procedure, you use the keytool program. This program is included with the Java SDK.
Use the JDK that was specified during the installation of the Repository.
keytool -import -trustcacerts -alias alias -file certificate_filename -keystore cacerts_filename
For the -alias option, you can assign any value.
For the -file option, specify the fully qualified name of the LDAP server’s certificate. For example:
C:\mycertificate.cer
For the -keystore option, specify the fully qualified name of the cacerts file. The cacerts file is located in the JDK-install-dir/jre/lib/security directory. For example:
C:\Java\jdk1.6.0_06\jre\lib\security\cacerts
The following message appears:
Certificate was added to keystore
To use the Repository with LDAP and SSL, you need to modify the Realm element you created when you performed the steps described in Configuring the Repository for LDAP Support.
Change the connectionURL attribute to use the ldaps protocol and the port number on which the LDAP server accepts SSL connections. Typically, this number is 636. For example:
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://myldapserver:636"
       ...