Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory
11g Release 1 (11.1.1)

Part Number E10029-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

38 Configuring Server Chaining

Directory server chaining is a new feature of Oracle Internet Directory, introduced at 10g (10.1.4.0.1). It was implemented using the new Java Plug-in framework.

This chapter contains the following topics:

Note:

All references to Oracle Single Sign-On in this chapter refer to Oracle Single Sign-On 10g (10.1.4.3.0) or later.

38.1 Introduction to Configuring Server Chaining

Server chaining enables you to map entries that reside in third party LDAP directories to part of the directory tree and access them through Oracle Internet Directory, without synchronization or data migration. With server chaining, you can use Oracle Internet Directory's authorization framework when identity data resides outside of Oracle Internet Directory. Server chaining is certified only with Enterprise User Security. No other Oracle applications can be used with server chaining.

Server chaining does not replace Oracle Directory Integration Platform. Rather, it offers complementary functionality to Oracle Directory Integration Platform.

Server chaining is different from a virtual directory. A virtual directory, such as Oracle Virtual Directory, is a flexible virtualization layer between multiple identity repositories and applications. It offers complementary services to identity synchronization and directory servers. With a virtual directory, organizations can create consolidated, logical or virtual views of data that may span multiple directories and databases.

Server chaining is a simpler, more flexible solution, embedded in Oracle Internet Directory server, and particular suited to Enterprise User Security customers. It is easy to administer and upgrade. It also provides Oracle Internet Directory's authorization framework without extra configuration steps.

As of 11g Release 1 (11.1.1), you can configure server chaining to use SSL.

38.1.1 Supported External Servers

Oracle Internet Directory server chaining supports the following external servers:

  • Microsoft Active Directory

  • Sun Java System Directory Server, formerly known as SunONE iPlanet

  • Oracle Directory Server Enterprise Edition

  • Novell eDirectory

An implementation of Oracle Internet Directory can connect with one Active Directory server, one Sun Java System Directory Server, one Novell eDirectory, or with all three.

Note:

Oracle Internet Directory server chaining does not support Active Directory Lightweight Directory Service (AD LDS), formerly known as ADAM.

38.1.2 Integrated Oracle Products

The following products have been integrated with Oracle Internet Directory server chaining:

  • Oracle Single Sign-On 10g (10.1.4.3.0) or later

  • Enterprise User Security

38.1.2.1 Oracle Single Sign-On

When server chaining is enabled, a user from the external directory can log in through Oracle Single Sign-On as if authenticated locally within Oracle Internet Directory, rather than the external repository.

38.1.2.2 Enterprise User Security

Oracle Internet Directory server chaining enables you to implement Enterprise User Security without synchronizing identity data with Oracle Internet Directory through Oracle Directory Integration Platform. Your identity data remains in the external repository and the Oracle Internet Directory data store contains only Enterprise User Security-related metadata.

With Sun Java System Directory Server as the external directory, server chaining supports password-based authentication with Enterprise User Security.

With Active Directory as the external directory, server chaining supports Kerberos- based authentication and password-based authentication with Enterprise User Security. The external users can log in to Oracle Database after the Enterprise User Security authentication setup is completed. For further details, see Section 38.5, "Configuring an Active Directory Plug-in for Password Change Notification," which is based on Note 452385.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.

See Also:

Oracle Database Enterprise User Security Administrator's Guide for more information on configuring Enterprise User Security for password authentication and Kerberos authentication.

38.1.3 Supported Operations

Server chaining supports the following operations:

  • Bind

  • Compare

  • Modify

  • Search

The compare, modify, and search operations can be enabled or disabled by setting configuration parameters.

When an Oracle Internet Directory client application issues an LDAP search request, Oracle Internet Directory integrates the search results from its own data and the external directories.

When an Oracle Internet Directory client application issues an LDAP bind, compare, or modify request, Oracle Internet Directory redirects the request to the external directory.

In 10g (10.1.4.0.1) and later, the compare operation is only supported for the userpassword attribute.

In 10g (10.1.4.0.1) and later, attribute modification is supported in two cases:

  • The external attribute has the same name as the Oracle Internet Directory attribute. This is true for most standard LDAP attributes.

  • The external attribute is mapped to an Oracle Internet Directory attribute, and neither the external nor the Oracle Internet Directory attribute is an operational attribute.

Note:

You cannot modify an Active Directory user password from Oracle Internet Directory through server chaining.

38.1.4 Server Chaining with Replication

If you use server chaining in a replication environment, set it up on all nodes so that the entries remain consistent across nodes. Configure server chaining so that the mapped external directories are the same for all the replicated nodes.

38.2 Configuring Server Chaining

Oracle Internet Directory is shipped with disabled sample server chaining entries.

For Active Directory, the DN for the server chaining entry is

cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry 

For Oracle Directory Server Enterprise Edition and Sun Java System Directory Server, the entry DN is

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry

Novell eDirectory, the entry DN is

cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry 

You configure server chaining by customizing these entries for your environment and enabling them. You can do this either from the command line or by using Oracle Directory Services Manager.

This section contains the following topics:

38.2.1 Configuring Server Chaining by Using Oracle Directory Services Manager

Oracle Directory Services Manager provides a convenient interface for modifying the Oracle Internet Directory server chaining configuration entries. To configure server chaining by using Oracle Directory Services Manager, perform the following steps:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."

  2. From the task selection bar, select Advanced.

  3. Expand Server Chaining. Server Chaining entries appear in the left panel. Current entries include iPlanet (Oracle Directory Server Enterprise Edition and Sun Java System Directory Server) and Active Directory.

  4. To modify a server chaining configuration entry, select it. The Server Chaining Management tab appears in the right pane.

  5. Modify External Host Name, External Port Number, Login User DN, and Login User Password as necessary.

  6. To enable server chaining authentication, modification, or search, select the corresponding checkbox.

  7. Modify the other fields as necessary.

  8. After modifying an external user container, group container, or login credential, verify the value by clicking Verify User Container, Verify Group Container, or Verify Login Credential, respectively.

    If the verification fails, examine the values you entered for errors. If the problem persists, consult the external directory administrator to verify the accuracy of the values you entered.

  9. If you want to add an attribute mapping, click the Add attribute mappings to list icon under Attribute Mapping. To edit an existing mapping, select the mapping and click the Edit Attribute Mapping icon under Attribute Mapping. The New Attribute Mapping window appears. Enter the External Directory Attribute and the OID Attribute. To locate Oracle Internet Directory attribute by browsing, click Select then select the attribute in the Attribute Selection window.

  10. Click OK to create the mapping or click Cancel to abandon it.

  11. To delete a mapping, select the mapping and click the Delete selected attribute mapping icon. When the Delete Confirm dialog appears, click Delete to delete the mapping or Cancel to abandon deletion.

  12. Click OK to enable the configuration changes or click Cancel to abandon the changes.

38.2.2 Configuring Server Chaining from the Command Line

Perform the following steps to configure server chaining from the command line:

  1. Create an LDIF file to manually add the user and group containers. To determine the DNs for these containers, see Section 38.3.2, "Requirements for User and Group Containers." For example, if your user search base is cn=users,dc=us,dc=oracle,dc=com, and the group search base is cn=groups,dc=us,dc=oracle,dc=com, then you would use the following entries in your LDIF file:

    dn: cn=AD,cn=users,dc=us,dc=oracle,dc=com
    cn: AD
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
    cn: iPlanet
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
    cn: AD
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
    cn: iPlanet
    objectclass: orclcontainer
    objectclass: top
    
  2. Use ldapadd and the LDIF file you just created to add the entries.

    ldapadd -p port -h host -D "binddn" -q -v -f container_ldif_file_name
    
  3. Create another LDIF file to modify and enable the server chaining configuration entries. For example LDIF files, see Section 38.3.4, "Active Directory Example" and Section 38.3.7, "Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) Example." A table of attributes is provided in Section 38.3, "Creating Server Chaining Configuration Entries" Attribute mapping is explained in Section 38.3.3, "Attribute Mapping."

  4. Modify the server chaining configuration entries using the ldapmodify command and the LDIF file you just created. Use a command line of the form:

    ldapmodify -D "cn=orcladmin" -q -p port -h host -D "binddn" \
       -v -f entry_ldif_file_name
    

38.3 Creating Server Chaining Configuration Entries

This section contains the following topics:

38.3.1 Configuration Entry Attributes

Table 38-1 lists the configuration entry attributes for server chaining.

Table 38-1 Configuration Entry Attributes for Server Chaining

Attribute Required Description

orclOIDSCExtHost

Yes

The host name of the external directory host. This is a single value attribute.

orclOIDSCExtPort

Yes

The port number of the external directory host. This is a single value attribute. The default value is 3060.

orclOIDSCExtDN

Yes

The DN in the external directory. Server chaining binds against the external directory using this identity to perform search and modify operations. This identity must have sufficient privilege to perform the operation. This is a single value attribute.

orclOIDSCExtPassword

Yes

The password for the DN of the external directory. This is a single value attribute. Be sure to enable privacy mode to ensure that users cannot retrieve this attribute in clear text. See Section 28.7, "Configuring Privacy of Retrieved Sensitive Attributes."

orclOIDSCExtUserContainer

Yes

The user container in the external directory from which to perform the user search operation. This is a single value attribute.

orclOIDSCExtGroupContainer

Yes

The group container in the external directory from which to perform the group search operation. This is a single value attribute.

This attribute is optional if the external user container and the external group container are the same. In this case the group search operations are performed on the external user container.

orclOIDSCTargetUserContainer

Yes

The user container in Oracle Internet Directory in which the external users reside. For more information, see Section 38.3.2, "Requirements for User and Group Containers."

orclOIDSCTargetGroupContainer

Yes

The group container in Oracle Internet Directory in which the external groups reside. For more information, see Section 38.3.2, "Requirements for User and Group Containers."

orclOIDSCAttrMapping

No

Specifies each attribute mapping between the external directory and Oracle Internet Directory. For example, to map the eMail attribute from Active Directory to the mail attribute in Oracle Internet Directory, set this attribute to:

orclOIDSCAttrMapping;mail:eMail

For more information, see Section 38.3.3, "Attribute Mapping."

orclOIDSCExtSearchEnabled

Yes

External search capability. 0 = disabled (default), 1 = enabled. This is a single value attribute.

orclOIDSCExtModifyEnabled

Yes

External modify capability. 0 = disabled (default), 1 = enabled. This is a single value attribute.

orclOIDSCExtAuthEnabled

Yes

External authentication capability. 0 = disabled (default), 1 = enabled. This is a single value attribute.

orclOIDSCSSLEnabled

No

SSL connection to the external directory. 0 = disabled (default), 1 = enabled. This is a single value attribute. Required if SSL is enabled.

orclOIDSCExtSSLPort

No

The SSL port number of the external directory host. This is a single value attribute.

OrclOIDSCWalletLocation

No

The filename and path of the wallet that contains the server certificate of the external directory. This is a single value attribute. Required if SSL is enabled

orclOIDSCWalletPassword

No

The wallet password. This is a single value attribute. Required if SSL is enabled

mapUIDtoADAttribute

No

Specifies the mapping of OID attribute "uid" to an attribute in Active Directory. You can map "uid" to any non-binary attributes defined in Active Directory. The default value is "name". This is a single value attribute.

showExternalGroupEntries

No

In a search against the group container: "base" - show entries with objectclass group (default), "sub" - show entries without objectclass "user" and "computer". This is a single value attribute. Applicable with Active Directory only.

showExternalUserEntries

No

In a one level search with an entry one level below the user container as the base: "base" - do not show any entry (default), "sub" - show entries in the subtree below the base of the search. This is a single value attribute. Applicable with Active Directory only.

addOrcluserv2ToADUsers

No

Add "orcluserv2" objectclass to entries that have objectclass user. 0 = disabled (default), 1 = enabled. This is a single value attribute. Applicable with Active Directory only.


38.3.2 Requirements for User and Group Containers

The target user and group containers must be under the Oracle Internet Directory search base in order to work with Oracle Single Sign-On. Use the container names cn=AD for Active Directory and cn=iPlanet for Oracle Directory Server Enterprise Edition or Sun Java System Directory Server (iPlanet). For example, if your user search base is:

cn=users,dc=us,dc=oracle,dc=com

you would use

cn=AD,cn=users,dc=us,dc=oracle,dc=com

as the target user container for the Active Directory users or

cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com

as the target user container for the Sun Java System Directory Server users. Similarly, if your group search base is:

cn=groups,dc=us,dc=oracle,dc=com

you would use

cn=AD,cn=groups,dc=us,dc=oracle,dc=com

as the target container for the Active Directory s or

cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com

as the target container for the Oracle Directory Server Enterprise Edition or Sun Java System Directory Server groups.

The target user and group containers exist only for the external directories. All the users and groups that appear under these nodes are populated by the external directories. Do not add entries under these containers directly from Oracle Internet Directory.

38.3.3 Attribute Mapping

If an attribute in an external directory and an Oracle Internet Directory attribute are the same, then no mapping is required. Server chaining performs some attribute mapping by default. The default mapping list is as follows:

Table 38-2 Default Attribute Mapping to Active Directory

Oracle Internet Directory Attribute Active Directory Attribute

orclguid

objectGUID

uid

name

orclsamaccountname

samaccountname

krbprincipalname

userprincipalname


For Active Directory server chaining, you can use the mapUIDtoADAttribute attribute to map uid to any non-binary attributes defined in Active Directory.

Table 38-3 Default Attribute Mapping to Sun Java System Directory Server

Oracle Internet Directory Attribute Sun Java System Directory Server Attribute

orclguid

nsuniqueid

authpassword

userpassword

krbprincipalname

mail


Table 38-4 Default Attribute Mapping to Novell eDirectory

Oracle Internet Directory Attribute Novell eDirectory Attribute

orclguid

guid

orclsamaccountname

uid

krbprincipalname

mail


The following objects cannot be mapped:

  • Operational attributes

  • Object classes

  • Oracle Internet Directory- specific attributes. These attributes typically have names starting with orcl.

38.3.4 Active Directory Example

The following example shows server chaining configured to use the Active Directory server dlin-pc9.us.example.com, port 3060, as its external directory store. The SSL capability has been enabled. All the attributes are explained in Table 38-1.

cn=oidscad,cn=OID Server Chaining,cn= subconfigsubentry
orclOIDSCExtHost: dlin-pc9.us.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCAttrMapping;description: title
orcloidscsslenabled: 0

The following example is the LDIF file used to modify the configuration entry:

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=administrator,cn=users,dc=oidvd,dc=com
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc9.us.example.com
-
replace: orcloidscextport
orcloidscextport: 3060
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: cn=users,dc=dlin,dc=net
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: cn=users,dc=dlin,dc=net
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
-
replace: orcloidscsslenabled
orcloidscsslenabled:1

38.3.5 Active Directory with SSL Example

The following example shows server chaining configured to use the Active Directory server ad.example.com, SSL port 3133, and the wallet located at /adwallet/ewallet.p12.

cn=oidscad,cn=OID Server Chaining,cn= subconfigsubentry
orclOIDSCExtHost: ad.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /adwallet/ewallet.p12
orclOIDSCWalletPassword: ********

Perform the following steps to configure server chaining with SSL from the command line:

  1. Configure Active Directory server chaining without SSL, as described in the previous section.

  2. Create an LDIF file like the following to enable SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Active Directory server:

    dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry 
    changetype: modify 
    replace: orcloidscsslenabled 
    orcloidscsslenabled:1 
    - 
    replace: orcloidscextsslport 
    orcloidscextsslport: 3133 
    - 
    replace: orcloidscwalletlocation 
    orcloidscwalletlocation: /adwallet/ewallet.p12 
    - 
    replace: orcloidscwalletpassword 
    orcloidscwalletpassword: passw0rd
    
  3. To apply the changes, use a command line such as

    ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name
    

38.3.6 Active Directory with New Attributes Example

The attributes mapUIDtoADAttribute, showExternalGroupEntries, showExternalUserEntries, and addOrcluserv2ToADUsers have been added since Oracle Internet Directory 10g (10.1.4.0.1). To add these attributes to an existing Active Directory server chaining entry, modify the following LDIF file with the appropriate values:

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry 
changetype: modify 
replace: mapUIDtoADAttribute
mapUIDtoADAttribute: name
-
replace: showExternalGroupEntries
showExternalGroupEntries: base
-
replace: showExternalUserEntries
showExternalUserEntries: base
-
replace: addOrcluserv2ToADUsers
addOrcluserv2ToADUsers: 0

Use a command line such as

ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name

to modify the configuration entry.

38.3.7 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) Example

The following example shows server chaining configured to use the Sun Java System Directory Server dlin-pc10.us.example.com, port 103060, as its external directory store. All the attributes are explained in Table 38-1.

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc10.us.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled:0

The following example is the LDIF file used to modify the configuration entry:

dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=directory manager
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc10.us.example.com
-
replace: orcloidscextport
orcloidscextport: 10389
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=iplanet,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=iplanet,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: ou=people,dc=example,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: ou=groups,dc=example,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1

38.3.8 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) with SSL Example

The following example shows server chaining configured to use the Sun Java System Directory Server sunone.example.com, SSL port 10636, and the wallet located at /ipwallet/ewallet.p12

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636 
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********

Perform the following steps to configure server chaining with SSL from the command line:

  1. Configure server chaining without SSL, as described in the previous section.

  2. Create the following LDIF file to enable SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Oracle Directory Server Enterprise Edition/Sun Java System Directory Server.

    dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
    changetype: modify
    replace: orcloidscsslenabled
    orcloidscsslenabled:1
    -
    replace: orcloidscextsslport
    orcloidscextsslport: 10636 
    -
    replace: orcloidscwalletlocation
    orcloidscwalletlocation: /ipwallet/ewallet.p12
    -
    replace: orcloidscwalletpassword
    orcloidscwalletpassword: passw0rd
    
  3. Execute a command such as

    ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name
    

    to modify the configuration entry.

38.3.9 eDirectory Example

A sample eDirectory configuration looks like this:

cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled:0 

38.3.10 eDirectory with SSL Example

A sample edirectory configuration with SSL looks like this:

cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /edir/ewallet.p12
orclOIDSCWalletPassword: ******** 

38.4 Debugging Server Chaining

To debug server chaining, perform the following steps:

  1. Set the Oracle Internet Directory server debug logging level, as described in Section 24.2, "Managing Logging by Using Fusion Middleware Control" or Section 24.3, "Managing Logging from the Command Line." Use the logging level value 402653184. This value enables logging of all messages related to the Java plug-in framework.

  2. Modify the Oracle Internet Directory server chaining debugging settings. For both cn=oidscad,cn=oid server chaining,cn=subconfigsubentry and cn=oidsciplanet,cn=oid server chaining, cn=subconfigsubentry. set the attribute orcloidscDebugEnabled to 1.

    For example, to set orcloidscDebugEnabled to 1 in cn=oidscad,cn=oid server chaining,cn=subconfigsubentry, you would type:

    $ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
    

    where file contains:

    dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry 
    changetype: modify
    replace: orcloidscDebugEnabled
    orcloidscDebugEnabled: 1
    

    See Also:

    Java plug-in debugging and logging information in the Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management.

38.5 Configuring an Active Directory Plug-in for Password Change Notification

When you use Enterprise User Security (EUS) with Server Chaining, a hash password is required in order to authenticate users. This section describes how to install a plug-in in the Microsoft Active Directory (AD) server so that this hash password is available to users accessed through Oracle Internet Directory. Customers planning to configure Enterprise User Security (EUS) to work with users accessed through Server Chaining must configure this feature.

The steps are as follows

  1. In Active Directory, create an attribute called orclCommonAttribute to store the hash password. Use a command line such as:

    ldapadd –p AD_Port –h AD_host -D "AD_administrator_DN" –w AD_administrator_password -v –f orclca.ldif
    

    Use an orclca.ldif file similar to the following example. Replace DC=bill,DC=com with the actual Active Directory domain name and choose an appropriate attributeID.

    dn: cn=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com 
    objectClass: top
    objectClass: attributeSchema
    cn: orclcommonattribute
    distinguishedName: CN=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
    instanceType: 4
    uSNCreated: 16632
    attributeID: 1.9.9.9.9.9.9.9.9
    attributeSyntax: 2.5.5.3
    isSingleValued: TRUE
    uSNChanged: 16632
    showInAdvancedViewOnly: TRUE
    adminDisplayName: orclCommonAttribute
    oMSyntax: 27
    lDAPDisplayName: orclCommonAttribute
    name: orclcommonattribute
    objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=bill,DC=com
    
  2. Associate the attribute with the user objectclass. Use a command line such as:

    ldapadd –p AD_Port –h AD_host -D "AD_administrator_DN" –w AD_administrator_password -v –f user.ldif
    

    In the following file, user.ldif, replace DC=bill,DC=com with the actual Active Directory domain name.

    dn: CN=User,CN=Schema,CN=Configuration,DC=bill,DC=com
    changetype: modify
    add: mayConatin
    mayContain: orclCommonAttribute 
    

    It might take Active Directory a few minutes to refresh the schema.

  3. Install the password change notification plug-in, as follows:

    1. Copy %ORACLE_HOME%\ldap\admin\oidpwdcn.dll to the Active Directory WINDOWS\system32 folder.

    2. Use regedt32 to modify the registry. In the line:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, add oidpwdcn to the end. It should look like the following:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    3. Restart Active Directory.

    4. Verify that the plug-in is installed properly by resetting the password of a user. The orclCommonAttribute should contain the hash password value.

  4. Reset the password for all the Active Directory users so that the password verifier is present for all the users.