Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory
11g Release 1 (11.1.1)

Part Number E10046-10

19 Configuring Oracle Virtual Directory for Integrated Directory Solutions

This chapter explains how to configure Oracle Virtual Directory for integration with commonly used directory and identity management technologies and contains the following sections:

  • Section 19.1, "Configuring Oracle Virtual Directory for Oracle Access Manager"

  • Section 19.2, "Integrating with Oracle's Enterprise User Security"

Note:

You can use Oracle Virtual Directory with most LDAP-enabled technologies. The information in this chapter highlights Oracle Virtual Directory features and capabilities that simplify common integrations.

Contact your Oracle support representative for assistance with other Oracle Virtual Directory integrations.

19.1 Configuring Oracle Virtual Directory for Oracle Access Manager

Perform the following steps to configure Oracle Virtual Directory for integration with Oracle Access Manager (OAM) using Oracle Directory Services Manager's Setup for Oracle Access Manager Quick Config Wizard. The Setup for Oracle Access Manager Quick Config Wizard walks you through the steps to create the required Local Store Adapter and also the appropriate adapter type, either LDAP, Database, or Custom, for the data repository that Oracle Access Manager uses.

  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Quick Config Wizards entry in the Advanced tree.

  4. Click Setup for Oracle Access Manager in the tree. The Setup for Oracle Access Manager screen appears.

  5. Enter the namespace for the Local Store Adapter in DN format in the Namespace used for creating Local Store Adapter (LSA) field and click Apply. The Adapters screen appears.

  6. Create an adapter for the data repository that Oracle Access Manager uses. Perform one of the following procedures that is appropriate for the data repository that Oracle Access Manager uses:

    To create an LDAP Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM LDAP Adapter button. The Preparing OVD for OAM - Create LDAP Adapter dialog box appears.

    2. Enter a unique name for the LDAP Adapter in the Adapter Name field. Select the appropriate template for the LDAP Adapter by choosing an option from the Adapter Template list. Choose Default if you are not integrating with Microsoft Active Directory or Oracle Directory Server Enterprise Edition (formerly Sun Java System Directory Server). Refer to "Understanding Adapter Templates" for more information. Click Next. The Connection screen of the Preparing OVD for OAM - Create LDAP Adapter dialog box appears.

    3. Perform steps 5 through 16 in "Creating LDAP Adapters" to configure the LDAP Adapter for OAM.

    4. Review the summary of settings and click Finish to create the LDAP Adapter for OAM. The new LDAP Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

    To create a Database Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM Database Adapter button. The Preparing OVD for OAM - Create Database Adapter dialog box appears.

    2. Enter a unique name for the Database Adapter in the Adapter Name field. Select the appropriate template for the Database Adapter by choosing an option from the Adapter Template list. Refer to "Understanding Adapter Templates" for more information. Click Next. The Connection screen of the Preparing OVD for OAM - Create Database Adapter dialog box appears.

    3. Perform steps 5 through 10 in "Creating Database Adapters" to configure the Database Adapter for OAM.

    4. Review the summary of settings and click Finish to create the Database Adapter for OAM. The new Database Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

    To create a Custom Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM Custom Adapter button. The Preparing OVD for OAM - Create Custom Adapter dialog box appears.

    2. Enter a unique name for the Custom Adapter in the Adapter Name field.

    3. Enter a valid base DN in the Adapter Suffix/Namespace field.

    4. Click Next on the Preparing OVD for OAM - Create Custom Adapter dialog box. The Configure plug-in screen appears.

    5. Enter a name for the Plug-in into the Name field.

    6. Enter the Plug-in class name in the Class field, or click Browse, then select the plug-in from the Plug-In Selection box, and then click OK.

    7. Add parameters and values to the Plug-in by clicking the Create button in the Parameters table, selecting a parameter from the Name list, and entering a value for the parameter in the Value field.

    8. Click Next on the Configure plug-in screen.

    9. Review the summary of settings and click Finish to create the Custom Adapter for OAM. The new Custom Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

  7. Configure the adapter for the data repository that Oracle Access Manager uses by selecting Adapter from the Oracle Directory Services Manager task selection bar and then clicking the name of the adapter to configure in the Adapter tree.

    See Also:

    Chapter 12, "Creating and Configuring Oracle Virtual Directory Adapters," for more information on configuring each type of adapter.

19.1.1 Modifying Oracle Access Manager Adapter Settings

To modify the settings for an Oracle Access Manager integration adapter:

  1. Log in to Oracle Directory Services Manager and select the Adapter tab from the Oracle Directory Services Manager task selection bar.

  2. Select the name of the adapter to be modified from the Adapter tree.

  3. Modify the adapter settings as necessary on the Adapter tab. Refer to Chapter 12, "Creating and Configuring Oracle Virtual Directory Adapters" for more information about the adapter settings.

  4. Click Apply to apply the changes.

19.2 Integrating with Oracle's Enterprise User Security

Integrating Oracle Virtual Directory and Enterprise User Security (EUS) enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in an external LDAP repository without any additional synchronization.

This section describes how to integrate Oracle Virtual Directory with Oracle's Enterprise User Security and contains the following sections:

  • Section 19.2.1, "Preparing Oracle Virtual Directory for the Enterprise User Security Integration"

  • Section 19.2.2, "Configuring Adapters for Enterprise User Security"

  • Section 19.2.3, "Integrating Oracle Virtual Directory with External Directories"

Note:

For upgrade environments: the procedure for integrating Enterprise User Security with Oracle Virtual Directory changed in the 11.1.1.6.0 release.

If EUS was already configured in your deployment before you upgraded to 11.1.1.6.0, you must continue to use the old EUS configuration procedure. To review that procedure, refer to "Integrating with Oracle's Enterprise User Security" in the previously released version of the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

After upgrading to 11.1.1.6.0, you must use the integration steps described in this section for all new configurations.

19.2.1 Preparing Oracle Virtual Directory for the Enterprise User Security Integration

Regardless of which external directory you are storing your user identities in, you must perform the steps in this section first. After you complete the steps in this section, proceed with the integration by referring to Integrating Oracle Virtual Directory with External Directories.

Perform the following steps to prepare Oracle Virtual Directory for integration with Enterprise User Security:

  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory. All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a back-up copy of the eus directory enables you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

  2. If one does not already exist, create an LDAP listener that is secured with SSL in No Authentication mode by referring to Chapter 11, "Creating and Managing Oracle Virtual Directory Listeners." Keep in mind that No Authentication mode uses anonymous cipher suites: the connection is encrypted, but no server certificate is presented, so a database client cannot verify which server it is talking to. Expose that listener only to the database hosts that need it.

Important:

The steps for integrating Oracle Virtual Directory with Enterprise User Security from this point forward differ depending on which external directory you are storing your user identities in.

Continue the integration with Enterprise User Security by referring to Integrating Oracle Virtual Directory with External Directories.

19.2.2 Configuring Adapters for Enterprise User Security

To configure LDAP and Local Store adapters for EUS, follow these steps:

  1. Log in to Oracle Directory Services Manager.

  2. Select the Adapter tab.

  3. Click the Configure adapters for Enterprise User Security (EUS) icon.

    A wizard displays, showing the default dc=eusovd,dc=com Realm DN.

    Note:

    You can change this default realm DN if required; however, it is advisable to use the defaults. When you choose dc=eusovd,dc=com, RDBMS tools such as NetCA, DBCA, ESM, and EM will see dc=eusovd,dc=com as the realm DN.

  4. Click Next to go to the User and Group Location page.

  5. Specify the location of the user and group entries by selecting one of the following options:

    • Same Parent (default): Use entries that are under the same parent container in the back-end directory.

      For example, if Users and Groups in the back-end directory are under ou=People,dc=example,dc=com and ou=Groups,dc=example,dc=com, you can use the common parent container dc=example,dc=com in the back-end directory in the configuration.

    • Different Parent: Use entries from different parent containers in the back-end directory.

      When you select this option, Oracle Virtual Directory creates two LDAP adapters (one for user and another one for group). By default, the Mapped Namespace for user is cn=Users,dc=eusovd,dc=com and Mapped Namespace for group is cn=Groups,dc=eusovd,dc=com. You can change these values if necessary.

    • Different Directory: Use entries from different back-end directories.

      When you select this option, Oracle Virtual Directory creates multiple LDAP adapters based on your input. When the pop-up displays, indicate whether the LDAP adapter contains user entries or group entries by clicking the appropriate Contains Entry For button, and then click OK to create the new LDAP adapters.

  6. Click Next to go to the LDAP Adapter page and provide the following information for the adapter.

    Note:

    The availability of these parameters depends on your User and Group Location selection. For more information about these parameters, see "Creating LDAP Adapters".

    Adapter Name (Required)

    Enter a unique name for the new adapter. Other configuration fields will use this name to reference this adapter.

    Adapter Template (Required)

    Select an EUS template from the menu. For example, select EUS ActiveDirectory to integrate Oracle Virtual Directory with EUS for user identities stored in Active Directory.

    LDAP Servers table

    Select an existing host from the table or click Add Host to add new host.

    For a new host, you must provide the host IP address, port number, and Weight value. If you want a read-only server, enable the Is Read Only box.

    Proxy DN

    Enter the proxy DN. The adapter will use this DN to bind to the directory.

    Proxy Password

    Enter the password for the proxy DN. This credential lets the adapter read every entry the integration needs (including password verifiers on some back ends), so treat it as a privileged secret.

    Use SSL/TLS

    This option is enabled by default.

    SSL Authentication Mode

    Use the menu to specify Server Only Authentication/Mutual Authentication or No Authentication.

    Enable User Account Lockout

    Check this option to enable the User Account Lockout feature.

    Note: If you are using Oracle Directory Server Enterprise Edition as a back-end LDAP server, you must enter an additional Password Maximum Failure parameter so that Oracle Virtual Directory locks the account after the same number of failures as the back end does.

    Query the Oracle Directory Server Enterprise Edition to determine its passwordMaxFailure value and enter it here. For example:

    ORACLE_HOME/bin/ldapsearch -h Oracle_Directory_Server_Enterprise_Edition_Host \
    -D bindDN -q -s base -b "cn=password policy,cn=config" "(objectclass=*)" passwordmaxfailure
    

    Contains Entry for
    (Different Directory option only)

    Specify whether the directory contains users or groups entries.

    Mapped Namespace (Required)

    • If you select Under Same Parent, you must provide the local mapped DN. For example, cn=UsersGroups,dc=eusovd,dc=com.

    • If you select Under Different Parent, you must provide two mapped namespaces, one namespace for User and one namespace for Group.

    Remote Base (Required)

    • If you select Under Same Parent, you must provide the remote base entry (DN) at which all operations will begin.

    • If you select Under Different Parent, you must provide two remote bases, one remote base for User and one remote base for Group.


  7. Click Next to go to the Summary page.

  8. Verify the information presented on this page and if no additional changes are necessary, click Finish.

    Oracle Virtual Directory performs the following actions:

    • Adds the subschemasubentry and Dynamic Groups plug-ins as global plug-ins

    • Creates three Local Store adapters with the suffixes cn=OracleContext, cn=OracleSchemaVersion, and the realm DN.

    • Creates one or more LDAP adapters based on the location of the user and group entries chosen.

    • Uploads all required entries to Oracle Virtual Directory

    • Adds all required ACLs in Oracle Virtual Directory

      Refer to "Configuring Access Control Lists for the Enterprise User Security Integration" for more information about each ACL.

  9. Query the Oracle Virtual Directory server to verify that all of the following entries were uploaded:

    Note:

    In this example, note that "5566" is the LDAP Listener port. You can change this port number if required.

    $ ldapsearch -p 5566 -h ovd_host_name -D cn=orcladmin -q -s base \
      -b "cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com" "(objectclass=*)" \
      dn orclCommonUserSearchBase orclCommonGroupSearchBase

    cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
    orclCommonGroupSearchBase=cn=UsersGroups,dc=eusovd,dc=com
    orclCommonUserSearchBase=cn=UsersGroups,dc=eusovd,dc=com
    

    Note:

    This example assumes that the realm DN is dc=eusovd,dc=com and that the Same Parent option is used for the location of the user and group entries.

    If you used a custom realm DN, then you must change the search base accordingly. In addition, if you used other options for the user and group entries location, then the orclCommonUserSearchBase and orclCommonGroupSearchBase values also might be different.

19.2.3 Integrating Oracle Virtual Directory with External Directories

This section contains instructions for integrating Oracle Virtual Directory with Enterprise User Security for use with specific external directories. These instructions are organized by external directory type into the following sections:

  • Section 19.2.3.1, "User Identities in Microsoft Active Directory"

  • Section 19.2.3.2, "User Identities in Microsoft Active Directory and Metadata in Oracle Internet Directory"

  • Section 19.2.3.3, "User Identities in Oracle Directory Server Enterprise Edition"

  • Section 19.2.3.4, "User Identities in Novell eDirectory"

  • Section 19.2.3.5, "User Identities in Oracle Internet Directory"

Continue to the section that describes the external directory where you are storing your user identities.

Note:

Back-end LDAP schema extensions are no longer required for any of these external directories, except Active Directory. These changes are now done in the Oracle Virtual Directory local store.

Only a single, minimal schema change to add the orclCommonAttribute attribute definition is necessary for Active Directory.

19.2.3.1 User Identities in Microsoft Active Directory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Active Directory:

19.2.3.1.1 Configuring Active Directory for the Integration

To configure Active Directory for the integration, perform the following steps.

Note:

If you are using Kerberos authentication in the integration, do not perform steps 3 and 4 in the following procedure.

  1. Make a back-up copy of your Active Directory image. Schema extensions in Active Directory are permanent and cannot be reversed; the back-up image is the only way to restore the previous state if required.

  2. Execute the following command to load the Enterprise User Security required schema into Active Directory using the extendAD Java class included in Oracle Virtual Directory.

    The extendAD file is located in the $ORACLE_HOME/ovd/eus/ directory. You can use the java executable in the ORACLE_HOME/jdk/bin directory. Note that the administrator password passed with -w is visible to other local users in the process list and is recorded in the shell history; run the command from a shell with history disabled, or clear the history afterwards.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
    -AD Active_Directory_Domain_DN -commonattr
    

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com

  3. Install the Oracle Internet Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps. The plug-in is an LSA notification package: it is loaded into the LSA process at boot and receives each user's new password in clear text at change time, which is how it generates the verifier it stores in orclCommonAttribute. Because a password change is processed by whichever domain controller receives it, the DLL and the registry change must be deployed on every domain controller in the domain. Protect the DLL file with restrictive ACLs and monitor the Notification Packages value for unexpected additions, since the same mechanism is a well-known way to capture passwords.

    1. Copy the $ORACLE_HOME/ovd/eus/oidpwdcn.dll file to the WINDOWS\system32 directory of the domain controller.

    2. Use regedt32 to edit the registry and enable oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages value (a REG_MULTI_SZ) under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn

    4. Restart the domain controller after making these changes; LSA loads notification packages only at start-up.

  4. Verify the Oracle Internet Directory Password Change Notification plug-in by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user whose password you changed and verify that the orclCommonAttribute attribute contains the generated password hash.

      A populated value confirms both that the extendAD step added the orclCommonAttribute attribute definition to Active Directory and that the plug-in is writing to it.

    3. Reset the passwords of all existing Active Directory users (or require them to change their password at next logon). The plug-in only sees a password when it changes, so users whose password has not changed since the plug-in was installed have no verifier stored yet.

  5. If you are using Kerberos authentication on Windows 2000 or Windows 2003 with Oracle Database Advanced Security, you must configure it now by referring to the Oracle Database Advanced Security Administrator's Guide.

    After you configure the Kerberos authentication, make sure you can log in to the database using your Active Directory user credential before proceeding to the next steps.

19.2.3.1.2 Configuring Oracle Virtual Directory for the Integration

To configure Oracle Virtual Directory for integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create Local Store and LDAP adapters using the steps described in Section 19.2.2, "Configuring Adapters for Enterprise User Security".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the EUS_ActiveDirectory template.

    • Ensure the Use SSL/TLS option is enabled.

    • Set SSL Authentication Mode to Server Only Authentication / Mutual Authentication.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and for use with Microsoft Active Directory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.3.2 User Identities in Microsoft Active Directory and Metadata in Oracle Internet Directory

Perform the following steps to integrate Oracle Virtual Directory with Enterprise User Security when user identities are stored in Active Directory and to store metadata in Oracle Internet Directory:

  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory. All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a back-up copy of the eus directory enables you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

  2. If one does not already exist, create an LDAP listener that is secured with SSL by referring to Chapter 11, "Creating and Managing Oracle Virtual Directory Listeners."

  3. Create and add the SubschemaSubentry plug-in and the Dynamic Groups plug-in as global server plug-ins. Refer to "Managing Global Server Plug-ins" for steps on creating server plug-ins.

  4. Make a back-up copy of your Active Directory image. Schema extensions in Active Directory are permanent and cannot be reversed; the back-up image is the only way to restore the previous state if required.

  5. Load the Enterprise User Security required schema into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
    -AD Active_Directory_Domain_DN -commonattr
    

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com

  6. Install the Oracle Internet Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps on every domain controller (the plug-in is an LSA notification package and must be present wherever a password change can be processed):

    1. Locate the oidpwdcn.dll file in $ORACLE_HOME/ovd/eus/ and copy it to the WINDOWS\system32 directory of the domain controller.

    2. Use regedt32 to edit the registry and enable oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages value (a REG_MULTI_SZ) under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn

    4. Restart the domain controller after making these changes; LSA loads notification packages only at start-up.

  7. Verify the Oracle Internet Directory Password Change Notification plug-in by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user whose password you changed and verify that the orclCommonAttribute attribute contains the generated password hash.

      A populated value confirms both that the extendAD step added the orclCommonAttribute attribute definition to Active Directory and that the plug-in is writing to it.

    3. Reset the passwords of all existing Active Directory users (or require them to change their password at next logon). The plug-in only sees a password when it changes, so users whose password has not changed since the plug-in was installed have no verifier stored yet.

  8. If you are using Kerberos authentication on Windows 2000 or Windows 2003 with Oracle Database Advanced Security, you must configure it now by referring to the Oracle Database Advanced Security Administrator's Guide.

    After you configure the Kerberos authentication, make sure you can log in to the database using your Active Directory user credential before proceeding to the next steps.

  9. Extend the Oracle Internet Directory LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h OID_Host_Name -p OID_Port -D bindDN \
    -q -v -f OIDSchema.ldif
    
  10. Create four new LDAP Adapters using the following settings and by entering the Oracle Internet Directory host information. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    For the first three new LDAP Adapters:

    • Use the Oracle_Internet_Directory adapter template.

    • The Adapter Remote Base and Mapped Namespace for the first adapter must be cn=OracleContext.

    • The Adapter Remote Base and Mapped Namespace for the second adapter must be cn=OracleSchemaVersion.

    • The Adapter Remote Base and Mapped Namespace for the third adapter must be cn=subschemasubentry.

    For the fourth new LDAP Adapter:

    • Use the EUS_OID adapter template.

    • The Adapter Remote Base and Mapped Namespace for the fourth adapter must be cn=oraclecontext,your_OID_realm.

  11. Create a new Local Store Adapter using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template.

    • The Adapter Suffix must be dc=com, unless your Oracle Internet Directory realm is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.

  12. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Active Directory and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory.

    Note:

    The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

  13. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f realmRoot.ldif
    
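Steps 12 and 13 edit the template namespace by hand and then load the file. The following script is an added example (not Oracle's code and not the contents of the real realmRoot.ldif) of doing the namespace rewrite mechanically so that no DN, including the LDAP URL inside memberurl, is left pointing at the template realm. It assumes the template uses the placeholder realm dc=eusovd,dc=com and the DN-valued attribute names listed in DN_ATTRS; the sample LDIF embedded in it is constructed for illustration. Values whose format the script does not know (orclsubscriberfullname, base64-encoded values) are reported for manual review rather than guessed.

```python
"""Rewrite the realm namespace in an EUS template LDIF (e.g. realmRoot.ldif).

Added example, not Oracle's code. The template in ORACLE_HOME/ovd/eus/ is
written for a placeholder realm; every DN-valued attribute, including the
LDAP URL in memberurl, must point at the realm OVD actually serves before
the file is loaded with ldapmodify. The sample LDIF below is constructed
for illustration and is not the real realmRoot.ldif.
"""
import re

# Attributes whose values are DNs or LDAP URLs embedding a DN. (Assumption:
# the template uses only these; extend the set if yours differs.)
DN_ATTRS = {"dn", "member", "uniquemember", "owner", "memberurl",
            "orclcommonusersearchbase", "orclcommongroupsearchbase"}
# Attributes whose format we do not guess; they are reported for manual review.
REVIEW_ATTRS = {"orclsubscriberfullname"}


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def suffix_regex(dn):
    """Match `dn` as a DN suffix: case-insensitive, optional blanks around
    commas, and not followed by a further RDN (so a longer DN that merely
    contains it is not touched)."""
    rdns = [re.escape(r.strip()) for r in dn.split(",")]
    return re.compile(r"(?<![\w=])" + r"\s*,\s*".join(rdns) + r"(?![\w=,])",
                      re.IGNORECASE)


def first_rdn(dn):
    """first_rdn('dc=example,dc=net') -> ('dc', 'example')"""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def rewrite_namespace(ldif_text, old_realm, new_realm):
    """Return (rewritten LDIF, lines needing manual review).

    DN-valued attributes get old_realm replaced by new_realm; in the realm
    root entry the naming attribute (dc or o) is replaced by the first RDN
    of new_realm. Base64 values ('::') are left alone and reported."""
    old_pat, new_pat = suffix_regex(old_realm), suffix_regex(new_realm)
    old_attr, _ = first_rdn(old_realm)
    new_attr, new_value = first_rdn(new_realm)
    out, review, in_root = [], [], False
    for line in unfold(ldif_text):
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in DN_ATTRS:
            if value.startswith(":"):          # base64-encoded value
                review.append(line)
            else:
                value = old_pat.sub(new_realm, value)
                line = f"{name}:{value}"
        if key == "dn":
            in_root = bool(new_pat.fullmatch(value.strip()))
        elif in_root and key == old_attr:
            line = f"{new_attr}: {new_value}"
        elif in_root and key in REVIEW_ATTRS:
            review.append(line)
        out.append(line)
    return "\n".join(out) + "\n", review


def leftover_references(ldif_text, old_realm):
    """Lines still mentioning old_realm; must be empty before ldapmodify -a."""
    pat = suffix_regex(old_realm)
    return [l for l in unfold(ldif_text) if pat.search(l)]


SAMPLE_LDIF = """\
# Constructed sample in the shape of an EUS realm template (not realmRoot.ldif)
dn: dc=eusovd,dc=com
objectclass: domain
objectclass: orclSubscriber
dc: eusovd
orclsubscriberfullname: eusovd

dn: cn=OracleContext,dc=eusovd,dc=com
objectclass: orclContext
cn: OracleContext

dn: cn=EUSDBGroup,dc=eusovd,dc=com
objectclass: groupOfURLs
cn: EUSDBGroup
memberurl: ldap:///cn=OracleContext,dc=eusovd,
 dc=com??sub?(objectclass=orclDBServer)
"""

if __name__ == "__main__":
    text, review = rewrite_namespace(SAMPLE_LDIF, "dc=eusovd,dc=com",
                                     "dc=example,dc=net")
    print(text)
    for line in review:
        print("REVIEW:", line)
    # Refuse to hand a half-rewritten file to ldapmodify.
    assert not leftover_references(text, "dc=eusovd,dc=com")
```

Run it against a copy of the template (the original is kept in the back-up made in step 1), check every REVIEW line by hand, and only then load the output with the ldapmodify command from step 13. Because the suffix match requires that no further RDN follows, a realm such as dc=eusovd,dc=com is not accidentally rewritten inside an unrelated DN like dc=eusovd,dc=com,dc=example.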
  14. Create a new LDAP Adapter for the user search base in Active Directory using the following settings and by entering the Active Directory host information, including the Remote Base. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the EUS_ActiveDirectory template for the adapter.

    • Enable the Use SSL/TLS option.

    • Set the SSL Authentication Mode to Server Only Authentication/Mutual Authentication.

    • For Remote Base, enter the container in Active Directory, for example: cn=users,dc=adrealm,dc=com

  15. Check if the EUSActiveDirectory.py mapping is already deployed.

    Note:

    Remember that to deploy a mapping on an adapter, you must perform two steps:

    1. You must deploy it globally on the server, which compiles the mapping and makes it available to be activated at the adapter level.

    2. You must configure the mapping on a given adapter.

    For this step, you are confirming whether the EUSActiveDirectory.py mapping has already been deployed at the adapter level. Open the Adapter tab in Oracle Directory Services Manager. Select the name of the new adapter that you created in Step 14, select the Plug-Ins tab, and check if the mapping is displayed in the table.

    • If the mapping is displayed in the table, it is already deployed on this adapter; continue with step 16.

    • If the EUSActiveDirectory.py mapping is not listed in the table, it is not yet deployed. To create a mapping for the Active Directory user search base adapter, click the Create Mapping button, then select EUSActiveDirectory.py, then enter a unique mapping name, click OK, and then click Apply.

      Note:

      It also might be necessary for you to first deploy the mapping in Oracle Directory Services Manager > Advanced > Deployed Mappings.

  16. Add the Mapped Namespace to the orclcommonusersearchbase under cn=Common,cn=Products,cn=oraclecontext,<OID realm>. You can use an LDIF file such as:

    dn: cn=Common,cn=Products,cn=oraclecontext,dc=oracle,dc=com
    changetype: modify
    add: orclcommonusersearchbase
    orclcommonusersearchbase: cn=users,dc=adrealm,dc=com
    
  17. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations. The two ACLs on the authpassword attribute are the security-critical pair: Public is denied every operation on the password verifier attribute, and only the dynamic group of registered Enterprise User Security databases (cn=EUSDBGroup) is granted Search and Read on it. Create the ACLs in the order shown, and keep the EUSDBGroup grant as the last ACL for dc=com.

    Target DN

    cn=subschemasubentry

    Scope

    subtree

    Applies To

    Entry

    Grant

    Browse DN and Return DN

    Access

    Public


    Target DN

    cn=subschemasubentry

    Scope

    subtree

    Applies To

    All Attributes

    Grant

    Search and Read

    Access

    Public


    Target DN

    cn=OracleContext

    Scope

    subtree

    Applies To

    Entry

    Grant

    Browse DN and Return DN

    Access

    Public


    Target DN

    cn=OracleContext

    Scope

    subtree

    Applies To

    All Attributes

    Grant

    Search and Read

    Access

    Public


    Target DN

    cn=OracleSchemaVersion

    Scope

    subtree

    Applies To

    Entry

    Grant

    Browse DN and Return DN

    Access

    Public


    Target DN

    cn=OracleSchemaVersion

    Scope

    subtree

    Applies To

    All Attributes

    Grant

    Search and Read

    Access

    Public


    Target DN

    dc=com

    Scope

    subtree

    Applies To

    Entry

    Grant

    Browse DN and Return DN

    Access

    Public


    Target DN

    dc=com

    Scope

    subtree

    Applies To

    All Attributes

    Grant

    Search and Read

    Access

    Public


    Target DN

    dc=com

    Scope

    subtree

    Applies To

    authpassword

    Deny

    All operations

    Access

    Public


    Note:

    The following ACL must be the last ACL in the ACL list for dc=com.

    Target DN

    dc=com

    Scope

    subtree

    Applies To

    authpassword

    Grant

    Search and Read

    Access

    Group with DN of: cn=EUSDBGroup,<Your Mapped OID domain>


  18. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

    Target DN

    cn=OracleContext,<YOUR DOMAIN>

    Scope

    subtree

    Applies To

    Entry

    Grant

    All

    Access

    Group with DN of:

    cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


    Target DN

    cn=OracleContext,<YOUR DOMAIN>

    Scope

    subtree

    Applies To

    All Attributes

    Grant

    All

    Access

    Group with DN of:

    cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


  19. Set the ACLs in the Oracle Internet Directory to protect the data under cn=OracleContext,<YOUR DOMAIN>.

19.2.3.3 User Identities in Oracle Directory Server Enterprise Edition

No manual configuration of Oracle Directory Server Enterprise Edition is required for this integration.

19.2.3.3.1 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create new Local Store and LDAP adapters using the steps described in Section 19.2.2, "Configuring Adapters for Enterprise User Security".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the EUS_Sun template.

    • Set SSL Authentication Mode to Server Only / Mutual Authentication.

    • The Proxy DN user must be able to read the userPassword attribute in Oracle Directory Server Enterprise Edition. Because this account can read every user's password verifier, grant it no other privileges and protect its password accordingly.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Oracle Directory Server Enterprise Edition are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.3.4 User Identities in Novell eDirectory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Novell eDirectory:

19.2.3.4.1 Configuring Novell eDirectory for the Integration

To configure Novell eDirectory for the integration, enable Universal Password in eDirectory and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.

19.2.3.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Download the NMAS toolkit from the Novell Developer Community Web site.

  3. Upload this library to Oracle Virtual Directory by using Oracle Directory Services Manager. Refer to "Loading Libraries into the Oracle Virtual Directory Server" for more information.

    Restart the Oracle Virtual Directory server.

  4. Start Oracle Directory Services Manager and connect to the Oracle Virtual Directory server.

  5. Create new Local Store and LDAP adapters using the steps described in "Configuring Adapters for Enterprise User Security".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the EUS_eDirectory template.

    • Enable the Use SSL/TLS option and set the SSL Authentication Mode to Server Only Authentication / Mutual Authentication.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Novell eDirectory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.3.5 User Identities in Oracle Internet Directory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Oracle Internet Directory:

19.2.3.5.1 Configuring Oracle Internet Directory for the Integration

No manual configuration of Oracle Internet Directory is required for this integration.

19.2.3.5.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create new Local Store and LDAP adapters using the steps described in "Configuring Adapters for Enterprise User Security".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the EUS_OID template.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Oracle Internet Directory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.4 Configuring Access Control Lists for the Enterprise User Security Integration

This section describes the Access Control Lists (ACLs) that must be configured in Oracle Virtual Directory for the Enterprise User Security integration, regardless of the external repository in which user identities are stored.

Note:

These ACLs are automatically configured in Oracle Virtual Directory when you run the EUS configuration wizard as described in Section 19.2.2, "Configuring Adapters for Enterprise User Security".

However, if you customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations. Perform the following steps to manually configure Oracle Virtual Directory ACLs for the Enterprise User Security integration:

  1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for more information about creating ACLs:

    Target DN: cn=OracleContext
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: cn=OracleContext
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: cn=OracleSchemaVersion
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: cn=OracleSchemaVersion
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: authpassword
    Deny: All operations
    Access: Public

    Note:

    The following ACL must be the last ACL in the ACL list for dc=com.

    Target DN: dc=com
    Scope: subtree
    Applies To: authpassword
    Grant: Search and Read
    Access: Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

    Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.


  2. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

    Target DN: cn=OracleContext,<YOUR DOMAIN>
    Scope: subtree
    Applies To: Entry
    Grant: All
    Access: Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>

    Target DN: cn=OracleContext,<YOUR DOMAIN>
    Scope: subtree
    Applies To: All Attributes
    Grant: All
    Access: Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


  3. Give write permission to the cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN> group.

19.2.5 Configuring Oracle Virtual Directory to Support Multiple Enterprise User Security Domains

Perform the following steps to configure Oracle Virtual Directory to allow Enterprise User Security users contained in multiple domains to authenticate to a database:

  1. Click the Configure adapters for Enterprise User Security (EUS) icon and specify the Different Directory option on the Location for User and Group page in the configuration wizard.

    Refer to "Configuring Adapters for Enterprise User Security" for more information.

  2. Repeat the preceding steps to support additional domains.

Note:

To log in to the database as an enterprise user from any of these additional domains, you must create the User-Schema Mappings for the additional user containers from Enterprise Security Manager or Enterprise Manager.

Refer to Oracle® Database Enterprise User Security Administrator's Guide for instructions.

19.2.6 Enabling User Account Lockout

LDAP servers can lock a user account after several bind attempts fail. The Oracle Virtual Directory-Enterprise User Security integration can use this lockout feature and enforce the back-end LDAP server's password lockout policy as follows:

  • An incorrect login to the Oracle Database records a login failure to the back-end LDAP server

  • A correct login to the Oracle Database resets the login failure count in the back-end LDAP server

    Note:

    For integrations using Active Directory, this functionality is only supported in RDBMS versions 10.2.0.5 and 11.2.

  • A locked user account cannot be used to log in to the Oracle Database

After performing the Oracle Virtual Directory-Enterprise User Security integration, you can enable user account lockout by selecting the Enable User Account Lockout option as you perform the Enterprise User Security configuration steps described in "Configuring Adapters for Enterprise User Security".

Enabling Account Lockout When User Identities Are Stored in Active Directory and Metadata Is Stored in Oracle Internet Directory

To enable the user account lockout feature when you have user identities stored in Active Directory and metadata stored in Oracle Internet Directory, you must perform the following steps:

Note:

For more information about integrating Oracle Virtual Directory with Enterprise User Security when user identities are stored in Active Directory and metadata is stored in Oracle Internet Directory, see Section 19.2.3.2, "User Identities in Microsoft Active Directory and Metadata in Oracle Internet Directory."

  1. Create and configure the euslockout plug-in for the Enterprise User Security integration LDAP Adapter by referring to "Managing Adapter Plug-ins". When you configure the euslockout plug-in, you must:

    • Create a directoryType parameter with a value according to your back-end LDAP server, such as ActiveDirectory for Active Directory.

    • Create a namespace using the name of your user container.

  2. Create the following Access Control Lists. Refer to Section 16.1, "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

    Target DN: Your_User_Container
    Scope: subtree
    Applies To: orclaccountstatusevent
    Deny: All operations
    Access: Public

    Target DN: Your_User_Container
    Scope: subtree
    Applies To: orclaccountstatusevent
    Grant: Write
    Access: Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

    Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.


19.2.7 Integration Limitations

The following is a list of Oracle Virtual Directory-Enterprise User Security integration known limitations:

  • The following functionality is not supported in the integration:

    • DN mapping between Microsoft Active Directory and Oracle Virtual Directory if the Active Directory domain containing the domain DN is mapped to Oracle Virtual Directory. For example, if the Active Directory DN is dc=us,dc=oracle,dc=com and you try to map it to dc=oracle,dc=com in Oracle Virtual Directory, this type of DN mapping is not supported.

    • Administrative Groups except for OracleContextAdmins

    • Enterprise Security Manager console to Oracle Internet Directory Delegated Administration Services

    • Password Policy

    • Client certificate authentication

    • Kerberos authentication when integrating for use with Oracle Directory Server Enterprise Edition and Oracle Internet Directory

    • User Migration Utility (UMU)

    • Multiple Domain environments

    • JDBC Thin Driver—you must use the OCI driver

    • Combined Microsoft Active Directory and Oracle Directory Server Enterprise Edition environments

  • Resetting the account lockout counter after a correct login is not available for Oracle Virtual Directory-Enterprise User Security integrations with Active Directory. Alternatively, Active Directory can reset the account lockout counter after a specified period has elapsed. You can use this option to prevent the lockout counter from accumulating indefinitely.

  • In the Enterprise Security Manager interface:

    • Listed databases may sometimes include an Active Directory tombstone entry.

    • Database and Oracle Internet Directory version information is not available.

19.3 Integrating with Oracle's Net Services

This section describes how to integrate Oracle Virtual Directory with Oracle Database Net Services to centralize name services with Oracle Internet Directory, Microsoft Active Directory, and Oracle Directory Server Enterprise Edition. This section is organized as follows:

19.3.1 Overview

Oracle Virtual Directory can be integrated with Oracle's Net Services database product. Integrating Oracle Virtual Directory and Net Services enhances and simplifies your name service capabilities by allowing you to leverage service entries stored in an external LDAP repository without any additional synchronization.

19.3.2 Starting the Integration

This section lists the common steps required for all Oracle Virtual Directory-Net Services integrations. Perform these steps first, then proceed to the subsequent section for the directory you are integrating with: Oracle Internet Directory, Microsoft Active Directory, or Oracle Directory Server Enterprise Edition. Perform only the steps appropriate for your environment.

Perform the following steps to start the Oracle Virtual Directory-Net Services integration process:

  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory.

  2. Create the subschemasubentry plug-in as a global server plug-in. Refer to "Managing Global Server Plug-ins" for the steps to create server plug-ins.

19.3.3 Integrating for Use with Microsoft Active Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Microsoft Active Directory. Perform these only after you have completed the steps in the "Starting the Integration" section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Microsoft Active Directory includes the following tasks:

19.3.3.1 Configuring Active Directory for the Integration

Perform the following steps to configure Active Directory for the integration:

  1. Make a back-up copy of your Active Directory image. The schema extensions made to Active Directory are permanent and cannot be undone. The back-up image enables you to roll back the changes if required.

  2. Load the Net Services required schema into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
    -AD Active_Directory_Domain_DN

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com

19.3.3.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif

  4. Create an LDAP Adapter for Net Services using the following settings and by entering the Active Directory host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the ONames_ActiveDirectory adapter template.

    • Select the BindOnly Pass Through Credential option.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN: cn=OracleContext
      Scope: subtree
      Applies To: Entry
      Grant: Browse DN and Return DN
      Access: Public

      Target DN: cn=OracleContext
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public

      Target DN: cn=OracleSchemaVersion
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public

      Target DN: Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope: subtree
      Applies To: Entry
      Grant: Browse DN and Return DN
      Access: Public

      Target DN: Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public


    2. Set the ACLs in Oracle Virtual Directory to support the OracleNetAdmins administrative group as follows:

      Target DN: cn=OracleContext,<YOUR MAPPED Oracle Virtual Directory NAMESPACE>
      Scope: subtree
      Applies To: Entry
      Grant: All
      Access: Group with DN of: cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED Oracle Virtual Directory NAMESPACE>

      Target DN: cn=OracleContext,<YOUR MAPPED Oracle Virtual Directory NAMESPACE>
      Scope: subtree
      Applies To: All Attributes
      Grant: All
      Access: Group with DN of: cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED Oracle Virtual Directory NAMESPACE>


  6. Create an LDAP Adapter for the OracleNetAdmins administrative group using the following settings and by entering the Active Directory host information, including port number, proxy DN, and password. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the Active_Directory adapter template.

    • Enter cn=OracleNetAdmins,cn=users,<YOUR Active_Directory_Domain_DN> as the Remote Base.

    • Enter cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED DOMAIN DN in Oracle Virtual Directory> as the Mapped Namespace.

  7. Configure a mapping and plug-in for the OracleNetAdmins administrative group adapter by performing the following steps:

    1. Click the Advanced tab, then click Active_Directory_to_inetOrg, and then click the Apply button to deploy the mapping.

    2. Click the Adapter tab, then click the adapter for the OracleNetAdmins administrative group, then click the Plug-ins tab, then click the Create Mapping button, then select Active_Directory_to_inetOrg.py, then enter a unique mapping name, and then click OK.

    3. Click the Create Plug-in button, then click the Select button, then select the EUSMemberDNMapping plug-in, then click OK, then enter a unique plug-in name, then create the localDomainDN and remoteDomainDN parameters, and then click OK. Note that the localDomainDN and remoteDomainDN may be different if you have DN mapping configured.

    4. Click the Apply button.

    Note:

    You may not see the group membership changes immediately after your changes in Active Directory. This is because of Active Directory's group membership refresh interval configuration.

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Microsoft Active Directory are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.3.4 Integrating for Use with Oracle Directory Server Enterprise Edition

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition. Perform these only after you have completed the steps in the "Starting the Integration" section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition includes the following tasks:

19.3.4.1 Configuring Oracle Directory Server Enterprise Edition for the Integration

Perform the following steps to configure Oracle Directory Server Enterprise Edition for the integration:

  1. Extend the iPlanet LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
    -D cn="directory manager" -q -v -a -f ./iPlanetSchema.ldif
    
  2. Create a realm in iPlanet by performing the following steps:

    1. Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create a realm in iPlanet using the realmiPlanet.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./realmiPlanet.ldif
      
  3. Configure the user and group containers by either creating new user and group containers, or by using existing user and group containers.

    Creating New User and Group Containers

    1. Open the iPlanetContainers.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create user and group containers in iPlanet using the iPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./iPlanetContainers.ldif
      

    Using Existing User and Group Containers

    1. Open the useiPlanetContainers.ldif file.

    2. Replace all instances of the cn=users,dc=us,dc=oracle,dc=com string with the name of your user container.

    3. Replace all instances of the cn=groups,dc=us,dc=oracle,dc=com string with the name of your group container.

      Note:

      Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

    4. Run the following command to create a realm in iPlanet using the useiPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./useiPlanetContainers.ldif
      

19.3.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif

  4. Create an LDAP Adapter for Net Services using the following settings and by entering the Oracle Directory Server Enterprise Edition host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the ONames_Sun adapter template.

    • Select the BindOnly Pass Through Credential option.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN: cn=OracleContext
      Scope: subtree
      Applies To: Entry
      Grant: Browse DN and Return DN
      Access: Public

      Target DN: cn=OracleContext
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public

      Target DN: cn=OracleSchemaVersion
      Scope: subtree
      Applies To: Entry
      Grant: Browse DN and Return DN
      Access: Public

      Target DN: cn=OracleSchemaVersion
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public

      Target DN: Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope: subtree
      Applies To: Entry
      Grant: Browse DN and Return DN
      Access: Public

      Target DN: Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public


    2. Set the ACLs in Oracle Virtual Directory to support the OracleNetAdmins administrative group as follows:

      Target DN: cn=OracleContext,<YOUR MAPPED Oracle Virtual Directory NAMESPACE>
      Scope: subtree
      Applies To: Entry
      Grant: All
      Access: Group with DN of: cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED Oracle Virtual Directory NAMESPACE>

      Target DN: cn=OracleContext,<YOUR MAPPED Oracle Virtual Directory NAMESPACE>
      Scope: subtree
      Applies To: All Attributes
      Grant: All
      Access: Group with DN of: cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED Oracle Virtual Directory NAMESPACE>


    3. Set the ACLs in the external directory to protect the data under cn=OracleContext,<YOUR DOMAIN>.

      You must create an access control instruction (ACI) in Oracle Directory Server Enterprise Edition, so that only the OracleContextAdmins group can access and manage the domain-specific OracleContext sub-tree.

      The following LDIF entry provides read and write access to the OracleContext realm. You must replace <YOUR DOMAIN> with your specific domain DN.

      # Continuation lines of the aci value begin with a single space (LDIF line folding).
      dn: cn=OracleContext,<YOUR DOMAIN>
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=OracleContext,<YOUR DOMAIN>")(targetattr = "*")
       (version 3.0; acl "Allow OracleContextAdmins Group read and write access to all attributes"; allow
       (read, search, compare, add, write, delete)
       (groupdn = "ldap:///cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>");)

      Note:

      For more information about ACIs, refer to the administration guide for your directory server.

      To verify that an ACI was loaded correctly, use an ldapsearch while explicitly requesting the ACI attribute. For example:

      ldapsearch -h <sun host> -p <port> -D "<admin DN, for example cn=directory manager>" \
      -w <password> -s base -b "cn=OracleContext,dc=mydomain,dc=com" "objectclass=*" aci

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Oracle Directory Server Enterprise Edition are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.3.5 Integrating for Use with Oracle Internet Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Oracle Internet Directory. Perform these only after you have completed the steps in the "Starting the Integration" section.

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif

  4. Create an LDAP Adapter for Net Services using the ONames_OID adapter template and by entering the Oracle Internet Directory host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN: cn=OracleContext
      Scope: subtree
      Applies To: Entry
      Grant: Browse DN and Return DN
      Access: Public

      Target DN: cn=OracleContext
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public

      Target DN: cn=OracleSchemaVersion
      Scope: subtree
      Applies To: Entry
      Grant: Browse DN and Return DN
      Access: Public

      Target DN: cn=OracleSchemaVersion
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public

      Target DN: Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope: subtree
      Applies To: Entry
      Grant: Browse DN and Return DN
      Access: Public

      Target DN: Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope: subtree
      Applies To: All Attributes
      Grant: Search and Read
      Access: Public


The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Oracle Internet Directory are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.4 Integrating with Oracle's Real Application Security

Integrating Oracle Virtual Directory and Real Application Security (RAS) provides uniform authorization services to Oracle applications by using an integrated infrastructure that spans across application tiers and database instances.

RAS user sessions are designed to enhance security and performance for applications and middle-tier servers that use the Oracle RDBMS for processing and storage. RAS sessions enable applications to create a user session on the database server that specifically holds the state relevant to the application and its user.

Because RAS is integrated with Oracle Platform Security Services (OPSS), RAS sessions support externally managed users and roles. Also, RAS supports directly logging into the RAS DB as an external user present in the identity store. This feature is similar to Enterprise User Security (EUS).

This section describes how to integrate Oracle Virtual Directory with Oracle's Real Application Security (RAS) and contains the following topics:

19.4.1 Before You Begin

Regardless of which external directory you use to store user identities, you must perform the following steps to prepare Oracle Virtual Directory for integration with Real Application Security.

  • If you are using an Active Directory back-end directory, you must load the back-end LDAP schema. Only a single, minimal schema change, adding the orclCommonAttribute attribute definition, is necessary for Active Directory. This step is not required for other directory types.

  • Configure the policy stores in Oracle Virtual Directory for authorization for Java SE applications by following the instructions in the "Authorization for Java SE Applications" chapter of the Oracle Fusion Middleware Application Security Guide.

19.4.2 Preparing Oracle Virtual Directory for the Real Application Security Integration

Before configuring Oracle Virtual Directory for Real Application Security integration, you must create a back-up copy of the ORACLE_HOME/ovd/ras/ directory.

All of the configuration files required for the Real Application Security integration are stored in the ras directory. Making a back-up copy of the ras directory enables you to edit the template-like files in the original ras directory based on your environment, and still keep copies of the original files.

19.4.3 Configuring Adapters for Real Application Security (RAS)

You must create an LDAP adapter for each identity store. If an LDAP adapter already exists, you can configure a RAS Plug-in there.

Configuring Oracle Virtual Directory for RAS creates a cn=RealApplicationSecurityRoot entry in the Oracle Virtual Directory Local Store Adapter. Oracle Virtual Directory stores all RAS-specific data in this subtree. In addition, the cn=RealApplicationSecurityRoot entry contains an optional orclRASSearchBase attribute that RAS uses as the default searchbase for LDAP requests from the database.

To configure LDAP and Local Store adapters for RAS, follow these steps:

  1. Log in to Oracle Directory Services Manager.

  2. Select the Adapter tab and click the Configure adapters for Real Application Security (RAS) icon.

  3. When the LDAP Adapters Configuration for Real Application Security wizard displays, expand the Information node to read about the RAS Plug-in and RAS Sessions.

    Use the icons located above the Adapters table to create, add, edit, or delete LDAP adapters as follows:

    • To create a new LDAP adapter for RAS, click the Create new LDAP Adapter icon. When the Create LDAP Adapter dialog displays, provide the following information, and then click OK:

      Table 19-1 LDAP Adapter Parameters

      Adapter Name (Required): Enter a unique name for the new adapter. Other configuration fields use this name to reference the adapter.

      Adapter Template (Required): Select a RAS template from the menu. For example, select RAS ActiveDirectory to integrate Oracle Virtual Directory with RAS for user identities stored in Active Directory.

      Host (Required): Enter the DNS name or IP address of the LDAP server to connect to.

      Port (Required): Enter the port number of the LDAP server.

      Server proxy Bind DN: Enter the distinguished name that the adapter uses to bind to the directory. Leave this field blank for an anonymous bind.

      Proxy Password: Enter the password for the proxy bind DN. Leave this field blank for an anonymous bind.

      Use SSL/TLS: This option is enabled by default. Note: You must use SSL in the LDAP adapter.

      SSL Authentication Mode: Use the menu to specify No Authentication or Server Only Authentication.

      Remote Base (Required): Enter the remote base entry (DN) at which all operations begin.

      Mapped Namespace (Required): Enter the local mapped DN, for example, dc=org.

      Plugin Name (Required): This value is RAS by default.

      Login Attribute in Backend (Required): Enter the login attribute name for the back-end directory.

      Optional Parameters: Use the Add or Delete icons to specify optional plug-in parameters for this adapter.

      • Click Add to insert a new line in the table, where you can add a new parameter name and value.

      • Select a parameter listed in the table, and click Delete to remove that parameter from the list.

      For more information about these optional parameters, refer to Section 4.3.9, "Real Application Security Plug-In."


    • To configure a RAS plug-in using an existing LDAP adapter, click the Add existing LDAP Adapter icon. When the Add LDAP Adapters dialog displays, select one or more adapters in the table, and then click OK.

    • To edit an adapter listed in the table, select the adapter name and click the Edit the selected LDAP Adapter icon. When the Edit LDAP Adapter dialog displays, edit the parameters as needed, and then click OK.

    • To delete an adapter listed in the table, select the adapter name and click the Delete the selected LDAP Adapter icon. The adapter information is immediately removed from the Adapters table.

  4. When you are satisfied with the adapters listed in the Adapters table, click Next to go to the Search Base page. Notice that the Mapped Namespace value you specified previously is listed in this table.

  5. Use the Search Base page to add or remove RAS Search Base DNs.

    • To specify additional DNs, click the Add icon and when a new line appears in the table, enter the DN information.

    • To remove DNs, select the line you want to remove and then click the Delete icon.

  6. Click Next to go to the Summary page.

  7. Verify the LDAP Adapter Details and Search Base information presented on this page. If no additional changes are necessary, click Finish.

    Oracle Virtual Directory performs the following actions:

    • Creates a new LDAP adapter or updates the existing LDAP adapter with the RAS plug-in parameters

    • Creates the RealApplicationSecurityRoot Local Store Adapter with cn=RealApplicationSecurityRoot as root

    • Creates the cn=RealApplicationSecurityRoot entry in the Local Store Adapter (if it does not already exist)

      All RAS-specific data will be stored in this subtree.

    • Updates the orclRASSearchBase attribute with the search base you provided, which is used as the default search base for LDAP requests from the database.

    • Updates the ACL by creating an ACL for the cn=RealApplicationSecurityRoot entry (if it does not already exist).

19.4.4 Enabling RAS DB Root DN Discovery

Oracle Virtual Directory publishes the RAS DB root DN as part of an optional attribute, called orclRASSearchBase, in the cn=RealApplicationSecurityRoot entry.

The orclRASSearchBase attribute is multi-valued. Depending on the directory structure, RAS DB uses these DNs as search bases when searching for users during DB logon. After configuring Oracle Virtual Directory for RAS DB, administrators must populate this attribute as appropriate. Where several LDAP adapters for RAS DB are configured in Oracle Virtual Directory, this attribute may have more than one value. The following are some examples of orclRASSearchBase attribute values:

Note:

Administrators decide which searchbase to use, based on the deployment DIT. They can choose a DN provided that it is within the same namespace as the Oracle Virtual Directory adapter root.

  • Single RAS DB LDAP adapter case or multiple RAS DB adapters using the same adapter root DN

    For example, if the Oracle Virtual Directory LDAP adapter root is dc=oracle,dc=com, then orclRASSearchBase can be dc=oracle,dc=com

  • Multiple RAS DB LDAP adapter case, where the adapters do not share the same root

    For example, if the Oracle Virtual Directory LDAP adapter roots are dc=oracle,dc=com and dc=test,dc=com, then orclRASSearchBase can be dc=oracle,dc=com and dc=test,dc=com

  • RAS DB LDAP adapter case where the administrator wants to restrict the search scope of the user search request from RAS DB to some specific container at the back-end

    For example, if the Oracle Virtual Directory LDAP adapter root is dc=oracle,dc=com then orclRASSearchBase can be similar to ou=ST-Dev,dc=oracle,dc=com.

The following ldapsearch command prints the values currently configured for orclRASSearchBase:

ldapsearch -h <host> -p <port> -D <bind_dn> -w <password> -b "cn=RealApplicationSecurityRoot" -s base "objectclass=*" orclRASSearchBase
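As an added check (example code written for this chapter, not part of the Oracle documentation or product), the following Python script parses the LDIF output of that ldapsearch and verifies the two constraints stated here: each orclRASSearchBase value must lie within the namespace of one of the adapter roots (the note above), and, when several identity stores are configured (Section 19.4.7), each adapter root must be covered by at least one search base. The LDIF text and the adapter root DNs embedded below are constructed sample values.

```python
import base64
import re

# Constructed sample of what the ldapsearch above might return (not real data).
# One value is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: cn=RealApplicationSecurityRoot
cn: RealApplicationSecurityRoot
orclRASSearchBase: dc=oracle,dc=com
orclRASSearchBase: ou=ST-Dev,
  dc=test, DC=Com
orclRASSearchBase: dc=other,dc=com
"""

# Hypothetical Mapped Namespace values of the RAS LDAP adapters in OVD.
ADAPTER_ROOTS = ["dc=oracle,dc=com", "dc=test,dc=com", "dc=unused,dc=com"]


def normalize_dn(dn):
    """Canonical form for comparing DIT positions: a tuple of 'type=value'
    RDNs with whitespace trimmed and case folded. Splits only on commas that
    are not backslash-escaped; not a full RFC 4514 matcher."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        typ, _, val = rdn.partition("=")
        out.append(typ.strip().lower() + "=" + val.strip().lower())
    return tuple(out)


def dn_within(dn, root):
    """True if dn equals root or is an entry below it (root is a suffix)."""
    d, r = normalize_dn(dn), normalize_dn(root)
    return len(d) >= len(r) and d[len(d) - len(r):] == r


def parse_search_bases(ldif):
    """Collect orclRASSearchBase values from LDIF text, unfolding
    continuation lines (leading space) and decoding base64 ('::') values."""
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip():
            unfolded.append(raw)
    values = []
    for line in unfolded:
        m = re.match(r"(?i)orclrassearchbase(::?)\s*(.*)$", line)
        if m:
            val = m.group(2)
            if m.group(1) == "::":
                val = base64.b64decode(val).decode("utf-8")
            values.append(val)
    return values


def check_search_bases(search_bases, adapter_roots):
    """Report search bases outside every adapter root (RAS DB would search a
    namespace OVD does not serve) and roots that no search base covers
    (users in that identity store would never be found at DB logon)."""
    outside = [sb for sb in search_bases
               if not any(dn_within(sb, r) for r in adapter_roots)]
    uncovered = [r for r in adapter_roots
                 if not any(dn_within(sb, r) for sb in search_bases)]
    return {"outside": outside, "uncovered_roots": uncovered}


if __name__ == "__main__":
    print(check_search_bases(parse_search_bases(SAMPLE_LDIF), ADAPTER_ROOTS))
```

To run it against a real deployment, replace SAMPLE_LDIF with the captured ldapsearch output and ADAPTER_ROOTS with the Mapped Namespace values of your RAS adapters.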

19.4.5 Integrating Oracle Virtual Directory with External Directories

This section contains instructions for integrating Oracle Virtual Directory with Real Application Security for use with specific external directories. These instructions are organized by external directory type into the following sections:

Continue to the section that describes the external directory where you are storing your user identities.

Note:

Back-end LDAP schema extensions are not required for any of these external directories, except Active Directory. These changes are done in the Oracle Virtual Directory local store.

For an Active Directory directory, only a single, minimal schema change is necessary. You must add the orclCommonAttribute attribute definition, which is used by the Oracle Internet Directory Password Change Notification plug-in to store the generated password hash value.

For RAS DB, no metadata entries are stored in the back-end directory. Consequently, it is not necessary to make any back-end LDAP schema extensions for any external directories, except Active Directory.

19.4.5.1 Configuring Active Directory for the Integration

This section describes how to configure Active Directory and Oracle Virtual Directory for integration with RAS.

19.4.5.1.1 Configuring Active Directory for the Integration

Note:

If you are using Kerberos authentication in the integration, do not perform steps 3 and 4 in the following procedure.

To configure Active Directory for the integration:

  1. Make a back-up copy of your Active Directory image. The schema extensions inside Active Directory are permanent and cannot be undone. The back-up image enables you to restore all your changes if required.

  2. Execute the following command to load the orclCommonAttribute schema extension that RAS requires into Active Directory, using the extendAD Java class included in Oracle Virtual Directory.

    The extendAD file is located in the $ORACLE_HOME/ovd/eus/ directory. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password
    -AD Active_Directory_Domain_DN -commonattr

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com

  3. Install the Oracle Internet Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

    1. Copy the $ORACLE_HOME/ovd/ras/oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.

    2. Use regedt32 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    4. Restart the Active Directory system after making these changes.

  4. Verify the Oracle Internet Directory Password Change Notification plug-in by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user whose password you changed. Verify that the orclCommonAttribute attribute contains the generated password hash value.

      This value adds the orclCommonAttribute attribute definition in Active Directory.

    3. Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.

  5. If you are using Kerberos authentication on Windows 2000 or Windows 2003 with Oracle Database Advanced Security, you must configure it now by referring to the Oracle Database Advanced Security Administrator's Guide.

    After you configure the Kerberos authentication, make sure you can log in to the database using your Active Directory user credential before proceeding to the next steps.

19.4.5.1.2 Configuring Oracle Virtual Directory for the Integration

Note:

Before starting this procedure, be sure you have performed all steps in Section 19.4.2, "Preparing Oracle Virtual Directory for the Real Application Security Integration."

To configure Oracle Virtual Directory for integration:

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create Local Store and LDAP adapters using the steps described in Section 19.4.3, "Configuring Adapters for Real Application Security (RAS)".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the RAS_ActiveDirectory template.

    • Ensure the Use SSL/TLS option is enabled.

    • Set SSL Authentication Mode to Server Only Authentication / Mutual Authentication.

The steps to configure Oracle Virtual Directory for integration with RAS and for use with Microsoft Active Directory are complete. To continue the integration process and configure RAS, refer to your Oracle Real Application Security product documentation.

19.4.5.2 Configuring Novell eDirectory for the Integration

This section describes how to configure Novell eDirectory and Oracle Virtual Directory for integration with RAS.

19.4.5.2.1 Configuring Novell eDirectory for the Integration

To configure Novell eDirectory for the integration, enable Universal Password in eDirectory and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.

19.4.5.2.2 Configuring Oracle Virtual Directory for the Integration

Note:

Before starting this procedure, be sure you have performed all steps in Section 19.4.2, "Preparing Oracle Virtual Directory for the Real Application Security Integration."

To configure Oracle Virtual Directory for the integration:

  1. Download the NMAS toolkit from the Novell Developer Community Web site.

  2. Upload this library to Oracle Virtual Directory by using Oracle Directory Services Manager. Refer to "Loading Libraries into the Oracle Virtual Directory Server" for more information.

    Restart the Oracle Virtual Directory server.

  3. Start Oracle Directory Services Manager and connect to the Oracle Virtual Directory server.

  4. Create new Local Store and LDAP adapters using the steps described in "Configuring Adapters for Real Application Security (RAS)".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the RAS_eDirectory template.

    • Enable the Use SSL/TLS option and set the SSL Authentication Mode to Server Only Authentication / Mutual Authentication.

The steps to configure Oracle Virtual Directory for integration with RAS and use it with Novell eDirectory are complete. To continue the integration process and configure RAS, refer to your Oracle Real Application Security product documentation.

19.4.5.3 Configuring Oracle Internet Directory for the Integration

This section describes how to configure Oracle Internet Directory and Oracle Virtual Directory for integration with RAS.

19.4.5.3.1 Configuring Oracle Internet Directory for the Integration

No manual configuration of Oracle Internet Directory is required for this integration.

19.4.5.3.2 Configuring Oracle Virtual Directory for the Integration

Note:

Before starting this procedure, be sure you have performed all steps in Section 19.4.2, "Preparing Oracle Virtual Directory for the Real Application Security Integration."

To configure Oracle Virtual Directory for integration:

  1. Start the Oracle Virtual Directory server.

  2. Start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create Local Store and LDAP adapters using the steps described in Section 19.4.3, "Configuring Adapters for Real Application Security (RAS)."

    Be sure to select the RAS_OID template for the LDAP Adapter.

The steps to configure Oracle Virtual Directory for integration with RAS and for use with Oracle Internet Directory are complete. To continue the integration process and configure RAS, refer to your Oracle Real Application Security product documentation.

19.4.5.4 Configuring Oracle Directory Services Manager for the Integration

This section describes how to configure Oracle Directory Services Manager and Oracle Virtual Directory for integration with RAS.

19.4.5.4.1 Configuring Oracle Directory Services Manager for the Integration

Note:

If you are using Kerberos authentication in the integration, do not perform steps 3 and 4 in the following procedure.

To configure Oracle Directory Services Manager for the integration:

  1. Make a back-up copy of your Oracle Directory Services Manager image. The schema extensions inside Oracle Directory Services Manager are permanent and cannot be undone. The back-up image enables you to restore all your changes if required.

  2. Execute the following command to load the orclCommonAttribute schema extension that RAS requires into Oracle Directory Services Manager, using the extendODSM Java class included in Oracle Virtual Directory.

    The extendODSM file is located in the $ORACLE_HOME/ovd/eus/ directory. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendODSM -h ODSM_Host_Name -p ODSM_Port
    -D ODSM_Admin_DN -w ODSM_Admin_Password
    -ODSM ODSM_Domain_DN -commonattr

    Note:

    An example of a valid Oracle Directory Services Manager domain DN is: dc=oracle,dc=com

  3. Install the Oracle Internet Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

    1. Copy the $ORACLE_HOME/ovd/ras/oidpwdcn.dll file to the Oracle Directory Services Manager WINDOWS\system32 directory.

    2. Use regedt32 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    4. Restart the Oracle Directory Services Manager system after making these changes.

  4. Verify the Oracle Internet Directory Password Change Notification plug-in by performing the following steps:

    1. Change the password of an Oracle Directory Services Manager user.

    2. Search Oracle Directory Services Manager for the user whose password you changed. Verify that the orclCommonAttribute attribute contains the generated password hash value.

      This value adds the orclCommonAttribute attribute definition in Oracle Directory Services Manager.

    3. Reset the password for all the Oracle Directory Services Manager users, allowing the plug-in to acquire the password changes and generate and store password verifiers.

  5. If you are using Kerberos authentication on Windows 2000 or Windows 2003 with Oracle Database Advanced Security, you must configure it now by referring to the Oracle Database Advanced Security Administrator's Guide.

    After you configure the Kerberos authentication, make sure you can log in to the database using your Oracle Directory Services Manager user credential before proceeding to the next steps.

19.4.5.4.2 Configuring Oracle Virtual Directory for the Integration

Note:

Before starting this procedure, be sure you have performed all steps in Section 19.4.2, "Preparing Oracle Virtual Directory for the Real Application Security Integration."

To configure Oracle Virtual Directory for integration:

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create Local Store and LDAP adapters using the steps described in Section 19.4.3, "Configuring Adapters for Real Application Security (RAS)".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the RAS_ODSM template.

    • Ensure the Use SSL/TLS option is enabled.

    • Set SSL Authentication Mode to Server Only Authentication / Mutual Authentication.

The steps to configure Oracle Virtual Directory for integration with RAS and for use with Oracle Directory Services Manager are complete. To continue the integration process and configure RAS, refer to your Oracle Real Application Security product documentation.

19.4.6 Configuring Access Control Lists for the Real Application Security Integration

This section describes the Access Control Lists (ACLs) that must be configured in Oracle Virtual Directory for the Real Application Security integration, regardless of the external repository that you are using to store user identities.

Default RASDB ACLs for Oracle Virtual Directory

During Oracle Virtual Directory configuration, the following ACLs are set by default for the subtree configured for RAS:

  • Read and search access for the adapter subtree to the RAS DB entry.

  • Deny access to authpassword and orclaccountstatusevent to everyone.

ACL for cn=RealApplicationSecurityRoot Entry

This ACL sets read and write access only for the administrator.

By default, after Oracle Virtual Directory is configured for RAS access, no users can log in to the RAS DB until you explicitly grant them access privileges.

To enable a user to log in to RAS DB, you must set the following ACLs in Oracle Virtual Directory:

  • Grant access to the authpassword attribute to the RAS DB entry, and deny it to everyone else.

  • Grant access to the orclaccountstatusevent attribute to the RAS DB entry, and deny it to everyone else.

To set an ACL that enables a user for RAS DB access, you can use one of the following methods:

  • Grant access to an entire subtree.

  • Grant access to a group of users based on a user attribute. For example, you could grant access to the database to all users with the ou:st-dev user attribute.

  • Grant access to individual users.

You can set these ACLs from Oracle Directory Services Manager or from the command line using ldapmodify. Oracle Virtual Directory ships a few example LDIFs for configuring these ACLs in the $ORACLE_HOME/ovd/ras directory.

19.4.7 Configuring Oracle Virtual Directory to Support Multiple Identity Stores

Oracle Virtual Directory can support multiple identity stores, but you must configure a corresponding LDAP adapter with the RAS DB plug-in for each identity store.

Decide which root DN to use in the Oracle Virtual Directory LDAP adapters. Then, after creating the LDAP adapters, you must populate the orclRASSearchBase attribute with all these adapter root DNs.

19.4.8 Working with User Account Lockout

LDAP servers can lock a user account after several bind attempts fail. The Oracle Virtual Directory-Real Application Security integration can use this lockout feature to enforce the back-end LDAP server's password lockout policy as follows:

  • An incorrect login to the Oracle Database records a login failure to the back-end LDAP server.

  • A correct login to the Oracle Database resets the login failure count in the back-end LDAP server.

  • A locked user account cannot be used to log in to the Oracle Database.

To enable user account lockout for Real Application Security, refer to Section 19.2.6, "Enabling User Account Lockout."