|Oracle® Fusion Middleware Administrator's Guide for Oracle Authentication Services for Operating Systems
11g Release 1 (11.1.1)
Part Number E16454-02
|PDF · Mobi · ePub|
Before configuring Oracle Authentication Services for Operating Systems, ensure that you are using a supported operating system and the supported version of Oracle Internet Directory. Then, before you start the install, determine which of the optional product features you will use and locate the scripts you will use for migration.
This chapter contains the following topics:
Oracle Authentication Services for Operating Systems has both server and client components. The server is the computer that runs Oracle Internet Directory. The client is a computer that uses the services of Oracle Internet Directory for authentication.
For up-to-date information about supported server and client operating systems, please consult the following documents:
The README document accompanying this release
Note 1064891.1: Oracle Authentication Services for Operating Systems Documentation Addendum (22.214.171.124). This document is available on My Oracle Support at
Before you can configure Oracle Authentication Services for Operating Systems, you must install Oracle Internet Directory. If you plan to migrate entries from an existing LDAP-compliant directory, or to synchronize Oracle Internet Directory with another directory, such as Active Directory, you must install Oracle Directory Integration Platform along with Oracle Internet Directory.
See Also:The Oracle Fusion Middleware Installation Guide for Oracle Identity Management for your platform for information about installing Identity Management components.
If you have already installed Oracle Authentication Services for Operating Systems 10g, you do not need to reconfigure your server or client machines unless you are changing some configuration features, such as ports or SSL certificate.
Upgrade to Oracle Internet Directory 11g as described in Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management. Apply 11g R1 Patch Set 2 (126.96.36.199.0).
If you need to change the configuration, use the 11g scripts, as described in Chapter 3, "Configuring Oracle Authentication Services for Operating Systems."
In Oracle Internet Directory 11g Release 1 (11.1.1) and later, anonymous binds are allowed by default, but anonymous users can only perform search operations on the root DSE entry. When you upgrade, however, Oracle Internet Directory enables anonymous binds. If, for some reason, anonymous binds have been disabled, you can enable them by using the
ldapmodify command, as described in the Troubleshooting section "Users Cannot Log In".
Before you begin the installation, consider which features of the product you are likely to use. For basic functionality, you must run the server script on the system where you are running the Oracle Internet Directory server, then run the client script on each client. These scripts configure the server and clients for LDAP authentication. In addition to configuring basic LDAP authentication, you can choose from the following options:
Secure Socket Layer (SSL)–Unless your server and clients are isolated from the internet, you should enable SSL. To do so, use the SSL versions of the server and client configuration scripts. The
system-config-users requires SSL when you use it with Oracle Authentication Services for Operating Systems on Red Hat or Oracle Enterprise Linux.
Certificate and wallet to use with SSL–The SSL server configuration script can use an existing certificate or generate a self-signed certificate, which is not designed for production mode. If you plan to use an existing certificate, you must have already configured Oracle Internet Directory in SSL mode with this certificate. You can also choose to use a customized wallet instead of the default wallet.
The "Configuring Secure Sockets Layer (SSL)" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on configuring Oracle Internet Directory in SSL mode.
Oracle Fusion Middleware Administrator's Guide for information on Oracle wallets.
Current authentication source to migrate from–If you are using files, NIS, or another LDAP server, you can migrate to Oracle Internet Directory.
Whether to configure the
libuser tools to use LDAP–The GUI tool
system-config-users and the command-line utilities (
luserdelete, etc.) exist, by default, on Red Hat Enterprise Linux and Oracle Enterprise Linux. You can configure the
libuser tools to work with LDAP, so that adding a user with
luseradd, for example, adds the user entry to Oracle Internet Directory. If you do not use the
libuser tools, you must use Oracle Directory Manager, Oracle Internet Directory bulk tools, or Oracle Internet Directory LDAP tools to configure entries directly in Oracle Internet Directory. If your client is Red Hat Enterprise Linux or Oracle Enterprise Linux, the client script will prompt you as to whether you want to configure
libuser tools, you must configure your client and server for SSL.
If you plan to use Oracle Internet Directory to enforce password policies, you cannot use tools in the
libuser package to add passwords or entries containing passwords.
You cannot use the non-
groupdel for user or group administrative tasks.
Data to migrate–Open Source scripts such as those described in the next section support migration of users and groups and other configuration data from NIS or from files. Oracle Authentication Services for Operating Systems includes tools for migrating from a third-party LDAP directory server.
Whether to migrate
sudo–You can use Oracle Internet Directory instead of a
sudoers configuration file to authenticate
How to enforce password policies–You can continue to use the operating system for password enforcement. Alternatively, you can use Oracle Internet Directory for centralized password policies.
Whether to integrate with Active Directory–You can use credentials stored in Active Directory for user authentication on Linux or UNIX-based operating systems.
If you have user, group, and other entries maintained in the local file system or in NIS/NIS+, you can move to LDAP as your storage mechanism for these entries. There are tools available to extract the existing information and produce output files in the LDAP Data Interchange Format (LDIF). Once you have your information in LDIF files, you can use the
ldapadd tool to load the information into Oracle Internet Directory.
You must use the
nistoldif tools on AIX for user and group migrations. Do not use the migration tools from
A number of free tools are available. We have validated the process of migrating information using the LDAP migration tools available at:
If you have the
openldap packages installed on your host, you will find the same migration tools at:
If you want to migrate the contents of the
sudoers file to LDAP, you must run a migration script and build
sudo with LDAP enabled. You can obtain the
sudo package from:
You cannot successfully search for an attribute in Oracle Internet Directory unless the attribute is indexed. If you plan to add custom attributes, you can index them at the time you create them by using Oracle Directory Manager. You can also use
ldapmodify to create an indexed attribute. You would use an LDIF file such as this:
dn: cn=catalogs changetype: modify add: orclindexedattribute orclindexedattribute: attribute_name
Alternatively, you can index attributes after they have been created in Oracle Internet Directory by using
catalog, as explained in "Using Custom Attributes in Oracle Internet Directory".
Note:If you attempt to perform a search with a non-indexed attribute specified as a required attribute, the server will return the error:
Function not implemented. DSA unwilling to perform.
The following pre-installation tasks are platform-specific.
If a computer that you plan to use as a client is running HP-UX, you must download and install: LDAP-UX Integration J4269AA, HP-UX 11iv2 for Workstations and Servers B.04.00.03, as
root. You can download the software from:
If you plan to run the SSL version of the server configuration script on Solaris 5.9 or 5.10, you must ensure that Oracle Internet Directory is using the standard LDAP ports,
636, for non-SSL and SSL, respectively.
If necessary, start a new Oracle Internet Directory instance using the standard LDAP ports. Proceed as follows:
Stop all Oracle Internet Directory instances by using the
opmnctl command. Type:
opmnctl stopproc process-type=OID
root, execute the command:
Create a new component of type
OID. For example, to create a component with component name
oid2 and namespace
$ORACLE_INSTANCE/bin/opmnctl createcomponent -componentType OID \ -componentName oid2 -Db_info \ "myhost.us.example.com:1521:dbservice.us.example.com" \ -Port 389 -Sport 636 -Namespace "dc=us,dc=example,dc=com"
Start the Oracle Internet Directory instances. For example, to start component
$ORACLE_INSTANCE/bin/opmnctl startproc ias-component=oid2
See Also:The chapter "Managing Oracle Internet Directory Instances," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.