Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory
11g Release 1 (11.1.1)

Part Number E10046-07

19 Configuring Oracle Virtual Directory for Integrated Directory Solutions

This chapter explains how to configure Oracle Virtual Directory for integration with commonly used directory and identity management technologies and contains the following topics:

Note:

You can use Oracle Virtual Directory with most LDAP-enabled technologies. The information in this chapter highlights Oracle Virtual Directory features and capabilities that simplify common integrations.

Contact your Oracle support representative for assistance with other Oracle Virtual Directory integrations.

19.1 Configuring Oracle Virtual Directory for Oracle Access Manager

Perform the following steps to configure Oracle Virtual Directory for integration with Oracle Access Manager (OAM) using Oracle Directory Services Manager's Setup for Oracle Access Manager Quick Config Wizard. The Setup for Oracle Access Manager Quick Config Wizard walks you through the steps to create the required Local Store Adapter and also the appropriate adapter type, either LDAP, Database, or Custom, for the data repository that Oracle Access Manager uses.

  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Quick Config Wizards entry in the Advanced tree.

  4. Click Setup for Oracle Access Manager in the tree. The Setup for Oracle Access Manager screen appears.

  5. Enter the namespace for the Local Store Adapter in DN format in the Namespace used for creating Local Store Adapter (LSA) field and click Apply. The Adapters screen appears.

  6. Create an adapter for the data repository that Oracle Access Manager uses by performing whichever of the following procedures is appropriate for that repository:

    To create an LDAP Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM LDAP Adapter button. The Preparing OVD for OAM - Create LDAP Adapter dialog box appears.

    2. Enter a unique name for the LDAP Adapter in the Adapter Name field. Select the appropriate template for the LDAP Adapter by choosing an option from the Adapter Template list. Choose Default if you are not integrating with Microsoft Active Directory or Oracle Directory Server Enterprise Edition (formerly Sun Java System Directory Server). Refer to "Understanding Adapter Templates" for more information. Click Next. The Connection screen of the Preparing OVD for OAM - Create LDAP Adapter dialog box appears.

    3. Perform steps 5 through 16 in "Creating LDAP Adapters" to configure the LDAP Adapter for OAM.

    4. Review the summary of settings and click Finish to create the LDAP Adapter for OAM. The new LDAP Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

    To create a Database Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM Database Adapter button. The Preparing OVD for OAM - Create Database Adapter dialog box appears.

    2. Enter a unique name for the Database Adapter in the Adapter Name field. Select the appropriate template for the Database Adapter by choosing an option from the Adapter Template list. Refer to "Understanding Adapter Templates" for more information. Click Next. The Connection screen of the Preparing OVD for OAM - Create Database Adapter dialog box appears.

    3. Perform steps 5 through 10 in "Creating Database Adapters" to configure the Database Adapter for OAM.

    4. Review the summary of settings and click Finish to create the Database Adapter for OAM. The new Database Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

    To create a Custom Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM Custom Adapter button. The Preparing OVD for OAM - Create Custom Adapter dialog box appears.

    2. Enter a unique name for the Custom Adapter in the Adapter Name field.

    3. Enter a valid base DN in the Adapter Suffix/Namespace field.

    4. Click Next on the Preparing OVD for OAM - Create Custom Adapter dialog box. The Configure plug-in screen appears.

    5. Enter a name for the Plug-in into the Name field.

    6. Enter the Plug-in class name in the Class field, or click Browse, then select the plug-in from the Plug-In Selection box, and then click OK.

    7. Add parameters and values to the Plug-in by clicking the Create button in the Parameters table, selecting a parameter from the Name list, and entering a value for the parameter in the Value field.

    8. Click Next on the Configure plug-in screen.

    9. Review the summary of settings and click Finish to create the Custom Adapter for OAM. The new Custom Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

  7. Configure the adapter for the data repository that Oracle Access Manager uses by selecting Adapter from the Oracle Directory Services Manager task selection bar and then clicking the name of the adapter to configure in the Adapter tree.

    See Also:

    The following sections for more information on configuring each type of adapter:

19.1.1 Modifying Oracle Access Manager Adapter Settings

To modify settings for an Oracle Access Manager integration adapter:

  1. Click the name of the adapter you want to modify on the Setup for Oracle Access Manager page. The adapter's settings appear at the bottom of the page.

  2. Modify the appropriate adapter settings. Refer to Chapter 12, "Creating and Configuring Oracle Virtual Directory Adapters" for more information on adapter settings.

  3. Click Apply at the bottom of the adapter settings screen to apply the changes.

19.2 Integrating with Oracle's Enterprise User Security

Integrating Oracle Virtual Directory and Enterprise User Security enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in an external LDAP repository without any additional synchronization.

This topic describes how to integrate Oracle Virtual Directory with Oracle's Enterprise User Security and contains the following sections:

Note:

For upgrade environments, note that the procedure for integrating Enterprise User Security in Oracle Virtual Directory changed in the 11.1.1.6.0 release.

If you already had EUS configured in your deployment prior to upgrading to 11.1.1.6.0, then you must continue to use the old procedure for EUS configuration. To review this procedure, refer to "Integrating with Oracle's Enterprise User Security" in the previously released version of the Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

After upgrading to 11.1.1.6.0, you must use the integration steps described in this section for all new configurations.

19.2.1 Preparing Oracle Virtual Directory for the Enterprise User Security Integration

Regardless of which external directory you are storing your user identities in, you must perform the steps in this section first. After you complete the steps in this section, proceed with the integration by referring to Integrating Oracle Virtual Directory with External Directories.

Perform the following steps to prepare Oracle Virtual Directory for integration with Enterprise User Security:

  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory. All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a back-up copy of the eus directory enables you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

  2. If one does not already exist, create an LDAP listener that is secured with SSL No Authentication Mode by referring to Chapter 11, "Creating and Managing Oracle Virtual Directory Listeners."

Important:

The steps for integrating Oracle Virtual Directory with Enterprise User Security from this point forward differ depending on which external directory you are storing your user identities in.

Continue the integration with Enterprise User Security by referring to Integrating Oracle Virtual Directory with External Directories.

19.2.2 Configuring Adapters for Enterprise User Security (EUS)

To configure LDAP and Local Store adapters for EUS, follow these steps:

  1. Log in to Oracle Directory Services Manager.

  2. Select the Adapter tab.

  3. Click the Configure adapters for Enterprise User Security (EUS) icon.

    A wizard displays, showing the default dc=eusovd,dc=com Realm DN.

    Note:

    You can change this default realm DN if required; however, it is advisable to use the defaults. When you choose dc=eusovd,dc=com, RDBMS tools such as NetCA, DBCA, ESM, and EM will see dc=eusovd,dc=com as the realm DN.
  4. Click Next to go to the User and Group Location page.

  5. Specify the location of the user and group entries by selecting one of the following options:

    • Same Parent (default): Use entries that are under the same parent container in the back-end directory.

      For example, if Users and Groups in the back-end directory are under ou=People,dc=example,dc=com and ou=Groups,dc=example,dc=com, you can use the common parent container dc=example,dc=com in the back-end directory in the configuration.

    • Different Parent: Use entries from different parent containers in the back-end directory.

      When you select this option, Oracle Virtual Directory creates two LDAP adapters (one for user and another one for group). By default, the Mapped Namespace for user is cn=Users,dc=eusovd,dc=com and Mapped Namespace for group is cn=Groups,dc=eusovd,dc=com. You can change these values if necessary.

    • Different Directory: Use entries from different back-end directories.

      When you select this option, Oracle Virtual Directory creates multiple LDAP adapters based on your input. When the pop-up displays, indicate whether the LDAP adapter contains user entries or group entries by clicking the appropriate Contains Entry For button, and then click OK to create the new LDAP adapters.

  6. Click Next to go to the LDAP Adapter page and provide the following information for the adapter.

    Note:

    The availability of these parameters depends on your User and Group Location selection. For more information about these parameters, see "Creating LDAP Adapters".
    Adapter Name (Required)
      Enter a unique name for the new adapter. Other configuration fields use this name to reference this adapter.

    Adapter Template (Required)
      Select an EUS template from the menu. For example, select EUS ActiveDirectory to integrate Oracle Virtual Directory with EUS for user identities stored in Active Directory.

    LDAP Servers table
      Select an existing host from the table or click Add Host to add a new host.

      For a new host, you must provide the host IP address, port number, and Weight value. If you want a read-only server, enable the Is Read Only box.

    Proxy DN
      Enter the proxy DN. The adapter uses this DN to bind to the directory.

    Proxy Password
      Enter the password for the proxy DN.

    Use SSL/TLS
      This option is enabled by default.

    SSL Authentication Mode
      Use the menu to specify Server Only Authentication/Mutual Authentication or No Authentication.

    Enable User Account Lockout
      Check this option to enable the User Account Lockout feature.

      Note: If you are using Oracle Directory Server Enterprise Edition as a back-end LDAP server, you must enter an additional Password Maximum Failure parameter.

      Query the Oracle Directory Server Enterprise Edition to determine its passwordMaxFailure value and enter it here. For example:

      ORACLE_HOME/bin/ldapsearch -h Sun_Java_System_Directory_Server_Name \
      -D bindDN -q -s base -b "cn=password policy,cn=config" objectclass="*" passwordmaxfailure

    Contains Entry for (Different Directory option only)
      Specify whether the directory contains user entries or group entries.

    Mapped Namespace (Required)
      • If you select Under Same Parent, you must provide the local mapped DN. For example, cn=UsersGroups,dc=eusovd,dc=com.
      • If you select Under Different Parent, you must provide two mapped namespaces, one for User and one for Group.

    Remote Base (Required)
      • If you select Under Same Parent, you must provide the remote base entry (DN) at which all operations begin.
      • If you select Under Different Parent, you must provide two remote bases, one for User and one for Group.


  7. Click Next to go to the Summary page.

  8. Verify the information presented on this page and if no additional changes are necessary, click Finish.

    Oracle Virtual Directory performs the following actions:

    • Adds the subschemasubentry and Dynamic Groups plug-ins as global plug-ins

    • Creates three Local Store adapters with the suffixes cn=OracleContext, cn=OracleSchemaVersion, and the realm DN.

    • Creates one or more LDAP adapters based on the location of the user and group entries chosen.

    • Uploads all required entries to Oracle Virtual Directory

    • Adds all required ACLs in Oracle Virtual Directory

      Refer to "Configuring Access Control Lists for the Enterprise User Security Integration" for more information about each ACL.

  9. Query the Oracle Virtual Directory server to verify that all of the following entries were uploaded:

    Note:

    In this example, note that "5566" is the LDAP Listener port. You can change this port number if required.
    $ ldapsearch -p 5566 -h ovd_host_name -D cn=orcladmin -q -s base \
      -b "cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com" "(objectclass=*)" \
      dn orclCommonUserSearchBase orclCommonGroupSearchBase
    cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
    orclCommonGroupSearchBase=cn=UsersGroups,dc=eusovd,dc=com
    orclCommonUserSearchBase=cn=UsersGroups,dc=eusovd,dc=com
    

    Note:

    This example assumes that the realm DN is dc=eusovd,dc=com and that the Same Parent option is used for the location of the user and group entries.

    If you used a custom realm DN, then you must change the search base accordingly. In addition, if you used other options for the user and group entries location, then the orclCommonUserSearchBase and orclCommonGroupSearchBase values also might be different.

19.2.3 Integrating Oracle Virtual Directory with External Directories

This section contains instructions for integrating Oracle Virtual Directory with Enterprise User Security for use with specific external directories. Perform the steps in the section that is specific to the external directory in which you store your user identities. This section contains the following sections:

19.2.3.1 User Identities in Microsoft Active Directory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Active Directory:

19.2.3.1.1 Configuring Active Directory for the Integration

Perform the following steps to configure Active Directory for the integration:

Note:

If you are using Kerberos authentication in the integration, do not perform steps 3 and 4 in the following procedure.
  1. Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be canceled. The back-up image enables you to restore all your changes if required.

  2. Load the Enterprise User Security required schema, extendAD, into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. The extendAD file is located in the $ORACLE_HOME/ovd/eus/ directory. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password
    -AD Active_Directory_Domain_DN -commonattr
    

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com
  3. Install the Oracle Internet Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

    1. Copy the $ORACLE_HOME/ovd/eus/oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.

    2. Use regedt32 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry key, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    4. Restart the Active Directory system after making these changes.

  4. Verify the Oracle Internet Directory Password Change Notification plug-in by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user whose password you changed. Verify that the orclCommonAttribute attribute contains the generated password hash value.

      The presence of this value confirms that the orclCommonAttribute attribute definition was added to the Active Directory schema and that the plug-in is populating it.

    3. Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.

  5. If you are using Kerberos authentication on Windows 2000 or Windows 2003 with Oracle Database Advanced Security, you must configure it now by referring to the Oracle Database Advanced Security Administrator's Guide.

    After you configure the Kerberos authentication, make sure you can log in to the database using your Active Directory user credential before proceeding to the next steps.
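The registry edit in step 3 and the verification in step 4 (and the identical steps 6 and 7 in Section 19.2.3.2) can be scripted from an elevated PowerShell prompt on the domain controller. The following is an added example, not code from the Oracle guide; it assumes PowerShell 2.0 or later is available on the domain controller, and the account name jdoe is a placeholder.

```powershell
# Added example, not from the Oracle guide: automate and verify the two manual
# Active Directory steps above (registering oidpwdcn in the LSA Notification
# Packages list, and checking that a user's orclCommonAttribute was populated).
# Assumes PowerShell 2.0 or later on a domain controller, run from an elevated
# prompt. The sample account name at the bottom is a placeholder.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DllPath = Join-Path $env:SystemRoot 'system32\oidpwdcn.dll'
$Package = 'oidpwdcn'   # listed without the .dll extension, as in the guide

function Register-OidPwdCn {
    # Appends oidpwdcn to Notification Packages only once, preserving the
    # existing entries (RASSFM, KDCSVC, ...) and their order.
    if (-not (Test-Path $DllPath)) {
        throw "oidpwdcn.dll not found at $DllPath; copy it from ORACLE_HOME\ovd\eus first."
    }
    $current = @((Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages')
    if ($current -contains $Package) {
        Write-Host "$Package is already registered:`n  $($current -join "`n  ")"
        return $false
    }
    $updated = $current + $Package
    Set-ItemProperty -Path $LsaKey -Name 'Notification Packages' -Value $updated -Type MultiString
    # Read the value back so a failed write is noticed before the restart.
    $verify = @((Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages')
    if ($verify[-1] -ne $Package) { throw 'Notification Packages was not updated.' }
    Write-Host "Appended $Package; restart the domain controller so LSA loads it."
    return $true
}

function Test-OidPwdCnVerifier {
    # After a password change, confirms that orclCommonAttribute is populated
    # for the user; the hash itself is never displayed.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # Escape LDAP filter metacharacters (RFC 4515) in the account name.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add('orclCommonAttribute')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user with sAMAccountName $SamAccountName." }
    $present = $result.Properties.Contains('orclcommonattribute') -and
               $result.Properties['orclcommonattribute'].Count -gt 0
    if ($present) {
        Write-Host "orclCommonAttribute is populated for $SamAccountName; the plug-in is working."
    } else {
        Write-Host "orclCommonAttribute is empty for $SamAccountName; check the DLL, the registry entry, and that the domain controller was restarted."
    }
    return $present
}

Register-OidPwdCn
# Run the check only after changing the user's password (step 4.1 above).
Test-OidPwdCnVerifier -SamAccountName 'jdoe'   # placeholder account
```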

19.2.3.1.2 Configuring Oracle Virtual Directory for the Integration

To configure Oracle Virtual Directory for integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create Local Store and LDAP adapters using the steps described in Section 19.2.2, "Configuring Adapters for Enterprise User Security (EUS)".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the EUS_ActiveDirectory template.

    • Ensure the Use SSL/TLS option is enabled.

    • Set SSL Authentication Mode to Server Only Authentication / Mutual Authentication.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and for use with Microsoft Active Directory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.3.2 User Identities in Microsoft Active Directory and Metadata in Oracle Internet Directory

Perform the following steps to integrate Oracle Virtual Directory with Enterprise User Security when user identities are stored in Active Directory and to store metadata in Oracle Internet Directory:


  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory. All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a back-up copy of the eus directory enables you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

  2. If one does not already exist, create an LDAP listener that is secured with SSL by referring to Chapter 11, "Creating and Managing Oracle Virtual Directory Listeners."

  3. Create and add the Dynamic Groups plug-ins as global server plug-ins. Refer to "Managing Global Server Plug-ins" for steps on creating server plug-ins.

  4. Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be canceled. The back-up image enables you to restore all your changes if required.

  5. Load the Enterprise User Security required schema into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password
    -AD Active_Directory_Domain_DN -commonattr
    

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com
  6. Install the Oracle Internet Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

    1. Locate the oidpwdcn.dll file and copy it to the Active Directory WINDOWS\system32 directory.

    2. Use regedt32 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry key, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    4. Restart the Active Directory system after making these changes.

  7. Verify the Oracle Internet Directory Password Change Notification plug-in by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user whose password you changed. Verify that the orclCommonAttribute attribute contains the generated password hash value.

      The presence of this value confirms that the orclCommonAttribute attribute definition was added to the Active Directory schema and that the plug-in is populating it.

    3. Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.

  8. If you are using Kerberos authentication on Windows 2000 or Windows 2003 with Oracle Database Advanced Security, you must configure it now by referring to the Oracle Database Advanced Security Administrator's Guide.

    After you configure the Kerberos authentication, make sure you can log in to the database using your Active Directory user credential before proceeding to the next steps.

  9. Extend the Oracle Internet Directory LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h OID_Host_Name -p OID_Port -D bindDN \
    -q -v -f OIDSchema.ldif
    
  10. Create four new LDAP Adapters using the following settings and by entering the Oracle Internet Directory host information. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    For the first three new LDAP Adapters:

    • Use the Oracle_Internet_Directory adapter template.

    • The Adapter Remote Base and Mapped Namespace for the first adapter must be cn=OracleContext.

    • The Adapter Remote Base and Mapped Namespace for the second adapter must be cn=OracleSchemaVersion.

    • The Adapter Remote Base and Mapped Namespace for the third adapter must be cn=subschemasubentry.

    For the fourth new LDAP Adapter:

    • Use the EUS_OID adapter template.

    • The Adapter Remote Base and Mapped Namespace for the fourth adapter must be cn=oraclecontext,your_OID_realm.

  11. Create a new Local Store Adapter using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template.

    • The Adapter Suffix must be dc=com, unless your Oracle Internet Directory realm is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.

  12. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Active Directory and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory.

    Note:

    The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.
  13. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f realmRoot.ldif
    
  14. Create a new LDAP Adapter for the user search base in Active Directory using the following settings and by entering the Active Directory host information, including the Remote Base. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the EUS_ActiveDirectory template for the adapter.

    • For Remote Base, enter the container in Active Directory, for example: cn=users,dc=adrealm,dc=com

  15. Check if the EUSActiveDirectory.py mapping is already deployed. If it is, go to step 16 now.

    If the EUSActiveDirectory.py mapping is not deployed, you must create a mapping for the Active Directory user search base adapter by clicking the Create Mapping button, then select EUSActiveDirectory.py, then enter a unique mapping name, then click the OK button, and then click the Apply button.

  16. Add the Mapped Namespace to the orclcommonusersearchbase under cn=Common,cn=Products,cn=oraclecontext,<OID realm>. You can use an LDIF file such as:

    dn: cn=Common,cn=Products,cn=oraclecontext,dc=oracle,dc=com
    changetype: modify
    add: orclcommonusersearchbase
    orclcommonusersearchbase: cn=users,dc=adrealm,dc=com
    
  17. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    Target DN: cn=subschemasubentry
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: cn=subschemasubentry
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: cn=OracleContext
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: cn=OracleContext
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: cn=OracleSchemaVersion
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: cn=OracleSchemaVersion
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: authpassword
    Deny: All operations
    Access: Public

    Note:

    The following ACL must be the last ACL in the ACL list for dc=com.

    Target DN: dc=com
    Scope: subtree
    Applies To: authpassword
    Grant: Search and Read
    Access: Group with DN cn=EUSDBGroup,<Your Mapped OID domain>

  18. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

    Target DN: cn=OracleContext,<YOUR DOMAIN>
    Scope: subtree
    Applies To: Entry
    Grant: All
    Access: Group with DN cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>

    Target DN: cn=OracleContext,<YOUR DOMAIN>
    Scope: subtree
    Applies To: All Attributes
    Grant: All
    Access: Group with DN cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


  19. Set the ACLs in the Oracle Internet Directory to protect the data under cn=OracleContext,<YOUR DOMAIN>.

19.2.3.3 User Identities in Oracle Directory Server Enterprise Edition

No manual configuration of Oracle Directory Server Enterprise Edition is required for this integration.

19.2.3.3.1 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create new Local Store and LDAP adapters using the steps described in Section 19.2.2, "Configuring Adapters for Enterprise User Security (EUS)".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the EUS_Sun template.

    • The Proxy DN user must be able to read the userPassword attribute in the Oracle Directory Server Enterprise Edition.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Oracle Directory Server Enterprise Edition are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.3.4 User Identities in Novell eDirectory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Novell eDirectory:

19.2.3.4.1 Configuring Novell eDirectory for the Integration

To configure Novell eDirectory for the integration, enable Universal Password in eDirectory and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.

19.2.3.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Download the NMAS toolkit from the Novell Developer Community Web site.

  3. Upload this library to Oracle Virtual Directory by using Oracle Directory Services Manager. Refer to "Loading Libraries into the Oracle Virtual Directory Server" for more information.

    Restart the Oracle Virtual Directory server.

  4. Start Oracle Directory Services Manager and connect to the Oracle Virtual Directory server.

  5. Create new Local Store and LDAP adapters using the steps described in "Configuring Adapters for Enterprise User Security (EUS)".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the EUS_eDirectory template.

    • Enable the Use SSL/TLS option and set the SSL Authentication Mode to Server Only Authentication / Mutual Authentication.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Novell eDirectory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.3.5 User Identities in Oracle Internet Directory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Oracle Internet Directory:

19.2.3.5.1 Configuring Oracle Internet Directory for the Integration

No manual configuration of Oracle Internet Directory is required for this integration.

19.2.3.5.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create new Local Store and LDAP adapters using the steps described in "Configuring Adapters for Enterprise User Security (EUS)".

    Be sure to use the following settings for the LDAP Adapter:

    • Select the EUS_OID template.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security for use with Oracle Internet Directory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.4 Configuring Access Control Lists for the Enterprise User Security Integration

This section describes the Access Control Lists (ACLs) that must be configured in Oracle Virtual Directory for the Enterprise User Security integration, regardless of the external repository in which user identities are stored.

Note:

These ACLs are automatically configured in Oracle Virtual Directory when you run the EUS configuration wizard as described in Section 19.2.2, "Configuring Adapters for Enterprise User Security (EUS)".

However, if you customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations. Perform the following steps to manually configure Oracle Virtual Directory ACLs for the Enterprise User Security integration:

  1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for more information about creating ACLs:

    Target DN cn=OracleContext
    Scope subtree
    Applies To Entry
    Grant Browse DN and Return DN
    Access Public

    Target DN cn=OracleContext
    Scope subtree
    Applies To All Attributes
    Grant Search and Read
    Access Public

    Target DN cn=OracleSchemaVersion
    Scope subtree
    Applies To Entry
    Grant Browse DN and Return DN
    Access Public

    Target DN cn=OracleSchemaVersion
    Scope subtree
    Applies To All Attributes
    Grant Search and Read
    Access Public

    Target DN dc=com
    Scope subtree
    Applies To Entry
    Grant Browse DN and Return DN
    Access Public

    Target DN dc=com
    Scope subtree
    Applies To All Attributes
    Grant Search and Read
    Access Public

    Target DN dc=com
    Scope subtree
    Applies To authpassword
    Deny All operations
    Access Public

    Note:

    The following ACL must be the last ACL in the ACL list for dc=com. The preceding Deny rule hides authpassword from every requester; this rule re-enables Search and Read on it only for the database group.

    Target DN dc=com
    Scope subtree
    Applies To authpassword
    Grant Search and Read
    Access Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

    Note:

    Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.


  2. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

    Target DN cn=OracleContext,<YOUR DOMAIN>
    Scope subtree
    Applies To Entry
    Grant All
    Access Group with DN of:

    cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


    Target DN cn=OracleContext,<YOUR DOMAIN>
    Scope subtree
    Applies To All Attributes
    Grant All
    Access Group with DN of:

    cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


  3. Give write permission to the cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN> group.

19.2.5 Configuring Oracle Virtual Directory to Support Multiple Enterprise User Security Domains

Perform the following steps to configure Oracle Virtual Directory to allow Enterprise User Security users contained in multiple domains to authenticate to a database:

  1. Click the Configure adapters for Enterprise User Security (EUS) icon and specify the Different Directory option on the Location for User and Group page in the configuration wizard.

    Refer to "Configuring Adapters for Enterprise User Security (EUS)" for more information.

  2. Repeat the preceding steps to support additional domains.

Note:

To log in to the database as an enterprise user from any of these additional domains, you must create the User-Schema Mappings for the additional user containers from Enterprise Security Manager or Enterprise Manager.

Refer to Oracle® Database Enterprise User Security Administrator's Guide for instructions.

19.2.6 Enabling User Account Lockout

LDAP servers can lock a user account after several bind attempts fail. The Oracle Virtual Directory-Enterprise User Security integration can use this lockout feature and enforce the back-end LDAP server's password lockout policy as follows:

  • An incorrect login to the Oracle Database records a login failure to the back-end LDAP server

  • A correct login to the Oracle Database resets the login failure count in the back-end LDAP server

    Note:

    This functionality is not available for integrations that use Active Directory.

  • A locked user account cannot be used to log in to the Oracle Database

After performing the Oracle Virtual Directory-Enterprise User Security integration, you can enable user account lockout by selecting the Enable User Account Lockout option as you perform the Enterprise User Security configuration steps described in "Configuring Adapters for Enterprise User Security (EUS)".

19.2.7 Integration Limitations

The following is a list of Oracle Virtual Directory-Enterprise User Security integration known limitations:

  • The following functionality is not supported in the integration:

    • DN mapping between Microsoft Active Directory and Oracle Virtual Directory if the Active Directory domain containing the domain DN is mapped to Oracle Virtual Directory. For example, if the Active Directory DN is dc=us,dc=oracle,dc=com and you try to map it to dc=oracle,dc=com in Oracle Virtual Directory, this type of DN mapping is not supported.

    • Administrative Groups except for OracleContextAdmins

    • Enterprise Security Manager console to Oracle Internet Directory Delegated Administration Services

    • Password Policy

    • Client certificate authentication

    • Kerberos authentication when integrating for use with Oracle Directory Server Enterprise Edition and Oracle Internet Directory

    • User Migration Utility (UMU)

    • Multiple Domain environments

    • JDBC Thin Driver—you must use the OCI driver

    • Combined Microsoft Active Directory and Oracle Directory Server Enterprise Edition environments

  • Resetting the account lockout counter after a correct login is not available for Oracle Virtual Directory-Enterprise User Security integrations with Active Directory. Alternatively, Active Directory can reset the account lockout counter after a specified period has elapsed. You can use this option to prevent the lockout counter from accumulating indefinitely.

  • In the Enterprise Security Manager interface:

    • Listed databases may sometimes include an Active Directory tombstone entry.

    • Database and Oracle Internet Directory version information is not available.

19.3 Integrating with Oracle's Net Services

This topic describes how to integrate Oracle Virtual Directory with Oracle Database Net Services to centralize name services with Oracle Internet Directory, Microsoft Active Directory, and Oracle Directory Server Enterprise Edition. This topic contains the following sections:

19.3.1 Overview

Oracle Virtual Directory can be integrated with Oracle's Net Services database product. Integrating Oracle Virtual Directory and Net Services enhances and simplifies your name service capabilities by allowing you to leverage service entries stored in an external LDAP repository without any additional synchronization.

19.3.2 Starting the Integration

This section lists the common steps required for all Oracle Virtual Directory-Net Services integrations. Perform these steps first, then proceed to the section specific to your back-end directory: Oracle Internet Directory, Microsoft Active Directory, or Oracle Directory Server Enterprise Edition. Perform only the steps appropriate for your environment.

Perform the following steps to start the Oracle Virtual Directory-Net Services integration process:

  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory.

  2. Create the subschemasubentry plug-in as global server plug-in. Refer to "Managing Global Server Plug-ins" for steps on creating server plug-ins.

19.3.3 Integrating for Use with Microsoft Active Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Microsoft Active Directory. Perform these only after you have completed the steps in the "Starting the Integration" section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Microsoft Active Directory includes the following tasks:

19.3.3.1 Configuring Active Directory for the Integration

Perform the following steps to configure Active Directory for the integration:

  1. Make a back-up copy of your Active Directory image. The schema extensions made to Active Directory are permanent and cannot be reversed; the back-up image enables you to roll back the changes if required.

  2. Load the Net Services required schema into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
    -AD Active_Directory_Domain_DN
    

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com

19.3.3.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif
    
  4. Create an LDAP Adapter for Net Services using the following settings and by entering the Active Directory host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the ONames_ActiveDirectory adapter template.

    • Select the BindOnly Pass Through Credential option.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN cn=OracleContext
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleContext
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

    2. Set the ACLs in Oracle Virtual Directory to support the OracleNetAdmins administrative group as follows:

      Target DN cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>
      Scope subtree
      Applies To Entry
      Grant All
      Access Group with DN of:

      cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>


      Target DN cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>
      Scope subtree
      Applies To All Attributes
      Grant All
      Access Group with DN of:

      cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>


  6. Create an LDAP Adapter for the OracleNetAdmins administrative group using the following settings and by entering the Active Directory host information, including port number, proxy DN, and password. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the Active_Directory adapter template.

    • Enter cn=OracleNetAdmins,cn=users,<YOUR Active_Directory_Domain_DN> as the Remote Base.

    • Enter cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED DOMAIN DN in Oracle Virtual Directory> as the Mapped Namespace.

  7. Configure a mapping and plug-in for the OracleNetAdmins administrative group adapter by performing the following steps:

    1. Click the Advanced tab, then click Active_Directory_to_inetOrg, and then click the Apply button to deploy the mapping.

    2. Click the Adapter tab, then click the adapter for the OracleNetAdmins administrative group, then click the Plug-ins tab, then click the Create Mapping button, then select Active_Directory_to_inetOrg.py, then enter a unique mapping name, and then click OK.

    3. Click the Create Plug-in button, then click the Select button, then select the EUSMemberDNMapping plug-in, then click OK, then enter a unique plug-in name, then create the localDomainDN and remoteDomainDN parameters, and then click OK. Note that the localDomainDN and remoteDomainDN may be different if you have DN mapping configured.

    4. Click the Apply button.

    Note:

    You may not see the group membership changes immediately after your changes in Active Directory. This is because of Active Directory's group membership refresh interval configuration.

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Microsoft Active Directory are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.3.4 Integrating for Use with Oracle Directory Server Enterprise Edition

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition. Perform these only after you have completed the steps in the "Starting the Integration" section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition includes the following tasks:

19.3.4.1 Configuring Oracle Directory Server Enterprise Edition for the Integration

Perform the following steps to configure Oracle Directory Server Enterprise Edition for the integration:

  1. Extend the iPlanet LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
    -D cn="directory manager" -q -v -a -f ./iPlanetSchema.ldif
    
  2. Create a realm in iPlanet by performing the following steps:

    1. Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create a realm in iPlanet using the realmiPlanet.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./realmiPlanet.ldif
      
  3. Configure the user and group containers by either creating new user and group containers, or by using existing user and group containers.

    Creating New User and Group Containers

    1. Open the iPlanetContainers.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create user and group containers in iPlanet using the iPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./iPlanetContainers.ldif
      

    Using Existing User and Group Containers

    1. Open the useiPlanetContainers.ldif file.

    2. Replace all instances of the cn=users,dc=us,dc=oracle,dc=com string with the name of your user container.

    3. Replace all instances of the cn=groups,dc=us,dc=oracle,dc=com string with the name of your group container.

      Note:

      Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

    4. Run the following command to create a realm in iPlanet using the useiPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./useiPlanetContainers.ldif
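
The substitutions in steps 1 to 3, together with the check the note above calls for, as an added example in Python (not Oracle's code and not any file it ships): the sample LDIF and its attribute names are constructed, and the script assumes DNs contain no escaped commas.

```python
"""Added example, not Oracle's code or part of the LDIF files it ships:
rewrite the placeholder DNs in the Net Services LDIF files and enforce the
rule that user and group containers must sit under the realm domain.
Assumes DNs contain no escaped commas."""

PLACEHOLDER_DOMAIN = "dc=us,dc=oracle,dc=com"
PLACEHOLDER_USERS = "cn=users," + PLACEHOLDER_DOMAIN
PLACEHOLDER_GROUPS = "cn=groups," + PLACEHOLDER_DOMAIN


def normalize_dn(dn):
    """Split a DN into lower-cased RDNs with surrounding spaces removed, so
    'OU=People, DC=SuperDemo, DC=Net' compares equal to
    'ou=people,dc=superdemo,dc=net'."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under_domain(container_dn, domain_dn):
    """True when container_dn is a proper descendant of domain_dn, i.e. its
    trailing RDNs are exactly the RDNs of the domain."""
    container, domain = normalize_dn(container_dn), normalize_dn(domain_dn)
    return len(container) > len(domain) and container[-len(domain):] == domain


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space continues
    the previous line, RFC 2849) so that a DN folded across lines is seen
    whole by the string replacements below."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return "\n".join(lines) + "\n"


def rewrite_domain(ldif_text, domain_dn):
    """realmiPlanet.ldif / iPlanetContainers.ldif: replace every
    dc=us,dc=oracle,dc=com with your own domain DN."""
    return unfold_ldif(ldif_text).replace(PLACEHOLDER_DOMAIN, domain_dn)


def rewrite_containers(ldif_text, domain_dn, user_container, group_container):
    """useiPlanetContainers.ldif: replace the cn=users,... and cn=groups,...
    placeholders with existing containers, refusing any container outside
    domain_dn (the guide's ou=people,dc=ultrademo,dc=org case).  Rewriting
    the bare domain placeholder left in entry DNs is this example's own
    assumption; the guide's step names only the two container strings."""
    for label, dn in (("user", user_container), ("group", group_container)):
        if not is_under_domain(dn, domain_dn):
            raise ValueError(f"{label} container {dn!r} is not under {domain_dn!r}")
    text = unfold_ldif(ldif_text)
    # Longer, more specific placeholders first: rewriting the bare domain
    # first would leave 'cn=users,<new domain>' behind and the container
    # replacements would no longer match.
    text = text.replace(PLACEHOLDER_USERS, user_container)
    text = text.replace(PLACEHOLDER_GROUPS, group_container)
    return text.replace(PLACEHOLDER_DOMAIN, domain_dn)


# Constructed sample standing in for useiPlanetContainers.ldif; the attribute
# names are placeholders, not the real file's contents.  The group DN is
# folded across two lines on purpose to exercise unfold_ldif().
SAMPLE_USE_CONTAINERS_LDIF = """\
dn: cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: modify
replace: userSearchBase
userSearchBase: cn=users,dc=us,dc=oracle,dc=com
-
replace: groupSearchBase
groupSearchBase: cn=groups,
 dc=us,dc=oracle,dc=com
"""

if __name__ == "__main__":
    print(rewrite_containers(SAMPLE_USE_CONTAINERS_LDIF, "dc=superdemo,dc=net",
                             "ou=people,dc=superdemo,dc=net",
                             "ou=groups,dc=superdemo,dc=net"))
```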
      

19.3.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif
    
  4. Create an LDAP Adapter for Net Services using the following settings and by entering the Oracle Directory Server Enterprise Edition host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the ONames_Sun adapter template.

    • Select the BindOnly Pass Through Credential option.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN cn=OracleContext
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleContext
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

    2. Set the ACLs in Oracle Virtual Directory to support the OracleNetAdmins administrative group as follows:

      Target DN cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>
      Scope subtree
      Applies To Entry
      Grant All
      Access Group with DN of:

      cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>


      Target DN cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>
      Scope subtree
      Applies To All Attributes
      Grant All
      Access Group with DN of:

      cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>


    3. Set the ACLs in the external directory to protect the data under cn=OracleContext,<YOUR DOMAIN>.

      You must create an access control instruction (ACI) in Oracle Directory Server Enterprise Edition, so that only the OracleContextAdmins group can access and manage the domain-specific OracleContext sub-tree.

      The following LDIF entry provides read and write access to the OracleContext realm. You must replace <YOUR DOMAIN> with your specific domain DN.

      dn: cn=OracleContext,<YOUR DOMAIN>
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=OracleContext,<YOUR DOMAIN>")(targetattr = "*")
       (version 3.0; acl "Allow OracleContextAdmins Group read and write access to all attributes"; allow (read, search, compare, add, write, delete)
       (groupdn = "ldap:///cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>");)
      

      Note:

      For more information about ACIs, refer to the Administration Guide of the directory server in which the ACI is set, in this case Oracle Directory Server Enterprise Edition.

      To verify that an ACI was loaded correctly, use an ldapsearch while explicitly requesting the ACI attribute. For example:

      ldapsearch -h <sun host> -p <port> -D "<admin DN, for example cn=directory manager>" \
      -w <password> -s base -b "cn=OracleContext,dc=mydomain,dc=com" "(objectclass=*)" \
      aci
      

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Oracle Directory Server Enterprise Edition are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.3.5 Integrating for Use with Oracle Internet Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Oracle Internet Directory. Perform these only after you have completed the steps in the "Starting the Integration" section.

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif
    
  4. Create an LDAP Adapter for Net Services using the ONames_OID adapter template and by entering the Oracle Internet Directory host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN cn=OracleContext
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleContext
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Oracle Internet Directory are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.