27
Oracle Internet Directory Plug-in Framework

This chapter describes how you can extend the capabilities of the Oracle directory server by using plug-ins developed by either Oracle Corporation or third-party vendors.

This chapter contains these topics:

• About Directory Server Plug-ins

• Operation-Based Plug-ins

• Registering Plug-ins

About Directory Server Plug-ins

Oracle Internet Directory supports a directory server plug-in a PL/SQL package. It can add the following kinds of functionality to the directory server, to mention just a few:

• Validate data before the directory server performs an operation on it

• Perform specified actions after the server performs an operation

• Define password policies

• Authenticate users through external credential stores

On startup, the directory server loads your plug-in configuration and library. Then, when it processes requests, it calls your plug-in functions whenever the specified event takes place.

Figure 27-1 Oracle Internet Directory Server Plug-in Framework

Text description of the illustration oidag063.gif

Operation-Based Plug-ins

This section describes the operation-based plug-ins that the Oracle Internet Directory plug-in framework supports. These plug-ins execute before, after, or in addition to normal directory server operations.

Table 27-1 Types of Operation-Based Plug-ins

Type of Plug-in	Description
Pre-operation	Plug-ins that the directory server calls before performing an LDAP operation. Typically, these plug-ins validate data before using it in an LDAP operation. If validation fails, then depending on the error or warning returned from the plug-in, the LDAP operation can decide to proceed or not. However, if the associated LDAP request fails later on, then Oracle Internet Directory does not roll back whatever the plug-in has already committed.
Post-operation	Plug-ins that the directory server calls after performing an LDAP operation. Typically, these plug-ins invoke a function, such as logging or notification, when the directory server performs a particular operation. If the plug-in fails, then the directory server does not roll back the associated LDAP operation. The plug-in executes regardless of whether the associated LDAP request fails.
When-operation	Plug-ins that the directory server calls in addition to standard processing. Typically, these plug-ins augment existing functionality, performing extra operations in the same transactions as the corresponding LDAP operations. If either the LDAP operation or the plug-in fails, then the directory server rolls back the changes.

Registering Plug-ins

To enable the directory server to call a plug-in at the right moment, you must register the plug-in with the directory server. Do this by creating an entry for the plug-in under cn=plugin,cn=subconfigsubentry.

The orclPluginConfig Object Class

A plug-in must have orclPluginConfig as one of its object classes. This is a structural object class, and its super class is top. Table 27-2 lists and describes its attributes.

Table 27-2 Attributes of the orclPluginConfig Object Class

Attribute	Attribute Value	Mandatory	Optional
Cn	Plug-in entry name	X
orclPluginName	Plug-in package name	X
orclPluginType	One of the following values: operational attribute password_policy syntax matchingrule See Also: Operation-Based Plug-ins	X
orclPluginKind	PL/SQL		X
orclPluginEnable	0 = disable (default) 1 = enable		X
orclPluginVersion	Supported plug-in version number		X
orclPluginShareLibLocation	File location of the dynamic linking library. If this value is not present, then the directory server assumes that the plug-in language is PL/SQL.		X
orclPluginLDAPOperation	One of the following values: ldapcompare ldapmodify ldapbind ldapadd ldapdelete ldapsearch		X
orclPluginTiming	One of the following values: pre when post		X
orclPluginIsReplaced	0 = disable (default) 1 = enable For WHEN timing plug-in only		X
orclPluginSubscriberDNList	A semicolon separated DN list that controls whether the plug-in takes effect. If the target DN of an LDAP operation is included in the list, then the plug-in takes effect.		X

Adding a Plug-in Entry Using Command-Line Tools

Plug-ins must be added to the Oracle Internet Directory server so that the server is aware of additional operations that must be performed at the correct time.

When the plug-in successfully compiles against the Oracle Internet Directory back end database, create a new entry and place it under cn=plugin,cn=subconfigsubentry.

In the following examples, an entry is created for an operation-based plug-in called my_plugin1. The LDIF file, my_ldif_file.ldif, is as follows:

Example 1

The following is an example LDIF file to create such an object:

cn=when_comp,cn=plugin,cn=subconfigsubentry
objectclass=orclPluginConfig
objectclass=top
orclPluginName=my_plugin1
orclPluginType=operational
orclPluginTiming=when
orclPluginLDAPOperation=ldapcompare
orclPluginEnable=1
orclPluginVersion=1.0.1
orclPluginIsReplace=1
cn=when_comp
orclPluginKind=PLSQL
orclPluginSubscriberDNList=dc=COM,c=us;dc=us,dc=oracle,dc=com;dc=org,dc=us;o=IMC
,c=US

Example 2

cn=post_mod_plugin, cn=plugin,cn=subconfigsubentry
objectclass=orclPluginConfig
objectclass=top
orclPluginName=my_plugin1
orclPluginType=operational
orclPluginTiming=post
orclPluginLDAPOperation=ldapmodify
orclPluginEnable=1
orclPluginVersion=1.0.1
cn=post_mod_plugin
orclPluginKind=PLSQL

Add this file to the directory with the following command:

ldapadd -p 389 -h myhost -D binddn -w password -f my_ldif_file.ldif

When you have added this entry to the directory, the directory server validates the plug-in by quickly executing it and checking for compilation or access privilege errors. It then gathers more information about this plug-in--such as attributes, timing, or the type of LDAP operation related to the plug-in.

Notes: The plug-in configuration entry, for example, cn=plugin,cn=subconfigsubentry metadata is not replicated in the replication environment to avoid creating inconsistent state.

See Also: Oracle Internet Directory Application Developer's Guide for more detail