Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Integration with the Microsoft Windows Environment, 6 of 13


Configuring The Active Directory External Authentication Plug-in

If you are storing passwords in Microsoft Active Directory, then you must use the Active Directory external authentication plug-in to authenticate Microsoft Active Directory users from Oracle Internet Directory.

This section tells how to install and enable the Active Directory external authentication plug-in.

For the most part, these instructions are the same for setting up the plug-in in both single-domain and multiple-domain Microsoft Active Directory environments. There is, however, one difference: in a multiple-domain environment, the external authentication plug-in requires the Microsoft Active Directory Global Catalog Server, because a single domain controller can only authenticate users of its own domain.

This section contains these topics:

Installing Active Directory External Authentication Plug-ins
Enabling the Active Directory External Authentication Plug-ins

Installing Active Directory External Authentication Plug-ins

To install the plug-in:

  1. Execute $ORACLE_HOME/ldap/admin/oidspadi.sh.


    Note:

    To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:


    To execute oidspadi.sh, enter:

    cd $ORACLE_HOME/ldap/admin
    sh oidspadi.sh
    
    

    If you are using the Windows operating system, then install the UNIX emulation utility first and run oidspadi.sh through it by entering:

    sh oidspadi.sh
    
    
  2. Enter the Microsoft Active Directory host name. This is the Microsoft Active Directory server against which the plug-in will authenticate users. This value is required.

  3. Enter the Microsoft Active Directory port number. In a multiple-domain environment, enter the port of the Global Catalog Server, which is 3268 by default.

  4. Enter the Oracle Internet Directory server host name. This is the directory server in which the plug-in is installed. This value is required.

  5. Enter the Oracle Internet Directory server port number. The default port is 389.

  6. Enter the password of the Oracle administrator (orcladmin). This value is required.

  7. Enter the distinguished name of the container to which the plug-in needs to be applied. Every entry under this container is authenticated externally against Microsoft Active Directory. Note that this need not be the User Search Base supplied in the Oracle Internet Directory Self-Service Console. If more than one container is specified, then separate the DNs with semicolons (;).

  8. Enter an LDAP search filter that identifies entries to exclude from authentication against Microsoft Active Directory. This value is the exception to Step 7, and must be entered in standard LDAP search filter format. For example, if you specify the value (&(objectclass=inetorgperson)(cn=orcladmin)), then any entry under the container specified in Step 7 that has cn=orcladmin and objectclass=inetorgperson is not authenticated against Microsoft Active Directory. Excluding the Oracle Internet Directory administrator in this way is what keeps the directory administrable when Microsoft Active Directory is unreachable, because that account continues to authenticate locally.

  9. Enter the Plug-in Request Group DN. For security reasons, the plug-in can be invoked only by users belonging to this group. For example, suppose that the Oracle Application Server Single Sign-On administrators are in the group cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this DN as the value for the Plug-in Request Group DN, then only requests coming from members of the Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values. Use a semicolon (;) to separate them. This value is not required, but, for security purposes, it should be specified: if it is left empty, any client can cause the plug-in to forward authentication requests to Microsoft Active Directory.

  10. Enter whether to use an SSL connection to Active Directory. If you choose to use SSL, then you need to enter the following:

    1. The Active Directory SSL connection port number.

    2. The location of the Oracle wallet. This wallet must contain the trusted certificate for the Active Directory server you are connecting to, that is, the certificate of the authority that issued the domain controller's server certificate, so that the server certificate presented during the SSL handshake can be verified.

    3. The Oracle wallet password.

      When specifying the wallet location on the Microsoft Windows operating system, escape each backslash with a second backslash (\\). For example, if the wallet location is D:\storage\wallet, then enter D:\\storage\\wallet.

  11. Specify the backup Microsoft Active Directory domain controller details (optional).

Enabling the Active Directory External Authentication Plug-ins

To enable the Active Directory external authentication plug-ins, set orclpluginenable to 1 on both plug-in configuration entries: cn=adwhencompare, which handles LDAP compare operations on user passwords, and cn=adwhenbind, which handles LDAP bind operations. Use these two commands, replacing host, port, and password with the Oracle Internet Directory server host, port, and orcladmin password. Note that a password passed with -w is visible to other local users in the process list while ldapmodify runs.

ldapmodify -h host  -p port  -D cn=orcladmin -w password  <<EOF
dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapmodify -h host  -p port  -D cn=orcladmin -w password  <<EOF
dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
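
The following is an added example, not part of the Oracle guide. It shows two things a practitioner usually wants after this step: a single LDIF that enables both plug-in entries in one ldapmodify run (LDIF permits several change records in one file, separated by a blank line), and a check that parses LDIF returned by ldapsearch and reports any plug-in entry that is missing or not enabled. The attribute and entry names are those on this page; the ldapsearch invocation in the comment assumes that Oracle's ldapsearch prints LDIF when given -L, and the sample LDIF at the bottom is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not from the Oracle Internet Directory guide.
# Checks that cn=adwhencompare and cn=adwhenbind under
# cn=plugin,cn=subconfigsubentry have orclpluginenable set to 1, and
# builds one LDIF that enables both with a single ldapmodify -f call.

# Print LDIF change records that set orclpluginenable: 1 on both entries.
enable_ldif() {
  for cn in adwhencompare adwhenbind; do
    printf 'dn: cn=%s,cn=plugin,cn=subconfigsubentry\n' "$cn"
    printf 'changetype: modify\nreplace: orclpluginenable\norclpluginenable: 1\n\n'
  done
}

# Read LDIF entries on stdin and report each expected plug-in entry that is
# missing or whose orclpluginenable is not 1. Returns 0 only when both are
# enabled. Attribute names are compared case-insensitively because the
# server may return orclPluginEnable in mixed case.
check_enabled() {
  awk '
    tolower($1) == "dn:" {
      cn = $0
      sub(/^dn:[ \t]*cn=/, "", cn)   # strip "dn: cn="
      sub(/,.*/, "", cn)             # keep only the RDN value
      cn = tolower(cn)
      seen[cn] = 1; enabled[cn] = 0
    }
    tolower($1) == "orclpluginenable:" { enabled[cn] = ($2 == 1) }
    END {
      rc = 0
      n = split("adwhencompare adwhenbind", want, " ")
      for (i = 1; i <= n; i++) {
        if (!(want[i] in seen)) { print want[i] ": entry not found"; rc = 1 }
        else if (!enabled[want[i]]) { print want[i] ": disabled (orclpluginenable != 1)"; rc = 1 }
      }
      exit rc
    }'
}

# Against a live server (assumes -L selects LDIF output in Oracle ldapsearch):
#   ldapsearch -h host -p port -D cn=orcladmin -w password -L \
#     -b "cn=plugin,cn=subconfigsubentry" -s one "(cn=adwhen*)" orclpluginenable \
#     | check_enabled

# Constructed sample standing in for ldapsearch output; the bind plug-in is
# deliberately left disabled so the check has something to flag.
sample_ldif='dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
orclpluginenable: 1

dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
orclpluginenable: 0
'

if printf '%s' "$sample_ldif" | check_enabled; then
  echo "both plug-ins enabled"
else
  echo "enable both with: enable_ldif > enable.ldif;" \
       "ldapmodify -h host -p port -D cn=orcladmin -w password -f enable.ldif"
fi
```

Run the check after the ldapmodify commands above, and again after any directory restart or upgrade, since a plug-in that is installed but disabled silently falls back to whatever password, if any, is stored in Oracle Internet Directory for the user.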

See Also:

"Managing the Active Directory External Authentication Plug-in"


Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.