Preface

Oracle Internet Directory Administrator's Guide describes the features, architecture, and administration of Oracle Internet Directory. For information about installation, see the installation documentation for your operating system.

This preface contains these topics:

• Audience

• Organization

• Related Documentation

• Conventions

• Documentation Accessibility

Audience

Oracle Internet Directory Administrator's Guide is intended for anyone who performs administration tasks for the Oracle Internet Directory. You should be familiar with either the UNIX operating system or the Microsoft Windows NT operating system in order to understand the line-mode commands and examples. You can perform all of the tasks through the line-mode commands, and you can perform most of the tasks through Oracle Directory Manager, which is operating system-independent.

To use this document, you need some familiarity with the Lightweight Directory Access Protocol (LDAP).

Organization

This document contains the chapters and appendixes listed in this section. Oracle Corporation encourages you to read the conceptual and other introductory material presented in Part I before performing installation and maintenance.

Depending on your administrative role, you may find some parts of this guide more pertinent to the tasks you perform.

• For information about routine administration:
  • Part I: Getting Started

  • Part II: Basic Directory Administration

• For information about directory planning and deployment in enterprises and hosted environments:
  • Part III Directory Security

  • Part IV Directory Deployment

  • Part V Directory Replication and High Availability

  • Part VI: Delegation and Self-Service Administration in Oracle Internet Directory

• For information about integration between Oracle Internet Directory and other directories, see Part VII: The Oracle Directory Integration and Provisioning Platform

• For information about extending Oracle Internet Directory functionality by using plug-ins, see Part VIII: Oracle Internet Directory Plug-ins

Part I: Getting Started

Part I provides an overview of the product and its features, a conceptual foundation necessary to configure and manage a directory.

Chapter 1, "Introduction to LDAP and Oracle Internet Directory"

This chapter provides an introduction to directories, LDAP, and Oracle Internet Directory features.

Chapter 2, "Directory Concepts and Architecture"

This chapter gives an overview of online directories and Lightweight Directory Access Protocol (LDAP). Provides conceptual descriptions of directory entries, attributes, object classes, naming contexts, schemas, distributed directories, security, and Globalization Support. It also discusses Oracle Internet Directory architecture.

Chapter 3, "Preliminary Tasks and Information"

This chapter discusses how to prepare your directory for configuration and use. It tells you how to start and stop OID Monitor and instances of Oracle directory server and Oracle directory replication server. It discusses the need to reset the default security configuration, how to upgrade from earlier releases of Oracle Internet Directory, and how to migrate data from other LDAP-compliant directories.

Chapter 4, "Directory Administration Tools"

This chapter explains how to use the various administration tools: Oracle Directory Manager, command-line tools, bulk tools, Catalog Management tool, OID Database Password Utility, replication tools, and Database Statistics Collection tool.

Part II: Basic Directory Administration

Part II guides you through the tasks required to configure and maintain Oracle Internet Directory.

Chapter 5, "Oracle Directory Server Administration"

This chapter provides instructions for managing server configuration set entries; setting system operational attributes; managing naming contexts and password encryption; configuring searches; managing super, guest, and proxy users; setting debug logging levels; using audit log; viewing active server instance information; and changing the password to an Oracle database server.

Chapter 6, "Directory Schema Administration"

This chapter explains what a directory schema is, what an object class is, and what an attribute is. It tells you how to manage the Oracle Internet Directory schema by using Oracle Directory Manager and the command-line tools.

Chapter 7, "Directory Entries Administration"

This chapter explains how to search, view, add, modify and manage entries by using Oracle Directory Manager and the command-line tools.

Chapter 8, "Attribute Uniqueness in the Directory"

This chapter explains the attribute uniqueness feature that enables applications synchronizing with Oracle Internet Directory to use attributes other than distinguished names as their unique keys.

Chapter 9, "Dynamic and Static Groups in Oracle Internet Directory"

This chapter describes both static and dynamic groups and explains how to administer them in Oracle Internet Directory.

Chapter 10, "Logging, Auditing, and Monitoring the Directory"

This chapter describes the comprehensive framework provided by Oracle Internet Directory for enabling you to debug, audit, and monitor the directory.s

Part III Directory Security

Part III tells how to secure data within the directory itself and within an enterprise deployment of a directory.

Chapter 11, "Backup and Restoration of a Directory"

This appendix tells how to backup and restore both small and large directories.

Chapter 12, "Directory Security Concepts"

This chapter describes the security features available with Oracle Internet Directory, and explains how to deploy the directory for administrative delegation.

Chapter 13, "Secure Sockets Layer (SSL) and the Directory"

This chapter introduces and explains how to configure the features of Secure Sockets Layer (SSL).

Chapter 14, "Directory Access Control"

This chapter provides an overview of access control policies and describes how to administer directory access.

Chapter 15, "Password Policies in Oracle Internet Directory"

This chapter discusses password policies--that is, sets of rules that govern how passwords are used. When a user attempts to bind to the directory, the directory server uses the password policy to ensure that the password meets the requirements set in that policy.

Chapter 16, "Directory Storage of Password Verifiers"

This chapter explains how Oracle components store application security credentials in Oracle Internet Directory to make their administration easy for both end users and administrators and to address a major security threat to any enterprise.

Chapter 17, "Delegation of Privileges for an Oracle Technology Deployment"

This chapter explains how to store all the data for users, groups, and services in one repository, and delegate the administration of that data to various administrators. It also explains the default security configuration in Oracle Internet Directory.

Part IV Directory Deployment

Part IV discusses important deployment considerations, including capacity planning, high availability, and tuning.

Chapter 18, "Directory Deployment Considerations"

This chapter discusses general issues to consider when deploying Oracle Internet Directory. This chapter helps you assess the requirements of a directory in an enterprise and make effective deployment choices.

Chapter 19, "Deployment of Oracle Identity Management Realms"

Many Oracle components use Oracle Internet Directory for a variety of purposes. In doing this, they rely on a consolidated Oracle Internet Directory schema and a default Directory Information Tree (DIT). This chapter:

• Describes the consolidated Oracle Internet Directory schema used by various components

• Describes a default DIT structure available when using the various Oracle components

Chapter 20, "Capacity Planning for the Directory"

This chapter tells you how to assess applications' directory access requirements and ensure that the Oracle Internet Directory has adequate computer resources to service requests at an acceptable rate.

Chapter 21, "Tuning Considerations for the Directory"

This chapter gives guidelines for ensuring that the combined hardware and software are yielding the desired levels of performance.

Chapter 22, "Garbage Collection in Oracle Internet Directory"

The term "garbage" refers to any data not needed by the directory but still occupying space on it. The process of removing this unwanted data from the directory is called garbage collection. This chapter describes the predefined garbage collectors available with Oracle Internet Directory, and tells how to modify them.

Chapter 23, "Migration of Data from Other Directories"

This chapter explains the steps to migrate data from LDAP v3-compatible and application-specific directories into Oracle Internet Directory.

Part V Directory Replication and High Availability

Part IV provides a detailed discussion of replication and how to manage it.

Chapter 24, "Directory Replication Concepts"

This chapter expands on the discussion about replication in Chapter 2, "Directory Concepts and Architecture".

Chapter 25, "Oracle Directory Replication Administration"

This chapter explains how to install and initialize Oracle directory replication server software the first time, and how to install new nodes into an environment where that software is already installed.

Chapter 26, "High Availability And Failover Considerations"

This chapter describes the availability and failover features of various components in the Oracle Internet Directory technology stack, and provides guidelines for exploiting them optimally for typical directory deployment.

Chapter 27, "Rack-Mounted Directory Server Configurations"

This chapter describes rack-mounted directory server configuration, which provides high availability of a directory server. This configuration involves running multiple directory server instances on different hardware nodes. The directory servers are connected to the same directory store, which is an Oracle9i Database Server.

Chapter 28, "Cold Failover Cluster Configuration"

This chapter explains how to increase high availability by using logical hosts--as opposed to physical hosts--in clustered environments.

Chapter 29, "The Directory in an Oracle9i Real Application Clusters Environment"

This chapter discusses the ways you can run Oracle Internet Directory in an Oracle Real Application Clusters system.

Part VI: Delegation and Self-Service Administration in Oracle Internet Directory

Chapter 30, "Oracle Delegated Administration Services"

This chapter describes Oracle Delegated Administration Services, a framework consisting of pre-defined, Web-based units for building administrative and self-service consoles. These consoles can be used by Delegated administrators and users to perform specified directory operations.

Chapter 31, "Oracle Internet Directory Self-Service Console"

This chapter describes the Oracle Internet Directory Self-Service Console, a ready-to-use application created by using Oracle Delegated Administration Services.

Part VII: The Oracle Directory Integration and Provisioning Platform

Part VII explains the concepts, architecture, and components of the Oracle Directory Integration and Provisioning platform, and tells you how to configure and use it to synchronize multiple directories with Oracle Internet Directory.

Chapter 32, "Oracle Directory Integration and Provisioning Platform Concepts and Components"

This chapter introduces the Oracle Directory Integration and Provisioning platform, its components, architecture, and administration tools.

Chapter 33, "Oracle Directory Synchronization Service"

This chapter discusses the synchronization profiles and connectors that link Oracle Internet Directory and connected directories.

Chapter 34, "Oracle Directory Provisioning Integration Service"

This chapter describes the Oracle Directory Provisioning Integration Service, which enables your applications to receive provisioning information from Oracle Internet Directory.

Chapter 35, "Oracle Directory Integration and Provisioning Server Administration"

This chapter discusses Oracle directory integration and provisioning server and tells you how to configure and manage it.

Chapter 36, "Security in the Oracle Directory Integration and Provisioning Platform"

This chapter discusses the most important aspects of security in the Oracle Directory Integration and Provisioning platform.

Chapter 37, "Bootstrapping of a Directory in the Oracle Directory Integration and Provisioning Platform"

This chapter explains some of the initial setup tasks you may need to perform as you begin using the Oracle Directory Integration and Provisioning platform.

Chapter 38, "Synchronization with Relational Database Tables"

This chapter explains how to synchronize data to Oracle Internet Directory from tables in a relational database. The synchronization can be either incremental--for example, one database table row at a time--or all the database tables at once.

Chapter 39, "Synchronization with Oracle Human Resources"

If you store employee data in Oracle Internet Directory, and if you use Oracle Human Resources to create, modify, and delete that data, then you must ensure that the data is synchronized between the two. This chapter explains the Oracle Human Resources agent, which enables you to do this.

Chapter 40, "Integration of Provisioning Data with the Oracle E-Business Suite"

In Oracle Internet Directory 10g (9.0.4), you can use the Oracle Directory Provisioning Integration Service to synchronize user accounts and other user information from the Oracle E-Business Suite.

Chapter 41, "Considerations for Integrating with Third-Party Directories"

Before you begin integrating any third-party directory with Oracle Internet Directory, you need to decide how you want to configure the integrated environment. This chapter discusses the basic decisions you need to make. Once you have made them, you can follow the steps for setting up successive bootstrapping and synchronization of data between the directories.

Chapter 42, "Integration with SunONE (iPlanet) Directory Server"

This chapter explains how you can synchronize between Oracle Internet Directory and an SunONE Directory Server by using the SunONE connector.

Chapter 43, "Integration with the Microsoft Windows Environment"

This chapter explains how to integrate the Oracle Application Server infrastructure with the Microsoft Windows Operating System. This integration is achieved by using the Active Directory Connector in the Oracle Directory Integration and Provisioning platform.

Chapter 44, "Synchronization with Third-Party Metadirectory Solutions"

Oracle Internet Directory uses change logs to enable synchronization with supported third party metadirectory solutions. This chapter describes how change log information is generated and how supporting solutions use that information. It tells you how to enable the directory integration agents of third-party metadirectory solutions so that they can synchronize with Oracle Internet Directory.

Part VIII: Oracle Internet Directory Plug-ins

Chapter 45, "Oracle Internet Directory Plug-in Framework"

This chapter describes how you can extend the capabilities of the Oracle directory server by using plug-ins developed by either Oracle Corporation or third-party vendors.

Chapter 46, "Oracle Internet Directory Plug-In for Password Policies"

Oracle Internet Directory uses plug-ins to add password value checking to its other password policy management capabilities. These plug-ins enable you to verify that, for example, a new or modified password has the specified minimum length. You can customize password value checking to meet your own requirements. This chapter describes the plug-in for password policies and provides an example of its use.

Chapter 47, "Setting Up the Customized External Authentication Plug-in"

You can store user security credentials in a repository other than Oracle Internet Directory--for example, a database or another LDAP directory--and use these credentials for user authentication to Oracle components. You do not need to store the credentials in Oracle Internet Directory and then worry about keeping them synchronized. Authenticating a user by way of credentials stored in an external repository is called external authentication. This chapter describes the external authentication plug-in and provides an example of its use.

Part IX: Appendixes

Appendix A, "Syntax for LDIF and Command-Line Tools"

This appendix provides syntax, usage notes, and examples for LDAP Data Interchange Format and LDAP command-line tools.

Appendix B, "Oracle Internet Directory Schema Elements"

This appendix lists schema elements supported in Oracle Internet Directory.

Appendix C, "Elements in Oracle Internet Directory Graphical User Interfaces"

This appendix lists and describes the various fields and control devices in Oracle Directory Manager and the Oracle Internet Directory Self-Service Console.

Appendix D, "The LDAP Filter Definition"

This appendix, copied with permission from the Internet Engineering Task Force (IETF), describes a directory access protocol that provides both read and update access.

Appendix E, "The Access Control Directive Format"

This appendix describes the format (syntax) of Access Control Information Items(ACIs).

Appendix F, "Addition of a Directory Node by Using the Database Copy Procedure"

This chapter describes an alternate method of adding a node to a replicated directory system if the directory is very large.

Appendix G, "Globalization Support in the Directory"

This chapter discusses Globalization Support as used by Oracle Internet Directory.

Appendix I, "Troubleshooting"

This appendix lists possible failures and error codes and their probable causes.

Related Documentation

For more information, see:

• Online help available through Oracle Directory Manager, the Oracle Delegated Administration Services and Oracle Enterprise Manager

• The Oracle Application Server and Oracle9i Database Server documentation sets, especially:
  • Oracle Internet Directory Application Developer's Guide

  • Oracle Identity Management Concepts and Deployment Planning Guide

  • Oracle9i Database Administrator's Guide

  • Oracle9i Application Developer's Guide - Fundamentals

  • Oracle Application Server 10g Administrator's Guide

  • Oracle9i Net Services Administrator's Guide

  • Oracle9i Real Application Clusters Administration

  • Oracle9i Advanced Replication

  • Oracle Advanced Security Administrator's Guide

Printed documentation is available for sale in the Oracle Store at

http://oraclestore.oracle.com/

To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at

http://otn.oracle.com/membership/

If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at

http://otn.oracle.com/documentation/

For additional information, see:

• Chadwick, David. Understanding X.500--The Directory. Thomson Computer Press, 1996.

• Howes, Tim and Mark Smith. LDAP: Programming Directory-enabled Applications with Lightweight Directory Access Protocol. Macmillan Technical Publishing, 1997.

• Howes, Tim, Mark Smith and Gordon Good, Understanding and Deploying LDAP Directory Services. Macmillan Technical Publishing, 1999.

• Internet Assigned Numbers Authority home page, http://www.iana.org, for information about object identifiers

• Internet Engineering Task Force (IETF) documentation available at: http://www.ietf.org, especially:
  • The LDAPEXT charter and LDAP drafts

  • The LDUP charter and drafts

  • RFC 2254, "The String Representation of LDAP Search Filters"

  • RFC 1823, "The LDAP Application Program Interface"

• The OpenLDAP Community, http://www.openldap.org

Conventions

This section describes the conventions used in the text and code examples of this documentation set. It describes:

• Conventions in Text

• Conventions in Code Examples

• Conventions for Windows Operating Systems

Conventions in Text

We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.

Convention	Meaning	Example
Bold	Bold typeface indicates terms that are defined in the text or terms that appear in a glossary, or both.	When you specify this clause, you create an index-organized table.
Italics	Italic typeface indicates book titles or emphasis.	Oracle9i Database Concepts Ensure that the recovery catalog and target database do not reside on the same disk.
UPPERCASE monospace (fixed-width) font	Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, datatypes, RMAN keywords, SQL keywords, SQL*Plus or utility commands, packages and methods, as well as system-supplied column names, database objects and structures, usernames, and roles.	You can specify this clause only for a NUMBER column. You can back up the database by using the BACKUP command. Query the TABLE_NAME column in the USER_TABLES data dictionary view. Use the DBMS_STATS.GENERATE_STATS procedure.
lowercase monospace (fixed-width) font	Lowercase monospace typeface indicates executables, filenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identifiers, as well as user-supplied database objects and structures, column names, packages and classes, usernames and roles, program units, and parameter values. Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.	Enter sqlplus to open SQL*Plus. The password is specified in the orapwd file. Back up the datafiles and control files in the /disk1/oracle/dbs directory. The department_id, department_name, and location_id columns are in the hr.departments table. Set the QUERY_REWRITE_ENABLED initialization parameter to true. Connect as oe user. The JRepUtil class implements these methods.
lowercase italic monospace (fixed-width) font	Lowercase italic monospace font represents placeholders or variables.	You can specify the parallel_clause. Run Uold_release.SQL where old_release refers to the release you installed prior to upgrading.

Conventions in Code Examples

Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (fixed-width) font and separated from normal text as shown in this example:

SELECT username FROM dba_users WHERE username = 'MIGRATE';

The following table describes typographic conventions used in code examples and provides examples of their use.

Convention	Meaning	Example
[ ]	Brackets enclose one or more optional items. Do not enter the brackets.	DECIMAL (digits [ , precision ])
{ }	Braces enclose two or more items, one of which is required. Do not enter the braces.	{ENABLE | DISABLE}
|	A vertical bar represents a choice of two or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar.	{ENABLE | DISABLE} [COMPRESS | NOCOMPRESS]
...	Horizontal ellipsis points indicate either: That we have omitted parts of the code that are not directly related to the example That you can repeat a portion of the code	CREATE TABLE ... AS subquery; SELECT col1, col2, ... , coln FROM employees;
. . .	Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example.	SQL> SELECT NAME FROM V$DATAFILE; NAME ------------------------------------ /fsl/dbs/tbs_01.dbf /fs1/dbs/tbs_02.dbf . . . /fsl/dbs/tbs_09.dbf 9 rows selected.
Other notation	You must enter symbols other than brackets, braces, vertical bars, and ellipsis points as shown.	acctbal NUMBER(11,2); acct CONSTANT NUMBER(4) := 3;
Italics	Italicized text indicates placeholders or variables for which you must supply particular values.	CONNECT SYSTEM/system_password DB_NAME = database_name
UPPERCASE	Uppercase typeface indicates elements supplied by the system. We show these terms in uppercase in order to distinguish them from terms you define. Unless terms appear in brackets, enter them in the order and with the spelling shown. However, because these terms are not case sensitive, you can enter them in lowercase.	SELECT last_name, employee_id FROM employees; SELECT * FROM USER_TABLES; DROP TABLE hr.employees;
lowercase	Lowercase typeface indicates programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or files. Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.	SELECT last_name, employee_id FROM employees; sqlplus hr/hr CREATE USER mjones IDENTIFIED BY ty3MU9;

Conventions for Windows Operating Systems

The following table describes conventions for Windows operating systems and provides examples of their use.

Convention	Meaning	Example
Choose Start >	How to start a program.	To start the Database Configuration Assistant, choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Database Configuration Assistant.
File and directory names	File and directory names are not case sensitive. The following special characters are not allowed: left angle bracket (<), right angle bracket (>), colon (:), double quotation marks ("), slash (/), pipe (|), and dash (-). The special character backslash (\) is treated as an element separator, even when it appears in quotes. If the file name begins with \\, then Windows assumes it uses the Universal Naming Convention.	c:\winnt"\"system32 is the same as C:\WINNT\SYSTEM32
C:\>	Represents the Windows command prompt of the current hard disk drive. The escape character in a command prompt is the caret (^). Your prompt reflects the subdirectory in which you are working. Referred to as the command prompt in this manual.	C:\oracle\oradata>
Special characters	The backslash (\) special character is sometimes required as an escape character for the double quotation mark (") special character at the Windows command prompt. Parentheses and the single quotation mark (') do not require an escape character. Refer to your Windows operating system documentation for more information on escape and special characters.	C:\>exp scott/tiger TABLES=emp QUERY=\"WHERE job='SALESMAN' and sal<1600\" C:\>imp SYSTEM/password FROMUSER=scott TABLES=(emp, dept)
HOME_NAME	Represents the Oracle home name. The home name can be up to 16 alphanumeric characters. The only special character allowed in the home name is the underscore.	C:\> net start OracleHOME_NAMETNSListener
ORACLE_HOME and ORACLE_BASE	In releases prior to Oracle8i release 8.1.3, when you installed Oracle components, all subdirectories were located under a top level ORACLE_HOME directory. For Windows NT, the default location was C:\orant. This release complies with Optimal Flexible Architecture (OFA) guidelines. All subdirectories are not under a top level ORACLE_HOME directory. There is a top level directory called ORACLE_BASE that by default is C:\oracle. If you install the latest Oracle release on a computer with no other Oracle software installed, then the default setting for the first Oracle home directory is C:\oracle\orann, where nn is the latest release number. The Oracle home directory is located directly under ORACLE_BASE. All directory path examples in this guide follow OFA conventions. Refer to Oracle9i Database Platform Guide for Windows for additional information about OFA compliances and for information about installing Oracle products in non-OFA compliant directories.	Go to the ORACLE_BASE\ORACLE_HOME\rdbms\admin directory.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/

Accessibility of Code Examples in Documentation

JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.