10g (9.0.4)
Part Number B12118-01
 Home |
 Solution Area |
 Contents |
 Index |
| Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01 |
|
Oracle Internet Directory Schema Elements, 4 of 7
Oracle Internet Directory's proprietary schema includes attributes and object classes in these categories:
In addition, Oracle Internet Directory installation includes schema elements that enable specific Oracle products to use Oracle Internet Directory. For information about these schema elements, see the documentation for the specific Oracle product.
| Object Class | Attributes |
|---|---|
|
|
|
| Object Class | Attributes |
|---|---|
|
|
|
The following table lists and describes the entire set of configuration set entry attributes that are used to configure an instance of a directory server.
| Attribute | Description |
|---|---|
|
|
Specifies whether debug messages are to be written to the log file when a message is logged by the directory server. To enable it, set its value to See Also: "Force Flushing the Trace Information to a Log File" |
|
|
To make logging more focused, limits logged information to particular directory server operations by specifying the debug dimension to those operations. See Also: "Setting the Operation Debug Dimension" |
Table B-7 lists and describes the attributes of the orclDynamicGroup object class
|
See Also:
"Dynamic Groups" for information about dynamic groups and "connect by" assertions |
Oracle Internet Directory provides several predefined garbage collectors that, together, clean up all unwanted data in the directory server. These predefined garbage collectors are:
Audit log garbage collector cleans up unwanted entries created for auditing the directory server.
Change log garbage collector cleans up the consumed change log entries in the directory.
The General Statistics garbage collector cleans up unwanted general statistical entries created for the directory server.
The Health Statistics garbage collector cleans up unwanted health statistics entries created for the directory server.
The Security and Refresh Events garbage collector cleans up the unwanted entries created for monitoring the security and refresh events of the directory server.
The System Resource Events garbage collector cleans up unwanted entries created for monitoring system resources events of the directory server.
The Tombstone garbage collector cleans up unwanted entries marked as deleted.
The garbage collection framework relies on the Oracle Internet Directory plug-in framework to trigger the garbage collection engine. This section tells you the attribute value pairs that the garbage collection plug-in uses for various operations.
To create a garbage collector, the garbage collection plug-in uses the attribute value pairs listed in Table B-16.
| Attribute | Value |
|---|---|
|
|
PurgeAdmin |
|
|
operational |
|
|
post |
|
|
ldapadd |
|
|
|
To modify a garbage collector, the garbage collection plug-in uses the attribute value pairs listed in Table B-17.
| Attribute | Value |
|---|---|
|
|
PurgeAdmin |
|
|
operational |
|
|
post |
|
|
ldapmodify |
|
|
|
To delete a garbage collector, the garbage collection plug-in uses the attribute value pairs listed in Table B-18.
| Attribute | Value |
|---|---|
|
|
PurgeAdmin |
|
|
operational |
|
|
post |
|
|
ldapdelete |
|
|
|
The following are optional attributes from the orclUserV2 object class:
| Attribute | Description |
|---|---|
|
General Information |
- |
|
Profile Name ( |
Name of the profile for the particular third-party directory you are integrating with. This attribute is mandatory. |
|
Synchronization Mode |
Direction of synchronization between Oracle Internet Directory and the connected directory. |
|
ProfileStatus (orclOdipAgentControl) |
Indicator whether the profile is enabled or disabled. The default is DISABLE. You must set this value to ENABLE. |
|
Profile Password ( |
The password used by the profile to bind to Oracle Internet Directory. In case of import, the changes are made with the profile name as the identity. The default value is Note: For security reasons, change this password. |
|
Scheduling Interval |
Time interval in seconds after which a connected directory is synchronized with Oracle Internet Directory. The default is This attribute can be modified. |
|
Maximum Number of Retries |
Maximum number of times Oracle directory integration and provisioning server tries to run the third-party directory connector in the event of a failure. The default is |
|
Profile Version |
Version of the Oracle Directory Integration and Provisioning platform with which this profile was created.The default value is |
|
( |
Identifier indicating the level of debugging required for any profile. Set this attribute to 63 for the maximum debug level. See Also: "Setting Debug Logging Levels" |
|
Execution Information |
- |
|
Agent Execution Command ( |
Connector executable name and argument list used by the directory integration and provisioning server. It can be passed as a command-line argument when the connector is invoked. See Also: Chapter 39, "Synchronization with Oracle Human Resources" for typical usage of passing it in the command-line |
|
Connected Directory Account ( |
Valid user account in the connected directory to be used by the connector for synchronization. The value is specific to the connected directory with which you are integrating. For instance, for the SunONE synchronization connector, it is the valid bind DN in the SunONE Directory Server. For the Human Resources Connector, it is a valid user identifier in the Oracle Human Resources database. For other connectors, it can be passed as a command-line argument when the connector is invoked. See Also: Chapter 39, "Synchronization with Oracle Human Resources" for typical usage of passing it in the command-line |
|
Connected Directory Account Password ( |
Password to be used by the user specified in the orclOdipConDirAccessAccount attribute to connect to the connected directory. The value is specific to the third-party directory with which you are integrating. For instance, for the SunONE synchronization connector, it is the valid bind password in the SunONE Directory Server. For the Human Resources Agent, it is the Oracle Human Resources database password. |
|
Additional Config Info ( |
Any configuration information that you want the connector to store in Oracle Internet Directory. It is passed by the directory integration and provisioning server to the connector at time of connector invocation. The information is stored as an attribute and the directory integration and provisioning server does not have any knowledge of its content. When the connector is scheduled for execution, the value of the attribute is stored in the file,
Upload the file by using either the Directory Integration and Provisioning Assistant or the See Also: |
|
Connected Directory URL |
Connect details required to connect to the connected directory. This parameter refers to the host name and port number as
To connect by using SSL, enter
Make sure the certificate to connect to the directory is stored in the wallet, the location of which is specified in the file Note: To connect to SunONE Directory Server by using SSL, the server certificate needs to be loaded into the wallet. See Also: The chapter on Oracle Wallet Manager in Oracle Advanced Security Administrator's Guide |
|
Interface Type ( |
The data format or protocol used in synchronization. Supported values are:
|
|
Mapping Information |
- |
|
Mapping Rules |
Attribute for storing the mapping rules. Store the mapping rules in a file by using the Directory Integration and Provisioning Assistant or the See Also: |
|
Connected Directory Matching Filter |
This attribute specifies the filter to apply to the third-party directory change log. It is used in the import profile. The filter must be set in the import profile when both the import and export integration profiles are enabled, as follows:
This prevents the same change from being exchanged between the two directories indefinitely. To avoid confusion, make this account specific to synchronization. |
|
OID Matching Filter ( |
In export profiles, this attribute specifies the filter to apply to the Oracle Internet Directory change log container. It is used in the export profile. It must be set in the export profile when both the import and export integration profiles are enabled, as in the following example:
This prevents the same change from being exchanged between the two directories indefinitely. In import profiles, this attribute specifies a key for mapping entries between Oracle Internet Directory and the connected directory. This is useful when the DN cannot be used as the key. |
|
Status Information |
- |
|
OID Last Applied Change Number ( |
For export operations, the last change from Oracle Internet Directory that was applied to the connected directory. The default value is This is valid only in the export profile. |
|
Last Execution Time |
Status attribute set to the last time the integration profile was executed successfully by the Oracle directory integration and provisioning server. Its format is |
|
Last Successful Execution Time |
Status attribute set to the last time the integration profile was executed successfully by the Oracle directory integration and provisioning server. The format is |
|
Synchronization Status |
Synchronization status of the last execution: Success or failure. |
|
Synchronization Errors |
Messages explaining errors if the last execution failed. This parameter is updated by Oracle directory integration and provisioning server. It is a read-only attribute. |
|
Last Applied Change Number |
For import operations, the last change from the connected directory that was applied to Oracle Internet Directory. The default value is This is valid only in the import profile. |
|
See Also:
"Updating the Default Parameters" for instructions specific to integration with SunONE Directory Server |
| Attribute | Description |
|---|---|
|
|
Indicate whether you want to enable or disable the Oracle Internet Directory Server Manageability framework. To enable, set this to |
|
|
Specify how often you want to gather sample statistics--that is, the number of minutes in the interval. Set this to 1 or more minutes.
If |
|
|
Specify critical events related to security and system resources that you want recorded. The default is
For events other than super user, proxy user, and replication login, set the value of the See Also: "Configuring Critical Events" for a list of critical events that can be monitored |
|
|
Specify the level of statistics collection for users. There is only one valid value in this release, namely, |
|
|
Specifies maximum TCP connection time in minutes for an idle connection to be recorded as idle. Its default value is 120 minutes (2 hours). Please note that the value of this attribute should be less than that of the DSA Configuration Set attribute |
The pwdPolicy object class is an auxiliary object class containing the password policy information for a set of users in a given DIT. It contains attributes that define the password policy information for the entire directory.
Table B-23 lists and describes the attributes of the pwdPolicy object class. The default value for each of these attributes is 0 (zero). These attributes are single-valued, except orclpwdIllegalValues, which is multi-valued.
pwdPolicy Object Class
In addition to the pwdpolicysubentry mentioned earlier, the object class top contains these operational attributes to maintain the user-password state information for each user entry.
Top Object Class
| Attribute | Description |
|---|---|
|
|
Reversible encrypted value of the user password. This attribute is generated only if the attribute See Also: "Storing and Managing Password Verifiers for Authenticating to Oracle Internet Directory" |
|
|
The time at which a user was locked out of a specific IP address |
|
|
The timestamp of the last login by the user |
|
|
The time at which the user account was locked |
|
|
The timestamp of the user password creation or modification |
|
|
The time at which the first password expiration warning is been sent to the user |
|
|
The timestamp of consecutive failed login attempts by the user |
|
|
The time stamps of each grace login by the user |
|
|
A history of user's previously used passwords |
|
|
Indicator that the password has been reset and must be changed by the user on first authentication |
Both the directory and Oracle components store the user password in the user entry, but in different attributes. Whereas the directory stores user passwords in the userPassword attribute, Oracle components store user password verifiers in the authPassword, orclPasswordVerifier, or orclpassword attribute. Table B-25 describes each of the attributes used by Oracle components.
Each of these attribute types has appID as an attribute subtype. This attribute subtype uniquely identifies a particular application. For example, the appID can be the ORCLGUID of the application entry. This attribute subtype is generated during application installation.
The orclPluginConfig object class is a structural object class that must be associated with all plug-in entries. Its superclass is top. Table B-26 lists and describes its attributes.
| Attribute Name | Attribute Value | Mandatory? |
|---|---|---|
|
|
Plug-in entry name |
Yes |
|
|
A semicolon-separated attribute name list that controls whether the plug-in takes effect. If the target attribute is included in the list, the plug-in is invoked. |
No |
|
|
1 = enable |
No |
|
|
An ldap search filter type value need to be specified here. For example, if we specify |
No |
|
|
For WHEN timing plug-in only |
No |
|
|
PL/SQL |
No |
|
|
One of the following values: ldapcompare ldapmodify ldapbind ldapadd ldapdelete ldapsearch |
Yes |
|
|
Plug-in package name |
Yes |
|
|
A semicolon-separated group list that controls if the plug-in takes effect. You can use this group to specify who can actually invoke the plug-in.
For example, if you specify |
No |
|
|
A semicolon-separated group list that controls if the plug-in takes effect. You can use this group to specify who can NOT invoke the plug-in. For example, if you specify |
No |
|
|
An integer value to specify the ldap result code. If this value is specified, then plug-in will be invoked only if the ldap operation is in that result code scenario. This is only for the POST plug-in type. |
No |
|
|
File location of the dynamic linking library. If this value is not present, then Oracle Internet Directory server assumes the plug-in language is PL/SQL. |
No |
|
|
A semicolon-separated DN list that controls if the plug-in takes effect. For example: orclPluginSubscriberDNList= dc=COM,c=us; dc=us,dc=oracle,dc=com; dc=org,dc=us; If the target DN of an LDAP operation is included in the list, then the plug-in is invoked. |
No |
|
|
One of the following values: pre when post See Also: "About Directory Server Plug-ins" for explanations of these values |
No |
|
|
One of the following values: operational attribute password_policy syntax matchingrule See Also: The chapter about the Oracle Internet Directory server plug-in framework in Oracle Internet Directory Application Developer's Guide |
Yes |
|
|
Supported plug-in version number |
No |
This section lists and describes the attributes for:
The resource access descriptor object contains the attributes listed and described in.
| Attribute | Description |
|---|---|
|
|
Specifies the name of the resource for which the connection information is being maintained. |
|
|
Specifies the user or a group for which the preferences are being stored. The value of the attribute is same as the GUID (
For example, suppose that user John Doe from Acme Corporation needs to store his extended preferences. His actual user entry contains mostly white-pages information about the user and his authentication credentials. The user entry additionally has |
|
|
Specifies the global identifier of the application entity for which the user-preferences are being stored. The value of the attribute is same as the GUID ( |
|
|
Specifies the name of the resource--for example, database, XMLPDS, JDBCPDS |
|
|
Specifies the display name associated with the resource |
|
|
Specifies the description associated with |
|
|
Specifies the user identifier value to access the resource. |
|
|
Specifies the password value to access the resource. |
|
|
Specifies the additional information if required by the resource type. |
|
|
Specifies the additional information if required by the resource type. |
|
|
Specifies the additional information if required by the resource type. |
|
|
Specifies if the data is modifiable by the user that this RAD entry is created for |
Table B-30 lists and describes the attributes of the replication server configuration set entry, which has the following DN: cn=configset0,cn=osdrepld,cn=subconfigsubentry.
The container for replication naming context objects is an entry with the RDN cn=replication namecontext. It is created below the orclagreementID entry at installation. The cn=replication namecontext entry has the attributes listed and described in Table B-33.
The SSL attributes are: orclsslAuthentication, orclsslEnable, orclsslWalletURL, orclsslPort, orclsslVersion
|
See Also:
|
The following system operational attributes are modifiable.
| Attribute | Description |
|---|---|
|
|
Topmost DNs for the naming contexts contained in this server. You must have super user privileges to publish a DN as a naming context. There is no default. |
|
|
Hash algorithm for encrypting the password. Options are: The default is MD4. |
|
|
Maximum number of entries to be returned by a search |
|
|
Specification as to whether data can be written to the server. Valid values are read-only and read-write. The default is read-write. |
|
|
Maximum amount of time, in seconds, allowed for a search to be completed. The default is 3600. |
|
|
Specification as to whether entry caching, described in "Entry Caching", is enabled. The value for enabled is 1; the value for disabled is |
|
|
Maximum size in bytes of the entry that can be cached in the entry cache. Any entry with size greater than
This attribute is in the entry To change this value:
|
|
|
Maximum number of bytes of RAM that the entry cache can use. The default is 100M. |
|
|
Maximum number of entries that can be present in the entry cache. The default is 25,000. |
|
|
Used by the directory replication server, and indicates whether change logs are to be generated in the consumer node for the Oracle directory integration and provisioning server to consume. The default is FALSE. |
|
|
The cache of privilege groups and ACL groups in the directory server. Using this cache improves the performance of access control evaluation for users when privilege and ACP groups are used in ACI. Use the group cache when a privilege group membership does not change frequently. If a privilege group membership does change frequently, then it is best to turn off the group cache. This is because, in such a case, computing a group cache increases overhead. The default is 1. |
|
|
If the base DN of a search request is not found, then the directory server returns the nearest DN that matches the specified base DN. Whether the directory server tries to find the nearest match DN is controlled by this attribute. If set to 1, then match DN processing is enabled. If set to |
|
|
Specification as to whether anonymous binds are allowed or not. If set to 1, then anonymous binds are allowed. If set to 0 (zero), then they are not allowed. The default is 1. |
|
|
Specification as to how often you want to gather sample statistics--that is, the number of minutes in the interval. Set this to 1 or more minutes. The default is 60. |
|
|
Indicates whether you want to enable or disable the Oracle Internet Directory Server Manageability framework. To enable, set this to |
|
|
Specifies maximum connection time in minutes for an idle LDAP connection to be closed by the directory server. This is a DSA configuration set ( |
|
|
Specifies critical events related to security and system resources that you want recorded. The default is 0--that is, no critical events are recorded
Please note that for events other than super user, proxy and replication login, the value of the See Also: "Configuring Critical Events" for a list of critical events that can be monitored |
|
 Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved. |
|