Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Contents

Title and Copyright Information

List of Figures

List of Tables

Send Us Your Comments

Preface

Audience
Organization
Related Documentation
Conventions
Documentation Accessibility

What's New in Oracle Internet Directory?

New Features Introduced with Oracle Internet Directory 10g (9.0.4)
About Oracle Internet Directory Release 9.2
New Features Introduced with Oracle Internet Directory Release 9.0.2
New Features Introduced with Oracle Internet Directory Release 3.0.1
New Features Introduced with Oracle Internet Directory Release 2.1.1

Volume 1

Part I Getting Started

1 Introduction to LDAP and Oracle Internet Directory

What Is a Directory?
The Expanding Role of Online Directories
The Problem: Too Many Special-Purpose Directories
What Is the Lightweight Directory Access Protocol (LDAP)?
LDAP and Simplified Directory Management
LDAP Version 3
What Is Oracle Internet Directory?
Architecture of the Oracle Internet Directory
Components of Oracle Internet Directory
Advantages of Oracle Internet Directory
Oracle Identity Management
How Oracle Components Use Oracle Internet Directory
Easier and More Cost-Effective Administration of Applications
Tighter Security Through Centralized Security Policy Administration
Integration of Distributed Directories

2 Directory Concepts and Architecture

Entries
Distinguished Names (DNs) and Directory Information Trees (DITs)
Entry Caching
Attributes
Kinds of Attribute Information
Single-Valued and Multivalued Attributes
Common LDAP Attributes
Attribute Syntax
Attribute Matching Rules
Attribute Options
Object Classes
Subclasses, Superclasses, and Inheritance
Object Class Types
Naming Contexts
Security
Globalization Support
Oracle Internet Directory Architecture
An Oracle Internet Directory Node
An Oracle Directory Server Instance
Directory Metadata
Configuration Set Entries
Example: How Oracle Internet Directory Works
Distributed Directories
Directory Replication
Directory Partitioning
Knowledge References and Referrals
Oracle Delegated Administration Services and the Oracle Internet Directory Self-Service Console
The Oracle Directory Integration and Provisioning Platform
Oracle Internet Directory and Identity Management
About Identity Management
About the Oracle Identity Management Infrastructure
Identity Management Realms
Resource Information
Resource Type Information
Resource Access Information
Location of Resource Information in the DIT

3 Preliminary Tasks and Information

Task 1: Start the OID Monitor
Task 2: Start a Server Instance
Task 3: Reset the Default Security Configuration
Task 4: Reset the Default Password for the Database
Task 5: Run the OID Database Statistics Collection Tool
Log File Locations

4 Directory Administration Tools

Using Oracle Directory Manager
Starting Oracle Directory Manager
Connecting to a Directory Server by Using Oracle Directory Manager
Navigating Oracle Directory Manager
Connecting to Additional Directory Servers by Using Oracle Directory Manager
Disconnecting from a Directory Server by Using Oracle Directory Manager
Configuring the Display and Duration of Searches in Oracle Directory Manager
Performing Administration Tasks by Using Oracle Directory Manager
Using Command-Line Tools
Command-Line Tools for Starting, Stopping, and Monitoring Oracle Internet Directory Servers
Command-Line Tools for Managing Entries and Attributes
Command-Line Tools for Performing Bulk Operations
Command-Line Tools for Managing Replication
Command-Line Tools for Managing Directory Synchronization and Provisioning
OID Migration Tool (ldifmigrator)
OID Database Statistics Tool (oidstats.sh)
OID Database Password Utility (oidpasswd)
Routine Administration at a Glance

Part II Basic Directory Administration

5 Oracle Directory Server Administration

Managing Server Configuration Set Entries
Preliminary Considerations for Managing Configuration Set Entries
Managing Server Configuration Set Entries by Using Oracle Directory Manager
Managing Server Configuration Set Entries by Using Command-Line Tools
Setting System Operational Attributes
Setting System Operational Attributes by Using Oracle Directory Manager
Setting System Operational Attributes by Using ldapmodify
Managing Naming Contexts
Publishing Naming Contexts by Using Oracle Directory Manager
Publishing Naming Contexts by Using ldapmodify
Managing Super Users, Guest Users, and Proxy Users
Managing Super Users, Guest Users, and Proxy Users by Using Oracle Directory Manager
Managing Super Users, Guest Users, and Proxy Users by Using ldapmodify
Viewing Active Server Instance Information
Closing Idle LDAP Connections
Changing the Password to the Oracle Internet Directory Database Server
Dereferencing Alias Entries
About Alias Entries
Examples: Using Alias Entry Dereferencing
Success and Error Messages
Locating Directory Servers in a Distributed Environment
Static Directory Server Discovery by Using the Directory Server Usage File (ldap.ora)
Dynamic Directory Server Discovery by Using the Domain Name System (DNS)

6 Directory Schema Administration

About the Directory Schema
Object Classes in the Directory
About Object Class Management
Managing Object Classes by Using Oracle Directory Manager
Managing Object Classes by Using Command-Line Tools
Attributes in the Directory
About Attribute Management
Managing Attributes by Using Oracle Directory Manager
Managing Attributes by Using Command-Line Tools
How to Extend the Number of Attributes Associated with Entries
Extending the Number of Attributes Prior to Creating Entries in the Directory
Extending the Number of Attributes for Existing Entries by Creating an Auxiliary Object Class
Extending the Number of Attributes for Existing Entries by Creating a Content Rule
Matching Rules in the Directory
Viewing Matching Rules by Using Oracle Directory Manager
Viewing Matching Rules by Using ldapsearch
Syntaxes in the Directory
Viewing Syntaxes by Using Oracle Directory Manager
Viewing Syntaxes by Using ldapsearch

7 Directory Entries Administration

Managing Entries by Using Oracle Directory Manager
Searching for Entries by Using Oracle Directory Manager
Viewing Attributes for a Specific Entry by Using Oracle Directory Manager
Adding Entries by Using Oracle Directory Manager
Modifying Entries by Using Oracle Directory Manager
Managing Entries with Attribute Options by Using Oracle Directory Manager
Managing Entries by Using Command-Line Tools
Command-Line Tools for Managing Entries
Example: Adding a User Entry by Using ldapadd
Example: Modifying a User Entry by Using ldapmodify
Managing Entries with Attribute Options by Using Command-Line Tools
Managing Entries by Using Bulk Tools
Importing an LDIF File by Using bulkload
Converting Directory Data to LDIF
Modifying a Large Number of Entries
Deleting a Large Number of Entries
Managing Knowledge References and Referrals
Configuring Smart Referrals
Configuring Default Referrals
Client-Side Referral Caching

8 Attribute Uniqueness in the Directory

About Attribute Uniqueness
Rules for Creating Attribute Uniqueness
Specifying Multiple Attribute Names in an Attribute Uniqueness Constraint
Specifying Multiple Subtrees in an Attribute Uniqueness Constraint
Specifying Multiple Scopes in an Attribute Uniqueness Constraint
Specifying Multiple Object Classes in an Attribute Uniqueness Constraint
Specifying Multiple Subtrees, Scopes, and Object Classes in an Attribute Uniqueness Constraint
Managing Attribute Uniqueness
Location of Attribute Uniqueness Entries
Managing Attribute Uniqueness by Using Oracle Directory Manager
Managing Attribute Uniqueness by Using Command-Line Tools
Limitations of Attribute Uniqueness in Oracle Internet Directory 10g (9.0.4)

9 Dynamic and Static Groups in Oracle Internet Directory

About Groups
Static Groups
Dynamic Groups
Hierarchies
Querying Group Entries
When to Use Each Kind of Group
Limitations of Dynamic Groups in Oracle Internet Directory 10g (9.0.4)
Managing Group Entries
Managing Static Group Entries by Using Oracle Directory Manager
Managing Static Group Entries by Using Command-Line Tools
Managing Dynamic Groups by Using Oracle Directory Manager
Managing Dynamic Groups by Using Command-Line Tools

10 Logging, Auditing, and Monitoring the Directory

Using Debug Logging
About Oracle Internet Directory Debug Logging
About Log Messages
Setting Debug Logging Levels
Setting the Operation Debug Dimension
Force Flushing the Trace Information to a Log File
Using the Audit Log
Monitoring Oracle Internet Directory Servers
Capabilities of Oracle Internet Directory Server Manageability
Oracle Internet Directory Server Manageability Architecture and Components
Location of Configuration Information for Oracle Internet Directory Server Manageability
Configuring Oracle Internet Directory Server Manageability
Configuring Critical Events
Using the Oracle Internet Directory Server Manageability Framework Through Oracle Enterprise Manager Application Server Control

11 Backup and Restoration of a Directory

Backing Up and Restoring a Small Directory or Specific Naming Context
Backing Up and Restoring a Large Directory

Part III Directory Security

12 Directory Security Concepts

Data Integrity and Oracle Internet Directory
Data Privacy and Oracle Internet Directory
Authorization in Oracle Internet Directory
Authentication in Oracle Internet Directory
Direct Authentication
Indirect Authentication
External Authentication
Protection of User Passwords for Directory Authentication
Password Policies in Oracle Internet Directory
Authentication by Using Simple Authentication and Security Layer (SASL)

13 Secure Sockets Layer (SSL) and the Directory

Supported Cipher Suites
SSL Client Scenarios
Configuring SSL Parameters
Configuring SSL Parameters by Using Oracle Directory Manager
Configuring SSL Parameters by Using Command-Line Tools
Starting a Directory Server Instance with SSL Enabled
Limitations of the Use of SSL in Oracle Internet Directory 10g (9.0.4)

14 Directory Access Control

Overview of Access Control Policy Administration
Access Control Management Constructs
Access Control Information Components
Access Level Requirements for LDAP Operations
How ACL Evaluation Works
Precedence Rules Used in ACL Evaluation
Use of More Than One ACI for the Same Object
Exclusionary Access to Directory Objects
ACL Evaluation For Groups
Managing Access Control by Using Oracle Directory Manager
Configuring Oracle Directory Manager for Access Control Management
Viewing an ACP by Using Oracle Directory Manager
Adding an ACP by Using Oracle Directory Manager
Adding an ACP by Using the ACP Creation Wizard of Oracle Directory Manager
Modifying an ACP by Using Oracle Directory Manager
Granting Entry-Level Access by Using Oracle Directory Manager
Example: Managing ACPs by Using Oracle Directory Manager
Managing Access Control by Using Command-Line Tools
Example: Restricting the Kind of Entry a User Can Add
Example: Setting Up an Inheritable ACP by Using ldapmodify
Example: Setting Up Entry-Level ACIs by Using ldapmodify
Example: Using Wild Cards
Example: Selecting Entries by DN
Example: Using Attribute and Subject Selectors
Example: Granting Read-Only Access
Example: Granting Selfwrite Access to Group Entries

15 Password Policies in Oracle Internet Directory

About Password Policies
What a Password Policy Is
Default Password Policy
Directory Server Verification of Password Policy Information
Overview: Establishing a Password Policy for an Identity Management Realm
Managing Password Policies
Managing Password Policies by Using Oracle Directory Manager
Managing Password Policies by Using Command-Line Tools
Managing Password Policies by Using the Self-Service Console
Password Policy Error Messages

16 Directory Storage of Password Verifiers

About Centralized Storage of User Authentication Credentials
Storing and Managing Password Verifiers for Authenticating to Oracle Internet Directory
Password Verifiers and Authentication to the Directory
Hashing Schemes for Creating Password Verifiers
Managing Password Protection by Using Oracle Directory Manager
Managing Password Protection by Using ldapmodify
Storing and Managing Password Verifiers for Authenticating to Oracle Components
About Password Verifiers for Oracle Components
Attributes for Storing Password Verifiers
Default Verifiers for Oracle Components
Example: How Password Verification Works for an Oracle Component
Managing Password Verifier Profiles for Oracle Components by Using Oracle Directory Manager
Managing Password Verifier Profiles for Oracle Components by Using Command-Line Tools

17 Delegation of Privileges for an Oracle Technology Deployment

Delegation in the Oracle Identity Management Model
How Delegation Works
Delegation in an Oracle Application Server Environment
About the Default Configuration
Overview: Privileges for Administering the Oracle Technology Stack
Delegation of Privileges for User and Group Management
How Privileges Are Granted for Managing User and Group Data
Default Privileges for Managing User Data
Default Privileges for Managing Group Data
Delegation of Privileges for Deployment of Oracle Components
How Deployment Privileges Are Granted
Oracle Application Server Administrators
User Management Application Administrators
Trusted Application Administrators
Delegation of Privileges for Component Runtime
Default Privileges for Reading and Modifying User Passwords
Default Privileges for Comparing User Passwords
Default Privileges for Comparing Password Verifiers
Default Privileges for Proxying on Behalf of End Users
Default Privileges for Managing the Oracle Context
Default Privileges for Reading Common User Attributes
Default Privileges for Reading Common Group Attributes

Part IV Directory Deployment

18 Directory Deployment Considerations

The Expanding Role of Directories
Logical Organization Of Directory Information
Physical Distribution: Partitions, Replicas, and High Availability
An Ideal Deployment
Partitioning Considerations
Replication Considerations
High Availability Considerations
The Oracle Directory Integration and Provisioning Platform
Capacity Planning, Sizing, and Tuning
Capacity Planning
Sizing Considerations
Tuning Considerations

19 Deployment of Oracle Identity Management Realms

Identity Management Realms in an Enterprise Deployment
Single Identity Management Realm in the Enterprise
Multiple Identity Management Realms in the Enterprise
Identity Management Realms in a Hosted Deployment
Identity Management Realm Implementation in Oracle Internet Directory
Planning the Directory Information Tree for Identity Management
Planning the Overall Directory Structure
Planning the Names and Containment of Users and Groups
Planning the Identity Management Realm
Default Directory Information Tree and Identity Management Realm
Administration of Identity Management Realms
Customizing an Existing Identity Management Realm
Creating Additional Identity Management Realms

20 Capacity Planning for the Directory

About Capacity Planning
Getting to Know Directory Usage Patterns: A Case Study
I/O Subsystem Requirements
About the I/O Subsystem
Rough Estimates of Disk Space Requirements
Detailed Calculations of Disk Space Requirements
Memory Requirements
Network Requirements
CPU Requirements
CPU Configuration
Rough Estimates of CPU Requirements
Detailed Calculations of CPU Requirements
Summary of Capacity Plan for Acme Corporation

21 Tuning Considerations for the Directory

About Tuning
Tools for Performance Tuning
CPU Usage Tuning
Tuning CPU for Oracle Internet Directory Processes
Tuning CPU for Oracle Foreground Processes
Taking Advantage of Processor Affinity on SMP Systems
Other Alternatives for a CPU Constrained System
Memory Tuning
Tuning the System Global Area (SGA) for Oracle9i Database Server
Other Alternatives for a Memory-Constrained System
Disk Tuning
Database Tuning
Required Parameter
Parameters Dependent on Oracle Internet Directory Server Configuration
SGA Parameters Dependent on Hardware Resources
Entry Caching
Optimizing Searches
Optimizing Searches for Large Group Entries
Optimizing Searches for Skewed Attributes
Setting the Time Limit Mode
Setting the Time Limit Mode by Using Oracle Directory Manager
Setting the Time Limit Mode by Using ldapmodify
Setting the Timeout for Client/Server Connections
Setting the Timeout for Client/Server Connections by Using Oracle Directory Manager
Performance Troubleshooting

22 Garbage Collection in Oracle Internet Directory

About the Oracle Internet Directory Garbage Collection Framework
Components of the Oracle Internet Directory Garbage Collection Framework
How Oracle Internet Directory Garbage Collection Works
Garbage Collector Entries
Change Log Purging in Multimaster Replication
Modifying Oracle Internet Directory Garbage Collectors
Modifying a Garbage Collector by Using Oracle Directory Manager
Modifying a Garbage Collector by Using Command-Line Tools
Enabling and Disabling Logging for Oracle Internet Directory Garbage Collectors
Enabling Logging for Oracle Internet Directory Garbage Collectors
Disabling Logging for Oracle Internet Directory Garbage Collectors

23 Migration of Data from Other Directories

Migrating Data from LDAP-Compliant Directories
About the Data Migration Process
Tasks For Migrating Data from LDAP-Compliant Directories
Migrating User Data from Application-Specific Repositories
The Intermediate Template File
Reconciling Data in Application Repository with Data Already in Oracle Internet Directory
Tasks For Migrating Data from Application-Specific Repositories
Migrating an Existing Directory into the Default Directory Structure
The Default Directory Structure
Changing the Location of Users or Groups in the Oracle Context of the Default Identity Management Realm

Part V Directory Replication and High Availability

24 Directory Replication Concepts

About Directory Replication
Full and Partial Directory Replication
Full Directory Replication
Partial Directory Replication
Directory Replication Groups
Data Transfer Between Nodes in a Directory Replication Group
Single-Master Replication Groups
Multimaster Replication Groups
Fan-Out Replication Groups
Types of Directory Replication Compared
Multimaster Replication with Fan-Out
Included and Excluded Naming Contexts
Replication Agreements
Multimaster Replication Agreements
Single-Master Replication Agreements
Replication Configuration Objects in the Directory
The Replication Configuration Container
The Replica Subentry
The Replication Agreement Entry
The Replication Naming Context Container Entry
Examples of Replication Configuration Objects in the Directory
Replication Security
Authentication and the Directory Replication Server
Secure Sockets Layer (SSL) and Oracle Internet Directory Replication
Change Logs in Directory Replication
Multimaster Replication
Oracle9i Advanced Replication
Architecture for Multimaster Replication
Conflict Resolution in Multimaster Replication
The Multimaster Replication Process
Fan-Out and Partial Replication
Rules for Partial Replication Filtering
Rules for Managing Naming Contexts and Attributes
Optimization of Partial Replication for Better Performance

25 Oracle Directory Replication Administration

Installing and Configuring Multimaster Replication
Installing and Configuring a Multimaster Replication Group
Adding a Node to a Multimaster Replication Group
Deleting a Node from a Multimaster Replication Group
Resolving Conflicts Manually in a Multimaster Replication Group
Installing and Configuring LDAP-Based Replication
Rules for Configuring LDAP-Based Replication
Installing an LDAP-Based Replica
Configuring an LDAP-Based Replica
Deleting an LDAP-Based Replica
Determining What Is to Be Replicated in LDAP-Based Partial Replication
Managing Replication
Viewing and Modifying Directory Replication Server Configuration Parameters
Viewing and Modifying Parameters for Particular Replica Nodes
Modifying Parameters for Replication Agreements
Changing the Replication Administrator's Password on All Nodes
Managing the Change Log
Modifying the Speed of Directory Replication
Example: Installing and Configuring a Multimaster Replication Group with Fan-Out

26 High Availability And Failover Considerations

About High Availability and Failover for Oracle Internet Directory
Oracle Internet Directory and the Oracle Technology Stack
Failover Options on Clients
Alternate Server List from User Input
Alternate Server List from the Oracle Internet Directory Server
Failover Options in the Public Network Infrastructure
Hardware-Based Connection Redirection
Software-Based Connection Redirection
High Availability and Failover Capabilities in Oracle Internet Directory
Failover Options in the Private Network Infrastructure
IP Address Takeover (IPAT)
Redundant Links
High Availability Deployment Examples

27 Rack-Mounted Directory Server Configurations

About Rack-Mounted Directory Server Configurations
Architecture of the Rack-Mounted Directory Server Configuration
Load Balancing for High Availability
Metadata Synchronization in a Rack-Mounted Directory Server Environment
How Failover Works in a Rack-Mounted Directory Server Environment
Rules for Managing a Rack-Mounted Directory Server Environment
Installation of a Rack-Mounted Directory Server

28 Cold Failover Cluster Configuration

About the Cold Failover Cluster Configuration
The Simple Cold Failover Configuration
How to Ensure that Oracle Internet Directory Runs on the Virtual Host
The Simple Cold Failover Process
The Cold Failover Cluster Configuration in Conjunction with Oracle Internet Directory Replication
The Cold Failover Process in Conjunction with Oracle Directory Replication

29 The Directory in an Oracle9i Real Application Clusters Environment

Terminology
The Oracle Directory Server in an Oracle9i Real Application Clusters Environment
Oracle Directory Server Connection Modes to Real Application Clusters Database Instances
Load_balance
Connect-Time Failover (CTF)
Transparent Application Failover (TAF)
Configuring the tnsnames.ora File for the Failover
Oracle Directory Replication Between Oracle Internet Directory Real Application Clusters Nodes
About Changing the ODS Password on a Real Application Clusters Node

Volume 2

Part VI Delegation and Self-Service Administration in Oracle Internet Directory

30 Oracle Delegated Administration Services

About Oracle Delegated Administration Services
Delegation of Directory Data Administration
How Oracle Delegated Administration Services Works
How Oracle Delegated Administration Services Provides Secure Access to the Directory
Installing and Configuring Oracle Delegated Administration Services
Location of Log Files for Components in the Oracle Delegated Administration Services Environment
Task 1: Install Oracle Delegated Administration Services
Task 2: Verify that Oracle Delegated Administration Services Is Running
Task 3: Configure the Default Identity Management Realm
Task 4: Configure User Entries
Task 5: Enable Debugging of Oracle Delegated Administration Services
Starting and Stopping Oracle Delegated Administration Services
Starting and Stopping Oracle Delegated Administration Services by Using the Command Line
Starting, Stopping, and Restarting Oracle Delegated Administration Services by Using Oracle Enterprise Manager
Creating Applications by Using Oracle Delegated Administration Services
Oracle Delegated Administration Services for User Entries
Oracle Delegated Administration Services for Group Entries
Configuring Oracle Delegated Administration Services in an Existing Oracle Home
Configuring Oracle Delegated Administration Services in a New Oracle Home
Performing a Standalone Oracle Delegated Administration Services Installation
Manually Deploying Oracle Delegated Administration Services in a New Oracle Home
Configuring Oracle Delegated Administration Services with Load Balancers in a Different DNS Domain

31 Oracle Internet Directory Self-Service Console

Delegated Administration Through the Oracle Internet Directory Self-Service Console
About Delegated Administration
About the Oracle Internet Directory Self-Service Console
Using the Oracle Internet Directory Self-Service Console
Getting Started with the Oracle Internet Directory Self-Service Console
Searching for Entries by Using Oracle Internet Directory Self-Service Console
Performing the Tasks of an End User
Performing the Tasks of an Administrator

Part VII Oracle Directory Integration and Provisioning Platform

32 Oracle Directory Integration and Provisioning Platform Concepts and Components

About the Oracle Directory Integration and Provisioning Platform
Synchronization, Provisioning, and the Difference Between Them
Synchronization
Provisioning
How Synchronization and Provisioning Differ
Oracle Directory Synchronization Service
Oracle Directory Provisioning Integration Service
Oracle Directory Integration and Provisioning Server
Directory Integration Toolkit
Administration and Monitoring Tools
Oracle Directory Manager
OID Control and OID Monitor
Directory Integration and Provisioning Assistant
Oracle Enterprise Manager
Example: A Deployment of the Oracle Directory Integration and Provisioning Platform
Components in the MyCompany Enterprise
Requirements of the MyCompany Enterprise
Overall Deployment in the MyCompany Enterprise
User Creation and Provisioning in the MyCompany Enterprise
Modification of User Properties in the MyCompany Enterprise
Deletion of Users in the MyCompany Enterprise

33 Oracle Directory Synchronization Service

About Connectors and Directory Integration Profiles
Connectors for Directory Synchronization
Synchronization Scenarios
Directory Synchronization Profiles
Registration of Connectors into the Oracle Directory Integration and Provisioning Platform
Format of the Mapping Rules Attribute
Location and Naming of Files
Managing Synchronization Profiles
Managing Synchronization Profiles by Using Oracle Directory Manager
Managing Synchronization Profiles by Using Command-Line Tools
Troubleshooting Synchronization in the Oracle Directory Integration and Provisioning Platform

34 Oracle Directory Provisioning Integration Service

About the Oracle Directory Provisioning Integration Service
About Provisioning
How the Oracle Directory Provisioning Integration Service Retrieves Changes from Oracle Internet Directory
How an Application Registers with the Oracle Directory Provisioning Integration Service
How an Application Receives Provisioning Information from Oracle Internet Directory
How Oracle Internet Directory Receives Provisioning Information from an Application
How an Application Unsubscribes from the Oracle Directory Provisioning Integration Service
Managing the Oracle Directory Provisioning Integration Service Environment
Overview: Deploying the Oracle Directory Provisioning Integration Service
Managing the Oracle Directory Provisioning Integration Service
Security and the Oracle Directory Provisioning Integration Service
The Need to Control Access to Provisioning Profiles
Entities Needing Access
Entry-Level Privileges Granted to Entities
Attribute-Level Privileges Granted to Entities
Troubleshooting the Oracle Directory Provisioning Integration Service

35 Oracle Directory Integration and Provisioning Server Administration

About the Oracle Directory Integration and Provisioning Server
Operational Information about the Oracle Directory Integration and Provisioning Server
The Oracle Directory Integration and Provisioning Server and Configuration Set Entries
Standard Sequences of Directory Integration and Provisioning Server Events
Managing the Oracle Directory Integration and Provisioning Server
Viewing Oracle Directory Integration and Provisioning Server Information
Managing Configuration Set Entries Used by the Oracle Directory Integration and Provisioning Server
Managing the SSL Certificates of Oracle Internet Directory and Connected Directories
Starting, Stopping, and Restarting the Oracle Directory Integration and Provisioning Server
Starting and Stopping the Oracle Directory Integration and Provisioning Server in a High Availability Scenario
Setting the Debug Level for the Oracle Directory Integration and Provisioning Server
Managing the Oracle Directory Integration and Provisioning Platform in a Replicated Environment
Finding the Log Files
Manually Registering the Oracle Directory Integration and Provisioning Server
Manually Registering the Oracle Directory Integration and Provisioning Server by Using the Oracle Directory Integration and Provisioning Server Registration Tool
Manually Registering the Oracle Directory Integration and Provisioning Server by Using Oracle Enterprise Manager Application Server Control
Troubleshooting the Oracle Directory Integration and Provisioning Server
Troubleshooting the Oracle Directory Integration and Provisioning Server in an Infrastructure Installation
Troubleshooting the Oracle Directory Integration and Provisioning Server in an Oracle Directory Integration and Provisioning Platform-Only Installation

36 Security in the Oracle Directory Integration and Provisioning Platform

Authentication in the Oracle Directory Integration and Provisioning Platform
Secure Sockets Layer (SSL) and the Oracle Directory Integration and Provisioning Platform
Oracle Directory Integration and Provisioning Server Authentication
Profile Authentication
Access Control and Authorization and the Oracle Directory Integration and Provisioning Platform
Access Controls for the Oracle Directory Integration and Provisioning Server
Access Controls for Agents
Data Integrity and the Oracle Directory Integration and Provisioning Platform
Data Privacy and the Oracle Directory Integration and Provisioning Platform
Tools Security and the Oracle Directory Integration and Provisioning Platform

37 Bootstrapping of a Directory in the Oracle Directory Integration and Provisioning Platform

About Directory Bootstrapping in the Oracle Directory Integration and Provisioning Platform
Bootstrapping by Using a Parameter File
Bootstrapping Without Using an LDIF File
Bootstrapping by Using an LDIF File
Bootstrapping Directly by Using the Default Integration Profile

38 Synchronization with Relational Database Tables

Overview: Synchronizing Oracle Internet Directory with Relational Database Tables
Managing Synchronization Between Oracle Internet Directory and a Relational Database
Task 1: Prepare the Additional Configuration Information File
Task 2: Prepare the Mapping File
Task 3: Prepare the Directory Integration Profile
Example: Synchronizing a Relational Database Table to Oracle Internet Directory

39 Synchronization with Oracle Human Resources

Introduction to Synchronization with Oracle Human Resources
Data that You Can Import from Oracle Human Resources
Managing Synchronization Between Oracle Human Resources and Oracle Internet Directory
Task 1: Configure a Directory Integration Profile for the Oracle Human Resources Connector
Task 2: Configure the List of Attributes to Be Synchronized with Oracle Internet Directory
Task 3: Configure Mapping Rules for the Oracle Human Resources Connector
Task 4: Prepare for Synchronization from Oracle Human Resources to Oracle Internet Directory
The Synchronization Process
Bootstrapping Oracle Internet Directory from Oracle Human Resources

40 Integration of Provisioning Data with the Oracle E-Business Suite

41 Considerations for Integrating with Third-Party Directories

General Considerations for Integrating with a Third-Party Directory
Configuring Simple Synchronization with a Third-Party Directory
Configuring Complete Integration with the Oracle Application Server Infrastructure
Choose Which Directory Is to Be the Central Enterprise Directory
Oracle Internet Directory as the Central Enterprise Directory
Third-Party Directory as the Central Directory
Choose Where to Store Passwords
Advantages and Disadvantages of Storing the Password in One Directory
Advantages and Disadvantages of Storing the Password in Both Directories
Choose the Structure of the Directory Information Tree
Create Identical DIT Structures on Both Directories
Domain-Level Mapping and Limitations
Select the loginID Attribute
Select the User Search Base
Select the Group Search Base
Decide How to Address Security Concerns
Configuring Synchronization with a Third-Party Directory: Step by Step Guide
Limitations of Third-Party Integration in Oracle Internet Directory 10g (9.0.4)

42 Integration with SunONE (iPlanet) Directory Server

About the SunONE Connector
SunONE Directory Server Integration Concepts
Synchronization Between Oracle Internet Directory and SunONE Directory Server
The SunONE Directory Server External Authentication Plug-in
Configuring the SunONE Connector
Task 1: Configure the Integration Profile for the SunONE Connector
Task 2: Configure Access Control Lists
Task 3: Prepare Both Directories for Synchronization
Task 4: (Optional) Configure the SunONE Directory Server External Authentication Plug-in
Task 5: Start the Synchronization
The Synchronization Process
Troubleshooting Synchronization with the SunONE Directory Server
Location of Error Message File
How to Debug the SunONE Connector
Supported Configurations for Integrating with SunONE Directory Server

43 Integration with the Microsoft Windows Environment

Overview of Integration with the Microsoft Windows Environments
Components for Integrating with the Microsoft Windows Environment
Methods for Tracking Changes in Microsoft Active Directory
Configuration Information Set During Installation of the Active Directory Connector
Information Required During Setup
Information Required in a Multiple-Domain Microsoft Active Directory Environment
Directory Information Tree Setup for Integration with Microsoft Active Directory
Tools for Configuring the Active Directory Connector
High-Level Configuration Requirements
Deployments with Oracle Internet Directory as the Central Directory
Deployments with Microsoft Active Directory as the Central Directory
Planning the Integration with Microsoft Active Directory
Configuring the Active Directory Connector
Summary of Active Directory Connector Configuration Scenarios
About Scenario Examples
About the Information You Must Add to the Active Directory Connector
About the adprofilecfg.sh Tool
Tasks Common to Various Scenarios
Synchronization Between a Single-Domain Microsoft Active Directory and Oracle Internet Directory
Synchronization Between a Multiple-Domain Microsoft Active Directory and Oracle Internet Directory
Configuring The Active Directory External Authentication Plug-in
Installing Active Directory External Authentication Plug-ins
Enabling the Active Directory External Authentication Plug-ins
Customizing the Active Directory Connector
Creating and Customizing a Synchronization Profile
Customizing Mapping Rules
Customizing the Search Filter to Get Information from Microsoft Active Directory
Running the Active Directory Connector in SSL Mode
Synchronizing Passwords
Customizing ACLs
Customizing the LDAP Schema
Migrating Data Between Directories
Managing Integration with Microsoft Windows
Typical Management Tasks
Managing the Active Directory External Authentication Plug-in
Integration with Microsoft Windows NT 4.0
Installing and Configuring Windows NT External Authentication and Auto-Provisioning Plug-ins
Troubleshooting Integration with Microsoft Windows
Troubleshooting Synchronization with Active Directory Connector
Debugging the Microsoft Active Directory External Authentication Plug-in
Sample LDIF Files Required for Integration with Microsoft Windows
grantrole.ldif
multidomaindit.ldif
renameprofile.ldif

44 Synchronization with Third-Party Metadirectory Solutions

About Change Logs
Enabling Third-Party Metadirectory Solutions to Synchronize with Oracle Internet Directory
Task 1: Perform Initial Bootstrapping
Task 2: Create a Change Subscription Object in Oracle Internet Directory for the Third-Party Metadirectory Solution
The Synchronization Process
How a Connected Directory Retrieves Changes the First Time from Oracle Internet Directory
How a Connected Directory Updates the orclLastAppliedChangeNumber Attribute in Oracle Internet Directory
Disabling and Deleting Change Subscription Objects
Disabling a Change Subscription Object
Deleting a Change Subscription Object

Part VIII Directory Plug-ins

45 Oracle Internet Directory Plug-in Framework

About Directory Server Plug-ins
Registering and Managing Plug-ins
Registering and Managing Plug-ins by Using Oracle Directory Manager
Registering and Managing Plug-ins by Using Command-Line Tools

46 Oracle Internet Directory Plug-In for Password Policies

How the Password Policy Plug-in Works
Example: Installing, Configuring, and Enabling a Customized Password Policy Plug-in
Loading and Registering the PL/SQL Program
Coding the Password Policy Plug-in
Debugging the Password Policy Plug-in
Contents of Sample PL/SQL Package pluginpkg.sql

47 Setting Up the Customized External Authentication Plug-in

Native Authentication Contrasted with External Authentication
Example: Installing, Configuring, and Enabling the External Authentication Plug-in
Sample PL/SQL Package oidexaup.sql
Debugging the External Authentication Plug-in
Contents of PL/SQL Package oidexaup.sql

Part IX Appendixes

A Syntax for LDIF and Command-Line Tools

LDAP Data Interchange Format (LDIF) Syntax
Starting, Stopping, Restarting, and Monitoring Oracle Internet Directory Servers
The OID Monitor (oidmon) Syntax
The OID Control Utility (oidctl) Syntax
Entry and Attribute Management Command-Line Tools Syntax
The Catalog Management Tool (catalog.sh) Syntax
ldapadd Syntax
ldapaddmt Syntax
ldapbind Syntax
ldapcompare Syntax
ldapdelete Syntax
ldapmoddn Syntax
ldapmodify Syntax
ldapmodifymt Syntax
ldapsearch Syntax
Bulk Operations Command-Line Tools Syntax
bulkdelete Syntax
bulkload Syntax
bulkmodify Syntax
ldifwrite Syntax
Replication-Management Command-Line Tools Syntax
Replication Conflict Resolution Command-Line Tools
The Replication Environment Management Tool
Oracle Directory Integration and Provisioning Platform Command-Line Tools Syntax
The Directory Integration and Provisioning Assistant
The ldapUploadAgentFile.sh Tool Syntax
The ldapCreateConn.sh Tool Syntax
The ldapDeleteConn.sh Tool Syntax
The StopOdiServer.sh Tool Syntax
The schemasync Tool Syntax
The Oracle Directory Integration and Provisioning Server Registration Tool (odisrvreg)
The Provisioning Subscription Tool (oidprovtool) Syntax
OID Database Password Utility (oidpasswd) Syntax
Changing the Password to the Oracle Internet Directory Database
Creating Wallets for the Oracle Internet Directory Database Password and the Oracle Directory Replication Server Password
Unlocking a Super User Account
OID Database Statistics Collection Tool (oidstats.sh) Syntax
The OID Migration Tool (ldifmigrator) Syntax
Examples: Using the OID Migration Tool
OID Migration Tool Error Messages

B Oracle Internet Directory Schema Elements

IETF Requests for Comments (RFCs) Enforced by Oracle Internet Directory
IETF Drafts Enforced by Oracle Internet Directory
Proprietary Schema Elements of Oracle Internet Directory
Access Control Schema Elements
Audit Log Schema Elements
Attribute Uniqueness Schema Elements
Configuration Set Entry Schema Elements
Debug Logging Schema Elements
Dynamic Groups Schema Elements
Garbage Collection Schema Elements
Optional Attributes of the orclUserV2 Object Class
Oracle Directory Integration and Provisioning Platform Schema Elements
Oracle Internet Directory Configuration Schema Elements
Oracle Internet Directory Server Manageability Schema Elements
Password Policy Schema Elements
Password Verifier Schema Elements
Plug-in Schema Elements
Resource Information Schema Elements
Replication Schema Elements
SSL Schema Elements
System Operational Attributes
LDAP Syntax
LDAP Syntax Enforced by Oracle Internet Directory
Commonly Used LDAP Syntax Recognized by Oracle Internet Directory
Additional LDAP Syntax Recognized by Oracle Internet Directory
Size of Attribute Values
Matching Rules
Schema to Represent a User

C Elements in Oracle Internet Directory Graphical User Interfaces

Fields in Oracle Directory Manager
Access Control Management Fields in Oracle Directory Manager
Attribute Uniqueness Fields in Oracle Directory Manager
Garbage Collection Management Fields in Oracle Directory Manager
Password Policy Fields in Oracle Directory Manager
Password Verifier Fields in Oracle Directory Manager
Plug-in Management Fields in Oracle Directory Manager
Replication Fields in Oracle Directory Manager
Schema Management Fields in Oracle Directory Manager
Server Management Fields in Oracle Directory Manager
SSL Management Fields in Oracle Directory Manager
Synchronization Fields in Oracle Directory Manager
Fields in Oracle Internet Directory Self-Service Console
User Management Fields in the Oracle Internet Directory Self-Service Console
Identity Management Realm Fields in the Oracle Internet Directory Self-Service Console
Resource Access Information Fields in the Oracle Internet Directory Self-Service Console

D The LDAP Filter Definition

E The Access Control Directive Format

Schema for orclACI
Schema for orclEntryLevelACI

F Addition of a Directory Node by Using the Database Copy Procedure

Assumptions
Sponsor Directory Site Environment
New Directory Site Environment
Tasks To Be Performed on the Sponsor Node
Tasks To Be Performed on the New Node
Verification Process

G Globalization Support in the Directory

The NLS_LANG Environment Variable
Using Non-UTF-8 Databases
Using Globalization Support with LDIF Files
An LDIF File Containing Only ASCII Strings
An LDIF File Containing UTF-8 Encoded Strings
Using Globalization Support with Command-Line Tools
Specifying the -E Argument When Using Each Tool
Examples: Using the -E Argument with Command-Line Tools
Setting NLS_LANG in the Client Environment
Using Globalization Support with Bulk Tools
Using Globalization Support with bulkload
Using Globalization Support with ldifwrite
Using Globalization Support with bulkdelete
Using Globalization Support with bulkmodify

H Setting up Access Controls for Creation and Search Bases for Users and Groups

Setting up Access Controls for the User Search Base and the User Creation Base
Setting up Access Controls for the Group Search Base and the Group Creation Base

I Troubleshooting

Installation Errors
Administration Error Messages and Causes
Oracle Database Server Error Due to Schema Modifications
Standard Error Messages Returned from Oracle Directory Server
Additional Error Messages
Password Policy Violation Error Messages
Password Policy Controls

Glossary

Index


Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.