Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2)
Part No. B14082-01

C Windows and Fields in Oracle Directory Manager

This appendix lists and describes the various windows and fields in Oracle Directory Manager. It contains these topics:

C.1 Connection Management Fields in Oracle Directory Manager

Table C-1 Fields in the Credentials Tab Page

Field Description
User The first time you log in, do so either as the super user or anonymously. If you intend to configure SSL features during this session, log in as the super user.

If you are logging in as the super user, in the User box, type cn=orcladmin.

If you are logging in anonymously, leave the User box empty.

If you have already set up the user's entry by using LDAP command-line tools, you can enter that user's entry in one of two ways:

  • Browse and select that entry by using the button to the right of the User field

  • Type the distinguished name (DN) for that user entry by using the correct format, for example,

    cn=Susie Brown,ou=HR,o=acme,c=us
    
Password If you are logging in as the super user and you specified a password for the super user during installation, in the Password field, type the password you specified. Otherwise, type the default password, namely, welcome. After you are logged into Oracle Directory Manager and have connected to a directory server, you should change this password to protect the directory.

If you are logging in anonymously, leave the Password field empty.

If you want to log in as a specific directory user, enter the corresponding password.

See Also: "Managing Super Users, Guest Users, and Proxy Users" for instructions on how to change the password

Server From the Server list, select the host containing the directory server to which you want to connect.

If you are already connected to a directory server, and you want to connect to one on a different host:

  1. Click the button to the right of the Server list. The Select Directory Servers dialog box displays a list of available servers.

  2. Select a server.

  3. Choose OK.

To add a directory server to the list:

  1. In the Select Directory Servers dialog box, choose Add. The Directory Server Connection dialog box appears.

  2. In the Server field, type the name of the directory server you want to add.

  3. In the Port field, type the port number for the server you want to add.

  4. Choose OK. The added directory appears in the list in the Select Directory Server dialog box.

To modify a directory server on the list:

  1. Select the directory server you want to modify.

  2. Choose Edit. The Directory Server Connection dialog box appears.

  3. Modify the Server and Port fields, then choose OK. The modifications for that server appear in the list in the Select Directory Server dialog box.

Port The default port (389) appears in this field. If there is more than one directory server instance on the same host, then each directory server instance has a different port, and, when you select the directory server instance, that port number appears in this field.

To change this port number:

  1. Choose the button to the right of the Server field.

  2. In the Select Directory Server dialog box, select the directory server.

  3. Choose Edit. The Directory Server Connection dialog box appears.

  4. In the Directory Server Connection dialog box, in the Port field, enter the new port number, then choose OK.

SSL Enabled Selecting this check box causes all commands you issue by using Oracle Directory Manager to be sent over Secure Sockets Layer (SSL).

You can connect to a directory server either with or without SSL. If you connect by using SSL, then Oracle Directory Manager becomes an SSL client.

You can connect in this way if both of the following two conditions are met:

  • The server to which you are connecting uses SSL. If that server does not use SSL, and you select this check box, then authentication fails.

  • You have already created a wallet containing a certificate and a list of trusted certificates.


Table C-2 Fields in the SSL Tab Page

Field Description
SSL Location The client wallet used in two-way authentication. If the client wallet is on the local machine, then type the wallet path and file name by using this syntax:

file: absolute_path_name

If the wallet is on another machine, then link to that location and enter the linked path and file name of the wallet.

SSL Password The password to open the user's wallet
SSL Authentication Select the authentication level:
  • No SSL Authentication—Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. If you selected the SSL Enabled check box on the Credentials tab, and choose this option, then only SSL encryption/decryption will be used.

  • SSL Client and Server Authentication—Two-way authentication. Both client and server send certificates to each other.

  • SSL Server Authentication—One-way authentication. Only the directory server authenticates itself to the client by sending its certificate to the client.


C.2 Access Control Management Fields in Oracle Directory Manager

Table C-3 Fields in the Access Control Management Pane

Field Description
Path to the Subtree Control Point Contains the path defined by the ACP.
Subtree Control Point Contains the ACP

Table C-4 lists and describes the authentication choices—that is, the methods by which users can be authenticated to the directory.

Table C-4 Fields in Authentication Choice List

Authentication Choice Description
MD5Digest Binding by using MD5Digest blocks Simple, Proxy and Anonymous access.
PKCS12 Binding by using PKCS12 blocks MD5Digest, Simple, Proxy and Anonymous access.
Proxy Binding as a proxy user. Specifying this authentication option blocks anonymous access.
Simple Password-based authentication. Specifying this option blocks both Proxy and Anonymous access.

Table C-5 lists and describes the encryption choices—that is, the method by which data is encrypted.

Table C-5 Fields in Encryption Choice List

Authentication Choice Description
SASL Simple Authentication and Security Layer
SSL No Authentication Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. In this case, SSL encryption/decryption only is used.
SSL One Way Only the directory server authenticates itself to the client. The directory server sends the client a certificate verifying that the server is authentic.


See Also:

Bind Mode

Table C-6 Entities to Whom You Are Granting Access in the By Whom Tab Page

Entity Description
Everyone (*) All who try to access the entry
A Specific Group A previously defined group name
A Specific Entry A previously defined directory entry
A Subtree An entire subtree in the directory, which you select
When Session User's Distinguished Name (DN) Is Identified By Attribute Anyone whose DN is an attribute in the entry. For example, you might want to grant read access to a group entry to members of the group.
When Session User's Group Is Identified By Attribute Any group whose DN is an attribute in the entry.
When Session User's Unique ID (orclGUID) Is Identified by Attribute The global user identifier (orclGUID) of the entry to which you want to grant or deny access for this entry
When Session User's Distinguished Name (DN) Matches the Accessed Entry Anyone who has correctly logged in as the entry specified

Table C-7 Access Rights for Attributes

Access Right Description
Read Right to read attribute values. Even if read permission is available for an attribute, it cannot be returned unless there is browse permission on the entry itself.
Search Right to use an attribute in a search filter
Write Right to modify/add/delete the attributes of an entry.
Selfwrite Right to add oneself to, delete oneself from, or modify one's own entry in a list of DNs group entry attribute. Use this to allow members to maintain themselves on lists. For example, the following command allows people within a group to add or remove only their own DN from the member attribute:
access to attr=(member) by dnattr=(member) (selfwrite)

The dnattr selector indicates that the access applies to entities listed in the member attribute. The selfwrite access selector indicates that such members can add or delete only their own DN from the attribute.

Compare Right to perform compare operation on the attribute value
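
The selfwrite rule quoted in Table C-7 can be checked against sample modifications. The following Python model is an added example, not Oracle code: the function names, the reason codes and the simplified DN normalisation are assumptions, and every sample DN other than the guide's cn=Susie Brown entry is constructed.

```python
def norm_dn(dn):
    """Simplified DN normalisation: case-fold and trim space around ',' and '='.
    Assumption: no escaped commas or multi-valued RDNs (not a full RFC 4514 parser)."""
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts.append(key.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(parts)


def selfwrite_decision(entry, bind_dn, changes, attr="member", dnattr="member"):
    """Model of: access to attr=(member) by dnattr=(member) (selfwrite).

    entry   -- dict of attribute name -> list of values (the group entry)
    changes -- list of (operation, attribute, value) tuples from one modify request
    Returns (allowed, reason_code).
    """
    me = norm_dn(bind_dn)
    listed = {norm_dn(v) for v in entry.get(dnattr, [])}
    # dnattr: the rule applies only to entities listed in the named attribute.
    if me not in listed:
        return (False, "not-listed")
    for op, target_attr, value in changes:
        # The rule covers only the attribute named in attr=(...).
        if target_attr.lower() != attr.lower():
            return (False, "wrong-attribute")
        # A replace would rewrite other members' values, so only add/delete pass.
        if op not in ("add", "delete"):
            return (False, "not-add-or-delete")
        # selfwrite: the only value a member may touch is their own DN.
        if norm_dn(value) != me:
            return (False, "not-own-dn")
    return (True, "allowed")


# Constructed group entry; the second member is invented for the example.
GROUP = {
    "cn": ["hr-staff"],
    "member": [
        "cn=Susie Brown,ou=HR,o=acme,c=us",
        "cn=Joe Doe, ou=HR, o=acme, c=us",
    ],
}
SUSIE = "CN=susie brown , OU=hr,O=Acme,C=US"   # same DN, different case and spacing
JOE = "cn=Joe Doe,ou=HR,o=acme,c=us"
OUTSIDER = "cn=Eve Roe,ou=Sales,o=acme,c=us"

if __name__ == "__main__":
    cases = [
        ("self delete", SUSIE, [("delete", "member", SUSIE)]),
        ("delete other", SUSIE, [("delete", "member", JOE)]),
        ("replace list", SUSIE, [("replace", "member", SUSIE)]),
        ("outsider add", OUTSIDER, [("add", "member", OUTSIDER)]),
        ("other attr", SUSIE, [("add", "owner", SUSIE)]),
    ]
    for label, who, changes in cases:
        print(label, selfwrite_decision(GROUP, who, changes))
```

Comparing DNs as raw strings instead of normalised forms would deny the first case, which is why the model normalises before matching.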

C.3 Attribute Uniqueness Fields in Oracle Directory Manager

Table C-8 Fields in the New Constraint Dialog Box

Field Description
Attribute Uniqueness Constraint Name Name of the attribute uniqueness constraint you are creating
Unique Attribute Name The attribute you want the directory server to check
Unique Attribute Object Class The object class where the attribute uniqueness constraint is enforced—for example, person. By default, it is enforced on all object classes.
Unique Attribute Scope The filter you want the directory server to use when searching for an attribute constraint. For example:
  • base—Searches the root entry only

  • onelevel—Searches one level only

  • sub—Searches the entire directory

Unique Attribute Subtree The subtree where the attribute uniqueness constraint is enforced. By default, it is enforced from the root directory.

C.4 Garbage Collection Management Fields in Oracle Directory Manager

Table C-9 Fields in the Garbage Collector Window

Field Description
Garbage Collector Name You cannot modify this field.
Purge Base The base DN of the naming context to which the garbage collection task is to be applied. You cannot modify this field.
Purge Debug Indicator of whether to enable or disable debug logging for this garbage collector
Purge Enable Status Enable or disable this garbage collector. The default is Enable.
Purge File Location Absolute path name of the directory in which the log file is located
Purge File Name Name of the log file
Purge Interval The interval, in hours, after which the Garbage Collection job is executed again. For example, if you set this value to 12, then garbage collection occurs every 12 hours. This attribute is optional. The default value is 24.
Purge Now Entering any value in this field means that, when you choose Apply, the garbage collection begins immediately. At that point, the value in this field automatically reverts to null.
Purge Start Time, in seconds, when the Garbage collector runs for the first time. The format is YYYYMMDDHH24MISS. This attribute is optional. The default value is 0, which means that the garbage collector is enabled immediately.
Purge Target Age Age, in hours, of the target objects. Objects older than the age specified in this attribute are purged at midnight. This attribute is optional. The default value is 12.
Purge Transaction Size Number of objects to be purged in one committed transaction. This attribute is optional. The default value is 1000.

C.5 Password Policy Fields in Oracle Directory Manager

Table C-10 Fields in the Password Policies General Tab Page

Field Description
Enable OID Password Policy To disable the default Oracle Internet Directory password policy, select Disable. The default is Enable.
Need to Supply Old Password When Modifying Password Specify whether user must supply old password with new one when modifying password. By default, the old password is not required.
Number of Grace Logins after Password Expiration Maximum number of grace logins allowed after a password expires. By default, no grace logins are allowed. The default value is 3.
Reset password upon next login Indicator of whether users must change their passwords after the first login, or after the password is reset by the administrator. Enabling this option requires users to change their passwords even if user-defined passwords are disabled. By default, users need not change their passwords after reset.
Password Expiration Warning Enter the number of seconds in which users must modify their passwords before those passwords expire.

The directory server sends a password expiration warning if these two conditions are met:

  • The attribute for the expiry time for a user's password is set

  • This attribute is also enabled

From that point, the user has a specified number of seconds in which to modify the password. If the user does not modify the password within the specified number of seconds, then the password expires and the user is locked out until the password is changed by the administrator.

For example, suppose that:

  • The Password Expiry Time is set to 7200—that is, your password expires after 2 hours

  • The Password Expiration Warning is set to 3600—that is, 1 hour

In this example, if you bind during the last hour, then you receive a warning that your password is about to expire. If you do not modify your password during that time, then your password expires and you are locked out of your account until the administrator changes your password.

For this feature to work, the client application must support it.

The default is 0, which means no warnings are sent.

Password Expiry Time Enter the number of seconds that a given password is valid. For example, if you set the value of this attribute to 7200, then the password expires in two hours from the time that you set it.

If this attribute is not present, or if the value is 0, then the password does not expire. By default, passwords expire in 60 days.

Password Policy Entry This field displays the RDN of the password policy entry. You cannot edit this field.
Path to Password Policy Entry This field displays the full DN of the password policy entry. You cannot edit this field.

Table C-11 Fields in the Password Policies Account Lockout Tab Page

Field Description
Global Lockout Duration Enter the number of seconds a user is locked out of the global directory if both of the following are true:
  • Global lockout is enabled

  • The user has been unable to bind successfully to the directory for at least the number of times specified by pwdMaxFailure

You can set user lockout for a specific duration, or until the administrator resets the user's password. The default value is 24 hours. A user account stays locked even after the lockout duration has passed unless the user binds with the correct password.

Password Failure Count Interval Enter the number of seconds after which the password failure times are purged from the user entry.
Password Maximum Failure Enter the number of consecutive failed bind attempts after which a user account is locked.
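
The expiration-warning example in Table C-10 and the lockout rules in Table C-11 can be traced bind by bind. The following Python model is an added example, not Oracle code: the class, field and outcome names are assumptions, the 7200/3600 values come from the guide's example, and the lockout values are constructed. It also assumes that the failed bind which reaches Password Maximum Failure is the one that locks the account, and that a grace login is consumed by each successful bind after expiry.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    """Assumed names for the Table C-10 / C-11 fields; all times in seconds."""
    expiry_time: int = 7200            # Password Expiry Time (0 = never expires)
    expire_warning: int = 3600         # Password Expiration Warning (0 = no warnings)
    grace_logins: int = 0              # Number of Grace Logins after Password Expiration
    max_failure: int = 3               # Password Maximum Failure (constructed value)
    failure_count_interval: int = 300  # Password Failure Count Interval (constructed)
    lockout_duration: int = 600        # Global Lockout Duration (constructed)


@dataclass
class Account:
    password_set_at: int = 0
    grace_used: int = 0
    failure_times: List[int] = field(default_factory=list)
    locked_at: Optional[int] = None


def bind(policy, acct, now, password_ok):
    """Return the outcome of one bind attempt at time `now`."""
    if acct.locked_at is not None:
        # Inside the lockout window no bind succeeds, even with the right password.
        if now - acct.locked_at < policy.lockout_duration:
            return "locked"
        # After the window the account stays locked until a correct bind arrives.
        if not password_ok:
            return "locked"
        acct.locked_at = None
        acct.failure_times.clear()

    # Failure times older than the count interval are purged from the entry.
    acct.failure_times = [t for t in acct.failure_times
                          if now - t < policy.failure_count_interval]
    if not password_ok:
        acct.failure_times.append(now)
        if policy.max_failure and len(acct.failure_times) >= policy.max_failure:
            acct.locked_at = now
            return "locked"
        return "invalid-credentials"
    acct.failure_times.clear()  # a success ends the run of consecutive failures

    if policy.expiry_time:
        age = now - acct.password_set_at
        if age >= policy.expiry_time:
            if acct.grace_used < policy.grace_logins:
                acct.grace_used += 1
                return "ok-grace"
            return "expired"
        remaining = policy.expiry_time - age
        if policy.expire_warning and remaining <= policy.expire_warning:
            return "ok-warning"
    return "ok"


def replay(policy, events):
    """Run (time, password_ok) events against a fresh account; return the outcomes."""
    acct = Account()
    return [bind(policy, acct, t, ok) for t, ok in events]


if __name__ == "__main__":
    # The guide's example: expiry 7200 s, warning 3600 s.
    print(replay(Policy(), [(1000, True), (4000, True), (7200, True)]))
    # Lockout: three failures, a correct bind inside the window, a wrong bind
    # after the window, then a correct bind that finally unlocks the account.
    no_expiry = Policy(expiry_time=0)
    print(replay(no_expiry, [(0, False), (10, False), (20, False),
                             (100, True), (700, False), (710, True)]))
```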

Table C-12 Fields in the Password Policies IP Lockout Tab Page

Field Description
IP Lockout Duration Specify the number of seconds you want to enforce account lockout for a specific IP address. A user account stays locked even after the lockout duration has passed unless the user binds with the correct password.
IP Lockout Maximum Failure Specify the maximum number of failed logins from a specific IP address after which the account is locked.

Table C-13 Fields in the Password Policies Password Syntax Tab Page

Field Description
Minimum Number of Characters of Password Specify the minimum number of characters required in a password.
Number of Numeric Characters in Password Specify the number of numeric characters required in a password.
Number of Password History Specify how many of a user's previous passwords the directory server is to store. If a user attempts to reuse one of the passwords the directory server has stored, then the password is rejected. The directory server does not maintain a password history by default.
Password Illegal Values Enter the common words and attribute types whose values cannot be used as a valid password. By default, all words are acceptable password values.

C.6 Password Verifier Fields in Oracle Directory Manager

Table C-14 Fields in the Password Verifier Profile Dialog Box

Field Description
Path to Password Verifier Entry The full DN of this password verifier entry. Use this to locate a particular password verifier entry. You cannot modify this field.
Password Verifier Entry RDN of this password verifier. You cannot modify this field.
Owner The DN of the administrator of the verifier entry. You can modify this field.
Application ID The unique identifier of the Oracle application. It is generated during application installation. You cannot modify this field.
Oracle Password Parameters Parameters containing information for generating this password verifier. Use this field to specify the hashing algorithm for this password verifier. The syntax is:
crypto:hashing_algorithm

For example, if you are using the ORCLLM hashing algorithm, then you would enter:

crypto:ORCLLM

If you are using SASL/MD5, for example, you can enter the following:

crypto:SASL/MD5 $ realm:dc=com

C.7 Plug-in Management Fields in Oracle Directory Manager

Table C-15 Fields in the New Plug-in Dialog Box

Field Description
Mandatory Properties Tab Page
Plug-in Enable Acceptable values are:
  • Disable (default)

  • Enable

This attribute is optional.

Plug-in Entry Name For example, cn=my_plugin. This field is mandatory.
Plug-in Replacement For WHEN timing plug-in only. Possible values are:
  • Disable (default)

  • Enable

This property can be enabled only if the Plug-in LDAP Operation property is ldapbind, ldapcompare, or ldapmodify.

This attribute is optional.

Plug-in Kind PL/SQL. This field is mandatory.
Plug-in LDAP Operation One of the following values:
  • ldapcompare

  • ldapmodify

  • ldapbind

  • ldapadd

  • ldapdelete

  • ldapsearch

This field is mandatory.

Plug-in Package Name This field is mandatory.
Plug-in Timing One of the following values:
  • pre--for plug-ins that the directory server calls before performing an LDAP operation

  • when--for plug-ins that the directory server calls in addition to standard processing of an LDAP operation

  • post--for plug-ins that the directory server calls after performing an LDAP operation

This attribute is optional.

Plug-in Type operational--Operation plug-ins augment existing LDAP operations. The work they perform depends on whether they execute before, after, or in addition to normal directory server operations.

This field is mandatory.

See Also: Chapter 30, "Oracle Internet Directory Plug-in Framework"

Optional Properties Tab Page
Plug-in Attribute List A list of semicolon-separated attribute names that controls whether the plug-in takes effect. If the target attribute is included in the list, then the plug-in is invoked.
Plug-in Entry Properties An LDAP search filter type. For example, if you specify orclPluginEntryProperties:(&(objectclass=inetorgperson)(sn=Cezanne)), then the plug-in will not be invoked if the target entry has objectclass equal to inetorgperson and sn equal to Cezanne.
Plug-in Request Group A group list that controls if the plug-in takes effect. You can use this group to specify who can actually invoke the plug-in.

For example, if you specify cn=security,cn=groups,dc=oracle,dc=com, then, when you register the plug-in, the plug-in will not be invoked unless the LDAP request comes from a member of the group cn=security,cn=groups,dc=oracle,dc=com.

Plug-in Result Code An integer value to specify the LDAP result code. If this value is specified, then the plug-in will be invoked only if the LDAP operation is in that result code scenario.

This is only for the POST plug-in type.

Plug-in Subscriber DN List A semicolon separated DN list that controls if the plug-in takes effect. For example:
orclPluginSubscriberDNList=dc=COM,c=us; dc=us,dc=oracle,dc=com;dc=org,dc=us;o=IMC,c=US

If the target DN of an LDAP operation is included in the list, then the plug-in is invoked.

Plug-in Version Supported plug-in version number. This attribute is optional.

C.8 Replication Fields in Oracle Directory Manager

Table C-16 Fields in the Replication Server Configuration Set: General Tab Page

Field Description
Change Retry Count Enter the number of attempts that the conflict resolution process tries to apply each update before giving up and logging the incident. The default is 10. You can modify this field.
Number of Threads Per Supplier Enter the number of worker threads the directory replication server provides for each supplier for change log processing. The default is 5. You can modify this field.

Table C-17 Fields in the ASR Agreement Tab Page

Field Description
Excluded Naming Contexts The root of a subtree to be excluded from replication.

This is a multivalued attribute. You can modify this field.

HIQ Schedule The interval, in minutes, at which the directory replication server repeats the change application process. You can modify this field.
Keep LDAP Connection Alive This attribute determines whether connections from the directory replication server to the directory server are kept active or established every time the changelog processing is done based on various schedules. You can modify this field.
Replica Agreement ID Naming attribute for the replication agreement entry.
Replica Agreement Protocol This attribute defines the replication protocol for change propagation to the replica.

Values:

  • ODS_ASR_1.0 (Advanced Replication-based replication)

  • ODS_LDAP_1.0 (LDAP-based replication)

Replication Group Nodes For Advanced Replication-based groups, enter the orclreplicaid values of all the nodes in this replication group. This list must be identical on all nodes in the group.

This attribute is not applicable to LDAP-based replication agreements.

Update Schedule Replication update interval for new changes and those being retried. The value is in minutes. You can modify this field.

Table C-18 Fields in the Replica Node: General Tab Page

Attribute Description
Replica ID Naming attribute for the replica subentry. Its value is unique to each directory server node that is initialized at installation. The value of this attribute, assigned during installation, is unique to each directory node, and matches that of the orclreplicaID attribute at the root DSE. You cannot modify this value.
Replica Secondary URI Contains the set of ldapURI format addresses that can be used if the orclReplicaURI values cannot be used.
Replica State Defines the state of the replica such as bootstrap, online, and so on. Possible values:
  • 0 (Boot Strapping)

  • 1 (On-line)

  • 2 (Off-line)

  • 3 (Bootstrap in progress)

  • 4 (Bootstrap in progress, cn=oraclecontext bootstrap has completed)

  • 5 (Bootstrap completed, failure detected for one or more naming contexts)

Replica Type Defines the type of replica such as read-only or read/write.

Possible values:

  • 0 (Read/Write)

  • 1 (Read-Only)

Replica URI Contains information in ldapURI format that can be used to open a connection to this replica
See Also DN of the infrastructure database used by Oracle Internet Directory. This field is not modifiable.

Table C-19 Columns in the Replica Agreements Tab Page

Column Description
Consumer Replica DN This attribute specifies the DN of the replica to identify a consumer in the replication agreement.

You can modify this field.

HIQ Schedule The interval, in minutes, at which the directory replication server repeats the change application process. You can modify this field.
Keep LDAP Connection Alive This attribute determines whether connections from the directory replication server to the directory server are kept active or established every time the changelog processing is done based on various schedules. You can modify this field.
Last Applied Change Number This attribute indicates the status of the consumer replica with respect to the supplier in an LDAP-based replication agreement. This attribute is not applicable for Advanced Replication-based agreements.
Replica Agreement ID Naming attribute for the replication agreement entry.
Replication Protocol This attribute defines the replication protocol for change propagation to the replica.

Values:

  • ODS_ASR_1.0 (Advanced Replication-based replication)

  • ODS_LDAP_1.0 (LDAP-based replication)

Update Schedule Replication update interval for new changes and those being retried. The value is in minutes. You can modify this field.

Table C-20 Fields in the Replica Naming Context Tab Page

Field Description
Excluded Attributes For partial replication only.

Within the included naming context, an attribute to be excluded from replication.

This is a multivalued attribute.

Excluded Naming Contexts The root of a subtree to be excluded from replication.

This is a multivalued attribute. You can modify this field.

For LDAP-based replication, from within the naming context specified in the orclincludednamingcontexts attribute, you can specify one or more subtrees in the LDAP naming context object so that they are excluded from partial replication.

For replication agreements based on Advanced Replication, you can specify one or more subtrees to be excluded from replication.

Included Naming Contexts The naming context included in a partial replica.

This is a single valued attribute. For each naming context object, you can specify only one unique subtree.

In partial replication, except for subtrees listed in the orclexcludednamingcontexts attribute, all subtrees in the specified included naming context are replicated.

Note: Only LDAP-based replication agreements respect this attribute to define one or more partial replicas. If this attribute contains any values in an Advanced Replication-based replication agreement, then it is ignored.

You can modify this attribute.


Table C-21 Fields in the Change Log Window

Field Description
Change Log Number The unique identifier of this change
Change Log Operation The type of operation that this change effected--for example, add, modify, delete, compare
Change Log Target DN The DN of the entry upon which this change was effected
Change Log Target DN Changes The changes made to the entry
Change Retry Count The number of attempts to apply this change to another node in a replicated environment
Modifier's Name The name of the user who effected the change
Operation Time The time at which the change took place
Orcl GUID The global unique identifier of the entry on which the change is made
Orcl Parent GUID The global unique identifier of the parent of the entry on which the change is made
Server Name The name of the server from which the change was issued

C.9 Schema Management Fields in Oracle Directory Manager

This section contains these topics:

C.9.1 Object Classes Fields in Oracle Directory Manager

Table C-22 Object Class Properties Listed in Searches in Oracle Directory Manager

Option Description
Name Name of the object class for which you are searching. For example, the phrase Name Exact Match subAcl gives you the subAcl object class.
Object ID Object identifier for the object class for which you are searching. For example, the phrase Object ID Begins With 2.5.2 gives you a list of object classes whose object identifiers begin with 2.5.2.

The object identifier is a standardized numerical sequence based on IETF standards. It must be unique, and should comply with the system established within your organization. Normally it is derived from the identifier assigned by registration agencies, such as ANSI or ISO.

Description Word in the description field. For example, the phrase Description Contains Shoe gives you a list of object classes with the word shoe in the description column. This field is optional, for your information only.
Type Type of object class for which you are searching, whether abstract, structural, or auxiliary
Super Class Class from which the object class for which you are searching is derived. Clicking Add displays the Super Class Selector dialog box from which you can select the superclass(es) you want to add.
Mandatory Attributes Mandatory attributes of the object class for which you are searching. For example, the phrase Mandatory Attributes Contains cn gives you a list of all object classes in which the cn attribute is mandatory.
Optional Attributes Optional attributes of the object class for which you are searching

Table C-23 Search Filters for Object Classes

Filter Description
Begins With Searches by using only the first few characters of the property of the object class for which you are searching. For example, the phrase Type Begins With aux gives you a list of all of the auxiliary object classes.
Ends With Searches by using only the last few characters of the property of the object class for which you are searching. For example, the phrase Type Ends With ral gives you a list of all of the structural object classes.
Contains Searches for object classes in which the property you selected includes, but is not necessarily limited to, the value you enter. For example, the phrase Optional Attributes Contains cn gives you a list of all object classes in which cn is an optional attribute.
Exact Match Searches for an object class in which the property you selected is exactly the same as the value you enter. For example, the phrase Super Class Exact Match person gives you a list of all object classes that have person as their superclass.
Greater Or Equal Searches for an object class in which the property you selected is numerically or alphabetically greater than or equal to the value you enter. For example, the phrase Name Greater or Equal orcl gives you a list of object classes from those beginning with the letters orcl to those beginning with letters at the end of the alphabet.
Less or Equal Searches for an object class in which the property you selected is numerically or alphabetically less than or equal to the value you enter. For example, the phrase Name Less or Equal orcl gives you a list of object classes from those beginning with the letters orcl to those at the beginning of the alphabet.
Not Null Searches for all object classes in which the property you selected is present. For example, the phrase Mandatory Attributes Not Null gives you a list of all object classes which contain mandatory attributes.

Table C-24 Buttons Used in Searches for Object Classes in Oracle Directory Manager

Button Description
New Creates a new search criteria bar in the Criteria field. This button is enabled only when the Criteria bar has been deleted.
And Creates another search criteria bar in the Criteria field. Matches all object classes having one specified criterion with those that also have another specified criterion.
Or Creates another search criteria bar in the Criteria field. Matches all object classes with either one specified attribute or another.
Not Negates the criterion in the selected search criteria bar and retrieves all object classes that do not have the specified criterion.
Delete Deletes a selected search criteria bar

Table C-25 Fields in the New Object Class Dialog Box

Option Description
Name Name of the object class.
Object ID Object identifier. This is a standardized numerical sequence based on IETF standards. It must be unique, and should comply with the system established within your organization. Normally it is derived from the identifier assigned by registration agencies, such as ANSI or ISO.
Description Use this optional field for your information only.
Type Type of object class: Abstract, Structural, Auxiliary, None.
Super Class Class(es) from which to derive this object class. This object class will inherit all the attributes of the superclass(es) you select. Every structural object class must have top as one of its superclasses. Clicking Add displays the Super Class Selector dialog box from which you can select the superclass(es) you want to add.
Mandatory Attributes Attributes for which values must be entered. Clicking Add displays the Mandatory Attributes Selector dialog box from which you can select the mandatory attributes you want to add.
Optional Attributes Attributes for which values are not required. Clicking Add displays the Optional Attributes Selector dialog box from which you can select the optional attributes you want to add.

C.9.2 Attributes Fields in Oracle Directory Manager

Table C-26 Columns in the Attributes Tab Page in Oracle Directory Manager

Column Description
Name The standardized attribute type names
Indexed Check boxes indicating whether attributes are indexed
Object ID Standardized object identifier for each attribute
Description Words describing each attribute
Syntax The standardized rules for data entry applicable to each attribute type
Size Maximum size allowed for each object
Usage Standards specifying how the attribute can be used. There are four options:
  • userApplications

  • directoryOperation

  • distributedOperation

  • dSAOperation.

Ordering Standards specifying how precedence is established for values
Equality Standards specifying how equality is determined in compare and search operations
Substring Regular expression matching string
Single Value Attribute types containing a maximum of one value
Super Super attribute for each attribute

Table C-27 Search Filters for Attributes

Option Description
Begins With Searches by using only the first few characters of the property's value. For example, the phrase Syntax Begins With 1.3 gives you a list of all attributes in which the first few numbers of the syntax identifier are 1.3.
Ends With Searches by using only the last few characters of the property's value. For example, the phrase Name Ends With License gives you a list of all attributes with that ending, such as carLicense.
Contains Searches for attributes that include the property with the value you enter. For example, the phrase Ordering Contains time gives you a list of all attributes with the word time in the Ordering column.
Exact Match Searches for a value that is exactly the same as that found in the attribute property you specified. For example, the phrase Equality Exact Match caseIgnoreMatch gives you a list of all attributes that have the caseIgnoreMatch matching rule.
Greater or Equal Searches for an attribute that has a property that is numerically or alphabetically greater than or equal to the value you enter. For example, the phrase Name Greater or Equal orcl gives you a list of attributes from those beginning with orcl to those beginning with letters at the end of the alphabet.
Less or Equal Searches for an attribute that has a property that is numerically or alphabetically less than or equal to the value you enter. For example, the phrase Name Less or Equal orcl gives you a list of attributes from those beginning with orcl to those beginning with letters at the start of the alphabet.
Not Null Searches for all attributes in which the attribute property you selected is present. For example, the phrase Description Not Null gives you a list of all attributes which have text in the description field.

Table C-28 Buttons in Searches for Attributes in Oracle Directory Manager

Button Description
New Creates a new search criteria bar in the Criteria field. This button is enabled only when the Criteria field is empty.
And Creates another search criteria bar in the Criteria field. Matches all attributes with one specified property with those that also have another specified property.
Or Creates another search criteria bar in the Criteria field. Matches all attributes with either one specified property or another.
Not Negates the criteria in the selected search criteria bar and matches all attributes that do not have the property specified.
Delete Deletes a selected search criteria bar

Table C-29 Fields in the General Tab Page of the New Attribute Type Dialog

Field Description
Name Name for this attribute
Object ID Object ID for this attribute. The Object ID is a standardized numerical sequence based on IETF standards. It must be unique. Normally this is derived from the identifier assigned by registration agencies, such as ANSI or ISO.

For an explanation of the standard identifiers, see the current LDAP standards available through the IETF Web site at http://www.ietf.org.

Description Optional field for your information only
Syntax Standardized rules for data entry applicable to this attribute type
Size Maximum size allowed for this object
Single Value Indicator that this attribute type contains a maximum of one value.

Table C-30 Fields in the Advanced Tab Page of the New Attribute Type Dialog

Field Description
Indexed Select this box to add the attribute to the index, thereby making it available for use in a search. Only those attributes that have an equality matching rule can be indexed.
Usage Specify standards for how the attribute can be used. Options are:
  • userApplications

    Attributes whose values must be entered by the user, for example, telephoneNumber

  • directoryOperation

    Attributes whose values are entered by the directory server, for example, creatorName or timeStamp

  • distributedOperation

  • dSAOperation

    Attributes used for the internal operation of the server, for example, orclUpdateSchedule

Ordering Specify standards for how precedence is established for values.
Equality Specify standards for how equality is determined in compare and search operations.
Substring Specify the matching rule.
Super Add the super attribute for this attribute. To do this:
  1. Choose the Add button next to this field. The Super Attribute Selector appears.

  2. Select the super attribute and choose Select.

  3. Repeat as needed.

To delete a super attribute from the Super field, select it, then choose Delete.


C.9.3 Matching Rules Fields in Oracle Directory Manager

Table C-31 Fields in the Matching Rules Tab Page

Column Head Description
Name Name of the attribute matching rule
Object ID Unique identifier of this matching rule
Description Words describing the matching rule (optional)
Syntax Syntax used with this matching rule

C.9.4 Content Rules Management Fields in Oracle Directory Manager

Table C-32 Fields in the New Content Rule Dialog Box

Field Description
Structural Object Class The name of the structural object class to which you want to assign this content rule
Object ID The unique identifier of the content rule you are creating
Label A descriptive friendly name of this content rule
Auxiliary Classes The auxiliary object classes whose attributes you want to associate with the specified structural object class. To specify an auxiliary class:
  1. Choose Add. The Auxiliary Class Selector dialog box appears.

  2. Select the auxiliary class you want to add.

  3. Choose Select. This returns you to the New Content Rule dialog box. The auxiliary class you just specified appears in the Auxiliary Classes field.

Mandatory Attributes The mandatory attributes you want to associate with the specified structural object class. To specify a mandatory attribute:
  1. Choose Add. The Mandatory Attribute Selector dialog box appears.

  2. Select the mandatory attribute you want to add. If you want this attribute indexed, then select the corresponding check box in the Indexed column.

  3. Choose Select. This returns you to the New Content Rule dialog box. The mandatory attribute you just specified appears in the Mandatory Attributes field.

Optional Attributes The optional attributes you want to associate with the specified structural object class. To specify an optional attribute:
  1. Choose Add. The Optional Attribute Selector dialog box appears.

  2. Select the optional attribute you want to add. If you want this attribute indexed, then select the corresponding check box in the Indexed column.

  3. Choose Select. This returns you to the New Content Rule dialog box. The optional attribute you just specified appears in the Optional Attributes field.


Table C-33 Fields in the Content Rule Dialog Box

Field Description
Structural Object Class The name of the structural object class to which you want to assign this content rule
Object ID The unique identifier of the content rule you are creating
Label A descriptive friendly name of this content rule
Auxiliary Classes The auxiliary object classes whose attributes you want to associate with the specified structural object class. To specify an auxiliary class:
  1. Choose Add. The Auxiliary Class Selector dialog box appears.

  2. Select the auxiliary class you want to add.

  3. Choose Select. This returns you to the New Content Rule dialog box. The auxiliary class you just specified appears in the Auxiliary Classes field.

Mandatory Attributes The mandatory attributes you want to associate with the specified structural object class. To specify a mandatory attribute:
  1. Choose Add. The Mandatory Attribute Selector dialog box appears.

  2. Select the mandatory attribute you want to add. If you want this attribute indexed, then select the corresponding check box in the Indexed column.

  3. Choose Select. This returns you to the New Content Rule dialog box. The mandatory attribute you just specified appears in the Mandatory Attributes field.

Optional Attributes The optional attributes you want to associate with the specified structural object class. To specify an optional attribute:
  1. Choose Add. The Optional Attribute Selector dialog box appears.

  2. Select the optional attribute you want to add. If you want this attribute indexed, then select the corresponding check box in the Indexed column.

  3. Choose Select. This returns you to the New Content Rule dialog box. The optional attribute you just specified appears in the Optional Attributes field.


C.10 Server Management Fields in Oracle Directory Manager

This section contains these topics:

C.10.1 Configuration Sets Fields in Oracle Directory Manager

Table C-34 Fields in the Configuration Sets Dialog Box—General Tab Page

Field Description
Max. Number of DB Connections Type the number of concurrent database connections a single directory server process can have. The default is ten.
Number of Child Processes Type the number of server processes a single instance can spawn. The default is one.
Non-SSL Port The default non-SSL port is 389. You can change the non-SSL port.
Set Type the number of the configuration set entry. The default configuration set is 0. There can be as many different configuration sets as needed. The same configuration set can be used by more than one instance if the parameter needs of the multiple instances are the same. The set number is not modifiable.
SASL Authentication Mode The default value is 1. No other values are supported in this release of Oracle Internet Directory.
SASL Mechanism The default value is DIGEST-MD5. No other values are supported in this release of Oracle Internet Directory.
SASL Cipher Choice The default values for this multivalued attribute are:
  • RC4-56

  • DES

  • 3DES


Table C-35 Fields in the Configuration Sets—SSL Settings Tab Page

Field Description
SSL Authentication Choose one of the following:
  • No SSL Authentication—Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. In this case, SSL is used for encryption/decryption only.

  • SSL Client and Server Authentication—Both client and server authenticate themselves to each other and send certificates to each other.

  • SSL Server Authentication—Only the directory server authenticates itself to the client. The directory server sends the client a certificate verifying that the server is authentic.

SSL Enable Choose one of the following:
  • Both SSL and Non-SSL—Both non-secure operation and SSL authentication

  • Non-SSL Only—Only non-secure operation; default port is 389, changeable in the SSL Port field

  • SSL Only—Only SSL authentication; default port is 636, changeable in the SSL Port field

SSL Wallet URL Type the location of the server-side SSL wallet. If you elect to change the location of the wallet, you must change this parameter. You must set the wallet location on both the client and the server. For example, on UNIX, you could set this parameter as follows:
file:/home/my_dir/my_wallet

On Microsoft Windows, you could set this parameter as follows:

file:C:\my_dir\my_wallet
SSL Port The default SSL port is 636. You can change the SSL port.

C.10.2 System Operational Attributes Fields in Oracle Directory Manager

Table C-36 System Operation Attributes Displayed in Oracle Directory Manager

Field Description Default Value Modifiable?
Allow Anonymous Binds Indicator of whether anonymous binds are allowed or not. If set to 1, then anonymous binds are allowed. If set to 0 (zero), then they are not allowed. 1 Yes
Alternate Server When connectivity to the local server is lost, clients have the option of accessing one of the servers listed in this attribute. Specify other Oracle directory servers in the system that have the same set of naming contexts as that of the local server. The format is:

ldap://host_name:port_number

See Also: "Setting the Alternate Server List by Using Oracle Directory Manager"

None Yes
Configuration Set Location DN of the entry holding the top of the naming context in this server cn=subconfigsubentry No
Critical Event Level Specify critical events related to security and system resources that you want recorded.

Note that for events other than super user, proxy, and replication login, the value of the orclStatsFlag attribute must also be set to 1 to enable this feature.

See Also: "Configuring Critical Events" for a list of critical events that can be monitored

0 Yes
DIP Repository Used by the directory replication server, and indicates whether change logs are to be generated in the consumer node for the Oracle directory integration and provisioning server to consume. FALSE Yes
Directory Version The version or release of Oracle Internet Directory that you are using 9.0.4.0.0 No
Enable Entry Cache Specify whether entry caching, described in "Entry Caching", is enabled. The value for enabled is 1; the value for disabled is 0. 1 Yes
Enable Group Cache The cache of privilege groups and ACL groups in the directory server. Using this cache improves the performance of access control evaluation for users when privilege and ACP groups are used in ACI.

Use the group cache when a privilege group membership does not change frequently. If a privilege group membership does change frequently, then it is best to turn off the group cache. This is because, in such a case, computing a group cache increases overhead.

1 Yes
Enable Match DN Processing If the base DN of a search request is not found, then the directory server returns the nearest DN that matches the specified base DN. Whether the directory server tries to find the nearest match DN is controlled by this attribute. If set to 1, then match DN processing is enabled. If set to 0, then match DN processing is disabled. 1 Yes
Enable Statistics Gathering Indicator of whether you want to enable or disable the Oracle Internet Directory Server Manageability framework. To enable, set this to 1. To disable, set it to 0. 0 Yes
Entry Cache Size in Bytes The maximum number of bytes of RAM that the entry cache can use. 100M Yes
Indexed Attribute Locations Specify the DN for the file containing all indexed attributes cn=catalogs No
Maximum Entries in Entry Cache Specify the maximum number of entries that can be present in the entry cache. 25,000 Yes
Maximum TCP Connection Idle Time Specify how long the server should keep an idle connection open before closing it. 120
Naming Contexts Specify the topmost DNs of naming contexts in this server that you want to publish. You must have super user privileges to publish a DN as a naming context. None Yes
Password Encryption Hash algorithm for encrypting the password. Options are:
  • MD4 Secure Hash Algorithm

  • MD5 Secure Hash Algorithm

  • No encryption

  • SHA

  • UNIX Crypt

MD4 Yes
Process Instance Location DN of the entry holding the Instance Registry in this server cn=subregistrysubentry No
Query Entry Return Limit Maximum number of entries to be returned by a search 1000 Yes
Replica ID Unique identifier of a node in a replication agreement

Replication Agreements DN of the entry holding the replication agreement cn=orclareplagreements No
Replication Log Location DN of the entry holding the change log in this server cn=changelog No
Replication Status Location DN of the entry holding the change status in this server cn=changestatus No
Schema Definition Location DN of the schema cn=subschemasubentry No
Server Mode Indicator of whether data can be written to the server. You can change this value to either read/write or read-only. Change the default to read-only during the replication process. read/write Choices are Read/Write, Read/Modify and Read-Only
Server Operation Time Limit Maximum amount of time, in seconds, allowed for a search to be completed 3600 Yes
Simple Modify Changelog Attribute In a multimaster replication group, resolving conflicts for changes in some attribute values can require considerable resources. You can avoid this performance degradation by specifying those attributes in this field.

When you specify attributes in this field, any changes to the values of those attributes are reflected in the change log. However, in a multimaster replication group, conflict resolution for those attributes is turned off.

uniquemember

member

Yes
Statistics Collection Interval Specify how often you want to gather sample statistics—that is, the number of minutes in the interval. Set this to 1 or more minutes. 60 Yes
Statistics Level Specify whether you want to enable or disable the Oracle Internet Directory Server Manageability framework. To enable, set this to 1. To disable, set it to 0. 0 Yes
Supported Control List Enter extension information for any LDAP operation. The control types supported by Oracle Internet Directory are listed as values of the supportedcontrol attribute in the root DSE. Each control type has an associated object identifier defined by the LDAP standard. The values of the supportedcontrol attribute are standard object identifiers assigned to control types. manageDSACtrl No
Supported Extension The unique identifiers of proprietary extensions to LDAP operations that are supported in this release of Oracle Internet Directory.

In Release 9.0.4, there is one extended operation. It enables a plug-in using a PL/SQL package in the database to bind to the directory server.

2.16.840.1.113894.1.9.1 No
Supported LDAP Version LDAP version that Oracle Internet Directory supports LDAP Version 2

LDAP Version 3

No
Supported SASL Mechanisms Some clients can use the Simple Authentication and Security Layer (SASL). This field indicates the authentication mechanisms supported by the directory server.

See Also:

"Authentication by Using Simple Authentication and Security Layer (SASL)"

DIGEST-MD5 No
Upgrade in Progress Reserved for upgrade FALSE No

C.10.3 Super, Guest, and Proxy User Fields in Oracle Directory Manager

Table C-37 Fields in the System Passwords Tab Page

Field Description
Super User Name Type the super user name, or choose Browse to search for it. The default is orcladmin.
Super User Password Type the super user password. The default is the same as the password you specified for the Oracle Application Server administrator (ias_admin) during installation. You should change this password immediately.
Guest Login Name Type the guest login name, or choose Browse to search for it. Guests have privileges determined by the access control list (ACL) in the directory. The default is guest.
Guest Login Password Type the guest login password. The default is guest.
Proxy Login Name Type the proxy login name, or choose Browse to search for it. Proxy users have privileges determined by the ACPs in the directory. The default is proxy.
Proxy Login Password Type the proxy login password. The default is proxy. You should change this password immediately.

C.10.4 Query Optimization Fields in Oracle Directory Manager

Table C-38 Fields in the Query Optimization Tab Page

Field Description
Attributes with Low Cardinality Enter the attributes you want to designate as skewed.

See Also: "Optimizing Searches" for a discussion of skewed attributes

Common Name The common name of the entry containing information about skewed attributes, namely, dsaconfig. You cannot modify this field.
Distinguished Name The DN of the entry containing information about skewed attributes. You cannot modify this field.
LDAP Connection Timeout Enter the maximum number of seconds that the directory client can remain idle before the connection is terminated. The default is 0, meaning that there is no timeout.
Maximum Entry Size in Cache Specify the upper size limit of entries stored in the cache. The default is 5000—that is, 5 kilobytes.
Object Class The object classes associated with the dsaconfig entry.
Time limit mode When you set the server operation time limit as described in "Setting System Operational Attributes", you specified the maximum number of seconds allowed for a search to be completed.

In this field, to adjust server performance, set the search time limit to be either accurate or approximate. If you specify it as accurate, then searches end precisely at the specified number of seconds. If you specify it as approximate, then searches end within a few seconds of the specified number of seconds. In smaller workloads, the latter provides better performance.


C.10.5 Entry Search Fields and Buttons in Oracle Directory Manager

Table C-39 Search Filters for Entries

Filter Description
Begins With Searches by using only the first few characters of the attribute's value. For example, cn Begins With Fran retrieves all entries in which the first few letters of the cn attribute are Fran. These would include Frank, Fran, Frances, Franklin, and so on.
Ends With Searches for an entry by using only the last few characters of the specified attribute's value. For example, cn Ends With son retrieves Baldisson, Jacobson, Johnson, and so on.
Contains Searches for an entry in which the attribute you specified includes, but is not necessarily limited to, the value you enter. For example, cn Contains Wins retrieves all entries in which the cn attribute contains the letters wins. These would include Winslow, Czerwinski, Winship, and so on.
Exact Match Searches for an entry whose specified attribute is the same as the value you enter. For example, cn Exactly Matches Franklin Baldwins retrieves all entries in which the cn attribute has the value Franklin Baldwins.
Greater or Equal Searches for an entry in which the specified attribute is numerically or alphabetically greater than or equal to the value you enter. For example, cn Greater or Equal Frank retrieves all entries with cn attributes that range from the first Frank to the end of the alphabet.
Less or Equal Searches for entries in which the specified attribute is numerically or alphabetically less than or equal to the value you enter. For example, cn Less or Equal Frank retrieves all cn attributes from the first Frank to the beginning of the alphabet.
Present Determines if an entry with the specified attribute is present at that level of the tree. You do not need to enter a value to use this relationship. The phrase cn Present retrieves all entries with the cn attribute at that level of the tree.

Table C-40 Buttons Used in Searches for Entries

Button Description
New Creates a new search criteria bar in the Criteria field. This button is enabled only when the Criteria field is empty.
And Creates another search criteria bar in the Criteria field. Matches all entries with one specified attribute with those that also have another specified attribute. For example, cn=Baldwins And title=Laborer retrieves all Baldwins who are also laborers.
Or Creates another search criteria bar in the Criteria field. Matches all entries with either one specified attribute or another. For example, title=Laborer Or title=Foreman retrieves all employees who are either laborers or foremen.
Not Negates the criterion in the selected search criteria bar and retrieves all entries that do not have the specified criterion. For example, cn=Frank And Not title=Laborer retrieves all persons named Frank who are not laborers.
Delete Deletes a selected search criteria bar
Advanced Adds a search criteria bar when including attribute options in the search. Use this syntax: attribute;attribute_option filter attribute_option_value

For example, cn;lang_sp=J* retrieves all attribute option values for cn;lang_sp that begin with the letter J.

Note: Before an attribute option can be used in searches, the parent attribute of that attribute option must be indexed. For example, in the case of the attribute option carLicense;lang_sp, the carLicense attribute must be indexed before the carLicense;lang_sp attribute option can be used in searches.
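The relationships in Table C-39 and the And, Or, and Not buttons in Table C-40 correspond to standard LDAP search filter strings (RFC 4515). The following added example, which is not part of Oracle's documentation, builds those strings and escapes each value so that typed input cannot change the structure of the filter. The function names and the mapping from each Oracle Directory Manager label to a filter form are assumptions of this example.

```python
"""LDAP search filter strings (RFC 4515) for the relationships in Table C-39.

Added example: function names are hypothetical, and the mapping from each
Oracle Directory Manager label to a filter form is this example's assumption.
"""
import re

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute name plus optional ";option" parts, as in cn;lang_sp from the page.
# Underscore is accepted in options only because the page's own example uses it.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9_-]+)*")

# One filter template per relationship label in Table C-39.
_TEMPLATES = {
    "Begins With": "({a}={v}*)",
    "Ends With": "({a}=*{v})",
    "Contains": "({a}=*{v}*)",
    "Exact Match": "({a}={v})",
    "Greater or Equal": "({a}>={v})",
    "Less or Equal": "({a}<={v})",
    "Present": "({a}=*)",
}


def escape_value(value: str) -> str:
    """Escape filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def criterion(attr: str, relation: str, value: str = "") -> str:
    """Return the filter for one search criteria bar."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    if relation not in _TEMPLATES:
        raise ValueError(f"unknown relationship: {relation!r}")
    if relation != "Present" and value == "":
        raise ValueError(f"{relation} needs a value")
    return _TEMPLATES[relation].format(a=attr, v=escape_value(value))


def _join(operator: str, filters: tuple) -> str:
    if not filters:
        raise ValueError("at least one criterion is required")
    return "(" + operator + "".join(filters) + ")"


def all_of(*filters: str) -> str:
    """And button: every criterion must match."""
    return _join("&", filters)


def any_of(*filters: str) -> str:
    """Or button: at least one criterion must match."""
    return _join("|", filters)


def negate(flt: str) -> str:
    """Not button: negate a single criterion."""
    return "(!" + flt + ")"


if __name__ == "__main__":
    # Examples taken from Tables C-39 and C-40.
    print(criterion("cn", "Begins With", "Fran"))
    print(all_of(criterion("cn", "Exact Match", "Frank"),
                 negate(criterion("title", "Exact Match", "Laborer"))))
    print(any_of(criterion("title", "Exact Match", "Laborer"),
                 criterion("title", "Exact Match", "Foreman")))
    print(criterion("cn;lang_sp", "Begins With", "J"))
    # Constructed input containing filter metacharacters: it stays one value.
    print(criterion("cn", "Exact Match", "*)(userPassword=*"))
```

Because the wildcard in Begins With, Ends With, and Contains is added by the template rather than taken from the input, an asterisk typed as part of a value is matched as a literal character.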



C.11 SSL Management Fields in Oracle Directory Manager

Table C-41 Fields in the SSL Settings Tab Page

Field Description
SSL Authentication Choose one of the following:
  • No SSL Authentication—Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. If you selected the SSL Enabled check box on the Credentials tab, and choose this option, then only SSL encryption/decryption will be used.

  • SSL Client and Server Authentication—Two-way authentication. Both client and server send certificates to each other.

  • SSL Server Authentication—One-way authentication. Only the directory server authenticates itself to the client by sending its certificate to the client.

SSL Enable Choose one of the following:
  • Both SSL and non-SSL—for both non-secure operation and SSL authentication

  • Non-SSL only—for non-secure operation only

  • SSL only—for SSL authentication only

SSL Wallet URL Type the location of the server-side SSL wallet. If you elect to change the location of the wallet, you must change this parameter. You must set the wallet location on both the client and the server. For example, on UNIX, you could set this parameter as follows:
file:/home/my_dir/my_wallet

On Microsoft Windows, you could set this parameter as follows:

file:C:\my_dir\my_wallet
SSL Port The default SSL port is 636. You can change the SSL port.

C.12 Synchronization Fields in Oracle Directory Manager

This section describes the fields in Oracle Directory Manager for administering directory synchronization. These are fields for registering a directory integration profile.

Table C-42 Fields on the General Tab Page for Synchronization in Oracle Directory Manager

Field Description
Profile Name Specify the name of the Profile. The name you enter is used as the RDN component of the DN for this integration profile. For example, specifying a profile name MSAccess creates an integration profile named orclodipagentname=MSAccess,cn=subscriber profile, cn=changelog subscriber, cn=oracle internet directory.

This field is mandatory. There is no default.

Synchronization Mode Specify whether this is an import or an export operation. An import operation pulls changes from a connected directory into Oracle Internet Directory. An export operation pushes changes from Oracle Internet Directory into a connected directory.

This field is mandatory. The default is IMPORT.

Profile Status Specify whether the profile is enabled or disabled.

This field is mandatory. The default is ENABLE.

Profile Password Specify the password that the directory integration and provisioning server is to use when binding to Oracle Internet Directory on behalf of the profile. This field is mandatory and the default is welcome.
Scheduling Interval Specify the number of seconds between synchronization attempts between a connected directory and Oracle Internet Directory.

This field is mandatory. The default is 60.

Maximum Number of Retries Specify the maximum number of times the directory integration and provisioning server is to attempt synchronization before it disables synchronization. This field is mandatory.

The default is 5. The first retry takes place 1 minute after the first failure. The second retry happens 2 minutes after the second failure, and subsequently the retry takes place n minutes after the n-th failure.

Profile Version Version of Oracle Directory Integration and Provisioning with which this profile was created.

Table C-43 Fields on the Execution Tab for Synchronization in Oracle Directory Manager

Field Description
Agent Execution Command Specify the agent executable name and the arguments used by the directory integration and provisioning server to execute the agent. This field is optional. There is no default.

A typical execution command is of the form:

odicmd user=%orclodipcondirAccessAccount pass=%orclodipcondiraccesspassword

where odicmd is the command to be executed (available in the PATH or specified as a complete path name), and

user=%orclodipcondirAccessAccount pass=%orclodipcondiraccesspassword

are the command-line arguments. The value to be passed for the user is derived from the attribute orclodipcondiraccessaccount, and the value to be passed for pass is derived from the attribute orclodipcondiraccesspassword.

A typical example is given in the Oracle Human Resources agent.

Connected Directory Account Specify the account to be used by the connector/agent for accessing the connected directory. For example, if the connected directory is a database, then the account might be Scott. If the connected directory is another LDAP-compliant directory, then the account might be cn=Directory Manager.

This field is optional. There is no default.

Connected Directory Account Password Specify the password the connector/agent is to use when accessing the connected directory. This field is optional. There is no default.
Additional Config Info This field displays additional information that the directory integration and provisioning server passes to an agent. You cannot modify this field through Oracle Directory Manager. The only way to modify it is to use ldapuploadagentfile.sh. There is no default.
Connected Directory URL Connection details required to connect to the connected directory. This parameter specifies the host name and port number in the form host:port:sslmode.

To connect by using SSL, enter host:port:1.

Make sure the certificate to connect to the directory is stored in the wallet, the location of which is specified in the file odi.properties.

Note: To connect to SunONE Directory Server by using SSL, the server certificate needs to be loaded into the wallet.

See Also: The chapter on Oracle Wallet Manager in Oracle Advanced Security Administrator's Guide

Interface Type The format used by the import or export file. Options are DB, LDAP, LDIF, and TAGGED. This field is optional. The default is TAGGED.

Table C-44 Fields on the Mapping Tab Page for Synchronization in Oracle Directory Manager

Field Description
Mapping Rules This field displays the mapping rules for converting data between a connected directory and Oracle Internet Directory. There is no default.

Note: You cannot edit the mapping rules file by using Oracle Directory Manager. You edit the mapping rules in a file manually and then upload it to the profile by using the provided script, ldapuploadagentfile.sh. See Appendix A, "Syntax for LDIF and Command-Line Tools".

Connected Directory Matching Filter Specify the attribute that uniquely identifies an entry in the connected directory.
OID Matching Filter Specify the attribute that uniquely identifies records in Oracle Internet Directory. This attribute is used as a key to synchronize Oracle Internet Directory and the connected directory. This field is optional.

Table C-45 Fields on the Status Tab Page for Synchronization in Oracle Directory Manager

Field Description
OID Last Applied Change Number

(Import operations only)

For export operations, specify the identifier of the last change from Oracle Internet Directory that has been applied to the connected directory. The default is 0. The field can be consciously modified by the end user whenever appropriate. The profile should be in the disabled mode. If the number is increased, then any change log entries numbered between the original value and the new value will not be applied.
Last Execution Time The most recent absolute time that the agent was executed. The default is the time at which the connector is created. Modifying this field will be misleading.
Last Successful Execution Time The most recent absolute time that the agent succeeded. The default is the time at which the connector is created. Modifying this field will be misleading.
Synchronization Status Synchronization success/failure.
Synchronization Errors The last error message. You cannot modify this field. There is no default.
Last Applied Change Number

(Export operations only)

The number of the change log entry that was most recently applied successfully to the connected directory. The field can be consciously modified by the end user whenever appropriate. The profile should be in the disabled mode. If the number is increased, then any change log entries numbered between the original value and the new value will not be applied.