Contents
- Audience
- Documentation Accessibility
- Structure
- Related Documents
- Conventions
- New Features in the Release 10.1.2 SDK
- New Features in the Release 9.0.4 SDK
- 1.1 Benefits of Integrating with Oracle Identity Management
- 1.2 Oracle Identity Management Services Available for Application Integration
- 1.3 Integrating Existing Applications with Oracle Identity Management
- 1.4 Integrating New Applications with Oracle Identity Management
- 1.5 Integrating J2EE Applications with Oracle Identity Management
- 1.6 Directory Programming: An Overview
- 1.6.1 Programming Languages Supported by the SDK
- 1.6.2 SDK Components
- 1.6.3 Application Development in the Directory Environment
- 1.6.3.1 Architecture of a Directory-Enabled Application
- 1.6.3.2 Directory Interactions During the Application Life Cycle
- 1.6.3.3 Services and APIs for Integrating Applications with Oracle Internet Directory
- 1.6.3.4 Integrating Existing Applications with Oracle Internet Directory
- 1.6.3.5 Integrating New Applications with Oracle Internet Directory
- 1.6.4 Other Components of Oracle Internet Directory
- 2.1 History of LDAP
- 2.2 LDAP Models
- 2.2.1 Naming Model
- 2.2.2 Information Model
- 2.2.3 Functional Model
- 2.2.4 Security Model
- 2.2.4.1 Authentication
- 2.2.4.2 Access Control and Authorization
- 2.2.4.3 Data Integrity
- 2.2.4.4 Data Privacy
- 2.2.4.5 Password Policies
- 2.3 About the Standard LDAP APIs
- 2.3.1 API Usage Model
- 2.3.2 Getting Started with the C API
- 2.3.3 Getting Started with the DBMS_LDAP Package
- 2.3.4 Getting Started with the Java API
- 2.4 Initializing an LDAP Session
- 2.4.1 Initializing the Session by Using the C API
- 2.4.2 Initializing the Session by Using DBMS_LDAP
- 2.4.3 Initializing the Session by Using JNDI
- 2.5 Authenticating an LDAP Session
- 2.5.1 Authenticating an LDAP Session by Using the C API
- 2.5.2 Authenticating an LDAP Session by Using DBMS_LDAP
- 2.6 Searching the Directory
- 2.6.1 Program Flow for Search Operations
- 2.6.2 Search Scope
- 2.6.3 Filters
- 2.6.4 Searching the Directory by Using the C API
- 2.6.5 Searching the Directory by Using DBMS_LDAP
- 2.7 Terminating the Session
- 2.7.1 Terminating the Session by Using the C API
- 2.7.2 Terminating the Session by Using DBMS_LDAP
- 3.1 Using Oracle Extensions to the Standard APIs
- 3.1.1 Using the API Extensions in PL/SQL
- 3.1.2 Using the API Extensions in Java
- 3.1.2.1 The oracle.java.util Package
- 3.1.2.2 PropertySetCollection, PropertySet, and Property Classes
- 3.1.3 How the Standard APIs and the Oracle Extensions Are Installed
- 3.2 Creating an Application Identity in the Directory
- 3.2.1 Creating an Application Identity
- 3.2.2 Assigning Privileges to an Application Identity
- 3.3 User Management Functionality
- 3.3.1 User Operations Performed by Directory-Enabled Applications
- 3.3.2 User Management APIs
- 3.3.2.1 Java API for User Management
- 3.3.2.2 C API for User Management
- 3.3.2.3 PL/SQL API for User Management
- 3.3.3 User Authentication
- 3.3.3.1 Java API for User Authentication
- 3.3.3.2 PL/SQL API for User Authentication
- 3.3.3.3 C API for User Authentication
- 3.3.4 User Creation
- 3.3.4.1 Java API for User Creation
- 3.3.4.2 PL/SQL API for User Creation
- 3.3.4.3 C API for User Creation
- 3.3.5 User Object Retrieval
- 3.3.5.1 Java API for User Object Retrieval
- 3.3.5.2 PL/SQL API for User Object Retrieval
- 3.3.5.3 C API for User Object Retrieval
- 3.4 Group Management Functionality
- 3.5 Identity Management Realm Functionality
- 3.5.1 Realm Object Retrieval for the Java API
- 3.6 Server Discovery Functionality
- 3.6.1 Benefits of Oracle Internet Directory Discovery Interfaces
- 3.6.2 Usage Model for Discovery Interfaces
- 3.6.3 Determining Server Name and Port Number From DNS
- 3.6.3.1 Mapping the DN of the Naming Context
- 3.6.3.2 Search by Domain Component of Local Machine
- 3.6.3.3 Search by Default SRV Record in DNS
- 3.6.4 Environment Variables for DNS Server Discovery
- 3.6.5 Programming Interfaces for DNS Server Discovery
- 3.6.6 Java APIs for Server Discovery
- 3.6.7 Examples: Java API for Directory Server Discovery
- 3.7 SASL Authentication Functionality
- 3.7.1 SASL Authentication by Using the DIGEST-MD5 Mechanism
- 3.7.1.1 Steps Involved in SASL Authentication by Using DIGEST-MD5
- 3.7.1.2 Java APIs for SASL Authentication by Using DIGEST-MD5
- 3.7.2 SASL Authentication by Using External Mechanism
- 3.8 Proxying on Behalf of End Users
- 3.9 Creating Dynamic Password Verifiers
- 3.9.1 Request Control for Dynamic Password Verifiers
- 3.9.2 Syntax for DynamicVerifierRequestControl
- 3.9.3 Parameters Required by the Hashing Algorithms
- 3.9.4 Configuring the Authentication APIs
- 3.9.4.1 Parameters Passed If ldap_search Is Used
- 3.9.4.2 Parameters Passed If ldap_compare Is Used
- 3.9.5 Response Control for Dynamic Password Verifiers
- 3.9.6 Obtaining Privileges for the Dynamic Verifier Framework
- 3.10 Dependencies and Limitations for the PL/SQL LDAP API
- 4.1 Introduction to the Oracle Directory Provisioning Integration Service
- 4.2 Developing Provisioning-Integrated Applications
- 4.2.1 Example of a Provisioning-Integrated Application
- 4.2.1.1 Requirements of the Employee Self Service Application
- 4.2.1.2 Registering the Employee Self Service Application in Oracle Internet Directory
- 4.2.1.3 Identifying the Management Context for the Employee Self Service Application
- 4.2.1.4 Determining Provisioning Mode for the Employee Self Service Application
- 4.2.1.5 Determining Events for the Employee Self Service Application
- 4.2.1.6 Provisioning the Employee Self Service Application for an Identity Management Realm
- 4.2.1.7 Determining Scheduling Parameters for the Employee Self Service Application
- 4.2.1.8 Determining the Interface Connection Information for the Employee Self Service Application
- 4.2.1.9 Implementing the Interface Specification for the Employee Self Service Application
- 4.2.1.10 Creating the Provisioning Subscription Profile for the Employee Self Service Application
- 4.3 Provisioning Integration Prerequisites
- 4.4 Development Usage Model for Provisioning Integration
- 4.4.1 Initiating Provisioning Integration
- 4.4.2 Returning Provisioning Information to the Directory
- 4.5 Development Tasks for Provisioning Integration
- 4.5.1 Application Installation
- 4.5.2 User Creation and Enrollment
- 4.5.3 User Deletion
- 4.5.4 Extensible Event Definitions
- 4.5.5 Application Deinstallation
- 4.5.6 LDAP_NTFY Function Definitions
- 4.5.6.1 FUNCTION user_exists
- 4.5.6.2 FUNCTION group_exists
- 4.5.7 FUNCTION event_ntfy
- 5.1 Plug-in Prerequisites
- 5.2 Plug-in Benefits
- 5.3 What Is the Plug-in Framework?
- 5.4 Operation-Based Plug-ins Supported by the Directory
- 5.4.1 Pre-Operation Plug-ins
- 5.4.2 Post-Operation Plug-ins
- 5.4.3 When-Operation Plug-ins
- 5.5 Designing, Creating, and Using Plug-ins
- 5.5.1 Designing Plug-ins
- 5.5.1.1 Types of Plug-in Operations
- 5.5.1.2 Naming Plug-ins
- 5.5.2 Creating Plug-ins
- 5.5.2.1 Package Specifications for Plug-in Module Interfaces
- 5.5.3 Compiling Plug-ins
- 5.5.3.1 Dependencies
- 5.5.3.2 Recompiling Plug-ins
- 5.5.3.3 Granting Permission
- 5.5.4 Registering Plug-ins
- 5.5.4.1 The orclPluginConfig Object Class
- 5.5.4.2 Adding a Plug-in Configuration Entry by Using Command-Line Tools
- 5.5.4.3 Example 1
- 5.5.4.4 Example 2
- 5.5.5 Managing Plug-ins
- 5.5.5.1 Modifying Plug-ins
- 5.5.5.2 Debugging Plug-ins
- 5.5.6 Enabling and Disabling Plug-ins
- 5.5.7 Exception Handling
- 5.5.7.1 Error Handling
- 5.5.7.2 Program Control Handling between Oracle Internet Directory and Plug-ins
- 5.5.8 Plug-in LDAP API
- 5.5.9 Plug-ins and Replication
- 5.5.10 Plug-in and Database Tools
- 5.5.11 Security
- 5.5.12 Plug-in Debugging
- 5.5.13 Plug-in LDAP API Specifications
- 5.6 Examples of Plug-ins
- 5.6.1 Example 1: Search Query Logging
- 5.6.2 Example 2: Synchronizing Two DITs
- 5.7 Binary Support in the Plug-in Framework
- 5.7.1 Binary Operations with ldapmodify
- 5.7.2 Binary Operations with ldapadd
- 5.7.3 Binary Operations with ldapcompare
- 5.8 Database Object Types Defined
- 5.9 Specifications for Plug-in Procedures
- 6.1 What Is Oracle Delegated Administration Services?
- 6.1.1 How Applications Benefit from Oracle Delegated Administration Services
- 6.2 Integrating Applications with the Delegated Administration Services
- 6.2.1 Integration Profile
- 6.2.2 Oracle Delegated Administration Services Integration Methodology and Considerations
- 6.3 Java APIs Used to Access URLs
- 7.1 What Is mod_osso?
- 7.2 Protecting Applications Using mod_osso: Two Methods
- 7.2.1 Protecting URLs Statically
- 7.2.2 Protecting URLs with Dynamic Directives
- 7.3 Developing Applications Using mod_osso
- 7.3.1 Developing Statically Protected PL/SQL Applications
- 7.3.2 Developing Statically Protected Java Applications
- 7.3.3 Developing Java Applications That Use Dynamic Directives
- 7.3.3.1 Java Example #1: Simple Authentication
- 7.3.3.2 Java Example #2: Single Sign-Off
- 7.3.3.3 Java Example #3: Forced Authentication
- 7.3.4 A Word About Non-GET Authentication
- 7.4 Security Issues: Single Sign-Off and Application Logout
- 7.4.1 Application Login: Code Examples
- 7.4.1.1 Bad Code Example #1
- 7.4.1.2 Bad Code Example #2
- 7.4.1.3 Recommended Code
- 7.4.2 Application Logout: Recommended Code
- 8.1 About the Oracle Internet Directory C API
- 8.1.1 Oracle Internet Directory SDK C API SSL Extensions
- 8.1.1.1 SSL Interface Calls
- 8.1.1.2 Wallet Support
- 8.2 Functions in the C API
- 8.2.1 The Functions at a Glance
- 8.2.2 Initializing an LDAP Session
- 8.2.2.1 ldap_init and ldap_open
- 8.2.3 LDAP Session Handle Options
- 8.2.3.1 ldap_get_option and ldap_set_option
- 8.2.4 Authenticating to the Directory
- 8.2.4.1 ldap_sasl_bind, ldap_sasl_bind_s, ldap_simple_bind, and ldap_simple_bind_s
- 8.2.5 SASL Authentication Using Oracle Extensions
- 8.2.5.1 ora_ldap_create_cred_hdl, ora_ldap_set_cred_props, ora_ldap_get_cred_props, and ora_ldap_free_cred_hdl
- 8.2.6 SASL Authentication
- 8.2.6.1 ora_ldap_init_SASL
- 8.2.7 Working With Controls
- 8.2.8 Closing the Session
- 8.2.8.1 ldap_unbind, ldap_unbind_ext, and ldap_unbind_s
- 8.2.9 Performing LDAP Operations
- 8.2.9.1 ldap_search_ext, ldap_search_ext_s, ldap_search, and ldap_search_s
- 8.2.9.2 Reading an Entry
- 8.2.9.3 Listing the Children of an Entry
- 8.2.9.4 ldap_compare_ext, ldap_compare_ext_s, ldap_compare, and ldap_compare_s
- 8.2.9.5 ldap_modify_ext, ldap_modify_ext_s, ldap_modify, and ldap_modify_s
- 8.2.9.6 ldap_rename and ldap_rename_s
- 8.2.9.7 ldap_add_ext, ldap_add_ext_s, ldap_add, and ldap_add_s
- 8.2.9.8 ldap_delete_ext, ldap_delete_ext_s, ldap_delete, and ldap_delete_s
- 8.2.9.9 ldap_extended_operation and ldap_extended_operation_s
- 8.2.10 Abandoning an Operation
- 8.2.10.1 ldap_abandon_ext and ldap_abandon
- 8.2.11 Obtaining Results and Peeking Inside LDAP Messages
- 8.2.11.1 ldap_result, ldap_msgtype, and ldap_msgid
- 8.2.12 Handling Errors and Parsing Results
- 8.2.12.1 ldap_parse_result, ldap_parse_sasl_bind_result, ldap_parse_extended_result, and ldap_err2string
- 8.2.13 Stepping Through a List of Results
- 8.2.13.1 ldap_first_message and ldap_next_message
- 8.2.14 Parsing Search Results
- 8.2.14.1 ldap_first_entry, ldap_next_entry, ldap_first_reference, ldap_next_reference, ldap_count_entries, and ldap_count_references
- 8.2.14.2 ldap_first_attribute and ldap_next_attribute
- 8.2.14.3 ldap_get_values, ldap_get_values_len, ldap_count_values, ldap_count_values_len, ldap_value_free, and ldap_value_free_len
- 8.2.14.4 ldap_get_dn, ldap_explode_dn, ldap_explode_rdn, and ldap_dn2ufn
- 8.2.14.5 ldap_get_entry_controls
- 8.2.14.6 ldap_parse_reference
- 8.3 Sample C API Usage
- 8.3.1 C API Usage with SSL
- 8.3.2 C API Usage Without SSL
- 8.3.3 C API Usage for SASL-Based DIGEST-MD5 Authentication
- 8.4 Required Header Files and Libraries for the C API
- 8.5 Dependencies and Limitations of the C API
- 9.1 Summary of Subprograms
- 9.2 Exception Summary
- 9.3 Data Type Summary
- 9.4 Subprograms
- 9.4.1 FUNCTION init
- 9.4.2 FUNCTION simple_bind_s
- 9.4.3 FUNCTION bind_s
- 9.4.4 FUNCTION unbind_s
- 9.4.5 FUNCTION compare_s
- 9.4.6 FUNCTION search_s
- 9.4.7 FUNCTION search_st
- 9.4.8 FUNCTION first_entry
- 9.4.9 FUNCTION next_entry
- 9.4.10 FUNCTION count_entries
- 9.4.11 FUNCTION first_attribute
- 9.4.12 FUNCTION next_attribute
- 9.4.13 FUNCTION get_dn
- 9.4.14 FUNCTION get_values
- 9.4.15 FUNCTION get_values_len
- 9.4.16 FUNCTION delete_s
- 9.4.17 FUNCTION modrdn2_s
- 9.4.18 FUNCTION err2string
- 9.4.19 FUNCTION create_mod_array
- 9.4.20 PROCEDURE populate_mod_array (String Version)
- 9.4.21 PROCEDURE populate_mod_array (Binary Version)
- 9.4.22 PROCEDURE populate_mod_array (Binary Version. Uses BLOB Data Type)
- 9.4.23 FUNCTION get_values_blob
- 9.4.24 FUNCTION count_values_blob
- 9.4.25 FUNCTION value_free_blob
- 9.4.26 FUNCTION modify_s
- 9.4.27 FUNCTION add_s
- 9.4.28 PROCEDURE free_mod_array
- 9.4.29 FUNCTION count_values
- 9.4.30 FUNCTION count_values_len
- 9.4.31 FUNCTION rename_s
- 9.4.32 FUNCTION explode_dn
- 9.4.33 FUNCTION open_ssl
- 9.4.34 FUNCTION msgfree
- 9.4.35 FUNCTION ber_free
- 9.4.36 FUNCTION nls_convert_to_utf8
- 9.4.37 FUNCTION nls_convert_to_utf8
- 9.4.38 FUNCTION nls_convert_from_utf8
- 9.4.39 FUNCTION nls_convert_from_utf8
- 9.4.40 FUNCTION nls_get_dbcharset_name
- 11.1 Summary of Subprograms
- 11.2 Subprograms
- 11.2.1 User-Related Subprograms
- 11.2.1.1 Function authenticate_user
- 11.2.1.2 Function create_user_handle
- 11.2.1.3 Function set_user_handle_properties
- 11.2.1.4 Function get_user_properties
- 11.2.1.5 Function set_user_properties
- 11.2.1.6 Function get_user_extended_properties
- 11.2.1.7 Function get_user_dn
- 11.2.1.8 Function check_group_membership
- 11.2.1.9 Function locate_subscriber_for_user
- 11.2.1.10 Function get_group_membership
- 11.2.2 Group-Related Subprograms
- 11.2.2.1 Function create_group_handle
- 11.2.2.2 Function set_group_handle_properties
- 11.2.2.3 Function get_group_properties
- 11.2.2.4 Function get_group_dn
- 11.2.3 Subscriber-Related Subprograms
- 11.2.3.1 Function create_subscriber_handle
- 11.2.3.2 Function get_subscriber_properties
- 11.2.3.3 Function get_subscriber_dn
- 11.2.3.4 Function get_subscriber_ext_properties
- 11.2.4 Property-Related Subprograms
- 11.2.5 Miscellaneous Subprograms
- 11.2.5.1 Function normalize_dn_with_case
- 11.2.5.2 Function get_property_names
- 11.2.5.3 Function get_property_values
- 11.2.5.4 Function get_property_values_len
- 11.2.5.5 Procedure free_propertyset_collection
- 11.2.5.6 Function create_mod_propertyset
- 11.2.5.7 Function populate_mod_propertyset
- 11.2.5.8 Procedure free_mod_propertyset
- 11.2.5.9 Procedure free_handle
- 11.2.5.10 Function check_interface_version
- 11.2.5.11 Function get_property_values_blob
- 11.2.5.12 Procedure property_value_free_blob
- 11.3 Function Return Code Summary
- 11.4 Data Type Summary
- 12.1 Directory Entries for the Service Units
- 12.2 DAS Units and Corresponding URL Parameters
- 12.3 DAS URL API Parameter Descriptions
- 12.4 Search-and-Select Service Units for Users or Groups
- 12.4.1 Invoking Search-and-Select Service Units for Users or Groups
- 12.4.2 Receiving Data from the User or Group Search-and-Select Service Units
- 13.1 Versioning of Provisioning Files and Interfaces
- 13.2 Extensible Event Definition Configuration
- 13.3 Inbound and Outbound Events
- 13.4 PL/SQL Bidirectional Interface (Version 2.0)
- 13.5 Provisioning Event Interface (Version 1.1)
- 13.5.1 Predefined Event Types
- 13.5.2 Attribute Type
- 13.5.3 Attribute Modification Type
- 13.5.4 Event Dispositions Constants
- 13.5.5 Callbacks
- 13.5.5.1 GetAppEvent()
- 13.5.5.2 PutAppEventStatus()
- 13.5.5.3 PutOIDEvent()
- A.1 LDAP Data Interchange Format (LDIF) Syntax
- A.2 Starting, Stopping, Restarting, and Monitoring Oracle Internet Directory Servers
- A.2.1 The OID Monitor (oidmon) Syntax
- A.2.1.1 Starting the OID Monitor
- A.2.1.2 Stopping the OID Monitor
- A.2.1.3 Starting and Stopping OID Monitor in a Cold Failover Cluster Configuration
- A.2.2 The OID Control Utility (oidctl) Syntax
- A.2.2.1 Starting and Stopping an Oracle Directory Server Instance
- A.2.2.2 Troubleshooting Directory Server Instance Startup
- A.2.2.3 Starting and Stopping an Oracle Directory Replication Server Instance
- A.2.2.4 Starting the Oracle Directory Integration and Provisioning Server
- A.2.2.5 Stopping the Oracle Directory Integration and Provisioning Server
- A.2.2.6 Restarting Oracle Internet Directory Server Instances
- A.2.2.7 Starting and Stopping Directory Servers on a Virtual Host or an Oracle Application Server Cluster (Identity Management)
- A.3 Entry and Attribute Management Command-Line Tools Syntax
- A.3.1 The Catalog Management Tool (catalog.sh) Syntax
- A.3.2 ldapadd Syntax
- A.3.3 ldapaddmt Syntax
- A.3.4 ldapbind Syntax
- A.3.5 ldapcompare Syntax
- A.3.6 ldapdelete Syntax
- A.3.7 ldapmoddn Syntax
- A.3.8 ldapmodify Syntax
- A.3.9 ldapmodifymt Syntax
- A.3.10 ldapsearch Syntax
- A.3.10.1 Examples of ldapsearch Filters
- A.4 Oracle Directory Integration and Provisioning Platform Command-Line Tools Syntax
- A.4.1 The Directory Integration and Provisioning Assistant (dipassistant) Syntax
- A.4.1.1 Creating, Modifying, and Deleting Synchronization Profiles
- A.4.1.2 Listing All Synchronization Profiles in Oracle Internet Directory
- A.4.1.3 Viewing the Details of a Specific Synchronization Profile
- A.4.1.4 Performing an Express Configuration of the Active Directory Connector Profiles
- A.4.1.5 Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant
- A.4.1.6 Properties Expected by the Bootstrapping Command
- A.4.1.7 Setting the Wallet Password for the Oracle Directory Integration and Provisioning Server
- A.4.1.8 Changing the Password of the Administrator of Oracle Directory Integration and Provisioning Platform
- A.4.1.9 Moving an Integration Profile to a Different Identity Management Node
- A.4.1.10 Limitations of the Directory Integration and Provisioning Assistant in Oracle Internet Directory 10g Release 2 (10.1.2)
- A.4.2 The schemasync Tool Syntax
- A.4.3 The Oracle Directory Integration and Provisioning Server Registration Tool (odisrvreg)
- A.4.4 Syntax for Provisioning Subscription Tool (oidprovtool)
- B.1 Capabilities of DSML
- B.2 Benefits of DSML
- B.3 DSML Syntax
- B.3.1 Top-Level Structure
- B.3.2 Directory Entries
- B.3.3 Schema Entries
- B.4 Tools Enabled for DSML