Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02

19.2 Installing and Configuring Windows NT External Authentication and Auto-Provisioning Plug-ins

This section contains these topics:

  • Installing and Enabling the Windows NT External Authentication and Provisioning Plug-ins

  • Managing the Windows NT External Authentication and Provisioning Plug-ins

19.2.1 Installing and Enabling the Windows NT External Authentication and Provisioning Plug-ins

The SQL script oidspnti.sql installs the plug-ins that enable Oracle Internet Directory for external authentication against the Microsoft Windows primary domain controller and auto-provisioning.


Note:

To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:

To install the script:

  1. Verify that the Oracle Internet Directory server is running.

  2. Run the script by entering the following commands:

    cd $ORACLE_HOME/ldap/admin
    sh oidspnti.sh
    
    
  3. Enter the Oracle Internet Directory host name and port number. The default port number is 389.

  4. Enter the password of the Oracle administrator (orcladmin), the directory super user.

  5. Enter the distinguished name of the container to which the plug-in is to be applied. Every entry in this container is then authenticated against the Microsoft Windows NT domain. This need not be the user search base supplied in the Oracle Internet Directory Self-Service Console; all users under the container you specify here are authenticated externally to the Microsoft Windows NT domain. If you specify more than one value, separate the values with semicolons (;).

  6. Enter the plug-in request group DN. For security reasons, the plug-in can be invoked only by users belonging to this group. For example, suppose that the Oracle Application Server Single Sign-On administrators are in the group cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this value for the plug-in request group DN, then only requests coming from Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values, separated by semicolons (;). This value is not required, but for security reasons it should be specified.

  7. Choose Auto Registration. The default is Yes. Upon registration, each entry is assigned the object class orclNTUser.

At the completion of these steps, the plug-ins are installed.

19.2.2 Managing the Windows NT External Authentication and Provisioning Plug-ins

This section tells you how to:

  • Enable and disable the plug-ins

  • Enable and disable auto-provisioning

  • Remove the plug-ins

  • Debug the Windows NT external authentication plug-in

19.2.2.1 Enabling the Windows NT External Authentication Plug-in

To enable external authentication, enter these two commands:

ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

19.2.2.2 Disabling the Windows NT External Authentication Plug-in

To disable the external authentication plug-ins, set the value of the attribute orclpluginenable to 0 in each of the preceding commands.

19.2.2.3 Enabling Auto-Provisioning

To enable auto-provisioning, enter the following command:

ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntpostsearch,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

19.2.2.4 Disabling Auto-Provisioning

To disable auto-provisioning, use the previous command, but set the value of the attribute orclpluginenable to 0.
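The four preceding procedures differ only in the plug-in DN and the value written to orclpluginenable, and none of them confirms that the change took effect. The following script is an added example, not part of this guide and not an Oracle tool: it builds the LDIF change records for the three documented plug-in entries (rejecting any other entry name or any value other than 0 or 1), pipes them to ldapmodify, and parses ldapsearch output to report the state of each plug-in afterwards. The environment variables OID_HOST, OID_PORT and OID_PASSWORD, the function names, the ldapsearch filter, and the sample search output embedded in the script are assumptions made for this example; the sample output is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): build the LDIF that enables or
# disables the three documented plug-in entries, and audit ldapsearch output to
# confirm the change took effect. OID_HOST, OID_PORT and OID_PASSWORD are this
# example's assumed environment variables, not settings from the guide.

PLUGIN_BASE="cn=plugin,cn=subconfigsubentry"

# plugin_ldif NAME STATE: print the LDIF change record for one plug-in.
# NAME must be one of the three plug-ins in section 19.2.2; STATE is 0 or 1.
# Rejecting anything else keeps a typo from modifying an unrelated entry.
plugin_ldif() {
    case "$1" in
        ntwhencompare|ntwhenbind|ntpostsearch) ;;
        *) echo "plugin_ldif: unknown plug-in '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        0|1) ;;
        *) echo "plugin_ldif: state must be 0 (disable) or 1 (enable), got '$2'" >&2; return 1 ;;
    esac
    printf 'dn: cn=%s,%s\nchangetype: modify\nreplace: orclpluginenable\norclpluginenable: %s\n' \
        "$1" "$PLUGIN_BASE" "$2"
}

# auth_ldif STATE: both external-authentication plug-ins in one LDIF stream,
# so a single ldapmodify run flips them together (a blank line separates records).
auth_ldif() {
    plugin_ldif ntwhencompare "$1" && echo && plugin_ldif ntwhenbind "$1"
}

# plugin_states: read ldapsearch LDIF output on stdin and print "NAME STATE"
# for every plug-in entry, so the result is checked rather than assumed.
plugin_states() {
    awk '
        /^dn: cn=/ { name = $0; sub(/^dn: cn=/, "", name); sub(/,.*/, "", name) }
        tolower($1) == "orclpluginenable:" { print name, $2 }
    '
}

# apply_ldif: feed stdin to ldapmodify using the assumed environment variables.
apply_ldif() {
    ldapmodify -h "${OID_HOST}" -p "${OID_PORT:-389}" -D cn=orcladmin -w "${OID_PASSWORD}"
}

# Constructed sample of what ldapsearch returns for the three entries, used when
# no directory is reachable; here auto-provisioning is still disabled.
SAMPLE_SEARCH='dn: cn=ntwhencompare,cn=plugin,cn=subconfigsubentry
orclpluginenable: 1

dn: cn=ntwhenbind,cn=plugin,cn=subconfigsubentry
orclpluginenable: 1

dn: cn=ntpostsearch,cn=plugin,cn=subconfigsubentry
orclpluginenable: 0
'

if [ -n "${OID_HOST:-}" ] && command -v ldapmodify >/dev/null 2>&1; then
    # Enable both external-authentication plug-ins, then read back their state.
    auth_ldif 1 | apply_ldif
    ldapsearch -h "${OID_HOST}" -p "${OID_PORT:-389}" -D cn=orcladmin -w "${OID_PASSWORD}" \
        -b "$PLUGIN_BASE" -s one "(cn=nt*)" orclpluginenable | plugin_states
else
    echo "# LDIF that would be sent:"
    auth_ldif 1
    echo "# plug-in states parsed from the constructed sample:"
    printf '%s' "$SAMPLE_SEARCH" | plugin_states
fi
```

Run with OID_HOST unset to see the generated LDIF and the parsed sample; with OID_HOST, OID_PORT and OID_PASSWORD set and the Oracle LDAP tools on the PATH, the script applies the change and prints one "name state" line per plug-in, which is the check to read before assuming external authentication is on.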

19.2.2.5 Removing Windows NT External Authentication and Auto-Provisioning Plug-ins

To remove external authentication and auto-provisioning, delete the three plug-in entries from Oracle Internet Directory:

ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntwhencompare,cn=plugin,cn=subconfigsubentry"

ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntwhenbind,cn=plugin,cn=subconfigsubentry"

ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntpostsearch,cn=plugin,cn=subconfigsubentry"

19.2.2.6 Debugging the Windows NT External Authentication Plug-in

If you are experiencing unexplained errors, you can enable plug-in debugging. To do this, enter:

sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls

To check the plug-in debugging log:

sqlplus ods/odspassword
select * from plg_debug_log order by id;

To delete the plug-in debugging log:

sqlplus ods/odspassword
truncate table plg_debug_log;

To disable plug-in debugging:

sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdof.pls

Note:

If you need to change the Windows NT external authentication plug-in setup—that is, the information you entered in the installation steps—then rerun the installation script. Before you rerun the script, remove the Windows NT external authentication plug-ins by following the preceding instructions.