| Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01 |
|
|
View PDF |
| Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01 |
|
|
View PDF |
This appendix lists and describes the various windows and fields Oracle Directory Manager. It contains these topics:
Access Control Management Fields in Oracle Directory Manager
Garbage Collection Management Fields in Oracle Directory Manager
Oracle Internet Directory Statistics Collection Management Fields in Oracle Directory Manager
Table A-1 Fields in the Credentials Tab Page
| Field | Description |
|---|---|
|
The first time you log in, do so either as the super user or anonymously. If you intend to configure SSL features during this session, login as the super user. If you are logging in as the super user, in the User box, type If you are logging in anonymously, leave the User box empty. If you have already set up the user's entry by using LDAP command-line tools, you can enter that user's entry in one of two ways:
|
|
|
If you are logging in as the super user and you specified a password for the super user during installation, in the Password field, type the password you specified. Otherwise, type the default password, namely, If you are logging in anonymously, leave the Password filed empty. If you want to login as a specific directory user, enter the corresponding password. See Also: "Managing Super Users, Guest Users, and Proxy Users" for instructions on how to change the password |
|
|
From the Server list, select the host containing the directory server to which you want to connect. If you are already connected to a directory server, and you want to connect to one on a different host:
To add a directory server to the list:
To modify a directory server on the list:
|
|
|
Port |
The default port (389) appears in this field. If there is more than one directory server instance on the same host, then each directory server instance has a different port, and, when you select the directory server instance, that port number appears in this field. To change this port number:
|
|
Selecting this check box causes all commands you issue by using Oracle Directory Manager to be sent over Secure Sockets Layer (SSL). You can connect to a directory server either with or without SSL. If you connect by using SSL, then Oracle Directory Manager becomes an SSL client. You can connect in this way if both of the following two conditions are met:
|
Table A-2 Fields in the SSL Tab Page
Table A-3 lists and describes the access control management fields in oracle directory manager.
Table A-3 Fields in the Access Control Management Pane
| Field | Description |
|---|---|
|
Path to the Subtree Control Point |
Contains the path defined by the ACP. |
|
Subtree Control Point |
Contains the ACP. |
Table A-4 lists and describes the authentication choices—that is, the methods by which users can be authenticated to the directory.
Table A-4 Fields in Authentication Choice List
| Authentication Choice | Description |
|---|---|
|
MD5Digest. |
Binding by using MD5Digest blocks Simple, Proxy and Anonymous access. |
|
PKCS12 |
Binding by using PKCS12 blocks MD5Digest, Simple, Proxy and Anonymous access |
|
Proxy |
|
|
Simple |
|
Table A-5 lists and describes the encryption choices—that is, the method by which data is encrypted.
Table A-5 Fields in Encryption Choice List
| Authentication Choice | Description |
|---|---|
|
SASL |
Simple Authentication and Security Layer |
|
SSL No Authentication |
Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. In this case, SSL encryption/decryption only is used. |
|
SSL One Way |
Only the directory server authenticates itself to the client. The directory server sends the client a certificate verifying that the server is authentic. |
Table A-6 Entities to Whom You Are Granting Access in the By Whom Tab Page
| Entity | Description |
|---|---|
|
Everyone (*) |
All who try to access the entry |
|
A Specific Group |
A previously defined group name |
|
A previously defined directory entry |
|
|
A Subtree |
An entire subtree in the directory, which you select |
|
When Session User's Distinguished Name (DN) Is Identified By Attribute |
Anyone whose DN is an attribute in the entry. For example, you might want to grant read access to a group entry to members of the group. |
|
When Session User's Group Is Identified By Attribute |
Any group whose DN is an attribute in the entry. |
|
When Session User's Unique ID (orclGUID) Is Identified by Attribute |
The global user identifier ( |
|
When Session User's Distinguished Name (DN) Matches the Accessed Entry |
Anyone who has correctly logged in as the entry specified |
Table A-7 Access Rights for Attributes
| Access Right | Description |
|---|---|
|
Read |
Right to read attribute values. Even if read permission is available for an attribute, it cannot be returned unless there is browse permission on the entry itself. |
|
Search |
Right to use an attribute in a search filter |
|
Write |
Right to modify/add/delete the attributes of an entry. |
|
Selfwrite |
Right to add oneself to, delete oneself from, or modify one's own entry in a list of DNs group entry attribute. Use this to allow members to maintain themselves on lists. For example, the following command allows people within a group to add or remove only their own DN from the member attribute: access to attr=(member) by dnattr=(member) (selfwrite) The |
|
Compare |
Right to perform compare operation on the attribute value |
Table A-8 Fields in the New Constraint Dialog Box
| Field | Description |
|---|---|
|
Attribute Uniqueness Constraint Name |
Name of the attribute uniqueness constraint you are creating |
|
Unique Attribute Name |
The attribute you want the directory server to check |
|
Unique Attribute Object Class |
The object class where the attribute uniqueness constraint is enforced—for example, person. By default, it is enforced on all object classes. |
|
Unique Attribute Scope |
The filter you want the directory server to use when searching for an attribute constraint. For example:
|
|
Unique Attribute Subtree |
The subtree where the attribute uniqueness constraint is enforced. By default, it is enforced from the root directory. |
Table A-9 Fields in the Garbage Collector Window
| Field | Description |
|---|---|
|
Garbage Collector Name |
You cannot modify this field. |
|
Purge Base |
The base DN of the naming context to which the garbage collection task is to be applied. You cannot modify this field. |
|
Purge Debug |
Indicator of whether to enable or disable debug logging for this garbage collector |
|
Purge Enable Status |
Enable or disable this garbage collector. The default is Enable. |
|
Purge File Location |
Absolute path name of the directory in which the log file is located |
|
Purge File Name |
Name of the log file |
|
Purge Interval |
The interval, in hours, after which the Garbage Collection job is executed again. For example, if you set this value to 12, then garbage collection occurs every 12 hours. This attribute is optional. The default value is |
|
Purge Now |
Entering any value in this field means that, when you choose Apply, the garbage collection begins immediately. At that point, the value in this field automatically reverts to null. |
|
Purge Start |
Time, in seconds, when the Garbage collector runs for the first time. The format is |
|
Purge Target Age |
Age, in hours, of the target objects. Objects older than the age specified in this attribute are purged at midnight. This attribute is optional. The default value is 12. |
|
Purge Transaction Size |
Number of objects to be purge in one committed transaction. This attribute is optional. The default value is |
The Oracle Internet Directory statistics collector supports three of the modifiable fields described in Table A-9. They are Purge Interval, Purge Now, and Purge Start.
Table A-10 Fields in the Password Policies General Tab Page
| Field | Description |
|---|---|
|
Must Supply Old Password When Modifying Password |
Select whether the user must supply old password with new one when modifying password. By default, the old password is not required. |
|
User Password Reversible Encryption |
Select to store the password in a reversible encrypted format. By default, this option is disabled. |
|
Reset Password upon Next Login |
Select to have the password reset the next time the user logs in. By default, this option is disabled. |
|
Old Password can be New Password |
Allows the old password to be used as a new password. By default, this option is disabled. |
|
Allow hash consumption |
Select to enables or disable logins using the hashed password value. By default, this option is enabled. |
|
Grace Login Constraint |
Select one of the following constraints for grace logins after a password has expired:
|
|
Number of Grace Logins after Password Expiration |
Enter the maximum number of grace logins allowed after a password expires. The default value is 0. (By default, no grace logins.are allowed.) |
|
Period for Grace Logins after Password Expiration |
Enter the number of seconds allowed for the grace logins after a password has expired. (By default, no grace logins are allowed.) |
|
Password Expiry Time |
Enter the number of seconds that a given password is valid. If this attribute is not present, or if the value is 0, then the password does not expire. By default, user passwords never expire. |
|
Minimum Age for Password to Self-Modify |
|
|
Password Expiration Warning |
Enter the number of seconds before password expiration that the directory server sends the user a warning. If password expiration is enabled, then, by default, the directory server sends the user a warning three days before the password expires. The directory server sends the warning at each logon. If the user does not modify the password before it expires, then the directory server enforces the modification. This means that the user is locked out until the password is changed by the administrator. For this feature to work, the client application must support it. |
|
Display Name |
Enter the name for this password policy. |
Table A-11 Fields in the Password Policies Account Lockout Tab Page
| Field | Description |
|---|---|
|
Global Lockout Duration |
Enter the number of seconds a user is locked out of the global directory if both of the following are true:
You can set user lockout for a specific duration, or until the administrator resets the user's password. The default value is 24 hours. A user account stays locked even after the lockout duration has passed unless the user binds with the correct password. |
|
Password Maximum Failure |
Enter the number of consecutive failed bind attempts after which a user account is locked. |
|
Password Failure Count Interval |
Enter the number of seconds after which the password failure times are purged from the user entry. |
Table A-12 Fields in the Password Policies IP Lockout Tab Page
| Field | Description |
|---|---|
|
IP Lockout Duration |
Specify the number of seconds you want to enforce account lockout for a specific IP address. |
|
IP Lockout Maximum Failure |
Specify the maximum number of failed logins from a specific IP address after which the account is locked. |
Table A-13 Fields in the Password Policies Password Syntax Tab Page
| Field | Description |
|---|---|
|
Number of Numeric Characters |
Specify the number of numeric characters required in a password. |
|
Number of Passwords in History |
Specify the maximum number of used passwords allowed. |
|
Illegal Password Values |
Enter values that you want disallowed in passwords. |
|
Minimum Number of Characters of Password |
Specify the minimum number of characters required in a password. |
|
Minimum Number of Alphabetic Characters |
Specify the minimum number of alphabetic characters required in a password. |
|
Minimum Number of Special Characters |
Specify the minimum number of characters that are not alphanumeric (special characters), such as |
|
Minimum Number of Uppercase Characters |
Specify the minimum number of uppercase characters required in a password. |
|
Minimum Number of Lowercase Characters |
specify the minimum number of lowercase characters required in a password. |
|
Maximum Number of Repeated Characters |
Specify the maximum number of repeated characters required in a password. |
Table A-14 Fields in the Password Verifier Profile Dialog Box
| Field | Description |
|---|---|
|
Path to Password Verifier Entry |
The full DN of this password verifier entry. Use this to locate a particular password verifier entry. You cannot modify this field. |
|
Password Verifier Entry |
RDN of this password verifier. You cannot modify this field. |
|
Owner |
The DN of the administrator of the verifier entry. You can modify this field. |
|
Application ID |
The unique identifier of the Oracle application. It is generated during application installation. You cannot modify this field. |
|
Oracle Password Parameters |
Parameters containing information for generating this password verifier. Use this field to specify the hashing algorithm for this password verifier. The syntax is: crypto:hashing_algorithm
For example, if you are using the ORCLLM hashing algorithm, then you would enter: crypto:ORCLLM If you are using SASL/MD5, for example, you can enter the following: crypto:SASL/MD5 $ realm:dc=com |
Table A-15 Fields in the New Plug-in Dialog Box, Mandatory Properties tab page
| Field | Description |
|---|---|
|
Plug-in Enable |
Either disabled (default) or enabled. |
|
Plug-in Is Replacement |
Either disabled (default) or enabled. For when_replace timing, select Enable and then set Plug-in Timing to WHEN. |
|
Plug-in Package Name |
Name of the package for this plug-in. |
|
Plug-in Type |
Operational. Operation plug-ins augment existing LDAP operations. The work they perform depends on whether they execute before, after, or in addition to normal directory server operations. See Also: Chapter 32, " Oracle Internet Directory Server Plug-in Framework" |
|
Plug-in Kind |
PL/SQL or Java. |
|
Plug-in LDAP Operation |
One of the following values:
|
|
Plug-in Timing |
One of the following values:
|
Table A-16 Fields in the New Plug-in Diag Box, Optional Properties Tab Page
| Field | Description |
|---|---|
|
Plug-in Class Reload Enabled |
Either enabled (default) or disabled. |
|
Plug-in Version |
Supported plug-in version number. |
|
Plug-in Subscriber DN List |
A semicolon separated DN list that controls if the plug-in takes effect. For example: orclPluginSubscriberDNList=dc=COM,c=us; dc=us,dc=oracle,dc=com;dc=org,dc=us;o=IMC,c=US The target DN of an LDAP operation is included in the list, then the plug-in is invoked. |
|
Plug-in Attribute List |
A list of semicolon-separated attribute names that controls whether the plug-in takes effect. If the target attribute is included in the list, then the plug-in is invoked. Only for ldapcompare and ldapmodify plug-ins. |
|
Plug-in Result Code |
An integer value to specify the LDAP result code. If this value is specified, then plug-in will be invoked only if the LDAP operation is in that result code scenario. Only for the POST plug-in type. |
|
Plug-in Entry Properties |
An LDAP search filter type. For example, if you specify the following, the plug-in is not invoked if the target entry has orclPluginEntryProperties:(&(objectclass=inetorgperson)(sn=Cezanne)) When you click the Browse button, you can filter the entry properties. Using this example, in the Entry Filter dialog box, you would enter inetorgperson and Cezanne as the entry properties criteria. |
|
Plug-in Request Group |
A semicolon-separated group list that controls if the plug-in takes effect. You can use this group to specify who can actually invoke the plug-in For example, if you specify orclpluginrequestgropu:cn=security,cn=groups,dc=oracle,dc=com when you register the plug-in the plug-in will not be invoked unless the LDAP request comes from the person who belongs to the group cn=security,cn=groups,dc=oracle,dc=com. |
|
Plug-in Binary Flex Field |
The custom binary information passed to the Java plug-in. This is a file location, for example, |
|
Flex Fields |
Allows you to create your own custom flex field values. |
Table A-17 Fields in the Edit Plug-in Dialog Box, Mandatory Properties tab page:
| Field | Description |
|---|---|
|
Plug-in Enable |
Either disabled (default) or enabled. |
|
Plug-in Is Replacement |
Either disabled (default) or enabled. For when_replace timing, select Enable and then set Plug-in Timing to WHEN. |
|
Plug-in Package Name |
Name of the package for this plug-in. |
|
Plug-in Type |
Operational. Operation plug-ins augment existing LDAP operations. The work they perform depends on whether they execute before, after, or in addition to normal directory server operations. See Also: Chapter 32, " Oracle Internet Directory Server Plug-in Framework" |
|
Plug-in Kind |
PL/SQL or Java. |
|
Plug-in LDAP Operation |
One of the following values:
|
|
Plug-in Timing |
One of the following values:
|
Table A-18 Fields in the Edit Plug-in Dialog Box, Optional Properties tab page
| Field | Description |
|---|---|
|
Plug-in Class Reload Enabled |
Either enabled (default) or disabled. |
|
Plug-in Version |
Supported plug-in version number. |
|
Plug-in Subscriber DN List |
A semicolon separated DN list that controls if the plug-in takes effect. For example: orclPluginSubscriberDNList=dc=COM,c=us; dc=us,dc=oracle,dc=com;dc=org,dc=us;o=IMC,c=US The target DN of an LDAP operation is included in the list, then the plug-in is invoked. |
|
Plug-in Attribute List |
A list of semicolon-separated attribute names that controls whether the plug-in takes effect. If the target attribute is included in the list, then the plug-in is invoked. Only for ldapcompare and ldapmodify plug-ins. |
|
Plug-in Result Code |
An integer value to specify the LDAP result code. If this value is specified, then plug-in will be invoked only if the LDAP operation is in that result code scenario. Only for the POST plug-in type. |
|
Plug-in Entry Properties |
An LDAP search filter type. For example, if you specify the following, the plug-in is not invoked if the target entry has orclPluginEntryProperties:(&(objectclass=inetorgperson)(sn=Cezanne)) When you click the Browse button, you can filter the entry properties. Using this example, in the Entry Filter dialog box, you would enter inetorgperson and Cezanne as the entry properties criteria. |
|
Plug-in Request Group |
A semicolon-separated group list that controls if the plug-in takes effect. You can use this group to specify who can actually invoke the plug-in For example, if you specify orclpluginrequestgropu:cn=security,cn=groups,dc=oracle,dc=com when you register the plug-in the plug-in will not be invoked unless the LDAP request comes from the person who belongs to the group cn=security,cn=groups,dc=oracle,dc=com. |
|
Plug-in Binary Flex Field |
The custom binary information passed to the Java plug-in. This is a file location, for example, |
|
Flex Fields |
Allows you to create your own custom flex field values. |
Table A-20 Fields in the Replication Server Configuration Set: General Tab Page
Table A-21 Fields in the ASR Agreement Tab Page
| Field | Description |
|---|---|
|
Consumer Replica DN |
This attribute specifies the DN of the replica to identify a consumer in the replication agreement. You cannot modify this attribute. |
|
Excluded Naming Contexts |
This attribute lists all the naming contexts that are excluded from replication on a multimaster replica. It is not applicable to an LDAP-based replica. |
|
HIQ Schedule |
The interval, in minutes, at which the directory replication server repeats the change application process. You can modify this field. |
|
Replication Group Nodes |
For Advanced Replication-based groups, enter the This attribute is not applicable to LDAP-based replication agreements. |
|
Keep LDAP Connection Alive |
This attribute determines whether connections from the directory replication server to the directory server are kept active or established every time the changelog processing is done based on various schedules. You can modify this field. |
|
Replica Agreement ID |
Naming attribute for the replication agreement entry. Values: |
|
Replica Agreement Protocol |
This attribute defines the replication protocol for change propagation to the replica. Values:
|
|
Update Schedule |
This attribute specifies the replication update interval for new changes and those being retried. The value is in minutes. You can modify this field. |
Table A-22 Fields in the Replica Node: General Tab Page
| Attribute | Description |
|---|---|
|
Replica URI |
Contains information in ldapURI format that can be used to open a connection to this replica. |
|
Replica Secondary URI |
Contains the set of ldapURI format addresses that can be used if the |
|
Current Replica State |
A read-only attribute that defines the current state of the replica. Possible values are:
|
|
Replica State |
Specifies the desired state of the replica. Possible values are:
|
|
Replica Type |
Defines the type of replica such as read-only or read/write. Possible values:
|
Table A-23 Columns in the Replica Agreements Tab Page
| Column | Description |
|---|---|
|
Consumer Replica DN |
This attribute specifies the DN of the replica to identify a consumer in the replication agreement. You cannot modify this field. |
|
HIQ Schedule |
The interval, in minutes, at which the directory replication server repeats the change application process. You can modify this field. |
|
Keep LDAP Connection Alive |
This attribute determines whether connections from the directory replication server to the directory server are kept active or established every time the changelog processing is done based on various schedules. You can modify this field. |
|
Last Applied Change Number |
This attribute indicates the status of the consumer replica with respect to the supplier in an LDAP-based replication agreement. This attribute is not applicable for Advanced Replication-based agreements. |
|
Replica Agreement ID |
Naming attribute for the replication agreement entry. |
|
Replication Protocol |
This attribute defines the replication protocol for change propagation to the replica. Values:
|
|
Update Schedule |
This attribute defines the replication update interval for new changes and those being retried. The value is in minutes. You can modify this field. |
Table A-24 Fields in the Replica Agreement: Replica Naming Context Tab Page
| Field | Description |
|---|---|
|
Excluded Attributes |
For partial replication only. Within the included naming context, an attribute to be excluded from replication. This is a multivalued attribute. |
|
Excluded Naming Contexts |
The root of a subtree to be excluded from replication. This is a multivalued attribute. You can modify this field. For LDAP-based replication, from within the naming context specified in the For replication agreements based on Advanced Replication, you can specify one or more subtrees to be excluded from replication. |
|
Included Naming Contexts |
The naming context included in a partial replica. This is a single valued attribute. For each naming context object, you can specify only one unique subtree. In partial replication, except for subtrees listed in the Note: Only LDAP-based replication agreements respect this attribute to define one or more partial replicas. If this attribute contains any values in an Advanced Replication-based replication agreement, then it is ignored. You can modify this attribute. |
|
Synchronize Filter |
This check box appears only if this is a two-way replica agreement. When the check box is selected (the default) the configuration is the same in both directions. When this check box is not selected, an additional Naming Context tab page appears. The new page allows you to separately configure the naming context in the other direction. |
Table A-25 Fields in the NewReplica Agreement: Naming Context Tab Page
| Field | Description |
|---|---|
|
Excluded Attributes |
For partial replication only. Within the included naming context, an attribute to be excluded from replication. This is a multivalued attribute. |
|
Excluded Naming Contexts |
The root of a subtree to be excluded from replication. This is a multivalued attribute. You can modify this field. For LDAP-based replication, from within the naming context specified in the For replication agreements based on Advanced Replication, you can specify one or more subtrees to be excluded from replication. |
|
Included Naming Contexts |
The naming context included in a partial replica. This is a single valued attribute. For each naming context object, you can specify only one unique subtree. In partial replication, except for subtrees listed in the Note: Only LDAP-based replication agreements respect this attribute to define one or more partial replicas. If this attribute contains any values in an Advanced Replication-based replication agreement, then it is ignored. |
Table A-26 Columns in the Replica Agreement: Window
| Column | Description |
|---|---|
|
Agreement Type |
A read-only field. Possible values are:
|
|
Consumer Replica DN |
This attribute specifies the DN of the replica to identify a consumer in the replication agreement. You cannot modify this field. |
|
Excluded Naming Contexts |
This attribute lists all the naming contexts that are excluded from replication on a multimaster replica. It is not applicable to an LDAP-based replica. |
|
HIQ Schedule |
The interval, in minutes, at which the directory replication server repeats the change application process. You can modify this field. |
|
Included Naming Contexts |
This attribute is required to list all the naming contexts that are included on the partial replica. Note: Only LDAP-based replication agreements respect these attributes to define partial replicas. If this attribute contains any values in an Oracle Database Advanced Replication-based agreement, then it will be ignored. You can modify this field. |
|
Keep LDAP Connection Alive |
This attribute determines whether connections from the directory replication server to the directory server are kept active or established every time the changelog processing is done based on various schedules. You can modify this field. |
|
Replica Agreement ID |
Naming attribute for the replication agreement entry. |
|
Replica Agreement Protocol |
This attribute defines the replication protocol for change propagation to the replica. Values:
|
|
Update Schedule |
This attribute specifies the replication update interval for new changes and those being retried. The value is in minutes. You can modify this field. |
|
Replication Status |
For a one-way agreement type, this table shows one row of data. For a two-way agreement type, it shows two rows of data. The table indicates the supplier and consumer nodes, the last applied change, and the last transported change. |
Table A-27 Fields in the Change Log Window
| Field | Description |
|---|---|
|
Change Log Number |
The unique identifier of this change |
|
Change Log Operation |
The type of operation that this change effected--for example, add, modify, delete, compare |
|
Change Log Target DN |
The DN of the entry upon which this change was effected |
|
Change Log Target DN Changes |
The changes made to the entry |
|
Change Retry Count |
The number of attempts to apply this change to another node in a replicated environment |
|
Modifier's Name |
The name of the user who effected the change |
|
Operation Time |
The time at which the change took place |
|
Orcl GUID |
The global unique identifier of the entry on which the change is made |
|
Orcl Parent GUID |
The global unique identifier of the parent of the entry on which the change is made |
|
Server Name |
The name of the server from which the change was issued |
This section contains these topics:
Table A-28 Object Class Properties Listed in Searches in Oracle Directory Manager
| Option | Description |
|---|---|
|
Name of the object class for which you are searching. For example, the phrase |
|
|
Object identifier for the object class for which you are searching. For example, the phrase The object identifier is a standardized numerical sequence based on IETF standards. It must be unique, and should comply with the system established within your organization. Normally it is derived from the identifier assigned by registration agencies, such as ANSI or ISO. |
|
|
Word in the description field. For example, the phrase |
|
|
Type of object class for which you are searching, whether abstract, structural, or auxiliary |
|
|
Class from which the object class for which you are searching is derived. Clicking Add displays the Super Class Selector dialog box from which you can select the superclass(es) you want to add. |
|
|
Mandatory attributes of the object class for which you are searching. For example, the phrase |
|
|
Optional attributes of the object class for which you are searching |
Table A-29 Search Filters for Object Classes
| Filter | Description |
|---|---|
|
Searches by using only the first few characters of the property of the object class for which you are searching. For example, the phrase |
|
|
Searches by using only the last few characters of the property of the object class for which you are searching. For example, the phrase |
|
|
Contains |
Searches for object classes in which the property you selected includes, but is not necessarily limited to, the value you enter. For example, the phrase |
|
Searches for an object class in which the property you selected is exactly the same as the value you enter. For example, the phrase |
|
|
Searches for an object class in which the property you selected is numerically or alphabetically greater than or equal to the value you enter. For example, the phrase |
|
|
Searches for an object class in which the property you selected is numerically or alphabetically less than or equal to the value you enter. For example, the phrase |
|
|
Searches for all object classes in which the property you selected is present. For example, the phrase |
Table A-30 Buttons Used in Searches for Object Classes in Oracle Directory Manager
| Button | Description |
|---|---|
|
New |
Creates a new search criteria bar in the Criteria field. This button is enabled only when the Criteria bar has been deleted. |
|
And |
Creates another search criteria bar in the Criteria field. Matches all object classes having one specified criterion with those that also have another specified criterion. |
|
Or |
Creates another search criteria bar in the Criteria field. Matches all object classes with either one specified attribute or another. |
|
Not |
Negates the criterion in the selected search criteria bar and retrieves all object classes that do not have the specified criterion. |
|
Delete |
Deletes a selected search criteria bar |
Table A-31 Fields in the New Object Class Dialog Box
| Option | Description |
|---|---|
|
Name of the object class. |
|
|
Object identifier. This is a standardized numerical sequence based on IETF standards. It must be unique, and should comply with the system established within your organization. Normally it is derived from the identifier assigned by registration agencies, such as ANSI or ISO. |
|
|
Use this optional field for your information only. |
|
|
Type of object class: Abstract, Structural, Auxiliary, None. |
|
|
Class(es) from which to derive this object class. This object class will inherit all the attributes of the superclass(es) you select. Every structural object class must have top as one of its superclasses. Clicking Add displays the Super Class Selector dialog box from which you can select the superclass(es) you want to add. |
|
|
Attributes for which values must be entered. Clicking Add displays the Mandatory Attributes Selector dialog box from which you can select the mandatory attributes you want to add. |
|
|
Attributes for which values are not required. Clicking Add displays the Optional Attributes Selector dialog box from which you can select the optional attributes you want to add. |
Table A-32 Columns in the Attributes Tab Page in Oracle Directory Manager
| Column | Description |
|---|---|
|
Name |
The standardized attribute type names |
|
Indexed |
Check boxes indicating whether attributes are indexed |
|
Object ID |
Standardized object identifier for each attribute |
|
Description |
Words describing each attribute |
|
Syntax |
The standardized rules for data entry applicable to each attribute type |
|
Size |
Maximum size allowed for each object |
|
Usage |
Standards specifying how the attribute can be used. There are four options:
|
|
Ordering |
Standards specifying how precedence is established for values |
|
Equality |
Standards specifying how equality is determined in compare and search operations |
|
Substring |
Regular expression matching string |
|
Single Value |
Attribute types containing a maximum of one value |
|
Super |
Super attribute for each attribute |
Table A-33 Search Filters for Attributes
| Option | Description |
|---|---|
|
Begins With |
Searches by using only the first few characters of the property's value. For example, the phrase |
|
Ends With |
Searches by using only the last few characters of the property's value. For example, the phrase |
|
Contains |
Searches for attributes that include the property with the value you enter. For example, the phrase |
|
Exact Match |
Searches for a value that is exactly the same as that found in the attribute property you specified. For example, the phrase |
|
Greater or Equal |
Searches for an attribute that has a property that is numerically or alphabetically greater than or equal to the value you enter. For example, the phrase |
|
Less or Equal |
Searches for an attribute that has a property that is numerically or alphabetically less than or equal to the value you enter. For example, the phrase |
|
Not Null |
Searches for all attributes in which the attribute property you selected is present. For example, the phrase |
Table A-34 Buttons in Searches for Attributes in Oracle Directory Manager
| Button | Description |
|---|---|
|
New |
Creates a new search criteria bar in the Criteria field. This button is enabled only when the Criteria field is empty. |
|
And |
Creates another search criteria bar in the Criteria field. Matches all attributes with one specified property with those that also have another specified property. |
|
Or |
Creates another search criteria bar in the Criteria field. Matches all attributes with either one specified property or another. |
|
Not |
Negates the criteria in the selected search criteria bar and matches all attributes that do not have the property specified. |
|
Delete |
Deletes a selected search criteria bar |
Table A-35 Fields in the General Tab Page of the New Attribute Type Dialog
| Field | Description |
|---|---|
|
Name |
Name for this attribute |
|
Object ID |
Object ID for this attribute. The Object ID is a standardized numerical sequence based on IETF standards. It must be unique. Normally this is derived from the identifier assigned by registration agencies, such as ANSI or ISO. For an explanation of the standard identifiers, see the current LDAP standards available through the IETF Web site at |
|
Description |
Optional field for your information only |
|
Syntax |
Standardized rules for data entry applicable to this attribute type |
|
Size |
Maximum size allowed for this object |
|
Single Value |
Indicator that this attribute type contains a maximum of one value. |
Table A-36 Fields in the Advanced Tab Page of the New Attribute Type Dialog
| Field | Description |
|---|---|
|
Indexed |
Select this box to add the attribute to the index, thereby making it available for use in a search. Only those attributes that have an equality matching rule can be indexed. |
|
Usage |
Specify standards for how the attribute can be used. Options are:
|
|
Ordering |
Specify standards for how precedence is established for values. |
|
Equality |
Specify standards for how equality is determined in compare and search operations. |
|
Substring |
Specify the matching rule. |
|
Super |
Add the super attribute for this attribute. To do this:
To delete a super attribute from the Super field, select it, then choose Delete. |
Table A-38 Fields in the New Content Rule Dialog Box
| Field | Description |
|---|---|
|
Structural Object Class |
The name of the structural object class to which you want to assign this content rule |
|
Object ID |
The unique identifier of the content rule you are creating |
|
Label |
A descriptive friendly name of this content rule |
|
Auxiliary Classes |
The auxiliary object classes whose attributes you want to associate with the specified structural object class. To specify an auxiliary class:
|
|
Mandatory Attributes |
The mandatory attributes you want to associate with the specified structural object class. To specify a mandatory attribute:
|
|
Optional Attributes |
The optional attributes you want to associate with the specified structural object class. To specify an optional attribute:
|
Table A-39 Fields in the Content Rule Dialog Box
| Field | Description |
|---|---|
|
Structural Object Class |
The name of the structural object class to which you want to assign this content rule |
|
Object ID |
The unique identifier of the content rule you are creating |
|
Label |
A descriptive friendly name of this content rule |
|
Auxiliary Classes |
The auxiliary object classes whose attributes you want to associate with the specified structural object class. To specify an auxiliary class:
|
|
Mandatory Attributes |
The mandatory attributes you want to associate with the specified structural object class. To specify a mandatory attribute:
|
|
Optional Attributes |
The optional attributes you want to associate with the specified structural object class. To specify an optional attribute:
|
This section contains these topics:
System Operational Attributes Fields in Oracle Directory Manager
Super, Guest, and Proxy User Fields in Oracle Directory Manager
Table A-40 Fields in the Configuration Sets Dialog Box: General Tab Page
Table A-41 Fields in the Configuration Sets: SSL Settings Tab Page
| Field | Description |
|---|---|
|
SSL Authentication |
Choose one of the following:
|
|
SSL Enable |
Choose one of the following:
|
|
SSL Wallet URL |
Type the location of the server-side SSL wallet. If you elect to change the location of the wallet, you must change this parameter. You must set the wallet location on both the client and the server. For example, on UNIX, you could set this parameter as follows: file:/home/my_dir/my_wallet On Microsoft Windows, you could set this parameter as follows: file:C:\my_dir\my_wallet |
|
SSL Port |
The default SSL port is 636. You can change the SSL port. |
Table A-42 System Operation Attributes Displayed in Oracle Directory Manager
| Field | Description | Default Value | Modifiable? |
|---|---|---|---|
|
Allow Anonymous Binds |
Indicator of whether anonymous binds are allowed or not. If set to |
1 |
Yes |
|
Alternate Server |
When connectivity to the local server is lost, clients have the option of accessing one of the servers listed in this attribute. Specify other Oracle directory servers in the system that have the same set of naming contexts as that of the local server. The format is: ldap://host_name:port_number See Also: "Setting the Alternate Server List by Using Oracle Directory Manager" in Oracle Application Server High Availability Guide |
None |
Yes |
|
DN of the entry holding the top of the naming context in this server |
|
No |
|
|
Critical Event Level |
Specify critical events related to security and system resources that you want recorded. Please note that for events other than super user, proxy and replication login, the value of the See Also: "Configuring Critical Events" for a list of critical events that can be monitored |
0 |
Yes |
|
DIP Repository |
Used by the directory replication server, and indicates whether change logs are to be generated in the consumer node for the Oracle directory integration and provisioning server to consume. |
FALSE |
Yes |
|
The version or release of Oracle Internet Directory that you are using |
9.0.4.0.0 |
No |
|
|
Specify whether entry caching, described in "Entry Caching", is enabled. The value for enabled is 1; the value for disabled is |
1 |
Yes |
|
|
Enable Group Cache |
The cache of privilege groups and ACL groups in the directory server. Using this cache improves the performance of access control evaluation for users when privilege and ACP groups are used in ACI. Use the group cache when a privilege group membership does not change frequently. If a privilege group membership does change frequently, then it is best to turn off the group cache. This is because, in such a case, computing a group cache increases overhead. |
1 |
Yes |
|
Enable Match DN Processing |
If the base DN of a search request is not found, then the directory server returns the nearest DN that matches the specified base DN. Whether the directory server tries to find the nearest match DN is controlled by this attribute. If set to 1, then match DN processing is enabled. If set to |
1 |
Yes |
|
Enable Statistics Gathering |
Indicator of whether you want to enable or disable the Oracle Internet Directory Server Manageability framework. To enable, set this to |
0 |
Yes |
|
Entry Cache Size in Bytes |
The maximum number of bytes of RAM that the entry cache can use. |
100M |
Yes |
|
Specify the DN for the file containing all indexed attributes |
|
No |
|
|
Maximum Entries in Entry Cache |
Specify the maximum number of entries that can be present in the entry cache. |
25,000 |
Yes |
|
Maximum TCP Connection Idle Time |
Specify how long the server should keep an idle connection open before closing it. |
120 |
|
|
Naming Contexts |
Specify the topmost DNs of naming contexts in this server that you want to publish. You must have super user privileges to publish a DN as a naming context. |
None |
Yes |
|
Hash algorithm for encrypting the password. Options are:
|
MD4 |
Yes |
|
|
DN of the entry holding the Instance Registry in this server |
|
No |
|
|
Maximum number of entries to be returned by a search |
1000 |
Yes |
|
|
Replica ID |
Unique identifier of a node in a replication agreement |
||
|
DN of the entry holding the replication agreement |
|
No |
|
|
DN of the entry holding the change log in this server |
|
No |
|
|
DN of the entry holding the change status in this server |
|
No |
|
|
DN of the schema |
|
No |
|
|
Indicator of whether data can be written to the server. You can change this value to either read/write or read-only. Change the default to read-only during replication process. |
read/write |
Choices are Read/Write, Read/Modify and Read-Only |
|
|
Maximum amount of time, in seconds, allowed for a search to be completed |
3600 |
Yes |
|
|
Simple Modify Changelog Attribute |
In a multimaster replication group, resolving conflicts for changes in some attribute values can require considerable resources. You can avoid this performance degradation by specifying those attributes in this field. When you specify attributes in this field, any changes to the values of those attributes are reflected in the change log. However, in a multimaster replication group, conflict resolution for those attributes is turned off. |
uniquemember member |
Yes |
|
Statistics Collection Interval |
Specify how often you want to gather sample statistics—that is, the number of minutes in the interval. Set this to 1 or more minutes. |
|
Yes |
|
Statistics Level |
Specify whether you want to enable or disable the Oracle Internet Directory Server Manageability framework. To enable, set this to |
0 |
Yes |
|
Supported Control List |
Enter extension information for any LDAP operation. The control types supported by Oracle Internet Directory are listed as values of the |
|
No |
|
Supported Extension |
The unique identifiers of proprietary extensions to LDAP operations that are supported in this release of Oracle Internet Directory. In Release 9.0.4, there is one extended operation. It enables a plug-in using a PL/SQL package in the database to bind to the directory server. |
2.16.840.1.113894.1.9.1 |
No |
|
Supported LDAP Version |
LDAP version that Oracle Internet Directory supports |
|
No |
|
Supported SASL Mechanisms |
Some clients can use the Simple Authentication and Security Layer (SASL). This field indicates the authentication mechanisms supported by the directory server. See Also: "Authentication by Using Simple Authentication and Security Layer (SASL)" |
|
No |
|
Upgrade in Progress |
Reserved for upgrade |
FALSE |
No |
Table A-43 Fields in the System Passwords Tab Page
| Field | Description |
|---|---|
|
Super User Name |
Type the super user name, or choose Browse to search for it. The default is |
|
Super User Password |
Type the super user password. The default is the same as the password you specified for the Oracle Application Server administrator (ias_admin) during installation. You should change this password immediately. |
|
Guest Login Name |
Type the guest login name, or choose Browse to search for it. Guests have privileges determined by the access control list (ACL) in the directory. The default is |
|
Guest Login Password |
Type the guest login password. The default is |
|
Proxy Login Name |
Type the proxy login name, or choose Browse to search for it. Proxy users have privileges determined by the ACPs in the directory. The default is |
|
Proxy Login Password |
Type the proxy login password. The default is |
Table A-44 Fields in the Query Optimization Tab Page
| Field | Description |
|---|---|
|
Trigger Dynamic Group Cache Refresh |
Select to force a refresh of the dynamic group cache. |
|
Skip Referral Process |
Select to skip referral in SQL generated for searches. If there are no referral entries in the directory; skipping referral will help optimizing search performance. |
|
Force Flush Debug Messages |
Select to enable debug messages to be written to the log file when a message is logged by the directory server. This feature is disabled by default. |
|
Maximum Number of Cached Users Group Connection |
Specifies the number of connection DNs whose privileged groups can be cached. The default value is 25000 identities (connection DNs). Increase the value if your installation has more than 25000 users. |
|
Maximum Number of Cached Search Entries in BER |
Specifies the maximum allowed BER entry. When searching a subtree, the server does not write to the client until this number of entries have been processed. By default this value is 5. If the entries are larger than 8000 bytes, then reduce this value to 1. |
|
Maximum Time for OID Server to Read/Write to LDAP Client |
Specifies, in seconds, the network read/write time out. When an LDAP client initiates an operation, then does not respond to the server for this number of seconds, the server closes the connection. The default is 300 seconds. |
|
Maximum Entry Size in Cache |
Specifies, in bytes, the upper size limit of entries stored in the cache. The default is 5000--that is, 5 kilobytes. |
|
Monitored Users' DNs |
Specifies the list of user DNs for which to track LDAP operations. |
|
Level for Security Events Tracking |
Specifies levels of bind and compare information collection. Possible levels are:
Bind and Compare levels may be added. For example, 18 specifies Bind DN and IP address, plus Compare DN, IP address and failure details. |
|
Maximum RAM Space Used to Track Security Events |
Specifies the maximum memory, in bytes, that is used to track security events. The default is 100 megabytes. |
|
PKI Mapping/Matching Rule |
Specifies the matching rule for mapping a user's PKI certificate DN to the user's entry DN in Oracle Internet Directory. The following matching rule values are allowed:
|
|
Dump Flags |
Dump Flags |
|
LDAP Connection Timeout |
Enter the maximum number of seconds that the directory client can remain idle before terminating the connection. The default is |
|
Time Limit Mode |
To adjust server performance, set the search time limit to be either accurate or approximate. If you specify it as accurate, then searches end precisely at the specified number of seconds. If you specify it as approximate, then searches end within a few seconds of the specified number of seconds. In smaller workloads, specifying it as approximate provides better performance. |
|
Attributes with Low Cardinality |
Enter the attributes you want to designate as skewed. See Also: "Optimizing Searches" for a discussion of skewed attributes |
Table A-45 Search Filters for Entries
| Filter | Description |
|---|---|
|
Begins With |
Searches by using only the first few characters of the attribute's value. For example, |
|
Ends With |
Searches for an entry by using only the last few characters of the specified attribute's value. For example, |
|
Contains |
Searches for an entry in which the attribute you specified includes, but is not necessarily limited to, the value you enter. For example, |
|
Searches for an entry whose specified attribute is the same as the value you enter. For example, c |
|
|
Searches for an entry in which the specified attribute is numerically or alphabetically greater than or equal to the value you enter. For example, |
|
|
Searches for entries in which the specified attribute is numerically or alphabetically less than or equal to the value you enter. For example, |
|
|
Determines if an entry with the specified attribute is present at that level of the tree. You do not need to enter a value to use this relationship. The phrase |
Table A-46 Buttons Used in Searches for Entries
| Button | Description |
|---|---|
|
New |
Creates a new search criteria bar in the Criteria field. This button is enabled only when the Criteria field is empty. |
|
And |
Creates another search criteria bar in the Criteria field. Matches all entries with one specified attribute with those that also have another specified attribute. For example, |
|
Or |
Creates another search criteria bar in the Criteria field. Matches all entries with either one specified attribute or another. For example, |
|
Not |
Negates the criterion in the selected search criteria bar and retrieves all entries that do not have the specified criterion. For example, |
|
Delete |
Deletes a selected search criteria bar |
|
Advanced |
Adds a search criteria bar when including attribute options in the search. Use this syntax: attribute For example, Note: Before an attribute option can be used in searches, the parent attribute of that attribute option must be indexed. For example, in the case of the attribute option See Also: |
Table A-47 Fields in the SSL Settings Tab Page
| Field | Description |
|---|---|
|
SSL Authentication |
Choose one of the following:
|
|
SSL Enable |
Choose one of the following:
|
|
SSL Wallet URL |
Type the location of the server-side SSL wallet. If you elect to change the location of the wallet, you must change this parameter. You must set the wallet location on both the client and the server. For example, on UNIX, you could set this parameter as follows: file:/home/my_dir/my_wallet On Microsoft Windows, you could set this parameter as follows: file:C:\my_dir\my_wallet |
|
SSL Port |
The default SSL port is 636. You can change the SSL port. |
This section describes the fields in Oracle Directory Manager for administering directory synchronization. These are fields for registering a directory integration profile
Table A-48 Fields on the General Tab Page for Synchronization in Oracle Directory Manager
| Field | Description |
|---|---|
|
Profile Name |
Specify the name of the Profile. The name you enter is used as the RDN component of the DN for this integration profile. For example, specifying a profile name This field is mandatory. There is no default. |
|
Synchronization Mode |
Specify whether this is an import or an export operation. An import operation pulls changes from a connected directory into Oracle Internet Directory. An export operation pushes changes from Oracle Internet Directory into a connected directory. This field is mandatory. The default is |
|
Profile Status |
Specify whether the profile is enabled or disabled. This field is mandatory. The default is |
|
Profile Password |
Specify the password that directory integration server is to use when binding to Oracle Internet Directory on behalf of the profile. This field is mandatory and the default is |
|
Scheduling Interval |
Specify the number of seconds between synchronization attempts between a connected directory and Oracle Internet Directory. This field is mandatory. The default is |
|
Maximum Number of Retries |
Specify the maximum number of times the directory integration server is to attempt synchronization before it disables synchronization. This field is mandatory. The default is 5. The first retry takes place 1 minute after the first failure. The second retry happens 2 minutes after the second failure, and subsequently the retry takes place n minutes after the n-th failure. |
|
Profile Version |
Version of Oracle Directory Integration Platform with which this profile was created. |
Table A-49 Fields on the Execution Tab for Synchronization in Oracle Directory Manager
| Field | Description |
|---|---|
|
Agent Execution Command |
Specify the agent executable name and the arguments used by the directory integration server to execute the agent. This field is optional. There is no default. A typical execution command is of the form, odicmd user=%orclodipcondirAccessAccount pass=%orclodipcondiraccesspassword Where user=%orclodipcondirAccessAccount pass=%orclodipcondiraccesspassword are the command-line arguments. The value to be passed for the user is derived from the attribute A typical example is given in the Oracle Human Resources agent. |
|
Connected Directory Account |
Specify the account to be used by the connector/agent for accessing the connected directory. For example, if the connected directory is a database, then the account might be This field is optional. There is no default. |
|
Connected Directory Account Password |
Specify the password the connector/agent is to use when accessing the connected directory. This field is optional. There is no default. |
|
Additional Config Info |
This field displays additional information that the directory integration server passes to an agent. You cannot modify this field through Oracle Directory Manager. The only way to modify it is to use ldapuploadagentfile.sh. There is no default. |
|
Connected Directory URL |
Connect details required to connect to the connected directory. This parameter refers to the host name and port number as To connect by using SSL, enter Make sure the certificate to connect to the directory is stored in the wallet, the location of which is specified in the file Note: To connect to SunONE Directory Server by using SSL, the server certificate needs to be loaded into the wallet. See Also: The chapter on Oracle Wallet Manager in Oracle Advanced Security Administrator's Guide |
|
Interface Type |
The format used by the import or export file. Options are |
Table A-50 Fields on the Mapping Tab Page for Synchronization in Oracle Directory Manager
| Field | Description |
|---|---|
|
Mapping Rules |
This field displays the mapping rules for converting data between a connected directory and Oracle Internet Directory. There is no default. Note: You cannot edit the mapping rules file by using Oracle Directory Manager. You edit the mapping rules in a file manually and then upload it to the profile by using |
|
Connected Directory Matching Filter |
Specify the attribute that uniquely identifies an entry in the connected directory. |
|
OID Matching Filter |
Specify the attribute that uniquely identifies records in Oracle Internet Directory. This attribute is used as a key to synchronize Oracle Internet Directory and the connected directory. This field is optional. |
Table A-51 Fields on the Status Tab Page for Synchronization in Oracle Directory Manager
| Field | Description |
|---|---|
|
OID Last Applied Change Number (Import operations only) |
For export operations, specify the identifier of the last change from Oracle Internet Directory that has been applied to the connected directory. The default is |
|
Last Execution Time |
The most recent absolute time that the agent was executed. The default is the time at which the connector is created. Modifying this field will be misleading. |
|
Last Successful Execution Time |
The most recent absolute time that the agent succeeded. The default is the time at which the connector is created. Modifying this field will be misleading. |
|
Synchronization Status |
Synchronization success/failure. |
|
Synchronization Errors |
The last error message. You cannot modify this field. There is no default. |
|
Last Applied Change Number (Export operations only) |
The number of the change log entry that was most recently applied successfully to the connected directory. The field can be consciously modified by the end user whenever appropriate. The profile should be in the disabled mode. If the number is increased, then any change log entries numbered between the original value and the new value will not be applied. |
Table A-52 Fields on the Server Chaining Management Window (for Active Directory or iPlanet)
| Field | Description |
|---|---|
|
Enable Authentication |
Enable external authentication capability. |
|
Enable Modification |
Enable external modification capability. |
|
Enable Search |
Enable external search capability. |
|
User Container |
The user container in the external directory from which to perform the user search operation. |
|
Target User Container |
The user container in Oracle Internet Directory in which the external users reside. |
|
Group Container |
The group container in the external directory from which to perform the group search operation. |
|
Target Group Container |
The group container in the external directory from which to perform the group search operation. |
|
Host |
The host name of the external directory host. This is a single value attribute |
|
Port |
The port number of the external directory host. The default value is 389 |
|
Login User DN |
The DN in the external directory. Server chaining will bind against the external directory using this identity to perform search and modify operations. This identity must have sufficient privilege to perform the operation. |
|
Login User Password |
The password for the DN of the external directory. |
|
Attribute Mapping |
Specifies each attribute mapping between the external directory and Oracle Internet Directory. For example, to map the eMail attribute from the target directory to the mail attribute in Oracle Internet Directory, set this attribute to: OID Attribute: mail, Target Directory Attribute: eMail |
