Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01
Directory server chaining is a new feature of Oracle Internet Directory, introduced at 10g (10.1.4.0.1). It was implemented using the new Java Plug-in framework.
Server chaining enables you to map entries that reside in third party LDAP directories to part of the directory tree and access them through Oracle Internet Directory, without synchronization or data migration. With server chaining, you can use Oracle Internet Directory's authorization framework when identity data resides outside of Oracle Internet Directory.
Server chaining does not replace Oracle Directory Integration Platform. Rather, it offers complementary functionality to Oracle Directory Integration Platform.
Server chaining is different from a virtual directory. A virtual directory, such as Oracle Virtual Directory, is a flexible virtualization layer between multiple identity repositories and applications. It offers complementary services to identity synchronization and directory servers. With a virtual directory, organizations can create consolidated, logical or virtual views of data that may span multiple directories and databases.
Server chaining is a simpler, more flexible solution, embedded in the Oracle Internet Directory server, and particularly suited to OracleAS Single Sign-On, OracleAS Portal, Oracle Delegated Administration Services and Enterprise User Security customers. It is easier to administer and upgrade. It also provides Oracle Internet Directory's authorization framework without extra configuration steps.
Oracle Internet Directory server chaining supports the following external servers:
Microsoft Active Directory
Sun Java System Directory Server, formerly known as SunONE iPlanet
An implementation of Oracle Internet Directory can connect with one Active Directory server, one Sun Java System Directory Server, or with both.
The following products have been integrated with Oracle Internet Directory server chaining:
Oracle Application Server Single Sign-On
Enterprise User Security
When server chaining is enabled, a user from the external directory can:
Log in through OracleAS Single Sign-On
Oracle Internet Directory server chaining enables you to implement Enterprise User Security without synchronizing identity data with Oracle Internet Directory. Your identity data remains in the external repository and Oracle Internet Directory's data store contains only server chaining metadata.
With Sun Java System Directory Server as the external directory, server chaining supports password-based authentication with Enterprise User Security. With Active Directory as the external directory, server chaining supports Kerberos-based authentication with Enterprise User Security. The external users can log in to Oracle Database once the Enterprise User Security authentication setup is completed.
See Also: Oracle Database Enterprise User Administrator's Guide for more information on configuring Enterprise User Security for password authentication and Kerberos authentication.
Server chaining supports the following operations:
Bind
Compare
Modify
Search
The compare, modify, and search operations can be enabled or disabled by setting configuration parameters.
When an Oracle Internet Directory client application issues an LDAP search request, Oracle Internet Directory integrates the search results from its own data and the external directories.
When an Oracle Internet Directory client application issues an LDAP bind, compare, or modify request, Oracle Internet Directory redirects the request to the external directory.
In 10g (10.1.4.0.1), the compare operation is only supported for the userpassword attribute.
In 10g (10.1.4.0.1), attribute modification is supported in two cases:
The external attribute has the same name as the Oracle Internet Directory attribute. This is true for most standard LDAP attributes.
The external attribute is mapped to an Oracle Internet Directory attribute, and neither the external nor the Oracle Internet Directory attribute is an operational attribute.
Note: You cannot modify an Active Directory user password from Oracle Internet Directory through server chaining.
If you use server chaining in a replication environment, set it up on all nodes so that the entries remain consistent across nodes. Configure server chaining so that the mapped external directories are the same for all the replicated nodes.
Oracle Internet Directory is shipped with disabled sample server chaining entries.
For Active Directory, the DN for the server chaining entry is
cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
For Sun Java System Directory Server, the entry DN is
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
You configure server chaining by customizing these entries for your environment and enabling them. You can do this either from the command line or by using Oracle Directory Manager.
Perform the following steps to configure server chaining from the command line:
Create an LDIF file to manually add the user and group containers. To determine the DNs for these containers, see the section Requirements for User and Group Containers. For example, if your user search base is cn=users,dc=us,dc=oracle,dc=com, and the group search base is cn=groups,dc=us,dc=oracle,dc=com, then you would use the following entries in your LDIF file:
dn: cn=AD,cn=users,dc=us,dc=oracle,dc=com
cn: AD
objectclass: orclcontainer
objectclass: top

dn: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
cn: iPlanet
objectclass: orclcontainer
objectclass: top

dn: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
cn: AD
objectclass: orclcontainer
objectclass: top

dn: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
cn: iPlanet
objectclass: orclcontainer
objectclass: top
Use ldapadd and the LDIF file you just created to add the entries:
ldapadd -p port -h host -D "binddn" -w password -v -f container_ldif_file_name
Create another LDIF file to modify and enable the server chaining configuration entries. For example LDIF files, see "Active Directory Example" and "Sun Java System Directory Server (iPlanet) Example". A table of attributes is provided in "Server Chaining Configuration Entries". Attribute mapping is explained in Attribute Mapping.
Modify the server chaining configuration entries using the ldapmodify command and the LDIF file you just created. Use a command line of the form:
ldapmodify -p port -h host -D "binddn" -w password -v -f entry_ldif_file_name
Oracle Directory Manager provides a convenient interface for modifying the Oracle Internet Directory server chaining configuration entries. To configure server chaining by using Oracle Directory Manager, perform the following steps:
In the navigator pane, expand Oracle Internet Directory Servers, then directory server instance.
Select Server Chaining. The Server Chaining Management window appears in the right pane.
To modify a server chaining configuration entry, select it, then choose Edit. The Server Chaining Management Window for iPlanet (Sun Java System Directory Server) or Active Directory appears.
Click Apply to enable the configuration changes.
See Table A-52 or the online help for descriptions of the fields in the Server Chaining Management Window. Most of the fields correspond with attributes described in Configuration Entry Attributes.
The next section, Requirements for User and Group Containers, provides additional information about the External User Container and External Group Container fields. Attribute mapping is explained in Attribute Mapping.
The target user and group containers must be under the Oracle Internet Directory search base in order to work with OracleAS Portal, OracleAS Single Sign-On, and Oracle Delegated Administration Services. Use the container names cn=AD for Active Directory and cn=iPlanet for Sun Java System Directory Server (iPlanet). For example, if your user search base is:
cn=users,dc=us,dc=oracle,dc=com
you would use
cn=AD,cn=users,dc=us,dc=oracle,dc=com
as the target user container for the Active Directory users or
cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
as the target user container for the Sun Java System Directory Server users. Similarly, if your group search base is:
cn=groups,dc=us,dc=oracle,dc=com
you would use
cn=AD,cn=groups,dc=us,dc=oracle,dc=com
as the target container for the Active Directory groups or
cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
as the target container for the Sun Java System Directory Server groups.
The target user and group containers exist only for the external directories. All the users and groups that appear under these nodes are populated by the external directories. Do not add entries under these containers directly from Oracle Internet Directory.
If an attribute in an external directory and an Oracle Internet Directory attribute are the same, then no mapping is required. Server chaining performs some attribute mapping by default. The default mapping list is as follows:
Table 28-1 Default Attribute Mapping to Active Directory
Oracle Internet Directory Attribute | Active Directory Attribute |
---|---|
orclguid | objectGUID |
uid | name |
orclsamaccountname | samaccountname |
krbprincipalname | userprincipalname |
Table 28-2 Default Attribute Mapping to Sun Java System Directory Server
Oracle Internet Directory Attribute | Sun Java System Directory Server Attribute |
---|---|
orclguid | nsuniqueid |
authpassword | userpassword |
krbprincipalname | |
The following objects cannot be mapped:
Operational attributes
Object classes
Oracle Internet Directory-specific attributes. These attributes typically have names starting with orcl.
Table 28-3 lists the configuration entry attributes for server chaining.
Table 28-3 Configuration Entry Attributes for Server Chaining
Attribute | Required | Description |
---|---|---|
orclOIDSCExtHost | Yes | The host name of the external directory host. This is a single value attribute. |
orclOIDSCExtPort | Yes | The port number of the external directory host. This is a single value attribute. The default value is 389. |
orclOIDSCExtDN | Yes | The DN in the external directory. Server chaining will bind against the external directory using this identity to perform search and modify operations. This identity must have sufficient privilege to perform the operation. This is a single value attribute. |
orclOIDSCExtPassword | Yes | The password for the DN of the external directory. This is a single value attribute. Be sure to enable privacy mode to ensure that users cannot retrieve this attribute in clear text. See "Privacy of Retrieved Sensitive Attributes". |
orclOIDSCExtUserContainer | Yes | The user container in the external directory from which to perform the user search operation. This is a single value attribute. |
orclOIDSCExtGroupContainer | No | The group container in the external directory from which to perform the group search operation. This is a single value attribute. This attribute is optional if the external user container and the external group container are the same. In this case the group search operations are performed on the external user container. |
orclOIDSCTargetUserContainer | Yes | The user container in Oracle Internet Directory in which the external users reside. For more information, see "Requirements for User and Group Containers". |
orclOIDSCTargetGroupContainer | Yes | The group container in Oracle Internet Directory in which the external groups reside. For more information, see "Requirements for User and Group Containers". |
orclOIDSCAttrMapping | No | Specifies each attribute mapping between the external directory and Oracle Internet Directory. For example, to map the For more information, see "Attribute Mapping". |
orclOIDSCExtSearchEnabled | Yes | External search capability. |
orclOIDSCExtModifyEnabled | Yes | External modify capability. |
orclOIDSCExtAuthEnabled | Yes | External authentication capability. |
The following example shows server chaining configured to use the Active Directory server dlin-pc9.us.oracle.com, port 389, as its external directory store. All the attributes are explained in Table 28-3.
cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc9.us.oracle.com
orclOIDSCExtPort: 389
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCAttrMapping;description: title
The following example is the LDIF file used to modify the configuration entry:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: administrator@dlin.net
-
replace: orcloidscextpassword
orcloidscextpassword: welcome1
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc9.us.oracle.com
-
replace: orcloidscextport
orcloidscextport: 389
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=ad,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=ad,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: cn=users,dc=dlin,dc=net
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: cn=users,dc=dlin,dc=net
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
The following example shows server chaining configured to use the Sun Java System Directory Server dlin-pc10.us.oracle.com, port 10389, as its external directory store. All the attributes are explained in Table 28-3.
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc10.us.oracle.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=acme,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=acme,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
The following example is the LDIF file used to modify the configuration entry:
dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=directory manager
-
replace: orcloidscextpassword
orcloidscextpassword: welcome1
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc10.us.oracle.com
-
replace: orcloidscextport
orcloidscextport: 10389
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=iplanet,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=iplanet,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: ou=people,dc=us,dc=oracle,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: ou=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
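As an added example (not part of this guide), the following Python script checks a server chaining modify LDIF, such as the two above, against the rules stated in this chapter: the required attributes of Table 28-3, the cn=AD / cn=iPlanet target container requirement, and the attribute mapping restrictions. It assumes the orclOIDSCAttrMapping;<OID attribute>: <external attribute> reading of the Active Directory example and a short, assumed list of operational attribute names.

```python
import re
# Rules from this chapter: required attributes (Table 28-3), the cn=AD / cn=iPlanet
# target container convention, and the attribute-mapping restrictions.
REQUIRED = {"orcloidscexthost", "orcloidscextport", "orcloidscextdn", "orcloidscextpassword",
            "orcloidscextusercontainer", "orcloidsctargetusercontainer", "orcloidsctargetgroupcontainer",
            "orcloidscextsearchenabled", "orcloidscextmodifyenabled", "orcloidscextauthenabled"}
CONTAINER_RDN = {"oidscad": "cn=ad", "oidsciplanet": "cn=iplanet"}
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname", "modifiersname"}  # assumed subset

def parse_modify_ldif(ldif):
    """{lowercased attribute: [values]} from a 'changetype: modify' LDIF, ignoring bookkeeping lines."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name.lower() not in ("changetype", "replace", "add", "delete"):
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def check_chaining_entry(ldif, user_base, group_base):
    """Return the rule violations found; an empty list means the entry is consistent."""
    a = parse_modify_ldif(ldif)
    m = re.match(r"cn=(oidscad|oidsciplanet),", a.get("dn", [""])[0].lower())
    if not m:
        return ["dn is not one of the shipped server chaining entries"]
    rdn = CONTAINER_RDN[m.group(1)]
    problems = [f"missing required attribute {r}" for r in sorted(REQUIRED - set(a))]
    # Target containers must be cn=AD / cn=iPlanet directly under the OID search bases.
    for key, base in (("orcloidsctargetusercontainer", user_base),
                      ("orcloidsctargetgroupcontainer", group_base)):
        if key in a and a[key][0].lower() != f"{rdn},{base.lower()}":
            problems.append(f"{key} should be {rdn},{base}")
    # orclOIDSCAttrMapping;<oid attr>: <external attr>; neither side may be operational or orcl*.
    for key, values in a.items():
        if key.startswith("orcloidscattrmapping;"):
            for name in [key.split(";", 1)[1]] + [v.lower() for v in values]:
                if name.startswith("orcl") or name in OPERATIONAL:
                    problems.append(f"unsupported attribute mapping involving {name}")
    return problems

def modify_ldif(dn, pairs):
    return f"dn: {dn}\nchangetype: modify\n" + "".join(f"replace: {k}\n{k}: {v}\n-\n" for k, v in pairs)
# Constructed sample following the chapter's Active Directory example (password is a placeholder).
SAMPLE_AD = modify_ldif("cn=oidscad,cn=oid server chaining,cn=subconfigsubentry", [
    ("orcloidscexthost", "dlin-pc9.us.oracle.com"), ("orcloidscextport", "389"),
    ("orcloidscextdn", "cn=administrator,cn=users,dc=oidvd,dc=com"),
    ("orcloidscextpassword", "PASSWORD_PLACEHOLDER"), ("orcloidscextusercontainer", "cn=users,dc=oidvd,dc=com"),
    ("orcloidsctargetusercontainer", "cn=AD,cn=users,dc=us,dc=oracle,dc=com"),
    ("orcloidsctargetgroupcontainer", "cn=AD,cn=groups,dc=us,dc=oracle,dc=com"),
    ("orcloidscextsearchenabled", "1"), ("orcloidscextmodifyenabled", "1"),
    ("orcloidscextauthenabled", "1"), ("orclOIDSCAttrMapping;description", "title")])
```

Run check_chaining_entry on the LDIF you are about to pass to ldapmodify, with your own user and group search bases, before applying it.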
To debug server chaining, perform the following steps:
Set the Oracle Internet Directory server debug logging level, as described in "Setting Debug Logging Levels". Use the logging level value 402653184. This value enables logging of all messages related to the Java plug-in framework.
Modify the Oracle Internet Directory server chaining debugging settings. For both cn=oidscad,cn=oid server chaining,cn=subconfigsubentry and cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry, set the attribute orcloidscDebugEnabled to 1.
For example, to set orcloidscDebugEnabled to 1 in cn=oidscad,cn=oid server chaining,cn=subconfigsubentry, you would type:
$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -w orcladminpwd <<EOF
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscDebugEnabled
orcloidscDebugEnabled: 1
EOF
See Also: The Java Plug-in Debugging and Logging section in Oracle Identity Management Application Developer's Guide.