4 Post-Installation Tasks and Information

At the end of a successful installation, the OID Monitor, oidmon, and an instance of the Directory Server, oidldapd, are running.

Notes: You can run multiple instances of the directory server is on the same computer. For example, you can run one instance in SSL mode and another in non-SSL mode. If you restart the computer, you can restart Oracle Application Server Infrastructure by following the steps described in the section "Starting OracleAS Infrastructure" in Oracle Application Server Administrator's Guide. The Oracle Internet Directory servers—that is, the directory server, the directory replication server, and the Oracle Directory Integration and Provisioning server daemons—can be started only by the operating system user who installed the Oracle Internet Directory software.

Before configuring and using Oracle Internet Directory, you must perform the tasks described in this chapter.

This section contains these topics:

• Task 1: Reset the Default Security Configuration

• Task 2: Reset the Default Password for the Database

• Task 3: Run the OID Database Statistics Collection Tool

• Tasks to Perform After Upgrading from Release 9.0.2

• Determining LDAP Port Assignment on UNIX and Linux

4.1 Task 1: Reset the Default Security Configuration

To meet the needs of your environment, you must customize the default security configuration. Table 4-1 lists and describes the tasks you must perform to do this.

Table 4-1 Tasks to Reset the Default Security Configuration

Task Area	Description
Protect the subSchemaSubEntry subentry and its children	Information about the directory is contained in the subentry subSchemaSubEntry and its children. Oracle recommends that you control access to these objects.
Establish access to entries	When you load directory entries, you are creating a hierarchy of directory entries. You must therefore establish: Permissions to load entries into this hierarchy Directory access for clients that need read, modify, and write access to directory entries
Modify default access policies	Oracle Internet Directory is installed with a default security configuration described in Chapter 21, "Delegation of Privileges for an Oracle Technology Deployment". Before you begin using the directory, you can modify this default configuration to meet the needs of your environment and ensure that each user has the appropriate authorization.
Modify the default password policy	Password polices are sets of rules that govern how passwords are used. Oracle Internet Directory is installed with a default password policy that you can modify to meet the needs of your environment.
Modify the password of the super user	The super user has full access to directory information. The default user name of the super user is orcladmin; the default password is the Oracle Application Server Administrator password that was specified during installation. Modify this password immediately after installation.
Enable privacy mode for sensitive attributes	You must enable privacy mode to ensure that users cannot retrieve sensitive attributes in clear text. See "Privacy of Retrieved Sensitive Attributes".

See Also: Chapter 3, "Directory Concepts and Architecture" for an introduction to security features of Oracle Internet Directory, and to the default DIT for Oracle components using Oracle Internet Directory Chapter 16, " Directory Security Concepts" for an introduction to data integrity, data privacy, authentication, authorization, and password policies Chapter 18, "Directory Access Control" for a detailed explanation of access control options and instructions for setting up security Chapter 23, "Deployment of Oracle Identity Management Realms" for a detailed explanation of the Oracle Context schema Chapter 19, "Password Policies in Oracle Internet Directory" for an explanation of the default password policy

Caution: Be careful when modifying the default ACLs in any Oracle Context. Doing so can disable the security of Oracle components in your environment. See component-specific documentation for details on whether you can safely modify the default ACLs in an Oracle Context.

4.2 Task 2: Reset the Default Password for the Database

Oracle Internet Directory uses a password when connecting to its desginated Oracle database. The default for this password is the same as that specified during installation for the Oracle Application Server administrator (ias_admin). Change this default password by using the OID Database Password Utility.

See Also: The oidpasswd command-line tool reference in Oracle Identity Management User Reference for syntax and usage notes

4.3 Task 3: Run the OID Database Statistics Collection Tool

If you load data into the directory by any means other than the bulkload tool (bulkload), then you must run the OID Database Statistics Collection tool, $ORACLE_HOME/ldap/admin/oidstats.sql, after loading. This enables the Oracle Optimizer to choose an optimal plan for executing queries corresponding to LDAP operations. You can run OID Database Statistics Collection tool at any time without shutting down any of the OID daemons.

See Also: The oidstats.sql command-line reference in Oracle Identity Management User Reference

4.4 Tasks to Perform After Upgrading from Release 9.0.2

If you have upgraded Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, perform the following tasks.

4.4.1 Set ACL Policy on Groups Container after Upgrade from Release 9.0.2

When upgrading Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, the following ACL policy needs to be set on the groups container in the realm. The ACL policy should allow members of the group cn=Common Group Attributes,cn=groups,Oracle_Context_DN browse, search, and read access for private and public groups—that is, for groups where orclIsVisible is either not set or is set to TRUE or FALSE. This ACL is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section "Default Privileges for Reading Common Group Attributes".

The "Common Group Attributes" group is used by OracleAS Portal to query private and public groups. The ACI must to be added on the groups container. Change the Realm DN to the DN of the Realm and the DN of groups container in the realm to the appropriate group search base.

dn: DN of groups container in the realm
changetype: modify 
add: orclaci 
orclaci: access to entry filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (browse) 
orclaci: access to attr=(*) filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (search, read) orclaci: access to entry filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (browse) 
orclaci: access to attr=(*) filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (search, read)

4.5 Determining LDAP Port Assignment on UNIX and Linux

During installation of Oracle Application Server or third-party products, you might be prompted for an Oracle Internet Directory or LDAP port. To find the specific port number assigned to Oracle Internet Directory at installation, see the file $ORACLE_HOME/config/ias.properties. Look for the entries OIDport and OIDsslport.

The default port for enabling LDAP at Oracle Internet Directory installation time is 389. The Oracle Universal Installer always tries that port as its first choice. However, on many UNIX computers, /etc/services includes a line for LDAP reserving port 389. When that line is present, the Installer opts instead for a port number between 3060 to 3129, inclusive.

To confirm the port at which Oracle Internet Directory is running, simply run the ldapbind command-line tool, supplying either the host name and port number specified in the portlist.ini file or an alternative port specified during the Oracle Internet Directory installation.