Skip Headers
Oracle Internet Directory Administrator's Guide
10g (

Part Number B15991-01
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
View PDF

4 Post-Installation Tasks and Information

At the end of a successful installation, the OID Monitor, oidmon, and an instance of the Directory Server, oidldapd, are running.


  • You can run multiple instances of the directory server is on the same computer. For example, you can run one instance in SSL mode and another in non-SSL mode.

  • If you restart the computer, you can restart Oracle Application Server Infrastructure by following the steps described in the section "Starting OracleAS Infrastructure" in Oracle Application Server Administrator's Guide.

  • The Oracle Internet Directory servers—that is, the directory server, the directory replication server, and the Oracle Directory Integration and Provisioning server daemons—can be started only by the operating system user who installed the Oracle Internet Directory software.

Before configuring and using Oracle Internet Directory, you must perform the tasks described in this chapter.

This section contains these topics:

4.1 Task 1: Reset the Default Security Configuration

To meet the needs of your environment, you must customize the default security configuration. Table 4-1 lists and describes the tasks you must perform to do this.

Table 4-1 Tasks to Reset the Default Security Configuration

Task Area Description

Protect the subSchemaSubEntry subentry and its children

Information about the directory is contained in the subentry subSchemaSubEntry and its children. Oracle recommends that you control access to these objects.

Establish access to entries

When you load directory entries, you are creating a hierarchy of directory entries. You must therefore establish:

  • Permissions to load entries into this hierarchy

  • Directory access for clients that need read, modify, and write access to directory entries

Modify default access policies

Oracle Internet Directory is installed with a default security configuration described in Chapter 21, "Delegation of Privileges for an Oracle Technology Deployment". Before you begin using the directory, you can modify this default configuration to meet the needs of your environment and ensure that each user has the appropriate authorization.

Modify the default password policy

Password polices are sets of rules that govern how passwords are used. Oracle Internet Directory is installed with a default password policy that you can modify to meet the needs of your environment.

Modify the password of the super user

The super user has full access to directory information. The default user name of the super user is orcladmin; the default password is the Oracle Application Server Administrator password that was specified during installation. Modify this password immediately after installation.

Enable privacy mode for sensitive attributes

You must enable privacy mode to ensure that users cannot retrieve sensitive attributes in clear text. See "Privacy of Retrieved Sensitive Attributes".

See Also:


Be careful when modifying the default ACLs in any Oracle Context. Doing so can disable the security of Oracle components in your environment. See component-specific documentation for details on whether you can safely modify the default ACLs in an Oracle Context.

4.2 Task 2: Reset the Default Password for the Database

Oracle Internet Directory uses a password when connecting to its desginated Oracle database. The default for this password is the same as that specified during installation for the Oracle Application Server administrator (ias_admin). Change this default password by using the OID Database Password Utility.

See Also:

The oidpasswd command-line tool reference in Oracle Identity Management User Reference for syntax and usage notes

4.3 Task 3: Run the OID Database Statistics Collection Tool

If you load data into the directory by any means other than the bulkload tool (bulkload), then you must run the OID Database Statistics Collection tool, $ORACLE_HOME/ldap/admin/oidstats.sql, after loading. This enables the Oracle Optimizer to choose an optimal plan for executing queries corresponding to LDAP operations. You can run OID Database Statistics Collection tool at any time without shutting down any of the OID daemons.

See Also:

The oidstats.sql command-line reference in Oracle Identity Management User Reference

4.4 Tasks to Perform After Upgrading from Release 9.0.2

If you have upgraded Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, perform the following tasks.

4.4.1 Set ACL Policy on Groups Container after Upgrade from Release 9.0.2

When upgrading Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, the following ACL policy needs to be set on the groups container in the realm. The ACL policy should allow members of the group cn=Common Group Attributes,cn=groups,Oracle_Context_DN browse, search, and read access for private and public groups—that is, for groups where orclIsVisible is either not set or is set to TRUE or FALSE. This ACL is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section "Default Privileges for Reading Common Group Attributes".

The "Common Group Attributes" group is used by OracleAS Portal to query private and public groups. The ACI must to be added on the groups container. Change the Realm DN to the DN of the Realm and the DN of groups container in the realm to the appropriate group search base.

dn: DN of groups container in the realm
changetype: modify 
add: orclaci 
orclaci: access to entry filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (browse) 
orclaci: access to attr=(*) filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (search, read) orclaci: access to entry filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (browse) 
orclaci: access to attr=(*) filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (search, read)

4.5 Determining LDAP Port Assignment on UNIX and Linux

During installation of Oracle Application Server or third-party products, you might be prompted for an Oracle Internet Directory or LDAP port. To find the specific port number assigned to Oracle Internet Directory at installation, see the file $ORACLE_HOME/config/ Look for the entries OIDport and OIDsslport.

The default port for enabling LDAP at Oracle Internet Directory installation time is 389. The Oracle Universal Installer always tries that port as its first choice. However, on many UNIX computers, /etc/services includes a line for LDAP reserving port 389. When that line is present, the Installer opts instead for a port number between 3060 to 3129, inclusive.

To confirm the port at which Oracle Internet Directory is running, simply run the ldapbind command-line tool, supplying either the host name and port number specified in the portlist.ini file or an alternative port specified during the Oracle Internet Directory installation.