Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01 |
|
|
View PDF |
At the end of a successful installation, the OID Monitor, oidmon
, and an instance of the Directory Server, oidldapd
, are running.
Notes:
|
Before configuring and using Oracle Internet Directory, you must perform the tasks described in this chapter.
This section contains these topics:
To meet the needs of your environment, you must customize the default security configuration. Table 4-1 lists and describes the tasks you must perform to do this.
Table 4-1 Tasks to Reset the Default Security Configuration
Task Area | Description |
---|---|
Protect the |
Information about the directory is contained in the subentry |
Establish access to entries |
When you load directory entries, you are creating a hierarchy of directory entries. You must therefore establish:
|
Modify default access policies |
Oracle Internet Directory is installed with a default security configuration described in Chapter 21, "Delegation of Privileges for an Oracle Technology Deployment". Before you begin using the directory, you can modify this default configuration to meet the needs of your environment and ensure that each user has the appropriate authorization. |
Modify the default password policy |
Password polices are sets of rules that govern how passwords are used. Oracle Internet Directory is installed with a default password policy that you can modify to meet the needs of your environment. |
Modify the password of the super user |
The super user has full access to directory information. The default user name of the super user is |
Enable privacy mode for sensitive attributes |
You must enable privacy mode to ensure that users cannot retrieve sensitive attributes in clear text. See "Privacy of Retrieved Sensitive Attributes". |
See Also:
|
Caution: Be careful when modifying the default ACLs in any Oracle Context. Doing so can disable the security of Oracle components in your environment. See component-specific documentation for details on whether you can safely modify the default ACLs in an Oracle Context. |
Oracle Internet Directory uses a password when connecting to its desginated Oracle database. The default for this password is the same as that specified during installation for the Oracle Application Server administrator (ias_admin). Change this default password by using the OID Database Password Utility.
See Also: Theoidpasswd command-line tool reference in Oracle Identity Management User Reference for syntax and usage notes |
If you load data into the directory by any means other than the bulkload tool (bulkload
), then you must run the OID Database Statistics Collection tool, $ORACLE_HOME/ldap/admin/oidstats.sql
, after loading. This enables the Oracle Optimizer to choose an optimal plan for executing queries corresponding to LDAP operations. You can run OID Database Statistics Collection tool at any time without shutting down any of the OID daemons.
If you have upgraded Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, perform the following tasks.
When upgrading Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, the following ACL policy needs to be set on the groups container in the realm. The ACL policy should allow members of the group cn=Common Group Attributes,cn=groups,
Oracle_Context_DN
browse, search, and read access for private and public groups—that is, for groups where orclIsVisible
is either not set or is set to TRUE
or FALSE
. This ACL is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section "Default Privileges for Reading Common Group Attributes".
The "Common Group Attributes" group is used by OracleAS Portal to query private and public groups. The ACI must to be added on the groups container. Change the Realm DN
to the DN of the Realm and the DN of groups container in the realm
to the appropriate group search base.
dn: DN of groups container in the realm changetype: modify add: orclaci orclaci: access to entry filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (browse) orclaci: access to attr=(*) filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (search, read) orclaci: access to entry filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (browse) orclaci: access to attr=(*) filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (search, read)
During installation of Oracle Application Server or third-party products, you might be prompted for an Oracle Internet Directory or LDAP port. To find the specific port number assigned to Oracle Internet Directory at installation, see the file $ORACLE_HOME/config/ias.properties
. Look for the entries OIDport
and OIDsslport
.
The default port for enabling LDAP at Oracle Internet Directory installation time is 389. The Oracle Universal Installer always tries that port as its first choice. However, on many UNIX computers, /etc/services
includes a line for LDAP reserving port 389. When that line is present, the Installer opts instead for a port number between 3060 to 3129, inclusive.
To confirm the port at which Oracle Internet Directory is running, simply run the ldapbind
command-line tool, supplying either the host name and port number specified in the portlist.ini
file or an alternative port specified during the Oracle Internet Directory installation.