Oracle® Internet Directory Administrator's Guide 10g (10.1.4.0.1)
Part Number B15991-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Internet Directory?
New Features Introduced with Oracle Internet Directory 10g (10.1.4.0.1)
New Features Introduced with Oracle Internet Directory 10g Release 2 (10.1.2)
New Features Introduced with Oracle Internet Directory 10g (9.0.4)
About Oracle Internet Directory Release 9.2
New Features Introduced with Oracle Internet Directory Release 9.0.2
New Features Introduced with Oracle Internet Directory Release 3.0.1
New Features Introduced with Oracle Internet Directory Release 2.1.1
Part I Getting Started
1 Links to Common Tasks
1.1 Object Classes and Attributes
1.2 Replication
1.3 Security, Password Policies, and User Accounts
1.4 Realms
1.5 Server Processes, Instances, and Configuration Set Entries
1.6 System Operational Attributes
1.7 Naming Contexts
1.8 Binds, Connections, Aliases, and Directory Discovery
1.9 Referential Integrity
1.10 Entries
1.11 Groups
1.12 Logging, Auditing, and Monitoring
1.13 Tuning
1.14 Garbage Collection
1.15 Server Chaining and Data Migration
1.16 Plug-ins
2 Introduction to LDAP and Oracle Internet Directory
2.1 What Is a Directory?
2.1.1 The Expanding Role of Online Directories
2.1.2 The Problem: Too Many Special-Purpose Directories
2.2 What Is the Lightweight Directory Access Protocol (LDAP)?
2.2.1 LDAP and Simplified Directory Management
2.2.2 LDAP Version 3
2.3 Oracle Identity Management
2.4 What Is Oracle Internet Directory?
2.4.1 Overview of Oracle Internet Directory
2.4.2 Components of Oracle Internet Directory
2.4.3 Advantages of Oracle Internet Directory
2.4.3.1 Scalability
2.4.3.2 High Availability
2.4.3.3 Security
2.4.3.4 Integration with the Oracle Environment
2.5 How Oracle Components Use Oracle Internet Directory
2.5.1 Easier and More Cost-Effective Administration of Applications
2.5.2 Tighter Security Through Centralized Security Policy Administration
2.5.3 Integration of Multiple Directories
3 Directory Concepts and Architecture
3.1 Oracle Internet Directory Architecture
3.1.1 An Oracle Internet Directory Node
3.1.2 An Oracle Directory Server Instance
3.1.3 Directory Metadata
3.1.4 Configuration Set Entries
3.2 Example: How Oracle Internet Directory Works
3.3 Entries
3.3.1 Distinguished Names (DNs) and Directory Information Trees (DITs)
3.3.2 Entry Caching
3.4 Attributes
3.4.1 Kinds of Attribute Information
3.4.2 Single-Valued and Multivalued Attributes
3.4.3 Common LDAP Attributes
3.4.4 Attribute Syntax
3.4.5 Attribute Matching Rules
3.4.6 Attribute Options
3.5 Object Classes
3.5.1 Subclasses, Superclasses, and Inheritance
3.5.2 Object Class Types
3.5.2.1 Structural Object Classes
3.5.2.2 Auxiliary Object Classes
3.5.2.3 Abstract Object Classes
3.6 Naming Contexts
3.7 Security
3.8 Globalization Support
3.9 Distributed Directories
3.9.1 Directory Replication
3.9.2 Directory Partitioning
3.10 Knowledge References and Referrals
3.11 Oracle Delegated Administration Services and the Oracle Internet Directory Self-Service Console
3.12 The Service Registry and Service to Service Authentication
3.13 Oracle Directory Integration Platform
3.14 Oracle Internet Directory and Identity Management
3.14.1 About Identity Management
3.14.2 About the Oracle Identity Management Infrastructure
3.14.3 Identity Management Realms
3.14.3.1 Default Identity Management Realm
3.14.3.2 Identity Management Policies
3.15 Resource Information
3.15.1 Resource Type Information
3.15.2 Resource Access Information
3.15.3 Location of Resource Information in the DIT
4 Post-Installation Tasks and Information
4.1 Task 1: Reset the Default Security Configuration
4.2 Task 2: Reset the Default Password for the Database
4.3 Task 3: Run the OID Database Statistics Collection Tool
4.4 Tasks to Perform After Upgrading from Release 9.0.2
4.4.1 Set ACL Policy on Groups Container after Upgrade from Release 9.0.2
4.5 Determining LDAP Port Assignment on UNIX and Linux
5 Directory Administration and Monitoring Tools
5.1 Using Oracle Identity Management Grid Control Plug-in
5.2 Using Oracle Directory Manager
5.2.1 Starting Oracle Directory Manager
5.2.2 Connecting to a Directory Server by Using Oracle Directory Manager
5.2.3 Navigating Oracle Directory Manager
5.2.3.1 Overview of Oracle Directory Manager
5.2.3.2 The Oracle Directory Manager Menu Bar
5.2.3.3 The Oracle Directory Manager Toolbar
5.2.4 Connecting to Additional Directory Servers by Using Oracle Directory Manager
5.2.5 Disconnecting from a Directory Server by Using Oracle Directory Manager
5.2.6 Configuring the Display and Duration of Searches in Oracle Directory Manager
5.2.7 Performing Administrative Tasks by Using Oracle Directory Manager
5.3 Using Oracle Internet Directory Server Manageability
5.4 Using Command-Line Tools
5.4.1 Command-Line Tools for Starting, Stopping, and Monitoring Oracle Internet Directory Servers
5.4.2 Command-Line Tools for Managing Entries and Attributes
5.4.3 Command-Line Tools for Performing Bulk Operations
5.4.4 Command-Line Tools for Managing Replication
5.4.5 OID Migration Tool (ldifmigrator)
5.4.6 OID Database Statistics Tool (oidstats.sql)
5.4.7 OID Database Password Utility (oidpasswd)
6 Process Control of Oracle Internet Directory Components
6.1 Tools and Daemons Important to Oracle Internet Directory Process Control
6.2 Oracle Internet Directory Integration with OPMN
6.2.1 Semantics of OPMN Monitoring Oracle Internet Directory
6.2.2 Oracle Internet Directory Snippet in OPMN.XML
6.2.3 Semantics of OPMN Starting Oracle Internet Directory
6.2.4 Semantics of OPMN Stopping Oracle Internet Directory
6.2.5 Semantics of OPMN Monitoring OIDMON
6.3 Oracle Internet Directory Process Control–Best Practices
6.3.1 Changing the Configuration of the Default OID LDAP Server Instance
6.3.2 Configuring Additional Oracle Internet Directory LDAP Server Instances
6.3.3 Deconfiguring the Default Oracle Internet Directory LDAP Server Instance
6.3.4 Configuring an Instance of the Oracle Internet Directory Replication Server
6.3.5 Configuring an Oracle Directory Integration Platform Server Instance
6.4 OIDMON and the ODS_PROCESS Table
6.5 OIDCTL Process Control Semantics
Part II Basic Directory Administration
7 Oracle Directory Server Administration
7.1 Managing Server Configuration Set Entries
7.1.1 Preliminary Considerations for Managing Configuration Set Entries
7.1.2 Managing Server Configuration Set Entries by Using Oracle Directory Manager
7.1.2.1 Viewing Configuration Set Entries by Using Oracle Directory Manager
7.1.2.2 Adding Configuration Set Entries by Using Oracle Directory Manager
7.1.2.3 Modifying Configuration Set Entries by Using Oracle Directory Manager
7.1.2.4 Deleting Configuration Set Entries by Using Oracle Directory Manager
7.1.3 Managing Server Configuration Set Entries by Using Command-Line Tools
7.1.3.1 Adding Configuration Set Entries by Using ldapadd
7.1.3.2 Modifying and Deleting Configuration Set Entries by Using ldapmodify
7.2 Setting System Operational Attributes
7.2.1 Setting System Operational Attributes by Using Oracle Directory Manager
7.2.2 Setting System Operational Attributes by Using ldapmodify
7.3 Managing Naming Contexts
7.3.1 Publishing Naming Contexts by Using Oracle Directory Manager
7.3.2 Publishing Naming Contexts by Using ldapmodify
7.4 Managing Super Users, Guest Users, and Proxy Users
7.4.1 About Super Users, Guest Users, and Proxy Users
7.4.2 Managing Super Users, Guest Users, and Proxy Users by Using Oracle Directory Manager
7.4.3 Managing Super Users, Guest Users, and Proxy Users by Using ldapmodify
7.5 Managing Anonymous Binds
7.6 Viewing Active Server Instance Information
7.7 Closing Idle LDAP Connections
7.8 Changing the Password to the Oracle Internet Directory Database Server
7.9 Dereferencing Alias Entries
7.9.1 About Alias Entries
7.9.2 Examples: Using Alias Entry Dereferencing
7.9.2.1 Example: Adding an Alias Entry
7.9.2.2 Examples: Searching the Directory with Alias Entries
7.9.2.3 Example: Modifying Alias Entries
7.9.3 Success and Error Messages
7.10 Locating Directory Servers in a Distributed Environment
7.10.1 Static Directory Server Discovery by Using the Directory Server Usage File (ldap.ora)
7.10.2 Dynamic Directory Server Discovery by Using the Domain Name System (DNS)
7.10.2.1 How a Client Locates a Directory Server by Using DNS
7.10.2.2 Registering a Directory Server with the Domain Name System
8 Directory Entries Administration
8.1 Managing Entries by Using Oracle Directory Manager
8.1.1 Searching for Entries by Using Oracle Directory Manager
8.1.2 Viewing Attributes for a Specific Entry by Using Oracle Directory Manager
8.1.3 Adding Entries by Using Oracle Directory Manager
8.1.3.1 Adding a New Entry by Using Oracle Directory Manager
8.1.3.2 Adding an Entry by Copying an Existing Entry in Oracle Directory Manager
8.1.3.3 Example: Adding a User Entry by Using Oracle Directory Manager
8.1.4 Modifying Entries by Using Oracle Directory Manager
8.1.4.1 Example: Modifying a User Entry by Using Oracle Directory Manager
8.1.5 Managing Entries with Attribute Options by Using Oracle Directory Manager
8.1.5.1 Adding an Attribute Option to an Existing Entry by Using Oracle Directory Manager
8.1.5.2 Modifying an Attribute Option by Using Oracle Directory Manager
8.1.5.3 Deleting an Attribute Option by Using Oracle Directory Manager
8.2 Managing Entries by Using Command-Line Tools
8.2.1 Command-Line Tools for Managing Entries
8.2.1.1 Example: Adding a User Entry by Using ldapadd
8.2.1.2 Example: Modifying a User Entry by Using ldapmodify
8.2.2 Managing Entries with Attribute Options by Using Command-Line Tools
8.2.2.1 Example: Adding an Attribute Option by Using ldapmodify
8.2.2.2 Example: Deleting an Attribute Option by Using ldapmodify
8.2.2.3 Example: Searching for Entries with Attribute Options by Using ldapsearch
8.3 Managing Knowledge References and Referrals
8.3.1 Configuring Smart Referrals
8.3.2 Configuring Default Referrals
8.3.3 Client-Side Referral Caching
8.3.3.1 How Client-Side Referral Caching Works
9 Using Bulk Tools
9.1 bulkload
9.1.1 bulkload Command Line Parameters
9.1.2 Importing an LDIF File by Using bulkload
9.1.2.1 Task 1: Back Up the Oracle Database Server
9.1.2.2 Task 2: Find Out the Oracle Internet Directory Password
9.1.2.3 Task 3: Check Input for Schema and Data Consistency Violations and Generate the Input Files for SQL*Loader
9.1.2.4 Task 4: Load the Input Files
9.1.2.5 If Bulk Loading Fails
9.1.3 More bulkload Examples
9.1.3.1 Example 1. Loading in Bulk Mode
9.1.3.2 Example 2. Loading in Incremental or Append Mode
9.1.3.3 Example 3. Index Verification
9.1.3.4 Example 4. Index Re-creation
9.1.3.5 Example 5. Data Recovery
9.2 bulkmodify
9.2.1 bulkmodify Command Line Parameters
9.2.2 bulkmodify Usage Examples
9.2.2.1 Example 1. Adding a Description for All Entries Under a Specified Naming Context
9.2.2.2 Example 2. Adding telephonenumber for All Entries Under a Specified Naming Context with the Same Manager
9.2.2.3 Example 3. Replacing an Attribute for All Entries Under a Specified Naming Context
9.3 bulkdelete
9.3.1 bulkdelete Command Line Parameters
9.3.2 bulkdelete Usage Examples
9.3.2.1 Example 1. Delete All Entries Under a Specified Naming Context from Database
9.3.2.2 Example 2. Delete Entries Under a Naming Context and Make them Tombstone Entries
9.3.2.3 Example 3. Delete Entries Under Specified Naming Contexts Given in File and Make them Tombstone Entries
9.4 ldifwrite
9.4.1 ldifwrite Command Line Parameters
9.4.2 ldifwrite Usage Examples
9.4.2.1 Example 1. Dumping All Entries Under a Specified Naming Context to an LDIF File
9.4.2.2 Example 2. Dumping Part of a Specified Naming Context to an LDIF File
9.4.2.3 Example 3. Dumping Entries Under a Specified Naming Context to an LDIF File
9.5 catalog
9.5.1 catalog Command Line Parameters
9.5.2 catalog Usage Examples
9.5.2.1 Example 1. Changes a Searchable Attribute into a Non-searchable Attribute
9.5.2.2 Example 2. Changes a Non-searchable Attribute into a Searchable Attribute
10 Attribute Uniqueness in the Directory
10.1 About Attribute Uniqueness
10.2 Rules for Creating Attribute Uniqueness
10.2.1 Specifying Multiple Attribute Names in an Attribute Uniqueness Constraint
10.2.2 Specifying Multiple Subtrees in an Attribute Uniqueness Constraint
10.2.3 Specifying Multiple Scopes in an Attribute Uniqueness Constraint
10.2.4 Specifying Multiple Object Classes in an Attribute Uniqueness Constraint
10.2.5 Specifying Multiple Subtrees, Scopes, and Object Classes in an Attribute Uniqueness Constraint
10.3 Managing Attribute Uniqueness
10.3.1 Location of Attribute Uniqueness Entries
10.3.2 Managing Attribute Uniqueness by Using Oracle Directory Manager
10.3.2.1 Creating an Attribute Uniqueness Constraint Entry
10.3.2.2 Modifying an Attribute Uniqueness Constraint Entry by Using Oracle Directory Manager
10.3.2.3 Deleting an Attribute Uniqueness Constraint Policy by Using Oracle Directory Manager
10.3.3 Managing Attribute Uniqueness by Using Command-Line Tools
10.3.3.1 Enabling and Disabling Attribute Uniqueness by Using Command-Line Tools
10.3.3.2 Creating Attribute Uniqueness Constraint Entries by Using Command-Line Tools
10.3.3.3 Modifying Attribute Uniqueness Constraint Entries by Using Command-Line Tools
10.3.3.4 Deleting Attribute Uniqueness Constraint Entries by Using Command-Line Tools
10.4 Limitations of Attribute Uniqueness in Oracle Internet Directory 10g (10.1.4.0.1)
11 Directory Schema Administration
11.1 About the Directory Schema
11.2 Object Classes in the Directory
11.2.1 About Object Class Management
11.2.1.1 Inheritance
11.2.1.2 Mandatory and Optional Attributes in Object Classes
11.2.1.3 Addition of Entries in Top-Down Sequence
11.2.1.4 Object Class Explosion
11.2.2 Guidelines for Adding, Modifying, and Deleting Object Classes
11.2.2.1 Guidelines for Adding Object Classes
11.2.2.2 Guidelines for Modifying Object Classes
11.2.2.3 Guidelines for Deleting Object Classes
11.2.3 Managing Object Classes by Using Oracle Directory Manager
11.2.3.1 Searching for Object Classes by Using Oracle Directory Manager
11.2.3.2 Viewing Properties of Object Classes by Using Oracle Directory Manager
11.2.3.3 Adding Object Classes by Using Oracle Directory Manager
11.2.3.4 Modifying Object Classes by Using Oracle Directory Manager
11.2.3.5 Deleting Object Classes by Using Oracle Directory Manager
11.2.4 Managing Object Classes by Using Command-Line Tools
11.2.4.1 Example: Adding a New Object Class
11.2.4.2 Example: Adding a New Attribute to an Auxiliary or User-Defined Object Class
11.3 Attributes in the Directory
11.3.1 About Attribute Management
11.3.1.1 Rules for Adding Attributes
11.3.1.2 Rules for Modifying Attributes
11.3.1.3 Rules for Deleting Attributes
11.3.2 Managing Attributes by Using Oracle Directory Manager
11.3.2.1 Viewing All Directory Attributes by Using Oracle Directory Manager
11.3.2.2 Searching for Attributes by Using Oracle Directory Manager
11.3.2.3 Adding an Attribute by Using Oracle Directory Manager
11.3.2.4 Modifying an Attribute by Using Oracle Directory Manager
11.3.2.5 Deleting an Attribute by Using Oracle Directory Manager
11.3.2.6 Indexing an Attribute by Using Oracle Directory Manager
11.3.3 Managing Attributes by Using Command-Line Tools
11.3.3.1 Adding and Modifying Attributes by Using ldapmodify
11.3.3.2 Deleting Attributes by Using ldapmodify
11.3.3.3 Indexing an Attribute by Using Command-Line Tools
11.4 How to Extend the Number of Attributes Associated with Entries
11.4.1 Extending the Number of Attributes Prior to Creating Entries in the Directory
11.4.2 Extending the Number of Attributes for Existing Entries by Creating an Auxiliary Object Class
11.4.3 Extending the Number of Attributes for Existing Entries by Creating a Content Rule
11.4.3.1 Rules for Creating and Modifying Content Rules
11.4.3.2 Schema Enforcement When Using Content Rules
11.4.3.3 Searches for Object Classes Listed in Content Rules
11.4.3.4 Managing Content Rules
11.5 Attribute Aliases In the Directory
11.5.1 Features of Attribute Aliases
11.5.2 Attribute Alias Rules
11.5.3 Managing Attribute Aliases by Using Command-Line Tools
11.5.3.1 Adding a New Attribute With Attribute Aliases
11.5.3.2 Adding or Modifying Attribute Aliases in Existing Attributes
11.5.3.3 Deleting Attribute Aliases
11.5.4 Using Attribute Aliases
11.5.4.1 Using Attribute Aliases with ldapsearch
11.5.4.2 Using Attribute Aliases with ldapadd
11.5.4.3 Using Attribute Aliases with ldapmodify
11.5.4.4 Using Attribute Aliases with ldapdelete
11.5.4.5 Using Attribute Aliases with ldapmoddn
11.5.5 Object Identifier Support in LDAP Operations
11.6 Matching Rules in the Directory
11.6.1 Viewing Matching Rules by Using Oracle Directory Manager
11.6.2 Viewing Matching Rules by Using ldapsearch
11.7 Syntaxes in the Directory
11.7.1 Viewing Syntaxes by Using Oracle Directory Manager
11.7.2 Viewing Syntaxes by Using ldapsearch
12 Referential Integrity
12.1 Configuring and Enabling Referential Integrity
12.2 Disabling Referential Integrity
13 Dynamic and Static Groups in Oracle Internet Directory
13.1 About Groups
13.1.1 Static Groups
13.1.1.1 Schema Elements for Creating Static Groups
13.1.2 Dynamic Groups
13.1.2.1 Enhancements to and Limitations of Dynamic Groups in Oracle Internet Directory 10g (10.1.4.0.1)
13.1.2.2 Schema Elements for Creating a Dynamic Group
13.1.3 Hierarchies
13.1.4 Querying Group Entries
13.1.5 When to Use Each Kind of Group
13.2 Managing Group Entries
13.2.1 Managing Static Group Entries by Using Oracle Directory Manager
13.2.1.1 Creating Static Group Entries by Using Oracle Directory Manager
13.2.1.2 Modifying a Static Group Entry by Using Oracle Directory Manager
13.2.2 Managing Static Group Entries by Using Command-Line Tools
13.2.2.1 Creating a Static Group Entry by Using ldapadd
13.2.2.2 Modifying a Static Group by Using ldapmodify
13.2.3 Examples of Dynamic Group Entries
13.2.3.1 Example: a Dynamic Group Entry Using the labeledURI Attribute
13.2.3.2 Example: a Dynamic Group Entry Using the CONNECT BY Assertion
13.2.4 Managing Dynamic Groups by Using Oracle Directory Manager
13.2.4.1 Creating Dynamic Group Entries by Using Oracle Directory Manager
13.2.4.2 Modifying a Dynamic Group Entry by Using Oracle Directory Manager
13.2.5 Managing Dynamic Groups by Using Command-Line Tools
13.2.5.1 Creating a Dynamic Group Entry by Using ldapadd
13.2.5.2 Example: Creating a Dynamic Group Entry by Using ldapadd
13.2.5.3 Example: Modifying a Dynamic Group by Using ldapmodify
14 Logging, Auditing, and Monitoring the Directory
14.1 Log File Locations
14.2 Using Debug Logging
14.2.1 About Oracle Internet Directory Debug Logging
14.2.2 About Log Messages
14.2.2.1 Log Messages for Specified LDAP Operations
14.2.2.2 Log Messages Not Associated with Specified LDAP Operations
14.2.2.3 Example: Trace Messages in Oracle Internet Directory Server Log File
14.2.2.4 How to Interpret Trace Messages in the Log File
14.2.3 Setting Debug Logging Levels
14.2.3.1 Setting Debug Logging Levels by Using Oracle Directory Manager
14.2.3.2 Setting Debug Logging Levels by Using the OID Control Utility
14.2.4 Setting the Operation Debug Dimension
14.2.4.1 Setting the Operation Debug Dimension by Using Oracle Directory Manager
14.2.4.2 Setting the Operation Debug Dimension by Using ldapmodify
14.2.5 Force Flushing the Trace Information to a Log File
14.3 Using the Audit Log
14.3.1 Structure of Audit Log Entries
14.3.2 Position of Audit Log Entries in the DIT
14.3.3 Auditable Events
14.3.4 Setting the Audit Level
14.3.4.1 Setting the Audit Level by Using Oracle Directory Manager
14.3.4.2 Setting the Audit Level by Using ldapmodify
14.3.5 Searching for Audit Log Entries
14.3.5.1 Searching for Audit Log Entries by Using Oracle Directory Manager
14.3.5.2 Searching for Audit Log Entries by Using ldapsearch
14.3.6 Purging the Audit Log
14.4 Monitoring Oracle Internet Directory Servers
14.4.1 Capabilities of Oracle Internet Directory Server Manageability
14.4.2 Oracle Internet Directory Server Manageability Architecture and Components
14.4.3 Location of Configuration Information for Oracle Internet Directory Server Manageability
14.4.4 Account Used for Accessing Server Manageability Information
14.4.5 Configuring Oracle Internet Directory Server Manageability
14.4.5.1 Configuring Security Events Tracking
14.4.5.2 Configuring a User for Connection and Operation Statistics Collection
14.4.5.3 Configuring Critical Events
14.4.6 Purging of Audit and Statistics Entries
14.4.7 Viewing Oracle Internet Directory Server Manageability Information
14.4.7.1 Viewing Information with the oiddiag Tool
14.4.7.2 Viewing Information with the Oracle Identity Management Grid Control Plug-in
14.4.7.3 Viewing Information with the Oracle Enterprise Manager 10g Application Server Control Console
15 Backup and Restoration of a Directory
15.1 Backing Up and Restoring a Small Directory or Specific Naming Context
15.2 Backing Up and Restoring a Large Directory
Part III Directory Security
16 Directory Security Concepts
16.1 Data Integrity and Oracle Internet Directory
16.2 Data Privacy and Oracle Internet Directory
16.2.1 Privacy During Data Transmission
16.2.2 Privacy of Retrieved Sensitive Attributes
16.3 Authorization in Oracle Internet Directory
16.4 Authentication in Oracle Internet Directory
16.4.1 Direct Authentication
16.4.2 Indirect Authentication
16.4.3 External Authentication
16.5 Protection of User Passwords for Directory Authentication
16.6 Password Policies in Oracle Internet Directory
16.7 Authentication by Using Simple Authentication and Security Layer (SASL)
17 Secure Sockets Layer (SSL) and the Directory
17.1 Supported Cipher Suites
17.2 SSL Client Scenarios
17.3 Limitations of the Use of SSL in 10g (10.1.4.0.1)
17.4 Configuring and Testing Oracle Internet Directory With SSL
17.4.1 Configuring SSL Parameters
17.4.1.1 Configuring SSL Parameters by Using Oracle Directory Manager
17.4.1.2 Configuring SSL Parameters by Using Command-Line Tools
17.4.2 Configure Oracle Internet Directory for SSL
17.4.3 Testing SSL Connections From the Command Line
17.4.3.1 Testing SSL With Encryption Only
17.4.3.2 Testing SSL With Server Authentication
17.4.3.3 Testing SSL With Client and Server Authentication
17.4.4 Testing SSL Connections With Oracle Directory Manager
17.5 Other Components and SSL
18 Directory Access Control
18.1 Overview of Access Control Policy Administration
18.1.1 Access Control Management Constructs
18.1.1.1 Access Control Policy Points (ACPs)
18.1.1.2 The orclACI Attribute for Prescriptive Access Control
18.1.1.3 The orclEntryLevelACI Attribute for Entry-Level Access Control
18.1.1.4 Security Groups
18.1.2 Access Control Information Components
18.1.2.1 Object: To What Are You Granting Access?
18.1.2.2 Subject: To Whom Are You Granting Access?
18.1.2.3 Operations: What Access Are You Granting?
18.1.3 Access Level Requirements for LDAP Operations
18.2 How ACL Evaluation Works
18.2.1 Precedence Rules Used in ACL Evaluation
18.2.1.1 Precedence at the Entry Level
18.2.1.2 Precedence at the Attribute Level
18.2.2 Use of More Than One ACI for the Same Object
18.2.3 Exclusionary Access to Directory Objects
18.2.4 ACL Evaluation For Groups
18.3 Managing Access Control by Using Oracle Directory Manager
18.3.1 Configuring Oracle Directory Manager for Access Control Management
18.3.1.1 Configuring the Display of ACPs in Oracle Directory Manager
18.3.1.2 Configuring Searches for ACPs When Using Oracle Directory Manager
18.3.2 Viewing an ACP by Using Oracle Directory Manager
18.3.3 Adding an ACP by Using Oracle Directory Manager
18.3.3.1 Task 1: Specify the Entry That Will Be the ACP
18.3.3.2 Task 2: Configure Structural Access Items
18.3.3.3 Task 3: Configure Content Access Items
18.3.4 Adding an ACP by Using the ACP Creation Wizard of Oracle Directory Manager
18.3.4.1 Task 1: Specify the Entry That Will Be the ACP
18.3.4.2 Task 2: Configure Structural Access Items by Using the ACP Creation Wizard
18.3.4.3 Task 3: Configure Content Access Items by Using the ACP Creation Wizard
18.3.5 Modifying an ACP by Using Oracle Directory Manager
18.3.5.1 Task 1: Specify the Entry That You Want to Modify
18.3.5.2 Task 2: Modify Structural Access Items
18.3.5.3 Task 3: Modify Content Access Items
18.3.6 Granting Entry-Level Access by Using Oracle Directory Manager
18.3.7 Example: Managing ACPs by Using Oracle Directory Manager
18.3.7.1 Create a New ACP
18.3.7.2 Create a Third ACI
18.3.7.3 Create a Fourth ACI
18.4 Managing Access Control by Using Command-Line Tools
18.4.1 Example: Restricting the Kind of Entry a User Can Add
18.4.2 Example: Setting Up an Inheritable ACP by Using ldapmodify
18.4.3 Example: Setting Up Entry-Level ACIs by Using ldapmodify
18.4.4 Example: Using Wild Cards
18.4.5 Example: Selecting Entries by DN
18.4.6 Example: Using Attribute and Subject Selectors
18.4.7 Example: Granting Read-Only Access
18.4.8 Example: Granting Selfwrite Access to Group Entries
18.4.9 Example: Defining a Completely Autonomous Policy to Inhibit Overriding Policies
19 Password Policies in Oracle Internet Directory
19.1 About Password Policies
19.1.1 What a Password Policy Is
19.1.2 Fine-Grained Password Policies
19.1.3 Default Password Policy
19.1.4 Password Policy Attributes
19.1.5 Directory Server Verification of Password Policy Information
19.2 Managing Password Policies, Accounts, and Passwords
19.2.1 Managing Password Policies by Using Oracle Directory Manager
19.2.1.1 Viewing Password Policies by Using Oracle Directory Manager
19.2.1.2 Modifying Password Policies by Using Oracle Directory Manager
19.2.1.3 Creating Password Policies by Using Oracle Directory Manager
19.2.2 Managing Password Policies, Accounts, and Passwords by Using Command-Line Tools
19.2.2.1 Example: Setting Password Policies by Using Command-Line Tools
19.2.2.2 Examples: Managing Password Policies by Using Command-Line Tools
19.2.2.3 Example: Enabling and Disabling Accounts by Using Command-Line Tools
19.2.2.4 Example: Unlocking Accounts by Using Command-Line Tools
19.2.2.5 Example: Forcing a Password Change by Using Command-Line Tools
19.2.3 Managing Accounts and Passwords by Using the Self-Service Console
19.2.3.1 Enabling and Disabling Accounts by Using the Oracle Internet Directory Self-Service Console
19.2.3.2 Unlocking Accounts by Using the Oracle Internet Directory Self-Service Console
19.2.3.3 Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console
19.3 Password Policy Error Messages
20 Directory Storage of Password Verifiers
20.1 About Centralized Storage of User Authentication Credentials
20.2 Storing and Managing Password Verifiers for Authenticating to Oracle Internet Directory
20.2.1 Password Verifiers and Authentication to the Directory
20.2.2 Hashing Schemes for Creating Password Verifiers
20.2.3 Managing Password Protection by Using Oracle Directory Manager
20.2.4 Managing Password Protection by Using ldapmodify
20.3 Storing and Managing Password Verifiers for Authenticating to Oracle Components
20.3.1 About Password Verifiers for Oracle Components
20.3.2 Attributes for Storing Password Verifiers
20.3.3 Default Verifiers for Oracle Components
20.3.4 Example: How Password Verification Works for an Oracle Component
20.3.5 Managing Password Verifier Profiles for Oracle Components by Using Oracle Directory Manager
20.3.5.1 Viewing and Modifying a Password Verifier Profile for an Oracle Component by Using Oracle Directory Manager
20.3.6 Managing Password Verifier Profiles for Oracle Components by Using Command-Line Tools
20.3.6.1 Viewing a Password Verifier Profile by Using Command-Line Tools
20.3.6.2 Example: Modifying a Password Verifier Profile by Using Command-Line Tools
20.4 Verifier Generation Using Dynamic Parameters
20.4.1 Generating Dynamic Password Verifiers
20.4.2 Configuring Oracle Internet Directory to Generate Dynamic Password Verifiers
21 Delegation of Privileges for an Oracle Technology Deployment
21.1 Delegation in the Oracle Identity Management Model
21.1.1 How Delegation Works
21.1.2 Delegation in an Oracle Application Server Environment
21.1.3 About the Default Configuration
21.1.4 Overview: Privileges for Administering the Oracle Technology Stack
21.2 Delegation of Privileges for User and Group Management
21.2.1 How Privileges Are Granted for Managing User and Group Data
21.2.2 Default Privileges for Managing User Data
21.2.2.1 Creating Users for a Realm
21.2.2.2 Modifying Attributes of a User
21.2.2.3 Deleting a User
21.2.2.4 Delegating User Administration
21.2.3 Default Privileges for Managing Group Data
21.2.3.1 Creating Groups
21.2.3.2 Modifying the Attributes of Groups
21.2.3.3 Deleting Groups
21.2.3.4 Delegating Group Administration
21.3 Delegation of Privileges for Deployment of Oracle Components
21.3.1 How Deployment Privileges Are Granted
21.3.2 Oracle Application Server Administrators
21.3.3 User Management Application Administrators
21.3.4 Trusted Application Administrators
21.4 Delegation of Privileges for Component Runtime
21.4.1 Default Privileges for Reading and Modifying User Passwords
21.4.2 Default Privileges for Comparing User Passwords
21.4.3 Default Privileges for Comparing Password Verifiers
21.4.4 Default Privileges for Proxying on Behalf of End Users
21.4.5 Default Privileges for Managing the Oracle Context
21.4.6 Default Privileges for Reading Common User Attributes
21.4.7 Default Privileges for Reading Common Group Attributes
21.4.8 Default Privileges for Reading the Service Registry
21.4.9 Default Privileges for Administering the Service Registry
Part IV Directory Deployment
22 Directory Deployment Considerations
22.1 The Expanding Role of Directories
22.2 Logical Organization Of Directory Information
22.3 Physical Distribution: Partitions, Replicas, and High Availability
22.3.1 An Ideal Deployment
22.3.2 Partitioning Considerations
22.3.3 Replication Considerations
22.3.4 High Availability Considerations
22.4 Oracle Directory Integration Platform
22.5 Capacity Planning, Sizing, and Tuning
22.5.1 Capacity Planning
22.5.2 Sizing Considerations
22.5.3 Tuning Considerations
23 Deployment of Oracle Identity Management Realms
23.1 Planning the Directory Information Tree for Identity Management
23.1.1 Planning the Overall Directory Structure
23.1.2 Planning the Names and Containment of Users and Groups
23.1.2.1 Considerations for Users
23.1.2.2 Considerations for Groups
23.1.3 Planning the Identity Management Realm
23.1.4 Migrating a DIT from a Third-Party Directory
23.2 Identity Management Realms in an Enterprise Deployment
23.2.1 Single Identity Management Realm in the Enterprise
23.2.2 Multiple Identity Management Realms in the Enterprise
23.3 Identity Management Realms in a Hosted Deployment
23.4 Identity Management Realm Implementation in Oracle Internet Directory
23.5 Default Directory Information Tree and the Identity Management Realm
23.6 Administration of Identity Management Realms
23.6.1 Customizing the Default Identity Management Realm
23.6.1.1 Changing the Location of Users and Groups In The Default Identity Management Realm
23.6.2 Creating Additional Identity Management Realms for Hosted Deployments
24 Capacity Planning for the Directory
24.1 About Capacity Planning
24.2 Getting to Know Directory Usage Patterns: A Case Study
24.3 I/O Subsystem Requirements
24.3.1 About the I/O Subsystem
24.3.2 Rough Estimates of Disk Space Requirements
24.3.3 Detailed Calculations of Disk Space Requirements
24.4 Memory Requirements
24.5 Network Requirements
24.6 CPU Requirements
24.6.1 CPU Configuration
24.6.2 Rough Estimates of CPU Requirements
24.6.3 Detailed Calculations of CPU Requirements
24.7 Summary of Capacity Plan for Acme Corporation
25 Tuning Considerations for the Directory
25.1 About Tuning
25.2 Tools for Performance Tuning
25.3 CPU Usage Tuning
25.3.1 Tuning CPU for Oracle Internet Directory Processes
25.3.2 Tuning CPU for Oracle Foreground Processes
25.3.3 Taking Advantage of Processor Affinity on SMP Systems
25.3.4 Other Alternatives for a CPU Constrained System
25.4 Memory Tuning
25.4.1 Tuning the System Global Area (SGA) for the Oracle Database
25.4.2 Other Alternatives for a Memory-Constrained System
25.4.3 Tuning Security Event Tracking
25.4.3.1 Tuning Memory Allocated for Event Tracking
25.4.3.2 Tuning Memory Used for Each Operation
25.5 Disk Tuning
25.6 Database Tuning
25.6.1 Required Parameters
25.6.2 Parameters Dependent on Oracle Internet Directory Server Configuration
25.6.2.1 Using Shared Server Process
25.6.3 SGA Parameters Dependent on Hardware Resources
25.7 Entry Caching
25.8 Caching of Connection DNs
25.9 Optimizing Searches
25.9.1 Optimizing Subtree Searches
25.9.2 Optimizing Searches for Large Group Entries
25.9.2.1 Entry Cache Enabled Configuration
25.9.2.2 Entry Cache Disabled Configuration
25.9.3 Optimizing Searches for Skewed Attributes
25.9.3.1 Optimizing Searches for Skewed Attributes by Using Oracle Directory Manager
25.9.3.2 Optimizing Searches for Skewed Attributes by Using ldapmodify
25.10 Setting the Time Limit Mode
25.10.1 Setting the Time Limit Mode by Using Oracle Directory Manager
25.10.2 Setting the Time Limit Mode by Using ldapmodify
25.11 Setting the Timeout for Client/Server Connections
25.12 Setting the Timeout for Write Operations
26 Garbage Collection in Oracle Internet Directory
26.1 About the Oracle Internet Directory Garbage Collection Framework
26.1.1 Components of the Oracle Internet Directory Garbage Collection Framework
26.1.1.1 Garbage Collection Plug-in
26.1.1.2 Background Database Processes
26.1.2 How Oracle Internet Directory Garbage Collection Works
26.1.3 Garbage Collector Entries and the Oracle Internet Directory Statistics Collector Entry
26.1.4 Change Log Purging in Multimaster Replication
26.2
Modifying Oracle Internet Directory Garbage Collectors
26.2.1
Modifying a Garbage Collector by Using Oracle Directory Manager
26.2.2
Modifying a Garbage Collector by Using Command-Line Tools
26.2.2.1
Example 1: Modifying a Garbage Collector
26.2.2.2
Example 2: Disabling a Garbage Collector Change Log
26.2.3
Modifying the Oracle Internet Directory Statistics Collector
26.3
Enabling, Disabling, and Monitoring Logging for Oracle Internet Directory Garbage Collectors
26.3.1
Enabling Logging for Oracle Internet Directory Garbage Collectors
26.3.2
Disabling Logging for Oracle Internet Directory Garbage Collectors
26.3.3
Monitoring Garbage Collection Logging
27
Migration of Data from Other Data Repositories
27.1
The Default Directory Structure of Oracle Internet Directory
27.2
Migrating Data from LDAP-Compliant Directories
27.2.1
Tools
27.2.1.1
bulkload
27.2.1.2
dipassistant
27.2.1.3
Oracle Directory Integration Platform Server
27.2.2
Common Usage Scenarios
27.2.2.1
Scenario 1: Using an LDIF File and bulkload
27.2.2.2
Scenario 2: Using dipassistant Directly
27.2.2.3
Scenario 3: Using an LDIF File and dipassistant
27.2.2.4
Scenario 4: Using dipassistant, bulkload, and LDIF Files
27.2.2.5
Scenario 5: Using the Oracle Directory Integration Platform Server
27.2.3
Tasks For Migrating Data from LDAP-Compliant Directories
27.2.3.1
Task 1: Export Data from the Non-Oracle Internet Directory Server into LDIF File Format
27.2.3.2
Task 2: Analyze the LDIF User Data for Any Required Schema Additions Referenced in the LDIF Data
27.2.3.3
Task 3: Extend the Schema in Oracle Internet Directory
27.2.3.4
Task 4: Remove Any Proprietary Directory Data from the LDIF File
27.2.3.5
Task 5: Remove Operational Attributes from the LDIF File
27.2.3.6
Task 6: Remove Incompatible userPassword Attribute Values from the LDIF File
27.2.3.7
Task 7: Run the bulkload check="TRUE" Mode and Determine Any Remaining Schema Violations or Duplication Errors
27.3
Migrating User Data from Application-Specific Repositories
27.3.1
The Intermediate Template File
27.3.2
Reconciling Data in Application Repository with Data Already in Oracle Internet Directory
27.3.3
Tasks For Migrating Data from Application-Specific Repositories
27.3.3.1
Task 1: Create an Intermediate Template File
27.3.3.2
Task 2: Run the OID Migration Tool
28
Server Chaining
28.1
Supported External Servers
28.2
Integrated Oracle Products
28.3
Supported Operations
28.4
Server Chaining with Replication
28.5
Configuring Server Chaining
28.5.1
Configuring Server Chaining from the Command Line
28.5.2
Configuring Server Chaining by Using Oracle Directory Manager
28.5.3
Requirements for User and Group Containers
28.5.4
Attribute Mapping
28.6
Server Chaining Configuration Entries
28.6.1
Configuration Entry Attributes
28.6.2
Active Directory Example
28.6.3
Sun Java System Directory Server (iPlanet) Example
28.7
Debugging Server Chaining
Part V Directory Replication
29
Oracle Internet Directory Replication Concepts
29.1
Replication Concepts
29.1.1
Content to be Replicated: Full or Partial
29.1.2
Direction: One-Way or Two-Way
29.1.3
Transport Mechanism: Advanced Database Replication or LDAP
29.1.4
Directory Replication Group (DRG) Types
29.2
Directory Replication Groups
29.2.1
Data Transfer Between Nodes in a Directory Replication Group
29.2.2
Single-Master Replication Groups
29.2.3
Multimaster Replication Groups
29.2.4
Fan-Out Replication Groups
29.2.5
Types of Directory Replication Compared
29.2.6
Multimaster Replication with Fan-Out
29.3
Replication Configuration Objects in the Directory
29.3.1
The Replication Configuration Container
29.3.2
The Replica Subentry
29.3.3
The Replication Agreement Entry
29.3.3.1
Replication Agreement Entry Attributes
29.3.3.2
Advanced Replication Agreements
29.3.3.3
LDAP Replication Agreements
29.3.3.4
Two-Way LDAP Replication Agreements
29.3.4
The Replication Naming Context Container Entry
29.3.5
The Replication Naming Context Object Entry
29.3.6
Directory Replication Server Configuration Parameters
29.3.7
Examples of Replication Configuration Objects in the Directory
29.4
Replication Security
29.4.1
Authentication and the Directory Replication Server
29.4.2
Secure Sockets Layer (SSL) and Oracle Internet Directory Replication
29.5
Change Logs in Directory Replication
29.6
Oracle Database Advanced Replication
29.6.1
Features of Oracle Database Advanced Replication
29.6.2
Architecture for Oracle Advanced Database Replication
29.7
LDAP-Based Replication
29.8
Conflict Resolution in Oracle Replication
29.8.1
Levels at Which Replication Conflicts Occur
29.8.2
Typical Causes of Conflicts
29.8.3
Automated Resolution of Conflicts
29.9
Replication Failover
29.10
Included and Excluded Naming Contexts in Partial Replication
29.11
Oracle Database Advanced Replication Filtering
29.12
LDAP Replication Filtering
29.12.1
Rules for LDAP Replication Filtering
29.12.2
Examples of LDAP Replication Filtering
29.12.3
Rules for Managing Naming Contexts and Attributes
29.12.4
Optimization of Partial Replication Naming Context for Better Performance
30
Oracle Internet Directory Replication Installation and Configuration
30.1
Oracle Internet Directory Versions and Replication
30.2
Preliminary Information for Installing and Configuring a Replication Group
30.2.1
Oracle Internet Directory Installation
30.2.2
If You are Installing Oracle Internet Directory as a Master
30.2.3
If You are Installing Oracle Internet Directory as an Advanced Replication-Based Replica or as a One-Way or Two-Way LDAP-Based Replica
30.2.4
The Replication Environment Management Tool
30.3
Installing and Configuring Multimaster Replication
30.3.1
Rules for Configuring Directory Replication Based on Oracle Database Advanced Replication
30.3.2
Installing and Configuring a Multimaster Replication Group
30.3.2.1
Task 1: Install Oracle Internet Directory as a Master on the Master Definition Site (MDS)
30.3.2.2
Task 2: Install the Oracle Internet Directory as a Replica, on the Remote Master Sites (RMS)
30.3.2.3
Task 3: Set Up Oracle Database Advanced Replication for a Directory Replication Group
30.3.2.4
Task 4 (Optional): Load Data into the Directory
30.3.2.5
Task 5: Ensure that Oracle Directory Server Instances are Started on All the Nodes
30.3.2.6
Task 6: Start the Replication Servers on All Nodes in the DRG
30.3.2.7
Task 7: Test Directory Replication
30.3.3
Adding a Node for Multimaster Replication (Oracle Database Advanced Replication Types Only)
30.3.3.1
Prepare the Oracle Net Services Environment
30.3.3.2
Task 1: Stop the Directory Replication Server on All Nodes
30.3.3.3
Task 2: Identify a Sponsor Node and Install Oracle Internet Directory as a Replica on the Remote Site
30.3.3.4
Task 3: Switch the Sponsor Node to Read-Only Mode
30.3.3.5
Task 4: Back up the Sponsor Node by Using ldifwrite
30.3.3.6
Task 5: Perform Advanced Replication Add Node Setup
30.3.3.7
Task 6: Switch the Sponsor Node to Updatable Mode
30.3.3.8
Task 7: Start the Directory Replication Server on All Nodes Except the New Node
30.3.3.9
Task 8: Load Data into the New Node by Using bulkload
30.3.3.10
Task 9: Start the Directory Server on the New Node
30.3.3.11
Task 10: Start the Directory Replication Server on the New Node
30.3.4
Deleting a Node from a Multimaster Replication Group
30.3.4.1
Task 1: Stop the Directory Replication Server on All Nodes
30.3.4.2
Task 2: Stop All Oracle Internet Directory Processes in the Node to be Deleted
30.3.4.3
Task 3: Delete the Node from the Master Definition Site
30.3.4.4
Task 4: Start the Directory Replication Server on All Nodes
30.4
Installing and Configuring One-Way or Two-Way LDAP-Based Replication
30.4.1
Rules for Configuring LDAP-Based Replication
30.4.2
Back Up Your LDAP Data by Using ldifwrite and bulkload
30.4.3
Installing and Configuring a One-Way or Two-Way LDAP Replica with Default Settings
30.4.3.1
Task 1: Identify and Start the Directory Server on the Supplier Node
30.4.3.2
Task 2: Install Oracle Internet Directory as an LDAP Replica
30.4.3.3
Task 3: Ensure the Directory Replication Servers are Started
30.4.4
Installing and Configuring an LDAP-Based Replica with Customized Settings
30.4.4.1
Configuring an LDAP-Based Replica by Using Automatic Bootstrapping
30.4.4.2
Configuring an LDAP-Based Replica by Using the ldifwrite Tool
30.4.5
Password Policy and Fan-out Replication
30.4.6
Deleting an LDAP-Based Replica
30.4.6.1
Task 1: Stop the Directory Replication Server on the Node to be Deleted
30.4.6.2
Task 2: Delete the Replica from the Replication Group
30.4.6.3
Task 3: Stop the Directory Server on the Node to be Deleted
30.4.7
Determining What Is to Be Replicated in LDAP-Based Partial Replication
30.4.7.1
Viewing and Modifying Replica Naming Context Objects by Using Oracle Directory Manager
30.4.7.2
Adding Replica Naming Context Objects by Using Oracle Directory Manager
30.4.7.3
Deleting Replica Naming Context Objects by Using Oracle Directory Manager
30.4.7.4
Modifying Replica Naming Context Object Parameters by Using ldapmodify
30.5
Resolving Conflicts Manually in a Replication Group
30.5.1
Monitoring Replication Change Conflicts
30.5.2
Examples of Conflict Resolution Messages
30.5.3
About the Human Intervention Queue Manipulation Tool
30.5.4
About the Oracle Internet Directory Comparison and Reconciliation Tool
30.6
Example: Installing and Configuring a Multimaster Replication Group with Fan-Out
30.7
Configuring Replication Failover
30.7.1
Limitations and Warnings for Replication Failover
30.7.2
Determining Which Type of Replication Failover to Use
30.7.3
Performing a Stateless Replication Failover
30.7.3.1
Task 1: Stop All Directory Replication Servers on Related Nodes
30.7.3.2
Task 2: Break Old Replication Agreement and Setup New Agreement
30.7.3.3
Task 3: Save Last Change Number
30.7.3.4
Task 4: Compare and Reconcile New Supplier and Consumer
30.7.3.5
Task 5: Update Last Applied Change Number of New Agreement
30.7.3.6
Task 6: Clean Up Old Agreement on Old Supplier
30.7.3.7
Task 7: Start All Directory Replication Servers on Related Nodes
30.7.4
Performing a Time-Based Replication Failover
30.7.4.1
Task 1: Configure Change Log Garbage Collection Object on New Supplier
30.7.4.2
Task 2: Save Last Change Number from New Supplier
30.7.4.3
Task 3: Enable Change Log Regeneration on New Supplier
30.7.4.4
Task 4: Wait for the Desired Time Period to Elapse
30.7.4.5
Task 5: Stop all Directory Replication Servers on Related Nodes
30.7.4.6
Task 6: Break Old Replication Agreement and Set Up New Agreement
30.7.4.7
Task 7: Update Last Applied Change Number of New Agreement
30.7.4.8
Task 8: Clean Up Old Agreement on Old Supplier
30.7.4.9
Task 9: Start All Directory Replication Servers on Related Nodes
31
Oracle Internet Directory Replication Monitoring and Management
31.1
Viewing and Modifying Directory Replication Server Configuration Parameters
31.1.1
Viewing Configuration Parameters of the Directory Replication Server by Using Oracle Directory Manager
31.1.2
Modifying Configuration Parameters of the Directory Replication Server by Using Oracle Directory Manager
31.1.3
Modifying Directory Replication Server Configuration Parameters by Using Command-Line Tools
31.2
Viewing and Modifying Parameters for Particular Replica Nodes
31.2.1
Viewing and Modifying Parameters for a Particular Replica Node by Using Oracle Directory Manager
31.2.2
Modifying a Particular Replica Node by Using Command-Line Tools
31.3
Modifying Parameters for Replication Agreements
31.3.1
Modifying Parameters for Replication Agreements Based on Oracle Database Advanced Replication
31.3.1.1
Viewing and Modifying Replication Agreements Based on Oracle Database Advanced Replication by Using Oracle Directory Manager
31.3.1.2
Managing Replication Agreements Based on Advanced Replication by Using ldapmodify
31.3.2
Modifying Parameters for Replication Agreements Based on LDAP
31.3.2.1
Viewing and Modifying LDAP-Based Replication Agreement Parameters by Using Oracle Directory Manager
31.3.2.2
Modifying LDAP-Based Replication Agreement Parameters by Using ldapmodify
31.4
Changing the Replication Administrator's Password on All Nodes Using Oracle Database Advanced Replication
31.5
Managing the Change Log
31.6
Modifying the Speed of Directory Replication
31.6.1
Modifying the Speed of Directory Replication When Using Oracle Database Advanced Replication
31.6.2
Modifying the Speed of Directory Replication When Using LDAP-Based Replication
31.7
Managing and Monitoring Topology
31.8
The Compare and Reconcile Tool
31.8.1
Conflict Scenarios
31.8.2
Operations Supported by oidcmprec
31.8.3
Output from oidcmprec
31.8.4
How oidcmprec Works
31.8.5
Setting the Source and Destination Directories
31.8.6
Selecting the DIT for the Operation
31.8.7
Selecting the Attributes for the Operation
31.8.8
Controlling Change Log Generation
31.8.9
Using a Parameter File
31.8.10
Including Directory Schema
31.8.11
Overriding Predefined Conflict Resolution Rules
31.8.12
Using the User-Defined Compare and Reconcile Operation
31.8.13
Known Limitations of the oidcmprec Tool
Part VI Directory Plug-ins
32
Oracle Internet Directory Server Plug-in Framework
32.1
About Directory Server Plug-ins
32.2
LDAP Operations and Timings Supported by the Directory
32.2.1
Pre-Operation Server Plug-ins
32.2.2
Post-Operation Server Plug-ins
32.2.3
When-Operation Server Plug-ins
32.2.4
When_Replace-Operation Server Plug-ins
32.3
Creating Plug-ins
32.4
Registering and Managing Plug-ins
32.4.1
Registering and Managing Plug-ins by Using Oracle Directory Manager
32.4.1.1
Adding a Plug-in Configuration Entry by Using Oracle Directory Manager
32.4.1.2
Editing a Plug-in by Using Oracle Directory Manager
32.4.1.3
Deleting a Plug-in by Using Oracle Directory Manager
32.4.2
Registering and Managing Plug-ins by Using Command-Line Tools
32.4.2.1
Example: Adding a Plug-in Configuration Entry by Using Command-Line Tools
32.4.2.2
Example: Modifying a Plug-in Configuration Entry by Using Command-Line Tools
32.4.2.3
Example: Deleting a Plug-in Configuration Entry by Using Command-Line Tools
33
Oracle Internet Directory Plug-In for Password Policies
33.1
How the Password Policy Plug-in Works
33.2
Example: Installing, Configuring, and Enabling a Customized Password Policy Plug-in
33.2.1
Loading and Registering the PL/SQL Program
33.2.2
Coding the Password Policy Plug-in
33.2.3
Debugging the Password Policy Plug-in
33.2.4
Contents of Sample PL/SQL Package pluginpkg.sql
34
Setting Up the Customized External Authentication Plug-in
34.1
Native Authentication Contrasted with External Authentication
34.2
Example: Installing, Configuring, and Enabling the External Authentication Plug-in
34.2.1
Sample PL/SQL Package oidexaup.sql
34.2.2
Debugging the External Authentication Plug-in
34.2.3
Contents of PL/SQL Package oidexaup.sql
Part VII Appendixes
A
Windows and Fields in Oracle Directory Manager
A.1
Connection Management Fields in Oracle Directory Manager
A.2
Access Control Management Fields in Oracle Directory Manager
A.3
Attribute Uniqueness Fields in Oracle Directory Manager
A.4
Garbage Collection Management Fields in Oracle Directory Manager
A.5
Oracle Internet Directory Statistics Collection Management Fields in Oracle Directory Manager
A.6
Password Policy Fields in Oracle Directory Manager
A.7
Password Verifier Fields in Oracle Directory Manager
A.8
Plug-in Management Fields in Oracle Directory Manager
A.9
Replication Fields in Oracle Directory Manager
A.10
Schema Management Fields in Oracle Directory Manager
A.10.1
Object Classes Fields in Oracle Directory Manager
A.10.2
Attributes Fields in Oracle Directory Manager
A.10.3
Matching Rules Fields in Oracle Directory Manager
A.10.4
Content Rules Management Fields in Oracle Directory Manager
A.11
Server Management Fields in Oracle Directory Manager
A.11.1
Configuration Sets Fields in Oracle Directory Manager
A.11.2
System Operational Attributes Fields in Oracle Directory Manager
A.11.3
Super, Guest, and Proxy User Fields in Oracle Directory Manager
A.11.4
Query Optimization Fields in Oracle Directory Manager
A.11.5
Entry Search Fields and Buttons in Oracle Directory Manager
A.12
SSL Management Fields in Oracle Directory Manager
A.13
Synchronization Fields in Oracle Directory Manager
A.14
Server Chaining Management
B
The LDAP Filter Definition
C
The Access Control Directive Format
C.1
Schema for orclACI
C.2
Schema for orclEntryLevelACI
D
Globalization Support in the Directory
D.1
About Character Sets and the Directory
D.1.1
About Unicode
D.1.2
About Oracle and UTF-8
D.1.3
Migration from UTF8 to AL32UTF8 when Upgrading Oracle Internet Directory
D.2
The NLS_LANG Environment Variable
D.3
Using Non-AL32UTF8 Databases
D.4
Using Globalization Support with LDIF Files
D.4.1
An LDIF file Containing Only ASCII Strings
D.4.2
An LDIF file Containing UTF-8 Encoded Strings
D.4.2.1
CASE 1: Native Strings (Non-UTF-8)
D.4.2.2
CASE 2: UTF-8 Strings
D.4.2.3
CASE 3: BASE64 Encoded UTF-8 Strings
D.4.2.4
CASE 4: BASE64 Encoded Native Strings
D.5
Using Globalization Support with Command-Line LDAP Tools
D.5.1
Specifying the -E Argument When Using Each Tool
D.5.2
Examples: Using the -E Argument with Command-Line LDAP Tools
D.6
Setting NLS_LANG in the Client Environment
D.7
Using Globalization Support with Bulk Tools
D.7.1
Using Globalization Support with bulkload
D.7.2
Using Globalization Support with ldifwrite
D.7.3
Using Globalization Support with bulkdelete
D.7.4
Using Globalization Support with bulkmodify
E
Setting up Access Controls for Creation and Search Bases for Users and Groups
E.1
Setting up Access Controls for the User Search Base and the User Creation Base
E.2
Setting up Access Controls for the Group Search Base and the Group Creation Base
F
The Multimaster Replication Process
F.1
How the Multimaster Replication Process Adds a New Entry to a Consumer
F.2
How the Multimaster Replication Process Deletes an Entry
F.3
How the Multimaster Replication Process Modifies an Entry
F.4
How the Multimaster Replication Process Modifies a Relative Distinguished Name
F.5
How the Multimaster Replication Process Modifies a Distinguished Name
G
Searching the Directory for User Certificates
G.1
Certificate Mapping
G.2
Search Types
H
LDAP Replica States
I
Addition of a Directory Node by Using the Database Copy Procedure
I.1
Definitions
I.2
Prerequisites
I.3
Sponsor Directory Site Environment
I.4
New Directory Site Environment
I.5
Preliminary Tasks To Be Performed on the New Node
I.6
Addition of an Oracle Advanced Database Replication-Based Directory Node
I.6.1
Tasks To Be Performed on the Sponsor Advanced Replication Node
I.6.2
Tasks To Be Performed on the New Advanced Replication Node
I.6.3
Verification of an Advanced Replication-Based Replica Node
I.7
Addition of an LDAP Replication-Based Directory Node
I.7.1
Tasks To Be Performed on the Sponsor LDAP Replication Node
I.7.2
Tasks To Be Performed on the New LDAP Replication Node
I.7.3
Verification of an LDAP-Based Replica Node
J
UNIX Authentication and User Provisioning with Oracle Internet Directory
J.1
Schema Customization
J.2
UID Attribute Issues
K
RFCs Supported by Oracle Internet Directory
L
Troubleshooting Oracle Internet Directory
L.1
Problems and Solutions
L.1.1
Installation Errors
L.1.2
TCP/IP Problems
L.1.2.1
Do Not Use TCP-Based Monitoring of Oracle Internet Directory Server Availability on Microsoft Windows Server 2003
L.1.2.2
Do Not Install DiamondCS Port Explorer
L.1.3
Directory Server Error Messages and Causes
L.1.3.1
Oracle Database Server Error Due to Interrupted Client Connection
L.1.3.2
Oracle Database Server Error Due to Schema Modifications
L.1.3.3
Constraint Violation Error Due to Editing a User or Group or Creating a Realm
L.1.3.4
Standard Error Messages Returned from Oracle Directory Server
L.1.3.5
Additional Directory Server Error Messages
L.1.4
Troubleshooting Password Policies
L.1.4.1
Password Policy Error Messages
L.1.5
Troubleshooting Directory Performance
L.1.5.1
Poor LDAP Search Performance
L.1.5.2
Poor LDAP Add or Modify Performance
L.1.6
Troubleshooting Starting, Stopping, and Restarting of the Directory Server
L.1.6.1
About the Tools for Starting, Stopping, and Restarting the Directory Server Instance
L.1.6.2
Problems Starting, Stopping, and Restarting the Directory Server
L.1.7
Troubleshooting Oracle Internet Directory Replication
L.1.7.1
Replication Server Does Not Start
L.1.7.2
Repository Creation Assistant Error
L.1.7.3
Errors in Replication Bootstrap
L.1.7.4
Changes Are Not Replicated
L.1.7.5
Replication Stops Working
L.1.8
Troubleshooting SSL Setup
L.1.9
Troubleshooting Change Log Garbage Collection
L.1.9.1
Change Logs Are Not Purged
L.1.10
Troubleshooting Dynamic Password Verifiers
L.1.11
Troubleshooting Oracle Internet Directory Password Wallets
L.1.11.1
Oracle Internet Directory Server Does Not Start
L.1.11.2
Password Not Synchronized
L.1.12
Troubleshooting bulkload
L.1.13
Troubleshooting bulkdelete and bulkmodify
L.1.14
Troubleshooting catalog
L.2
Need More Help?
Glossary
Index