| Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01 |
|
|
View PDF |
| Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01 |
|
|
View PDF |
You can use Oracle Internet Directory as a centralized directory for user authentication and authorization in a UNIX or Linux environment. The advantages of doing so include:
Oracle Internet Directory replaces the traditional /etc/passwd file or Network Information System/Yellow Pages (NIS/YP)
Password policy enforcement is easier
Users can be classified into multiple privilege groups and managed with different privileges, depending on the server or service that they are using.
The Oracle White Paper Centralizing UNIX Authentication and User Provisioning with Oracle Internet Directory describes, in detail, the steps required to implement this solution. That document provides nearly complete information on using Oracle Internet Directory with Pluggable Authentication Modules (PAM). You should, however, read this appendix in addition to the white paper. This appendix includes the following sections:
In 10g Release 2 (10.1.2) and later releases, you need not customize the schema as described in the white paper. The necessary attributes and object classes are available in a standard Oracle Internet Directory installation. One potential exception is the customized login attribute. You might need to add a custom login attribute to the schema, as explained in the next section.
By default, Oracle products, such as OracleAS Portal, use the Oracle Internet Directory attribute uid for authentication and authorization. Also by default, UNIX-based operating systems and PAM use the attribute uid for authentication and authorization. Unfortunately, Oracle and UNIX have different requirements for acceptable uid strings. For example, the email address, user@address is a common uid format in Oracle Internet Directory installations. UNIX, however, does not allow the @ character in a uid. There are two ways to deal with this discrepancy:
Use a custom login attribute for PAM authentication and authorization. This requires a modification to the Oracle Internet Directory schema, as well as modifications to PAM. See the Oracle White Paper Centralizing UNIX Authentication and User Provisioning with Oracle Internet Directory for more information.
Use the Oracle Internet Directory uid attribute with UNIX, but choose an alternative format to the email address. For example, you could use a short user name such as jsmith.
