Oracle® Content Database Administrator's Guide for Oracle WebCenter Suite
10g (10.1.3.2)

Part Number B32191-01

5 Managing Oracle Content DB Users

Oracle Content DB supports three types of user repository: Oracle Internet Directory, a third-party LDAP solution (such as iPlanet or Open LDAP), or a file-based user repository. This chapter explains how to use each type of user repository with Oracle Content DB.

This chapter contains the following topics:

  • Using Oracle Internet Directory with Oracle Content DB

  • Using a Third-Party LDAP Server with Oracle Content DB

  • Using a File-Based User Repository with Oracle Content DB

  • User Provisioning in Oracle Content DB

  • Deleting Users in Oracle Content DB

  • Updating User Information in the Oracle Content DB Web Client

Using Oracle Internet Directory with Oracle Content DB

You can use Oracle Internet Directory, part of Oracle Identity Management, as the user repository for Oracle Content DB. Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines LDAP Version 3 with the high performance, scalability, robustness, and availability of an Oracle Database.

To use Oracle Internet Directory as your Oracle Content DB user repository, you must first install OracleAS Infrastructure, which contains Oracle Identity Management. You must install at least Oracle Internet Directory. Then, provide required details about Oracle Internet Directory during Oracle Content DB installation.

This section provides the following topics:

  • Logging In to Oracle Content DB for the First Time

  • Managing Users in Oracle Internet Directory

Logging In to Oracle Content DB for the First Time

If you are using Oracle Internet Directory as the user repository for Oracle Content DB, use the orcladmin user name and password to log in to Oracle Content DB for the first time. This user has all the application administration roles.

After you have created additional users in Oracle Internet Directory, and after those users have logged in to Oracle Content DB, you can delegate application administration roles to other users, as needed.

Managing Users in Oracle Internet Directory

You can use a variety of administration tools to manage users in Oracle Internet Directory. For example, you can use Oracle Internet Directory command-line tools like ldapadd and ldapmodify, you can use the Oracle Internet Directory Self-Service Console (oiddas), or you can use Oracle Directory Manager.


See Also:

  • Oracle Identity Management Guide to Delegated Administration for information about how to use the Oracle Internet Directory Self-Service Console

  • Oracle Identity Management User Reference for information about how to use Oracle Internet Directory command-line tools

  • Oracle Internet Directory Administrator's Guide for information about how to use Oracle Directory Manager


Using a Third-Party LDAP Server with Oracle Content DB

Oracle Content DB supports the following third-party LDAP solutions:

To use a third-party LDAP solution as your user repository for Oracle Content DB, you must first install the third-party LDAP server. Then, provide required details about your third-party LDAP server during Oracle Content DB installation.

For complete information about which third-party LDAP solutions are supported by Oracle Content DB, see Oracle Application Server Certification Information.


Note:

You cannot configure SSL for the connection between Oracle Content DB and a third-party LDAP server during installation. You can only set up SSL for the connection between Oracle Content DB and a third-party LDAP server after installation. See "Setting Up Server Only SSL Between Oracle Content DB and Your LDAP Server" for more information.

This section contains the following topics:

  • Logging In to Oracle Content DB for the First Time

  • Managing Users in a Third-Party LDAP Solution

Logging In to Oracle Content DB for the First Time

If you are using a third-party LDAP server as the user repository for Oracle Content DB, use the user name and password you provided during Oracle Content DB installation to log in to Oracle Content DB for the first time. This user has all the application administration roles.

After you have created additional users in your user repository, and after those users have logged in to Oracle Content DB, you can delegate application administration roles to other users, as needed.

Managing Users in a Third-Party LDAP Solution

Use the administration tools provided for your third-party LDAP user repository to create, modify, and delete users. Refer to the documentation for your LDAP server for more information.

Using a File-Based User Repository with Oracle Content DB

You can choose to use a file-based user repository with Oracle Content DB. File-based user repositories store user data in a file on each middle-tier computer. To use a file-based user repository as your user repository for Oracle Content DB, select File-Based in the Specify User Repository screen during Oracle Content DB installation.

This section contains the following topics:

  • Logging In to Oracle Content DB for the First Time

  • Using a File-Based User Repository with Multiple Oracle Content DB Middle Tiers

  • Managing Users in a File-Based User Repository

Logging In to Oracle Content DB for the First Time

If you are using a file-based user repository with Oracle Content DB, use the contentadmin user name to log in to Oracle Content DB for the first time. The password for this user is the same as the Oracle Content DB schema password. This user has all the application administration roles.

After you have created additional users, and after those users have logged in to Oracle Content DB, you can delegate application administration roles to other users, as needed.

Using a File-Based User Repository with Multiple Oracle Content DB Middle Tiers

LDAP-based user repositories, such as Oracle Internet Directory and third-party LDAP solutions, provide a centralized user list against which users are authenticated. In contrast, file-based user repositories store user lists on each middle tier in the jazn-data.xml file. The jazn-data.xml file is located in ORACLE_HOME/content/settings.

Because of this, if you have multiple Oracle Content DB middle tiers, you must ensure that the jazn-data.xml files on each middle tier are kept in sync. For example, when you add, modify, or delete users in a file-based user repository, you must add, modify, or delete them on each middle tier.

Because of this limitation, using a file-based user repository is not recommended for production systems. You should use Oracle Internet Directory or a third-party LDAP solution for production deployments of Oracle Content DB.
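The drift described above is easy to detect mechanically. The following script is an added example, not code from this guide or from the product: it parses a copy of jazn-data.xml from each middle tier and reports every user that is not defined on all of them. The two jazn-data.xml fragments are constructed for the example, and their element layout (jazn-realm / realm / name, realm / users / user / name) is an assumption about the OC4J file format; the realm name ContentDB and the rule against slashes in user names come from this chapter. On a real system you would read ORACLE_HOME/content/settings/jazn-data.xml from each middle tier instead of the inline strings.

```python
"""Check that the file-based user repository (jazn-data.xml) is identical on
every Oracle Content DB middle tier.

Added example, not code from the Oracle guide or the product. The element
layout used below is an assumption about the OC4J jazn-data.xml format; the
realm name ContentDB comes from the guide.
"""
import xml.etree.ElementTree as ET

# Constructed sample files for two middle tiers that have drifted apart:
# jane.doe exists only on mt1, bob and svc/backup only on mt2.
TIER_FILES = {
    "mt1": """<jazn-data>
  <jazn-realm>
    <realm>
      <name>ContentDB</name>
      <users>
        <user><name>contentadmin</name><credentials>PLACEHOLDER</credentials></user>
        <user><name>john.smith</name><credentials>PLACEHOLDER</credentials></user>
        <user><name>jane.doe</name><credentials>PLACEHOLDER</credentials></user>
      </users>
    </realm>
  </jazn-realm>
</jazn-data>""",
    "mt2": """<jazn-data>
  <jazn-realm>
    <realm>
      <name>ContentDB</name>
      <users>
        <user><name>contentadmin</name><credentials>PLACEHOLDER</credentials></user>
        <user><name>john.smith</name><credentials>PLACEHOLDER</credentials></user>
        <user><name>bob</name><credentials>PLACEHOLDER</credentials></user>
        <user><name>svc/backup</name><credentials>PLACEHOLDER</credentials></user>
      </users>
    </realm>
  </jazn-realm>
</jazn-data>""",
}


def realm_users(xml_text, realm="ContentDB"):
    """Return the set of user names defined in the named realm."""
    root = ET.fromstring(xml_text)
    for r in root.iter("realm"):
        if r.findtext("name") == realm:
            return {u.findtext("name") for u in r.iter("user")}
    raise ValueError(f"realm {realm!r} not found")


def find_drift(tier_files, realm="ContentDB"):
    """Map each user name that is not present on every tier to the tiers
    where it is missing. An empty dict means the tiers are in sync."""
    per_tier = {tier: realm_users(text, realm) for tier, text in tier_files.items()}
    everyone = set().union(*per_tier.values())
    drift = {}
    for user in sorted(everyone):
        missing = sorted(t for t, users in per_tier.items() if user not in users)
        if missing:
            drift[user] = missing
    return drift


def invalid_names(tier_files, realm="ContentDB"):
    """Map each tier to the user names containing '/', which the guide says
    must not be created."""
    bad = {}
    for tier, text in tier_files.items():
        names = sorted(n for n in realm_users(text, realm) if "/" in n)
        if names:
            bad[tier] = names
    return bad


if __name__ == "__main__":
    for user, tiers in find_drift(TIER_FILES).items():
        print(f"{user}: missing on {', '.join(tiers)}")
    for tier, names in invalid_names(TIER_FILES).items():
        print(f"{tier}: names containing '/': {', '.join(names)}")
```

Run it after every add, modify, or delete on a file-based repository; a non-empty drift report means a user will authenticate on one middle tier and be rejected on another.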

Managing Users in a File-Based User Repository

You can use the Application Server Control to manage users in a file-based user repository (recommended), or you can use the OracleAS JAAS Provider Admintool.

Using the Application Server Control to Manage Users

Using the Application Server Control is the best way to manage users in a file-based user repository. For example, to add users using the Application Server Control, follow these steps:

  1. Connect to the Application Server Control.

  2. On the Cluster Topology page, in the Members table, click the OC4J_Content link.

  3. Click the Administration tab.

  4. In the Security Providers table row, under the Security heading, click the Go to Task icon.

  5. In the Application Level Security section, in the content table row, click the Edit icon. Do not click the content link.

  6. Click the Realms tab.

  7. For the ContentDB realm, in the Users column, click the number that shows how many users are in the realm.

  8. Click Create.

  9. Fill in the fields, as necessary. Do not create user names that contain the slash (/) character.

  10. If you have multiple middle tiers, repeat these steps for the OC4J_Content instances for the other middle tiers.


See Also:

Oracle Containers for J2EE Security Guide for full information on using the Application Server Control to manage users in a file-based user repository

Using the OracleAS JAAS Provider Admintool to Manage Users

You can use the OracleAS JAAS Provider Admintool to manage users in a file-based user repository. The Admintool is a lightweight Java application that provides administration for users, roles, policies, and login modules for a file-based user repository. However, you must restart OC4J_Content for changes made by the Admintool to take effect.

You can add, modify, and delete users with the Admintool even if Oracle Content DB is not running.

Admintool functions can be called directly from the command line, or through an interactive shell. The Admintool is located in ORACLE_HOME/j2ee/home/jazn.jar.

The general command-line syntax is as follows:

% java -jar jazn.jar [-user username -password pwd] [option1 option2 ... ]

The following example shows how to add a user through the interactive shell:

% java -jar jazn.jar -shell
AbstractLoginModule username : oc4jadmin
AbstractLoginModule password : admin_password
JAZN:> adduser jazn.com user_name user_password

See Also:

Oracle Containers for J2EE Security Guide for full information on using the OracleAS JAAS Provider Admintool

User Provisioning in Oracle Content DB

User provisioning is done on-demand the first time a user logs in to Oracle Content DB. Because users are not provisioned until they log in for the first time, they may not be available in Oracle Content DB even though they exist in the user repository.

For example, after you add a user to your user repository, you may want to add that user to a particular Library in Oracle Content DB. However, you will not be able to search for and add the user until after the user has logged in for the first time.

All user searches in Oracle Content DB are made against the list of users who have already been provisioned in Oracle Content DB. User searches are not made against the actual user repository.

Deleting Users in Oracle Content DB

After you delete users in your user repository, you must run the deleteuser script to remove the users from the Oracle Content DB schema. You must run this script regardless of whether you are using Oracle Internet Directory, a third-party LDAP solution, or a file-based user repository.

Running the deleteuser Script

The deleteuser script is located in:

ORACLE_HOME/content/bin

To use the script, follow these steps:

  1. Create a text file that lists the names of the users you deleted in your user repository. For example:

    john.smith
    jane.doe

    Note:

    The format of user names can vary, depending on the format used by your user repository (for example, bob, john.smith, or jane.doe@mydomain.com). Make sure to specify user names in the same format as your user repository. In other words, list actual user names that are used to log in to Oracle Content DB.

  2. At the command line, go to ORACLE_HOME/content/bin.

  3. Run the following command:

    ./deleteuser ORACLE_HOME input_file

    For ORACLE_HOME, provide the full path name of the Oracle home. For input_file, provide the name and path of the file you created in Step 1. For example:

    ./deleteuser $ORACLE_HOME $ORACLE_HOME/content/bin/userstobedeleted.txt
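The following script ties the provisioning model from "User Provisioning in Oracle Content DB" to the deleteuser procedure above. It is an added example, not code from this guide or from the product. Given the users currently in the repository and the users already provisioned in Oracle Content DB, it separates the names that still need the deleteuser script (present in the schema, gone from the repository) from the names that have simply never logged in (present in the repository, not yet searchable), and writes the one-name-per-line input file. Both user lists are constructed; the file format, the requirement to use the repository's own name format, and the script location ORACLE_HOME/content/bin come from this chapter.

```python
"""Work out which users still need the deleteuser script run for them, and
write the script's input file.

Added example, not code from the Oracle guide or the product. The two user
lists are constructed; in a real deployment REPOSITORY_USERS is whatever the
user repository currently contains and PROVISIONED_USERS is the list of users
already provisioned in Oracle Content DB (the only list Content DB searches).
"""
import tempfile
from pathlib import Path

# Constructed sample data.
REPOSITORY_USERS = {"orcladmin", "john.smith", "alice.wong", "new.hire"}
PROVISIONED_USERS = {"orcladmin", "john.smith", "jane.doe", "bob"}


def stale_users(repository, provisioned):
    """Users deleted from the repository but still present in the Content DB
    schema: these are the names to hand to deleteuser."""
    return sorted(set(provisioned) - set(repository))


def unprovisioned_users(repository, provisioned):
    """Repository users who have not logged in yet. They cannot be found by a
    Content DB user search until they do, and they need no deleteuser entry."""
    return sorted(set(repository) - set(provisioned))


def write_deleteuser_input(users, path):
    """Write one user name per line, exactly as given (the guide requires the
    same format the repository uses, e.g. jane.doe or jane.doe@mydomain.com).
    Blank names or names containing whitespace are refused rather than
    silently producing a malformed line."""
    for u in users:
        if not u or any(c.isspace() for c in u):
            raise ValueError(f"unusable user name: {u!r}")
    Path(path).write_text("".join(f"{u}\n" for u in users), encoding="utf-8")
    return Path(path)


def build_input_file(repository, provisioned, directory=None):
    """Write the deleteuser input file and return its path. Without a
    directory a temporary one is used so the example runs anywhere."""
    directory = Path(directory) if directory else Path(tempfile.mkdtemp())
    return write_deleteuser_input(stale_users(repository, provisioned),
                                  directory / "userstobedeleted.txt")


def deleteuser_command(oracle_home, input_file):
    """Argument list in the form the guide gives; run it from
    ORACLE_HOME/content/bin."""
    return ["./deleteuser", str(oracle_home), str(input_file)]


if __name__ == "__main__":
    path = build_input_file(REPOSITORY_USERS, PROVISIONED_USERS)
    print("stale (pass to deleteuser):", stale_users(REPOSITORY_USERS, PROVISIONED_USERS))
    print("not yet provisioned:", unprovisioned_users(REPOSITORY_USERS, PROVISIONED_USERS))
    print("input file:", path)
    # "$ORACLE_HOME" is a placeholder the shell would expand, as in the guide.
    print("command:", " ".join(deleteuser_command("$ORACLE_HOME", path)))
```

The "not yet provisioned" list is the operational counterpart of the note in "User Provisioning in Oracle Content DB": those names will not appear in a Library member search until the user's first login, and nothing about them needs cleaning up.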

What Happens to User Content When a User Is Deleted?

Because all files in Oracle Content DB reside in Libraries, users do not own content. All content belongs to the Library in which it is located. When users are deleted from Oracle Content DB, any data that was uploaded by that user remains in the Oracle Content DB repository.

In some cases, you may want to delete the Personal Library of a deleted user. To do this, you must sign on to Oracle Content DB as a user with the Content Administrator role and switch to Administration Mode. You can then navigate to the appropriate Personal Library and delete it.

Updating User Information in the Oracle Content DB Web Client

In the Oracle Content DB Web client, user information appears in two places: in the User Profile screen, which is available only to User Administrators, and in the User Preferences screen, which is available to all users.

User Profile Information

In the Oracle Content DB Web client, in Administration mode, user administrators can view user profile information for each user. The following fields are displayed:

  • User Name

  • First Name

  • Last Name

  • E-mail Address

  • Personal Library

If you are using an LDAP server for your user repository (either Oracle Internet Directory or a third-party LDAP server), some of these values may be provided by the LDAP server. Values provided by the LDAP server are read-only in Oracle Content DB; to update them, you must update the information in the LDAP server. The information is then updated in Oracle Content DB by the User Connect Agent. Alternatively, the user administrator can manually refresh the information for a particular user from the Oracle Content DB Web client.

User profile values that are not provided by the LDAP server can be updated in Oracle Content DB by the User Administrator. These values will exist only in Oracle Content DB and will not exist in the user repository.

User Preferences Information

Similar to user profiles, users can view their preferences in the Oracle Content DB Web client. If you are using an LDAP server for your user repository (either Oracle Internet Directory or a third-party LDAP server), some of these values may be provided by the LDAP server. Values provided by the LDAP server are read-only in Oracle Content DB; in order to update these preferences, the user must update their information in the LDAP server. The information is then updated in Oracle Content DB by the User Connect Agent. Alternatively, the user can manually refresh their profile information from the Oracle Content DB Web client.

User preferences that are not provided by the LDAP server can be updated by the user in Oracle Content DB. These values will exist only in Oracle Content DB and will not exist in the user repository.

Setting the First Name, Last Name, and E-mail Address Attributes

If you are using a file-based user repository as your Oracle Content DB user repository, there is no way to provide the First Name, Last Name, and E-mail Address user profile values when you create users. To set these values, log in to the Oracle Content DB Web client as a User Administrator and switch to Administration mode. Then, access the user profile for each user you added and set these attributes.

End users cannot provide values for the First Name, Last Name, and E-mail Address attributes. Only User Administrators can edit these values.