7 Getting Started With Oracle Internet Directory

This chapter assumes you have installed and configured Oracle Internet Directory as described in: Oracle Fusion Middleware Installation Guide for Oracle Identity Management. This chapter describes the management interfaces and documents the first tasks you must perform as an administrator of Oracle Internet Directory.

It contains the following sections:

7.1 Postinstallation Tasks and Information

Perform these tasks after you complete installation and basic configuration of Oracle Internet Directory.

7.1.1 Setting Up the Environment

Set the environment variables described at the beginning of "Using Command-Line Utilities to Manage Oracle Internet Directory".

7.1.2 Starting and Stopping the Oracle Stack

See Appendix P, "Starting and Stopping the Oracle Stack" for information.

7.1.3 List of Default URLs and Ports

This section lists some default URLs and ports:

URL or Port                                            Default Value
Oracle Directory Services Manager (ODSM)               http://host:7005/odsm
Oracle Enterprise Manager Fusion Middleware Control    host:7001/em/
Oracle WebLogic Server Administrative Console          http://host:7001/console/
Oracle Internet Directory LDAP                         3060
Oracle Internet Directory LDAPS                        3131

7.1.4 Tuning Oracle Internet Directory

The default Oracle Internet Directory configuration must be tuned in almost all deployments. You must change the values of certain configuration attributes, based on your deployment. See "Basic Tuning Recommendations", especially Table 33-1, "Minimum Values for Oracle Database Instance Parameters" and Table 33-2, "LDAP Server Attributes to Tune".

For more information about tuning, see Chapter 33, "Tuning and Sizing Oracle Internet Directory." For descriptions of all the attributes, see Chapter 9, "Managing System Configuration Attributes" and Chapter 39, "Managing Replication Configuration Attributes."

7.1.5 Enabling Anonymous Binds

Anonymous searches, except those on the root DSE, are disabled by default. In some deployment environments, clients might need access to more than the root DSE. If you have such a deployment, set the orclanonymousbindsflag attribute to 1. See "Managing Anonymous Binds" for more information.

7.1.6 Enable Oracle Internet Directory to run on Privileged Ports

On many operating systems, only processes running with superuser privilege can use port numbers less than 1024. By default, Oracle Identity Management 11g Installer does not assign privileged ports to Oracle Internet Directory, although you can override the default by using staticports.ini. (See Oracle Fusion Middleware Installation Guide for Oracle Identity Management.)

If you want to change the SSL and non-SSL ports to numbers in the privileged range after installation, proceed as follows:

  1. As the root user, execute ORACLE_HOME/oidRoot.sh.

  2. Reassign the port numbers in one of the following ways:

  3. If you changed the ports by using the command line, run opmnctl updatecomponentregistration, as described in "Updating the Component Registration of an Oracle Instance by Using opmnctl". (This step is not necessary if you are running a standalone instance of Oracle Internet Directory, as described in "Creating Additional Oracle Internet Directory Instances".)

  4. Restart Oracle Internet Directory, as described in "Restarting the Oracle Internet Directory Server by Using Oracle Enterprise Manager Fusion Middleware Control" or "Restarting the Oracle Internet Directory Server by Using opmnctl".

7.2 Using Oracle Enterprise Manager Fusion Middleware Control to Manage Oracle Internet Directory

Oracle Enterprise Manager Fusion Middleware Control is a graphical user interface that provides a comprehensive systems management platform for Oracle Fusion Middleware. Fusion Middleware Control organizes a wide variety of performance data and administrative functions into distinct, Web-based home pages for the domain, Oracle instances, middleware system components, and applications.

Note:

If you selected None when prompted for a domain while installing Oracle Internet Directory, Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager will not be available.

Oracle Internet Directory is a target type in Oracle Enterprise Manager Fusion Middleware Control. To use the interface to Oracle Internet Directory:

  1. Connect to Fusion Middleware Control.

    Note:

    Refer to the Oracle Identity Management Certification Information on the Oracle Technology Network web site for information about supported browsers for Oracle Directory Services Manager. You can access the Oracle Technology Network web site at: http://www.oracle.com/technology/index.html

    The URL is of the form:

    https://host:port/em
    
  2. In the left panel topology tree, expand the domain, then Fusion Middleware, then Identity and Access. Alternatively, from the domain home page, expand Fusion Middleware, then Identity and Access. Instances of Oracle Internet Directory are listed in both places. To view the full name of a component instance, move the mouse over the instance name.

  3. Select the Oracle Internet Directory component you want to manage.

  4. Use the Oracle Internet Directory menu to select tasks.

You can use the Oracle Internet Directory menu to navigate to other Fusion Middleware Control pages for Oracle Internet Directory, navigate to Oracle Directory Services Manager pages for Oracle Internet Directory, and perform other tasks, as described in Table 7-1.

Table 7-1 Using the Oracle Internet Directory Menu

Task                                                                Select
Return to Home page                                                 Home
View a performance summary                                          Monitoring, then Performance
Start, stop, or restart the Oracle Internet Directory component     Control, then Start Up, Shut Down, or Restart, respectively
View Oracle Internet Directory logs                                 Logs, then View Log Messages
View non-SSL and SSL port information                               Port Usage
Manage properties that are specific to this Oracle Internet         Administration, then Server Properties
Directory component
Manage properties that are shared by all Oracle Internet Directory  Administration, then Shared Properties
components that are connected to the same Oracle Database
Set up replication                                                  Administration, then Replication Management
Get tuning and sizing recommendations                               Administration, then Tuning and Sizing
Manage Oracle Internet Directory entries by using Oracle Directory  Directory Services Manager, then Data Browser
Services Manager
Manage the Oracle Internet Directory schema by using Oracle         Directory Services Manager, then Schema
Directory Services Manager
Manage Oracle Internet Directory security by using Oracle           Directory Services Manager, then Security
Directory Services Manager
Manage Oracle Internet Directory advanced features by using Oracle  Directory Services Manager, then Advanced
Directory Services Manager
Configure auditing for Oracle Internet Directory                    Security, then Audit Policy Settings
Create wallets for Oracle Internet Directory                        Security, then Wallets
View target name, software version, Oracle home, Oracle instance,   General Information
Oracle Enterprise Manager Fusion Middleware Control agent, and host


7.3 Using Oracle Directory Services Manager to Manage Oracle Internet Directory

Oracle Directory Services Manager is an interface for managing instances of Oracle Internet Directory and Oracle Virtual Directory. It is a replacement for Oracle Directory Manager, which is now deprecated. Oracle Directory Services Manager enables you to configure the structure of the directory, define objects in the directory, and add and configure users, groups, and other entries. ODSM is the interface you use to manage entries, schema, security, and other directory features.

You can also use ODSM to manage system configuration attributes, which can be useful if Fusion Middleware Control is not available or if you must modify an attribute that has no Fusion Middleware Control interface. See "Managing System Configuration Attributes by Using Oracle Directory Services Manager Data Browser" and "Managing Entries by Using Oracle Directory Services Manager".

This section contains the following topics:

7.3.1 Invoking Oracle Directory Services Manager

You can invoke Oracle Directory Services Manager directly or from Oracle Enterprise Manager Fusion Middleware Control.

Note:

Refer to the Oracle Identity Management Certification Information on the Oracle Technology Network web site for information about supported browsers for Oracle Directory Services Manager. You can access the Oracle Technology Network web site at: http://www.oracle.com/technology/index.html

  • To invoke Oracle Directory Services Manager directly, enter the following URL into your browser's address field:

    http://host:port/odsm
    

    In the URL to access Oracle Directory Services Manager, host is the name of the managed server where Oracle Directory Services Manager is running. port is the managed server port number from the WebLogic server. You can determine the exact port number by examining the $Fusion_Middleware_Home/Oracle_Identity_Management_domain/servers/wls_ods/data/nodemanager/wls_ods1.url file, where Fusion_Middleware_Home represents the root directory where Fusion Middleware is installed.

  • To invoke Oracle Directory Services Manager from Fusion Middleware Control, select Directory Services Manager from the Oracle Internet Directory menu in the Oracle Internet Directory target, then Data Browser, Schema, Security, or Advanced.

    Alternatively, select Directory Services Manager from the Oracle Virtual Directory menu in the Oracle Virtual Directory target, then Data Browser, Schema, Adapter, Extensions, or Quick configuration wizard.

    A new browser window, containing the ODSM Welcome screen, pops up.

7.3.2 Connecting to the Server from Oracle Directory Services Manager

When the ODSM Welcome screen appears, you can connect to either an Oracle Internet Directory server or an Oracle Virtual Directory server.

This section contains the following topics:

Note:

  • The user name of the superuser used to log in to Oracle Directory Services Manager must consist of ASCII characters only. You cannot log in to Oracle Directory Services Manager using a user name that contains non-ASCII characters.

  • After you have logged into ODSM, you can connect to multiple directory instances from the same browser window.

  • Avoid using multiple windows of the same browser program to connect to different directories at the same time. Doing so can cause a Target unreachable error.

  • You can log in to the same ODSM instance from different browser programs, such as Internet Explorer and Firefox, and connect each to a different directory instance.

  • If you change the browser language setting, you must update the session in order to use the new setting. To update the session, either reenter the ODSM URL in the URL field and press Enter or quit and restart the browser.

7.3.2.1 Logging in to the Directory Server from Oracle Directory Services Manager

You log in to a directory server's non-SSL port from Oracle Directory Services Manager as follows:

  1. Click the small arrow to the right of the label Click to connect to a directory. It opens a dialog box containing three sections:

    • Live Connections: current connections that you can return to.

    • Disconnected Connections: a list of directory servers you have connected to and then disconnected from. Oracle Directory Services Manager saves information about connections that you've used previously and lists them, by optional Name or by server, so that you can select them again.

    • New Connections: used to initiate a new connection.

  2. To reconnect to a live connection, click it.

    To select a disconnected connection, click the entry. You see a short version of the Login Dialog with most fields filled in. To remove a selection from the list, select it and then select Delete.

    To initiate a connection to a new directory server, click Create a New Connection or type Ctrl+N. The New Connection Dialog appears.

  3. Select OID or OVD.

  4. Optionally, enter an alias name to identify this entry on the Disconnected Connections list.

  5. Enter the server and non-SSL port for the Oracle Internet Directory or Oracle Virtual Directory instance you want to manage.

  6. Deselect SSL Enabled.

  7. Enter the user (usually cn=orcladmin) and password.

  8. Select the Start Page you want to go to after logging in.

  9. Click Connect.

After you have logged in to an Oracle Internet Directory or Oracle Virtual Directory server, you can use the navigation tabs to select other pages.

The Oracle Directory Services Manager home pages for Oracle Internet Directory and Oracle Virtual Directory list version information about Oracle Directory Services Manager itself, as well as the directory and database. They also list directory statistics.

7.3.2.2 Logging Into the Directory Server from Oracle Directory Services Manager Using SSL

If you are unfamiliar with SSL authentication modes, see "SSL Authentication Modes".

When you log in to the server's SSL port, you follow the procedure in "Logging in to the Directory Server from Oracle Directory Services Manager", except that you specify the SSL port in Step 5 and do not deselect SSL Enabled in Step 6. After you click Connect in Step 9, you might be presented with a certificate, depending on the type of SSL authentication.

7.3.2.2.1 SSL No Authentication

If the directory server is using SSL No Authentication mode (the default), you are not presented with a certificate. SSL No Authentication provides data confidentiality and integrity only; it provides no authentication using X.509 certificates.

7.3.2.2.2 SSL Server Only Authentication

If the directory server is using SSL Server Authentication Only Mode, when you click Connect in Step 9, you are presented with the server's certificate. After manually verifying the authenticity of the server certificate, you can accept the certificate permanently, accept the certificate for the current session only, or reject the certificate. If you accept the certificate permanently, the certificate is stored in ODSM's Java KeyStore (JKS). From then on, you are not prompted to accept the certificate when you connect to that server. If you accept the certificate only for the current session, you are prompted to accept or reject the certificate every time you connect to the server. If you reject the certificate, ODSM closes the connection to the server.

See Also:

"ODSM's Key Store".

7.3.2.2.3 SSL Client and Server Authentication

If the server is using SSL Client and Server Authentication Mode, when you click Connect in Step 9, you are presented with a certificate. Follow the instructions in "SSL Server Only Authentication".

After ODSM accepts the server's certificate, ODSM sends its own certificate to the server for authentication. The server accepts ODSM's certificate if that certificate is present in its trusted list of certificates.

If the DN of ODSM's certificate is present in the server, you do not need to provide the username and password in the connection dialog.

If the DN of ODSM's certificate is not present in the server, you must provide the user name and password.

ODSM's certificate is a self-signed certificate. You must use the keytool command to assign a CA-signed certificate to ODSM. See Appendix O, "Oracle Directory Services Manager Keystore Management."

7.3.3 Configuring Oracle HTTP Server to Support Oracle Directory Services Manager in an Oracle WebLogic Server Cluster

Perform the following steps to configure Oracle HTTP Server to route Oracle Directory Services Manager requests to multiple Oracle WebLogic Servers in a clustered Oracle WebLogic Server environment:

  1. Create a backup copy of the Oracle HTTP Server's httpd.conf file. The backup copy provides a source to revert to if you encounter problems after performing this procedure.

  2. Add the following text to the end of the Oracle HTTP Server's httpd.conf file and replace the variable placeholder values with the host names and managed server port numbers specific to your environment. Be sure to use the <Location /odsm/ > as the first line in the entry. Using <Location /odsm/faces > or <Location /odsm/faces/odsm.jspx > can distort the appearance of the Oracle Directory Services Manager interface.

    <Location /odsm/ >
    SetHandler weblogic-handler
    WebLogicCluster host-name-1:managed-server-port,host-name-2:managed-server-port
    </Location>
    
  3. Stop, then start the Oracle HTTP Server to activate the configuration change.

Note:

Oracle Directory Services Manager loses its connection and displays a session time-out message if the Oracle WebLogic Server in the cluster that it is connected to fails. Oracle Directory Services Manager requests are routed to the secondary Oracle WebLogic Server in the cluster that you identified in the httpd.conf file after you log back in to Oracle Directory Services Manager.

7.4 Using Command-Line Utilities to Manage Oracle Internet Directory

To use most Oracle Internet Directory command-line utilities and Database client utilities like sqlplus, you must set the following environment variables:

  • ORACLE_HOME - The location of non-writable files in your Oracle Identity Management installation.

  • ORACLE_INSTANCE - The location of writable files in your Oracle Identity Management installation.

  • TNS_ADMIN - The directory where the database connect string is defined in the tnsnames.ora file. By default it is the $ORACLE_INSTANCE/config directory. The database connect alias as defined in tnsnames.ora is OIDDB by default.

  • NLS_LANG (APPROPRIATE_LANGUAGE.AL32UTF8) - The default language set at installation is AMERICAN_AMERICA.

  • PATH - The following directory locations should be added to your PATH:

    $ORACLE_HOME/bin

    $ORACLE_HOME/ldap/bin

    $ORACLE_INSTANCE/bin

Many of the activities that you can perform at the command line can also be performed in Oracle Enterprise Manager Fusion Middleware Control or Oracle Directory Services Manager. A few functions are only available from the command line.

7.4.1 Using Standard LDAP Utilities

Oracle Internet Directory supports the standard LDAP command-line utilities ldapadd, ldapaddmt, ldapbind, ldapcompare, ldapdelete, ldapmoddn, ldapmodify, ldapmodifymt, and ldapsearch. For example:

ldapbind -D "cn=orcladmin" -q -h "myserver.example.com" -p 3060

ldapsearch -b "cn=subschemasubentry" -s base "objectclass=*" -p 3060 \
     -D "cn=orcladmin" -q

This book contains many examples of LDAP tool use.

See Also:

The chapter "Oracle Internet Directory Data Management Tools" in Oracle Fusion Middleware User Reference for Oracle Identity Management for a detailed description of each tool.

For security reasons, avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen and might appear in log files or in the output from the ps command. When you supply a password at a prompt, it is not visible on the screen, in ps output, or in log files. Use the -q option (prompt for the bind password) instead of -w password, and the -Q option (prompt for the wallet password) instead of -P password.

The LDAP tools have been modified to disable the options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE or 1. Use this feature whenever possible.
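As an added example that is not part of the Oracle documentation, the following POSIX shell functions audit LDAP tool invocations for a password passed as an argument, rewrite them to the prompt-only -q/-Q form recommended above, and refuse to run a -w/-P command when LDAP_PASSWORD_PROMPTONLY is set. The function names and the sample script lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. The helper names
# and the sample script contents below are constructed.

# Returns 0 (true) when the argument list carries a password on the
# command line via -w (bind password) or -P (wallet password).
has_cleartext_password() {
    for arg in "$@"; do
        case "$arg" in
            -w|-P) return 0 ;;
        esac
    done
    return 1
}

# Prints the same command with "-w <password>" replaced by -q and
# "-P <password>" replaced by -Q, so the tool prompts instead.
# The password value itself is dropped and never echoed.
harden_ldap_cmd() {
    skip=0
    out=""
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then
            skip=0
            continue
        fi
        case "$arg" in
            -w) out="$out -q"; skip=1 ;;
            -P) out="$out -Q"; skip=1 ;;
            *)  out="$out $arg" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Prints, with line numbers, every line of FILE that invokes one of the
# standard LDAP utilities with -w or -P; exits 1 when nothing matches.
audit_script() {
    grep -nE '^[[:space:]]*ldap(add|addmt|bind|compare|delete|moddn|modify|modifymt|search)[[:space:]].*[[:space:]]-(w|P)[[:space:]]' "$1"
}

# Mirrors the LDAP_PASSWORD_PROMPTONLY behaviour described in the text:
# when it is TRUE or 1, a command still carrying -w/-P is refused;
# otherwise the hardened command line is printed.
run_ldap_tool() {
    case "${LDAP_PASSWORD_PROMPTONLY:-}" in
        TRUE|1)
            if has_cleartext_password "$@"; then
                echo "refused: -w/-P disabled by LDAP_PASSWORD_PROMPTONLY" >&2
                return 2
            fi ;;
    esac
    harden_ldap_cmd "$@"
}

# Constructed sample script: one bind with the password on the command
# line (flagged by the audit) and one that already prompts with -q.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ldapbind -D "cn=orcladmin" -w welcome1 -h myserver.example.com -p 3060
ldapsearch -b "" -s base "objectclass=*" -p 3060 -D "cn=orcladmin" -q
EOF
audit_script "$sample"
harden_ldap_cmd ldapbind -D "cn=orcladmin" -w welcome1 -h myserver.example.com -p 3060
rm -f "$sample"
```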

See Also:

"Using Passwords with Command-Line Tools" in Oracle Fusion Middleware User Reference for Oracle Identity Management.

7.4.2 Using Bulk Tools

Oracle Internet Directory provides several tools to help you manage large numbers of entries. See Chapter 14, "Performing Bulk Operations."

See Also:

The chapter "Oracle Internet Directory Data Management Tools" in Oracle Fusion Middleware User Reference for Oracle Identity Management for a detailed description of each tool.

7.4.3 Using WLST

The Oracle WebLogic Scripting Tool (WLST) is a Jython-based command-line scripting environment that you can use to manage and monitor WebLogic Server domains. To use it to manage and monitor Oracle Internet Directory, you must navigate to the custom MBean tree where Oracle Internet Directory is located. Then you can list, get values, and change values of the managed beans (MBeans) that represent Oracle Internet Directory resources. See "Managing System Configuration Attributes by Using WLST" and "Configuring SSL by Using WLST".

7.5 Basic Tasks for Configuring and Managing Oracle Internet Directory

The following provides a summary of the steps you must take to configure and manage a basic Oracle Internet Directory environment:

  1. Start and stop the LDAP server. See Chapter 8.

  2. Manage system configuration attributes. See Chapter 9.

  3. Manage directory entries. See Chapter 13.

  4. Manage directory schema. See Chapter 19.

  5. Configure auditing. See Chapter 21.

  6. Manage log files. See Chapter 22.

  7. Configure SSL. See Chapter 25.

  8. Configure password policies. See Chapter 27.

  9. Configure access control. See Chapter 28.

  10. Get sizing and tuning recommendations for Oracle Internet Directory deployments. See "Obtaining Recommendations by Using the Tuning and Sizing Wizard".

  11. Set up replication. See Chapter 37 and Appendix C.

  12. Convert an Advanced Replication-based replication agreement to an LDAP-based replication agreement. See "Converting an Oracle Database Advanced Replication-Based Agreement to an LDAP-Based Agreement by Using remtool".

  13. Modify an existing replication setup. See Chapter 40.

This guide describes other tasks that you might need to perform, depending on your Oracle Fusion Middleware environment.