Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory
11g Release 1 (11.1.1)

Part Number E10029-03

37 Configuring Server Chaining

Directory server chaining is a new feature of Oracle Internet Directory, introduced at 10g (10.1.4.0.1). It was implemented using the new Java Plug-in framework.

This chapter contains the following topics:

Note:

All references to Oracle Single Sign-On in this chapter refer to Oracle Single Sign-On 10g (10.1.4.3.0) or later.

37.1 Introduction to Configuring Server Chaining

Server chaining enables you to map entries that reside in third party LDAP directories to part of the directory tree and access them through Oracle Internet Directory, without synchronization or data migration. With server chaining, you can use Oracle Internet Directory's authorization framework when identity data resides outside of Oracle Internet Directory. Server chaining is certified only with Enterprise User Security. No other Oracle applications can be used with server chaining.

Server chaining does not replace Oracle Directory Integration Platform. Rather, it offers complementary functionality to Oracle Directory Integration Platform.

Server chaining is different from a virtual directory. A virtual directory, such as Oracle Virtual Directory, is a flexible virtualization layer between multiple identity repositories and applications. It offers complementary services to identity synchronization and directory servers. With a virtual directory, organizations can create consolidated, logical or virtual views of data that may span multiple directories and databases.

Server chaining is a simpler, more flexible solution, embedded in the Oracle Internet Directory server, and particularly suited to Enterprise User Security customers. It is easy to administer and upgrade. It also provides Oracle Internet Directory's authorization framework without extra configuration steps.

As of 11g Release 1 (11.1.1), you can configure server chaining to use SSL.

37.1.1 Supported External Servers

Oracle Internet Directory server chaining supports the following external servers:

  • Microsoft Active Directory

  • Sun Java System Directory Server, formerly known as SunONE iPlanet

  • Oracle Directory Server Enterprise Edition

  • Novell eDirectory

An implementation of Oracle Internet Directory can connect with one Active Directory server, one Sun Java System Directory Server, one Novell eDirectory, or with all three.

Note:

Oracle Internet Directory server chaining does not support Active Directory Lightweight Directory Service (AD LDS), formerly known as ADAM.

37.1.2 Integrated Oracle Products

The following products have been integrated with Oracle Internet Directory server chaining:

  • Oracle Single Sign-On 10g (10.1.4.3.0) or later

  • Enterprise User Security

37.1.2.1 Oracle Single Sign-On

When server chaining is enabled, a user from the external directory can log in through Oracle Single Sign-On as if authenticated locally within Oracle Internet Directory, rather than the external repository.

37.1.2.2 Enterprise User Security

Oracle Internet Directory server chaining enables you to implement Enterprise User Security without synchronizing identity data with Oracle Internet Directory through Oracle Directory Integration Platform. Your identity data remains in the external repository and the Oracle Internet Directory data store contains only Enterprise User Security-related metadata.

With Sun Java System Directory Server as the external directory, server chaining supports password-based authentication with Enterprise User Security. For further details, see Note 802927.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.

With Active Directory as the external directory, server chaining supports Kerberos-based authentication and password-based authentication with Enterprise User Security. The external users can log in to Oracle Database after the Enterprise User Security authentication setup is completed. For further details, see "Configuring an Active Directory Plug-in for Password Change Notification", which is based on Note 452385.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.

See Also:

Oracle Database Enterprise User Security Administrator's Guide for more information on configuring Enterprise User Security for password authentication and Kerberos authentication.

37.1.3 Supported Operations

Server chaining supports the following operations:

  • Bind

  • Compare

  • Modify

  • Search

The compare, modify, and search operations can be enabled or disabled by setting configuration parameters.

When an Oracle Internet Directory client application issues an LDAP search request, Oracle Internet Directory integrates the search results from its own data and the external directories.

When an Oracle Internet Directory client application issues an LDAP bind, compare, or modify request, Oracle Internet Directory redirects the request to the external directory.

In 10g (10.1.4.0.1) and later, the compare operation is only supported for the userpassword attribute.

In 10g (10.1.4.0.1) and later, attribute modification is supported in two cases:

  • The external attribute has the same name as the Oracle Internet Directory attribute. This is true for most standard LDAP attributes.

  • The external attribute is mapped to an Oracle Internet Directory attribute, and neither the external nor the Oracle Internet Directory attribute is an operational attribute.

Note:

You cannot modify an Active Directory user password from Oracle Internet Directory through server chaining.

37.1.4 Server Chaining with Replication

If you use server chaining in a replication environment, set it up on all nodes so that the entries remain consistent across nodes. Configure server chaining so that the mapped external directories are the same for all the replicated nodes.

37.2 Configuring Server Chaining

Oracle Internet Directory is shipped with disabled sample server chaining entries.

For Active Directory, the DN for the server chaining entry is

cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry 

For Oracle Directory Server Enterprise Edition and Sun Java System Directory Server, the entry DN is

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry

For Novell eDirectory, the entry DN is

cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry 

You configure server chaining by customizing these entries for your environment and enabling them. You can do this either from the command line or by using Oracle Directory Services Manager.

This section contains the following topics:

37.2.1 Configuring Server Chaining by Using Oracle Directory Services Manager

Oracle Directory Services Manager provides a convenient interface for modifying the Oracle Internet Directory server chaining configuration entries. To configure server chaining by using Oracle Directory Services Manager, perform the following steps:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in "Invoking Oracle Directory Services Manager".

  2. From the task selection bar, select Advanced.

  3. Expand Server Chaining. Server Chaining entries appear in the left panel. Current entries include iPlanet (Oracle Directory Server Enterprise Edition and Sun Java System Directory Server) and Active Directory.

  4. To modify a server chaining configuration entry, select it. The Server Chaining Management tab appears in the right pane.

  5. Modify External Host Name, External Port Number, Login User DN, and Login User Password as necessary.

  6. To enable server chaining authentication, modification, or search, select the corresponding checkbox.

  7. Modify the other fields as necessary.

  8. After modifying an external user container, group container, or login credential, verify the value by clicking Verify User Container, Verify Group Container, or Verify Login Credential, respectively.

    If the verification fails, examine the values you entered for errors. If the problem persists, consult the external directory administrator to verify the accuracy of the values you entered.

  9. If you want to add an attribute mapping, click the Add attribute mappings to list icon under Attribute Mapping. To edit an existing mapping, select the mapping and click the Edit Attribute Mapping icon under Attribute Mapping. The New Attribute Mapping window appears. Enter the External Directory Attribute and the OID Attribute. To locate an Oracle Internet Directory attribute by browsing, click Select, then select the attribute in the Attribute Selection window.

  10. Click OK to create the mapping or click Cancel to abandon it.

  11. To delete a mapping, select the mapping and click the Delete selected attribute mapping icon. When the Delete Confirm dialog appears, click Delete to delete the mapping or Cancel to abandon deletion.

  12. Click OK to enable the configuration changes or click Cancel to abandon the changes.

37.2.2 Configuring Server Chaining from the Command Line

Perform the following steps to configure server chaining from the command line:

  1. Create an LDIF file to manually add the user and group containers. To determine the DNs for these containers, see the section Requirements for User and Group Containers. For example, if your user search base is cn=users,dc=us,dc=oracle,dc=com, and the group search base is cn=groups,dc=us,dc=oracle,dc=com, then you would use the following entries in your LDIF file:

    dn: cn=AD,cn=users,dc=us,dc=oracle,dc=com
    cn: AD
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
    cn: iPlanet
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
    cn: AD
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
    cn: iPlanet
    objectclass: orclcontainer
    objectclass: top
    
  2. Use ldapadd and the LDIF file you just created to add the entries.

    ldapadd -p port -h host -D "binddn" -q -v -f container_ldif_file_name
    
  3. Create another LDIF file to modify and enable the server chaining configuration entries. For example LDIF files, see "Active Directory Example" and "Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) Example". A table of attributes is provided in "Creating Server Chaining Configuration Entries". Attribute mapping is explained in Attribute Mapping.

  4. Modify the server chaining configuration entries using the ldapmodify command and the LDIF file you just created. Use a command line of the form:

    ldapmodify -p port -h host -D "cn=orcladmin" -q \
       -v -f entry_ldif_file_name
    

37.3 Creating Server Chaining Configuration Entries

This section contains the following topics:

37.3.1 Configuration Entry Attributes

Table 37-1 lists the configuration entry attributes for server chaining.

Table 37-1 Configuration Entry Attributes for Server Chaining

Attribute (Required): Description

orclOIDSCExtHost (Required: Yes)
  The host name of the external directory host. This is a single value attribute.

orclOIDSCExtPort (Required: Yes)
  The port number of the external directory host. This is a single value attribute. The default value is 3060.

orclOIDSCExtDN (Required: Yes)
  The DN in the external directory. Server chaining binds against the external directory using this identity to perform search and modify operations. This identity must have sufficient privilege to perform the operation. This is a single value attribute.

orclOIDSCExtPassword (Required: Yes)
  The password for the DN of the external directory. This is a single value attribute. Be sure to enable privacy mode to ensure that users cannot retrieve this attribute in clear text. See "Configuring Privacy of Retrieved Sensitive Attributes".

orclOIDSCExtUserContainer (Required: Yes)
  The user container in the external directory from which to perform the user search operation. This is a single value attribute.

orclOIDSCExtGroupContainer (Required: Yes)
  The group container in the external directory from which to perform the group search operation. This is a single value attribute.
  This attribute is optional if the external user container and the external group container are the same. In this case the group search operations are performed on the external user container.

orclOIDSCTargetUserContainer (Required: Yes)
  The user container in Oracle Internet Directory in which the external users reside. For more information, see "Requirements for User and Group Containers".

orclOIDSCTargetGroupContainer (Required: Yes)
  The group container in Oracle Internet Directory in which the external groups reside. For more information, see "Requirements for User and Group Containers".

orclOIDSCAttrMapping (Required: No)
  Specifies each attribute mapping between the external directory and Oracle Internet Directory. For example, to map the eMail attribute from Active Directory to the mail attribute in Oracle Internet Directory, set this attribute to:
  orclOIDSCAttrMapping;mail:eMail
  For more information, see "Attribute Mapping".

orclOIDSCExtSearchEnabled (Required: Yes)
  External search capability. 0 = disabled (default), 1 = enabled. This is a single value attribute.

orclOIDSCExtModifyEnabled (Required: Yes)
  External modify capability. 0 = disabled (default), 1 = enabled. This is a single value attribute.

orclOIDSCExtAuthEnabled (Required: Yes)
  External authentication capability. 0 = disabled (default), 1 = enabled. This is a single value attribute.

orclOIDSCSSLEnabled (Required: No)
  SSL connection to the external directory. 0 = disabled (default), 1 = enabled. This is a single value attribute. Required if SSL is enabled.

orclOIDSCExtSSLPort (Required: No)
  The SSL port number of the external directory host. This is a single value attribute.

orclOIDSCWalletLocation (Required: No)
  The filename and path of the wallet that contains the server certificate of the external directory. This is a single value attribute. Required if SSL is enabled.

orclOIDSCWalletPassword (Required: No)
  The wallet password. This is a single value attribute. Required if SSL is enabled.

mapUIDtoADAttribute (Required: No)
  Specifies the mapping of the OID attribute "uid" to an attribute in Active Directory. You can map "uid" to any non-binary attribute defined in Active Directory. The default value is "name". This is a single value attribute.

showExternalGroupEntries (Required: No)
  In a search against the group container: "base" - show entries with objectclass group (default), "sub" - show entries without objectclass "user" and "computer". This is a single value attribute. Applicable with Active Directory only.

showExternalUserEntries (Required: No)
  In a one level search with an entry one level below the user container as the base: "base" - do not show any entry (default), "sub" - show entries in the subtree below the base of the search. This is a single value attribute. Applicable with Active Directory only.

addOrcluserv2ToADUsers (Required: No)
  Add the "orcluserv2" objectclass to entries that have objectclass user. 0 = disabled (default), 1 = enabled. This is a single value attribute. Applicable with Active Directory only.
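The rules in Table 37-1 are easy to get wrong by hand, so the following Python script (an added example, not Oracle code) checks a configuration entry written in the listing format used in the examples later in this chapter: required attributes, 0/1 flags, valid ports, the attributes that become mandatory when SSL is enabled, the cn=AD/cn=iPlanet/cn=edir target containers, and the Active Directory-only attributes. The passing case is this chapter's Active Directory with SSL entry; the failing entry is constructed.

```python
"""Check a server chaining configuration entry against the rules of Table 37-1.
Added example, not Oracle code; the listing format is the one this chapter uses."""
from __future__ import annotations

# Attribute names are compared lower-cased (LDAP attribute names are case-insensitive).
REQUIRED = ("orcloidscexthost", "orcloidscextport", "orcloidscextdn", "orcloidscextpassword",
            "orcloidscextusercontainer", "orcloidsctargetusercontainer",
            "orcloidsctargetgroupcontainer", "orcloidscextsearchenabled",
            "orcloidscextmodifyenabled", "orcloidscextauthenabled")
# orclOIDSCExtGroupContainer is not listed: it may be omitted when it equals the user container.
SSL_REQUIRED = ("orcloidscextsslport", "orcloidscwalletlocation", "orcloidscwalletpassword")
FLAGS = ("orcloidscextsearchenabled", "orcloidscextmodifyenabled",
         "orcloidscextauthenabled", "orcloidscsslenabled")
AD_ONLY = ("mapuidtoadattribute", "showexternalgroupentries",
           "showexternaluserentries", "addorcluserv2toadusers")
# Expected first RDN of the target containers for each sample entry (section 37.3.2).
TARGET_RDN = {"oidscad": "cn=ad", "oidsciplanet": "cn=iplanet", "oidscedir": "cn=edir"}


def parse_entry(text: str) -> tuple[str, dict[str, list[str]]]:
    """First non-blank line is the entry DN, the rest are 'attr: value' lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    dn = lines[0][3:] if lines[0].lower().startswith("dn:") else lines[0]
    attrs: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return dn.strip().lower(), attrs


def validate(text: str) -> list[str]:
    """Return the list of problems found; an empty list means the entry passes."""
    dn, attrs = parse_entry(text)
    problems: list[str] = []
    entry = dn.split(",")[0].strip().partition("=")[2]        # e.g. "oidscad"
    get = lambda name: attrs.get(name, [None])[0]
    for name, vals in attrs.items():
        if len(vals) > 1 and not name.startswith("orcloidscattrmapping"):
            problems.append(f"{name} must be single valued")
    for name in REQUIRED:
        if name not in attrs:
            problems.append(f"missing required attribute {name}")
    for name in FLAGS:
        if get(name) not in (None, "0", "1"):
            problems.append(f"{name} must be 0 or 1, not {get(name)!r}")
    for name in ("orcloidscextport", "orcloidscextsslport"):
        val = get(name)
        if val is not None and not (val.isdigit() and 0 < int(val) < 65536):
            problems.append(f"{name} is not a valid TCP port: {val!r}")
    if get("orcloidscsslenabled") == "1":
        problems += [f"SSL is enabled but {n} is missing" for n in SSL_REQUIRED if n not in attrs]
    rdn = TARGET_RDN.get(entry)
    for name in ("orcloidsctargetusercontainer", "orcloidsctargetgroupcontainer"):
        val = get(name)
        if rdn and val is not None and not val.lower().startswith(rdn + ","):
            problems.append(f"{name} should be a {rdn} container under the OID search base")
    if entry != "oidscad":
        problems += [f"{n} applies to Active Directory only" for n in AD_ONLY if n in attrs]
    return problems


# The Active Directory with SSL entry from this chapter (password masked as printed).
AD_SSL_ENTRY = """\
cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: ad.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /adwallet/ewallet.p12
orclOIDSCWalletPassword: ********
"""

# Constructed iPlanet entry with deliberate mistakes: orclOIDSCExtAuthEnabled missing, a
# non-0/1 flag, SSL on without wallet attributes and with an impossible port, a cn=AD
# target container, and an Active Directory-only attribute.
BAD_ENTRY = """\
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=example,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=example,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: yes
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 70636
showExternalGroupEntries: sub
"""
```

Run `validate()` on the output of an ldapsearch against the configuration entry before enabling it; every returned string is one rule from the table that the entry breaks.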


37.3.2 Requirements for User and Group Containers

The target user and group containers must be under the Oracle Internet Directory search base in order to work with Oracle Single Sign-On. Use the container names cn=AD for Active Directory and cn=iPlanet for Oracle Directory Server Enterprise Edition or Sun Java System Directory Server (iPlanet). For example, if your user search base is:

cn=users,dc=us,dc=oracle,dc=com

you would use

cn=AD,cn=users,dc=us,dc=oracle,dc=com

as the target user container for the Active Directory users or

cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com

as the target user container for the Sun Java System Directory Server users. Similarly, if your group search base is:

cn=groups,dc=us,dc=oracle,dc=com

you would use

cn=AD,cn=groups,dc=us,dc=oracle,dc=com

as the target container for the Active Directory groups or

cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com

as the target container for the Oracle Directory Server Enterprise Edition or Sun Java System Directory Server groups.

The target user and group containers exist only for the external directories. All the users and groups that appear under these nodes are populated by the external directories. Do not add entries under these containers directly from Oracle Internet Directory.

37.3.3 Attribute Mapping

If an attribute in an external directory and an Oracle Internet Directory attribute are the same, then no mapping is required. Server chaining performs some attribute mapping by default. The default mapping list is as follows:

Table 37-2 Default Attribute Mapping to Active Directory

Oracle Internet Directory Attribute    Active Directory Attribute
orclguid                               objectGUID
uid                                    name
orclsamaccountname                     samaccountname
krbprincipalname                       userprincipalname


For Active Directory server chaining, you can use the mapUIDtoADAttribute attribute to map uid to any non-binary attributes defined in Active Directory.

Table 37-3 Default Attribute Mapping to Sun Java System Directory Server

Oracle Internet Directory Attribute    Sun Java System Directory Server Attribute
orclguid                               nsuniqueid
authpassword                           userpassword
krbprincipalname                       mail


Table 37-4 Default Attribute Mapping to Novell eDirectory

Oracle Internet Directory Attribute    Novell eDirectory Attribute
orclguid                               guid
orclsamaccountname                     uid
krbprincipalname                       mail


The following objects cannot be mapped:

  • Operational attributes

  • Object classes

  • Oracle Internet Directory-specific attributes. These attributes typically have names starting with orcl.
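To make the mapping rules above concrete, the following Python example (added here, not Oracle's code) builds the effective Oracle Internet Directory-to-external attribute map from the default tables plus orclOIDSCAttrMapping lines, honours mapUIDtoADAttribute for Active Directory, rejects the three kinds of unmappable name, and rewrites a search filter in one direction and a returned entry in the other. The set of operational attributes and the sample configuration lines are constructed assumptions.

```python
"""Resolve attribute names between Oracle Internet Directory (OID) and an external
directory the way server chaining's attribute mapping describes. Added example, not
Oracle's code: the defaults come from Tables 37-2 to 37-4; OPERATIONAL is an assumption."""
from __future__ import annotations
import re

# Default mappings, OID attribute -> external attribute (Tables 37-2, 37-3, 37-4).
DEFAULT_MAPPINGS = {
    "ad": {"orclguid": "objectGUID", "uid": "name",
           "orclsamaccountname": "samaccountname", "krbprincipalname": "userprincipalname"},
    "iplanet": {"orclguid": "nsuniqueid", "authpassword": "userpassword",
                "krbprincipalname": "mail"},
    "edir": {"orclguid": "guid", "orclsamaccountname": "uid", "krbprincipalname": "mail"},
}
# Assumed: a few standard LDAP operational attributes (RFC 4512); the chapter says
# operational attributes cannot be mapped but does not enumerate them.
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname", "modifiersname"}


def check_mappable(oid_attr: str) -> None:
    """Reject the three kinds of name the chapter says cannot be mapped."""
    name = oid_attr.lower()
    if name == "objectclass":
        raise ValueError("object classes cannot be mapped")
    if name in OPERATIONAL:
        raise ValueError(f"operational attribute {oid_attr} cannot be mapped")
    if name.startswith("orcl"):
        raise ValueError(f"OID-specific attribute {oid_attr} cannot be mapped")


def load_mappings(server: str, config_lines, map_uid_to: str | None = None) -> dict[str, str]:
    """Build the OID->external map: the defaults for the server type, then every
    'orclOIDSCAttrMapping;<oid_attr>: <ext_attr>' line of the configuration entry.
    map_uid_to models mapUIDtoADAttribute, which is honoured for Active Directory only."""
    mapping = dict(DEFAULT_MAPPINGS[server])
    if map_uid_to is not None and server == "ad":
        mapping["uid"] = map_uid_to
    for line in config_lines:
        name, _, ext_attr = line.partition(":")
        base, _, oid_attr = name.strip().partition(";")
        if base.lower() != "orcloidscattrmapping" or not oid_attr:
            continue                      # some other attribute of the entry
        check_mappable(oid_attr)
        mapping[oid_attr.lower()] = ext_attr.strip()
    return mapping


def mapping_error(server: str, line: str) -> str | None:
    """Why a single mapping line is rejected, or None when it is accepted."""
    try:
        load_mappings(server, [line])
    except ValueError as exc:
        return str(exc)
    return None


def to_external(mapping: dict[str, str], oid_attr: str) -> str:
    """Name to use when the request is redirected to the external directory."""
    return mapping.get(oid_attr.lower(), oid_attr)


def to_oid(mapping: dict[str, str], ext_attr: str) -> str:
    """Reverse direction, for merging external search results into OID's own."""
    for oid_attr, ext in mapping.items():
        if ext.lower() == ext_attr.lower():
            return oid_attr
    return ext_attr


# Attribute name at the start of a filter item, e.g. "(mail=" or "(uidNumber>=".
_FILTER_ATTR = re.compile(r"\(([A-Za-z][\w.;-]*)(>=|<=|~=|=)")


def translate_filter(mapping: dict[str, str], ldap_filter: str) -> str:
    """Rewrite the attribute names in an LDAP search filter for the external directory."""
    return _FILTER_ATTR.sub(
        lambda m: f"({to_external(mapping, m.group(1))}{m.group(2)}", ldap_filter)


def translate_result(mapping: dict[str, str], ext_entry: dict[str, str]) -> dict[str, str]:
    """Rename the attributes of an entry returned by the external directory to OID names."""
    return {to_oid(mapping, k): v for k, v in ext_entry.items()}


# Constructed configuration lines: the mapping from Table 37-1 plus the one in the
# Active Directory example, with one unrelated attribute to show it is skipped.
AD_CONFIG = ["orclOIDSCAttrMapping;mail: eMail",
             "orclOIDSCAttrMapping;description: title",
             "orclOIDSCExtHost: dlin-pc9.us.example.com"]
```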

37.3.4 Active Directory Example

The following example shows server chaining configured to use the Active Directory server dlin-pc9.us.example.com, port 3060, as its external directory store. The SSL capability has been enabled. All the attributes are explained in Table 37-1.

cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc9.us.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCAttrMapping;description: title
orcloidscsslenabled: 0

The following example is the LDIF file used to modify the configuration entry:

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=administrator,cn=users,dc=oidvd,dc=com
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc9.us.example.com
-
replace: orcloidscextport
orcloidscextport: 3060
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: cn=users,dc=oidvd,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: cn=users,dc=oidvd,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
-
replace: orcloidscsslenabled
orcloidscsslenabled:1

37.3.5 Active Directory with SSL Example

The following example shows server chaining configured to use the Active Directory server ad.example.com, SSL port 3133, and the wallet located at /adwallet/ewallet.p12.

cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: ad.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /adwallet/ewallet.p12
orclOIDSCWalletPassword: ********

Perform the following steps to configure server chaining with SSL from the command line:

  1. Configure Active Directory server chaining without SSL, as described in the previous section.

  2. Create an LDIF file like the following to enable SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Active Directory server:

    dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry 
    changetype: modify 
    replace: orcloidscsslenabled 
    orcloidscsslenabled:1 
    - 
    replace: orcloidscextsslport 
    orcloidscextsslport: 3133 
    - 
    replace: orcloidscwalletlocation 
    orcloidscwalletlocation: /adwallet/ewallet.p12 
    - 
    replace: orcloidscwalletpassword 
    orcloidscwalletpassword: passw0rd
    
  3. To apply the changes, use a command line such as

    ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name
    

37.3.6 Active Directory with New Attributes Example

The attributes mapUIDtoADAttribute, showExternalGroupEntries, showExternalUserEntries, and addOrcluserv2ToADUsers have been added since Oracle Internet Directory 10g (10.1.4.0.1). To add these attributes to an existing Active Directory server chaining entry, modify the following LDIF file with the appropriate values:

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry 
changetype: modify 
replace: mapUIDtoADAttribute
mapUIDtoADAttribute: name
-
replace: showExternalGroupEntries
showExternalGroupEntries: base
-
replace: showExternalUserEntries
showExternalUserEntries: base
-
replace: addOrcluserv2ToADUsers
addOrcluserv2ToADUsers: 0

Use a command line such as

ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name

to modify the configuration entry.

37.3.7 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) Example

The following example shows server chaining configured to use the Sun Java System Directory Server dlin-pc10.us.example.com, port 10389, as its external directory store. All the attributes are explained in Table 37-1.

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc10.us.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled:0

The following example is the LDIF file used to modify the configuration entry:

dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=directory manager
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc10.us.example.com
-
replace: orcloidscextport
orcloidscextport: 10389
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=iplanet,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=iplanet,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: ou=people,dc=example,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: ou=groups,dc=example,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1

37.3.8 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) with SSL Example

The following example shows server chaining configured to use the Sun Java System Directory Server sunone.example.com, SSL port 10636, and the wallet located at /ipwallet/ewallet.p12.

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636 
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********

Perform the following steps to configure server chaining with SSL from the command line:

  1. Configure server chaining without SSL, as described in the previous section.

  2. Create the following LDIF file to enable SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Oracle Directory Server Enterprise Edition/Sun Java System Directory Server.

    dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
    changetype: modify
    replace: orcloidscsslenabled
    orcloidscsslenabled:1
    -
    replace: orcloidscextsslport
    orcloidscextsslport: 10636 
    -
    replace: orcloidscwalletlocation
    orcloidscwalletlocation: /ipwallet/ewallet.p12
    -
    replace: orcloidscwalletpassword
    orcloidscwalletpassword: passw0rd
    
  3. Execute a command such as

    ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name
    

    to modify the configuration entry.

37.3.9 eDirectory Example

A sample eDirectory configuration looks like this:

cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled:0 

37.3.10 eDirectory with SSL Example

A sample eDirectory configuration with SSL looks like this:

cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /edir/ewallet.p12
orclOIDSCWalletPassword: ******** 

37.4 Debugging Server Chaining

To debug server chaining, perform the following steps:

  1. Set the Oracle Internet Directory server debug logging level, as described in "Managing Logging by Using Fusion Middleware Control" or "Managing Logging from the Command Line". Use the logging level value 402653184. This value enables logging of all messages related to the Java plug-in framework.

  2. Modify the Oracle Internet Directory server chaining debugging settings. For both cn=oidscad,cn=oid server chaining,cn=subconfigsubentry and cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry, set the attribute orcloidscDebugEnabled to 1.

    For example, to set orcloidscDebugEnabled to 1 in cn=oidscad,cn=oid server chaining,cn=subconfigsubentry, you would type:

    $ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
    

    where file contains:

    dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry 
    changetype: modify
    replace: orcloidscDebugEnabled
    orcloidscDebugEnabled: 1
    

    See Also:

    The Java Plug-in Debugging and Logging section in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management.

37.5 Configuring an Active Directory Plug-in for Password Change Notification

When you use Enterprise User Security (EUS) with Server Chaining, a hash password is required in order to authenticate users. This section describes how to install a plug-in in the Microsoft Active Directory (AD) server so that this hash password is available to users accessed through Oracle Internet Directory. Customers planning to configure Enterprise User Security (EUS) to work with users accessed through Server Chaining must configure this feature.

The steps are as follows:

  1. In Active Directory, create an attribute called orclCommonAttribute to store the hash password. Use a command line such as:

    ldapadd -p AD_Port -h AD_host -D "AD_administrator_DN" -w AD_administrator_password -v -f orclca.ldif
    

    Use an orclca.ldif file similar to the following example. Replace DC=bill,DC=com with the actual Active Directory domain name and choose an appropriate attributeID.

    dn: cn=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
    objectClass: top
    objectClass: attributeSchema
    cn: orclcommonattribute
    distinguishedName: CN=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
    instanceType: 4
    uSNCreated: 16632
    attributeID: 1.9.9.9.9.9.9.9.9
    attributeSyntax: 2.5.5.3
    isSingleValued: TRUE
    uSNChanged: 16632
    showInAdvancedViewOnly: TRUE
    adminDisplayName: orclCommonAttribute
    oMSyntax: 27
    lDAPDisplayName: orclCommonAttribute
    name: orclcommonattribute
    objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=bill,DC=com
    
  2. Associate the attribute with the user objectclass. Use a command line such as:

    ldapadd -p AD_Port -h AD_host -D "AD_administrator_DN" -w AD_administrator_password -v -f user.ldif
    

    In the following file, user.ldif, replace DC=bill,DC=com with the actual Active Directory domain name.

    dn: CN=User,CN=Schema,CN=Configuration,DC=bill,DC=com
    changetype: modify
    add: mayContain
    mayContain: orclCommonAttribute
    

    It might take Active Directory a few minutes to refresh the schema.

  3. Install the password change notification plug-in, as follows:

    1. Copy %ORACLE_HOME%\ldap\admin\oidpwdcn.dll to the Active Directory WINDOWS\system32 folder.

    2. Use regedt32 to modify the registry. In the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, add oidpwdcn to the end. It should look like the following:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    3. Restart Active Directory.

    4. Verify that the plug-in is installed properly by resetting the password of a user. The orclCommonAttribute should contain the hash password value.

  4. Reset the password for all the Active Directory users so that the password verifier is present for all the users.