Skip Navigation Links | |
Exit Print View | |
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0) |
Part I Directory Server Administration
2. Directory Server Instances and Suffixes
3. Directory Server Configuration
Displaying the Configuration of Directory Server Instance
Modifying the Configuration Using DSCC
Modifying the Configuration From the Command Line
Configuring Administration Users
To Create an Administration User with Root Access
To Configure the Directory Manager
Protecting Configuration Information
Changing Directory Server Port Numbers
To Modify a Port Number, Enable a Port, and Disable a Port
Setting the Server as Read-Only
To Enable or Disable the Server Read-Only Mode
To Configure Heap Memory Threshold
Setting Resource Limits For Each Client Account
6. Directory Server Access Control
7. Directory Server Password Policy
8. Directory Server Backup and Restore
9. Directory Server Groups, Roles, and CoS
10. Directory Server Replication
13. Directory Server Attribute Value Uniqueness
15. Directory Server Monitoring
Part II Directory Proxy Server Administration
16. Directory Proxy Server Tools
17. Directory Proxy Server Instances
19. Directory Proxy Server Certificates
20. Directory Proxy Server Load Balancing and Client Affinity
21. Directory Proxy Server Distribution
22. Directory Proxy Server Virtualization
23. Virtual Data Transformations
24. Connections Between Directory Proxy Server and Back-End LDAP Servers
25. Connections Between Clients and Directory Proxy Server
26. Directory Proxy Server Client Authentication
27. Directory Proxy Server Logging
28. Directory Proxy Server Monitoring and Alerts
Part III Directory Service Control Center Administration
In addition to processing requests in the Lightweight Directory Access Protocol (LDAP), Directory Server also responds to requests sent in the Directory Service Markup Language version 2 (DSMLv2). DSML is another way for a client to encode directory operations. The server processes DSML as any other request, with all of the same access control and security features. DSML processing allows many other types of clients to access your directory contents.
Directory Server supports the use of DSMLv2 over the Hypertext Transfer Protocol (HTTP/1.1) and uses the Simple Object Access Protocol (SOAP) version 1.1 as a programming protocol to transport the DSML content. For more information about these protocols and for examples of DSML requests, see Chapter 13, Directory Server DSMLv2, in Oracle Directory Server Enterprise Edition Reference.
This section covers the following topics:
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dsconf set-server-prop -h host -p port dsml-enabled:on
$ dsconf set-server-prop -h host -p port dsml-secure-port:port
$ dsconf set-server-prop -h host -p port dsml-port:port
By default, this port is set to disabled
$ dsadm restart instance-path
Next Steps
According to the parameters and attribute values you defined, DSML clients may use the following URLs to send requests to this server:
http://host:DSML-port/relative-URL
https://host:secure-DSML-port/relative-URL
Note - The relative-URL can be read and set using the dsml-relative-root-url property.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dsconf set-server-prop -h host -p port dsml-enabled:off
$ dsconf set-server-prop -h host -p port dsml-secure-port:disabled
$ dsasm restart instance-path
You can configure the level of security that is required to accept DSML requests. To do this, you must configure DSML client authentication.
$ dsconf set-server-prop -h host -p port dsml-client-auth-mode:dsml-mode
By default the dsml-client-auth-mode property is set to client-cert-first.
dsml-mode can be one of:
http-basic-only - This is the default value. The server uses the contents of the HTTP Authorization header to find a user name that can be mapped to an entry in the directory. This process and its configuration are encrypted through SSL but do not use client certification. This is described in DSML Identity Mapping.
client-cert-only - The server uses credentials from the client certificate to identify the client. With this value, all DSML clients must use the secure HTTPS port to send DSML requests and provide a certificate. The server checks that the client certificate matches an entry in the directory. See Chapter 5, Directory Server Security for more information.
client-cert-first - The server will attempt to authenticate clients first with a client certificate if one is provided. Otherwise, the server will authenticate clients using the contents of the Authorization header.
If no certificate and no Authorization header is provided in the HTTP request, the server performs the DSML request with anonymous binding. Anonymous binding is also used in the following cases:
The client provides a valid Authorization header but no certificate when client-cert-only is specified.
The client provides a valid certificate but no Authorization header when http-basic-only is specified.
Regardless of the client authentication method, if a certificate is provided but it cannot be matched to an entry, or if the HTTP Authorization header is specified but cannot be mapped to a user entry, the DSML request is rejected with error message 403: “Forbidden”.
When performing basic authentication without a certificate, Directory Server uses a mechanism called identity mapping to determine the bind DN to use when accepting DSML requests. This mechanism extracts information from the Authorization header of the HTTP request to determine the identity to use for binding.
The default identity mapping for DSML/HTTP is given by the following entry in your server configuration.
dn: cn=default,cn=HTTP-BASIC,cn=identity mapping,cn=config objectClass: top objectClass: nsContainer objectClass: dsIdentityMapping cn: default dsSearchBaseDN: ou=people dsSearchFilter: (uid=${Authorization})
This configuration indicates that the server should use the HTTP user ID as the uid value for a DN stored in a Directory Server suffix. For example, if the HTTP user is bjensen, the server tries to execute the bind using the DN uid=bjensen,ou=people.
For the mapping to work properly you must therefore complete the value of dsSearchBaseDN. For example, you can change the value of dsSearchBaseDN to ou=people,dc=example,dc=com. Then if the HTTP user is bjensen, the server tries to execute the bind using the DN uid=bjensen,ou=people,dc=example,dc=com.
dn: cn=default,cn=HTTP-BASIC,cn=identity mapping,cn=config objectClass: top objectClass: nsContainer objectClass: dsIdentityMapping cn: default dsSearchBaseDN: ou=people,dc=example,dc=com dsSearchFilter: (uid=${Authorization})
Within the mapping entry attribute dsSearchFilter, you can use placeholders of the format ${header} where header is the name of an HTTP header.
The following are the most common headers used in DSML mappings.
This string is replaced with the user name contained in an HTTP Authorization header. An authorization header contains both a username and its password, but only the user name is substituted in this placeholder.
This string is replaced with the email address that might be contained in an HTTP From header.
This string is replaced with the hostname and port number in the URL of the DSML request, which are those of the server.
To have DSML requests perform a different kind of identity mapping, define a new identity mapping for HTTP headers.
The mapping entries must be located below the entry cn=HTTP-BASIC,cn=identity mapping,cn=config.
Use the ldapmodify command to add this entry from the command line, as described in Adding Entries Using ldapmodify.
Custom mappings are evaluated first. If no custom mapping is successful, the default mapping is evaluated. If all mappings fail to determine the bind DN for the DSML request, the DSML request is forbidden and rejected (error 403).