Skip Navigation Links | |
Exit Print View | |
Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
1. Starting and Stopping the Server
2. Configuring the Server Instance
3. Configuring the Proxy Components
4. Configuring Security Between Clients and Servers
5. Configuring Security Between the Proxy and the Data Source
6. Managing Oracle Unified Directory With Oracle Directory Services Manager
10. Managing Users and Groups With dsconfig
Managing Root User, Global Administrator, and Administrator Accounts
Working With Multiple Root Users
Root Users and the Privilege Subsystem
Managing Root Users With dsconfig
To View the Default Root User Privileges
To Edit the Default Root User Privileges
To Change a Root User's Password
To Change a Root User's Privileges
Setting Root User Resource Limits
Managing Global Administrators
To Create an Administrator with Root User Privileges
To Change the Directory Manager's Password
To Reset and Generate a New Password for a User
Managing a User's Account Information
To View a User's Account Information
To View Account Status Information
Setting Resource Limits on a User Account
To Set Resource Limits on an Account
To Create a Static Group With groupOfNames
To Create a Static Group With groupOfUniqueNames
To Create a Static Group With groupOfEntries
To List All Members of a Static Group
To List All Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Group
To List All Members of a Dynamic Group
To List All Dynamic Groups of Which a User Is a Member
To Determine Whether a User Is a Member of a Dynamic Group
Defining Virtual Static Groups
To Create a Virtual Static Group
To List All Members of a Virtual Static Group
To List All Virtual-Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Virtual Static Group
Maintaining Referential Integrity
Overview of the Referential Integrity Plug-In
To Enable the Referential Integrity Plug-In
Simulating ODSEE Roles in an Oracle Unified Directory Server
11. Managing Password Policies
Oracle Directory Server Enterprise Edition (ODSEE) includes a roles subsystem that is used to provide a specialized type of grouping mechanism. This capability is not included directly in Oracle Unified Directory, because it is based on non-standard functionality, uses Netscape-proprietary schema elements, and is not widely used in LDAP-enabled applications.
However, Oracle Unified Directory does provide all of the functionality offered by ODSEE roles, and this functionality is available for use with standard grouping mechanisms. If you have an application that was specifically written to rely on the roles functionality available in ODSEE and cannot work with standard grouping mechanisms, you can configure Oracle Unified Directory to simulate ODSEE roles to satisfy such applications.
Note - If your application needs to create and destroy role entries (for example, an entry containing one of the subordinates of the nsRoleDefinition object class), that functionality is currently not available in Oracle Unified Directory.
If the application needs only to determine whether a user is a member of a given role, it should only need to look at the nsRole attribute in the target user's entry to determine whether the DN of the appropriate role is present. In this case, you can simulate role functionality by following these steps.
After these steps are completed, the nsRole virtual attribute appears as an operational attribute in user entries, and should include the DNs of all groups in which that user is a member. Note that nsRole is an operational attribute, and must be explicitly requested for it to be returned in search results. You must also ensure that the authenticated user has permission to see that attribute.
This schema is provided in the LDIF file named 03-dsee-roles.ldif.
Make sure that the group has an appropriate set of members.
The nsRole attribute will include a list of the DNs of all groups in which the target user is a member. Use the dsconfig command to create the virtual attribute, as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \ create-virtual-attribute \ --type is-member-of --name nsRole --set attribute-type:nsRole --set enabled:true
Follow this procedure if the application you are using expects to be able to alter membership by placing the name of the corresponding role in the nsRoleDN virtual attribute in a user's entry.
After these steps are completed, any user entry that contains an nsRoleDN value of "cn=Test Role,ou=Roles,dc=example,dc=com" also has that DN present in the nsRole operational attribute.
For example, if the application is going to add an nsRoleDN value of "cn=Test Role,ou=Roles,dc=example,dc=com", add the following entry:
dn: cn=Test Role,ou=Roles,dc=example,dc=com objectClass: top objectClass: groupOfURLs cn: Test Role memberURL: ldap:///dc=example,dc=com??sub?(nsRoleDN=\ cn=Test Role,ou=Roles,dc=example,dc=com)