Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory
11g Release 1 (11.1.1)
E10046-06

19 Configuring Oracle Virtual Directory for Integrated Directory Solutions

This chapter explains how to configure Oracle Virtual Directory for integration with commonly used directory and identity management technologies and contains the following topics:


Note:

You can use Oracle Virtual Directory with most LDAP-enabled technologies. The information in this chapter highlights Oracle Virtual Directory features and capabilities that simplify common integrations.

Contact your Oracle support representative for assistance with other Oracle Virtual Directory integrations.


19.1 Configuring Oracle Virtual Directory for Oracle Access Manager

Perform the following steps to configure Oracle Virtual Directory for integration with Oracle Access Manager (OAM) using Oracle Directory Services Manager's Setup for Oracle Access Manager Quick Config Wizard. The Setup for Oracle Access Manager Quick Config Wizard walks you through the steps to create the required Local Store Adapter and also the appropriate adapter type, either LDAP, Database, or Custom, for the data repository that Oracle Access Manager uses.

  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Quick Config Wizards entry in the Advanced tree.

  4. Click Setup for Oracle Access Manager in the tree. The Setup for Oracle Access Manager screen appears.

  5. Enter the namespace for the Local Store Adapter in DN format in the Namespace used for creating Local Store Adapter (LSA) field and click Apply. The Adapters screen appears.

  6. Create an adapter for the data repository that Oracle Access Manager uses. Perform one of the following procedures that is appropriate for the data repository that Oracle Access Manager uses:

    To create an LDAP Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM LDAP Adapter button. The Preparing OVD for OAM - Create LDAP Adapter dialog box appears.

    2. Enter a unique name for the LDAP Adapter in the Adapter Name field. Select the appropriate template for the LDAP Adapter by choosing an option from the Adapter Template list. Choose Default if you are not integrating with Microsoft Active Directory or Oracle Directory Server Enterprise Edition (formerly Sun Java System Directory Server). Refer to "Understanding Adapter Templates" for more information. Click Next. The Connection screen of the Preparing OVD for OAM - Create LDAP Adapter dialog box appears.

    3. Perform steps 5 through 16 in "Creating LDAP Adapters" to configure the LDAP Adapter for OAM.

    4. Review the summary of settings and click Finish to create the LDAP Adapter for OAM. The new LDAP Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

    To create a Database Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM Database Adapter button. The Preparing OVD for OAM - Create Database Adapter dialog box appears.

    2. Enter a unique name for the Database Adapter in the Adapter Name field. Select the appropriate template for the Database Adapter by choosing an option from the Adapter Template list. Refer to "Understanding Adapter Templates" for more information. Click Next. The Connection screen of the Preparing OVD for OAM - Create Database Adapter dialog box appears.

    3. Perform steps 5 through 10 in "Creating Database Adapters" to configure the Database Adapter for OAM.

    4. Review the summary of settings and click Finish to create the Database Adapter for OAM. The new Database Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

    To create a Custom Adapter for Oracle Access Manager, perform the following steps:

    1. Click the Create OAM Custom Adapter button. The Preparing OVD for OAM - Create Custom Adapter dialog box appears.

    2. Enter a unique name for the Custom Adapter in the Adapter Name field.

    3. Enter a valid base DN in the Adapter Suffix/Namespace field.

    4. Click Next on the Preparing OVD for OAM - Create Custom Adapter dialog box. The Configure plug-in screen appears.

    5. Enter a name for the Plug-in in the Name field.

    6. Enter the Plug-in class name in the Class field, or click Browse, then select the plug-in from the Plug-In Selection box, and then click OK.

    7. Add parameters and values to the Plug-in by clicking the Create button in the Parameters table, selecting a parameter from the Name list, and entering a value for the parameter in the Value field.

    8. Click Next on the Configure plug-in screen.

    9. Review the summary of settings and click Finish to create the Custom Adapter for OAM. The new Custom Adapter for OAM appears in the list of adapters on the Setup for Oracle Access Manager screen.

  7. Configure the adapter for the data repository that Oracle Access Manager uses by selecting Adapter from the Oracle Directory Services Manager task selection bar and then clicking the name of the adapter to configure in the Adapter tree.


    See Also:

    The following sections for more information on configuring each type of adapter:

19.1.1 Modifying Oracle Access Manager Adapter Settings

To modify settings for an Oracle Access Manager integration adapter:

  1. Click the name of the adapter you want to modify on the Setup for Oracle Access Manager page. The adapter's settings appear at the bottom of the page.

  2. Modify the appropriate adapter settings. Refer to Chapter 12, "Creating and Configuring Oracle Virtual Directory Adapters" for more information on adapter settings.

  3. Click Apply at the bottom of the adapter settings screen to apply the changes.

19.2 Integrating with Oracle's Enterprise User Security

Integrating Oracle Virtual Directory and Enterprise User Security enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in an external LDAP repository without any additional synchronization.

This topic describes how to integrate Oracle Virtual Directory with Oracle's Enterprise User Security and contains the following sections:

19.2.1 Preparing Oracle Virtual Directory for the Enterprise User Security Integration

Regardless of which external directory you are storing your user identities in, you must perform the steps in this section first. After you complete the steps in this section, proceed with the integration by referring to Integrating Oracle Virtual Directory with External Directories.

Perform the following steps to prepare Oracle Virtual Directory for integration with Enterprise User Security:

  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory. All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a back-up copy of the eus directory enables you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

  2. If one does not already exist, create an LDAP listener that is secured with SSL No Authentication Mode by referring to Chapter 11, "Creating and Managing Oracle Virtual Directory Listeners."

  3. Create and add the subschemasubentry and Dynamic Groups plug-ins as global server plug-ins. Refer to "Managing Global Server Plug-ins" for steps on creating server plug-ins.


Important:

The steps for integrating Oracle Virtual Directory with Enterprise User Security from this point forward differ depending on which external directory you are storing your user identities in.

Continue the integration with Enterprise User Security by referring to Integrating Oracle Virtual Directory with External Directories.


19.2.2 Integrating Oracle Virtual Directory with External Directories

This section contains instructions for integrating Oracle Virtual Directory with Enterprise User Security for use with specific external directories. Perform the steps in the section that is specific to the external directory in which you are storing your user identities. This section contains the following sections:

19.2.2.1 User Identities in Microsoft Active Directory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Active Directory:

19.2.2.1.1 Configuring Active Directory for the Integration

Perform the following steps to configure Active Directory for the integration:


Note:

If you are using Kerberos authentication in the integration, do not perform steps 3 and 4 in the following procedure.

  1. Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be canceled. The back-up image enables you to restore all your changes if required.

  2. Load the Enterprise User Security required schema, extendAD, into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. The extendAD file is located in the $ORACLE_HOME/ovd/eus/ directory. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
    -AD Active_Directory_Domain_DN
    

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com

  3. Install the Oracle Internet Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

    1. Copy the $ORACLE_HOME/ovd/eus/oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.

    2. Use regedt32 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry key, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    4. Restart the Active Directory system after making these changes.

  4. Verify the Oracle Internet Directory Password Change Notification plug-in by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user whose password you changed. Verify that the orclCommonAttribute attribute contains the generated password hash value.

      The orclCommonAttribute attribute definition was added to Active Directory by the extendAD schema extension.

    3. Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.

  5. If you are using Kerberos authentication on Windows 2000 or Windows 2003 with Oracle Database Advanced Security, you must configure it now by referring to the Oracle Database Advanced Security Administrator's Guide.

    After you configure the Kerberos authentication, make sure you can log in to the database using your Active Directory user credential before proceeding to the next steps.

19.2.2.1.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create three new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix for one Local Store Adapter must be cn=OracleContext; the Adapter Suffix for the second Local Store Adapter must be cn=OracleSchemaVersion; and the Adapter Suffix for the third Local Store Adapter must be dc=com, unless your Active Directory domain is something like dc=example,dc=net, in which case the third Adapter Suffix must be dc=net.

    • The Database File and Backup File fields for each of the adapters must be unique.

  4. Update and load the entries into the Local Store Adapters by performing the following steps:

    1. Extend the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f loadOVD.ldif
      

      Note:

      The loadOVD.ldif file contains entries for Oracle Context and schema version that Enterprise User Security queries.

    2. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Active Directory and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory. The realmRoot.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.


      Note:

      The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

    3. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f realmRoot.ldif
      
  5. Create an LDAP Adapter for Enterprise User Security using the following settings and by entering the Active Directory host information, including the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the EUS_ActiveDirectory template for the adapter.

    • Enable the Use SSL/TLS option.

    • Set SSL Authentication Mode to Server Only Authentication / Mutual Authentication.

  6. Configure the Enterprise User Security plug-ins by performing the following steps:

    1. Click the Advanced tab, click the EUS_ActiveDirectory entry under Mapping Templates, and then click Apply to deploy the mapping.

    2. Access the LDAP Adapter for Enterprise User Security and click the Plug-ins tab.

    3. Select the ObjectclassMapper plug-in, click the Edit button, click the Create Namespace button, enter cn=OracleContext,<YOUR Mapped DOMAIN DN in Oracle Virtual Directory> in the Namespace field, and then click the OK button.

    4. Select the ActiveDirectory Password plug-in, click the Edit button, click the Create Namespace button, and enter cn=OracleContext,<YOUR Mapped DOMAIN DN in Oracle Virtual Directory> in the Namespace field.

      Click the Create Namespace button again, enter cn=users,<YOUR Mapped DOMAIN DN in Oracle Virtual Directory> in the Namespace field, and then click the OK button.

    5. Click the Create Mapping button, then select EUSActiveDirectory.py, then enter a unique mapping name, then click the Create Namespace button, then enter cn=users,<YOUR Mapped DOMAIN DN in Oracle Virtual Directory> in the Namespace field, and then click the OK button.

    6. Click the Apply button.

  7. Configure the Access Control Lists (ACLs) for the integration. Refer to "Configuring Access Control Lists for the Enterprise User Security Integration" for details about each ACL. After you configure the ACLs, continue the integration by proceeding to step 8.

  8. Create an LDAP Adapter for the Enterprise User Security administrative group using the following settings and by entering the Active Directory host information. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the Active_Directory template for the adapter.

    • Use cn=OracleContextAdmins,cn=users,<YOUR Active_Directory_Domain_DN> as the Remote Base.

    • Use the following for the Mapped Namespace:

      cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR Mapped DOMAIN DN in Oracle Virtual Directory>
      
  9. Configure the mappings and plug-ins for the Enterprise User Security administrative group adapter by performing the following steps:

    1. Click the Advanced tab, click Active_Directory_to_inetOrg, and then click the Apply button to deploy the mapping.

    2. Click the Adapter tab, click the adapter for the Enterprise User Security administrative group, click the Plug-ins tab, click the Create Mapping button, select ActiveDirectorytoinetOrg.py, enter a unique mapping name, and then click OK.

    3. Click the Create Plugin button, click the Select button, select the EUSMemberDNMapping plug-in, click OK, enter a unique plug-in name, create the localDomainDN and remoteDomainDN parameters, and then click OK.

      Here, localDomainDN is the domain DN that you see from Oracle Virtual Directory and remoteDomainDN is the domain DN in your back-end directory. Note that localDomainDN and remoteDomainDN may differ if you have DN mapping configured.

    4. Click the Apply button.


    Note:

    You may not see the group membership changes immediately after your changes in Active Directory. This is because of Active Directory's group membership refresh interval configuration.

  10. Update the realm information with Root Oracle Context by performing the following steps:

    1. Edit the modifyRealm.ldif file to use your Active Directory domain name. If you use DN mappings between Oracle Virtual Directory and Active Directory, use the mapped DN in Oracle Virtual Directory.

    2. Update the realm information using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \
      -D bindDN -q -v -f modifyRealm.ldif
      

    Note:

    To update the Active Directory-Oracle Virtual Directory configuration, edit the modifyRealm.ldif file and execute ldapmodify with the updated modifyRealm.ldif file.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and for use with Microsoft Active Directory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.2.2 User Identities in Microsoft Active Directory and Metadata in Oracle Internet Directory

Perform the following steps to integrate Oracle Virtual Directory with Enterprise User Security when user identities are stored in Active Directory and to store metadata in Oracle Internet Directory:


Note:

If you are using Kerberos authentication in the integration, do not perform steps 6 and 7 in the following procedure.

  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory. All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a back-up copy of the eus directory enables you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

  2. If one does not already exist, create an LDAP listener that is secured with SSL by referring to Chapter 11, "Creating and Managing Oracle Virtual Directory Listeners."

  3. Create and add the Dynamic Groups plug-ins as global server plug-ins. Refer to "Managing Global Server Plug-ins" for steps on creating server plug-ins.

  4. Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be canceled. The back-up image enables you to restore all your changes if required.

  5. Load the Enterprise User Security required schema into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
    -AD Active_Directory_Domain_DN -commonattr
    

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com

  6. Install the Oracle Internet Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

    1. Locate the oidpwdcn.dll file and copy it to the Active Directory WINDOWS\system32 directory.

    2. Use regedt32 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry key, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    4. Restart the Active Directory system after making these changes.

  7. Verify the Oracle Internet Directory Password Change Notification plug-in by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user whose password you changed. Verify that the orclCommonAttribute attribute contains the generated password hash value.

      The orclCommonAttribute attribute definition was added to Active Directory by the extendAD schema extension.

    3. Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.

  8. If you are using Kerberos authentication on Windows 2000 or Windows 2003 with Oracle Database Advanced Security, you must configure it now by referring to the Oracle Database Advanced Security Administrator's Guide.

    After you configure the Kerberos authentication, make sure you can log in to the database using your Active Directory user credential before proceeding to the next steps.

  9. Extend the Oracle Internet Directory LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h OID_Host_Name -p OID_Port -D bindDN \
    -q -v -f OIDSchema.ldif
    
  10. Create four new LDAP Adapters using the following settings and by entering the Oracle Internet Directory host information. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    For the first three new LDAP Adapters:

    • Use the Oracle_Internet_Directory adapter template.

    • The Adapter Remote Base and Mapped Namespace for the first adapter must be cn=OracleContext.

    • The Adapter Remote Base and Mapped Namespace for the second adapter must be cn=OracleSchemaVersion.

    • The Adapter Remote Base and Mapped Namespace for the third adapter must be cn=subschemasubentry.

    For the fourth new LDAP Adapter:

    • Use the EUS_OID adapter template.

    • The Adapter Remote Base and Mapped Namespace for the fourth adapter must be cn=oraclecontext,your_OID_realm.

  11. Create a new Local Store Adapter using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template.

    • The Adapter Suffix must be dc=com, unless your Oracle Internet Directory realm is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.

  12. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Active Directory and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory.


    Note:

    The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

  13. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f realmRoot.ldif
    
  14. Create a new LDAP Adapter for the user search base in Active Directory using the following settings and by entering the Active Directory host information, including the Remote Base. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the EUS_ActiveDirectory template for the adapter.

    • For Remote Base, enter the container in Active Directory, for example: cn=users,dc=adrealm,dc=com

  15. Check if the EUSActiveDirectory.py mapping is already deployed. If it is, go to step 16 now.

    If the EUSActiveDirectory.py mapping is not deployed, you must create a mapping for the Active Directory user search base adapter by clicking the Create Mapping button, selecting EUSActiveDirectory.py, entering a unique mapping name, clicking OK, and then clicking Apply.

  16. Add the Mapped Namespace to the orclcommonusersearchbase under cn=Common,cn=Products,cn=oraclecontext,<OID realm>. You can use an LDIF file such as:

    dn: cn=Common,cn=Products,cn=oraclecontext,dc=oracle,dc=com
    changetype: modify
    add: orclcommonusersearchbase
    orclcommonusersearchbase: cn=users,dc=adrealm,dc=com
    
  17. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    Target DN: cn=subschemasubentry
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: cn=subschemasubentry
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: cn=OracleContext
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: cn=OracleContext
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: cn=OracleSchemaVersion
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: cn=OracleSchemaVersion
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: Entry
    Grant: Browse DN and Return DN
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: All Attributes
    Grant: Search and Read
    Access: Public

    Target DN: dc=com
    Scope: subtree
    Applies To: authpassword
    Deny: All operations
    Access: Public


    Note:

    The following ACL must be the last ACL in the ACL list for dc=com.

    Target DN: dc=com
    Scope: subtree
    Applies To: authpassword
    Grant: Search and Read
    Access: Group with DN of cn=EUSDBGroup,<Your Mapped OID domain>

  18. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

    Target DN: cn=OracleContext,<YOUR DOMAIN>
    Scope: subtree
    Applies To: Entry
    Grant: All
    Access: Group with DN of cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>

    Target DN: cn=OracleContext,<YOUR DOMAIN>
    Scope: subtree
    Applies To: All Attributes
    Grant: All
    Access: Group with DN of cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


  19. Set the ACLs in the Oracle Internet Directory to protect the data under cn=OracleContext,<YOUR DOMAIN>.

19.2.2.3 User Identities in Oracle Directory Server Enterprise Edition

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Oracle Directory Server Enterprise Edition:

19.2.2.3.1 Configuring Oracle Directory Server Enterprise Edition for the Integration

Perform the following steps to configure Oracle Directory Server Enterprise Edition for the integration:

  1. Extend the iPlanet LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
    -D cn="directory manager" -q -v -a -f ./iPlanetSchema.ldif
    
  2. Create a realm in iPlanet by performing the following steps:

    1. Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create a realm in iPlanet using the realmiPlanet.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./realmiPlanet.ldif
      
  3. Configure the user and group containers by either creating new user and group containers, or using existing user and group containers.

    Creating New User and Group Containers

    1. Open the iPlanetContainers.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create user and group containers in iPlanet using the iPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./iPlanetContainers.ldif
      

    Using Existing User and Group Containers

    1. Open the useiPlanetContainers.ldif file.

    2. Replace all instances of the cn=users,dc=us,dc=oracle,dc=com string with the name of your user container.

    3. Replace all instances of the cn=groups,dc=us,dc=oracle,dc=com string with the name of your group container.


      Note:

      Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

    4. Run the following command to create a realm in iPlanet using the useiPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./useiPlanetContainers.ldif
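
The following Python helper is an added example, not Oracle's code. It applies the string substitutions that steps 2 and 3 above describe for the iPlanet template files, rejects user or group containers that lie outside the realm domain (the rule in the Note above), and derives the Local Store Adapter suffix (dc=com or dc=net) that the Oracle Virtual Directory steps of this chapter require. The per-file placeholder plan, the sample LDIF, and the orclcommongroupsearchbase attribute in that sample are assumptions constructed for the example.

```python
"""Render the Enterprise User Security LDIF templates for one realm.

Added example, not Oracle's code. It applies the string substitutions that
steps 2 and 3 above describe for the iPlanet template files, rejects user or
group containers outside the realm domain (see the Note above), and derives
the Local Store Adapter suffix (dc=com for dc=oracle,dc=com, dc=net for
dc=example,dc=net) that the Oracle Virtual Directory steps of this chapter
require. The per-file placeholder plan and the sample LDIF are assumptions.
"""
import re

# Placeholder strings that the eus/ template files contain, as quoted in the
# procedure above.
TEMPLATE_DOMAIN = "dc=us,dc=oracle,dc=com"
TEMPLATE_USERS = "cn=users,dc=us,dc=oracle,dc=com"
TEMPLATE_GROUPS = "cn=groups,dc=us,dc=oracle,dc=com"


def dn_rdns(dn):
    """Split a DN into normalised RDNs: lower-case, blanks around '=' and ','
    removed. Plain dc=/cn=/ou= names only; escaped commas are not handled."""
    return [re.sub(r"\s*=\s*", "=", part.strip()).lower()
            for part in dn.split(",") if part.strip()]


def is_under(dn, base):
    """True when dn equals base or is an entry somewhere beneath base."""
    d, b = dn_rdns(dn), dn_rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def local_store_suffix(domain_dn):
    """Adapter Suffix of the Local Store Adapter that holds the realm root:
    the top-level RDN of the domain DN."""
    return dn_rdns(domain_dn)[-1]


def check_containers(domain_dn, user_container, group_container):
    """Reject user or group containers that lie outside the realm domain."""
    for label, container in (("user", user_container),
                             ("group", group_container)):
        if not is_under(container, domain_dn):
            raise ValueError(f"{label} container {container} is not under "
                             f"domain {domain_dn}")


def render_template(text, replacements, required):
    """Apply replacements, longest placeholder first, so that the container
    names (which embed the template domain) are rewritten before the bare
    domain. Each placeholder in `required` must occur, so an already-edited
    or wrong file is caught before ldapmodify is run."""
    for old in required:
        if old not in text:
            raise ValueError(f"placeholder {old!r} not found in template")
    for old, new in sorted(replacements.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(old, new)
    return text


def prepare_realm_files(domain_dn, user_container, group_container, templates):
    """Return {file name: rendered LDIF} for the template texts in `templates`.

    Which placeholders each file must contain follows steps 2 and 3 above;
    every file additionally has leftover template-domain occurrences
    rewritten so no dc=us,dc=oracle,dc=com residue reaches the directory."""
    check_containers(domain_dn, user_container, group_container)
    replacements = {TEMPLATE_DOMAIN: domain_dn,
                    TEMPLATE_USERS: user_container,
                    TEMPLATE_GROUPS: group_container}
    required = {
        "realmiPlanet.ldif": [TEMPLATE_DOMAIN],
        "iPlanetContainers.ldif": [TEMPLATE_DOMAIN],
        "useiPlanetContainers.ldif": [TEMPLATE_USERS, TEMPLATE_GROUPS],
    }
    return {name: render_template(text, replacements, required.get(name, []))
            for name, text in templates.items()}


# Constructed stand-in for useiPlanetContainers.ldif; the real file ships in
# ORACLE_HOME/ovd/eus/ and its contents are not reproduced here.
SAMPLE_USE_CONTAINERS = """\
dn: cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: modify
replace: orclcommonusersearchbase
orclcommonusersearchbase: cn=users,dc=us,dc=oracle,dc=com
-
replace: orclcommongroupsearchbase
orclcommongroupsearchbase: cn=groups,dc=us,dc=oracle,dc=com
"""

if __name__ == "__main__":
    domain = "dc=superdemo,dc=net"
    out = prepare_realm_files(domain, "ou=people," + domain, "ou=groups," + domain,
                              {"useiPlanetContainers.ldif": SAMPLE_USE_CONTAINERS})
    print(out["useiPlanetContainers.ldif"])
    print("Local Store Adapter suffix:", local_store_suffix(domain))
```

Write the rendered text to a copy of the template (never over the original in ORACLE_HOME/ovd/eus/, which step 1 of the preparation section tells you to back up) and pass that copy to ldapmodify as in the commands above.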
      
19.2.2.3.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create three new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix for one Local Store Adapter must be cn=OracleContext; the Adapter Suffix for the second Local Store Adapter must be cn=OracleSchemaVersion; and the Adapter Suffix for the third Local Store Adapter must be dc=com, unless your Sun Java System Directory domain is something like dc=example,dc=net, in which case the third Adapter Suffix must be dc=net.

    • The Database File and Backup File fields for each of the adapters must be unique.

  4. Update and load the entries into the Local Store Adapters by performing the following steps:

    1. Extend the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Enterprise User Security queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f loadOVD.ldif
      
    2. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Oracle Directory Server Enterprise Edition and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory. The realmRoot.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.


      Note:

      The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

    3. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f realmRoot.ldif
      
  5. Create an LDAP Adapter for Enterprise User Security using the following settings and by entering the Oracle Directory Server Enterprise Edition host information, including the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the EUS_Sun template for the adapter.

    • The proxy DN user must be able to read the userPassword attribute in the Oracle Directory Server Enterprise Edition.

    After creating the LDAP Adapter for Enterprise User Security, DBCA adds a user under cn=oraclecontext, <YOUR Mapped DOMAIN DN in Oracle Virtual Directory>. Make sure this user can read the userPassword attribute in the Oracle Directory Server Enterprise Edition.

  6. Configure the Enterprise User Security plug-ins by performing the following steps:

    1. Click the Advanced tab, click the EUS_Sun entry under Mapping Templates, and then click the Apply to deploy the mapping.

    2. Access the LDAP Adapter for Enterprise User Security and click the Plug-ins tab.

    3. Select the ObjectclassMapper plug-in, click the Create Namespace button, enter cn=OracleContext,<YOUR Mapped DOMAIN DN in Oracle Virtual Directory> in the Namespace field, and then click the OK button.

    4. Click the Create Mapping button, then select EUS_Sun.py, then enter a unique mapping name, then click the Create Namespace button, then enter the name of your domain in the Namespace field, and then click the OK button.

    5. Click the Apply button.

  7. Configure the Access Control Lists (ACLs) for the integration. Refer to "Configuring Access Control Lists for the Enterprise User Security Integration" for details about each ACL. After you configure the ACLs, continue the integration by proceeding to step 8.

  8. Update the realm information with Root Oracle Context by performing the following steps:

    1. Edit the modifyRealm.ldif file to use your Oracle Directory Server Enterprise Edition domain name. If you use DN mappings between Oracle Virtual Directory and Oracle Directory Server Enterprise Edition, use the mapped DN in Oracle Virtual Directory.

    2. Update the realm information using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \
      -D bindDN -q -v -f modifyRealm.ldif
      

    Note:

    To update the Oracle Directory Server Enterprise Edition-Oracle Virtual Directory configuration, edit the modifyRealm.ldif file and execute ldapmodify with the updated modifyRealm.ldif file.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Oracle Directory Server Enterprise Edition are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.2.4 User Identities in Novell eDirectory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Novell eDirectory:

19.2.2.4.1 Configuring Novell eDirectory for the Integration

Perform the following steps to configure Novell eDirectory for the integration:

  1. Extend the eDirectory LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
    -D bindDN -q -v -f eDirSchema.ldif
    
  2. Modify X-NDS_CONTAINMENT in the groupofuniquenames objectclass by executing the following command:

    ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
    -D bindDN -q -v -f eDirgoun.ldif
    
  3. Create a realm in Novell eDirectory by performing the following steps:

    1. Open the eDirRealm.ldif file and replace all instances of the dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create a realm in eDirectory using the eDirRealm.ldif:

      ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
      -D bindDN -q -v -f eDirRealm.ldif
      
  4. Configure the user and group containers by performing the following steps:

    1. Open the eDirUserContainer.ldif file.

    2. Replace all instances of the ou=users,dc=oracle,dc=com string with the name of your user container.

    3. Replace all instances of the ou=groups,dc=oracle,dc=com string with the name of your group container.


      Note:

      Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

    4. Run the following command to configure the user and group containers:

      ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
      -D bindDN -q -v -f eDirUserContainer.ldif
      
  5. Enable Universal Password in eDirectory and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.

19.2.2.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Download the NMAS toolkit from the Novell Developer Community Web site.

  3. Upload this library to Oracle Virtual Directory by using Oracle Directory Services Manager. Refer to "Loading Libraries into the Oracle Virtual Directory Server" for more information.

    Restart the Oracle Virtual Directory server.

  4. Start Oracle Directory Services Manager and connect to the Oracle Virtual Directory server.

  5. Create three new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix for a Local Store Adapter must be cn=OracleContext; the Adapter Suffix for another of the Local Store Adapters must be cn=OracleSchemaVersion; and the Adapter Suffix for the other Local Store Adapter must be dc=com, unless your eDirectory domain is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.

    • The Database File and Backup File fields for each of the adapters must be unique.

  6. Update and load the entries into the Local Store Adapters by performing the following steps:

    1. Extend the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Enterprise User Security queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f loadOVD.ldif
      
    2. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Novell eDirectory and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory. The realmRoot.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.


      Note:

      The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

    3. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f realmRoot.ldif
      
  7. Create an LDAP Adapter for Enterprise User Security using the following settings and by entering the Novell eDirectory host information, including the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the EUS_eDirectory template for the adapter.

    • Enable the Use SSL/TLS option.

  8. Configure the Enterprise User Security plug-ins by performing the following steps:

    1. Click the Advanced tab, click the EUS_EDir entry under Mapping Templates, and then click the Apply to deploy the mapping.

    2. Access the LDAP Adapter for Enterprise User Security and click the Plug-ins tab.

    3. Select the ObjectclassMapper plug-in, click the Create Namespace button, enter cn=OracleContext,<YOUR Mapped DOMAIN DN in Oracle Virtual Directory> in the Namespace field, and then click the OK button.

    4. Click the Create Mapping button, then select EUS_EDir.py, then enter a unique mapping name, and then click the OK button.

    5. Click the Apply button.

  9. Configure the Access Control Lists (ACLs) for the integration. Refer to "Configuring Access Control Lists for the Enterprise User Security Integration" for details about each ACL. After you configure the ACLs, continue the integration by proceeding to step 10.

  10. Update the realm information with Root Oracle Context by performing the following steps:

    1. Edit the modifyRealm.ldif file to use your Novell eDirectory domain name. If you use DN mappings between Oracle Virtual Directory and Novell eDirectory, use the mapped DN in Oracle Virtual Directory.

    2. Update the realm information using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \
      -D bindDN -q -v -f modifyRealm.ldif
      

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Novell eDirectory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.2.5 User Identities in Oracle Internet Directory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Oracle Internet Directory:

19.2.2.5.1 Configuring Oracle Internet Directory for the Integration

To configure Oracle Internet Directory for the integration, extend the Oracle Internet Directory LDAP attribute and objectclass using the following command:

ORACLE_HOME/bin/ldapmodify -h OID_Host_Name -p OID_Port -D bindDN -q -v \
-f ./OIDSchema.ldif

19.2.2.5.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Ensure you have performed all steps in "Preparing Oracle Virtual Directory for the Enterprise User Security Integration" before proceeding with this procedure.

  2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  3. Create three new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix for one Local Store Adapter must be cn=OracleContext; the Adapter Suffix for another of the Local Store Adapters must be cn=OracleSchemaVersion; and the Adapter Suffix for the remaining Local Store Adapter must be dc=com, unless your Oracle Internet Directory domain is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.

    • The Database File and Backup File fields for each of the adapters must be unique.

  4. Update and load the entries into the Local Store Adapters by performing the following steps:

    1. Extend the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Enterprise User Security queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f loadOVD.ldif
      
    2. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Oracle Internet Directory and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory. The realmRoot.ldif file is located in the ORACLE_HOME/ovd/eus/ directory.


      Note:

      The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

    3. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f realmRoot.ldif
      
  5. Create an LDAP Adapter for Enterprise User Security using the EUS_OID adapter template and by entering the Oracle Internet Directory host information, including the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

  6. Configure the Access Control Lists (ACLs) for the integration. Refer to "Configuring Access Control Lists for the Enterprise User Security Integration" for details about each ACL. After you configure the ACLs, continue the integration by proceeding to step 7.

  7. Update the realm information with Root Oracle Context by performing the following steps:

    1. Edit the modifyRealm.ldif file to use your Oracle Internet Directory domain name. If you use DN mappings between Oracle Virtual Directory and Oracle Internet Directory, use the mapped DN in Oracle Virtual Directory.

    2. Update the realm information using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \
      -D bindDN -q -v -f modifyRealm.ldif
      

    Note:

    To update the Oracle Internet Directory-Oracle Virtual Directory configuration, edit the modifyRealm.ldif file and execute ldapmodify with the updated modifyRealm.ldif file.

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Oracle Internet Directory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.3 Configuring Access Control Lists for the Enterprise User Security Integration

This section describes the Access Control Lists (ACLs) you must configure in Oracle Virtual Directory for the Enterprise User Security integration regardless of which external repository you are using to store user identities in. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

Perform the following steps to configure Oracle Virtual Directory ACLs for the Enterprise User Security integration:

  1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

    Target DN cn=OracleContext
    Scope subtree
    Applies To Entry
    Grant Browse DN and Return DN
    Access Public

    Target DN cn=OracleContext
    Scope subtree
    Applies To All Attributes
    Grant Search and Read
    Access Public

    Target DN cn=OracleSchemaVersion
    Scope subtree
    Applies To Entry
    Grant Browse DN and Return DN
    Access Public

    Target DN cn=OracleSchemaVersion
    Scope subtree
    Applies To All Attributes
    Grant Search and Read
    Access Public

    Target DN dc=com
    Scope subtree
    Applies To Entry
    Grant Browse DN and Return DN
    Access Public

    Target DN dc=com
    Scope subtree
    Applies To All Attributes
    Grant Search and Read
    Access Public

    Target DN dc=com
    Scope subtree
    Applies To authpassword
    Deny All operations
    Access Public


    Note:

    The following ACL must be the last ACL in the ACL list for dc=com.

    Target DN dc=com
    Scope subtree
    Applies To authpassword
    Grant Search and Read
    Access Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com.

    Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace


  2. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

    Target DN cn=OracleContext,<YOUR DOMAIN>
    Scope subtree
    Applies To Entry
    Grant All
    Access Group with DN of:

    cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


    Target DN cn=OracleContext,<YOUR DOMAIN>
    Scope subtree
    Applies To All Attributes
    Grant All
    Access Group with DN of:

    cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN>


  3. Set the ACLs in the external directory to protect the data under cn=OracleContext,<YOUR DOMAIN>.

  4. Give write permission to the cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<YOUR DOMAIN> group.

19.2.4 Configuring Oracle Virtual Directory to Support Multiple Enterprise User Security Domains

Perform the following steps to configure Oracle Virtual Directory to allow Enterprise User Security users contained in multiple domains to authenticate to a database:

  1. Configure the first domain using the instructions in Integrating Oracle Virtual Directory with External Directories.


    Note:

    If you are not using Enterprise Roles, you may use any directory server for the first domain. However, if you plan to use Enterprise Roles, Oracle recommends using Oracle Internet Directory as the first domain. Microsoft Active Directory and Novell eDirectory have DN syntax validation and if the second domain's DN does not exist in the first domain, you cannot complete this configuration.

  2. If it does not already exist, add the realm root for the second domain by performing the following steps:

    1. Create an LDIF file using the following example. Replace the VARIABLES with the appropriate DN and orclsubscriberfullname of the second domain:

      dn: DN_OF_SECOND_DOMAIN
      dc: DC_OF_SECOND_DOMAIN
      o: O_OF_SECOND_DOMAIN
      objectclass: domain
      objectclass: organization
      objectclass: orclSubscriber
      orclsubscriberfullname: ORCLSUBSCRIBERFULLNAME_OF_SECOND_DOMAIN
      orclVersion: 90400
      

      Where DN_OF_SECOND_DOMAIN is the domain DN of the second domain that you want to see in Oracle Virtual Directory.

    2. Update Oracle Virtual Directory with the new LDIF file. For example:

      ORACLE_HOME/bin/ldapadd -h Oracle_Virtual_Directory_Host -p Port \
      -D bindDN -q -v -f LDIF_File
      
  3. Create a new LDAP Adapter for the second domain using the EUS_Directory-Type adapter template that is specific to the directory type. Enter the host name, port number, proxy DN, and password of the second domain. Be sure to configure the Remote Base and Mapped Namespace (where the namespace is the DN_OF_SECOND_DOMAIN from the previous step). Refer to "Creating LDAP Adapters" for information about creating LDAP Adapters.

  4. Configure the Mappings for the second domain LDAP Adapter by clicking the Create Mapping button on the Plug-Ins tab for the adapter. The Mapping you use depends on the type of directory you are using.


    Note:

    Do not configure a Mapping if you are using Oracle Internet Directory.

    • Use EUS_EDir.py for Novell eDirectory

    • Use EUS_ActiveDirectory.py for Active Directory

    • Use EUS_Sun.py for Oracle Directory Server Enterprise Edition

  5. Update Access Control Lists to protect the user entry and to allow the database account to access the password. You may skip this step if the Access Control Lists that were configured for the first domain cover the second domain's mapped namespace.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:


      Note:

      In the following ACLs, Mapped Namespace for second domain is the DN you used for the Oracle Virtual Directory Mapped Namespace in step #3.

      Target DN Mapped Namespace for second domain
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN Mapped Namespace for second domain
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN Mapped Namespace for second domain
      Scope subtree
      Applies To orclaccountstatusevent
      Deny All operations
      Access Public

      Target DN Mapped Namespace for second domain
      Scope subtree
      Applies To orclaccountstatusevent
      Grant Write
      Access Group with DN of cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com.

      Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain


      Target DN Mapped Namespace for second domain
      Scope subtree
      Applies To authpassword
      Deny All operations
      Access Public


      Note:

      The following ACL must be the last ACL in the ACL list for the Mapped Namespace for second domain.

      Target DN Mapped Namespace for second domain
      Scope subtree
      Applies To authpassword
      Grant Search and Read
      Access Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com.

      Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain.


  6. Update the Oracle Context with the newly added namespace by performing the following steps:

    1. Create an LDIF file like the following example and replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain:

      dn: cn=Common,cn=Products,cn=OracleContext,dc=dbdemo,dc=orion,dc=com
      changetype: modify
      add: orclcommonusersearchbase
      orclcommonusersearchbase: Mapped_Namespace_for_Second_Domain
      
    2. Update Oracle Virtual Directory using the LDIF file. For example:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p Port \
      -D bindDN -q -v -f LDIF_File
      
  7. Repeat steps 2-6 to support additional domains.


Note:

To log in to the database as an enterprise user from any of these additional domains, you must create the User-Schema Mappings for the additional user containers from Enterprise Security Manager or Enterprise Manager.

Refer to Oracle® Database Enterprise User Security Administrator's Guide for instructions.
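Several of the steps above (replacing the ou=users,dc=oracle,dc=com and ou=groups,dc=oracle,dc=com placeholders in eDirUserContainer.ldif, updating the dn, dc, o, orclsubscriberfullname and memberurl values in realmRoot.ldif, and filling in the realm-root LDIF template for a second domain) are string substitutions on sample files, and the note that the user and group containers must lie inside the domain is the check that is easiest to get wrong by hand. The following helpers are an added example, not Oracle's code or part of the shipped ORACLE_HOME/ovd/eus/ files. The function names are this example's own, the sample LDIF fragment is constructed, and the convention that dc, o and orclsubscriberfullname all take the leftmost RDN value of the domain DN (dc=oracle,dc=com giving oracle) is an assumption to verify against your copy of realmRoot.ldif before loading anything.

```python
# Added example (not from the Oracle documentation): helpers for preparing the
# LDIF files used in the Enterprise User Security integration. Function names,
# the constructed sample fragment, and the convention that dc/o/
# orclsubscriberfullname take the leftmost RDN value of the domain DN are
# assumptions; check them against your own realmRoot.ldif before loading.
import re
from typing import List, Tuple

RDN = Tuple[str, str]

_SPLIT_RDN = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs normalised for comparison.

    Attribute types are case-insensitive in LDAP, and so are the dc/ou/cn
    values used in these files, so both sides are lower-cased. Multi-valued
    RDNs (a=b+c=d) are not handled; the EUS sample files do not use them.
    """
    rdns: List[RDN] = []
    for part in _SPLIT_RDN.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn equals base_dn or lies below it (RDN suffix match)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def realm_attributes(domain_dn: str) -> dict:
    """Values for dc, o and orclsubscriberfullname of a realm root entry.

    Assumption: all three carry the leftmost RDN value of the domain DN,
    the pattern of the sample realmRoot.ldif (dc=oracle,dc=com -> oracle).
    """
    attr, value = parse_dn(domain_dn)[0]
    if attr != "dc":
        raise ValueError(f"realm root must be a dc= DN, got {domain_dn!r}")
    return {"dc": value, "o": value, "orclsubscriberfullname": value}


def second_domain_ldif(domain_dn: str) -> str:
    """Fill in the realm-root LDIF template from section 19.2.4, step 2."""
    a = realm_attributes(domain_dn)
    return (
        f"dn: {domain_dn}\n"
        f"dc: {a['dc']}\n"
        f"o: {a['o']}\n"
        "objectclass: domain\n"
        "objectclass: organization\n"
        "objectclass: orclSubscriber\n"
        f"orclsubscriberfullname: {a['orclsubscriberfullname']}\n"
        "orclVersion: 90400\n"
    )


def rewrite_containers(ldif_text: str, domain_dn: str,
                       user_container: str, group_container: str) -> str:
    """Apply the substitutions of 19.2.2.4.1 step 4 to eDirUserContainer.ldif.

    Refuses containers outside the domain (the ou=people,dc=ultrademo,dc=org
    case from the note) before touching the text. All placeholders are
    replaced in a single regex pass, longest first, so a new domain that
    itself contains dc=oracle,dc=com (for example dc=us,dc=oracle,dc=com)
    is not re-substituted. Matching is literal and case-sensitive, as the
    placeholders appear in the sample files.
    """
    for label, container in (("user", user_container), ("group", group_container)):
        if not is_under(container, domain_dn):
            raise ValueError(f"{label} container {container!r} is not under "
                             f"domain {domain_dn!r}")
    substitutions = [
        ("ou=users,dc=oracle,dc=com", user_container),
        ("ou=groups,dc=oracle,dc=com", group_container),
        ("dc=oracle,dc=com", domain_dn),
    ]
    pattern = re.compile("|".join(re.escape(p) for p, _ in substitutions))
    lookup = dict(substitutions)
    return pattern.sub(lambda m: lookup[m.group(0)], ldif_text)


if __name__ == "__main__":
    # Constructed stand-in for a fragment of eDirUserContainer.ldif; the real
    # file ships in ORACLE_HOME/ovd/eus/ and contains more than this.
    sample = ("dn: cn=Common,cn=Products,cn=OracleContext,dc=oracle,dc=com\n"
              "orclcommonusersearchbase: ou=users,dc=oracle,dc=com\n")
    print(rewrite_containers(sample, "dc=superdemo,dc=net",
                             "ou=people,dc=superdemo,dc=net",
                             "ou=groups,dc=superdemo,dc=net"))
    print(second_domain_ldif("dc=example,dc=net"))
```

Run rewrite_containers over the full sample file and write the result to a new file rather than editing in place, so the original from the backup copy of ORACLE_HOME/ovd/eus/ stays intact; the ValueError on an out-of-domain container stops the run before any LDIF is produced.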


19.2.5 Enabling User Account Lockout

LDAP servers can lock a user account after several bind attempts fail. The Oracle Virtual Directory-Enterprise User Security integration can use this lockout feature and enforce the back-end LDAP server's password lockout policy as follows:

  • An incorrect login to the Oracle Database records a login failure to the back-end LDAP server

  • A correct login to the Oracle Database resets the login failure count in the back-end LDAP server


    Note:

    This functionality is not available for integrations that use Active Directory.

  • A locked user account cannot be used to log in to the Oracle Database

After performing the Oracle Virtual Directory-Enterprise User Security integration, you can enable user account lockout by performing the following steps:


Note:

If you are using Oracle Internet Directory as the back-end LDAP server, skip steps 1 and 2 in the following procedure.

  1. Create and configure the euslockout plug-in for the Enterprise User Security integration LDAP Adapter by referring to Managing Adapter Plug-ins. When you configure the euslockout plug-in, you must:

    • Create a directoryType parameter with a value according to your back-end LDAP server, such as ActiveDirectory for Active Directory, iPlanet for Oracle Directory Server Enterprise Edition, or eDirectory for Novell eDirectory.

    • Create a namespace using the name of your user container.

  2. If you are using Oracle Directory Server Enterprise Edition as a back-end LDAP server, you must configure an additional plug-in parameter on the Enterprise User Security integration LDAP Adapter. If you are using Novell eDirectory as a back-end LDAP server, go to step 3.

    1. Query the Oracle Directory Server Enterprise Edition to determine its passwordMaxFailure value. For example:

      ORACLE_HOME/bin/ldapsearch -h Sun_Java_System_Directory_Server_Name -p Port \
      -D bindDN -q -s base -b "cn=password policy,cn=config" "objectclass=*" passwordmaxfailure
      
    2. Set the passwordMaxFailure parameter in the EUSiPlanet plug-in using the value returned from the query. Click the EUSiPlanet plug-in, then click the Create New Parameter button. Select passwordMaxFailure and enter the value in the Parameter field. Click OK.

  3. Create the following Access Control Lists. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

    Target DN Your_User_Container
    Scope subtree
    Applies To orclaccountstatusevent
    Deny All operations
    Access Public

    Target DN Your_User_Container
    Scope subtree
    Applies To orclaccountstatusevent
    Grant Write
    Access Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com.

    Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.


  4. For Oracle Internet Directory, Oracle Directory Server Enterprise Edition, and Novell eDirectory, ensure the proxy user configured for the Enterprise User Security LDAP Adapter has permission to modify the account lockout related attributes.

19.2.6 Integration Limitations

The following is a list of Oracle Virtual Directory-Enterprise User Security integration known limitations:

  • The following functionality is not supported in the integration:

    • DN mapping between Microsoft Active Directory and Oracle Virtual Directory when the Active Directory domain DN itself is mapped to a different DN in Oracle Virtual Directory. For example, mapping the Active Directory DN dc=us,dc=oracle,dc=com to dc=oracle,dc=com in Oracle Virtual Directory is not supported.

    • Administrative Groups except for OracleContextAdmins

    • Enterprise Security Manager console to Oracle Internet Directory Delegated Administration Services

    • Password Policy

    • Client certificate authentication

    • Kerberos authentication when integrating for use with Oracle Directory Server Enterprise Edition and Oracle Internet Directory

    • User Migration Utility (UMU)

    • Multiple Domain environments

    • JDBC Thin Driver—you must use the OCI driver

    • Combined Microsoft Active Directory and Oracle Directory Server Enterprise Edition environments

  • Resetting the account lockout counter after a correct login is not available for Oracle Virtual Directory-Enterprise User Security integrations with Active Directory. Alternatively, Active Directory can reset the account lockout counter after a specified period has elapsed. You can use this option to prevent the lockout counter from accumulating indefinitely.

  • In the Enterprise Security Manager interface:

    • Listed databases may sometimes include an Active Directory tombstone entry.

    • Database and Oracle Internet Directory version information is not available.

19.3 Integrating with Oracle's Net Services

This topic describes how to integrate Oracle Virtual Directory with Oracle Database Net Services to centralize name services with Oracle Internet Directory, Microsoft Active Directory, and Oracle Directory Server Enterprise Edition. This topic contains the following sections:

19.3.1 Overview

Oracle Virtual Directory can be integrated with Oracle's Net Services database product. Integrating Oracle Virtual Directory and Net Services enhances and simplifies your name service capabilities by allowing you to leverage service entries stored in an external LDAP repository without any additional synchronization.

19.3.2 Starting the Integration

This section lists the common steps required for all Oracle Virtual Directory-Net Services integrations. Perform the steps in this section first to start the integration, then proceed to a subsequent section specific to Oracle Internet Directory, Microsoft Active Directory, and Oracle Directory Server Enterprise Edition. Different steps are presented depending on whether you are integrating Oracle Virtual Directory with Net Services for use with Oracle Internet Directory, Microsoft Active Directory, or Oracle Directory Server Enterprise Edition. Only perform the steps appropriate for your environment.

Perform the following steps to start the Oracle Virtual Directory-Net Services integration process:

  1. Create a back-up copy of the ORACLE_HOME/ovd/eus/ directory.

  2. Create the subschemasubentry plug-in as global server plug-in. Refer to "Managing Global Server Plug-ins" for steps on creating server plug-ins.

19.3.3 Integrating for Use with Microsoft Active Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Microsoft Active Directory. Perform these only after you have completed the steps in the "Starting the Integration" section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Microsoft Active Directory includes the following tasks:

19.3.3.1 Configuring Active Directory for the Integration

Perform the following steps to configure Active Directory for the integration:

  1. Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be canceled. The back-up image enables you to restore all your changes if required.

  2. Load the Net Services required schema into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory. Unlike the ldapmodify commands elsewhere in this chapter, extendAD takes the administrator password on the command line with -w rather than prompting for it, so the password is visible in the process list and is recorded in the shell history; run it from a session where that is acceptable and clear the history afterward.

    java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
    -AD Active_Directory_Domain_DN
    

    Note:

    An example of a valid Active Directory domain DN is: dc=oracle,dc=com

19.3.3.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Load the entries into the Local Store Adapters and extend the Oracle Virtual Directory schema by applying the loadOVD.ldif file with the following command. The loadOVD.ldif file contains the Oracle Context and schema version entries that Net Services queries and is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif
    
  4. Create an LDAP Adapter for Net Services using the following settings and by entering the Active Directory host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the ONames_ActiveDirectory adapter template.

    • Select the BindOnly Pass Through Credential option.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN cn=OracleContext
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleContext
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

    2. Set the ACLs in Oracle Virtual Directory to support the OracleNetAdmins administrative group as follows:

      Target DN cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>
      Scope subtree
      Applies To Entry
      Grant All
      Access Group with DN of:

      cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>


      Target DN cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>
      Scope subtree
      Applies To All Attributes
      Grant All
      Access Group with DN of:

      cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>


  6. Create an LDAP Adapter for the OracleNetAdmins administrative group using the following settings and by entering the Active Directory host information, including port number, proxy DN, and password. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the Active_Directory adapter template.

    • Enter cn=OracleNetAdmins,cn=users,<YOUR Active_Directory_Domain_DN> as the Remote Base.

    • Enter cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED DOMAIN DN in Oracle Virtual Directory> as the Mapped Namespace.

  7. Configure a mapping and plug-in for the OracleNetAdmins administrative group adapter by performing the following steps:

    1. Click the Advanced tab, then click Active_Directory_to_inetOrg, and then click the Apply button to deploy the mapping.

    2. Click the Adapter tab, then click the adapter for the OracleNetAdmins administrative group, then click the Plug-ins tab, then click the Create Mapping button, then select Active_Directory_to_inetOrg.py, then enter a unique mapping name, and then click OK.

    3. Click the Create Plug-in button, then click the Select button, then select the EUSMemberDNMapping plug-in, then click OK, then enter a unique plug-in name, then create the localDomainDN and remoteDomainDN parameters, and then click OK. Note that the localDomainDN and remoteDomainDN may be different if you have DN mapping configured.

    4. Click the Apply button.


    Note:

    You may not see group membership changes immediately after making them in Active Directory, because Active Directory refreshes group membership at its configured refresh interval.

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Microsoft Active Directory are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.3.4 Integrating for Use with Oracle Directory Server Enterprise Edition

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition. Perform these only after you have completed the steps in the "Starting the Integration" section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition includes the following tasks:

19.3.4.1 Configuring Oracle Directory Server Enterprise Edition for the Integration

Perform the following steps to configure Oracle Directory Server Enterprise Edition for the integration:

  1. Extend the iPlanet LDAP schema with the required attribute and objectclass definitions using the following command:

    ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
    -D cn="directory manager" -q -v -a -f ./iPlanetSchema.ldif
    
  2. Create a realm in iPlanet by performing the following steps:

    1. Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create a realm in iPlanet using the realmiPlanet.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./realmiPlanet.ldif
      
  3. Configure the user and group containers by either creating new user and group containers, or by using existing user and group containers.

    Creating New User and Group Containers

    1. Open the iPlanetContainers.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

    2. Run the following command to create user and group containers in iPlanet using the iPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./iPlanetContainers.ldif
      

    Using Existing User and Group Containers

    1. Open the useiPlanetContainers.ldif file.

    2. Replace all instances of the cn=users,dc=us,dc=oracle,dc=com string with the name of your user container.

    3. Replace all instances of the cn=groups,dc=us,dc=oracle,dc=com string with the name of your group container.


      Note:

      Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

    4. Run the following command to create a realm in iPlanet using the useiPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D cn="directory manager" -q -v -a -f ./useiPlanetContainers.ldif
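    The two procedures above (new containers or existing containers) both amount to rewriting placeholder DNs in a shipped LDIF file, and the Note requires the containers to sit under the realm's domain. The following Python script is an added illustration, not the shipped realmiPlanet.ldif, iPlanetContainers.ldif or useiPlanetContainers.ldif files: it performs the substitution on a constructed template that resembles them and refuses container DNs that are outside the domain. The template text, the entry names in it, and the sample domain dc=superdemo,dc=net are assumptions of the example; the placeholder strings dc=us,dc=oracle,dc=com, cn=users,dc=us,dc=oracle,dc=com and cn=groups,dc=us,dc=oracle,dc=com are the ones the procedure tells you to replace.

```python
"""Rewrite an iPlanet LDIF template for your own domain and containers.

Added illustration, not the shipped realmiPlanet.ldif / useiPlanetContainers.ldif
files. TEMPLATE below is constructed to resemble them; the placeholder strings
it carries are the ones the procedure tells you to replace. The container check
implements the rule in the Note: user and group containers must sit under the
domain of the realm being created.
"""
import re

# Constructed template; only the dc=us,dc=oracle,dc=com placeholders come from the guide.
TEMPLATE = """\
dn: cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: add
objectclass: top
objectclass: orclContext
cn: OracleContext

dn: cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: add
objectclass: top
objectclass: orclCommonAttributes
cn: Common
orclCommonUserSearchBase: cn=users,dc=us,dc=oracle,dc=com
orclCommonGroupSearchBase: cn=groups,dc=us,dc=oracle,dc=com
"""


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_under(child_dn: str, parent_dn: str) -> bool:
    """True when child_dn is parent_dn or lies below it, compared RDN by RDN, so
    ou=people,dc=ultrademo,dc=org is not taken for a child of dc=demo,dc=org."""
    child, parent = normalize_dn(child_dn), normalize_dn(parent_dn)
    return child == parent or child.endswith("," + parent)


def replace_dn(text: str, old_dn: str, new_dn: str) -> str:
    """Replace old_dn wherever it ends a DN value, ignoring case and spacing
    after commas, and only when it starts at a value or RDN boundary."""
    body = r",\s*".join(re.escape(p.strip()) for p in old_dn.split(","))
    pattern = r"(?<![^,:\s])" + body + r"(?![^\s,])"
    return re.sub(pattern, lambda _m: new_dn, text, flags=re.IGNORECASE)


def render(template: str, domain: str, user_container: str, group_container: str) -> str:
    """Substitute the container placeholders, then the domain placeholder,
    refusing containers that are not under the domain. This generalizes the two
    manual procedures (new containers or existing containers) into one call."""
    for label, container in (("user", user_container), ("group", group_container)):
        if not is_under(container, domain):
            raise ValueError(f"{label} container {container} is not under domain {domain}")
    text = replace_dn(template, "cn=users,dc=us,dc=oracle,dc=com", user_container)
    text = replace_dn(text, "cn=groups,dc=us,dc=oracle,dc=com", group_container)
    return replace_dn(text, "dc=us,dc=oracle,dc=com", domain)


def entry_dns(ldif_text: str):
    """DNs of the entries in an LDIF text, for reviewing the result before loading it."""
    return [line[3:].strip() for line in ldif_text.splitlines() if line.lower().startswith("dn:")]


if __name__ == "__main__":
    # Sample values, constructed from the Note's example domain.
    rendered = render(TEMPLATE, "dc=superdemo,dc=net",
                      "ou=people,dc=superdemo,dc=net", "ou=groups,dc=superdemo,dc=net")
    print(rendered)
```

    Review the DNs that entry_dns() reports before running ldapmodify against the directory; the RDN-wise comparison in is_under() is what stops a container in an unrelated domain from passing the check on a plain substring match.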
      

19.3.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Load the entries into the Local Store Adapters and extend the Oracle Virtual Directory schema by applying the loadOVD.ldif file with the following command. The loadOVD.ldif file contains the Oracle Context and schema version entries that Net Services queries and is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif
    
  4. Create an LDAP Adapter for Net Services using the following settings and by entering the Oracle Directory Server Enterprise Edition host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

    • Use the ONames_Sun adapter template.

    • Select the BindOnly Pass Through Credential option.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN cn=OracleContext
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleContext
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

    2. Set the ACLs in Oracle Virtual Directory to support the OracleNetAdmins administrative group as follows:

      Target DN cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>
      Scope subtree
      Applies To Entry
      Grant All
      Access Group with DN of:

      cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>


      Target DN cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>
      Scope subtree
      Applies To All Attributes
      Grant All
      Access Group with DN of:

      cn=OracleNetAdmins,cn=OracleContext,<YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE>


    3. Set the ACLs in the external directory to protect the data under cn=OracleContext,<YOUR DOMAIN>.
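  As an added illustration (not Oracle Virtual Directory's own ACL engine), the following Python model transcribes the ACLs from step 5 of this section and of the Microsoft Active Directory section (19.3.3) as data and evaluates what a public (anonymous) caller and a member of the OracleNetAdmins group are granted on a given DN. The mapped namespace dc=example,dc=com, the right names, the set of rights that Grant All expands to, the sample entry cn=sales_db, and the default-deny rule for DNs outside every configured target are assumptions of the model, not values from this guide.

```python
"""ACL model for the Net Services entries that Oracle Virtual Directory exposes.

Added illustration; this is not Oracle Virtual Directory's ACL engine.
Assumptions (constructed for this example, not taken from the guide):
  * the mapped namespace in Oracle Virtual Directory is dc=example,dc=com
  * "Grant All" expands to ALL_RIGHTS below
  * a DN outside every configured target is denied by default
"""
from dataclasses import dataclass

PUBLIC = "public"
MAPPED_NS = "dc=example,dc=com"  # assumed mapped namespace
ADMIN_GROUP = f"cn=OracleNetAdmins,cn=OracleContext,{MAPPED_NS}"
ALL_RIGHTS = frozenset({"browse", "returndn", "search", "read", "write", "add", "delete"})


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip whitespace around RDN separators so that
    'CN=OracleContext, DC=Example,DC=com' compares equal to its canonical form."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """Scope 'subtree': the entry itself or anything below it, matched RDN-wise
    rather than by raw substring."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


@dataclass(frozen=True)
class Acl:
    target: str        # Target DN; scope is always subtree in this section
    applies_to: str    # "entry" (Browse DN / Return DN) or "attributes" (Search / Read)
    grant: frozenset   # rights granted
    access: str        # PUBLIC, or the DN of the group the ACL applies to


# The ACL table from step 5, transcribed as data.
ACLS = [
    Acl("cn=OracleContext", "entry", frozenset({"browse", "returndn"}), PUBLIC),
    Acl("cn=OracleContext", "attributes", frozenset({"search", "read"}), PUBLIC),
    Acl("cn=OracleSchemaVersion", "entry", frozenset({"browse", "returndn"}), PUBLIC),
    Acl("cn=OracleSchemaVersion", "attributes", frozenset({"search", "read"}), PUBLIC),
    Acl(MAPPED_NS, "entry", frozenset({"browse", "returndn"}), PUBLIC),
    Acl(MAPPED_NS, "attributes", frozenset({"search", "read"}), PUBLIC),
    Acl(f"cn=OracleContext,{MAPPED_NS}", "entry", ALL_RIGHTS, ADMIN_GROUP),
    Acl(f"cn=OracleContext,{MAPPED_NS}", "attributes", ALL_RIGHTS, ADMIN_GROUP),
]


def rights_for(entry_dn: str, applies_to: str = "attributes", groups=()) -> frozenset:
    """Union of the rights every matching ACL grants to a subject on entry_dn.
    groups lists the group DNs the bound identity belongs to; an anonymous
    (public) caller passes none and still receives the PUBLIC grants."""
    member_of = {normalize_dn(g) for g in groups}
    granted = set()
    for acl in ACLS:
        if acl.applies_to != applies_to or not in_subtree(entry_dn, acl.target):
            continue
        if acl.access == PUBLIC or normalize_dn(acl.access) in member_of:
            granted |= acl.grant
    return frozenset(granted)


def can(entry_dn: str, right: str, applies_to: str = "attributes", groups=()) -> bool:
    """Convenience check for a single right."""
    return right in rights_for(entry_dn, applies_to, groups)


if __name__ == "__main__":
    target = f"cn=sales_db,cn=OracleContext,{MAPPED_NS}"  # constructed net service entry
    print("anonymous:", sorted(rights_for(target)))
    print("OracleNetAdmins member:", sorted(rights_for(target, groups=[ADMIN_GROUP])))
```

  The property to confirm before moving on is the one the model makes explicit: public callers get search and read under cn=OracleContext, cn=OracleSchemaVersion and the mapped namespace but no write right anywhere, and only membership of the OracleNetAdmins group adds write, add and delete, and only below cn=OracleContext,<mapped namespace>. Because the comparison runs on normalized DNs, case and spacing differences in the group DN do not silently fail the membership match.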

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Oracle Directory Server Enterprise Edition are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.3.5 Integrating for Use with Oracle Internet Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Oracle Internet Directory. Perform these only after you have completed the steps in the "Starting the Integration" section.

  1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

  2. Create two new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

    • Use the Local_Storage_Adapter template for each adapter.

    • The Adapter Suffix of one Local Store Adapter must be cn=OracleContext and the Adapter Suffix of the other must be cn=OracleSchemaVersion.

    • The Database File and Backup File fields for each of the adapters must be unique.

  3. Load the entries into the Local Store Adapters and extend the Oracle Virtual Directory schema by applying the loadOVD.ldif file with the following command. The loadOVD.ldif file contains the Oracle Context and schema version entries that Net Services queries and is located in the ORACLE_HOME/ovd/eus/ directory.

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
    -D bindDN -q -v -a -f loadOVD.ldif
    
  4. Create an LDAP Adapter for Net Services using the ONames_OID adapter template and by entering the Oracle Internet Directory host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

  5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

    1. Create the following ACLs. Refer to "Creating Access Control Lists Using Oracle Directory Services Manager" for information on creating ACLs:

      Target DN cn=OracleContext
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleContext
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN cn=OracleSchemaVersion
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To Entry
      Grant Browse DN and Return DN
      Access Public

      Target DN Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
      Scope subtree
      Applies To All Attributes
      Grant Search and Read
      Access Public

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Oracle Internet Directory are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.