Directory server chaining is a feature of Oracle Internet Directory introduced in 10g (10.1.4.0.1). It is implemented using the Java plug-in framework.
This chapter contains the following topics:
Section 38.3, "Creating Server Chaining Configuration Entries"
Section 38.5, "Configuring an Active Directory Plug-in for Password Change Notification"
Note:
All references to Oracle Single Sign-On in this chapter refer to Oracle Single Sign-On 10g (10.1.4.3.0) or later.
Server chaining enables you to map entries that reside in third party LDAP directories to part of the directory tree and access them through Oracle Internet Directory, without synchronization or data migration. With server chaining, you can use Oracle Internet Directory's authorization framework when identity data resides outside of Oracle Internet Directory. Server chaining is certified only with Enterprise User Security. No other Oracle applications can be used with server chaining.
Server chaining does not replace Oracle Directory Integration Platform. Rather, it offers complementary functionality to Oracle Directory Integration Platform.
Server chaining is different from a virtual directory. A virtual directory, such as Oracle Virtual Directory, is a flexible virtualization layer between multiple identity repositories and applications. It offers complementary services to identity synchronization and directory servers. With a virtual directory, organizations can create consolidated, logical or virtual views of data that may span multiple directories and databases.
Server chaining is a simpler, more flexible solution, embedded in the Oracle Internet Directory server, and particularly suited to Enterprise User Security customers. It is easy to administer and upgrade. It also provides Oracle Internet Directory's authorization framework without extra configuration steps.
As of 11g Release 1 (11.1.1), you can configure server chaining to use SSL.
Oracle Internet Directory server chaining supports the following external servers:
An implementation of Oracle Internet Directory can connect with one Active Directory server, one Sun Java System Directory Server, one Novell eDirectory, or with all three.
Note:
Oracle Internet Directory server chaining does not support Active Directory Lightweight Directory Service (AD LDS), formerly known as ADAM.
The following products have been integrated with Oracle Internet Directory server chaining:
Oracle Single Sign-On 10g (10.1.4.3.0) or later
Enterprise User Security
When server chaining is enabled, a user from the external directory can log in through Oracle Single Sign-On as if authenticated locally within Oracle Internet Directory, rather than the external repository.
Oracle Internet Directory server chaining enables you to implement Enterprise User Security without synchronizing identity data with Oracle Internet Directory through Oracle Directory Integration Platform. Your identity data remains in the external repository and the Oracle Internet Directory data store contains only Enterprise User Security-related metadata.
With Sun Java System Directory Server as the external directory, server chaining supports password-based authentication with Enterprise User Security.
With Active Directory as the external directory, server chaining supports Kerberos-based authentication and password-based authentication with Enterprise User Security. The external users can log in to Oracle Database after the Enterprise User Security authentication setup is completed. For further details, see Section 38.5, "Configuring an Active Directory Plug-in for Password Change Notification," which is based on Note 452385.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.
See Also:
Oracle Database Enterprise User Security Administrator's Guide for more information on configuring Enterprise User Security for password authentication and Kerberos authentication.
Server chaining supports the following operations:
Bind
Compare
Modify
Search
The compare, modify, and search operations can be enabled or disabled by setting configuration parameters.
When an Oracle Internet Directory client application issues an LDAP search request, Oracle Internet Directory integrates the search results from its own data and the external directories.
When an Oracle Internet Directory client application issues an LDAP bind, compare, or modify request, Oracle Internet Directory redirects the request to the external directory.
In 10g (10.1.4.0.1) and later, the compare operation is supported only for the userpassword attribute.
In 10g (10.1.4.0.1) and later, attribute modification is supported in two cases:
The external attribute has the same name as the Oracle Internet Directory attribute. This is true for most standard LDAP attributes.
The external attribute is mapped to an Oracle Internet Directory attribute, and neither the external nor the Oracle Internet Directory attribute is an operational attribute.
Note:
You cannot modify an Active Directory user password from Oracle Internet Directory through server chaining.
Oracle Internet Directory ships with sample server chaining entries that are disabled by default.
For Active Directory, the DN for the server chaining entry is
cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
For Oracle Directory Server Enterprise Edition and Sun Java System Directory Server, the entry DN is
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
For Novell eDirectory, the entry DN is
cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
You configure server chaining by customizing these entries for your environment and enabling them. You can do this either from the command line or by using Oracle Directory Services Manager.
This section contains the following topics:
Section 38.2.1, "Configuring Server Chaining by Using Oracle Directory Services Manager"
Section 38.2.2, "Configuring Server Chaining from the Command Line"
Oracle Directory Services Manager provides a convenient interface for modifying the Oracle Internet Directory server chaining configuration entries. To configure server chaining by using Oracle Directory Services Manager, perform the following steps:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
From the task selection bar, select Advanced.
Expand Server Chaining. Server Chaining entries appear in the left panel. Current entries include iPlanet (Oracle Directory Server Enterprise Edition and Sun Java System Directory Server) and Active Directory.
To modify a server chaining configuration entry, select it. The Server Chaining Management tab appears in the right pane.
Modify External Host Name, External Port Number, Login User DN, and Login User Password as necessary.
To enable server chaining authentication, modification, or search, select the corresponding checkbox.
Modify the other fields as necessary.
After modifying an external user container, group container, or login credential, verify the value by clicking Verify User Container, Verify Group Container, or Verify Login Credential, respectively.
If the verification fails, examine the values you entered for errors. If the problem persists, consult the external directory administrator to verify the accuracy of the values you entered.
If you want to add an attribute mapping, click the Add attribute mappings to list icon under Attribute Mapping. To edit an existing mapping, select the mapping and click the Edit Attribute Mapping icon under Attribute Mapping. The New Attribute Mapping window appears. Enter the External Directory Attribute and the OID Attribute. To locate an Oracle Internet Directory attribute by browsing, click Select, then select the attribute in the Attribute Selection window.
Click OK to create the mapping or click Cancel to abandon it.
To delete a mapping, select the mapping and click the Delete selected attribute mapping icon. When the Delete Confirm dialog appears, click Delete to delete the mapping or Cancel to abandon deletion.
Click OK to enable the configuration changes or click Cancel to abandon the changes.
Perform the following steps to configure server chaining from the command line:
Create an LDIF file to manually add the user and group containers. To determine the DNs for these containers, see Section 38.3.2, "Requirements for User and Group Containers." For example, if your user search base is cn=users,dc=us,dc=oracle,dc=com, and the group search base is cn=groups,dc=us,dc=oracle,dc=com, then you would use the following entries in your LDIF file:
dn: cn=AD,cn=users,dc=us,dc=oracle,dc=com
cn: AD
objectclass: orclcontainer
objectclass: top

dn: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
cn: iPlanet
objectclass: orclcontainer
objectclass: top

dn: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
cn: AD
objectclass: orclcontainer
objectclass: top

dn: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
cn: iPlanet
objectclass: orclcontainer
objectclass: top
Use ldapadd and the LDIF file you just created to add the entries:
ldapadd -p port -h host -D "binddn" -q -v -f container_ldif_file_name
Create another LDIF file to modify and enable the server chaining configuration entries. For example LDIF files, see Section 38.3.4, "Active Directory Example" and Section 38.3.7, "Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) Example." A table of attributes is provided in Section 38.3, "Creating Server Chaining Configuration Entries." Attribute mapping is explained in Section 38.3.3, "Attribute Mapping."
Modify the server chaining configuration entries using the ldapmodify command and the LDIF file you just created. Use a command line of the form (the bind DN is given once, with -D):
ldapmodify -p port -h host -D "binddn" -q -v -f entry_ldif_file_name
Table 38-1 lists the configuration entry attributes for server chaining.
Table 38-1 Configuration Entry Attributes for Server Chaining
Attribute | Required | Description |
---|---|---|
orclOIDSCExtHost | Yes | The host name of the external directory host. This is a single value attribute. |
orclOIDSCExtPort | Yes | The port number of the external directory host. This is a single value attribute. The default value is 3060. |
orclOIDSCExtDN | Yes | The DN in the external directory. Server chaining binds against the external directory using this identity to perform search and modify operations. This identity must have sufficient privilege to perform the operation. This is a single value attribute. |
orclOIDSCExtPassword | Yes | The password for the DN of the external directory. This is a single value attribute. Be sure to enable privacy mode to ensure that users cannot retrieve this attribute in clear text. See Section 28.7, "Configuring Privacy of Retrieved Sensitive Attributes." |
orclOIDSCExtUserContainer | Yes | The user container in the external directory from which to perform the user search operation. This is a single value attribute. |
orclOIDSCExtGroupContainer | Yes | The group container in the external directory from which to perform the group search operation. This is a single value attribute. This attribute is optional if the external user container and the external group container are the same. In this case the group search operations are performed on the external user container. |
orclOIDSCTargetUserContainer | Yes | The user container in Oracle Internet Directory in which the external users reside. For more information, see Section 38.3.2, "Requirements for User and Group Containers." |
orclOIDSCTargetGroupContainer | Yes | The group container in Oracle Internet Directory in which the external groups reside. For more information, see Section 38.3.2, "Requirements for User and Group Containers." |
orclOIDSCAttrMapping | No | Specifies each attribute mapping between the external directory and Oracle Internet Directory. For example, to map the For more information, see Section 38.3.3, "Attribute Mapping." |
orclOIDSCExtSearchEnabled | Yes | External search capability. |
orclOIDSCExtModifyEnabled | Yes | External modify capability. |
orclOIDSCExtAuthEnabled | Yes | External authentication capability. |
orclOIDSCSSLEnabled | No | SSL connection to the external directory. 0 = disabled (default), 1 = enabled. This is a single value attribute. Required if SSL is enabled. |
orclOIDSCExtSSLPort | No | The SSL port number of the external directory host. This is a single value attribute. Required if SSL is enabled. |
orclOIDSCWalletLocation | No | The filename and path of the wallet that contains the server certificate of the external directory. This is a single value attribute. Required if SSL is enabled. |
orclOIDSCWalletPassword | No | The wallet password. This is a single value attribute. Required if SSL is enabled. |
mapUIDtoADAttribute | No | Specifies the mapping of the OID attribute "uid" to an attribute in Active Directory. You can map "uid" to any non-binary attribute defined in Active Directory. The default value is "name". This is a single value attribute. |
showExternalGroupEntries | No | In a search against the group container: "base" - show entries with objectclass group (default), "sub" - show entries without objectclass "user" and "computer". This is a single value attribute. Applicable with Active Directory only. |
showExternalUserEntries | No | In a one level search with an entry one level below the user container as the base: "base" - do not show any entry (default), "sub" - show entries in the subtree below the base of the search. This is a single value attribute. Applicable with Active Directory only. |
addOrcluserv2ToADUsers | No | Add the "orcluserv2" objectclass to entries that have objectclass user. 0 = disabled (default), 1 = enabled. This is a single value attribute. Applicable with Active Directory only. |
The target user and group containers must be under the Oracle Internet Directory search base in order to work with Oracle Single Sign-On. Use the container names cn=AD for Active Directory and cn=iPlanet for Oracle Directory Server Enterprise Edition or Sun Java System Directory Server (iPlanet). For example, if your user search base is cn=users,dc=us,dc=oracle,dc=com, you would use cn=AD,cn=users,dc=us,dc=oracle,dc=com as the target user container for the Active Directory users, or cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com as the target user container for the Sun Java System Directory Server users. Similarly, if your group search base is cn=groups,dc=us,dc=oracle,dc=com, you would use cn=AD,cn=groups,dc=us,dc=oracle,dc=com as the target container for the Active Directory groups, or cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com as the target container for the Oracle Directory Server Enterprise Edition or Sun Java System Directory Server groups.
The target user and group containers exist only for the external directories. All the users and groups that appear under these nodes are populated by the external directories. Do not add entries under these containers directly from Oracle Internet Directory.
If an attribute in an external directory and an Oracle Internet Directory attribute are the same, then no mapping is required. Server chaining performs some attribute mapping by default. The default mapping list is as follows:
Table 38-2 Default Attribute Mapping to Active Directory
Oracle Internet Directory Attribute | Active Directory Attribute |
---|---|
For Active Directory server chaining, you can use the mapUIDtoADAttribute attribute to map uid to any non-binary attribute defined in Active Directory.
Table 38-3 Default Attribute Mapping to Sun Java System Directory Server
Oracle Internet Directory Attribute | Sun Java System Directory Server Attribute |
---|---|
Table 38-4 Default Attribute Mapping to Novell eDirectory
Oracle Internet Directory Attribute | Novell eDirectory Attribute |
---|---|
The following objects cannot be mapped:
Operational attributes
Object classes
Oracle Internet Directory-specific attributes. These attributes typically have names starting with orcl.
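The command-line procedure earlier in this chapter (add the target containers with ldapadd, then modify the configuration entry with ldapmodify), the container requirements of Section 38.3.2 and the mapping restrictions just listed can all be checked before anything is sent to the server. The following Python script is an added example, not Oracle's code or part of this guide: it generates both LDIF files from one dictionary of settings and validates them against the rules stated in this chapter (target containers under the search bases and named cn=AD or cn=iPlanet, SSL attributes present when SSL is enabled, no operational or orcl* attributes in mappings). All host names, DNs and passwords in it are constructed placeholders, and the direction of the orclOIDSCAttrMapping subtype syntax (OID attribute in the subtype, external attribute as the value) is an assumption taken from the Active Directory example later in this chapter.

```python
"""Generate and sanity-check Oracle Internet Directory server chaining LDIF (added example)."""

# Entry name -> container cn this chapter prescribes under the OID search bases.
CONTAINER_NAMES = {"oidscad": "AD", "oidsciplanet": "iPlanet", "oidscedir": "edir"}

# Table 38-1 attributes that must be set when orclOIDSCSSLEnabled is 1.
SSL_REQUIRED = ("orcloidscextsslport", "orcloidscwalletlocation", "orcloidscwalletpassword")

# A few common LDAP operational attributes; Section 38.3.3 says these cannot be mapped.
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname", "modifiersname"}


def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs can be compared textually."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def validate(cfg):
    """Return the list of problems found; an empty list means the config is consistent."""
    problems = []
    expected_cn = CONTAINER_NAMES.get(cfg["entry"])
    if expected_cn is None:
        problems.append(f"unknown server chaining entry {cfg['entry']!r}")
    for kind in ("user", "group"):
        target = normalize_dn(cfg[f"target_{kind}_container"])
        base = normalize_dn(cfg[f"{kind}_search_base"])
        if not target.endswith("," + base):
            problems.append(f"target {kind} container {target} is not under search base {base}")
        elif expected_cn and target != normalize_dn(f"cn={expected_cn},{base}"):
            problems.append(f"target {kind} container should be cn={expected_cn},{base}")
    if not 1 <= cfg["ext_port"] <= 65535:
        problems.append(f"external port {cfg['ext_port']} is not a valid TCP port")
    if cfg.get("ssl_enabled"):
        for attr in SSL_REQUIRED:
            if not cfg.get(attr):
                problems.append(f"SSL enabled but {attr} is missing")
    for oid_attr, ext_attr in cfg.get("attr_mapping", {}).items():
        for name in (oid_attr, ext_attr):
            if name.lower().startswith("orcl") or name.lower() in OPERATIONAL:
                problems.append(f"attribute {name} cannot be mapped (operational or orcl-specific)")
    return problems


def container_ldif(cfg):
    """LDIF for ldapadd: the orclcontainer entries the procedure adds by hand."""
    records = []
    for kind in ("user", "group"):
        dn = cfg[f"target_{kind}_container"]
        cn = dn.split(",", 1)[0].split("=", 1)[1]
        records.append(f"dn: {dn}\ncn: {cn}\nobjectclass: orclcontainer\nobjectclass: top\n")
    return "\n".join(records)


def config_ldif(cfg):
    """LDIF for ldapmodify that replaces the attributes on the chaining entry."""
    def flag(key):
        return "1" if cfg.get(key) else "0"
    attrs = [
        ("orcloidscexthost", cfg["ext_host"]),
        ("orcloidscextport", str(cfg["ext_port"])),
        ("orcloidscextdn", cfg["ext_dn"]),
        ("orcloidscextpassword", cfg["ext_password"]),
        ("orcloidscextusercontainer", cfg["ext_user_container"]),
        ("orcloidscextgroupcontainer", cfg["ext_group_container"]),
        ("orcloidsctargetusercontainer", cfg["target_user_container"]),
        ("orcloidsctargetgroupcontainer", cfg["target_group_container"]),
        ("orcloidscextsearchenabled", flag("search")),
        ("orcloidscextmodifyenabled", flag("modify")),
        ("orcloidscextauthenabled", flag("auth")),
        ("orcloidscsslenabled", flag("ssl_enabled")),
    ]
    if cfg.get("ssl_enabled"):
        attrs += [(name, str(cfg[name])) for name in SSL_REQUIRED]
    # Assumed mapping syntax, after the AD example "orclOIDSCAttrMapping;description: title":
    # the subtype names the OID attribute and the value names the external attribute.
    for oid_attr, ext_attr in cfg.get("attr_mapping", {}).items():
        attrs.append((f"orcloidscattrmapping;{oid_attr}", ext_attr))
    lines = [f"dn: cn={cfg['entry']},cn=oid server chaining,cn=subconfigsubentry",
             "changetype: modify"]
    for name, value in attrs:
        lines += [f"replace: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"


# Constructed sample values for an Active Directory entry; not a real deployment.
SAMPLE = {
    "entry": "oidscad",
    "ext_host": "ad.example.com",
    "ext_port": 389,
    "ext_dn": "cn=administrator,cn=users,dc=example,dc=com",
    "ext_password": "CHANGE_ME",
    "ext_user_container": "cn=users,dc=example,dc=com",
    "ext_group_container": "cn=users,dc=example,dc=com",
    "user_search_base": "cn=users,dc=us,dc=oracle,dc=com",
    "group_search_base": "cn=groups,dc=us,dc=oracle,dc=com",
    "target_user_container": "cn=AD,cn=users,dc=us,dc=oracle,dc=com",
    "target_group_container": "cn=AD,cn=groups,dc=us,dc=oracle,dc=com",
    "search": True, "modify": True, "auth": True,
    "ssl_enabled": True,
    "orcloidscextsslport": 636,
    "orcloidscwalletlocation": "/adwallet/ewallet.p12",
    "orcloidscwalletpassword": "CHANGE_ME",
    "attr_mapping": {"description": "title"},
}

if __name__ == "__main__":
    assert not validate(SAMPLE), validate(SAMPLE)
    print(container_ldif(SAMPLE))
    print(config_ldif(SAMPLE))
```

Run the script, review the two LDIF documents it prints, and pass them to ldapadd and ldapmodify as in the procedure; if validate() reports anything, fix the dictionary rather than the generated file so the check and the output stay in step.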
The following example shows server chaining configured to use the Active Directory server dlin-pc9.us.example.com, port 3060, as its external directory store. SSL is not enabled in this example (orcloidscsslenabled is 0); an SSL-enabled configuration is shown in a later example. All the attributes are explained in Table 38-1.
cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc9.us.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCAttrMapping;description: title
orcloidscsslenabled: 0
The following example is the LDIF file used to modify the configuration entry:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=administrator,cn=users,dc=oidvd,dc=com
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc9.us.example.com
-
replace: orcloidscextport
orcloidscextport: 3060
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: cn=users,dc=dlin,dc=net
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: cn=users,dc=dlin,dc=net
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
-
replace: orcloidscsslenabled
orcloidscsslenabled:1
The following example shows server chaining configured to use the Active Directory server ad.example.com, SSL port 3133, and the wallet located at /adwallet/ewallet.p12.
cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: ad.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /adwallet/ewallet.p12
orclOIDSCWalletPassword: ********
Perform the following steps to configure server chaining with SSL from the command line:
Configure Active Directory server chaining without SSL, as described in the previous section.
Create an LDIF file like the following to enable the SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Active Directory server:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscsslenabled
orcloidscsslenabled: 1
-
replace: orcloidscextsslport
orcloidscextsslport: 3133
-
replace: orcloidscwalletlocation
orcloidscwalletlocation: /adwallet/ewallet.p12
-
replace: orcloidscwalletpassword
orcloidscwalletpassword: passw0rd
To apply the changes, use a command line such as
ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name
The attributes mapUIDtoADAttribute, showExternalGroupEntries, showExternalUserEntries, and addOrcluserv2ToADUsers have been added since Oracle Internet Directory 10g (10.1.4.0.1). To add these attributes to an existing Active Directory server chaining entry, modify the following LDIF file with the appropriate values:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: mapUIDtoADAttribute
mapUIDtoADAttribute: name
-
replace: showExternalGroupEntries
showExternalGroupEntries: base
-
replace: showExternalUserEntries
showExternalUserEntries: base
-
replace: addOrcluserv2ToADUsers
addOrcluserv2ToADUsers: 0
Use a command line such as
ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name
to modify the configuration entry.
The following example shows server chaining configured to use the Sun Java System Directory Server dlin-pc10.us.example.com, port 10389, as its external directory store. All the attributes are explained in Table 38-1.
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc10.us.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
The following example is the LDIF file used to modify the configuration entry:
dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=directory manager
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc10.us.example.com
-
replace: orcloidscextport
orcloidscextport: 10389
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=iplanet,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=iplanet,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: ou=people,dc=example,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: ou=groups,dc=example,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
The following example shows server chaining configured to use the Sun Java System Directory Server sunone.example.com, SSL port 10636, and the wallet located at /ipwallet/ewallet.p12.
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********
Perform the following steps to configure server chaining with SSL from the command line:
Configure server chaining without SSL, as described in the previous section.
Create the following LDIF file to enable the SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Oracle Directory Server Enterprise Edition/Sun Java System Directory Server.
dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscsslenabled
orcloidscsslenabled: 1
-
replace: orcloidscextsslport
orcloidscextsslport: 10636
-
replace: orcloidscwalletlocation
orcloidscwalletlocation: /ipwallet/ewallet.p12
-
replace: orcloidscwalletpassword
orcloidscwalletpassword: passw0rd
Execute a command such as
ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name
to modify the configuration entry.
A sample eDirectory configuration looks like this:
cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
A sample eDirectory configuration with SSL looks like this:
cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /edir/ewallet.p12
orclOIDSCWalletPassword: ********
To debug server chaining, perform the following steps:
Set the Oracle Internet Directory server debug logging level, as described in Section 24.2, "Managing Logging by Using Fusion Middleware Control" or Section 24.3, "Managing Logging from the Command Line." Use the logging level value 402653184. This value enables logging of all messages related to the Java plug-in framework.
Modify the Oracle Internet Directory server chaining debugging settings. For both cn=oidscad,cn=oid server chaining,cn=subconfigsubentry and cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry, set the attribute orcloidscDebugEnabled to 1.
For example, to set orcloidscDebugEnabled to 1 in cn=oidscad,cn=oid server chaining,cn=subconfigsubentry, you would type:
$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
where file contains:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscDebugEnabled
orcloidscDebugEnabled: 1
See Also:
Java plug-in debugging and logging information in the Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management.
When you use Enterprise User Security (EUS) with server chaining, a password hash (verifier) is required in order to authenticate users. This section describes how to install a plug-in in the Microsoft Active Directory (AD) server so that this password hash is available for users accessed through Oracle Internet Directory. Customers planning to configure Enterprise User Security (EUS) to work with users accessed through server chaining must configure this feature.
The steps are as follows:
In Active Directory, create an attribute called orclCommonAttribute to store the password hash. Use a command line such as:
ldapadd -p AD_Port -h AD_host -D "AD_administrator_DN" -w AD_administrator_password -v -f orclca.ldif
Use an orclca.ldif file similar to the following example. Replace DC=bill,DC=com with the actual Active Directory domain name and choose an appropriate attributeID.
dn: cn=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
objectClass: top
objectClass: attributeSchema
cn: orclcommonattribute
distinguishedName: CN=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
instanceType: 4
uSNCreated: 16632
attributeID: 1.9.9.9.9.9.9.9.9
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
uSNChanged: 16632
showInAdvancedViewOnly: TRUE
adminDisplayName: orclCommonAttribute
oMSyntax: 27
lDAPDisplayName: orclCommonAttribute
name: orclcommonattribute
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=bill,DC=com
Associate the attribute with the user objectclass. Use a command line such as:
ldapadd -p AD_Port -h AD_host -D "AD_administrator_DN" -w AD_administrator_password -v -f user.ldif
In the following file, user.ldif, replace DC=bill,DC=com with the actual Active Directory domain name. The attribute named after add: must match the attribute on the following line (mayContain), or the server rejects the change.
dn: CN=User,CN=Schema,CN=Configuration,DC=bill,DC=com
changetype: modify
add: mayContain
mayContain: orclCommonAttribute
It might take Active Directory a few minutes to refresh the schema.
Install the password change notification plug-in, as follows:
Copy %ORACLE_HOME%\ldap\admin\oidpwdcn.dll to the Active Directory WINDOWS\system32 folder.
Use regedt32 to modify the registry. In the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, add oidpwdcn to the end. It should look like the following:
RASSFM
KDCSVC
WDIGEST
scecli
oidpwdcn
Restart Active Directory.
Verify that the plug-in is installed properly by resetting the password of a user. The orclCommonAttribute attribute should then contain the password hash value.
Reset the password for all the Active Directory users so that the password verifier is present for all the users.
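The two LDIF files in the Active Directory schema steps above are the kind of change record where a one-character mistake (an add: line naming one attribute and the value line naming another, or an attributeID that is not a dotted OID) makes the server reject the whole record. The following Python linter is an added example, not Oracle's or Microsoft's code: it parses LDIF change records per RFC 2849 and reports those two classes of mistake before the file is given to ldapadd or ldapmodify. The LDIF texts embedded in it are constructed samples, including a deliberately broken one, and DC=example,DC=com stands in for a real domain.

```python
"""Lint LDIF change records before they are given to ldapadd or ldapmodify (added example)."""
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")
# Attributes an Active Directory attributeSchema entry must carry (names compared lower-case).
SCHEMA_REQUIRED = ("attributeid", "attributesyntax", "omsyntax", "ldapdisplayname")


def parse_records(text):
    """Split LDIF text into records: lists of (name, value) pairs; ('-', '') ends a mod-spec."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # RFC 2849 folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines:
        if not line.strip():                       # blank line separates records
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):
            continue
        elif line == "-":
            current.append(("-", ""))
        else:
            name, sep, value = line.partition(":")
            current.append((name.strip(), value.strip()) if sep else ("!malformed", line))
    if current:
        records.append(current)
    return records


def lint_record(record):
    """Return problems for one record; an empty list means it is well formed."""
    if not record or record[0][0].lower() != "dn":
        return ["record does not start with a dn line"]
    dn = record[0][1]
    body = record[1:]
    problems = [f"{dn}: malformed line {v!r}" for n, v in body if n == "!malformed"]
    changetype = "add"                              # RFC 2849 default when changetype is absent
    if body and body[0][0].lower() == "changetype":
        changetype = body[0][1].lower()
        body = body[1:]
    if changetype == "modify":
        target = None                               # attribute named by the open mod-spec
        for name, value in body:
            key = name.lower()
            if key == "!malformed":
                continue
            if key in ("add", "replace", "delete"):
                if target is not None:
                    problems.append(f"{dn}: mod-spec for {target} not closed with '-' before '{name}: {value}'")
                target = value.lower()
            elif name == "-":
                target = None
            elif target is None:
                problems.append(f"{dn}: attribute line '{name}' outside any add/replace/delete block")
            elif key != target:
                problems.append(f"{dn}: '{name}' does not match the mod-spec attribute '{target}'")
    elif changetype == "add":
        values = {}
        for name, value in body:
            values.setdefault(name.lower(), []).append(value)
        if "attributeschema" in (v.lower() for v in values.get("objectclass", [])):
            for required in SCHEMA_REQUIRED:
                if required not in values:
                    problems.append(f"{dn}: attributeSchema entry lacks {required}")
            oid = values.get("attributeid", [""])[0]
            if not OID_RE.match(oid):
                problems.append(f"{dn}: attributeID {oid!r} is not a dotted OID")
    return problems


def lint_ldif(text):
    """Lint every record in an LDIF file and return all problems found."""
    return [p for record in parse_records(text) for p in lint_record(record)]


# Constructed sample: the mod-spec says "mayConatin" but the value line says "mayContain".
BROKEN_USER_LDIF = """dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: modify
add: mayConatin
mayContain: orclCommonAttribute
"""

FIXED_USER_LDIF = """dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: modify
add: mayContain
mayContain: orclCommonAttribute
"""

# Constructed attributeSchema entry; the attributeID is a placeholder, not a registered OID.
SCHEMA_LDIF = """dn: cn=orclcommonattribute,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: orclcommonattribute
attributeID: 1.9.9.9.9.9.9.9.9
attributeSyntax: 2.5.5.3
oMSyntax: 27
isSingleValued: TRUE
lDAPDisplayName: orclCommonAttribute
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_USER_LDIF), ("fixed", FIXED_USER_LDIF), ("schema", SCHEMA_LDIF)):
        print(label, lint_ldif(text) or "ok")
```

Run it over orclca.ldif and user.ldif (read the file into lint_ldif) before the ldapadd step; the broken sample reports the attribute-name mismatch, while the fixed record and the schema entry pass.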