39 Configuring Directory Server Chaining

Directory server chaining for Oracle Internet Directory allows you to map entries that reside in external or third-party LDAP directories to part of the directory tree and then access those entries through Oracle Internet Directory, without synchronization or data migration. With server chaining, you can use the Oracle Internet Directory authorization framework when the actual identity data resides outside of Oracle Internet Directory.

Note:

In this chapter, references to Oracle Single Sign-On refer to Oracle Single Sign-On 10g (10.1.4.3.0) or later. References to Oracle Enterprise User Security refer to the 10g release only.

39.1 Understanding Directory Server Chaining Configuration

This section describes directory server chaining in context and lists the Oracle products and the external directory servers that can be integrated with Oracle Internet Directory server chaining.

39.1.1 About Oracle Internet Directory Server Chaining

Directory server chaining was first introduced for Oracle Internet Directory 10g (10.1.4.0.1) and was implemented using the Java plug-in framework. As of 11g Release 1 (11.1.1.0.0), you can also configure server chaining to use SSL for the connection between Oracle Internet Directory and the external directory. Server chaining does not replace Oracle Directory Integration Platform, but instead offers complementary functionality to that product.

Server chaining is different from a virtual directory such as Oracle Virtual Directory. A virtual directory is a flexible virtualization layer between multiple identity repositories and applications. A virtual directory offers complementary services to identity synchronization and directory servers. Organizations can create consolidated logical or virtual views of data that can span multiple directories and databases.

39.1.2 Supported External Directory Servers

Oracle Internet Directory server chaining supports the following external directory servers:

  • Microsoft Active Directory

    Note:

    Oracle Internet Directory server chaining does not support Microsoft Active Directory Lightweight Directory Service (AD LDS), formerly known as ADAM.

  • Oracle Directory Server Enterprise Edition (ODSEE)

  • Sun Java System Directory Server (formerly known as Sun ONE or iPlanet Directory Server)

  • Novell eDirectory

Oracle Internet Directory can connect to at most one external directory server of each type: one Active Directory server, one Oracle Directory Server Enterprise Edition or Sun Java System Directory Server, and one Novell eDirectory server, in any combination.

39.1.3 Integrating Oracle Products with Oracle Internet Directory Server Chaining

The following Oracle products have been integrated with Oracle Internet Directory server chaining:

39.1.3.1 Oracle Single Sign-On 10g (10.1.4.3.0) or Later

When server chaining is enabled, a user whose account resides in the external directory can log in through Oracle Single Sign-On. The credentials are verified against the external directory, but to Oracle Single Sign-On the user appears to have been authenticated locally by Oracle Internet Directory.

39.1.3.2 Enterprise User Security 10g Only

Oracle Internet Directory server chaining enables you to implement Enterprise User Security 10g without synchronizing identity data with Oracle Internet Directory through Oracle Directory Integration Platform. Your identity data remains in the external repository and the Oracle Internet Directory data store contains only Enterprise User Security-related metadata.

With Sun Java System Directory Server as the external directory, server chaining supports password-based authentication with Enterprise User Security.

With Active Directory as the external directory, server chaining supports Kerberos-based authentication and password-based authentication with Enterprise User Security. The external users can log in to Oracle Database after the Enterprise User Security authentication setup is completed. For further details, see Configuring an Active Directory Plug-in for Password Change Notification, which is based on Note 452385.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.

See Also:

Oracle Database Enterprise User Security Administrator's Guide for more information on configuring Enterprise User Security for password authentication and Kerberos authentication.

39.1.4 Supported Operations for Server Chaining

Server chaining supports the following operations:

  • Bind

  • Compare

  • Modify

  • Search

The bind, modify, and search operations can each be enabled or disabled with the configuration attributes orclOIDSCExtAuthEnabled, orclOIDSCExtModifyEnabled, and orclOIDSCExtSearchEnabled (see Table 39-1).

When an Oracle Internet Directory client application issues an LDAP search request, Oracle Internet Directory integrates the search results from its own data and the external directories.

When an Oracle Internet Directory client application issues an LDAP bind, compare, or modify request, Oracle Internet Directory redirects the request to the external directory.

In 10g (10.1.4.0.1) and later, the compare operation is only supported for the userpassword attribute.

In 10g (10.1.4.0.1) and later, attribute modification is supported in two cases:

  • The external attribute has the same name as the Oracle Internet Directory attribute. This is true for most standard LDAP attributes.

  • The external attribute is mapped to an Oracle Internet Directory attribute, and neither the external nor the Oracle Internet Directory attribute is an operational attribute.

Note:

You cannot modify an Active Directory user password from Oracle Internet Directory through server chaining.

39.1.5 About the Role of Server Chaining in Replication

If you use server chaining in a replication environment, set it up on all nodes so that the entries remain consistent across nodes.

Configure server chaining so that the mapped external directories are the same for all the replicated nodes.

39.2 Configuring Server Chaining

The following topics describe the server chaining entries and how to customize those entries for your environment:

39.2.1 About Server Chaining Entries

Oracle Internet Directory ships with sample server chaining entries that are disabled by default.

The DNs for the server chaining entries are:

  • Active Directory: cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry

  • Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (formerly Sun ONE or iPlanet): cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry

  • Novell eDirectory: cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry

You configure server chaining by customizing the preceding entries for your environment and then enabling them. You can perform this configuration either from the command line or by using Oracle Directory Services Manager as described later in this section.

From 11g Release 1 (11.1.1.9.0) onward, you can add your own entry under cn=OID Server Chaining,cn=subconfigsubentry to configure server chaining. Such an entry must carry the orcloidscdirtype attribute, which names the type of external directory the entry is for and takes one of the following values:

  • For Active Directory: ad

  • For Novell eDirectory: edir

  • For Oracle Directory Server Enterprise Edition or Sun Java System Directory Server: iplanet

For instance, an entry with orcloidscdirtype=edir is configured for connecting to eDirectory. You can create your own set of entries in the same way.

Note:

Only one active entry for an external directory server type is supported.

39.2.2 Configuring Server Chaining by Using Oracle Directory Services Manager

Oracle Directory Services Manager provides a convenient interface for modifying the Oracle Internet Directory server chaining configuration entries.

To configure server chaining by using Oracle Directory Services Manager:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Advanced.
  3. Expand Server Chaining. Server Chaining entries appear in the left panel. Current entries include iPlanet (Oracle Directory Server Enterprise Edition and Sun Java System Directory Server) and Active Directory.
  4. To modify a server chaining configuration entry, select it. The Server Chaining Management tab appears in the right pane.
  5. Modify External Host Name, External Port Number, Login User DN, and Login User Password as necessary.
  6. To enable server chaining authentication, modification, or search, select the corresponding checkbox.
  7. Modify the other fields as necessary.
  8. After modifying an external user container, group container, or login credential, verify the value by clicking Verify User Container, Verify Group Container, or Verify Login Credential, respectively.

    If the verification fails, examine the values you entered for errors. If the problem persists, consult the external directory administrator to verify the accuracy of the values you entered.

  9. If you want to add an attribute mapping, click the Add attribute mappings to list icon under Attribute Mapping. To edit an existing mapping, select the mapping and click the Edit Attribute Mapping icon under Attribute Mapping. The New Attribute Mapping window appears. Enter the External Directory Attribute and the OID Attribute. To locate an Oracle Internet Directory attribute by browsing, click Select, then select the attribute in the Attribute Selection window.
  10. Click OK to create the mapping or click Cancel to abandon it.
  11. To delete a mapping, select the mapping and click the Delete selected attribute mapping icon. When the Delete Confirm dialog appears, click Delete to delete the mapping or Cancel to abandon deletion.
  12. Click OK to enable the configuration changes or click Cancel to abandon the changes.

39.2.3 Configuring Server Chaining from the Command Line

You can configure server chaining from the command line:

  1. Create an LDIF file to manually add the user and group containers. To determine the DNs for these containers, see Naming Conventions for User and Group Containers. For example, if your user search base is cn=users,dc=us,dc=oracle,dc=com, and the group search base is cn=groups,dc=us,dc=oracle,dc=com, then you would use the following entries in your LDIF file:
    dn: cn=AD,cn=users,dc=us,dc=oracle,dc=com
    cn: AD
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
    cn: iPlanet
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
    cn: AD
    objectclass: orclcontainer
    objectclass: top
     
    dn: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
    cn: iPlanet
    objectclass: orclcontainer
    objectclass: top
    
  2. Use ldapadd and the LDIF file you just created to add the entries.
    ldapadd -p port -h host -D "binddn" -q -v -f container_ldif_file_name
    
  3. Create another LDIF file to modify and enable the server chaining configuration entries. For example LDIF files, see Example of Configuring an Active Directory for Server Chaining and Example of Configuring Sun Java System Directory Server (iPlanet) for Server Chaining. A table of attributes is provided in Creating Server Chaining Configuration Entries. Attribute mapping is explained in Mapping of Oracle Internet Directory Attributes to External Directory Attributes. This file contains orclOIDSCExtPassword in clear text, so restrict its permissions and remove it after the change has been applied.
  4. Modify the server chaining configuration entries using the ldapmodify command and the LDIF file you just created. Use a command line of the form:
    ldapmodify -p port -h host -D "cn=orcladmin" -q -v -f entry_ldif_file_name
    

39.3 Creating Server Chaining Configuration Entries

The following topics describe how to configure external directory servers for server chaining either with or without SSL:

39.3.1 Server Chaining Configuration Entry Attributes

This section lists and describes the server chaining configuration entry attributes.

Table 39-1 lists the configuration entry attributes for server chaining.

Table 39-1 Configuration Entry Attributes for Server Chaining

Every attribute in this table is single-valued. "Required" means the attribute must be set for the entry to work; the SSL port and the two wallet attributes become required as soon as orclOIDSCSSLEnabled is 1.

orclOIDSCExtHost (required)
    The host name of the external directory host.

orclOIDSCExtPort (required)
    The non-SSL LDAP port number of the external directory host. The default value is 3060.

orclOIDSCExtDN (required)
    The DN in the external directory. Server chaining binds against the external directory as this identity to perform search and modify operations, so the identity must have sufficient privilege for those operations. Prefer a dedicated account that can read the user and group containers (and write to them only if orclOIDSCExtModifyEnabled is 1) over a directory administrator account; the examples in this chapter use administrator accounts only for brevity.

orclOIDSCExtPassword (required)
    The password for the DN of the external directory. Be sure to enable privacy mode so that users cannot retrieve this attribute in clear text. See Enabling Privacy Mode of Sensitive Attributes.

orclOIDSCExtUserContainer (required)
    The user container in the external directory from which to perform the user search operation.

orclOIDSCExtGroupContainer (required)
    The group container in the external directory from which to perform the group search operation. If groups in the external directory are stored in the same container as the users, this value must be the same as the value of orclOIDSCExtUserContainer.

orclOIDSCTargetUserContainer (required)
    The user container in Oracle Internet Directory in which the external users reside. For more information, see Naming Conventions for User and Group Containers.

orclOIDSCTargetGroupContainer (required)
    The group container in Oracle Internet Directory in which the external groups reside. For more information, see Naming Conventions for User and Group Containers.

orclOIDSCAttrMapping (optional)
    Specifies each attribute mapping between the external directory and Oracle Internet Directory, written as an attribute option: orclOIDSCAttrMapping;<OID attribute>: <external attribute>. For example, to map the eMail attribute from Active Directory to the mail attribute in Oracle Internet Directory, set:

    orclOIDSCAttrMapping;mail: eMail

    For more information, see Mapping of Oracle Internet Directory Attributes to External Directory Attributes.

orclOIDSCExtSearchEnabled (required)
    External search capability. 0 = disabled (default), 1 = enabled.

orclOIDSCExtModifyEnabled (required)
    External modify capability. 0 = disabled (default), 1 = enabled.

orclOIDSCExtAuthEnabled (required)
    External authentication (bind) capability. 0 = disabled (default), 1 = enabled.

orclOIDSCSSLEnabled (optional)
    SSL connection to the external directory. 0 = disabled (default), 1 = enabled. When set to 1, orclOIDSCExtSSLPort, orclOIDSCWalletLocation, and orclOIDSCWalletPassword must also be set.

orclOIDSCExtSSLPort (required if SSL is enabled)
    The SSL port number of the external directory host.

orclOIDSCWalletLocation (required if SSL is enabled)
    The file name and path of the wallet that contains the server certificate of the external directory.

orclOIDSCWalletPassword (required if SSL is enabled)
    The wallet password. Like orclOIDSCExtPassword, this is a secret stored in the configuration entry; restrict read access to the entry accordingly.

mapUIDtoADAttribute (optional, Active Directory only)
    Maps the Oracle Internet Directory attribute uid to an attribute in Active Directory. You can map uid to any non-binary attribute defined in Active Directory. The default value is name.

showExternalGroupEntries (optional, Active Directory only)
    Controls a search against the group container: base (default) shows entries with object class group; sub shows entries that have neither object class user nor object class computer.

showExternalUserEntries (optional, Active Directory only)
    Controls a one-level search whose base is an entry one level below the user container: base (default) shows no entries; sub shows the entries in the subtree below the base of the search.

addOrcluserv2ToADUsers (optional, Active Directory only)
    Adds the orcluserv2 object class to entries that have object class user. 0 = disabled (default), 1 = enabled.

39.3.2 Naming Conventions for User and Group Containers

The target user and group containers must be under the Oracle Internet Directory search base in order to work with Oracle Single Sign-On.

For user and group containers, use the following names:

  • Active Directory: cn=AD

  • Oracle Directory Server Enterprise Edition or Sun Java System Directory Server (iPlanet or Sun ONE Directory Server): cn=iPlanet

  • Novell eDirectory: cn=edir

For example, if your user search base is cn=users,dc=us,dc=oracle,dc=com, use the following names for the target user containers:

  • Active Directory: cn=AD,cn=users,dc=us,dc=oracle,dc=com

  • Oracle Directory Server Enterprise Edition or Sun Java System Directory Server: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com

  • Novell eDirectory: cn=edir,cn=users,dc=us,dc=oracle,dc=com

Similarly, if your group search base is cn=groups,dc=us,dc=oracle,dc=com, use the following names for the target group containers:

  • Active Directory: cn=AD,cn=groups,dc=us,dc=oracle,dc=com

  • Oracle Directory Server Enterprise Edition or Sun Java System Directory Server (iPlanet or Sun ONE Directory Server): cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com

  • Novell eDirectory: cn=edir,cn=groups,dc=us,dc=oracle,dc=com

Note:

The target user and group containers exist only for the external directories. All the users and groups that appear under these nodes are populated by the external directories. Do not add entries under these containers directly from Oracle Internet Directory.

If the external user container and the external group container are the same (that is, groups in the external directory server are stored in the same container as the users), the value for the group container (orclOIDSCExtGroupContainer attribute) must be the same as the value used for the user container (orclOIDSCExtUserContainer attribute).
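The command-line procedure in Configuring Server Chaining from the Command Line, the attribute rules of Table 39-1, and the container names above can all be checked before anything is sent to ldapadd or ldapmodify. The following Python script is an added example for this chapter, not Oracle code. It builds the container LDIF and the modify LDIF for a configuration entry from a short description, derives the target container DNs from the search bases using the cn=AD, cn=iPlanet and cn=edir convention, defaults the external group container to the user container (the Table 39-1 rule for groups stored with users), and reports missing required attributes, the SSL attributes that become mandatory once orclOIDSCSSLEnabled is 1, and a second entry for the same directory type. Host names, DNs, and passwords in it are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SC_BASE = "cn=OID Server Chaining,cn=subconfigsubentry"
ENTRY_CN = {"ad": "oidscad", "iplanet": "oidsciplanet", "edir": "oidscedir"}  # shipped entries
TARGET_CN = {"ad": "AD", "iplanet": "iPlanet", "edir": "edir"}                # 39.3.2 container names
REQUIRED = ("orclOIDSCExtHost", "orclOIDSCExtPort", "orclOIDSCExtDN", "orclOIDSCExtPassword",
            "orclOIDSCExtUserContainer", "orclOIDSCExtGroupContainer", "orclOIDSCTargetUserContainer",
            "orclOIDSCTargetGroupContainer", "orclOIDSCExtSearchEnabled", "orclOIDSCExtModifyEnabled",
            "orclOIDSCExtAuthEnabled")
SSL_REQUIRED = ("orclOIDSCExtSSLPort", "orclOIDSCWalletLocation", "orclOIDSCWalletPassword")


@dataclass
class ChainingEntry:
    dirtype: str                    # "ad", "iplanet" or "edir" (the orcloidscdirtype values)
    ext_host: str
    ext_port: int
    ext_dn: str                     # identity OID binds as in the external directory
    ext_password: str
    ext_user_container: str
    user_search_base: str           # OID user search base; the target container goes under it
    group_search_base: str          # OID group search base
    ext_group_container: Optional[str] = None   # None: groups are stored in the user container
    search: bool = True
    modify: bool = False
    auth: bool = True
    ssl: bool = False
    ssl_port: Optional[int] = None
    wallet: Optional[str] = None
    wallet_password: Optional[str] = None
    attr_mappings: Dict[str, str] = field(default_factory=dict)   # OID attribute -> external attribute

    @property
    def dn(self) -> str:
        return f"cn={ENTRY_CN[self.dirtype]},{SC_BASE}"

    def attributes(self) -> Dict[str, str]:
        """Attribute values exactly as they go into the configuration entry."""
        rdn, on = TARGET_CN[self.dirtype], {True: "1", False: "0"}
        attrs = {
            "orclOIDSCExtHost": self.ext_host,
            "orclOIDSCExtPort": str(self.ext_port),
            "orclOIDSCExtDN": self.ext_dn,
            "orclOIDSCExtPassword": self.ext_password,
            "orclOIDSCExtUserContainer": self.ext_user_container,
            # Table 39-1: must equal the user container when groups are stored there
            "orclOIDSCExtGroupContainer": self.ext_group_container or self.ext_user_container,
            "orclOIDSCTargetUserContainer": f"cn={rdn},{self.user_search_base}",
            "orclOIDSCTargetGroupContainer": f"cn={rdn},{self.group_search_base}",
            "orclOIDSCExtSearchEnabled": on[self.search],
            "orclOIDSCExtModifyEnabled": on[self.modify],
            "orclOIDSCExtAuthEnabled": on[self.auth],
            "orclOIDSCSSLEnabled": on[self.ssl],
        }
        if self.ssl:   # the SSL trio is only written, and only required, when SSL is on
            attrs["orclOIDSCExtSSLPort"] = "" if self.ssl_port is None else str(self.ssl_port)
            attrs["orclOIDSCWalletLocation"] = self.wallet or ""
            attrs["orclOIDSCWalletPassword"] = self.wallet_password or ""
        for oid_attr, ext_attr in self.attr_mappings.items():   # e.g. orclOIDSCAttrMapping;mail: eMail
            attrs[f"orclOIDSCAttrMapping;{oid_attr}"] = ext_attr
        return attrs


def validate(entries: List[ChainingEntry]) -> List[str]:
    """Problems that leave an entry incomplete or unsupported; an empty list means clean."""
    problems, seen = [], set()
    for e in entries:
        if e.dirtype not in ENTRY_CN:
            problems.append(f"{e.dirtype!r}: unknown directory type (use ad, iplanet or edir)")
            continue
        if e.dirtype in seen:   # 39.2.1: only one active entry per directory type
            problems.append(f"{e.dn}: second active entry for directory type {e.dirtype!r}")
        seen.add(e.dirtype)
        attrs = e.attributes()
        problems += [f"{e.dn}: {n} is required" for n in REQUIRED if not attrs.get(n)]
        if e.ssl:
            problems += [f"{e.dn}: {n} is required when SSL is enabled"
                         for n in SSL_REQUIRED if not attrs.get(n)]
    return problems


def container_ldif(e: ChainingEntry) -> str:
    """Step 1 of 39.2.3: the two orclcontainer target entries for this directory type."""
    a = e.attributes()
    return "".join(f"dn: {dn}\ncn: {TARGET_CN[e.dirtype]}\nobjectclass: orclcontainer\nobjectclass: top\n\n"
                   for dn in (a["orclOIDSCTargetUserContainer"], a["orclOIDSCTargetGroupContainer"]))


def modify_ldif(e: ChainingEntry) -> str:
    """Step 3 of 39.2.3: replace every configured attribute on the shipped entry."""
    blocks = [f"replace: {n}\n{n}: {v}" for n, v in e.attributes().items()]
    return f"dn: {e.dn}\nchangetype: modify\n" + "\n-\n".join(blocks) + "\n"


def sample_entries() -> Dict[str, ChainingEntry]:
    """Constructed sample entries: a complete AD entry and one with SSL only half configured."""
    common = dict(dirtype="ad", ext_host="dc1.corp.example.com", ext_port=389,
                  ext_dn="cn=oidchain,cn=users,dc=corp,dc=example,dc=com",   # assumed service account
                  ext_password="ChangeMe-1", ext_user_container="cn=users,dc=corp,dc=example,dc=com",
                  user_search_base="cn=users,dc=us,dc=oracle,dc=com",
                  group_search_base="cn=groups,dc=us,dc=oracle,dc=com")
    return {"ad": ChainingEntry(**common, attr_mappings={"description": "title"}),
            "ad_ssl_incomplete": ChainingEntry(**common, ssl=True, ssl_port=636)}   # wallet not set
```

Feed the two LDIF strings to the ldapadd and ldapmodify commands of Configuring Server Chaining from the Command Line only after validate() returns an empty list, and keep the generated modify file out of world-readable locations, since it carries the external bind password.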

39.3.3 Mapping of Oracle Internet Directory Attributes to External Directory Attributes

If an attribute in the external directory and the corresponding Oracle Internet Directory attribute have the same name, no mapping is required. Server chaining performs some attribute mapping by default.

The following topics describe the default attribute mapping of Oracle Internet Directory to external directories:

39.3.3.1 Default Attribute Mapping to Active Directory

The following table lists the default attribute mapping of Oracle Internet Directory to Active Directory:

Table 39-2 Default Attribute Mapping to Active Directory

    Oracle Internet Directory Attribute    Active Directory Attribute
    orclguid                               objectGUID
    uid                                    name
    orclsamaccountname                     samaccountname
    krbprincipalname                       userprincipalname

For Active Directory server chaining, you can use the mapUIDtoADAttribute attribute to map uid to any non-binary attributes defined in Active Directory.

39.3.3.2 Default Attribute Mapping to Sun Java System Directory Server

The following table lists the default attribute mapping of Oracle Internet Directory to Sun Java System Directory Server:

Table 39-3 Default Attribute Mapping to Sun Java System Directory Server

    Oracle Internet Directory Attribute    Sun Java System Directory Server Attribute
    orclguid                               nsuniqueid
    authpassword                           userpassword
    krbprincipalname                       mail

39.3.3.3 Default Attribute Mapping to Novell eDirectory

The following table lists the default attribute mapping of Oracle Internet Directory to Novell eDirectory:

Table 39-4 Default Attribute Mapping to Novell eDirectory

    Oracle Internet Directory Attribute    Novell eDirectory Attribute
    orclguid                               guid
    orclsamaccountname                     uid
    krbprincipalname                       mail

The following objects cannot be mapped:

  • Operational attributes

  • Object classes

  • Oracle Internet Directory-specific attributes. These attributes typically have names starting with orcl.
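To see what the default and custom mappings do to a chained request, here is an added Python example (not Oracle code). It reads the orclOIDSCAttrMapping;<OID attribute> values and the mapUIDtoADAttribute setting from a configuration entry, layers them over the defaults of Tables 39-2 to 39-4, refuses the mappings this section says are not allowed, renames attributes in both directions (the attribute list of an outgoing search and the entries coming back), and applies the two modification rules of Supported Operations for Server Chaining. The set of operational attribute names is an assumption made for the example, and the configuration fragment is constructed.

```python
from typing import Dict, List, Tuple

DEFAULT_MAPPING = {   # Tables 39-2, 39-3, 39-4: OID attribute -> external attribute
    "ad": {"orclguid": "objectGUID", "uid": "name",
           "orclsamaccountname": "sAMAccountName", "krbprincipalname": "userPrincipalName"},
    "iplanet": {"orclguid": "nsuniqueid", "authpassword": "userpassword", "krbprincipalname": "mail"},
    "edir": {"orclguid": "guid", "orclsamaccountname": "uid", "krbprincipalname": "mail"},
}
# Assumed set of operational attributes, used for the "cannot be mapped" rule (39.3.3)
# and for the modify rule (39.1.4). Extend it for the directories you actually chain to.
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname", "modifiersname",
               "entrydn", "entryuuid", "subschemasubentry", "usncreated", "usnchanged"}


class MappingError(ValueError):
    """A mapping that server chaining does not allow."""


def parse_config(ldif: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (directory type, custom mappings, other settings) from a server chaining entry.
    Custom mappings are attribute options: orclOIDSCAttrMapping;<OID attr>: <external attr>."""
    dirtype, custom, settings = "ad", {}, {}
    for raw in ldif.splitlines():
        name, sep, value = raw.partition(":")
        if not sep or raw.startswith("#"):
            continue
        name, value = name.strip().lower(), value.strip()
        if name.startswith("orcloidscattrmapping;"):
            custom[name.split(";", 1)[1]] = value
        elif name == "orcloidscdirtype":
            dirtype = value.lower()
        else:
            settings[name] = value
    return dirtype, custom, settings


class AttributeMap:
    def __init__(self, dirtype: str, custom: Dict[str, str], settings: Dict[str, str]):
        self.oid_to_ext = {k.lower(): v for k, v in DEFAULT_MAPPING[dirtype].items()}
        if dirtype == "ad" and settings.get("mapuidtoadattribute"):   # overrides uid -> name
            self.oid_to_ext["uid"] = settings["mapuidtoadattribute"]
        for oid_attr, ext_attr in custom.items():
            self.check_mappable(oid_attr, ext_attr)
            self.oid_to_ext[oid_attr.lower()] = ext_attr
        self.ext_to_oid = {v.lower(): k for k, v in self.oid_to_ext.items()}

    @staticmethod
    def check_mappable(oid_attr: str, ext_attr: str) -> None:
        """39.3.3: custom mappings may not involve operational attributes, object classes or orcl* attributes."""
        for a in (oid_attr, ext_attr):
            if a.lower() == "objectclass":
                raise MappingError("object classes cannot be mapped")
            if a.lower() in OPERATIONAL:
                raise MappingError(f"{a} is an operational attribute and cannot be mapped")
        if oid_attr.lower().startswith("orcl"):
            raise MappingError(f"{oid_attr} is an OID-specific attribute and cannot be mapped")

    def to_external(self, oid_attr: str) -> str:
        return self.oid_to_ext.get(oid_attr.lower(), oid_attr)

    def to_oid(self, ext_attr: str) -> str:
        return self.ext_to_oid.get(ext_attr.lower(), ext_attr)

    def translate_request(self, oid_attrs: List[str]) -> List[str]:
        """Attribute list of a chained search, as it is sent to the external directory."""
        return [self.to_external(a) for a in oid_attrs]

    def translate_entry(self, ext_entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
        """An entry returned by the external directory, renamed into OID attribute names."""
        return {self.to_oid(k): v for k, v in ext_entry.items()}

    def can_modify(self, oid_attr: str) -> bool:
        """39.1.4: same name on both sides, or mapped with neither side operational."""
        ext = self.oid_to_ext.get(oid_attr.lower())
        if ext is None:                       # not mapped: the same name is used on both sides
            return oid_attr.lower() not in OPERATIONAL
        return oid_attr.lower() not in OPERATIONAL and ext.lower() not in OPERATIONAL


def load(ldif: str) -> AttributeMap:
    dirtype, custom, settings = parse_config(ldif)
    return AttributeMap(dirtype, custom, settings)


# Constructed configuration fragment, in the attribute syntax of Table 39-1.
SAMPLE_AD_CONFIG = """\
dn: cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orcloidscdirtype: ad
orclOIDSCAttrMapping;mail: eMail
orclOIDSCAttrMapping;description: title
mapUIDtoADAttribute: sAMAccountName
"""
```

Note that the orcl* rule applies to custom mappings only: the defaults in Tables 39-2 to 39-4 map orclguid and orclsamaccountname, and those stay in force.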

39.3.4 Example of Configuring an Active Directory for Server Chaining

The following example shows server chaining configured to use the Active Directory server dlin-pc9.us.example.com, port 3060, as its external directory store, without SSL (orcloidscsslenabled is 0). The SSL variant is shown in Example of Configuring an Active Directory for Server Chaining with SSL.

All the attributes are explained in Table 39-1.

cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc9.us.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCExtGroupContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCAttrMapping;description: title
orcloidscsslenabled: 0

39.3.5 Configuring an Active Directory for Server Chaining

The following LDIF file modifies the shipped Active Directory configuration entry to the values of the preceding example. SSL stays disabled here; it is enabled in a second step in Configuring an Active Directory for Server Chaining with SSL:

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=administrator,cn=users,dc=oidvd,dc=com
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc9.us.example.com
-
replace: orcloidscextport
orcloidscextport: 3060
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: cn=users,dc=oidvd,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: cn=users,dc=oidvd,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
-
replace: orcloidscsslenabled
orcloidscsslenabled: 0

39.3.6 Example of Configuring an Active Directory for Server Chaining with SSL

The following example shows server chaining configured to use the Active Directory server ad.example.com, SSL port 3133, and the wallet located at /adwallet/ewallet.p12.

cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: ad.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCExtGroupContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /adwallet/ewallet.p12
orclOIDSCWalletPassword: ********

39.3.7 Configuring an Active Directory for Server Chaining with SSL

You can configure an Active Directory for server chaining with SSL from the command line.

Perform the following steps:

  1. Configure Active Directory server chaining without SSL, as described in the previous section.
  2. Create an LDIF file like the following to enable the SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Active Directory server. The file contains the wallet password in clear text, so restrict its permissions and delete it once the change has been applied:
    dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
    changetype: modify
    replace: orcloidscsslenabled
    orcloidscsslenabled: 1
    -
    replace: orcloidscextsslport
    orcloidscextsslport: 3133
    -
    replace: orcloidscwalletlocation
    orcloidscwalletlocation: /adwallet/ewallet.p12
    -
    replace: orcloidscwalletpassword
    orcloidscwalletpassword: passw0rd
    
  3. To apply the changes, use a command line such as
    ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name

39.3.8 Adding New Attributes to an Existing Active Directory Server Chaining Entry

The attributes mapUIDtoADAttribute, showExternalGroupEntries, showExternalUserEntries, and addOrcluserv2ToADUsers have been added since Oracle Internet Directory 10g (10.1.4.0.1).

To add these attributes to an existing Active Directory server chaining entry, modify the following LDIF file with the appropriate values (the values shown are the defaults from Table 39-1):

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry 
changetype: modify 
replace: mapUIDtoADAttribute
mapUIDtoADAttribute: name
-
replace: showExternalGroupEntries
showExternalGroupEntries: base
-
replace: showExternalUserEntries
showExternalUserEntries: base
-
replace: addOrcluserv2ToADUsers
addOrcluserv2ToADUsers: 0

Use a command line such as

ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name

to modify the configuration entry.

39.3.9 Example of Configuring Sun Java System Directory Server (iPlanet) for Server Chaining

The following example shows server chaining configured to use the Sun Java System Directory Server dlin-pc10.us.example.com, port 10389, as its external directory store, without SSL.

All the attributes are explained in Table 39-1.

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc10.us.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0

39.3.10 Configuring Sun Java System Directory Server (iPlanet) for Server Chaining

The following LDIF file modifies the shipped Sun Java System Directory Server configuration entry to the values of the preceding example:

dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=directory manager
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc10.us.example.com
-
replace: orcloidscextport
orcloidscextport: 10389
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: ou=people,dc=example,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: ou=groups,dc=example,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1

39.3.11 Example of Configuring Sun Java System Directory Server (iPlanet) for Server Chaining with SSL

The following example shows server chaining configured to use the Sun Java System Directory Server sunone.example.com with SSL, using SSL port 10636 and the wallet located at /ipwallet/ewallet.p12.

cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********

39.3.12 Configuring Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) for Server Chaining with SSL

You can configure Oracle Directory Server Enterprise Edition or Sun Java System Directory Server for server chaining with SSL from the command line.

To configure server chaining with SSL from the command line:

  1. Configure server chaining without SSL, as described in the previous section.
  2. Create the following LDIF file to enable the SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Oracle Directory Server Enterprise Edition or Sun Java System Directory Server. As the file contains the wallet password, restrict its permissions and delete it after the change has been applied.
    dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
    changetype: modify
    replace: orcloidscsslenabled
    orcloidscsslenabled: 1
    -
    replace: orcloidscextsslport
    orcloidscextsslport: 10636
    -
    replace: orcloidscwalletlocation
    orcloidscwalletlocation: /ipwallet/ewallet.p12
    -
    replace: orcloidscwalletpassword
    orcloidscwalletpassword: passw0rd
    
  3. Execute a command such as
    ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name

    to modify the configuration entry.

39.3.13 Example of Configuring an eDirectory for Server Chaining

This section shows an example for configuring an eDirectory for server chaining.

A sample eDirectory configuration looks like this:

cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0

39.3.14 Example of Configuring an eDirectory for Server Chaining with SSL

A sample eDirectory configuration with SSL, using SSL port 3133 and the wallet located at /edir/ewallet.p12, looks like this:

cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /edir/ewallet.p12
orclOIDSCWalletPassword: ********

39.4 Debugging Server Chaining

This section describes the procedure to debug server chaining.

To debug server chaining:

  1. Set the Oracle Internet Directory server debug logging level, as described in Managing Logging Using Fusion Middleware Control or Managing Logging from the Command Line. Use the logging level value 402653184 (0x18000000). This value enables logging of all messages related to the Java plug-in framework.
  2. Modify the Oracle Internet Directory server chaining debugging settings. For each server chaining entry you use (cn=oidscad, cn=oidsciplanet, or cn=oidscedir under cn=oid server chaining,cn=subconfigsubentry), set the attribute orcloidscDebugEnabled to 1. Set it back to 0 when you are done; the debug output describes every chained request.

    For example, to set orcloidscDebugEnabled to 1 in cn=oidscad,cn=oid server chaining,cn=subconfigsubentry, you would type:

    $ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
    

    where file contains:

    dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry 
    changetype: modify
    replace: orcloidscDebugEnabled
    orcloidscDebugEnabled: 1
    

    See Also:

    Java plug-in debugging and logging information in the Java Plug-ins for User Provisioning in Application Developer's Guide for Oracle Identity Management.

39.5 Configuring an Active Directory Plug-in for Password Change Notification

When you use Enterprise User Security 10g with server chaining, a password verifier (a hash of the user's password) must be available in order to authenticate users. This section describes how to install a plug-in on the Microsoft Active Directory (AD) server so that this hash is stored in Active Directory, where Oracle Internet Directory can read it for users accessed through server chaining. Customers planning to configure Enterprise User Security to work with users accessed through server chaining must configure this feature.

The plug-in is an LSA notification package: it runs inside the LSA process of the domain controller and is handed each new password in clear text whenever a password is set or changed, which is how it produces the hash. Treat the DLL and the registry value that loads it as highly sensitive, and restrict read access to orclCommonAttribute to the account named in orclOIDSCExtDN and any other principals that genuinely need the verifier.

To configure an active directory plug-in for password change notification:

  1. In Active Directory, create an attribute called orclCommonAttribute to store the password hash. Use a command line such as:

    ldapadd -p AD_Port -h AD_host -D "AD_administrator_DN" -w AD_administrator_password -v -f orclca.ldif

    Passing the password with -w exposes it to other users of the host through the process list; prefer letting the tool prompt for it, as the -q form used elsewhere in this chapter does.

    Use an orclca.ldif file similar to the following example. Replace DC=bill,DC=com with the actual Active Directory domain name and choose an appropriate attributeID: the value 1.9.9.9.9.9.9.9.9 in the example is a placeholder, and a production schema extension should use an OID from an arc registered to your organization so that it cannot collide with other extensions.

    dn: cn=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com 
    objectClass: top
    objectClass: attributeSchema
    cn: orclcommonattribute
    distinguishedName: CN=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
    instanceType: 4
    uSNCreated: 16632
    attributeID: 1.9.9.9.9.9.9.9.9
    attributeSyntax: 2.5.5.3
    isSingleValued: TRUE
    uSNChanged: 16632
    showInAdvancedViewOnly: TRUE
    adminDisplayName: orclCommonAttribute
    oMSyntax: 27
    lDAPDisplayName: orclCommonAttribute
    name: orclcommonattribute
    objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=bill,DC=com
    
  2. Associate the attribute with the user object class. Use a command line such as:

    ldapadd -p AD_Port -h AD_host -D "AD_administrator_DN" -w AD_administrator_password -v -f user.ldif

    In the following file, user.ldif, replace DC=bill,DC=com with the actual Active Directory domain name.

    dn: CN=User,CN=Schema,CN=Configuration,DC=bill,DC=com
    changetype: modify
    add: mayContain
    mayContain: orclCommonAttribute
    

    It might take Active Directory a few minutes to refresh the schema.

  3. Install the password change notification plug-in, as follows:

    1. Copy:

      %ORACLE_HOME%\ovd\eus\win64\oidpwdcn.dll (for Windows 64 bit)

      Or,

      %ORACLE_HOME%\ovd\eus\win\oidpwdcn.dll (for Windows 32 bit)

      to the WINDOWS\system32 folder of the domain controller. Compare the hash of the copied file with the file in %ORACLE_HOME% before loading it: a notification package runs inside the LSA process and sees every password change in clear text, so only a file you have verified should be loaded there.

    2. Use regedt32 to modify the registry. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, edit the multi-string value Notification Packages and add oidpwdcn (without the .dll extension) as a new line at the end. It should look like the following:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      
    3. Restart the domain controller. Notification packages are loaded by the LSA process at system start, so the change has no effect until then.

    4. Verify that the plug-in is installed properly by resetting the password of a test user. The orclCommonAttribute of that user should now contain the password hash value.

  4. Reset the password for all the Active Directory users so that the password verifier is present for all the users. Until a user's password has been reset or changed after the plug-in was installed, that user has no verifier and cannot authenticate through Enterprise User Security.