39 Configuring Directory Server Chaining
This chapter includes the following sections:
Note:
In this chapter, references to Oracle Single Sign-On refer to Oracle Single Sign-On 10g (10.1.4.3.0) or later. References to Oracle Enterprise User Security refer to the 10g release only.
39.1 Understanding Directory Server Chaining Configuration
This section gives a contextual description of directory server chaining and lists the Oracle products and external directory servers that can be integrated with Oracle Internet Directory server chaining.
This section has the following topics:
39.1.1 About Oracle Internet Directory Server Chaining
Directory server chaining was first introduced for Oracle Internet Directory 10g (10.1.4.0.1) and was implemented using the Java plug-in framework. As of 11g Release 1 (11.1.1.0.0), you can also configure server chaining to use SSL. Server chaining does not replace Oracle Directory Integration Platform, but instead offers complementary functionality to that product.
Server chaining is different from a virtual directory such as Oracle Virtual Directory. A virtual directory is a flexible virtualization layer between multiple identity repositories and applications. A virtual directory offers complementary services to identity synchronization and directory servers. Organizations can create consolidated logical or virtual views of data that can span multiple directories and databases.
39.1.2 Supported External Directory Servers
Oracle Internet Directory server chaining supports the following external directory servers:
- Microsoft Active Directory
  Note:
  Oracle Internet Directory server chaining does not support Microsoft Active Directory Lightweight Directory Service (AD LDS), formerly known as ADAM.
- Oracle Directory Server Enterprise Edition (ODSEE)
- Sun Java System Directory Server (formerly known as Sun ONE or iPlanet Directory Server)
- Novell eDirectory
Oracle Internet Directory can connect with one Active Directory server, one Sun Java System Directory Server, one Novell eDirectory, or with all three directory servers.
39.1.3 Integrating Oracle Products with Oracle Internet Directory Server Chaining
The following Oracle products have been integrated with Oracle Internet Directory server chaining:
39.1.3.1 Oracle Single Sign-On 10g (10.1.4.3.0) or Later
When server chaining is enabled, a user from the external directory can log in through Oracle Single Sign-On as if authenticated locally within Oracle Internet Directory, rather than the external repository.
39.1.3.2 Enterprise User Security 10g Only
Oracle Internet Directory server chaining enables you to implement Enterprise User Security 10g without synchronizing identity data with Oracle Internet Directory through Oracle Directory Integration Platform. Your identity data remains in the external repository and the Oracle Internet Directory data store contains only Enterprise User Security-related metadata.
With Sun Java System Directory Server as the external directory, server chaining supports password-based authentication with Enterprise User Security.
With Active Directory as the external directory, server chaining supports Kerberos-based authentication and password-based authentication with Enterprise User Security. The external users can log in to Oracle Database after the Enterprise User Security authentication setup is completed. For further details, see Configuring an Active Directory Plug-in for Password Change Notification, which is based on Note 452385.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.
See Also:
Oracle Database Enterprise User Security Administrator's Guide for more information on configuring Enterprise User Security for password authentication and Kerberos authentication.
39.1.4 Supported Operations for Server Chaining
Server chaining supports the following operations:
- Bind
- Compare
- Modify
- Search
The compare, modify, and search operations can be enabled or disabled by setting configuration parameters.
When an Oracle Internet Directory client application issues an LDAP search request, Oracle Internet Directory integrates the search results from its own data and the external directories.
When an Oracle Internet Directory client application issues an LDAP bind, compare, or modify request, Oracle Internet Directory redirects the request to the external directory.
In 10g (10.1.4.0.1) and later, the compare operation is only supported for the userpassword attribute.
In 10g (10.1.4.0.1) and later, attribute modification is supported in two cases:
- The external attribute has the same name as the Oracle Internet Directory attribute. This is true for most standard LDAP attributes.
- The external attribute is mapped to an Oracle Internet Directory attribute, and neither the external nor the Oracle Internet Directory attribute is an operational attribute.
Note:
You cannot modify an Active Directory user password from Oracle Internet Directory through server chaining.
39.2 Configuring Server Chaining
The following topics describe the server chaining entries and how to customize those entries for your environment:
39.2.1 About Server Chaining Entries
Oracle Internet Directory is shipped with disabled sample server chaining entries.
The DNs for the server chaining entries are:
- Active Directory: cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
- Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (formerly Sun ONE or iPlanet): cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
- Novell eDirectory: cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
You configure server chaining by customizing the preceding entries for your environment and then enabling them. You can perform this configuration either from the command line or by using Oracle Directory Services Manager as described later in this section.
From 11g Release 1 (11.1.1.9.0) onward, you can add your own entry under cn=OID Server Chaining,cn=subconfigsubentry to configure server chaining. The new entry must include the orcloidscdirtype attribute. This attribute specifies the external directory for which you want to configure server chaining, and can have one of the following values:
- For Active Directory: ad
- For Novell eDirectory: edir
- For Sun Java System Directory Server: iplanet
For instance, an entry with orcloidscdirtype=edir is configured for connecting with eDirectory. Likewise, you can define your own set of entries.
Note:
Only one active entry for an external directory server type is supported.
39.2.2 Configuring Server Chaining by Using Oracle Directory Services Manager
Oracle Directory Services Manager provides a convenient interface for modifying the Oracle Internet Directory server chaining configuration entries.
To configure server chaining by using Oracle Directory Services Manager:
39.3 Creating Server Chaining Configuration Entries
The following topics describe how to configure external directory servers for server chaining either with or without SSL:
- Mapping of Oracle Internet Directory Attributes to External Directory Attributes
- Example of Configuring an Active Directory for Server Chaining
- Example of Configuring an Active Directory for Server Chaining with SSL
- Configuring an Active Directory for Server Chaining with SSL
- Adding New Attributes to an Existing Active Directory Server Chaining Entry
- Example of Configuring Sun Java System Directory Server (iPlanet) for Server Chaining
- Configuring Sun Java System Directory Server (iPlanet) for Server Chaining
- Example of Configuring Sun Java System Directory Server (iPlanet) for Server Chaining with SSL
- Example of Configuring an eDirectory for Server Chaining with SSL
39.3.1 Server Chaining Configuration Entry Attributes
This section lists and describes the server chaining configuration entry attributes.
Table 39-1 lists the configuration entry attributes for server chaining.
Table 39-1 Configuration Entry Attributes for Server Chaining
Attribute | Required | Description |
---|---|---|
orclOIDSCExtHost | Yes | The host name of the external directory host. This is a single value attribute. |
orclOIDSCExtPort | Yes | The port number of the external directory host. This is a single value attribute. The default value is 3060. |
orclOIDSCExtDN | Yes | The DN in the external directory. Server chaining binds against the external directory using this identity to perform search and modify operations. This identity must have sufficient privilege to perform the operation. This is a single value attribute. |
orclOIDSCExtPassword | Yes | The password for the DN of the external directory. This is a single value attribute. Be sure to enable privacy mode to ensure that users cannot retrieve this attribute in clear text. See Enabling Privacy Mode of Sensitive Attributes. |
orclOIDSCExtUserContainer | Yes | The user container in the external directory from which to perform the user search operation. This is a single value attribute. |
orclOIDSCExtGroupContainer | Yes | The group container in the external directory from which to perform the group search operation. This is a single value attribute. If the external user container and the external group container are the same (that is, groups in the external directory server are stored in the same container as the users), this value must be the same as the value used for the user container (orclOIDSCExtUserContainer attribute). |
orclOIDSCTargetUserContainer | Yes | The user container in Oracle Internet Directory in which the external users reside. For more information, see Naming Conventions for User and Group Containers. |
orclOIDSCTargetGroupContainer | Yes | The group container in Oracle Internet Directory in which the external groups reside. For more information, see Naming Conventions for User and Group Containers. |
orclOIDSCAttrMapping | No | Specifies each attribute mapping between the external directory and Oracle Internet Directory. For example, to map the For more information, see Mapping of Oracle Internet Directory Attributes to External Directory Attributes. |
orclOIDSCExtSearchEnabled | Yes | External search capability. |
orclOIDSCExtModifyEnabled | Yes | External modify capability. |
orclOIDSCExtAuthEnabled | Yes | External authentication capability. |
orclOIDSCSSLEnabled | No | SSL connection to the external directory. 0 = disabled (default), 1 = enabled. This is a single value attribute. Required if SSL is enabled. |
orclOIDSCExtSSLPort | No | The SSL port number of the external directory host. This is a single value attribute. |
orclOIDSCWalletLocation | No | The filename and path of the wallet that contains the server certificate of the external directory. This is a single value attribute. Required if SSL is enabled. |
orclOIDSCWalletPassword | No | The wallet password. This is a single value attribute. Required if SSL is enabled. |
mapUIDtoADAttribute | No | Specifies the mapping of OID attribute "uid" to an attribute in Active Directory. You can map "uid" to any non-binary attributes defined in Active Directory. The default value is "name". This is a single value attribute. |
showExternalGroupEntries | No | In a search against the group container: "base" - show entries with objectclass group (default), "sub" - show entries without objectclass "user" and "computer". This is a single value attribute. Applicable with Active Directory only. |
showExternalUserEntries | No | In a one level search with an entry one level below the user container as the base: "base" - do not show any entry (default), "sub" - show entries in the subtree below the base of the search. This is a single value attribute. Applicable with Active Directory only. |
addOrcluserv2ToADUsers | No | Add "orcluserv2" objectclass to entries that have objectclass user. 0 = disabled (default), 1 = enabled. This is a single value attribute. Applicable with Active Directory only. |
39.3.2 Naming Conventions for User and Group Containers
The target user and group containers must be under the Oracle Internet Directory search base in order to work with Oracle Single Sign-On.
For user and group containers, use the following names:
- Active Directory: cn=AD
- Oracle Directory Server Enterprise Edition or Sun Java System Directory Server (iPlanet or Sun ONE Directory Server): cn=iPlanet
- Novell eDirectory: cn=edir
For example, if your user search base is cn=users,dc=us,dc=oracle,dc=com, use the following names for the target user containers:
- Active Directory: cn=AD,cn=users,dc=us,dc=oracle,dc=com
- Oracle Directory Server Enterprise Edition or Sun Java System Directory Server: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
- Novell eDirectory: cn=edir,cn=users,dc=us,dc=oracle,dc=com
Similarly, if your group search base is cn=groups,dc=us,dc=oracle,dc=com, use the following names for the target group containers:
- Active Directory: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
- Oracle Directory Server Enterprise Edition or Sun Java System Directory Server (iPlanet or Sun ONE Directory Server): cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
- Novell eDirectory: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
Note:
The target user and group containers exist only for the external directories. All the users and groups that appear under these nodes are populated by the external directories. Do not add entries under these containers directly from Oracle Internet Directory.
If the external user container and the external group container are the same (that is, groups in the external directory server are stored in the same container as the users), the value for the group container (orclOIDSCExtGroupContainer attribute) must be the same as the value used for the user container (orclOIDSCExtUserContainer attribute).
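As an added example (not Oracle code), the following Python checks a server chaining entry written in the attribute: value form used in this chapter against the required and SSL-dependent attributes of Table 39-1 and the target container names described above; the two sample entries and the SSL port 636 in them are constructed.

```python
# Added example, not Oracle code: checks a server chaining entry (attribute: value
# lines as shown in this chapter) against Table 39-1 and the container naming rules.

# Attributes Table 39-1 marks as required.
REQUIRED = (
    "orcloidscexthost", "orcloidscextport", "orcloidscextdn",
    "orcloidscextpassword", "orcloidscextusercontainer",
    "orcloidscextgroupcontainer", "orcloidsctargetusercontainer",
    "orcloidsctargetgroupcontainer", "orcloidscextsearchenabled",
    "orcloidscextmodifyenabled", "orcloidscextauthenabled",
)
# Attributes Table 39-1 marks as required once orclOIDSCSSLEnabled is 1.
SSL_REQUIRED = ("orcloidscextsslport", "orcloidscwalletlocation",
                "orcloidscwalletpassword")
# Target container name required for each orcloidscdirtype value.
TARGET_PREFIX = {"ad": "cn=ad,", "iplanet": "cn=iplanet,", "edir": "cn=edir,"}


def parse_entry(text):
    """Turn 'attribute: value' lines into a dict keyed by lower-cased name.
    The entry's own DN line (cn=... or dn: ...) is skipped; attribute options
    such as orclOIDSCAttrMapping;description stay in the key."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith(("dn:", "cn=")):
            continue
        attr, sep, value = line.partition(":")
        if sep:
            entry[attr.strip().lower()] = value.strip()
    return entry


def check_entry(entry, dirtype):
    """Return a list of findings; an empty list means the entry passes."""
    findings = []
    for attr in REQUIRED:
        if attr not in entry:
            findings.append(f"missing required attribute {attr}")
    for attr in ("orcloidscextport", "orcloidscextsslport"):
        port = entry.get(attr)
        if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"{attr} is not a valid TCP port: {port!r}")
    if entry.get("orcloidscsslenabled") == "1":
        for attr in SSL_REQUIRED:
            if attr not in entry:
                findings.append(f"SSL enabled but {attr} is missing")
    else:
        # Without SSL the bind DN password and every chained user bind cross
        # the network in clear text.
        findings.append("orclOIDSCSSLEnabled is not 1: external link is unencrypted")
    prefix = TARGET_PREFIX[dirtype]
    for attr in ("orcloidsctargetusercontainer", "orcloidsctargetgroupcontainer"):
        value = entry.get(attr, "").replace(" ", "").lower()
        if value and not value.startswith(prefix):
            findings.append(f"{attr} must begin with {prefix} for type {dirtype}")
    return findings


# Constructed sample: SSL switched on without the SSL port or wallet, and a
# target user container that ignores the cn=AD naming convention.
BAD_ENTRY = """cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: ad.example.com
orclOIDSCExtPort: 389
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCExtGroupContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=external,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
"""
# The same entry with both problems corrected (also constructed).
GOOD_ENTRY = BAD_ENTRY.replace("cn=external,", "cn=AD,") + (
    "orclOIDSCExtSSLPort: 636\norclOIDSCWalletLocation: /adwallet/ewallet.p12\n"
    "orclOIDSCWalletPassword: ********\n")
```

Call check_entry(parse_entry(text), dirtype) on an entry exported with ldapsearch; an empty list means no finding.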
39.3.3 Mapping of Oracle Internet Directory Attributes to External Directory Attributes
If an attribute in an external directory and an Oracle Internet Directory attribute are the same, then no mapping is required. Server chaining performs some attribute mapping by default.
The following topics describe the default attribute mapping of Oracle Internet Directory to external directories:
39.3.3.1 Default Attribute Mapping to Active Directory
The following table lists the default attribute mapping of Oracle Internet Directory to Active Directory:
Table 39-2 Default Attribute Mapping to Active Directory
Oracle Internet Directory Attribute | Active Directory Attribute |
---|---|
For Active Directory server chaining, you can use the mapUIDtoADAttribute attribute to map uid to any non-binary attributes defined in Active Directory.
39.3.3.2 Default Attribute Mapping to Sun Java System Directory Server
The following table lists the default attribute mapping of Oracle Internet Directory to Sun Java System Directory Server:
Table 39-3 Default Attribute Mapping to Sun Java System Directory Server
Oracle Internet Directory Attribute | Sun Java System Directory Server Attribute |
---|---|
39.3.3.3 Default Attribute Mapping to Novell eDirectory
The following table lists the default attribute mapping of Oracle Internet Directory to Novell eDirectory:
Table 39-4 Default Attribute Mapping to Novell eDirectory
Oracle Internet Directory Attribute | Novell eDirectory Attribute |
---|---|
The following objects cannot be mapped:
- Operational attributes
- Object classes
- Oracle Internet Directory-specific attributes. These attributes typically have names starting with orcl.
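The following Python, added here and not part of Oracle's documentation or product, applies the modify rules of 39.1.4 and the mapping rules above to decide whether a modify on a given attribute can be chained and under which external name; the operational-attribute set and the mail mapping in the sample entry are constructed.

```python
# Added example, not Oracle code: decides whether an LDAP modify on an Oracle
# Internet Directory attribute can be chained to the external directory, and
# under which external name, following the rules in 39.1.4 and in this section.
# OPERATIONAL is a constructed sample of common LDAP operational attributes.
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname",
               "modifiersname", "entrydn", "subschemasubentry"}


def parse_attr_mappings(entry_lines):
    """Collect 'orclOIDSCAttrMapping;<oid attr>: <external attr>' lines of a
    chaining entry into {oid_attr: external_attr}, names lower-cased."""
    mapping = {}
    for line in entry_lines:
        attr, sep, value = line.partition(":")
        name, _, option = attr.strip().lower().partition(";")
        if sep and name == "orcloidscattrmapping" and option:
            mapping[option] = value.strip().lower()
    return mapping


def chain_modify(oid_attr, mapping, dirtype):
    """Return (external_attr, None) when the modify can be chained, or
    (None, reason) when server chaining cannot forward it. dirtype is one of
    the orcloidscdirtype values: "ad", "iplanet" or "edir"."""
    attr = oid_attr.lower()
    if attr == "objectclass":
        return None, "object classes cannot be mapped"
    if attr.startswith("orcl"):
        return None, "Oracle Internet Directory-specific attributes cannot be mapped"
    if attr in OPERATIONAL:
        return None, "operational attributes cannot be mapped"
    if dirtype == "ad" and attr == "userpassword":
        return None, "an Active Directory user password cannot be modified through chaining"
    ext = mapping.get(attr)
    if ext is None:
        # No explicit mapping: the external attribute has the same name,
        # which is the case for most standard LDAP attributes.
        return attr, None
    if ext in OPERATIONAL:
        # Mapped case: neither side may be an operational attribute.
        return None, f"mapped external attribute {ext} is operational"
    return ext, None


# Constructed sample entry lines; the description-to-title mapping is the one
# used in the Active Directory example of this chapter, the mail mapping is made up.
SAMPLE_ENTRY = [
    "orclOIDSCExtHost: dlin-pc9.us.example.com",
    "orclOIDSCAttrMapping;description: title",
    "orclOIDSCAttrMapping;mail: userPrincipalName",
]
```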
39.3.4 Example of Configuring an Active Directory for Server Chaining
The following example shows server chaining configured to use the Active Directory server dlin-pc9.us.example.com, port 3060, as its external directory store. The SSL capability has been enabled.
All the attributes are explained in Table 39-1.
cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc9.us.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCAttrMapping;description: title
orcloidscsslenabled: 0
39.3.5 Configuring an Active Directory for Server Chaining
The following example is the LDIF file used to modify the configuration entry:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=administrator,cn=users,dc=oidvd,dc=com
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc9.us.example.com
-
replace: orcloidscextport
orcloidscextport: 3060
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=AD,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=AD,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: cn=users,dc=dlin,dc=net
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: cn=users,dc=dlin,dc=net
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
-
replace: orcloidscsslenabled
orcloidscsslenabled: 1
39.3.6 Example of Configuring an Active Directory for Server Chaining with SSL
The following example shows server chaining configured to use the Active Directory server ad.example.com, SSL port 3133, and the wallet located at /adwallet/ewallet.p12.
cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: ad.example.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=administrator,cn=users,dc=oidvd,dc=com
orclOIDSCExtPassword: *******
orclOIDSCExtUserContainer: cn=users,dc=oidvd,dc=com
orclOIDSCTargetUserContainer: cn=AD,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=AD,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /adwallet/ewallet.p12
orclOIDSCWalletPassword: ********
39.3.7 Configuring an Active Directory for Server Chaining with SSL
You can configure an Active Directory for server chaining with SSL from the command line.
Perform the following steps:
39.3.8 Adding New Attributes to an Existing Active Directory Server Chaining Entry
The attributes mapUIDtoADAttribute, showExternalGroupEntries, showExternalUserEntries, and addOrcluserv2ToADUsers have been added since Oracle Internet Directory 10g (10.1.4.0.1).
To add these attributes to an existing Active Directory server chaining entry, modify the following LDIF file with the appropriate values:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: mapUIDtoADAttribute
mapUIDtoADAttribute: name
-
replace: showExternalGroupEntries
showExternalGroupEntries: base
-
replace: showExternalUserEntries
showExternalUserEntries: base
-
replace: addOrcluserv2ToADUsers
addOrcluserv2ToADUsers: 0
Use a command line such as the following to modify the configuration entry:
ldapmodify -p OID_port -h OID_host -D "cn=orcladmin" -q -v -f ldif_file_name
39.3.9 Example of Configuring Sun Java System Directory Server (iPlanet) for Server Chaining
The following example shows server chaining configured to use the Sun Java System Directory Server dlin-pc10.us.example.com, port 10389, as its external directory store.
All the attributes are explained in Table 39-1.
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc10.us.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
39.3.10 Configuring Sun Java System Directory Server (iPlanet) for Server Chaining
The following example is the LDIF file used to modify the configuration entry:
dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=directory manager
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc10.us.example.com
-
replace: orcloidscextport
orcloidscextport: 10389
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=iplanet,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=iplanet,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: ou=people,dc=example,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: ou=groups,dc=example,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
39.3.11 Example of Configuring Sun Java System Directory Server (iPlanet) for Server Chaining with SSL
The following example shows server chaining configured to use the Sun Java System Directory Server sunone.example.com, SSL port 10636, and the wallet located at /ipwallet/ewallet.p12.
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: /ipwallet/ewallet.p12
orclOIDSCWalletPassword: ********
39.3.12 Configuring Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) for Server Chaining with SSL
You can configure Oracle Directory Server Enterprise Edition and Sun Java System Directory Server for server chaining with SSL from the command line.
To configure server chaining with SSL from the command line:
39.3.13 Example of Configuring an eDirectory for Server Chaining
This section shows an example of configuring an eDirectory for server chaining. A sample eDirectory configuration looks like this:
cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
39.3.14 Example of Configuring an eDirectory for Server Chaining with SSL
A sample eDirectory configuration with SSL looks like this:
cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword: ********
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: /edir/ewallet.p12
orclOIDSCWalletPassword: ********
39.4 Debugging Server Chaining
This section describes the procedure to debug server chaining.
To debug server chaining:
39.5 Configuring an Active Directory Plug-in for Password Change Notification
When you use Enterprise User Security 10g with server chaining, a password hash is required in order to authenticate users. This section describes how to install a plug-in in the Microsoft Active Directory (AD) server so that this password hash is available for users accessed through Oracle Internet Directory. Customers planning to configure Enterprise User Security to work with users accessed through server chaining must configure this feature.
To configure an Active Directory plug-in for password change notification:
1. In Active Directory, create an attribute called orclCommonAttribute to store the password hash. Use a command line such as:
   ldapadd -p AD_Port -h AD_host -D "AD_administrator_DN" -w AD_administrator_password -v -f orclca.ldif
   Use an orclca.ldif file similar to the following example. Replace DC=bill,DC=com with the actual Active Directory domain name and choose an appropriate attributeID.
   dn: cn=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
   objectClass: top
   objectClass: attributeSchema
   cn: orclcommonattribute
   distinguishedName: CN=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
   instanceType: 4
   uSNCreated: 16632
   attributeID: 1.9.9.9.9.9.9.9.9
   attributeSyntax: 2.5.5.3
   isSingleValued: TRUE
   uSNChanged: 16632
   showInAdvancedViewOnly: TRUE
   adminDisplayName: orclCommonAttribute
   oMSyntax: 27
   lDAPDisplayName: orclCommonAttribute
   name: orclcommonattribute
   objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=bill,DC=com
2. Associate the attribute with the user objectclass. Use a command line such as:
   ldapadd -p AD_Port -h AD_host -D "AD_administrator_DN" -w AD_administrator_password -v -f user.ldif
   In the following file, user.ldif, replace DC=bill,DC=com with the actual Active Directory domain name.
   dn: CN=User,CN=Schema,CN=Configuration,DC=bill,DC=com
   changetype: modify
   add: mayContain
   mayContain: orclCommonAttribute
   It might take Active Directory a few minutes to refresh the schema.
3. Install the password change notification plug-in, as follows:
   a. Copy %ORACLE_HOME%\ovd\eus\win64\oidpwdcn.dll (for Windows 64 bit) or %ORACLE_HOME%\ovd\eus\win\oidpwdcn.dll (for Windows 32 bit) to the Active Directory WINDOWS\system32 folder.
   b. Use regedt32 to modify the registry. In the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, add oidpwdcn to the end. It should look like the following:
      RASSFM KDCSVC WDIGEST scecli oidpwdcn
   c. Restart Active Directory.
   d. Verify that the plug-in is installed properly by resetting the password of a user. The orclCommonAttribute should contain the password hash value.
4. Reset the password for all the Active Directory users so that the password verifier is present for all the users.