D User and Role API Reference
Note:
The User and Role API is deprecated. Oracle recommends that you use the Identity Governance Framework instead and migrate existing usage to that framework. For information about this migration, see Migrating to Identity Directory API in Developing Applications with Identity Governance Framework.
Mapping User Attributes to LDAP Directories
Table D-1 lists the user attributes in the UserProfile.property file and the corresponding attribute in each supported directory server. IBM Tivoli and OpenLDAP use the same set of parameters. Microsoft ADAM and Microsoft Active Directory use the same set of parameters.
Table D-1 User Attributes in Directory Servers
| User Attribute | Oracle Internet Directory | Embedded LDAP Server | Microsoft Active Directory | ODS EE | Novell eDirectory | OpenLDAP | 
|---|---|---|---|---|---|---|
| GUID | orclguid | uid | objectguid | nsuniqueid | guid | entryuuid | 
| USER_ID | username (see Note below) | uid | uid | uid | uid | uid | 
| DISPLAY_NAME | displayname | displayname | displayname | displayname | displayname | displayname | 
| BUSINESS_EMAIL |  |  |  |  |  |  | 
| DESCRIPTION | description | description | description | description | description | description | 
| EMPLOYEE_TYPE | employeeType | employeeType | employeeType | employeeType | employeeType | employeeType | 
| DEPARTMENT | departmentnumber | departmentnumber | departmentnumber | departmentnumber | departmentnumber | departmentnumber | 
| DATE_OF_BIRTH | orcldateofbirth | - | - | - | - | - | 
| BUSINESS_FAX | facsimiletelephonenumber | facsimiletelephonenumber | facsimiletelephonenumber | facsimiletelephonenumber | facsimiletelephonenumber | facsimiletelephonenumber | 
| BUSINESS_CITY | l | l | l | l | l | l | 
| BUSINESS_COUNTRY | c | c | c | c | c | c | 
| DATE_OF_HIRE | orclhiredate | - | - | - | - | - | 
| NAME | cn | uid | cn | uid | cn | cn | 
| PREFERRED_LANGUAGE | Preferredlanguage | preferredlanguage | preferredlanguage | preferredlanguage | preferredlanguage | preferredlanguage | 
| BUSINESS_POSTAL_ADDR | postaladdress | postaladdress | postaladdress | postaladdress | postaladdress | postaladdress | 
| MIDDLE_NAME | orclmiddlename | - | - | - | - | - | 
| ORGANIZATIONAL_UNIT | ou | ou | ou | ou | ou | ou | 
| WIRELESS_ACCT_NUMBER | orclwirelessaccountnumber | - | - | - | - | - | 
| BUSINESS_PO_BOX | postofficebox | postofficebox | postofficebox | postofficebox | postofficebox | postofficebox | 
| BUSINESS_STATE | St | st | st | st | st | st | 
| HOME_ADDRESS | Homepostaladdress | homepostaladdress | homepostaladdress | homepostaladdress | homepostaladdress | homepostaladdress | 
| NAME_SUFFIX | Generationqualifier | generationqualifier | generationqualifier | generationqualifier | generationqualifier | generationqualifier | 
| BUSINESS_STREET | street | street | street | street | street | street | 
| INITIALS | initials | initials | initials | initials | initials | initials | 
| USER_NAME | username (see Note below) | uid | samaccountname | uid | uid | uid | 
| BUSINESS_POSTAL_CODE | postalcode | postalcode | postalcode | postalcode | postalcode | postalcode | 
| BUSINESS_PAGER | pager | pager | pager | pager | pager | pager | 
| LAST_NAME | sn | sn | sn | sn | sn | sn | 
| BUSINESS_PHONE | telephonenumber | telephonenumber | telephonenumber | telephonenumber | telephonenumber | telephonenumber | 
| FIRST_NAME | givenname | givenname | givenname | givenname | givenname | givenname | 
| TIME_ZONE | orcltimezone | - | - | - | - | - | 
| MAIDEN_NAME | orclmaidenname | - | - | - | - | - | 
| PASSWORD | userpassword | userpassword | userpassword | userpassword | userpassword | userpassword | 
| DEFAULT_GROUP | orcldefaultprofilegroup | - | - | - | - | - | 
| ORGANIZATION | o | o | o | o | o | o | 
| HOME_PHONE | homephone | homephone | homephone | homephone | homephone | homephone | 
| BUSINESS_MOBILE | mobile | mobile | mobile | mobile | mobile | mobile | 
| UI_ACCESS_MODE | orcluiaccessibilitymode | - | - | - | - | - | 
| JPEG_PHOTO | jpegphoto | jpegphoto | jpegphoto | jpegphoto | jpegphoto | jpegphoto | 
| MANAGER | manager | manager | manager | manager | manager | manager | 
| TITLE | title | title | title | title | title | title | 
| EMPLOYEE_NUMBER | employeenumber | employeenumber | employeenumber | employeenumber | employeenumber | employeenumber | 
| LDUser.PASSWORD | userpassword | userpassword | userpassword | userpassword | userpassword | userpassword | 
Mapping Role Attributes to LDAP Directories
Table D-2 lists each role attribute in UserProfile.property and its corresponding attribute in different directory servers. IBM Tivoli and OpenLDAP use the same set of parameters. Microsoft ADAM and Microsoft Active Directory use the same set of parameters.
Table D-2 Role Attributes in Directory Servers
| Role Attribute | Oracle Internet Directory | Embedded LDAP Server | Microsoft Active Directory | ODS EE | Novell eDirectory | OpenLDAP | 
|---|---|---|---|---|---|---|
|  | displayname | - | displayname | displayname | displayname | displayname | 
|  | - | - | - | - | - | - | 
|  | cn | cn | cn | cn | cn | cn | 
|  | owner | owner | - | Owner | - | owner | 
|  | orclguid | cn | objectguid | NSuniqueid | guid | entryuuid | 
Default Configuration Parameters
This section lists default configuration parameter values and the source of the value in different directory servers.
Table D-3 lists parameter values for Oracle Internet Directory and Microsoft Active Directory. Note that Active Directory requires SSL when setting sensitive information like passwords.
Table D-3 Oracle Internet Directory and Microsoft Active Directory Parameters
| Parameter | Oracle Internet Directory | Microsoft Active Directory | 
|---|---|---|
| RT_USER_OBJECT_CLASSES | #config | {"user" } | 
| RT_USER_MANDATORY_ATTRS | #schema | #schema | 
| RT_USER_CREATE_BASES | #config | cn=users,<subscriberDN> | 
| RT_USER_SEARCH_BASES | #config | <subscriberDN> | 
| RT_USER_FILTER_OBJECT_CLASSES | #config | {"user"} | 
| RT_USER_SELECTED_CREATE_BASE | #config | cn=users,<subscriberDN> | 
| RT_GROUP_OBJECT_CLASSES | #config | {"group" } | 
| RT_GROUP_MANDATORY_ATTRS | #schema | #schema | 
| RT_GROUP_CREATE_BASES | #config | <subscriberDN> | 
| RT_GROUP_SEARCH_BASES | #config | <subscriberDN> | 
| RT_GROUP_FILTER_OBJECT_CLASSES | #config | {"group"} | 
| RT_GROUP_MEMBER_ATTRS | "uniquemember", "member" | "member" | 
| RT_GROUP_SELECTED_CREATE_BASE | #config | <subscriberDN> | 
| RT_GROUP_GENERIC_SEARCH_BASE | <subscriber-DN> | <subscriberDN> | 
| RT_SEARCH_TYPE | #config | #config | 
| ST_SUBSCRIBER_NAME | #config | NULL | 
| ST_USER_NAME_ATTR | #config | cn | 
| ST_USER_LOGIN_ATTR | #config | samaccountname | 
| ST_GROUP_NAME_ATTR | #config | cn | 
| ST_MAX_SEARCHFILTER_LENGTH | 500 | 500 | 
| ST_BINARY_ATTRIBUTES | Binary Attribute | Binary Attribute + {objectguid, unicodepwd} | 
| ST_LOGGER_NAME | oracle.idm.userrole | oracle.idm.userrole | 
Note:
The Binary Attributes include photo, personalsignature, audio, jpegphoto, javaserializeddata, thumbnailphoto, thumbnaillogo, userpassword, usercertificate, cacertificate, authorityrevocationlist, certificaterevocationlist, crosscertificatepair, and x500UniqueIdentifier.
A value of #config is extracted from the meta information present in the directory. A value of #schema is extracted from the schema in the directory.
Table D-4 lists parameters for Oracle Directory Server Enterprise Edition and Novell eDirectory.
Table D-4 Directory Server Enterprise Edition and Novell eDirectory Parameters
| Parameter | DS EE | Novell eDirectory | 
|---|---|---|
| RT_USER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson" } | { "person", "inetorgperson", "organizationalPerson", "ndsloginproperties" } | 
| RT_USER_MANDATORY_ATTRS | #schema | #schema | 
| RT_USER_CREATE_BASES | ou=people,<subscriberDN> | ou=users,<subscriberDN> | 
| RT_USER_SEARCH_BASES | <subscriberDN> | <subscriberDN> | 
| RT_USER_FILTER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson" } | { "person", "inetorgperson", "organizationalPerson", "ndsloginproperties" } | 
| RT_USER_SELECTED_CREATE_BASE | ou=people,<subscriberDN> | ou=users,<subscriberDN> | 
| RT_GROUP_OBJECT_CLASSES | "groupofuniquenames" | {"group" } | 
| RT_GROUP_MANDATORY_ATTRS | #schema | #schema | 
| RT_GROUP_CREATE_BASES | ou=groups,<subscriberDN> | ou=groups,<subscriberDN> | 
| RT_GROUP_SEARCH_BASES | <subscriberDN> | <subscriberDN> | 
| RT_GROUP_FILTER_OBJECT_CLASSES | {"groupofuniquenames"} | {"group"} | 
| RT_GROUP_MEMBER_ATTRS | "uniquemember" | "member" | 
| RT_GROUP_SELECTED_CREATE_BASE | ou=groups,<subscriberDN> | ou=groups,<subscriberDN> | 
| RT_GROUP_GENERIC_SEARCH_BASE | <subscriber-DN> | <subscriberDN> | 
| RT_SEARCH_TYPE | #config | #config | 
| ST_SUBSCRIBER_NAME | NULL | NULL | 
| ST_USER_NAME_ATTR | uid | cn | 
| ST_USER_LOGIN_ATTR | uid | cn | 
| ST_GROUP_NAME_ATTR | cn | cn | 
| ST_MAX_SEARCHFILTER_LENGTH | 500 | 500 | 
| ST_BINARY_ATTRIBUTES | Binary Attribute | Binary Attribute + {objectguid, unicodepwd} | 
| ST_LOGGER_NAME | oracle.idm.userrole | oracle.idm.userrole | 
Note:
The Binary Attributes include photo, personalsignature, audio, jpegphoto, javaserializeddata, thumbnailphoto, thumbnaillogo, userpassword, usercertificate, cacertificate, authorityrevocationlist, certificaterevocationlist, crosscertificatepair, and x500UniqueIdentifier.
A value of #config is extracted from the meta information present in the directory. A value of #schema is extracted from the schema in the directory.
Table D-5 lists the parameters for OpenLDAP and Oracle Virtual Directory.
Table D-5 OpenLDAP and Oracle Virtual Directory Parameters
| Parameter | OpenLDAP | Oracle Virtual Directory | 
|---|---|---|
| RT_USER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson" } | {"inetorgperson"} | 
| RT_USER_MANDATORY_ATTRS | #schema | #schema | 
| RT_USER_CREATE_BASES | ou=people,<subscriberDN> | <subscriberDN> | 
| RT_USER_SEARCH_BASES | <subscriberDN> | <subscriberDN> | 
| RT_USER_FILTER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson" } | {"inetorgperson"} | 
| RT_USER_SELECTED_CREATE_BASE | ou=people,<subscriberDN> | <subscriberDN> | 
| RT_GROUP_OBJECT_CLASSES | "groupofuniquenames" | {"groupofuniquenames"} | 
| RT_GROUP_MANDATORY_ATTRS | #schema | #schema | 
| RT_GROUP_CREATE_BASES | ou=groups,<subscriberDN> | <subscriberDN> | 
| RT_GROUP_SEARCH_BASES | <subscriberDN> | <subscriberDN> | 
| RT_GROUP_FILTER_OBJECT_CLASSES | "groupofuniquenames" | {"groupofuniquenames"} | 
| RT_GROUP_MEMBER_ATTRS | "uniquemember" | "uniquemember" | 
| RT_GROUP_SELECTED_CREATE_BASE | ou=groups,<subscriberDN> | <subscriberDN> | 
| RT_GROUP_GENERIC_SEARCH_BASE | <subscriber-DN> | <subscriberDN> | 
| RT_SEARCH_TYPE | #config | #config | 
| ST_SUBSCRIBER_NAME | NULL | #config (namingcontexts) | 
| ST_USER_NAME_ATTR | uid | cn | 
| ST_USER_LOGIN_ATTR | uid | cn | 
| ST_GROUP_NAME_ATTR | cn | cn | 
| ST_MAX_SEARCHFILTER_LENGTH | 500 | 500 | 
| ST_BINARY_ATTRIBUTES | Binary Attribute | Binary Attribute + {objectguid, unicodepwd} | 
| ST_LOGGER_NAME | oracle.idm.userrole | oracle.idm.userrole | 
Note:
The Binary Attributes include photo, personalsignature, audio, jpegphoto, javaserializeddata, thumbnailphoto, thumbnaillogo, userpassword, usercertificate, cacertificate, authorityrevocationlist, certificaterevocationlist, crosscertificatepair, and x500UniqueIdentifier.
A value of #config is extracted from the meta information present in the directory. A value of #schema is extracted from the schema in the directory.
Table D-6 lists the embedded LDAP server parameters.
Table D-6 Embedded LDAP Parameters
| Parameter | Default | 
|---|---|
| RT_USER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson", "wlsUser"} | 
| RT_USER_MANDATORY_ATTRS | #schema | 
| RT_USER_CREATE_BASES | {"ou=people,<subscriberDN>"} | 
| RT_USER_SEARCH_BASES | {"ou=people,<subscriberDN>"} | 
| RT_USER_FILTER_OBJECT_CLASSES | {"inetorgperson", "wlsUser"} | 
| RT_USER_SELECTED_CREATE_BASE | ou=people,<subscriberDN> | 
| RT_GROUP_OBJECT_CLASSES | {"top","groupofuniquenames","groupOfURLs"} | 
| RT_GROUP_MANDATORY_ATTRS | #schema | 
| RT_GROUP_CREATE_BASES | {"ou=groups,<subscriberDN>"} | 
| RT_GROUP_SEARCH_BASES | {"ou=groups,<subscriberDN>"} | 
| RT_GROUP_FILTER_OBJECT_CLASSES | {"top","groupofuniquenames","groupOfURLs"} | 
| RT_GROUP_MEMBER_ATTRS | "uniquemember" | 
| RT_GROUP_SELECTED_CREATE_BASE | ou=groups,<subscriberDN> | 
| RT_GROUP_GENERIC_SEARCH_BASE | <subscriberDN> | 
| RT_SEARCH_TYPE | #config | 
| ST_SUBSCRIBER_NAME | #config (namingcontexts) | 
| ST_USER_NAME_ATTR | uid | 
| ST_USER_LOGIN_ATTR | uid | 
| ST_GROUP_NAME_ATTR | cn | 
| ST_MAX_SEARCHFILTER_LENGTH | 500 | 
| ST_BINARY_ATTRIBUTES | *(BBA) See note below about BBAs. | 
| ST_LOGGER_NAME | oracle.idm.userrole | 