Oidag Oracle Fusion Middleware Administrator Guide For Internet Directors

User Manual:

Open the PDF directly: View PDF .
Page Count: 806 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Scroll down to view the document on your mobile browser.

Contents
1 Introduction to Directory Services
2 Understanding Oracle Internet Directory in Oracle Fusion Middleware
3 Understanding Oracle Internet Directory Concepts and Architecture
4 Understanding Process Control of Oracle Internet Directory Components
5 Understanding Oracle Internet Directory Organization
6 Understanding Oracle Internet Directory Replication
7 Getting Started With Oracle Internet Directory
8 Managing Oracle Internet Directory Instances
9 Managing System Configuration Attributes
10 Managing IP Addresses
11 Managing Naming Contexts
12 Managing Accounts and Passwords
13 Managing Directory Entries
14 Managing Dynamic and Static Groups
15 Performing Bulk Operations
16 Managing Collective Attributes
17 Managing Alias Entries
18 Managing Attribute Uniqueness Constraint Entries
19 Managing Knowledge References and Referrals
20 Managing Directory Schema
21 Configuring Referential Integrity
22 Managing Auditing
23 Managing Logging
24 Monitoring Oracle Internet Directory
25 Backing Up and Restoring Oracle Internet Directory
26 Configuring Secure Sockets Layer (SSL)
27 Configuring Data Privacy
28 Managing Password Policies
29 Managing Directory Access Control
30 Managing Password Verifiers
31 Delegating Privileges for Oracle Identity Management
32 Managing Authentication
33 Planning, Deploying and Managing Realms
34 Tuning and Sizing Oracle Internet Directory
35 Managing Garbage Collection
36 Migrating Data from Other Data Repositories
37 Configuring Server Chaining
38 Managing DIT Masking
39 Setting Up Replication
40 Setting Up Replication Failover
41 Managing Replication Configuration Attributes
42 Managing and Monitoring Replication
43 Configuring a Customized Password Policy Plug-In
44 Developing Plug-ins for the Oracle Internet Directory Server
45 Configuring a Customized External Authentication Plug-in
A Differences Between 10g and 11g
B Managing Oracle Internet Directory Instances by Using OIDCTL
C Setting Up Oracle Database Advanced Replication-Based Replication
D How Replication Works
E Java Server Plug-in Developer's Reference
F PL/SQL Server Plug-in Developer's Reference
G The LDAP Filter Definition
H The Access Control Directive Format
I Globalization Support in the Directory
J Setting up Access Controls for Creation and Search Bases for Users and Groups
K Searching the Directory for User Certificates
L Adding a Directory Node by Using the Database Copy Procedure
M Oracle Authentication Services for Operating Systems
N RFCs Supported by Oracle Internet Directory
O Managing Oracle Directory Services Manager's Java Key Store
P Starting and Stopping the Oracle Stack
Q Performing a Rolling Upgrade
R Using the Oracle Internet Directory VM Template
S Troubleshooting Oracle Internet Directory
- Preface
- Audience
- Documentation Accessibility
  - Access to Oracle Support
- Related Documents
- Conventions
  - What's New in Oracle Internet Directory?
- New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1.6.0)
- New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1.4.0)
- New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1)
- New Features Introduced with Oracle Internet Directory 10g (10.1.4.1)
- New Features Introduced with Oracle Internet Directory 10g Release 2 (10.1.2)
  - Part I Understanding Directory Services
  - 1 Introduction to Directory Services
  - 1.1 What Is a Directory?
    - 1.1.1 The Expanding Role of Online Directories
      - Table 1-1 Comparison of Online Directories and Relational Databases
    - 1.1.2 The Problem: Too Many Special-Purpose Directories
  - 1.2 What Is the Lightweight Directory Access Protocol (LDAP)?
    - 1.2.1 LDAP and Simplified Directory Management
    - 1.2.2 LDAP Version 3
  - 1.3 What Is Oracle Internet Directory?
    - 1.3.1 Overview of Oracle Internet Directory
      - Figure 1-1 Oracle Internet Directory Overview
    - 1.3.2 Components of Oracle Internet Directory
    - 1.3.3 Advantages of Oracle Internet Directory
  - 1.4 How Oracle Products Use Oracle Internet Directory
    - 1.4.1 Easier and More Cost-Effective Administration of Oracle Products
    - 1.4.2 Tighter Security Through Centralized Security Policy Administration
    - 1.4.3 Integration of Multiple Directories
      - 2 Understanding Oracle Internet Directory in Oracle Fusion Middleware
  - 2.1 WebLogic Server Domain
  - 2.2 Oracle Internet Directory as a System Component
  - 2.3 Oracle Internet Directory Deployment Options
    - 1. Create New Domain-Oracle Internet Directory with a local Oracle WebLogic Server Domain. Oracle WebLogic Server is installed locally with Oracle Internet Directory and an admin domain is created for Oracle Internet Directory.
    - 2. Extend Existing Domain-Oracle Internet Directory with a remote Oracle WebLogic Server Domain. Oracle WebLogic Server admin server and domain have been installed and created separately and Oracle Internet Directory registers with the Domain remotely.
    - 3. Expand Cluster-Oracle Internet Directory in an Oracle WebLogic Server cluster for High Availability. This option will not be discussed here.
    - 4. Configure Without Domain-Oracle Internet Directory without a Oracle WebLogic Server Domain. Oracle Internet Directory can be ...
  - 2.4 Middleware Home
  - 2.5 WebLogic Server Home
  - 2.6 Oracle Common Home
  - 2.7 Oracle Home
  - 2.8 Oracle Instance
  - 2.9 Oracle Enterprise Manager Fusion Middleware Control
  - 2.10 Logging, Auditing, and Diagnostics
  - 2.11 MBeans and the WebLogic Scripting Tool
    - 3 Understanding Oracle Internet Directory Concepts and Architecture
  - 3.1 Oracle Internet Directory Architecture
    - 3.1.1 An Oracle Internet Directory Node
      - Figure 3-1 A Typical Oracle Internet Directory Node
        Table 3-1 An Oracle Internet Directory Node
    - 3.1.2 An Oracle Directory Server Instance
      - Figure 3-2 Oracle Directory Server Instance Architecture
    - 3.1.3 Oracle Internet Directory Ports
    - 3.1.4 Directory Metadata
  - 3.2 How Oracle Internet Directory Processes a Search Request
    - 1. The user or client enters a search request that is conditioned by one or more of the following options:
    - 2. The C API, using the LDAP protocol, sends a request to a directory server instance to connect to the directory.
    - 3. The directory server authenticates the user, a process called binding. The directory server also checks the Access Control Lists (ACLs) to verify that the user is authorized to perform the requested search.
    - 4. The directory server converts the search request from LDAP to Oracle Call Interface (OCI)/Oracle Net Services and sends it to the Oracle Database.
    - 5. The Oracle Database retrieves the information and passes it back through the chain-to the directory server, then to the C API, and, finally, to the client.
  - 3.3 Directory Entries
    - 3.3.1 Distinguished Names (DNs) and Directory Information Trees (DITs)
      - Figure 3-3 A Directory Information Tree
    - 3.3.2 Entry Caching
  - 3.4 Attributes
    - Figure 3-4 Attributes of the Entry for Anne Smith
    - 3.4.1 Kinds of Attribute Information
      - Table 3-2 Attributes Created with Each New Entry
    - 3.4.2 Single-Valued and Multivalued Attributes
    - 3.4.3 Common LDAP Attributes
      - Table 3-3 Common LDAP Attributes
    - 3.4.4 Attribute Syntax
    - 3.4.5 Attribute Matching Rules
    - 3.4.6 Attribute Options
  - 3.5 Object Classes
    - 3.5.1 Subclasses, Superclasses, and Inheritance
    - 3.5.2 Object Class Types
  - 3.6 Naming Contexts
    - Figure 3-5 Correct and Incorrect Naming Contexts
  - 3.7 Security
  - 3.8 Globalization Support
  - 3.9 Distributed Directories
    - 3.9.1 Directory Replication
    - 3.9.2 Directory Partitioning
      - Figure 3-6 A Partitioned Directory
  - 3.10 Knowledge References and Referrals
    - Figure 3-7 Using Knowledge References to Point to Naming Contexts
  - 3.11 Oracle Delegated Administration Services and the Oracle Internet Directory Self-Service Console
  - 3.12 The Service Registry and Service to Service Authentication
  - 3.13 Oracle Directory Integration Platform
  - 3.14 Oracle Internet Directory and Identity Management
    - 3.14.1 About Identity Management
    - 3.14.2 Oracle Identity Management Products
    - 3.14.3 Identity Management Realms
      - 3.14.3.1 Default Identity Management Realm
      - 3.14.3.2 Identity Management Policies
  - 3.15 Resource Information
    - 3.15.1 Resource Type Information
    - 3.15.2 Resource Access Information
      - 1. Retrieves the necessary connect information from the RAD
      - 2. Uses that information to connect to those databases and to authenticate the user requesting the data
    - 3.15.3 Location of Resource Information in the DIT
      - Figure 3-8 Placement of Resource Access and Resource Type Information in the DIT
        4 Understanding Process Control of Oracle Internet Directory Components
  - 4.1 Oracle Internet Directory Process Control Architecture
    - Figure 4-1 Oracle Internet Directory Process Control
  - 4.2 The ODS_PROCESS_STATUS Table
    - Table 4-1 Process Control Items in the ODS_PROCESS_STATUS Table
  - 4.3 Starting, Stopping, and Monitoring of Oracle Internet Directory Processes
    - 4.3.1 Oracle Internet Directory Snippet in opmn.xml
    - 4.3.2 OPMN Starting Oracle Internet Directory
    - 4.3.3 OPMN Stopping of Oracle Internet Directory
    - 4.3.4 Process Monitoring
  - 4.4 Oracle Internet Directory Process Control-Best Practices
    - 5 Understanding Oracle Internet Directory Organization
  - 5.1 The Directory Information Tree
    - Figure 5-1 Planning the Directory Information Tree
  - 5.2 Planning the Overall Directory Structure
  - 5.3 Planning the Names and Organization of Users and Groups
    - 5.3.1 Organizing Users
    - 5.3.2 Organizing Groups
      - 1. Use the owner attribute of the group to list which users own this group.
      - 2. Create an access control policy at a higher level that grants all users listed in the owner attribute special privileges to perform the various operations.
  - 5.4 Migrating a DIT from a Third-Party Directory
    - 6 Understanding Oracle Internet Directory Replication
    - Figure 6-1 A Replicated Directory
  - 6.1 Why Use Replication?
  - 6.2 Replication Concepts
    - 6.2.1 Content to be Replicated: Full or Partial
      - Table 6-1 Full or Partial Replication
      - Figure 6-2 Example of Partial Replication
    - 6.2.2 Direction: One-Way, Two-Way, or Peer to Peer
      - Table 6-2 Direction of Replication
    - 6.2.3 Transport Mechanism: LDAP or Oracle Database Advanced Replication
      - Table 6-3 Transport Protocols
    - 6.2.4 Directory Replication Group (DRG) Type: Single-master, Multimaster, or Fan-out
    - 6.2.5 Loose Consistency Model
    - 6.2.6 How the Replication Concepts Fit Together
      - Table 6-5 Types of Data Transfer Between Nodes in a Directory Replication Group
    - 6.2.7 Multimaster Replication with Fan-Out
      - Figure 6-6 Example of Multimaster Replication with Fan-Out
  - 6.3 What Kind of Replication Do You Need?
    - Local Availability
    - Load Balancing
    - High Availability
      - Part II Basic Administration
      - 7 Getting Started With Oracle Internet Directory
  - 7.1 Patching Your System to 11g Release 1 (11.1.1.6.0)
    - 7.1.1 Upgrading a Directory Replication Group
  - 7.2 Postinstallation Tasks and Information
    - 7.2.1 Setting Up the Environment
    - 7.2.2 Adding Datafiles to the OLTS_CT_STORE and OLTS_ATTRSTORE Tablespaces
    - 7.2.3 Changing Settings of Windows Services
    - 7.2.4 Starting and Stopping the Oracle Stack
    - 7.2.5 Identifying Default URLs and Ports
    - 7.2.6 Tuning Oracle Internet Directory
    - 7.2.7 Enabling Anonymous Binds
    - 7.2.8 Enabling Oracle Internet Directory to run on Privileged Ports
    - 7.2.9 Verifying Oracle Database Time Zone
  - 7.3 Using Fusion Middleware Control to Manage Oracle Internet Directory
    - 1. Connect to Fusion Middleware Control.
    - 2. In the left panel topology tree, expand the domain, then Fusion Middleware, then Identity and Access. Alternatively, from the...
    - 3. Select the Oracle Internet Directory component you want to manage.
    - 4. Use the Oracle Internet Directory menu to select tasks.
      - Table 7-1 Using the Oracle Internet Directory Menu
  - 7.4 Using Oracle Directory Services Manager
    - 7.4.1 Introduction to Oracle Directory Services Manager
    - 7.4.2 Configuring ODSM for SSO Integration
    - 7.4.3 Configuring the SSO Server for ODSM Integration
    - 7.4.4 Configuring the Oracle HTTP Server for ODSM-SSO Integration
    - 7.4.5 Invoking Oracle Directory Services Manager
    - 7.4.6 Connecting to the Server from Oracle Directory Services Manager
    - 7.4.7 Configuring Oracle Directory Services Manager Session Timeout
    - 7.4.8 Configuring Oracle HTTP Server to Support Oracle Directory Services Manager in an Oracle WebLogic Server Cluster
  - 7.5 Using Command-Line Utilities to Manage Oracle Internet Directory
    - 7.5.1 Using Standard LDAP Utilities
    - 7.5.2 Using Bulk Tools
    - 7.5.3 Using WLST
  - 7.6 Basic Tasks for Configuring and Managing Oracle Internet Directory
    - 1. Start and stop the LDAP server. See Chapter 8
    - 2. Manage system configuration attributes. See Chapter 9.
    - 3. Manage directory entries. See Chapter 13.
    - 4. Manage directory schema. See Chapter 20.
    - 5. Configure auditing. Chapter 22.
    - 6. Manage log files. See Chapter 23.
    - 7. Configure SSL. See Chapter 26.
    - 8. Configure password policies. See Chapter 28.
    - 9. Configure access control. See Chapter 29.
    - 10. Get sizing and tuning recommendations for Oracle Internet Directory deployments. See the "Obtaining Recommendations by Using...
    - 11. Set up replication. See Chapter 39 and Appendix C.
    - 12. Convert an Advanced Replication-based replication agreement to an LDAP-based replication agreement. See Section 39.2, "Converting an Advanced Replication-Based Agreement to an LDAP-Based Agreement."
    - 13. Modify an existing replication setup. See Chapter 42.
    - 8 Managing Oracle Internet Directory Instances
  - 8.1 Introduction to Managing Oracle Internet Directory Instances
    - 8.1.1 The Instance-Specific Configuration Entry
      - Figure 8-1 DIT Showing Two Instance-Specific Configuration Entries
    - 8.1.2 Creating the First Oracle Internet Directory Instance
    - 8.1.3 Creating Additional Oracle Internet Directory Instances
      - Figure 8-2 Oracle Internet Directory Process Control
    - 8.1.4 Registering an Oracle Instance or Component with the WebLogic Server
  - 8.2 Managing Oracle Internet Directory Components by Using Fusion Middleware Control
    - 8.2.1 Viewing Active Server Information by Using Fusion Middleware Control
    - 8.2.2 Starting the Oracle Internet Directory Server by Using Fusion Middleware Control
    - 8.2.3 Stopping the Oracle Internet Directory Server by Using Fusion Middleware Control
    - 8.2.4 Restarting the Oracle Internet Directory Server by Using Fusion Middleware Control
  - 8.3 Managing Oracle Internet Directory Components by Using opmnctl
    - 8.3.1 Creating an Oracle Internet Directory Component by Using opmnctl
    - 8.3.2 Registering an Oracle Instance by Using opmnctl
    - 8.3.3 Unregistering an Oracle Instance by Using opmnctl
    - 8.3.4 Updating the Component Registration of an Oracle Instance by Using opmnctl
      - Table 8-1 Attribute Changes Requiring Update of Component Registration
    - 8.3.5 Deleting an Oracle Internet Directory Component by Using opmnctl
    - 8.3.6 Viewing Active Server Instance Information by Using opmnctl
    - 8.3.7 Starting the Oracle Internet Directory Server by Using opmnctl
    - 8.3.8 Stopping the Oracle Internet Directory Server by Using opmnctl
    - 8.3.9 Restarting the Oracle Internet Directory Server by Using opmnctl
    - 8.3.10 Changing the Oracle Database Information in opmn.xml
  - 8.4 Starting an Instance of the Replication Server by Using OIDCTL
    - 9 Managing System Configuration Attributes
  - 9.1 Introduction to Managing System Configuration Attributes
    - 9.1.1 What are Configuration Attributes?
    - 9.1.2 What are Operational Attributes?
    - 9.1.3 Attributes of the Instance-Specific Configuration Entry
      - Table 9-1 Attributes of the Instance-Specific Configuration Entry
    - 9.1.4 Attributes of the DSA Configuration Entry
      - Table 9-2 Attributes in the DSA Configuration Entry
    - 9.1.5 Attributes of the DSE
      - Table 9-3 Attributes of the DSE
  - 9.2 Managing System Configuration Attributes by Using Fusion Middleware Control
    - 9.2.1 Configuring Server Properties
    - 9.2.2 Configuring Shared Properties
    - 9.2.3 Configuring Other Parameters
  - 9.3 Managing System Configuration Attributes by Using WLST
    - 1. Invoke WLST
    - 2. Connect to the WebLogic server
    - 3. To navigate to the custom mbean tree, type:
    - 4. To get a one-level list of the MBean in the custom MBean tree, type:
    - 5. To get to a domain, use the cd() command. For example:
      - Table 9-7 Oracle Internet Directory-Related MBeans
    - 6. To get to a specific MBean, type:
    - 7. Once you have navigated to the desired MBean, you can get the current value for an attribute by typing:
    - 8. Before you make any changes to attributes, you must ensure that the MBean has the current server configuration. To do that, load the configuration from Oracle Internet Directory server to the mbean. Type:
    - 9. Then you can use the set command to set a specific attribute. Type:
    - 10. After making changes, you must save the MBean configuration to the Oracle Internet Directory server. Type:
  - 9.4 Managing System Configuration Attributes by Using LDAP Tools
    - 9.4.1 Setting System Configuration Attributes by Using ldapmodify
    - 9.4.2 Listing Configuration Attributes with ldapsearch
  - 9.5 Managing System Configuration Attributes by Using ODSM Data Browser
    - 9.5.1 Navigating to the Instance-Specific Configuration Entry
    - 9.5.2 Navigating to the DSA Configuration Entry
    - 9.5.3 Navigating to the DSE Root
      - 10 Managing IP Addresses
  - 10.1 Introduction to Managing IP Addresses
  - 10.2 Configuring an IP Address for IP V6, Cold Failover Cluster, or Virtual IP
    - 1. Create an LDIF file similar to this:
    - 2. Execute the following ldapmodify command:
    - 3. Restart Oracle Internet Directory by using opmnctl, as follows:
    - 4. Update the registration of the Oracle Internet Directory component, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl." For example:
    - 11 Managing Naming Contexts
  - 11.1 Introduction to Managing Naming Contexts
  - 11.2 Searching for Published Naming Contexts
  - 11.3 Publishing a Naming Context
    - 12 Managing Accounts and Passwords
  - 12.1 Introduction to Managing Accounts and Passwords
  - 12.2 Managing Accounts and Passwords by Using Command-Line Tools
    - 12.2.1 Enabling and Disabling Accounts by Using Command-Line Tools
    - 12.2.2 Unlocking Accounts by Using Command-Line Tools
    - 12.2.3 Forcing a Password Change by Using Command-Line Tools
  - 12.3 Managing Accounts and Passwords by Using the Self-Service Console
    - 12.3.1 Enabling and Disabling Accounts by Using the Oracle Internet Directory Self-Service Console
    - 12.3.2 Unlocking Accounts by Using the Oracle Internet Directory Self-Service Console
    - 12.3.3 Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console
  - 12.4 Listing and Unlocking Locked Accounts by Using Oracle Directory Services Manager
    - 1. Invoke Oracle Directory Services Manager as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
    - 2. From the task selection bar, select Data Browser.
    - 3. Perform a simple search, as described in Section 13.2.2, "Searching for Entries by Using Oracle Directory Services Manager," using the search string (pwdaccountlockedtime=*). A list of entries with locked accounts appears.
    - 4. Select the entry whose account you want to unlock.
    - 5. When an account is locked, Unlock Account appears before the Apply and Revert buttons. Click Unlock Account.
  - 12.5 Changing the Superuser Password by Using Fusion Middleware Control
    - 1. Select Administration, then Shared Properties from the Oracle Internet Directory menu.
    - 2. Click the Change Superuser Password tab.
    - 3. Specify the old password.
    - 4. Specify the new password.
    - 5. Confirm the new password.
    - 6. Click Apply.
      - Table 12-1 Configuration Attributes on Shared Properties, Change Superuser Password Tab.
  - 12.6 Creating Another Account With Superuser Privileges
  - 12.7 Managing the Superuser Password by Using ldapmodify
  - 12.8 Changing the Oracle Internet Directory Database Password
  - 12.9 Resetting the Superuser Password
    - Example:
  - 12.10 Changing the Password for the EMD Administrator Account
    - 1. Change the userpassword of the account "cn=emd admin,cn=oracle internet directory" in Oracle Internet Directory by using ldapmodify.
    - 2. Invoke wlst and connect to the WebLogic server.
    - 3. Run the following WLST command:
    - 4. On each Oracle instance in the WebLogic domain, execute the following command line:
    - 5. Update the component registration of the Oracle instance, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl."
  - 12.11 Changing the Password for the ODSSM Administrator Account
    - 1. Use SQLPlus or a similar tool to alter the password in the database.
    - 2. Go to ORACLE_HOME/common/bin and run the following command:
    - 3. Connect to the WebLogic Administration Server:
    - 4. Run the updateCred() command:
    - 5. On each Oracle instance in the WebLogic domain, execute the following command line:
    - 6. Update the component registration of the Oracle instance, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl."
    - 1. Log in to the WebLogic Administration console at: http://host:port/console
    - 2. Select Data Sources -> schedulerDS -> Connection Pool.
    - 3. Click Lock & Edit in the top left corner of the screen.
    - 4. Enter the new password in the Password and Confirm Password fields.
    - 5. Click Activate Changes.
    - 13 Managing Directory Entries
  - 13.1 Introduction to Managing Directory Entries
  - 13.2 Managing Entries by Using Oracle Directory Services Manager
    - 13.2.1 Displaying Entries by Using Oracle Directory Services Manager
    - 13.2.2 Searching for Entries by Using Oracle Directory Services Manager
    - 13.2.3 Importing Entries from an LDIF File by Using Oracle Directory Services Manager
    - 13.2.4 Exporting Entries to an LDIF File by Using Oracle Directory Services Manager
    - 13.2.5 Viewing Attributes for a Specific Entry by Using Oracle Directory Services Manager
    - 13.2.6 Adding a New Entry by Using Oracle Directory Services Manager
    - 13.2.7 Deleting an Entry or Subtree by Using Oracle Directory Services Manager
    - 13.2.8 Adding an Entry by Copying an Existing Entry in Oracle Directory Services Manager
    - 13.2.9 Modifying an Entry by Using Oracle Directory Services Manager
  - 13.3 Managing Entries by Using LDAP Command-Line Tools
    - 13.3.1 Listing All the Attributes in the Directory by Using ldapsearch
    - 13.3.2 Listing Operational Attributes by Using ldapsearch
    - 13.3.3 Attribute Case in ldapsearch Output
    - 13.3.4 Adding a User Entry by Using ldapadd
    - 13.3.5 Modifying a User Entry by Using ldapmodify
    - 13.3.6 Adding an Attribute Option by Using ldapmodify
    - 13.3.7 Deleting an Attribute Option by Using ldapmodify
    - 13.3.8 Searching for Entries with Attribute Options by Using ldapsearch
      - 14 Managing Dynamic and Static Groups
  - 14.1 Introduction to Managing Dynamic and Static Groups
    - 14.1.1 Static Groups
      - 14.1.1.1 Schema Elements for Creating Static Groups
    - 14.1.2 Dynamic Groups
    - 14.1.3 Hierarchies
    - 14.1.4 Querying Group Entries
    - 14.1.5 orclMemberOf Attribute
      - Examples:
    - 14.1.6 When to Use Each Kind of Group
      - Table 14-2 Static and Dynamic Group Considerations
  - 14.2 Managing Group Entries by Using Oracle Directory Services Manager
    - 14.2.1 Creating Static Group Entries by Using Oracle Directory Services Manager
    - 14.2.2 Modifying a Static Group Entry by Using Oracle Directory Services Manager
    - 14.2.3 Creating Dynamic Group Entries by Using Oracle Directory Services Manager
    - 14.2.4 Modifying a Dynamic Group Entry by Using Oracle Directory Services Manager
  - 14.3 Managing Group Entries by Using the Command Line
    - 14.3.1 Creating a Static Group Entry by Using ldapadd
      - Example: Creating a Static Group Entry by Using ldapadd
    - 14.3.2 Modifying a Static Group by Using ldapmodify
      - Example: Modifying a Static Group by Using ldapmodify
    - 14.3.3 Creating a Dynamic Group Entry by Using ldapadd
    - 14.3.4 Modifying a Dynamic Group by Using ldapmodify
      - 15 Performing Bulk Operations
  - 15.1 Introduction to Performing Bulk Operations
  - 15.2 Changing Server Mode
    - 15.2.1 Setting the Server Mode by Using Fusion Middleware Control
    - 15.2.2 Setting the Server Mode by Using ldapmodify
  - 15.3 Loading Data Into the Schema by Using bulkload
    - 15.3.1 Importing an LDIF File by Using bulkload
    - 15.3.2 Loading Data in Incremental or Append Mode By Using bulkload
    - 15.3.3 Performing Index Verification By Using bulkload
    - 15.3.4 Re-Creating Indexes By Using bulkload
    - 15.3.5 Recovering Data After a Load Failure By Using bulkload
  - 15.4 Modifying Attributes of a Large Number of Entries By Using bulkmodify
    - 15.4.1 Adding a Description for All Entries Under a Specified Naming Context
    - 15.4.2 Adding an Attribute for Entries Under a Specified Naming Context Matching a Filter
    - 15.4.3 Replacing an Attribute for All Entries Under a Specified Naming Context
  - 15.5 Deleting Entries or Attributes of Entries by Using bulkdelete
    - 15.5.1 Deleting All Entries Under a Specified Naming Context by Using bulkdelete
    - 15.5.2 Deleting Entries Under Naming Contexts and Making them Tombstone Entries
  - 15.6 Dumping Data from Oracle Internet Directory to a File by Using ldifwrite
    - 15.6.1 Dumping Part of a Specified Naming Context to an LDIF File
    - 15.6.2 Dumping Entries Under a Specified Naming Context to an LDIF File
  - 15.7 Creating and Dropping Indexes from Existing Attributes by Using catalog
    - 15.7.1 Changing a Searchable Attribute into a Non-searchable Attribute
    - 15.7.2 Changing a Non-searchable Attribute into a Searchable Attribute
      - 16 Managing Collective Attributes
  - 16.1 Introduction to Collective Attributes
    - 16.1.1 The RFC Definition and Oracle Extensions
      - 16.1.1.1 RFC 3671
      - 16.1.1.2 Oracle Extensions
    - 16.1.2 Defining the Collective Attribute Subentry
    - 16.1.3 Using subtreeSpecification
    - 16.1.4 Overriding a Collective Attribute
  - 16.2 Managing Collective Attributes by Using the Command Line
    - 16.2.1 Adding a Subentry by Using ldapadd
    - 16.2.2 Modifying a Subentry by Using ldapmodify
      - 17 Managing Alias Entries
  - 17.1 Introduction to Managing Alias Entries
    - Figure 17-1 Alias Entries Example
  - 17.2 Adding an Alias Entry
    - 1. Create a sample LDIF file, My_file.ldif, with the following entries:
    - 2. Add these entries to the directory by using the following command:
    - Figure 17-2 Resulting Tree when Creating the My_file.ldif
  - 17.3 Searching the Directory with Alias Entries
    - Table 17-1 Flags for Searching the Directory with Alias Entries
    - 17.3.1 Searching the Base with Alias Entries
    - 17.3.2 Searching One-Level with Alias Entries
    - 17.3.3 Searching a Subtree with Alias Entries
  - 17.4 Modifying Alias Entries
  - 17.5 Interpreting Messages Related to Alias Dereferencing
    - Table 17-2 Entry Alias Dereferencing Messages
    - 18 Managing Attribute Uniqueness Constraint Entries
  - 18.1 Introduction to Managing Attribute Uniqueness Constraint Entries
    - Table 18-1 Attribute Uniqueness Constraint Entry
    - Simple Replication Scenario
    - Multimaster Replication Scenario
  - 18.2 Specifying Attribute Uniqueness Constraint Entries
    - Figure 18-1 Example of a Directory Information Tree
    - 18.2.1 Specifying Multiple Attribute Names in an Attribute Uniqueness Constraint
    - 18.2.2 Specifying Multiple Subtrees in an Attribute Uniqueness Constraint
    - 18.2.3 Specifying Multiple Scopes in an Attribute Uniqueness Constraint
    - 18.2.4 Specifying Multiple Object Classes in an Attribute Uniqueness Constraint
    - 18.2.5 Specifying Multiple Subtrees, Scopes, and Object Classes in an Attribute Uniqueness Constraint
  - 18.3 Managing an Attribute Uniqueness Constraint Entry by Using Oracle Directory Services Manager
    - 18.3.1 Creating an Attribute Uniqueness Constraint Entry by Using ODSM
    - 18.3.2 Modifying an Attribute Uniqueness Constraint Entry by Using ODSM
    - 18.3.3 Deleting an Attribute Uniqueness Constraint Entry by Using ODSM
  - 18.4 Managing an Attribute Uniqueness Constraint Entry by Using the Command Line
    - 18.4.1 Creating Attribute Uniqueness Across a Directory by Using Command-Line Tools
    - 18.4.2 Creating Attribute Uniqueness Across One Subtree by Using Command-Line Tools
    - 18.4.3 Creating Attribute Uniqueness Across One Object Class by Using Command-Line Tools
    - 18.4.4 Modifying Attribute Uniqueness Constraint Entries by Using Command-Line Tools
    - 18.4.5 Deleting Attribute Uniqueness Constraint Entries by Using Command-Line Tools
      - 1. Remove the attribute uniqueness constraint entry from the directory by using ldapdelete.
      - 2. Restart the directory server to effect this change.
    - 18.4.6 Enabling and Disabling Attribute Uniqueness by Using Command-Line Tools
  - 19.1 Introduction to Managing Knowledge References and Referrals
  - 19.2 Configuring Smart Referrals
    - 1. On Server A and B in the United States, configure a knowledge reference for the c=uk object on Server C and Server D:
    - 2. Configure a similar knowledge reference on Server C and D in the United Kingdom for the c=us object on Server A and Server B:
  - 19.3 Configuring Default Referrals
    - 20 Managing Directory Schema
  - 20.1 Introduction to Managing Directory Schema
    - 20.1.1 Where Schema Information is Stored in the Directory
      - Figure 20-1 Location of Schema Components in Entries of Type subSchemaSubentry
    - 20.1.2 Understanding Object Classes
    - 20.1.3 Understanding Attributes
    - 20.1.4 Extending the Number of Attributes Associated with Entries
    - 20.1.5 Understanding Attribute Aliases
    - 20.1.6 Object Identifier Support in LDAP Operations
  - 20.2 Managing Directory Schema by Using Oracle Directory Services Manager
    - 20.2.1 Searching for Object Classes by Using Oracle Directory Services Manager
    - 20.2.2 Adding Object Classes by Using Oracle Directory Services Manager
    - 20.2.3 Modifying Object Classes by Using Oracle Directory Services Manager
    - 20.2.4 Deleting Object Classes by Using Oracle Directory Services Manager
    - 20.2.5 Viewing Properties of Object Classes by Using Oracle Directory Services Manager
    - 20.2.6 Adding a New Attribute by Using Oracle Directory Services Manager
    - 20.2.7 Modifying an Attribute by Using Oracle Directory Services Manager
    - 20.2.8 Deleting an Attribute by Using Oracle Directory Services Manager
    - 20.2.9 Viewing All Directory Attributes by Using Oracle Directory Services Manager
    - 20.2.10 Searching for Attributes by Using Oracle Directory Services Manager
    - 20.2.11 Adding an Index to a New Attribute by Using Oracle Directory Services Manager
      - 1. Create an attribute as described in Section 20.2.6, "Adding a New Attribute by Using Oracle Directory Services Manager" or in Section 20.3.5, "Adding and Modifying Attributes by Using ldapmodify."
      - 2. In the New Attribute Type dialog box, select the Indexed box.
    - 20.2.12 Adding an Index to an Existing Attribute by Using Oracle Directory Services Manager
    - 20.2.13 Dropping an Index from an Attribute by Using Oracle Directory Services Manager
    - 20.2.14 Creating a Content Rule by Using Oracle Directory Services Manager
    - 20.2.15 Modifying a Content Rule by Using Oracle Directory Services Manager
    - 20.2.16 Viewing Matching Rules by Using Oracle Directory Services Manager
    - 20.2.17 Viewing Syntaxes by Using Oracle Directory Services Manager
  - 20.3 Managing Directory Schema by Using the Command Line
    - 20.3.1 Viewing the Schema by Using ldapsearch
    - 20.3.2 Adding a New Object Class by Using Command-Line Tools
    - 20.3.3 Adding a New Attribute to an Auxiliary or User-Defined Object Class by Using Command-Line Tools
    - 20.3.4 Modifying Object Classes by Using Command-Line Tools
    - 20.3.5 Adding and Modifying Attributes by Using ldapmodify
    - 20.3.6 Deleting Attributes by Using ldapmodify
    - 20.3.7 Indexing an Attribute by Using ldapmodify
    - 20.3.8 Dropping an Index from an Attribute by Using ldapmodify
    - 20.3.9 Indexing an Attribute by Using the Catalog Management Tool
    - 20.3.10 Adding a New Attribute With Attribute Aliases by Using the Command Line
    - 20.3.11 Adding or Modifying Attribute Aliases in Existing Attributes by Using the Command Line
    - 20.3.12 Deleting Attribute Aliases by Using the Command Line
    - 20.3.13 Using Attribute Aliases with LDAP Commands
    - 20.3.14 Managing Content Rules by Using Command-Line Tools
      - Table 20-2 Content Rule Parameters
    - 20.3.15 Viewing Matching Rules by Using ldapsearch
    - 20.3.16 Viewing Syntaxes by Using by Using ldapsearch
      - 21 Configuring Referential Integrity
  - 21.1 Introduction to Configuring Referential Integrity
  - 21.2 Enabling Referential Integrity by Using Fusion Middleware Control
    - 1. Select Administration, then Shared Properties from the Oracle Internet Directory menu, then select General.
    - 2. Select a value from the Referential Integrity list:
    - 3. Choose Apply.
  - 21.3 Disabling Referential Integrity by Using Fusion Middleware Control
    - 1. Select Administration, then Shared Properties from the Oracle Internet Directory menu, then select General.
    - 2. Select Disabled from the Enable Referential Integrity list.
  - 21.4 Enabling Referential Integrity by Using the Command Line
  - 21.5 Configuring Specific Attributes for Referential Integrity by Using the Command Line
  - 21.6 Disabling Referential Integrity by Using the Command Line
  - 21.7 Detecting and Correcting Referential Integrity Violations
    - 1. Run oiddiag with the option listdiags=true. The default output file is ORACLE_INSTANCE/diagnostics/logs/OID/tools/oiddiag.txt.
    - 2. Edit the output file, oiddiag.txt so that it contains only the line:
    - 3. Run oiddiag with the option collect_sub=true
    - 22 Managing Auditing
  - 22.1 Introduction to Auditing
    - 22.1.1 Configuring the Audit Store
    - 22.1.2 Oracle Internet Directory Audit Configuration
      - Table 22-1 Oracle Internet Directory Audit Configuration Attributes
    - 22.1.3 Replication and Oracle Directory Integration Platform Audit Configuration
    - 22.1.4 Audit Record Fields
    - 22.1.5 Audit Record Storage
    - 22.1.6 Generating Audit Reports
  - 22.2 Managing Auditing by Using Fusion Middleware Control
    - 1. From the Oracle Internet Directory menu, select Security, then Audit Policy Settings.
    - 2. From the Audit Policy list, select Custom to configure your own filters, or one of the filter presets, None, Low, or Medium. (You cannot set All from Fusion Middleware Control.)
    - 3. If you want to audit only failures, click Select Failures Only.
    - 4. To configure a filter, click the Edit icon next to its name. The Edit Filter dialog for the filter appears.
    - 5. Specify the filter condition using the buttons, selections from the menus, and strings that you enter. Condition subjects inc...
    - 6. To add a condition, click the Add icon.
    - 7. When you have completed the filter, click Apply to save the changes or Revert to discard the changes.
      - Table 22-2 Audit Configuration Attributes in Fusion Middleware Control
  - 22.3 Managing Auditing by Using WLST
  - 22.4 Managing Auditing from the Command Line
    - 22.4.1 Viewing Audit Configuration from the Command Line
    - 22.4.2 Configuring Oracle Internet Directory Auditing from the Command Line
    - 22.4.3 Enabling Replication and Oracle Directory Integration Platform Auditing
      - 23 Managing Logging
  - 23.1 Introduction to Logging
    - Table 23-1 Oracle Internet Directory Log File Locations
    - 23.1.1 Features of Oracle Internet Directory Debug Logging
    - 23.1.2 Interpreting Log Messages
  - 23.2 Managing Logging by Using Fusion Middleware Control
    - 23.2.1 Viewing Log Files by Using Fusion Middleware Control
    - 23.2.2 Configuring Logging by Using Fusion Middleware Control
  - 23.3 Managing Logging from the Command Line
    - 23.3.1 Viewing Log Files from the Command Line
    - 23.3.2 Setting Debug Logging Levels by Using the Command Line
      - Table 23-3 Values for OrclDebugFlag
    - 23.3.3 Setting the Debug Operation by Using the Command Line
      - Table 23-4 Debug Operations
    - 23.3.4 Force Flushing the Trace Information to a Log File
      - Example 23-1 Enabling Force Flushing
        1. Create an LDIF file as follows:
        2. Load this file by entering the following:
        24 Monitoring Oracle Internet Directory
  - 24.1 Introduction to Monitoring Oracle Internet Directory Server
    - 24.1.1 Capabilities of Oracle Internet Directory Server Manageability
    - 24.1.2 Oracle Internet Directory Server Manageability Architecture and Components
      - Figure 24-1 Architecture of Oracle Internet Directory Server Manageability
        Table 24-1 Components of Oracle Internet Directory Server Manageability
    - 24.1.3 Purging of Security Events and Statistics Entries
    - 24.1.4 Account Used for Accessing Server Manageability Information
  - 24.2 Setting Up Statistics Collection by Using Fusion Middleware Control
    - 24.2.1 Configuring Directory Server Statistics Collection by Using Fusion Middleware Control
    - 24.2.2 Configuring a User for Statistics Collection by Using Fusion Middleware Control
  - 24.3 Viewing Statistics Information with Fusion Middleware Control
    - 24.3.1 Viewing Statistics Information on the Oracle Internet Directory Home Page
    - 24.3.2 Viewing Information on the Oracle Internet Directory Performance Page
  - 24.4 Viewing Statistics Information from the Oracle Directory Services Manager Home Page
  - 24.5 Setting Up Statistics Collection by Using the Command-Line
    - 24.5.1 Configuring Health, General, and Performance Statistics Attributes
    - 24.5.2 Configuring Security Events Tracking
      - Table 24-3 Values of orcloptracklevel
      - Table 24-4 Metrics Recorded by Each orcloptracklevel Value
    - 24.5.3 Configuring User Statistics Collection from the Command Line
    - 24.5.4 Configuring Event Levels from the Command Line
      - Table 24-5 Event Levels
    - 24.5.5 Configuring a User for Statistics Collection by Using the Command Line
  - 24.6 Viewing Information with the OIDDIAG Tool
    - Security Events
    - All Statistics and Events
    - Subset of Statistics and Events
  - 26.1 Introduction to Configuring Secure Sockets Layer (SSL)
    - 26.1.1 Supported Cipher Suites
      - Table 26-1 SSL Cipher Suites Supported in Oracle Internet Directory
    - 26.1.2 Supported Protocol Versions
    - 26.1.3 SSL Authentication Modes
      - Table 26-2 SSL Authentication Modes
    - 26.1.4 Limitations of the Use of SSL in11g Release 1 (11.1.1)
    - 26.1.5 Oracle Wallets
    - 26.1.6 Other Components and SSL
    - 26.1.7 SSL Interoperability Mode
    - 26.1.8 StartTLS
  - 26.2 Configuring SSL by Using Fusion Middleware Control
    - 1. Creating a Wallet by Using Fusion Middleware Control
    - 2. Configuring SSL Parameters by Using Fusion Middleware Control
    - 3. Restarting Oracle Internet Directory.
    - 26.2.1 Creating a Wallet by Using Fusion Middleware Control
    - 26.2.2 Configuring SSL Parameters by Using Fusion Middleware Control
    - 26.2.3 Setting SSL Parameters with Fusion Middleware Control
      - SSL Attributes
        Table 26-3 SSL-Related Attributes in Fusion Middleware Control
  - 26.3 Configuring SSL by Using WLST
    - 1. Create an Oracle wallet.
    - 2. Configure SSL parameters.
    - 3. Restart Oracle Internet Directory.
    - 1. Invoke wlst and connect to the host, specifying the username, password, and port of the WebLogic administration server.
    - 2. Navigate to the custom mbean tree, then to the specific mbean oracle.as.oid, as described in Section 9.3, "Managing System Configuration Attributes by Using WLST."
    - 3. Determine what certificates, if any, you already have in the Key Store MBean. See Table 9-7, " Oracle Internet Directory-Related MBeans".
    - 4. If Necessary, create a new self-signed certificate.
    - 5. Add a self-signed certificate to the wallet for use as the server certificate.
    - 6. Configure the oid1 component node's listener/port for SSL, specifying the appropriate authentication mode:
    - 7. Restart Oracle Internet Directory, as described in Chapter 8, "Managing Oracle Internet Directory Instances," to activate the changes
    - 8. Run opmnctl updatecomponentregistration, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl"
    - 9. Verify that SSL is enabled by using the methods described in Section 26.5, "Testing SSL Connections by Using Oracle Directory Services Manager" and Section 26.6, "Testing SSL Connections From the Command Line."
  - 26.4 Configuring SSL by Using LDAP Commands
    - 1. Create an Oracle wallet.
    - 2. Configure SSL parameters.
    - 3. Restart Oracle Internet Directory.
      - Table 26-4 SSL Attributes
  - 26.5 Testing SSL Connections by Using Oracle Directory Services Manager
    - 1. Invoke ODSM as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
    - 2. Connect to the Oracle Internet Directory server. On the login screen, enable SSL and specify the SSL port.
  - 26.6 Testing SSL Connections From the Command Line
    - 26.6.1 Testing SSL With Encryption Only
    - 26.6.2 Testing SSL With Server Authentication
    - 26.6.3 Testing SSL With Client and Server Authentication
  - 26.7 Configuring SSL Interoperability Mode
    - 27 Configuring Data Privacy
  - 27.1 Introduction to Table Space Encryption
  - 27.2 Enabling and Disabling Table Space Encryption
    - 1. Make a cold backup of the Oracle Databases that are used by the Oracle Internet Directory instances.
    - 2. Make sure you have the JavaVM and XML developer's Kit packages installed in the database Oracle home.
    - 3. Log in to SQL*Plus as a user who has the SYSTEM privilege and execute the following command:
    - 4. Create the directory object, log directory object used for dumpfiles, and logfiles of the Oracle DataPump utility. Log in to SQL*Plus as the ODS user and execute the following commands:
    - 5. Create directory_path and log_directory_path in the file system.
    - 6. Set the database wallet location in the sqlnet.ora of the database Oracle home.
      - a. To use a separate database wallet for table space encryption, set the parameter ENCRYPTION_WALLET_LOCATION in sqlnet.ora. For example:
      - b. To use the same database wallet shared by all Oracle components, set the parameter WALLET_LOCATION in sqlnet.ora. For example:
    - 7. Shut down all the Oracle Internet Directory instances that are using the Oracle Database Oracle home.
    - 8. If you are enabling table space encryption for the first time in the Oracle Database Oracle home, log in to SQL*Plus as a user who has the ALTER SYSTEM privilege and execute the following command:
    - 9. Whenever the Oracle Database is shut down and restarted, log in to SQL*Plus as a user who has the ALTER SYSTEM privilege and execute the following command:
    - 10. Set the environment variable ORACLE_HOME to the Oracle Database home.
    - 11. Set the environment variable NLS_LANG to the character set of the Oracle Database server.
    - 12. Edit the path of the perl5 executable in the Perl script ORACLE_ HOME/ldap/datasecurity/oidtbltde.pl so that it matches the location of perl5 on your computer.
    - 13. If you have not already done so, install the database independent interface module for Perl (DBI) and the Oracle DBD driver for Perl.
    - 14. Run the Perl script oidtbltde.pl to enable or disable TDE for Oracle Internet Directory
  - 27.3 Introduction to Using Database Vault With Oracle Internet Directory
  - 27.4 Configuring Oracle Database Vault to Protect Oracle Internet Directory Data
    - 27.4.1 Registering Oracle Database Vault
    - 27.4.2 Adding a Database Vault Realm and Policies for Oracle Internet Directory
    - 27.4.3 Managing Oracle Database Vault Configuration for Oracle Internet Directory
    - 27.4.4 Deleting Database Vault Policies For Oracle Internet Directory
    - 27.4.5 Disabling Oracle Database Vault for the Oracle Internet Directory Database
  - 27.5 Best Practices for Using Database Vault with Oracle Internet Directory
  - 27.6 Introduction to Sensitive Attributes
    - 27.6.1 List of Sensitive Attributes
      - Table 27-1 Sensitive Attributes Stored in orclencryptedattributes
    - 27.6.2 Encryption Algorithm for Sensitive Attributes
  - 27.7 Configuring Privacy of Retrieved Sensitive Attributes
  - 27.8 Introduction to Hashed Attributes
    - Table 27-2 LDAP and Bulk Operations on Attributes in orclhashedattributes
  - 27.9 Configuring Hashed Attributes
    - 27.9.1 Configuring Hashed Attributes by Using Fusion Middleware Control
    - 27.9.2 Configuring Hashed Attributes by Using ldapmodify
      - 28 Managing Password Policies
  - 28.1 Introduction to Managing Password Policies
    - 28.1.1 What a Password Policy Is
    - 28.1.2 Steps Required to Create and Apply a Password Policy
    - 28.1.3 Fine-Grained Password Policies
      - Figure 28-1 Location of Password Policy Entries
      - Figure 28-2 pwdPolicy subentry Attributes Populated with DN of Password Policy
    - 28.1.4 Default Password Policy
    - 28.1.5 Password Policy Attributes
      - Table 28-1 Password Policy Attributes
    - 28.1.6 Password Policy-Related Operational Attributes
      - Table 28-2 Password Policy-Related Operational Attributes
    - 28.1.7 Directory Server Verification of Password Policy Information
    - 28.1.8 Password Policy Error Messages
    - 28.1.9 Releases Before 10g (10.1.4.0.1)
  - 28.2 Managing Password Policies by Using Oracle Directory Services Manager
    - 28.2.1 Viewing Password Policies by Using Oracle Directory Services Manager
    - 28.2.2 Modifying Password Policies by Using Oracle Directory Services Manager
    - 28.2.3 Creating a Password Policy and Assigning it to a Subtree by Using ODSM
  - 28.3 Managing Password Policies by Using Command-Line Tools
    - 28.3.1 Viewing Password Policies by Using Command-Line Tools
    - 28.3.2 Creating a New Password Policy by Using Command-Line Tools
    - 28.3.3 Applying a Password Policy to a Subtree by Using Command-Line Tools
    - 28.3.4 Setting Password Policies by Using Command-Line Tools
      - 29 Managing Directory Access Control
  - 29.1 Introduction to Managing Directory Access Control
    - 29.1.1 Access Control Management Constructs
    - 29.1.2 Access Control Information Components
    - 29.1.3 Access Level Requirements for LDAP Operations
      - Table 29-3 LDAP Operations and Access Needed to Perform Each One
    - 29.1.4 How ACL Evaluation Works
  - 29.2 Managing Access Control by Using Oracle Directory Services Manager
    - 29.2.1 Viewing an ACP by Using Oracle Directory Services Manager
    - 29.2.2 Adding an ACP by Using Oracle Directory Services Manager
    - 29.2.3 Modifying an ACP by Using Access Control Management in ODSM
    - 29.2.4 Adding or Modifying an ACP by Using the Data Browser in ODSM
    - 29.2.5 Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM
  - 29.3 Managing Access Control by Using Command-Line Tools
    - 29.3.1 Restricting the Kind of Entry a User Can Add
    - 29.3.2 Setting Up an Inheritable ACP by Using ldapmodify
    - 29.3.3 Setting Up Entry-Level ACIs by Using ldapmodify
    - 29.3.4 Using Wildcards in an LDIF File with ldapmodify
    - 29.3.5 Selecting Entries by DN
    - 29.3.6 Using Attribute and Subject Selectors
    - 29.3.7 Granting Read-Only Access
    - 29.3.8 Granting Selfwrite Access to Group Entries
    - 29.3.9 Defining a Completely Autonomous Policy to Inhibit Overriding Policies
      - Table 29-5 DNs Used in Example
      - 30 Managing Password Verifiers
  - 30.1 Introduction to Password Verifiers for Authenticating to the Directory
    - 30.1.1 Userpassword Verifiers and Authentication to the Directory
    - 30.1.2 Hashing Schemes for Creating Userpassword Verifiers
  - 30.2 Managing Hashing Schemes for Password Verifiers for Authenticating to the Directory
  - 30.3 Introduction to Password Verifiers for Authenticating to Components
    - 30.3.1 About Password Verifiers for Authenticating to Oracle Components
      - Figure 30-1 Location of the Password Verifier Profile Entry
    - 30.3.2 Attributes for Storing Password Verifiers for Authenticating to Oracle Components
      - Table 30-1 Attributes for Storing Password Verifiers in User Entries
      - Figure 30-2 Authentication Model
    - 30.3.3 Default Verifiers for Oracle Components
    - 30.3.4 How Password Verification Works for an Oracle Component
      - Figure 30-3 How Password Verification Works
        1. The user tries to log in to an application by entering a user name and a clear text password.
        2. The application sends the clear text password to the directory server. If the application stores password verifiers in the di...
        3. The directory server:
        a. Generates a password verifier by using the hashing algorithm specified for the particular application
        b. Compares this password verifier with the corresponding password verifiers in the directory. For the compare operation to be successful, the application must provide its appID as the subtype of the verifier attribute. For example:
        c. Notifies the application of the results of the compare operation.
        4. Depending on the message from the directory server, the application either authenticates the user or not.
        1. Hashes the clear text password entered by the user
        2. Retrieves from the directory the hashed value of the clear text password as entered by the user
        3. Initiates a challenge to the user to which the client responds. If the response is correct, then the application authenticates the user.
  - 30.4 Managing Password Verifier Profiles for Oracle Components by Using ODSM
    - 1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
    - 2. From the task selection bar, select Security.
    - 3. Expand Password Verifier in the left pane. All of the password verifiers appear in the left pane.
    - 4. Select the password verifier you want to view. The right pane displays the Password Verifier Profile tab page.
    - 5. You can modify the hashing algorithm used to generate a password verifier. In the Password Verifier Profile dialog box, specify the hashing algorithm in the Oracle Password Parameters field. The syntax is:
  - 30.5 Managing Password Verifier Profiles for Components by Using Command-Line Tools
    - 30.5.1 Viewing a Password Verifier Profile by Using Command-Line Tools
    - 30.5.2 Example: Modifying a Password Verifier Profile by Using Command-Line Tools
  - 30.6 Introduction to Generating Verifiers by Using Dynamic Parameters
  - 30.7 Configuring Oracle Internet Directory to Generate Dynamic Password Verifiers
    - 31 Delegating Privileges for Oracle Identity Management
  - 31.1 Introduction to Delegating Privileges for Oracle Identity Management
    - 31.1.1 How Delegation Works
    - 31.1.2 Delegation in an Oracle Fusion Middleware Environment
      - Figure 31-1 Delegation Flow in an Oracle Fusion Middleware Environment
    - 31.1.3 About the Default Configuration
      - Table 31-1 Default Privileges Granted to Everyone and to Each User
    - 31.1.4 Privileges for Administering the Oracle Technology Stack
      - Table 31-2 Privileges for Administering the Oracle Technology Stack
  - 31.2 Delegating Privileges for User and Group Management
    - 31.2.1 How Privileges Are Granted for Managing User and Group Data
    - 31.2.2 Default Privileges for Managing User Data
    - 31.2.3 Default Privileges for Managing Group Data
  - 31.3 Delegating Privileges for Deployment of Oracle Components
    - 31.3.1 How Deployment Privileges Are Granted
      - 1. Grants certain deployment privileges to various groups-for example, the Oracle Fusion Middleware Administrators Group
      - 2. Adds the administrators to those privileged groups
    - 31.3.2 Oracle Application Server Administrators
      - Table 31-11 Characteristics of the Oracle Application Server Administrators Group
    - 31.3.3 User Management Application Administrators
      - Table 31-12 Characteristics of the User Management Application Administrators Group
    - 31.3.4 Trusted Application Administrators
      - Table 31-13 Characteristics of the Trusted Application Administrators Group
  - 31.4 Delegating Privileges for Component Run Time
    - 31.4.1 Default Privileges for Reading and Modifying User Passwords
      - Table 31-14 Characteristics of the User Security Administrators Group
    - 31.4.2 Default Privileges for Comparing User Passwords
      - Table 31-15 Characteristics of the Authentication Services Group
    - 31.4.3 Default Privileges for Comparing Password Verifiers
      - Table 31-16 Characteristics of the Verifier Services Group
    - 31.4.4 Default Privileges for Proxying on Behalf of End Users
      - Table 31-17 Characteristics of the User Proxy Privilege Group
    - 31.4.5 Default Privileges for Managing the Oracle Context
      - Table 31-18 Characteristics of the Oracle Context Administrators Group
    - 31.4.6 Default Privileges for Reading Common User Attributes
      - Table 31-19 Characteristics of the Common User Attributes Group
    - 31.4.7 Default Privileges for Reading Common Group Attributes
      - Table 31-20 Characteristics of the Common Group Attributes Group
    - 31.4.8 Default Privileges for Reading the Service Registry
      - Table 31-21 Characteristics of the Service Registry Viewers Group
    - 31.4.9 Default Privileges for Administering the Service Registry
      - Table 31-22 Characteristics of the Common Group Attributes Group
      - 32 Managing Authentication
  - 32.1 Introduction to Authentication
    - 32.1.1 Direct Authentication
    - 32.1.2 Indirect Authentication
      - Figure 32-1 Indirect Authentication
        1. The end user sends to the application or middle tier a request containing a query to Oracle Internet Directory. The application or middle tier authenticates the end user.
        2. The application or middle tier binds to the directory.
        3. The application or middle tier performs a second bind, this time using the DN of the end user. It does not enter the end user's password.
        4. The directory server recognizes this second bind as an attempt by the application or middle tier to switch to the end user's ...
    - 32.1.3 External Authentication
    - 32.1.4 Simple Authentication and Security Layer (SASL)
      - How a SASL-Enabled Client Authenticates to a Directory Server by Using Digest-MD5
        1. The directory server sends to the LDAP client a digest-challenge that includes various Digest-MD5 authentication options that it supports and a special token.
        2. The client selects an authentication option, then sends a digest-response to the server indicating the option it has selected...
        3. The directory server then decrypts and verifies the client credential from the response.
      - How a SASL-Enabled Client Authenticates to a Directory Server by Using External Authentication
        1. The client sends an initial message with the authorization identity.
        2. The directory server uses information external to SASL to determine whether the client can validly authenticate as the author...
  - 32.2 Configuring Certificate Authentication Method by Using Fusion Middleware Control
  - 32.3 Configuring SASL Authentication by Using Fusion Middleware Control
    - 1. Select Administration, then Server Properties from the Oracle Internet Directory menu, then select SASL.
    - 2. Select the desired types for MD5 SASL Authentication Mode.
    - 3. If you select Authentication with Integrity and Privacy Protection, you are presented with choices for SASL Cipher Choice for...
    - 4. If desired, select Enable SASL Authentication. Before enabling SASL Authentication, ensure that Oracle Internet Directory is configured to perform mutual authentication. See Section 26.2, "Configuring SSL by Using Fusion Middleware Control."
    - 5. Choose Apply.
      - Table 32-1 Configuration Attributes on Server Properties, SASL Tab
  - 32.4 Configuring Certificate Authentication Method by Using Command-Line Tools
  - 32.5 Configuring SASL Authentication by Using the Command Line
    - Table 32-2 SASL Authentication Attributes
    - Table 32-3 SASL Authentication Modes
  - 32.6 Introduction to Anonymous Binds
    - Table 32-4 Orclanonymousbindsflag Value and Directory Server Behavior
  - 32.7 Managing Anonymous Binds
    - 32.7.1 Managing Anonymous Binds by Using Fusion Middleware Control
    - 32.7.2 Managing Anonymous Binds by Using the Command Line
      - Part IV Advanced Administration: Managing Directory Deployment
      - 33 Planning, Deploying and Managing Realms
  - 33.1 Introduction to Planning, Deploying and Managing Realms
    - 33.1.1 Planning the Identity Management Realm
      - Figure 33-1 Example of an Identity Management Realm
    - 33.1.2 Identity Management Realms in an Enterprise Deployment
      - 33.1.2.1 Single Identity Management Realm in the Enterprise
        Figure 33-2 Enterprise Use Case: Single Identity Management Realm
      - 33.1.2.2 Multiple Identity Management Realms in the Enterprise
        Figure 33-3 Enterprise Use Case: Multiple Identity Management Realms
    - 33.1.3 Identity Management Realms in a Hosted Deployment
      - Figure 33-4 Hosted Deployment Use Case
    - 33.1.4 Identity Management Realm Implementation in Oracle Internet Directory
      - Table 33-1 Oracle Identity Management Objects
    - 33.1.5 Default Directory Information Tree and the Identity Management Realm
      - Figure 33-5 Default Identity Management Realm
  - 33.2 Customizing the Default Identity Management Realm
    - Table 33-2 Customizing the Default Identity Management Realm
    - Use Case 1:
    - Use Case 2:
    - Use Case 3:
    - Use Case 4:
    - Use Case 5:
    - 33.2.1 Steps to Update the Existing User and Group Search Base
    - 33.2.2 Set up an Additional Search Base
    - 33.2.3 Refresh Oracle Single Sign-On
    - 33.2.4 Reconfigure Provisioning Profiles
  - 33.3 Creating Additional Identity Management Realms for Hosted Deployments
    - 34 Tuning and Sizing Oracle Internet Directory
    - 35 Managing Garbage Collection
  - 35.1 Introduction to Managing Garbage Collection
    - 35.1.1 Components of the Oracle Internet Directory Garbage Collection Framework
      - 35.1.1.1 Garbage Collection Plug-in
      - 35.1.1.2 Background Database Processes
        35.1.1.2.1 Garbage Collectors
        35.1.1.2.2 Predefined Garbage Collectors
        35.1.1.2.3 Oracle Internet Directory Statistics Collector
    - 35.1.2 How Oracle Internet Directory Garbage Collection Works
      - Figure 35-1 Example: Garbage Collection of Change Log Entries
        1. An LDAP client sends to the directory server a request for a particular garbage collection operation. The operation could be, for example, to purge the entries of tombstone or, change logs.
        2. The directory server passes the request to the garbage collection plug-in.
        3. The garbage collection plug-in sends the request to the garbage collection engine in the Oracle Internet Directory-designated database.
        4. The garbage collection engine triggers the corresponding background database process-in this case, the change log garbage collector. The background database process runs according to the parameters specified in its configuration.
    - 35.1.3 Garbage Collector Entries and the Oracle Internet Directory Statistics Collector Entry
      - Figure 35-2 Garbage Collection Entries in the DIT
    - 35.1.4 Change Log Purging
  - 35.2 Set Oracle Database Time Zone for Garbage Collection
    - 1. Invoke PL/SQL:
    - 2. Perform a query to get the value of dbtimezone:
    - 3. Perform a query to get the displacement from Coordinated Universal Time (UTC):
    - 4. If the dbtimezone parameter is equal to last column value of the systimestamp output, you do not need to perform the remaining steps. Otherwise, proceed to Step 5.
    - 5. Stop all instances of Oracle Internet Directory that are using the Oracle Database, as described in Chapter 8, "Managing Oracle Internet Directory Instances."
    - 6. Set the dbtimezone parameter, using the value you got from the last column the systimestamp query:
    - 7. Shut down the Oracle Database:
    - 8. Restart the Oracle Database:
    - 9. Restart Oracle Internet Directory as described in Chapter 8, "Managing Oracle Internet Directory Instances."
  - 35.3 Modifying Oracle Internet Directory Garbage Collectors
    - 35.3.1 Modifying a Garbage Collector by Using Oracle Directory Services Manager
    - 35.3.2 Modifying a Garbage Collector by Using Command-Line Tools
      - 35.3.2.1 Example 1: Modifying a Garbage Collector
      - 35.3.2.2 Example 2: Disabling a Garbage Collector Change Log
    - 35.3.3 Modifying the Oracle Internet Directory Statistics Collector
  - 35.4 Managing Logging for Oracle Internet Directory Garbage Collectors
    - 35.4.1 Enabling Logging for Oracle Internet Directory Garbage Collectors
    - 35.4.2 Disabling Logging for Oracle Internet Directory Garbage Collectors
    - 35.4.3 Monitoring Garbage Collection Logging
  - 35.5 Configuring Time-Based Change Log Purging
    - 36 Migrating Data from Other Data Repositories
  - 36.1 Introduction to Migrating Data from Other Data Repositories
  - 36.2 Migrating Data from LDAP-Compliant Directories
    - Table 36-1 Features of bulkload and syncProfileBootstrap
    - 36.2.1 Migrating LDAP Data by Using an LDIF File and bulkload
    - 36.2.2 Migrating LDAP Data by Using syncProfileBootstrap Directly
      - Figure 36-2 Using syncProfileBootstrap Directly
    - 36.2.3 Migrating LDAP Data by Using an LDIF File and syncProfileBootstrap
      - Figure 36-3 Using an LDIF File and syncProfileBootstrap
    - 36.2.4 Migrating LDAP Data by Using syncProfileBootstrap, bulkload, and LDIF Files
      - Figure 36-4 Using syncProfileBootstrap, bulkload, and LDIF Files
    - 36.2.5 Migrating LDAP Data by Using the Oracle Directory Integration Platform Server
      - Figure 36-5 Using the Oracle Directory Integration Server
  - 36.3 Migrating User Data from Application-Specific Repositories
    - 36.3.1 The Intermediate Template File
    - 36.3.2 Reconciling Data in Application Repository with Data Already in the Directory
    - 36.3.3 Tasks For Migrating Data from Application-Specific Repositories
      - 36.3.3.1 Task 1: Create an Intermediate Template File
        Figure 36-6 Structure of the Intermediate User File
        36.3.3.1.1 Example: User Entries in an Intermediate Template File
        36.3.3.1.2 Attributes in User Entries
        Table 36-2 Mandatory Attributes in a User Entry
      - 36.3.3.2 Task 2: Run the OID Migration Tool
        37 Configuring Server Chaining
  - 37.1 Introduction to Configuring Server Chaining
    - 37.1.1 Supported External Servers
    - 37.1.2 Integrated Oracle Products
      - 37.1.2.1 Oracle Single Sign-On
      - 37.1.2.2 Enterprise User Security
    - 37.1.3 Supported Operations
    - 37.1.4 Server Chaining with Replication
  - 37.2 Configuring Server Chaining
    - 37.2.1 Configuring Server Chaining by Using Oracle Directory Services Manager
    - 37.2.2 Configuring Server Chaining from the Command Line
  - 37.3 Creating Server Chaining Configuration Entries
    - 37.3.1 Configuration Entry Attributes
      - Table 37-1 Configuration Entry Attributes for Server Chaining
    - 37.3.2 Requirements for User and Group Containers
    - 37.3.3 Attribute Mapping
    - 37.3.4 Active Directory Example
    - 37.3.5 Active Directory with SSL Example
    - 37.3.6 Active Directory with New Attributes Example
    - 37.3.7 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) Example
    - 37.3.8 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) with SSL Example
    - 37.3.9 eDirectory Example
    - 37.3.10 eDirectory with SSL Example
  - 37.4 Debugging Server Chaining
    - 1. Set the Oracle Internet Directory server debug logging level, as described in Section 23.2, "Managing Logging by Using Fusion...
    - 2. Modify the Oracle Internet Directory server chaining debugging settings. For both cn=oidscad,cn=oid server chaining,cn=subconfigsubentry and cn=oidsciplanet,cn=oid server chaining, cn=subconfigsubentry. set the attribute orcloidscDebugEnabled to 1.
  - 37.5 Configuring an Active Directory Plug-in for Password Change Notification
    - 1. In Active Directory, create an attribute called orclCommonAttribute to store the hash password. Use a command line such as:
    - 2. Associate the attribute with the user objectclass. Use a command line such as:
    - 3. Install the password change notification plug-in, as follows:
    - 4. Reset the password for all the Active Directory users so that the password verifier is present for all the users.
    - 38 Managing DIT Masking
  - 38.1 Configuring Masking
    - Table 38-1 Masking Configuration Attributes
  - 38.2 Masking Examples
    - 38.2.1 Restricting Access by Container Name
    - 38.2.2 Restricting Access by Entry Data
      - Part V Advanced Administration: Directory Replication
      - 39 Setting Up Replication
  - 39.1 Introduction to Setting Up Replication
    - 39.1.1 Replication Transport Mechanisms
    - 39.1.2 Replication Setup Methods
    - 39.1.3 Bootstrap Rules
    - 39.1.4 The Replication Agreement
    - 39.1.5 Other Replication Configuration Attributes
    - 39.1.6 Replication Process and Architecture
    - 39.1.7 Rules for Configuring LDAP-Based Replication
    - 39.1.8 Replication Security
      - 39.1.8.1 Authentication and the Directory Replication Server
      - 39.1.8.2 Secure Sockets Layer (SSL) and Oracle Internet Directory Replication
    - 39.1.9 LDAP Replication Filtering for Partial Replication
  - 39.2 Converting an Advanced Replication-Based Agreement to an LDAP-Based Agreement
  - 39.3 Setting Up an LDAP-Based Replication Agreement by Using the Replication Wizard
    - 1. From the Oracle Internet Directory menu on the home page, select Administration, then Replication Management.
    - 2. You are prompted to log into the replication DN account. Provide the host, port, replication DN, and replication DN password....
    - 3. Click the Create icon.
    - 4. On the Type screen, select the replication type: One Way Replication, Two Way Replication, or Multimaster Replication.
    - 5. Click Next. The Replicas screen displays the replication type you selected.
    - 6. Provide an agreement name. This must be unique across all the nodes.
    - 7. For one way or two way replication, enter the host, port, user name (replication DN), and replication password for the consumer node. Fields for the supplier node are populated and greyed out.
    - 8. Click Next to go the Settings page.
    - 9. In the LDAP Connection field, select Keep Alive if you want the replication server to use same connection for performing mult...
    - 10. Enter the Replication Frequency.
    - 11. Enter the Human Intervention Queue Schedule. This is the interval, in seconds, at which the directory replication server repeats the change application process.
    - 12. If you have specified Two Way Replication or Multimaster Replication as the agreement type, the settings page contains a sec...
    - 13. Click Next to go to the Scope page. The default primary naming context is filled in.
    - 14. To exclude a secondary naming context within the default primary naming context, select the primary naming context and click the Create button. Then proceed to Step 16.
    - 15. To create another primary naming context, click the Create Primary Naming Context button. This invokes the Primary Naming Context dialog.
    - 16. To exclude a secondary naming context, click the Add icon below the Excluded Secondary Naming Contexts field. This invokes t...
    - 17. To exclude an attribute, click the Add icon below the ExcludedAttributes field. This invokes the Select Excluded Attributes screen. Select the attributes you want to exclude and click OK. The attribute now appears in the Excluded Attributes field.
    - 18. Click OK. The primary naming context is now listed on the Scope page.
    - 19. Click Next. The Summary page displays a summary of the replication agreement you are about to create.
    - 20. Click Finish to create the replication agreement.
  - 39.4 Testing Replication by Using Oracle Directory Services Manager
    - 1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
    - 2. From the task selection bar, select Data Browser.
    - 3. Create a single entry on the MDS node, as described in Section 13.2.6, "Adding a New Entry by Using Oracle Directory Services Manager."
  - 39.5 Setting Up an LDAP-Based Replication by Using the Command Line
    - 39.5.1 Copying Your LDAP Data by Using ldifwrite and bulkload
    - 39.5.2 Setting Up an LDAP-Based Replica with Customized Settings
    - 39.5.3 Password Policy and Fan-out Replication
      - Table 39-2 Command-line Parameters to OIDUpgradePasswordPolicies
    - 39.5.4 Deleting an LDAP-Based Replica
      - 39.5.4.1 Task 1: Stop the Directory Replication Server on the Node to be Deleted
      - 39.5.4.2 Task 2: Delete the Replica from the Replication Group
  - 39.6 Setting Up a Multimaster Replication Group with Fan-Out
    - Table 39-3 Nodes in Example of Partial Replication Deployment
    - Figure 39-11 Example of Fan-Out Replication
    - Task 1: Set up the Multimaster Replication Group for Node1 and Node2
    - Task 2: Configure the Replication Agreement
      - 1. Edit the example file mod.ldif as follows:
      - 2. Use ldapmodify to update the replication agreement orclExcludedNamingcontexts attribute at both Node1 and Node2. To do this, enter:
    - Task 3: Start the Replication Servers on Node1 and Node2
    - Task 4: Test the Directory Replication Between Node1 and Node2.
    - Task 5: Install and Configure Node3 as a Partial Replica of Node2
    - Task 6: Customize the Partial Replication Agreement
      - a. Edit the example file mod.ldif as follows:
      - b. Use ldapadd to add the partial replication naming context object at both Node2 and Node3.
    - Task 7: Start the Replication Servers on All Nodes in the DRG
    - Task 8: Install and Configure Node4 as a Full Replica of Node2
    - Task 9: Test the Replication from Node2 to Node4
    - Task 10: Install and Configure Node5 as a Two-Way Replica of Node1
    - Task 11: Test the Two-Way Replication Between Node1 and Node5
      - 40 Setting Up Replication Failover
  - 40.1 Introduction to Replication Failover
    - Figure 40-1 Replication Failover Scenario
    - Figure 40-2 Consumer and New Supplier Connected to Old Supplier by LDAP
    - Figure 40-3 Old and New Suppliers in the Same Advanced Replication Group
    - 40.1.1 Limitations and Warnings for Replication Failover
      - Figure 40-4 Failover Preserving Replica Type
      - Figure 40-5 Compare and Reconcile All Connected Replicas
    - 40.1.2 Determining Which Type of Replication Failover to Use
  - 40.2 Performing a Stateless Replication Failover
    - 40.2.1 Task 1: Stop all Directory Replication Server on related Nodes
    - 40.2.2 Task 2: Break Old Replication Agreement and Set up New Agreement
    - 40.2.3 Task 3: Save Last Change Number
    - 40.2.4 Task 4: Compare and Reconcile New Supplier and Consumer
    - 40.2.5 Task 5: Update Last Applied Change Number of New Agreement
      - 1. Create an LDIF file with the last change number you retrieved in "Task 3: Save Last Change Number".
      - 2. Modify the agreement by using ldapmodify, as follows:
    - 40.2.6 Task 6: Clean Up Old Agreement on Old Supplier
    - 40.2.7 Task 7: Start All Directory Replication Server on related Nodes
  - 40.3 Performing a Time-Based Replication Failover
    - 40.3.1 Task 1: Configure Change Log Garbage Collection Object on New Supplier
      - 1. Create an LDIF file similar to this:
      - 2. Apply the LDIF file by typing:
    - 40.3.2 Task 2: Save Last Change Number from New Supplier
    - 40.3.3 Task 3: Enable Change Log Regeneration on New Supplier
      - 1. Create an LDIF file like this:
      - 2. Apply the LDIF file by typing:
    - 40.3.4 Task 4: Wait for the Desired Time Period to Elapse
    - 40.3.5 Task 5: Stop all Directory Replication Servers on Related Nodes
    - 40.3.6 Task 6: Break Old Replication Agreement and Set Up New Agreement
    - 40.3.7 Task 7: Update Last Applied Change Number of New Agreement
      - 1. Create an LDIF file with the retrieved last applied change number, similar to this:
      - 2. Apply the LDIF file to the agreement by using ldapmodify:
    - 40.3.8 Task 8: Clean Up Old Agreement on Old Supplier
    - 40.3.9 Task 9: Start All Directory Replication Servers on Related Nodes
      - 41 Managing Replication Configuration Attributes
  - 41.1 Introduction to Replication Configuration Attributes
    - 41.1.1 The Replication Configuration Container
    - 41.1.2 The Replica Subentry
      - Table 41-1 Attributes of the Replica Subentry
    - 41.1.3 The Replication Agreement Entry
    - 41.1.4 The Replication Naming Context Container Entry
    - 41.1.5 The Replication Naming Context Object Entry
      - Table 41-3 Attributes of the Replication Naming Context Entry
    - 41.1.6 The Replication Configuration Set
      - Table 41-4 Replication Configuration Set Attributes
    - 41.1.7 Examples of Replication Configuration Objects in the Directory
  - 41.2 Configuring Replication Configuration Attributes by Using Fusion Middleware Control
    - 41.2.1 Configuring Attributes on the Shared Properties, Replication Tab
      - Table 41-5 Configuration Attributes on Shared Properties, Replication Tab
    - 41.2.2 Configuring Replication Wizard Parameters
      - Table 41-6 Replication Schedule Attributes
  - 41.3 Managing Replication Configuration Attributes From the Command Line
    - 42 Managing and Monitoring Replication
  - 42.1 Introduction to Managing and Monitoring Replication
    - 42.1.1 Modifying What Is to Be Replicated in LDAP-Based Partial Replication
    - 42.1.2 Managing Worker Threads
      - Table 42-1 Configuration Attributes Controlling Worker Threads
    - 42.1.3 Change Logs in Directory Replication
    - 42.1.4 The Human Intervention Queue
    - 42.1.5 Pilot Mode
    - 42.1.6 Conflict Resolution in Oracle Replication
  - 42.2 Managing and Monitoring Replication by Using ODSM and Fusion Middleware Control
    - 42.2.1 Enabling or Disabling Change Log Generation by Using Fusion Middleware Control
    - 42.2.2 Viewing the Local Change Logs by Using Oracle Directory Services Manager
    - 42.2.3 Viewing and Modifying Replica Naming Context Objects
    - 42.2.4 Viewing or Modifying a Replication Setup by Using the Replication Wizard
    - 42.2.5 Deleting an LDAP-Based Replication Agreement by Using the Replication Wizard
    - 42.2.6 Configure Replication Attributes by Using Fusion Middleware Control
      - Table 42-4 Replication Configset Attributes on Shared Properties, Replication Tab
    - 42.2.7 Activating or Inactivating a Replication Server by Using Fusion Middleware Control
    - 42.2.8 Configuring the Replication Debug Level by Using Fusion Middleware Control
    - 42.2.9 Configuring Replica Details by Using Fusion Middleware Control
      - Table 42-6 Replica Details on Shared Properties, Replication Tab
    - 42.2.10 Viewing Queue Statistics by Using Fusion Middleware Control
    - 42.2.11 Managing Changelog Processing by Using Fusion Middleware Control
    - 42.2.12 Monitoring Conflict Resolution Messages by Using Fusion Middleware Control
  - 42.3 Managing and Monitoring Replication by Using the Command Line
    - 42.3.1 Enabling and Disabling Change Log Generation by Using the Command Line
    - 42.3.2 Viewing Change Logs by Using ldapsearch
      - Table 42-7 Important Attributes in the Change Log
    - 42.3.3 Configuring Attributes of the Replica Subentry by Using ldapmodify
      - Table 42-8 Replica Subentry Attributes
    - 42.3.4 Specifying Pilot Mode for a Replica by Using remtool
    - 42.3.5 Configuring Replication Agreement Attributes by Using ldapmodify
      - Table 42-9 Replication Agreement Options
    - 42.3.6 Modifying Replica Naming Context Object Parameters by Using ldapmodify
    - 42.3.7 Configuring Attributes of the Replication Configuration Set by Using ldapmodify
      - Table 42-10 Replication Configuration Attributes
      - Table 42-11 Replication Debug Levels
    - 42.3.8 Monitoring Conflict Resolution Messages by Using the Command Line
      - Table 42-12 Conflict Resolution Messages
    - 42.3.9 Managing the Human Intervention Queue
    - 42.3.10 Monitoring Replication Progress in a Directory Replication Group by Using remtool -pthput
      - Example Output
    - 42.3.11 Viewing Queue Statistics and Verifying Replication by Using remtool
    - 42.3.12 Managing the Number of Entries the Human Intervention Queue Tools Can Process
    - 42.3.13 Changing the Replication Administrator's Password for Advanced Replication
  - 42.4 Comparing and Reconciling Inconsistent Data by Using oidcmprec
    - 1. Set the supplier and the consumer to read-only mode. Use one of the procedures in"Changing Server Mode" on page 15-3.
    - 2. Ensure that the supplier and the consumer are in a tranquil state-that is, that neither is supplying or applying changes. If they are not in a tranquil state, then wait until they have finished updating.
    - 3. Identify the inconsistent entries or subtree on the consumer.
    - 4. Use the Oracle Internet Directory Comparison and Reconciliation Tool to fix the inconsistent entries or subtree on the consumer.
    - 5. Set the participating supplier and consumer back to read/write mode.
    - 42.4.1 Conflict Scenarios
    - 42.4.2 Operations Supported by oidcmprec
    - 42.4.3 Output from oidcmprec
    - 42.4.4 How oidcmprec Works
    - 42.4.5 Setting the Source and Destination Directories
    - 42.4.6 Selecting the DIT for the Operation
    - 42.4.7 Selecting the Attributes for the Operation
    - 42.4.8 Controlling Change Log Generation
    - 42.4.9 Using a Text or XML Parameter File
    - 42.4.10 Including Directory Schema
    - 42.4.11 Overriding Predefined Conflict Resolution Rules
    - 42.4.12 Using the User-Defined Compare and Reconcile Operation
    - 42.4.13 Known Limitations of the oidcmprec Tool
      - Part VI Advanced Administration: Directory Plug-ins
      - 43 Configuring a Customized Password Policy Plug-In
  - 43.1 Introduction to Configuring a Customized Password Policy Plug-in
    - 1. The client sends the directory server either an ldapadd or ldapmodify request.
    - 2. Before the directory server makes the addition or modification, it passes the password value to the plug-in.
    - 3. The plug-in
    - 4. If the password meets the specification, then the plug-in notifies the directory server accordingly, and the directory server makes the addition or modification.
  - 43.2 Installing, Configuring, and Enabling a Customized Password Policy Plug-in
    - 43.2.1 Loading and Registering the PL/SQL Program
      - 1. Load the plug-in package into the database. In this example, we enter:
      - 2. Register the plug-in. This example uses a file named pluginreg.dat, which contains the following:
    - 43.2.2 Coding the Password Policy Plug-in
    - 43.2.3 Debugging the Password Policy Plug-in
    - 43.2.4 Contents of Sample PL/SQL Package pluginpkg.sql
      - 44 Developing Plug-ins for the Oracle Internet Directory Server
  - 44.1 Introduction to Developing Plug-ins for the Oracle Internet Directory Server
    - Figure 44-1 Oracle Internet Directory Plug-in Framework
    - 44.1.1 Passing Options to the JVM
    - 44.1.2 Supported Languages for Server Plug-ins
    - 44.1.3 Server Plug-in Prerequisites
    - 44.1.4 Server Plug-in Benefits
    - 44.1.5 Guidelines for Designing Plug-ins
    - 44.1.6 The Server Plug-in Framework
    - 44.1.7 LDAP Operations and Timings Supported by the Directory
    - 44.1.8 Using Plug-ins in a Replication Environment
  - 44.2 Creating a Plug-in
    - 1. Write a user-defined plug-in procedure in PL/SQL or Java.
    - 2. Compile the plug-in module.
    - 3. Register the plug-in module through the configuration entry interface by using either the command line or Oracle Directory Services Manager.
  - 44.3 Registering a Plug-in From the Command Line
    - 44.3.1 Creating a Plug-in Configuration Entry
      - Table 44-1 Plug-in Configuration Objects and Attributes
    - 44.3.2 Adding a Plug-in Configuration Entry by Using Command-Line Tools
  - 44.4 Managing Plug-ins by Using Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control
    - 1. Section 44.4.1, "Creating a New Plug-in by Using Oracle Directory Services Manager"
    - 2. Section 44.4.2, "Registering a Plug-in by Using Oracle Directory Services Manager"
    - 3. Section 44.4.3, "Editing a Plug-in by Using Oracle Directory Services Manager"
    - 4. Section 44.4.4, "Deleting a Plug-in by Using Oracle Directory Services Manager"
    - 5. Section 44.4.5, "Managing JVM Options by Using Oracle Enterprise Manager Fusion Middleware Control"
    - 44.4.1 Creating a New Plug-in by Using Oracle Directory Services Manager
    - 44.4.2 Registering a Plug-in by Using Oracle Directory Services Manager
    - 44.4.3 Editing a Plug-in by Using Oracle Directory Services Manager
    - 44.4.4 Deleting a Plug-in by Using Oracle Directory Services Manager
    - 44.4.5 Managing JVM Options by Using Oracle Enterprise Manager Fusion Middleware Control
      - 45 Configuring a Customized External Authentication Plug-in
  - 45.1 Introduction to Configuring a Customized External Authentication Plug-in
  - 45.2 Installing, Configuring, and Enabling the External Authentication Plug-in
    - 1. Implement your standalone external authentication PL/SQL program. For example, if you want to authenticate users by using user names and passwords, then you should have a PL/SQL program which takes these two parameters.
    - 2. Integrate this standalone program into the plug-in modules.
    - 3. Load the plug-in package into database. In this example, we enter:
    - 4. Register the plug-ins. Do this by creating and uploading an LDIF file that provides the directory server with the necessary information to invoke the plug-in.
    - 5. This example uses a file named oidexauth.ldif, which contains the following:
  - 45.3 Debugging the External Authentication Plug-in
  - 45.4 Creating the PL/SQL Package oidexaup.sql
    - Part VII Appendixes
    - A Differences Between 10g and 11g
  - A.1 Instance Creation and Process Management
    - 10g Oracle Internet Directory Instance Creation
    - 11g Oracle Internet Directory Instance Creation
    - 11g Replication Server
    - 11g OIDMON
  - A.2 Locations of Configuration Attributes
    - Table A-1 New Locations of 10g Attributes
  - A.3 Default Ports
  - A.4 Enabling Server Debugging
  - A.5 Command Line Tools
  - A.6 Path Names
    - Table A-2 Some Path Names that Changed
  - A.7 Graphical User Interfaces
  - A.8 Audit
  - A.9 Referential Integrity
  - A.10 Server Chaining
  - A.11 Replication
  - A.12 Oracle Directory Integration Platform
  - A.13 Oracle Single Sign-On and Oracle Delegated Administration Services
  - A.14 Java Containers
    - B Managing Oracle Internet Directory Instances by Using OIDCTL
  - B.1 Introduction to Managing Oracle Internet Directory by Using OIDCTL
    - Figure B-1 A Component with Two Instances
  - B.2 Creating and Starting an Oracle Internet Directory Server Instance by Using OIDCTL
  - B.3 Stopping an Oracle Internet Directory Server Instance by Using OIDCTL
  - B.4 Starting an Oracle Internet Directory Server Instance by Using OIDCTL
  - B.5 Viewing Status Information by Using OIDCTL
  - B.6 Deleting an Oracle Internet Directory Server Instance by Using OIDCTL
    - C Setting Up Oracle Database Advanced Replication-Based Replication
  - C.1 Introduction to Setting up Oracle Database Advanced Replication-Based Replication
    - C.1.1 Database Version Compatibility
    - C.1.2 Advanced Replication Filtering for Partial Replication
      - C.1.2.1 Excluded Naming Contexts
        Figure C-1 Example of a Naming Context Container and Its Objects
      - C.1.2.2 Rules for Advanced Replication Filtering.
  - C.2 Setting Up Advanced Replication-Based Replication
    - C.2.1 Rules for Setting Up Advanced Replication
    - C.2.2 Setting Up an Advanced Replication-Based Multimaster Replication Group
    - C.2.3 Adding a Node for Advanced Replication-Based Multimaster Replication
    - C.2.4 Deleting a Node from a Multimaster Replication Group
  - D.1 Features of Oracle Database Advanced Replication-Based Replication
  - D.2 Architecture for Oracle Database Advanced Replication-Based Replication
    - Figure D-1 Advanced Replication Process
  - D.3 Architecture of LDAP-Based Replication
    - Figure D-2 LDAP Replication Process
  - D.4 LDAP Replica States
    - Table D-1 LDAP Replica States
  - D.5 The Replication Process
    - D.5.1 How the Multimaster Replication Process Adds a New Entry to a Consumer
      - 1. The directory replication server looks in the consumer for the DN of the parent of the target entry. Specifically, it does this by looking for a global unique identifier (GUID) assigned to the DN of the parent.
      - 2. If the parent entry exists, then the directory replication server composes a DN for the new entry and places the new entry under its parent in the consumer. It then places the change entry in the purge queue.
    - D.5.2 How the Multimaster Replication Process Deletes an Entry
      - 1. The directory replication server looks in the consumer for an entry with a GUID matching the one in the change entry.
      - 2. If the matching entry exists in the consumer, then the directory replication server deletes it. It then places the change entry in the purge queue.
    - D.5.3 How the Multimaster Replication Process Modifies an Entry
    - D.5.4 How the Multimaster Replication Process Modifies a Relative Distinguished Name
      - 1. The directory replication server looks in the consumer for the DN with a GUID that matches the GUID in the change entry.
      - 2. If the matching entry exists in the consumer, then the directory replication server modifies the RDN of that entry and places the change entry in the purge queue.
    - D.5.5 How the Multimaster Replication Process Modifies a Distinguished Name
  - E.1 Advantages of Java Plug-ins
  - E.2 Setting Up a Java Plug-in
    - 1. Create the standalone Java program using the pre-defined class definition and methods. You can implement the plug-in as a jar file or as a package.
    - 2. Compile the plug-in file or package. Before compiling, ensure that your CLASSPATH is set to $ORACLE_HOME/ldap/jlib/ospf.jar. Make sure the compilation completes without error.
    - 3. Place the class file, jar, or package in the pre-defined class location $ORACLE_ HOME/ldap/server/plugin.
    - 4. Register the Java plug-in by adding the plug-in configuration entry.
      - Table E-1 Plug-in Names and Corresponding Paths
  - E.3 Java Plug-in API
    - E.3.1 Communication Between the Server and Plug-in
      - Figure E-1 Communication Between the Server and the Java Plug-in
    - E.3.2 Java Plug-in Structure
    - E.3.3 PluginDetail
    - E.3.4 PluginResult
    - E.3.5 ServerPlugin Interface
  - E.4 Java Plug-in Error and Exception Handling
    - E.4.1 Run-time Exception Example
    - E.4.2 Run-time Error Example
    - E.4.3 PluginException Example
  - E.5 Java Plug-in Debugging and Logging
    - Table E-16 Debug Levels for Java Plug-in Logging
  - E.6 Java Plug-in Examples
    - E.6.1 Example 1: Password Validation Plug-in
      - E.6.1.1 Password Validation Plug-in Configuration Entry
      - E.6.1.2 Password Validation Plug-in Code Example
    - E.6.2 Example 2: External Authentication Plug-in for Active Directory
      - E.6.2.1 External Authentication Plug-in Configuration Entry
      - E.6.2.2 External Authentication Plug-in Code
        F PL/SQL Server Plug-in Developer's Reference
  - F.1 Designing, Creating, and Using PL/SQL Server Plug-ins
    - F.1.1 PL/SQLPlug-in Caveats
      - F.1.1.1 Types of PL/SQL Plug-in Operations
      - F.1.1.2 Naming PL/SQL Plug-ins
    - F.1.2 Creating PL/SQLPlug-ins
      - F.1.2.1 Package Specifications for Plug-in Module Interfaces
        Table F-1 Plug-in Module Interface
        Table F-2 Operation-Based and Attribute-Based Plug-in Procedure Signatures
    - F.1.3 Compiling PL/SQLPlug-ins
    - F.1.4 Managing PL/SQL Plug-ins
      - F.1.4.1 Modifying Plug-ins
      - F.1.4.2 Debugging Plug-ins
    - F.1.5 Enabling and Disabling PL/SQL Plug-ins
    - F.1.6 Exception Handling in a PL/SQL Plug-in
      - F.1.6.1 Error Handling
        Table F-3 Valid Values for the plug-in Return Code
      - F.1.6.2 Program Control Handling between Oracle Internet Directory and Plug-ins
        Table F-4 Program Control Handling when a Plug-in Exception Occurs
        Table F-5 Program Control Handling when an LDAP Operation Fails
    - F.1.7 PL/SQL Plug-in LDAP API
    - F.1.8 PL/SQL Plug-in and Database Tools
    - F.1.9 PL/SQL Plug-in Security
    - F.1.10 PL/SQL Plug-in Debugging
    - F.1.11 PL/SQL Plug-in LDAP API Specifications
    - F.1.12 Database Limitations
  - F.2 Examples of PL/SQL Plug-ins
    - F.2.1 Example 1: Search Query Logging
    - F.2.2 Example 2: Synchronizing Two DITs
  - F.3 Binary Support in the PL/SQLPlug-in Framework
    - F.3.1 Binary Operations with ldapmodify
    - F.3.2 Binary Operations with ldapadd
    - F.3.3 Binary Operations with ldapcompare
  - F.4 Database Object Types Defined
  - F.5 Specifications for PL/SQL Plug-in Procedures
    - G The LDAP Filter Definition
    - H The Access Control Directive Format
  - H.1 Schema for orclACI
  - H.2 Schema for orclEntryLevelACI
    - I Globalization Support in the Directory
  - I.1 About Character Sets and the Directory
    - I.1.1 About Unicode
      - Table I-1 Unicode Implementations
    - I.1.2 About Oracle and UTF-8
    - I.1.3 Migration from UTF8 to AL32UTF8 when Upgrading Oracle Internet Directory
      - 1. Run the character set scanner (CSSCAN) to ensure that there are no invalid UTF8 characters inside your current database.
      - 2. Run the CSALTER script to update the database to AL32UTF8.
  - I.2 The NLS_LANG Environment Variable
    - Table I-2 Components of the NLS_LANG Parameter
  - I.3 Using Non-AL32UTF8 Databases
  - I.4 Using Globalization Support with LDIF Files
    - I.4.1 An LDIF file Containing Only ASCII Strings
    - I.4.2 An LDIF file Containing UTF-8 Encoded Strings
  - I.5 Using Globalization Support with Command-Line LDAP Tools
    - I.5.1 Specifying the -E Argument When Using Each Tool
    - I.5.2 Examples: Using the -E Argument with Command-Line LDAP Tools
      - Table I-3 Examples: Using the -E Argument with Command-Line Tools
  - I.6 Setting NLS_LANG in the Client Environment
  - I.7 Using Globalization Support with Bulk Tools
    - I.7.1 Using Globalization Support with bulkload
    - I.7.2 Using Globalization Support with ldifwrite
    - I.7.3 Using Globalization Support with bulkdelete
    - I.7.4 Using Globalization Support with bulkmodify
      - J Setting up Access Controls for Creation and Search Bases for Users and Groups
  - J.1 Setting up Access Controls for the User Search Base and the User Creation Base
    - 1. Create an LDIF (user_aci.ldif) file with the following entry:
    - 2. Replace %subscriberdn% with the dn of the subscriber and %usersearch_or_ createbase_dn% with the new value of the container DN where the new user search/create base points to.
    - 3. Run the ldapmodify command as follows:
  - J.2 Setting up Access Controls for the Group Search Base and the Group Creation Base
    - 1. Create an ldif (group_aci.ldif) file with the following entry:
    - 2. Replace %subscriberdn% with the DN of the subscriber and %groupsearch_ or_createbase_dn% with the new value of the container DN where the new group search base or group create base points to.
    - 3. Run the ldapmodify command as follows:
    - K Searching the Directory for User Certificates
  - K.1 Certificate Mapping
    - Adding a Certificate Mapping Rule
    - Deleting a Certificate Mapping Rule
    - Modifying a Certificate Mapping Rule
  - K.2 Search Types
    - L Adding a Directory Node by Using the Database Copy Procedure
  - L.1 Definitions
  - L.2 Prerequisites
    - 1. The operating system, version, and patch level of the new directory site must be the same as that of the sponsor directory site. This procedure might not work if the patch levels of the operating systems differ.
    - 2. Oracle strongly recommends that you back up the sponsor directory's repository before you employ this procedure.
    - 3. Because this procedure involves copying Oracle data files, performance depends on the underlying network. If the underlying n...
    - 4. Only a person familiar with the Oracle database should perform this procedure.
    - 5. If the sponsor site is already a part of an Advanced Replication group, the sponsor node must be the Master definition site (MDS).
  - L.3 Sponsor Directory Site Environment
  - L.4 New Directory Site Environment
  - L.5 Addition of a Directory Node
    - 1. Install the node and check its status, as follows:
      - a. Install Identity Management with the Oracle Internet Directory component on the sponsor node. See Oracle Fusion Middleware Installation Guide for Oracle Identity Management
      - b. To check the status of Oracle Internet Directory, type:
    - 2. Shut down Oracle Internet Directory and all other opmn processes on the sponsor node, as follows:
    - 3. Perform the following steps on the sponsor node.
      - a. At the command line prompt execute the following SQL*Plus commands:
      - b. Shut down the database and Oracle Net Services listener on the sponsor node. By default, the listener name is LISTENER. Type:
      - c. If the copied node is part of an Advanced Replication-based DRG, perform the following steps:
      - d. Rename the trace file created in Step 3a to newdb.sql, under the same directory.
    - 4. On the sponsor node, open newdb.sql in a text editor and delete all the lines except the STARTUP NOMOUNT and CREATE CONTROLFILE statements. After deleting those lines, newdb.sql should look like this:
    - 5. Continue editing the file newdb.sql on the sponsor node, as follows:
      - a. Change the line:
      - b. Modify the UNIX directory location of the database and logfiles to point to the new node site's directory.
    - 6. Copy the initialization parameter file init$ORACLE_SID.ora from the sponsor directory's database to init$ORACLE_SID_NEW_DIR_D...
    - 7. In the new initialization parameter file on the sponsor, make the following changes:
      - a. Comment out the parameter JOB_QUEUE_PROCESSES, if it exists.
      - b. Change the parameter dbname from LDAP to NLDAP.
      - c. If the new site's domain name is different from the sponsor directory's domain name, alter the parameter db_domain also.
      - d. Alter the location of the following parameters to point to the location of the new site.
      - e. In addition to the parameters listed in Step 7d, if your initialization parameter file has any parameters that are node specific, such as DB_RECOVERY_FILE_ DEST and DB_CREATE_FILE_DEST, alter those parameters as well.
    - 8. Edit the tnsnames.ora file to include connection details for the new node. Refer to the following sample file:
    - 9. Create an archive of all the data files and compress the archived file. Be sure to include all the files listed under DATAFILE in newdb.sql.
    - 10. Install Oracle Database on the new node using the software only option. See the Oracle Database Installation Guide for your platform and Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
    - 11. When the software-0nly install on the new node has completed, the following directory exists:
    - 12. Copy the archived file created on the sponsor node in Step 9 to the new node, using FTP or another appropriate tool. Change directory to the database file location on the new node, then use FTP to copy the archived file from rst-sun.
    - 13. If the sponsor node is part of an Advanced replication group, then perform the following steps:
      - a. Copy the initialization parameter file initLDAP.ora from the sponsor node (rst-sun) to the new node under the UNIX directory $ORACLE_HOME/dbs using a tool such as FTP. Rename the file to initNLDAP.ora.
      - b. Using a tool such as FTP, copy the file newdb.sql you created on the sponsor node in Step 5 to the new node. Rename newdb.sql to olddb.sql.
      - c. Make a copy of tnsnames.ora called tnsnames.ora.bk.
      - d. At the shell prompt on the new node, set the ORACLE_BASE, ORACLE_HOME, and ORACLE_SID environment variables. For example (using the C shell):
      - e. In the same shell, execute olddb.sql using SQL*Plus as shown in the following example:
      - f. Start up the database and listener as follows:
      - g. If you have performed a database copy from a node that has Advanced replication configured with another node, you must delete the LDAP_REP replication group in the new node. To do so, execute the following commands:
    - 14. Copy the initialization parameter file initLDAP.ora from the sponsor node (rst-sun) to the new node under the UNIX directory...
    - 15. On the new node, ensure that the following files do not exist in the directory $ORACLE_HOME/dbs on UNIX or ORACLE_HOME\database in Windows:
    - 16. Using FTP or another appropriate tool, copy the file newdb.sql you created on the sponsor node in Step 5 to the new node. For example:
    - 17. At the UNIX shell prompt on the new node, set ORACLE_BASE, ORACLE_ HOME and ORACLE_SID environment variables. For example (using the C shell):
    - 18. In the same UNIX shell, execute newdb.sql using SQL*Plus as shown in the following example:
    - 19. Complete the changes on the new node.
      - a. Start up the database and listener as follows:
      - b. Change the global database name of the new node.
      - c. Add a temporary file to the tablespace using the following command:
    - 20. Configure Oracle Internet Directory on the new node
      - a. Install WebLogic Server. See Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.
      - b. Install Oracle Internet Directory. See Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
      - c. Stop Oracle Internet Directory by using opmnctl.
    - 21. On the new node, delete the wallet files oidpwdlldap1 and oidpwdr* at the new node and reset the ODS password
    - 22. On the new node, reset the password and start the Oracle Internet Directory processes.
    - 23. At this point, Oracle Internet Directory on the new node is up and running. The replicaid value in new Oracle Internet Direc...
      - a. Create a file, chgrid.ldif, with the following contents:
      - b. Using the ldapmodify tool, change the replicaid:
    - 24. Because the replica id of the new node was changed in Step 23, you must re-create the relative replica entries for the new node, as follows:
    - 25. ) In addition to renaming the replica subentry, you must change the orclreplicauri, orclreplicasecondaryuri and orclreplicas...
      - a. Create an LDIF file, modsubentry.ldif, with the following contents:
      - b. Using the ldapmodify tool, apply the changes to the directory:
    - 26. Stop Oracle Internet Directory processes.
    - 27. Clean up the changelog tables at the new node.
    - 28. If the new node is part of an Advanced Replication-based DRG, proceed as follows.
      - a. To configure Oracle Database Advanced Replication, if you are adding new node to an existing DRG, at the shell prompt, execute the following command:
      - b. Start up Oracle Internet Directory and the replication server on all the nodes, including the new node and the sponsor node.
    - 29. If the new node is a full LDAP-based replication replica, configure LDAP-based Replication and add the full replica as fan-out, as follows:
      - a. Make sure that the database and Oracle Internet Directory server is running at the sponsor node.
      - b. Configure LDAP-based replication using remtool, as follows:
      - c. Initialize the replication change status of the new replication agreement.
      - d. Start up Oracle Internet Directory and the replication server on all the nodes. For one-way replication, you only need to start the replication server on the consumer node.
    - M Oracle Authentication Services for Operating Systems
    - N RFCs Supported by Oracle Internet Directory
      - Table N-1 Supported RFCs
    - O Managing Oracle Directory Services Manager's Java Key Store
  - O.1 Introduction to Managing ODSM's Java Key Store
  - O.2 Retrieving ODSM's Java Key Store Password
  - O.3 Listing the Contents of odsm.cer Java Key Store
  - O.4 Deleting Expired Certificates
    - O.4.1 Determining the Expiration Date of a Certificate
    - O.4.2 Deleting a Certificate
      - P Starting and Stopping the Oracle Stack
  - P.1 Starting the Stack
    - 1. Start the Oracle Database
    - 2. Start the Oracle WebLogic Administration Server.
    - 3. Ensure that the Node Manager is running. Normally, the Oracle WebLogic Administration Server starts the Node Manager. If, for some reason, the Node Manager is not running, start it.
    - 4. Start system components, such as Oracle Internet Directory and Oracle Virtual Directory.
    - 5. Start WebLogic managed components, such as Oracle Directory Integration Platform and Oracle Directory Services Manager.
  - P.2 Stopping the Stack
    - 1. Stop WebLogic managed components, such as Oracle Directory Integration Platform and Oracle Directory Services Manager.
    - 2. Stop system components, such as Oracle Internet Directory and Oracle Virtual Directory.
    - 3. Stop the WebLogic Administration Server.
    - 4. If you want to stop the Node Manager, you can use the kill command.
    - 5. Stop the Oracle Database.
    - Q Performing a Rolling Upgrade
  - Q.1 Prerequisites for Rolling Upgrade
  - Q.2 Rolling Upgrade Instructions
    - 1. Stop the replication server on the first node you want to upgrade.
    - 2. Suspend the replication from the first node to each of the other nodes:
    - 3. Validate that replication has been suspended from the first node to all the other nodes in the DRG by running the following ldapsearch command:
    - 4. Stop Oracle Internet Directory on the node you are about to upgrade.
    - 5. Patch the node to Release 11.1.1.4.0. Refer to the instructions in the Oracle Fusion Middleware Patching Guide:
    - 6. Start Oracle Internet Directory on the node you have just upgraded.
    - 7. Because no other nodes have been upgraded yet, do not resume replication between the first node and any other node.
    - 8. Stop the replication server on the second node you want to upgrade.
    - 9. Suspend replication from the second node to each of the nodes that have not been upgraded.
    - 10. Validate that replication has been suspended from the node you are about to upgrade to each node that has not been upgraded, using the same command as in Step 3 against the second node.
    - 11. Stop Oracle Internet Directory on the node you are about to upgrade.
    - 12. Patch the node to Release 11.1.1.4.0 as in Step 5.
    - 13. Start Oracle Internet Directory on the node you have just upgraded.
    - 14. Now two nodes have been upgraded, so resume replication from the first node you upgraded to the second node you upgraded.
    - 15. Validate that replication has been resumed from first upgraded node to the second upgraded nodes in DRG by running the following ldapsearch command:
    - 16. Start replication server on the second upgraded replica.
    - 17. Shut down the replication server on the third node you want to upgrade.
    - 18. Suspend replication from the third node to each node that has not yet been upgraded, if any.
    - 19. Validate that replication has been suspended from the third node to each node that has not been upgraded.
    - 20. Stop Oracle Internet Directory and other processes on the third node to be upgraded.
    - 21. Patch the node to Release 11.1.1.4.0 as in Step 5.
    - 22. Start Oracle Internet Directory on the third node.
    - 23. Resume replication from each node that has already been upgraded to the third node.
    - 24. Validate that replication has been resumed from each upgraded node to the third node.
    - 25. Start replication on the third node
  - Q.3 Rolling Upgrade Example
    - 1. Stop the replication server on Node A.
    - 2. Suspend the replication from:
    - 3. Validate that replication has been suspended from Node A to Node B by running the following ldapsearch command:
    - 4. Stop Oracle Internet Directory and other processes on Node A.
    - 5. Run the PSA on Node A to upgrade it to 11g Release 1 (11.1.1.4.0).
    - 6. Bring up Oracle Internet Directory and the replication server on Node A. Note that there is no node with which Node A should resume replication.
    - 7. Stop the replication server on Node B.
    - 8. Suspend replication from Node B to Node C by executing the following command:
    - 9. Validate that replication has been suspended from Node B to Node C by running the following ldapsearch command:
    - 10. Stop Oracle Internet Directory and other processes on Node B.
    - 11. Run the PSA on Node B to upgrade it to 11g Release 1 (11.1.1.4.0).
    - 12. Bring up Oracle Internet Directory on Node B.
    - 13. Validate that replication has been resumed from Node A to Node B by running the following ldapsearch command:
    - 14. Bring up the replication server on Node B.
    - 15. Shut down the replication server on Node C.
    - 16. There is no other node to be upgraded so there is no need to suspend replication. Stop Oracle Internet Directory and other processes on Node C.
    - 17. Run PSA on Node C to upgrade it to 11g Release 1 (11.1.1.4.0).
    - 18. Bring up Oracle Internet Directory on Node C.
    - 19. Validate that replication has been resumed successfully by performing an ldapsearch on Node A and Node B similar to Step 13. Validate replication:
    - 20. Bring up the replication server on Node C.
    - R Using the Oracle Internet Directory VM Template
  - R.1 Installing Operating System, Oracle Database, and Oracle Internet Directory
    - 1. Install the Oracle VM server as described in Oracle VM Server Installation Guide.
    - 2. Download the VM template files for Oracle Internet Directory, oidhome.tgz and OVM_EL5U2_X86_64_ORACLE11G_PVM_1.tgz, from http://edelivery.oracle.com.
    - 3. Copy the template files to dom0 /OVS/seed_pool.
    - 4. Change to that directory and extract the files, as follows:
    - 5. Change to the directory containing the configuration file vm.cfg.
    - 6. Edit vm.cfg, setting VCPU, Memory, and network (VIF) values appropriately for this VM. Recommendations for sizing and tuning ...
    - 7. Start Oracle VM by typing:
    - 8. By default, Oracle VM starts a VNC server on port 5900. From another window, using a VNC client, connect to the host where Oracle VM is running, at port 5900.
    - 9. You are prompted for installation and configuration information. Provide the information to set up the Oracle 11g database.
    - 10. Log into the host as user root, password ovsroot. Changing the password is recommended.
    - 11. Oracle Internet Directory is now installed in the home directory /oidhome/app/mwhome.
  - R.2 Installing Oracle Internet Directory Template with an Existing Oracle VM that has Oracle Database
    - 1. Download the VM template file oidhome.tgz from http://edelivery.oracle.com.
    - 2. Copy the file to dom0 /OVS/seed_pool.
    - 3. Change to that directory and extract the file, as follows:
    - 4. Change to the directory containing the configuration file vm.cfg. For example:
    - 5. Edit vm.cfg, adding oidhome.img as a disk, as shown in bold:
    - 6. Restart the guest OS by typing:
    - 7. Create the /oidhome directory:
    - 8. Mount the Oracle Internet Directory image:
    - 9. Set the owner and group for the /mntPoint/app directory tree:
    - 10. Run oidRoot.sh:
    - 11. Switch to the user oracle:
    - 12. Set the DISPLAY environment variable.
    - 13. Set the ORACLE_HOME environment variable to: /mntPoint/app/mwhome/Oracle_ IDM1
    - 14. Change to the directory containing config.sh and execute it:
    - 15. You are prompted for information. Provide the information to configure the environment.
  - R.3 Registering Oracle Internet Directory for Oracle Enterprise Manager Fusion Middleware Control and ODSM Management
  - R.4 Using the Oracle Internet Directory OVM image in a Non-OVM Environment
    - 1. Download the VM template file oidhome.tgz from http://edelivery.oracle.com.
    - 2. Extract the file, as follows:
    - 3. Copy oidhome.img to a directory. For example:
    - 4. Switch to root user
    - 5. Create /oidhome.
    - 6. Mount the image. For example:
    - 7. Change to the directory /oidhome and set the owner and group for the /oidhome/app tree:
    - 8. Run oidRoot.sh:
    - 9. Set the DISPLAY environment variable.
    - 10. Set the ORACLE_HOME environment variable to: /oidhome/app/mwhome/Oracle_IDM1
    - 11. Install the Oracle database, as described in the Oracle Database Installation Guide for your platform.
    - 12. Run /oidhome/app/mwhome/Oracle_IDM1/bin/config.sh to configure Oracle Internet Directory.
  - R.5 Default Values
    - S Troubleshooting Oracle Internet Directory
  - S.1 Problems and Solutions
    - S.1.1 Installation Errors
    - S.1.2 Oracle Database Server Errors
      - S.1.2.1 Oracle Database Server Connection is Down
        Problem
        Solution
      - S.1.2.2 Oracle Database Server Error Due to Interrupted Client Connection
        Problem
        Solution
      - S.1.2.3 Oracle Database Server Error Due to Schema Modifications
        Problem
        Solution
    - S.1.3 Directory Server Error Messages and Causes
      - S.1.3.1 Inappropriate Authentication Error
        Problem
        Solution
      - S.1.3.2 Constraint Violation Error Due to Editing a User or Group or Creating a Realm
        Problem
        Solution
      - S.1.3.3 Standard Error Messages Returned from Oracle Directory Server
        Table S-1 Standard Error Messages
      - S.1.3.4 Additional Directory Server Error Messages
        Table S-2 Additional Error Messages
    - S.1.4 Getting a Core Dump and Stack Trace When Oracle Internet Directory Crashes
    - S.1.5 TCP/IP Problems
      - S.1.5.1 Do Not Use TCP-Based Monitoring of Server Availability on Windows 2003 Server
      - S.1.5.2 Do Not Install DaimondCS Port Explorer
    - S.1.6 Troubleshooting Password Policies
      - S.1.6.1 Password Policy is Not Enforced
        Problem
        Solution
      - S.1.6.2 Password Policy Error Messages
        Table S-3 Password Policy Violation Error Messages
    - S.1.7 Troubleshooting Directory Performance
      - S.1.7.1 Poor LDAP Search Performance
        Problem
        Solution
      - S.1.7.2 Poor LDAP Add or Modify Performance
        Problem
        Solution
      - S.1.7.3 Poor Oracle Database Server Performance
        Problem
        Solution
        1. Identify the LDAP operations that are processor-intensive by running:
        2. Tune the database appropriately for this kind of query. See the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
        3. If possible, change the applications's search signature. If that is not possible, tune the Oracle Internet Directory attribute orclinmemfiltprocess. See the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
    - S.1.8 Troubleshooting Port Configuration
    - S.1.9 Troubleshooting Creating Oracle Internet Directory Component with opmnctl
      - Problem
      - Solution
    - S.1.10 Troubleshooting Starting Oracle Internet Directory
      - S.1.10.1 Oracle Internet Directory is Down
        Problem
        Solution
        Problem
        Solution
        1. The oidmon log, ORACLE_ INSTANCE/diagnostics/logs/OID/componentName/oidmon-0000.log contains details as to why oidmon cannot start the oidldapd process. The most common issues are
        2. The Oracle Internet Directory dispatcher log, ORACLE_ INSTANCE/diagnostics/logs/OID/componentName/oidldapd01-0000.l og contains information about why oidldapd server processes fail to start. The most common reasons are:
        3. The Oracle Internet Directory server log, ORACLE_ INSTANCE/diagnostics/logs/OID/componentName/oidldapd01sPID-00 00.log contains information about why the server processes fail to run. Common issues include:
      - S.1.10.2 Oracle Internet Directory is Read-Only
        Problem
        Solution
    - S.1.11 Troubleshooting Starting, Stopping, and Restarting of the Directory Server
      - S.1.11.1 About the Tools for Starting, Stopping, and Restarting the Directory Server Instance
        OIDCTL
        OIDMON
        About the Processes Involved in Starting, Stopping, and Restarting the Directory Server
      - S.1.11.2 Problems Starting, Stopping, and Restarting the Directory Server
        S.1.11.2.1 OIDCTL or OIDMON fails
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
    - S.1.12 Troubleshooting Oracle Internet Directory Replication
      - Bootstrapping Fails
      - S.1.12.1 Replication Server Does Not Start
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        1. Prepare a modification file, mod.ldif. For example, to change to host my.us.example.com and port 4444, you would specify:
        2. Run:
        Problem
        Solution
        Problem
        Solution
      - S.1.12.2 Repository Creation Assistant Error
        Problem
        Solution
      - S.1.12.3 Errors in Replication Bootstrap
        Problem
        Solution
        Problem
        Solution
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
      - S.1.12.4 Changes Are Not Replicated
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
      - S.1.12.5 Replication Stops Working
        Problem
        Problem
        Solution
    - S.1.13 Troubleshooting Change Log Garbage Collection
      - Problem
      - Solution
      - Problem
      - Solution
      - Problem
      - Solution
      - Solution
    - S.1.14 Troubleshooting Dynamic Password Verifiers
      - Table S-4 Error Messages for Dynamic Password Verifiers
    - S.1.15 Troubleshooting Oracle Internet Directory Password Wallets
      - S.1.15.1 Oracle Internet Directory Server Does Not Start
        Problem
        Solution
        Solution
      - S.1.15.2 Password Not Synchronized
        Problem
        Solution
    - S.1.16 Troubleshooting bulkload
      - Problem
      - Solution
      - Problem
      - Solution
      - Problem
      - Solution
        1. Ensure that the database is restarted properly.
        2. If the bulkload invocation employed only the check="TRUE" or generate="TRUE" options, but not the load="TRUE" option, go to step 3.
        3. Re-issue the bulkload command that failed.
    - S.1.17 Troubleshooting bulkdelete, bulkmodify, and ldifwrite
      - Problem
      - Solution
    - S.1.18 Troubleshooting catalog
      - Problem
      - Solution
      - Problem
      - Solution
    - S.1.19 Troubleshooting remtool
      - Problem
      - Solution
    - S.1.20 Troubleshooting Server Chaining
      - Problem
      - Solution
    - S.1.21 Viewing Version Information
    - S.1.22 Troubleshooting Fusion Middleware Control and WLST
      - Problem
      - Solution
      - Problem
      - Solution
      - Solution
      - Solution
    - S.1.23 Troubleshooting Oracle Directory Services Manager
      - S.1.23.1 Cannot Invoke ODSM from Fusion Middleware Control
        Problem
        Solution
      - S.1.23.2 Cannot Invoke ODSM from Fusion Middleware Control in Multiple NIC and DHCP Enabled Environment
        Problem
        Solution
        1. Using a web browser, access the WebLogic Server Administration Console.
        2. In the left pane of the WebLogic Server Administration Console, click Lock & Edit to edit the server configuration.
        3. In the left pane of the WebLogic Server Administration Console, expand Environment and select Servers.
        4. On the Summary of Servers page, click the link for the WebLogic Managed Server where Oracle Directory Services Manager is deployed.
        5. On the Settings page for the WebLogic Managed Server, update the Listen Address to the host name of the server where Oracle Directory Services Manager is deployed.
        6. Click Save to save the configuration.
        7. Click Activate Changes to update the server configuration.
      - S.1.23.3 Various Failover Issues
        Problem
        1. Oracle Directory Services Manager is deployed in a High Availability active-active configuration using Oracle HTTP Server.
        2. Display an Oracle Directory Services Manager page using the Oracle HTTP Server name and port number.
        3. Make a connection to an Oracle Internet Directory server.
        4. Work with the Oracle Internet Directory server using the current Oracle Directory Services Manager Oracle HTTP Server host and port.
        5. Shut down one managed server at a time using the WebLogic Server Administration Console.
        6. Go back to the Oracle Directory Services Manager page and port, and the connection which was established earlier with Oracle ...
        Solution
        1. In your web browser, exit the current Oracle Directory Services Manager page.
        2. Launch a new web browser page and specify the same Oracle Directory Services Manager Oracle HTTP Server name and port.
        3. Re-establish a new connection to the Oracle Internet Directory server you were working with earlier.
        Problem
        Solution
        Problem
        Solution
      - S.1.23.4 ODSM Displays an Error Message
        Problem
        Solution
      - S.1.23.5 Cursor Loses Focus
        Problem
        Solution
  - S.2 Need More Help?
    - Index
- Symbols
- Numerics
- A
- B
- C
- D
- E
- F
- G
- H
- I
- J
- K
- L
- M
- N
- O
- P
- Q
- R
- S
- T
- U
- V
- W
- X

Navigation menu