Oidag Oracle Fusion Middleware Administrator Guide For Internet Directors

User Manual:

Open the PDF directly: View PDF .
Page Count: 806 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Contents
1 Introduction to Directory Services
2 Understanding Oracle Internet Directory in Oracle Fusion Middleware
3 Understanding Oracle Internet Directory Concepts and Architecture
4 Understanding Process Control of Oracle Internet Directory Components
5 Understanding Oracle Internet Directory Organization
6 Understanding Oracle Internet Directory Replication
7 Getting Started With Oracle Internet Directory
8 Managing Oracle Internet Directory Instances
9 Managing System Configuration Attributes
10 Managing IP Addresses
11 Managing Naming Contexts
12 Managing Accounts and Passwords
13 Managing Directory Entries
14 Managing Dynamic and Static Groups
15 Performing Bulk Operations
16 Managing Collective Attributes
17 Managing Alias Entries
18 Managing Attribute Uniqueness Constraint Entries
19 Managing Knowledge References and Referrals
20 Managing Directory Schema
21 Configuring Referential Integrity
22 Managing Auditing
23 Managing Logging
24 Monitoring Oracle Internet Directory
25 Backing Up and Restoring Oracle Internet Directory
26 Configuring Secure Sockets Layer (SSL)
27 Configuring Data Privacy
28 Managing Password Policies
29 Managing Directory Access Control
30 Managing Password Verifiers
31 Delegating Privileges for Oracle Identity Management
32 Managing Authentication
33 Planning, Deploying and Managing Realms
34 Tuning and Sizing Oracle Internet Directory
35 Managing Garbage Collection
36 Migrating Data from Other Data Repositories
37 Configuring Server Chaining
38 Managing DIT Masking
39 Setting Up Replication
40 Setting Up Replication Failover
41 Managing Replication Configuration Attributes
42 Managing and Monitoring Replication
43 Configuring a Customized Password Policy Plug-In
44 Developing Plug-ins for the Oracle Internet Directory Server
45 Configuring a Customized External Authentication Plug-in
A Differences Between 10g and 11g
B Managing Oracle Internet Directory Instances by Using OIDCTL
C Setting Up Oracle Database Advanced Replication-Based Replication
D How Replication Works
E Java Server Plug-in Developer's Reference
F PL/SQL Server Plug-in Developer's Reference
G The LDAP Filter Definition
H The Access Control Directive Format
I Globalization Support in the Directory
J Setting up Access Controls for Creation and Search Bases for Users and Groups
K Searching the Directory for User Certificates
L Adding a Directory Node by Using the Database Copy Procedure
M Oracle Authentication Services for Operating Systems
N RFCs Supported by Oracle Internet Directory
O Managing Oracle Directory Services Manager's Java Key Store
P Starting and Stopping the Oracle Stack
Q Performing a Rolling Upgrade
R Using the Oracle Internet Directory VM Template
S Troubleshooting Oracle Internet Directory
- Preface
- Audience
- Documentation Accessibility
  - Access to Oracle Support
- Related Documents
- Conventions
  - What's New in Oracle Internet Directory?
- New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1.6.0)
- New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1.4.0)
- New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1)
- New Features Introduced with Oracle Internet Directory 10g (10.1.4.1)
- New Features Introduced with Oracle Internet Directory 10g Release 2 (10.1.2)
  - Part I Understanding Directory Services
  - 1 Introduction to Directory Services
  - 1.1 What Is a Directory?
    - 1.1.1 The Expanding Role of Online Directories
      - Table 1-1 Comparison of Online Directories and Relational Databases
    - 1.1.2 The Problem: Too Many Special-Purpose Directories
  - 1.2 What Is the Lightweight Directory Access Protocol (LDAP)?
    - 1.2.1 LDAP and Simplified Directory Management
    - 1.2.2 LDAP Version 3
  - 1.3 What Is Oracle Internet Directory?
    - 1.3.1 Overview of Oracle Internet Directory
      - Figure 1-1 Oracle Internet Directory Overview
    - 1.3.2 Components of Oracle Internet Directory
    - 1.3.3 Advantages of Oracle Internet Directory
  - 1.4 How Oracle Products Use Oracle Internet Directory
    - 1.4.1 Easier and More Cost-Effective Administration of Oracle Products
    - 1.4.2 Tighter Security Through Centralized Security Policy Administration
    - 1.4.3 Integration of Multiple Directories
      - 2 Understanding Oracle Internet Directory in Oracle Fusion Middleware
  - 2.1 WebLogic Server Domain
  - 2.2 Oracle Internet Directory as a System Component
  - 2.3 Oracle Internet Directory Deployment Options
    - 1. Create New Domain-Oracle Internet Directory with a local Oracle WebLogic Server Domain. Oracle WebLogic Server is installed locally with Oracle Internet Directory and an admin domain is created for Oracle Internet Directory.
    - 2. Extend Existing Domain-Oracle Internet Directory with a remote Oracle WebLogic Server Domain. Oracle WebLogic Server admin server and domain have been installed and created separately and Oracle Internet Directory registers with the Domain remotely.
    - 3. Expand Cluster-Oracle Internet Directory in an Oracle WebLogic Server cluster for High Availability. This option will not be discussed here.
    - 4. Configure Without Domain-Oracle Internet Directory without a Oracle WebLogic Server Domain. Oracle Internet Directory can be ...
  - 2.4 Middleware Home
  - 2.5 WebLogic Server Home
  - 2.6 Oracle Common Home
  - 2.7 Oracle Home
  - 2.8 Oracle Instance
  - 2.9 Oracle Enterprise Manager Fusion Middleware Control
  - 2.10 Logging, Auditing, and Diagnostics
  - 2.11 MBeans and the WebLogic Scripting Tool
    - 3 Understanding Oracle Internet Directory Concepts and Architecture
  - 3.1 Oracle Internet Directory Architecture
    - 3.1.1 An Oracle Internet Directory Node
      - Figure 3-1 A Typical Oracle Internet Directory Node
        Table 3-1 An Oracle Internet Directory Node
    - 3.1.2 An Oracle Directory Server Instance
      - Figure 3-2 Oracle Directory Server Instance Architecture
    - 3.1.3 Oracle Internet Directory Ports
    - 3.1.4 Directory Metadata
  - 3.2 How Oracle Internet Directory Processes a Search Request
    - 1. The user or client enters a search request that is conditioned by one or more of the following options:
    - 2. The C API, using the LDAP protocol, sends a request to a directory server instance to connect to the directory.
    - 3. The directory server authenticates the user, a process called binding. The directory server also checks the Access Control Lists (ACLs) to verify that the user is authorized to perform the requested search.
    - 4. The directory server converts the search request from LDAP to Oracle Call Interface (OCI)/Oracle Net Services and sends it to the Oracle Database.
    - 5. The Oracle Database retrieves the information and passes it back through the chain-to the directory server, then to the C API, and, finally, to the client.
  - 3.3 Directory Entries
    - 3.3.1 Distinguished Names (DNs) and Directory Information Trees (DITs)
      - Figure 3-3 A Directory Information Tree
    - 3.3.2 Entry Caching
  - 3.4 Attributes
    - Figure 3-4 Attributes of the Entry for Anne Smith
    - 3.4.1 Kinds of Attribute Information
      - Table 3-2 Attributes Created with Each New Entry
    - 3.4.2 Single-Valued and Multivalued Attributes
    - 3.4.3 Common LDAP Attributes
      - Table 3-3 Common LDAP Attributes
    - 3.4.4 Attribute Syntax
    - 3.4.5 Attribute Matching Rules
    - 3.4.6 Attribute Options
  - 3.5 Object Classes
    - 3.5.1 Subclasses, Superclasses, and Inheritance
    - 3.5.2 Object Class Types
  - 3.6 Naming Contexts
    - Figure 3-5 Correct and Incorrect Naming Contexts
  - 3.7 Security
  - 3.8 Globalization Support
  - 3.9 Distributed Directories
    - 3.9.1 Directory Replication
    - 3.9.2 Directory Partitioning
      - Figure 3-6 A Partitioned Directory
  - 3.10 Knowledge References and Referrals
    - Figure 3-7 Using Knowledge References to Point to Naming Contexts
  - 3.11 Oracle Delegated Administration Services and the Oracle Internet Directory Self-Service Console
  - 3.12 The Service Registry and Service to Service Authentication
  - 3.13 Oracle Directory Integration Platform
  - 3.14 Oracle Internet Directory and Identity Management
    - 3.14.1 About Identity Management
    - 3.14.2 Oracle Identity Management Products
    - 3.14.3 Identity Management Realms
      - 3.14.3.1 Default Identity Management Realm
      - 3.14.3.2 Identity Management Policies
  - 3.15 Resource Information
    - 3.15.1 Resource Type Information
    - 3.15.2 Resource Access Information
      - 1. Retrieves the necessary connect information from the RAD
      - 2. Uses that information to connect to those databases and to authenticate the user requesting the data
    - 3.15.3 Location of Resource Information in the DIT
      - Figure 3-8 Placement of Resource Access and Resource Type Information in the DIT
        4 Understanding Process Control of Oracle Internet Directory Components
  - 4.1 Oracle Internet Directory Process Control Architecture
    - Figure 4-1 Oracle Internet Directory Process Control
  - 4.2 The ODS_PROCESS_STATUS Table
    - Table 4-1 Process Control Items in the ODS_PROCESS_STATUS Table
  - 4.3 Starting, Stopping, and Monitoring of Oracle Internet Directory Processes
    - 4.3.1 Oracle Internet Directory Snippet in opmn.xml
    - 4.3.2 OPMN Starting Oracle Internet Directory
    - 4.3.3 OPMN Stopping of Oracle Internet Directory
    - 4.3.4 Process Monitoring
  - 4.4 Oracle Internet Directory Process Control-Best Practices
    - 5 Understanding Oracle Internet Directory Organization
  - 5.1 The Directory Information Tree
    - Figure 5-1 Planning the Directory Information Tree
  - 5.2 Planning the Overall Directory Structure
  - 5.3 Planning the Names and Organization of Users and Groups
    - 5.3.1 Organizing Users
    - 5.3.2 Organizing Groups
      - 1. Use the owner attribute of the group to list which users own this group.
      - 2. Create an access control policy at a higher level that grants all users listed in the owner attribute special privileges to perform the various operations.
  - 5.4 Migrating a DIT from a Third-Party Directory
    - 6 Understanding Oracle Internet Directory Replication
    - Figure 6-1 A Replicated Directory
  - 6.1 Why Use Replication?
  - 6.2 Replication Concepts
    - 6.2.1 Content to be Replicated: Full or Partial
      - Table 6-1 Full or Partial Replication
      - Figure 6-2 Example of Partial Replication
    - 6.2.2 Direction: One-Way, Two-Way, or Peer to Peer
      - Table 6-2 Direction of Replication
    - 6.2.3 Transport Mechanism: LDAP or Oracle Database Advanced Replication
      - Table 6-3 Transport Protocols
    - 6.2.4 Directory Replication Group (DRG) Type: Single-master, Multimaster, or Fan-out
    - 6.2.5 Loose Consistency Model
    - 6.2.6 How the Replication Concepts Fit Together
      - Table 6-5 Types of Data Transfer Between Nodes in a Directory Replication Group
    - 6.2.7 Multimaster Replication with Fan-Out
      - Figure 6-6 Example of Multimaster Replication with Fan-Out
  - 6.3 What Kind of Replication Do You Need?
    - Local Availability
    - Load Balancing
    - High Availability
      - Part II Basic Administration
      - 7 Getting Started With Oracle Internet Directory
  - 7.1 Patching Your System to 11g Release 1 (11.1.1.6.0)
    - 7.1.1 Upgrading a Directory Replication Group
  - 7.2 Postinstallation Tasks and Information
    - 7.2.1 Setting Up the Environment
    - 7.2.2 Adding Datafiles to the OLTS_CT_STORE and OLTS_ATTRSTORE Tablespaces
    - 7.2.3 Changing Settings of Windows Services
    - 7.2.4 Starting and Stopping the Oracle Stack
    - 7.2.5 Identifying Default URLs and Ports
    - 7.2.6 Tuning Oracle Internet Directory
    - 7.2.7 Enabling Anonymous Binds
    - 7.2.8 Enabling Oracle Internet Directory to run on Privileged Ports
    - 7.2.9 Verifying Oracle Database Time Zone
  - 7.3 Using Fusion Middleware Control to Manage Oracle Internet Directory
    - 1. Connect to Fusion Middleware Control.
    - 2. In the left panel topology tree, expand the domain, then Fusion Middleware, then Identity and Access. Alternatively, from the...
    - 3. Select the Oracle Internet Directory component you want to manage.
    - 4. Use the Oracle Internet Directory menu to select tasks.
      - Table 7-1 Using the Oracle Internet Directory Menu
  - 7.4 Using Oracle Directory Services Manager
    - 7.4.1 Introduction to Oracle Directory Services Manager
    - 7.4.2 Configuring ODSM for SSO Integration
    - 7.4.3 Configuring the SSO Server for ODSM Integration
    - 7.4.4 Configuring the Oracle HTTP Server for ODSM-SSO Integration
    - 7.4.5 Invoking Oracle Directory Services Manager
    - 7.4.6 Connecting to the Server from Oracle Directory Services Manager
    - 7.4.7 Configuring Oracle Directory Services Manager Session Timeout
    - 7.4.8 Configuring Oracle HTTP Server to Support Oracle Directory Services Manager in an Oracle WebLogic Server Cluster
  - 7.5 Using Command-Line Utilities to Manage Oracle Internet Directory
    - 7.5.1 Using Standard LDAP Utilities
    - 7.5.2 Using Bulk Tools
    - 7.5.3 Using WLST
  - 7.6 Basic Tasks for Configuring and Managing Oracle Internet Directory
    - 1. Start and stop the LDAP server. See Chapter 8
    - 2. Manage system configuration attributes. See Chapter 9.
    - 3. Manage directory entries. See Chapter 13.
    - 4. Manage directory schema. See Chapter 20.
    - 5. Configure auditing. Chapter 22.
    - 6. Manage log files. See Chapter 23.
    - 7. Configure SSL. See Chapter 26.
    - 8. Configure password policies. See Chapter 28.
    - 9. Configure access control. See Chapter 29.
    - 10. Get sizing and tuning recommendations for Oracle Internet Directory deployments. See the "Obtaining Recommendations by Using...
    - 11. Set up replication. See Chapter 39 and Appendix C.
    - 12. Convert an Advanced Replication-based replication agreement to an LDAP-based replication agreement. See Section 39.2, "Converting an Advanced Replication-Based Agreement to an LDAP-Based Agreement."
    - 13. Modify an existing replication setup. See Chapter 42.
    - 8 Managing Oracle Internet Directory Instances
  - 8.1 Introduction to Managing Oracle Internet Directory Instances
    - 8.1.1 The Instance-Specific Configuration Entry
      - Figure 8-1 DIT Showing Two Instance-Specific Configuration Entries
    - 8.1.2 Creating the First Oracle Internet Directory Instance
    - 8.1.3 Creating Additional Oracle Internet Directory Instances
      - Figure 8-2 Oracle Internet Directory Process Control
    - 8.1.4 Registering an Oracle Instance or Component with the WebLogic Server
  - 8.2 Managing Oracle Internet Directory Components by Using Fusion Middleware Control
    - 8.2.1 Viewing Active Server Information by Using Fusion Middleware Control
    - 8.2.2 Starting the Oracle Internet Directory Server by Using Fusion Middleware Control
    - 8.2.3 Stopping the Oracle Internet Directory Server by Using Fusion Middleware Control
    - 8.2.4 Restarting the Oracle Internet Directory Server by Using Fusion Middleware Control
  - 8.3 Managing Oracle Internet Directory Components by Using opmnctl
    - 8.3.1 Creating an Oracle Internet Directory Component by Using opmnctl
    - 8.3.2 Registering an Oracle Instance by Using opmnctl
    - 8.3.3 Unregistering an Oracle Instance by Using opmnctl
    - 8.3.4 Updating the Component Registration of an Oracle Instance by Using opmnctl
      - Table 8-1 Attribute Changes Requiring Update of Component Registration
    - 8.3.5 Deleting an Oracle Internet Directory Component by Using opmnctl
    - 8.3.6 Viewing Active Server Instance Information by Using opmnctl
    - 8.3.7 Starting the Oracle Internet Directory Server by Using opmnctl
    - 8.3.8 Stopping the Oracle Internet Directory Server by Using opmnctl
    - 8.3.9 Restarting the Oracle Internet Directory Server by Using opmnctl
    - 8.3.10 Changing the Oracle Database Information in opmn.xml
  - 8.4 Starting an Instance of the Replication Server by Using OIDCTL
    - 9 Managing System Configuration Attributes
  - 9.1 Introduction to Managing System Configuration Attributes
    - 9.1.1 What are Configuration Attributes?
    - 9.1.2 What are Operational Attributes?
    - 9.1.3 Attributes of the Instance-Specific Configuration Entry
      - Table 9-1 Attributes of the Instance-Specific Configuration Entry
    - 9.1.4 Attributes of the DSA Configuration Entry
      - Table 9-2 Attributes in the DSA Configuration Entry
    - 9.1.5 Attributes of the DSE
      - Table 9-3 Attributes of the DSE
  - 9.2 Managing System Configuration Attributes by Using Fusion Middleware Control
    - 9.2.1 Configuring Server Properties
    - 9.2.2 Configuring Shared Properties
    - 9.2.3 Configuring Other Parameters
  - 9.3 Managing System Configuration Attributes by Using WLST
    - 1. Invoke WLST
    - 2. Connect to the WebLogic server
    - 3. To navigate to the custom mbean tree, type:
    - 4. To get a one-level list of the MBean in the custom MBean tree, type:
    - 5. To get to a domain, use the cd() command. For example:
      - Table 9-7 Oracle Internet Directory-Related MBeans
    - 6. To get to a specific MBean, type:
    - 7. Once you have navigated to the desired MBean, you can get the current value for an attribute by typing:
    - 8. Before you make any changes to attributes, you must ensure that the MBean has the current server configuration. To do that, load the configuration from Oracle Internet Directory server to the mbean. Type:
    - 9. Then you can use the set command to set a specific attribute. Type:
    - 10. After making changes, you must save the MBean configuration to the Oracle Internet Directory server. Type:
  - 9.4 Managing System Configuration Attributes by Using LDAP Tools
    - 9.4.1 Setting System Configuration Attributes by Using ldapmodify
    - 9.4.2 Listing Configuration Attributes with ldapsearch
  - 9.5 Managing System Configuration Attributes by Using ODSM Data Browser
    - 9.5.1 Navigating to the Instance-Specific Configuration Entry
    - 9.5.2 Navigating to the DSA Configuration Entry
    - 9.5.3 Navigating to the DSE Root
      - 10 Managing IP Addresses
  - 10.1 Introduction to Managing IP Addresses
  - 10.2 Configuring an IP Address for IP V6, Cold Failover Cluster, or Virtual IP
    - 1. Create an LDIF file similar to this:
    - 2. Execute the following ldapmodify command:
    - 3. Restart Oracle Internet Directory by using opmnctl, as follows:
    - 4. Update the registration of the Oracle Internet Directory component, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl." For example:
    - 11 Managing Naming Contexts
  - 11.1 Introduction to Managing Naming Contexts
  - 11.2 Searching for Published Naming Contexts
  - 11.3 Publishing a Naming Context
    - 12 Managing Accounts and Passwords
  - 12.1 Introduction to Managing Accounts and Passwords
  - 12.2 Managing Accounts and Passwords by Using Command-Line Tools
    - 12.2.1 Enabling and Disabling Accounts by Using Command-Line Tools
    - 12.2.2 Unlocking Accounts by Using Command-Line Tools
    - 12.2.3 Forcing a Password Change by Using Command-Line Tools
  - 12.3 Managing Accounts and Passwords by Using the Self-Service Console
    - 12.3.1 Enabling and Disabling Accounts by Using the Oracle Internet Directory Self-Service Console
    - 12.3.2 Unlocking Accounts by Using the Oracle Internet Directory Self-Service Console
    - 12.3.3 Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console
  - 12.4 Listing and Unlocking Locked Accounts by Using Oracle Directory Services Manager
    - 1. Invoke Oracle Directory Services Manager as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
    - 2. From the task selection bar, select Data Browser.
    - 3. Perform a simple search, as described in Section 13.2.2, "Searching for Entries by Using Oracle Directory Services Manager," using the search string (pwdaccountlockedtime=*). A list of entries with locked accounts appears.
    - 4. Select the entry whose account you want to unlock.
    - 5. When an account is locked, Unlock Account appears before the Apply and Revert buttons. Click Unlock Account.
  - 12.5 Changing the Superuser Password by Using Fusion Middleware Control
    - 1. Select Administration, then Shared Properties from the Oracle Internet Directory menu.
    - 2. Click the Change Superuser Password tab.
    - 3. Specify the old password.
    - 4. Specify the new password.
    - 5. Confirm the new password.
    - 6. Click Apply.
      - Table 12-1 Configuration Attributes on Shared Properties, Change Superuser Password Tab.
  - 12.6 Creating Another Account With Superuser Privileges
  - 12.7 Managing the Superuser Password by Using ldapmodify
  - 12.8 Changing the Oracle Internet Directory Database Password
  - 12.9 Resetting the Superuser Password
    - Example:
  - 12.10 Changing the Password for the EMD Administrator Account
    - 1. Change the userpassword of the account "cn=emd admin,cn=oracle internet directory" in Oracle Internet Directory by using ldapmodify.
    - 2. Invoke wlst and connect to the WebLogic server.
    - 3. Run the following WLST command:
    - 4. On each Oracle instance in the WebLogic domain, execute the following command line:
    - 5. Update the component registration of the Oracle instance, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl."
  - 12.11 Changing the Password for the ODSSM Administrator Account
    - 1. Use SQLPlus or a similar tool to alter the password in the database.
    - 2. Go to ORACLE_HOME/common/bin and run the following command:
    - 3. Connect to the WebLogic Administration Server:
    - 4. Run the updateCred() command:
    - 5. On each Oracle instance in the WebLogic domain, execute the following command line:
    - 6. Update the component registration of the Oracle instance, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl."
    - 1. Log in to the WebLogic Administration console at: http://host:port/console
    - 2. Select Data Sources -> schedulerDS -> Connection Pool.
    - 3. Click Lock & Edit in the top left corner of the screen.
    - 4. Enter the new password in the Password and Confirm Password fields.
    - 5. Click Activate Changes.
    - 13 Managing Directory Entries
  - 13.1 Introduction to Managing Directory Entries
  - 13.2 Managing Entries by Using Oracle Directory Services Manager
    - 13.2.1 Displaying Entries by Using Oracle Directory Services Manager
    - 13.2.2 Searching for Entries by Using Oracle Directory Services Manager
    - 13.2.3 Importing Entries from an LDIF File by Using Oracle Directory Services Manager
    - 13.2.4 Exporting Entries to an LDIF File by Using Oracle Directory Services Manager
    - 13.2.5 Viewing Attributes for a Specific Entry by Using Oracle Directory Services Manager
    - 13.2.6 Adding a New Entry by Using Oracle Directory Services Manager
    - 13.2.7 Deleting an Entry or Subtree by Using Oracle Directory Services Manager
    - 13.2.8 Adding an Entry by Copying an Existing Entry in Oracle Directory Services Manager
    - 13.2.9 Modifying an Entry by Using Oracle Directory Services Manager
  - 13.3 Managing Entries by Using LDAP Command-Line Tools
    - 13.3.1 Listing All the Attributes in the Directory by Using ldapsearch
    - 13.3.2 Listing Operational Attributes by Using ldapsearch
    - 13.3.3 Attribute Case in ldapsearch Output
    - 13.3.4 Adding a User Entry by Using ldapadd
    - 13.3.5 Modifying a User Entry by Using ldapmodify
    - 13.3.6 Adding an Attribute Option by Using ldapmodify
    - 13.3.7 Deleting an Attribute Option by Using ldapmodify
    - 13.3.8 Searching for Entries with Attribute Options by Using ldapsearch
      - 14 Managing Dynamic and Static Groups
  - 14.1 Introduction to Managing Dynamic and Static Groups
    - 14.1.1 Static Groups
      - 14.1.1.1 Schema Elements for Creating Static Groups
    - 14.1.2 Dynamic Groups
    - 14.1.3 Hierarchies
    - 14.1.4 Querying Group Entries
    - 14.1.5 orclMemberOf Attribute
      - Examples:
    - 14.1.6 When to Use Each Kind of Group
      - Table 14-2 Static and Dynamic Group Considerations
  - 14.2 Managing Group Entries by Using Oracle Directory Services Manager
    - 14.2.1 Creating Static Group Entries by Using Oracle Directory Services Manager
    - 14.2.2 Modifying a Static Group Entry by Using Oracle Directory Services Manager
    - 14.2.3 Creating Dynamic Group Entries by Using Oracle Directory Services Manager
    - 14.2.4 Modifying a Dynamic Group Entry by Using Oracle Directory Services Manager
  - 14.3 Managing Group Entries by Using the Command Line
    - 14.3.1 Creating a Static Group Entry by Using ldapadd
      - Example: Creating a Static Group Entry by Using ldapadd
    - 14.3.2 Modifying a Static Group by Using ldapmodify
      - Example: Modifying a Static Group by Using ldapmodify
    - 14.3.3 Creating a Dynamic Group Entry by Using ldapadd
    - 14.3.4 Modifying a Dynamic Group by Using ldapmodify
      - 15 Performing Bulk Operations
  - 15.1 Introduction to Performing Bulk Operations
  - 15.2 Changing Server Mode
    - 15.2.1 Setting the Server Mode by Using Fusion Middleware Control
    - 15.2.2 Setting the Server Mode by Using ldapmodify
  - 15.3 Loading Data Into the Schema by Using bulkload
    - 15.3.1 Importing an LDIF File by Using bulkload
    - 15.3.2 Loading Data in Incremental or Append Mode By Using bulkload
    - 15.3.3 Performing Index Verification By Using bulkload
    - 15.3.4 Re-Creating Indexes By Using bulkload
    - 15.3.5 Recovering Data After a Load Failure By Using bulkload
  - 15.4 Modifying Attributes of a Large Number of Entries By Using bulkmodify
    - 15.4.1 Adding a Description for All Entries Under a Specified Naming Context
    - 15.4.2 Adding an Attribute for Entries Under a Specified Naming Context Matching a Filter
    - 15.4.3 Replacing an Attribute for All Entries Under a Specified Naming Context
  - 15.5 Deleting Entries or Attributes of Entries by Using bulkdelete
    - 15.5.1 Deleting All Entries Under a Specified Naming Context by Using bulkdelete
    - 15.5.2 Deleting Entries Under Naming Contexts and Making them Tombstone Entries
  - 15.6 Dumping Data from Oracle Internet Directory to a File by Using ldifwrite
    - 15.6.1 Dumping Part of a Specified Naming Context to an LDIF File
    - 15.6.2 Dumping Entries Under a Specified Naming Context to an LDIF File
  - 15.7 Creating and Dropping Indexes from Existing Attributes by Using catalog
    - 15.7.1 Changing a Searchable Attribute into a Non-searchable Attribute
    - 15.7.2 Changing a Non-searchable Attribute into a Searchable Attribute
      - 16 Managing Collective Attributes
  - 16.1 Introduction to Collective Attributes
    - 16.1.1 The RFC Definition and Oracle Extensions
      - 16.1.1.1 RFC 3671
      - 16.1.1.2 Oracle Extensions
    - 16.1.2 Defining the Collective Attribute Subentry
    - 16.1.3 Using subtreeSpecification
    - 16.1.4 Overriding a Collective Attribute
  - 16.2 Managing Collective Attributes by Using the Command Line
    - 16.2.1 Adding a Subentry by Using ldapadd
    - 16.2.2 Modifying a Subentry by Using ldapmodify
      - 17 Managing Alias Entries
  - 17.1 Introduction to Managing Alias Entries
    - Figure 17-1 Alias Entries Example
  - 17.2 Adding an Alias Entry
    - 1. Create a sample LDIF file, My_file.ldif, with the following entries:
    - 2. Add these entries to the directory by using the following command:
    - Figure 17-2 Resulting Tree when Creating the My_file.ldif
  - 17.3 Searching the Directory with Alias Entries
    - Table 17-1 Flags for Searching the Directory with Alias Entries
    - 17.3.1 Searching the Base with Alias Entries
    - 17.3.2 Searching One-Level with Alias Entries
    - 17.3.3 Searching a Subtree with Alias Entries
  - 17.4 Modifying Alias Entries
  - 17.5 Interpreting Messages Related to Alias Dereferencing
    - Table 17-2 Entry Alias Dereferencing Messages
    - 18 Managing Attribute Uniqueness Constraint Entries
  - 18.1 Introduction to Managing Attribute Uniqueness Constraint Entries
    - Table 18-1 Attribute Uniqueness Constraint Entry
    - Simple Replication Scenario
    - Multimaster Replication Scenario
  - 18.2 Specifying Attribute Uniqueness Constraint Entries
    - Figure 18-1 Example of a Directory Information Tree
    - 18.2.1 Specifying Multiple Attribute Names in an Attribute Uniqueness Constraint
    - 18.2.2 Specifying Multiple Subtrees in an Attribute Uniqueness Constraint
    - 18.2.3 Specifying Multiple Scopes in an Attribute Uniqueness Constraint
    - 18.2.4 Specifying Multiple Object Classes in an Attribute Uniqueness Constraint
    - 18.2.5 Specifying Multiple Subtrees, Scopes, and Object Classes in an Attribute Uniqueness Constraint
  - 18.3 Managing an Attribute Uniqueness Constraint Entry by Using Oracle Directory Services Manager
    - 18.3.1 Creating an Attribute Uniqueness Constraint Entry by Using ODSM
    - 18.3.2 Modifying an Attribute Uniqueness Constraint Entry by Using ODSM
    - 18.3.3 Deleting an Attribute Uniqueness Constraint Entry by Using ODSM
  - 18.4 Managing an Attribute Uniqueness Constraint Entry by Using the Command Line
    - 18.4.1 Creating Attribute Uniqueness Across a Directory by Using Command-Line Tools
    - 18.4.2 Creating Attribute Uniqueness Across One Subtree by Using Command-Line Tools
    - 18.4.3 Creating Attribute Uniqueness Across One Object Class by Using Command-Line Tools
    - 18.4.4 Modifying Attribute Uniqueness Constraint Entries by Using Command-Line Tools
    - 18.4.5 Deleting Attribute Uniqueness Constraint Entries by Using Command-Line Tools
      - 1. Remove the attribute uniqueness constraint entry from the directory by using ldapdelete.
      - 2. Restart the directory server to effect this change.
    - 18.4.6 Enabling and Disabling Attribute Uniqueness by Using Command-Line Tools
  - 19.1 Introduction to Managing Knowledge References and Referrals
  - 19.2 Configuring Smart Referrals
    - 1. On Server A and B in the United States, configure a knowledge reference for the c=uk object on Server C and Server D:
    - 2. Configure a similar knowledge reference on Server C and D in the United Kingdom for the c=us object on Server A and Server B:
  - 19.3 Configuring Default Referrals
    - 20 Managing Directory Schema
  - 20.1 Introduction to Managing Directory Schema
    - 20.1.1 Where Schema Information is Stored in the Directory
      - Figure 20-1 Location of Schema Components in Entries of Type subSchemaSubentry
    - 20.1.2 Understanding Object Classes
    - 20.1.3 Understanding Attributes
    - 20.1.4 Extending the Number of Attributes Associated with Entries
    - 20.1.5 Understanding Attribute Aliases
    - 20.1.6 Object Identifier Support in LDAP Operations
  - 20.2 Managing Directory Schema by Using Oracle Directory Services Manager
    - 20.2.1 Searching for Object Classes by Using Oracle Directory Services Manager
    - 20.2.2 Adding Object Classes by Using Oracle Directory Services Manager
    - 20.2.3 Modifying Object Classes by Using Oracle Directory Services Manager
    - 20.2.4 Deleting Object Classes by Using Oracle Directory Services Manager
    - 20.2.5 Viewing Properties of Object Classes by Using Oracle Directory Services Manager
    - 20.2.6 Adding a New Attribute by Using Oracle Directory Services Manager
    - 20.2.7 Modifying an Attribute by Using Oracle Directory Services Manager
    - 20.2.8 Deleting an Attribute by Using Oracle Directory Services Manager
    - 20.2.9 Viewing All Directory Attributes by Using Oracle Directory Services Manager
    - 20.2.10 Searching for Attributes by Using Oracle Directory Services Manager
    - 20.2.11 Adding an Index to a New Attribute by Using Oracle Directory Services Manager
      - 1. Create an attribute as described in Section 20.2.6, "Adding a New Attribute by Using Oracle Directory Services Manager" or in Section 20.3.5, "Adding and Modifying Attributes by Using ldapmodify."
      - 2. In the New Attribute Type dialog box, select the Indexed box.
    - 20.2.12 Adding an Index to an Existing Attribute by Using Oracle Directory Services Manager
    - 20.2.13 Dropping an Index from an Attribute by Using Oracle Directory Services Manager
    - 20.2.14 Creating a Content Rule by Using Oracle Directory Services Manager
    - 20.2.15 Modifying a Content Rule by Using Oracle Directory Services Manager
    - 20.2.16 Viewing Matching Rules by Using Oracle Directory Services Manager
    - 20.2.17 Viewing Syntaxes by Using Oracle Directory Services Manager
  - 20.3 Managing Directory Schema by Using the Command Line
    - 20.3.1 Viewing the Schema by Using ldapsearch
    - 20.3.2 Adding a New Object Class by Using Command-Line Tools
    - 20.3.3 Adding a New Attribute to an Auxiliary or User-Defined Object Class by Using Command-Line Tools
    - 20.3.4 Modifying Object Classes by Using Command-Line Tools
    - 20.3.5 Adding and Modifying Attributes by Using ldapmodify
    - 20.3.6 Deleting Attributes by Using ldapmodify
    - 20.3.7 Indexing an Attribute by Using ldapmodify
    - 20.3.8 Dropping an Index from an Attribute by Using ldapmodify
    - 20.3.9 Indexing an Attribute by Using the Catalog Management Tool
    - 20.3.10 Adding a New Attribute With Attribute Aliases by Using the Command Line
    - 20.3.11 Adding or Modifying Attribute Aliases in Existing Attributes by Using the Command Line
    - 20.3.12 Deleting Attribute Aliases by Using the Command Line
    - 20.3.13 Using Attribute Aliases with LDAP Commands
    - 20.3.14 Managing Content Rules by Using Command-Line Tools
      - Table 20-2 Content Rule Parameters
    - 20.3.15 Viewing Matching Rules by Using ldapsearch
    - 20.3.16 Viewing Syntaxes by Using by Using ldapsearch
      - 21 Configuring Referential Integrity
  - 21.1 Introduction to Configuring Referential Integrity
  - 21.2 Enabling Referential Integrity by Using Fusion Middleware Control
    - 1. Select Administration, then Shared Properties from the Oracle Internet Directory menu, then select General.
    - 2. Select a value from the Referential Integrity list:
    - 3. Choose Apply.
  - 21.3 Disabling Referential Integrity by Using Fusion Middleware Control
    - 1. Select Administration, then Shared Properties from the Oracle Internet Directory menu, then select General.
    - 2. Select Disabled from the Enable Referential Integrity list.
  - 21.4 Enabling Referential Integrity by Using the Command Line
  - 21.5 Configuring Specific Attributes for Referential Integrity by Using the Command Line
  - 21.6 Disabling Referential Integrity by Using the Command Line
  - 21.7 Detecting and Correcting Referential Integrity Violations
    - 1. Run oiddiag with the option listdiags=true. The default output file is ORACLE_INSTANCE/diagnostics/logs/OID/tools/oiddiag.txt.
    - 2. Edit the output file, oiddiag.txt so that it contains only the line:
    - 3. Run oiddiag with the option collect_sub=true
    - 22 Managing Auditing
  - 22.1 Introduction to Auditing
    - 22.1.1 Configuring the Audit Store
    - 22.1.2 Oracle Internet Directory Audit Configuration
      - Table 22-1 Oracle Internet Directory Audit Configuration Attributes
    - 22.1.3 Replication and Oracle Directory Integration Platform Audit Configuration
    - 22.1.4 Audit Record Fields
    - 22.1.5 Audit Record Storage
    - 22.1.6 Generating Audit Reports
  - 22.2 Managing Auditing by Using Fusion Middleware Control
    - 1. From the Oracle Internet Directory menu, select Security, then Audit Policy Settings.
    - 2. From the Audit Policy list, select Custom to configure your own filters, or one of the filter presets, None, Low, or Medium. (You cannot set All from Fusion Middleware Control.)
    - 3. If you want to audit only failures, click Select Failures Only.
    - 4. To configure a filter, click the Edit icon next to its name. The Edit Filter dialog for the filter appears.
    - 5. Specify the filter condition using the buttons, selections from the menus, and strings that you enter. Condition subjects inc...
    - 6. To add a condition, click the Add icon.
    - 7. When you have completed the filter, click Apply to save the changes or Revert to discard the changes.
      - Table 22-2 Audit Configuration Attributes in Fusion Middleware Control
  - 22.3 Managing Auditing by Using WLST
  - 22.4 Managing Auditing from the Command Line
    - 22.4.1 Viewing Audit Configuration from the Command Line
    - 22.4.2 Configuring Oracle Internet Directory Auditing from the Command Line
    - 22.4.3 Enabling Replication and Oracle Directory Integration Platform Auditing
      - 23 Managing Logging
  - 23.1 Introduction to Logging
    - Table 23-1 Oracle Internet Directory Log File Locations
    - 23.1.1 Features of Oracle Internet Directory Debug Logging
    - 23.1.2 Interpreting Log Messages
  - 23.2 Managing Logging by Using Fusion Middleware Control
    - 23.2.1 Viewing Log Files by Using Fusion Middleware Control
    - 23.2.2 Configuring Logging by Using Fusion Middleware Control
  - 23.3 Managing Logging from the Command Line
    - 23.3.1 Viewing Log Files from the Command Line
    - 23.3.2 Setting Debug Logging Levels by Using the Command Line
      - Table 23-3 Values for OrclDebugFlag
    - 23.3.3 Setting the Debug Operation by Using the Command Line
      - Table 23-4 Debug Operations
    - 23.3.4 Force Flushing the Trace Information to a Log File
      - Example 23-1 Enabling Force Flushing
        1. Create an LDIF file as follows:
        2. Load this file by entering the following:
        24 Monitoring Oracle Internet Directory
  - 24.1 Introduction to Monitoring Oracle Internet Directory Server
    - 24.1.1 Capabilities of Oracle Internet Directory Server Manageability
    - 24.1.2 Oracle Internet Directory Server Manageability Architecture and Components
      - Figure 24-1 Architecture of Oracle Internet Directory Server Manageability
        Table 24-1 Components of Oracle Internet Directory Server Manageability
    - 24.1.3 Purging of Security Events and Statistics Entries
    - 24.1.4 Account Used for Accessing Server Manageability Information
  - 24.2 Setting Up Statistics Collection by Using Fusion Middleware Control
    - 24.2.1 Configuring Directory Server Statistics Collection by Using Fusion Middleware Control
    - 24.2.2 Configuring a User for Statistics Collection by Using Fusion Middleware Control
  - 24.3 Viewing Statistics Information with Fusion Middleware Control
    - 24.3.1 Viewing Statistics Information on the Oracle Internet Directory Home Page
    - 24.3.2 Viewing Information on the Oracle Internet Directory Performance Page
  - 24.4 Viewing Statistics Information from the Oracle Directory Services Manager Home Page
  - 24.5 Setting Up Statistics Collection by Using the Command-Line
    - 24.5.1 Configuring Health, General, and Performance Statistics Attributes
    - 24.5.2 Configuring Security Events Tracking
      - Table 24-3 Values of orcloptracklevel
      - Table 24-4 Metrics Recorded by Each orcloptracklevel Value
    - 24.5.3 Configuring User Statistics Collection from the Command Line
    - 24.5.4 Configuring Event Levels from the Command Line
      - Table 24-5 Event Levels
    - 24.5.5 Configuring a User for Statistics Collection by Using the Command Line
  - 24.6 Viewing Information with the OIDDIAG Tool
    - Security Events
    - All Statistics and Events
    - Subset of Statistics and Events
  - 26.1 Introduction to Configuring Secure Sockets Layer (SSL)
    - 26.1.1 Supported Cipher Suites
      - Table 26-1 SSL Cipher Suites Supported in Oracle Internet Directory
    - 26.1.2 Supported Protocol Versions
    - 26.1.3 SSL Authentication Modes
      - Table 26-2 SSL Authentication Modes
    - 26.1.4 Limitations of the Use of SSL in11g Release 1 (11.1.1)
    - 26.1.5 Oracle Wallets
    - 26.1.6 Other Components and SSL
    - 26.1.7 SSL Interoperability Mode
    - 26.1.8 StartTLS
  - 26.2 Configuring SSL by Using Fusion Middleware Control
    - 1. Creating a Wallet by Using Fusion Middleware Control
    - 2. Configuring SSL Parameters by Using Fusion Middleware Control
    - 3. Restarting Oracle Internet Directory.
    - 26.2.1 Creating a Wallet by Using Fusion Middleware Control
    - 26.2.2 Configuring SSL Parameters by Using Fusion Middleware Control
    - 26.2.3 Setting SSL Parameters with Fusion Middleware Control
      - SSL Attributes
        Table 26-3 SSL-Related Attributes in Fusion Middleware Control
  - 26.3 Configuring SSL by Using WLST
    - 1. Create an Oracle wallet.
    - 2. Configure SSL parameters.
    - 3. Restart Oracle Internet Directory.
    - 1. Invoke wlst and connect to the host, specifying the username, password, and port of the WebLogic administration server.
    - 2. Navigate to the custom mbean tree, then to the specific mbean oracle.as.oid, as described in Section 9.3, "Managing System Configuration Attributes by Using WLST."
    - 3. Determine what certificates, if any, you already have in the Key Store MBean. See Table 9-7, " Oracle Internet Directory-Related MBeans".
    - 4. If Necessary, create a new self-signed certificate.
    - 5. Add a self-signed certificate to the wallet for use as the server certificate.
    - 6. Configure the oid1 component node's listener/port for SSL, specifying the appropriate authentication mode:
    - 7. Restart Oracle Internet Directory, as described in Chapter 8, "Managing Oracle Internet Directory Instances," to activate the changes
    - 8. Run opmnctl updatecomponentregistration, as described in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by Using opmnctl"
    - 9. Verify that SSL is enabled by using the methods described in Section 26.5, "Testing SSL Connections by Using Oracle Directory Services Manager" and Section 26.6, "Testing SSL Connections From the Command Line."
  - 26.4 Configuring SSL by Using LDAP Commands
    - 1. Create an Oracle wallet.
    - 2. Configure SSL parameters.
    - 3. Restart Oracle Internet Directory.
      - Table 26-4 SSL Attributes
  - 26.5 Testing SSL Connections by Using Oracle Directory Services Manager
    - 1. Invoke ODSM as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
    - 2. Connect to the Oracle Internet Directory server. On the login screen, enable SSL and specify the SSL port.
  - 26.6 Testing SSL Connections From the Command Line
    - 26.6.1 Testing SSL With Encryption Only
    - 26.6.2 Testing SSL With Server Authentication
    - 26.6.3 Testing SSL With Client and Server Authentication
  - 26.7 Configuring SSL Interoperability Mode
    - 27 Configuring Data Privacy
  - 27.1 Introduction to Table Space Encryption
  - 27.2 Enabling and Disabling Table Space Encryption
    - 1. Make a cold backup of the Oracle Databases that are used by the Oracle Internet Directory instances.
    - 2. Make sure you have the JavaVM and XML developer's Kit packages installed in the database Oracle home.
    - 3. Log in to SQL*Plus as a user who has the SYSTEM privilege and execute the following command:
    - 4. Create the directory object, log directory object used for dumpfiles, and logfiles of the Oracle DataPump utility. Log in to SQL*Plus as the ODS user and execute the following commands:
    - 5. Create directory_path and log_directory_path in the file system.
    - 6. Set the database wallet location in the sqlnet.ora of the database Oracle home.
      - a. To use a separate database wallet for table space encryption, set the parameter ENCRYPTION_WALLET_LOCATION in sqlnet.ora. For example:
      - b. To use the same database wallet shared by all Oracle components, set the parameter WALLET_LOCATION in sqlnet.ora. For example:
    - 7. Shut down all the Oracle Internet Directory instances that are using the Oracle Database Oracle home.
    - 8. If you are enabling table space encryption for the first time in the Oracle Database Oracle home, log in to SQL*Plus as a user who has the ALTER SYSTEM privilege and execute the following command:
    - 9. Whenever the Oracle Database is shut down and restarted, log in to SQL*Plus as a user who has the ALTER SYSTEM privilege and execute the following command:
    - 10. Set the environment variable ORACLE_HOME to the Oracle Database home.
    - 11. Set the environment variable NLS_LANG to the character set of the Oracle Database server.
    - 12. Edit the path of the perl5 executable in the Perl script ORACLE_ HOME/ldap/datasecurity/oidtbltde.pl so that it matches the location of perl5 on your computer.
    - 13. If you have not already done so, install the database independent interface module for Perl (DBI) and the Oracle DBD driver for Perl.
    - 14. Run the Perl script oidtbltde.pl to enable or disable TDE for Oracle Internet Directory
  - 27.3 Introduction to Using Database Vault With Oracle Internet Directory
  - 27.4 Configuring Oracle Database Vault to Protect Oracle Internet Directory Data
    - 27.4.1 Registering Oracle Database Vault
    - 27.4.2 Adding a Database Vault Realm and Policies for Oracle Internet Directory
    - 27.4.3 Managing Oracle Database Vault Configuration for Oracle Internet Directory
    - 27.4.4 Deleting Database Vault Policies For Oracle Internet Directory
    - 27.4.5 Disabling Oracle Database Vault for the Oracle Internet Directory Database
  - 27.5 Best Practices for Using Database Vault with Oracle Internet Directory
  - 27.6 Introduction to Sensitive Attributes
    - 27.6.1 List of Sensitive Attributes
      - Table 27-1 Sensitive Attributes Stored in orclencryptedattributes
    - 27.6.2 Encryption Algorithm for Sensitive Attributes
  - 27.7 Configuring Privacy of Retrieved Sensitive Attributes
  - 27.8 Introduction to Hashed Attributes
    - Table 27-2 LDAP and Bulk Operations on Attributes in orclhashedattributes
  - 27.9 Configuring Hashed Attributes
    - 27.9.1 Configuring Hashed Attributes by Using Fusion Middleware Control
    - 27.9.2 Configuring Hashed Attributes by Using ldapmodify
      - 28 Managing Password Policies
  - 28.1 Introduction to Managing Password Policies
    - 28.1.1 What a Password Policy Is
    - 28.1.2 Steps Required to Create and Apply a Password Policy
    - 28.1.3 Fine-Grained Password Policies
      - Figure 28-1 Location of Password Policy Entries
      - Figure 28-2 pwdPolicy subentry Attributes Populated with DN of Password Policy
    - 28.1.4 Default Password Policy
    - 28.1.5 Password Policy Attributes
      - Table 28-1 Password Policy Attributes
    - 28.1.6 Password Policy-Related Operational Attributes
      - Table 28-2 Password Policy-Related Operational Attributes
    - 28.1.7 Directory Server Verification of Password Policy Information
    - 28.1.8 Password Policy Error Messages
    - 28.1.9 Releases Before 10g (10.1.4.0.1)
  - 28.2 Managing Password Policies by Using Oracle Directory Services Manager
    - 28.2.1 Viewing Password Policies by Using Oracle Directory Services Manager
    - 28.2.2 Modifying Password Policies by Using Oracle Directory Services Manager
    - 28.2.3 Creating a Password Policy and Assigning it to a Subtree by Using ODSM
  - 28.3 Managing Password Policies by Using Command-Line Tools
    - 28.3.1 Viewing Password Policies by Using Command-Line Tools
    - 28.3.2 Creating a New Password Policy by Using Command-Line Tools
    - 28.3.3 Applying a Password Policy to a Subtree by Using Command-Line Tools
    - 28.3.4 Setting Password Policies by Using Command-Line Tools
      - 29 Managing Directory Access Control
  - 29.1 Introduction to Managing Directory Access Control
    - 29.1.1 Access Control Management Constructs
    - 29.1.2 Access Control Information Components
    - 29.1.3 Access Level Requirements for LDAP Operations
      - Table 29-3 LDAP Operations and Access Needed to Perform Each One
    - 29.1.4 How ACL Evaluation Works
  - 29.2 Managing Access Control by Using Oracle Directory Services Manager
    - 29.2.1 Viewing an ACP by Using Oracle Directory Services Manager
    - 29.2.2 Adding an ACP by Using Oracle Directory Services Manager
    - 29.2.3 Modifying an ACP by Using Access Control Management in ODSM
    - 29.2.4 Adding or Modifying an ACP by Using the Data Browser in ODSM
    - 29.2.5 Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM
  - 29.3 Managing Access Control by Using Command-Line Tools
    - 29.3.1 Restricting the Kind of Entry a User Can Add
    - 29.3.2 Setting Up an Inheritable ACP by Using ldapmodify
    - 29.3.3 Setting Up Entry-Level ACIs by Using ldapmodify
    - 29.3.4 Using Wildcards in an LDIF File with ldapmodify
    - 29.3.5 Selecting Entries by DN
    - 29.3.6 Using Attribute and Subject Selectors
    - 29.3.7 Granting Read-Only Access
    - 29.3.8 Granting Selfwrite Access to Group Entries
    - 29.3.9 Defining a Completely Autonomous Policy to Inhibit Overriding Policies
      - Table 29-5 DNs Used in Example
      - 30 Managing Password Verifiers
  - 30.1 Introduction to Password Verifiers for Authenticating to the Directory
    - 30.1.1 Userpassword Verifiers and Authentication to the Directory
    - 30.1.2 Hashing Schemes for Creating Userpassword Verifiers
  - 30.2 Managing Hashing Schemes for Password Verifiers for Authenticating to the Directory
  - 30.3 Introduction to Password Verifiers for Authenticating to Components
    - 30.3.1 About Password Verifiers for Authenticating to Oracle Components
      - Figure 30-1 Location of the Password Verifier Profile Entry
    - 30.3.2 Attributes for Storing Password Verifiers for Authenticating to Oracle Components
      - Table 30-1 Attributes for Storing Password Verifiers in User Entries
      - Figure 30-2 Authentication Model
    - 30.3.3 Default Verifiers for Oracle Components
    - 30.3.4 How Password Verification Works for an Oracle Component
      - Figure 30-3 How Password Verification Works
        1. The user tries to log in to an application by entering a user name and a clear text password.
        2. The application sends the clear text password to the directory server. If the application stores password verifiers in the di...
        3. The directory server:
        a. Generates a password verifier by using the hashing algorithm specified for the particular application
        b. Compares this password verifier with the corresponding password verifiers in the directory. For the compare operation to be successful, the application must provide its appID as the subtype of the verifier attribute. For example:
        c. Notifies the application of the results of the compare operation.
        4. Depending on the message from the directory server, the application either authenticates the user or not.
        1. Hashes the clear text password entered by the user
        2. Retrieves from the directory the hashed value of the clear text password as entered by the user
        3. Initiates a challenge to the user to which the client responds. If the response is correct, then the application authenticates the user.
  - 30.4 Managing Password Verifier Profiles for Oracle Components by Using ODSM
    - 1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
    - 2. From the task selection bar, select Security.
    - 3. Expand Password Verifier in the left pane. All of the password verifiers appear in the left pane.
    - 4. Select the password verifier you want to view. The right pane displays the Password Verifier Profile tab page.
    - 5. You can modify the hashing algorithm used to generate a password verifier. In the Password Verifier Profile dialog box, specify the hashing algorithm in the Oracle Password Parameters field. The syntax is:
  - 30.5 Managing Password Verifier Profiles for Components by Using Command-Line Tools
    - 30.5.1 Viewing a Password Verifier Profile by Using Command-Line Tools
    - 30.5.2 Example: Modifying a Password Verifier Profile by Using Command-Line Tools
  - 30.6 Introduction to Generating Verifiers by Using Dynamic Parameters
  - 30.7 Configuring Oracle Internet Directory to Generate Dynamic Password Verifiers
    - 31 Delegating Privileges for Oracle Identity Management
  - 31.1 Introduction to Delegating Privileges for Oracle Identity Management
    - 31.1.1 How Delegation Works
    - 31.1.2 Delegation in an Oracle Fusion Middleware Environment
      - Figure 31-1 Delegation Flow in an Oracle Fusion Middleware Environment
    - 31.1.3 About the Default Configuration
      - Table 31-1 Default Privileges Granted to Everyone and to Each User
    - 31.1.4 Privileges for Administering the Oracle Technology Stack
      - Table 31-2 Privileges for Administering the Oracle Technology Stack
  - 31.2 Delegating Privileges for User and Group Management
    - 31.2.1 How Privileges Are Granted for Managing User and Group Data
    - 31.2.2 Default Privileges for Managing User Data
    - 31.2.3 Default Privileges for Managing Group Data
  - 31.3 Delegating Privileges for Deployment of Oracle Components
    - 31.3.1 How Deployment Privileges Are Granted
      - 1. Grants certain deployment privileges to various groups-for example, the Oracle Fusion Middleware Administrators Group
      - 2. Adds the administrators to those privileged groups
    - 31.3.2 Oracle Application Server Administrators
      - Table 31-11 Characteristics of the Oracle Application Server Administrators Group
    - 31.3.3 User Management Application Administrators
      - Table 31-12 Characteristics of the User Management Application Administrators Group
    - 31.3.4 Trusted Application Administrators
      - Table 31-13 Characteristics of the Trusted Application Administrators Group
  - 31.4 Delegating Privileges for Component Run Time
    - 31.4.1 Default Privileges for Reading and Modifying User Passwords
      - Table 31-14 Characteristics of the User Security Administrators Group
    - 31.4.2 Default Privileges for Comparing User Passwords
      - Table 31-15 Characteristics of the Authentication Services Group
    - 31.4.3 Default Privileges for Comparing Password Verifiers
      - Table 31-16 Characteristics of the Verifier Services Group
    - 31.4.4 Default Privileges for Proxying on Behalf of End Users
      - Table 31-17 Characteristics of the User Proxy Privilege Group
    - 31.4.5 Default Privileges for Managing the Oracle Context
      - Table 31-18 Characteristics of the Oracle Context Administrators Group
    - 31.4.6 Default Privileges for Reading Common User Attributes
      - Table 31-19 Characteristics of the Common User Attributes Group
    - 31.4.7 Default Privileges for Reading Common Group Attributes
      - Table 31-20 Characteristics of the Common Group Attributes Group
    - 31.4.8 Default Privileges for Reading the Service Registry
      - Table 31-21 Characteristics of the Service Registry Viewers Group
    - 31.4.9 Default Privileges for Administering the Service Registry
      - Table 31-22 Characteristics of the Common Group Attributes Group
      - 32 Managing Authentication
  - 32.1 Introduction to Authentication
    - 32.1.1 Direct Authentication
    - 32.1.2 Indirect Authentication
      - Figure 32-1 Indirect Authentication
        1. The end user sends to the application or middle tier a request containing a query to Oracle Internet Directory. The application or middle tier authenticates the end user.
        2. The application or middle tier binds to the directory.
        3. The application or middle tier performs a second bind, this time using the DN of the end user. It does not enter the end user's password.
        4. The directory server recognizes this second bind as an attempt by the application or middle tier to switch to the end user's ...
    - 32.1.3 External Authentication
    - 32.1.4 Simple Authentication and Security Layer (SASL)
      - How a SASL-Enabled Client Authenticates to a Directory Server by Using Digest-MD5
        1. The directory server sends to the LDAP client a digest-challenge that includes various Digest-MD5 authentication options that it supports and a special token.
        2. The client selects an authentication option, then sends a digest-response to the server indicating the option it has selected...
        3. The directory server then decrypts and verifies the client credential from the response.
      - How a SASL-Enabled Client Authenticates to a Directory Server by Using External Authentication
        1. The client sends an initial message with the authorization identity.
        2. The directory server uses information external to SASL to determine whether the client can validly authenticate as the author...
  - 32.2 Configuring Certificate Authentication Method by Using Fusion Middleware Control
  - 32.3 Configuring SASL Authentication by Using Fusion Middleware Control
    - 1. Select Administration, then Server Properties from the Oracle Internet Directory menu, then select SASL.
    - 2. Select the desired types for MD5 SASL Authentication Mode.
    - 3. If you select Authentication with Integrity and Privacy Protection, you are presented with choices for SASL Cipher Choice for...
    - 4. If desired, select Enable SASL Authentication. Before enabling SASL Authentication, ensure that Oracle Internet Directory is configured to perform mutual authentication. See Section 26.2, "Configuring SSL by Using Fusion Middleware Control."
    - 5. Choose Apply.
      - Table 32-1 Configuration Attributes on Server Properties, SASL Tab
  - 32.4 Configuring Certificate Authentication Method by Using Command-Line Tools
  - 32.5 Configuring SASL Authentication by Using the Command Line
    - Table 32-2 SASL Authentication Attributes
    - Table 32-3 SASL Authentication Modes
  - 32.6 Introduction to Anonymous Binds
    - Table 32-4 Orclanonymousbindsflag Value and Directory Server Behavior
  - 32.7 Managing Anonymous Binds
    - 32.7.1 Managing Anonymous Binds by Using Fusion Middleware Control
    - 32.7.2 Managing Anonymous Binds by Using the Command Line
      - Part IV Advanced Administration: Managing Directory Deployment
      - 33 Planning, Deploying and Managing Realms
  - 33.1 Introduction to Planning, Deploying and Managing Realms
    - 33.1.1 Planning the Identity Management Realm
      - Figure 33-1 Example of an Identity Management Realm
    - 33.1.2 Identity Management Realms in an Enterprise Deployment
      - 33.1.2.1 Single Identity Management Realm in the Enterprise
        Figure 33-2 Enterprise Use Case: Single Identity Management Realm
      - 33.1.2.2 Multiple Identity Management Realms in the Enterprise
        Figure 33-3 Enterprise Use Case: Multiple Identity Management Realms
    - 33.1.3 Identity Management Realms in a Hosted Deployment
      - Figure 33-4 Hosted Deployment Use Case
    - 33.1.4 Identity Management Realm Implementation in Oracle Internet Directory
      - Table 33-1 Oracle Identity Management Objects
    - 33.1.5 Default Directory Information Tree and the Identity Management Realm
      - Figure 33-5 Default Identity Management Realm
  - 33.2 Customizing the Default Identity Management Realm
    - Table 33-2 Customizing the Default Identity Management Realm
    - Use Case 1:
    - Use Case 2:
    - Use Case 3:
    - Use Case 4:
    - Use Case 5:
    - 33.2.1 Steps to Update the Existing User and Group Search Base
    - 33.2.2 Set up an Additional Search Base
    - 33.2.3 Refresh Oracle Single Sign-On
    - 33.2.4 Reconfigure Provisioning Profiles
  - 33.3 Creating Additional Identity Management Realms for Hosted Deployments
    - 34 Tuning and Sizing Oracle Internet Directory
    - 35 Managing Garbage Collection
  - 35.1 Introduction to Managing Garbage Collection
    - 35.1.1 Components of the Oracle Internet Directory Garbage Collection Framework
      - 35.1.1.1 Garbage Collection Plug-in
      - 35.1.1.2 Background Database Processes
        35.1.1.2.1 Garbage Collectors
        35.1.1.2.2 Predefined Garbage Collectors
        35.1.1.2.3 Oracle Internet Directory Statistics Collector
    - 35.1.2 How Oracle Internet Directory Garbage Collection Works
      - Figure 35-1 Example: Garbage Collection of Change Log Entries
        1. An LDAP client sends to the directory server a request for a particular garbage collection operation. The operation could be, for example, to purge the entries of tombstone or, change logs.
        2. The directory server passes the request to the garbage collection plug-in.
        3. The garbage collection plug-in sends the request to the garbage collection engine in the Oracle Internet Directory-designated database.
        4. The garbage collection engine triggers the corresponding background database process-in this case, the change log garbage collector. The background database process runs according to the parameters specified in its configuration.
    - 35.1.3 Garbage Collector Entries and the Oracle Internet Directory Statistics Collector Entry
      - Figure 35-2 Garbage Collection Entries in the DIT
    - 35.1.4 Change Log Purging
  - 35.2 Set Oracle Database Time Zone for Garbage Collection
    - 1. Invoke PL/SQL:
    - 2. Perform a query to get the value of dbtimezone:
    - 3. Perform a query to get the displacement from Coordinated Universal Time (UTC):
    - 4. If the dbtimezone parameter is equal to last column value of the systimestamp output, you do not need to perform the remaining steps. Otherwise, proceed to Step 5.
    - 5. Stop all instances of Oracle Internet Directory that are using the Oracle Database, as described in Chapter 8, "Managing Oracle Internet Directory Instances."
    - 6. Set the dbtimezone parameter, using the value you got from the last column the systimestamp query:
    - 7. Shut down the Oracle Database:
    - 8. Restart the Oracle Database:
    - 9. Restart Oracle Internet Directory as described in Chapter 8, "Managing Oracle Internet Directory Instances."
  - 35.3 Modifying Oracle Internet Directory Garbage Collectors
    - 35.3.1 Modifying a Garbage Collector by Using Oracle Directory Services Manager
    - 35.3.2 Modifying a Garbage Collector by Using Command-Line Tools
      - 35.3.2.1 Example 1: Modifying a Garbage Collector
      - 35.3.2.2 Example 2: Disabling a Garbage Collector Change Log
    - 35.3.3 Modifying the Oracle Internet Directory Statistics Collector
  - 35.4 Managing Logging for Oracle Internet Directory Garbage Collectors
    - 35.4.1 Enabling Logging for Oracle Internet Directory Garbage Collectors
    - 35.4.2 Disabling Logging for Oracle Internet Directory Garbage Collectors
    - 35.4.3 Monitoring Garbage Collection Logging
  - 35.5 Configuring Time-Based Change Log Purging
    - 36 Migrating Data from Other Data Repositories
  - 36.1 Introduction to Migrating Data from Other Data Repositories
  - 36.2 Migrating Data from LDAP-Compliant Directories
    - Table 36-1 Features of bulkload and syncProfileBootstrap
    - 36.2.1 Migrating LDAP Data by Using an LDIF File and bulkload
    - 36.2.2 Migrating LDAP Data by Using syncProfileBootstrap Directly
      - Figure 36-2 Using syncProfileBootstrap Directly
    - 36.2.3 Migrating LDAP Data by Using an LDIF File and syncProfileBootstrap
      - Figure 36-3 Using an LDIF File and syncProfileBootstrap
    - 36.2.4 Migrating LDAP Data by Using syncProfileBootstrap, bulkload, and LDIF Files
      - Figure 36-4 Using syncProfileBootstrap, bulkload, and LDIF Files
    - 36.2.5 Migrating LDAP Data by Using the Oracle Directory Integration Platform Server
      - Figure 36-5 Using the Oracle Directory Integration Server
  - 36.3 Migrating User Data from Application-Specific Repositories
    - 36.3.1 The Intermediate Template File
    - 36.3.2 Reconciling Data in Application Repository with Data Already in the Directory
    - 36.3.3 Tasks For Migrating Data from Application-Specific Repositories
      - 36.3.3.1 Task 1: Create an Intermediate Template File
        Figure 36-6 Structure of the Intermediate User File
        36.3.3.1.1 Example: User Entries in an Intermediate Template File
        36.3.3.1.2 Attributes in User Entries
        Table 36-2 Mandatory Attributes in a User Entry
      - 36.3.3.2 Task 2: Run the OID Migration Tool
        37 Configuring Server Chaining
  - 37.1 Introduction to Configuring Server Chaining
    - 37.1.1 Supported External Servers
    - 37.1.2 Integrated Oracle Products
      - 37.1.2.1 Oracle Single Sign-On
      - 37.1.2.2 Enterprise User Security
    - 37.1.3 Supported Operations
    - 37.1.4 Server Chaining with Replication
  - 37.2 Configuring Server Chaining
    - 37.2.1 Configuring Server Chaining by Using Oracle Directory Services Manager
    - 37.2.2 Configuring Server Chaining from the Command Line
  - 37.3 Creating Server Chaining Configuration Entries
    - 37.3.1 Configuration Entry Attributes
      - Table 37-1 Configuration Entry Attributes for Server Chaining
    - 37.3.2 Requirements for User and Group Containers
    - 37.3.3 Attribute Mapping
    - 37.3.4 Active Directory Example
    - 37.3.5 Active Directory with SSL Example
    - 37.3.6 Active Directory with New Attributes Example
    - 37.3.7 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) Example
    - 37.3.8 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server (iPlanet) with SSL Example
    - 37.3.9 eDirectory Example
    - 37.3.10 eDirectory with SSL Example
  - 37.4 Debugging Server Chaining
    - 1. Set the Oracle Internet Directory server debug logging level, as described in Section 23.2, "Managing Logging by Using Fusion...
    - 2. Modify the Oracle Internet Directory server chaining debugging settings. For both cn=oidscad,cn=oid server chaining,cn=subconfigsubentry and cn=oidsciplanet,cn=oid server chaining, cn=subconfigsubentry. set the attribute orcloidscDebugEnabled to 1.
  - 37.5 Configuring an Active Directory Plug-in for Password Change Notification
    - 1. In Active Directory, create an attribute called orclCommonAttribute to store the hash password. Use a command line such as:
    - 2. Associate the attribute with the user objectclass. Use a command line such as:
    - 3. Install the password change notification plug-in, as follows:
    - 4. Reset the password for all the Active Directory users so that the password verifier is present for all the users.
    - 38 Managing DIT Masking
  - 38.1 Configuring Masking
    - Table 38-1 Masking Configuration Attributes
  - 38.2 Masking Examples
    - 38.2.1 Restricting Access by Container Name
    - 38.2.2 Restricting Access by Entry Data
      - Part V Advanced Administration: Directory Replication
      - 39 Setting Up Replication
  - 39.1 Introduction to Setting Up Replication
    - 39.1.1 Replication Transport Mechanisms
    - 39.1.2 Replication Setup Methods
    - 39.1.3 Bootstrap Rules
    - 39.1.4 The Replication Agreement
    - 39.1.5 Other Replication Configuration Attributes
    - 39.1.6 Replication Process and Architecture
    - 39.1.7 Rules for Configuring LDAP-Based Replication
    - 39.1.8 Replication Security
      - 39.1.8.1 Authentication and the Directory Replication Server
      - 39.1.8.2 Secure Sockets Layer (SSL) and Oracle Internet Directory Replication
    - 39.1.9 LDAP Replication Filtering for Partial Replication
  - 39.2 Converting an Advanced Replication-Based Agreement to an LDAP-Based Agreement
  - 39.3 Setting Up an LDAP-Based Replication Agreement by Using the Replication Wizard
    - 1. From the Oracle Internet Directory menu on the home page, select Administration, then Replication Management.
    - 2. You are prompted to log into the replication DN account. Provide the host, port, replication DN, and replication DN password....
    - 3. Click the Create icon.
    - 4. On the Type screen, select the replication type: One Way Replication, Two Way Replication, or Multimaster Replication.
    - 5. Click Next. The Replicas screen displays the replication type you selected.
    - 6. Provide an agreement name. This must be unique across all the nodes.
    - 7. For one way or two way replication, enter the host, port, user name (replication DN), and replication password for the consumer node. Fields for the supplier node are populated and greyed out.
    - 8. Click Next to go the Settings page.
    - 9. In the LDAP Connection field, select Keep Alive if you want the replication server to use same connection for performing mult...
    - 10. Enter the Replication Frequency.
    - 11. Enter the Human Intervention Queue Schedule. This is the interval, in seconds, at which the directory replication server repeats the change application process.
    - 12. If you have specified Two Way Replication or Multimaster Replication as the agreement type, the settings page contains a sec...
    - 13. Click Next to go to the Scope page. The default primary naming context is filled in.
    - 14. To exclude a secondary naming context within the default primary naming context, select the primary naming context and click the Create button. Then proceed to Step 16.
    - 15. To create another primary naming context, click the Create Primary Naming Context button. This invokes the Primary Naming Context dialog.
    - 16. To exclude a secondary naming context, click the Add icon below the Excluded Secondary Naming Contexts field. This invokes t...
    - 17. To exclude an attribute, click the Add icon below the ExcludedAttributes field. This invokes the Select Excluded Attributes screen. Select the attributes you want to exclude and click OK. The attribute now appears in the Excluded Attributes field.
    - 18. Click OK. The primary naming context is now listed on the Scope page.
    - 19. Click Next. The Summary page displays a summary of the replication agreement you are about to create.
    - 20. Click Finish to create the replication agreement.
  - 39.4 Testing Replication by Using Oracle Directory Services Manager
    - 1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
    - 2. From the task selection bar, select Data Browser.
    - 3. Create a single entry on the MDS node, as described in Section 13.2.6, "Adding a New Entry by Using Oracle Directory Services Manager."
  - 39.5 Setting Up an LDAP-Based Replication by Using the Command Line
    - 39.5.1 Copying Your LDAP Data by Using ldifwrite and bulkload
    - 39.5.2 Setting Up an LDAP-Based Replica with Customized Settings
    - 39.5.3 Password Policy and Fan-out Replication
      - Table 39-2 Command-line Parameters to OIDUpgradePasswordPolicies
    - 39.5.4 Deleting an LDAP-Based Replica
      - 39.5.4.1 Task 1: Stop the Directory Replication Server on the Node to be Deleted
      - 39.5.4.2 Task 2: Delete the Replica from the Replication Group
  - 39.6 Setting Up a Multimaster Replication Group with Fan-Out
    - Table 39-3 Nodes in Example of Partial Replication Deployment
    - Figure 39-11 Example of Fan-Out Replication
    - Task 1: Set up the Multimaster Replication Group for Node1 and Node2
    - Task 2: Configure the Replication Agreement
      - 1. Edit the example file mod.ldif as follows:
      - 2. Use ldapmodify to update the replication agreement orclExcludedNamingcontexts attribute at both Node1 and Node2. To do this, enter:
    - Task 3: Start the Replication Servers on Node1 and Node2
    - Task 4: Test the Directory Replication Between Node1 and Node2.
    - Task 5: Install and Configure Node3 as a Partial Replica of Node2
    - Task 6: Customize the Partial Replication Agreement
      - a. Edit the example file mod.ldif as follows:
      - b. Use ldapadd to add the partial replication naming context object at both Node2 and Node3.
    - Task 7: Start the Replication Servers on All Nodes in the DRG
    - Task 8: Install and Configure Node4 as a Full Replica of Node2
    - Task 9: Test the Replication from Node2 to Node4
    - Task 10: Install and Configure Node5 as a Two-Way Replica of Node1
    - Task 11: Test the Two-Way Replication Between Node1 and Node5
      - 40 Setting Up Replication Failover
  - 40.1 Introduction to Replication Failover
    - Figure 40-1 Replication Failover Scenario
    - Figure 40-2 Consumer and New Supplier Connected to Old Supplier by LDAP
    - Figure 40-3 Old and New Suppliers in the Same Advanced Replication Group
    - 40.1.1 Limitations and Warnings for Replication Failover
      - Figure 40-4 Failover Preserving Replica Type
      - Figure 40-5 Compare and Reconcile All Connected Replicas
    - 40.1.2 Determining Which Type of Replication Failover to Use
  - 40.2 Performing a Stateless Replication Failover
    - 40.2.1 Task 1: Stop all Directory Replication Server on related Nodes
    - 40.2.2 Task 2: Break Old Replication Agreement and Set up New Agreement
    - 40.2.3 Task 3: Save Last Change Number
    - 40.2.4 Task 4: Compare and Reconcile New Supplier and Consumer
    - 40.2.5 Task 5: Update Last Applied Change Number of New Agreement
      - 1. Create an LDIF file with the last change number you retrieved in "Task 3: Save Last Change Number".
      - 2. Modify the agreement by using ldapmodify, as follows:
    - 40.2.6 Task 6: Clean Up Old Agreement on Old Supplier
    - 40.2.7 Task 7: Start All Directory Replication Server on related Nodes
  - 40.3 Performing a Time-Based Replication Failover
    - 40.3.1 Task 1: Configure Change Log Garbage Collection Object on New Supplier
      - 1. Create an LDIF file similar to this:
      - 2. Apply the LDIF file by typing:
    - 40.3.2 Task 2: Save Last Change Number from New Supplier
    - 40.3.3 Task 3: Enable Change Log Regeneration on New Supplier
      - 1. Create an LDIF file like this:
      - 2. Apply the LDIF file by typing:
    - 40.3.4 Task 4: Wait for the Desired Time Period to Elapse
    - 40.3.5 Task 5: Stop all Directory Replication Servers on Related Nodes
    - 40.3.6 Task 6: Break Old Replication Agreement and Set Up New Agreement
    - 40.3.7 Task 7: Update Last Applied Change Number of New Agreement
      - 1. Create an LDIF file with the retrieved last applied change number, similar to this:
      - 2. Apply the LDIF file to the agreement by using ldapmodify:
    - 40.3.8 Task 8: Clean Up Old Agreement on Old Supplier
    - 40.3.9 Task 9: Start All Directory Replication Servers on Related Nodes
      - 41 Managing Replication Configuration Attributes
  - 41.1 Introduction to Replication Configuration Attributes
    - 41.1.1 The Replication Configuration Container
    - 41.1.2 The Replica Subentry
      - Table 41-1 Attributes of the Replica Subentry
    - 41.1.3 The Replication Agreement Entry
    - 41.1.4 The Replication Naming Context Container Entry
    - 41.1.5 The Replication Naming Context Object Entry
      - Table 41-3 Attributes of the Replication Naming Context Entry
    - 41.1.6 The Replication Configuration Set
      - Table 41-4 Replication Configuration Set Attributes
    - 41.1.7 Examples of Replication Configuration Objects in the Directory
  - 41.2 Configuring Replication Configuration Attributes by Using Fusion Middleware Control
    - 41.2.1 Configuring Attributes on the Shared Properties, Replication Tab
      - Table 41-5 Configuration Attributes on Shared Properties, Replication Tab
    - 41.2.2 Configuring Replication Wizard Parameters
      - Table 41-6 Replication Schedule Attributes
  - 41.3 Managing Replication Configuration Attributes From the Command Line
    - 42 Managing and Monitoring Replication
  - 42.1 Introduction to Managing and Monitoring Replication
    - 42.1.1 Modifying What Is to Be Replicated in LDAP-Based Partial Replication
    - 42.1.2 Managing Worker Threads
      - Table 42-1 Configuration Attributes Controlling Worker Threads
    - 42.1.3 Change Logs in Directory Replication
    - 42.1.4 The Human Intervention Queue
    - 42.1.5 Pilot Mode
    - 42.1.6 Conflict Resolution in Oracle Replication
  - 42.2 Managing and Monitoring Replication by Using ODSM and Fusion Middleware Control
    - 42.2.1 Enabling or Disabling Change Log Generation by Using Fusion Middleware Control
    - 42.2.2 Viewing the Local Change Logs by Using Oracle Directory Services Manager
    - 42.2.3 Viewing and Modifying Replica Naming Context Objects
    - 42.2.4 Viewing or Modifying a Replication Setup by Using the Replication Wizard
    - 42.2.5 Deleting an LDAP-Based Replication Agreement by Using the Replication Wizard
    - 42.2.6 Configure Replication Attributes by Using Fusion Middleware Control
      - Table 42-4 Replication Configset Attributes on Shared Properties, Replication Tab
    - 42.2.7 Activating or Inactivating a Replication Server by Using Fusion Middleware Control
    - 42.2.8 Configuring the Replication Debug Level by Using Fusion Middleware Control
    - 42.2.9 Configuring Replica Details by Using Fusion Middleware Control
      - Table 42-6 Replica Details on Shared Properties, Replication Tab
    - 42.2.10 Viewing Queue Statistics by Using Fusion Middleware Control
    - 42.2.11 Managing Changelog Processing by Using Fusion Middleware Control
    - 42.2.12 Monitoring Conflict Resolution Messages by Using Fusion Middleware Control
  - 42.3 Managing and Monitoring Replication by Using the Command Line
    - 42.3.1 Enabling and Disabling Change Log Generation by Using the Command Line
    - 42.3.2 Viewing Change Logs by Using ldapsearch
      - Table 42-7 Important Attributes in the Change Log
    - 42.3.3 Configuring Attributes of the Replica Subentry by Using ldapmodify
      - Table 42-8 Replica Subentry Attributes
    - 42.3.4 Specifying Pilot Mode for a Replica by Using remtool
    - 42.3.5 Configuring Replication Agreement Attributes by Using ldapmodify
      - Table 42-9 Replication Agreement Options
    - 42.3.6 Modifying Replica Naming Context Object Parameters by Using ldapmodify
    - 42.3.7 Configuring Attributes of the Replication Configuration Set by Using ldapmodify
      - Table 42-10 Replication Configuration Attributes
      - Table 42-11 Replication Debug Levels
    - 42.3.8 Monitoring Conflict Resolution Messages by Using the Command Line
      - Table 42-12 Conflict Resolution Messages
    - 42.3.9 Managing the Human Intervention Queue
    - 42.3.10 Monitoring Replication Progress in a Directory Replication Group by Using remtool -pthput
      - Example Output
    - 42.3.11 Viewing Queue Statistics and Verifying Replication by Using remtool
    - 42.3.12 Managing the Number of Entries the Human Intervention Queue Tools Can Process
    - 42.3.13 Changing the Replication Administrator's Password for Advanced Replication
  - 42.4 Comparing and Reconciling Inconsistent Data by Using oidcmprec
    - 1. Set the supplier and the consumer to read-only mode. Use one of the procedures in"Changing Server Mode" on page 15-3.
    - 2. Ensure that the supplier and the consumer are in a tranquil state-that is, that neither is supplying or applying changes. If they are not in a tranquil state, then wait until they have finished updating.
    - 3. Identify the inconsistent entries or subtree on the consumer.
    - 4. Use the Oracle Internet Directory Comparison and Reconciliation Tool to fix the inconsistent entries or subtree on the consumer.
    - 5. Set the participating supplier and consumer back to read/write mode.
    - 42.4.1 Conflict Scenarios
    - 42.4.2 Operations Supported by oidcmprec
    - 42.4.3 Output from oidcmprec
    - 42.4.4 How oidcmprec Works
    - 42.4.5 Setting the Source and Destination Directories
    - 42.4.6 Selecting the DIT for the Operation
    - 42.4.7 Selecting the Attributes for the Operation
    - 42.4.8 Controlling Change Log Generation
    - 42.4.9 Using a Text or XML Parameter File
    - 42.4.10 Including Directory Schema
    - 42.4.11 Overriding Predefined Conflict Resolution Rules
    - 42.4.12 Using the User-Defined Compare and Reconcile Operation
    - 42.4.13 Known Limitations of the oidcmprec Tool
      - Part VI Advanced Administration: Directory Plug-ins
      - 43 Configuring a Customized Password Policy Plug-In
  - 43.1 Introduction to Configuring a Customized Password Policy Plug-in
    - 1. The client sends the directory server either an ldapadd or ldapmodify request.
    - 2. Before the directory server makes the addition or modification, it passes the password value to the plug-in.
    - 3. The plug-in
    - 4. If the password meets the specification, then the plug-in notifies the directory server accordingly, and the directory server makes the addition or modification.
  - 43.2 Installing, Configuring, and Enabling a Customized Password Policy Plug-in
    - 43.2.1 Loading and Registering the PL/SQL Program
      - 1. Load the plug-in package into the database. In this example, we enter:
      - 2. Register the plug-in. This example uses a file named pluginreg.dat, which contains the following:
    - 43.2.2 Coding the Password Policy Plug-in
    - 43.2.3 Debugging the Password Policy Plug-in
    - 43.2.4 Contents of Sample PL/SQL Package pluginpkg.sql
      - 44 Developing Plug-ins for the Oracle Internet Directory Server
  - 44.1 Introduction to Developing Plug-ins for the Oracle Internet Directory Server
    - Figure 44-1 Oracle Internet Directory Plug-in Framework
    - 44.1.1 Passing Options to the JVM
    - 44.1.2 Supported Languages for Server Plug-ins
    - 44.1.3 Server Plug-in Prerequisites
    - 44.1.4 Server Plug-in Benefits
    - 44.1.5 Guidelines for Designing Plug-ins
    - 44.1.6 The Server Plug-in Framework
    - 44.1.7 LDAP Operations and Timings Supported by the Directory
    - 44.1.8 Using Plug-ins in a Replication Environment
  - 44.2 Creating a Plug-in
    - 1. Write a user-defined plug-in procedure in PL/SQL or Java.
    - 2. Compile the plug-in module.
    - 3. Register the plug-in module through the configuration entry interface by using either the command line or Oracle Directory Services Manager.
  - 44.3 Registering a Plug-in From the Command Line
    - 44.3.1 Creating a Plug-in Configuration Entry
      - Table 44-1 Plug-in Configuration Objects and Attributes
    - 44.3.2 Adding a Plug-in Configuration Entry by Using Command-Line Tools
  - 44.4 Managing Plug-ins by Using Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control
    - 1. Section 44.4.1, "Creating a New Plug-in by Using Oracle Directory Services Manager"
    - 2. Section 44.4.2, "Registering a Plug-in by Using Oracle Directory Services Manager"
    - 3. Section 44.4.3, "Editing a Plug-in by Using Oracle Directory Services Manager"
    - 4. Section 44.4.4, "Deleting a Plug-in by Using Oracle Directory Services Manager"
    - 5. Section 44.4.5, "Managing JVM Options by Using Oracle Enterprise Manager Fusion Middleware Control"
    - 44.4.1 Creating a New Plug-in by Using Oracle Directory Services Manager
    - 44.4.2 Registering a Plug-in by Using Oracle Directory Services Manager
    - 44.4.3 Editing a Plug-in by Using Oracle Directory Services Manager
    - 44.4.4 Deleting a Plug-in by Using Oracle Directory Services Manager
    - 44.4.5 Managing JVM Options by Using Oracle Enterprise Manager Fusion Middleware Control
      - 45 Configuring a Customized External Authentication Plug-in
  - 45.1 Introduction to Configuring a Customized External Authentication Plug-in
  - 45.2 Installing, Configuring, and Enabling the External Authentication Plug-in
    - 1. Implement your standalone external authentication PL/SQL program. For example, if you want to authenticate users by using user names and passwords, then you should have a PL/SQL program which takes these two parameters.
    - 2. Integrate this standalone program into the plug-in modules.
    - 3. Load the plug-in package into database. In this example, we enter:
    - 4. Register the plug-ins. Do this by creating and uploading an LDIF file that provides the directory server with the necessary information to invoke the plug-in.
    - 5. This example uses a file named oidexauth.ldif, which contains the following:
  - 45.3 Debugging the External Authentication Plug-in
  - 45.4 Creating the PL/SQL Package oidexaup.sql
    - Part VII Appendixes
    - A Differences Between 10g and 11g
  - A.1 Instance Creation and Process Management
    - 10g Oracle Internet Directory Instance Creation
    - 11g Oracle Internet Directory Instance Creation
    - 11g Replication Server
    - 11g OIDMON
  - A.2 Locations of Configuration Attributes
    - Table A-1 New Locations of 10g Attributes
  - A.3 Default Ports
  - A.4 Enabling Server Debugging
  - A.5 Command Line Tools
  - A.6 Path Names
    - Table A-2 Some Path Names that Changed
  - A.7 Graphical User Interfaces
  - A.8 Audit
  - A.9 Referential Integrity
  - A.10 Server Chaining
  - A.11 Replication
  - A.12 Oracle Directory Integration Platform
  - A.13 Oracle Single Sign-On and Oracle Delegated Administration Services
  - A.14 Java Containers
    - B Managing Oracle Internet Directory Instances by Using OIDCTL
  - B.1 Introduction to Managing Oracle Internet Directory by Using OIDCTL
    - Figure B-1 A Component with Two Instances
  - B.2 Creating and Starting an Oracle Internet Directory Server Instance by Using OIDCTL
  - B.3 Stopping an Oracle Internet Directory Server Instance by Using OIDCTL
  - B.4 Starting an Oracle Internet Directory Server Instance by Using OIDCTL
  - B.5 Viewing Status Information by Using OIDCTL
  - B.6 Deleting an Oracle Internet Directory Server Instance by Using OIDCTL
    - C Setting Up Oracle Database Advanced Replication-Based Replication
  - C.1 Introduction to Setting up Oracle Database Advanced Replication-Based Replication
    - C.1.1 Database Version Compatibility
    - C.1.2 Advanced Replication Filtering for Partial Replication
      - C.1.2.1 Excluded Naming Contexts
        Figure C-1 Example of a Naming Context Container and Its Objects
      - C.1.2.2 Rules for Advanced Replication Filtering.
  - C.2 Setting Up Advanced Replication-Based Replication
    - C.2.1 Rules for Setting Up Advanced Replication
    - C.2.2 Setting Up an Advanced Replication-Based Multimaster Replication Group
    - C.2.3 Adding a Node for Advanced Replication-Based Multimaster Replication
    - C.2.4 Deleting a Node from a Multimaster Replication Group
  - D.1 Features of Oracle Database Advanced Replication-Based Replication
  - D.2 Architecture for Oracle Database Advanced Replication-Based Replication
    - Figure D-1 Advanced Replication Process
  - D.3 Architecture of LDAP-Based Replication
    - Figure D-2 LDAP Replication Process
  - D.4 LDAP Replica States
    - Table D-1 LDAP Replica States
  - D.5 The Replication Process
    - D.5.1 How the Multimaster Replication Process Adds a New Entry to a Consumer
      - 1. The directory replication server looks in the consumer for the DN of the parent of the target entry. Specifically, it does this by looking for a global unique identifier (GUID) assigned to the DN of the parent.
      - 2. If the parent entry exists, then the directory replication server composes a DN for the new entry and places the new entry under its parent in the consumer. It then places the change entry in the purge queue.
    - D.5.2 How the Multimaster Replication Process Deletes an Entry
      - 1. The directory replication server looks in the consumer for an entry with a GUID matching the one in the change entry.
      - 2. If the matching entry exists in the consumer, then the directory replication server deletes it. It then places the change entry in the purge queue.
    - D.5.3 How the Multimaster Replication Process Modifies an Entry
    - D.5.4 How the Multimaster Replication Process Modifies a Relative Distinguished Name
      - 1. The directory replication server looks in the consumer for the DN with a GUID that matches the GUID in the change entry.
      - 2. If the matching entry exists in the consumer, then the directory replication server modifies the RDN of that entry and places the change entry in the purge queue.
    - D.5.5 How the Multimaster Replication Process Modifies a Distinguished Name
  - E.1 Advantages of Java Plug-ins
  - E.2 Setting Up a Java Plug-in
    - 1. Create the standalone Java program using the pre-defined class definition and methods. You can implement the plug-in as a jar file or as a package.
    - 2. Compile the plug-in file or package. Before compiling, ensure that your CLASSPATH is set to $ORACLE_HOME/ldap/jlib/ospf.jar. Make sure the compilation completes without error.
    - 3. Place the class file, jar, or package in the pre-defined class location $ORACLE_ HOME/ldap/server/plugin.
    - 4. Register the Java plug-in by adding the plug-in configuration entry.
      - Table E-1 Plug-in Names and Corresponding Paths
  - E.3 Java Plug-in API
    - E.3.1 Communication Between the Server and Plug-in
      - Figure E-1 Communication Between the Server and the Java Plug-in
    - E.3.2 Java Plug-in Structure
    - E.3.3 PluginDetail
    - E.3.4 PluginResult
    - E.3.5 ServerPlugin Interface
  - E.4 Java Plug-in Error and Exception Handling
    - E.4.1 Run-time Exception Example
    - E.4.2 Run-time Error Example
    - E.4.3 PluginException Example
  - E.5 Java Plug-in Debugging and Logging
    - Table E-16 Debug Levels for Java Plug-in Logging
  - E.6 Java Plug-in Examples
    - E.6.1 Example 1: Password Validation Plug-in
      - E.6.1.1 Password Validation Plug-in Configuration Entry
      - E.6.1.2 Password Validation Plug-in Code Example
    - E.6.2 Example 2: External Authentication Plug-in for Active Directory
      - E.6.2.1 External Authentication Plug-in Configuration Entry
      - E.6.2.2 External Authentication Plug-in Code
        F PL/SQL Server Plug-in Developer's Reference
  - F.1 Designing, Creating, and Using PL/SQL Server Plug-ins
    - F.1.1 PL/SQLPlug-in Caveats
      - F.1.1.1 Types of PL/SQL Plug-in Operations
      - F.1.1.2 Naming PL/SQL Plug-ins
    - F.1.2 Creating PL/SQLPlug-ins
      - F.1.2.1 Package Specifications for Plug-in Module Interfaces
        Table F-1 Plug-in Module Interface
        Table F-2 Operation-Based and Attribute-Based Plug-in Procedure Signatures
    - F.1.3 Compiling PL/SQLPlug-ins
    - F.1.4 Managing PL/SQL Plug-ins
      - F.1.4.1 Modifying Plug-ins
      - F.1.4.2 Debugging Plug-ins
    - F.1.5 Enabling and Disabling PL/SQL Plug-ins
    - F.1.6 Exception Handling in a PL/SQL Plug-in
      - F.1.6.1 Error Handling
        Table F-3 Valid Values for the plug-in Return Code
      - F.1.6.2 Program Control Handling between Oracle Internet Directory and Plug-ins
        Table F-4 Program Control Handling when a Plug-in Exception Occurs
        Table F-5 Program Control Handling when an LDAP Operation Fails
    - F.1.7 PL/SQL Plug-in LDAP API
    - F.1.8 PL/SQL Plug-in and Database Tools
    - F.1.9 PL/SQL Plug-in Security
    - F.1.10 PL/SQL Plug-in Debugging
    - F.1.11 PL/SQL Plug-in LDAP API Specifications
    - F.1.12 Database Limitations
  - F.2 Examples of PL/SQL Plug-ins
    - F.2.1 Example 1: Search Query Logging
    - F.2.2 Example 2: Synchronizing Two DITs
  - F.3 Binary Support in the PL/SQLPlug-in Framework
    - F.3.1 Binary Operations with ldapmodify
    - F.3.2 Binary Operations with ldapadd
    - F.3.3 Binary Operations with ldapcompare
  - F.4 Database Object Types Defined
  - F.5 Specifications for PL/SQL Plug-in Procedures
    - G The LDAP Filter Definition
    - H The Access Control Directive Format
  - H.1 Schema for orclACI
  - H.2 Schema for orclEntryLevelACI
    - I Globalization Support in the Directory
  - I.1 About Character Sets and the Directory
    - I.1.1 About Unicode
      - Table I-1 Unicode Implementations
    - I.1.2 About Oracle and UTF-8
    - I.1.3 Migration from UTF8 to AL32UTF8 when Upgrading Oracle Internet Directory
      - 1. Run the character set scanner (CSSCAN) to ensure that there are no invalid UTF8 characters inside your current database.
      - 2. Run the CSALTER script to update the database to AL32UTF8.
  - I.2 The NLS_LANG Environment Variable
    - Table I-2 Components of the NLS_LANG Parameter
  - I.3 Using Non-AL32UTF8 Databases
  - I.4 Using Globalization Support with LDIF Files
    - I.4.1 An LDIF file Containing Only ASCII Strings
    - I.4.2 An LDIF file Containing UTF-8 Encoded Strings
  - I.5 Using Globalization Support with Command-Line LDAP Tools
    - I.5.1 Specifying the -E Argument When Using Each Tool
    - I.5.2 Examples: Using the -E Argument with Command-Line LDAP Tools
      - Table I-3 Examples: Using the -E Argument with Command-Line Tools
  - I.6 Setting NLS_LANG in the Client Environment
  - I.7 Using Globalization Support with Bulk Tools
    - I.7.1 Using Globalization Support with bulkload
    - I.7.2 Using Globalization Support with ldifwrite
    - I.7.3 Using Globalization Support with bulkdelete
    - I.7.4 Using Globalization Support with bulkmodify
      - J Setting up Access Controls for Creation and Search Bases for Users and Groups
  - J.1 Setting up Access Controls for the User Search Base and the User Creation Base
    - 1. Create an LDIF (user_aci.ldif) file with the following entry:
    - 2. Replace %subscriberdn% with the dn of the subscriber and %usersearch_or_ createbase_dn% with the new value of the container DN where the new user search/create base points to.
    - 3. Run the ldapmodify command as follows:
  - J.2 Setting up Access Controls for the Group Search Base and the Group Creation Base
    - 1. Create an ldif (group_aci.ldif) file with the following entry:
    - 2. Replace %subscriberdn% with the DN of the subscriber and %groupsearch_ or_createbase_dn% with the new value of the container DN where the new group search base or group create base points to.
    - 3. Run the ldapmodify command as follows:
    - K Searching the Directory for User Certificates
  - K.1 Certificate Mapping
    - Adding a Certificate Mapping Rule
    - Deleting a Certificate Mapping Rule
    - Modifying a Certificate Mapping Rule
  - K.2 Search Types
    - L Adding a Directory Node by Using the Database Copy Procedure
  - L.1 Definitions
  - L.2 Prerequisites
    - 1. The operating system, version, and patch level of the new directory site must be the same as that of the sponsor directory site. This procedure might not work if the patch levels of the operating systems differ.
    - 2. Oracle strongly recommends that you back up the sponsor directory's repository before you employ this procedure.
    - 3. Because this procedure involves copying Oracle data files, performance depends on the underlying network. If the underlying n...
    - 4. Only a person familiar with the Oracle database should perform this procedure.
    - 5. If the sponsor site is already a part of an Advanced Replication group, the sponsor node must be the Master definition site (MDS).
  - L.3 Sponsor Directory Site Environment
  - L.4 New Directory Site Environment
  - L.5 Addition of a Directory Node
    - 1. Install the node and check its status, as follows:
      - a. Install Identity Management with the Oracle Internet Directory component on the sponsor node. See Oracle Fusion Middleware Installation Guide for Oracle Identity Management
      - b. To check the status of Oracle Internet Directory, type:
    - 2. Shut down Oracle Internet Directory and all other opmn processes on the sponsor node, as follows:
    - 3. Perform the following steps on the sponsor node.
      - a. At the command line prompt execute the following SQL*Plus commands:
      - b. Shut down the database and Oracle Net Services listener on the sponsor node. By default, the listener name is LISTENER. Type:
      - c. If the copied node is part of an Advanced Replication-based DRG, perform the following steps:
      - d. Rename the trace file created in Step 3a to newdb.sql, under the same directory.
    - 4. On the sponsor node, open newdb.sql in a text editor and delete all the lines except the STARTUP NOMOUNT and CREATE CONTROLFILE statements. After deleting those lines, newdb.sql should look like this:
    - 5. Continue editing the file newdb.sql on the sponsor node, as follows:
      - a. Change the line:
      - b. Modify the UNIX directory location of the database and logfiles to point to the new node site's directory.
    - 6. Copy the initialization parameter file init$ORACLE_SID.ora from the sponsor directory's database to init$ORACLE_SID_NEW_DIR_D...
    - 7. In the new initialization parameter file on the sponsor, make the following changes:
      - a. Comment out the parameter JOB_QUEUE_PROCESSES, if it exists.
      - b. Change the parameter dbname from LDAP to NLDAP.
      - c. If the new site's domain name is different from the sponsor directory's domain name, alter the parameter db_domain also.
      - d. Alter the location of the following parameters to point to the location of the new site.
      - e. In addition to the parameters listed in Step 7d, if your initialization parameter file has any parameters that are node specific, such as DB_RECOVERY_FILE_ DEST and DB_CREATE_FILE_DEST, alter those parameters as well.
    - 8. Edit the tnsnames.ora file to include connection details for the new node. Refer to the following sample file:
    - 9. Create an archive of all the data files and compress the archived file. Be sure to include all the files listed under DATAFILE in newdb.sql.
    - 10. Install Oracle Database on the new node using the software only option. See the Oracle Database Installation Guide for your platform and Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
    - 11. When the software-0nly install on the new node has completed, the following directory exists:
    - 12. Copy the archived file created on the sponsor node in Step 9 to the new node, using FTP or another appropriate tool. Change directory to the database file location on the new node, then use FTP to copy the archived file from rst-sun.
    - 13. If the sponsor node is part of an Advanced replication group, then perform the following steps:
      - a. Copy the initialization parameter file initLDAP.ora from the sponsor node (rst-sun) to the new node under the UNIX directory $ORACLE_HOME/dbs using a tool such as FTP. Rename the file to initNLDAP.ora.
      - b. Using a tool such as FTP, copy the file newdb.sql you created on the sponsor node in Step 5 to the new node. Rename newdb.sql to olddb.sql.
      - c. Make a copy of tnsnames.ora called tnsnames.ora.bk.
      - d. At the shell prompt on the new node, set the ORACLE_BASE, ORACLE_HOME, and ORACLE_SID environment variables. For example (using the C shell):
      - e. In the same shell, execute olddb.sql using SQL*Plus as shown in the following example:
      - f. Start up the database and listener as follows:
      - g. If you have performed a database copy from a node that has Advanced replication configured with another node, you must delete the LDAP_REP replication group in the new node. To do so, execute the following commands:
    - 14. Copy the initialization parameter file initLDAP.ora from the sponsor node (rst-sun) to the new node under the UNIX directory...
    - 15. On the new node, ensure that the following files do not exist in the directory $ORACLE_HOME/dbs on UNIX or ORACLE_HOME\database in Windows:
    - 16. Using FTP or another appropriate tool, copy the file newdb.sql you created on the sponsor node in Step 5 to the new node. For example:
    - 17. At the UNIX shell prompt on the new node, set ORACLE_BASE, ORACLE_ HOME and ORACLE_SID environment variables. For example (using the C shell):
    - 18. In the same UNIX shell, execute newdb.sql using SQL*Plus as shown in the following example:
    - 19. Complete the changes on the new node.
      - a. Start up the database and listener as follows:
      - b. Change the global database name of the new node.
      - c. Add a temporary file to the tablespace using the following command:
    - 20. Configure Oracle Internet Directory on the new node
      - a. Install WebLogic Server. See Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.
      - b. Install Oracle Internet Directory. See Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
      - c. Stop Oracle Internet Directory by using opmnctl.
    - 21. On the new node, delete the wallet files oidpwdlldap1 and oidpwdr* at the new node and reset the ODS password
    - 22. On the new node, reset the password and start the Oracle Internet Directory processes.
    - 23. At this point, Oracle Internet Directory on the new node is up and running. The replicaid value in new Oracle Internet Direc...
      - a. Create a file, chgrid.ldif, with the following contents:
      - b. Using the ldapmodify tool, change the replicaid:
    - 24. Because the replica id of the new node was changed in Step 23, you must re-create the relative replica entries for the new node, as follows:
    - 25. ) In addition to renaming the replica subentry, you must change the orclreplicauri, orclreplicasecondaryuri and orclreplicas...
      - a. Create an LDIF file, modsubentry.ldif, with the following contents:
      - b. Using the ldapmodify tool, apply the changes to the directory:
    - 26. Stop Oracle Internet Directory processes.
    - 27. Clean up the changelog tables at the new node.
    - 28. If the new node is part of an Advanced Replication-based DRG, proceed as follows.
      - a. To configure Oracle Database Advanced Replication, if you are adding new node to an existing DRG, at the shell prompt, execute the following command:
      - b. Start up Oracle Internet Directory and the replication server on all the nodes, including the new node and the sponsor node.
    - 29. If the new node is a full LDAP-based replication replica, configure LDAP-based Replication and add the full replica as fan-out, as follows:
      - a. Make sure that the database and Oracle Internet Directory server is running at the sponsor node.
      - b. Configure LDAP-based replication using remtool, as follows:
      - c. Initialize the replication change status of the new replication agreement.
      - d. Start up Oracle Internet Directory and the replication server on all the nodes. For one-way replication, you only need to start the replication server on the consumer node.
    - M Oracle Authentication Services for Operating Systems
    - N RFCs Supported by Oracle Internet Directory
      - Table N-1 Supported RFCs
    - O Managing Oracle Directory Services Manager's Java Key Store
  - O.1 Introduction to Managing ODSM's Java Key Store
  - O.2 Retrieving ODSM's Java Key Store Password
  - O.3 Listing the Contents of odsm.cer Java Key Store
  - O.4 Deleting Expired Certificates
    - O.4.1 Determining the Expiration Date of a Certificate
    - O.4.2 Deleting a Certificate
      - P Starting and Stopping the Oracle Stack
  - P.1 Starting the Stack
    - 1. Start the Oracle Database
    - 2. Start the Oracle WebLogic Administration Server.
    - 3. Ensure that the Node Manager is running. Normally, the Oracle WebLogic Administration Server starts the Node Manager. If, for some reason, the Node Manager is not running, start it.
    - 4. Start system components, such as Oracle Internet Directory and Oracle Virtual Directory.
    - 5. Start WebLogic managed components, such as Oracle Directory Integration Platform and Oracle Directory Services Manager.
  - P.2 Stopping the Stack
    - 1. Stop WebLogic managed components, such as Oracle Directory Integration Platform and Oracle Directory Services Manager.
    - 2. Stop system components, such as Oracle Internet Directory and Oracle Virtual Directory.
    - 3. Stop the WebLogic Administration Server.
    - 4. If you want to stop the Node Manager, you can use the kill command.
    - 5. Stop the Oracle Database.
    - Q Performing a Rolling Upgrade
  - Q.1 Prerequisites for Rolling Upgrade
  - Q.2 Rolling Upgrade Instructions
    - 1. Stop the replication server on the first node you want to upgrade.
    - 2. Suspend the replication from the first node to each of the other nodes:
    - 3. Validate that replication has been suspended from the first node to all the other nodes in the DRG by running the following ldapsearch command:
    - 4. Stop Oracle Internet Directory on the node you are about to upgrade.
    - 5. Patch the node to Release 11.1.1.4.0. Refer to the instructions in the Oracle Fusion Middleware Patching Guide:
    - 6. Start Oracle Internet Directory on the node you have just upgraded.
    - 7. Because no other nodes have been upgraded yet, do not resume replication between the first node and any other node.
    - 8. Stop the replication server on the second node you want to upgrade.
    - 9. Suspend replication from the second node to each of the nodes that have not been upgraded.
    - 10. Validate that replication has been suspended from the node you are about to upgrade to each node that has not been upgraded, using the same command as in Step 3 against the second node.
    - 11. Stop Oracle Internet Directory on the node you are about to upgrade.
    - 12. Patch the node to Release 11.1.1.4.0 as in Step 5.
    - 13. Start Oracle Internet Directory on the node you have just upgraded.
    - 14. Now two nodes have been upgraded, so resume replication from the first node you upgraded to the second node you upgraded.
    - 15. Validate that replication has been resumed from first upgraded node to the second upgraded nodes in DRG by running the following ldapsearch command:
    - 16. Start replication server on the second upgraded replica.
    - 17. Shut down the replication server on the third node you want to upgrade.
    - 18. Suspend replication from the third node to each node that has not yet been upgraded, if any.
    - 19. Validate that replication has been suspended from the third node to each node that has not been upgraded.
    - 20. Stop Oracle Internet Directory and other processes on the third node to be upgraded.
    - 21. Patch the node to Release 11.1.1.4.0 as in Step 5.
    - 22. Start Oracle Internet Directory on the third node.
    - 23. Resume replication from each node that has already been upgraded to the third node.
    - 24. Validate that replication has been resumed from each upgraded node to the third node.
    - 25. Start replication on the third node
  - Q.3 Rolling Upgrade Example
    - 1. Stop the replication server on Node A.
    - 2. Suspend the replication from:
    - 3. Validate that replication has been suspended from Node A to Node B by running the following ldapsearch command:
    - 4. Stop Oracle Internet Directory and other processes on Node A.
    - 5. Run the PSA on Node A to upgrade it to 11g Release 1 (11.1.1.4.0).
    - 6. Bring up Oracle Internet Directory and the replication server on Node A. Note that there is no node with which Node A should resume replication.
    - 7. Stop the replication server on Node B.
    - 8. Suspend replication from Node B to Node C by executing the following command:
    - 9. Validate that replication has been suspended from Node B to Node C by running the following ldapsearch command:
    - 10. Stop Oracle Internet Directory and other processes on Node B.
    - 11. Run the PSA on Node B to upgrade it to 11g Release 1 (11.1.1.4.0).
    - 12. Bring up Oracle Internet Directory on Node B.
    - 13. Validate that replication has been resumed from Node A to Node B by running the following ldapsearch command:
    - 14. Bring up the replication server on Node B.
    - 15. Shut down the replication server on Node C.
    - 16. There is no other node to be upgraded so there is no need to suspend replication. Stop Oracle Internet Directory and other processes on Node C.
    - 17. Run PSA on Node C to upgrade it to 11g Release 1 (11.1.1.4.0).
    - 18. Bring up Oracle Internet Directory on Node C.
    - 19. Validate that replication has been resumed successfully by performing an ldapsearch on Node A and Node B similar to Step 13. Validate replication:
    - 20. Bring up the replication server on Node C.
    - R Using the Oracle Internet Directory VM Template
  - R.1 Installing Operating System, Oracle Database, and Oracle Internet Directory
    - 1. Install the Oracle VM server as described in Oracle VM Server Installation Guide.
    - 2. Download the VM template files for Oracle Internet Directory, oidhome.tgz and OVM_EL5U2_X86_64_ORACLE11G_PVM_1.tgz, from http://edelivery.oracle.com.
    - 3. Copy the template files to dom0 /OVS/seed_pool.
    - 4. Change to that directory and extract the files, as follows:
    - 5. Change to the directory containing the configuration file vm.cfg.
    - 6. Edit vm.cfg, setting VCPU, Memory, and network (VIF) values appropriately for this VM. Recommendations for sizing and tuning ...
    - 7. Start Oracle VM by typing:
    - 8. By default, Oracle VM starts a VNC server on port 5900. From another window, using a VNC client, connect to the host where Oracle VM is running, at port 5900.
    - 9. You are prompted for installation and configuration information. Provide the information to set up the Oracle 11g database.
    - 10. Log into the host as user root, password ovsroot. Changing the password is recommended.
    - 11. Oracle Internet Directory is now installed in the home directory /oidhome/app/mwhome.
  - R.2 Installing Oracle Internet Directory Template with an Existing Oracle VM that has Oracle Database
    - 1. Download the VM template file oidhome.tgz from http://edelivery.oracle.com.
    - 2. Copy the file to dom0 /OVS/seed_pool.
    - 3. Change to that directory and extract the file, as follows:
    - 4. Change to the directory containing the configuration file vm.cfg. For example:
    - 5. Edit vm.cfg, adding oidhome.img as a disk, as shown in bold:
    - 6. Restart the guest OS by typing:
    - 7. Create the /oidhome directory:
    - 8. Mount the Oracle Internet Directory image:
    - 9. Set the owner and group for the /mntPoint/app directory tree:
    - 10. Run oidRoot.sh:
    - 11. Switch to the user oracle:
    - 12. Set the DISPLAY environment variable.
    - 13. Set the ORACLE_HOME environment variable to: /mntPoint/app/mwhome/Oracle_ IDM1
    - 14. Change to the directory containing config.sh and execute it:
    - 15. You are prompted for information. Provide the information to configure the environment.
  - R.3 Registering Oracle Internet Directory for Oracle Enterprise Manager Fusion Middleware Control and ODSM Management
  - R.4 Using the Oracle Internet Directory OVM image in a Non-OVM Environment
    - 1. Download the VM template file oidhome.tgz from http://edelivery.oracle.com.
    - 2. Extract the file, as follows:
    - 3. Copy oidhome.img to a directory. For example:
    - 4. Switch to root user
    - 5. Create /oidhome.
    - 6. Mount the image. For example:
    - 7. Change to the directory /oidhome and set the owner and group for the /oidhome/app tree:
    - 8. Run oidRoot.sh:
    - 9. Set the DISPLAY environment variable.
    - 10. Set the ORACLE_HOME environment variable to: /oidhome/app/mwhome/Oracle_IDM1
    - 11. Install the Oracle database, as described in the Oracle Database Installation Guide for your platform.
    - 12. Run /oidhome/app/mwhome/Oracle_IDM1/bin/config.sh to configure Oracle Internet Directory.
  - R.5 Default Values
    - S Troubleshooting Oracle Internet Directory
  - S.1 Problems and Solutions
    - S.1.1 Installation Errors
    - S.1.2 Oracle Database Server Errors
      - S.1.2.1 Oracle Database Server Connection is Down
        Problem
        Solution
      - S.1.2.2 Oracle Database Server Error Due to Interrupted Client Connection
        Problem
        Solution
      - S.1.2.3 Oracle Database Server Error Due to Schema Modifications
        Problem
        Solution
    - S.1.3 Directory Server Error Messages and Causes
      - S.1.3.1 Inappropriate Authentication Error
        Problem
        Solution
      - S.1.3.2 Constraint Violation Error Due to Editing a User or Group or Creating a Realm
        Problem
        Solution
      - S.1.3.3 Standard Error Messages Returned from Oracle Directory Server
        Table S-1 Standard Error Messages
      - S.1.3.4 Additional Directory Server Error Messages
        Table S-2 Additional Error Messages
    - S.1.4 Getting a Core Dump and Stack Trace When Oracle Internet Directory Crashes
    - S.1.5 TCP/IP Problems
      - S.1.5.1 Do Not Use TCP-Based Monitoring of Server Availability on Windows 2003 Server
      - S.1.5.2 Do Not Install DaimondCS Port Explorer
    - S.1.6 Troubleshooting Password Policies
      - S.1.6.1 Password Policy is Not Enforced
        Problem
        Solution
      - S.1.6.2 Password Policy Error Messages
        Table S-3 Password Policy Violation Error Messages
    - S.1.7 Troubleshooting Directory Performance
      - S.1.7.1 Poor LDAP Search Performance
        Problem
        Solution
      - S.1.7.2 Poor LDAP Add or Modify Performance
        Problem
        Solution
      - S.1.7.3 Poor Oracle Database Server Performance
        Problem
        Solution
        1. Identify the LDAP operations that are processor-intensive by running:
        2. Tune the database appropriately for this kind of query. See the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
        3. If possible, change the applications's search signature. If that is not possible, tune the Oracle Internet Directory attribute orclinmemfiltprocess. See the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
    - S.1.8 Troubleshooting Port Configuration
    - S.1.9 Troubleshooting Creating Oracle Internet Directory Component with opmnctl
      - Problem
      - Solution
    - S.1.10 Troubleshooting Starting Oracle Internet Directory
      - S.1.10.1 Oracle Internet Directory is Down
        Problem
        Solution
        Problem
        Solution
        1. The oidmon log, ORACLE_ INSTANCE/diagnostics/logs/OID/componentName/oidmon-0000.log contains details as to why oidmon cannot start the oidldapd process. The most common issues are
        2. The Oracle Internet Directory dispatcher log, ORACLE_ INSTANCE/diagnostics/logs/OID/componentName/oidldapd01-0000.l og contains information about why oidldapd server processes fail to start. The most common reasons are:
        3. The Oracle Internet Directory server log, ORACLE_ INSTANCE/diagnostics/logs/OID/componentName/oidldapd01sPID-00 00.log contains information about why the server processes fail to run. Common issues include:
      - S.1.10.2 Oracle Internet Directory is Read-Only
        Problem
        Solution
    - S.1.11 Troubleshooting Starting, Stopping, and Restarting of the Directory Server
      - S.1.11.1 About the Tools for Starting, Stopping, and Restarting the Directory Server Instance
        OIDCTL
        OIDMON
        About the Processes Involved in Starting, Stopping, and Restarting the Directory Server
      - S.1.11.2 Problems Starting, Stopping, and Restarting the Directory Server
        S.1.11.2.1 OIDCTL or OIDMON fails
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
    - S.1.12 Troubleshooting Oracle Internet Directory Replication
      - Bootstrapping Fails
      - S.1.12.1 Replication Server Does Not Start
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        1. Prepare a modification file, mod.ldif. For example, to change to host my.us.example.com and port 4444, you would specify:
        2. Run:
        Problem
        Solution
        Problem
        Solution
      - S.1.12.2 Repository Creation Assistant Error
        Problem
        Solution
      - S.1.12.3 Errors in Replication Bootstrap
        Problem
        Solution
        Problem
        Solution
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
      - S.1.12.4 Changes Are Not Replicated
        Problem
        Solution
        Problem
        Solution
        Problem
        Solution
      - S.1.12.5 Replication Stops Working
        Problem
        Problem
        Solution
    - S.1.13 Troubleshooting Change Log Garbage Collection
      - Problem
      - Solution
      - Problem
      - Solution
      - Problem
      - Solution
      - Solution
    - S.1.14 Troubleshooting Dynamic Password Verifiers
      - Table S-4 Error Messages for Dynamic Password Verifiers
    - S.1.15 Troubleshooting Oracle Internet Directory Password Wallets
      - S.1.15.1 Oracle Internet Directory Server Does Not Start
        Problem
        Solution
        Solution
      - S.1.15.2 Password Not Synchronized
        Problem
        Solution
    - S.1.16 Troubleshooting bulkload
      - Problem
      - Solution
      - Problem
      - Solution
      - Problem
      - Solution
        1. Ensure that the database is restarted properly.
        2. If the bulkload invocation employed only the check="TRUE" or generate="TRUE" options, but not the load="TRUE" option, go to step 3.
        3. Re-issue the bulkload command that failed.
    - S.1.17 Troubleshooting bulkdelete, bulkmodify, and ldifwrite
      - Problem
      - Solution
    - S.1.18 Troubleshooting catalog
      - Problem
      - Solution
      - Problem
      - Solution
    - S.1.19 Troubleshooting remtool
      - Problem
      - Solution
    - S.1.20 Troubleshooting Server Chaining
      - Problem
      - Solution
    - S.1.21 Viewing Version Information
    - S.1.22 Troubleshooting Fusion Middleware Control and WLST
      - Problem
      - Solution
      - Problem
      - Solution
      - Solution
      - Solution
    - S.1.23 Troubleshooting Oracle Directory Services Manager
      - S.1.23.1 Cannot Invoke ODSM from Fusion Middleware Control
        Problem
        Solution
      - S.1.23.2 Cannot Invoke ODSM from Fusion Middleware Control in Multiple NIC and DHCP Enabled Environment
        Problem
        Solution
        1. Using a web browser, access the WebLogic Server Administration Console.
        2. In the left pane of the WebLogic Server Administration Console, click Lock & Edit to edit the server configuration.
        3. In the left pane of the WebLogic Server Administration Console, expand Environment and select Servers.
        4. On the Summary of Servers page, click the link for the WebLogic Managed Server where Oracle Directory Services Manager is deployed.
        5. On the Settings page for the WebLogic Managed Server, update the Listen Address to the host name of the server where Oracle Directory Services Manager is deployed.
        6. Click Save to save the configuration.
        7. Click Activate Changes to update the server configuration.
      - S.1.23.3 Various Failover Issues
        Problem
        1. Oracle Directory Services Manager is deployed in a High Availability active-active configuration using Oracle HTTP Server.
        2. Display an Oracle Directory Services Manager page using the Oracle HTTP Server name and port number.
        3. Make a connection to an Oracle Internet Directory server.
        4. Work with the Oracle Internet Directory server using the current Oracle Directory Services Manager Oracle HTTP Server host and port.
        5. Shut down one managed server at a time using the WebLogic Server Administration Console.
        6. Go back to the Oracle Directory Services Manager page and port, and the connection which was established earlier with Oracle ...
        Solution
        1. In your web browser, exit the current Oracle Directory Services Manager page.
        2. Launch a new web browser page and specify the same Oracle Directory Services Manager Oracle HTTP Server name and port.
        3. Re-establish a new connection to the Oracle Internet Directory server you were working with earlier.
        Problem
        Solution
        Problem
        Solution
      - S.1.23.4 ODSM Displays an Error Message
        Problem
        Solution
      - S.1.23.5 Cursor Loses Focus
        Problem
        Solution
  - S.2 Need More Help?
    - Index
- Symbols
- Numerics
- A
- B
- C
- D
- E
- F
- G
- H
- I
- J
- K
- L
- M
- N
- O
- P
- Q
- R
- S
- T
- U
- V
- W
- X

Oracle® Fusion Middleware

Administrator's Guide for Oracle Internet Directory

11g Release 1 (11.1.1)

E10029-05

October 2012

Documentation for Oracle Internet Directory administrators

that describes how to manage Oracle Internet Directory

using Oracle Directory Services Manager, Oracle

Enterprise Manager Fusion Middleware Control, and

command-line utilities.

Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, 11g Release 1 (11.1.1)

E10029-05

Primary Author: Ellen Desmond

Contributors: Olfat Aly, Krishna Chander, Giriraj Chauhan, Margaret Chou, Quan Dinh, Maud

Jamati-Bartlett, Vinoth Janakiraman, Buddhika Kottahachchi, Venkat Medam, Vishal Parashar, Karthi

Purushothaman, Lakshmi Ramadoss, Loganathan Ramasamy, Ramaprakash Sathyanarayan, Daniel Shih,

Olaf Stullich, Dipankar Thakuria, Arun Theebaprakasam, Vinay Thulasidas, Satishkumar Venkatasamy,

Frances Wu

This software and related documentation are provided under a license agreement containing restrictions on

use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your

license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,

transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse

engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is

prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If

you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it

on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data

delivered to U.S. Government customers are "commercial computer software" or "commercial technical data"

pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As

such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and

license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of

the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software

License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software or hardware is developed for general use in a variety of information management

applications. It is not developed or intended for use in any inherently dangerous applications, including

applications that may create a risk of personal injury. If you use this software or hardware in dangerous

applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other

measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages

caused by use of this software or hardware in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks

of their respective owners.

This software and documentation may provide access to or information on content, products, and services

from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all

warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and

its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of

third-party content, products, or services.

RSA and RC4 are trademarks of RSA Data Security. Portions of Oracle

Internet Directory have been licensed by Oracle Corporation from RSA Data

Security.

This product contains SSLPlus Integration SuiteTM version 1.2, from Consensus Development Corporation.

iii

Contents

Preface ........................................................................................................................................................... xxxix

Audience................................................................................................................................................. xxxix

Documentation Accessibility............................................................................................................... xxxix

Related Documents ............................................................................................................................... xxxix

Conventions ................................................................................................................................................. xl

What's New in Oracle Internet Directory?................................................................................... xliii

New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1.6.0)..................... xliii

New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1.4.0)..................... xliv

New Features Introduced with Oracle Internet Directory 11g Release 1 (11.1.1)............................ xlv

New Features Introduced with Oracle Internet Directory 10g (10.1.4.1) ........................................ xlvii

New Features Introduced with Oracle Internet Directory 10g Release 2 (10.1.2)........................... xlix

Part I Understanding Directory Services

1 Introduction to Directory Services

1.1 What Is a Directory? ................................................................................................................... 1-1

1.1.1 The Expanding Role of Online Directories ...................................................................... 1-1

1.1.2 The Problem: Too Many Special-Purpose Directories.................................................... 1-2

1.2 What Is the Lightweight Directory Access Protocol (LDAP)? ............................................. 1-3

1.2.1 LDAP and Simplified Directory Management................................................................ 1-3

1.2.2 LDAP Version 3 ................................................................................................................... 1-3

1.3 What Is Oracle Internet Directory?........................................................................................... 1-4

1.3.1 Overview of Oracle Internet Directory............................................................................. 1-4

1.3.2 Components of Oracle Internet Directory........................................................................ 1-5

1.3.3 Advantages of Oracle Internet Directory ......................................................................... 1-5

1.3.3.1 Scalability....................................................................................................................... 1-6

1.3.3.2 High Availability .......................................................................................................... 1-6

1.3.3.3 Security........................................................................................................................... 1-6

1.3.3.4 Integration with the Oracle Environment................................................................. 1-6

1.4 How Oracle Products Use Oracle Internet Directory ............................................................ 1-6

1.4.1 Easier and More Cost-Effective Administration of Oracle Products ........................... 1-7

1.4.2 Tighter Security Through Centralized Security Policy Administration...................... 1-7

1.4.3 Integration of Multiple Directories ................................................................................... 1-8

2 Understanding Oracle Internet Directory in Oracle Fusion Middleware

2.1 WebLogic Server Domain.......................................................................................................... 2-1

2.2 Oracle Internet Directory as a System Component................................................................ 2-2

2.3 Oracle Internet Directory Deployment Options..................................................................... 2-2

2.4 Middleware Home...................................................................................................................... 2-3

2.5 WebLogic Server Home ............................................................................................................. 2-3

2.6 Oracle Common Home .............................................................................................................. 2-3

2.7 Oracle Home ............................................................................................................................... 2-3

2.8 Oracle Instance ........................................................................................................................... 2-3

2.9 Oracle Enterprise Manager Fusion Middleware Control ..................................................... 2-4

2.10 Logging, Auditing, and Diagnostics ........................................................................................ 2-4

2.11 MBeans and the WebLogic Scripting Tool .............................................................................. 2-4

3 Understanding Oracle Internet Directory Concepts and Architecture

3.1 Oracle Internet Directory Architecture.................................................................................... 3-1

3.1.1 An Oracle Internet Directory Node................................................................................... 3-2

3.1.2 An Oracle Directory Server Instance ................................................................................ 3-3

3.1.3 Oracle Internet Directory Ports.......................................................................................... 3-4

3.1.4 Directory Metadata.............................................................................................................. 3-4

3.2 How Oracle Internet Directory Processes a Search Request ................................................ 3-6

3.3 Directory Entries ......................................................................................................................... 3-7

3.3.1 Distinguished Names (DNs) and Directory Information Trees (DITs) ....................... 3-7

3.3.2 Entry Caching....................................................................................................................... 3-8

3.4 Attributes ..................................................................................................................................... 3-8

3.4.1 Kinds of Attribute Information.......................................................................................... 3-9

3.4.2 Single-Valued and Multivalued Attributes .................................................................. 3-10

3.4.3 Common LDAP Attributes.............................................................................................. 3-10

3.4.4 Attribute Syntax ................................................................................................................ 3-11

3.4.5 Attribute Matching Rules ................................................................................................ 3-11

3.4.6 Attribute Options.............................................................................................................. 3-12

3.5 Object Classes ........................................................................................................................... 3-12

3.5.1 Subclasses, Superclasses, and Inheritance .................................................................... 3-12

3.5.2 Object Class Types............................................................................................................ 3-13

3.5.2.1 Structural Object Classes .......................................................................................... 3-13

3.5.2.2 Auxiliary Object Classes........................................................................................... 3-13

3.5.2.3 Abstract Object Classes............................................................................................. 3-13

3.6 Naming Contexts ..................................................................................................................... 3-14

3.7 Security ...................................................................................................................................... 3-15

3.8 Globalization Support ............................................................................................................. 3-15

3.9 Distributed Directories............................................................................................................ 3-16

3.9.1 Directory Replication ....................................................................................................... 3-16

3.9.2 Directory Partitioning ...................................................................................................... 3-17

3.10 Knowledge References and Referrals ................................................................................... 3-18

3.11 Oracle Delegated Administration Services and the Oracle Internet Directory Self-Service

Console 3-19

3.12 The Service Registry and Service to Service Authentication ............................................ 3-20

3.13 Oracle Directory Integration Platform.................................................................................. 3-20

3.14 Oracle Internet Directory and Identity Management......................................................... 3-21

3.14.1 About Identity Management........................................................................................... 3-21

3.14.2 Oracle Identity Management Products ......................................................................... 3-22

3.14.3 Identity Management Realms......................................................................................... 3-23

3.14.3.1 Default Identity Management Realm ..................................................................... 3-23

3.14.3.2 Identity Management Policies ................................................................................. 3-24

3.15 Resource Information .............................................................................................................. 3-24

3.15.1 Resource Type Information............................................................................................. 3-24

3.15.2 Resource Access Information.......................................................................................... 3-24

3.15.3 Location of Resource Information in the DIT............................................................... 3-25

4 Understanding Process Control of Oracle Internet Directory Components

4.1 Oracle Internet Directory Process Control Architecture ....................................................... 4-1

4.2 The ODS_PROCESS_STATUS Table........................................................................................ 4-2

4.3 Starting, Stopping, and Monitoring of Oracle Internet Directory Processes...................... 4-3

4.3.1 Oracle Internet Directory Snippet in opmn.xml.............................................................. 4-3

4.3.2 OPMN Starting Oracle Internet Directory ....................................................................... 4-4

4.3.3 OPMN Stopping of Oracle Internet Directory................................................................. 4-4

4.3.4 Process Monitoring.............................................................................................................. 4-5

4.4 Oracle Internet Directory Process Control–Best Practices .................................................... 4-5

5 Understanding Oracle Internet Directory Organization

5.1 The Directory Information Tree................................................................................................ 5-1

5.2 Planning the Overall Directory Structure................................................................................ 5-2

5.3 Planning the Names and Organization of Users and Groups.............................................. 5-3

5.3.1 Organizing Users ................................................................................................................. 5-3

5.3.2 Organizing Groups.............................................................................................................. 5-4

5.4 Migrating a DIT from a Third-Party Directory....................................................................... 5-5

6 Understanding Oracle Internet Directory Replication

6.1 Why Use Replication? ................................................................................................................ 6-2

6.2 Replication Concepts.................................................................................................................. 6-2

6.2.1 Content to be Replicated: Full or Partial .......................................................................... 6-2

6.2.2 Direction: One-Way, Two-Way, or Peer to Peer ............................................................. 6-3

6.2.3 Transport Mechanism: LDAP or Oracle Database Advanced Replication ................. 6-4

6.2.4 Directory Replication Group (DRG) Type: Single-master, Multimaster, or Fan-out. 6-4

6.2.4.1 Single-Master Replication Example........................................................................... 6-5

6.2.4.2 Multimaster Replication Example.............................................................................. 6-5

6.2.4.3 Fan-out Replication Example...................................................................................... 6-6

6.2.5 Loose Consistency Model................................................................................................... 6-6

6.2.6 How the Replication Concepts Fit Together.................................................................... 6-6

6.2.7 Multimaster Replication with Fan-Out ............................................................................ 6-7

6.3 What Kind of Replication Do You Need? ............................................................................... 6-8

Part II Basic Administration

7 Getting Started With Oracle Internet Directory

7.1 Patching Your System to 11g Release 1 (11.1.1.6.0)................................................................ 7-1

7.1.1 Upgrading a Directory Replication Group ...................................................................... 7-1

7.2 Postinstallation Tasks and Information................................................................................... 7-1

7.2.1 Setting Up the Environment .............................................................................................. 7-2

7.2.2 Adding Datafiles to the OLTS_CT_STORE and OLTS_ATTRSTORE Tablespaces... 7-2

7.2.3 Changing Settings of Windows Services.......................................................................... 7-2

7.2.4 Starting and Stopping the Oracle Stack............................................................................ 7-2

7.2.5 Identifying Default URLs and Ports ................................................................................. 7-2

7.2.6 Tuning Oracle Internet Directory...................................................................................... 7-2

7.2.7 Enabling Anonymous Binds .............................................................................................. 7-3

7.2.8 Enabling Oracle Internet Directory to run on Privileged Ports .................................... 7-3

7.2.9 Verifying Oracle Database Time Zone ............................................................................ 7-3

7.3 Using Fusion Middleware Control to Manage Oracle Internet Directory ........................ 7-4

7.4 Using Oracle Directory Services Manager .............................................................................. 7-5

7.4.1 Introduction to Oracle Directory Services Manager....................................................... 7-6

7.4.1.1 Using the JAWS Screen Reader with Oracle Directory Services Manager........... 7-6

7.4.1.2 Non-Super User Access to Oracle Directory Services Manager ............................ 7-6

7.4.1.3 Single Sign-On Integration with Oracle Directory Services Manager .................. 7-6

7.4.2 Configuring ODSM for SSO Integration .......................................................................... 7-7

7.4.3 Configuring the SSO Server for ODSM Integration ....................................................... 7-8

7.4.4 Configuring the Oracle HTTP Server for ODSM-SSO Integration............................... 7-9

7.4.5 Invoking Oracle Directory Services Manager.................................................................. 7-9

7.4.6 Connecting to the Server from Oracle Directory Services Manager ......................... 7-10

7.4.6.1 Logging in to the Directory Server from Oracle Directory Services Manager . 7-10

7.4.6.2 Logging Into the Directory Server from Oracle Directory Services Manager Using

SSL 7-11

7.4.6.2.1 SSL No Authentication ...................................................................................... 7-11

7.4.6.2.2 SSL Server Only Authentication ...................................................................... 7-11

7.4.6.2.3 SSL Client and Server Authentication............................................................. 7-12

7.4.6.3 Connecting to an SSO-Enabled Directory as an SSO-Authenticated User........ 7-12

7.4.7 Configuring Oracle Directory Services Manager Session Timeout........................... 7-12

7.4.8 Configuring Oracle HTTP Server to Support Oracle Directory Services Manager in an

Oracle WebLogic Server Cluster 7-13

7.5 Using Command-Line Utilities to Manage Oracle Internet Directory............................. 7-13

7.5.1 Using Standard LDAP Utilities ...................................................................................... 7-14

7.5.2 Using Bulk Tools............................................................................................................... 7-14

7.5.3 Using WLST....................................................................................................................... 7-14

7.6 Basic Tasks for Configuring and Managing Oracle Internet Directory .......................... 7-15

8 Managing Oracle Internet Directory Instances

8.1 Introduction to Managing Oracle Internet Directory Instances .......................................... 8-1

8.1.1 The Instance-Specific Configuration Entry...................................................................... 8-1

8.1.2 Creating the First Oracle Internet Directory Instance .................................................... 8-2

8.1.3 Creating Additional Oracle Internet Directory Instances.............................................. 8-3

8.1.4 Registering an Oracle Instance or Component with the WebLogic Server................. 8-4

vii

8.2 Managing Oracle Internet Directory Components by Using Fusion Middleware Control ....

8-4

8.2.1 Viewing Active Server Information by Using Fusion Middleware Control .............. 8-5

8.2.2 Starting the Oracle Internet Directory Server by Using Fusion Middleware Control ......

8-5

8.2.3 Stopping the Oracle Internet Directory Server by Using Fusion Middleware Control.....

8-5

8.2.4 Restarting the Oracle Internet Directory Server by Using Fusion Middleware Control ..

8-5

8.3 Managing Oracle Internet Directory Components by Using opmnctl................................ 8-5

8.3.1 Creating an Oracle Internet Directory Component by Using opmnctl ...................... 8-6

8.3.2 Registering an Oracle Instance by Using opmnctl.......................................................... 8-7

8.3.3 Unregistering an Oracle Instance by Using opmnctl ..................................................... 8-7

8.3.4 Updating the Component Registration of an Oracle Instance by Using opmnctl ..... 8-8

8.3.5 Deleting an Oracle Internet Directory Component by Using opmnctl........................ 8-9

8.3.6 Viewing Active Server Instance Information by Using opmnctl.................................. 8-9

8.3.7 Starting the Oracle Internet Directory Server by Using opmnctl ................................. 8-9

8.3.8 Stopping the Oracle Internet Directory Server by Using opmnctl ............................ 8-10

8.3.9 Restarting the Oracle Internet Directory Server by Using opmnctl .......................... 8-10

8.3.10 Changing the Oracle Database Information in opmn.xml ......................................... 8-10

8.4 Starting an Instance of the Replication Server by Using OIDCTL.................................... 8-10

9 Managing System Configuration Attributes

9.1 Introduction to Managing System Configuration Attributes............................................... 9-1

9.1.1 What are Configuration Attributes? ................................................................................. 9-1

9.1.2 What are Operational Attributes? ..................................................................................... 9-2

9.1.3 Attributes of the Instance-Specific Configuration Entry ............................................... 9-2

9.1.4 Attributes of the DSA Configuration Entry..................................................................... 9-9

9.1.5 Attributes of the DSE........................................................................................................ 9-11

9.2 Managing System Configuration Attributes by Using Fusion Middleware Control .... 9-12

9.2.1 Configuring Server Properties........................................................................................ 9-12

9.2.2 Configuring Shared Properties....................................................................................... 9-14

9.2.3 Configuring Other Parameters ....................................................................................... 9-15

9.3 Managing System Configuration Attributes by Using WLST........................................... 9-15

9.4 Managing System Configuration Attributes by Using LDAP Tools................................ 9-17

9.4.1 Setting System Configuration Attributes by Using ldapmodify .............................. 9-17

9.4.2 Listing Configuration Attributes with ldapsearch ...................................................... 9-18

9.5 Managing System Configuration Attributes by Using ODSM Data Browser ................ 9-19

9.5.1 Navigating to the Instance-Specific Configuration Entry........................................... 9-19

9.5.2 Navigating to the DSA Configuration Entry ................................................................ 9-19

9.5.3 Navigating to the DSE Root ............................................................................................ 9-19

10 Managing IP Addresses

10.1 Introduction to Managing IP Addresses .............................................................................. 10-1

10.2 Configuring an IP Address for IP V6, Cold Failover Cluster, or Virtual IP.................... 10-1

viii

11 Managing Naming Contexts

11.1 Introduction to Managing Naming Contexts ...................................................................... 11-1

11.2 Searching for Published Naming Contexts .......................................................................... 11-1

11.3 Publishing a Naming Context................................................................................................ 11-2

12 Managing Accounts and Passwords

12.1 Introduction to Managing Accounts and Passwords ......................................................... 12-1

12.2 Managing Accounts and Passwords by Using Command-Line Tools ............................ 12-2

12.2.1 Enabling and Disabling Accounts by Using Command-Line Tools ......................... 12-2

12.2.2 Unlocking Accounts by Using Command-Line Tools ................................................ 12-3

12.2.3 Forcing a Password Change by Using Command-Line Tools ................................... 12-3

12.3 Managing Accounts and Passwords by Using the Self-Service Console......................... 12-3

12.3.1 Enabling and Disabling Accounts by Using the Oracle Internet Directory Self-Service

Console 12-4

12.3.2 Unlocking Accounts by Using the Oracle Internet Directory Self-Service Console 12-4

12.3.3 Resetting Your Own Password by Using the Oracle Internet Directory Self-Service

Console 12-4

12.4 Listing and Unlocking Locked Accounts by Using Oracle Directory Services Manager.........

12-5

12.5 Changing the Superuser Password by Using Fusion Middleware Control.................... 12-5

12.6 Creating Another Account With Superuser Privileges ...................................................... 12-5

12.7 Managing the Superuser Password by Using ldapmodify................................................ 12-6

12.8 Changing the Oracle Internet Directory Database Password ........................................... 12-6

12.9 Resetting the Superuser Password ........................................................................................ 12-7

12.10 Changing the Password for the EMD Administrator Account......................................... 12-7

12.11 Changing the Password for the ODSSM Administrator Account.................................... 12-8

13 Managing Directory Entries

13.1 Introduction to Managing Directory Entries ....................................................................... 13-1

13.2 Managing Entries by Using Oracle Directory Services Manager ..................................... 13-1

13.2.1 Displaying Entries by Using Oracle Directory Services Manager............................. 13-2

13.2.2 Searching for Entries by Using Oracle Directory Services Manager......................... 13-3

13.2.3 Importing Entries from an LDIF File by Using Oracle Directory Services Manager.........

13-5

13.2.4 Exporting Entries to an LDIF File by Using Oracle Directory Services Manager ... 13-5

13.2.5 Viewing Attributes for a Specific Entry by Using Oracle Directory Services Manager....

13-5

13.2.6 Adding a New Entry by Using Oracle Directory Services Manager ........................ 13-6

13.2.7 Deleting an Entry or Subtree by Using Oracle Directory Services Manager ........... 13-8

13.2.8 Adding an Entry by Copying an Existing Entry in Oracle Directory Services Manager..

13-8

13.2.9 Modifying an Entry by Using Oracle Directory Services Manager........................... 13-9

13.3 Managing Entries by Using LDAP Command-Line Tools .............................................. 13-11

13.3.1 Listing All the Attributes in the Directory by Using ldapsearch............................. 13-11

13.3.2 Listing Operational Attributes by Using ldapsearch ................................................ 13-11

13.3.3 Attribute Case in ldapsearch Output........................................................................... 13-12

13.3.4 Adding a User Entry by Using ldapadd...................................................................... 13-12

13.3.5 Modifying a User Entry by Using ldapmodify .......................................................... 13-13

13.3.6 Adding an Attribute Option by Using ldapmodify................................................... 13-13

13.3.7 Deleting an Attribute Option by Using ldapmodify ................................................. 13-13

13.3.8 Searching for Entries with Attribute Options by Using ldapsearch ....................... 13-13

14 Managing Dynamic and Static Groups

14.1 Introduction to Managing Dynamic and Static Groups..................................................... 14-1

14.1.1 Static Groups ..................................................................................................................... 14-2

14.1.1.1 Schema Elements for Creating Static Groups........................................................ 14-2

14.1.2 Dynamic Groups............................................................................................................... 14-2

14.1.2.1 Cached and Uncached Dynamic Groups............................................................... 14-2

14.1.2.2 Enhancements to and Limitations of Dynamic Groups in Oracle Internet Directory

14-3

14.1.2.3 Schema Elements for Creating a Dynamic Group................................................ 14-4

14.1.3 Hierarchies......................................................................................................................... 14-7

14.1.4 Querying Group Entries .................................................................................................. 14-7

14.1.5 orclMemberOf Attribute.................................................................................................. 14-7

14.1.6 When to Use Each Kind of Group.................................................................................. 14-8

14.2 Managing Group Entries by Using Oracle Directory Services Manager......................... 14-9

14.2.1 Creating Static Group Entries by Using Oracle Directory Services Manager.......... 14-9

14.2.2 Modifying a Static Group Entry by Using Oracle Directory Services Manager.... 14-10

14.2.3 Creating Dynamic Group Entries by Using Oracle Directory Services Manager . 14-11

14.2.4 Modifying a Dynamic Group Entry by Using Oracle Directory Services Manager ..........

14-13

14.3 Managing Group Entries by Using the Command Line .................................................. 14-14

14.3.1 Creating a Static Group Entry by Using ldapadd...................................................... 14-14

14.3.2 Modifying a Static Group by Using ldapmodify ....................................................... 14-15

14.3.3 Creating a Dynamic Group Entry by Using ldapadd ............................................... 14-15

14.3.3.1 Creating a Cached Dynamic Group Using labeledURI Attribute.................... 14-15

14.3.3.2 Creating an Uncached Dynamic List Using labeledURI Attribute .................. 14-16

14.3.3.3 Creating a Dynamic Group Using CONNECT BY String ................................. 14-16

14.3.4 Modifying a Dynamic Group by Using ldapmodify................................................. 14-17

15 Performing Bulk Operations

15.1 Introduction to Performing Bulk Operations ...................................................................... 15-1

15.2 Changing Server Mode ........................................................................................................... 15-3

15.2.1 Setting the Server Mode by Using Fusion Middleware Control ............................... 15-3

15.2.2 Setting the Server Mode by Using ldapmodify............................................................ 15-3

15.3 Loading Data Into the Schema by Using bulkload ............................................................. 15-3

15.3.1 Importing an LDIF File by Using bulkload................................................................... 15-6

15.3.2 Loading Data in Incremental or Append Mode By Using bulkload......................... 15-8

15.3.3 Performing Index Verification By Using bulkload ...................................................... 15-8

15.3.4 Re-Creating Indexes By Using bulkload ....................................................................... 15-8

15.3.5 Recovering Data After a Load Failure By Using bulkload ........................................ 15-8

15.4 Modifying Attributes of a Large Number of Entries By Using bulkmodify................... 15-8

15.4.1 Adding a Description for All Entries Under a Specified Naming Context.............. 15-9

15.4.2 Adding an Attribute for Entries Under a Specified Naming Context Matching a Filter..

15-9

15.4.3 Replacing an Attribute for All Entries Under a Specified Naming Context............ 15-9

15.5 Deleting Entries or Attributes of Entries by Using bulkdelete........................................ 15-10

15.5.1 Deleting All Entries Under a Specified Naming Context by Using bulkdelete..... 15-10

15.5.2 Deleting Entries Under Naming Contexts and Making them Tombstone Entries 15-10

15.6 Dumping Data from Oracle Internet Directory to a File by Using ldifwrite................. 15-11

15.6.1 Dumping Part of a Specified Naming Context to an LDIF File ............................... 15-11

15.6.2 Dumping Entries Under a Specified Naming Context to an LDIF File .................. 15-11

15.7 Creating and Dropping Indexes from Existing Attributes by Using catalog................ 15-12

15.7.1 Changing a Searchable Attribute into a Non-searchable Attribute ........................ 15-13

15.7.2 Changing a Non-searchable Attribute into a Searchable Attribute ........................ 15-13

16 Managing Collective Attributes

16.1 Introduction to Collective Attributes.................................................................................... 16-1

16.1.1 The RFC Definition and Oracle Extensions ................................................................. 16-1

16.1.1.1 RFC 3671 ..................................................................................................................... 16-1

16.1.1.2 Oracle Extensions ...................................................................................................... 16-1

16.1.2 Defining the Collective Attribute Subentry .................................................................. 16-2

16.1.3 Using subtreeSpecification .............................................................................................. 16-2

16.1.3.1 Base .............................................................................................................................. 16-2

16.1.3.2 Minimum and Maximum......................................................................................... 16-2

16.1.3.3 Specific Exclusions..................................................................................................... 16-3

16.1.4 Overriding a Collective Attribute .................................................................................. 16-4

16.2 Managing Collective Attributes by Using the Command Line......................................... 16-4

16.2.1 Adding a Subentry by Using ldapadd........................................................................... 16-4

16.2.2 Modifying a Subentry by Using ldapmodify ............................................................... 16-4

17 Managing Alias Entries

17.1 Introduction to Managing Alias Entries............................................................................... 17-1

17.2 Adding an Alias Entry ............................................................................................................ 17-2

17.3 Searching the Directory with Alias Entries.......................................................................... 17-3

17.3.1 Searching the Base with Alias Entries ........................................................................... 17-3

17.3.2 Searching One-Level with Alias Entries........................................................................ 17-4

17.3.3 Searching a Subtree with Alias Entries ......................................................................... 17-5

17.4 Modifying Alias Entries ......................................................................................................... 17-6

17.5 Interpreting Messages Related to Alias Dereferencing...................................................... 17-6

18 Managing Attribute Uniqueness Constraint Entries

18.1 Introduction to Managing Attribute Uniqueness Constraint Entries ............................. 18-1

18.2 Specifying Attribute Uniqueness Constraint Entries.......................................................... 18-3

18.2.1 Specifying Multiple Attribute Names in an Attribute Uniqueness Constraint....... 18-4

18.2.2 Specifying Multiple Subtrees in an Attribute Uniqueness Constraint...................... 18-4

18.2.3 Specifying Multiple Scopes in an Attribute Uniqueness Constraint......................... 18-5

18.2.4 Specifying Multiple Object Classes in an Attribute Uniqueness Constraint ........... 18-5

18.2.5 Specifying Multiple Subtrees, Scopes, and Object Classes in an Attribute Uniqueness

Constraint 18-6

18.3 Managing an Attribute Uniqueness Constraint Entry by Using Oracle Directory Services

Manager 18-6

18.3.1 Creating an Attribute Uniqueness Constraint Entry by Using ODSM..................... 18-6

18.3.2 Modifying an Attribute Uniqueness Constraint Entry by Using ODSM ................. 18-7

18.3.3 Deleting an Attribute Uniqueness Constraint Entry by Using ODSM..................... 18-7

18.4 Managing an Attribute Uniqueness Constraint Entry by Using the Command Line ... 18-7

18.4.1 Creating Attribute Uniqueness Across a Directory by Using Command-Line Tools .......

18-7

18.4.2 Creating Attribute Uniqueness Across One Subtree by Using Command-Line Tools .....

18-8

18.4.3 Creating Attribute Uniqueness Across One Object Class by Using Command-Line

Tools 18-9

18.4.4 Modifying Attribute Uniqueness Constraint Entries by Using Command-Line Tools ....

18-9

18.4.5 Deleting Attribute Uniqueness Constraint Entries by Using Command-Line Tools ........

18-9

18.4.6 Enabling and Disabling Attribute Uniqueness by Using Command-Line Tools.. 18-10

19 Managing Knowledge References and Referrals

19.1 Introduction to Managing Knowledge References and Referrals .................................... 19-1

19.2 Configuring Smart Referrals .................................................................................................. 19-3

19.3 Configuring Default Referrals................................................................................................ 19-3

20 Managing Directory Schema

20.1 Introduction to Managing Directory Schema ...................................................................... 20-1

20.1.1 Where Schema Information is Stored in the Directory ............................................... 20-2

20.1.2 Understanding Object Classes ........................................................................................ 20-2

20.1.2.1 About Adding Object Classes.................................................................................. 20-3

20.1.2.2 About Modifying Object Classes............................................................................. 20-4

20.1.2.3 About Deleting Object Classes ................................................................................ 20-4

20.1.3 Understanding Attributes .............................................................................................. 20-4

20.1.3.1 About Adding Attributes ......................................................................................... 20-5

20.1.3.2 About Modifying Attributes.................................................................................... 20-5

20.1.3.3 About Deleting Attributes........................................................................................ 20-5

20.1.3.4 About Indexing Attributes ...................................................................................... 20-6

20.1.4 Extending the Number of Attributes Associated with Entries .................................. 20-7

20.1.4.1 Extending the Number of Attributes before Creating Entries in the Directory 20-8

20.1.4.2 Extending the Number of Attributes for Existing Entries by Creating an Auxiliary

Object Class 20-8

20.1.4.3 Extending the Number of Attributes for Existing Entries by Creating a Content

Rule 20-9

20.1.4.4 Rules for Creating and Modifying Content Rules ................................................ 20-9

20.1.4.5 Schema Enforcement When Using Content Rules.............................................. 20-10

20.1.4.6 Searches for Object Classes Listed in Content Rules.......................................... 20-10

20.1.5 Understanding Attribute Aliases ................................................................................ 20-11

xii

20.1.6 Object Identifier Support in LDAP Operations.......................................................... 20-11

20.2 Managing Directory Schema by Using Oracle Directory Services Manager ................ 20-12

20.2.1 Searching for Object Classes by Using Oracle Directory Services Manager.......... 20-12

20.2.2 Adding Object Classes by Using Oracle Directory Services Manager.................... 20-13

20.2.3 Modifying Object Classes by Using Oracle Directory Services Manager............... 20-13

20.2.4 Deleting Object Classes by Using Oracle Directory Services Manager .................. 20-14

20.2.5 Viewing Properties of Object Classes by Using Oracle Directory Services Manager........

20-14

20.2.6 Adding a New Attribute by Using Oracle Directory Services Manager ................ 20-15

20.2.7 Modifying an Attribute by Using Oracle Directory Services Manager .................. 20-15

20.2.8 Deleting an Attribute by Using Oracle Directory Services Manager...................... 20-16

20.2.9 Viewing All Directory Attributes by Using Oracle Directory Services Manager . 20-16

20.2.10 Searching for Attributes by Using Oracle Directory Services Manager ................. 20-16

20.2.11 Adding an Index to a New Attribute by Using Oracle Directory Services Manager ........

20-17

20.2.12 Adding an Index to an Existing Attribute by Using Oracle Directory Services Manager

20-17

20.2.13 Dropping an Index from an Attribute by Using Oracle Directory Services Manager.......

20-17

20.2.14 Creating a Content Rule by Using Oracle Directory Services Manager................. 20-17

20.2.15 Modifying a Content Rule by Using Oracle Directory Services Manager ............. 20-18

20.2.16 Viewing Matching Rules by Using Oracle Directory Services Manager................ 20-18

20.2.17 Viewing Syntaxes by Using Oracle Directory Services Manager ............................ 20-19

20.3 Managing Directory Schema by Using the Command Line............................................ 20-19

20.3.1 Viewing the Schema by Using ldapsearch.................................................................. 20-19

20.3.2 Adding a New Object Class by Using Command-Line Tools.................................. 20-20

20.3.3 Adding a New Attribute to an Auxiliary or User-Defined Object Class by Using

Command-Line Tools 20-20

20.3.4 Modifying Object Classes by Using Command-Line Tools ..................................... 20-21

20.3.5 Adding and Modifying Attributes by Using ldapmodify ........................................ 20-21

20.3.6 Deleting Attributes by Using ldapmodify .................................................................. 20-21

20.3.7 Indexing an Attribute by Using ldapmodify.............................................................. 20-22

20.3.8 Dropping an Index from an Attribute by Using ldapmodify .................................. 20-22

20.3.9 Indexing an Attribute by Using the Catalog Management Tool ............................. 20-23

20.3.10 Adding a New Attribute With Attribute Aliases by Using the Command Line... 20-23

20.3.11 Adding or Modifying Attribute Aliases in Existing Attributes by Using the Command

Line 20-23

20.3.12 Deleting Attribute Aliases by Using the Command Line......................................... 20-24

20.3.13 Using Attribute Aliases with LDAP Commands....................................................... 20-24

20.3.13.1 Using Attribute Aliases with ldapsearch ............................................................. 20-25

20.3.13.2 Using Attribute Aliases with ldapadd ................................................................. 20-25

20.3.13.3 Using Attribute Aliases with ldapmodify ........................................................... 20-26

20.3.13.4 Using Attribute Aliases with ldapdelete.............................................................. 20-26

20.3.13.5 Using Attribute Aliases with ldapmoddn ........................................................... 20-26

20.3.14 Managing Content Rules by Using Command-Line Tools ...................................... 20-27

20.3.15 Viewing Matching Rules by Using ldapsearch .......................................................... 20-28

20.3.16 Viewing Syntaxes by Using by Using ldapsearch ..................................................... 20-28

xiii

21 Configuring Referential Integrity

21.1 Introduction to Configuring Referential Integrity .............................................................. 21-1

21.2 Enabling Referential Integrity by Using Fusion Middleware Control ............................ 21-2

21.3 Disabling Referential Integrity by Using Fusion Middleware Control ........................... 21-2

21.4 Enabling Referential Integrity by Using the Command Line............................................ 21-2

21.5 Configuring Specific Attributes for Referential Integrity by Using the Command Line .........

21-3

21.6 Disabling Referential Integrity by Using the Command Line........................................... 21-3

21.7 Detecting and Correcting Referential Integrity Violations................................................ 21-3

22 Managing Auditing

22.1 Introduction to Auditing ........................................................................................................ 22-1

22.1.1 Configuring the Audit Store ........................................................................................... 22-2

22.1.2 Oracle Internet Directory Audit Configuration ........................................................... 22-2

22.1.3 Replication and Oracle Directory Integration Platform Audit Configuration ........ 22-3

22.1.4 Audit Record Fields.......................................................................................................... 22-3

22.1.5 Audit Record Storage....................................................................................................... 22-3

22.1.6 Generating Audit Reports ............................................................................................... 22-4

22.2 Managing Auditing by Using Fusion Middleware Control.............................................. 22-4

22.3 Managing Auditing by Using WLST .................................................................................... 22-5

22.4 Managing Auditing from the Command Line .................................................................... 22-5

22.4.1 Viewing Audit Configuration from the Command Line............................................ 22-5

22.4.2 Configuring Oracle Internet Directory Auditing from the Command Line............ 22-6

22.4.3 Enabling Replication and Oracle Directory Integration Platform Auditing............ 22-6

23 Managing Logging

23.1 Introduction to Logging.......................................................................................................... 23-1

23.1.1 Features of Oracle Internet Directory Debug Logging................................................ 23-2

23.1.2 Interpreting Log Messages .............................................................................................. 23-2

23.1.2.1 Log Messages for Specified LDAP Operations ..................................................... 23-3

23.1.2.2 Log Messages Not Associated with Specified LDAP Operations ...................... 23-3

23.1.2.3 Example: Trace Messages in Oracle Internet Directory Server Log File ........... 23-3

23.2 Managing Logging by Using Fusion Middleware Control ............................................... 23-4

23.2.1 Viewing Log Files by Using Fusion Middleware Control.......................................... 23-5

23.2.2 Configuring Logging by Using Fusion Middleware Control .................................... 23-5

23.3 Managing Logging from the Command Line...................................................................... 23-6

23.3.1 Viewing Log Files from the Command Line ................................................................ 23-6

23.3.2 Setting Debug Logging Levels by Using the Command Line.................................... 23-6

23.3.3 Setting the Debug Operation by Using the Command Line ...................................... 23-7

23.3.4 Force Flushing the Trace Information to a Log File..................................................... 23-8

24 Monitoring Oracle Internet Directory

24.1 Introduction to Monitoring Oracle Internet Directory Server........................................... 24-1

24.1.1 Capabilities of Oracle Internet Directory Server Manageability ............................... 24-1

24.1.2 Oracle Internet Directory Server Manageability Architecture and Components ... 24-2

xiv

24.1.3 Purging of Security Events and Statistics Entries ........................................................ 24-4

24.1.4 Account Used for Accessing Server Manageability Information .............................. 24-4

24.2 Setting Up Statistics Collection by Using Fusion Middleware Control........................... 24-4

24.2.1 Configuring Directory Server Statistics Collection by Using Fusion Middleware

Control 24-4

24.2.2 Configuring a User for Statistics Collection by Using Fusion Middleware Control ........

24-5

24.3 Viewing Statistics Information with Fusion Middleware Control ................................... 24-6

24.3.1 Viewing Statistics Information on the Oracle Internet Directory Home Page ........ 24-6

24.3.2 Viewing Information on the Oracle Internet Directory Performance Page ............. 24-6

24.4 Viewing Statistics Information from the Oracle Directory Services Manager Home Page .....

24-7

24.5 Setting Up Statistics Collection by Using the Command-Line.......................................... 24-7

24.5.1 Configuring Health, General, and Performance Statistics Attributes....................... 24-8

24.5.2 Configuring Security Events Tracking .......................................................................... 24-8

24.5.3 Configuring User Statistics Collection from the Command Line.............................. 24-9

24.5.4 Configuring Event Levels from the Command Line .................................................. 24-9

24.5.5 Configuring a User for Statistics Collection by Using the Command Line ........... 24-10

24.6 Viewing Information with the OIDDIAG Tool ................................................................. 24-10

25 Backing Up and Restoring Oracle Internet Directory

Part III Advanced Administration: Security

26 Configuring Secure Sockets Layer (SSL)

26.1 Introduction to Configuring Secure Sockets Layer (SSL) ................................................. 26-1

26.1.1 Supported Cipher Suites.................................................................................................. 26-2

26.1.2 Supported Protocol Versions .......................................................................................... 26-2

26.1.3 SSL Authentication Modes.............................................................................................. 26-3

26.1.4 Limitations of the Use of SSL in11g Release 1 (11.1.1) ................................................ 26-4

26.1.5 Oracle Wallets ................................................................................................................... 26-4

26.1.6 Other Components and SSL ........................................................................................... 26-4

26.1.7 SSL Interoperability Mode............................................................................................... 26-5

26.1.8 StartTLS .............................................................................................................................. 26-5

26.2 Configuring SSL by Using Fusion Middleware Control.................................................... 26-5

26.2.1 Creating a Wallet by Using Fusion Middleware Control ........................................... 26-6

26.2.2 Configuring SSL Parameters by Using Fusion Middleware Control ....................... 26-7

26.2.3 Setting SSL Parameters with Fusion Middleware Control......................................... 26-8

26.3 Configuring SSL by Using WLST .......................................................................................... 26-8

26.4 Configuring SSL by Using LDAP Commands .................................................................. 26-10

26.5 Testing SSL Connections by Using Oracle Directory Services Manager ....................... 26-11

26.6 Testing SSL Connections From the Command Line......................................................... 26-11

26.6.1 Testing SSL With Encryption Only .............................................................................. 26-12

26.6.2 Testing SSL With Server Authentication..................................................................... 26-12

26.6.3 Testing SSL With Client and Server Authentication ................................................. 26-12

26.7 Configuring SSL Interoperability Mode............................................................................. 26-13

27 Configuring Data Privacy

27.1 Introduction to Table Space Encryption............................................................................... 27-1

27.2 Enabling and Disabling Table Space Encryption ................................................................ 27-1

27.3 Introduction to Using Database Vault With Oracle Internet Directory........................... 27-3

27.4 Configuring Oracle Database Vault to Protect Oracle Internet Directory Data ............. 27-3

27.4.1 Registering Oracle Database Vault................................................................................. 27-3

27.4.2 Adding a Database Vault Realm and Policies for Oracle Internet Directory .......... 27-4

27.4.3 Managing Oracle Database Vault Configuration for Oracle Internet Directory ..... 27-5

27.4.4 Deleting Database Vault Policies For Oracle Internet Directory ............................... 27-5

27.4.5 Disabling Oracle Database Vault for the Oracle Internet Directory Database ........ 27-5

27.5 Best Practices for Using Database Vault with Oracle Internet Directory ........................ 27-5

27.6 Introduction to Sensitive Attributes...................................................................................... 27-6

27.6.1 List of Sensitive Attributes .............................................................................................. 27-6

27.6.2 Encryption Algorithm for Sensitive Attributes............................................................ 27-6

27.7 Configuring Privacy of Retrieved Sensitive Attributes...................................................... 27-7

27.8 Introduction to Hashed Attributes........................................................................................ 27-7

27.9 Configuring Hashed Attributes............................................................................................. 27-8

27.9.1 Configuring Hashed Attributes by Using Fusion Middleware Control .................. 27-8

27.9.2 Configuring Hashed Attributes by Using ldapmodify............................................... 27-8

28 Managing Password Policies

28.1 Introduction to Managing Password Policies...................................................................... 28-1

28.1.1 What a Password Policy Is .............................................................................................. 28-1

28.1.2 Steps Required to Create and Apply a Password Policy ............................................ 28-2

28.1.3 Fine-Grained Password Policies..................................................................................... 28-2

28.1.4 Default Password Policy.................................................................................................. 28-4

28.1.5 Password Policy Attributes............................................................................................. 28-5

28.1.6 Password Policy-Related Operational Attributes ........................................................ 28-7

28.1.7 Directory Server Verification of Password Policy Information ................................. 28-7

28.1.8 Password Policy Error Messages.................................................................................... 28-8

28.1.9 Releases Before 10g (10.1.4.0.1) ....................................................................................... 28-8

28.2 Managing Password Policies by Using Oracle Directory Services Manager.................. 28-9

28.2.1 Viewing Password Policies by Using Oracle Directory Services Manager.............. 28-9

28.2.2 Modifying Password Policies by Using Oracle Directory Services Manager.......... 28-9

28.2.3 Creating a Password Policy and Assigning it to a Subtree by Using ODSM ........ 28-10

28.3 Managing Password Policies by Using Command-Line Tools....................................... 28-11

28.3.1 Viewing Password Policies by Using Command-Line Tools................................... 28-11

28.3.2 Creating a New Password Policy by Using Command-Line Tools ........................ 28-11

28.3.3 Applying a Password Policy to a Subtree by Using Command-Line Tools .......... 28-11

28.3.4 Setting Password Policies by Using Command-Line Tools ..................................... 28-12

29 Managing Directory Access Control

29.1 Introduction to Managing Directory Access Control ........................................................ 29-1

29.1.1 Access Control Management Constructs ...................................................................... 29-2

29.1.1.1 Access Control Policy Points (ACPs)...................................................................... 29-3

29.1.1.2 The orclACI Attribute for Prescriptive Access Control ....................................... 29-3

xvi

29.1.1.3 The orclEntryLevelACI Attribute for Entry-Level Access Control.................... 29-3

29.1.1.4 Security Groups ......................................................................................................... 29-4

29.1.1.4.1 ACP groups ......................................................................................................... 29-4

29.1.1.4.2 Privilege Groups................................................................................................. 29-4

29.1.1.4.3 Users in Both Types of Groups......................................................................... 29-5

29.1.1.4.4 Constraints on Security Groups ....................................................................... 29-5

29.1.1.4.5 Overview: Granting Access Rights to a Group.............................................. 29-5

29.1.1.4.6 How the Directory Server Computes Security Group Membership .......... 29-5

29.1.1.4.7 Example: Computing Security Group Membership ..................................... 29-5

29.1.2 Access Control Information Components..................................................................... 29-7

29.1.2.1 Object: To What Are You Granting Access?.......................................................... 29-7

29.1.2.2 Subject: To Whom Are You Granting Access? ...................................................... 29-8

29.1.2.2.1 Entity .................................................................................................................... 29-8

29.1.2.2.2 Bind Mode ........................................................................................................... 29-9

29.1.2.2.3 Bind IP Filter ....................................................................................................... 29-9

29.1.2.2.4 Added Object Constraint ................................................................................ 29-10

29.1.2.3 Operations: What Access Are You Granting? ..................................................... 29-10

29.1.3 Access Level Requirements for LDAP Operations.................................................... 29-11

29.1.4 How ACL Evaluation Works ........................................................................................ 29-11

29.1.4.1 Precedence Rules Used in ACL Evaluation......................................................... 29-12

29.1.4.1.1 Precedence at the Entry Level ........................................................................ 29-13

29.1.4.1.2 Precedence at the Attribute Level .................................................................. 29-13

29.1.4.2 Use of More Than One ACI for the Same Object ................................................ 29-13

29.1.4.3 Exclusionary Access to Directory Objects............................................................ 29-14

29.1.4.4 ACL Evaluation For Groups .................................................................................. 29-15

29.2 Managing Access Control by Using Oracle Directory Services Manager ..................... 29-15

29.2.1 Viewing an ACP by Using Oracle Directory Services Manager.............................. 29-15

29.2.2 Adding an ACP by Using Oracle Directory Services Manager ............................... 29-16

29.2.2.1 Task 1: Specify the Entry That Will Be the ACP.................................................. 29-16

29.2.2.2 Task 2: Configure Structural Access Items .......................................................... 29-16

29.2.2.3 Task 3: Configure Content Access Items.............................................................. 29-18

29.2.2.4 Delete a Structural or Content Access Item ......................................................... 29-19

29.2.3 Modifying an ACP by Using Access Control Management in ODSM ................... 29-19

29.2.4 Adding or Modifying an ACP by Using the Data Browser in ODSM.................... 29-21

29.2.5 Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM . 29-21

29.3 Managing Access Control by Using Command-Line Tools ............................................ 29-21

29.3.1 Restricting the Kind of Entry a User Can Add........................................................... 29-22

29.3.2 Setting Up an Inheritable ACP by Using ldapmodify............................................... 29-23

29.3.3 Setting Up Entry-Level ACIs by Using ldapmodify.................................................. 29-23

29.3.4 Using Wildcards in an LDIF File with ldapmodify ................................................... 29-23

29.3.5 Selecting Entries by DN ................................................................................................. 29-24

29.3.6 Using Attribute and Subject Selectors ......................................................................... 29-24

29.3.7 Granting Read-Only Access .......................................................................................... 29-25

29.3.8 Granting Selfwrite Access to Group Entries .............................................................. 29-25

29.3.9 Defining a Completely Autonomous Policy to Inhibit Overriding Policies .......... 29-25

xvii

30 Managing Password Verifiers

30.1 Introduction to Password Verifiers for Authenticating to the Directory ........................ 30-1

30.1.1 Userpassword Verifiers and Authentication to the Directory ................................... 30-2

30.1.2 Hashing Schemes for Creating Userpassword Verifiers............................................. 30-3

30.2 Managing Hashing Schemes for Password Verifiers for Authenticating to the Directory......

30-3

30.3 Introduction to Password Verifiers for Authenticating to Components ......................... 30-4

30.3.1 About Password Verifiers for Authenticating to Oracle Components..................... 30-4

30.3.2 Attributes for Storing Password Verifiers for Authenticating to Oracle Components .....

30-5

30.3.3 Default Verifiers for Oracle Components ..................................................................... 30-7

30.3.4 How Password Verification Works for an Oracle Component.................................. 30-8

30.4 Managing Password Verifier Profiles for Oracle Components by Using ODSM........... 30-9

30.5 Managing Password Verifier Profiles for Components by Using Command-Line Tools........

30-10

30.5.1 Viewing a Password Verifier Profile by Using Command-Line Tools................... 30-10

30.5.2 Example: Modifying a Password Verifier Profile by Using Command-Line Tools...........

30-10

30.6 Introduction to Generating Verifiers by Using Dynamic Parameters ........................... 30-10

30.7 Configuring Oracle Internet Directory to Generate Dynamic Password Verifiers ...... 30-11

31 Delegating Privileges for Oracle Identity Management

31.1 Introduction to Delegating Privileges for Oracle Identity Management ....................... 31-1

31.1.1 How Delegation Works ................................................................................................... 31-1

31.1.2 Delegation in an Oracle Fusion Middleware Environment ....................................... 31-2

31.1.3 About the Default Configuration ................................................................................... 31-3

31.1.4 Privileges for Administering the Oracle Technology Stack ....................................... 31-3

31.2 Delegating Privileges for User and Group Management .................................................. 31-4

31.2.1 How Privileges Are Granted for Managing User and Group Data ......................... 31-4

31.2.2 Default Privileges for Managing User Data.................................................................. 31-5

31.2.2.1 Creating Users for a Realm ...................................................................................... 31-5

31.2.2.2 Modifying Attributes of a User ............................................................................... 31-5

31.2.2.3 Deleting a User........................................................................................................... 31-6

31.2.2.4 Delegating User Administration ............................................................................. 31-6

31.2.3 Default Privileges for Managing Group Data .............................................................. 31-7

31.2.3.1 Creating Groups ........................................................................................................ 31-7

31.2.3.2 Modifying the Attributes of Groups....................................................................... 31-7

31.2.3.3 Deleting Groups......................................................................................................... 31-7

31.2.3.4 Delegating Group Administration.......................................................................... 31-8

31.3 Delegating Privileges for Deployment of Oracle Components......................................... 31-8

31.3.1 How Deployment Privileges Are Granted.................................................................... 31-9

31.3.2 Oracle Application Server Administrators ................................................................... 31-9

31.3.3 User Management Application Administrators......................................................... 31-10

31.3.4 Trusted Application Administrators ........................................................................... 31-10

31.4 Delegating Privileges for Component Run Time.............................................................. 31-10

31.4.1 Default Privileges for Reading and Modifying User Passwords............................. 31-11

31.4.2 Default Privileges for Comparing User Passwords................................................... 31-12

xviii

31.4.3 Default Privileges for Comparing Password Verifiers.............................................. 31-12

31.4.4 Default Privileges for Proxying on Behalf of End Users........................................... 31-13

31.4.5 Default Privileges for Managing the Oracle Context ................................................ 31-13

31.4.6 Default Privileges for Reading Common User Attributes........................................ 31-13

31.4.7 Default Privileges for Reading Common Group Attributes .................................... 31-14

31.4.8 Default Privileges for Reading the Service Registry.................................................. 31-14

31.4.9 Default Privileges for Administering the Service Registry ...................................... 31-14

32 Managing Authentication

32.1 Introduction to Authentication ............................................................................................. 32-1

32.1.1 Direct Authentication....................................................................................................... 32-1

32.1.2 Indirect Authentication.................................................................................................... 32-3

32.1.3 External Authentication................................................................................................... 32-4

32.1.4 Simple Authentication and Security Layer (SASL) ..................................................... 32-5

32.2 Configuring Certificate Authentication Method by Using Fusion Middleware Control ........

32-6

32.3 Configuring SASL Authentication by Using Fusion Middleware Control..................... 32-6

32.4 Configuring Certificate Authentication Method by Using Command-Line Tools ........ 32-6

32.5 Configuring SASL Authentication by Using the Command Line .................................... 32-7

32.6 Introduction to Anonymous Binds........................................................................................ 32-8

32.7 Managing Anonymous Binds ................................................................................................ 32-8

32.7.1 Managing Anonymous Binds by Using Fusion Middleware Control ..................... 32-8

32.7.2 Managing Anonymous Binds by Using the Command Line..................................... 32-8

Part IV Advanced Administration: Managing Directory Deployment

33 Planning, Deploying and Managing Realms

33.1 Introduction to Planning, Deploying and Managing Realms ........................................... 33-1

33.1.1 Planning the Identity Management Realm ................................................................... 33-1

33.1.2 Identity Management Realms in an Enterprise Deployment..................................... 33-3

33.1.2.1 Single Identity Management Realm in the Enterprise ......................................... 33-3

33.1.2.2 Multiple Identity Management Realms in the Enterprise................................... 33-4

33.1.3 Identity Management Realms in a Hosted Deployment ............................................ 33-4

33.1.4 Identity Management Realm Implementation in Oracle Internet Directory ........... 33-5

33.1.5 Default Directory Information Tree and the Identity Management Realm ............. 33-6

33.2 Customizing the Default Identity Management Realm ..................................................... 33-8

33.2.1 Steps to Update the Existing User and Group Search Base...................................... 33-10

33.2.2 Set up an Additional Search Base................................................................................. 33-11

33.2.3 Refresh Oracle Single Sign-On...................................................................................... 33-12

33.2.4 Reconfigure Provisioning Profiles................................................................................ 33-12

33.3 Creating Additional Identity Management Realms for Hosted Deployments............. 33-13

34 Tuning and Sizing Oracle Internet Directory

35 Managing Garbage Collection

35.1 Introduction to Managing Garbage Collection.................................................................... 35-1

xix

35.1.1 Components of the Oracle Internet Directory Garbage Collection Framework ..... 35-1

35.1.1.1 Garbage Collection Plug-in ...................................................................................... 35-1

35.1.1.2 Background Database Processes ............................................................................. 35-2

35.1.1.2.1 Garbage Collectors ............................................................................................. 35-2

35.1.1.2.2 Predefined Garbage Collectors......................................................................... 35-2

35.1.1.2.3 Oracle Internet Directory Statistics Collector................................................. 35-3

35.1.2 How Oracle Internet Directory Garbage Collection Works ....................................... 35-3

35.1.3 Garbage Collector Entries and the Oracle Internet Directory Statistics Collector Entry ..

35-4

35.1.4 Change Log Purging ........................................................................................................ 35-5

35.2 Set Oracle Database Time Zone for Garbage Collection ................................................... 35-6

35.3 Modifying Oracle Internet Directory Garbage Collectors ................................................. 35-7

35.3.1 Modifying a Garbage Collector by Using Oracle Directory Services Manager....... 35-7

35.3.2 Modifying a Garbage Collector by Using Command-Line Tools.............................. 35-7

35.3.2.1 Example 1: Modifying a Garbage Collector........................................................... 35-7

35.3.2.2 Example 2: Disabling a Garbage Collector Change Log...................................... 35-7

35.3.3 Modifying the Oracle Internet Directory Statistics Collector..................................... 35-8

35.4 Managing Logging for Oracle Internet Directory Garbage Collectors ............................ 35-8

35.4.1 Enabling Logging for Oracle Internet Directory Garbage Collectors ....................... 35-8

35.4.2 Disabling Logging for Oracle Internet Directory Garbage Collectors ...................... 35-9

35.4.3 Monitoring Garbage Collection Logging ...................................................................... 35-9

35.5 Configuring Time-Based Change Log Purging................................................................... 35-9

36 Migrating Data from Other Data Repositories

36.1 Introduction to Migrating Data from Other Data Repositories ....................................... 36-1

36.2 Migrating Data from LDAP-Compliant Directories........................................................... 36-1

36.2.1 Migrating LDAP Data by Using an LDIF File and bulkload...................................... 36-2

36.2.2 Migrating LDAP Data by Using syncProfileBootstrap Directly................................ 36-4

36.2.3 Migrating LDAP Data by Using an LDIF File and syncProfileBootstrap................. 36-5

36.2.4 Migrating LDAP Data by Using syncProfileBootstrap, bulkload, and LDIF Files . 36-5

36.2.5 Migrating LDAP Data by Using the Oracle Directory Integration Platform Server..........

36-6

36.3 Migrating User Data from Application-Specific Repositories........................................... 36-6

36.3.1 The Intermediate Template File...................................................................................... 36-7

36.3.2 Reconciling Data in Application Repository with Data Already in the Directory.. 36-7

36.3.3 Tasks For Migrating Data from Application-Specific Repositories........................... 36-7

36.3.3.1 Task 1: Create an Intermediate Template File....................................................... 36-7

36.3.3.1.1 Example: User Entries in an Intermediate Template File............................. 36-8

36.3.3.1.2 Attributes in User Entries.................................................................................. 36-9

36.3.3.2 Task 2: Run the OID Migration Tool ...................................................................... 36-9

37 Configuring Server Chaining

37.1 Introduction to Configuring Server Chaining ..................................................................... 37-1

37.1.1 Supported External Servers............................................................................................. 37-2

37.1.2 Integrated Oracle Products.............................................................................................. 37-2

37.1.2.1 Oracle Single Sign-On............................................................................................... 37-2

37.1.2.2 Enterprise User Security........................................................................................... 37-2

37.1.3 Supported Operations...................................................................................................... 37-3

37.1.4 Server Chaining with Replication ................................................................................. 37-3

37.2 Configuring Server Chaining................................................................................................. 37-3

37.2.1 Configuring Server Chaining by Using Oracle Directory Services Manager .......... 37-4

37.2.2 Configuring Server Chaining from the Command Line............................................. 37-5

37.3 Creating Server Chaining Configuration Entries................................................................ 37-5

37.3.1 Configuration Entry Attributes ...................................................................................... 37-6

37.3.2 Requirements for User and Group Containers ............................................................ 37-8

37.3.3 Attribute Mapping............................................................................................................ 37-8

37.3.4 Active Directory Example ............................................................................................... 37-9

37.3.5 Active Directory with SSL Example............................................................................. 37-10

37.3.6 Active Directory with New Attributes Example........................................................ 37-11

37.3.7 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server

(iPlanet) Example 37-11

37.3.8 Oracle Directory Server Enterprise Edition and Sun Java System Directory Server

(iPlanet) with SSL Example 37-12

37.3.9 eDirectory Example ........................................................................................................ 37-13

37.3.10 eDirectory with SSL Example ...................................................................................... 37-14

37.4 Debugging Server Chaining................................................................................................. 37-14

37.5 Configuring an Active Directory Plug-in for Password Change Notification ............. 37-14

38 Managing DIT Masking

38.1 Configuring Masking .............................................................................................................. 38-1

38.2 Masking Examples................................................................................................................... 38-1

38.2.1 Restricting Access by Container Name ......................................................................... 38-1

38.2.2 Restricting Access by Entry Data ................................................................................... 38-2

Part V Advanced Administration: Directory Replication

39 Setting Up Replication

39.1 Introduction to Setting Up Replication................................................................................. 39-2

39.1.1 Replication Transport Mechanisms ............................................................................... 39-2

39.1.2 Replication Setup Methods ............................................................................................. 39-2

39.1.2.1 Replication Wizard.................................................................................................... 39-2

39.1.2.2 Command Line Tools................................................................................................ 39-3

39.1.2.3 Database Copy Procedure ........................................................................................ 39-3

39.1.3 Bootstrap Rules ................................................................................................................. 39-3

39.1.4 The Replication Agreement............................................................................................. 39-4

39.1.5 Other Replication Configuration Attributes................................................................. 39-5

39.1.6 Replication Process and Architecture............................................................................ 39-5

39.1.7 Rules for Configuring LDAP-Based Replication.......................................................... 39-5

39.1.8 Replication Security.......................................................................................................... 39-6

39.1.8.1 Authentication and the Directory Replication Server.......................................... 39-6

39.1.8.2 Secure Sockets Layer (SSL) and Oracle Internet Directory Replication ............ 39-7

39.1.9 LDAP Replication Filtering for Partial Replication ..................................................... 39-7

39.1.9.1 Included and Excluded Naming Contexts in LDAP Replication Filtering....... 39-7

xxi

39.1.9.2 Attributes that Control Naming Contexts ............................................................. 39-8

39.1.9.3 Rules for LDAP Replication Filtering..................................................................... 39-8

39.1.9.4 Examples of LDAP Replication Filtering ............................................................... 39-8

39.1.9.5 Rules for Managing Naming Contexts and Attributes ...................................... 39-12

39.1.9.6 Optimization of Partial Replication Naming Context for Better Performance............

39-13

39.2 Converting an Advanced Replication-Based Agreement to an LDAP-Based Agreement .....

39-15

39.3 Setting Up an LDAP-Based Replication Agreement by Using the Replication Wizard...........

39-16

39.4 Testing Replication by Using Oracle Directory Services Manager................................. 39-17

39.5 Setting Up an LDAP-Based Replication by Using the Command Line ......................... 39-17

39.5.1 Copying Your LDAP Data by Using ldifwrite and bulkload................................... 39-18

39.5.2 Setting Up an LDAP-Based Replica with Customized Settings .............................. 39-18

39.5.2.1 Setting Up an LDAP-Based Replica by Using Automatic Bootstrapping....... 39-19

39.5.2.1.1 Task 1: Identify and Start the Directory Server on the Supplier Node..... 39-19

39.5.2.1.2 Task 2: Create the New Consumer Node by Installing Oracle Internet

Directory 39-19

39.5.2.1.3 Task 3: Back Up the Metadata from the New Consumer Node ................ 39-19

39.5.2.1.4 Task 4: Add an LDAP-Based Replica by Using the Replication Environment

Management Tool 39-20

39.5.2.1.5 Task 5: On the Consumer, Configure the Consumer Replica for Automatic

Bootstrapping 39-21

39.5.2.1.6 Task 6: Optional: Change Default Replication Parameters........................ 39-22

39.5.2.1.7 Task 7: Ensure the Directory Replication Servers are Started ................... 39-22

39.5.2.1.8 Task 8: If Oracle Delegated Administration Services or Oracle Single Sign-On

Are Installed on the New Node, Restore Their Entries in the New Node's

Directory 39-23

39.5.2.2 Setting Up an LDAP-Based Replica by Using the ldifwrite Tool ..................... 39-24

39.5.2.2.1 Task 1: Start the Directory Server on Both the Supplier and the Consumer

Nodes 39-25

39.5.2.2.2 Task 2: Back Up the Metadata from the New Consumer Node ................ 39-25

39.5.2.2.3 Task 3: Change the Directory Server at the Supplier to Read-Only Mode ...........

39-26

39.5.2.2.4 Task 4: Add an LDAP-Based Replica by Using the Replication Environment

Management Tool 39-26

39.5.2.2.5 Task 5: Back Up the Naming Contexts to Be Replicated ............................ 39-26

39.5.2.2.6 Task 6: Change the Directory Server at the Supplier to Read/Write Mode.........

39-27

39.5.2.2.7 Task 7: Load the Data on the New Consumer ............................................. 39-27

39.5.2.2.8 Task 8: If Oracle Delegated Administration Services or Oracle Single Sign-On

Are Installed on the New Node, Restore Their Entries in the New Node's

Directory 39-27

39.5.2.2.9 Task 9: Optional: Change Default Replication Parameters........................ 39-28

39.5.2.2.10 Task 10: Ensure the Directory Replication Servers are Started ................. 39-28

39.5.3 Password Policy and Fan-out Replication .................................................................. 39-28

39.5.4 Deleting an LDAP-Based Replica................................................................................. 39-29

39.5.4.1 Task 1: Stop the Directory Replication Server on the Node to be Deleted...... 39-29

39.5.4.2 Task 2: Delete the Replica from the Replication Group..................................... 39-30

xxii

39.6 Setting Up a Multimaster Replication Group with Fan-Out ........................................... 39-30

40 Setting Up Replication Failover

40.1 Introduction to Replication Failover..................................................................................... 40-1

40.1.1 Limitations and Warnings for Replication Failover .................................................... 40-4

40.1.2 Determining Which Type of Replication Failover to Use........................................... 40-5

40.2 Performing a Stateless Replication Failover ........................................................................ 40-5

40.2.1 Task 1: Stop all Directory Replication Server on related Nodes ............................... 40-5

40.2.2 Task 2: Break Old Replication Agreement and Set up New Agreement.................. 40-6

40.2.3 Task 3: Save Last Change Number................................................................................. 40-6

40.2.4 Task 4: Compare and Reconcile New Supplier and Consumer................................. 40-6

40.2.5 Task 5: Update Last Applied Change Number of New Agreement ......................... 40-6

40.2.6 Task 6: Clean Up Old Agreement on Old Supplier ..................................................... 40-7

40.2.7 Task 7: Start All Directory Replication Server on related Nodes............................... 40-7

40.3 Performing a Time-Based Replication Failover .................................................................. 40-8

40.3.1 Task 1: Configure Change Log Garbage Collection Object on New Supplier......... 40-8

40.3.2 Task 2: Save Last Change Number from New Supplier ............................................. 40-8

40.3.3 Task 3: Enable Change Log Regeneration on New Supplier...................................... 40-8

40.3.4 Task 4: Wait for the Desired Time Period to Elapse .................................................... 40-9

40.3.5 Task 5: Stop all Directory Replication Servers on Related Nodes ............................. 40-9

40.3.6 Task 6: Break Old Replication Agreement and Set Up New Agreement ................. 40-9

40.3.7 Task 7: Update Last Applied Change Number of New Agreement ......................... 40-9

40.3.8 Task 8: Clean Up Old Agreement on Old Supplier ..................................................... 40-9

40.3.9 Task 9: Start All Directory Replication Servers on Related Nodes.......................... 40-10

41 Managing Replication Configuration Attributes

41.1 Introduction to Replication Configuration Attributes........................................................ 41-1

41.1.1 The Replication Configuration Container..................................................................... 41-1

41.1.2 The Replica Subentry ....................................................................................................... 41-2

41.1.3 The Replication Agreement Entry.................................................................................. 41-3

41.1.3.1 Replication Agreement Entry Attributes ............................................................... 41-3

41.1.3.2 Oracle Database Advanced Replication-Based Replication Agreements ......... 41-5

41.1.3.3 LDAP Replication Agreements ............................................................................... 41-5

41.1.3.4 Two-Way LDAP Replication Agreements............................................................. 41-5

41.1.4 The Replication Naming Context Container Entry ..................................................... 41-6

41.1.5 The Replication Naming Context Object Entry............................................................ 41-6

41.1.6 The Replication Configuration Set ................................................................................. 41-8

41.1.7 Examples of Replication Configuration Objects in the Directory.............................. 41-9

41.2 Configuring Replication Configuration Attributes by Using Fusion Middleware Control ....

41-12

41.2.1 Configuring Attributes on the Shared Properties, Replication Tab ........................ 41-12

41.2.2 Configuring Replication Wizard Parameters ............................................................. 41-13

41.3 Managing Replication Configuration Attributes From the Command Line................. 41-14

42 Managing and Monitoring Replication

42.1 Introduction to Managing and Monitoring Replication .................................................... 42-1

xxiii

42.1.1 Modifying What Is to Be Replicated in LDAP-Based Partial Replication................ 42-2

42.1.2 Managing Worker Threads ............................................................................................. 42-2

42.1.3 Change Logs in Directory Replication........................................................................... 42-3

42.1.4 The Human Intervention Queue ................................................................................... 42-3

42.1.4.1 Managing the Queues............................................................................................... 42-3

42.1.4.2 Queue Statistics.......................................................................................................... 42-4

42.1.4.3 The Number of Entries the Human Intervention Queue Tools Can Process ... 42-4

42.1.5 Pilot Mode.......................................................................................................................... 42-4

42.1.6 Conflict Resolution in Oracle Replication .................................................................... 42-4

42.1.6.1 Levels at Which Replication Conflicts Occur ........................................................ 42-5

42.1.6.2 Automatic Conflict Resolution ................................................................................ 42-6

42.1.6.3 How Automated Conflict Resolution Works ........................................................ 42-6

42.2 Managing and Monitoring Replication by Using ODSM and Fusion Middleware Control ...

42-7

42.2.1 Enabling or Disabling Change Log Generation by Using Fusion Middleware Control ...

42-7

42.2.2 Viewing the Local Change Logs by Using Oracle Directory Services Manager ..... 42-8

42.2.3 Viewing and Modifying Replica Naming Context Objects ........................................ 42-8

42.2.4 Viewing or Modifying a Replication Setup by Using the Replication Wizard........ 42-9

42.2.5 Deleting an LDAP-Based Replication Agreement by Using the Replication Wizard ......

42-10

42.2.6 Configure Replication Attributes by Using Fusion Middleware Control.............. 42-11

42.2.7 Activating or Inactivating a Replication Server by Using Fusion Middleware Control...

42-12

42.2.8 Configuring the Replication Debug Level by Using Fusion Middleware Control 42-12

42.2.9 Configuring Replica Details by Using Fusion Middleware Control....................... 42-13

42.2.10 Viewing Queue Statistics by Using Fusion Middleware Control............................ 42-13

42.2.11 Managing Changelog Processing by Using Fusion Middleware Control.............. 42-14

42.2.12 Monitoring Conflict Resolution Messages by Using Fusion Middleware Control............

42-14

42.3 Managing and Monitoring Replication by Using the Command Line .......................... 42-14

42.3.1 Enabling and Disabling Change Log Generation by Using the Command Line .. 42-15

42.3.2 Viewing Change Logs by Using ldapsearch............................................................... 42-15

42.3.3 Configuring Attributes of the Replica Subentry by Using ldapmodify ................. 42-16

42.3.4 Specifying Pilot Mode for a Replica by Using remtool............................................. 42-17

42.3.5 Configuring Replication Agreement Attributes by Using ldapmodify.................. 42-17

42.3.6 Modifying Replica Naming Context Object Parameters by Using ldapmodify.... 42-18

42.3.7 Configuring Attributes of the Replication Configuration Set by Using ldapmodify ........

42-21

42.3.8 Monitoring Conflict Resolution Messages by Using the Command Line.............. 42-22

42.3.9 Managing the Human Intervention Queue ............................................................... 42-24

42.3.10 Monitoring Replication Progress in a Directory Replication Group by Using remtool

-pthput 42-25

42.3.11 Viewing Queue Statistics and Verifying Replication by Using remtool ............... 42-26

42.3.12 Managing the Number of Entries the Human Intervention Queue Tools Can Process....

42-27

42.3.13 Changing the Replication Administrator's Password for Advanced Replication 42-27

42.4 Comparing and Reconciling Inconsistent Data by Using oidcmprec ............................ 42-28

xxiv

42.4.1 Conflict Scenarios ........................................................................................................... 42-29

42.4.2 Operations Supported by oidcmprec........................................................................... 42-29

42.4.3 Output from oidcmprec................................................................................................. 42-30

42.4.4 How oidcmprec Works.................................................................................................. 42-31

42.4.5 Setting the Source and Destination Directories.......................................................... 42-31

42.4.6 Selecting the DIT for the Operation ............................................................................. 42-32

42.4.7 Selecting the Attributes for the Operation .................................................................. 42-32

42.4.8 Controlling Change Log Generation............................................................................ 42-33

42.4.9 Using a Text or XML Parameter File............................................................................ 42-33

42.4.10 Including Directory Schema.......................................................................................... 42-34

42.4.11 Overriding Predefined Conflict Resolution Rules..................................................... 42-34

42.4.12 Using the User-Defined Compare and Reconcile Operation ................................... 42-35

42.4.13 Known Limitations of the oidcmprec Tool ................................................................. 42-35

Part VI Advanced Administration: Directory Plug-ins

43 Configuring a Customized Password Policy Plug-In

43.1 Introduction to Configuring a Customized Password Policy Plug-in............................. 43-1

43.2 Installing, Configuring, and Enabling a Customized Password Policy Plug-in............. 43-2

43.2.1 Loading and Registering the PL/SQL Program .......................................................... 43-2

43.2.2 Coding the Password Policy Plug-in ............................................................................. 43-3

43.2.3 Debugging the Password Policy Plug-in....................................................................... 43-3

43.2.4 Contents of Sample PL/SQL Package pluginpkg.sql.................................................. 43-4

44 Developing Plug-ins for the Oracle Internet Directory Server

44.1 Introduction to Developing Plug-ins for the Oracle Internet Directory Server.............. 44-1

44.1.1 Passing Options to the JVM ........................................................................................... 44-2

44.1.2 Supported Languages for Server Plug-ins .................................................................... 44-2

44.1.3 Server Plug-in Prerequisites............................................................................................ 44-3

44.1.4 Server Plug-in Benefits..................................................................................................... 44-3

44.1.5 Guidelines for Designing Plug-ins ................................................................................. 44-3

44.1.6 The Server Plug-in Framework....................................................................................... 44-4

44.1.7 LDAP Operations and Timings Supported by the Directory..................................... 44-4

44.1.7.1 Pre-Operation Server Plug-ins................................................................................. 44-4

44.1.7.2 Post-Operation Server Plug-ins ............................................................................... 44-5

44.1.7.3 When-Operation Server Plug-ins ............................................................................ 44-5

44.1.7.4 When_Replace-Operation Server Plug-ins ............................................................ 44-5

44.1.8 Using Plug-ins in a Replication Environment .............................................................. 44-5

44.2 Creating a Plug-in .................................................................................................................... 44-6

44.3 Registering a Plug-in From the Command Line ................................................................. 44-6

44.3.1 Creating a Plug-in Configuration Entry........................................................................ 44-6

44.3.2 Adding a Plug-in Configuration Entry by Using Command-Line Tools................. 44-8

44.4 Managing Plug-ins by Using Oracle Directory Services Manager and Oracle Enterprise

Manager Fusion Middleware Control 44-9

44.4.1 Creating a New Plug-in by Using Oracle Directory Services Manager.................... 44-9

44.4.2 Registering a Plug-in by Using Oracle Directory Services Manager ...................... 44-10

44.4.3 Editing a Plug-in by Using Oracle Directory Services Manager.............................. 44-10

xxv

44.4.4 Deleting a Plug-in by Using Oracle Directory Services Manager............................ 44-10

44.4.5 Managing JVM Options by Using Oracle Enterprise Manager Fusion Middleware

Control 44-11

45 Configuring a Customized External Authentication Plug-in

45.1 Introduction to Configuring a Customized External Authentication Plug-in ............... 45-1

45.2 Installing, Configuring, and Enabling the External Authentication Plug-in .................. 45-2

45.3 Debugging the External Authentication Plug-in................................................................. 45-3

45.4 Creating the PL/SQL Package oidexaup.sql ....................................................................... 45-4

Part VII Appendixes

A Differences Between 10g and 11g

A.1 Instance Creation and Process Management ........................................................................ A-1

A.2 Locations of Configuration Attributes.................................................................................... A-3

A.3 Default Ports ............................................................................................................................... A-5

A.4 Enabling Server Debugging ..................................................................................................... A-6

A.5 Command Line Tools ................................................................................................................ A-6

A.6 Path Names................................................................................................................................. A-7

A.7 Graphical User Interfaces ......................................................................................................... A-7

A.8 Audit ............................................................................................................................................ A-7

A.9 Referential Integrity................................................................................................................... A-8

A.10 Server Chaining.......................................................................................................................... A-8

A.11 Replication .................................................................................................................................. A-8

A.12 Oracle Directory Integration Platform.................................................................................... A-8

A.13 Oracle Single Sign-On and Oracle Delegated Administration Services ............................ A-8

A.14 Java Containers........................................................................................................................... A-9

B Managing Oracle Internet Directory Instances by Using OIDCTL

B.1 Introduction to Managing Oracle Internet Directory by Using OIDCTL.......................... B-1

B.2 Creating and Starting an Oracle Internet Directory Server Instance by Using OIDCTL B-3

B.3 Stopping an Oracle Internet Directory Server Instance by Using OIDCTL ...................... B-3

B.4 Starting an Oracle Internet Directory Server Instance by Using OIDCTL ........................ B-4

B.5 Viewing Status Information by Using OIDCTL .................................................................... B-4

B.6 Deleting an Oracle Internet Directory Server Instance by Using OIDCTL ....................... B-4

C Setting Up Oracle Database Advanced Replication-Based Replication

C.1 Introduction to Setting up Oracle Database Advanced Replication-Based Replication . C-1

C.1.1 Database Version Compatibility....................................................................................... C-1

C.1.2 Advanced Replication Filtering for Partial Replication ................................................ C-1

C.1.2.1 Excluded Naming Contexts ....................................................................................... C-1

C.1.2.2 Rules for Advanced Replication Filtering................................................................ C-2

C.2 Setting Up Advanced Replication-Based Replication .......................................................... C-2

C.2.1 Rules for Setting Up Advanced Replication ................................................................... C-3

C.2.2 Setting Up an Advanced Replication-Based Multimaster Replication Group ......... C-4

xxvi

C.2.2.1 Task 1: Install Oracle Internet Directory on the Master Definition Site (MDS).. C-4

C.2.2.2 Task 2: Install the Oracle Internet Directory on the Remote Master Sites (RMS) .......

C-5

C.2.2.2.1 If an Existing Master is Used as a Remote Master Site ................................... C-5

C.2.2.3 Task 3: Set Up Advanced Replication for a Directory Replication Group.......... C-6

C.2.2.3.1 On All Nodes, Prepare the Oracle Net Services Environment for Replication....

C-6

C.2.2.3.2 From the MDS, Configure Advanced Replication For Directory Replication......

C-8

C.2.2.4 Task 4 (Optional): Load Data into the Directory..................................................... C-9

C.2.2.5 Task 5: Ensure that Oracle Directory Server Instances are Started on All the Nodes

C-10

C.2.2.6 Task 6: Start the Replication Servers on All Nodes in the DRG ......................... C-10

C.2.2.7 Task 7: Test Directory Replication .......................................................................... C-10

C.2.3 Adding a Node for Advanced Replication-Based Multimaster Replication ........... C-11

C.2.3.1 Prepare the Oracle Net Services Environment ..................................................... C-11

C.2.3.2 Task 1: Stop the Directory Replication Server on All Nodes .............................. C-12

C.2.3.3 Task 2: Identify a Sponsor Node and Install Oracle Internet Directory ............ C-12

C.2.3.4 Task 3: Switch the Sponsor Node to Read-Only Mode........................................ C-12

C.2.3.5 Task 4: Back up the Sponsor Node by Using ldifwrite ........................................ C-12

C.2.3.6 Task 5: Perform Advanced Replication Add Node Setup................................... C-12

C.2.3.7 Task 6: Switch the Sponsor Node to Updatable Mode ........................................ C-13

C.2.3.8 Task 7: Start the Directory Replication Server on All Nodes Except the New Node .

C-13

C.2.3.9 Task 8: Load Data into the New Node by Using bulkload ................................. C-14

C.2.3.10 Task 9: Start the Directory Server on the New Node ........................................... C-14

C.2.3.11 Task 10: Start the Directory Replication Server on the New Node .................... C-14

C.2.4 Deleting a Node from a Multimaster Replication Group........................................... C-14

C.2.4.1 Task 1: Stop the Directory Replication Server on All Nodes .............................. C-15

C.2.4.2 Task 2: Stop All Oracle Internet Directory Processes in the Node to be Deleted........

C-15

C.2.4.3 Task 3: Delete the Node from the Master Definition Site .................................... C-15

C.2.4.4 Task 4: Start the Directory Replication Server on All Nodes .............................. C-15

D How Replication Works

D.1 Features of Oracle Database Advanced Replication-Based Replication ........................... D-1

D.2 Architecture for Oracle Database Advanced Replication-Based Replication ................... D-2

D.3 Architecture of LDAP-Based Replication............................................................................... D-4

D.4 LDAP Replica States.................................................................................................................. D-5

D.5 The Replication Process ............................................................................................................ D-8

D.5.1 How the Multimaster Replication Process Adds a New Entry to a Consumer......... D-8

D.5.2 How the Multimaster Replication Process Deletes an Entry ....................................... D-9

D.5.3 How the Multimaster Replication Process Modifies an Entry..................................... D-9

D.5.4 How the Multimaster Replication Process Modifies a Relative Distinguished Name......

D-10

D.5.5 How the Multimaster Replication Process Modifies a Distinguished Name .......... D-11

xxvii

E Java Server Plug-in Developer's Reference

E.1 Advantages of Java Plug-ins .................................................................................................... E-1

E.2 Setting Up a Java Plug-in.......................................................................................................... E-1

E.3 Java Plug-in API ........................................................................................................................ E-2

E.3.1 Communication Between the Server and Plug-in.......................................................... E-3

E.3.2 Java Plug-in Structure ........................................................................................................ E-3

E.3.3 PluginDetail......................................................................................................................... E-4

E.3.3.1 Server............................................................................................................................. E-4

E.3.3.2 LdapBaseEntry............................................................................................................. E-4

E.3.3.3 LdapOperation............................................................................................................. E-5

E.3.3.3.1 AddLdapOperation.............................................................................................. E-6

E.3.3.3.2 BindLdapOperation ............................................................................................. E-7

E.3.3.3.3 CompareLdapOperation .................................................................................... E-7

E.3.3.3.4 DeleteLdapOperation ......................................................................................... E-7

E.3.3.3.5 ModdnLdapOperation ........................................................................................ E-8

E.3.3.3.6 ModifyLdapOperation ........................................................................................ E-9

E.3.3.3.7 SearchLdapOperation ......................................................................................... E-9

E.3.3.4 PluginFlexfield........................................................................................................... E-10

E.3.4 PluginResult ...................................................................................................................... E-11

E.3.5 ServerPlugin Interface...................................................................................................... E-11

E.3.5.1 ServerPlugin Methods for Ldapbind...................................................................... E-11

E.3.5.2 ServerPlugin Methods for Ldapcompare............................................................... E-12

E.3.5.3 ServerPlugin Methods for Ldapadd ....................................................................... E-12

E.3.5.4 ServerPlugin Methods for Ldapmodify................................................................. E-12

E.3.5.5 ServerPlugin Methods for Ldapmoddn................................................................. E-12

E.3.5.6 ServerPlugin Methods for Ldapsearch................................................................... E-12

E.3.5.7 ServerPlugin Methods for Ldapdelete ................................................................... E-12

E.4 Java Plug-in Error and Exception Handling ........................................................................ E-12

E.4.1 Run-time Exception Example ......................................................................................... E-13

E.4.2 Run-time Error Example.................................................................................................. E-13

E.4.3 PluginException Example ............................................................................................... E-13

E.5 Java Plug-in Debugging and Logging .................................................................................. E-13

E.6 Java Plug-in Examples ............................................................................................................ E-14

E.6.1 Example 1: Password Validation Plug-in...................................................................... E-14

E.6.1.1 Password Validation Plug-in Configuration Entry .............................................. E-15

E.6.1.2 Password Validation Plug-in Code Example ........................................................ E-15

E.6.2 Example 2: External Authentication Plug-in for Active Directory............................ E-16

E.6.2.1 External Authentication Plug-in Configuration Entry......................................... E-16

E.6.2.2 External Authentication Plug-in Code ................................................................... E-16

F PL/SQL Server Plug-in Developer's Reference

F.1 Designing, Creating, and Using PL/SQL Server Plug-ins................................................... F-1

F.1.1 PL/SQLPlug-in Caveats .................................................................................................... F-1

F.1.1.1 Types of PL/SQL Plug-in Operations ...................................................................... F-2

F.1.1.2 Naming PL/SQL Plug-ins.......................................................................................... F-2

F.1.2 Creating PL/SQLPlug-ins ................................................................................................. F-2

xxviii

F.1.2.1 Package Specifications for Plug-in Module Interfaces........................................... F-2

F.1.3 Compiling PL/SQLPlug-ins.............................................................................................. F-4

F.1.3.1 Dependencies .............................................................................................................. F-4

F.1.3.2 Recompiling Plug-ins ................................................................................................. F-4

F.1.4 Managing PL/SQL Plug-ins.............................................................................................. F-4

F.1.4.1 Modifying Plug-ins ..................................................................................................... F-4

F.1.4.2 Debugging Plug-ins .................................................................................................... F-4

F.1.5 Enabling and Disabling PL/SQL Plug-ins...................................................................... F-5

F.1.6 Exception Handling in a PL/SQL Plug-in ...................................................................... F-5

F.1.6.1 Error Handling............................................................................................................. F-5

F.1.6.2 Program Control Handling between Oracle Internet Directory and Plug-ins ... F-5

F.1.7 PL/SQL Plug-in LDAP API .............................................................................................. F-6

F.1.8 PL/SQL Plug-in and Database Tools............................................................................... F-6

F.1.9 PL/SQL Plug-in Security................................................................................................... F-6

F.1.10 PL/SQL Plug-in Debugging ............................................................................................. F-7

F.1.11 PL/SQL Plug-in LDAP API Specifications ..................................................................... F-7

F.1.12 Database Limitations.......................................................................................................... F-8

F.2 Examples of PL/SQL Plug-ins ................................................................................................. F-8

F.2.1 Example 1: Search Query Logging................................................................................... F-8

F.2.2 Example 2: Synchronizing Two DITs ............................................................................ F-10

F.3 Binary Support in the PL/SQLPlug-in Framework............................................................ F-12

F.3.1 Binary Operations with ldapmodify.............................................................................. F-12

F.3.2 Binary Operations with ldapadd.................................................................................... F-14

F.3.3 Binary Operations with ldapcompare ........................................................................... F-16

F.4 Database Object Types Defined ............................................................................................. F-20

F.5 Specifications for PL/SQL Plug-in Procedures ................................................................... F-21

G The LDAP Filter Definition

H The Access Control Directive Format

H.1 Schema for orclACI.................................................................................................................... H-1

H.2 Schema for orclEntryLevelACI ................................................................................................ H-2

I Globalization Support in the Directory

I.1 About Character Sets and the Directory................................................................................... I-1

I.1.1 About Unicode ...................................................................................................................... I-2

I.1.2 About Oracle and UTF-8...................................................................................................... I-2

I.1.3 Migration from UTF8 to AL32UTF8 when Upgrading Oracle Internet Directory ..... I-3

I.2 The NLS_LANG Environment Variable................................................................................... I-3

I.3 Using Non-AL32UTF8 Databases.............................................................................................. I-4

I.4 Using Globalization Support with LDIF Files ......................................................................... I-4

I.4.1 An LDIF file Containing Only ASCII Strings ................................................................... I-4

I.4.2 An LDIF file Containing UTF-8 Encoded Strings ............................................................ I-4

I.4.2.1 CASE 1: Native Strings (Non-UTF-8) ......................................................................... I-5

I.4.2.2 CASE 2: UTF-8 Strings .................................................................................................. I-5

I.4.2.3 CASE 3: BASE64 Encoded UTF-8 Strings .................................................................. I-5

xxix

I.4.2.4 CASE 4: BASE64 Encoded Native Strings.................................................................. I-5

I.5 Using Globalization Support with Command-Line LDAP Tools......................................... I-5

I.5.1 Specifying the -E Argument When Using Each Tool ...................................................... I-6

I.5.2 Examples: Using the -E Argument with Command-Line LDAP Tools........................ I-6

I.6 Setting NLS_LANG in the Client Environment ...................................................................... I-7

I.7 Using Globalization Support with Bulk Tools......................................................................... I-8

I.7.1 Using Globalization Support with bulkload .................................................................... I-8

I.7.2 Using Globalization Support with ldifwrite..................................................................... I-8

I.7.3 Using Globalization Support with bulkdelete.................................................................. I-9

I.7.4 Using Globalization Support with bulkmodify ............................................................... I-9

J Setting up Access Controls for Creation and Search Bases for Users and

Groups

J.1 Setting up Access Controls for the User Search Base and the User Creation Base .......... J-1

J.2 Setting up Access Controls for the Group Search Base and the Group Creation Base..... J-3

K Searching the Directory for User Certificates

K.1 Certificate Mapping................................................................................................................... K-1

K.2 Search Types ............................................................................................................................... K-2

L Adding a Directory Node by Using the Database Copy Procedure

L.1 Definitions.................................................................................................................................... L-1

L.2 Prerequisites ................................................................................................................................ L-1

L.3 Sponsor Directory Site Environment ....................................................................................... L-2

L.4 New Directory Site Environment ............................................................................................. L-2

L.5 Addition of a Directory Node .................................................................................................. L-2

M Oracle Authentication Services for Operating Systems

N RFCs Supported by Oracle Internet Directory

O Managing Oracle Directory Services Manager's Java Key Store

O.1 Introduction to Managing ODSM's Java Key Store .............................................................. O-1

O.2 Retrieving ODSM's Java Key Store Password ....................................................................... O-2

O.3 Listing the Contents of odsm.cer Java Key Store .................................................................. O-2

O.4 Deleting Expired Certificates ................................................................................................... O-3

O.4.1 Determining the Expiration Date of a Certificate .......................................................... O-4

O.4.2 Deleting a Certificate.......................................................................................................... O-4

P Starting and Stopping the Oracle Stack

P.1 Starting the Stack........................................................................................................................ P-1

P.2 Stopping the Stack ..................................................................................................................... P-2

xxx

Q Performing a Rolling Upgrade

Q.1 Prerequisites for Rolling Upgrade........................................................................................... Q-1

Q.2 Rolling Upgrade Instructions................................................................................................... Q-1

Q.3 Rolling Upgrade Example ........................................................................................................ Q-3

R Using the Oracle Internet Directory VM Template

R.1 Installing Operating System, Oracle Database, and Oracle Internet Directory................ R-1

R.2 Installing Oracle Internet Directory Template with an Existing Oracle VM that has Oracle

Database R-2

R.3 Registering Oracle Internet Directory for Oracle Enterprise Manager Fusion Middleware

Control and ODSM Management R-3

R.4 Using the Oracle Internet Directory OVM image in a Non-OVM Environment ............. R-3

R.5 Default Values ............................................................................................................................ R-4

S Troubleshooting Oracle Internet Directory

S.1 Problems and Solutions ............................................................................................................ S-1

S.1.1 Installation Errors ............................................................................................................... S-2

S.1.2 Oracle Database Server Errors.......................................................................................... S-2

S.1.2.1 Oracle Database Server Connection is Down.......................................................... S-2

S.1.2.2 Oracle Database Server Error Due to Interrupted Client Connection................. S-2

S.1.2.3 Oracle Database Server Error Due to Schema Modifications ............................... S-3

S.1.3 Directory Server Error Messages and Causes ................................................................ S-3

S.1.3.1 Inappropriate Authentication Error ......................................................................... S-3

S.1.3.2 Constraint Violation Error Due to Editing a User or Group or Creating a Realm......

S-3

S.1.3.3 Standard Error Messages Returned from Oracle Directory Server...................... S-4

S.1.3.4 Additional Directory Server Error Messages .......................................................... S-5

S.1.4 Getting a Core Dump and Stack Trace When Oracle Internet Directory Crashes .... S-8

S.1.5 TCP/IP Problems................................................................................................................ S-8

S.1.5.1 Do Not Use TCP-Based Monitoring of Server Availability on Windows 2003 Server

S-9

S.1.5.2 Do Not Install DaimondCS Port Explorer ............................................................... S-9

S.1.6 Troubleshooting Password Policies ................................................................................. S-9

S.1.6.1 Password Policy is Not Enforced .............................................................................. S-9

S.1.6.2 Password Policy Error Messages .............................................................................. S-9

S.1.7 Troubleshooting Directory Performance....................................................................... S-10

S.1.7.1 Poor LDAP Search Performance ............................................................................. S-10

S.1.7.2 Poor LDAP Add or Modify Performance .............................................................. S-11

S.1.7.3 Poor Oracle Database Server Performance............................................................ S-11

S.1.8 Troubleshooting Port Configuration ............................................................................. S-12

S.1.9 Troubleshooting Creating Oracle Internet Directory Component with opmnctl ... S-12

S.1.10 Troubleshooting Starting Oracle Internet Directory.................................................... S-12

S.1.10.1 Oracle Internet Directory is Down.......................................................................... S-13

S.1.10.2 Oracle Internet Directory is Read-Only.................................................................. S-14

S.1.11 Troubleshooting Starting, Stopping, and Restarting of the Directory Server.......... S-14

S.1.11.1 About the Tools for Starting, Stopping, and Restarting the Directory Server

Instance S-14

xxxi

S.1.11.2 Problems Starting, Stopping, and Restarting the Directory Server.................... S-16

S.1.11.2.1 OIDCTL or OIDMON fails................................................................................ S-16

S.1.12 Troubleshooting Oracle Internet Directory Replication ............................................. S-18

S.1.12.1 Replication Server Does Not Start........................................................................... S-19

S.1.12.2 Repository Creation Assistant Error....................................................................... S-20

S.1.12.3 Errors in Replication Bootstrap ............................................................................... S-21

S.1.12.4 Changes Are Not Replicated.................................................................................... S-23

S.1.12.5 Replication Stops Working....................................................................................... S-23

S.1.13 Troubleshooting Change Log Garbage Collection ...................................................... S-24

S.1.14 Troubleshooting Dynamic Password Verifiers ............................................................ S-25

S.1.15 Troubleshooting Oracle Internet Directory Password Wallets.................................. S-25

S.1.15.1 Oracle Internet Directory Server Does Not Start .................................................. S-25

S.1.15.2 Password Not Synchronized.................................................................................... S-26

S.1.16 Troubleshooting bulkload ............................................................................................... S-27

S.1.17 Troubleshooting bulkdelete, bulkmodify, and ldifwrite ............................................ S-28

S.1.18 Troubleshooting catalog .................................................................................................. S-28

S.1.19 Troubleshooting remtool................................................................................................. S-28

S.1.20 Troubleshooting Server Chaining .................................................................................. S-29

S.1.21 Viewing Version Information ......................................................................................... S-29

S.1.22 Troubleshooting Fusion Middleware Control and WLST.......................................... S-29

S.1.23 Troubleshooting Oracle Directory Services Manager ................................................. S-30

S.1.23.1 Cannot Invoke ODSM from Fusion Middleware Control .................................. S-30

S.1.23.2 Cannot Invoke ODSM from Fusion Middleware Control in Multiple NIC and

DHCP Enabled Environment S-31

S.1.23.3 Various Failover Issues............................................................................................. S-31

S.1.23.4 ODSM Displays an Error Message.......................................................................... S-32

S.1.23.5 Cursor Loses Focus.................................................................................................... S-33

S.2 Need More Help?..................................................................................................................... S-33

Index

xxxii

xxxiii

List of Figures

1–1 Oracle Internet Directory Overview ........................................................................................ 1-5

3–1 A Typical Oracle Internet Directory Node.............................................................................. 3-2

3–2 Oracle Directory Server Instance Architecture....................................................................... 3-4

3–3 A Directory Information Tree ................................................................................................... 3-7

3–4 Attributes of the Entry for Anne Smith ................................................................................... 3-9

3–5 Correct and Incorrect Naming Contexts............................................................................... 3-14

3–6 A Partitioned Directory........................................................................................................... 3-17

3–7 Using Knowledge References to Point to Naming Contexts............................................. 3-18

3–8 Placement of Resource Access and Resource Type Information in the DIT ................... 3-25

4–1 Oracle Internet Directory Process Control .............................................................................. 4-2

5–1 Planning the Directory Information Tree................................................................................ 5-2

6–1 A Replicated Directory............................................................................................................... 6-1

6–2 Example of Partial Replication.................................................................................................. 6-3

6–3 Example of Single-Master Replication..................................................................................... 6-5

6–4 Example of Multimaster Replication ....................................................................................... 6-5

6–5 Example of Fan-Out Replication............................................................................................... 6-6

6–6 Example of Multimaster Replication with Fan-Out............................................................... 6-8

8–1 DIT Showing Two Instance-Specific Configuration Entries................................................. 8-2

8–2 Oracle Internet Directory Process Control .............................................................................. 8-3

17–1 Alias Entries Example ............................................................................................................. 17-2

17–2 Resulting Tree when Creating the My_file.ldif ................................................................... 17-3

18–1 Example of a Directory Information Tree ............................................................................ 18-4

20–1 Location of Schema Components in Entries of Type subSchemaSubentry..................... 20-2

24–1 Architecture of Oracle Internet Directory Server Manageability...................................... 24-3

28–1 Location of Password Policy Entries..................................................................................... 28-3

28–2 pwdPolicy subentry Attributes Populated with DN of Password Policy....................... 28-3

30–1 Location of the Password Verifier Profile Entry ................................................................. 30-5

30–2 Authentication Model ............................................................................................................. 30-7

30–3 How Password Verification Works....................................................................................... 30-9

31–1 Delegation Flow in an Oracle Fusion Middleware Environment..................................... 31-2

32–1 Indirect Authentication........................................................................................................... 32-3

33–1 Example of an Identity Management Realm ....................................................................... 33-3

33–2 Enterprise Use Case: Single Identity Management Realm ................................................ 33-4

33–3 Enterprise Use Case: Multiple Identity Management Realms .......................................... 33-4

33–4 Hosted Deployment Use Case ............................................................................................... 33-5

33–5 Default Identity Management Realm.................................................................................... 33-6

35–1 Example: Garbage Collection of Change Log Entries......................................................... 35-4

35–2 Garbage Collection Entries in the DIT .................................................................................. 35-5

36–1 Using an LDIF File and bulkload .......................................................................................... 36-2

36–2 Using syncProfileBootstrap Directly..................................................................................... 36-5

36–3 Using an LDIF File and syncProfileBootstrap ..................................................................... 36-5

36–4 Using syncProfileBootstrap, bulkload, and LDIF Files ...................................................... 36-6

36–5 Using the Oracle Directory Integration Server.................................................................... 36-6

36–6 Structure of the Intermediate User File ................................................................................ 36-8

39–1 A Sample Naming Context..................................................................................................... 39-8

39–2 Naming Context Object #1...................................................................................................... 39-9

39–3 Naming Context Object #2.................................................................................................... 39-10

39–4 Result of Combining Naming Context Objects #1 and #2................................................ 39-10

39–5 Naming Context Object #3.................................................................................................... 39-11

39–6 Naming Context Object #4.................................................................................................... 39-11

39–7 Result of Combining Naming Context Objects #3 and #4................................................ 39-12

39–8 Naming Context Object #5.................................................................................................... 39-14

39–9 Naming Context Object #6.................................................................................................... 39-14

39–10 Naming Context Object #7.................................................................................................... 39-15

xxxiv

39–11 Example of Fan-Out Replication.......................................................................................... 39-31

40–1 Replication Failover Scenario................................................................................................. 40-2

40–2 Consumer and New Supplier Connected to Old Supplier by LDAP............................... 40-3

40–3 Old and New Suppliers in the Same Advanced Replication Group................................ 40-3

40–4 Failover Preserving Replica Type.......................................................................................... 40-4

40–5 Compare and Reconcile All Connected Replicas ................................................................ 40-5

41–1 Example: Multimaster Replication and Fan-Out Replication ......................................... 41-10

41–2 Example: Replication Configuration Entries for Node C................................................. 41-11

41–3 Example: Replication Configuration Entries for Node D ............................................... 41-12

44–1 Oracle Internet Directory Plug-in Framework .................................................................... 44-2

B–1 A Component with Two Instances.......................................................................................... B-2

C–1 Example of a Naming Context Container and Its Objects ................................................... C-2

D–1 Advanced Replication Process................................................................................................. D-2

D–2 LDAP Replication Process........................................................................................................ D-4

E–1 Communication Between the Server and the Java Plug-in.................................................. E-3

xxxv

List of Tables

1–1 Comparison of Online Directories and Relational Databases............................................. 1-2

3–1 An Oracle Internet Directory Node......................................................................................... 3-3

3–2 Attributes Created with Each New Entry ........................................................................... 3-10

3–3 Common LDAP Attributes.................................................................................................... 3-10

4–1 Process Control Items in the ODS_PROCESS_STATUS Table............................................ 4-3

6–1 Full or Partial Replication ......................................................................................................... 6-3

6–2 Direction of Replication ............................................................................................................ 6-3

6–3 Transport Protocols ................................................................................................................... 6-4

6–4 Types of Directory Replication Groups .................................................................................. 6-4

6–5 Types of Data Transfer Between Nodes in a Directory Replication Group ...................... 6-7

7–1 Using the Oracle Internet Directory Menu............................................................................. 7-5

8–1 Attribute Changes Requiring Update of Component Registration.................................... 8-8

9–1 Attributes of the Instance-Specific Configuration Entry...................................................... 9-3

9–2 Attributes in the DSA Configuration Entry ........................................................................... 9-9

9–3 Attributes of the DSE.............................................................................................................. 9-12

9–4 Configuration Attributes on Server Properties Page, General Tab. ................................ 9-12

9–5 Configuration Attributes on Server Properties Page, Performance Tab......................... 9-13

9–6 Configuration Attributes on Shared Properties Page, General Tab ................................ 9-14

9–7 Oracle Internet Directory-Related MBeans ......................................................................... 9-16

12–1 Configuration Attributes on Shared Properties, Change Superuser Password Tab..... 12-5

14–1 orclDynamicGroup Attributes for "Connect By" Assertions............................................ 14-5

14–2 Static and Dynamic Group Considerations ........................................................................ 14-8

17–1 Flags for Searching the Directory with Alias Entries......................................................... 17-3

17–2 Entry Alias Dereferencing Messages ................................................................................... 17-6

18–1 Attribute Uniqueness Constraint Entry............................................................................... 18-2

20–1 Attribute Aliases Used in Examples................................................................................... 20-24

20–2 Content Rule Parameters ..................................................................................................... 20-27

22–1 Oracle Internet Directory Audit Configuration Attributes............................................... 22-2

22–2 Audit Configuration Attributes in Fusion Middleware Control ..................................... 22-4

23–1 Oracle Internet Directory Log File Locations...................................................................... 23-1

23–2 Configuration Attributes on Server Properties Page, Logging Tab ................................ 23-5

23–3 Values for OrclDebugFlag ..................................................................................................... 23-7

23–4 Debug Operations................................................................................................................... 23-7

24–1 Components of Oracle Internet Directory Server Manageability.................................... 24-3

24–2 Configuration Attributes on Server Properties Page, Statistics Tab................................ 24-5

24–3 Values of orcloptracklevel ..................................................................................................... 24-8

24–4 Metrics Recorded by Each orcloptracklevel Value ............................................................ 24-9

24–5 Event Levels............................................................................................................................. 24-9

26–1 SSL Cipher Suites Supported in Oracle Internet Directory .............................................. 26-2

26–2 SSL Authentication Modes .................................................................................................... 26-3

26–3 SSL-Related Attributes in Fusion Middleware Control .................................................... 26-8

26–4 SSL Attributes........................................................................................................................ 26-11

27–1 Sensitive Attributes Stored in orclencryptedattributes ..................................................... 27-6

27–2 LDAP and Bulk Operations on Attributes in orclhashedattributes ................................ 27-7

28–1 Password Policy Attributes ................................................................................................... 28-5

28–2 Password Policy-Related Operational Attributes .............................................................. 28-7

29–1 Sample Security Groups......................................................................................................... 29-6

29–2 Types of Access ..................................................................................................................... 29-10

29–3 LDAP Operations and Access Needed to Perform Each One ........................................ 29-11

29–4 Attribute States During ACL Evaluation .......................................................................... 29-12

29–5 DNs Used in Example .......................................................................................................... 29-25

30–1 Attributes for Storing Password Verifiers in User Entries................................................ 30-5

31–1 Default Privileges Granted to Everyone and to Each User............................................... 31-3

xxxvi

31–2 Privileges for Administering the Oracle Technology Stack.............................................. 31-4

31–3 Characteristics of the Subscriber DAS Create User Group............................................... 31-5

31–4 Characteristics of the Subscriber DAS Edit User Group................................................... 31-6

31–5 Characteristics of the DAS Delete User Group................................................................... 31-6

31–6 Characteristics of the User Privilege Assignment Group ................................................. 31-6

31–7 Characteristics of the Group Creation Group..................................................................... 31-7

31–8 Characteristics of the Group Edit Group............................................................................. 31-7

31–9 Characteristics of the Group Delete Group......................................................................... 31-8

31–10 Characteristics of the Group Privilege Assignment Group.............................................. 31-8

31–11 Characteristics of the Oracle Application Server Administrators Group....................... 31-9

31–12 Characteristics of the User Management Application Administrators Group............ 31-10

31–13 Characteristics of the Trusted Application Administrators Group............................... 31-10

31–14 Characteristics of the User Security Administrators Group........................................... 31-12

31–15 Characteristics of the Authentication Services Group..................................................... 31-12

31–16 Characteristics of the Verifier Services Group.................................................................. 31-12

31–17 Characteristics of the User Proxy Privilege Group .......................................................... 31-13

31–18 Characteristics of the Oracle Context Administrators Group........................................ 31-13

31–19 Characteristics of the Common User Attributes Group.................................................. 31-13

31–20 Characteristics of the Common Group Attributes Group .............................................. 31-14

31–21 Characteristics of the Service Registry Viewers Group................................................... 31-14

31–22 Characteristics of the Common Group Attributes Group .............................................. 31-14

32–1 Configuration Attributes on Server Properties, SASL Tab............................................... 32-6

32–2 SASL Authentication Attributes........................................................................................... 32-7

32–3 SASL Authentication Modes ................................................................................................. 32-7

32–4 Orclanonymousbindsflag Value and Directory Server Behavior .................................... 32-8

33–1 Oracle Identity Management Objects................................................................................... 33-5

33–2 Customizing the Default Identity Management Realm .................................................... 33-8

36–1 Features of bulkload and syncProfileBootstrap ................................................................. 36-2

36–2 Mandatory Attributes in a User Entry................................................................................. 36-9

37–1 Configuration Entry Attributes for Server Chaining......................................................... 37-6

37–2 Default Attribute Mapping to Active Directory................................................................. 37-8

37–3 Default Attribute Mapping to Sun Java System Directory Server................................... 37-9

37–4 Default Attribute Mapping to Novell eDirectory .............................................................. 37-9

38–1 Masking Configuration Attributes....................................................................................... 38-1

39–1 Data Migration Using ldifwrite/bulkload versus Automatic Bootstrapping.............. 39-18

39–2 Command-line Parameters to OIDUpgradePasswordPolicies ...................................... 39-29

39–3 Nodes in Example of Partial Replication Deployment.................................................... 39-30

41–1 Attributes of the Replica Subentry ....................................................................................... 41-2

41–2 Attributes of the Replication Agreement Entry.................................................................. 41-3

41–3 Attributes of the Replication Naming Context Entry........................................................ 41-7

41–4 Replication Configuration Set Attributes............................................................................ 41-8

41–5 Configuration Attributes on Shared Properties, Replication Tab.................................. 41-13

41–6 Replication Schedule Attributes ......................................................................................... 41-13

42–1 Configuration Attributes Controlling Worker Threads.................................................... 42-2

42–2 Types of Replication Conflict ................................................................................................ 42-5

42–3 Properties on the Change Log Page .................................................................................... 42-8

42–4 Replication Configset Attributes on Shared Properties, Replication Tab..................... 42-11

42–5 Replication Server Status Attributes on Shared Properties, Replication Tab .............. 42-12

42–6 Replica Details on Shared Properties, Replication Tab ................................................... 42-13

42–7 Important Attributes in the Change Log........................................................................... 42-16

42–8 Replica Subentry Attributes ................................................................................................ 42-16

42–9 Replication Agreement Options ......................................................................................... 42-18

42–10 Replication Configuration Attributes ................................................................................ 42-21

42–11 Replication Debug Levels .................................................................................................... 42-22

42–12 Conflict Resolution Messages ............................................................................................. 42-23

xxxvii

44–1 Plug-in Configuration Objects and Attributes.................................................................... 44-6

A–1 New Locations of 10g Attributes ............................................................................................ A-4

A–2 Some Path Names that Changed ............................................................................................ A-7

D–1 LDAP Replica States................................................................................................................. D-6

E–1 Plug-in Names and Corresponding Paths............................................................................. E-2

E–2 The Meaning of the DN Information for Each LDAP Operation....................................... E-5

E–3 Behavior of Operation Result Code........................................................................................ E-5

E–4 Subclasses of LdapOperation and Class-specific information. .......................................... E-6

E–5 Behavior of LdapEntry Information for Each Plug-in Timing ........................................... E-6

E–6 Behavior of the AttributeName for Each Plug-in Timing................................................... E-7

E–7 Behavior of the Attribute Value for Each Plug-in Timing .................................................. E-7

E–8 Behavior of the Delete DN for Each Plug-in Timing ........................................................... E-8

E–9 Behavior of New Parent DN Information for Each Plug-in Timing.................................. E-8

E–10 Behavior of New Relative Dn Information for Each Plug-in Timing................................ E-8

E–11 Behavior of Delete Old RDN Information for Each Plug-in Timing ................................. E-9

E–12 Behavior of LdapModification Information for Each Plug-in Timing .............................. E-9

E–13 Behavior of the Required Attributes for Each Plug-in Timing........................................... E-9

E–14 Behavior of the Scope for Each Plug-in Timing.................................................................. E-10

E–15 Behavior of the SearchResultSet for Each Plug-in Timing................................................ E-10

E–16 Debug Levels for Java Plug-in Logging............................................................................... E-14

F–1 Plug-in Module Interface......................................................................................................... F-2

F–2 Operation-Based and Attribute-Based Plug-in Procedure Signatures.............................. F-2

F–3 Valid Values for the plug-in Return Code ............................................................................ F-5

F–4 Program Control Handling when a Plug-in Exception Occurs ......................................... F-5

F–5 Program Control Handling when an LDAP Operation Fails............................................. F-6

I–1 Unicode Implementations ......................................................................................................... I-2

I–2 Components of the NLS_LANG Parameter............................................................................ I-3

I–3 Examples: Using the -E Argument with Command-Line Tools .......................................... I-7

N–1 Supported RFCs ........................................................................................................................ N-1

S–1 Standard Error Messages......................................................................................................... S-4

S–2 Additional Error Messages...................................................................................................... S-6

S–3 Password Policy Violation Error Messages........................................................................... S-9

S–4 Error Messages for Dynamic Password Verifiers .............................................................. S-25

xxxviii

xxxix

Preface

Welcome to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Audience

This document is intended for anyone who performs administration tasks for the

Oracle Internet Directory. You should be familiar with either the UNIX operating

system or the Microsoft Windows operating system to understand the line-mode

commands and examples. You can perform all of the tasks through the command line

utilities, and you can perform most of the tasks through Oracle Directory Services

Manager and Oracle Enterprise Manager Fusion Middleware Control, which are

operating system-independent.

To use this document, you need some familiarity with the Lightweight Directory

Access Protocol (LDAP).

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle

Accessibility Program website at

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For

information, visit

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are

hearing impaired.

See Also:

■Chapter 2, "Understanding Oracle Internet Directory in Oracle

Fusion Middleware"

■Oracle Fusion Middleware Concepts

See Also: Chapter 7, "Getting Started With Oracle Internet

Directory"

See Also: Chapter 7, "Getting Started With Oracle Internet

Directory"

xlvi

Oracle Single Sign-On, however, you still must use Oracle Database Advanced

Replication-based replication.

■Improved Replication Manageability: You can set up and manage LDAP-based

replication by using the replication wizard in Oracle Enterprise Manager Fusion

Middleware Control. A separate Replication page enables you to adjust attributes

that control the replication server.

■Sizing and Tuning Wizard: You can obtain recommendations for tuning and

sizing by running the Sizing and Tuning wizard in Oracle Enterprise Manager

Fusion Middleware Control.

■Integration with Common Auditing Infrastructure: Oracle Internet Directory is

now integrated with the Oracle Fusion Middleware common audit framework.

You can configure auditing from the command line or by using Oracle Enterprise

Manager Fusion Middleware Control.

■Improvements to Referential Integrity: Referential Integrity has been completely

reimplemented. You can configure it from the command line or by using Oracle

Enterprise Manager Fusion Middleware Control.

■Updates to Password Policy Controls and Error Messages: New controls and

error messages were added to the LDAP API.

■Configuration Parameter Changes: Most configuration attributes for the LDAP

server now reside in two entries. Instance-specific attributes are in the

instance-specific configuration entry and shared attributes are in the DSA

Configuration entry. You can manage most of these from the command line or by

using Oracle Enterprise Manager Fusion Middleware Control or Oracle Directory

Services Manager.

■Improvements to Attribute and Entry Alias Support: Oracle Internet Directory

now supports several different options for dereferencing aliases in a search.

See Also: Chapter 6, "Understanding Oracle Internet Directory

Replication"

See Also: Part V, "Advanced Administration: Directory Replication"

See Also: The Oracle Internet Directory chapter in Oracle Fusion

Middleware Performance and Tuning Guide.

See Also: Chapter 22, "Managing Auditing"

See Also: Chapter 21, "Configuring Referential Integrity"

See Also:

■"Password Policies" in the "Extensions to the LDAP Protocol"

chapter in Oracle Fusion Middleware Application Developer's Guide

for Oracle Identity Management

■Chapter 28, "Managing Password Policies"

See Also: Chapter 9, "Managing System Configuration Attributes"

xlvii

■Extensible Matching in Search Filters: Oracle Internet Directory now supports

search filters of the form: attr:dn:=value. With this filter, dn attributes are

considered part of the entry for search purposes. Oracle Internet Directory does

not support extensible matching using matching rules specified in the filter.

While Oracle Internet Directory supports extensible filters, ldapsearch and the

Oracle LDAP API do not. You must use a different API, such as JNDI, to use this

type of filter.

■Support for Oracle Single Sign-On and Oracle Delegated Administration

Services 10g (10.1.4.3.0) or later: Oracle Fusion Middleware 11g Release 1 (11.1.1)

does not include Oracle Single Sign-On or Oracle Delegated Administration

Services. Oracle Internet Directory 11g Release 1 (11.1.1), however, is compatible

with Oracle Single Sign-On and Oracle Delegated Administration Services 10g

(10.1.4.3.0) or later.

New Features Introduced with Oracle Internet Directory 10g (10.1.4.1)

■Links to Procedural Information: This document contains a table of links to

important tasks.

■Identity Management Grid Control Plug-in: This new interface enables you to

monitor and manage Oracle Internet Directory, Oracle Single Sign-On, Oracle

Delegated Administration Services, and Oracle Directory Integration Platform,

using the features of the Oracle Enterprise Manager 10g Grid Control Console.

■Improved Bulk Tools: The following bulk tools have been converted into C

executables:

–bulkload

–bulkmodify

–bulkdelete

–catalog

–ldifwrite

Examples and descriptions in this document and in Oracle Fusion Middleware

Reference for Oracle Identity Management have been updated to reflect the new

features of these tools.

■Application-Specific Schema Containers: A product that adds schema to Oracle

Internet Directory can have its own subSchemaSubentry under

cn=subSchemaSubentry.

See Also: Chapter 17, "Managing Alias Entries"

See Also: "Developing Applications with Standard LDAP APIs" in

Oracle Fusion Middleware Application Developer's Guide for Oracle

Identity Management

See Also:

Chapter 15, "Performing Bulk Operations"

The chapter on Oracle Internet Directory server administration tools in Oracle

Fusion Middleware Reference for Oracle Identity Management

xlviii

■Support for Attribute Aliases: You can create user-friendly aliases for attribute

names.

■Caching of Dynamic Groups: Dynamic group members are computed when the

dynamic group is added, and the member list is kept consistent when the dynamic

group is later modified.

■Optimizing Searches for Large Group Entries: There is an additional technique

for optimizing searches by increasing the size of the entry cache instead of

disabling the entry cache.

■Referential Integrity: If you enable Referential Integrity, whenever you update an

entry in the directory, the server also updates other entries that refer to that entry.

■New Monitoring Capabilities for Server Manageability: You can enable

additional health statistics, user statistics, and security events tracking.

■New Password Policy Features: You can apply a password policy to any subtree,

or even a single entry. There are also more password policy attributes to choose

from.

■Server Chaining: This feature enables you to map entries that reside in third party

LDAP directories to part of the directory tree and access them through Oracle

Internet Directory, without synchronization or data migration.

■Paging and Sorting of LDAP Search Results: The ldapsearch command now

has a -T option for sorting and a -j option for paging.

See Also: "Introduction to Managing Directory Schema" in

Chapter 20, "Managing Directory Schema"

See Also: "Understanding Attribute Aliases" in Chapter 20,

"Managing Directory Schema"

See Also: "Dynamic Groups" in Chapter 14, "Managing Dynamic

and Static Groups"

See Also: The Oracle Internet Directory chapter in Oracle Fusion

Middleware Performance and Tuning Guide.

See Also: Chapter 21, "Configuring Referential Integrity"

See Also: Chapter 24, "Monitoring Oracle Internet Directory"

See Also: Chapter 28, "Managing Password Policies"

See Also: Chapter 37, "Configuring Server Chaining"

See Also:

The ldapsearch command-line reference in Oracle Fusion Middleware

Reference for Oracle Identity Management

The chapter on extensions to the LDAP protocol in Oracle Fusion Middleware

Application Developer's Guide for Oracle Identity Management

xlix

■New Replication Features: Oracle Internet Directory Replication has been

enhanced with the following features:

– Two-way LDAP-Based Replication: This feature enables you to deploy

fan-out replication groups where replication flows in both directions and

updates at any node are replicated to the whole group.

– Replication Failover: Failover of LDAP replicas from one supplier to another

is supported, with administrator intervention.

– Oracle Internet Directory Comparison and Reconciliation Tool: A new

oidcmprec command, with improved functionality, replaces the old

oidreconcile tool.

■Java Server Plug-ins: The Oracle Internet Directory Plug-in Framework now

supports plug-ins written in Java and in PL/SQL.

New Features Introduced with Oracle Internet Directory 10g Release 2

(10.1.2)

■Improved integration with other components: New features provide better

integration with components such as Oracle Collaboration Suite. These features

include service-to-service authentication, the service registry, and verifier

generation using dynamic parameters.

See Also:

Chapter 39, "Setting Up Replication"

Chapter 42, "Managing and Monitoring Replication"

The oidcmprec command-line tool reference in Oracle Fusion Middleware

Reference for Oracle Identity Management

See Also: Chapter 44, "Developing Plug-ins for the Oracle Internet

Directory Server"

Notes:

The following chapters have been moved to Oracle Fusion Middleware

High Availability Guide:

■"High Availability And Failover Considerations"

■"Oracle Application Server Cluster (Identity Management)

Configurations"

■"Oracle Application Server Cold Failover Cluster (Identity

Management)"

■"The Directory in an Oracle Real Application Clusters

Environment"

The following appendixes have been rewritten as chapters in Oracle

Fusion Middleware Reference for Oracle Identity Management:

■"Syntax for LDIF and Command-Line Tools"

■"Oracle Internet Directory Schema Elements"

■Support for Certificate Matching Rule: External authentication using certificates

can now take either of two forms: an exact match, in which the subject DN of the

client certificate is used to authenticate the user, or a certificate hash, in which the

client certificate is hashed and is then compared with a certificate hash stored in

the directory.

■Ease of deployment for Replication: Replication is now much easier to install,

configure, and manage.

■Ease of deployment for Clusters: Cluster configurations are now much easier to

install, configure, and manage.

■Enforcing access control for Oracle Internet Directory superuser: The superuser

is now subject to access control policies like any other user. New ACL keywords

allow you to restrict superuser access through privileged groups.

■Oracle Internet Directory Server Diagnostic Tool: The OID Diagnostic Tool

collects diagnostic information that helps triage issues reported on Oracle Internet

Directory.

See Also:

■"The Service Registry and Service to Service Authentication" on

page 3-20

■"Introduction to Generating Ver i fiers by Using Dyna mic

Parameters" on page 30-10

See Also: "Direct Authentication" on page 32-1

See Also:

Chapter 39, "Setting Up Replication"

See Also: Chapter 29, "Managing Directory Access Control"

See Also: The oiddiag command-line tool reference in Oracle

Fusion Middleware Reference for Oracle Identity Management

Part I

Part I Understanding Directory Services

Part I explains what Oracle Internet Directory is and some of the concepts you must

know before using it. It contains these chapters:

■Chapter 1, "Introduction to Directory Services"

■Chapter 2, "Understanding Oracle Internet Directory in Oracle Fusion

Middleware"

■Chapter 3, "Understanding Oracle Internet Directory Concepts and Architecture"

■Chapter 4, "Understanding Process Control of Oracle Internet Directory

Components"

■Chapter 5, "Understanding Oracle Internet Directory Organization"

■Chapter 6, "Understanding Oracle Internet Directory Replication"

Introduction to Directory Services 1-1

1Introduction to Directory Services

This chapter introduces online directories, provides an overview of the Lightweight

Directory Application Protocol (LDAP) version 3, and explains some of the unique

features and benefits of Oracle Internet Directory.

This chapter contains these topics:

■Section 1.1, "What Is a Directory?"

■Section 1.2, "What Is the Lightweight Directory Access Protocol (LDAP)?"

■Section 1.3, "What Is Oracle Internet Directory?"

■Section 1.4, "How Oracle Products Use Oracle Internet Directory"

1.1 What Is a Directory?

A directory is a hierarchically organized collection of entries with similar attributes.

Directories list resources—for example, people, books in a library, or merchandise in a

department store—and give details about each one. A directory can be either

offline—for example, a telephone book or a department store catalog—or online.

Online directories are used by enterprises with distributed computer systems for fast

searches, management of users and security, and integration of multiple applications

and services. Online directories have become critical to e-businesses and hosted

environments.

This section contains these topics:

■Section 1.1.1, "The Expanding Role of Online Directories"

■Section 1.1.2, "The Problem: Too Many Special-Purpose Directories"

1.1.1 The Expanding Role of Online Directories

An online directory is a specialized database that stores and retrieves collections of

information about objects. Such information can represent any resources that require

management: employee names, titles, and security credentials; information about

partners; or information about shared network resources such as conference rooms

and printers.

Online directories can be used by a variety of users and applications, and for a variety

of purposes, including:

■An employee searching for corporate white page information, and, through a mail

client, looking up e-mail addresses

■An application, such as a message transport agent, locating a user's mail server

What Is a Directory?

1-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■A database application identifying role information for a user

Although an online directory is a database—that is, a structured collection of data—it

is not a relational database. The following table contrasts online directories with

relational databases.

1.1.2 The Problem: Too Many Special-Purpose Directories

In the past, some large companies had more than a hundred different directories, each

designated for a special purpose. In addition, some applications had their own

additional directories of user names.

Managing so many special purpose directories caused several problems, including:

■High cost of administration: Administrators had to maintain essentially the same

information in many different places. For example, when an enterprise hired a

new employee, administrators created a new user identity on the network, created

a new e-mail account, added the user to the human-resources database, and set up

all applications that the employee might need—for example, user accounts on

development, testing, and production database systems. Later, if the employee left

the company, administrators had to reverse the process to disable all these user

accounts.

■Inconsistent data: Because of the large administrative overhead, it was difficult for

multiple administrators, entering redundant information in multiple systems, to

synchronize this employee information across all systems. The result was

inconsistent data across the enterprise.

Table 1–1 Comparison of Online Directories and Relational Databases

Online Directories Relational Databases

Designed to handle relatively simple

transactions on relatively small units of data.

For example, an application might use a

directory simply to store and retrieve an

e-mail address, a telephone number, or a

digital portrait.

Designed to handle large and diverse

transactions using many operations on large

units of data.

Designed to be location-independent.

Directory-enabled applications expect, at all

times, to see the same information throughout

the deployment environment—regardless of

which server they are querying. If a queried

server does not store the information locally,

then it must either retrieve the information or

point the client application to it transparently.

Typically designed to be location-specific.

While a relational database can be distributed,

it usually resides on a particular database

server.

Designed to store information in entries.

These entries might represent any resource

customers want to manage: employees,

e-commerce partners, conference rooms, or

shared network resources such as printers.

Associated with each entry are several

attributes, each of which may have one or

more values assigned. For example, typical

attributes for a person entry might include

first and last names, e-mail addresses, the

address of a preferred mail server, passwords

or other login credentials, or a digitized

portrait.

Designed to store information as rows in

relational tables.

What Is the Lightweight Directory Access Protocol (LDAP)?

Introduction to Directory Services 1-3

■Security issues: Each separate directory had its own password policy—which

means that a user had to learn a variety of user names and passwords, each for a

different system.

Today's enterprises need a more general purpose directory infrastructure, one based

on a common standard for supporting a wide variety of applications and services.

1.2 What Is the Lightweight Directory Access Protocol (LDAP)?

LDAP is a standard, extensible directory access protocol that directory clients and

servers use to communicate.

This section contains these topics:

■Section 1.2.1, "LDAP and Simplified Directory Management"

■Section 1.2.2, "LDAP Version 3"

1.2.1 LDAP and Simplified Directory Management

LDAP was conceived as an Internet-ready, lightweight implementation of the

International Standardization Organization (ISO) X.500 standard for directory

services. It requires a minimal amount of networking software on the client side,

which makes it particularly attractive for Internet-based, thin client applications.

The LDAP standard simplifies management of directory information in three ways:

■It provides all users and applications in the enterprise with a single, well-defined,

standard interface to a single, extensible directory service. This makes it easier to

rapidly develop and deploy directory-enabled applications.

■It reduces the need to enter and coordinate redundant information in multiple

services scattered across the enterprise.

■Its well-defined protocol and array of programmatic interfaces make it more

practical to deploy Internet-ready applications that leverage the directory.

1.2.2 LDAP Version 3

The most recent version of LDAP, Version 3, was approved as a proposed Internet

Standard by the Internet Engineering Task Force (IETF) in December 1997. LDAP

Version 3 improves on LDAP Version 2 in several important areas:

■Globalization Support: LDAP Version 3 allows servers and clients to support

characters used in every language in the world.

■Knowledge references (also called referrals): LDAP Version 3 implements a

referral mechanism that allows servers to return references to other servers as a

result of a directory query. This makes it possible to distribute directories globally

by partitioning a directory information tree (DIT) across multiple LDAP servers.

■Security: LDAP Version 3 adds a standard mechanism for supporting Simple

Authentication and Security Layer (SASL), providing a comprehensive and

extensible framework for data security.

■Extensibility: LDAP Version 3 enables vendors to extend existing LDAP

operations by using mechanisms called controls. These are extra pieces of

information carried along with existing operations, altering the behavior of the

operation. When a client application passes a control along with the standard

LDAP command, the behavior of the commanded operation is altered accordingly.

What Is Oracle Internet Directory?

1-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

For example, when a client wants to modify meta-information hidden in the

directory, it can send the manageDSAIT control along with the LDAP command.

■Feature and schema discovery: LDAP Version 3 enables publishing information

useful to other LDAP servers and clients, such as the supported LDAP protocols

and a description of the directory schema.

1.3 What Is Oracle Internet Directory?

Oracle Internet Directory is a general purpose directory service that enables fast

retrieval and centralized management of information about dispersed users and

network resources. It combines Lightweight Directory Access Protocol (LDAP)

Version 3 with the high performance, scalability, robustness, and availability of an

Oracle Database.

This section contains these topics:

■Section 1.3.1, "Overview of Oracle Internet Directory"

■Section 1.3.2, "Components of Oracle Internet Directory"

■Section 1.3.3, "Advantages of Oracle Internet Directory"

1.3.1 Overview of Oracle Internet Directory

Oracle Internet Directory runs as an application on an Oracle Database. It

communicates with the database by using Oracle Net Services, Oracle's operating

system-independent database connectivity solution. The database may or may not be

on the same host. Figure 1–1 illustrates this relationship.

See Also:

■RFCs (Requests for Comments) 2251-2256 of the IETF, available

at: http://www.ietf.org

■Appendix N, "RFCs Supported by Oracle Internet Directory"

■"Related Documents" on page -xxxix for an additional list of

resources on LDAP

■Chapter 3, "Understanding Oracle Internet Directory Concepts

and Architecture" for a conceptual discussion of directory

information trees and knowledge references

■"About LDAP Controls" in Oracle Fusion Middleware Reference

for Oracle Identity Management for a list and description of

controls supported by Oracle Internet Directory

What Is Oracle Internet Directory?

Introduction to Directory Services 1-5

Figure 1–1 Oracle Internet Directory Overview

1.3.2 Components of Oracle Internet Directory

Oracle Internet Directory includes:

■Oracle directory server, which responds to client requests for information about

people and resources, and to updates of that information, by using a multitiered

architecture directly over TCP/IP

■Oracle directory replication server, which replicates LDAP data between Oracle

directory servers

■Directory administration tools, which include:

–The Oracle Internet Directory pages in Oracle Enterprise Manager Fusion

Middleware Control

–Oracle Directory Services Manager

–Command-line administration and data management tools

■Oracle Internet Directory Software Developer's Kit

1.3.3 Advantages of Oracle Internet Directory

Among its more significant benefits, Oracle Internet Directory provides scalability,

high availability, security, and tight integration with the Oracle environment.

See Also: Oracle Fusion Middleware Application Developer's Guide for

Oracle Identity Management for information about the Oracle Internet

Directory Software Developer's Kit

Oracle

Directory

Server

Oracle

Database

Oracle Net

Connections

LDAP Clients

Directory

Administration

LDAP over SSL

How Oracle Products Use Oracle Internet Directory

1-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

1.3.3.1 Scalability

Oracle Internet Directory exploits the strengths of an Oracle Database, enabling

support for terabytes of directory information. In addition, such technologies as

shared LDAP servers and database connection pooling enable it to support thousands

of concurrent clients with subsecond search response times.

Oracle Internet Directory has a multi-threaded, multi-process and multi-instance

physical architecture. This brings great flexibility to deployment options. Oracle

Internet Directory can scale with a very high number of CPUs on SMP or NUMA

hardware. With Oracle RAC database and the Oracle Internet Directory cluster

configuration, you can deploy a single directory on multiple hardware nodes for

horizontal scalability.

Oracle Internet Directory also provides data management tools, such as Oracle

Directory Services Manager and a variety of command-line tools, for manipulating

large volumes of LDAP data.

1.3.3.2 High Availability

Oracle Internet Directory offers the most comprehensive high availability

configurations. Directory replication, active/passive cluster configuration,

active/active cluster configuration with Oracle RAC Database, and Disaster Recovery

configurations with Oracle Data Guard.

Oracle Internet Directory also takes advantage of all the availability features of the

Oracle Database. Because directory information is stored securely in the Oracle

Database, it is protected by Oracle's backup capabilities. Additionally, the Oracle

Database, running with large data stores and heavy loads, can recover from system

failures quickly.

1.3.3.3 Security

Oracle Internet Directory offers comprehensive and flexible access control. An

administrator can grant or restrict access to a specific directory object or to an entire

directory subtree. Moreover, Oracle Internet Directory implements three levels of user

authentication: anonymous, password-based, and certificate-based using Secure

Sockets Layer (SSL) Version 3 for authenticated access and data privacy.

With Oracle Database Vault, Oracle Internet Directory can restrict administrators and

privileged users from accessing Directory data. With Oracle Transparent Data

Encryption, Oracle Internet Directory can ensure protection of data on disk as well as

on backups.

1.3.3.4 Integration with the Oracle Environment

Through Oracle Directory Integration Platform, Oracle Internet Directory provides a

single point of integration between the Oracle environment and other directories such

as NOS directories, third-party enterprise directories, and application-specific user

repositories.

1.4 How Oracle Products Use Oracle Internet Directory

Oracle products use Oracle Internet Directory for easier administration, tighter

security, and simpler integration between multiple directories.

This section contains these topics:

See Also: Oracle Fusion Middleware High Availability Guide

How Oracle Products Use Oracle Internet Directory

Introduction to Directory Services 1-7

■Section 1.4.1, "Easier and More Cost-Effective Administration of Oracle Products"

■Section 1.4.2, "Tighter Security Through Centralized Security Policy

Administration"

■Section 1.4.3, "Integration of Multiple Directories"

1.4.1 Easier and More Cost-Effective Administration of Oracle Products

Oracle Platform Security Services stores users and groups in an embedded LDAP

repository by default. Domains can be configured, however, to use identity data in

LDAP repositories, such as Oracle Internet Directory. In addition, Oracle WebLogic

Server provides a generic LDAP authenticator that can be used with other LDAP

servers.By default, OPSS stores policies and credentials in file-based stores. These

stores can be changed (or reassociated) to an LDAP repository backed by an Oracle

Internet Directory or an Oracle Virtual Directory server.

Oracle Webcenter Suite bases its security on OPSS. It can delegate enforcement to

Oracle Internet Directory for identity, policy, and credential storage. You can use

LDAP commands to add or modify users and to search the directory, which can be

useful when exporting and importing user accounts.

Oracle Access Manager supports storing user, configuration, and policy data in

directories, such as Oracle Internet Directory (multiple realms). You can store data

either together on the same directory server or on different directory servers.

Oracle Net Services uses Oracle Internet Directory to store and resolve database

services and the simple names, called net service names, that can be used to represent

them.

1.4.2 Tighter Security Through Centralized Security Policy Administration

The Oracle Database uses Oracle Internet Directory to store user names and

passwords, along with authorization information such as enterprise roles. It uses

Oracle Internet Directory to store a password verifier along with the entry of each

user.

Oracle Enterprise User Security uses Oracle Internet Directory for:

■Central Management of user authentication credentials

Instead of storing a user's database password in each database, Oracle Advanced

Security stores it in one place: the directory. It stores the password as an attribute

of the user entry.

■Central management of user authorizations

Oracle Advanced Security uses directory entries, called enterprise roles, to

determine the privileges for a given enterprise user within a given schema,

whether that schema is shared or owned. Enterprise roles are containers for

database-specific global roles. For example, a user might be assigned the

enterprise role of clerk, which might contain the global role of hrclerk with its

attendant privileges on the human resources database and the global role of

analyst with its attendant privileges on the payroll database.

■Mappings to shared schemas

Oracle Advanced Security uses mappings—that is, directory entries that point an

enterprise user to shared application schemas on the database instead of to an

individual account. For example, you might map several enterprise users to the

schema sales_application instead of to separate accounts in their names.

How Oracle Products Use Oracle Internet Directory

1-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■Single password authentication

In the Oracle Database, Oracle Advanced Security enables enterprise users to

authenticate to multiple databases by using a single, centrally managed password.

The password is stored in the directory as an attribute of the user's entry and is

protected by encryption and access control lists. This spares you from setting up

Secure Sockets Layer (SSL) on clients and users from having to remember multiple

passwords.

■Central storage of PKI credentials

In Oracle Database and Oracle Application Server, user wallets can be stored in

the directory as an attribute of the user's entry. Storing wallets in this manner

enables mobile users to retrieve and open their wallets by using Enterprise Login

Assistant. While the wallet is open, authentication is transparent—that is, users

can access any database on which they own or share a schema without having to

authenticate again.

1.4.3 Integration of Multiple Directories

Another directory services product, Oracle Virtual Directory, provides a single,

dynamic access point to multiple data sources through LDAP or XML protocols. It

does this by providing a real-time data join and an abstraction layer that exposes a

single logical directory, without the need to synchronize or move data from its native

location. Oracle Virtual Directory can provide multiple application-specific views of

identity data stored in, for example, Oracle Internet Directory, Microsoft Active

Directory and Sun Java Systems Directory instances, and can also be used to secure

data access to the application-specific sources and enhance high-availability to existing

data-sources. These capabilities accelerate the deployment of applications and reduce

costs by eliminating the need to consolidate user information before an application can

be deployed. Oracle Virtual Directory can constantly adapt those applications to a

changing identity landscape as user repositories are added, changed, or removed.

Oracle Virtual Directory provides the following benefits:

■Consolidates multiple directories

■Provides virtualization and distribution of directory services

■Reduces administrative cost and improves security

■Extends enterprise applications quickly

■Provides ubiquitous access to information

■Lowers cost of implementation

Oracle Directory Integration Platform is a collection of interfaces and services for

integrating multiple directories by using Oracle Internet Directory and several

associated plug-ins and connectors. It provides these benefits:

■All Oracle components are pre-certified to work with Oracle Internet Directory.

■You can integrate the entire Oracle environment with third-party directories

simply by integrating each third-party directory with Oracle Internet Directory.

This saves you from having to integrate each application with each directory.

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle

Virtual Directory

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle

Directory Integration Platform

Understanding Oracle Internet Directory in Oracle Fusion Middleware 2-1

2Understanding Oracle Internet Directory in

Oracle Fusion Middleware

As of 11g Release 1 (11.1.1), Oracle Internet Directory has been integrated with a

common management infrastructure that in turn uses Oracle WebLogic Server. This

product set is called Oracle Fusion Middleware.

This chapter describes some features of Oracle Fusion Middleware that affect Oracle

Internet Directory management.

This chapter contains the following sections:

■Section 2.1, "WebLogic Server Domain"

■Section 2.2, "Oracle Internet Directory as a System Component"

■Section 2.3, "Oracle Internet Directory Deployment Options"

■Section 2.4, "Middleware Home"

■Section 2.5, "WebLogic Server Home"

■Section 2.7, "Oracle Home"

■Section 2.8, "Oracle Instance"

■Section 2.9, "Oracle Enterprise Manager Fusion Middleware Control"

■Section 2.10, "Logging, Auditing, and Diagnostics"

■Section 2.11, "MBeans and the WebLogic Scripting Tool"

2.1 WebLogic Server Domain

A WebLogic Server administration domain is a logically related group of Java

components. Domains include a special WebLogic Server instance called the

Administration Server, which is the central point from which you configure and

manage all resources in the domain. Usually, you configure a domain to include

additional WebLogic Server instances called managed servers. You deploy Java

components, such as Web applications and Web services, and other resources onto the

managed servers and use the Administration Server for configuration and

management purposes only. The managed servers can be grouped together into a

cluster.

See Also: The chapter entitled "Understanding Oracle Fusion

Middleware Concepts" in Oracle Fusion Middleware Administrator's

Guide.

Oracle Internet Directory as a System Component

2-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

2.2 Oracle Internet Directory as a System Component

Oracle Internet Directory is a system component. That is, it is a manageable process

that is not an Oracle WebLogic Server. System components can use the WebLogic

Administrative Domain for management services, including Oracle Enterprise

Manager Fusion Middleware Control, Audit Framework, configuration management

through MBeans and Secure Sockets Layer and Wallet Management. The Oracle

WebLogic Server Administration Server controls Oracle Internet Directory and other

system components through OPMN.

Oracle Internet Directory itself is a C-based process. Its only run time dependency is

the Oracle Database. To be managed by the Oracle Fusion Middleware management

framework, Oracle Internet Directory must register itself with a local or a remote

Oracle WebLogic Server administration domain during installation or from the

command line after installation. Therefore, an Oracle Internet Directory 11g

installation requires either a local or a remote installation of Oracle WebLogic Server.

Also, the Directory Management user interface, ODSM, is a Java component deployed

on Oracle WebLogic Server.

If you must manage Oracle Internet Directory in your deployment using only

command-line tools and a remote ODSM, there is also an option to install and

configure Oracle Internet Directory without registering with a Oracle WebLogic Server

Domain.

2.3 Oracle Internet Directory Deployment Options

During installation, there are four deployment options for Oracle Internet Directory:

1. Create New Domain–Oracle Internet Directory with a local Oracle WebLogic

Server Domain. Oracle WebLogic Server is installed locally with Oracle Internet

Directory and an admin domain is created for Oracle Internet Directory.

2. Extend Existing Domain–Oracle Internet Directory with a remote Oracle

WebLogic Server Domain. Oracle WebLogic Server admin server and domain

have been installed and created separately and Oracle Internet Directory registers

with the Domain remotely.

3. Expand Cluster–Oracle Internet Directory in an Oracle WebLogic Server cluster

for High Availability. This option will not be discussed here.

4. Configure Without Domain–Oracle Internet Directory without a Oracle

WebLogic Server Domain. Oracle Internet Directory can be installed and

configured without Oracle WebLogic Server Server and without registering to any

Oracle WebLogic Server Admin Domains. In this case, Oracle Internet Directory

cannot be managed by Oracle Enterprise Manager Fusion Middleware Control or

other common Oracle Fusion Middleware management services. You must rely on

command-line utilities such as opmnctl and the LDAP tools. ODSM can be

deployed separately and used to manage Oracle Internet Directory.

If you choose Create New Domain or Extend Existing Domain, the Oracle Internet

Directory component you create is registered with that domain when the installation is

complete.

If you choose Configure Without Domain, the Oracle Internet Directory component is

not registered with any domain when the installation is complete. You will be unable

to manage Oracle Internet Directory, or any other component in that Oracle instance,

with Oracle Enterprise Manager Fusion Middleware Control until you register the

component with a WebLogic domain by using the command-line tool opmnctl.

Oracle Instance

Understanding Oracle Internet Directory in Oracle Fusion Middleware 2-3

2.4 Middleware Home

A Middleware home consists of the WebLogic Server home, and optionally one or

more other Oracle product homes (also known as Oracle homes). A middleware home

can reside on a local file system or on a remote shared disk that is accessible through

NFS. The Oracle Fusion Middleware home is represented in path names as MW_HOME.

2.5 WebLogic Server Home

A WebLogic Server home contains installed files necessary to host a WebLogic Server.

The WebLogic Server home directory is a peer of other Oracle home directories

underneath the middleware home directory. In path names, it is represented as WLS_

HOME.

2.6 Oracle Common Home

The Oracle home that contains the binary and library files required for the Oracle

Enterprise Manager Fusion Middleware Control and Java Required Files (JRF). There

can be only one Oracle Common home within each Middleware home. In path names,

it is represented as ORACLE_COMMON_HOME.

2.7 Oracle Home

An Oracle home contains installed files necessary to host a specific software suite. An

Oracle home resides within the directory structure of the Middleware home. Each

Oracle home can be associated with multiple Oracle instances

The Oracle home is usually represented in path names as ORACLE_HOME. Each Oracle

home can be associated with multiple Oracle instances or Weblogic server domains.

2.8 Oracle Instance

In 11g Release 1, product configuration data has been separated from product binaries.

The product binaries reside in the Oracle home, ORACLE_HOME, while updatable files

reside in an Oracle instance, represented in path names as ORACLE_INSTANCE.

Most Oracle Internet Directory commands require that you set the environment

variable ORACLE_INSTANCE to the value of ORACLE_INSTANCE. You dereference this

variable as $ORACLE_INSTANCE on UNIX or Linux systems and as %ORACLE_

INSTANCE% on Windows.

All configuration files, repositories, log files, deployed applications, and temporary

files reside in a oracle instance. Keeping updatable files separate from non-updatable

files facilitates administrative tasks such as patching, upgrades, backup and restore,

and cloning. It allows administrators to have their run-time and install-time binaries

follow independent life cycles.

Oracle instance refers not only to a physical location on disk but also encompasses the

associated processes. An Oracle instance contains one or more active middleware

system components, such as Oracle Virtual Directory or Oracle Internet Directory. You

determine which components are part of an instance, either at install time or by

creating and configuring an instance at a later time.

When you install Oracle Internet Directory on a host computer, Oracle Identity

Management 11g Installer creates an Oracle Fusion Middleware component of type

OID in a new or existing Oracle instance. The component name for the first Oracle

Internet Directory component is oid1.

Oracle Enterprise Manager Fusion Middleware Control

2-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Oracle Identity Management 11g Installer also creates some directories in the

filesystem under the Oracle instance, including the following, when you install Oracle

Internet Directory:

ORACLE_INSTANCE/config/OID/componentName

ORACLE_INSTANCE/diagnostics/logs/OID/componentName

ORACLE_INSTANCE/diagnostics/logs/OID/tools

ORACLE_INSTANCE/OID/admin

ORACLE_INSTANCE/OID/admin/SSLwallet-name

ORACLE_INSTANCE/OID/load

ORACLE_INSTANCE/tmp

2.9 Oracle Enterprise Manager Fusion Middleware Control

As of release 11g, you create, configure, and manage many Oracle Internet Directory

features by using Oracle Enterprise Manager Fusion Middleware Control and Oracle

Directory Services Manager.

Fusion Middleware Control enables you to configure and manage all Oracle products

from one user interface. You can perform most configuration functions in Fusion

Middleware Control that you can perform from the command line. Oracle Enterprise

Manager Fusion Middleware Control also includes wizards for setting up replication

and for estimating sizing and tuning needs.

Oracle Directory Services Manager is an additional administrative interface for Oracle

Internet Directory and Oracle Virtual Directory. It is accessible from Oracle Enterprise

Manager Fusion Middleware Control or directly from its own URL.

2.10 Logging, Auditing, and Diagnostics

Using Oracle Enterprise Manager Fusion Middleware Control, you can monitor the

Oracle Internet Directory Server and related components and activities.

Using the monitoring functions, you can gain insight into system activity and

performance, for example, total logins, successful and unsuccessful logins, average

You can monitor the following items:

■Metrics: To monitor system health

■General: A high-level rollup of load, performance, security, login, CPU utilization,

and other data

■Performance: Key metrics for the directory server and its host

■Reports: Data on operation success and failure

■Topol o g y : Information on the Oracle HTTP Server instances, directory server

instances, associated databases, and other components

2.11 MBeans and the WebLogic Scripting Tool

The Oracle WebLogic Scripting Tool (WLST) is a command-line scripting environment

that you can use to create, manage, and monitor Oracle WebLogic Server domains. It is

based on the Java scripting interpreter, Jython. You can use WLST to perform some

Oracle Internet Directory management operations.

MBeans and the WebLogic Scripting Tool

Understanding Oracle Internet Directory in Oracle Fusion Middleware 2-5

A managed bean (MBean) is a Java object that represents a JMX manageable resource

in a distributed environment, such as an application, a service, a component or a

device. When Oracle Internet Directory is registered with an Oracle WebLogic Server

Admin Domain, Oracle Internet Directory MBeans are deployed in the Oracle

WebLogic Server Admin Server. These MBeans enable management of Oracle Internet

Directory configuration through Oracle Enterprise Manager Fusion Middleware

Control or WLST.

See Also: Oracle Fusion Middleware Administrator's Guide

MBeans and the WebLogic Scripting Tool

2-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Understanding Oracle Internet Directory Concepts and Architecture 3-1

3 Understanding Oracle Internet Directory

Concepts and Architecture

This chapter provides conceptual descriptions of the basic elements of Oracle Internet

Directory and discusses Oracle Internet Directory architecture.

This chapter contains these topics:

■Section 3.1, "Oracle Internet Directory Architecture"

■Section 3.2, "How Oracle Internet Directory Processes a Search Request"

■Section 3.3, "Directory Entries"

■Section 3.4, "Attributes"

■Section 3.5, "Object Classes"

■Section 3.6, "Naming Contexts"

■Section 3.7, "Security"

■Section 3.8, "Globalization Support"

■Section 3.9, "Distributed Directories"

■Section 3.10, "Knowledge References and Referrals"

■Section 3.11, "Oracle Delegated Administration Services and the Oracle Internet

Directory Self-Service Console"

■Section 3.12, "The Service Registry and Service to Service Authentication"

■Section 3.13, "Oracle Directory Integration Platform"

■Section 3.14, "Oracle Internet Directory and Identity Management"

■Section 3.15, "Resource Information"

3.1 Oracle Internet Directory Architecture

This section contains these topics:

■Section 3.1.1, "An Oracle Internet Directory Node"

■Section 3.1.2, "An Oracle Directory Server Instance"

■Section 3.1.3, "Oracle Internet Directory Ports"

■Section 3.1.4, "Directory Metadata"

See Also: "Related Documents" on page -xxxix for suggestions on

further reading about LDAP-compliant directories

Oracle Internet Directory Architecture

3-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

3.1.1 An Oracle Internet Directory Node

An Oracle Internet Directory node consists of one or more directory server instances

connected to the same directory store. The directory store—that is, the repository of

the directory data—is an Oracle Database.

Figure 3–1 on page 3-2 shows the various directory server elements and their

relationships running on a single node.

Oracle Net Services is used for all connections between the Oracle database server and:

■The Oracle directory server non-SSL port (3060 by default)

■The Oracle directory server SSL-enabled port (3131 by default)

■The OID Monitor

LDAP is used for connections between directory server and:

■Oracle Directory Services Manager

■Oracle directory replication server

The Oracle directory server instance and the Oracle directory replication server

connect to OID Monitor by way of the operating system.

Figure 3–1 A Typical Oracle Internet Directory Node

As shown in Figure 3–1, an Oracle Internet Directory node includes the following

major elements:

Note: All Oracle Internet Directory instances in the same domain

connect to the same Oracle Database.

Oracle

Directory

Services

Manager

Oracle

Directory

Replication

Server

OID

Monitor

(oidmon)

LDAP LDAP

OPMN

Oracle

Database

Server

Oracle

Net

Oracle

Net

Oracle

Directory

Server

Instance 1

SSL port 3131

non-SSL

port 3060

Oracle Internet Directory Architecture

Understanding Oracle Internet Directory Concepts and Architecture 3-3

The Oracle directory replication server uses LDAP to communicate with an Oracle

directory (LDAP) server instance. To communicate with the database, all components

use OCI/Oracle Net Services. Oracle Directory Services Manager and the

command-line tools communicate with the Oracle directory servers over LDAP.

3.1.2 An Oracle Directory Server Instance

Figure 3–2 illustrates an Oracle directory server instance, also called an LDAP server

instance.

Table 3–1 An Oracle Internet Directory Node

Element Description

Oracle directory server

instance

Also called either an LDAP server instance or a directory server

instance, it services directory requests through a single Oracle

Internet Directory dispatcher process listening at specific

TCP/IP ports. There can be more than one directory server

instance on a node, listening on different ports.

Oracle directory

replication server

Also called a replication server, it tracks and sends changes to

replication servers in another Oracle Internet Directory system.

There can be only one replication server on a node. You can

choose whether to configure the replication server.

Oracle Database Server Stores the directory data. Oracle strongly recommends that you

dedicate a database for use by the directory. The database can

reside on the same node as the directory server instances.

Oracle Process Manager

and Notification Server

(OPMN)

Manages Oracle Internet Directory as an Oracle Fusion

Middleware system component. OPMN uses the directives in

the OID component snippet in ORACLE_

INSTANCE/config/OPMN/opmn/opmn.xml and invokes

OIDMON and OIDCTL as required. The command-line utility is

ORACLE_INSTANCE/bin/opmnctl.

OID Monitor (OIDMON) Initiates, monitors, and terminates the LDAP server and

replication server processes. When you invoke process

management commands, such as oidctl or opmnctl, or when

you use Fusion Middleware Control to start or stop server

instances, your commands are interpreted by this process.

OIDMON also monitors servers and restarts them if they have

stopped running for abnormal reasons.

OIDMON starts a default instance of OIDLDAPD. If the default

instance of OIDLDAPD is stopped using the OIDCTL command,

then OIDMON stops the instance. However, when OIDMON is

restarted by OPMN, OIDMON restarts the default instance.

All OID Monitor activity is logged in the file ORACLE_

INSTANCE/diagnostics/logs/OID/Component_

Name/oidmon-xxxx.log. This file is on the Oracle Internet

Directory server file system.

OID Monitor checks the state of the servers through mechanisms

provided by the operating system.

OID Control Utility

(OIDCTL)

Communicates with OID Monitor by placing message data in

Oracle Internet Directory server tables. This message data

includes configuration parameters required to run each Oracle

directory server instance. Normally used from the command line

only to stop and start the replication server. OIDCTL is also used

for checking the status of Oracle Internet Directory.

Oracle Internet Directory Architecture

3-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Figure 3–2 Oracle Directory Server Instance Architecture

One instance comprises one dispatcher process and one or more server processes. The

Oracle Internet Directory dispatcher and server processes can use multiple threads to

distribute the load. LDAP clients send LDAP requests to an Oracle Internet Directory

listener/dispatcher process listening for LDAP commands at its port.

Oracle Internet Directory listener/dispatcher starts a configured number server

process at startup time. The number of server processes is controlled by the

orclserverprocs attribute in the instance-specific configuration entry. The default

value for orclserverprocs is 1. Multiple server processes enable Oracle Internet

Directory to take advantage of multiple processor systems.

The Oracle Internet Directory dispatcher process sends the LDAP connections to the

Oracle Internet Directory server process in a round robin fashion. The maximum

number of LDAP connections accepted by each server is 1024 by default. This number

can be increased by changing the attribute orclmaxldapconns in the

instance-specific configuration entry, which has a DN of the form:

cn=componentname,cn=osdldapd,cn=subconfigsubentry

3.1.3 Oracle Internet Directory Ports

An Oracle Internet Directory component can be created by Oracle Identity

Management 11g Installer or by a command-line tool. The program that creates Oracle

Internet Directory follows specific steps in assigning the SSL and non-SSL port. First, it

attempts to use 3060 as the non-SSL port. If that port is unavailable, it tries ports in the

range 3061 to 3070, then 13060 to 13070.

Similarly, the program that creates Oracle Internet Directory attempts to use 3131 as its

SSL port, then ports in the range 3132 to 3141, then 13131 to 13141.

3.1.4 Directory Metadata

Directory metadata is the information used by the directory server during run time for

processing LDAP requests. It is stored in the underlying data repository. During

startup, the directory server reads this information and stores it in a local metadata

Oracle Directory

Server

LDAP Server Instance

Oracle Directory

Server

Oracle Net

Oracle Directory

Server

Oracle Net

OID

Listener/

Dispatcher Oracle Net

Listener/

Dispatcher

Oracle Net

LDAP

Clients

LDAP

Requests

Oracle Fusion

Middleware

Oracle Internet Directory Architecture

Understanding Oracle Internet Directory Concepts and Architecture 3-5

cache. It then uses this cache during its run time to process incoming LDAP operation

requests.

The directory server has the following types of metadata in its local metadata cache:

■Directory Schema

The definitions of object classes, attributes, and matching rules supported by the

directory server. The directory server uses this information during creation and

modification of directory objects. A directory object is a collection of object classes

and their associated attributes and matching rules. See Chapter 20, "Managing

Directory Schema."

■Access control policy point (ACP)

A directory administrative domain for defining and controlling access to the

information in that domain. The directory server uses ACPs when determining

whether to allow a certain LDAP operation performed by a user. See Chapter 29,

"Managing Directory Access Control."

■Root DSE entry

The root DSE (Directory Service Agent-Specific Entry) contains several attributes

that store information about the directory server itself. For example, these

attributes contain the following information items, to mention just a few:

–Naming contexts DNs

–Sub Schema Subentry DN

–Superior references (referrals) DNs

–Special entry DNs like Oracle Internet Directory configuration and registry

containers

–Special Entry DNs like change log and change status containers

–DN of replications agreement container

See "Attributes of the DSE" on page 9-11.

■Privilege groups

Groups that can be used in access control policies.

The directory schema supports directory group objects through the standard

groupofuniquenames and groupofnames object classes. These object classes

hold information for such groups as distribution lists and mailing lists to mention

just two.

Oracle Internet Directory extends these standard group objects through an

auxiliary object class called orclprivilegegroup. This object class, which

supports privilege groups that can be used in access control policies, provides

flexibility to grant or deny access to groups of users. The directory server uses this

information during:

–LDAP bind operations to find out the subscribed privileged groups for a given

user

Note: The metadata cache is a write-through cache. An LDAP

operation first writes to the database and then invalidates the

corresponding cache entry. A subsequent search of that entry causes

the cache to be refreshed.

How Oracle Internet Directory Processes a Search Request

3-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

–Access control policy evaluation if the policy has directives that grant or deny

access to privileged groups

■Catalog entry

A special entry containing information about indexed attributes in the underlying

database. The directory uses this information during directory search operations.

See "About Indexing Attributes" on page 20-6.

■Common entry

A special entry containing information about hosted companies. A hosted

company is an enterprise to which another enterprise provides services. The

metadata in this entry includes the hosted company DN, user search base,

nickname and other attributes, all of which are described in Chapter 33, "Planning,

Deploying and Managing Realms".

■Plug-in entry

A special entry containing information about the kind of operation that triggers a

plug-in event, and the point in the operation when that plug-in is to be triggered.

Chapter 44, "Developing Plug-ins for the Oracle Internet Directory Server,"

describes this information.

■Password verifier entry

A special entry containing information about the encryption and verifier attribute

types. Chapter 30, "Managing Password Verifiers," describes this information.

■Password policy entry

One or more special entries containing information about policies enforced by the

directory server for the user password credentials. The directory server uses this

information during run time to enforce the password policies. See Chapter 28,

"Managing Password Policies".

3.2 How Oracle Internet Directory Processes a Search Request

This example shows you how Oracle Internet Directory processes a search request.

1. The user or client enters a search request that is conditioned by one or more of the

following options:

■SSL: The client and server can establish a session that uses SSL encryption and

authentication, or SSL encryption only. If SSL is not used, the client's message

is sent in clear text.

■Type of user: The user can seek access to the directory either as a particular

user or as an anonymous user, depending on which of the two has the

necessary privileges to perform the desired function.

■Filters: The user can narrow the search by using one or more search filters,

including those that use the Boolean conditions "and," "or," and "not," and

those that use other operators such as "greater than, "equal to," and "less than."

2. The C API, using the LDAP protocol, sends a request to a directory server instance

to connect to the directory.

See Also: Chapter 14, "Managing Dynamic and Static Groups"

Directory Entries

Understanding Oracle Internet Directory Concepts and Architecture 3-7

3. The directory server authenticates the user, a process called binding. The directory

server also checks the Access Control Lists (ACLs) to verify that the user is

authorized to perform the requested search.

4. The directory server converts the search request from LDAP to Oracle Call

Interface (OCI)/Oracle Net Services and sends it to the Oracle Database.

5. The Oracle Database retrieves the information and passes it back through the

chain—to the directory server, then to the C API, and, finally, to the client.

3.3 Directory Entries

In an online directory, each collection of information about an object is called an entry.

An entry can include, for example, information about an employee, a conference room,

an e-commerce partner, or a shared network resource such as a printer.

This section contains these topics:

■Section 3.3.1, "Distinguished Names (DNs) and Directory Information Trees

(DITs)"

■Section 3.3.2, "Entry Caching"

3.3.1 Distinguished Names (DNs) and Directory Information Trees (DITs)

Each entry in an online directory is uniquely identified by a distinguished name (DN).

The distinguished name tells you exactly where the entry resides in the directory

hierarchy. This hierarchy is represented by a directory information tree (DIT).

To understand the relation between a distinguished name and a directory information

tree, look at Figure 3–3.

Figure 3–3 A Directory Information Tree

The DIT in Figure 3–3 includes entries for two employees of Acme Corporation who

are both named Anne Smith. It is structured along geographical and organizational

lines. The Anne Smith contained in the left branch works in the Sales division in the

United States, while the other works in the Server Development division in the United

Kingdom.

The Anne Smith contained in the right branch has the common name (cn) Anne Smith.

She works in an organizational unit (ou) named Server Development, in the country

(o) Acme.

Note: The maximum number of attributes you can specify in a

search filter is 255.

c=us

ou=Sales ou=Server Developmen

cn=Anne Smith cn=Anne Smith

c=uk

root

o=acme

Attributes

3-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

The DN for this "Anne Smith" entry is:

cn=Anne Smith,ou=Server Development,c=uk,o=acme

Note that the conventional format of a distinguished name places the lowest DIT

component at the left, then follows it with the next highest component, moving

progressively up to the root.

Within a distinguished name, the lowest component is called the relative

distinguished name (RDN). For example, in the previous entry for Anne Smith, the

RDN is cn=Anne Smith. Similarly, the RDN for the entry immediately above Anne

Smith's RDN is ou=Server Development, the RDN for the entry immediately

above ou=Server Development is c=uk, and so on. A DN is thus a concatenation

of RDNs that reflects parent-child relationships in the DIT. Within the DN, RDNs are

separated by commas.

To locate a particular entry within the overall DIT, a client uniquely identifies that

entry by using the full DN—not simply the RDN—of that entry. For example, within

the global organization in Figure 3–3, to avoid confusion between the two Anne

Smiths, you would use each one's full DN. If there are potentially two employees with

the same name in the same organizational unit, you could use additional

mechanisms—for example, you could identify each employee with a unique number.

3.3.2 Entry Caching

To make operations on entries quick and efficient, Oracle Internet Directory uses entry

caching. When you enable this feature, Oracle Internet Directory assigns a unique

identifier to each entry, then stores a specified number of those identifiers in cache

memory. When a user performs an operation on an entry, the directory server looks in

the cache for the entry identifier, then retrieves the corresponding entry from the

directory. This method enhances Oracle Internet Directory performance, and is

especially useful in smaller and medium-sized enterprises.

3.4 Attributes

In a typical telephone directory, an entry for a person contains such information items

as an address and a phone number. In an online directory, such an information item is

Notes:

■Beginning with Release 11gR1 (11.1.1.6), the entry cache resides

in shared memory, so multiple Oracle Internet Directory server

instances on the same host can share the same cache. Attributes

for confuring the cache now reside in the DSA configuration

entry.

■The entry cache is a write-through cache. An LDAP operation

first writes to the database and then invalidates the

corresponding cache entry. A subsequent search of that entry

causes the cache to be refreshed.

See Also:

■The Server Entry Cache section of the Oracle Internet

Directory chapter in Oracle Fusion Middleware Performance and

Tuning Guide.

■Chapter 19, "Managing Knowledge References and Referrals."

Attributes

Understanding Oracle Internet Directory Concepts and Architecture 3-9

called an attribute. Attributes in a typical employee entry can include, for example, a

job title, an e-mail address, or a phone number.

For example, in Figure 3–4, the entry for Anne Smith in Great Britain (uk) has several

attributes, each providing specific information about her. These are listed in the

balloon to the right of the tree, and they include emailaddrs, printername,

jpegPhoto, and app preferences. Moreover, each bullet in Figure 3–4 is also an

entry with attributes, although the attributes for each are not shown.

Figure 3–4 Attributes of the Entry for Anne Smith

Each attribute consists of an attribute type and one or more attribute values. The

attribute type is the kind of information that the attribute contains—for example,

jobTitle. The attribute value is the particular occurrence of information appearing

in that entry. For example, the value for the jobTitle attribute could be manager.

This section contains these topics:

■Section 3.4.1, "Kinds of Attribute Information"

■Section 3.4.2, "Single-Valued and Multivalued Attributes"

■Section 3.4.3, "Common LDAP Attributes"

■Section 3.4.4, "Attribute Syntax"

■Section 3.4.5, "Attribute Matching Rules"

■Section 3.4.6, "Attribute Options"

3.4.1 Kinds of Attribute Information

Attributes contain two kinds of information.

■Application Attributes

This information is maintained and retrieved by directory clients and is

unimportant to the operation of the directory. A telephone number, for example, is

application information.

■System Configuration Attributes

This information pertains to the operation of the directory itself. Some operational

information is specified by the directory to control the server—for example, the

time stamp for the creation or modification of an entry, or the name of the user

who creates or modifies an entry. Other operational information, such as access

c=us

ou=Sales ou=Server Development

cn=Anne Smith cn=Anne Smith

c=uk

root emailaddrs=

printername=

jpegPhoto=

app preferences=

...

cn=Anne Smith

o=acme

Attributes

3-10 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

information, is defined by administrators and is used by the directory program in

its processing.

To enhance your ability to search for entries, Oracle Internet Directory automatically

creates several system configuration attributes when you add an entry to the directory.

These include:

Moreover, when a user modifies an entry, Oracle Internet Directory automatically

updates the modifiersName and modifyTimestamp attributes to, respectively, the

name of the person modifying the entry, and the time of the entry modification in

UTC.

3.4.2 Single-Valued and Multivalued Attributes

Attributes can be either single-valued or multivalued. Single-valued attributes carry

only one value in the attribute, whereas multivalued attributes can have several. An

example of a multivalued attribute is a group membership list with names of everyone

in the group.

3.4.3 Common LDAP Attributes

Oracle Internet Directory implements all of the standard LDAP attributes. Some of the

more common ones defined by RFC 2798 of the Internet Engineering Task Force (IETF)

are shown in Table 3–3.

See Also: Chapter 9, "Managing System Configuration Attributes"

for more information about system configuration attributes.

Table 3–2 Attributes Created with Each New Entry

Attribute Description

creatorsName Name of the person creating the entry

createTimestamp Time of entry creation in UTC (Coordinated Universal Time)

modifiersName Name of person modifying the entry

modifyTimestamp Time of last entry modification in UTC

See Also: Chapter 9, "Managing System Configuration

Attributes" for instructions on configuring system configuration

attributes.

Table 3–3 Common LDAP Attributes

Attribute Type Attribute String Description

commonName cn Common name of an entry—for example, Anne Smith.

domainComponent dc The DN of the component in a Domain Name System

(DNS)—for example, dc=uk,dc=acme,dc=com.

jpegPhoto jpegPhoto Photographic image in JPEG format. This is stored in binary

format.

organization oName of an organization—for example, my_company.

organizationalUnitName ou Name of a unit within an organization—for example, Server

Development.

Attributes

Understanding Oracle Internet Directory Concepts and Architecture 3-11

3.4.4 Attribute Syntax

Attribute syntax is the format of the data that can be loaded into each attribute. For

example, the syntax of the telephoneNumber attribute might require a telephone

number to be a string of numbers containing spaces and hyphens. However, the

syntax for another attribute might require specifying whether the data has to be in the

form of a date, or whether the data can consist of numbers only. Each attribute must

have one and only one syntax.

Oracle Internet Directory recognizes most of the syntaxes specified in RFC 2252 of the

Internet Engineering Task Force (IETF), allowing you to associate most of the syntaxes

described in that document with an attribute. In addition to recognizing the syntaxes

in RFC 2252, Oracle Internet Directory also enforces some LDAP syntaxes. You cannot

add new syntaxes beyond those already supported by Oracle Internet Directory.

3.4.5 Attribute Matching Rules

In response to most incoming client requests, the directory server performs search and

compare operations. During these operations, the directory server consults the

relevant matching rule to determine equality between the attribute value sought and

the attribute value stored. For example, matching rules associated with the

telephoneNumber attribute could cause "(650) 123-4567" to be matched with either

"(650) 123-4567" or "6501234567" or both. When you create an attribute, you associate a

matching rule with it.

Oracle Internet Directory implements all the standard LDAP matching rules. You

cannot add new matching rules beyond those already supported by Oracle Internet

Directory.

owner owner Distinguished name of the person who owns the entry, for

example, cn=Anne Smith, ou=Server Development,

o= Acme, c=uk.

surname, sn sn Last name of a person—for example, Smith.

telephoneNumber telephoneNumber Telephone number—for example, (650) 123-4567 or

6501234567.

See Also: "Oracle Identity Management LDAP Attribute

Reference" in Oracle Fusion Middleware Reference for Oracle Identity

Management for a list of several attributes Oracle Internet Directory

provides.

See Also: "About LDAP Attribute Syntax" in Oracle Fusion

Middleware Reference for Oracle Identity Management.

See Also:

■Chapter 20, "Managing Directory Schema" for information on

viewing matching rules.

■"About LDAP Matching Rules" in Oracle Fusion Middleware

Reference for Oracle Identity Management.

Table 3–3 (Cont.) Common LDAP Attributes

Attribute Type Attribute String Description

Object Classes

3-12 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

3.4.6 Attribute Options

An attribute type can have various options that enable you to specify how the value

for that attribute is made available in a search or a compare operation. For example,

suppose that an employee has two addresses, one in London, the other in New York.

Options for that employee's address attribute could allow you to store both

addresses.

Moreover, attribute options can include language codes. For example, options for John

Doe's givenName attribute could enable you to store his given name in both French

and Japanese.

For clarity, we can distinguish between an attribute with an option and its base

attribute, which is the same attribute without an option. For example, in the case of

givenName;lang-fr=Jean, the base attribute is givenName; the French value for

that base attribute is givenName;lang-fr=Jean.

An attribute with one or more options inherits the properties—for example, matching

rules and syntax— of its base attribute. To continue the previous example, the

attribute with the option cn;lang-fr=Jean inherits the properties of cn.

3.5 Object Classes

An object class is a group of attributes that define the structure of an entry. When you

define a directory entry, you assign one or more object classes to it. Some of the

attributes in these object classes are mandatory and must have values, others are

optional and can be empty.

For example, the organizationalPerson object class includes the mandatory

attributes commonName (cn) and surname (sn), and the optional attributes

telephoneNumber, uid, streetAddress, and userPassword. When you define

an entry by using the organizationalPerson object class, you must specify values

for commonName (cn) and surname (sn). You do not need to provide values for

telephoneNumber, uid, streetAddress, and userPassword.

This section contains these topics:

■Section 3.5.1, "Subclasses, Superclasses, and Inheritance"

■Section 3.5.2, "Object Class Types"

3.5.1 Subclasses, Superclasses, and Inheritance

A subclass is an object class derived from another object class. The object class from

which a subclass is derived is called its superclass. For example, the object class

organizationalPerson is a subclass of the object class person. Conversely, the

object class person is the superclass of the object class organizationalPerson.

Subclasses inherit all of the attributes belonging to their superclasses. For example, the

subclass organizationalPerson inherits the attributes of its superclass, person.

Entries also inherit attributes that their superclasses have inherited.

Note: You cannot use an attribute option within a DN. For

example, the following DN is incorrect: cn;lang-fr=Jean,

ou=sales,o=acme,c=uk.

See Also: Chapter 13, "Managing Directory Entries."

Object Classes

Understanding Oracle Internet Directory Concepts and Architecture 3-13

One special object class, called top, has no superclasses. It is one of the superclasses of

every object class in the directory, and its attribute definitions are inherited by every

entry.

3.5.2 Object Class Types

There are three types of object classes:

■Structural

■Auxiliary

■Abstract

3.5.2.1 Structural Object Classes

Structural object classes describe the basic aspects of an object. Most of the object

classes that you use are structural object classes, and every entry should belong to at

least one structural object class. Examples of structural object classes are person and

groupOfNames.

These object classes model real-world entities and their physical or logical attributes.

Examples include people, printers, and database connections.

Structural object classes use structure rules to place restrictions on the kinds of objects

you can create under any given object class. For example, a structure rule might

require all objects below the organization (o) object class to be organizational

units (ou). Following this rule, you could not enter person objects directly below an

organization object class. Similarly, a structure rule might disallow you from

placing an organizational unit (ou) object below a person object.

3.5.2.2 Auxiliary Object Classes

Auxiliary object classes are groupings of optional attributes that expand the existing

list of attributes in an entry. Unlike structural object classes, they do not place

restrictions on where an entry may be stored, and you can attach them to any entry

regardless of that entry's location in the DIT.

3.5.2.3 Abstract Object Classes

An abstract object class is a virtual object class. It is used only for convenience when

specifying the highest levels of the object class hierarchy. It cannot be the only object

class for an entry. For example, the object class top is an abstract object class. It is

required as a superclass for all structural object classes, but it cannot be used alone.

The top object class includes the mandatory attribute objectClass and several

optional attributes. The optional attributes in top are:

■orclGuid: Global identification which remains constant if the entry is moved

Note: In itself, an object class contains no values. Only an instance

of an object class—that is, an entry—contains values. When a

subclass inherits attributes from a superclass, it inherits only the

attribute definitions of the superclass.

Note: Oracle Internet Directory does not enforce structure rules. It

therefore handles both structural and auxiliary object classes in the

same way.

Naming Contexts

3-14 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■creatorsName: Name of the creator of the object class

■createTimestamp: Time when the object class was created

■modifiersName: Name of the last person to modify the object class

■modifyTimestamp: Time when the object class was last modified

■orclACI: access control list (ACL) directives that apply to all entries in the

subtree below the access control policy point (ACP) where this attribute is defined

■orclEntryLevelACI: Access control policy pertaining to only a specific entity,

for example, a special user

3.6 Naming Contexts

A directory naming context is a subtree that resides entirely on one server. It must be a

complete subtree, that is, it must begin at an entry that serves as the top of the subtree,

and extend downward to either leaf entries or references to subordinate naming

contexts. It can range in size from a single entry to the entire directory information tree

(DIT).

Figure 3–5 illustrates correct and incorrect naming contexts. Notice that the correct

ones on the left are contiguous, and the incorrect ones on the right are not.

Figure 3–5 Correct and Incorrect Naming Contexts

To enable users to discover specific naming contexts, you can publish those naming

contexts in Oracle Internet Directory by using ldapmodify.

See Also:

■Section 3.8, "Globalization Support" for more information on

access control policies and ACLs

■Section 20.1.3, "Understanding Attributes" for a discussion of

how to add additional content to entries

See Also: Chapter 11, "Managing Naming Contexts" for

instructions on how to publish a naming context

Naming context

Correct Incorrect

Globalization Support

Understanding Oracle Internet Directory Concepts and Architecture 3-15

3.7 Security

Oracle Internet Directory is a key element of Oracle Identity Management. You can

deploy multiple Oracle components to work against a shared instance of Oracle

Internet Directory. This sharing allows an enterprise to simplify security management

across all applications.

In addition to the role it plays in the Oracle Identity Management infrastructure,

Oracle Internet Directory provides many powerful features for protecting information.

Security features within Oracle Internet Directory itself include:

■The Secure Sockets layer: Ensuring that data is not modified, deleted, or replayed

during transmission

■Data privacy: Ensuring that data is not inappropriately observed while it is stored

in Oracle Internet Directory

■Password policies: Establishing and enforcing rules for how passwords are

defined and used

■Authorization: Ensuring that a user reads or updates only the information for

which that user has privileges

■Password protection: Ensuring that passwords are not easily discovered by others

■Authentication: Ensuring that the identities of users, hosts, and clients are

correctly validated

You can use all these features to enforce a uniform security policy for multiple

applications enabled for Oracle Internet Directory, and do so in either an enterprise or

hosted environment. You do this by deploying the directory for administrative

delegation. This deployment allows, for example, a global administrator to delegate to

department administrators access to the metadata of applications in their departments.

These department administrators can then control access to their department

applications.

You can also use security features of the underlying Oracle Database, such as

Transparent Data Encryption and Database Vault, to protect Oracle Internet Directory

data.

3.8 Globalization Support

Oracle Internet Directory follows LDAP Version 3 internationalization (I18N)

standards. These standards require that the database storing directory data use

Unicode Transformation Format 8-bit (UTF-8) character set. With Oracle9i, Oracle

added a new UTF-8 character set called AL32UTF8. This database character set

supports the latest version of Unicode (3.2), including the latest supplementary

characters. This allows Oracle Internet Directory to store the character data of almost

any language supported by Oracle Globalization Support. Moreover, although several

different application program interfaces are involved in the Oracle Internet Directory

implementation, Oracle Internet Directory ensures that the correct character encoding

is used with each API.

Globalization Support means support for both single-byte and multibyte characters. A

single-byte character is represented by one byte of memory. ASCII text, for example,

uses single-byte characters. By contrast, a multibyte character can be represented by

more than one byte. Simplified Chinese, for example, uses multibyte characters. An

See Also: Part III, "Advanced Administration: Security"

Distributed Directories

3-16 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

ASCII representation of a simplified Chinese directory entry definition might look like

this:

dn: o=\274\327\271\307\316\304,c=\303\300\271\372

objectclass: top

objectclass: organization

o: \274\327\271\307\316\304

Where the attribute values correspond to an ASCII representation of a simplified

Chinese directory entry definition.

By default, the main Oracle Internet Directory components—OID Monitor (OIDMON),

OID Control Utility (OIDCTL), Oracle directory server (OIDLDAPD), and Oracle

directory replication server (OIDREPLD)—accept only the UTF-8 character set. The

Oracle character set name is AL32UTF8.

The Oracle directory server and database tools are no longer restricted to run on a

UTF8 database. However, you must ensure that all characters in the client character set

are included in the database character set (with same or different character codes) if

the database underlying the Oracle Internet Directory server is not AL32UTF8 or

UTF8. Otherwise, there may be data loss during LDAP add, delete, modify, or

modifydn operations if the client data cannot be mapped to the database character set.

Oracle Directory Services Manager uses Unicode (UTF-16—that is, fixed-width 16-bit

Unicode). It can support internationalized character sets.

3.9 Distributed Directories

Although an online directory is logically centralized, it can be physically distributed

onto several servers. This distribution reduces the work a single server would

otherwise have to do, and enables the directory to accommodate a larger number of

entries.

A distributed directory can be either replicated or partitioned. When information is

replicated, the same naming contexts are stored by more than one server. When

information is partitioned, one or more unique, non-overlapping naming contexts are

stored on each directory server. In a distributed directory, some information may be

partitioned and some may be replicated.

This section contains these topics:

■Section 3.9.1, "Directory Replication"

■Section 3.9.2, "Directory Partitioning"

3.9.1 Directory Replication

Replication is the process of copying and maintaining the same naming contexts on

multiple directory servers. See Chapter 6, "Understanding Oracle Internet Directory

Replication" for a discussion of replication concepts.

See Also:

■Appendix I, "Globalization Support in the Directory."

■Oracle Database Globalization Support Guide in the Oracle

Database Documentation Library for a detailed discussion of

Globalization Support.

Distributed Directories

Understanding Oracle Internet Directory Concepts and Architecture 3-17

3.9.2 Directory Partitioning

Partitioning, in which each directory server stores one or more unique,

non-overlapping naming contexts, is another way of distributing directory

information.

Figure 3–6 shows a partitioned directory in which some naming contexts reside on

different servers.

Figure 3–6 A Partitioned Directory

In Figure 3–6 on page 3-17, four naming contexts reside on Server A:

■dc=acme,dc=com

■c=us,dc=acme,dc=com

■c=uk,dc=acme,dc=com

■c=au,dc=acme,dc=com

Two naming contexts on Server A are replicated on Server B:

■dc=acme,dc=com

■c=au,dc=acme,dc=com

The directory uses one or more knowledge references to locate information that is

requested of Server B, but that resides on Server A. It passes this information to a

client in the form of a referral.

Server A

Naming context

Knowledge reference

Replicated naming

context

dc=com

dc=acme

Server B

dc=com

dc=acme

c=us c=uk c=au c=us c=uk c=au

Knowledge References and Referrals

3-18 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

3.10 Knowledge References and Referrals

A knowledge reference provides the names and addresses of the various naming

contexts held in another partition. For example, in Figure 3–6 on page 3-17, Server B

uses knowledge references to point to the c=us and c=uk naming contexts on Server

A. When Server B is asked for information residing on Server A, it sends back one or

more referrals to Server A. Clients can then use these referrals to contact Server A.

Typically, each directory server contains both superior and subordinate knowledge

references. Superior knowledge references point upward in the DIT toward the root.

They tie the partitioned naming context to its parent. Subordinate knowledge

references point downward in the DIT to other partitions.

For example, in Figure 3–7 on page 3-18, Server B holds four naming contexts, two of

which are superior to the others. These two superior naming contexts use subordinate

knowledge references to point to their subordinate naming contexts. Conversely, the

naming context on Server A has an immediate superior residing on Server B. Server A

therefore uses a superior knowledge reference to point to its parent on Server B.

Figure 3–7 Using Knowledge References to Point to Naming Contexts

Naming contexts that start at the top of the DIT obviously cannot have a knowledge

reference to a superior naming context.

Server A

Server B Server C

Separate servers

Naming context

Subordinate - Immediate superio

reference pair

Oracle Delegated Administration Services and the Oracle Internet Directory Self-Service Console

Understanding Oracle Internet Directory Concepts and Architecture 3-19

There are two kinds of referrals:

■Smart referrals

These are returned to the client when the knowledge reference entry is in the

scope of the search. It points the client to the server that stores the requested

information.

For example, suppose that:

■Server A holds the naming context, ou=server

development,c=us,o=acme, and has a knowledge reference to Server B.

■Server B holds the naming context ou=sales,c=us,o=acme.

When a client sends a request to Server A for information in

ou=sales,c=us,o=acme, Server A provides the user with a referral to Server B.

■Default referrals

These are returned when the base object is not in the directory, and the operation

is performed in a naming context on another server. A default referral typically

sends the client to a server that has more detailed information about the directory

partitioning arrangement.

For example, suppose that Server A holds:

■The naming context c=us,o=acme

■A knowledge reference to Server PQR that has more knowledge about the

overall directory partitioning arrangement

Now suppose that a client requests information on c=uk,o=acme. When Server A

finds that it does not have the c=uk,o=acme naming context, it provides the

client with a referral to Server PQR. From there, the client can find the server

holding the requested naming context.

3.11 Oracle Delegated Administration Services and the Oracle Internet

Directory Self-Service Console

Oracle Delegated Administration Services is a set of pre-defined, Web-based units for

performing directory operations on behalf of a user. This set of services frees directory

administrators from the routine tasks of directory management by enabling them to

delegate specific functions to other administrators and to end users. It provides most

Notes:

■There are presently no Internet standards for enforcing the

validity of knowledge references, and Oracle Internet Directory

does not do so. It is up to the administrator to ensure

consistency among knowledge references within an enterprise

network.

■Oracle recommends that permission for managing knowledge

reference entries be restricted, as is the case with any other

privileged administrative function such as schema or access

control.

See Also: Chapter 19, "Managing Knowledge References and

Referrals."

The Service Registry and Service to Service Authentication

3-20 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

of the functionality that directory-enabled applications require, such as creating a user

entry, creating a group entry, searching for entries, changing user passwords, and

other employee-specific data.

You can use Oracle Delegated Administration Services to develop your own tools for

administering application data in the directory. Or you can use the Oracle Internet

Directory Self-Service Console, a tool based on Oracle Delegated Administration

Services that comes ready-to-use with Oracle Internet Directory. This console is used

by several Oracle components to provide delegated administration.

3.12 The Service Registry and Service to Service Authentication

The Service Registry and the Service to Service Authentication framework are Oracle

Internet Directory features that facilitate integration between Oracle technology

components that request services from one another. The Service Registry provides a

place to store information, so that the components can discover each other. The Service

to Service Authentication framework allows one component to authenticate to another

and establishes trust among them.

The Service Registry is a container in Oracle Internet Directory (under cn=Services,

Cn=OracleContext) where components store connectivity information, such as

protocol, and other information, such as type of service. During installation, each OCS

component registers its information in the Registry. At run-time the components

discover information registered by other components. Service Registry objects are

stored in the Oracle Internet Directory DIT in a component-specific Services container

in the rootOracleContext.

Service to Service Authentication is a framework that allows one service to

authenticate to another and establish trusts among the services. At install time, each of

the client services is provisioned with a username and password in Oracle Internet

Directory. In addition, each target service defines an authorization role in Oracle

Internet Directory to control which components should it trust. When a component

requests services of another component, the requestor must authenticate to the target

service like any other client, using its own identity and credentials. The requesting

service must also be listed in the Target services Trusted Application group (Default

Group: contrasted Applications, counterpoise, cn=OracleContext). The requesting

service also must send the user's identity so that the target service can authenticate the

user as well. The data is sent securely, using either Digest authentication or the target

service's native secure authentication.

3.13 Oracle Directory Integration Platform

Oracle Directory Integration Platform enables an enterprise to integrate its

applications and other directories with Oracle Internet Directory. It provides all the

interfaces and infrastructure necessary to keep the data in Oracle Internet Directory

consistent with that in enterprise applications and connected directories. It also makes

it easier for third-party vendors and developers to develop and deploy their own

connectivity agents.

Note: All references to Oracle Delegated Administration Services in

this chapter refer to Oracle Delegated Administration Services 10g

(10.1.4.3.0) or later.

See Also: Oracle Identity Management Guide to Delegated

Administration in the 10g (10.1.4.0.1) library.

Oracle Internet Directory and Identity Management

Understanding Oracle Internet Directory Concepts and Architecture 3-21

For example, an enterprise might want employee records in its HR database to be

synchronized with Oracle Internet Directory. In addition, the enterprise may deploy

certain LDAP-enabled applications (such as Oracle Portal) that must be notified

whenever changes are applied to Oracle Internet Directory.

Based on the nature of integration, Oracle Directory Integration Platform provides two

distinct services:

■The synchronization integration service, which keeps connected directories

consistent with the central Oracle Internet Directory

■The provisioning integration service, which sends notifications to target

applications to reflect changes made to a entries of interest, such as users and

groups

3.14 Oracle Internet Directory and Identity Management

This section contains these topics:

■Section 3.14.1, "About Identity Management"

■Section 3.14.2, "Oracle Identity Management Products"

■Section 3.14.3, "Identity Management Realms"

3.14.1 About Identity Management

Identity management usually refers to the management of an organization's

application users. Steps in their security life cycle include account creation,

suspension, privilege modification, and account deletion. The managed entities may

also include devices, processes, applications, or anything else that must interact in a

networked environment. They may also include users outside of the organization, for

example customers, trading partners, or Web services.

Identity management is important to IT deployments because it can reduce

administrative costs while at the same time improving security.

The Oracle Identity Management products enable deployments to manage centrally

and securely all enterprise identities and their access to various applications in the

enterprise. Identity management comprises these tasks:

■Creating enterprise identities and managing shared properties of these identities

through a single enterprise-wide console

■Creating groups of enterprise identities

■Provisioning these identities in various services available in the enterprise. This

includes:

–Account creation

–Account suspension

–Account deletion

■Managing policies associated with these identities. These include:

–Authorization policies

–Authentication Policies

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle

Directory Integration Platform.

Oracle Internet Directory and Identity Management

3-22 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

–Privileges delegated to existing identities

3.14.2 Oracle Identity Management Products

The Oracle Identity Management products include the following:

■Oracle Internet Directory, a scalable, robust LDAP Version 3-compliant directory

service implemented on the Oracle Database.

■Oracle Virtual Directory, which provides access to multiple data sources without

the need to synchronize or move data from its native location. Oracle Virtual

Directory can provide multiple application-specific views of identity data and can

also be used to secure data access to the application-specific sources and enhance

high-availability to existing data-sources.

■Oracle Directory Integration Platform, which permits synchronization between

Oracle Internet Directory and other directories and user repositories.

■Oracle Delegated Administration Services, which provides trusted proxy-based

administration of directory information by users and application administrators.

(Oracle Internet Directory 11g Release 1 is compatible with Oracle Single Sign-On

10g (10.1.4.3.0) or later.)

■Oracle Single Sign-On, which provides single sign-on access to Oracle and third

party web applications. (Oracle Internet Directory 11g Release 1 is compatible with

Oracle Delegated Administration Services 10g (10.1.4.3.0) or later.)

■Oracle Identity Federation, which provides a self-contained federation solution

that combines the ease of use and portability of a standalone application with a

scalable, standards-based proven interoperable architecture.

■Oracle Identity Manager is a provisioning system for automatically granting and

revoking access to enterprise applications and managed systems.

■Oracle Role Manager is an enterprise-class application for managing business and

organizational relationships, roles, and entitlements.

■Oracle Enterprise Single Sign-On is an access management system for delivering

enterprise authentication and single sign-on for mainframe, client/server and Web

applications

■Oracle Access Manager is a management system for configuring digital identities

and controlling access to protected applications and content in heterogeneous

environments, primarily on the Web.

■Oracle Adaptive Access Manager is the solution for web access real-time fraud

detection and multi-factor online authentication security for the enterprise.

■Oracle Entitlements Server, which enables application developers to externalize

and centralize fine-grained authorization policies that would previously have been

embedded within applications.

■Oracle Authentication Services for Operating Systems, which enables you to

centralize storage, authentication, and management of user identities on Linux

and UNIX systems using Oracle Internet Directory.

While Oracle Identity Management is designed to provide an enterprise infrastructure

for Oracle products, it can also serve as a general-purpose identity management

solution for user-written and third-party enterprise applications. It provides a robust

and scalable enterprise-wide identity management platform for third-party

applications, hardware, and network operating systems. Custom applications can

Oracle Internet Directory and Identity Management

Understanding Oracle Internet Directory Concepts and Architecture 3-23

leverage Oracle Identity Management through a set of documented and supported

services and APIs, for example:

■Oracle Internet Directory provides LDAP APIs for C, Java, and PL/SQL, and is

compatible with other LDAP SDKs.

■Oracle Delegated Administration Services provide a core self-service console that

may be customized to support third-party applications. In addition, it provides

several services for building customized administration interfaces that manipulate

directory data.

■The Oracle Directory Synchronization Service facilitates the development and

deployment of custom solutions for synchronizing Oracle Internet Directory with

third-party directories and other user repositories.

■The Oracle Directory Integration Platform enables you to provision third-party

applications and integrate the Oracle environment with other provisioning

systems.

■Oracle Single Sign-On provides APIs for developing and deploying partner

applications that share a single sign-on session with other Oracle Web

applications.

In addition, Oracle works with third-party application vendors to ensure that their

applications can leverage Oracle Identity Management out of the box.

3.14.3 Identity Management Realms

An identity management realm defines an enterprise scope over which certain identity

management policies are defined and enforced by the deployment. It comprises:

■A well-scoped collection of enterprise identities—for example, all employees in

the US domain.

■A collection of identity management policies associated with these identities. An

example of an identity management policy would be to require that all user

passwords have at least one alphanumeric character.

■A collection of groups—that is, aggregations of identities—that simplifies the

setting of the identity management policies.

You can define multiple identity management realms within the same Oracle Identity

Management infrastructure. Multiple realms enable you to isolate user populations

and enforce a different identity management policy—for example, password policy,

naming policy, self-modification policy—in each realm.

Each identity management realm is uniquely named to distinguish it from other

realms. It also has a realm-specific administrator with complete administrative control

over the realm.

3.14.3.1 Default Identity Management Realm

For all Oracle components to function, an identity management realm is required. One

particular realm, created during installation of Oracle Internet Directory, is called the

default identity management realm. It is where Oracle components expect to find

users, groups, and associated policies whenever the name of a realm is not specified.

There can be only one default identity management realm in the directory. If a

deployment requires multiple identity management realms, then one of them must be

chosen as the default.

Resource Information

3-24 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

3.14.3.2 Identity Management Policies

The Oracle Identity Management infrastructure supports a flexible set of management

policies which comprise:

■Directory structure and naming policies that enable you to:

–Customize the directory structure in Oracle Internet Directory for your

deployment.

–Specify where various identities are to be located and how they are uniquely

identified.

■Authentication policies that enable you to specify authentication methods and

protocols supported by the Oracle Identity Management infrastructure

■Identity management authorizations that enable you to control access to certain

privileged services and delegate administration wherever necessary

3.15 Resource Information

To fulfill the requests of users, some Oracle components gather data from various

repositories and services. To gather the data, these components require the following

information:

■Information specifying the type of resource from which the data is to be gathered.

The type of resource could be, for example, an Oracle Database. This is called

resource type information.

■Information for connecting and authenticating users to the resources. This is called

resource access information.

This section contains these topics:

■Section 3.15.1, "Resource Type Information"

■Section 3.15.2, "Resource Access Information"

■Section 3.15.3, "Location of Resource Information in the DIT"

3.15.1 Resource Type Information

Information about the resources that an application uses to service a user request is

called resource type information. A resource type can be, for example, an Oracle

Database or a Java Database Connectivity Pluggable Data Source. Resource type

information includes such items as the class used to authenticate a user, the user

identifier, and the password.

You specify resource type information by using the Oracle Internet Directory

Self-Service Console.

3.15.2 Resource Access Information

Information for connecting and authenticating users to the databases is called resource

access information. It is stored in an entry called a resource access descriptor (RAD)

from which it can be retrieved and shared by various Oracle components.

Note: In Oracle Internet Directory Release 9.0.2, the equivalent

term for "identity management realm" was "subscriber."

Resource Information

Understanding Oracle Internet Directory Concepts and Architecture 3-25

For example, to service the request of a user for a sales report, Oracle Reports queries

multiple databases. When it does this, it does the following:

1. Retrieves the necessary connect information from the RAD

2. Uses that information to connect to those databases and to authenticate the user

requesting the data

After it has done this, it compiles the report.

You specify resource access information by using the Oracle Internet Directory

Self-Service Console. You can specify resource access information for each individual

user or commonly for all users. In the latter case, all users connecting to a given

application use, by default, the same information to connect to the necessary

databases. Oracle recommends defining default resource access information whenever

an application has its own integrated account management—for example, where each

user is defined within the application itself with a unique single sign-on user name.

3.15.3 Location of Resource Information in the DIT

Figure 3–8 shows where resource information is located in the DIT.

Figure 3–8 Placement of Resource Access and Resource Type Information in the DIT

As Figure 3–8 shows, the resource access and resource type information is stored in the

Oracle Context.

Resource access information for each user is stored in the cn=User Extensions

node in the Oracle Context. In this example, the cn=User Extensions node

contains resource access information for both the default user and for specific users. In

User Extensions

Products

dc=us

OracleContext

dc=acme

dc=com

root

RADs

Default

User

RADs

Oracle

Database

Server

User 2

User 1

Sales

Database

Bug

Database

Sales

Database

Bug

Database

Common

Oracle Application

Server Reports

Services

Resource

Types Common

Information

Resource Information

3-26 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

the latter cases, the resource access information includes that needed for accessing

both the Sales and the Bug databases.

Resource access information for each application is stored in the object identified by

the application name—in this example, cn=Oracle Reports Services,

cn=Products,cn=Oracle Context,dc=us,dc=acme,dc=com. This is the user

information specific to that product.

Resource type information is stored in the container cn=resource types,

cn=common,cn=products,cn=Oracle Context.

See Also:

■The sections about managing your own resource information,

creating user entries, configuring default resources, and

creating new resource types in Oracle Identity Management Guide

to Delegated Administration in the 10g (10.1.4.0.1) library for

instructions for an end user to specify resource access

information

■"Plug-in Schema Elements" in Oracle Fusion Middleware

Reference for Oracle Identity Management

■Oracle Fusion Middleware Publishing Reports to the Web with

Oracle Reports Services

Understanding Process Control of Oracle Internet Directory Components 4-1

4Understanding Process Control of Oracle

Internet Directory Components

This chapter describes the Oracle Internet Directory process control model and related

concepts. The process control model applies to the Oracle Internet Directory LDAP

server and the replication server.

This chapter contains these topics:

■Section 4.1, "Oracle Internet Directory Process Control Architecture"

■Section 4.2, "The ODS_PROCESS_STATUS Table"

■Section 4.3, "Starting, Stopping, and Monitoring of Oracle Internet Directory

Processes"

■Section 4.4, "Oracle Internet Directory Process Control–Best Practices"

For information on creating and destroying Oracle Internet Directory server instances,

see Chapter 8, "Managing Oracle Internet Directory Instances."

For information on starting and stopping the Oracle Directory Integration and

Provisioning server, see the chapter on managing the Oracle Directory Integration and

Provisioning server in Oracle Fusion Middleware Administrator's Guide for Oracle

Directory Integration Platform.

4.1 Oracle Internet Directory Process Control Architecture

The Oracle Process Manager and Notification Server (OPMN) is a daemon process that

monitors Oracle Fusion Middleware system components, including Oracle Internet

Directory. Oracle Enterprise Manager Fusion Middleware Control uses OPMN to stop

or start instances of Oracle Internet Directory. If you stop or start Oracle Internet

Directory components from the command line, you use opmnctl, the command-line

interface to OPMN

OPMN is responsible for the direct start, stop, restart and monitoring of the daemon

process, OIDMON (ORACLE_HOME/bin/oidmon). OIDMON is responsible for the

process control of an Oracle Internet Directory instance. In 11g Release 1, you can have

multiple instances of Oracle Internet Directory on the same Oracle instance on the

See Also:

■Chapter 8, "Managing Oracle Internet Directory Instances"

■Oracle Fusion Middleware Oracle Process Manager and Notification

Server Administrator's Guide for more information about the Oracle

Process Manager and Notification Server

The ODS_PROCESS_STATUS Table

4-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

same node. The recommended way to create a new Oracle Internet Directory instance

is to create a Oracle Fusion Middleware component of type OID. Each Oracle Internet

Directory instance created in this manner has its own OIDMON.

Figure 4–1 shows the overall architecture for Oracle Internet Directory process control.

For each Oracle Fusion Middleware component of type OID, OPMN spawns an

OIDMON process. The figure shows two components, oid1 and oid2. OIDMON

spawns the OIDLDAPD dispatcher process, then the dispatcher process spawns one or

more OIDLDAPD server processes. If replication is configured for that instance,

OIDMON spawns a replication server process. Each dispatcher process has its own

non-SSL and SSL port for receiving requests. The number of OIDLDAPD server

processes that the dispatcher spawns for a component is controlled by the attribute

orclserverprocs in the instance-specific configuration entry for the component.

Figure 4–1 Oracle Internet Directory Process Control

4.2 The ODS_PROCESS_STATUS Table

Oracle Internet Directory process information is maintained in the ODS_PROCESS_

STATUS table in the ODS database user schema. OIDMON reads the contents of the

table at a specified interval and acts upon the intent conveyed by the contents of that

table. The interval is controlled by the value of the sleep command line argument

used at OIDMON startup, and the default value is 10 seconds.

Table 4–1 describes the information in the ODS_PROCESS_STATUS table that is

relevant to process control:

See Also: Chapter 8, "Managing Oracle Internet Directory Instances"

for information about creating new Oracle Internet Directory

instances.

OIDLDAPD

Server2

OIDLDAPD

Server1

OIDLDAPD

Server

OIDLDAPD

Dispatcher

non-SSL Port = 3061

SSL Port = 3132

OIDREPLD

OIDMON

ias_component=oid2

OIDMON

ias_component=oid1

OIDLDAPD

Dispatcher

non-SSL Port = 3060

SSL Port = 3131

OPMN

Oracle Database

Shared Memory

Starting, Stopping, and Monitoring of Oracle Internet Directory Processes

Understanding Process Control of Oracle Internet Directory Components 4-3

4.3 Starting, Stopping, and Monitoring of Oracle Internet Directory

Processes

This section describes the events that occur when OPMN starts and stops Oracle

Internet Directory. It also describes process monitoring. This section includes the

following topics:

■Section 4.3.1, "Oracle Internet Directory Snippet in opmn.xml"

■Section 4.3.2, "OPMN Starting Oracle Internet Directory"

■Section 4.3.3, "OPMN Stopping of Oracle Internet Directory"

■Section 4.3.4, "Process Monitoring"

4.3.1 Oracle Internet Directory Snippet in opmn.xml

When OPMN starts OIDMON, it determines what arguments to use based on the

Oracle Internet Directory snippet in the OPMN configuration file, ORACLE_

INSTANCE/config/OPMN/opmn/opmn.xml. The following is a sample Oracle

Internet Directory snippet:

<ias-component id="<componentName>">

<process-type id="OID" module-id="OID">

<process-set id="OID" numprocs="1">

Table 4–1 Process Control Items in the ODS_PROCESS_STATUS Table

Item Meaning

Instance Unique instance number for a given server ID on a given host

PID Process ID of the server that is up and running

ServerID Server ID (2=OIDLDAPD, 3=OIDREPLD)

Flags Command line arguments that must be passed to the server

instance

Hostname Name of the host on which this server must be present

State State of the Server Instance (0=stop, 1=start, 2=running,

3=restart, 4=shutdown, 5=failed-over, 7=delete, 8=add).

OIDMON updates the state.

RetryCount Number of attempts to start the server instance before it could

be started successfully

Instancename Name of the server instance, for example: server1

Compname Name of the server component, for example: OID1

Notes:

■There is a uniqueness constraint on: Instance,Instancename,

Compname, ServerID,Hostname.

■Details about ODS_PROCESS_STATUS are provided here for

informational purposes only. Do not attempt to modify this table

directly.

Starting, Stopping, and Monitoring of Oracle Internet Directory Processes

4-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

</environment>

<module-data>

</category>

</module-data>

</process-set>

</process-type>

</ias-component>

Two tags are specific to Oracle Internet Directory:

■Oracle Internet Directory component-specific directives for OPMN are located

under the tag <ias-component id="OID" status="enabled>.

■OIDMON-related requirements are located under the tag <category

id="oidmon parameters">. There should be only one such directive.

4.3.2 OPMN Starting Oracle Internet Directory

Oracle Internet Directory is started as follows:

■You start an Oracle Internet Directory instance with Oracle Enterprise Manager

Fusion Middleware Control or with the command opmnctl.

■OPMN issues an oidmon start command with appropriate arguments, as

specified in the "oidmon parameters" in the OID Snippet in opmn.xml.

■OIDMON then starts all Oracle Internet Directory Server instances whose

information in the ODS_PROCESS_STATUS table has state value 1 or 4 and

ORACLE_INSTANCE, COMPONENT_NAME, INSTANCE_NAME values matching

the environment parameters set by OPMN.

4.3.3 OPMN Stopping of Oracle Internet Directory

Oracle Internet Directory is stopped as follows:

■You stop an Oracle Internet Directory instance with Oracle Enterprise Manager

Fusion Middleware Control or with opmnctl.

See Also:

■Section 8.2.2, "Starting the Oracle Internet Directory Server by

Using Fusion Middleware Control"

■Section 8.3.7, "Starting the Oracle Internet Directory Server by

Using opmnctl"

Note: When you use opmnctl to start only Oracle Internet Directory

instances, the opmn.xmlparameters are not reloaded as they are when

you use opmnctl startall. Execute opmnctl reload to reload

the changes in the file ORACLE_

INSTANCE/config/OPMN/opmn/opmn.xml.

Oracle Internet Directory Process Control–Best Practices

Understanding Process Control of Oracle Internet Directory Components 4-5

■OPMN issues an oidmon stop.

■For each row in the ODS_PROCESS_STATUS table that matches the environment

parameters ORACLE_INSTANCE, COMPONENT_NAME, and INSTANCE_

NAME, the oidmon stop command kills OIDMON, OIDLDAPD, and OIDREPLD

processes and updates the state to 4.

4.3.4 Process Monitoring

OPMN does not monitor server processes directly. OPMN monitors OIDMON and

OIDMON monitors the server processes. The events are as follows:

■When you start OIDMON through OPMN, OPMN starts OIDMON and ensures

that OIDMON is up and running.

■If OIDMON goes down for some reason, OPMN brings it back up.

■OIDMON monitors the status of the Oracle Internet Directory dispatcher process,

LDAP server processes, and replication server process and makes this status

available to OPMN and Fusion Middleware Control. The opmnctl status

command can show OIDLDAPD process PIDS because OIDMON sends OPMN

that information.

4.4 Oracle Internet Directory Process Control–Best Practices

The recommended approach for using opmnctl and oidctl is as follows:

■Use opmnctl to stop or start Oracle Internet Directory as a component. That is,

use it to stop or start all Oracle Internet Directory LDAP and replication server

instances.

–Using opmnctl to stop Oracle Internet Directory causes OPMN to issue an

oidmon stop, which results in OIDMON shutting down all configured

LDAP and replication server instances.

–Using opmnctl to start Oracle Internet Directory causes OPMN to issue an

oidmon start, which results in OIDMON starting up all configured LDAP

and replication server instances.

See Also:

■Section 8.2.3, "Stopping the Oracle Internet Directory Server by

Using Fusion Middleware Control"

■Section 8.3.8, "Stopping the Oracle Internet Directory Server by

Using opmnctl"

Note: When you use opmnctl to start only Oracle Internet Directory

instances, the opmn.xmlparameters are not reloaded as they are when

you use opmnctl startall. Execute opmnctl reload to reload

the changes in the file ORACLE_

INSTANCE/config/OPMN/opmn/opmn.xml.

See Also:

■Chapter 8, "Managing Oracle Internet Directory Instances"

■Chapter 39, "Setting Up Replication" for more information on

starting and stopping Oracle Internet Directory

Oracle Internet Directory Process Control–Best Practices

4-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■Use oidctl to stop and start an Oracle Internet Directory Replication Server

Instance without affecting the associated OIDMON and LDAP server instance

managed by OIDMON.

See Also:

■Chapter 39, "Setting Up Replication" for more information on

starting and stopping a replication server.

■Appendix B, "Managing Oracle Internet Directory Instances by

Using OIDCTL."

Understanding Oracle Internet Directory Organization 5-1

5Understanding Oracle Internet Directory

Organization

This chapter discusses further details to consider when designing the logical

organization of directory information. It contains these topics:

■Section 5.1, "The Directory Information Tree"

■Section 5.2, "Planning the Overall Directory Structure"

■Section 5.3, "Planning the Names and Organization of Users and Groups"

■Section 5.4, "Migrating a DIT from a Third-Party Directory"

5.1 The Directory Information Tree

Oracle Internet Directory serves as a shared repository for the entire Oracle Identity

Management infrastructure. A carefully planned logical structure of the directory

enables:

■Enforcement of security policies that meet the requirements of your deployment

■An efficient physical deployment of the directory service

■Easier configuration of synchronization of a third-party directory with Oracle

Internet Directory

Figure 5–1 shows a directory information tree for a hypothetical company, called

MyCompany, that is deploying identity management.

Planning the Overall Directory Structure

5-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Figure 5–1 Planning the Directory Information Tree

MyCompany makes the following decisions with respect to the logical organization of

the directory in their U.S. deployment:

■A domain name-based scheme is to represent the overall DIT hierarchy. Because

the identity management infrastructure is being rolled out in the us domain, the

root of the DIT is dc=us,dc=mycompany,dc=com.

■Within the naming context chosen, all users are represented under a container

called cn=users. Within this container, all users are represented at the same

level—that is, there is no organization-based hierarchy. In addition, the uid

attribute is chosen as the unique identifier for all users.

■Within the naming context chosen, all enterprise groups are represented under a

container called cn=groups. Within this container, all enterprise groups are

represented at the same level. The naming attribute for all group entries is cn.

■Finally, the container dc=us is chosen as the root of the identity management

realm. In this case, the name of the realm is us. The deployment expects to enforce

similar security policies for all users who fall under the scope of the us realm.

Planning the logical organization of the directory for Oracle Identity Management

involves planning:

■The overall structure of the directory information tree

■The directory containment and naming for users and groups

■The identity management realm

5.2 Planning the Overall Directory Structure

This task involves designing the basic directory information tree that all identity

management-integrated applications in the enterprise are to use. As you do this, keep

these considerations in mind:

■The directory organization should facilitate clean and effective access control. If

either full or partial replication is planned, then proper boundaries and policies for

replication can be enforced only if the design of the DIT brings out the separation.

cn=Groups

cn=Users

dc=us

dc=MyCompany

dc=com

root

cn=

group2

cn=

group1

uid=

user1

uid=

user2

Identity Management Realm

Realm name: 'US'

User / Group Naming

and Containment

Overall

DIT

Structure

Planning the Names and Organization of Users and Groups

Understanding Oracle Internet Directory Organization 5-3

■If the enterprise is integrating with a third-party directory server, then it is best to

align the DIT design of Oracle Internet Directory with the existing DIT. This

consideration also applies to deployments that are rolling out Oracle Internet

Directory now but plan to roll out another directory later—for example, Microsoft

Active Directory that is required for the operation of software from Microsoft. In

each case, choosing an Oracle Internet Directory DIT design that is more consistent

with that of the third-party directory makes management of user and group

objects easier through Oracle Delegated Administration Services and other

middle-tier applications.

■In a single enterprise scenario, choosing a DIT design that aligns with the DNS

domain name of the enterprise suffices. For example, if Oracle Internet Directory is

set up in a company having the domain name mycompany.com, then a directory

structure that has dc=mycompany,dc=com is recommended. Oracle recommends

that you not use departmental or organization level domain components such as

engineering in engineering.mycompany.com.

■If the enterprise has an X.500 directory service, and no other third-party LDAP

directories in production, then it may benefit by choosing a country-based DIT

design. For example, a DIT design with the root of o=mycompany, c=US might

be more suitable for enterprises which already have an X.500 directory service.

■Because the directory can be used by several applications—both from Oracle and

from third-parties alike—the naming attributes used in relative distinguished

names (RDNs) constituting the overall DIT structure should be restricted to

well-known attributes. The following attributes are generally well-known among

most directory-enabled applications:

–c: The name of a country

–dc: A component of a DNS domain name

–l: The name of a locality, such as a city, county or other geographic region

–o: The name of an organization

–ou: The name of an organizational unit

–st: The name of a state or province

■A common mistake is to design the DIT to reflect either the corporate divisional or

organizational structure. Because most corporations undergo frequent

reorganization and divisional restructuring, this is not advisable. It is important to

insulate the corporate directory from organizational changes as much as possible.

5.3 Planning the Names and Organization of Users and Groups

This section offers some things to consider when modeling users and groups in Oracle

Internet Directory. Most of the design considerations that are applicable to the overall

DIT design are also applicable to the naming and containment of users and groups.

5.3.1 Organizing Users

The Oracle Identity Management infrastructure uses Oracle Internet Directory as the

repository for all user identities. Even though a user might have account access to

multiple applications in the enterprise, there is only one entry in Oracle Internet

Directory representing that user's identity. The location and content of these entries in

the overall DIT must be planned before deploying Oracle Internet Directory and other

components of the Oracle Identity Management infrastructure.

Planning the Names and Organization of Users and Groups

5-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■As mentioned in the previous section, it is tempting to organize users according to

their current departmental affiliations and hierarchy. However, this is not

advisable because most corporations undergo frequent reorganization and

divisional restructuring. It is more manageable to capture a person's

organizational information as an attribute of that person's directory entry.

■There are no performance benefits derived from organizing users in a hierarchy

according to organizational affiliations or management chain. Oracle recommends

that you keep the DIT containing users as flat as possible.

■If the deployment has different user populations with each one maintained and

managed by a different organization, then Oracle recommends subdividing users

into containers based on these administrative boundaries. This simplifies the

setting of access controls and helps in cases where replication is needed.

■The out-of-the-box default nickname attribute for uniquely identifying users in

lookup operations is uid. This is the default attribute used for logins. The

out-of-the-box default naming attribute for constructing a DN is cn.

■The default attribute for uniquely identifying users is cn or CommonName. The

typical value of CommonName is the person's full name. People's names or email

addresses, however, can change and therefore might not be suitable as values of

this attribute. If possible, choose a value that will not change and that uniquely

identifies a user, such as the employee id.

■Typically, most enterprises have a Human Resources department that establishes

rules for assigning unique names and numbers for employees. When choosing a

unique naming component for directory entries, it is good to exploit this

administrative infrastructure and use its policies.

■It is required that all user entries created in the directory belong to the following

object classes: inetOrgPerson, orclUserV2.

■If you already have a third-party directory, or plan to integrate with one in the

future, then it is beneficial to align the user naming and directory containment in

Oracle Internet Directory with the one used in the third-party directory. This

simplifies the synchronization and subsequent administration of the distributed

directories.

5.3.2 Organizing Groups

Some applications integrated with the Oracle Identity Management infrastructure can

also base their authorizations on enterprise-wide groups created by the deployment in

Oracle Internet Directory. Like user entries, the location and content of these group

entries should also be carefully planned. When you design groups, consider the

following:

■There are no performance benefits to be gained from organizing enterprise groups

in a hierarchy based on the organizational affiliations or ownership. Oracle

recommends keeping the DIT that contains groups as flat as possible. This

facilitates easy discovery of groups by all applications and fosters sharing of these

groups across applications.

■It is preferable to separate the users and groups in the DIT so that different

management policies can be applied to each set of entries.

Note: In Oracle Internet Directory Release 9.0.2, the default value

for the nickname attribute was cn. As of Release 9.0.4, the default

value for this attribute is uid.

Migrating a DIT from a Third-Party Directory

Understanding Oracle Internet Directory Organization 5-5

■The attribute used to uniquely identify a group should be cn or CommonName.

■All group entries created by the enterprise in the directory should belong to the

following object classes: groupOfUniqueNames and orclGroup. The former

object class is an internet standard for representing groups. The latter is useful

when using the Oracle Internet Directory Self-Service Console to manage groups.

■Instead of creating new directory access controls for each enterprise-wide group,

consider doing the following:

1. Use the owner attribute of the group to list which users own this group.

2. Create an access control policy at a higher level that grants all users listed in

the owner attribute special privileges to perform the various operations.

■In the description attribute, provide information for users to understand the

purpose of the group.

■Consider using the displayName attribute from the orclGroup object class. This

attribute enables Oracle Delegated Administration Services and Oracle Internet

Directory Self-Service Console to display a more readable name for the group.

■If you have different sets of groups, each of which is maintained and managed by

a different organization with its own administrative policies, then sub-divide the

groups into containers based on these administrative boundaries. This simplifies

the setting of access controls. It also helps when replication is needed.

■If you already have a third-party directory, or plan to integrate with one in the

future, then align the group naming and directory containment in Oracle Internet

Directory with the one used in the third-party directory. This simplifies the

synchronization and subsequent administration of the distributed directories.

5.4 Migrating a DIT from a Third-Party Directory

To migrate a DIT from a third-party directory, use the techniques described in

Chapter 36, "Migrating Data from Other Data Repositories" and in Oracle Fusion

Middleware Administrator's Guide for Oracle Directory Integration Platform for

synchronizing with third-party metadirectory solutions and integrating with

third-party directories. If you are migrating a DIT from a Microsoft Active Directory

environment, also see the chapter on integration with the Microsoft Active Directory

Environment. Oracle recommends that you configure the Oracle Internet Directory

DIT to be identical to the third-party DIT.

Migrating a DIT from a Third-Party Directory

5-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Understanding Oracle Internet Directory Replication 6-1

6 Understanding Oracle Internet Directory

Replication

This chapter provides an introduction to Oracle Internet Directory replication.

Replication is the process of copying and maintaining the same naming contexts on

multiple directory servers. It can improve performance by providing more servers to

handle queries and by bringing the data closer to the client. It improves reliability by

eliminating risks associated with a single point of failure.

Figure 6–1 shows a replicated directory.

Figure 6–1 A Replicated Directory

This chapter contains the following topics:

■Section 6.1, "Why Use Replication?"

■Section 6.2, "Replication Concepts"

Server A

Naming context

Replicated naming

context

dc=com

dc=acme

Server B

dc=com

dc=acme

c=us c=uk c=au c=us c=uk c=au

Why Use Replication?

6-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■Section 6.3, "What Kind of Replication Do You Need?"

6.1 Why Use Replication?

There are many reasons to implement replication, including the following:

■Local accessibility and performance requirements

Most corporations have operations in many regions in the world, and those

operations need a common directory. Suppose that the regions were

interconnected with low bandwidth links involving multiple intermediate routers.

A client accessing a directory server from outside the region could experience a

very high latency, and even inadequate throughput. In such cases, a regional

replica is essential.

■Load balancing

When directory access exceeds the capacity of an existing server, an additional

server can share the load. Even if the deployment meets the load, it can be less

costly to maintain two relatively low-end systems than one high-end system.

■Failure tolerance and higher overall system availability

One of the most important reasons to implement directory replication is to

increase overall system availability. When one server is unavailable, the traffic can

be routed to other available servers. This can be transparent to clients.

6.2 Replication Concepts

This section briefly introduces some basic concepts.

This section contains the following topics:

■Section 6.2.1, "Content to be Replicated: Full or Partial"

■Section 6.2.2, "Direction: One-Way, Two-Way, or Peer to Peer"

■Section 6.2.3, "Transport Mechanism: LDAP or Oracle Database Advanced

Replication"

■Section 6.2.4, "Directory Replication Group (DRG) Type: Single-master,

Multimaster, or Fan-out"

■Section 6.2.5, "Loose Consistency Model"

■Section 6.2.6, "How the Replication Concepts Fit Together"

■Section 6.2.7, "Multimaster Replication with Fan-Out"

6.2.1 Content to be Replicated: Full or Partial

One decision you must make when setting up replication is how much of the DIT to

replicate from one node to another. The choices are:

See Also:

■Part V, "Advanced Administration: Directory Replication"

■Appendix C, "Setting Up Oracle Database Advanced

Replication-Based Replication"

■Appendix D, "How Replication Works"

Replication Concepts

Understanding Oracle Internet Directory Replication 6-3

Full replication involves propagating the entire DIT to another node. This type of

replication ensures the high availability of the entire directory. You can also use it to

distribute operations on the entire directory among different nodes. Full replication

can be based on either LDAP or Oracle Database Advanced Replication.

Partial replication enables you to propagate one or more subtrees, rather than the

entire DIT, to another node. Decentralizing a directory in this way enables you to

balance the workload between servers and build a highly available distributed

directory, complete with fault tolerance and failover. You can set up partial replication

by using command-line tools or the Replication Wizard in Oracle Enterprise Manager.

Partial replication is most often LDAP-based.

Figure 6–2 shows an example of partial replication.

Figure 6–2 Example of Partial Replication

6.2.2 Direction: One-Way, Two-Way, or Peer to Peer

The direction of replication can be one-way, two-way or peer-to-peer:

Table 6–1 Full or Partial Replication

Content to Replicate Description

Full Propagates the entire DIT to another node.

Partial Propagates one or more subtrees, rather than the entire DIT, to

another node.

Table 6–2 Direction of Replication

Direction Description

One-Way One node is configured as the supplier and the other as the

consumer. The consumer is read-only.

Two-Way Both nodes are both supplier and consumer. They are both

read/write, or updatable.

Peer-to-Peer All nodes in a replication group are both supplier and consumer

to all other nodes

Replicated Naming

Context

Server 1 Server 2

AB C BC

Replication Concepts

6-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Sometimes the terms read-only and read/write are used to describe direction of

replication. In a one-way replication agreement, the consumer node is said to be

read-only. That is, you cannot propagate changes to other nodes by writing to that

node. In a two-way replication agreement, both nodes are considered to be

read/write. Another term for read/write is updatable.

Sometimes the term multimaster is used instead of peer-to-peer. Multimaster actually

refers to the type of replication group, as described in Section 6.2.4, "Directory

Replication Group (DRG) Type: Single-master, Multimaster, or Fan-out."

6.2.3 Transport Mechanism: LDAP or Oracle Database Advanced Replication

Oracle Internet Directory supports two protocols you can use for replicating data from

one node to another. The protocols are:

LDAP replication can be configured as peer-to-peer, one-way or two-way. Advanced

Replication is usually peer-to-peer.

6.2.4 Directory Replication Group (DRG) Type: Single-master, Multimaster, or Fan-out

The directory servers that participate in the replication of a given naming context form

a directory replication group (DRG). The relationship among the directory servers in a

DRG is represented on each node by a special directory entry called a replication

agreement. A replication agreement can be either one-way or two-way.

Each copy of a naming context contained within a server is called a replica. A server

that sends the updates made to it to other servers is known as a supplier. A server that

accepts those changes is called a consumer. A server can be both a supplier and a

consumer.

A directory replication group can be single-master, multimaster, or fan-out as

described in Table 6–4.

Table 6–3 Transport Protocols

Transport Mechanism Description

LDAP Uses the industry-standard Lightweight Directory Access

Protocol Version 3. This is the recommended protocol to use for

replication, unless you are also performing Oracle Single

Sign-On replication.

Oracle Database Advanced

Replication

Uses the replication feature of Oracle Database. Also called

Advanced Replication. This replication protocol is currently

required for Oracle Single Sign-On replication.

Table 6–4 Types of Directory Replication Groups

Group Description

Single-master Has only one supplier replicating changes to one or more consumers.

Clients can update only the master node, and can only read data on any

of the consumers. This type of group typically uses LDAP. It is also

possible to configure Advanced Replication as single-master, by

switching all nodes in a group except one to read-only mode.

Multimaster Enables multiple sites, acting as equals, to manage groups of replicated

data. In a multimaster replication environment, each node is both a

supplier and a consumer node. Multimaster replication can use either

LDAP or Advanced Replication as its transport mechanism. The full

DIT is replicated on each node. Replication is always peer-to-peer.

Replication Concepts

Understanding Oracle Internet Directory Replication 6-5

6.2.4.1 Single-Master Replication Example

Figure 6–3, "Example of Single-Master Replication" shows a single-master replication

environment.

Figure 6–3 Example of Single-Master Replication

In Figure 6–3, each bullet represents a node of Oracle Internet Directory. Node A is a

supplier that replicates consumer nodes B and C. Node A is read/write, and Nodes B

and C are read-only. The data transfer protocol is LDAP.

6.2.4.2 Multimaster Replication Example

The example in Figure 6–4 shows three nodes—A, B, and C—that update each other in

a multimaster replication group. Replication between nodes is two-way.

Figure 6–4 Example of Multimaster Replication

In Figure 6–4, all replication is two-way.

Fan-out Also called a point-to-point replication group, has a supplier replicating

directly to a consumer. That consumer can then replicate to one or more

other consumers. Fan-out uses LDAP as its transport mechanism. The

replication can be either full or partial. It can be either one-way or

two-way.

Table 6–4 (Cont.) Types of Directory Replication Groups

Group Description

Read-Write

Read-Only

One -Way LDAP

Read-Write

Multimaster Replication

Replication Concepts

6-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

6.2.4.3 Fan-out Replication Example

Figure 6–5 shows a fan-out replication environment.

Figure 6–5 Example of Fan-Out Replication

In Figure 6–5, supplier A replicates to two consumers, B and C. Consumer node B

contains a partial replica of A, whereas consumer node C contains a full replica of A.

Each of these nodes, in turn, serves as a supplier that replicates data to two other

consumers: Node B partially replicates to nodes D and E, and node C fully replicates

to nodes F and G. Nodes D and F are read-only.

In fan-out replication, nodes transfer data by using LDAP.

6.2.5 Loose Consistency Model

Directory replication architecture is based on a loose consistency model: Two

replicated nodes in a replication agreement are not guaranteed to be consistent in real

time. This increases the overall flexibility and availability of the directory network,

because a client can modify data without all interconnected nodes being available.

Suppose, for example, that one node is unavailable or heavily loaded. With

multimaster replication, the operation can be performed on an alternate node, and all

interconnected nodes synchronize in due course.

6.2.6 How the Replication Concepts Fit Together

Table 6–5 shows each of the two transport mechanisms, LDAP and Oracle Database

Advanced Replication, and describes how each type can be combined with other

replication concepts.

Note: Multimaster replication is the only replication mechanism

supported in Oracle Single Sign-On, as described in the section

"Configuring Oracle Single Sign-On for Replication" in the chapter

on high availability in the Oracle Application Server Single Sign-On

Administrator's Guide in the 10g (10.1.4.0.1) library.

Full Replica

Partial Replica

One-Way LDAP

Two-Way LDAP

ED GF

Replication Concepts

Understanding Oracle Internet Directory Replication 6-7

6.2.7 Multimaster Replication with Fan-Out

Oracle Internet Directory enables any node in a multimaster replication group to also

participate in a fan-out replication agreement. Within the multimaster replication

agreement, data transfer between the nodes occurs by way of Oracle Database

Advanced Replication or LDAP. Within the fan-out replication agreement, data

transfer from supplier to consumer occurs by way of LDAP and can be either one-way

or two-way.

Figure 6–6 shows an example of multimaster replication used with fan-out replication.

Table 6–5 Types of Data Transfer Between Nodes in a Directory Replication Group

Concept LDAP-Based Replication

Oracle Database Advanced

Replication-Based Replication

Content replicated Full replica

Partial replica

Full replica (usually)

Direction of replication Peer-to-peer

One-way

Two-way

Peer-to-peer

DRG Type Multimaster replication

Single-master replication

Fan-out replication

Multimaster replication

Single-master replication, by

switching all masters in a

multimaster configuration except one

to read-only mode.

What Kind of Replication Do You Need?

6-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Figure 6–6 Example of Multimaster Replication with Fan-Out

In the example in Figure 6–6, nodes A, B, and C form a multimaster replication group.

They transfer data among them by using either LDAP or Advanced Replication.

Node B supplies changes to Node D, a replica of the entire directory. Node D, in turn,

supplies changes to Nodes F and G by using LDAP-based replication. Both Nodes F

and G are replicas of the entire directory. Similarly, Node E is a full replica of Node C.

Node E, in turn supplies changes to Node H, a replica of the entire directory, and

Node I, a partial replica, by using LDAP-based replication. Nodes F and H are

read-only.

6.3 What Kind of Replication Do You Need?

The type of replication you need depends on the features that are important in your

enterprise. This section discusses the types of replication to use to achieve three

features: local availability, load balancing, and high availability

Local Availability

Local availability is important in the following situations:

■You need a local copy of the master data that is specific to the local site. This might

be the entire DIT or a partial DIT.

See Also: "LDAP-Based Replication" on page 29-23 for more

information about fan-out replication

Multimaster Replication-based replica

Full Replica

Partial Replica

One-Way LDAP

Multimaster Replication

Multimaster

Replication

Fan-Out

Replication

Two-Way LDAP

What Kind of Replication Do You Need?

Understanding Oracle Internet Directory Replication 6-9

■You need the increased scalability and performance that you can get by

distributing the work load among multiple servers.

■You want to reduce the network dependency and network load caused by users

from local sites connecting to the master site.

If the local site does not update the data, use one-way replication from master node to

local nodes

If the local site does need to update the data and the updates must be replicated back

to the master site, use two-way replication between master node and local nodes.

Load Balancing

Load Balancing is important in the following situations:

■You want to increase scalability and performance by distributing work load

among multiple servers

■You want to dedicate specific servers to certain applications, such as single sign-on

or e-mail applications

■You require network load balancing.

You can use LDAP multi-master replication to replicate the data between two or more

nodes. If Oracle Single Sign-On10g (10.1.4.3.0) or later is also installed and Oracle

Single Sign-On schema must be replicated for load balancing, use Oracle Database

Advanced Replication-based multimaster replication. Otherwise, you can use

LDAP-based multimaster replication.

High Availability

High availability is important in the following situations:

■You require a high availability solution with at least one backup server to prevent

loss from single server failure

■You need a disaster recovery solution that uses geographically distributed

deployments to protect applications from disasters.

Usually, you can use LDAP-based multimaster replication to replicate the data

between two or more nodes. If Oracle Single Sign-On 10g (10.1.4.3.0) or later is also

installed along with Oracle Internet Directory, however, then use Oracle Database

Advanced Replication-based multimaster replication.

Note: When you configure a load balancer for use with replication,

use sticky routing and not round-robin routing. Replication is

asynchronous in nature, so changes made on one node are not

available immediately on the other nodes.

What Kind of Replication Do You Need?

6-10 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Part II

Part II Basic Administration

This part guides you through common Oracle Internet Directory configuration and

maintenance tasks. This part contains these chapters:

■Chapter 7, "Getting Started With Oracle Internet Directory"

■Chapter 8, "Managing Oracle Internet Directory Instances"

■Chapter 9, "Managing System Configuration Attributes"

■Chapter 10, "Managing IP Addresses"

■Chapter 11, "Managing Naming Contexts"

■Chapter 12, "Managing Accounts and Passwords"

■Chapter 13, "Managing Directory Entries"

■Chapter 14, "Managing Dynamic and Static Groups"

■Chapter 15, "Performing Bulk Operations"

■Chapter 16, "Managing Collective Attributes"

■Chapter 17, "Managing Alias Entries"

■Chapter 18, "Managing Attribute Uniqueness Constraint Entries"

■Chapter 19, "Managing Knowledge References and Referrals"

■Chapter 20, "Managing Directory Schema"

■Chapter 21, "Configuring Referential Integrity"

■Chapter 22, "Managing Auditing"

■Chapter 23, "Managing Logging"

■Chapter 24, "Monitoring Oracle Internet Directory"

■Chapter 25, "Backing Up and Restoring Oracle Internet Directory"

Getting Started With Oracle Internet Directory 7-1

7Getting Started With Oracle Internet

Directory

This chapter assumes you have installed and configured Oracle Internet Directory as

described in: Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

This chapter describes the management interfaces and documents the first tasks you

must perform as an administrator of Oracle Internet Directory.

It contains the following sections:

■Section 7.1, "Patching Your System to 11g Release 1 (11.1.1.6.0)"

■Section 7.2, "Postinstallation Tasks and Information"

■Section 7.3, "Using Fusion Middleware Control to Manage Oracle Internet

Directory"

■Section 7.4, "Using Oracle Directory Services Manager"

■Section 7.5, "Using Command-Line Utilities to Manage Oracle Internet Directory"

■Section 7.6, "Basic Tasks for Configuring and Managing Oracle Internet Directory"

7.1 Patching Your System to 11g Release 1 (11.1.1.6.0)

To patch an existing system to 11g Release 1 (11.1.1.6.0), follow the procedures in

Oracle Fusion Middleware Patching Guide. In addition, perform the following task:

7.1.1 Upgrading a Directory Replication Group

If replication is configured in your existing Oracle Internet Directory environment,

you must follow the procedure in Appendix Q, "Performing a Rolling Upgrade."

7.2 Postinstallation Tasks and Information

Perform these tasks after you complete installation and basic configuration of Oracle

Internet Directory.

■Section 7.2.1, "Setting Up the Environment"

■Section 7.2.2, "Adding Datafiles to the OLTS_CT_STORE and OLTS_ATTRSTORE

Tablespaces"

■Section 7.2.3, "Changing Settings of Windows Services"

■Section 7.2.4, "Starting and Stopping the Oracle Stack"

■Section 7.2.5, "Identifying Default URLs and Ports"

Postinstallation Tasks and Information

7-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■Section 7.2.6, "Tuning Oracle Internet Directory"

■Section 7.2.7, "Enabling Anonymous Binds"

■Section 7.2.8, "Enabling Oracle Internet Directory to run on Privileged Ports"

■Section 7.2.9, "Verifying Oracle Database Time Zone"

7.2.1 Setting Up the Environment

Set the environment variables described at the beginning of Section 7.5, "Using

Command-Line Utilities to Manage Oracle Internet Directory."

7.2.2 Adding Datafiles to the OLTS_CT_STORE and OLTS_ATTRSTORE Tablespaces

You can skip this step if you have a fresh installation of Oracle Internet Directory 11g

Release 1 (11.1.1.6.0) or newer. In that case your Oracle Internet Directory schemas

were created by using the Release 1 (11.1.1.6.0) or newer versions of RCU and

config.sh.

If your schema were created during installation of a version prior to 11g Release 1

(11.1.1.6.0), you must add datafiles to the OLTS_CT_STORE and OLTS_ATTRSTORE

tablespaces if you intend to add more than a million entries to Oracle Internet

Directory. Perform this step prior to the bulkload or ldapadd operation. For details,

see the section "Creating Datafiles and Adding Datafiles to a Tablespace" in Oracle

Database Administrator's Guide.

7.2.3 Changing Settings of Windows Services

Change the Startup type of the following Windows services from Automatic to

Manual: Oracle Database, TNS Listener, OPMN. This is necessary to ensure that the

services start in the correct order.

7.2.4 Starting and Stopping the Oracle Stack

See Appendix P, "Starting and Stopping the Oracle Stack" for information.

7.2.5 Identifying Default URLs and Ports

This section lists some default URLs and ports:

7.2.6 Tuning Oracle Internet Directory

The default Oracle Internet Directory configuration must be tuned in almost all

deployments. You must change the values of the certain configuration attributes,

based on your deployment. See the "Basic Tuning Recommendations" section of the

Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning

URL or Port Default Value

Oracle Directory Services Manager (ODSM) http://host:7005/odsm

Oracle Enterprise Manager Fusion Middleware

Control

http://host:7001/em/

Oracle WebLogic Server Administrative Console http://host:7001/console/

Oracle Internet Directory LDAP 3060

Oracle Internet Directory LDAPS 3131

Postinstallation Tasks and Information

Getting Started With Oracle Internet Directory 7-3

Guide especially the tables " Minimum Values for Oracle Database Instance

Parameters" and "LDAP Server Attributes to Tune."

For more information about tuning, see the Oracle Internet Directory chapter in Oracle

Fusion Middleware Performance and Tuning Guide. For descriptions of all the attributes,

see Chapter 9, "Managing System Configuration Attributes" and Chapter 41,

"Managing Replication Configuration Attributes."

7.2.7 Enabling Anonymous Binds

Anonymous searches, except those on the root DSE, are disabled by default. In some

deployment environments, clients might need access to more than the root DSE. If you

have such a deployment, set the orclanonymousbindsflag attribute to 1. See

"Managing Anonymous Binds" on page 32-8 for more information.

7.2.8 Enabling Oracle Internet Directory to run on Privileged Ports

On many operating systems, only processes running with superuser privilege can use

port numbers less than 1024. By default, Oracle Identity Management 11g Installer

does not assign privileged ports to Oracle Internet Directory, although you can

override the default by using staticports.ini. (See Oracle Fusion Middleware

Installation Guide for Oracle Identity Management.)

If you want to change the SSL and non-SSL ports to numbers in the privileged range

after installation, proceed as follows:

1. As the root user, execute ORACLE_HOME/oidRoot.sh.

2. Reassign the port numbers in one of the following ways:

■Change the SSL Port and Non-SSL Port values on the General tab of the

Server Properties page in Oracle Enterprise Manager Fusion Middleware

Control, as described in"Configuring Server Properties" on page 9-12.

■Change the values of orclnonsslport and orclsslport in the

instance-specific configuration entry by using ldapmodify, as described in

Section 9.4.1, "Setting System Configuration Attributes by Using ldapmodify."

3. Run opmnctl updatecomponentregistration, as described in Section 8.3.4,

"Updating the Component Registration of an Oracle Instance by Using opmnctl."

(This step is not necessary if you are running a standalone instance of Oracle

Internet Directory, as described in "Creating Additional Oracle Internet Directory

Instances" on page 8-3.)

4. Restart Oracle Internet Directory, as described inSection 8.2.4, "Restarting the

Oracle Internet Directory Server by Using Fusion Middleware Control" or

Section 8.3.9, "Restarting the Oracle Internet Directory Server by Using opmnctl."

7.2.9 Verifying Oracle Database Time Zone

To ensure that the Oracle Internet Directory garbage collection logic works correctly,

verify the Oracle Database dbtimezone parameter, as described in Section 35.2, "Set

Oracle Database Time Zone for Garbage Collection."

See Also: Oracle Database Net Services Administrator's Guide

Using Fusion Middleware Control to Manage Oracle Internet Directory

7-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

7.3 Using Fusion Middleware Control to Manage Oracle Internet Directory

Oracle Enterprise Manager Fusion Middleware Control is a graphical user interface

that provides a comprehensive systems management platform for Oracle Fusion

Middleware. Fusion Middleware Control organizes a wide variety of performance

data and administrative functions into distinct, Web-based home pages for the

domain, Oracle instances, middleware system components, and applications.

Oracle Internet Directory is a target type in Oracle Enterprise Manager Fusion

Middleware Control. To use the interface to Oracle Internet Directory:

1. Connect to Fusion Middleware Control.

The URL is of the form:

https://host:port/em

2. In the left panel topology tree, expand the domain, then Fusion Middleware, then

Identity and Access. Alternatively, from the domain home page, expand Fusion

Middleware, then Identity and Access. Instances of Oracle Internet Directory are

listed in both places. To view the full name of a component instance, move the

mouse over the instance name.

3. Select the Oracle Internet Directory component you want to manage.

4. Use the Oracle Internet Directory menu to select tasks.

Notes:

■If you selected Configure Without a Domain when prompted for

a domain while installing Oracle Internet Directory, Oracle

Enterprise Manager Fusion Middleware Control will not be

available.

■Oracle Enterprise Manager Fusion Middleware Control manages

Oracle Internet Directory through its SSL port. The Oracle Internet

Directory SSL port must be configured for no authentication or

server authentication. In addition, the ciphers configured must

include one or more of the Diffie-Hellman no-auth ciphers:

■SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

■SSL_DH_anon_WITH_RC4_128_MD5

■SSL_DH_anon_WITH_DES_CBC_SHA

If the Oracle Internet Directory SSL port is configured for mutual

authentication, or if the appropriate ciphers are not configured,

you will not be able to change Oracle Internet Directory

parameters by using Oracle Enterprise Manager Fusion

Middleware Control. See Section 26.1.3, "SSL Authentication

Modes."

■For information about supported browsers for Fusion Middleware

Control and Oracle Directory Services Manager, refer to System

Requirements and Supported Platforms for Oracle Fusion

Middleware 11gR1, which is linked from:

http://www.oracle.com/technetwork/middleware/ias/

downloads/fusion-certification-100350.html

Using Oracle Directory Services Manager

Getting Started With Oracle Internet Directory 7-5

You can use the Oracle Internet Directory menu to navigate to other Fusion

Middleware Control pages for Oracle Internet Directory, navigate to Oracle Directory

Services Manager pages for Oracle Internet Directory, and perform other tasks, as

described in Table 7–1.

7.4 Using Oracle Directory Services Manager

This section contains the following topics:

■Section 7.4.1, "Introduction to Oracle Directory Services Manager"

■Section 7.4.2, "Configuring ODSM for SSO Integration"

Table 7–1 Using the Oracle Internet Directory Menu

Task Select

Return to Home page Home

View a performance summary Monitoring, then Performance

Start, stop, or restart the Oracle Internet Directory

component

Control, then Start Up, Shut Down,

or Restart, respectively.

View Oracle Internet Directory logs Logs, then View Log Messages

View non-SSL and SSL port information. Port Usage

Manage properties that are specific to this Oracle Internet

Directory component

Administration, then Server

Properties

Manage properties that are shared by all Oracle Internet

Directory components that are connected to the same

Oracle Database

Administration, then Shared

Properties

Set up replication Administration, then Replication

Management

Get tuning and sizing recommendations, Administration, then Tuning and

Sizing

Manage Oracle Internet Directory entries by using Oracle

Directory Services Manager

Directory Services Manager, then

Data Browser

Manage the Oracle Internet Directory schema by using

Oracle Directory Services Manager

Directory Services Manager, then

Schema

Manage Oracle Internet Directory security by using

Oracle Directory Services Manager

Directory Services Manager, then

Security

Manage Oracle Internet Directory advanced features by

using Oracle Directory Services Manager

Directory Services Manager, then

Advanced

Configure auditing for Oracle Internet Directory Security, then Audit Policy Settings

Create wallets for Oracle Internet Directory Security, then Wallets

View target name, software version, Oracle home, Oracle

instance, Oracle Enterprise Manager Fusion Middleware

Control agent, and host

General Information.

See Also:

■Oracle Enterprise Manager Concepts

■Oracle Enterprise Manager Advanced Configuration

■Oracle Fusion Middleware Installation Guide for Oracle Identity

Management

Using Oracle Directory Services Manager

7-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■Section 7.4.3, "Configuring the SSO Server for ODSM Integration"

■Section 7.4.4, "Configuring the Oracle HTTP Server for ODSM-SSO Integration"

■Section 7.4.5, "Invoking Oracle Directory Services Manager"

■Section 7.4.6, "Connecting to the Server from Oracle Directory Services Manager"

■Section 7.4.7, "Configuring Oracle Directory Services Manager Session Timeout"

■Section 7.4.8, "Configuring Oracle HTTP Server to Support Oracle Directory

Services Manager in an Oracle WebLogic Server Cluster"

7.4.1 Introduction to Oracle Directory Services Manager

Oracle Directory Services Manager is a web-based interface for managing instances of

Oracle Internet Directory and Oracle Virtual Directory. It is a replacement for Oracle

Directory Manager, which is now deprecated. Oracle Directory Services Manager

enables you to configure the structure of the directory, define objects in the directory,

add and configure users, groups, and other entries. ODSM is the interface you use to

manage entries, schema, security, and other directory features.

You can also use ODSM to manage system configuration attributes, which can be

useful if Fusion Middleware Control is not available or if you must modify an

attribute that has no Fusion Middleware Control interface. See Section 9.5, "Managing

System Configuration Attributes by Using ODSM Data Browser" and Section 13.2,

"Managing Entries by Using Oracle Directory Services Manager."

7.4.1.1 Using the JAWS Screen Reader with Oracle Directory Services Manager

When you use JAWS with ODSM, whenever a new window pops up, JAWS reads

"popup." To read the entire page, enter the keystrokes Insert+b.

7.4.1.2 Non-Super User Access to Oracle Directory Services Manager

Oracle Directory Services Manager allows you to connect to Oracle Internet Directory

as any user with a valid DN and password in the directory. If you connect as the super

user, cn=orcladmin, or as a user who is a member of

cn=DirectoryAdminGroup,cn=oracle internet directory, you can access

all the tabs in the interface. If you log in as any other user, you can access only the

Home and Data Browser tabs.

7.4.1.3 Single Sign-On Integration with Oracle Directory Services Manager

You can configure Oracle Directory Services Manager to use Single Sign-On (SSO).

When configured with SSO, Oracle Directory Services Manager allows a user who has

been authenticated by the SSO server to connect to an SSO-enabled directory without

logging in, provided that user has privileges to manage the directory.

Oracle Directory Services Manager maintains a list of Oracle Internet Directory servers

that SSO-authenticated users can manage. To validate whether an SSO-authenticated

user has the required privileges to manage Oracle Internet Directory, Oracle Directory

Services Manager maps the SSO-authenticated user to a DN in the Oracle Internet

Directory server.

Oracle Directory Services Manager uses proxy authentication to connect to the

directory. The proxy user's DN and password are stored in a secure storage

framework called the Credential Store Framework (CSF).

See Also: Appendix O, "Managing Oracle Directory Services

Manager's Java Key Store."

Using Oracle Directory Services Manager

Getting Started With Oracle Internet Directory 7-7

To map an SSO-authenticated user, Oracle Directory Services Manager authenticates

to the Oracle Virtual Directory server using the credentials of a user with proxy

privileges. Oracle Directory Services Manager then tries to map the SSO-authenticated

user's unique identifier to the Oracle Virtual Directory user's unique identifier.

The WLS Administrator configures the proxy user's credentials, unique identifier

attribute, and the base DN under which Oracle Directory Services Manager searches

for the user, which are stored in the CSF. If Oracle Directory Services Manager gets a

valid DN, it maps the SSO-authenticated user to that DN. When the SSO-authenticated

user is mapped to a valid DN, Oracle Directory Services Manager uses proxy

authentication to connect to the Oracle Virtual Directory server with the

SSO-authenticated user's mapped DN.

To configure SSO integration, see the following sections:

■Section 7.4.2, "Configuring ODSM for SSO Integration"

■Section 7.4.3, "Configuring the SSO Server for ODSM Integration"

■Section 7.4.4, "Configuring the Oracle HTTP Server for ODSM-SSO Integration".

7.4.2 Configuring ODSM for SSO Integration

To configure ODSM-SSO integration, use the ODSM Proxy Bind Configuration Screen,

at http://host:port/odsm-config. Log in as the WebLogic administrator.

On this screen, you provide Oracle Directory Services Manager with the set of

directory servers that SSO users can manage. This screen lists the Single Sign-On

accessible directories.

Use the View list to modify the number and order of the columns. To remove an

existing directory, click Remove.

To modify an existing directory, click Modify.

To add a new Single Sign-On accessible directory, click Add.

When you click Modify or Add, the Directory Details screen appears. Proceed as

follows:

1. Select Non-SSL or SSL from the Port Type list.

2. Select OID or OVD from the Directory Type list.

3. Provide the following information:

■Host and Port of the directory.

■Proxy User's DN and Password: The DN and password that Oracle Directory

Services Manager uses for proxy authentication.

■User Container DN: The DN under which user entries are located in the

directory.

■User Lookup Attribute: A unique attribute for looking up a user's DN in the

directory. For example, if the SSO server sends the user's mail ID to Oracle

Directory Services Manager as the user's unique identifier, you can configure

mail as the user look-up attribute.

4. Click Validate to verify your directory connection details.

Oracle Directory Services Manager authenticates to the directory server with the

credentials provided.

5. Click Apply to apply your selections.

Using Oracle Directory Services Manager

7-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Click Revert to abandon your selections.

6. Specify the SSO server's Logout URL in the SSO Logout URL text box.

For example, http://myoamhost.mycompany.com:14100/oam/server/logout is the

default Logout URL for the Oracle Access Manager 11g server. If you only

configure this field, Oracle Directory Services Manager displays the Login link at

the top right corner of the Oracle Directory Services Manager page.

7.4.3 Configuring the SSO Server for ODSM Integration

To make SSO-ODSM integration work correctly, you must configure specific ODSM

URLs as protected or unprotected.

ODSM's home page must be an unprotected URL. That is, all users must be able to

access the ODSM home page, including those who have not gone through the SSO

authentication process.

The URL /odsm/odsm-sso.jsp must be protected by the SSO server. When a user

clicks the Login link appearing on the top right corner of the home page, ODSM

redirects the user to /odsm/odsm-sso.jsp. The SSO server challenges the user for a

username and password, if the user is not already authenticated. Upon successful

authentication, the user is directed back to the ODSM home page.

You must configure /odsm/odsm-sso.jsp as a protected URL. In addition you must

configure the following URLs as unprotected URLs:

■/odsm/faces/odsm.jspx

■/odsm/.../

You can use either Oracle Access Manager 11g or Oracle Access Manager 10g as your

SSO provider.

To configure Oracle Access Manager 11g, see "Deploying the OAM 11g SSO Solution"

in Oracle Fusion Middleware Application Security Guide.

You must configure an Oracle Access Manager server to send the SSO-authenticated

user's unique identifier through an HTTP header to Oracle Directory Services

Manager. Oracle Directory Services Manager looks for the OAM_REMOTE_USER HTTP

header. The Oracle Access Manager server sets the OAM_REMOTE_USER header by

default. If this header is not available, Oracle Directory Services Manager looks for the

odsm-sso-user-unique-id HTTP header. If Oracle Directory Services Manager

cannot find any of these headers, Oracle Directory Services Manager SSO integration

will not work.

In addition to sending the user's unique identifier through HTTP header, you can

optionally configure Oracle Access Manager to send following HTTP headers:

■Configure the odsm-sso-user-firstname HTTP header to send the user's first

name.

■Configure the odsm-sso-user-lastname HTTP header to send the user's last

name.

If these headers are available, Oracle Directory Services Manager displays the user's

first name and last name in the "Logged in as" section located in the top right corner of

Oracle Directory Services Manager. If the first name or the last name is not available,

Oracle Directory Services Manager displays the user's unique identifier in the "Logged

in as" section.

To configure Oracle Access Manager 11g, see "Deploying the OAM 11g SSO

Solution" in Oracle Fusion Middleware Application Security Guide.

Using Oracle Directory Services Manager

Getting Started With Oracle Internet Directory 7-9

To configure Oracle Access Manager 10g, see "Deploying SSO Solutions with OAM

10g" in Oracle Fusion Middleware Application Security Guide.

7.4.4 Configuring the Oracle HTTP Server for ODSM-SSO Integration

If you are using Oracle HTTP Server to host the SSO server's WebGate agent and as a

front end to the WebLogic server hosting ODSM, you must configure Oracle HTTP

Server's mod_wl_ohs module to forward all requests starting with /odsm to the

WebLogic server hosting ODSM. The mod_wl_ohs module allows requests to be

proxied from Oracle HTTP Server to Oracle WebLogic Server.

To configure mod_wl_ohs, see "Configuring the mod_wl_ohs Module" in Oracle

Fusion Middleware Administrator's Guide for Oracle HTTP Server.

7.4.5 Invoking Oracle Directory Services Manager

You can invoke Oracle Directory Services Manager directly or from Oracle Enterprise

Manager Fusion Middleware Control.

■To invoke Oracle Directory Services Manager directly, enter the following URL

into your browser's address field:

http://host:port/odsm

In the URL to access Oracle Directory Services Manager, host is the name of the

managed server where Oracle Directory Services Manager is running. port is the

managed server port number from the WebLogic server. You can determine the

exact port number by examining the $Fusion_Middleware_Home/Oracle_Identity_

Management_domain/servers/wls_ods/data/nodemanager/wls_ods1.url file,

where Fusion_Middleware_Home represents the root directory where Fusion

Middleware is installed.

■To invoke Oracle Directory Services Manager from Fusion Middleware Control,

select Directory Services Manager from the Oracle Internet Directory menu in the

Oracle Internet Directory target, then Data Browser, Schema, Security, or

Advanced. (You can connect from the Oracle Virtual Directory menu in a similar

manner.)

A new browser window, containing the ODSM Welcome screen, pops up. Connect

to the server as described in the next section.

Notes:

■If you selected Configure Without a Domain when prompted for

a domain while installing Oracle Internet Directory, Oracle

Directory Services Manager will not be available.

■For information about supported browsers for Fusion Middleware

Control and Oracle Directory Services Manager, refer to System

Requirements and Supported Platforms for Oracle Fusion

Middleware 11gR1, which is linked from:

http://www.oracle.com/technetwork/middleware/ias/

downloads/fusion-certification-100350.html

See Also: Section S.1.23, "Troubleshooting Oracle Directory Services

Manager."

Using Oracle Directory Services Manager

7-10 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

7.4.6 Connecting to the Server from Oracle Directory Services Manager

When the ODSM Welcome screen appears, you can connect to either an Oracle

Internet Directory server or a Oracle Virtual Directory server.

This section contains the following topics:

■Section 7.4.6.1, "Logging in to the Directory Server from Oracle Directory Services

Manager"

■Section 7.4.6.2, "Logging Into the Directory Server from Oracle Directory Services

Manager Using SSL"

7.4.6.1 Logging in to the Directory Server from Oracle Directory Services Manager

You log in to a directory server's non-SSL port from Oracle Directory Services

Manager as follows:

1. Click the small arrow to the right of the label Click to connect to a directory. It

opens a dialog box containing the following sections:

■Live Connections–current connections that you can return to.

■Disconnected Connections–a list of directory servers you have connected to

and then disconnected from. Oracle Directory Services Manager saves

information about connections that you've used previously and lists them, by

optional Name or by server, so that you can select them again.

■New Connections–used to initiate a new connection

If you are SSO-authenticated, you might see an additional section, described in

Section 7.4.6.3, "Connecting to an SSO-Enabled Directory as an SSO-Authenticated

User."

2. To reconnect to a live connection, click it.

Notes:

■After you have logged into ODSM, you can connect to multiple

directory instances from the same browser window.

■Avoid using multiple windows of the same browser program to

connect to different directories at the same time. Doing so can

cause a Target unreachable error.

■You can log in to the same ODSM instance from different browser

programs, such as Internet Explorer and Firefox, and connect each

to a different directory instance.

■If you change the browser language setting, you must update the

session in order to use the new setting. To update the session,

either reenter the ODSM URL in the URL field and press Enter or

quit and restart the browser.

Note: If the connection information changes, for example, if the

server's port number changes, Oracle Directory Services Manager's

connection information becomes incorrect and the connection fails.

You cannot edit connection information, so you must delete the

connection from the list and create a new connection.

Using Oracle Directory Services Manager

Getting Started With Oracle Internet Directory 7-11

To select a disconnected connection, click the entry. You see a short version of the

and then select Delete.

To initiate a connection to a new directory server, click Create a New Connection

or type Ctrl+N. The New Connection Dialog appears.

3. Select OID or OVD.

4. Optionally, enter an alias name to identify this entry on the Disconnected

Connections list.

5. Enter the server and non-SSL port for the Oracle Internet Directory or Oracle

Virtual Directory instance you want to manage.

6. Deselect SSL Enabled.

7. Enter the user (usually cn=orcladmin) and password.

8. Select the Start Page you want to go to after logging in.

9. Click Connect.

After you have logged in to an Oracle Internet Directory or Oracle Virtual Directory

server, you can use the navigation tabs to select other pages.

The Oracle Directory Services Manager home pages for Oracle Internet Directory and

Oracle Virtual Directory list version information about Oracle Directory Services

Manager itself, as well as the directory and database. It also lists directly statistics.

7.4.6.2 Logging Into the Directory Server from Oracle Directory Services Manager

Using SSL

If you are unfamiliar with SSL authentication modes, see "SSL Authentication Modes"

on page 26-3.

When you log in to the server's SSL port, you follow the procedure in Section 7.4.6.1,

"Logging in to the Directory Server from Oracle Directory Services Manager," except

that you specify the SSL port in Step 5 and do not deselect SSL Enabled in Step 6.

After you click Connect in Step 9, you might be presented with a certificate,

depending on the type of SSL authentication.

7.4.6.2.1 SSL No Authentication If the directory server is using SSL No Authentication

mode (the default), you are not presented with a certificate. SSL No Authentication

provides data confidentiality and integrity only but no authentication using X509

certificates.

7.4.6.2.2 SSL Server Only Authentication If the directory server is using SSL Server

Authentication Only Mode, when you click connect in Step 9, you are presented with

the server's certificate. After manually verifying the authenticity of the server

certificate, you can accept the certificate permanently, accept the certificate for the

current session only, or reject the certificate. If you accept the certificate permanently,

the certificate is stored in its Java Key Store (JKS). From then on, you are not prompted

to accept the certificate when you connect to that server. If you accept the certificate

only for the current session, you are prompted to accept or reject the certificate every

time you connect to the server. If you reject the certificate, ODSM closes the connection

to the server.

See Also: Section S.1.23, "Troubleshooting Oracle Directory Services

Manager."

Using Oracle Directory Services Manager

7-12 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

7.4.6.2.3 SSL Client and Server Authentication If the server is using SSL Client and Server

Authentication Mode, when you click Connect in Step 9, you are presented with a

certificate. Follow the instructions in Section 7.4.6.2.2, "SSL Server Only

Authentication."

After OSDM accepts the server's certificate, ODSM sends its own certificate to the

server for authentication. The server accepts ODSM's certificate if that certificate is

present in its trusted list of certificates.

If the DN of ODSM's certificate is present in the server, you do not need to provide the

username and password in the connection dialog.

If the DN of ODSM's certificate is not present in the server, you must provide the user

name and password.

ODSM's certificate is a self-signed certificate. You must use the keytool command to

assign a CA signed certificate to ODSM. See Appendix O, "Managing Oracle Directory

Services Manager's Java Key Store."

7.4.6.3 Connecting to an SSO-Enabled Directory as an SSO-Authenticated User

If you have already been authenticated by the single sign-on server, ODSM allows you

to connect to SSO-enabled directories without logging in, provided you have an entry

in that directory. When you access the ODSM Welcome page, if you have an entry in

only one SSO-enabled directory, ODSM connects you to it. If you have entries in more

than one SSO-enabled directory ODSM allows you to select directory you want to

connect to, as follows.

Click the small arrow to the right of the label Click to connect to a directory. In this

case, the dialog box contains an extra section, listing SSO-enabled directories you are

authorized to connect to. Select the directory you want. ODSM connects you without

requesting a username or password.

If the port you connected to is an SSL port, you still must perform the appropriate

steps in Section 7.4.6.2.1, "SSL No Authentication," Section 7.4.6.2.2, "SSL Server Only

Authentication," or Section 7.4.6.2.3, "SSL Client and Server Authentication."

7.4.7 Configuring Oracle Directory Services Manager Session Timeout

The default session timeout for Oracle Directory Services Manager is 35 minutes. You

can change it by editing the file web.xml, which resides in DOMAIN_

HOME/servers/wls_ods1/tmp/_WL_user/odsm_

11.1.1.2.0/randomid/war/WEB-INF. (This assumes your managed server is

named wls_ods1. Adjust the pathname if your managed server has a different name.)

The file fragment containing the timeout value looks like this:

<session-config>

<session-timeout>35</session-timeout>

</session-config>

After you change the value, restart the managed server or restart Oracle Directory

Services Manager through the WebLogic console.

If you edit the file web.xml, keep in mind that the change you make might not be

permanent. Oracle Directory Services Manager is deployed from ORACLE_

HOME/ldap/odsm/odsm.ear to the WebLogic server. The WebLogic server expands

See Also: Section O.1, "Introduction to Managing ODSM's Java Key

Store."

Using Command-Line Utilities to Manage Oracle Internet Directory

Getting Started With Oracle Internet Directory 7-13

odsm.ear into the DOMAIN_HOME/servers/wls_ods1/tmp/_WL_user/odsm_

11.1.1.2.0 directory for performance reasons. This is a temporary cache directory

for WebLogic server. If you apply a patch that overwrites ORACLE_

HOME/ldap/odsm/odsm.ear, the changes you made to web.xml in the temporary

cache directory are also overwritten.

7.4.8 Configuring Oracle HTTP Server to Support Oracle Directory Services Manager in

an Oracle WebLogic Server Cluster

Perform the following steps to configure Oracle HTTP Server to route Oracle Directory

Services Manager requests to multiple Oracle WebLogic Servers in a clustered Oracle

WebLogic Server environment:

1. Create a backup copy of the Oracle HTTP Server's httpd.conf file. The backup

copy provides a source to revert to if you encounter problems after performing

this procedure.

2. Add the following text to the end of the Oracle HTTP Server's httpd.conf file

and replace the variable placeholder values with the host names and managed

server port numbers specific to your environment. Be sure to use the <Location

/odsm/ > as the first line in the entry. Using <Location /odsm/faces > or

<Location /odsm/faces/odsm.jspx > can distort the appearance of the

Oracle Directory Services Manager interface.

SetHandler weblogic-handler

WebLogicCluster host-name-1:managed-server-port,host-name_2:managed_server_port

</Location>

3. Stop, then start the Oracle HTTP Server to activate the configuration change.

7.5 Using Command-Line Utilities to Manage Oracle Internet Directory

To use most Oracle Internet Directory command-line utilities and Database client

utilities like sqlplus, you must set the following environmental variables:

■ORACLE_HOME - The location of non-writable files in your Oracle Identity

Management installation.

■ORACLE_INSTANCE - The location of writable files in your Oracle Identity

Management installation.

■TNS_ADMIN - The directory where the database connect string is defined in the

tnsnames.ora file. By default it is the $ORACLE_INSTANCE/config directory. The

database connect alias as defined in tnsnames.ora is OIDDB by default.

■NLS_LANG (APPROPRIATE_LANGUAGE.AL32UTF8) - The default language set at

installation is AMERICAN_AMERICA.

■PATH - The following directory locations should be added to your PATH:

$ORACLE_HOME/bin

Note: Oracle Directory Services Manager loses its connection and

displays a session time-out message if the Oracle WebLogic Server in

the cluster that it is connected to fails. Oracle Directory Services

Manager requests are routed to the secondary Oracle WebLogic

Server in the cluster that you identified in the httpd.conf file after you

log back in to Oracle Directory Services Manager.

Using Command-Line Utilities to Manage Oracle Internet Directory

7-14 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

$ORACLE_HOME/ldap/bin

$ORACLE_INSTANCE/bin

Many of the activities that you can perform at the command line can also be

performed in Oracle Enterprise Manager Fusion Middleware Control or Oracle

Directory Services Manager. A few functions are only available from the command

line.

7.5.1 Using Standard LDAP Utilities

Oracle Internet Directory supports the standard LDAP command-line utilities

ldapadd, ldapaddmt, ldapbind, ldapcompare, ldapdelete, ldapmoddn,

ldapmodify, ldapmodifymt, and ldapsearch. For example:

ldapbind -D "cn=orcladmin" -q -h "myserver.example.com" -p 3060

ldapsearch -b "cn=subschemasubentry" -s base "objectclass=*" -p 3060 \

-D "cn=orcladmin" -q

This book contains many examples of LDAP tool use.

For security reasons, avoid supplying a password on the command line whenever

possible. A password typed on the command line is visible on your screen and might

appear in log files or in the output from the ps command. When you supply a

password at a prompt, it is not visible on the screen, in ps output, or in log files. Use

the -q and -Q options, respectively, instead of the -P password and -w password

options.

The LDAP tools have been modified to disable the options -w password and -P

password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to

TRUE or 1. Use this feature whenever possible.

7.5.2 Using Bulk Tools

Oracle Internet Directory provides several tools to help you manage large numbers of

entries. See Chapter 15, "Performing Bulk Operations."

7.5.3 Using WLST

The Oracle WebLogic Scripting Tool (WLST) is a Jython-based command-line scripting

environment that you can use to manage and monitor WebLogic Server domains. To

use it to manage and monitor Oracle Internet Directory, you must navigate to the

See Also:

■Section 13.3, "Managing Entries by Using LDAP Command-Line

Tools."

■The chapter "Oracle Internet Directory Data Management Tools"

in Oracle Fusion Middleware Reference for Oracle Identity Management

for a detailed description of each tool.

See Also: "Using Passwords with Command-Line Tools" in Oracle

Fusion Middleware Reference for Oracle Identity Management.

See Also: The chapter "Oracle Internet Directory Data Management

Tools" in Oracle Fusion Middleware Reference for Oracle Identity

Management for a detailed description of each tool.

Basic Tasks for Configuring and Managing Oracle Internet Directory

Getting Started With Oracle Internet Directory 7-15

custom MBean tree where Oracle Internet Directory is located. Then you can list, get

values, and change values of the managed beans (MBeans) that represent Oracle

Internet Directory resources. See Section 9.3, "Managing System Configuration

Attributes by Using WLST" and Section 26.3, "Configuring SSL by Using WLST."

7.6 Basic Tasks for Configuring and Managing Oracle Internet Directory

The following provides a summary of the steps you must take to configure and

manage a basic Oracle Internet Directory environment:

1. Start and stop the LDAP server. See Chapter 8

2. Manage system configuration attributes. See Chapter 9.

3. Manage directory entries. See Chapter 13.

4. Manage directory schema. See Chapter 20.

5. Configure auditing. Chapter 22.

6. Manage log files. See Chapter 23.

7. Configure SSL. See Chapter 26.

8. Configure password policies. See Chapter 28.

9. Configure access control. See Chapter 29.

10. Get sizing and tuning recommendations for Oracle Internet Directory

deployments. See the "Obtaining Recommendations by Using the Tuning and

Sizing Wizard" section of the Oracle Internet Directory chapter in Oracle Fusion

Middleware Performance and Tuning Guide.

11. Set up replication. See Chapter 39 and Appendix C.

12. Convert an Advanced Replication-based replication agreement to an LDAP-based

replication agreement. See Section 39.2, "Converting an Advanced

Replication-Based Agreement to an LDAP-Based Agreement."

13. Modify an existing replication setup. See Chapter 42.

This guide describes other tasks that you might need to perform, depending on your

Oracle Fusion Middleware environment.

Note: WLST manages Oracle Internet Directory through its SSL port.

The Oracle Internet Directory SSL port must be configured for no

authentication or server authentication. If the Oracle Internet

Directory SSL port is configured for mutual authentication, you will

not be able to change Oracle Internet Directory attributes by using

WLST. See "SSL Authentication Modes" on page 26-3.

Basic Tasks for Configuring and Managing Oracle Internet Directory

7-16 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Managing Oracle Internet Directory Instances 8-1

8Managing Oracle Internet Directory

Instances

This chapter describes how to create and manage server instances. It contains these

topics:

■Section 8.1, "Introduction to Managing Oracle Internet Directory Instances"

■Section 8.2, "Managing Oracle Internet Directory Components by Using Fusion

Middleware Control"

■Section 8.3, "Managing Oracle Internet Directory Components by Using opmnctl"

■Section 8.4, "Starting an Instance of the Replication Server by Using OIDCTL"

8.1 Introduction to Managing Oracle Internet Directory Instances

This introduction contains the following topics:

■Section 8.1.1, "The Instance-Specific Configuration Entry"

■Section 8.1.2, "Creating the First Oracle Internet Directory Instance"

■Section 8.1.3, "Creating Additional Oracle Internet Directory Instances"

■Section 8.1.4, "Registering an Oracle Instance or Component with the WebLogic

Server"

8.1.1 The Instance-Specific Configuration Entry

In 11g Release 1 (11.1.1), configuration information for an Oracle Internet Directory

instance resides in an instance-specific configuration entry, which has a DN of the

form

cn=componentname,cn=osdldapd,cn=subconfigsubentry

where componentname is the name of a Oracle Fusion Middleware system

component of Type=OID, for example, oid2. You do not manually create an

instance-specific configuration entry. Instead, you create a Oracle Fusion Middleware

system component of Type=OID. Creating the Oracle Internet Directory component

automatically generates an instance-specific configuration entry.

Figure 8–1 shows the configuration entries for two Oracle Internet Directory

components in the DIT. The DNs for the instance-specific configuration entries are:

cn=oid1,cn=osdldapd,cn=subconfigsubentry

See Also: Appendix B, "Managing Oracle Internet Directory

Instances by Using OIDCTL,"

Introduction to Managing Oracle Internet Directory Instances

8-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

cn=oid2,cn=osdldapd,cn=subconfigsubentry

Figure 8–1 DIT Showing Two Instance-Specific Configuration Entries

The attributes in the instance-specific configuration specify information such as

hostname, ports, events to be audited, number of child processes, and security

configuration. For a complete list, see Section 9.1.3, "Attributes of the Instance-Specific

Configuration Entry."

8.1.2 Creating the First Oracle Internet Directory Instance

When you install Oracle Internet Directory on a host computer, Oracle Identity

Management 11g Installer creates an Oracle Fusion Middleware system component of

Type=OID in a new or existing Oracle instance (ASINST). The Oracle Internet

Directory component contains an OIDMON process and an Oracle Internet Directory

instance (inst=1). The Oracle Internet Directory instance consists of a dispatcher

process and one or more OIDLDAPD processes. The component name for the first

Oracle Internet Directory component is usually oid1 and the Oracle instance name is

chosen during the installation, usually asinst_1.

Oracle Identity Management 11g Installer creates the following instance-specific

configuration entry for this component during installation:

cn=oid1,cn=osdldapd,cn=subconfigsubentry

In addition, Oracle Identity Management 11g Installer creates some file system

directories under the Oracle instance directory. Some of the pathnames it creates are

are specific to the component name. For example, the pathnames under your Oracle

instance on UNIX or Linux include:

ORACLE_INSTANCE/config/OID/oid1

ORACLE_INSTANCE/diagnostics/logs/OID/oid1

If you selected Create New Domain or Extend Existing Domain during installation,

the Oracle Internet Directory component is registered with a WebLogic domain. If you

selected Configure Without a Domain during installation, the Oracle Internet

Directory component is not registered with a domain. You can register it later from the

command line. Registering with a domain in this case is optional.

Note: Oracle Internet Directory is frequently configured in a cluster

where instances on different hosts are all connected to the same

Oracle Database. Oracle Identity Management 11g Installer detects

that other OID components are using the same Oracle Database and

increments the component name for the new component by 1. That is,

successive installations in the cluster will have the component names

oid2, oid3, and so forth.

cn=osdldapd

cn=oid2

cn=osdrepld

cn=subConfigSubEntry

root DSE

cn=oid1

Introduction to Managing Oracle Internet Directory Instances

Managing Oracle Internet Directory Instances 8-3

8.1.3 Creating Additional Oracle Internet Directory Instances

The recommended way to add another Oracle Internet Directory instance is to add an

additional system component of Type=OID in the Oracle instance.

To do this, you use opmnctl createcomponent, specifying the component type

Type=OID, the component name for the new component, and the instance name of the

Oracle instance. This new Oracle Internet Directory component consists of an

OIDMON process, an OIDLDAPD dispatcher process, and one or more OIDLDAPD

server processes. For example, see ias_component=oid2 at the bottom of

Figure 8–2.

Figure 8–2 Oracle Internet Directory Process Control

You use an OPMN command, opmnctl createcomponent, to create a new

instance-specific configuration entry in the DIT. If the new component name is oid2,

the new entry looks like this:

cn=oid2,cn=osdldapd,cn=subconfigsubentry

You can change the values of attributes in this entry to customize the instance.

The opmnctl command also creates additional pathnames in the filesystem under the

ORACLE_INSTANCE directory for the Oracle instance asinst_1. If the new

component name is oid2, the pathnames include:

ORACLE_INSTANCE/config/OID/oid2

ORACLE_INSTANCE/diagnostics/logs/OID/oid2

You can use opmnctl process control commands to manage the components oid1

and oid2 individually. You can register the new Oracle Internet Directory instance

with the WebLogic domain, either at creation time or later.

OIDLDAPD

Server2

OIDLDAPD

Server1

OIDLDAPD

Server

OIDLDAPD

Dispatcher

non-SSL Port = 3061

SSL Port = 3132

OIDREPLD

OIDMON

ias_component=oid2

OIDMON

ias_component=oid1

OIDLDAPD

Dispatcher

non-SSL Port = 3060

SSL Port = 3131

OPMN

Oracle Database

Shared Memory

Managing Oracle Internet Directory Components by Using Fusion Middleware Control

8-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

8.1.4 Registering an Oracle Instance or Component with the WebLogic Server

If you want to manage an Oracle Internet Directory component with Oracle Enterprise

Manager Fusion Middleware Control, you must register the component and the

Oracle instance that contains it with a WebLogic domain. You can register an Oracle

instance with a WebLogic domain during installation or Oracle instance creation, but

you are not required to do so. If an Oracle instance was not previously registered with

a WebLogic domain, you can register it by using opmnctl registerinstance.

If the Oracle instance is already registered, and you are adding a new Oracle Internet

Directory system component to the Oracle instance, opmnctl automatically registers

the component as part of that Oracle instance.

If you change the configuration of a registered component, you must update the

information by running opmnctl updatecomponentregistration. See

Managing Oracle Internet Directory Components by Using opmnctl.

8.2 Managing Oracle Internet Directory Components by Using Fusion

Middleware Control

You can view, stop, and start Oracle Internet Directory components by using Oracle

Enterprise Manager Fusion Middleware Control. This section contains the following

topics:

■Section 8.2.1, "Viewing Active Server Information by Using Fusion Middleware

Control"

■Section 8.2.2, "Starting the Oracle Internet Directory Server by Using Fusion

Middleware Control"

■Section 8.2.3, "Stopping the Oracle Internet Directory Server by Using Fusion

Middleware Control"

■Section 8.2.4, "Restarting the Oracle Internet Directory Server by Using Fusion

Middleware Control"

Note: You can use oidctl to create an instance if you are running

Oracle Internet Directory as a standalone server, not part of a

WebLogic domain. When you create an instance with oidctl, you

must use oidctl to stop and start the instance. An Oracle Internet

Directory instance created with oidctl cannot be registered with a

WebLogic server, so you cannot use Oracle Enterprise Manager

Fusion Middleware Control to manage the instance. See Appendix B,

"Managing Oracle Internet Directory Instances by Using OIDCTL."

See Also:

■Oracle Fusion Middleware Oracle Process Manager and Notification

Server Administrator's Guide for more information about OPMN

and the opmnctl command.

■Chapter 4, "Understanding Process Control of Oracle Internet

Directory Components" for information about Oracle Internet

Directory processes.

See Also: "WebLogic Server Domain" on page 2-1.

Managing Oracle Internet Directory Components by Using opmnctl

Managing Oracle Internet Directory Instances 8-5

8.2.1 Viewing Active Server Information by Using Fusion Middleware Control

To view information about any Oracle Internet Directory component—including type,

debug level, host name, and configuration parameters—use Oracle Enterprise

Manager Fusion Middleware Control. To do this:

1. Connect to Oracle Enterprise Manager Fusion Middleware Control as described in

Section 7.3, "Using Fusion Middleware Control to Manage Oracle Internet

Directory."

2. The Domain Home Page displays the status of components, including Oracle

Internet Directory.

3. Select the Oracle Internet Directory component you want to view.

4. View the status information on the Oracle Internet Directory Home page.

8.2.2 Starting the Oracle Internet Directory Server by Using Fusion Middleware Control

Start the Oracle Internet Directory server as follows:

1. Go to the Oracle Internet Directory home page in Oracle Enterprise Manager

Fusion Middleware Control.

2. From the Oracle Internet Directory menu, select Availability, then Start Up.

3. When the confirmation dialog appears, click OK.

If Fusion Middleware Control cannot start the server, an error dialog appears.

8.2.3 Stopping the Oracle Internet Directory Server by Using Fusion Middleware

Control

Stop the Oracle Internet Directory server as follows:

1. Go to the Oracle Internet Directory home page in Oracle Enterprise Manager

Fusion Middleware Control.

2. From the Oracle Internet Directory menu, select Availability, then Shut Down.

3. When the confirmation dialog appears, click OK.

If Fusion Middleware Control cannot stop the server, an error dialog appears.

8.2.4 Restarting the Oracle Internet Directory Server by Using Fusion Middleware

Control

Restart the Oracle Internet Directory server as follows:

1. Go to the Oracle Internet Directory home page in Oracle Enterprise Manager

Fusion Middleware Control.

2. From the Oracle Internet Directory menu, select Availability, then Restart.

3. When the confirmation dialog appears, click OK.

If Fusion Middleware Control cannot restart the server, an error dialog appears.

8.3 Managing Oracle Internet Directory Components by Using opmnctl

You can perform the following Oracle Internet Directory-related tasks from the

command line by using opmnctl:

Managing Oracle Internet Directory Components by Using opmnctl

8-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■Section 8.3.1, "Creating an Oracle Internet Directory Component by Using

opmnctl"

■Section 8.3.2, "Registering an Oracle Instance by Using opmnctl"

■Section 8.3.3, "Unregistering an Oracle Instance by Using opmnctl"

■Section 8.3.4, "Updating the Component Registration of an Oracle Instance by

Using opmnctl"

■Section 8.3.5, "Deleting an Oracle Internet Directory Component by Using

opmnctl"

■Section 8.3.6, "Viewing Active Server Instance Information by Using opmnctl"

■Section 8.3.7, "Starting the Oracle Internet Directory Server by Using opmnctl"

■Section 8.3.8, "Stopping the Oracle Internet Directory Server by Using opmnctl"

■Section 8.3.9, "Restarting the Oracle Internet Directory Server by Using opmnctl"

■Section 8.3.10, "Changing the Oracle Database Information in opmn.xml"

8.3.1 Creating an Oracle Internet Directory Component by Using opmnctl

You create an Oracle Internet Directory system component in an Oracle instance by

using opmnctl createcomponent. This command automatically registers the

component with a WebLogic domain at the time you create the component, as long as

the instance is in a registered state. The syntax is:

ORACLE_INSTANCE/bin/opmnctl createcomponent

-componentType OID

-componentName componentName

-adminHost webLogicHostName

-adminPort webLogicPort

[-adminUsername weblogicAdminUsername]

[-adminPasswordFile text_file_containing_admin_password]

-Db_info "DBHostName:Port:DBSvcName"

[-Ods_Password_File 'File_with_DB_ODS_USER_PASSWORD']

Note: Arguments to opmnctl are case sensitive. Be sure to type

them exactly as shown. For example, createcomponent must be in

all lower case and -adminUsername must have only the letter U in

upper case.

For more information about options to an opmnctl command, type:

ORACLE_INSTANCE/bin/opmnctl usage command

For example:

$ORACLE_INSTANCE/bin/opmnctl usage createcomponent

See Also:

■"Oracle Internet Directory Administration Tools" in Oracle Fusion

Middleware Reference for Oracle Identity Management for more

information on the syntax of the commands used in the examples

■Oracle Fusion Middleware Oracle Process Manager and Notification

Server Administrator's Guide for more information about opmnctl

commands, such as opmnctl createinstance.

Managing Oracle Internet Directory Components by Using opmnctl

Managing Oracle Internet Directory Instances 8-7

[-Sm_Password_File 'File_with_DB_ODSSM_USER_PASSWD']

[-Admin_Password_File 'File_with_OID_Admin_Passwd']

-Namespace "dc=domain_component1,dc=domain_component2..."

[-Port nonSSLPort]

[-Sport SSLPort]

The DBHostName:Port:DBSvcName argument to the -DB_info parameter must be

the same as that provided during installation. If it is not, the command will fail. You

can find this value in the file ORACLE_INSTANCE/config/tnsnames_copy.ora.

If the Oracle Database is based on Real Application Clusters, the argument to the -DB_

info parameter is of the form:

DBHostName1:Port1^DBHostName2:Port2@DBSvcName

The opmnctl command prompts for the WebLogic administrator's user name if you

do not supply it. It also prompts for the passwords if you do not supply password file

names on the command line. The opmnctl command also uses available ports if you

do not specify -Port or -Sport, as described in Section 3.1.3, "Oracle Internet

Directory Ports."

8.3.2 Registering an Oracle Instance by Using opmnctl

During an Oracle Internet Directory installation, Oracle Identity Management 11g

Installer requests domain information. If you choose Configure Without a Domain,

your Oracle Internet Directory instance is not registered with a WebLogic domain.

After the installation is complete, you can choose to register an Oracle instance and all

the components in that Oracle instance by using opmnctl registerinstance. The

syntax is:

ORACLE_INSTANCE/bin/opmnctl registerinstance

-adminHost hostname

-adminPort weblogic_port

-adminUsername weblogic_admin_username

You are prompted for the WebLogic administrator's user name and password.

For example:

ORACLE_INSTANCE/bin/opmnctl registerinstance \

-adminHost myhost \

-adminPort 7001 \

-adminUsername weblogic \

The default administrative port on the WebLogic Administration Server is 7001.

8.3.3 Unregistering an Oracle Instance by Using opmnctl

If you registered an Oracle instance with a WebLogic domain during installation, you

can unregister it after the install is complete. You might want to do this if you decide

to use Oracle Internet Directory in standalone mode. (In standalone mode, you cannot

use Fusion Middleware Control or wlst to manage Oracle Internet Directory.)

To unregister an Oracle instance and all the components in that Oracle instance, you

use opmnctl unregisterinstance. The syntax is:

ORACLE_INSTANCE/bin/opmnctl unregisterinstance

-adminHost hostname

-adminPort weblogic_port

-adminUsername weblogic_admin

Managing Oracle Internet Directory Components by Using opmnctl

8-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

you are prompted for the WebLogic administrator's user name and password if you

do not supply them.

For example:

$ORACLE_INSTANCE/bin/opmnctl unregisterinstance \

-adminHost myhost \

-adminPort 7001 \

-adminUsername weblogic \

The default administrative port on the WebLogic Administration Server is 7001.

8.3.4 Updating the Component Registration of an Oracle Instance by Using opmnctl

You must update the registration of an Oracle Internet Directory component in a

registered Oracle instance whenever you change any of the configuration attributes in

Table 8–1. If you do not update the component registration, you will be unable to use

Fusion Middleware Control or wlst to manage that component.

To update the registration of an Oracle Internet Directory component, you use

opmnctl updatecomponentregistration. The syntax is:

ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration

-adminHost hostname

-adminPort weblogic_port

-adminUsername weblogic_admin

-componentType OID

-componentName compName

-Port non-sslport

-Sport sslport

For example:

$ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration \

-adminHost myhost \

-adminPort 7001 \

-adminUsername weblogic \

-componentType OID \

-componentName oid2 \

-Port 3061 \

-Sport 3131

You are prompted for the WebLogic administrator's user name and password if you

do not supply them.

The default administrative port on the WebLogic Administration Server is 7001.

Table 8–1 Attribute Changes Requiring Update of Component Registration

Attribute See Also

orclhostname Section 9.1.3, "Attributes of the Instance-Specific Configuration

Entry"

orclnonsslport Section 9.1.3, "Attributes of the Instance-Specific Configuration

Entry"

orclsslport Section 9.1.3, "Attributes of the Instance-Specific Configuration

Entry"

userpassword Section 12.10, "Changing the Password for the EMD

Administrator Account"

Managing Oracle Internet Directory Components by Using opmnctl

Managing Oracle Internet Directory Instances 8-9

You must supply both a non-SSL port and an SSL port.

8.3.5 Deleting an Oracle Internet Directory Component by Using opmnctl

You remove an Oracle Internet Directory component by using opmnctl

deletecomponent. This also unregisters the component with the WebLogic server.

The syntax is:

$ORACLE_INSTANCE/bin/opmnctl deletecomponent

-adminHost webLogicHostName

-adminPort webLogicPort

-adminUsername weblogicAdminUsername

-adminPasswordFile text_file_containing_admin_password

-componentType OID

-componentName componentName

you are prompted for the WebLogic administrator's user name and password if you

do not supply them.

8.3.6 Viewing Active Server Instance Information by Using opmnctl

To view the status of components and processes by using opmnctl, type:

opmnctl status -l

For example:

$ ./opmnctl status -l

Processes in Instance: asinst_2

---------------------------------+--------------------+---------+----------+------

------+----------+-----------+------

ias-component | process-type | pid | status |

uid | memused | uptime |

ports---------------------------------+--------------------+---------+----------+-

-----------+----------+-----------+------

oid2 | oidldapd | 24760 | Alive |

988238800 | 102744 | 0:01:12 | N/A

oid2 | oidldapd | 24756 | Alive |

988238799 | 55052 | 0:01:12 | N/A

oid2 | oidmon | 24745 | Alive |

988238796 | 48168 | 0:01:14 | LDAPS:6789,LDAP:6788

oid1 | oidldapd | 21590 | Alive |

988238048 | 103716 | 19:51:48 | N/A

oid1 | oidldapd | 21586 | Alive |

988238047 | 54420 | 19:51:49 | N/A

oid1 | oidmon | 21577 | Alive |

988238046 | 48168 | 19:51:49 | LDAPS:3133,LDAP:3060

8.3.7 Starting the Oracle Internet Directory Server by Using opmnctl

The component name of the first Oracle Internet Directory component is oid1.

To start the first Oracle Internet Directory instance, type:

opmnctl startproc ias-component=oid1

To start all Oracle Internet Directory instances, type

Starting an Instance of the Replication Server by Using OIDCTL

8-10 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

opmnctl startproc process-type=OID

To start all components, type

opmnctl startall

8.3.8 Stopping the Oracle Internet Directory Server by Using opmnctl

To stop the first Oracle Internet Directory server component, type:

opmnctl stopproc ias-component=oid1

To stop all Oracle Internet Directory instances, type

opmnctl stopproc process-type=OID

To stop all components, type

opmnctl stopall

8.3.9 Restarting the Oracle Internet Directory Server by Using opmnctl

To restart the first Oracle Internet Directory instance, type:

opmnctl restartproc ias-component=oid1

To restart all Oracle Internet Directory instances, type

opmnctl restartproc process-type=OID

8.3.10 Changing the Oracle Database Information in opmn.xml

By default, ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml contains an XML

snippet that opmnctl uses when it attempts to start the default Oracle Internet

Directory LDAP server instance. Occasionally, you might need to edit the opmn.xml

file. For example, if you change the Oracle Database instance in ORACLE_

INSTANCE/config/tnsnames.ora, you must add the Oracle Database DB_

CONNECT_STR to ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml. You can

use a text editor to edit opmn.xml.

8.4 Starting an Instance of the Replication Server by Using OIDCTL

To configure an instance of Oracle Internet Directory Replication Server, use the

oidctl start command with server=oidrepld. Best practice is to create a

separate instance of Oracle Internet Directory to use for replication.

First create a new instance of Oracle Internet Directory as described in Section 8.1.3,

"Creating Additional Oracle Internet Directory Instances." Then, ensure that the

environment variable ORACLE_INSTANCE is set and type:

oidctl connect=connStr server=oidrepld inst=1 componentname=Component_Name \

name=Instance_Name start

The componentname value must be the component name of the running oidldapd

server. The name value must be the instance name of the running oidldapd server.

See Also: Section 4.3.1, "Oracle Internet Directory Snippet in

opmn.xml."

Starting an Instance of the Replication Server by Using OIDCTL

Managing Oracle Internet Directory Instances 8-11

Do not start more than one instance of oidrepld on a host. Do not start oidrepld on

more than one Oracle Internet Directory instance sharing the same Oracle Database.

Note: The environment variables ORACLE_INSTANCE, ORACLE_

HOME, and COMPONENT_NAME must be set before you run the oidctl

command to start or stop the replication server.

See Also:

■Chapter 6, "Understanding Oracle Internet Directory Replication"

■Chapter 39, "Setting Up Replication"

Starting an Instance of the Replication Server by Using OIDCTL

8-12 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Managing System Configuration Attributes 9-1

9Managing System Configuration Attributes

This chapter describes attributes that control the LDAP server. See Chapter 41,

"Managing Replication Configuration Attributes" for information about attributes that

control the replication server.

This chapter contains the following topics:

■Section 9.1, "Introduction to Managing System Configuration Attributes"

■Section 9.2, "Managing System Configuration Attributes by Using Fusion

Middleware Control"

■Section 9.3, "Managing System Configuration Attributes by Using WLST"

■Section 9.4, "Managing System Configuration Attributes by Using LDAP Tools"

■Section 9.5, "Managing System Configuration Attributes by Using ODSM Data

Browser"

9.1 Introduction to Managing System Configuration Attributes

This introduction contains the following topics:

■Section 9.1.1, "What are Configuration Attributes?"

■Section 9.1.2, "What are Operational Attributes?"

■Section 9.1.3, "Attributes of the Instance-Specific Configuration Entry"

■Section 9.1.4, "Attributes of the DSA Configuration Entry"

■Section 9.1.5, "Attributes of the DSE"

9.1.1 What are Configuration Attributes?

Most Oracle Internet Directory configuration information is stored in the directory

itself. The information is stored as attributes of specific configuration entries. You

must have superuser privileges to set system configuration attributes.

Some configuration attributes are specific to an individual instance of the Oracle

Internet Directory server. Instance-specific attributes are located in the

instance-specific configuration entry, a specific subentry of the Oracle Internet

Directory instance entry. Figure 8–1, "DIT Showing Two Instance-Specific

Configuration Entries" show s the location of these entries in the DIT.

Some configuration attributes are shared by all Oracle Internet Directory server

instances in a WebLogic Server domain that are connected to the same database.

See Also: Section 3.4.1, "Kinds of Attribute Information."

Introduction to Managing System Configuration Attributes

9-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Shared attributes reside in the DSA Configuration entry. Replication-specific attributes

reside in the Replica Subentry, Replication Configuration, and Replication Agreement

Entry.

Some attributes reside in the DSE Root. Most of those are non-configurable.

You can manage all the configuration attributes from the command-line. In addition,

many of the configuration attributes have specific, task-oriented management

interfaces in Oracle Enterprise Manager Fusion Middleware Control or Oracle

Directory Services Manager. You can also use the Data Browser feature of Oracle

Directory Services Manager to manage the entries directly.

9.1.2 What are Operational Attributes?

Do not confuse configuration attributes with operational attributes. Operational

attributes have special meaning to the directory server and they are used for storing

information needed for processing by the server itself or for holding other data

maintained by the server that is not explicitly provided by clients. These are attributes

that are maintained by the server and either reflect information the server manages

about an entry or affect server operation.

Operational attributes are not returned by a search operation unless you specifically

request them by name or with the "+" option in the search request. See Section 13.3.2,

"Listing Operational Attributes by Using ldapsearch" for more information.

Examples of operational attributes include the time stamp for an entry and the state

values needed for enforcing password policies, described in Section 28.1.6, "Password

Policy-Related Operational Attributes." You cannot modify operational attributes.

9.1.3 Attributes of the Instance-Specific Configuration Entry

During installation, Oracle Identity Management 11g Installer creates an

instance-specific configuration entry for the first Oracle Internet Directory instance. It

copies default values from a read-only entry under cn=configset0. (You can specify

different values for the SSL port and non-SSL during the install.)

The DN of an instance-specific configuration entry has the form:

cn=componentname,cn=osdldapd,cn=subconfigsubentry

For example, if the component name for a server instance is oid1,then the DIT of the

instance-specific configuration entry would be:

cn=oid1,cn=osdldapd,cn=subconfigsubentry

See Also: Chapter 4, "Understanding Process Control of Oracle

Internet Directory Components".

See Also:

■Section 9.2, "Managing System Configuration Attributes by Using

Fusion Middleware Control"

■Section 9.4, "Managing System Configuration Attributes by Using

LDAP Tools"

■Section 9.5, "Managing System Configuration Attributes by Using

ODSM Data Browser"

Introduction to Managing System Configuration Attributes

Managing System Configuration Attributes 9-3

Table 9–1 lists the attributes of the instance-specific configuration entry. The Update

Mechanism column contains the following abbreviations:

■EM – Oracle Enterprise Manager Fusion Middleware Control. See Section 9.2,

"Managing System Configuration Attributes by Using Fusion Middleware

Control."

■WLST–WebLogic Scripting tool. See Section 9.3, "Managing System Configuration

Attributes by Using WLST."

■LDAP–LDAP command-line tools, such as ldapmodify and ldapadd. See

Section 9.4, "Managing System Configuration Attributes by Using LDAP Tools."

Table 9–1 Attributes of the Instance-Specific Configuration Entry

Attribute Description

Update

Mechanism Default Possible Values

orclserverprocs Number of Server

Processes.

Restart the server after

changing.

See Chapter 4.

EM, LDAP,

WLST

1 Integer, up to 1024.

orclreqattrcase Preserve the case of

required attribute names

specified in an

ldapsearch request.

See Chapter 7.

EM, LDAP 0 0: Do not preserve

attribute case

1: Preserve attribute case

orclhostname Hostname or IP address.

See Chapter 10.

If you change the

hostname, run opmnctl

updatecomponentregi

stration and restart the

server. See Chapter 8,

"Managing Oracle Internet

Directory Instances"

LDAP Set during

install

Host or IP address

orclnonsslport Non-SSL port

See Section 9.2.1,

"Configuring Server

Properties." If you change

the port number, restart

the server and run

opmnctl

updatecomponentregi

stration. See Chapter 8,

"Managing Oracle Internet

Directory Instances".

EM, LDAP,

WLST

3060 Port number

orclsslport SSL port

See Section 9.2.1,

"Configuring Server

Properties." If you change

the port number, restart

the server and run

opmnctl

updatecomponentregi

stration. See Chapter 8,

"Managing Oracle Internet

Directory Instances".

EM, LDAP,

WLST

3131 Port number

Introduction to Managing System Configuration Attributes

9-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

orcltxntimelimit Maximum time allowed in

a transaction (seconds).

See Using LDAP

Transactions in Oracle

Fusion Middleware

Application Developer's

Guide for Oracle Identity

Management and

Section 9.2.1, "Configuring

Server Properties."

EM, LDAP,

WLST

0 Positive integer (seconds)

orcltxnmaxoperations Maximum number of

operations allowed in a

transaction. See Using

LDAP Transactions in

Oracle Fusion Middleware

Application Developer's

Guide for Oracle Identity

Management and

Section 9.2.1, "Configuring

Server Properties."

EM, LDAP,

WLST

0 Positive integer

orclservermode Server Mode

See Chapter 15.

EM, LDAP,

WLST

rw R: read-only

rw: read/write

rm: read-modify

orclaudcustevents A comma-separated list of

events and category

names to be audited.

Custom events are only

applicable when

orclAudFilterPreset

is Custom. See Chapter 22.

EM, LDAP,

WLST

Empty Examples include:

Authentication.SUCCESSE

SONLY,

Authorization(Permissio

n -eq 'CSFPerfmission")

orclaudfilterpreset Replaces the audit levels

used in 10g (10.1.4.0.1) and

earlier releases. See

Chapter 22.

EM, LDAP,

WLST

None None, Low, Medium, All,

and Custom.

orclaudsplusers A comma separated list of

users for whom auditing is

always enabled, even if

orclAudFilterPreset

is None. See Chapter 22.

EM, LDAP,

WLST

Empty Valid users. For example:

cn=orcladmin.

orcldebugflag Debug Flag

See Chapter 23.

EM, LDAP,

WLST

0 0 ~ 117440511

See Table 23–3.

orcldebugforceflush Force flush debug

messages

See Chapter 23.

LDAP 0 0: Disable

1: Enable

orcldebugop Operations Enabled for

Debug

See Chapter 23.

EM, LDAP,

WLST

511 See Table 23–4, " Debug

Operations". on page 23-7

orclmaxlogfiles Maximum Number of Log

Files to Keep in Rotation

See Chapter 23.

EM, LDAP,

WLST

100 Integer

Table 9–1 (Cont.) Attributes of the Instance-Specific Configuration Entry

Attribute Description

Update

Mechanism Default Possible Values

Introduction to Managing System Configuration Attributes

Managing System Configuration Attributes 9-5

orclmaxlogfilesize Maximum Log File Size

(MB)

See Chapter 23.

EM, LDAP,

WLST

1 MB Size, in MB

orcleventlevel Statistics collection event

level

See Chapter 24.

EM, LDAP,

WLST

0 See Table 24–5, " Event

Levels" on page 24-9.

orcloptracklevel Security event tracking

level

See Chapter 24.

EM, LDAP,

WLST

0Table 24–3, " Values of

orcloptracklevel" on

page 24-8

orclstatsflag Flag to turn on or off OID

statistics data

See Chapter 24.

EM, LDAP,

WLST

1 0: disable

1: enable

orclstatslevel Enable user statistics

collection

See Chapter 24.

EM, LDAP,

WLST

0 0: disable

1: enable

orclstatsperiodicity Frequency of flushing

statistics to data bases

See Chapter 24.

EM, LDAP,

WLST

30 60

orclsslauthentication SSL Authentication

Restart the server after

changing

See Chapter 26.

EM, LDAP,

WLST

1 1: No SSL authentication

32: One-way

authentication

64: Two-way

authentication

orclsslciphersuite SSL Cipher Suite

Restart the server after

changing

See Chapter 26.

EM, LDAP,

WLST

Empty See Table 26–1, " SSL

Cipher Suites Supported

in Oracle Internet

Directory" on page 26-2,

left column.

orclsslenable SSL Enable

Restart the server after

changing. Do not set

orclsslenable to 1 if

you use WLST or EM to

configure the server.

See Chapter 26.

EM, LDAP,

WLST

2 0: Non-SSL only

1: SSL only,

2: Non-SSL & SSL mode

orclsslinteropmode SSL Interoperability Mode

Restart the server after

changing

See Chapter 26

LDAP 1 0: disabled

1: enabled

orclsslversion SSL Version

Restart the server after

changing

See Chapter 26.

EM, LDAP,

WLST

Table 9–1 (Cont.) Attributes of the Instance-Specific Configuration Entry

Attribute Description

Update

Mechanism Default Possible Values

Introduction to Managing System Configuration Attributes

9-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

orclsslwalleturl SSL Wallet URL

Restart the server after

changing

See Chapter 26.

EM, LDAP,

WLST

File SSL wallet file location.

orclanonymousbindsflag Allow Anonymous binds

See Chapter 32,

EM, LDAP,

WLST

2 See Table 32–4,

" Orclanonymousbindsflag

Value and Directory Server

Behavior" on page 32-8.

orclsaslauthenticationm

ode

SASL Authentication

Restart the server after

changing Mode

See Chapter 32.

EM, LDAP,

WLST

1auth, auth-int, auth-conf.

Specify all three or a

subset of these 3 as a

comma separated string.

orclsaslcipherchoice SASL Cipher Choice

Restart the server after

changing

See Chapter 32.

EM, LDAP,

WLST

Rc4-56,rc4-40,r

c4,des,3des

Any combination of

Rc4-56, des, 3des, rc4,

rc4-40

orclsaslmechanism SASL Mechanism

Restart the server after

changing

See Chapter 32.

EM, LDAP,

WLST

DIGEST-MD5,

EXTERNAL

DIGEST-MD5,

EXTERNAL

orclmaskrealm DIT Masking

See Chapter 38.

LDAP No value List of DIT subtrees.

orclmaskfilter DIT Masking

See Chapter 38.

LDAP No value LDAP attribute filter.

orclmaskattribute DIT Masking

See Chapter 38.

LDAP No value List of attributes, possibly

preceded by !.

orcldispthreads Maximum number of

dispatcher threads per

server process.

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide

Restart server after

changing.

EM, LDAP,

WLST

1 Integer (Max 16)

orclldapconntimeout LDAP Connection

Timeout, in minutes

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

EM, LDAP,

WLST

0 Integer

Note: Users configured for

statistics tracking do not

time out as per this setting.

Table 9–1 (Cont.) Attributes of the Instance-Specific Configuration Entry

Attribute Description

Update

Mechanism Default Possible Values

Introduction to Managing System Configuration Attributes

Managing System Configuration Attributes 9-7

orclmaxcc Maximum Number of DB

Connections

Restart the server after

changing.

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

EM, LDAP,

WLST

2 Integer, maximum128

orclmaxconnincache Maximum number of

cached user group

connections

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

EM, LDAP,

WLST

100000 Integer

orclmaxldapconns Maximum number of

concurrent connections

per server process

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

EM, LDAP,

WLST

1024 Int (Max system max file

descriptors per process)

orclmaxserverresptime Maximum Time in

seconds for Server process

to respond back to

Dispatcher process

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

EM, LDAP,

WLST

300 seconds Number of Seconds

0: Dispatcher does not

detect the server hang.

orclnwrwtimeout Maximum time in seconds

for OID Server to wait for

LDAP client respond to a

Read/Write operation.

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

EM, LDAP,

WLST

30 seconds Integer

Table 9–1 (Cont.) Attributes of the Instance-Specific Configuration Entry

Attribute Description

Update

Mechanism Default Possible Values

Introduction to Managing System Configuration Attributes

9-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

orcloptrackmaxtotalsize Maximum number of

bytes of RAM that security

events tracking can use for

each type of operation.

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

LDAP 100000000

Bytes

Available RAM, in bytes

orcloptracknumelemcontainers;

1stlevel

Number of in-memory

cache containers for

storing information about

users performing

operations.

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

LDAP 256 Integer

orcloptracknumelemcontainers;

2ndlevel

Number of in-memory

cache containers for

storing information about

users whose user

password is compared

and tracked when detailed

compare operation

statistics is programmed.

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

LDAP 256 Integer

orclpluginworkers Maximum number of

plug-in worker threads

per server process

Restart the server after

changing.

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

EM, LDAP,

WLST

2 Int (Max 64)

Table 9–1 (Cont.) Attributes of the Instance-Specific Configuration Entry

Attribute Description

Update

Mechanism Default Possible Values

Introduction to Managing System Configuration Attributes

Managing System Configuration Attributes 9-9

9.1.4 Attributes of the DSA Configuration Entry

The DSA configuration entry has the DN:

cn=dsaconfig,cn=configsets,cn=oracle internet directory

Table 9–2 shows shared attributes in the DSA configuration entry. The Update

Mechanism column contains the following abbreviations:

■EM – Oracle Enterprise Manager Fusion Middleware Control. See Section 9.2,

"Managing System Configuration Attributes by Using Fusion Middleware

Control."

■LDAP–LDAP command-line tools, such as ldapmodify and ldapadd. See

Section 9.4, "Managing System Configuration Attributes by Using LDAP Tools."

orclsizelimit Number of entries that can

be returned in an

ldapsearch result

See the Oracle Internet

Directory chapter in

Oracle Fusion Middleware

Performance and Tuning

Guide.

LDAP 10000 Integer

orcltimelimit Maximum time that server

can spend for a given

ldapsearch operation

EM, LDAP,

WLST

3600 Integer (seconds)

orclsdumpflag Generate stack dump.

See Appendix S.

LDAP 0 0: Generate stack trace file.

1: Do not generate stack

trace file, but generate a

core file.

Note: DSA is an X.500 term for the directory server.

Table 9–2 Attributes in the DSA Configuration Entry

Attribute Description Update Mechanism Default Possible Values

orclmaxfiltsize Maximum Filter Size

See Section 9.2.2, "Configuring

Shared Properties."

EM, LDAP 24576 Integer

orclrefreshdgrmems Refresh Dynamic Group

Memberships. See Chapter 14.

LDAP 0 Set to 1 to cause a

refresh. Server will

reset it to 0.

orclautocatalog Index attributes on first

search. See Section 20.1.3.4,

"About Indexing Attributes."

EM, LDAP 1 0: Disabled

1: Enabled

orclrienabled Referential Integrity. See

Chapter 21.

EM, LDAP 0 0: Disabled

1: Enabled

orclstatsdn User DNs for statistics

collection. See Chapter 24.

EM, LDAP Empty DNs of entries

Table 9–1 (Cont.) Attributes of the Instance-Specific Configuration Entry

Attribute Description

Update

Mechanism Default Possible Values

Introduction to Managing System Configuration Attributes

9-10 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

orcldataprivacymod

Sensitive attributes encrypted

when returned

See Chapter 27.

LDAP 0 0: Disabled

1: Enabled

orclencryptedattri

butes

Sensitive attributes stored in

encrypted format.

See Chapter 27.

LDAP See Table 27–1

on page 27-6.

Attributes

orclhashedattribut

Attributes stored in hashed

format.

See Chapter 27.

EM, LDAP Empty Attributes

orclpkimatchingrul

PKI Matching Rule for

mapping user's PKI certificate

DN to the user's entry DN. See

Chapter 32.

EM, LDAP 2 0: Exact match.

1: Certificate search.

2: Combination of 0

and 1.

3: Mapping rule only.

4: Try in order: 3, 2

orclgeneratechange

log

Whether to generate change

logs for user operations.

See Chapter 42 and the

Oracle Internet Directory

chapter of Oracle Fusion

Middleware Performance and

Tuning Guide

LDAP 1 1: enable

0: disable

orcljvmoptions Options passed to the JVM

when a server plug-in is

invoked. See Chapter 44.

EM, LDAP -Xmx64M Valid JVM options

orclinmemfiltproce

Search Filters to be processed

in memory See the Oracle

Internet Directory chapter

in Oracle Fusion Middleware

Performance and Tuning Guide.

EM, LDAP See list in

Oracle Fusion

Middleware

Performance and

Tuning Guide

Valid search filters

orclmatchdnenabled Whether to provide detailed

MatchDN information when

base DN of a search is not

present. See the Oracle

Internet Directory chapter

of Oracle Fusion Middleware

Performance and Tuning Guide

EM, LDAP 1 0: Do not match

1: Match

orclskewedattribut

Skewed attributes.

Server restart recommended

after changing.

See the Oracle Internet

Directory chapter in Oracle

Fusion Middleware Performance

and Tuning Guide.

EM, LDAP objectclass List of attributes

Table 9–2 (Cont.) Attributes in the DSA Configuration Entry

Attribute Description Update Mechanism Default Possible Values

Introduction to Managing System Configuration Attributes

Managing System Configuration Attributes 9-11

9.1.5 Attributes of the DSE

The DSA-specific entry (DSE) is the root of the DIT. This is where Oracle Internet

Directory publishes information about itself, such as naming contexts, supported

controls, and matching rules. Most attributes of the DSE should not be modified

directly. Some attributes that you might need to modify are listed in Table 9–3.

orclskiprefinsql Skip referral for search.

Server restart recommended

after changing. See the

Oracle Internet Directory

chapter in Oracle Fusion

Middleware Performance and

Tuning Guide.

EM, LDAP 0 0: Disabled

1: Enabled

orcltlimitmode Specify search time limit

mode to be either accurate or

approximate. See the Oracle

Internet Directory chapter

in Oracle Fusion Middleware

Performance and Tuning Guide.

LDAP 0 0: Accurate

1: Approximate

orclecacheenabled Enable Entry Cache. See the

Oracle Internet Directory

chapter in Oracle Fusion

Middleware Performance and

Tuning Guide.

EM, LDAP, WLST 1 1: Enable, 0: Disable

orclecachemaxentri

Maximum Entries in Entry

Cache. See the Oracle

Internet Directory chapter

in Oracle Fusion Middleware

Performance and Tuning Guide.

EM, LDAP, WLST 100000 Integer

orclecachemaxsize Entry Cache Size in bytes. See

the Oracle Internet

Directory chapter in Oracle

Fusion Middleware Performance

and Tuning Guide.

EM, LDAP, WLST 200000000

Bytes

Size_t (can be

specified using K, M,

or G as Kilo, Mega

and Giga bytes

respectively). For

example, 200M is a

valid value.

orclrscacheattr Result Set Cache Attributes

See the Oracle Internet

Directory chapter in Oracle

Fusion Middleware Performance

and Tuning Guide.

EM, LDAP, WLST cn, mail, uid,

orclguid

Comma-separated list

of attributes.

Typically these

attributes are not

modified for the life

of the entry.

orclenablegroupcac

Enable/Disable Group cache

See the Oracle Internet

Directory chapter in Oracle

Fusion Middleware Performance

and Tuning Guide.

LDAP 1 1 Enable,

0 Disable

Table 9–2 (Cont.) Attributes in the DSA Configuration Entry

Attribute Description Update Mechanism Default Possible Values

Managing System Configuration Attributes by Using Fusion Middleware Control

9-12 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

9.2 Managing System Configuration Attributes by Using Fusion

Middleware Control

You can view and set most of the configuration attributes for an Oracle directory

server by using Oracle Enterprise Manager Fusion Middleware Control.

This section contains the following topics:

■Section 9.2.1, "Configuring Server Properties"

■Section 9.2.2, "Configuring Shared Properties"

■Section 9.2.3, "Configuring Other Parameters"

9.2.1 Configuring Server Properties

You can configure most of the attributes in the instance-specific configuration entry by

using the Oracle Internet Directory Server Properties pages of Fusion Middleware

Control., as follows:

1. Select Administration, then Server Properties from the Oracle Internet Directory

menu.

2. Select General, Performance, SASL, Statistics, or Logging, depending on which

parameters you want to configure.

3. After changing the configuration, choose Apply.

The correspondence between server properties and configuration attributes on the

General tab of the Server Properties page is shown in Table 9–4.

General

Table 9–3 Attributes of the DSE

Attribute Description

Update

Mechanism Default Possible Values

namingcontexts Naming contexts. See

Chapter 11.

LDAP c=us

dc=com

Any valid naming context.

ref Referral specification.

See Chapter 19.

LDAP

orclaci Access control at the

root DSE level. See

Chapter 29.

LDAP

orclcryptoscheme Hashing algorithm for

protecting passwords.

See Chapter 30.

LDAP SHA MD4, MD5, SHA, SSHA,

SHA256, SHA384, SHA512,

SSHA256, SSHA384, SSHA512,

SMD5, UNIX Crypt

subentry Contains DN of

password policy

governing the DSE

root. See Chapter 28.

LDAP cn=default,cn=pw

dPolicies,cn=Com

mon,cn=Products,

cn=OracleContext

Table 9–4 Configuration Attributes on Server Properties Page, General Tab.

Field or Heading Configuration Attribute

Server Mode orclservermode

Managing System Configuration Attributes by Using Fusion Middleware Control

Managing System Configuration Attributes 9-13

Performance

The correspondence between server properties and configuration attributes on the

Performance tab of the Server Properties page is shown in Table 9–5

Restart the server after changing orclserverprocs, orclmaxcc,

orcldispthreads, or orclpluginworkers.

SASL

The correspondence between server properties and configuration attributes on the

SASL tab of the Server Properties page is shown in Table 32–1, " Configuration

Attributes on Server Properties, SASL Tab".

Maximum number of entries to be returned by a

orclsizelimit

Maximum time allowed for a search to complete

(sec)

orcltimelimit

Preserve Case of Required Attribute Name

specified in Search Request

orclreqattrcase

Anonymous Bind orclanonymousbindsflag

Maximum time allowed in a Transaction (sec) orcltxntimelimit

Maximum Number of Operations allowed in a

Transaction

orcltxnmaxoperations

Non-SSL Port orclnonsslport

SSL Port orclsslport

Table 9–5 Configuration Attributes on Server Properties Page, Performance Tab

Field or Heading Configuration Attribute

Number of OID LDAP Server Processes orclserverprocs

Number of DB Connections per Server Process orclmaxcc

Number of users in privilege Group membership

Cache

orclmaxconnincache

LDAP Idle Connection Timeout (minutes) orclldapconntimeout

OID server Network Read/Write Retry Timeout

(sec)

orclnwrwtimeout

Maximum Number of LDAP connections per

Server Process

orclmaxldapconns

Maximum Time in seconds for Server process to

respond back to Dispatcher process

orclMaxServerRespTime

Number of Dispatcher Threads per Server Process orcldispthreads

Number of Plugin Threads per Server Process orclpluginworkers

Enable Change Log Generation orclgeneratechangelog

Table 9–4 (Cont.) Configuration Attributes on Server Properties Page, General Tab.

Field or Heading Configuration Attribute

Managing System Configuration Attributes by Using Fusion Middleware Control

9-14 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Statistics

The correspondence between server properties and configuration attributes on the

Statistics tab of the Server Properties page is shown in Table 24–2, " Configuration

Attributes on Server Properties Page, Statistics Tab".

Logging

The correspondence between server properties and configuration attributes on the

Logging tab of the Server Properties page is shown in Table 23–2, " Configuration

Attributes on Server Properties Page, Logging Tab".

9.2.2 Configuring Shared Properties

You can configure some of the shared system configuration attributes in the DSA

configuration entry by using the Oracle Internet Directory Shared Properties page of

Fusion Middleware Control. Select Administration, then Shared Properties, then

select General, Change Superuser Password, or Replication from the Oracle Internet

Directory menu. After changing the configuration, choose Apply. The correspondence

is as follows:

General

A server restart is recommended after changing orclskiprefinsql or

orclskewedattribute.

Change Superuser Password

See Section 12.5, "Changing the Superuser Password by Using Fusion Middleware

Control."

Table 9–6 Configuration Attributes on Shared Properties Page, General Tab

Field or Heading Configuration Attribute

User DN orclstatsdn

Skip referral for search orclskiprefinsql

Skewed attributes orclskewedattribute

Search Filters to be processed in memory orclinmemfiltprocess

Hashed attributes orclhashedattributes

Match DN orclMatchDnEnabled

PKI Matching Rule orclPKIMatchingRule

Referential Integrity orclrienabled

Maximum Filter Size orclmaxfiltsize

Enable Entry Cache orclecacheenabled

Maximum Entries in Entry Cache orclecachemaxentries

Maximum Entry Cache Size (MB) orclecachemaxsize

Number of users in privilege group

membership cache NOT on EM page

orclmaxconnincache

Result Set Cache Attributes orclrscacheattr

Java Plug-in VM Options orcljvmoptions

Managing System Configuration Attributes by Using WLST

Managing System Configuration Attributes 9-15

Replication

Replication-related attributes are described in Chapter 41, "Managing Replication

Configuration Attributes." See Section 41.2.1, "Configuring Attributes on the Shared

Properties, Replication Tab."

9.2.3 Configuring Other Parameters

You can configure SSL parameters by using the Oracle Internet Directory SSL

Configuration Page. See Section 26.2, "Configuring SSL by Using Fusion Middleware

Control." You must restart the server for SSL configuration changes to take effect.

You can configure Audit attributes by using the Oracle Internet Directory Audit Policy

Settings page. See Section 22.2, "Managing Auditing by Using Fusion Middleware

Control."

9.3 Managing System Configuration Attributes by Using WLST

A managed bean (MBean) is a Java object that represents a JMX manageable resource

in a distributed environment, such as an application, a service, a component or a

device. The WebLogic server uses custom MBeans as its interface to OPMN-managed

components, such as Oracle Internet Directory. You can use the WebLogic Scripting

Tool (wlst) in the Oracle Common home to manage the attributes of the Oracle

Internet Directory instance-specific configuration entry that have Oracle Enterprise

Manager Fusion Middleware Control interfaces.

You use WLST as follows:

1. Invoke WLST

ORACLE_COMMON_HOME/common/bin/wlst.sh

2. Connect to the WebLogic server

connect('username', 'password', 'localhost:7001')

3. To navigate to the custom mbean tree, type:

custom()

at the wlst prompt.

4. To get a one-level list of the MBean in the custom MBean tree, type:

Note: WLST manages Oracle Internet Directory through its SSL port.

The Oracle Internet Directory SSL port must be configured for no

authentication or server authentication. If the Oracle Internet

Directory SSL port is configured for mutual authentication, you will

not be able to change Oracle Internet Directory attributes by using

WLST. See Section 26.1.3, "SSL Authentication Modes."

See Also:

■Oracle Fusion Middleware Administrator's Guide

■Oracle Fusion Middleware Oracle WebLogic Scripting Tool

■Section 26.3, "Configuring SSL by Using WLST"

■Section 22.3, "Managing Auditing by Using WLST"

Managing System Configuration Attributes by Using WLST

9-16 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

ls()

In the ls() output, you see two domains that contain MBeans that are related to

Oracle Internet Directory configuration. The domains are

oracle.as.management.mbeans.register and oracle.as.oid.

5. To get to a domain, use the cd() command. For example:

cd('oracle.as.management.mbeans.register')

cd('oracle.as.oid')

If you type ls(), you see a list of MBeans in that domain. There are three MBeans

related to Oracle Internet Directory configuration under

oracle.as.management.mbeans.register and two under

oracle.as.oid. Table 9–7lists them.

INSTANCE and COMPONENT_NAME refer to the Oracle instance where your

Oracle Internet Directory component is located and the name of the component,

respectively.

6. To get to a specific MBean, type:

cd('MBEAN_NAME')

For example, if you are in the domain

oracle.as.management.mbeans.register, and you want to manage the

Root Proxy MBean for Oracle Internet Directory component oid1 in Oracle

instance instance1, type:

cd('oracle.as.management.mbeans.register:type=OID,name=oid1,instance=instance1'

)

Table 9–7 Oracle Internet Directory-Related MBeans

MBean Name MBean Domain MBean Format in ls() Output

Root Proxy MBean

oracle.as.management.mbeans

.register

oracle.as.management.mbeans.register:type=comp

onent,name=COMPONENT_NAME,instance=INSTANCE

Non-SSL Port

MBean

oracle.as.management.mbeans

.register

oracle.as.management.mbeans.register:type=comp

onent.nonsslport,name=nonsslport1,instance=INS

TANCE,component=COMPONENT_NAME

Audit MBean

oracle.as.management.mbeans

.register

oracle.as.management.mbeans.register:type=comp

onent.auditconfig,name=auditconfig1,instance=I

NSTANCE,component=COMPONENT_NAME

SSL Port MBean

oracle.as.oid oracle.as.oid:type=component.sslconfig,name=ss

lport1,instance=INSTANCE,component=COMPONENT_

NAME

Key Store MBean

oracle.as.oid oracle.as.oid:type=component.keystore,name=key

store,instance=INSTANCE,component=COMPONENT_

NAME

Note: The Audit MBean is shown here for completeness, but you use

different commands for managing auditing by using wlst. See

"Managing Auditing by Using WLST" on page 22-5.

Managing System Configuration Attributes by Using LDAP Tools

Managing System Configuration Attributes 9-17

7. Once you have navigated to the desired MBean, you can get the current value for

an attribute by typing:

get('ATTRIBUTE_NAME')

For example, to get the value for orclserverprocs, type:

get('orclserverprocs')

8. Before you make any changes to attributes, you must ensure that the MBean has

the current server configuration. To do that, load the configuration from Oracle

Internet Directory server to the mbean. Type:

invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.Strin

g))

9. Then you can use the set command to set a specific attribute. Type:

set('ATTRIBUTE_NAME', ATTRIBUTE_VALUE)

For example, to set orclserverprocs = 12, type:

set('orclserverprocs', 12)

10. After making changes, you must save the MBean configuration to the Oracle

Internet Directory server. Type:

invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.Strin

g))

9.4 Managing System Configuration Attributes by Using LDAP Tools

From the command line, you can modify most system configuration attributes by

using ldapmodify and list most system configuration by using ldapsearch.

9.4.1 Setting System Configuration Attributes by Using ldapmodify

You can modify most attributes in Table 9–1, Table 9–2, and Table 9–3 by using the

command-line:

ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile

The contents of the LDIF file depends on the DN and the operation being performed.

The LDIF file for changing the value of the orclgeneratechangelog attribute in

the instance-specific entry to 1 would be:

dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry

changetype: modify

replace: orclgeneratechangelog

orclgeneratechangelog: 1

The LDIF file for adding the orclinmemfiltprocess attribute to the DSA

configuration entry would be:

dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory

changetype: modify

add: orclinmemfiltprocess

orclinmemfiltprocess: (objectclass=inetorgperson)(orclisenabled=TRUE)

Managing System Configuration Attributes by Using LDAP Tools

9-18 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

9.4.2 Listing Configuration Attributes with ldapsearch

You can use ldapsearch to list most attributes.

Instance-Specific Configuration Entry

If the component name for a server instance is oid1,then you can list the attributes in

the instance-specific configuration entry with a command line such as:

ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \

-b "cn=oid1,cn=osdldapd,cn=subconfigsubentry" -s base "objectclass=*"

DSA Configuration Entry

You can list the attributes with the command line:

ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \

-b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" \

-s base "objectclass=*"

DSE

You can list the attributes with the command line:

ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \

-b "" -s base "objectclass=*"

Notes:

■In 11g Release 1 (11.1.1), consecutive settings of orcldebugflag

and of orcloptracklevel are additive.

■Restart the server after changing orclskiprefinsql,

orclskewedattribute, orclserverprocs,

orcldispthreads, orclmaxcc, orclpluginworkers, or any

attribute with a name that begins with "orclssl" or "orclsasl."

■After changing orclnonsslport or orclsslport, restart the

server and run opmnctl updatecomponentregistration, as

described in Section 8.3.4, "Updating the Component Registration

of an Oracle Instance by Using opmnctl."

See Also:

■The Oracle Internet Directory chapter of Oracle Fusion

Middleware Performance and Tuning Guide for more examples of

LDIF files

■The ldapmodify command-line tool reference in Oracle Fusion

Middleware Reference for Oracle Identity Management for a more

detailed discussion of ldapmodify, and a list of its options

■The "Oracle Identity Management LDAP Attribute Reference"

in Oracle Fusion Middleware Reference for Oracle Identity

Management for descriptions of the modifiable system

configuration attributes.

Managing System Configuration Attributes by Using ODSM Data Browser

Managing System Configuration Attributes 9-19

9.5 Managing System Configuration Attributes by Using ODSM Data

Browser

Oracle Enterprise Manager Fusion Middleware Control is the recommended graphical

user interface for managing system configuration attributes. You can also use ODSM

to manage system configuration attributes, which can be useful if Fusion Middleware

Control is not available or if you must modify an attribute that has no Fusion

Middleware Control interface.

See Section 13.2, "Managing Entries by Using Oracle Directory Services Manager" for

detailed instructions for changing the attributes of a directory entry. The following

sections explain how to get to the entries that contain system configuration attributes

in ODSM.

9.5.1 Navigating to the Instance-Specific Configuration Entry

On the Data Browser tab, in the navigation tree, expand subconfigsubentry, then

osdldapd. Then select the name of the Oracle Internet Directory component you want

to manage.

9.5.2 Navigating to the DSA Configuration Entry

On the Data Browser tab, in the navigation tree, expand oracle internet

directory, then configsets, then select the entry dsaconfig.

9.5.3 Navigating to the DSE Root

On the Data Browser tab, click Root in the navigation tree to select the DSE.

Managing System Configuration Attributes by Using ODSM Data Browser

9-20 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Managing IP Addresses 10-1

10Managing IP Addresses

This chapter discusses how to manage Oracle Internet Directory's IP addresses. It

contains the following sections:

■Section 10.1, "Introduction to Managing IP Addresses"

■Section 10.2, "Configuring an IP Address for IP V6, Cold Failover Cluster, or

Virtual IP"

10.1 Introduction to Managing IP Addresses

When you install Oracle Internet Directory on a dual stack (IPV4/IPV6) host, Oracle

Internet Directory listens on both addresses. You cannot install Oracle Internet

Directory on a host with only an IPV6 address because the Oracle Database requires

an IPV4 address to connect to.

If you install Oracle Internet Directory on an IPV4 host and then change the host's

address to IPV6, you must configure Oracle Internet Directory's IP address separately

to the IPV6 address by changing the orclhostname attribute in the instance-specific

configuration entry.

If you must have Oracle Internet Directory listen on a specific address for some other

reason, you also do that by changing the orclhostname attribute in the

instance-specific configuration entry.

10.2 Configuring an IP Address for IP V6, Cold Failover Cluster, or Virtual

Perform the following steps to configure Oracle Internet Directory to listen on a

specific IP address:

1. Create an LDIF file similar to this:

dn: cn=COMPONENT_NAME, cn=osdldapd, cn=subconfigsubentry

changetype: modify

replace: orclhostname

orclhostname: IP_address

2. Execute the following ldapmodify command:

ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile

3. Restart Oracle Internet Directory by using opmnctl, as follows:

opmnctl stopall

opmnctl startall

Configuring an IP Address for IP V6, Cold Failover Cluster, or Virtual IP

10-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

4. Update the registration of the Oracle Internet Directory component, as described

in Section 8.3.4, "Updating the Component Registration of an Oracle Instance by

Using opmnctl." For example:

$ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration \

-adminHost myhost \

-adminPort 7001 \

-adminUsername weblogic \

-componentType OID \

-componentName oid2\

-Port 3061

If you fail to perform this step, you will be unable to use Fusion Middleware

Control or wlst to manage that component.

You can also use ODSM to change the orclhostname attribute in the

instance-specific configuration entry. See Section 9.5, "Managing System Configuration

Attributes by Using ODSM Data Browser."

Managing Naming Contexts 11-1

11Managing Naming Contexts

To enable users to search for specific naming contexts, you can publish those naming

contexts. This section contains these topics:

■Section 11.1, "Introduction to Managing Naming Contexts"

■Section 11.2, "Searching for Published Naming Contexts"

■Section 11.3, "Publishing a Naming Context"

11.1 Introduction to Managing Naming Contexts

See "Naming Contexts" on page 3-14 for a description of naming contexts.

To publish a naming context, you specify the topmost entry of each naming context as

a value of the namingContexts attribute in the root DSE. For example, suppose you

have a DIT with three major naming contexts, the topmost entries of which are c=uk,

c=us, and c=de. If these entries are specified as values in the namingContexts

attribute, then a user, by specifying the appropriate filter, can find information about

them by searching the root DSE. The user can then focus the search—for example, by

concentrating on the c=de naming context in particular.

11.2 Searching for Published Naming Contexts

To search for published naming contexts, perform a base search on the root DSE with

objectClass =* specified as a search filter. The retrieved information includes

those entries specified in the namingContexts attribute. For example:

ldapsearch -p 3060 -q -D cn=orcladmin -b "" -s base -L "objectclass=*" \

namingcontexts

Before you publish a naming context, be sure that:

■You are a directory administrator with the necessary access to the root DSE.

■The topmost entry of that naming context exists in the directory.

Note: This command will not return anything unless naming

contexts have been published.

Publishing a Naming Context

11-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

11.3 Publishing a Naming Context

You use ldapmodify to publish a naming context. The namingContexts attribute is

multi-valued, so you can specify multiple naming contexts.

You can modify namingContexts by using the command-line:

ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile

The following sample LDIF file specifies the entry c=uk as a naming context.

dn:

changetype: modify

add: namingcontexts

namingcontexts: c=uk

Managing Accounts and Passwords 12-1

12Managing Accounts and Passwords

This chapter contains these topics:

■Section 12.1, "Introduction to Managing Accounts and Passwords"

■Section 12.2, "Managing Accounts and Passwords by Using Command-Line Tools"

■Section 12.3, "Managing Accounts and Passwords by Using the Self-Service

Console"

■Section 12.4, "Listing and Unlocking Locked Accounts by Using Oracle Directory

Services Manager"

■Section 12.5, "Changing the Superuser Password by Using Fusion Middleware

Control"

■Section 12.6, "Creating Another Account With Superuser Privileges"

■Section 12.7, "Managing the Superuser Password by Using ldapmodify"

■Section 12.8, "Changing the Oracle Internet Directory Database Password"

■Section 12.9, "Resetting the Superuser Password"

■Section 12.10, "Changing the Password for the EMD Administrator Account"

■Section 12.11, "Changing the Password for the ODSSM Administrator Account"

12.1 Introduction to Managing Accounts and Passwords

This chapter describes some administrative tasks related to accounts and passwords.

See Also:

■Chapter 13, "Managing Directory Entries"

■Chapter 28, "Managing Password Policies"

■Section 42.3.13, "Changing the Replication Administrator's

Password for Advanced Replication"

Note: All references to the Self-Service console in this chapter refer to

the console included with Oracle Delegated Administration Services

10g (10.1.4.3.0) or later, which is compatible with Oracle Internet

Directory 11g Release 1 (11.1.1). See Oracle Identity Management Guide

to Delegated Administration in the 10g (10.1.4.0.1) Library for more

information.

Managing Accounts and Passwords by Using Command-Line Tools

12-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

Using command-line tools or the Self-Service console, you can temporarily disable a

user's account, then enable it again. If you are a member of the Security

Administrators Group, then you can unlock an account without resetting the user

password. This saves you from having to explicitly tell the user the new password.

The user can simply log in using the old password.

Using command-line tools, you can force users to change their passwords when they

If you forget your password or become locked out of your account, then you can reset

your password. You do this by using the Self-Service Console. This involves

identifying yourself to the server by providing values for a set of password validation

attributes. This takes the form of answering a password hint question to which you

had earlier specified an answer.

The Superuser is a special directory administrator with full access to directory

information. The default user name of the superuser is orcladmin. The password is

set by the administrator during installation.

You can use either Oracle Enterprise Manager or ldapmodify to administer the

Superuserpassword.

Another privileged account is the administrator, "cn=emd admin,cn=oracle

internet directory". This account is used for starting and stopping Oracle

Internet Directory server manageability information collection. It is also used by

Oracle Enterprise Manager Fusion Middleware Control to make configuration changes

to Oracle Internet Directory. These changes are made over a secure connection.

The only way you can change this account's password is to use the procedure

documented in Section 12.10, "Changing the Password for the EMD Administrator

Account." There is no support in the oidpasswd tool for changing this password.

12.2 Managing Accounts and Passwords by Using Command-Line Tools

This section contains these topics:

■Section 12.2.1, "Enabling and Disabling Accounts by Using Command-Line Tools"

■Section 12.2.2, "Unlocking Accounts by Using Command-Line Tools"

■Section 12.2.3, "Forcing a Password Change by Using Command-Line Tools"

12.2.1 Enabling and Disabling Accounts by Using Command-Line Tools

You can temporarily disable a user's account, then enable it again, by using

command-line tools.

To permanently disable the account, set the orclisenabled attribute to DISABLED.

Setting this attribute to any other value enables the account.

To enable the account after you have disabled it, delete this attribute from the entry.

Note: Oracle recommends that you change the password

immediately after installation.

See Also: Chapter 29, "Managing Directory Access Control" for

information on how to set access rights

Managing Accounts and Passwords by Using the Self-Service Console

Managing Accounts and Passwords 12-3

To enable the account for a specific period, set the orclActiveStartDate and

orclActiveEndDate attributes in the user entry to the proper value in UTC

(Coordinated Universal Time) format. For example, you could use a command line

such as:

ldapmodify -p port -h host -D cn=orcladmin -q -v -f my.ldif

where my.ldif contains:

dn:cn=John Doe,cn=users,o=my_company,dc=com

orclactivestartdate:20030101000000z

orclactiveenddate: 20031231000000z

In this example, John Doe can log in only between January 1, 2003 and December 31,

2003. He cannot login before January 1, 2003 or after December 31, 2003. If you want to

disable his account for the period between these dates, then set the orclisenabled

attribute to DISABLED.

12.2.2 Unlocking Accounts by Using Command-Line Tools

If you are a member of the Security Administrators Group, then you can unlock an

account without resetting the user password. This saves you from having to explicitly

tell the user the new password. The user can simply log in using the old password.

To unlock an account, set the orclpwdaccountunlock attribute to 1.

The following example unlocks the account for user John Doe.

ldapmodify -p port -h host -D cn=orcladmin -q -v -f file.ldif

where file.ldif contains:

dn: cn=John Doe,cn=users,o=my_company,dc=com

changetype: modify

add: orclpwdaccountunlock

orclpwdaccountunlock: 1

12.2.3 Forcing a Password Change by Using Command-Line Tools

You can force users to change their passwords when they log in for the first time. To

do this, set the pwdMustChange attribute in the pwdpolicy entry to 1, and then reset

the password. If you do this, you must explicitly tell the user the new password so that

the user can log in to change that password.

12.3 Managing Accounts and Passwords by Using the Self-Service

Console

For administrators, Oracle Directory Services Manager is the primary tool for

managing users and passwords.

See Also:

■Section 12.3.3, "Resetting Your Own Password by Using the

Oracle Internet Directory Self-Service Console"for instructions

on resetting passwords

■Section 28.3.4, "Setting Password Policies by Using

Command-Line Tools" for instructions on setting attributes of a

password policy

Managing Accounts and Passwords by Using the Self-Service Console

12-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

You can also use Oracle Identity Manager to centralize user and account provisioning

to Oracle Internet Directory 11g Release 1 (11.1.1). For end user self-service, Oracle

Identity Manager is the recommended solution. The Oracle Identity Manager

documentation is available on Oracle Technology Network at:

http://www.oracle.com/technology/documentation/oim.html

Customers who already have Oracle Delegated Administration Services in their

environment can use it for end user self-service with Oracle Internet Directory 11g

Release 1 (11.1.1). However, 10g is the terminal release for Oracle Delegated

Administration Services, and the component is deprecated in 11g and later releases.

This section contains these topics:

■Section 12.3.1, "Enabling and Disabling Accounts by Using the Oracle Internet

Directory Self-Service Console"

■Section 12.3.2, "Unlocking Accounts by Using the Oracle Internet Directory

Self-Service Console"

■Section 12.3.3, "Resetting Your Own Password by Using the Oracle Internet

Directory Self-Service Console"

12.3.1 Enabling and Disabling Accounts by Using the Oracle Internet Directory

Self-Service Console

You can temporarily disable a user's account, then enable it again, by using the Oracle

Internet Directory Self-Service Console.

12.3.2 Unlocking Accounts by Using the Oracle Internet Directory Self-Service Console

If you are a member of the Security Administrators Group, then, if an account becomes

locked, you can unlock it without resetting the user password. This saves you from

having to explicitly tell the user the new password. The user can simply log in by

using the old password.

12.3.3 Resetting Your Own Password by Using the Oracle Internet Directory

Self-Service Console

If you forget your password or become locked out of your account, then you can reset

your password. This involves identifying yourself to the server by providing values

for a set of password validation attributes. This takes the form of answering a

password hint question to which you had earlier specified an answer.

See Also: The section on managing accounts in Oracle Identity

Management Guide to Delegated Administration in the 10g (10.1.4.0.1)

library for instructions on enabling and disabling accounts by using

the Oracle Internet Directory Self-Service Console

See Also: The section on managing accounts in Oracle Identity

Management Guide to Delegated Administration in the 10g (10.1.4.0.1)

library for instructions on using the Oracle Internet Directory

Self-Service Console to unlock accounts

See Also: The section on resetting your password if you forget it

in Oracle Identity Management Guide to Delegated Administration in

the 10g (10.1.4.0.1) library for instructions on using the Oracle

Internet Directory Self-Service Console to reset your password

Creating Another Account With Superuser Privileges

Managing Accounts and Passwords 12-5

12.4 Listing and Unlocking Locked Accounts by Using Oracle Directory

Services Manager

You can use Oracle Directory Services Manager to list and unlock locked accounts.

1. Invoke Oracle Directory Services Manager as described in Section 7.4.5, "Invoking

Oracle Directory Services Manager."

2. From the task selection bar, select Data Browser.

3. Perform a simple search, as described in Section 13.2.2, "Searching for Entries by

Using Oracle Directory Services Manager," using the search string

(pwdaccountlockedtime=*). A list of entries with locked accounts appears.

4. Select the entry whose account you want to unlock.

5. When an account is locked, Unlock Account appears before the Apply and Revert

buttons. Click Unlock Account.

12.5 Changing the Superuser Password by Using Fusion Middleware

Control

To change the password for the superuser by using Oracle Enterprise Manager Fusion

Middleware Control:

1. Select Administration, then Shared Properties from the Oracle Internet Directory

menu.

2. Click the Change Superuser Password tab.

3. Specify the old password.

4. Specify the new password.

5. Confirm the new password.

6. Click Apply.

The configuration attribute orclsupassword is an attribute of the DSE root.

12.6 Creating Another Account With Superuser Privileges

The Superuser, cn=orcladmin, gets its privileges from membership in several

privileged groups. You can query for those groups by using the following ldapsearch

command:

ldapsearch -h host -p port -D "cn=orcladmin" -q -b "" -L \

-s sub "(|(uniquemember=cn=orcladmin)(member=cn=orcladmin)" dn

To create a second account with Superuser privilege, create another user entry that

belongs to the same groups. Also add the user as member of the group

cn=directoryadmingroup,cn=oracle internet directory.

After you have created additional users with Superuser privileges, you no longer need

to use cn=orcladmin to administer Oracle Internet Directory. The privileged

Table 12–1 Configuration Attributes on Shared Properties, Change Superuser Password

Tab.

Field or Heading Configuration Attribute

Superuser Password orclsupassword

Managing the Superuser Password by Using ldapmodify

12-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

accounts should be sufficient. The attribute orclsuname, however, must have the

value cn=orcladmin.

12.7 Managing the Superuser Password by Using ldapmodify

You should never change the Superuser's name. The value of orclsuname must

remain cn=orcladmin

To set or modify the password for the superuser, use ldapmodify to modify the

attribute orclsuname or orclsupassword, respectively, in the DSE root. Changing

the user name of the superuser can have serious repercussions and is not

recommended.

To change the password of the superuser to superuserpassword, use an LDIF file

such as the following:

dn:

changetype:modify

replace:orclsupassword

orclsupassword:superuserpassword

12.8 Changing the Oracle Internet Directory Database Password

The Oracle Internet Directory uses a password when connecting to its own designated

Oracle database. The default for this password when you install Oracle Internet

Directory is the same as that for the Oracle Fusion Middleware administrator. You can

change this password by using oidpasswd.

The following example shows how to change the Oracle Internet Directory database

password, assuming the database in on the same machine.

oidpasswd connect=dbs1 change_oiddb_pwd=true

current password: oldpassword

new password: newpassword

confirm password: newpassword

password set.

See Also: Chapter 13, "Managing Directory Entries" to learn how to

create a user entry and Chapter 14, "Managing Dynamic and Static

Groups" to learn how to add a user to a group.

Note: To maintain system security, keep the number of privileged

users to a minimum and ensure that all privileged accounts are

audited. See Chapter 22, "Managing Auditing."

See Also: The ldapmodify command-line tool reference in

Oracle Fusion Middleware Reference for Oracle Identity Management for

ldapmodify syntax and usage notes.

See Also: The oidpasswd command-line tool reference in Oracle

Fusion Middleware Reference for Oracle Identity Management

Changing the Password for the EMD Administrator Account

Managing Accounts and Passwords 12-7

12.9 Resetting the Superuser Password

If you forget the Oracle Internet Directory superuser (cn=orcladmin) password, you

can use the oidpasswd tool to reset it. You must provide the Oracle Internet Directory

database password. When you first install Oracle Internet Directory, the superuser

password and Oracle Internet Directory database password are the same. After

installation, however, you can change the Oracle Internet Directory superuser

password using ldapmodify. If you forget the Oracle Internet Directory superuser

password, you can reset it using the oidpasswd tool separately.

The following example shows how to reset the Oracle Internet Directory superuser

password. The oidpasswd tool prompts you for the Oracle Internet Directory

database password.

Example:

oidpasswd connect=dbs1 reset_su_password=true

OID DB user password: oid_db_password

password: new_su_password

confirm password: new_su_password

OID superuser password reset successfully

12.10 Changing the Password for the EMD Administrator Account

The EMD administrator account, "cn=emd admin,cn=oracle internet

directory", has very limited privilege and is used primarily by for starting and

stopping Oracle Internet Directory server manageability information collection.

To change the password for the EMD administrator, you must change it in Oracle

Internet Directory, then change it on both the WebLogic domain server and on each

Oracle instance in the domain. Use the following procedure:

1. Change the userpassword of the account "cn=emd admin,cn=oracle internet

directory" in Oracle Internet Directory by using ldapmodify.

2. Invoke wlst and connect to the WebLogic server.

java weblogic.WLST

connect('weblogic', 'weblogic_user_password', 'protocol:host:port')

3. Run the following WLST command:

upupdateCred(map='emd',keu='EMD_instance_name',

password='newpassword',user='EMD')

4. On each Oracle instance in the WebLogic domain, execute the following command

line:

Note: The account described here is different from the ODSSM

account used for accessing server manageability information.

Section 24.1.4, "Account Used for Accessing Server Manageability

Information" describes that account. For information about changing

that account, see Section 12.11, "Changing the Password for the

ODSSM Administrator Account."

See Also: Chapter 24, "Monitoring Oracle Internet Directory" for

information about Oracle Internet Directory server manageability

information collection.

Changing the Password for the ODSSM Administrator Account

12-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

ORACLE_HOME/ldap/bin/oidcred emd update [instanceName]

5. Update the component registration of the Oracle instance, as described in

Section 8.3.4, "Updating the Component Registration of an Oracle Instance by

Using opmnctl."

12.11 Changing the Password for the ODSSM Administrator Account

Oracle Internet Directory connects to its Oracle Database, using the password

specified for the ODS schema during schema creation. It also connects to retrieve its

metrics using the ODSSM schema password, given during schema creation as well.The

Oracle Enterprise Manager Fusion Middleware Control default password, at the end

of install, is the same as the ODSSM password.

To change the password for the ODSSM administrator, you must change it in the

Oracle Database and then change it on both the WebLogic domain server and on each

Oracle instance in the domain. Use the following procedure:

1. Use SQLPlus or a similar tool to alter the password in the database.

2. Go to ORACLE_HOME/common/bin and run the following command:

sh wlst.sh

3. Connect to the WebLogic Administration Server:

connect('weblogic_username','pwd', 't3://host:port')

4. Run the updateCred() command:

updateCred(map='odssm', key='ODSSM_instance_name', password='newpassword',

user='ODSSM')

where instance_name is the instance name provided during installation, for

example, asinst_1.

5. On each Oracle instance in the WebLogic domain, execute the following command

line:

ORACLE_HOME/ldap/bin/oidcred odssm update [instance_name]

6. Update the component registration of the Oracle instance, as described in

Section 8.3.4, "Updating the Component Registration of an Oracle Instance by

Using opmnctl."

If Oracle Directory Integration Platform is also configured in the instance, then you

must update this new ODSSM password in one additional place. Proceed as follows:

1. Log in to the WebLogic Administration console at:

http://host:port/console

2. Select Data Sources -> schedulerDS -> Connection Pool.

3. Click Lock & Edit in the top left corner of the screen.

4. Enter the new password in the Password and Confirm Password fields.

Click Save.

5. Click Activate Changes.

Managing Directory Entries 13-1

13Managing Directory Entries

This chapter contains these topics:

■Section 13.1, "Introduction to Managing Directory Entries"

■Section 13.2, "Managing Entries by Using Oracle Directory Services Manager"

■Section 13.3, "Managing Entries by Using LDAP Command-Line Tools"

13.1 Introduction to Managing Directory Entries

The primary function of most directories is to store information about users and return

that information in response to requests. Applications that request information from

the directory server are called clients of the server.

As administrator, you manage users, groups, and other types of entries by using

Oracle Directory Services manager or the command-line tools.

13.2 Managing Entries by Using Oracle Directory Services Manager

You display entries, including users and groups, by using the Data Browser in Oracle

Directory Services Manager.

The current chapter focuses on users and other types of entries. Chapter 14, "Managing

Dynamic and Static Groups" discusses groups and group entries in more detail.

This section contains these topics:

■Section 13.2.1, "Displaying Entries by Using Oracle Directory Services Manager"

■Section 13.2.2, "Searching for Entries by Using Oracle Directory Services Manager"

■Section 13.2.3, "Importing Entries from an LDIF File by Using Oracle Directory

Services Manager"

■Section 13.2.4, "Exporting Entries to an LDIF File by Using Oracle Directory

Services Manager"

■Section 13.2.5, "Viewing Attributes for a Specific Entry by Using Oracle Directory

Services Manager"

■Section 13.2.7, "Deleting an Entry or Subtree by Using Oracle Directory Services

Manager"

Section 13.2.6, "Adding a New Entry by Using Oracle Directory Services Manager"

See Also: Chapter 3, "Understanding Oracle Internet Directory

Concepts and Architecture," for introductory information about

entries, object classes, and attributes.

Managing Entries by Using Oracle Directory Services Manager

13-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■Section 13.2.8, "Adding an Entry by Copying an Existing Entry in Oracle Directory

Services Manager"

■Section 13.2.9, "Modifying an Entry by Using Oracle Directory Services Manager"

13.2.1 Displaying Entries by Using Oracle Directory Services Manager

To display entries by using the Data Browser in Oracle Directory Services Manager

proceed as follows:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

2. From the task selection bar, select Data Browser.

3. If desired, expand items in the data tree in the left panel to view the entries in each

subtree.

Entries of some object class types have generic icons in the data tree. Others are

shown with a specific icon. For example:

When an access control list (ACL) has been set on an entry, the icon changes; a

small key appears to the right of the icon. For example:

See Also:

■Section 29.2.4, "Adding or Modifying an ACP by Using the Data

Browser in ODSM"

■Section 29.2.5, "Setting or Modifying Entry-Level Access by Using

the Data Browser in ODSM"

for information on setting or modifying access control on an entry.

Object Class Icon

User

Group

OrganizationalUnit

Organization

Domain

Country

Generic

Object Class Icon with ACL

User

Group

See Also: Chapter 29, "Managing Directory Access Control."

Managing Entries by Using Oracle Directory Services Manager

Managing Directory Entries 13-3

4. If desired, mouse over each icon in the tool bar to read the icon's action.

5. Select the Refresh the entry icon to refresh only the entry in the right pane. Select

the Refresh subtree entries icon to refresh child entries of the selected entry.

6. To limit the number of entries displayed in a subtree, select the entry at the root of

the subtree, then click the Filter child entries icon and specify a filter, as follows:

a. In the Max Results field, specify a number from 1 to 1000, indicating the

maximum number of entries to return.

b. From the list at the left end of the search criteria bar, select an attribute of the

entries you want to view.

c. From the list in the middle of the search criteria bar, select a filter.

d. In the text box at the right end of the search criteria bar, type the value for the

attribute you just selected. For example, if the attribute you selected was cn,

you could type the particular common name you want to find.

e. Click + to add this search criterion to the LDAP Query field.

f. To view the LDAP filter you have selected, select Show LDAP filter.

g. To further refine your search, use the list of conjunctions (AND, OR, NOT

AND, and NOT OR) and the lists and text fields on the search criteria bar to

add additional search criteria. Click + to add a search criterion to the LDAP

Query field.Click X to delete a search criterion from the LDAP Query field.

7. When you have finished configuring the search criteria, click OK. The child entries

that match the filter are shown under the selected entry. The filter is applied for

first level children only, not for the entire subtree. Click the Refresh icon to

remove the filter.

13.2.2 Searching for Entries by Using Oracle Directory Services Manager

To search for a directory entry:

1. Invoke Oracle Directory Services Manager as described in Section 7.4.5, "Invoking

Oracle Directory Services Manager."

2. From the task selection bar, choose Data Browser.

3. To perform a simple keyword search, enter text in the field next to the Search icon

to specify keywords to search for in the attributes cn, uid, sn, givenname, mail

and initials.

4. Click the Simple Search arrow to the right of the text field or press the Enter key.

Search results, if any, are displayed below the data tree. Click the information icon

to view information about this search. Click the Refresh the search results entries

icon to refresh the results. Click the Close search result icon to dismiss the search.

5. To perform a more complex search, click Advanced. The Search Dialog appears.

6. In the Root of the Search field, enter the DN of the root of your search.

For example, suppose you want to search for an employee who works in the

Manufacturing division in the IMC organization in the Americas. The DN of the

root of your search would be:

ou=Manufacturing,ou=Americas,o=IMC,c=US

You would therefore type that DN in the Root of the Search text box.

You can also select the root of your search by browsing the data tree. To do this:

Managing Entries by Using Oracle Directory Services Manager

13-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

a. Click Browse to the right of the Root of the Search field. The Select

Distinguished Name (DN) Path: Tree View dialog box appears.

b. Expand an item in the tree view to display its entries.

c. Continue navigating to the entry that represents the level you want for the

root of your search.

d. Select that entry, then click OK. The DN for the root of your search appears in

the Root of the Search text box in the right pane.

7. In the Max Results (entries) box, type the maximum number of entries you want

your search to retrieve. The default is 200. The directory server retrieves the value

you set, up to 1000.

8. In the Max Search Time (seconds) box, type the maximum number of seconds for

the duration of your search. The value you enter here must be at least that of the

default, namely, 25. The directory server searches for the amount of time you

specify, up to one hour.

9. In the Search Depth list, select the level in the DIT to which you want to search.

The options are:

■Base: Retrieves a particular directory entry. Along with this search depth, you

use the search criteria bar to select the attribute objectClass and the filter

Present.

■One Level: Limits your search to all entries beginning one level down from

the root of your search.

■Subtree: Searches entries within the entire subtree, including the root of your

search. This is the default.

10. Set search criteria.

Optionally, select Show LDAP filter, then type a query string directly into the

LDAP Query text field.

Alternatively, use the lists and text fields on the search criteria bar to focus your

search.

a. From the list at the left end of the search criteria bar, select an attribute of the

entry for which you want to search. Because not all attributes are used in

every entry, be sure that the attribute you specify actually corresponds to one

in the entry for which you are looking. Otherwise, the search fails.

b. From the list in the middle of the search criteria bar, select a filter.

c. In the text box at the right end of the search criteria bar, type the value for the

attribute you just selected. For example, if the attribute you selected was cn,

you could type the particular common name you want to find.

d. Click + to add this search criterion to the LDAP Query field.

e. To view the LDAP filter you have selected, select Show LDAP filter.

f. To further refine your search, use the list of conjunctions (AND, OR, NOT

AND, and NOT OR) and the lists and text fields on the search criteria bar to

to add additional search criteria. Click + to add a search criterion to the LDAP

Query field. Click X to delete a search criterion from the LDAP Query field.

11. Click Search. Search results, if any, are displayed below the data tree. If an LDAP

error icon appears, mouse over it to see the error. Search again with different

criteria, if necessary, to correct the error. Click the Search Filter icon to see

Managing Entries by Using Oracle Directory Services Manager

Managing Directory Entries 13-5

information about the search. Chick the Refresh the search result entries icon to

refresh the results. You can delete the search results by clicking the Close search

result icon.

13.2.3 Importing Entries from an LDIF File by Using Oracle Directory Services Manager

You can import entries from an LDIF file, as follows:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

2. Click the Data Browser tab.

3. Click the Import LDIF icon. The Import File dialog appears.

4. Enter the path to the LDIF file you want to import, or click Browse and navigate to

the file, then click Open in the browser window.

5. Click OK in the Import File dialog. The LDIF Import Progress window shows the

progress of the operation. Expand View Import Progress Table to see detailed

progress.

Click Cancel to stop importing entries. Entries already imported are not aborted.

The Data Browser tree refreshes to show the new entries.

13.2.4 Exporting Entries to an LDIF File by Using Oracle Directory Services Manager

You can export entries to an LDIF file, as follows:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

2. Click the Data Browser tab.

3. Navigate to the top level DN of the subtree you want to export.

4. Click the Export LDIF icon. The Export File dialog appears. Select Export

Operational Attributes if you want to export them.

5. Click OK. The Download LDIF File dialog appears. By default, the entries are

exported to a temporary file on the machine where Oracle Directory Services

Manager is deployed. If you want to save a copy of the LDIF file to your

computer, click Click here to open the LDIF file and save the file.

Click OK.

13.2.5 Viewing Attributes for a Specific Entry by Using Oracle Directory Services

Manager

You can view the attributes for a specific entry as follows:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

See Also: Section 8.3.6, "Viewing Active Server Instance Information

by Using opmnctl" on page 8-9For instructions on setting the number

of entries to display in searches, and to set the time limit for searches

Managing Entries by Using Oracle Directory Services Manager

13-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

2. Locate the entry by navigating to it in the data tree or by searching for it, as

described in Section 13.2.2, "Searching for Entries by Using Oracle Directory

Services Manager."

3. Click the entry. Attributes for that entry are displayed in the right pane. The

display for the entry has at least the three tabs: Attributes, Subtree Access, and

Local Access. If the entry is a person, the display in the right pane also has an

Person tab, which displays basic user information. If the entry is a group, the

display screen has a Group tab, which displays basic group information.

4. To view the attributes of an entry, click the Attributes tab.

5. You can switch between Managed Attributes and Show All by using the Views

list.

6. To change the list of attributes shown as managed attributes, click the icon under

Optional Attributes. Select attributes you want to move from the All Attributes

list to the Shown Attributes lists and use the Move and Move All arrows to move

the attributes. Select attributes you want to move from the shown Attributes list to

the All Attributes lists and use the Remove and Remove All arrows to move the

attributes. Click Add Attributes to make your changes take effect or click Cancel

to discard your changes. After you click Add Attributes, only the attributes that

were on the Shown Attributes list are shown in the Managed Attributes view.

7. For information on using the Subtree Access and Local Access tabs to view access

control settings, see Section 29.2.4, "Adding or Modifying an ACP by Using the

Data Browser in ODSM."

13.2.6 Adding a New Entry by Using Oracle Directory Services Manager

To add or delete entries with Oracle Directory Services Manager, you must have write

access to the parent entry and you must know the DN to use for the new entry.

To add a group entry, follow the procedure described in Section 14.2, "Managing

Group Entries by Using Oracle Directory Services Manager." For other entry types,

proceed as follows:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

2. From the task selection bar, select Data Browser.

3. On the toolbar, select the Create a new entry icon. Alternatively, right click any

entry and choose Create.

The Create New Entry wizard appears.

4. Specify the object classes for the new entry. Click the Add icon and use the Add

Object Class dialog to select object class entries. Optionally, use the search box to

filter the list of object classes. To add the object class, select it and then click OK.

(All the superclasses from this object class through top are also added.)

Note: When you add or modify an entry, the Oracle directory server

does not verify the syntax of the attribute values in the entry.

Managing Entries by Using Oracle Directory Services Manager

Managing Directory Entries 13-7

5. In the Parent of the entry field, you can specify the full DN of the parent entry of

the entry you are creating. You can also click Browse to locate and select the DN of

the parent for the entry you want to add. If you leave the Parent of the entry field

blank, the entry is created under the root entry.

6. Click Next.

7. Choose an attribute which will be the Relative Distinguished Name value for this

entry and enter a value for that attribute. You must enter values for attributes that

are required for the object class you are using, even if none of them is the RDN

value. For example, for object class inetorgperson, attributes cn (common

name) and sn (surname or last name) are required, even if neither of them is the

Relative Distinguished Name value.

8. Click Next. The next page of the wizard appears. (Alternatively, you can click

Back to return to the previous page.)

9. Click Finish.

10. To manage optional attributes, navigate to the entry you have just created in the

Data Tree

11. If the entry is a person, click the Person tab and use it to manage basic user

attributes. Click Apply to save your changes or Revert to discard them.

If the entry is a group, see Section 14.2, "Managing Group Entries by Using Oracle

Directory Services Manager."

12. If this is a person entry, you can upload a photograph. Click Browse, navigate to

the photograph, then click Open. To update the photograph, click Update and

follow the same procedure. Click the Delete icon to delete the photograph.

13. To manage object classes, as well as attributes that are not specific to a person or

group entry, click the Attributes tab.

14. To add an object class:

a. Click the Attributes tab.

b. Click the Add icon next to objectclass and use the Add Object Class dialog

to select object class entries. Optionally, use the search box to filter the list of

object classes. To add the object class, click it and then click OK.

15. To delete an object class,

a. Click the Attributes tab.

b. Select the object class you want to delete.

c. Click the Delete icon next to objectclass. The Delete Object Class dialog

lists the attributes that will be deleted with that class.

d. Click Delete to proceed.

16. By default, only non-empty attributes are shown. You can switch between

Managed Attributes and Show All by using the Views list.

17. To change the list of attributes shown as managed attributes, click the icon under

Optional Attributes. Select attributes you want to move from the All Attributes

Note: You must assign user entries to the inetOrgPerson object

class in order for the entries to appear in the Oracle Internet Directory

Self-Service Console in Oracle Delegated Administration Services.

Managing Entries by Using Oracle Directory Services Manager

13-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

list to the Shown Attributes lists and use the Move and Move All arrows to move

the attributes. Select attributes you want to move from the shown Attributes list to

the All Attributes lists and use the Remove and Remove All arrows to move the

attributes. Click Add Attributes to make your changes take effect or click Cancel

to discard your changes. After you click Add Attributes, only the attributes that

were on the Shown Attributes list are shown in the Managed Attributes view.

18. Specify values for the optional properties. You can also modify the values of the

mandatory properties. For multivalued attributes, you can use the Add and

Delete icons to add and delete multiple values.

19. Click Apply to save your changes or Revert to discard them.

20. For information on using the Subtree Access and Local Access tabs to set access

control, see Section 29.2.4, "Adding or Modifying an ACP by Using the Data

Browser in ODSM."

13.2.7 Deleting an Entry or Subtree by Using Oracle Directory Services Manager

You can delete an entry, including an entire subtree, as follows:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

2. From the task selection bar, select Data Browser.

3. Navigate to the entry you want to delete.

4. To delete only the entry, click the Delete icon. When the Delete dialog appears,

click Yes. If the entry has no subentries, deletion succeeds. If the entry has

subentries, the deletion fails and ODSM displays an error message. Click OK to

dismiss the error message.

To delete an entire subtree, click the icon labelled Delete the selected entry and its

subtree. When the Delete Subtree dialog appears, read the contents of the dialog.

Click Yes to proceed with the deletion or No to abort.

13.2.8 Adding an Entry by Copying an Existing Entry in Oracle Directory Services

Manager

You can use Oracle Directory Services Manager to create a new entry by copying from

an existing entry and changing its DN. When you do this, you should also change the

attributes, such as name and address, so that they correspond with the new DN. To

add an entry, you must have write access to its parent.

To add a group entry, follow the procedure described in Section 14.2, "Managing

Group Entries by Using Oracle Directory Services Manager." For other entry types,

proceed as follows:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

2. From the task selection bar, select Data Browser.

Tip: You can find a template for the new DN by looking up other

similar entries in the search pane.

Managing Entries by Using Oracle Directory Services Manager

Managing Directory Entries 13-9

3. In the data tree, navigate to the entry you want to use as a template. Alternatively,

click Advanced Search, and use it to search for an entry that you want to use as a

template.

4. In the left panel, click the Create a new entry like this one icon. Alternatively,

click the entry you want to use as a template, right click, and choose Create Like.

A New Entry: Create Like wizard appears. The object classes and the DN of the

parent entry are already filled in.

5. To add an object class:

a. Click the Attributes tab.

b. Click the Add icon next to objectclass and use the Add Object Class dialog

to select object class entries. Optionally, use the search box to filter the list of

object classes. To add the object class, click it and then click OK.

6. To delete an object class,

a. Click the Attributes tab.

b. Select the object class you want to delete.

c. Click the Delete icon next to objectclass. The Delete Object Class dialog

lists the attributes that will be deleted with that class.

d. Click Delete to proceed.

7. Specify the DN of the parent entry, either by changing the content in the text box

or by using the Browse button to locate a different DN.

8. Click Next. The next page of the wizard appears.

9. Choose an attribute which will be the Relative Distinguished Name value for this

entry and enter a value for that attribute. You must enter values for attributes that

are required for the object class you are using, even if none of them is the RDN

value. For example, for object class inetorgperson, attributes cn (common

name) and sn (surname or last name) are required, even if neither of them is the

Relative Distinguished Name value.

10. Click Next.

11. Click Finish.

12. To manage optional attributes, navigate to the entry you have just created in the

Data Tree, then proceed to Step 11 in Section 13.2.6, "Adding a New Entry by

Using Oracle Directory Services Manager."

13.2.9 Modifying an Entry by Using Oracle Directory Services Manager

You can add auxiliary object classes to an existing entry.

To modify a group entry, follow the procedure described in Section 14.2, "Managing

Group Entries by Using Oracle Directory Services Manager." For other entry types,

proceed as follows:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

Note: When you add or modify an entry, the Oracle directory server

does not verify the syntax of the attribute values in the entry.

Managing Entries by Using Oracle Directory Services Manager

13-10 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

2. From the task selection bar, select Data Browser.

3. Navigate to an entry in the data tree. Alternatively, perform a search for the entry

you want to modify as described inSection 13.2.2, "Searching for Entries by Using

Oracle Directory Services Manager." In the search result in the left pane, select the

entry you want to modify.

4. To edit the RDN, select the Edit RDN icon above the Data Tree. Alternatively, you

can select the entry in the Data Tree, right click, and select Edit RDN.

Specify the new RDN value. For a multivalued RDN you can use the Delete Old

RDN checkbox to specify whether the old RDN should be deleted. Select OK to

save the change or Cancel to abandon the change.

5. To add an object class:

a. Click the Attributes tab.

b. Click the Add icon next to objectclass and use the Add Object Class dialog

to select object class entries. Optionally, use the search box to filter the list of

object classes. To add the object class, click it and then click OK.

6. To delete an object class,

a. Click the Attributes tab.

b. Select the object class you want to delete.

c. Click the Delete icon next to objectclass. The Delete Object Class dialog

lists the attributes that will be deleted with that class.

d. Click Delete to proceed or Cancel to cancel the deletion.

7. If the entry is a person, click the Person tab and use it to manage basic user

attributes. Click Apply to save your changes or Revert to discard them.

If the entry is a group, see Section 14.2, "Managing Group Entries by Using Oracle

Directory Services Manager."

8. If this is a person entry, you can upload a photograph. Click Browse, navigate to

the photograph, then click Open. To update the photograph, click Update and

follow the same procedure. Click the Delete icon to delete the photograph.

9. To modify the values of attributes that are not specific to a person or group, click

the Attributes tab in the right pane and make the desired changes.

By default, only non-empty attributes are shown. You can switch between

Managed Attributes and Show All by using the Views list.

10. To change the list of attributes shown as managed attributes, click the icon under

Optional Attributes. Select attributes you want to move from the All Attributes

list to the Shown Attributes lists and use the Move and Move All arrows to move

the attributes. Select attributes you want to move from the shown Attributes list to

the All Attributes lists and use the Remove and Remove All arrows to move the

attributes. Click Add Attributes to make your changes take effect or click Cancel

to discard your changes. After you click Add Attributes, only the attributes that

were on the Shown Attributes list are shown in the Managed Attributes view.

11. Specify values for the optional properties. You can also modify the values of the

mandatory properties. For multivalued attributes, you can use the Add and

Delete icons to add and delete multiple values.

12. When you have completed all your changes, click Apply to make them take effect.

Alternatively, click Revert to abandon your changes.

Managing Entries by Using LDAP Command-Line Tools

Managing Directory Entries 13-11

13. You can set an access control point (ACP) on this entry by using the Subtree

Access and Local Access tabs. The procedures are described in Section 29.2.4,

"Adding or Modifying an ACP by Using the Data Browser in ODSM" and

Section 29.2.5, "Setting or Modifying Entry-Level Access by Using the Data

Browser in ODSM."

13.3 Managing Entries by Using LDAP Command-Line Tools

This section contains the following topics:

■Section 13.3.1, "Listing All the Attributes in the Directory by Using ldapsearch"

■Section 13.3.2, "Listing Operational Attributes by Using ldapsearch"

■Section 13.3.3, "Attribute Case in ldapsearch Output"

■Section 13.3.4, "Adding a User Entry by Using ldapadd"

■Section 13.3.5, "Modifying a User Entry by Using ldapmodify"

■Section 13.3.6, "Adding an Attribute Option by Using ldapmodify"

■Section 13.3.7, "Deleting an Attribute Option by Using ldapmodify"

■Section 13.3.8, "Searching for Entries with Attribute Options by Using ldapsearch"

13.3.1 Listing All the Attributes in the Directory by Using ldapsearch

Use the following command line to list of all the attributes, including those that do not

have values:

ldapsearch -p port -h host -D "cn=orcladmin" -q -b "cn=subschemasubentry" \

-s base "objectclass=*"

13.3.2 Listing Operational Attributes by Using ldapsearch

By default, ldapsearch does not return operational attributes. If you add the

character "+" to the list of attributes in the search request, however, ldapsearch

returns all operational attributes.

Searching for an entry with "+" returns only operational attributes. For example:

$ ldapsearch -h adc2190517 -p 3060 -D cn=orcladmin -w welcome -b "c=uk" -L -s base

"(objectclass=*)" +

dn: c=UK

orclguid: 8EB5730F5852DECBE040E80A7452694E

creatorsname: cn=orcladmin

createtimestamp: 20100826065339z

modifytimestamp: 20100826065339z

modifiersname: cn=orcladmin

orclnormdn: c=uk

By comparison, a search with "*" but not "+" returns all user attributes:

$ ldapsearch -h adc2190517 -p 3060 -D cn=orcladmin -w welcome -b "c=uk" -L -s base

"(objectclass=*)"

dn: c=UK

c: uk

objectclass: top

objectclass: country

Managing Entries by Using LDAP Command-Line Tools

13-12 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

13.3.3 Attribute Case in ldapsearch Output

In the output from the ldapsearch command, the attribute names are shown in

lower case if the attribute orclReqattrCasein the instance-specific configuration

entry is 0. If orclReqattrCase is set to 1, the attribute names in the output are

shown in the same case in which they were entered on the command line.

Example:

ldapsearch -h localhost -p 389 -b "dc=oracle,dc=com" -s base -L "objectclass=*" DC

If orclReqattrCase is 0 the output looks like this:

dn: dc=oracle,dc=comdc: oracle

If orclReqattrCase is 1, the output looks like this:

dn: dc=oracle,dc=comDC: oracle

If an attribute is specified more than once on the same command line, the attribute

names in the output will match the case of the first attribute specification.

13.3.4 Adding a User Entry by Using ldapadd

The following example shows how to add an entry for an employee named John.

Use ldapadd as follows:

ldapadd -p port_number -h host -D cn=orcladmin -q -f entry.ldif

where entry.ldif looks like this:

dn: cn=john, c=us

objectclass: top

objectclass: person

objectclass: organizationalPerson

objectclass: inetOrgPerson

cn: john

cn;lang-fr:Jean

cn;lang-en-us:John

sn: Doe

jpegPhoto: /photo/john.jpg

userpassword: password

This file contains the cn, sn, jpegPhoto, and userpassword attributes.

For the cn attribute, it specifies two options: cn;lang-fr, and cn;lang-en-us.

These options return the common name in either French or American English.

For the jpegPhoto attribute, it specifies the path and file name of the corresponding

JPEG image you want to include as an entry attribute.

Notes:

■When you add or modify an entry, the Oracle directory server

does not verify the syntax of the attribute values in the entry.

■Do not insert a tilde (~) in a user name.

Managing Entries by Using LDAP Command-Line Tools

Managing Directory Entries 13-13

13.3.5 Modifying a User Entry by Using ldapmodify

The following example changes the password for a user to a new value. As in the

previous example, the data for this user entry is in the entry.ldif file. This file

contains the following:

dn: cn=audrey,c=us

changetype: modify

replace: userpassword

userpassword: password

Substitute the new password for password in the file.

Issue this command to modify the file:

ldapmodify -p 3060 -D "cn=orcladmin" -q -v -f entry.ldif

where -v specifies verbose mode.

13.3.6 Adding an Attribute Option by Using ldapmodify

The following entry adds the Spanish equivalent of an entry for John. The data for this

user entry is in the entry.ldif file. This file contains the following:

dn: cn=john,c=us

changetype: modify

add: cn;lang-sp

cn;lang-sp: Juan

Issue this command to modify the file:

ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f entry.ldif

13.3.7 Deleting an Attribute Option by Using ldapmodify

The following example deletes the cn;lang-fr attribute option from the entry for

John. As in the previous example, assume that the data for this user entry is in the

entry.ldif file. This file contains the following:

dn: cn=john, c=us

changetype: modify

delete: cn;lang-fr

cn;lang-fr: Jean

Issue this command to modify the file:

ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f entry.ldif

13.3.8 Searching for Entries with Attribute Options by Using ldapsearch

The following example retrieves entries with common name (cn) attributes that have

an option specifying a language code attribute option. This particular example

retrieves entries in which the common names are in French and begin with the letter R.

ldapsearch -D "cn=orcladmin" -q -p 3060 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"

Suppose that, in the entry for John, no value is set for the cn;lang-it language code

attribute option. In this case, the following example fails:

Note: When you add or modify an entry, the Oracle directory server

does not verify the syntax of the attribute values in the entry.

Managing Entries by Using LDAP Command-Line Tools

13-14 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

ldapsearch -D "cn=orcladmin" -q -p 3060 -h myhost -b "c=us" \

-s sub "cn;lang-it=Giovanni"

You can use the -X or -B options to ldapsearch to print binary values.

See Also: Section 3.4.6, "Attribute Options."

See Also: The ldapsearch command reference in Oracle Fusion

Middleware Reference for Oracle Identity Management.

Managing Dynamic and Static Groups 14-1

14Managing Dynamic and Static Groups

This chapter explains how to administer both static and dynamic groups in Oracle

Internet Directory. This chapter contains these topics:

■Section 14.1, "Introduction to Managing Dynamic and Static Groups"

■Section 14.2, "Managing Group Entries by Using Oracle Directory Services

Manager"

■Section 14.3, "Managing Group Entries by Using the Command Line"

14.1 Introduction to Managing Dynamic and Static Groups

Oracle Internet Directory enables you to assign and manage membership in two types

of groups—namely, static groups and dynamic groups. Each type of group suited for a

different purpose.

This section contains these topics:

■Section 14.1.1, "Static Groups"

■Section 14.1.2, "Dynamic Groups"

■Section 14.1.3, "Hierarchies"

■Section 14.1.4, "Querying Group Entries"

■Section 14.1.5, "orclMemberOf Attribute"

■Section 14.1.6, "When to Use Each Kind of Group"

Note: If you are creating a hierarchy of groups, be sure that it is a

true hierarchy as described in Section 14.1.3, "Hierarchies."

See Also:

■Section 29.1.1.4, "Security Groups" for instructions on setting

access control policies for group entries

■Section 3.8, "Globalization Support" on page 3-15 and

Chapter 29, "Managing Directory Access Control" for

information about access privileges.

Introduction to Managing Dynamic and Static Groups

14-2 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

14.1.1 Static Groups

A static group is one whose entry contains a list of members that you explicitly

administer.

A static group requires you to explicitly administer its membership. For example, if a

member changes his name, then you must change that user's DN for each group he

belongs to. For this reason, a static group is best suited for a group whose membership

is unlikely to change frequently.

14.1.1.1 Schema Elements for Creating Static Groups

When you create the entry for this kind of group, you associate it with either the

groupOfNames or groupOfUniqueNames object class.

Each of these object classes has a multivalued attribute for storing the names of group

members. To assign a user as a member of a group, you add the DN of each member

to the respective multivalued attribute. Conversely, to remove a member from a

group, you delete the member's DN from the respective attribute. In the

groupOfNames object class, this multivalued attribute is member, and, in the

groupOfUniqueNames object class, it is uniqueMember.

14.1.2 Dynamic Groups

A dynamic group is one whose membership, rather than being maintained in a list, is

computed, based on rules and assertions you specify. Oracle Internet Directory

supports the following methods for dynamically computing the membership of the

group:

■Using orclDynamicGroup object class and labeleduri attribute

■Using orclDynamicGroup object class and CONNECT_BY attributes

■Using orclDynamicList object class and labeleduri attribute (referred as

dynamic list)

Dynamic groups can have static and dynamic members. The static members are listed

as values of the member or uniquemember attribute.

14.1.2.1 Cached and Uncached Dynamic Groups

Dynamic groups can be cached or uncached. By cached, we mean that dynamic group

members are computed and stored when the dynamic group is added, and that the

member list is kept consistent when the dynamic group is later modified. As entries

are added, modified, deleted, and renamed, the member lists of all dynamic groups

are kept consistent. For example, if there is a dynamic group containing all person

entries under "c=us", when we add "cn=user1,c=us", that entry is automatically

added to the member list of the dynamic group. Similarly, when we delete

"cn=user1,c=us", the entry is removed from the dynamic group's member list. This

feature ensures that whenever a search is performed for a dynamic group, the member

list can be fetched from the stored data without any additional computation. The

search performance for cached dynamic groups is almost the same as for static groups.

Cached Dynamic Group

Starting with Oracle Internet Directory 10g (10.1.4.0.1), dynamic groups based on

orclDynamicGroup object class using labeleduri attribute are cached

Introduction to Managing Dynamic and Static Groups

Managing Dynamic and Static Groups 14-3

Uncached Dynamic Group

■Dynamic groups based on orclDynamicGroup object class using CONNECT_BY

attributes are not cached.

■As of Oracle Internet Directory 11g Release 1 (11.1.1.4), a second type of dynamic

group based on labeleduri attribute is available. It is referred to as a dynamic

list, and its members are not cached. You determine whether a dynamic group

based on the labeleduri attribute is cached or uncached by selecting the type of

auxiliary object class your group is associated with, as described in

Section 14.1.2.3, "Schema Elements for Creating a Dynamic Group." If you want a

cached group, associate your group with the auxiliary object class

orclDynamicGroup. If you want an uncached group, associate your group with

the auxiliary object class or orclDynamicList object class.

14.1.2.2 Enhancements to and Limitations of Dynamic Groups in Oracle Internet

Directory

In Oracle Internet Directory 10g (10.1.4.1) and later releases, you can use dynamic

groups in the same ways you use static groups. For example, you can use them in:

Notes:

■You cannot add a dynamic group based on the labeledURI

attribute with scope base. Only scope sub and one are

supported.

■To refresh dynamic group memberships for dynamic groups

using the orclDynamicGroup object class and labeleduri

attribute, set the attribute orclrefreshdgrmems in the DSA

Configuration entry to 1. Oracle Internet Directory recomputes

the member lists for all dynamic groups and resets the value of

orclrefreshdgrmems to 0. If there are many groups, this

operation can take a long time to complete.

■When you query for the groups that a user belongs to, dynamic

groups based on the labeledURI attribute are automatically

included in the result. Dynamic groups based on the CONNECT_

BY assertion and dynamic lists must be explicitly queried. For

example, assume nc=jdoe,cn=users,o=oracle is a member

of three groups: labeleduri dynamic group dgrouplab1,

CONNECT BY dynamic group dgroupcby1, and dynamic list

dlist1. The search

uniquemember=cn=jdoe,cn=users,o=oracle finds only the

cached labeleduri dynamic group dgrouplab1.

See Also:

■"About LDAP Controls" in Oracle Fusion Middleware Reference for

Oracle Identity Management for more information on controls used

by Oracle Internet Directory

■The C API chapter in Oracle Fusion Middleware Application

Developer's Guide for Oracle Identity Management

■Performing Hierarchical Searches in Oracle Fusion Middleware

Application Developer's Guide for Oracle Identity Management

Introduction to Managing Dynamic and Static Groups

14-4 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

■Access control lists, by associating the group with either the orclACPgroup or

the orclPrivilegeGroup object class.

■Hierarchical group resolution queries

Dynamic groups have the following limitations in Oracle Internet Directory:

■Hierarchical queries and queries involving specific attributes of members can only

be done on cached dynamic groups.

■Dynamic groups can only be added using ldapadd or ODSM. They cannot be

added by using bulkload.

■The attributes used in the LDAP filter part of the labeleduri must be indexed.

See Section 20.3.7, "Indexing an Attribute by Using ldapmodify," Section 15.7,

"Creating and Dropping Indexes from Existing Attributes by Using catalog," and

Section 20.1.3.4, "About Indexing Attributes."

■You cannot change the objectclass of a dynamic group after the group has been

created. You must delete the group and re-create it.

■Searches for the uniquemember attribute will not pick up dynamic lists or

CONNECT BY assertion-based dynamic groups.

14.1.2.3 Schema Elements for Creating a Dynamic Group

When you create a dynamic group, you begin as when creating a static group—that is,

you associate its entry with either the groupOfNames or groupOfUniqueNames

object class. You then associate that object class with the auxiliary object class

orclDynamicGroup or orclDynamicList.

The auxiliary object class orclDynamicGroup has various attributes in which you

specify one of two methods for dynamically computing the membership of the group:

using the labeledURI attribute and using a CONNECT BY assertion. The auxiliary

object class orclDynamicList supports only the labeledURI attribute method of

computing membership.

The two methods of computing membership are:

■Using the labeledURI attribute

Both of the auxiliary object classes orclDynamicGroup and orclDynamicList

have the labeledURI attribute. If you associate your group with

orclDynamicGroup and use the labeledURI attribute to compute membership,

the group is cached. If you associate your group with orclDynamicList and use

the labeledURI attribute to compute membership, the group is not cached. This

uncached type, using orclDynamicList objectclass, is referred to as a dynamic

list.

When using the labeledURI method, the directory server performs a typical

search based on the hierarchy of the DIT. It requires you to provide a value for one

of the attributes of the orclDynamicGroup or orclDynamicList object class,

namely labeledURI. In this attribute, you specify the base of the query, the

filters, and any required attributes. For example, suppose that you have entered

the following value for the labeledURI attribute:

labeledURI:ldap://host:port/ou=NewUnit,o=MyCompany,c=US??sub?(objectclass=perso

When you use this method, a search for the entry returns entries for all members

of the group.

Introduction to Managing Dynamic and Static Groups

Managing Dynamic and Static Groups 14-5

Do not set orclConnectByAttribute or orclConnectByStartingValue

when using the labeledURI attribute method.

■Using a CONNECT BY assertion

Unlike the labeledURI attribute method, this method relies not on the hierarchy

of the DIT, but on attributes that implicitly connect entries to each other,

regardless of their location in the DIT. For example, the manager attribute

connects the entries of employees with those of their managers, and this

connection applies regardless of the location of the employee entries in the DIT.

This method uses a CONNECT BY clause in which you specify the attribute to use

for building the hierarchy—for example, manager—and the starting value for

such a hierarchy—for example, cn=Anne

Smith,cn=users,dc=example,dc=com.

More specifically, to use this method, you specify in the orclDynamicGroup

object class a value for each of the single-valued attributes in Table 14–1.

For example, to retrieve the entries of all employees who report to Anne Smith in

the MyOrganizational Unit in the Americas, you would provide values for these

attributes as follows:

orclConnectByAttribute=manager

orclConnectByStartingValue= "cn=Anne

Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US"

Do not set labeledURI when using the CONNECT BY assertion method.

You can also develop an application specifying that you want the values for a

particular attribute—for example, the email attribute—of all the members.

Note: In the labeledURI attribute, the host:port section is present

for syntax purposes alone. Irrespective of the host and port settings in

the labeledURI attribute, the directory server always computes

members of dynamic group from the local directory server. It cannot

retrieve members from other directory servers.

See Also: "The LDAP URL Format" (RFC 2255). T. Howes, M.

Smith, December 1997. This RFC provides more information about

how LDAP URLs are to be represented—as, for example, in the

labeledURI attribute. It is available at http://www.ietf.org.

See Also: Performing Hierarchical Searches in Oracle Fusion

Middleware Application Developer's Guide for Oracle Identity Management

Table 14–1 orclDynamicGroup Attributes for "Connect By" Assertions

Attribute Description

orclConnectByAttribute The attribute that you want to use as the filter for the

query—for example, manager. This attributed must be

indexed.

orclConnectByStartingValue The DN of the attribute you specified in the

orclConnectByAttribute attribute—for example,

cn=Anne Smith,cn=users,dc=example,dc=com

Introduction to Managing Dynamic and Static Groups

14-6 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

The following examples show the two kinds of dynamic group entries.

Example: a Dynamic Group Entry Using the labeledURI Attribute

The following is an example of a dynamic group entry using the labeledURI

attribute.

dn: cn=dgroup1

cn: dgroup1

description: this is an example of a dynamic group

labeleduri:ldap://hostname:7777/ou=oid,l=amer,dc=oracle,

dc=dgrptest??sub?objectclass=person

objectclass: orcldynamicgroup

objectclass: groupOfUniqueNames

objectclass: top

This group will have uniquemember values that are the DNs of all entries associated

with the object class person in the subtree

ou=oid,l=amer,dc=oracle,dc=dgrptest.

Example: a Dynamic List Entry Using the labeledURI Attribute

The following is an example of a dynamic list entry using the labeledURI attribute.

(Dynamic lists are not cached.) It is the same as the previous example, except that the

auxiliary object class is orclDynamicList instead of orclDynamicGroup

dn: cn=dgroup1

cn: dgroup1

description: this is an example of a dynamic group

labeleduri:ldap://hostname:7777/ou=oid,l=amer,dc=oracle,

dc=dgrptest??sub?objectclass=person

objectclass: orcldynamiclist

objectclass: groupOfUniqueNames

objectclass: top

This group will have uniquemember values that are the DNs of all entries associated

with the object class person in the subtree

ou=oid,l=amer,dc=oracle,dc=dgrptest. Searches for the uniquemember

attribute, however, will not pick up dynamic lists

Example: a Dynamic Group Entry Using the CONNECT BY Assertion

The following is an example of a dynamic group entry that uses the CONNECT_BY

assertion.

dn: cn=dgroup2

cn: dgroup2

description: this is connect by manager assertion dynamic group

orclconnectbyattribute: manager

orclconnectbystartingvalue: cn=john doe sr,l=amer,dc=oracle,dc=dgrptest

objectclass: orcldynamicgroup

objectclass: groupOfUniqueNames

objectclass: top

This dynamic group has unique members with values that are DNs of all the entries

whose manager attribute is cn=john doe sr. either indirectly or directly. If several

See Also: Oracle Fusion Middleware Application Developer's Guide

for Oracle Identity Management for more information about how to

develop applications that retrieve values for particular attributes

Introduction to Managing Dynamic and Static Groups

Managing Dynamic and Static Groups 14-7

individuals have cn=john doe JR. as their manager, and he, in turn, has cn=john

doe SR. as his manager, then all the lower-level individuals are returned.

14.1.3 Hierarchies

Hierarchies can be either explicit or implicit.

In explicit hierarchies, the relationship is determined by the location of the entry in the

DIT—for example, Group A may reside higher in the DIT than Group B.

In implicit hierarchies, the relationship between entries is determined not by the

location in the DIT, but by the values of certain attributes. For example, suppose that

you have a DIT in which the entry for John Doe is at the same level of the hierarchy as

Anne Smith. However, suppose that, in the entry for John Doe, the manager attribute

specifies Anne Smith as his manager. In this case, although their locations in the DIT

are at an equal level, their rankings in the hierarchy are unequal because Anne Smith

is specified as John Doe's manager.

14.1.4 Querying Group Entries

An application can query either kind of group to do the following:

■List all members of a group

■List all groups of which a user is a member

■Check to see if a user is a member of a particular group

In addition, you can query dynamic groups, but not static ones, for whatever member

attributes you specify.

14.1.5 orclMemberOf Attribute

orclMemberOf is a mutivalued attribute containing the groups to which the entry

belongs. The groups in orclMemberOf include static groups and labeleduri-based

dynamic groups. CONNECT BY assertion-based dynamic groups and dynamic lists are

not included. The membership includes both direct groups and nested groups.

Note: In a query based on an implicit hierarchy, the client can

specify in the search request the control 2.16.840.1.113894.1.8.3. The

filter in this query specifies the attribute used to build the implicit

hierarchy. For example, (manager=cn=john doe, o=foo)

specifies the query for all people reporting directly or indirectly to

John Doe. The implicit hierarchy is based on the manager attribute.

The base of the search is ignored for such queries.

For more information on controls used by Oracle Internet

Directory, see "About LDAP Controls" in Oracle Fusion Middleware

Reference for Oracle Identity Management.

See Also: The C API chapter in Oracle Fusion Middleware Application

Developer's Guide for Oracle Identity Management

See Also: The GSL_REQDATTR_CONTROL entry under "LDAP

Controls" in Oracle Fusion Middleware Reference for Oracle Identity

Management.

Introduction to Managing Dynamic and Static Groups

14-8 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

For example, suppose Mary is a member of the static group directors and the group

directors is a member of the static group managers. If you do a specific query for

the attribute orclMemberOf on Mary's DN, it will show the value:

managers,directors

The attribute values are computed during search and are not stored. This attribute

cannot be used in search filters. orclMemberOf is not returned in a search unless

explicitly requested by name.

orclMemberOf has the aliases memberof and ismemberof for compatibility with

Active Directory and Oracle Directory Server Enterprise Edition (formerly Sun Java

System Directory Server and SunONE iPlanet).

Examples:

■Search single user:

ldapsearch -h host -p 3060 -D binddn -q -b "cn=jdoe,cn=users,o=oracle" -s base

"(objectclass=*)" orclmemberof

■Search with alias:

ldapsearch -h host -p 3060 -D binddn -q -b "cn=jdoe,cn=users,o=oracle" -s base

"(objectclass=*)" memberof

■Get all attributes and orclmemberof:

ldapsearch -h host -p 3060 -D binddn -q -b "cn=jdoe,cn=users,o=oracle" -s base

"(objectclass=*)" orclmemberof *

■Search multiple users:

ldapsearch -h host -p 3060 -D binddn -q -b "cn=users,o=oracle" -s sub

"(objectclass=person)" orclmemberof

14.1.6 When to Use Each Kind of Group

When deliberating about which kind of group to use, you must weigh the ease of

administration against higher performance. For example, dynamic groups provide for

easier administration, but cause a decrease in performance. Table 14–2 lists some

things to consider when deliberating whether to use static or dynamic groups.

See Also: Chapter 17, "Managing Alias Entries."

Table 14–2 Static and Dynamic Group Considerations

Consideration Static Groups Dynamic Groups

Ease of administration More difficult to administer

if group memberships are

large and change frequently

Easier to use, especially

when group memberships

are large and change

frequently

Managing Group Entries by Using Oracle Directory Services Manager

Managing Dynamic and Static Groups 14-9

14.2 Managing Group Entries by Using Oracle Directory Services

Manager

You can manage static and dynamic group entries by using the Data Browser page in

Oracle Directory Services Manager. You can display group entries, search for groups,

and view groups using the procedures described in Section 13.2, "Managing Entries by

Using Oracle Directory Services Manager." The procedures for creating and modifying

groups are described in this section. This section contains the following topics:

■Section 14.2.1, "Creating Static Group Entries by Using Oracle Directory Services

Manager"

■Section 14.2.2, "Modifying a Static Group Entry by Using Oracle Directory Services

Manager"

■Section 14.2.3, "Creating Dynamic Group Entries by Using Oracle Directory

Services Manager"

■Section 14.2.4, "Modifying a Dynamic Group Entry by Using Oracle Directory

Services Manager"

14.2.1 Creating Static Group Entries by Using Oracle Directory Services Manager

If the static group entry belongs to the groupOfNames object class, then you

determine membership in the group by adding DNs to the multivalued attribute

member. If the entry belongs to the groupOfUniqueNames object class, then you

determine membership in the group by adding DNs to the multivalued attribute

uniqueMember.

To add a static group entry:

1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet

Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services

Manager."

2. From the task selection bar, select Data Browser.

3. On the toolbar, choose the Create a new entry icon. Alternatively, right click any

entry and choose Create.

You can, alternatively, select a group that is similar to the one you want to create,

then choose the Create a new entry like this one icon. Alternatively, right click

any entry and choose Create.

The Create New Entry wizard appears.

Search Performance Higher level of performance

because you explicitly

administer the membership

list

Slightly decreased level of

performance with dynamic

groups using labeleduri,

but almost same when

compared to static groups,

because memberships are

cached. Decrease in

performance with uncached

groups, when compared to

static groups and cached

dynamic groups because

memberships are computed

as needed.

Table 14–2 (Cont.) Static and Dynamic Group Considerations

Consideration Static Groups Dynamic Groups

Managing Group Entries by Using Oracle Directory Services Manager

14-10 Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

4. Specify the object classes for the new entry. Click the Add icon and use the Add

Object Class dialog to select either groupOfNames or groupOfUniqueNames.

(All the superclasses from this object class through top are also added.)

Click OK.

5. In the Parent of the entry field, you can specify the full DN of the parent entry of

the entry you are creating. You can also click Browse to locate and select the DN of

the parent for the entry you want to add, then click Select.

If you leave the Parent of the entry field blank, the entry is created under the root

entry.

6. Click Next.

7. Choose an attribute which will be the Relative Distinguished Name value for this

entry and enter a value for that attribute. You must enter a value for the cn

attribute, even if it is not the RDN value.

8. Click Next. The next page of the wizard appears. (Alternatively, you can click

Back to return to the previous page.)

9. Click Finish.

10. To add an owner or member, navigate to the group entry you just created in the

Data Tree.

11. Select the Group tab.

12. To add an owner to the group, click the Add icon next to the Owner box.

13. Enter the owner's DN or click the button to select the entry you want to add as

owner (usually a user or group entry) in the Select Distinguished Name Path

dialog.

Click OK.

14. To add a member to the group, click the Add icon next to the Members text box

15. Enter the member's DN or click the button to select the entry you want to add as a

member (usually a user or group entry) in the Select Distinguished Name Path

dialog.

Click OK.

16. Optionally, enter a description for the entry.

17. Choose Apply to apply your changes or choose Revert to abandon your changes.

18. To make other changes to the group entry, see Section 14.2.2, "Modifying a Static

Group Entry by Using Oracle Directory Services Manager."

14.2.2 Modifying a Static Group Entry by Using Oracle Directory Services Manager

To modify an attribute, such as the member list, for a group entry:

1. Select the group in the data tree.

2. To add or delete an owner or member, select the Group tab or the Attributes tab.

See Also:

■Section 14.1.2, "Dynamic Groups"

■Section 29.1.1.4, "Security Groups"

■Section 3.8, "Globalization Support"

Managing Group Entries by Using Oracle Directory Services Manager

Managing Dynamic and Static Groups 14-11

3. To add a member to the group, click the Add icon next to the Members text box.

4. Select the entry you want to add as a member (usually a user or group entry) in

the Select Distinguished Name Path dialog.

Click OK.

5. To add an owner to the group, click the Add icon next to the Owners text box.

6. Select the entry you want to add as an owner (usually a user or group entry) in the

Select Distinguished Name Path dialog

Click OK.

7. To delete an owner or member, select it in the list and click the Delete icon.

8. To add or modify an attribute other than an owner or member, select the

Attributes tab.

9. By default, only non-empty attributes are shown. You can switch between