
17-14 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform

17.3.6 Configuring External Authentication Plug-ins

Oracle Directory Integration Platform supports Java-based external authentication plug-ins. Oracle recommends that you use the Java plug-ins instead of the older PL/SQL-based plug-ins, which support only Microsoft Active Directory and Oracle Directory Server Enterprise Edition (Sun Java System Directory Server). The configuration tool for the plug-ins is a Java program called oidexcfg. You use it to configure Java-based external authentication plug-ins for Microsoft Active Directory, Oracle Directory Server Enterprise Edition (Sun Java System Directory Server), Novell eDirectory, IBM Tivoli Directory Server, and OpenLDAP.

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on managing Oracle Internet Directory password policies.

Note: The oidexcfg tool configures an external authentication plug-in to work with only a single domain. To set up an external authentication plug-in that works with multiple domains, you must also perform the steps described in Configuring External Authentication Against Multiple Domains.

To configure an external authentication plug-in, perform the following steps:

1. (Optional) Perform this step only if you want to use SSL to secure the communication between the authentication plug-in and the external LDAP directory. If you do not want to secure that communication, proceed to step 2.

To secure the communication between the authentication plug-in and the external LDAP directory using SSL, a trusted certificate from the external, authenticating directory must reside in a wallet on the file system. When you configure the plug-in using oidexcfg in step 3, you are prompted for information about the external LDAP directory configuration, and you identify the location of this wallet there. If you want to use SSL, put the certificate in a new or existing wallet now.

Note: The certificate enables SSL only between the authentication plug-in and the external LDAP directory. It does not secure the connection that oidexcfg itself opens to Oracle Internet Directory when you execute it in step 3.

2. Include oidexcfg.jar and ldapjclnt11.jar in the Java CLASSPATH environment variable.

In UNIX/Linux environments (csh syntax; setenv takes a space, not an equals sign, between the variable name and its value):

setenv CLASSPATH $ORACLE_HOME/jlib/oidexcfg.jar:$ORACLE_HOME/ldap/jlib/ldapjclnt11.jar:$CLASSPATH

The equivalent in sh or bash is:

export CLASSPATH=$ORACLE_HOME/jlib/oidexcfg.jar:$ORACLE_HOME/ldap/jlib/ldapjclnt11.jar:$CLASSPATH

In Windows environments:

set CLASSPATH=%ORACLE_HOME%\jlib\oidexcfg.jar;%ORACLE_HOME%\ldap\jlib\ldapjclnt11.jar;%CLASSPATH%

3. Configure the plug-in using oidexcfg. You are prompted for information about the external LDAP directory configuration, including the location of the wallet containing the trusted certificate required for SSL. Execute the following command:

java -classpath $CLASSPATH oracle.ldap.extplg.oidexcfg -h OID_Host -p OID_Port -D BindDN -w password -t Directory_Type

The bind password supplied with -w is part of the command line, so it is recorded in shell history and visible to other users of the host through process listings; run the tool from a session where that exposure is acceptable.

The -t option, which identifies the directory type, accepts the following values:

■ ad for Microsoft Active Directory
■ adam for Microsoft Active Directory Application Mode
■ iplanet for Oracle Directory Server Enterprise Edition and Sun Java System Directory Server
■ edirectory for Novell eDirectory
■ openldap for OpenLDAP
■ tivoli for IBM Tivoli Directory Server

17.3.6.1 Configuring External Authentication Against Multiple Domains

To set up an external authentication plug-in to work with multiple external authentication domains, you must perform some manual steps after you run the external configuration tool. Proceed as follows:

1. Configure the external authentication plug-in as described in Configuring External Authentication Plug-ins.

Note: When oidexcfg prompts for the wallet, identify the location of the wallet file using a fully-qualified path, for example: /etc/ORACLE_HOME/wallets/ewallet.p12

2. Search for the plug-in configuration entries created by the configuration tool in step 1, and redirect the search output to a file. Use an ldapsearch command similar to this:

ldapsearch -p 3060 -D binddn -q -s sub -L \
  -b "cn=plugin,cn=subconfigsubentry" "cn=oidexplg_*_ad" > output.ldif

The example shows the Microsoft Active Directory cn. Use the correct plug-in cn for the type of plug-in you configured, as shown in Table 17–2. You can use * as a wildcard, as shown in the example.

Note: Because the command uses -q rather than -w, you are prompted for the bind password instead of placing it on the command line.

Note: The exported entries carry the wallet password attributes (orclpluginsecuredflexfield;walletpwd and walletpwd2), so treat output.ldif as sensitive: restrict its file permissions and delete it once you have finished editing the entries.

Table 17–2 Distinguished Names of External Authentication Plug-ins

Plug-in Type                                    DN
Microsoft Active Directory                      cn=oidexplg_compare_ad,cn=plugin,cn=subconfigsubentry
                                                cn=oidexplg_bind_ad,cn=plugin,cn=subconfigsubentry
Oracle Directory Server Enterprise Edition      cn=oidexplg_compare_iplanet,cn=plugin,cn=subconfigsubentry
(Sun Java System Directory Server)              cn=oidexplg_bind_iplanet,cn=plugin,cn=subconfigsubentry
Novell eDirectory                               cn=oidexplg_compare_edirectory,cn=plugin,cn=subconfigsubentry
                                                cn=oidexplg_bind_edirectory,cn=plugin,cn=subconfigsubentry
OpenLDAP                                        cn=oidexplg_compare_openldap,cn=plugin,cn=subconfigsubentry
                                                cn=oidexplg_bind_openldap,cn=plugin,cn=subconfigsubentry

3. Examine the output file. For a Microsoft Active Directory plug-in, the output file resembles the following:

dn: cn=oidexplg_compare_ad,cn=plugin,cn=subconfigsubentry
cn: oidexplg_compare_ad
objectclass: orclPluginConfig
objectclass: top
orclpluginname: oidexplg.jar
orclplugintype: operational
orclpluginkind: Java
orclplugintiming: when
orclpluginldapoperation: ldapcompare
orclpluginsecuredflexfield;walletpwd: password
orclpluginsecuredflexfield;walletpwd2: password
orclpluginversion: 1.0.1
orclpluginisreplace: 1
orclpluginattributelist: userpassword
orclpluginentryproperties: (objectclass=orcladobject)(objectclass=orcluserv2)
orclpluginflexfield;host2: host.domain.com
orclpluginflexfield;port2: 636
orclpluginflexfield;isssl2: 1
orclpluginflexfield;host: host.domain.com
orclpluginflexfield;walletloc2: /location/wallet
orclpluginflexfield;port: 389
orclpluginflexfield;walletloc: /tmp
orclpluginflexfield;isssl: 0
orclpluginflexfield;isfailover: 0
orclpluginclassreloadenabled: 0
orclpluginenable: 0
orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com

dn: cn=oidexplg_bind_ad,cn=plugin,cn=subconfigsubentry
cn: oidexplg_bind_ad
objectclass: orclPluginConfig
objectclass: top
orclpluginname: oidexplg.jar
orclplugintype: operational
orclpluginkind: Java
orclplugintiming: when
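A check worth running on output.ldif before editing it, as an added example that is not part of the Oracle guide: the script parses the exported LDIF and flags the settings that matter in the entries above, namely a primary or secondary directory reached without SSL, a wallet location that is not a fully-qualified path, a missing wallet password, and a plug-in whose orclpluginenable is still 0. The attribute names are the ones in the sample output; the function names, the checks, and SAMPLE_LDIF (the guide's compare entry trimmed to the attributes the checks read, plus a bind entry completed with invented values, since the guide's listing of it is cut off) are this example's own assumptions. It goes beyond the single entry on the page in that it also handles folded and base64-encoded LDIF lines.

```python
"""Audit the plug-in entries exported by the ldapsearch step. Added example, not
Oracle's code: attribute names come from the guide's sample, the checks and
function names are this example's own."""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample: the compare entry is the guide's Active Directory output
# trimmed to the attributes the checks read; the bind entry is invented.
SAMPLE_LDIF = """\
dn: cn=oidexplg_compare_ad,cn=plugin,cn=subconfigsubentry
cn: oidexplg_compare_ad
objectclass: orclPluginConfig
objectclass: top
orclpluginsecuredflexfield;walletpwd: password
orclpluginsecuredflexfield;walletpwd2: password
orclpluginflexfield;host2: host.domain.com
orclpluginflexfield;port2: 636
orclpluginflexfield;isssl2: 1
orclpluginflexfield;host: host.domain.com
orclpluginflexfield;walletloc2: /location/wallet
orclpluginflexfield;port: 389
orclpluginflexfield;walletloc: /tmp
orclpluginflexfield;isssl: 0
orclpluginenable: 0
orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com

dn: cn=oidexplg_bind_ad,cn=plugin,cn=subconfigsubentry
cn: oidexplg_bind_ad
orclpluginflexfield;host: host.domain.com
orclpluginflexfield;port: 636
orclpluginflexfield;isssl: 1
orclpluginflexfield;walletloc: wallets/ewallet.p12
orclpluginsecuredflexfield;walletpwd: password
orclpluginenable: 1
"""

FLEX = "orclpluginflexfield;"
SECURED = "orclpluginsecuredflexfield;"
ABS_PATH = re.compile(r"^(/|[A-Za-z]:[\\/])")  # POSIX path or Windows drive path


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64'
    values, lower-cases attribute names (options such as ';host2' are kept)."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # RFC 2849 line folding
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Optional[Dict[str, List[str]]] = None
    for line in unfolded:
        if not line.strip():  # a blank line terminates the entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current = current if current is not None else {}
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def first(entry: Dict[str, List[str]], attr: str, default: Optional[str] = None) -> Optional[str]:
    values = entry.get(attr.lower())
    return values[0] if values else default


def audit_plugin_entry(entry: Dict[str, List[str]]) -> List[str]:
    """One finding per weak or incomplete setting in a plug-in config entry."""
    findings: List[str] = []
    dn = first(entry, "dn", "<no dn>")
    if first(entry, "orclpluginenable") != "1":
        findings.append(f"{dn}: orclpluginenable is not 1, the plug-in is configured but inactive")
    # Unsuffixed flex fields describe the primary directory, the '2' suffix the second one.
    for suffix, label in (("", "primary"), ("2", "secondary")):
        host = first(entry, FLEX + "host" + suffix)
        if host is None:
            continue
        port = first(entry, FLEX + "port" + suffix, "?")
        if first(entry, FLEX + "isssl" + suffix, "0") != "1":
            findings.append(f"{dn}: {label} directory {host}:{port} is contacted without SSL, "
                            "so the credentials this plug-in verifies cross the network in clear")
            continue
        wallet = first(entry, FLEX + "walletloc" + suffix, "")
        if not ABS_PATH.match(wallet):
            findings.append(f"{dn}: {label} wallet location {wallet!r} is not a fully-qualified path")
        if not first(entry, SECURED + "walletpwd" + suffix):
            findings.append(f"{dn}: {label} wallet password (walletpwd{suffix}) is not set")
    return findings


def audit_ldif(text: str) -> List[str]:
    """Findings for every entry in an LDIF export, in file order."""
    return [f for entry in parse_ldif(text) for f in audit_plugin_entry(entry)]
```

Run it on the real export with audit_ldif(open("output.ldif").read()); an empty list means every configured directory is reached over SSL from an absolute wallet path with a wallet password set, and the plug-in is enabled. SSL is evaluated per directory: in the sample the compare entry talks to the secondary host over SSL on 636 but to the primary host in clear on 389, which is exactly the half-secured configuration the check exists to catch.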