Configuring Server Chaining 37-11
orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Active Directory server:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscsslenabled
orcloidscsslenabled: 1
-
replace: orcloidscextsslport
orcloidscextsslport: 3133
-
replace: orcloidscwalletlocation
orcloidscwalletlocation: adwallet/ewallet.p12
-
replace: orcloidscwalletpassword
orcloidscwalletpassword: passw0rd
3. To apply the changes, use a command line such as ldapmodify -p OID_port -h OID_host -D cn=orcladmin -q -v -f ldif_file_name
Active Directory with New Attributes Example
The attributes mapUIDtoADAttribute, showExternalGroupEntries, showExternalUserEntries, and addOrcluserv2ToADUsers have been added since Oracle Internet Directory 10g (10.1.4.0.1). To add these attributes to an existing Active Directory server chaining entry, modify the following LDIF file with the appropriate values:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: mapUIDtoADAttribute
mapUIDtoADAttribute: name
-
replace: showExternalGroupEntries
showExternalGroupEntries: base
-
replace: showExternalUserEntries
showExternalUserEntries: base
-
replace: addOrcluserv2ToADUsers
addOrcluserv2ToADUsers: 0
Use a command line such as ldapmodify -p OID_port -h OID_host -D cn=orcladmin -q -v -f ldif_file_name to modify the configuration entry.
Oracle Directory Server Enterprise Edition and Sun Java System Directory Server iPlanet Example
The following example shows server chaining configured to use the Sun Java System Directory Server dlin-pc10.us.example.com, port 103060, as its external directory store. All the attributes are explained in Table 37–1 on page 37-6.
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: dlin-pc10.us.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword:
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
The following example is the LDIF file used to modify the configuration entry:
dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscextdn
orcloidscextdn: cn=directory manager
-
replace: orcloidscextpassword
orcloidscextpassword: password
-
replace: orcloidscexthost
orcloidscexthost: dlin-pc10.us.example.com
-
replace: orcloidscextport
orcloidscextport: 10389
-
replace: orcloidsctargetusercontainer
orcloidsctargetusercontainer: cn=iplanet,cn=users,dc=us,dc=oracle,dc=com
-
replace: orcloidsctargetgroupcontainer
orcloidsctargetgroupcontainer: cn=iplanet,cn=groups,dc=us,dc=oracle,dc=com
-
replace: orcloidscextusercontainer
orcloidscextusercontainer: ou=people,dc=example,dc=com
-
replace: orcloidscextgroupcontainer
orcloidscextgroupcontainer: ou=groups,dc=example,dc=com
-
replace: orcloidscextsearchenabled
orcloidscextsearchenabled: 1
-
replace: orcloidscextmodifyenabled
orcloidscextmodifyenabled: 1
-
replace: orcloidscextauthenabled
orcloidscextauthenabled: 1
Oracle Directory Server Enterprise Edition and Sun Java System Directory Server iPlanet with SSL Example
The following example shows server chaining configured to use the Sun Java System Directory Server sunone.example.com, SSL port 10636, and the wallet located at ipwallet/ewallet.p12:
cn=oidsciplanet,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: sunone.example.com
orclOIDSCExtPort: 10389
orclOIDSCExtDN: cn=directory manager
orclOIDSCExtPassword:
orclOIDSCExtUserContainer: ou=people,dc=example,dc=com
orclOIDSCExtGroupContainer: ou=groups,dc=example,dc=com
orclOIDSCTargetUserContainer: cn=iPlanet,cn=users,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=iPlanet,cn=groups,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 10636
orclOIDSCWalletLocation: ipwallet/ewallet.p12
orclOIDSCWalletPassword:
Perform the following steps to configure server chaining with SSL from the command line:
1. Configure server chaining without SSL, as described in the previous section.
2. Create the following LDIF file to enable SSL connection to the external directory. Replace the values of orcloidscextsslport, orcloidscwalletlocation and orcloidscwalletpassword with values that match the actual Oracle Directory Server Enterprise Edition/Sun Java System Directory Server.
dn: cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscsslenabled
orcloidscsslenabled: 1
-
replace: orcloidscextsslport
orcloidscextsslport: 10636
-
replace: orcloidscwalletlocation
orcloidscwalletlocation: ipwallet/ewallet.p12
-
replace: orcloidscwalletpassword
orcloidscwalletpassword: passw0rd
3. Execute a command such as ldapmodify -p OID_port -h OID_host -D cn=orcladmin -q -v -f ldif_file_name to modify the configuration entry.
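The SSL modify files for Active Directory and for Oracle Directory Server Enterprise Edition above follow the same LDIF pattern (one replace block per attribute, separated by "-" lines), and the SSL step only does what you expect when every SSL-related attribute is filled in. The following added example, which is not from the Oracle guide, builds such a file from a dictionary and checks a server-chaining entry for the inconsistencies an administrator should catch before running ldapmodify: SSL enabled without a port, wallet or wallet password, an out-of-range SSL port, SSL left off (so the external bind password crosses the network in cleartext), and the guide's sample secrets left in place. The attribute names are the orcloidsc* names shown on this page; the host, port, wallet path and passwords in SAMPLE_CONFIG are constructed placeholders.

```python
"""Build an OID server-chaining LDIF modify file and sanity-check the entry.

Added example, not from the Oracle guide. Attribute names are the
orcloidsc* attributes documented on this page; every value in
SAMPLE_CONFIG is a constructed placeholder.
"""
import base64
import re

# Attributes that must be non-empty once orcloidscsslenabled is 1.
SSL_REQUIRED = ("orcloidscextsslport", "orcloidscwalletlocation", "orcloidscwalletpassword")
# Sample secrets used in the guide's examples; they must not reach production.
DOC_SAMPLE_SECRETS = {"passw0rd", "password"}

SAMPLE_CONFIG = {  # constructed values, not from any real deployment
    "orcloidscexthost": "ds.example.com",
    "orcloidscextport": "10389",
    "orcloidscextdn": "cn=directory manager",
    "orcloidscextpassword": "password",
    "orcloidscsslenabled": "1",
    "orcloidscextsslport": "10636",
    "orcloidscwalletlocation": "/u01/wallets/ds/ewallet.p12",
    "orcloidscwalletpassword": "passw0rd",
}


def ldif_attr_line(attr, value):
    """Encode one attribute line; values RFC 2849 calls unsafe go base64 with '::'."""
    unsafe = value and (value[0] in " :<" or not value.isascii()
                        or any(c in value for c in "\r\n\0"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def build_modify_ldif(dn, replacements):
    """Serialize a changetype: modify entry, one 'replace' block per attribute,
    with the '-' separator lines the examples in this chapter depend on."""
    blocks = [f"replace: {attr}\n{ldif_attr_line(attr, value)}"
              for attr, value in replacements.items()]
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(blocks) + "\n"


def check_chaining_config(entry):
    """Return a list of problems found in a server-chaining entry (attr -> value)."""
    cfg = {k.lower(): str(v).strip() for k, v in entry.items()}
    problems = []
    if cfg.get("orcloidscsslenabled") == "1":
        for attr in SSL_REQUIRED:
            if not cfg.get(attr):
                problems.append(f"SSL enabled but {attr} is empty")
        port = cfg.get("orcloidscextsslport")
        if port and not (re.fullmatch(r"\d{1,5}", port) and 1 <= int(port) <= 65535):
            problems.append(f"invalid orcloidscextsslport: {port!r}")
    else:
        # Without SSL the external bind DN password travels in cleartext on every chained request.
        problems.append("orcloidscsslenabled is not 1: external bind uses cleartext LDAP")
    for attr in ("orcloidscextpassword", "orcloidscwalletpassword"):
        if cfg.get(attr) in DOC_SAMPLE_SECRETS:
            problems.append(f"{attr} is a documentation sample value")
    return problems


if __name__ == "__main__":
    print(build_modify_ldif("cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry",
                            SAMPLE_CONFIG))
    for problem in check_chaining_config(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
```

Run it as-is and the generated file is the one you would pass to ldapmodify -f; the checker then flags the two sample passwords, which is the point: replace them before the file leaves your terminal, and treat the LDIF file itself as a secret, because the wallet password is written into it in clear.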
eDirectory Example
A sample eDirectory configuration looks like this:
cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword:
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 0
eDirectory with SSL Example
A sample eDirectory configuration with SSL looks like this:
cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry
orclOIDSCExtHost: edirhost.domain.com
orclOIDSCExtPort: 3060
orclOIDSCExtDN: cn=admin,o=domain
orclOIDSCExtPassword:
orclOIDSCExtUserContainer: ou=users,o=domain
orclOIDSCExtGroupContainer: ou=groups,o=domain
orclOIDSCTargetUserContainer: cn=edir,cn=users,dc=us,dc=oracle,dc=com
orclOIDSCTargetGroupContainer: cn=edir,cn=groups,dc=us,dc=oracle,dc=com
orclOIDSCExtSearchEnabled: 1
orclOIDSCExtModifyEnabled: 1
orclOIDSCExtAuthEnabled: 1
orclOIDSCSSLEnabled: 1
orclOIDSCExtSSLPort: 3133
orclOIDSCWalletLocation: edir/ewallet.p12
orclOIDSCWalletPassword:
Debugging Server Chaining
To debug server chaining, perform the following steps:
1. Set the Oracle Internet Directory server debug logging level, as described in Managing Logging by Using Fusion Middleware Control on page 4 or Managing Logging from the Command Line on page 6. Use the logging level value 402653184. This value enables logging of all messages related to the Java plug-in framework.
2. Modify the Oracle Internet Directory server chaining debugging settings. For both cn=oidscad,cn=oid server chaining,cn=subconfigsubentry and cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry, set the attribute orcloidscDebugEnabled to 1.
For example, to set orcloidscDebugEnabled to 1 in cn=oidscad,cn=oid server chaining,cn=subconfigsubentry, you would type:
ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -f file
where file contains:
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscDebugEnabled
orcloidscDebugEnabled: 1
Configuring an Active Directory Plug-in for Password Change Notification
When you use Enterprise User Security (EUS) with Server Chaining, a hash password is required in order to authenticate users. This section describes how to install a plug-in in the Microsoft Active Directory (AD) server so that this hash password is available to users accessed through Oracle Internet Directory. Customers planning to configure Enterprise User Security (EUS) to work with users accessed through Server Chaining must configure this feature.
See Also: The Java Plug-in Debugging and Logging section in Oracle Fusion Middleware Application Developers Guide for Oracle Identity Management.
The steps are as follows:
1. In Active Directory, create an attribute called orclCommonAttribute to store the hash password. Use a command line such as:
ldapadd -p AD_Port -h AD_host -D AD_administrator_DN -w AD_administrator_password -v -f orclca.ldif
Use an orclca.ldif file similar to the following example. Replace DC=bill,DC=com with the actual Active Directory domain name and choose an appropriate attributeID.
dn: cn=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
objectClass: top
objectClass: attributeSchema
cn: orclcommonattribute
distinguishedName: CN=orclcommonattribute,CN=Schema,CN=Configuration,DC=bill,DC=com
instanceType: 4
uSNCreated: 16632
attributeID: 1.9.9.9.9.9.9.9.9
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
uSNChanged: 16632
showInAdvancedViewOnly: TRUE
adminDisplayName: orclCommonAttribute
oMSyntax: 27
lDAPDisplayName: orclCommonAttribute
name: orclcommonattribute
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=bill,DC=com
2. Associate the attribute with the user objectclass. Use a command line such as:
ldapadd -p AD_Port -h AD_host -D AD_administrator_DN -w AD_administrator_password -v -f user.ldif
In the following file, user.ldif, replace DC=bill,DC=com with the actual Active Directory domain name.
dn: CN=User,CN=Schema,CN=Configuration,DC=bill,DC=com
changetype: modify
add: mayContain
mayContain: orclCommonAttribute
It might take Active Directory a few minutes to refresh the schema.
3. Install the password change notification plug-in, as follows:
a. Copy ORACLE_HOME\ldap\admin\oidpwdcn.dll to the Active Directory WINDOWS\system32 folder.
b. Use regedt32 to modify the registry. In the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, add oidpwdcn to the end. It should look like the following:
RASSFM
KDCSVC
WDIGEST
scecli
oidpwdcn
c. Restart Active Directory.
d. Verify that the plug-in is installed properly by resetting the password of a user. The orclCommonAttribute should contain the hash password value.
4. Reset the password for all the Active Directory users so that the password verifier is present for all the users.
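Step 3b changes a value that LSA reads at boot: every DLL named in Notification Packages is loaded into the LSA process and receives each new password in cleartext, which is exactly why oidpwdcn can populate orclCommonAttribute. That makes the value worth verifying after the change and auditing afterwards. The following added example, which is not from the Oracle guide, decodes the Notification Packages REG_MULTI_SZ value from a "reg export" file and compares it with the list shown in step 3b, reporting anything missing and anything extra. EXPECTED is the list printed in step 3b; SAMPLE_REG is a constructed fragment in the format reg export writes, encoding that same list.

```python
"""Audit the LSA 'Notification Packages' value from a .reg export.

Added example, not part of the Oracle guide. EXPECTED is the list this
page shows after oidpwdcn is added; SAMPLE_REG is a constructed fragment
in the format written by 'reg export'.
"""

EXPECTED = ["RASSFM", "KDCSVC", "WDIGEST", "scecli", "oidpwdcn"]

# REG_MULTI_SZ is exported as hex(7): UTF-16LE bytes, strings separated by
# NUL and the list terminated by a second NUL. Long values wrap with '\'.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):52,00,41,00,53,00,53,00,46,00,4d,00,00,00,4b,00,44,\
  00,43,00,53,00,56,00,43,00,00,00,57,00,44,00,49,00,47,00,45,00,53,00,54,00,00,\
  00,73,00,63,00,65,00,63,00,6c,00,69,00,00,00,6f,00,69,00,64,00,70,00,77,00,64,\
  00,63,00,6e,00,00,00,00,00
'''


def encode_multi_sz(names):
    """Produce the hex(7) byte list for a REG_MULTI_SZ value (handy for building test data)."""
    raw = ("\0".join(names) + "\0\0").encode("utf-16-le")
    return ",".join(f"{b:02x}" for b in raw)


def parse_multi_sz(reg_text, value_name):
    """Return the strings stored in a hex(7) value of a .reg export."""
    lines = iter(reg_text.splitlines())
    for line in lines:
        stripped = line.strip()
        if stripped.startswith(f'"{value_name}"=hex(7):'):
            hexdata = stripped.split("hex(7):", 1)[1]
            while hexdata.endswith("\\"):          # join wrapped continuation lines
                hexdata = hexdata[:-1] + next(lines).strip()
            raw = bytes(int(h, 16) for h in hexdata.split(",") if h)
            return [s for s in raw.decode("utf-16-le").split("\0") if s]
    raise KeyError(f"{value_name} not found in export")


def audit_notification_packages(reg_text, expected=EXPECTED):
    """Compare the installed package list with the expected one."""
    found = parse_multi_sz(reg_text, "Notification Packages")
    return {
        "found": found,
        "missing": [p for p in expected if p not in found],
        "unexpected": [p for p in found if p not in expected],
    }


if __name__ == "__main__":
    result = audit_notification_packages(SAMPLE_REG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

To use it on a real domain controller, export the key with reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" lsa.reg, feed the file's text to audit_notification_packages, and adjust EXPECTED to whatever your baseline for that server is; an empty "unexpected" list after step 3c is the check that only the intended package was added.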
Part V
Advanced Administration: Directory Replication
This part provides detailed discussions of replication and high availability and how to plan and manage them. It contains these chapters:
■ Chapter 38, Setting Up Replication
■ Chapter 39, Setting Up Replication Failover
■ Chapter 40, Managing Replication Configuration Attributes
■ Chapter 41, Managing and Monitoring Replication
38
Setting Up Replication
Replication is the process of copying and maintaining the same naming contexts on multiple directory servers. It can improve performance by providing more servers to
handle queries and by bringing the data closer to the client. It improves reliability by eliminating risks associated with a single point of failure.
Before reading this chapter, please see Chapter 6, Understanding Oracle Internet
Directory Replication for an introduction to basic replication concepts.
This chapter presents some information that is common to both Advanced Replication-based replication and LDAP-based replication. The procedural sections of the chapter describe how to set up LDAP-based replication and multimaster replication with fan-out. For information and procedures specific to Oracle Database Advanced Replication-based replication, please see Appendix C, Setting Up Oracle Database Advanced Replication-Based Replication.
This chapter contains the following topics:
■ Introduction to Setting Up Replication
■ Converting an Advanced Replication-Based Agreement to an LDAP-Based Agreement
■ Setting Up an LDAP-Based Replication Agreement by Using the Replication Wizard
■ Testing Replication by Using Oracle Directory Services Manager
■ Setting Up an LDAP-Based Replication by Using the Command Line
■ Setting Up a Multimaster Replication Group with Fan-Out
See Also: Transport Mechanism: LDAP or Oracle Database
Advanced Replication on page 6-4.
See Also: Oracle Fusion Middleware High Availability Guide for
information on setting up replication in high availability configurations.
Note: All references to Oracle Single Sign-On or Oracle Delegated
Administration Services in this chapter refer to Oracle Single Sign-On 10g 10.1.4.3.0 or later and Oracle Delegated Administration Services
10g 10.1.4.3.0 or later.
Introduction to Setting Up Replication
If you are unfamiliar with basic replication concepts, please see Chapter 6,
Understanding Oracle Internet Directory Replication before reading this
introduction. This introduction contains the following topics:
■ Replication Transport Mechanisms
■ Replication Setup Methods
■ Bootstrap Rules
■ The Replication Agreement
■ Other Replication Configuration Attributes
■ Replication Process and Architecture
■ Rules for Configuring LDAP-Based Replication
■ Replication Security
■ LDAP Replication Filtering for Partial Replication
Replication Transport Mechanisms
Oracle Internet Directory supports two replication transport mechanisms.
■ LDAP-based replication uses the industry-standard Lightweight Directory Access Protocol Version 3. You can set up LDAP-based replication in one-way, two-way, and multimaster configurations. This is the recommended protocol for most environments.
■ Oracle Database Advanced Replication-based replication uses the replication capability of Oracle Database. Only multimaster configurations are supported. You can create a single master DRG by switching all nodes in a group but one to read-only mode. If you must replicate Oracle Single Sign-On data, you must use Oracle Database Advanced Replication-based replication. For information and procedures specific to Advanced Replication-based replication, please see Appendix C, Setting Up Oracle Database Advanced Replication-Based Replication.
You can convert an existing Oracle Database Advanced Replication-based multimaster agreement to an LDAP-based multimaster agreement by using remtool -asr2ldap. See Converting an Advanced Replication-Based Agreement to an LDAP-Based Agreement on page 38-15.
Replication Setup Methods
The following methods are available for setting up Oracle Internet Directory replication.
Replication Wizard
The recommended method for setting up LDAP-based replication is to use the replication wizard in Oracle Enterprise Manager Fusion Middleware Control. The procedure is described in Setting Up an LDAP-Based Replication Agreement by Using the Replication Wizard on page 38-16. You can also use the wizard for modifying an existing replication agreement, as described in Viewing or Modifying a Replication Setup by Using the Replication Wizard on page 41-9 and Deleting an LDAP-Based Replication Agreement by Using the Replication Wizard on page 41-10.
See Also: The remtool command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for more information about the Replication Environment Management Tool.
Command Line Tools
You must use command line tools to set up Advanced Replication-based replication. You can also use command line tools to set up LDAP-based replication.
Command-line setup of LDAP-based replication is described in Setting Up an
LDAP-Based Replication by Using the Command Line on page 38-17. Command-line
setup of Advanced Replication-based replication is described in Appendix C, Setting
Up Oracle Database Advanced Replication-Based Replication. When setting up replication from the command line, you use the oidctl command
for stopping and starting the replication server. You use bulk tools for backing up data and loading it to other nodes. You use LDAP tools for a few operations.
Optionally, you can use the bootstrap capability of the replication server for the initial data migration.
You use the Replication Environment Management Tool, remtool, to perform various replication-related tasks, including:
■ Setting up a replication group
■ Converting an existing Oracle Database Advanced Replication-based agreement to an LDAP multimaster agreement
■ Adding and deleting replicas
■ Managing the directory replication group
■ Modifying or resetting the replication Bind DN password
■ Modifying the database replication user REPADMIN password
■ Displaying various errors and status information for change log propagation
Database Copy Procedure
It is possible to set up replication on a new host by copying the Oracle Database from an existing host. This is a complex procedure that is not recommended for most
environments. The procedure is described in Appendix L, Adding a Directory Node
by Using the Database Copy Procedure.
Bootstrap Rules
Whether you are using the replication wizard in Fusion Middleware Control or the command line, you can use the bootstrap capability of the replication server for the
initial data migration.
You set the bootstrap flag by setting the attribute orclreplicastate to 0 under the replicadn.
See Also: The remtool command-line tool reference in Oracle
Fusion Middleware Reference for Oracle Identity Management for more information about the Replication Environment Management Tool