Understanding Oracle Virtual Directory Routing 3-11 ■ whether the user credentials map under an adapter listed in the Include Binds From field, and also, whether the user credential maps under an excluded adapter listed in the Exclude Binds From field. Consider the following example with adapter root ou=admin,o=depts,dc=oracle,dc=com. A user credential may either:

1. Case A

: Map within the namespace of ou=admin,o=depts,dc=oracle,dc=com

2. Case B

: Not map within the namespace of ou=admin,o=depts,dc=oracle, dc=com for example, the credential has DN ends with ou=sales,o=depts, dc=oracle,dc=com. Case A User credential ends with ou=admin,o=depts,dc=oracle,dc=com: If the Exclude Binds From field is not empty, then the users credential must be checked to see if they are a child of an excluded adapter. If it is, then the Proxy credential must be used instead of passing through the clients credential. If the users credential does not belong to an excluded adapter, then the users credential may be passed through the current adapter. This scenario most often occurs when two LDAP Adapters are defined where the second adapter is a child of the first or parent adapter. A credential that is part of the child adapter could also erroneously be considered to be part of the parent adapter. Using the Exclude Binds From setting helps correct the problem where the credential from the child adapter would be incorrectly passed through to the parent adapter. Using the Exclude Binds From setting allows Oracle Virtual Directory to understand that certain child DNs do not map to the parent adapters credential set. Case B User credential ends with root different from ou=admin,o=depts, dc=oracle,dc=com: If the Include Binds From field is not empty, but has adapters defined as shared, the user credential must be checked to see if it maps to a shared adapter. If it does, the credential is mapped by the shared adapter and returned to the original adapter. The original adapter is then able to pass through the credential mapped by the shared adapter. If the credential does not map to the current adapter, or any of the shared adapters, then the proxy credential must be used rather than passing through the provided credential. An example of this is an Oracle Virtual Directory that proxies multiple Microsoft Active Directory domains. User credentials may have different roots, but since all proxies go to the same forest, it is possible that one domain controller can authenticate a DN from another domain controller. In this situation, credentials from either adapter can be shared in common across both adapters. For example, Domain A adapter proxies Domain A, Domain B adapter proxies Domain B. Domain A and B are in the same forest. Therefore, on both the Domain A and Domain B adapter, you can set the Include Binds From setting to Domain A, Domain B and both adapters are able to pass through each-others credentials.