InetAD Plug-In Understanding the Microsoft Active Directory Plug-Ins

Understanding Oracle Virtual Directory Plug-Ins 4-41

The InetAD plug-in has the following configuration parameters:

activationAttribute
    Use the activationAttribute parameter when an application has no knowledge of the underlying directory's user activation system. The activationAttribute parameter informs Oracle Virtual Directory which incoming attribute contains the user activation flag, which is then mapped to a directory-specific attribute and flag. For example:
        Parameter Name: activationAttribute
        Parameter Value: myuseraccountcontrol

deactivationValue
    Comma-separated list of attribute values specified in activationAttribute that indicate this user should be marked as inactive.

activationValue
    Comma-separated list of attribute values specified in activationAttribute that indicate this user should be marked as active.

mapObjectClass
    An objectClass to be mapped in the form of client-ObjectClass=AD-ObjectClass. For example:
        Parameter Name: mapObjectClass
        Parameter Value: inetOrgPerson=user
    You can use the mapObjectClass parameter multiple times for multiple mappings. The default values are groupOfUniqueNames=group, inetOrgPerson=user.

addAttribute[-objectclassvalue]
    Adds attributes for a user during the add process. An optional objectclass value may be added to the configuration name to add the attribute only for certain objectclasses. For example, to add a userAccountControl attribute to only the user objectclass, use:
        Parameter Name: addAttribute-user
        Parameter Value: userAccountControl=546
    Note: An additional attribute value may be substituted as an expression by supplying its name surrounded by the percentage character (%). The default configuration is:
        addAttribute-user: useraccountcontrol=544
        addAttribute-group: samaccountname=cn
        addAttribute-group: grouptype=-2147483646

filterAttribute[-objectclassvalue]
    Comma-separated list of attributes to be removed during the add operation and from all returned entries. A conditional objectclass value may be added to the name of the parameter to filter out attributes for a specific objectclass. For example:
        Parameter Name: filterAttribute
        Parameter Value: objectsid,memberof,samaccountname

mapAttribute
    An attribute to be mapped in the form of client-Attribute=AD-attribute. For example:
        Parameter Name: mapAttribute
        Parameter Value: uniqueMember=member
    You can use the mapAttribute parameter multiple times for multiple mappings. The default values are uniqueMember=member, uid=samaccountname, ntgrouptype=grouptype.

filterAuxiliaryClass
    Comma-separated list of objectclasses that must be removed on an add operation. Active Directory for Windows 2000 does not allow auxiliary object classes to be listed while adding an entry, while Microsoft Active Directory and ADAM for Windows Server 2003 do allow auxiliary classes to be listed. The default value is person, organizationalPerson.

filterObjectClassOnModify
    Comma-separated list of attributes to be removed during the modify operation for a specific objectclass. For example:
        Parameter Name: filterObjectClassOnModify
        Parameter Value: objectsid,memberof,samaccountname

mapPassword
    Indicates whether the password must be converted to the unicodePwd attribute: true to convert it, or false if not ADAM. Supported values are true or false. The default value is true.

sslAdapter
    The name of the adapter to which this plug-in reroutes requests if they contain userPassword. The current adapter is used if the sslAdapter parameter is not set. The adapter identified by the sslAdapter parameter must have:
    ■ The same local base as the adapter the InetAD plug-in is configured on
    ■ Its Routing Visibility set to Internal

4-42 Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory
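To make the interplay of these parameters concrete, the following added example (not Oracle's code) models how an inbound add request for an inetOrgPerson or groupOfUniqueNames entry is rewritten for Active Directory using this page's default values. The configuration, the "%cn%" substitution syntax, and the rule that addAttribute does not overwrite an attribute the client already supplied are assumptions made for the illustration.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed configuration: this page's default values plus its examples.
# "%cn%" follows the note on substituting another attribute's value by
# surrounding its name with the percentage character (assumed syntax).
CONFIG = {
    "mapObjectClass": ["groupOfUniqueNames=group", "inetOrgPerson=user"],
    "mapAttribute": ["uniqueMember=member", "uid=samaccountname",
                     "ntgrouptype=grouptype"],
    "addAttribute-user": ["useraccountcontrol=544"],
    "addAttribute-group": ["samaccountname=%cn%", "grouptype=-2147483646"],
    "filterAuxiliaryClass": ["person", "organizationalPerson"],
    "filterAttribute": ["objectsid", "memberof"],
}

def _pairs(values):
    # "name=value" strings -> (name, value) tuples
    return [tuple(v.split("=", 1)) for v in values]

def _expand(value, entry):
    # %attr% -> the entry's first value for attr (assumed substitution rule)
    if len(value) > 2 and value.startswith("%") and value.endswith("%"):
        return entry.get(value[1:-1].lower(), [value])[0]
    return value

def inetad_add(entry: Entry, cfg=CONFIG) -> Entry:
    """Return the entry as it would reach AD during an add operation."""
    e = {k.lower(): list(v) for k, v in entry.items()}
    oc_map = {c.lower(): ad for c, ad in _pairs(cfg["mapObjectClass"])}
    aux = {c.lower() for c in cfg["filterAuxiliaryClass"]}
    # 1. mapObjectClass + filterAuxiliaryClass: rename classes, drop auxiliaries
    ocs = [oc_map.get(o.lower(), o) for o in e.get("objectclass", [])
           if o.lower() not in aux]
    e["objectclass"] = ocs
    # 2. mapAttribute: rename client attributes to their AD names
    for client, ad in _pairs(cfg["mapAttribute"]):
        if client.lower() in e:
            e[ad.lower()] = e.pop(client.lower())
    # 3. addAttribute-<objectclass>: add missing attributes (assumed: no overwrite)
    for oc in ocs:
        for name, value in _pairs(cfg.get(f"addAttribute-{oc.lower()}", [])):
            e.setdefault(name.lower(), [_expand(value, e)])
    # 4. filterAttribute: strip attributes AD must not receive
    for name in cfg["filterAttribute"]:
        e.pop(name.lower(), None)
    return e
```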

4.5 Understanding the Oracle Access Manager Plug-Ins

Oracle Virtual Directory includes plug-ins to simplify the integration with Oracle Access Manager. This topic describes the plug-ins related to this integration and contains the following sections:
■ OAMPolicyControl Plug-In

4.5.1 OAMPolicyControl Plug-In

For Oracle Virtual Directory-Oracle Access Manager integrations only, the OAMPolicyControl plug-in is for applications that use LDAP for authentication and want to use Oracle Access Manager policy controls, but cannot integrate with Oracle Access Manager. Before deploying the OAMPolicyControl plug-in, you must:

■ Set the Bind pass-through settings to Never for any LDAP Adapters that are using the Oracle Access Manager policy configuration. The plug-in handles all authentications and uses proxy credentials to perform all operations.

■ Configure different adapters for Oracle Access Manager. These adapters should use the OAMPolicyControl plug-in to use Oracle Access Manager policies. If you deploy these adapters on the same Oracle Virtual Directory server, you must configure one of the following options:
  – Use a different LDAP namespace for each adapter. An Oracle Access Manager adapter namespace must be independent from the namespaces used by general-purpose LDAP clients.
  – Use an Oracle Virtual Directory view, with accessibility criteria that distinguish requests for different Oracle Access Manager adapters.

■ Configure the Oracle Access Manager Access Server by:
  – Creating a proxy resource that corresponds to Oracle Virtual Directory.
  – Disabling the policy domains for Identity Server and Access Server because the plug-in does not cache the OBSSO Cookie.

■ Configure the AccessSDK as follows:
  – Configure an AccessSDK installation for the Oracle Access Manager Access Server by using AccessServerSDK\oblix\tools\configureAccessGate.
  – Configure opmn to start the Oracle Virtual Directory component by pointing -Djava.library.path to the AccessSDK installation. Edit the INSTANCE_HOME/config/OPMN/opmn/opmn.xml file as follows:

        <ias-component id="ovd1">
          <process-type id="OVD" module-id="OVD">
            <module-data>
              <category id="start-options">
                <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
                <data id="java-options" value="-server -Xms512m -Xmx512m -Dvde.soTimeoutBackend=0 -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml -Djava.library.path=AccessSDK_install_dir/AccessSDK/AccessServerSDK/oblix/lib"/>
                <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
              </category>
            </module-data>
            <stop timeout="120"/>
          </process-type>
        </ias-component>

  – Copy the jobaccess.jar file from AccessSDK_install_dir/AccessServerSDK/oblix/lib to ORACLE_HOME/ovd/plugins/lib.

4.5.1.1 Configuration Parameters

The OAMPolicyControl plug-in has the following configuration parameters:

Note: Failure to successfully complete the preceding prerequisite configurations will cause Oracle Virtual Directory to generate a NoClassDefFound error.