Configuring Oracle Virtual Directory for Integrated Directory Solutions 19-11
13. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
-D bindDN -q -v -a -f realmRoot.ldif

Note: The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases, to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

14. Create a new LDAP Adapter for the user search base in Active Directory using the following settings and by entering the Active Directory host information, including the Remote Base. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.
■ Use the EUS_ActiveDirectory template for the adapter.
■ For Remote Base, enter the container in Active Directory, for example: cn=users,dc=adrealm,dc=com

15. Check whether the EUSActiveDirectory.py mapping is already deployed. If it is, go to step 16 now. If the EUSActiveDirectory.py mapping is not deployed, you must create a mapping for the Active Directory user search base adapter: click the Create Mapping button, select EUSActiveDirectory.py, enter a unique mapping name, click the OK button, and then click the Apply button.

16. Add the Mapped Namespace to the orclcommonusersearchbase attribute under cn=Common,cn=Products,cn=oraclecontext,OID realm. You can use an LDIF file such as:

dn: cn=Common,cn=Products,cn=oraclecontext,dc=oracle,dc=com
changetype: modify
add: orclcommonusersearchbase
orclcommonusersearchbase: cn=users,dc=adrealm,dc=com

17. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.
19-12 Oracle Fusion Middleware Administrators Guide for Oracle Virtual Directory

Target DN                     Scope    Applies To      Grant/Deny                     Access
cn=subschemasubentry          subtree  Entry           Grant Browse DN and Return DN  Public
cn=subschemasubentry          subtree  All Attributes  Grant Search and Read          Public
cn=OracleContext              subtree  Entry           Grant Browse DN and Return DN  Public
cn=OracleContext              subtree  All Attributes  Grant Search and Read          Public
cn=OracleSchemaVersion        subtree  Entry           Grant Browse DN and Return DN  Public
cn=OracleSchemaVersion        subtree  All Attributes  Grant Search and Read          Public
dc=com                        subtree  Entry           Grant Browse DN and Return DN  Public
dc=com                        subtree  All Attributes  Grant Search and Read          Public
dc=com                        subtree  authpassword    Deny All operations            Public
dc=com                        subtree  authpassword    Grant Search and Read          Group with DN of: cn=EUSDBGroup,Your Mapped OID domain

Note: The last ACL above (Grant Search and Read on authpassword to the cn=EUSDBGroup group) must be the last ACL in the ACL list for dc=com.

18. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

Target DN                     Scope    Applies To      Grant      Access
cn=OracleContext,YOUR DOMAIN  subtree  Entry           Grant All  Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN
cn=OracleContext,YOUR DOMAIN  subtree  All Attributes  Grant All  Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN

19. Set the ACLs in the Oracle Internet Directory to protect the data under cn=OracleContext,YOUR DOMAIN.

19.2.2.3 User Identities in Oracle Directory Server Enterprise Edition

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Oracle Directory Server Enterprise Edition:
■ Configuring Oracle Directory Server Enterprise Edition for the Integration
■ Configuring Oracle Virtual Directory for the Integration
19.2.2.3.1 Configuring Oracle Directory Server Enterprise Edition for the Integration

Perform the following steps to configure Oracle Directory Server Enterprise Edition for the integration:

1. Extend the iPlanet LDAP attribute and objectclass using the following command:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
-D "cn=directory manager" -q -v -a -f ./iPlanetSchema.ldif
2. Create a realm in iPlanet by performing the following steps:
a. Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.
b. Run the following command to create a realm in iPlanet using the realmiPlanet.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
-D "cn=directory manager" -q -v -a -f ./realmiPlanet.ldif
3. Configure the user and group containers by either creating new user and group containers, or using existing user and group containers.

Creating New User and Group Containers
a. Open the iPlanetContainers.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.
b. Run the following command to create user and group containers in iPlanet using the iPlanetContainers.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
-D "cn=directory manager" -q -v -a -f ./iPlanetContainers.ldif

Using Existing User and Group Containers
a. Open the useiPlanetContainers.ldif file.
b. Replace all instances of the c​n=users,dc=us,dc=oracle,dc=com string with the name of your user container.
c. Replace all instances of the cn=groups,dc=us,dc=oracle,dc=com string with the name of your group container.
d. Run the following command to configure the existing user and group containers in iPlanet using the useiPlanetContainers.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
-D "cn=directory manager" -q -v -a -f ./useiPlanetContainers.ldif
19.2.2.3.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

Note: Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.
1. Ensure you have performed all steps in Preparing Oracle Virtual Directory for the Enterprise User Security Integration on page 19-3 before proceeding with this procedure.
2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.
3. Create three new Local Store Adapters using the following settings. Refer to Creating Local Store Adapters on page 12-23 for information on creating Local Store Adapters.
■ Use the Local_Storage_Adapter template for each adapter.
■ The Adapter Suffix for one Local Store Adapter must be cn=OracleContext; the Adapter Suffix for another must be cn=OracleSchemaVersion; and the Adapter Suffix for the third must be dc=com, unless your Sun Java System Directory domain is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.
■ The Database File and Backup File fields for each of the adapters must be unique.
4. Update and load the entries into the Local Store Adapters by performing the following steps:
a. Load the loadOVD.ldif file into Oracle Virtual Directory using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Enterprise User Security queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus directory.

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
-D bindDN -q -v -a -f loadOVD.ldif

b. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Oracle Directory Server Enterprise Edition and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory. The realmRoot.ldif file is located in the ORACLE_HOME/ovd/eus directory.
c. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
-D bindDN -q -v -a -f realmRoot.ldif

Note: The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases, to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

5. Create an LDAP Adapter for Enterprise User Security using the following settings and by entering the Oracle Directory Server Enterprise Edition host information, including the appropriate Remote Base and Mapped Namespace. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.
■ Use the EUS_Sun template for the adapter.
■ The proxy DN user must be able to read the userPassword attribute in Oracle Directory Server Enterprise Edition.

After creating the LDAP Adapter for Enterprise User Security, DBCA adds a user under cn=oraclecontext,YOUR Mapped DOMAIN DN in Oracle Virtual Directory. Make sure this user can read the userPassword attribute in Oracle Directory Server Enterprise Edition.
6. Configure the Enterprise User Security plug-ins by performing the following steps:
a. Click the Advanced tab, click the EUS_Sun entry under Mapping Templates, and then click Apply to deploy the mapping.
b. Access the LDAP Adapter for Enterprise User Security and click the Plug-ins tab.
c. Select the ObjectclassMapper plug-in, click the Create Namespace button, enter cn=OracleContext,YOUR Mapped DOMAIN DN in Oracle Virtual Directory in the Namespace field, and then click the OK button.
d. Click the Create Mapping button, then select EUS_Sun.py, then enter a unique mapping name, then click the Create Namespace button, then enter the name of your domain in the Namespace field, and then click the OK button.
e. Click the Apply button.
7. Configure the Access Control Lists (ACLs) for the integration. Refer to Configuring Access Control Lists for the Enterprise User Security Integration on page 19-21 for details about each ACL. After you configure the ACLs, continue the integration by proceeding to step 8.
8. Update the realm information with Root Oracle Context by performing the following steps:
a. Edit the modifyRealm.ldif file to use your Oracle Directory Server Enterprise Edition domain name. If you use DN mappings between Oracle Virtual Directory and Oracle Directory Server Enterprise Edition, use the mapped DN in Oracle Virtual Directory.
b. Update the realm information using the following command:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \
-D bindDN -q -v -f modifyRealm.ldif
The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Oracle Directory Server Enterprise Edition are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

Note: To update the Oracle Directory Server Enterprise Edition-Oracle Virtual Directory configuration, edit the modifyRealm.ldif file and execute ldapmodify with the updated modifyRealm.ldif file.
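The ACL work (steps 17 and 18 of the Active Directory procedure above, and step 7 of this procedure, which points at the same list) is order-sensitive. The public Search and Read grant on All Attributes under the realm root is why the guide adds an explicit public Deny on authpassword and then, as the last ACL for dc=com, a Search and Read grant to the cn=EUSDBGroup dynamic group of registered databases; with the last two swapped, or the Deny omitted, the hashed password attribute is exposed to anonymous readers. The Python script below is an added example, not part of this guide or of Oracle Virtual Directory. It parses the guide's one-field-per-line ACL notation and checks those rules before the ACLs are typed into Oracle Directory Services Manager. The DN dc=oracle,dc=com stands in for the mapped OID domain, as in the step 16 LDIF, and the function names are my own.

```python
"""Parse and sanity-check the ordered OVD ACL list for the EUS integration.
Added example, not from the guide; dc=oracle,dc=com stands in for the mapped OID domain."""
from dataclasses import dataclass


@dataclass
class Acl:
    target: str      # Target DN
    scope: str
    applies_to: str  # "Entry", "All Attributes" or an attribute name
    effect: str      # "grant" or "deny"
    rights: str      # e.g. "Search and Read", "Browse DN and Return DN", "All"
    access: str      # "Public" or the DN of a group


# Field labels as the guide prints them, mapped onto Acl attributes.
LABELS = (("Target DN", "target"), ("Scope", "scope"), ("Applies To", "applies_to"),
          ("Grant", "rights"), ("Deny", "rights"), ("Access", "access"))


def parse_acls(text):
    """Parse the guide's one-field-per-line notation, preserving order. Each ACL starts
    at a 'Target DN' line; an ACL with a missing field raises TypeError from Acl(**cur)."""
    acls, cur = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        label, attr = next(((l, a) for l, a in LABELS if line.startswith(l + " ")), (None, None))
        if label is None:
            raise ValueError(f"unexpected ACL line: {line!r}")
        value = line[len(label):].strip()
        if attr == "target":
            if cur is not None:
                acls.append(Acl(**cur))
            cur = {}
        if attr == "rights":
            cur["effect"] = label.lower()
        if attr == "access" and value.startswith("Group with DN of:"):
            value = value[len("Group with DN of:"):].strip()
        cur[attr] = value
    if cur is not None:
        acls.append(Acl(**cur))
    return acls


def check_eus_acls(acls, realm_root="dc=com", password_attr="authpassword",
                   db_group="cn=EUSDBGroup", admin_group="cn=OracleContextAdmins"):
    """Return the guide's rules that the ordered list breaks; an empty list means it passes."""
    low = str.lower

    def public(a):
        return low(a.access) == "public"

    def first_rdn(dn):
        return low(dn.split(",")[0].strip())

    problems = []
    for a in acls:
        if a.effect == "grant" and public(a) and low(a.applies_to) == low(password_attr):
            problems.append(f"{password_attr} under {a.target} is readable by Public")
        if a.effect == "grant" and low(a.rights) == "all" and first_rdn(a.access) != low(admin_group):
            problems.append(f"'Grant All' on {a.target} goes to {a.access}, not to {admin_group}")
    # EUS browses and reads the schema, the Oracle Context, the schema version and the
    # realm root anonymously, so each needs the two public ACLs from step 17.
    for target in ("cn=subschemasubentry", "cn=OracleContext", "cn=OracleSchemaVersion", realm_root):
        have = {(low(a.applies_to), low(a.rights)) for a in acls
                if a.effect == "grant" and public(a) and low(a.target) == low(target)}
        for need in (("entry", "browse dn and return dn"), ("all attributes", "search and read")):
            if need not in have:
                problems.append(f"missing public '{need[1]}' on {need[0]} for {target}")
    # The public All Attributes grant on the realm root is why a public Deny on the hashed
    # password is required and the grant to the databases' group must be the last realm-root ACL.
    root = [a for a in acls if low(a.target) == low(realm_root)]
    if not any(a.effect == "deny" and public(a) and low(a.applies_to) == low(password_attr) for a in root):
        problems.append(f"no public Deny on {password_attr} under {realm_root}")
    last = root[-1] if root else None
    if not (last and last.effect == "grant" and low(last.rights) == "search and read"
            and low(last.applies_to) == low(password_attr) and first_rdn(last.access) == low(db_group)):
        problems.append(f"last ACL for {realm_root} must grant Search and Read on {password_attr} to {db_group}")
    return problems


def acl_text(target, applies_to, effect_rights, access):
    """One ACL in the guide's notation (scope is always subtree in the EUS list)."""
    return f"Target DN {target}\nScope subtree\nApplies To {applies_to}\n{effect_rights}\nAccess {access}\n"


OID = "dc=oracle,dc=com"  # assumption: the mapped OID domain, as in the step 16 LDIF
ADMINS = f"Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,{OID}"
# The twelve ACLs of steps 17 and 18, in the guide's order.
GUIDE_ACLS = "".join(
    [acl_text(t, a, g, "Public")
     for t in ("cn=subschemasubentry", "cn=OracleContext", "cn=OracleSchemaVersion", "dc=com")
     for a, g in (("Entry", "Grant Browse DN and Return DN"), ("All Attributes", "Grant Search and Read"))]
    + [acl_text("dc=com", "authpassword", "Deny All operations", "Public"),
       acl_text("dc=com", "authpassword", "Grant Search and Read", f"Group with DN of: cn=EUSDBGroup,{OID}"),
       acl_text(f"cn=OracleContext,{OID}", "Entry", "Grant All", ADMINS),
       acl_text(f"cn=OracleContext,{OID}", "All Attributes", "Grant All", ADMINS)])

if __name__ == "__main__":
    acls = parse_acls(GUIDE_ACLS)
    print(f"{len(acls)} ACLs parsed; problems: {check_eus_acls(acls) or 'none'}")
    swapped = acls[:8] + [acls[9], acls[8]] + acls[10:]  # Deny placed after the group grant
    print("mis-ordered list:", check_eus_acls(swapped))
```

Paste your own ACL list, as exported or as typed, into parse_acls and treat any non-empty result from check_eus_acls as a stop: the checker only encodes what the guide states (public browse and read where EUS needs it, no public access to the hashed password, Grant All reserved to cn=OracleContextAdmins, and the cn=EUSDBGroup grant last under dc=com), so it cannot vouch for customizations beyond that list.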
19.2.2.4 User Identities in Novell eDirectory
Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Novell eDirectory:
■ Configuring Novell eDirectory for the Integration
■ Configuring Oracle Virtual Directory for the Integration
19.2.2.4.1 Configuring Novell eDirectory for the Integration

Perform the following steps to configure Novell eDirectory for the integration:

1. Extend the eDirectory LDAP attribute and objectclass using the following command:

ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
-D bindDN -q -v -f eDirSchema.ldif

2. Modify X-NDS_CONTAINMENT in the groupofuniquenames objectclass by executing the following command:

ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
-D bindDN -q -v -f eDirgoun.ldif
3. Create a realm in Novell eDirectory by performing the following steps:
a. Open the eDirRealm.ldif file and replace all instances of the dc=oracle,dc=com string with the name of your domain.
b. Run the following command to create a realm in eDirectory using the eDirRealm.ldif file:

ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
-D bindDN -q -v -f eDirRealm.ldif

4. Configure the user and group containers by performing the following steps:
a. Open the eDirUserContainer.ldif file.
b. Replace all instances of the ou=users,dc=oracle,dc=com string with the name of your user container.
c. Replace all instances of the ou=groups,dc=oracle,dc=com string with the name of your group container.
d. Run the following command to configure the user and group containers:

ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
-D bindDN -q -v -f eDirUserContainer.ldif
5. Enable Universal Password in eDirectory and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.
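The directory-side preparation for Oracle Directory Server Enterprise Edition (section 19.2.2.3.1) and for eDirectory (steps 3 and 4 above) comes down to the same edit: replace the placeholder domain in the shipped LDIF templates and, when reusing existing containers, the placeholder user and group container DNs, then load the file with ldapmodify. Two things go wrong in practice. A plain search-and-replace that rewrites the domain first destroys the container placeholders, because cn=users,dc=us,dc=oracle,dc=com no longer matches once its suffix has changed; and a container from another domain passes a naive string check while violating the requirement that the user and group containers sit in the realm's domain. The Python script below is an added example, not part of this guide or of Oracle Virtual Directory: it rewrites a template with DN-aware, case-insensitive matching, checks container placement RDN by RDN, and derives the Adapter Suffix that the third Local Store Adapter needs later (dc=net for dc=example,dc=net). SAMPLE_TEMPLATE is a constructed stand-in for useiPlanetContainers.ldif (the real file in ORACLE_HOME/ovd/eus is not reproduced here) and the function names are my own.

```python
"""Prepare the EUS directory-side LDIF templates for your own domain.
Added example, not from the guide or the OVD distribution; names are my own."""
import re

# Placeholder DNs the guide names for the ODSEE templates (realmiPlanet.ldif,
# iPlanetContainers.ldif, useiPlanetContainers.ldif) and for the eDirectory ones.
IPLANET_PLACEHOLDERS = ("dc=us,dc=oracle,dc=com", "cn=users,dc=us,dc=oracle,dc=com",
                        "cn=groups,dc=us,dc=oracle,dc=com")
EDIR_PLACEHOLDERS = ("dc=oracle,dc=com", "ou=users,dc=oracle,dc=com", "ou=groups,dc=oracle,dc=com")

# Constructed stand-in for useiPlanetContainers.ldif; the real file ships in
# ORACLE_HOME/ovd/eus and its exact contents are not reproduced here.
SAMPLE_TEMPLATE = """\
dn: cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: modify
replace: orclcommonusersearchbase
orclcommonusersearchbase: cn=users,dc=us,dc=oracle,dc=com
-
replace: orclcommongroupsearchbase
orclcommongroupsearchbase: cn=groups,dc=us,dc=oracle,dc=com
"""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            cur.append(ch)
            escaped = not escaped
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def norm_rdn(rdn):
    """Case-fold type and value and squeeze whitespace (enough for dc/ou/cn realm checks)."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={' '.join(value.split()).lower()}"


def dn_is_under(dn, base):
    """True when dn lies strictly below base, compared RDN by RDN rather than by string suffix."""
    d = [norm_rdn(r) for r in split_dn(dn)]
    b = [norm_rdn(r) for r in split_dn(base)]
    return len(d) > len(b) and d[-len(b):] == b


def local_store_suffix(domain):
    """Adapter Suffix of the third Local Store Adapter: the domain's last RDN
    (dc=com for dc=adrealm,dc=com, dc=net for dc=example,dc=net)."""
    return split_dn(domain)[-1]


def substitute_dn(text, placeholder, replacement):
    """Replace every occurrence of placeholder, case-insensitively, whether it stands alone
    or ends a longer DN or an LDAP URL, but not when it merely prefixes a longer string
    (dc=us,dc=oracle,dc=company stays untouched)."""
    pattern = r"(?<!\w)" + re.escape(placeholder) + r"(?!\w)"
    return re.sub(pattern, lambda _m: replacement, text, flags=re.IGNORECASE)


def prepare_ldif(template, domain, user_container=None, group_container=None,
                 placeholders=IPLANET_PLACEHOLDERS):
    """Rewrite a template for the target realm; returns (ldif_text, problems).
    Container placeholders are substituted before the bare domain placeholder, because
    rewriting the domain first would change cn=users,dc=us,dc=oracle,dc=com out from under
    the container substitution. Containers outside the domain are reported, following the
    guide's note that user and group containers must be in the realm's domain."""
    ph_domain, ph_users, ph_groups = placeholders
    subs, problems = [(ph_domain, domain)], []
    for label, ph, dn in (("user", ph_users, user_container), ("group", ph_groups, group_container)):
        if dn is None:
            continue
        if not dn_is_under(dn, domain):
            problems.append(f"{label} container {dn} is not under {domain}")
        subs.append((ph, dn))
    text = template
    for ph, value in sorted(subs, key=lambda s: -len(s[0])):
        text = substitute_dn(text, ph, value)
    return text, problems


if __name__ == "__main__":
    ldif, problems = prepare_ldif(SAMPLE_TEMPLATE, "dc=superdemo,dc=net",
                                  "ou=people,dc=superdemo,dc=net", "ou=groups,dc=superdemo,dc=net")
    print(ldif)
    print("Local Store Adapter suffix:", local_store_suffix("dc=superdemo,dc=net"))
    print("problems:", problems or "none")
```

Write the returned text to a file and load it with the ldapmodify command the guide gives for that step (ORACLE_HOME/bin/ldapmodify -h host -p port -D bindDN -q -v -a -f prepared.ldif); refuse to load it while problems is non-empty. Calling prepare_ldif with no container arguments reproduces the "create new containers" variant, where only the domain placeholder changes.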
19.2.2.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

Note: Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.
1. Ensure you have performed all steps in Preparing Oracle Virtual Directory for the Enterprise User Security Integration on page 19-3 before proceeding with this procedure.
2. Download the NMAS toolkit from the Novell Developer Community Web site.
3. Upload this library to Oracle Virtual Directory by using Oracle Directory Services Manager. Refer to Loading Libraries into the Oracle Virtual Directory Server for more information. Restart the Oracle Virtual Directory server.
4. Start Oracle Directory Services Manager and connect to the Oracle Virtual Directory server.
5. Create three new Local Store Adapters using the following settings. Refer to Creating Local Store Adapters on page 12-23 for information on creating Local Store Adapters.
■ Use the Local_Storage_Adapter template for each adapter.
■ The Adapter Suffix for one Local Store Adapter must be cn=OracleContext; the Adapter Suffix for another must be cn=OracleSchemaVersion; and the Adapter Suffix for the third must be dc=com, unless your eDirectory domain is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.
■ The Database File and Backup File fields for each of the adapters must be unique.
6. Update and load the entries into the Local Store Adapters by performing the following steps:
a. Load the loadOVD.ldif file into Oracle Virtual Directory using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Enterprise User Security queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus directory.

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
-D bindDN -q -v -a -f loadOVD.ldif

b. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Novell eDirectory and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory. The realmRoot.ldif file is located in the ORACLE_HOME/ovd/eus directory.
c. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
-D bindDN -q -v -a -f realmRoot.ldif
Note: The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases, to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.
7. Create an LDAP Adapter for Enterprise User Security using the following settings and by entering the Novell eDirectory host information, including the appropriate Remote Base and Mapped Namespace. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.
■ Use the EUS_eDirectory template for the adapter.
■ Enable the Use SSL/TLS option.

8. Configure the Enterprise User Security plug-ins by performing the following steps:
a. Click the Advanced tab, click the EUS_EDir entry under Mapping Templates, and then click Apply to deploy the mapping.
b. Access the LDAP Adapter for Enterprise User Security and click the Plug-ins tab.
c. Select the ObjectclassMapper plug-in, click the Create Namespace button, enter cn=OracleContext,YOUR Mapped DOMAIN DN in Oracle Virtual Directory in the Namespace field, and then click the OK button.
d. Click the Create Mapping button, then select EUS_EDir.py, then enter a unique mapping name, and then click the OK button.
e. Click the Apply button.

9. Configure the Access Control Lists (ACLs) for the integration. Refer to Configuring Access Control Lists for the Enterprise User Security Integration on page 19-21 for details about each ACL. After you configure the ACLs, continue the integration by proceeding to step 10.
10. Update the realm information with Root Oracle Context by performing the following steps:
a. Edit the modifyRealm.ldif file to use your Novell eDirectory domain name. If you use DN mappings between Oracle Virtual Directory and Novell eDirectory, use the mapped DN in Oracle Virtual Directory.
b. Update the realm information using the following command:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \
-D bindDN -q -v -f modifyRealm.ldif
The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Novell eDirectory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.
19.2.2.5 User Identities in Oracle Internet Directory
Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Oracle Internet Directory:
■ Configuring Oracle Internet Directory for the Integration
■ Configuring Oracle Virtual Directory for the Integration
19.2.2.5.1 Configuring Oracle Internet Directory for the Integration

To configure Oracle Internet Directory for the integration, extend the Oracle Internet Directory LDAP attribute and objectclass using the following command: