Click the Apply button.

Configuring Oracle Virtual Directory for Integrated Directory Solutions 19-11
19-12 Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

13. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

    ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
      -D bindDN -q -v -a -f realmRoot.ldif

Note: The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases, to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

14. Create a new LDAP Adapter for the user search base in Active Directory using the following settings and by entering the Active Directory host information, including the Remote Base. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.

■ Use the EUS_ActiveDirectory template for the adapter.
■ For Remote Base, enter the container in Active Directory, for example: cn=users,dc=adrealm,dc=com

15. Check if the EUSActiveDirectory.py mapping is already deployed. If it is, go to step 16 now. If the EUSActiveDirectory.py mapping is not deployed, you must create a mapping for the Active Directory user search base adapter: click the Create Mapping button, select EUSActiveDirectory.py, enter a unique mapping name, click the OK button, and then click the Apply button.

16. Add the Mapped Namespace to the orclcommonusersearchbase attribute under cn=Common,cn=Products,cn=oraclecontext,OID realm. You can use an LDIF file such as:

    dn: cn=Common,cn=Products,cn=oraclecontext,dc=oracle,dc=com
    changetype: modify
    add: orclcommonusersearchbase
    orclcommonusersearchbase: cn=users,dc=adrealm,dc=com

17. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

Target DN               Scope    Applies To      Grant or Deny                  Access
cn=subschemasubentry    subtree  Entry           Grant Browse DN and Return DN  Public
cn=subschemasubentry    subtree  All Attributes  Grant Search and Read          Public
cn=OracleContext        subtree  Entry           Grant Browse DN and Return DN  Public
cn=OracleContext        subtree  All Attributes  Grant Search and Read          Public
cn=OracleSchemaVersion  subtree  Entry           Grant Browse DN and Return DN  Public
cn=OracleSchemaVersion  subtree  All Attributes  Grant Search and Read          Public
dc=com                  subtree  Entry           Grant Browse DN and Return DN  Public
dc=com                  subtree  All Attributes  Grant Search and Read          Public
dc=com                  subtree  authpassword    Deny All operations            Public
dc=com                  subtree  authpassword    Grant Search and Read          Group with DN of: cn=EUSDBGroup,Your Mapped OID domain

Note: The last ACL in this table (the Search and Read grant on authpassword to the cn=EUSDBGroup group) must be the last ACL in the ACL list for dc=com.

18. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

Target DN                     Scope    Applies To      Grant      Access
cn=OracleContext,YOUR DOMAIN  subtree  Entry           Grant All  Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN
cn=OracleContext,YOUR DOMAIN  subtree  All Attributes  Grant All  Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN

19. Set the ACLs in the Oracle Internet Directory to protect the data under cn=OracleContext,YOUR DOMAIN.

19.2.2.3 User Identities in Oracle Directory Server Enterprise Edition

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Oracle Directory Server Enterprise Edition:

■ Configuring Oracle Directory Server Enterprise Edition for the Integration
■ Configuring Oracle Virtual Directory for the Integration
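The ACL list in steps 17 and 18 above carries two rules that are easy to break when an installation has customized ACLs: no ACL may grant Public anything on authpassword (the hashed Enterprise User Security password), and the Search and Read grant on authpassword to the EUS database group must be the last ACL for the domain root. The following lint is an added example, not code from the Oracle guide: it encodes the step 17 table as data (the `Acl` class, `EUS_ACLS` and `lint_eus_acls` are constructed here, and "Your Mapped OID domain" is the guide's own placeholder) and reports any deviation from those rules before the list is entered into Oracle Directory Services Manager.

```python
# Added example (not from the Oracle guide): a lint over the EUS ACL list in
# steps 17 and 18, checking the constraints the guide states for authpassword.
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    target: str          # Target DN
    applies_to: str      # "Entry", "All Attributes" or an attribute name
    rights: str          # "Browse DN and Return DN", "Search and Read", "All operations", "All"
    access: str          # "Public" or "Group with DN of: <group dn>"
    deny: bool = False   # True for a Deny row, False for a Grant row
    scope: str = "subtree"


def _public_rows(target: str):
    """The two Public rows the guide lists for every target DN."""
    return [
        Acl(target, "Entry", "Browse DN and Return DN", "Public"),
        Acl(target, "All Attributes", "Search and Read", "Public"),
    ]


# The step 17 table, in the order the guide lists it.
EUS_DB_GROUP = "cn=EUSDBGroup,Your Mapped OID domain"   # placeholder taken from the guide
EUS_ACLS = (
    _public_rows("cn=subschemasubentry")
    + _public_rows("cn=OracleContext")
    + _public_rows("cn=OracleSchemaVersion")
    + _public_rows("dc=com")
    + [
        Acl("dc=com", "authpassword", "All operations", "Public", deny=True),
        Acl("dc=com", "authpassword", "Search and Read", f"Group with DN of: {EUS_DB_GROUP}"),
    ]
)


def lint_eus_acls(acls, domain_root="dc=com"):
    """Return a list of problems; an empty list means the ACLs follow the guide's rules."""
    problems = []
    root = domain_root.lower()

    # Rule 1: nothing may grant Public any right on authpassword, anywhere.
    for i, acl in enumerate(acls):
        if acl.applies_to.lower() == "authpassword" and not acl.deny and acl.access.lower() == "public":
            problems.append(f"ACL {i}: Public is granted '{acl.rights}' on authpassword under {acl.target}")

    # Rule 2: the domain root needs the explicit Deny of authpassword to Public ...
    root_acls = [a for a in acls if a.target.lower() == root]
    has_deny = any(a.applies_to.lower() == "authpassword" and a.deny and a.access.lower() == "public"
                   for a in root_acls)
    if not has_deny:
        problems.append(f"{domain_root}: missing 'Deny All operations on authpassword to Public'")

    # ... and the group grant on authpassword must be the last ACL for that root.
    if not root_acls:
        problems.append(f"{domain_root}: no ACLs defined")
        return problems
    last = root_acls[-1]
    is_group_grant = (last.applies_to.lower() == "authpassword" and not last.deny
                      and last.access.lower().startswith("group"))
    if not is_group_grant:
        problems.append(f"{domain_root}: the last ACL must be the authpassword grant to the EUS database group")
    return problems


if __name__ == "__main__":
    print("guide's table:", lint_eus_acls(EUS_ACLS) or "OK")
    reordered = EUS_ACLS[:-2] + [EUS_ACLS[-1], EUS_ACLS[-2]]
    print("deny moved after the group grant:", lint_eus_acls(reordered))
```

Pass `domain_root="dc=net"` when the Local Store Adapter suffix is dc=net rather than dc=com; the rows for the other targets are checked regardless of root.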

19.2.2.3.1 Configuring Oracle Directory Server Enterprise Edition for the Integration

Perform the following steps to configure Oracle Directory Server Enterprise Edition for the integration:

1. Extend the iPlanet LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
      -D "cn=directory manager" -q -v -a -f ./iPlanetSchema.ldif

2. Create a realm in iPlanet by performing the following steps:

   a. Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.
   b. Run the following command to create a realm in iPlanet using the realmiPlanet.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
        -D "cn=directory manager" -q -v -a -f ./realmiPlanet.ldif

3. Configure the user and group containers by either creating new user and group containers, or using existing user and group containers.

   Creating New User and Group Containers

   a. Open the iPlanetContainers.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.
   b. Run the following command to create user and group containers in iPlanet using the iPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
        -D "cn=directory manager" -q -v -a -f ./iPlanetContainers.ldif

   Using Existing User and Group Containers

   a. Open the useiPlanetContainers.ldif file.
   b. Replace all instances of the cn=users,dc=us,dc=oracle,dc=com string with the name of your user container.
   c. Replace all instances of the cn=groups,dc=us,dc=oracle,dc=com string with the name of your group container.
   d. Run the following command to create a realm in iPlanet using the useiPlanetContainers.ldif file:

      ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
        -D "cn=directory manager" -q -v -a -f ./useiPlanetContainers.ldif

19.2.2.3.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

Note: Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

1. Ensure you have performed all steps in Preparing Oracle Virtual Directory for the Enterprise User Security Integration on page 19-3 before proceeding with this procedure.

2. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

3. Create three new Local Store Adapters using the following settings. Refer to Creating Local Store Adapters on page 12-23 for information on creating Local Store Adapters.

■ Use the Local_Storage_Adapter template for each adapter.
■ The Adapter Suffix for one Local Store Adapter must be cn=OracleContext; the Adapter Suffix for another must be cn=OracleSchemaVersion; and the Adapter Suffix for the third must be dc=com, unless your Sun Java System Directory domain is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.
■ The Database File and Backup File fields for each of the adapters must be unique.

4. Update and load the entries into the Local Store Adapters by performing the following steps:

   a. Extend the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Enterprise User Security queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus directory.

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
        -D bindDN -q -v -a -f loadOVD.ldif

   b. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Oracle Directory Server Enterprise Edition and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory. The realmRoot.ldif file is located in the ORACLE_HOME/ovd/eus directory.

   c. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
        -D bindDN -q -v -a -f realmRoot.ldif

Note: The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases, to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

5. Create an LDAP Adapter for Enterprise User Security using the following settings and by entering the Oracle Directory Server Enterprise Edition host information, including the appropriate Remote Base and Mapped Namespace. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.

■ Use the EUS_Sun template for the adapter.
■ The proxy DN user must be able to read the userPassword attribute in Oracle Directory Server Enterprise Edition. After creating the LDAP Adapter for Enterprise User Security, DBCA adds a user under cn=oraclecontext,YOUR Mapped DOMAIN DN in Oracle Virtual Directory. Make sure this user can read the userPassword attribute in Oracle Directory Server Enterprise Edition.

6. Configure the Enterprise User Security plug-ins by performing the following steps:

   a. Click the Advanced tab, click the EUS_Sun entry under Mapping Templates, and then click Apply to deploy the mapping.
   b. Access the LDAP Adapter for Enterprise User Security and click the Plug-ins tab.
   c. Select the ObjectclassMapper plug-in, click the Create Namespace button, enter cn=OracleContext,YOUR Mapped DOMAIN DN in Oracle Virtual Directory in the Namespace field, and then click the OK button.
   d. Click the Create Mapping button, then select EUS_Sun.py, then enter a unique mapping name, then click the Create Namespace button, then enter the name of your domain in the Namespace field, and then click the OK button.
   e. Click the Apply button.

7. Configure the Access Control Lists (ACLs) for the integration. Refer to Configuring Access Control Lists for the Enterprise User Security Integration on page 19-21 for details about each ACL. After you configure the ACLs, continue the integration by proceeding to step 8.

8. Update the realm information with Root Oracle Context by performing the following steps:

   a. Edit the modifyRealm.ldif file to use your Oracle Directory Server Enterprise Edition domain name. If you use DN mappings between Oracle Virtual Directory and Oracle Directory Server Enterprise Edition, use the mapped DN in Oracle Virtual Directory.
   b. Update the realm information using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \
        -D bindDN -q -v -f modifyRealm.ldif

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Oracle Directory Server Enterprise Edition are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

Note: To update the Oracle Directory Server Enterprise Edition-Oracle Virtual Directory configuration, edit the modifyRealm.ldif file and execute ldapmodify with the updated modifyRealm.ldif file.

19.2.2.4 User Identities in Novell eDirectory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Novell eDirectory:

■ Configuring Novell eDirectory for the Integration
■ Configuring Oracle Virtual Directory for the Integration

19.2.2.4.1 Configuring Novell eDirectory for the Integration

Perform the following steps to configure Novell eDirectory for the integration:

1. Extend the eDirectory LDAP attribute and objectclass using the following command:

    ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
      -D bindDN -q -v -f eDirSchema.ldif

2. Modify X-NDS_CONTAINMENT in the groupofuniquenames objectclass by executing the following command:

    ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
      -D bindDN -q -v -f eDirgoun.ldif

3. Create a realm in Novell eDirectory by performing the following steps:

   a. Open the eDirRealm.ldif file and replace all instances of the dc=oracle,dc=com string with the name of your domain.
   b. Run the following command to create a realm in eDirectory using the eDirRealm.ldif file:

      ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
        -D bindDN -q -v -f eDirRealm.ldif

4. Configure the user and group containers by performing the following steps:

   a. Open the eDirUserContainer.ldif file.
   b. Replace all instances of the ou=users,dc=oracle,dc=com string with the name of your user container.
   c. Replace all instances of the ou=groups,dc=oracle,dc=com string with the name of your group container.
   d. Run the following command to configure the user and group containers:

      ORACLE_HOME/bin/ldapmodify -h eDirectory_Host_Name -p eDirectory_Port \
        -D bindDN -q -v -f eDirUserContainer.ldif

5. Enable Universal Password in eDirectory and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.
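The iPlanet steps in 19.2.2.3.1, the eDirectory steps above, and the realmRoot.ldif updates in the Oracle Virtual Directory procedures all rely on replacing a template DN string (dc=us,dc=oracle,dc=com or dc=oracle,dc=com) with your own domain by hand, and the accompanying note requires every user and group container to sit inside that domain. A plain text search misses a DN that LDIF has folded across two lines or base64-encoded, so the following helpers, an added example that is not code from the Oracle guide, unfold and decode before substituting, and check a container DN against the domain. The function names and the SAMPLE_LDIF text are constructed for this example; the shipped template files may contain attributes (dc, o, orclsubscriberfullname) that still need a separate edit.

```python
# Added example (not part of the Oracle guide): LDIF domain substitution and a
# container-in-domain check for the manual edits the steps above describe.
import base64
import re


def parse_dn(dn: str):
    """Split a DN into lower-cased (attribute, value) RDN pairs.
    Handles the simple DNs used in this chapter: escaped commas are honoured,
    multi-valued RDNs (a=1+b=2) are not."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_domain(container_dn: str, domain_dn: str) -> bool:
    """True if container_dn is the domain itself or lies beneath it, which is
    what the note in the guide requires of user and group containers."""
    container, domain = parse_dn(container_dn), parse_dn(domain_dn)
    return len(container) >= len(domain) and container[-len(domain):] == domain


def unfold_ldif(ldif_text: str) -> str:
    """Join LDIF continuation lines (a line starting with one space continues
    the previous line), so a DN folded across lines can be matched."""
    return re.sub(r"\r?\n ", "", ldif_text)


_B64_LINE = re.compile(r"^([A-Za-z][\w.;-]*)::\s*(\S*)\s*$")


def rewrite_ldif_dn(ldif_text: str, old_dn: str, new_dn: str) -> str:
    """Replace every instance of old_dn with new_dn (case-insensitive), including
    inside folded lines and base64-encoded ('attr:: ...') values."""
    pattern = re.compile(re.escape(old_dn), re.IGNORECASE)
    out = []
    for line in unfold_ldif(ldif_text).split("\n"):
        match = _B64_LINE.match(line)
        if match:
            attr, raw = match.groups()
            try:
                value = base64.b64decode(raw).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                out.append(line)          # binary value: leave it untouched
                continue
            new_value = pattern.sub(new_dn, value)
            if new_value != value:
                line = f"{attr}:: {base64.b64encode(new_value.encode()).decode()}"
        else:
            line = pattern.sub(new_dn, line)
        out.append(line)
    return "\n".join(out)


def ldif_values(ldif_text: str, attr: str):
    """Return the decoded values of attr from an LDIF text, for checking the edit."""
    values = []
    for line in unfold_ldif(ldif_text).split("\n"):
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


# Constructed sample in the shape of the shipped template files: one folded
# line and one base64-encoded value, both containing the template domain.
TEMPLATE_DOMAIN = "dc=us,dc=oracle,dc=com"
SAMPLE_LDIF = (
    "dn: cn=users,dc=us,dc=oracle,dc=com\n"
    "objectclass: top\n"
    "objectclass: orclContainer\n"
    "cn: users\n"
    "memberurl: ldap:///cn=users,dc=us,dc=oracle,\n"
    " dc=com??sub?(objectclass=*)\n"
    "description:: " + base64.b64encode(b"Users under cn=users,dc=us,dc=oracle,dc=com").decode() + "\n"
)


if __name__ == "__main__":
    my_domain = "dc=superdemo,dc=net"
    print(rewrite_ldif_dn(SAMPLE_LDIF, TEMPLATE_DOMAIN, my_domain))
    for container in ("ou=people,dc=superdemo,dc=net", "ou=people,dc=ultrademo,dc=org"):
        print(container, "->", "valid" if is_under_domain(container, my_domain) else "NOT in domain")
```

Run the rewrite over each template file, then confirm with `ldif_values(text, "dn")` that no entry still carries the template domain before passing the file to ldapmodify; the container check reproduces the note's example, accepting ou=people,dc=superdemo,dc=net and rejecting ou=people,dc=ultrademo,dc=org for the domain dc=superdemo,dc=net.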

19.2.2.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

Note: Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

1. Ensure you have performed all steps in Preparing Oracle Virtual Directory for the Enterprise User Security Integration on page 19-3 before proceeding with this procedure.

2. Download the NMAS toolkit from the Novell Developer Community Web site.

3. Upload this library to Oracle Virtual Directory by using Oracle Directory Services Manager. Refer to Loading Libraries into the Oracle Virtual Directory Server for more information. Restart the Oracle Virtual Directory server.

4. Start Oracle Directory Services Manager and connect to the Oracle Virtual Directory server.

5. Create three new Local Store Adapters using the following settings. Refer to Creating Local Store Adapters on page 12-23 for information on creating Local Store Adapters.

■ Use the Local_Storage_Adapter template for each adapter.
■ The Adapter Suffix for one Local Store Adapter must be cn=OracleContext; the Adapter Suffix for another must be cn=OracleSchemaVersion; and the Adapter Suffix for the third must be dc=com, unless your eDirectory domain is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.
■ The Database File and Backup File fields for each of the adapters must be unique.

6. Update and load the entries into the Local Store Adapters by performing the following steps:

   a. Extend the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Enterprise User Security queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus directory.

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
        -D bindDN -q -v -a -f loadOVD.ldif

   b. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Novell eDirectory and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory. The realmRoot.ldif file is located in the ORACLE_HOME/ovd/eus directory.

   c. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
        -D bindDN -q -v -a -f realmRoot.ldif

Note: The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases, to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.

7. Create an LDAP Adapter for Enterprise User Security using the following settings and by entering the Novell eDirectory host information, including the appropriate Remote Base and Mapped Namespace. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.

■ Use the EUS_eDirectory template for the adapter.
■ Enable the Use SSL/TLS option.

8. Configure the Enterprise User Security plug-ins by performing the following steps:

   a. Click the Advanced tab, click the EUS_EDir entry under Mapping Templates, and then click Apply to deploy the mapping.
   b. Access the LDAP Adapter for Enterprise User Security and click the Plug-ins tab.
   c. Select the ObjectclassMapper plug-in, click the Create Namespace button, enter cn=OracleContext,YOUR Mapped DOMAIN DN in Oracle Virtual Directory in the Namespace field, and then click the OK button.
   d. Click the Create Mapping button, then select EUS_EDir.py, then enter a unique mapping name, and then click the OK button.
   e. Click the Apply button.

9. Configure the Access Control Lists (ACLs) for the integration. Refer to Configuring Access Control Lists for the Enterprise User Security Integration on page 19-21 for details about each ACL. After you configure the ACLs, continue the integration by proceeding to step 10.

10. Update the realm information with Root Oracle Context by performing the following steps:

   a. Edit the modifyRealm.ldif file to use your Novell eDirectory domain name. If you use DN mappings between Oracle Virtual Directory and Novell eDirectory, use the mapped DN in Oracle Virtual Directory.
   b. Update the realm information using the following command:

      ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \
        -D bindDN -q -v -f modifyRealm.ldif

The steps to configure Oracle Virtual Directory for integration with Enterprise User Security and use with Novell eDirectory are complete. Continue the integration process and configure Enterprise User Security by referring to the Oracle Database Enterprise User Administrator's Guide.

19.2.2.5 User Identities in Oracle Internet Directory

Perform the following procedures to integrate Oracle Virtual Directory with Enterprise User Security for user identities stored in Oracle Internet Directory:

■ Configuring Oracle Internet Directory for the Integration
■ Configuring Oracle Virtual Directory for the Integration

19.2.2.5.1 Configuring Oracle Internet Directory for the Integration

To configure Oracle Internet Directory for the integration, extend the Oracle Internet Directory LDAP attribute and objectclass using the following command: