Create a new LDAP Adapter for the second domain using the EUS_

■ A locked user account cannot be used to log in to the Oracle Database.

After performing the Oracle Virtual Directory-Enterprise User Security integration, you can enable user account lockout by performing the following steps.

Note: If you are using Oracle Internet Directory as the back-end LDAP server, skip steps 1 and 2 in the following procedure.

1. Create and configure the euslockout plug-in for the Enterprise User Security integration LDAP Adapter by referring to Managing Adapter Plug-ins on page 13-1. When you configure the euslockout plug-in, you must:
   ■ Create a directoryType parameter with a value that matches your back-end LDAP server: ActiveDirectory for Active Directory, iPlanet for Oracle Directory Server Enterprise Edition, or eDirectory for Novell eDirectory.
   ■ Create a namespace using the name of your user container.

2. If you are using Oracle Directory Server Enterprise Edition as a back-end LDAP server, you must configure an additional plug-in parameter on the Enterprise User Security integration LDAP Adapter. If you are using Novell eDirectory as a back-end LDAP server, go to step 3.
   a. Query Oracle Directory Server Enterprise Edition to determine its passwordMaxFailure value. For example:

      ORACLE_HOME/bin/ldapsearch -h Sun_Java_System_Directory_Server_Name \
        -D bindDN -q -s base -b "cn=password policy,cn=config" "objectclass=*" passwordmaxfailure

   b. Set the passwordMaxFailure parameter in the EUSiPlanet plug-in to the value returned by the query, so that the plug-in's failure threshold agrees with the server's password policy. Click the EUSiPlanet plug-in, then click the Create New Parameter button. Select passwordMaxFailure, enter the value in the Parameter field, and click OK.

3. Create the following Access Control Lists. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs.

   First ACL:
   Target DN: Your_User_Container
   Scope: subtree
   Applies To: orclaccountstatusevent
   Deny: All operations
   Access: Public

   Second ACL:
   Target DN: Your_User_Container
   Scope: subtree
   Applies To: orclaccountstatusevent
   Grant: Write
   Access: Group with DN of cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

   Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.

   Together, these two ACLs deny everyone access to orclaccountstatusevent by default and grant write access only to members of EUSDBGroup.

4. For Oracle Internet Directory, Oracle Directory Server Enterprise Edition, and Novell eDirectory, ensure that the proxy user configured for the Enterprise User Security LDAP Adapter has permission to modify the account lockout related attributes.
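The following script is an added example and is not part of the Oracle guide. It automates steps 2a and 2b above for Oracle Directory Server Enterprise Edition: it runs the documented ldapsearch against the password policy entry, extracts the passwordMaxFailure value, and refuses to print anything when the attribute is missing or non-numeric, so an administrator never types a guessed threshold into the EUSiPlanet plug-in. It assumes ORACLE_HOME is set and that ORACLE_HOME/bin/ldapsearch is Oracle's client, which prints attr=value lines by default and LDIF (attr: value) with -L; the host name, bind DN and sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: determine the passwordMaxFailure
# value of the DSEE password policy (step 2a) and print it for entry into the
# EUSiPlanet plug-in (step 2b). Assumes ORACLE_HOME is set and that
# ORACLE_HOME/bin/ldapsearch is Oracle's client; host and bind DN are placeholders.

# Read ldapsearch output on stdin and print the passwordMaxFailure value.
# Accepts both "attr=value" (Oracle ldapsearch default) and "attr: value" (LDIF, -L);
# attribute names are matched case-insensitively, as LDAP requires.
# Returns 1 and prints nothing when the attribute is absent or not numeric, so a
# caller never enters a guessed value into the plug-in.
parse_max_failure() {
    value=$(tr -d '\r' | awk '
        {
            line = tolower($0)
            if (line ~ /^passwordmaxfailure[=:] *[0-9]+ *$/) {
                sub(/^passwordmaxfailure[=:] */, "", line)
                sub(/ *$/, "", line)
                print line
                exit
            }
        }')
    case "$value" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# Run the query from step 2a against a live server. -q prompts for the bind
# password so it never appears on the command line or in shell history.
# Usage: query_max_failure dsee.example.com "cn=Directory Manager"
query_max_failure() {
    dsee_host=$1
    bind_dn=$2
    "${ORACLE_HOME:?ORACLE_HOME must be set}/bin/ldapsearch" \
        -h "$dsee_host" -D "$bind_dn" -q -s base \
        -b "cn=password policy,cn=config" "objectclass=*" passwordmaxfailure \
        | parse_max_failure
}

# Constructed sample of what the query returns, used here instead of a live DSEE.
SAMPLE_OUTPUT='cn=password policy,cn=config
passwordmaxfailure=3
'

# Demo against the constructed sample; prints 3.
printf '%s' "$SAMPLE_OUTPUT" | parse_max_failure
```

Because the pipeline's exit status is that of parse_max_failure, a script can stop with `query_max_failure host bindDN || exit 1` when the policy entry returns no lockout threshold, rather than configuring the plug-in with an empty or wrong value.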

19.2.6 Integration Limitations

The following is a list of known limitations of the Oracle Virtual Directory-Enterprise User Security integration:

■ The following functionality is not supported in the integration:
– DN mapping between Microsoft Active Directory and Oracle Virtual Directory when the Active Directory domain containing the domain DN is mapped to Oracle Virtual Directory. For example, mapping the Active Directory DN dc=us,dc=oracle,dc=com to dc=oracle,dc=com in Oracle Virtual Directory is not supported.
– Administrative Groups, except for OracleContextAdmins
– Enterprise Security Manager console to Oracle Internet Directory Delegated Administration Services
– Password Policy
– Client certificate authentication
– Kerberos authentication when integrating for use with Oracle Directory Server Enterprise Edition and Oracle Internet Directory
– User Migration Utility (UMU)
– Multiple Domain environments
– JDBC Thin Driver (you must use the OCI driver)
– Combined Microsoft Active Directory and Oracle Directory Server Enterprise Edition environments
■ Resetting the account lockout counter after a correct login is not available for Oracle Virtual Directory-Enterprise User Security integrations with Active Directory. Alternatively, Active Directory can reset the account lockout counter after a specified period has elapsed. You can use this option to prevent the lockout counter from accumulating indefinitely.
■ In the Enterprise Security Manager interface:
– Listed databases may sometimes include an Active Directory tombstone entry.
– Database and Oracle Internet Directory version information is not available.

19.3 Integrating with Oracle’s Net Services

This topic describes how to integrate Oracle Virtual Directory with Oracle Database Net Services to centralize name services with Oracle Internet Directory, Microsoft Active Directory, and Oracle Directory Server Enterprise Edition. This topic contains the following sections:

■ Overview
■ Starting the Integration
■ Integrating for Use with Microsoft Active Directory
■ Integrating for Use with Oracle Directory Server Enterprise Edition
■ Integrating for Use with Oracle Internet Directory

19.3.1 Overview

Oracle Virtual Directory can be integrated with Oracle's Net Services database product. Integrating Oracle Virtual Directory and Net Services enhances and simplifies your name service capabilities by allowing you to use service entries stored in an external LDAP repository without any additional synchronization.

19.3.2 Starting the Integration

This section lists the common steps required for all Oracle Virtual Directory-Net Services integrations. Perform the steps in this section first to start the integration, then proceed to the subsequent section specific to Oracle Internet Directory, Microsoft Active Directory, or Oracle Directory Server Enterprise Edition. Different steps are presented depending on which of these directories you are integrating Oracle Virtual Directory with Net Services for. Perform only the steps appropriate for your environment.

Perform the following steps to start the Oracle Virtual Directory-Net Services integration process:

1. Create a back-up copy of the ORACLE_HOME/ovd/eus directory.
2. Create the subschemasubentry plug-in as a global server plug-in. Refer to Managing Global Server Plug-ins on page 13-4 for steps on creating server plug-ins.

19.3.3 Integrating for Use with Microsoft Active Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Microsoft Active Directory. Perform these only after you have completed the steps in the Starting the Integration section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Microsoft Active Directory includes the following tasks:

■ Configuring Active Directory for the Integration
■ Configuring Oracle Virtual Directory for the Integration

19.3.3.1 Configuring Active Directory for the Integration

Perform the following steps to configure Active Directory for the integration:

1. Make a back-up copy of your Active Directory image. The schema extensions inside Active Directory are permanent and cannot be undone; the back-up image is the only way to restore the directory to its previous state if required.
2. Load the schema required by Net Services into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory:

   java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
     -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
     -AD Active_Directory_Domain_DN