Proxy Authorization Support Plug-In

apply a consistent security and audit trail that maps to the authenticated user, which is called identity propagation. The Proxy Authorization Support plug-in leverages the proxy authentication capability of enterprise directories so that, even though the user is actually authenticated in Active Directory, the user identity can be propagated to one or more other sources. Security and audit in these additional sources are then mapped to the actual user authenticated to Oracle Virtual Directory and not to an application account stored in Oracle Virtual Directory. The Proxy Authorization Support plug-in constructs the client DN, adds a proxy authorization control containing this client DN to the request, and then passes the request to the back-end LDAP server. The LDAP server authenticates the request using the Oracle Virtual Directory Proxy DN and processes the operation using the client user identity specified in the proxy authorization control, without requiring any changes to the client application. When you configure the Proxy Authorization Support plug-in, you must also configure the directory to support the proxy control you are going to pass.

4.2.18.1 Configuration Parameters

The following is a list and description of the Proxy Authorization Support plug-in configuration parameters:

remoteBase
An optional parameter used as the parent DN to construct the user authorization DN that is passed in the Proxy Authorization Control. Defaults to the same value as the adapter's remoteBase.

directoryType
An optional parameter that indicates the directory type. Allowable values are OID and SunOne. SunOne is the default value, and only this value is supported in this release.
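The control the plug-in attaches, worked through as an added example (not Oracle's code): the client DN is built under remoteBase and wrapped in the RFC 4370 Proxied Authorization Control, whose OID and BER layout come from that RFC. The RDN attribute (uid) and the sample DN values are assumptions; the page does not show how the plug-in derives the RDN.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370 Proxied Authorization Control (v2)

def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so a client-supplied name cannot splice
    extra RDNs into the DN the back-end directory is told to act as."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:          # control characters go out as \XX hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def client_dn(rdn_attr: str, rdn_value: str, remote_base: str) -> str:
    """Build the authorization DN under remoteBase (RDN attribute is an assumption)."""
    return f"{rdn_attr}={escape_rdn_value(rdn_value)},{remote_base}"

def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def proxy_authz_control(dn: str, critical: bool = True) -> bytes:
    """BER-encode Control ::= SEQUENCE { controlType, criticality, controlValue }
    with controlValue = authzId "dn:<DN>". RFC 4370 requires criticality TRUE, so a
    server that does not understand the control fails the request instead of
    silently running it as Oracle Virtual Directory's Proxy DN."""
    control_type = ber(0x04, PROXY_AUTHZ_OID.encode("ascii"))
    criticality = ber(0x01, b"\xff" if critical else b"\x00")
    value = ber(0x04, ("dn:" + dn).encode("utf-8"))
    return ber(0x30, control_type + criticality + value)

if __name__ == "__main__":
    dn = client_dn("uid", "alice", "ou=People,dc=example,dc=com")  # constructed sample
    print(dn, proxy_authz_control(dn).hex())
```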

4.2.19 UserManagement Plug-In

The UserManagement plug-in provides data mapping of Oracle Identity Manager attributes to LDAP directory servers.

4.2.19.1 Configuration Parameters

The UserManagement plug-in has the following configuration parameters:

oimLanguages
Comma-separated list of language codes to be used in attribute language subtypes. This parameter is functional only when the directoryType parameter is set to ActiveDirectory.

oamEnabled
True or False: indicates whether Oracle Access Manager is deployed with Oracle Identity Manager. By default, Oracle Access Manager is not deployed, so the default setting for this parameter is false.
Note: The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

directoryType
Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.
Note: The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

ssladapter
The ssladapter parameter, which is operational only when the directoryType parameter is set to ActiveDirectory, identifies the name of the adapter to which the UserManagement plug-in routes requests that contain userPassword or unicodePwd. If unicodePwd is contained in the request, the request must also contain the useraccountControl attribute with a proper value. The adapter identified by the ssladapter parameter must have:
■ The same local base as the adapter the UserManagement plug-in is configured on
■ Its Routing Visibility set to Internal
If no value is set for ssladapter, the current adapter is used by default.

mapAttribute
Defines the attribute translation in the form OVD-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.

mapPassword
True or False. When the directoryType configuration parameter is set to ActiveDirectory, the mapPassword parameter controls whether to convert the user password to the unicodePwd attribute. The default value is false.

mapRDNAttribute
Defines the RDN attribute translation in the form OVD-RDNattribute=OIM-RDNattribute, for example: uid=cn.

pwdMaxFailure
Identifies the maximum number of failed logins the source LDAP directory server requires to lock an account, as defined by the password policy in effect on the user entries exposed through the adapter on which this plug-in is deployed.

mapObjectclass
Defines the objectclass value translation in the form OVD-objectclass=OIM-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.
Note: The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

addAttribute
In the form of attribute=value pairs, this parameter identifies attributes to be added before returning the get operation result. You can prefix the attribute name with an objectclass and a comma to add the attribute and value only to entries of that objectclass. You can also surround a value with to reference other attributes. For example, specifying the value user,samaccountname=cn assigns the value of cn to samaccountname.
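How the mapAttribute, mapObjectclass, mapRDNAttribute, addAttribute and mapPassword settings act on one outbound entry, as an added example (not Oracle's code). Parameter syntax follows the page; the entry, DN, config values and the unicodePwd encoding rule (Active Directory's quoted UTF-16LE form) are this example's own, and the attribute-reference feature of addAttribute is not implemented because the page does not show its delimiter.

```python
def parse_pairs(values):
    """'orclGUID=objectGuid' -> {'orclguid': 'objectGuid'}; LDAP names are
    case-insensitive, so left-hand keys are lower-cased for lookup."""
    pairs = {}
    for item in values:
        left, right = item.split("=", 1)
        pairs[left.strip().lower()] = right.strip()
    return pairs

def to_unicode_pwd(password: str) -> bytes:
    # Active Directory expects unicodePwd as the password wrapped in double
    # quotes and encoded as UTF-16LE.
    return ('"' + password + '"').encode("utf-16-le")

def translate_dn(dn: str, rdn_map) -> str:
    """Apply mapRDNAttribute (e.g. uid=cn) to the leading RDN of a DN."""
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    new_rdn = f"{rdn_map.get(attr.lower(), attr)}={value}"
    return new_rdn + ("," + parent if parent else "")

def translate_entry(entry, config):
    attr_map = parse_pairs(config.get("mapAttribute", []))
    oc_map = parse_pairs(config.get("mapObjectclass", []))
    map_pwd = (config.get("directoryType") == "ActiveDirectory"
               and config.get("mapPassword", "false").lower() == "true")
    out = {}
    for name, values in entry.items():
        key = name.lower()
        if key == "objectclass":
            out["objectClass"] = [oc_map.get(v.lower(), v) for v in values]
        elif key == "userpassword" and map_pwd:
            out["unicodePwd"] = [to_unicode_pwd(v) for v in values]
        else:
            out[attr_map.get(key, name)] = list(values)
    if "unicodePwd" in out and not any(k.lower() == "useraccountcontrol" for k in out):
        # The plug-in requires useraccountControl to accompany unicodePwd.
        raise ValueError("unicodePwd requires useraccountControl in the same request")
    classes = {c.lower() for c in out.get("objectClass", [])}
    for item in config.get("addAttribute", []):   # "attr=value" or "objectclass,attr=value"
        target, _, value = item.partition("=")
        oc, _, attr = target.rpartition(",")
        if not oc or oc.lower() in classes:
            out.setdefault(attr, []).append(value)
    return out
```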