19-22 Oracle Fusion Middleware Administrators Guide for Oracle Virtual Directory
ACL continued from the previous page (its Target DN and Scope are not part of this excerpt):
Applies To: All Attributes
Grant: Search and Read
Access: Public

Target DN: cn=OracleSchemaVersion
Scope: subtree
Applies To: Entry
Grant: Browse DN and Return DN
Access: Public

Target DN: cn=OracleSchemaVersion
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public

Target DN: dc=com
Scope: subtree
Applies To: Entry
Grant: Browse DN and Return DN
Access: Public

Target DN: dc=com
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public

Target DN: dc=com
Scope: subtree
Applies To: authpassword
Deny: All operations
Access: Public

Note: The following ACL must be the last ACL in the ACL list for dc=com.

Target DN: dc=com
Scope: subtree
Applies To: authpassword
Grant: Search and Read
Access: Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.

2. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

Target DN: cn=OracleContext,YOUR DOMAIN
Scope: subtree
Applies To: Entry
Grant: All
Access: Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN

Target DN: cn=OracleContext,YOUR DOMAIN
Scope: subtree
Applies To: All Attributes
Grant: All
Access: Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN

3. Set the ACLs in the external directory to protect the data under cn=OracleContext,YOUR DOMAIN.

4. Give write permission to the cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN group.

19.2.4 Configuring Oracle Virtual Directory to Support Multiple Enterprise User Security Domains

Perform the following steps to configure Oracle Virtual Directory to allow Enterprise User Security users contained in multiple domains to authenticate to a database:

1. Configure the first domain using the instructions in Integrating Oracle Virtual Directory with External Directories on page 19-4.
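The ACL lists in this chapter follow one pattern: everyone may browse entries and read ordinary attributes, but the password attribute (authpassword) is denied to Public and then granted Search and Read only to the database group, and that grant must be the last ACL for the namespace. The following is an added example, not code from the guide, that parses ACLs written in the guide's Target DN / Scope / Applies To / Grant or Deny / Access layout and checks those rules; it generalises to the orclaccountstatusevent attribute that the account-lockout ACLs in section 19.2.5 protect the same way (Public denied, Write granted to the database group only). The parser, the check functions and the sample group DN are this example's own assumptions.

```python
# Added example (not from the Oracle guide): parse ACLs written in the guide's
# "Target DN / Scope / Applies To / Grant or Deny / Access" layout and check the
# rules the guide states for an Enterprise User Security namespace. The sample
# ACL list and the group DN below are constructed values.
from __future__ import annotations

from dataclasses import dataclass

FIELDS = ("Target DN", "Applies To", "Scope", "Grant", "Deny", "Access")
GROUP_PREFIX = "Group with DN of"


@dataclass
class Acl:
    target_dn: str
    scope: str
    applies_to: str   # lower-cased attribute name, "entry" or "all attributes"
    effect: str       # "Grant" or "Deny"
    rights: str       # e.g. "Search and Read", "Write", "All operations"
    access: str       # "Public" or "Group with DN of: <dn>"


def _split_field(line: str) -> tuple[str, str]:
    """Return (field name, value) for one ACL line; a ':' after the name is optional."""
    for name in FIELDS:
        if line.startswith(name):
            return name, line[len(name):].lstrip(": ").strip()
    raise ValueError(f"unrecognised ACL line: {line!r}")


def _normalise_access(value: str) -> str:
    """Make 'Group with DN of cn=x.' and 'Group with DN of: cn=x' compare equal."""
    if value.startswith(GROUP_PREFIX):
        dn = value[len(GROUP_PREFIX):].lstrip(": ").rstrip(". ")
        return f"{GROUP_PREFIX}: {dn}"
    return value


def parse_acls(text: str) -> list[Acl]:
    """Parse blank-line separated ACL blocks, preserving list order (order matters)."""
    acls = []
    for block in text.strip().split("\n\n"):
        fields = dict(_split_field(line) for line in block.strip().splitlines())
        effect = "Deny" if "Deny" in fields else "Grant"
        acls.append(Acl(target_dn=fields["Target DN"], scope=fields["Scope"],
                        applies_to=fields["Applies To"].lower(), effect=effect,
                        rights=fields[effect], access=_normalise_access(fields["Access"])))
    return acls


def check_protected_attribute(acls: list[Acl], target_dn: str, attribute: str,
                              group_dn: str, right: str) -> list[str]:
    """Problems for one sensitive attribute: Public must be denied all operations and
    the only grant must be `right` to `group_dn` (the guide's pattern for
    authpassword and orclaccountstatusevent)."""
    group_access = f"{GROUP_PREFIX}: {group_dn}"
    on_attr = [a for a in acls if a.target_dn == target_dn and a.applies_to == attribute]
    problems = []
    if not any(a.effect == "Deny" and a.rights == "All operations" and a.access == "Public"
               for a in on_attr):
        problems.append(f"{attribute}: no 'Deny All operations' ACL for Public")
    for a in on_attr:
        if a.effect == "Grant" and (a.access != group_access or a.rights != right):
            problems.append(f"{attribute}: unexpected grant of '{a.rights}' to {a.access}")
    if not any(a.effect == "Grant" and a.rights == right and a.access == group_access
               for a in on_attr):
        problems.append(f"{attribute}: missing '{right}' grant for {group_dn}")
    return problems


def check_authpassword_last(acls: list[Acl], target_dn: str) -> list[str]:
    """The guide requires the authpassword grant to the database group to be the
    last ACL in the list for the namespace."""
    for_target = [a for a in acls if a.target_dn == target_dn]
    if not for_target:
        return [f"no ACLs for {target_dn}"]
    last = for_target[-1]
    if not (last.applies_to == "authpassword" and last.effect == "Grant"):
        return [f"last ACL for {target_dn} applies to '{last.applies_to}', not the authpassword grant"]
    return []


def check_eus_namespace(acls: list[Acl], target_dn: str, db_group_dn: str) -> list[str]:
    """Run every check for one namespace; an empty list means the list matches the guide."""
    return (check_protected_attribute(acls, target_dn, "authpassword", db_group_dn, "Search and Read")
            + check_authpassword_last(acls, target_dn)
            + check_protected_attribute(acls, target_dn, "orclaccountstatusevent", db_group_dn, "Write"))


# Constructed sample: the dc=com list above plus the orclaccountstatusevent pair from the
# lockout section, using the guide's placeholder group DN.
SAMPLE_GROUP = "cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com"
SAMPLE_ACLS = """\
Target DN: dc=com
Scope: subtree
Applies To: Entry
Grant: Browse DN and Return DN
Access: Public

Target DN: dc=com
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public

Target DN: dc=com
Scope: subtree
Applies To: authpassword
Deny: All operations
Access: Public

Target DN: dc=com
Scope: subtree
Applies To: orclaccountstatusevent
Deny: All operations
Access: Public

Target DN: dc=com
Scope: subtree
Applies To: orclaccountstatusevent
Grant: Write
Access: Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

Target DN: dc=com
Scope: subtree
Applies To: authpassword
Grant: Search and Read
Access: Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com.
"""

if __name__ == "__main__":
    for line in check_eus_namespace(parse_acls(SAMPLE_ACLS), "dc=com", SAMPLE_GROUP) or ["ACL list OK"]:
        print(line)
```

The checks only look at ACLs whose Applies To names the sensitive attribute, so the public Search and Read grant on All Attributes is accepted as the guide intends; removing the Public deny, moving the authpassword grant out of last place, or granting it to Public each produce a reported problem.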
Note: If you are not using Enterprise Roles, you may use any directory server for the first domain. However, if you plan to use Enterprise Roles, Oracle recommends using Oracle Internet Directory as the first domain. Microsoft Active Directory and Novell eDirectory have DN syntax validation, and if the second domain's DN does not exist in the first domain, you cannot complete this configuration.

2. If it does not already exist, add the realm root for the second domain by performing the following steps:

a. Create an LDIF file using the following example. Replace the VARIABLES with the appropriate DN and orclsubscriberfullname of the second domain:

dn: DN_OF_SECOND_DOMAIN
dc: DC_OF_SECOND_DOMAIN
o: O_OF_SECOND_DOMAIN
objectclass: domain
objectclass: organization
objectclass: orclSubscriber
orclsubscriberfullname: ORCLSUBSCRIBERFULLNAME_OF_SECOND_DOMAIN
orclVersion: 90400

Where DN_OF_SECOND_DOMAIN is the domain DN of the second domain that you want to see in Oracle Virtual Directory.

b. Update Oracle Virtual Directory with the new LDIF file. For example:

ORACLE_HOME/bin/ldapadd -h Oracle_Virtual_Directory_Host -p Port \
  -D bindDN -q -v -f LDIF_File

3. Create a new LDAP Adapter for the second domain using the EUS_Directory-Type adapter template that is specific to the directory type. Enter the host name, port number, proxy DN, and password of the second domain. Be sure to configure the Remote Base and Mapped Namespace, where the namespace is the DN_OF_SECOND_DOMAIN from the previous step. Refer to Creating LDAP Adapters on page 12-3 for information about creating LDAP Adapters.

4. Configure the Mappings for the second domain LDAP Adapter by clicking the Create Mapping button on the Plug-Ins tab for the adapter. The Mapping you use depends on the type of directory you are using.
■ Use EUS_EDir.py for Novell eDirectory
■ Use EUS_ActiveDirectory.py for Active Directory
■ Use EUS_Sun.py for Oracle Directory Server Enterprise Edition

Note: Do not configure a Mapping if you are using Oracle Internet Directory.

5. Update Access Control Lists to protect the user entry and to allow the database account to access the password. You may skip this step if the Access Control Lists that were configured for the first domain cover the second domain's mapped namespace.

a. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

Note: In the following ACLs, Mapped Namespace for second domain is the DN you used for the Oracle Virtual Directory Mapped Namespace in step 3.

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: Entry
Grant: Browse DN and Return DN
Access: Public

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: orclaccountstatusevent
Deny: All operations
Access: Public

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: orclaccountstatusevent
Grant: Write
Access: Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain.

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: authpassword
Deny: All operations
Access: Public

6. Update the Oracle Context with the newly added namespace by performing the following steps:

a. Create an LDIF file like the following example and replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain:

dn: cn=Common,cn=Products,cn=OracleContext,dc=dbdemo,dc=orion,dc=com
changetype: modify
add: orclcommonusersearchbase
orclcommonusersearchbase: Mapped_Namespace_for_Second_Domain

b. Update Oracle Virtual Directory using the LDIF file. For example:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p Port \
  -D bindDN -q -v -f LDIF_File

7. Repeat steps 2-6 to support additional domains.
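Steps 2a and 6a above have you edit LDIF templates by hand, and step 7 repeats them for every further domain. The following is an added example, not code from the guide or from Oracle Virtual Directory, that produces both LDIF documents from the domain DNs and builds the matching ldapadd/ldapmodify argument lists in the form the guide uses. The attribute names and values are the guide's; the helper names (parse_dn, realm_root_ldif, user_search_base_ldif, ldap_tool_argv), the DN checks, and the sample host, port and DNs are this example's own assumptions.

```python
# Added example (not from the Oracle guide): generate the realm-root LDIF for a second
# domain (section 19.2.4, step 2a) and the orclcommonusersearchbase modification for
# the first domain's Oracle Context (step 6a), plus the command lines of steps 2b/6b.
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs. Escaped commas inside values are
    not handled; this is enough for the dc=/cn= DNs used in this chapter."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def realm_root_ldif(second_domain_dn: str, org_name: str, subscriber_full_name: str) -> str:
    """LDIF for the second domain's realm root (step 2a). The dc value is taken from
    the leading RDN, which must be dc= because the entry has objectclass domain."""
    attr, dc_value = parse_dn(second_domain_dn)[0]
    if attr != "dc":
        raise ValueError(f"realm root DN must start with a dc= RDN: {second_domain_dn}")
    lines = [
        f"dn: {second_domain_dn}",
        f"dc: {dc_value}",
        f"o: {org_name}",
        "objectclass: domain",
        "objectclass: organization",
        "objectclass: orclSubscriber",
        f"orclsubscriberfullname: {subscriber_full_name}",
        "orclVersion: 90400",
    ]
    return "\n".join(lines) + "\n"


def user_search_base_ldif(first_domain_dn: str, mapped_namespace: str) -> str:
    """changetype: modify LDIF that adds the second domain's mapped namespace to
    orclcommonusersearchbase in the first domain's Oracle Context (step 6a)."""
    parse_dn(first_domain_dn)   # both DNs must at least be well formed
    parse_dn(mapped_namespace)
    lines = [
        f"dn: cn=Common,cn=Products,cn=OracleContext,{first_domain_dn}",
        "changetype: modify",
        "add: orclcommonusersearchbase",
        f"orclcommonusersearchbase: {mapped_namespace}",
    ]
    return "\n".join(lines) + "\n"


def ldap_tool_argv(tool: str, host: str, port: int, bind_dn: str, ldif_path: str,
                   oracle_home: str = "ORACLE_HOME") -> list[str]:
    """Argument list for ORACLE_HOME/bin/ldapadd or ldapmodify in the form the guide
    shows; -q makes the tool prompt for the bind password instead of taking it on the
    command line, so it does not land in shell history or process listings."""
    if tool not in ("ldapadd", "ldapmodify"):
        raise ValueError("tool must be ldapadd or ldapmodify")
    return [f"{oracle_home}/bin/{tool}", "-h", host, "-p", str(port),
            "-D", bind_dn, "-q", "-v", "-f", ldif_path]


if __name__ == "__main__":
    # Constructed sample values: dc=dbdemo,dc=orion,dc=com is the guide's first-domain
    # placeholder; the second domain, host, port and bind DN are invented for the demo.
    first = "dc=dbdemo,dc=orion,dc=com"
    second = "dc=second,dc=orion,dc=com"
    print(realm_root_ldif(second, "second", "second.orion.com"))
    print(user_search_base_ldif(first, second))
    print(" ".join(ldap_tool_argv("ldapadd", "ovd.example.com", 6501, "cn=orcladmin", "realm.ldif")))
    print(" ".join(ldap_tool_argv("ldapmodify", "ovd.example.com", 6501, "cn=orcladmin", "context.ldif")))
```

Write the two strings to files and pass them with -f as in steps 2b and 6b; for each additional domain (step 7) call realm_root_ldif with that domain's DN and user_search_base_ldif with the same first-domain DN.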
Note: The following ACL belongs to the ACL list you create in step 5a and must be the last ACL in the ACL list for the Mapped Namespace for second domain.

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: authpassword
Grant: Search and Read
Access: Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain.

Note: To log in to the database as an enterprise user from any of these additional domains, you must create the User-Schema Mappings for the additional user containers from Enterprise Security Manager or Enterprise Manager. Refer to Oracle® Database Enterprise User Security Administrator's Guide for instructions.

19.2.5 Enabling User Account Lockout

LDAP servers can lock a user account after several bind attempts fail. The Oracle Virtual Directory-Enterprise User Security integration can use this lockout feature and enforce the back-end LDAP server's password lockout policy as follows:
■ An incorrect login to the Oracle Database records a login failure to the back-end LDAP server
■ A correct login to the Oracle Database resets the login failure count in the back-end LDAP server
■ A locked user account cannot be used to log in to the Oracle Database

Note: This functionality is not available for integrations that use Active Directory.

After performing the Oracle Virtual Directory-Enterprise User Security integration, you can enable user account lockout by performing the following steps:
Note: If you are using Oracle Internet Directory as the back-end LDAP server, skip steps 1 and 2 in the following procedure.

1. Create and configure the euslockout plug-in for the Enterprise User Security integration LDAP Adapter by referring to Managing Adapter Plug-ins on page 13-1. When you configure the euslockout plug-in, you must:
■ Create a directoryType parameter with a value according to your back-end LDAP server, such as ActiveDirectory for Active Directory, iPlanet for Oracle Directory Server Enterprise Edition, or eDirectory for Novell eDirectory.
■ Create a namespace parameter using the name of your user container.

2. If you are using Oracle Directory Server Enterprise Edition as a back-end LDAP server, you must configure an additional plug-in parameter on the Enterprise User Security integration LDAP Adapter. If you are using Novell eDirectory as a back-end LDAP server, go to step 3.

a. Query the Oracle Directory Server Enterprise Edition to determine its passwordMaxFailure value. For example:

ORACLE_HOME/bin/ldapsearch -h Sun_Java_System_Directory_Server_Name \
  -D bindDN -q -s base -b "cn=password policy,cn=config" "objectclass=*" passwordmaxfailure

b. Set the passwordMaxFailure parameter in the EUSiPlanet plug-in using the value returned from the query. Click the EUSiPlanet plug-in, then click the Create New Parameter button. Select passwordMaxFailure and enter the value in the Parameter field. Click OK.

3. Create the following Access Control Lists. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

Target DN: Your_User_Container
Scope: subtree
Applies To: orclaccountstatusevent
Deny: All operations
Access: Public

Target DN: Your_User_Container
Scope: subtree
Applies To: orclaccountstatusevent
Grant: Write
Access: Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com

Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.

4. For Oracle Internet Directory, Oracle Directory Server Enterprise Edition, and Novell eDirectory, ensure the proxy user configured for the Enterprise User Security LDAP Adapter has permission to modify the account lockout related attributes.
19.2.6 Integration Limitations
The following is a list of Oracle Virtual Directory-Enterprise User Security integration known limitations:
■ The following functionality is not supported in the integration:
  – DN mapping between Microsoft Active Directory and Oracle Virtual Directory if the Active Directory domain containing the domain DN is mapped to Oracle Virtual Directory. For example, if the Active Directory DN is dc=us,dc=oracle,dc=com and you try to map it to dc=oracle,dc=com in Oracle Virtual Directory, this type of DN mapping is not supported.
  – Administrative Groups except for OracleContextAdmins
  – Enterprise Security Manager console to Oracle Internet Directory Delegated Administration Services
  – Password Policy
  – Client certificate authentication
  – Kerberos authentication when integrating for use with Oracle Directory Server Enterprise Edition and Oracle Internet Directory
  – User Migration Utility (UMU)
  – Multiple Domain environments
  – JDBC Thin Driver (you must use the OCI driver)
  – Combined Microsoft Active Directory and Oracle Directory Server Enterprise Edition environments
■ Resetting the account lockout counter after a correct login is not available for Oracle Virtual Directory-Enterprise User Security integrations with Active Directory. Alternatively, Active Directory can reset the account lockout counter after a specified period has elapsed. You can use this option to prevent the lockout counter from accumulating indefinitely.
■ In the Enterprise Security Manager interface:
  – Listed databases may sometimes include an Active Directory tombstone entry.
  – Database and Oracle Internet Directory version information is not available.
19.3 Integrating with Oracle's Net Services

This topic describes how to integrate Oracle Virtual Directory with Oracle Database Net Services to centralize name services with Oracle Internet Directory, Microsoft Active Directory, and Oracle Directory Server Enterprise Edition. This topic contains the following sections:
■ Overview
■ Starting the Integration
■ Integrating for Use with Microsoft Active Directory
■ Integrating for Use with Oracle Directory Server Enterprise Edition
■ Integrating for Use with Oracle Internet Directory

19.3.1 Overview

Oracle Virtual Directory can be integrated with Oracle's Net Services database product. Integrating Oracle Virtual Directory and Net Services enhances and simplifies your name service capabilities by allowing you to leverage service entries stored in an external LDAP repository without any additional synchronization.

19.3.2 Starting the Integration

This section lists the common steps required for all Oracle Virtual Directory-Net Services integrations. Perform the steps in this section first to start the integration, then proceed to the subsequent section specific to Oracle Internet Directory, Microsoft Active Directory, or Oracle Directory Server Enterprise Edition. Different steps are presented depending on whether you are integrating Oracle Virtual Directory with Net Services for use with Oracle Internet Directory, Microsoft Active Directory, or Oracle Directory Server Enterprise Edition. Only perform the steps appropriate for your environment.

Perform the following steps to start the Oracle Virtual Directory-Net Services integration process:

1. Create a back-up copy of the ORACLE_HOME/ovd/eus directory.

2. Create the subschemasubentry plug-in as a global server plug-in. Refer to Managing Global Server Plug-ins on page 13-4 for steps on creating server plug-ins.
19.3.3 Integrating for Use with Microsoft Active Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Microsoft Active Directory. Perform these only after you have completed the steps in the Starting the Integration section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Microsoft Active Directory includes the following tasks:
■ Configuring Active Directory for the Integration
■ Configuring Oracle Virtual Directory for the Integration

19.3.3.1 Configuring Active Directory for the Integration

Perform the following steps to configure Active Directory for the integration:

1. Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be undone. The back-up image enables you to restore all your changes if required.

2. Load the Net Services required schema into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory.

java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
  -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
  -AD Active_Directory_Domain_DN
19.3.3.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

2. Create two new Local Store Adapters using the following settings. Refer to Creating Local Store Adapters on page 12-23 for information on creating Local Store Adapters.
■ Use the Local_Storage_Adapter template for each adapter.
■ The Adapter Suffix for one Local Store Adapter must be cn=OracleContext and the Adapter Suffix for the other Local Store Adapter must be cn=OracleSchemaVersion.
■ The Database File and Backup File fields for each of the adapters must be unique.

3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus directory.

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
  -D bindDN -q -v -a -f loadOVD.ldif
4. Create an LDAP Adapter for Net Services using the following settings and by entering the Active Directory host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.
■ Use the ONames_ActiveDirectory adapter template.
■ Select the BindOnly Pass Through Credential option.

Note: An example of a valid Active Directory domain DN is: dc=oracle,dc=com

5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

a. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

Target DN: cn=OracleContext
Scope: subtree
Applies To: Entry
Grant: Browse DN and Return DN
Access: Public

Target DN: cn=OracleContext
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public

Target DN: cn=OracleSchemaVersion
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public

Target DN: Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
Scope: subtree
Applies To: Entry
Grant: Browse DN and Return DN
Access: Public

Target DN: Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public

b. Set the ACLs in Oracle Virtual Directory to support the OracleNetAdmins administrative group as follows:

Target DN: cn=OracleContext,YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE
Scope: subtree
Applies To: Entry
Grant: All
Access: Group with DN of: cn=OracleNetAdmins,cn=OracleContext,YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE

Target DN: cn=OracleContext,YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE
Scope: subtree
Applies To: All Attributes
Grant: All
Access: Group with DN of: cn=OracleNetAdmins,cn=OracleContext,YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE

6. Create an LDAP Adapter for the OracleNetAdmins administrative group using the following settings and by entering the Active Directory host information, including port number, proxy DN, and password. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.
■ Use the Active_Directory adapter template.
■ Enter cn=OracleNetAdmins,cn=users,YOUR Active_Directory_Domain_DN as the Remote Base.
■ Enter cn=OracleNetAdmins,cn=OracleContext,YOUR MAPPED DOMAIN DN in Oracle Virtual Directory as the Mapped Namespace.

7. Configure a mapping and plug-in for the OracleNetAdmins administrative group adapter by performing the following steps:

a. Click the Advanced tab, then click Active_Directory_to_inetOrg, and then click the Apply button to deploy the mapping.

b. Click the Adapter tab, then click the adapter for the OracleNetAdmins administrative group, then click the Plug-ins tab, then click the Create Mapping button, then select Active_Directory_to_inetOrg.py, then enter a unique mapping name, and then click OK.

c. Click the Create Plug-in button, then click the Select button, then select the EUSMemberDNMapping plug-in, then click OK, then enter a unique plug-in name, then create the localDomainDN and remoteDomainDN parameters, and then click OK. Note that the localDomainDN and remoteDomainDN may be different if you have DN mapping configured.

d. Click the Apply button.

Note: You may not see the group membership changes immediately after your changes in Active Directory. This is because of Active Directory's group membership refresh interval configuration.

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Microsoft Active Directory are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.3.4 Integrating for Use with Oracle Directory Server Enterprise Edition

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition. Perform these only after you have completed the steps in the Starting the Integration section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition includes the following tasks:
■ Configuring Oracle Directory Server Enterprise Edition for the Integration
■ Configuring Oracle Virtual Directory for the Integration
19.3.4.1 Configuring Oracle Directory Server Enterprise Edition for the Integration

Perform the following steps to configure Oracle Directory Server Enterprise Edition for the integration:

1. Extend the iPlanet LDAP attribute and objectclass using the following command:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
  -D "cn=directory manager" -q -v -a -f ./iPlanetSchema.ldif

2. Create a realm in iPlanet by performing the following steps:

a. Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

b. Run the following command to create a realm in iPlanet using the realmiPlanet.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
  -D "cn=directory manager" -q -v -a -f ./realmiPlanet.ldif

3. Configure the user and group containers by either creating new user and group containers, or by using existing user and group containers.

Note: Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

Creating New User and Group Containers

a. Open the iPlanetContainers.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

b. Run the following command to create user and group containers in iPlanet using the iPlanetContainers.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
  -D "cn=directory manager" -q -v -a -f ./iPlanetContainers.ldif

Using Existing User and Group Containers

a. Open the useiPlanetContainers.ldif file.

b. Replace all instances of the cn=users,dc=us,dc=oracle,dc=com string with the name of your user container.

c. Replace all instances of the cn=groups,dc=us,dc=oracle,dc=com string with the name of your group container.

d. Run the following command to create a realm in iPlanet using the useiPlanetContainers.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
  -D "cn=directory manager" -q -v -a -f ./useiPlanetContainers.ldif

19.3.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

2. Create two new Local Store Adapters using the following settings. Refer to Creating Local Store Adapters on page 12-23 for information on creating Local Store Adapters.
■ Use the Local_Storage_Adapter template for each adapter.
■ The Adapter Suffix for one Local Store Adapter must be cn=OracleContext and the Adapter Suffix for the other Local Store Adapter must be cn=OracleSchemaVersion.
■ The Database File and Backup File fields for each of the adapters must be unique.

3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus directory.

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
  -D bindDN -q -v -a -f loadOVD.ldif

4. Create an LDAP Adapter for Net Services using the following settings and by entering the Oracle Directory Server Enterprise Edition host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.
■ Use the ONames_Sun adapter template.
■ Select the BindOnly Pass Through Credential option.

5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

a. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

Target DN: cn=OracleContext
Scope: subtree
Applies To: Entry
Grant: Browse DN and Return DN
Access: Public

Target DN: cn=OracleContext
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public