Click the Advanced tab, click the EUS_EDir entry under Mapping Templates, select the ObjectclassMapper plug-in, click the Create Namespace button, and create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

19-22 Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

| Target DN | Scope | Applies To | Grant/Deny | Access |
|---|---|---|---|---|
| (continued from the preceding page) | subtree | All Attributes | Grant Search and Read | Public |
| cn=OracleSchemaVersion | subtree | Entry | Grant Browse DN and Return DN | Public |
| cn=OracleSchemaVersion | subtree | All Attributes | Grant Search and Read | Public |
| dc=com | subtree | Entry | Grant Browse DN and Return DN | Public |
| dc=com | subtree | All Attributes | Grant Search and Read | Public |
| dc=com | subtree | authpassword | Deny All operations | Public |
| dc=com | subtree | authpassword | Grant Search and Read | Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com |

Note: The last ACL listed (the authpassword grant to the group) must be the last ACL in the ACL list for dc=com. Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.

Configuring Oracle Virtual Directory for Integrated Directory Solutions 19-23

2. Set the ACLs in Oracle Virtual Directory to support the OracleContextAdmins administrative group as follows:

| Target DN | Scope | Applies To | Grant/Deny | Access |
|---|---|---|---|---|
| cn=OracleContext,YOUR DOMAIN | subtree | Entry | Grant All | Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN |
| cn=OracleContext,YOUR DOMAIN | subtree | All Attributes | Grant All | Group with DN of: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN |

3. Set the ACLs in the external directory to protect the data under cn=OracleContext,YOUR DOMAIN.

4. Give write permission to the cn=OracleContextAdmins,cn=Groups,cn=OracleContext,YOUR DOMAIN group.

19.2.4 Configuring Oracle Virtual Directory to Support Multiple Enterprise User Security Domains

Perform the following steps to configure Oracle Virtual Directory to allow Enterprise User Security users contained in multiple domains to authenticate to a database:

1. Configure the first domain using the instructions in Integrating Oracle Virtual Directory with External Directories on page 19-4.

Note: If you are not using Enterprise Roles, you may use any directory server for the first domain. However, if you plan to use Enterprise Roles, Oracle recommends using Oracle Internet Directory as the first domain. Microsoft Active Directory and Novell eDirectory have DN syntax validation, and if the second domain's DN does not exist in the first domain, you cannot complete this configuration.

2. If it does not already exist, add the realm root for the second domain by performing the following steps:

a. Create an LDIF file using the following example. Replace the VARIABLES with the appropriate DN and orclsubscriberfullname of the second domain:

dn: DN_OF_SECOND_DOMAIN
dc: DC_OF_SECOND_DOMAIN
o: O_OF_SECOND_DOMAIN
objectclass: domain
objectclass: organization
objectclass: orclSubscriber
orclsubscriberfullname: ORCLSUBSCRIBERFULLNAME_OF_SECOND_DOMAIN
orclVersion: 90400

Where DN_OF_SECOND_DOMAIN is the domain DN of the second domain that you want to see in Oracle Virtual Directory.

b. Update Oracle Virtual Directory with the new LDIF file. For example:

ORACLE_HOME/bin/ldapadd -h Oracle_Virtual_Directory_Host -p Port \
-D bindDN -q -v -f LDIF_File

3. Create a new LDAP Adapter for the second domain using the EUS_Directory-Type adapter template that is specific to the directory type. Enter the host name, port number, proxy DN, and password of the second domain. Be sure to configure the Remote Base and Mapped Namespace, where the namespace is the DN_OF_SECOND_DOMAIN from the previous step. Refer to Creating LDAP Adapters on page 12-3 for information about creating LDAP Adapters.

4. Configure the Mappings for the second domain LDAP Adapter by clicking the Create Mapping button on the Plug-Ins tab for the adapter. The Mapping you use depends on the type of directory you are using:
■ Use EUS_EDir.py for Novell eDirectory
■ Use EUS_ActiveDirectory.py for Active Directory
■ Use EUS_Sun.py for Oracle Directory Server Enterprise Edition

Note: Do not configure a Mapping if you are using Oracle Internet Directory.

5. Update Access Control Lists to protect the user entry and to allow the database account to access the password. You may skip this step if the Access Control Lists that were configured for the first domain cover the second domain's mapped namespace.

a. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

Note: In the following ACLs, Mapped Namespace for second domain is the DN you used for the Oracle Virtual Directory Mapped Namespace in step 3.

| Target DN | Scope | Applies To | Grant/Deny | Access |
|---|---|---|---|---|
| Mapped Namespace for second domain | subtree | Entry | Grant Browse DN and Return DN | Public |
| Mapped Namespace for second domain | subtree | All Attributes | Grant Search and Read | Public |
| Mapped Namespace for second domain | subtree | orclaccountstatusevent | Deny All operations | Public |
| Mapped Namespace for second domain | subtree | orclaccountstatusevent | Grant Write | Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com |
| Mapped Namespace for second domain | subtree | authpassword | Deny All operations | Public |
| Mapped Namespace for second domain | subtree | authpassword | Grant Search and Read | Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com |

Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain. The last ACL listed (the authpassword grant to the group) must be the last ACL in the ACL list for the Mapped Namespace for second domain.

6. Update the Oracle Context with the newly added namespace by performing the following steps:

a. Create an LDIF file like the following example and replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain:

dn: cn=Common,cn=Products,cn=OracleContext,dc=dbdemo,dc=orion,dc=com
changetype: modify
add: orclcommonusersearchbase
orclcommonusersearchbase: Mapped_Namespace_for_Second_Domain

b. Update Oracle Virtual Directory using the LDIF file. For example:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p Port \
-D bindDN -q -v -f LDIF_File

7. Repeat steps 2-6 to support additional domains.

Note: To log in to the database as an enterprise user from any of these additional domains, you must create the User-Schema Mappings for the additional user containers from Enterprise Security Manager or Enterprise Manager. Refer to the Oracle Database Enterprise User Security Administrator's Guide for instructions.

19.2.5 Enabling User Account Lockout

LDAP servers can lock a user account after several bind attempts fail. The Oracle Virtual Directory-Enterprise User Security integration can use this lockout feature and enforce the back-end LDAP server's password lockout policy as follows:
■ An incorrect login to the Oracle Database records a login failure to the back-end LDAP server
■ A correct login to the Oracle Database resets the login failure count in the back-end LDAP server
Note: This functionality is not available for integrations that use Active Directory.
■ A locked user account cannot be used to log in to the Oracle Database

After performing the Oracle Virtual Directory-Enterprise User Security integration, you can enable user account lockout by performing the following steps:

Note: If you are using Oracle Internet Directory as the back-end LDAP server, skip steps 1 and 2 in the following procedure.

1. Create and configure the euslockout plug-in for the Enterprise User Security integration LDAP Adapter by referring to Managing Adapter Plug-ins on page 13-1. When you configure the euslockout plug-in, you must:
■ Create a directoryType parameter with a value according to your back-end LDAP server, such as ActiveDirectory for Active Directory, iPlanet for Oracle Directory Server Enterprise Edition, or eDirectory for Novell eDirectory.
■ Create a namespace using the name of your user container.

2. If you are using Oracle Directory Server Enterprise Edition as a back-end LDAP server, you must configure an additional plug-in parameter on the Enterprise User Security integration LDAP Adapter. If you are using Novell eDirectory as a back-end LDAP server, go to step 3.

a. Query the Oracle Directory Server Enterprise Edition to determine its passwordMaxFailure value. For example:

ORACLE_HOME/bin/ldapsearch -h Sun_Java_System_Directory_Server_Name \
-D bindDN -q -s base -b "cn=password policy,cn=config" "(objectclass=*)" passwordmaxfailure

b. Set the passwordMaxFailure parameter in the EUSiPlanet plug-in using the value returned from the query. Click the EUSiPlanet plug-in, then click the Create New Parameter button. Select passwordMaxFailure and enter the value in the Parameter field. Click OK.

3. Create the following Access Control Lists. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

| Target DN | Scope | Applies To | Grant/Deny | Access |
|---|---|---|---|---|
| Your_User_Container | subtree | orclaccountstatusevent | Deny All operations | Public |
| Your_User_Container | subtree | orclaccountstatusevent | Grant Write | Group with DN of: cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com |

Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your namespace.

4. For Oracle Internet Directory, Oracle Directory Server Enterprise Edition, and Novell eDirectory, ensure the proxy user configured for the Enterprise User Security LDAP Adapter has permission to modify the account lockout related attributes.
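The ACL tables in 19.2.3, in step 5 of 19.2.4 and in step 3 of 19.2.5 all follow one pattern: Public may browse and read everything under the namespace, the sensitive attribute (authpassword, or orclaccountstatusevent for lockout) is then denied to Public, and a narrower grant to the database group follows, which for authpassword must be the last ACL for that target. A misordered list either exposes the password attribute to anonymous binds or leaves the database proxy unable to read it. The following Python is an added example and not Oracle's code: it models the ODSM ACL form fields in a small dataclass and checks an ACL list against the rules the guide states (it does not emulate how OVD itself evaluates ACLs). The group DN is the guide's placeholder and dc=second,dc=example,dc=com is an assumed second-domain namespace.

```python
"""Lint an Oracle Virtual Directory ACL list against the ordering rules the
EUS integration steps state.  Added example, not Oracle's code: Acl is a
constructed model of the ODSM ACL form fields (Target DN, Scope, Applies To,
Grant/Deny, Access); the checks encode what the guide requires, nothing more."""
from dataclasses import dataclass
from typing import List


def norm_dn(dn: str) -> str:
    """Comparison key for a DN: each RDN lower-cased with surrounding blanks removed."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


@dataclass
class Acl:
    target_dn: str
    applies_to: str   # "Entry", "All Attributes" or a single attribute name
    deny: bool        # True for a Deny ACL, False for a Grant ACL
    rights: str       # e.g. "Browse DN and Return DN", "Search and Read", "Write", "All operations"
    subject: str      # "Public" or the DN of the group the ACL applies to
    scope: str = "subtree"


def check_protected_attribute(acls: List[Acl], target_dn: str, attribute: str,
                              group_dn: str, group_rights: str, must_be_last: bool) -> List[str]:
    """Problems with how `attribute` under `target_dn` is exposed.

    Rules taken from the guide: the attribute carries 'Deny All operations' for
    Public, a Grant of `group_rights` for the database group is listed after that
    deny and, for authpassword, that Grant is the last ACL for the target.
    """
    problems: List[str] = []
    pos = [i for i, a in enumerate(acls) if norm_dn(a.target_dn) == norm_dn(target_dn)]
    on_attr = [i for i in pos if acls[i].applies_to.lower() == attribute.lower()]
    denies = [i for i in on_attr if acls[i].deny and acls[i].subject == "Public"]
    grants = [i for i in on_attr if not acls[i].deny and acls[i].subject != "Public"
              and norm_dn(acls[i].subject) == norm_dn(group_dn)
              and group_rights.lower() in acls[i].rights.lower()]
    leaks = [i for i in on_attr if not acls[i].deny and acls[i].subject == "Public"]
    where = f"{attribute} under {target_dn}"
    if not denies:
        problems.append(f"{where}: no 'Deny All operations' ACL for Public")
    if not grants:
        problems.append(f"{where}: no 'Grant {group_rights}' ACL for {group_dn}")
    if denies and grants and min(denies) > max(grants):
        problems.append(f"{where}: Public deny is listed after the group grant")
    if grants and must_be_last and max(grants) != pos[-1]:
        problems.append(f"{where}: group grant is not the last ACL for this target")
    if leaks:
        problems.append(f"{where}: Public is granted '{acls[leaks[0]].rights}' on the attribute")
    return problems


def lint_eus_namespace(acls: List[Acl], namespace: str, db_group_dn: str,
                       lockout: bool = False) -> List[str]:
    """Apply the guide's rules to one mapped namespace (first or second domain).

    authpassword: deny Public, then Search and Read for the DB group, listed last.
    orclaccountstatusevent (lockout): deny Public, then Write for the DB group;
    the guide states no last-position rule for it.
    """
    problems = check_protected_attribute(acls, namespace, "authpassword",
                                         db_group_dn, "Search and Read", must_be_last=True)
    if lockout:
        problems += check_protected_attribute(acls, namespace, "orclaccountstatusevent",
                                              db_group_dn, "Write", must_be_last=False)
    return problems


# Placeholder DN from the guide; replace with the DN of your namespace.
DB_GROUP = "cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com"

# Constructed sample: the dc=com ACLs from step 1 of 19.2.3, in the order the guide lists them.
DC_COM_ACLS = [
    Acl("dc=com", "Entry", False, "Browse DN and Return DN", "Public"),
    Acl("dc=com", "All Attributes", False, "Search and Read", "Public"),
    Acl("dc=com", "authpassword", True, "All operations", "Public"),
    Acl("dc=com", "authpassword", False, "Search and Read", DB_GROUP),
]

# Same ACLs with the last two swapped: the mistake the guide's "must be last" note warns about.
MISORDERED_ACLS = [DC_COM_ACLS[0], DC_COM_ACLS[1], DC_COM_ACLS[3], DC_COM_ACLS[2]]

# Assumed second-domain namespace (19.2.4 step 5a) with the orclaccountstatusevent deny omitted.
SECOND_DOMAIN_ACLS = [
    Acl("dc=second,dc=example,dc=com", "Entry", False, "Browse DN and Return DN", "Public"),
    Acl("dc=second,dc=example,dc=com", "All Attributes", False, "Search and Read", "Public"),
    Acl("dc=second,dc=example,dc=com", "orclaccountstatusevent", False, "Write", DB_GROUP),
    Acl("dc=second,dc=example,dc=com", "authpassword", True, "All operations", "Public"),
    Acl("dc=second,dc=example,dc=com", "authpassword", False, "Search and Read", DB_GROUP),
]

if __name__ == "__main__":
    for name, acls, lockout in (("dc=com", DC_COM_ACLS, False),
                                ("dc=com (misordered)", MISORDERED_ACLS, False),
                                ("second domain", SECOND_DOMAIN_ACLS, True)):
        print(name, "->", lint_eus_namespace(acls, acls[0].target_dn, DB_GROUP, lockout) or "OK")
```

Run it against the ACLs you entered in ODSM before pointing a database at the adapter; the last check in the pattern (a Public grant directly on the attribute) is the one that silently overrides the intent of the deny if an operator adds it later.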

19.2.6 Integration Limitations

The following is a list of Oracle Virtual Directory-Enterprise User Security integration known limitations:
■ The following functionality is not supported in the integration:
– DN mapping between Microsoft Active Directory and Oracle Virtual Directory if the Active Directory domain containing the domain DN is mapped to Oracle Virtual Directory. For example, if the Active Directory DN is dc=us,dc=oracle,dc=com and you try to map it to dc=oracle,dc=com in Oracle Virtual Directory, this type of DN mapping is not supported.
– Administrative Groups except for OracleContextAdmins
– Enterprise Security Manager console to Oracle Internet Directory Delegated Administration Services
– Password Policy
– Client certificate authentication
– Kerberos authentication when integrating for use with Oracle Directory Server Enterprise Edition and Oracle Internet Directory
– User Migration Utility (UMU)
– Multiple Domain environments
– JDBC Thin Driver (you must use the OCI driver)
– Combined Microsoft Active Directory and Oracle Directory Server Enterprise Edition environments
■ Resetting the account lockout counter after a correct login is not available for Oracle Virtual Directory-Enterprise User Security integrations with Active Directory. Alternatively, Active Directory can reset the account lockout counter after a specified period has elapsed. You can use this option to prevent the lockout counter from accumulating indefinitely.
■ In the Enterprise Security Manager interface:
– Listed databases may sometimes include an Active Directory tombstone entry.
– Database and Oracle Internet Directory version information is not available.

19.3 Integrating with Oracle’s Net Services

This topic describes how to integrate Oracle Virtual Directory with Oracle Database Net Services to centralize name services with Oracle Internet Directory, Microsoft Active Directory, and Oracle Directory Server Enterprise Edition. This topic contains the following sections:
■ Overview
■ Starting the Integration
■ Integrating for Use with Microsoft Active Directory
■ Integrating for Use with Oracle Directory Server Enterprise Edition
■ Integrating for Use with Oracle Internet Directory

19.3.1 Overview

Oracle Virtual Directory can be integrated with Oracle's Net Services database product. Integrating Oracle Virtual Directory and Net Services enhances and simplifies your name service capabilities by allowing you to leverage service entries stored in an external LDAP repository without any additional synchronization.

19.3.2 Starting the Integration

This section lists the common steps required for all Oracle Virtual Directory-Net Services integrations. Perform the steps in this section first to start the integration, then proceed to the subsequent section specific to Oracle Internet Directory, Microsoft Active Directory, or Oracle Directory Server Enterprise Edition. Different steps are presented depending on which of these directories you are integrating Oracle Virtual Directory with Net Services for; only perform the steps appropriate for your environment. Perform the following steps to start the Oracle Virtual Directory-Net Services integration process:

1. Create a back-up copy of the ORACLE_HOME/ovd/eus directory.

2. Create the subschemasubentry plug-in as a global server plug-in. Refer to Managing Global Server Plug-ins on page 13-4 for steps on creating server plug-ins.

19.3.3 Integrating for Use with Microsoft Active Directory

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Microsoft Active Directory. Perform these only after you have completed the steps in the Starting the Integration section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Microsoft Active Directory includes the following tasks: ■ Configuring Active Directory for the Integration ■ Configuring Oracle Virtual Directory for the Integration

19.3.3.1 Configuring Active Directory for the Integration

Perform the following steps to configure Active Directory for the integration:

1. Make a back-up copy of your Active Directory image. The schema extensions inside Active Directory are permanent and cannot be undone. The back-up image enables you to restore all your changes if required.

2. Load the Net Services required schema into Active Directory using the Java classes included in Oracle Virtual Directory by executing the following command. You can use the java executable in the ORACLE_HOME/jdk/bin directory. Note that -w places the Active Directory administrator password on the command line, where other users of the host can see it in the process list and shell history.

java extendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
-D Active_Directory_Admin_DN -w Active_Directory_Admin_Password -AD Active_Directory_Domain_DN

19.3.3.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

2. Create two new Local Store Adapters using the following settings. Refer to Creating Local Store Adapters on page 12-23 for information on creating Local Store Adapters.
■ Use the Local_Storage_Adapter template for each adapter.
■ The Adapter Suffix for one Local Store Adapter must be cn=OracleContext and the Adapter Suffix for the other Local Store Adapter must be cn=OracleSchemaVersion.
■ The Database File and Backup File fields for each of the adapters must be unique.

3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus directory.

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
-D bindDN -q -v -a -f loadOVD.ldif

4. Create an LDAP Adapter for Net Services using the following settings and by entering the Active Directory host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters. (Because the adapter uses the non-SSL port, the proxy bind and all directory traffic to Active Directory travel in clear text; keep that network path trusted.)
■ Use the ONames_ActiveDirectory adapter template.
■ Select the BindOnly Pass Through Credential option.

Note: An example of a valid Active Directory domain DN is: dc=oracle,dc=com

5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

a. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

| Target DN | Scope | Applies To | Grant/Deny | Access |
|---|---|---|---|---|
| cn=OracleContext | subtree | Entry | Grant Browse DN and Return DN | Public |
| cn=OracleContext | subtree | All Attributes | Grant Search and Read | Public |
| cn=OracleSchemaVersion | subtree | All Attributes | Grant Search and Read | Public |
| Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com | subtree | Entry | Grant Browse DN and Return DN | Public |
| Your Mapped Namespace in Oracle Virtual Directory, for example: dc=example,dc=com | subtree | All Attributes | Grant Search and Read | Public |

b. Set the ACLs in Oracle Virtual Directory to support the OracleNetAdmins administrative group as follows:

| Target DN | Scope | Applies To | Grant/Deny | Access |
|---|---|---|---|---|
| cn=OracleContext,YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE | subtree | Entry | Grant All | Group with DN of: cn=OracleNetAdmins,cn=OracleContext,YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE |
| cn=OracleContext,YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE | subtree | All Attributes | Grant All | Group with DN of: cn=OracleNetAdmins,cn=OracleContext,YOUR MAPPED ORACLE VIRTUAL DIRECTORY NAMESPACE |

6. Create an LDAP Adapter for the OracleNetAdmins administrative group using the following settings and by entering the Active Directory host information, including port number, proxy DN, and password. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.
■ Use the Active_Directory adapter template.
■ Enter cn=OracleNetAdmins,cn=users,YOUR Active_Directory_Domain_DN as the Remote Base.
■ Enter cn=OracleNetAdmins,cn=OracleContext,YOUR MAPPED DOMAIN DN in Oracle Virtual Directory as the Mapped Namespace.

Note: You may not see the group membership changes immediately after your changes in Active Directory. This is because of Active Directory's group membership refresh interval configuration.

7. Configure a mapping and plug-in for the OracleNetAdmins administrative group adapter by performing the following steps:

a. Click the Advanced tab, then click Active_Directory_to_inetOrg, and then click the Apply button to deploy the mapping.

b. Click the Adapter tab, then click the adapter for the OracleNetAdmins administrative group, then click the Plug-ins tab, then click the Create Mapping button, then select Active_Directory_to_inetOrg.py, then enter a unique mapping name, and then click OK.

c. Click the Create Plug-in button, then click the Select button, then select the EUSMemberDNMapping plug-in, then click OK, then enter a unique plug-in name, then create the localDomainDN and remoteDomainDN parameters, and then click OK. Note that the localDomainDN and remoteDomainDN may be different if you have DN mapping configured.

d. Click the Apply button.

The steps to configure Oracle Virtual Directory for integration with Net Services and for use with Microsoft Active Directory are complete. Continue the integration process and configure Oracle Net Services by referring to the Oracle Database Net Services Administrator's Guide.

19.3.4 Integrating for Use with Oracle Directory Server Enterprise Edition

Perform the following steps to integrate Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition. Perform these only after you have completed the steps in the Starting the Integration section. The procedure for integrating Oracle Virtual Directory with Net Services for use with Oracle Directory Server Enterprise Edition includes the following tasks:
■ Configuring Oracle Directory Server Enterprise Edition for the Integration
■ Configuring Oracle Virtual Directory for the Integration

19.3.4.1 Configuring Oracle Directory Server Enterprise Edition for the Integration

Perform the following steps to configure Oracle Directory Server Enterprise Edition for the integration:

1. Extend the iPlanet LDAP attribute and objectclass using the following command:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
-D "cn=directory manager" -q -v -a -f ./iPlanetSchema.ldif

2. Create a realm in iPlanet by performing the following steps:

a. Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

b. Run the following command to create a realm in iPlanet using the realmiPlanet.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
-D "cn=directory manager" -q -v -a -f ./realmiPlanet.ldif

3. Configure the user and group containers by either creating new user and group containers, or by using existing user and group containers.

Creating New User and Group Containers

a. Open the iPlanetContainers.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

b. Run the following command to create user and group containers in iPlanet using the iPlanetContainers.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
-D "cn=directory manager" -q -v -a -f ./iPlanetContainers.ldif

Using Existing User and Group Containers

a. Open the useiPlanetContainers.ldif file.

b. Replace all instances of the cn=users,dc=us,dc=oracle,dc=com string with the name of your user container.

c. Replace all instances of the cn=groups,dc=us,dc=oracle,dc=com string with the name of your group container.

d. Run the following command to create a realm in iPlanet using the useiPlanetContainers.ldif file:

ORACLE_HOME/bin/ldapmodify -h iPlanet_Host_Name -p iPlanet_Port \
-D "cn=directory manager" -q -v -a -f ./useiPlanetContainers.ldif
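Steps 2 and 3 are hand edits of LDIF templates, and the note in this section on containers (for the domain dc=superdemo,dc=net, ou=people,dc=ultrademo,dc=org is not a valid user container) describes the edit that yields a realm whose search bases point outside the domain. The following Python is an added example, not Oracle's code and not the contents of its LDIF files: it performs the placeholder substitutions the steps describe and refuses user or group containers that do not sit under the domain DN. The two template strings and the orclcommongroupsearchbase attribute name are constructed for the example. It also goes one step beyond the guide's step 3 for the existing-containers file by substituting any bare dc=us,dc=oracle,dc=com left after the container replacements, which is a no-op when the file contains none.

```python
"""Prepare the iPlanet LDIF templates from 19.3.4.1 for your own domain and
refuse containers outside that domain.  Added example, not Oracle's code:
REALM_TEMPLATE and CONTAINERS_TEMPLATE are constructed stand-ins, not the
contents of realmiPlanet.ldif or useiPlanetContainers.ldif; only the
placeholder DNs being replaced are the ones the guide names."""
import re
from typing import List, Optional

TEMPLATE_DOMAIN = "dc=us,dc=oracle,dc=com"
TEMPLATE_USERS = "cn=users,dc=us,dc=oracle,dc=com"
TEMPLATE_GROUPS = "cn=groups,dc=us,dc=oracle,dc=com"


def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (lower-case, surrounding blanks removed).
    A plain split on ',' suffices for the dc=/cn=/ou= DNs used here; escaped
    commas inside attribute values (RFC 4514) are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(container_dn: str, domain_dn: str) -> bool:
    """True if container_dn is domain_dn itself or an entry anywhere below it."""
    c, d = rdns(container_dn), rdns(domain_dn)
    return len(c) >= len(d) and c[-len(d):] == d


def replace_dn(text: str, old_dn: str, new_dn: str) -> str:
    """Replace every occurrence of old_dn in text with new_dn.

    The match ignores case and blanks after commas and must end at the end of
    an RDN value, so dc=com does not also hit dc=company.  A callable is used
    as the replacement so backslashes in new_dn are not reinterpreted by re."""
    pattern = r",\s*".join(re.escape(rdn) for rdn in rdns(old_dn)) + r"(?![\w-])"
    return re.sub(pattern, lambda _m: new_dn, text, flags=re.IGNORECASE)


def prepare_ldif(template: str, domain_dn: str,
                 user_container: Optional[str] = None,
                 group_container: Optional[str] = None) -> str:
    """Return template with the guide's placeholder DNs replaced.

    Without containers this is the edit of steps 2a and 3a (realmiPlanet.ldif,
    iPlanetContainers.ldif): every dc=us,dc=oracle,dc=com becomes domain_dn.
    With containers it is the existing-containers edit (steps 3b and 3c of
    useiPlanetContainers.ldif), refused unless both lie inside domain_dn; the
    trailing domain substitution there is this example's addition.
    """
    if user_container is None and group_container is None:
        return replace_dn(template, TEMPLATE_DOMAIN, domain_dn)
    for kind, dn in (("user", user_container), ("group", group_container)):
        if dn is None or not is_under(dn, domain_dn):
            raise ValueError(f"{kind} container {dn!r} is not inside domain {domain_dn!r}")
    out = replace_dn(template, TEMPLATE_USERS, user_container)
    out = replace_dn(out, TEMPLATE_GROUPS, group_container)
    return replace_dn(out, TEMPLATE_DOMAIN, domain_dn)


# Constructed stand-in for realmiPlanet.ldif (the real file's entries differ).
REALM_TEMPLATE = """dn: cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: add
objectclass: orclContext
cn: OracleContext
"""

# Constructed stand-in for useiPlanetContainers.ldif (attribute names assumed).
CONTAINERS_TEMPLATE = """dn: cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: modify
replace: orclcommonusersearchbase
orclcommonusersearchbase: cn=users,dc=us,dc=oracle,dc=com
-
replace: orclcommongroupsearchbase
orclcommongroupsearchbase: cn=groups,dc=us,dc=oracle,dc=com
"""

if __name__ == "__main__":
    print(prepare_ldif(REALM_TEMPLATE, "dc=superdemo,dc=net"))
    print(prepare_ldif(CONTAINERS_TEMPLATE, "dc=superdemo,dc=net",
                       "ou=people,dc=superdemo,dc=net", "ou=groups,dc=superdemo,dc=net"))
    try:  # the invalid container from the guide's note
        prepare_ldif(CONTAINERS_TEMPLATE, "dc=superdemo,dc=net",
                     "ou=people,dc=ultrademo,dc=org", "ou=groups,dc=superdemo,dc=net")
    except ValueError as err:
        print("rejected:", err)
```

Write the returned text to a new file and pass that to the ldapmodify commands above; keep the original templates untouched so the substitution can be re-run when the domain changes.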

Note: Make sure the user and group containers are in the same domain and realm you are creating. For example, if your domain is dc=superdemo,dc=net, then ou=people,dc=ultrademo,dc=org is not a valid user container.

19.3.4.2 Configuring Oracle Virtual Directory for the Integration

Perform the following steps to configure Oracle Virtual Directory for the integration:

1. Start the Oracle Virtual Directory server, then start Oracle Directory Services Manager, and then connect to the Oracle Virtual Directory server.

2. Create two new Local Store Adapters using the following settings. Refer to Creating Local Store Adapters on page 12-23 for information on creating Local Store Adapters.
■ Use the Local_Storage_Adapter template for each adapter.
■ The Adapter Suffix for one Local Store Adapter must be cn=OracleContext and the Adapter Suffix for the other Local Store Adapter must be cn=OracleSchemaVersion.
■ The Database File and Backup File fields for each of the adapters must be unique.

3. Update and load the entries into the Local Store Adapters by extending the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Net Services queries. The loadOVD.ldif file is located in the ORACLE_HOME/ovd/eus directory.

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port \
-D bindDN -q -v -a -f loadOVD.ldif

4. Create an LDAP Adapter for Net Services using the following settings and by entering the Oracle Directory Server Enterprise Edition host information, including host name, non-SSL port number, proxy DN and password, and the appropriate Remote Base and Mapped Namespace. Refer to Creating LDAP Adapters on page 12-3 for information on creating LDAP Adapters.
■ Use the ONames_Sun adapter template.
■ Select the BindOnly Pass Through Credential option.

5. Update the Access Control Lists by performing the following steps. If you have customized your ACLs after installing Oracle Virtual Directory, you must adjust the following ACL settings to include your customizations.

a. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

| Target DN | Scope | Applies To | Grant/Deny | Access |
|---|---|---|---|---|
| cn=OracleContext | subtree | Entry | Grant Browse DN and Return DN | Public |
| cn=OracleContext | subtree | All Attributes | Grant Search and Read | Public |