
Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory: Understanding Oracle Virtual Directory Adapters

[Figure 2–4 Example Virtual Directory Structure]

The virtual directory in Figure 2–4 requires the following adapters:

■ an LDAP Adapter
■ a Database Adapter
■ a Local Store Adapter

The following list describes how the adapters are configured in Figure 2–5 to create the virtual directory:

■ Adapter 0: Local Store Adapter
This adapter forms the base of the directory and holds entries that are not proxied. In this case, the directory entries under Groups are stored in the local directory.

■ Adapter 1: LDAP Adapter
This adapter specifies a remote LDAP directory and a remote base which is mapped into the virtual directory tree. In this case, all entries under o=Airius.com in the remote server are made to appear as if they were ou=Airius,o=YourCompany,c=US in the virtual directory.

■ Adapter 2: Database Adapter
This Database adapter is a database connection specifying that two tables are used to form entries in the directory. In this case, records from the joined queries of two tables are used to form user objects in the namespace ou=People,o=YourCompany,c=US in the virtual directory.

[Figure 2–5 Adapters Configured for Example Virtual Directory]

As shown in Figure 2–5, Oracle Virtual Directory and its adapters allow different portions of the directory tree to be sourced from different repositories.

In planning your virtual directory information tree structure, be sure you do not have two adapter roots that occupy the same root node. However, you may have an adapter appear to be a child node of another adapter.

2.7.2 Example of a Virtual Directory Using the Join View Adapter

Figure 1–2 in Chapter 1, Understanding Oracle Virtual Directory, shows an example of an enterprise application used by all employees in a company. The application accesses directory information from three different sources and each contains a separate population of users. The topology in Figure 2–6 and in Figure 1–2 is the same; however, all three directory sources on the right side of Figure 2–6 contain the same user population.

[Figure 2–6 Directory Virtualization with the Same User Population]

Figure 2–6 shows a main enterprise directory which contains the main source of enterprise directory information for all users. For example, imagine that you want to match each user in the enterprise directory to a corresponding account in Microsoft Active Directory for user-authentication purposes. Also, to gain access to personnel-related application information in the corporate database, you must associate each user in the enterprise directory with a table entry in the enterprise database.

To address the requirements in Figure 2–6, you would configure Oracle Virtual Directory with the following four adapters:

■ Adapter 0 is for local application storage and to hold the root position in the tree.
■ Adapter 1 is defined to proxy to Active Directory.
■ Adapter 2 proxies to the Enterprise LDAP directory.
■ Adapter 3 is a Database Adapter that maps in the appropriate user records within the corporate RDBMS.
■ Adapter 4 is a Join View Adapter. In this case, Adapter 2 for the Enterprise Directory is used as the primary adapter and therefore all entries displayed by Adapter 4 exactly mirror the entries in Adapter 2. With nothing else defined, the Join View Adapter is a carbon copy of Adapter 2.

After configuring the adapters you must define join relationships. In this situation you define two join relationships: one to Active Directory and one to the corporate RDBMS. For the Active Directory join, you define a Simple Join in Adapter 4 to Adapter 2; note that you are really joining with the primary adapter, Adapter 1. To complete the join, specify unique criteria that joins entries in Active Directory to the primary adapter. As shown in Figure 2–7, use uid=userprincipalname where uid is in Adapter 1 and userprincipalname is in Adapter 2 Active Directory. For the second join, you join with Adapter 3 using a Simple Join and use uid=userid to achieve a unique match.

[Figure 2–7 Specifying Unique Criteria Between Joins]

Lastly, because you want to use Adapter 1 for authentication rather than the primary adapter Adapter 2, you set the bindadapter setting to 1, causing the Join View Adapter to test authentication against the joined adapter rather than the primary adapter.

Note: If you wanted users to match multiple RDBMS records, for example in a privilege table, you could specify a OneToMany Join such as approle=priv. In this case approle would be an attribute in the enterprise directory. The approle attribute matches up with a series of privileges in the RDBMS. By performing the join in this example, you would translate a simple role into a series of privileges.

After Adapter 4 is configured, you can hide Adapters 1, 2, and 3 from end users by setting Routing Visibility on each of these adapters to Internal. This results in a directory that appears to have a single ou=People,o=AppView branch. As you browse the directory below ou=People, you are querying Adapter 4, the Join View Adapter. When the Join View Adapter receives queries, it automatically transforms and passes them on to the other three hidden adapters. Ultimately the application perceives that there is only a single entry for each person.
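
The join behaviour described above decides which Active Directory account is tested when a user binds, so the following added Python sketch (not Oracle Virtual Directory code) models the two Simple Joins, the OneToMany join and the bindadapter setting over constructed sample entries. Adapter numbers follow the adapter list (1 = Active Directory, 2 = Enterprise Directory, 3 = RDBMS); the function names, the sample data and the strict rejection of zero or multiple Simple Join matches are assumptions of this example.

```python
# Added example: simplified model of the Join View Adapter; data is constructed.
ENTERPRISE = [  # Adapter 2, the primary adapter
    {"dn": "uid=jdoe,ou=People,o=Enterprise", "uid": "jdoe", "approle": "hr"},
    {"dn": "uid=asmith,ou=People,o=Enterprise", "uid": "asmith", "approle": "it"},
]
ACTIVE_DIRECTORY = [  # Adapter 1; asmith deliberately has two accounts
    {"dn": "cn=J Doe,cn=Users,dc=corp", "userprincipalname": "JDoe"},
    {"dn": "cn=A Smith,cn=Users,dc=corp", "userprincipalname": "asmith"},
    {"dn": "cn=A Smith (old),cn=Users,dc=corp", "userprincipalname": "asmith"},
]
RDBMS = [{"userid": "jdoe", "title": "Analyst"},       # Adapter 3
         {"userid": "asmith", "title": "Engineer"}]
PRIVS = [{"priv": "hr", "grant": "read_payroll"},      # OneToMany target
         {"priv": "hr", "grant": "edit_leave"}]

def matches(entry, attr, rows, row_attr):
    """Rows whose row_attr equals entry[attr], compared case-insensitively."""
    want = str(entry.get(attr, "")).lower()
    return [r for r in rows if str(r.get(row_attr, "")).lower() == want]

def simple_join(entry, attr, rows, row_attr):
    """Simple Join: exactly one match is expected; anything else is rejected."""
    found = matches(entry, attr, rows, row_attr)
    if len(found) != 1:
        raise LookupError(f"{attr}={entry[attr]!r}: {len(found)} matches")
    return found[0]

def joined_entry(uid):
    """Build the single entry the application sees under ou=People,o=AppView."""
    primary = next(e for e in ENTERPRISE if e["uid"] == uid)
    view = dict(primary)
    view["dn"] = f"uid={uid},ou=People,o=AppView"
    view["title"] = simple_join(primary, "uid", RDBMS, "userid")["title"]
    view["grants"] = sorted(r["grant"] for r in
                            matches(primary, "approle", PRIVS, "priv"))
    return view

def bind_target(uid, bindadapter=1):
    """DN whose credentials are tested: joined AD entry if bindadapter is 1."""
    primary = next(e for e in ENTERPRISE if e["uid"] == uid)
    if bindadapter == 1:
        return simple_join(primary, "uid", ACTIVE_DIRECTORY,
                           "userprincipalname")["dn"]
    return primary["dn"]
```

Calling `bind_target("asmith")` raises `LookupError` because two constructed Active Directory accounts satisfy uid=userprincipalname, which is the ambiguity the unique join criteria are meant to rule out.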

2.8 Understanding Adapter Namespaces

Figure 2–8 shows a source directory tree structure where there are four separate directories. The goal is to combine all four separate directories into one new directory tree design. The most basic directory tree design you can implement with Oracle Virtual Directory uses no translation: the source directory structure with four separate directory trees is valid within Oracle Virtual Directory, which then operates as a pure directory proxy using no translation features.

[Figure 2–8 Example Source Directory Tree Structure with Four Separate Directories]

Figure 2–9 shows that two external companies were added as descendants to o=YourCompany, c=US. In this example, Adapter 1 and Adapter 2 occupy subtree entry positions relative to Adapter 0. At the same time, Adapter 3 is left occupying a separate namespace, which could represent a third-party company that provides administrative network services and may not participate in the business application of the other three organizations. If this is the case, it may be best to keep the ISP directory entries separated.

[Figure 2–9 Example Source Directory Tree Structure with Two Additions]

Figure 2–10 shows the directory structure after it was redesigned so that all partner users are under the ou=People branch. This requirement may be due to a limitation in an application; for example, it only authenticates users from a single base of ou=People, o=YourCompany, c=US. Notice that YourCompany's people entries are directly under ou=People while the partner directories are contained within organization units under ou=People. Keeping the organization unit allows for easier creation of access control groups and roles specific to users of those partners and avoids namespace conflicts. Notice also that only one adapter may occupy any particular node in the tree.

[Figure 2–10 Redesigned Source Directory Tree Example]

Figure 2–11 shows an example where two problems were created due to conflicts between entries stored in Adapter 0 and the root entry of Adapters 1 and 3. During search operations, Oracle Virtual Directory searches the overlapping namespace and returns matches from all adapters. However, during modify operations, Oracle Virtual Directory processes entries only in the adapter that is matched first when walking up the tree from the entry; in this example, Adapters 1 and 3, because Adapter 0 is further up the tree.

[Figure 2–11 Example of an Overlapping Directory Structure]

Traditionally, the overlapped directory structure would be unacceptable; however, Oracle Virtual Directory supports routing filters that control how it handles operations to overlapping namespaces.
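
The namespace rules in this section, together with the adapter layout described for Figure 2–5, as an added Python sketch (not Oracle Virtual Directory code): it flags adapter roots that share a node, lists the adapters a subtree search touches versus the single adapter a modify reaches, and rewrites a virtual DN onto the LDAP Adapter's remote base. The root of Adapter 0 and all function names are assumptions, and the routing rules are a simplified reading of the text above.

```python
# Added example: simplified model of adapter namespaces, not Oracle code.
# DNs are split on commas; escaped commas inside RDN values are not handled.

def rdns(dn):
    """Normalize a DN into a list of lowercase RDNs, leaf first."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_under(dn, root):
    """True if dn equals root or lies below it in the tree."""
    d, r = rdns(dn), rdns(root)
    return len(d) >= len(r) and d[len(d) - len(r):] == r

# Roots of Adapters 1 and 2 come from the page; the root of Adapter 0 is assumed.
ADAPTERS = {
    0: "o=YourCompany,c=US",             # Local Store Adapter (assumed root)
    1: "ou=Airius,o=YourCompany,c=US",   # LDAP Adapter
    2: "ou=People,o=YourCompany,c=US",   # Database Adapter
}
REMOTE_BASE = {1: "o=Airius.com"}        # remote base of the LDAP Adapter

def duplicate_roots(adapters):
    """Return pairs of adapter ids whose roots occupy the same node."""
    ids = sorted(adapters)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if rdns(adapters[a]) == rdns(adapters[b])]

def search_adapters(base, adapters):
    """Adapters consulted for a subtree search: every adapter whose
    namespace contains the base or whose root lies under the base."""
    return sorted(a for a, root in adapters.items()
                  if is_under(base, root) or is_under(root, base))

def modify_adapter(dn, adapters):
    """Adapter that receives a modify: first root matched walking up."""
    parts = dn.split(",")
    for i in range(len(parts)):
        candidate = ",".join(parts[i:])
        for a, root in adapters.items():
            if rdns(candidate) == rdns(root):
                return a
    return None

def to_remote(dn, adapter, adapters, remote_base):
    """Rewrite a virtual DN to the DN the remote LDAP server sees."""
    keep = len(rdns(dn)) - len(rdns(adapters[adapter]))
    prefix = [p.strip() for p in dn.split(",")][:keep]
    return ",".join(prefix + [remote_base[adapter]])
```

In this model a search based at ou=Airius,o=YourCompany,c=US consults Adapters 0 and 1, while a modify of an entry below that node reaches only Adapter 1, so an entry held in Adapter 0 under the same branch would be readable but not writable through the virtual tree.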

2.9 Understanding Adapter Templates

Oracle Virtual Directory includes adapter templates to help simplify the process for configuring adapters. When you create an adapter, the New Adapter screen contains an Adapter Template list that displays the available templates for each adapter. After selecting an adapter template, Oracle Directory Services Manager automatically populates default values for some adapter settings. You should alter these default settings according to your environment.

The following sections list and describe the adapter templates:

■ Default Template
■ LDAP Adapter Templates
■ Local Store Adapter Templates
■ Database Adapter Templates

2.9.1 Default Template

The Default template is a general template available for all adapter types and is not specific to any one vendor's directory. You should use the Default template if no other template satisfies your needs.

2.9.2 LDAP Adapter Templates

The following sections describe the LDAP Adapter templates:

■ Active_Directory
■ CA_eTrust
■ Changelog_LDAP-TYPE
■ EUS_ActiveDirectory
■ EUS_OID
■ EUS_Sun
■ EUS_eDirectory
■ General_LDAP_Directory
■ IBM_Directory
■ Novell_eDirectory
■ OAMAD Adapter with Mapper
■ OAMAD Adapter with SSL, Mapper
■ OAMAD Adapter with Script
■ OAMADAM Adapter with Mapper
■ OAMADAM Adapter with SSL, Mapper
■ OAMADAM Adapter with Script
■ OAMSunOne Adapter with Mapper
■ OAMSunOne Adapter with Script
■ ONames_LDAP-TYPE
■ Oracle_Internet_Directory
■ Siemens_DirX
■ SunOne_Directory