Enter a number between 0 and 100 in the Weight Value field to configure the

12-6 Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

■ Select Never to use the Proxy DN credentials for all operations.
■ Select BindOnly to pass user credentials to the proxied LDAP server for bind only and use the default server credentials for all other operations.
■ Select Always to pass user credentials presented to Oracle Virtual Directory to the proxied LDAP server for all operations.

Note: In some situations when pass-through mode is set to Always, the LDAP Adapter may still use the Proxy DN. This occurs when the user credential cannot be mapped, for example, from another adapter namespace, or if it is the root account. If defining multiple adapters to different domain controllers within a Microsoft Active Directory forest, you can program the LDAP Adapter to proxy credentials from other adapters (that is, two or more adapters pointing to the same Active Directory forest) by using the Routing Bind-Include setting.

14. Select the Use Kerberos option to configure the LDAP Adapter to perform LDAP bind operations using the Kerberos protocol. Oracle recommends using Java 1.6 or higher if you enable the Use Kerberos setting to resolve many known issues with the Microsoft Active Directory version of Kerberos. If you enable the Use Kerberos option:

■ The Pass Through option must be set to BindOnly because the Kerberos authentication can only be used to validate credentials and not passed to the back-end server for any other operation.
■ The RDN value must be the same as the Kerberos principal name, for example, sAMAccountName in Active Directory. This may mean that the bind DN for a Kerberos bind is not the actual user DN. For example, if the user DN is cn=Jane Doe,cn=users,dc=mycompany,dc=com but the sAMAccountName is jdoe, the bind DN with the Use Kerberos option enabled is cn=jdoe,cn=users,dc=mycompany,dc=com.
■ You must create a krb5.conf file and place it in the Oracle Virtual Directory's configuration folder. The krb5.conf has the following properties:

Table 12–2 Properties in the krb5.conf File

| Property | Description |
|---|---|
| default_realm | The default domain used if not supplied by the mapping. For example, if a user binds as uid=jsmith,ou=people,dc=myorg,dc=com, this will be treated as jsmith@myorg.com. If the mapped namespace does not include a domain component (dc) based root, this value is substituted instead. |
| domain_realm | Defines a mapping between a domain and a realm definition. For example: .oracle.com = ORACLE.COM |
| realms | Defines one or more realms, for example: ORACLE.COM = {...} |
| kdc | The DNS name of the server running the Kerberos service for a particular realm definition. |
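The following Python example is an addition to this page, not part of Oracle's guide and not Oracle Virtual Directory code. It shows where the four properties in Table 12–2 sit in a krb5.conf file, and how a bind DN resolves to a user@domain name as the default_realm row describes. The realm MYCOMPANY.COM, the host kdc1.mycompany.com, and the helpers parse_krb5 and bind_dn_to_principal are assumptions made for the illustration.

```python
import re

# Constructed sample krb5.conf: realm and host names are placeholders.
KRB5_CONF = """\
[libdefaults]
    default_realm = MYCOMPANY.COM

[domain_realm]
    .mycompany.com = MYCOMPANY.COM

[realms]
    MYCOMPANY.COM = {
        kdc = kdc1.mycompany.com
    }
"""

def parse_krb5(text):
    """Parse the sections above into {section: {key: value}}.
    Keys inside a realm's braces (kdc) are stored as 'REALM/key'."""
    conf, section, realm = {}, None, None
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("["):
            section, realm = line.strip("[]"), None
            conf[section] = {}
        elif line == "}":
            realm = None
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                realm = key
            else:
                conf[section][f"{realm}/{key}" if realm else key] = value
    return conf

def bind_dn_to_principal(bind_dn, conf):
    """Derive user@domain from a bind DN as Table 12-2 describes."""
    # Split on commas that are not backslash-escaped.
    rdns = [r.strip() for r in re.split(r"(?<!\\),", bind_dn)]
    user = rdns[0].split("=", 1)[1]
    dcs = [r.split("=", 1)[1] for r in rdns if r.lower().startswith("dc=")]
    # No dc-based root in the namespace: fall back to default_realm.
    domain = ".".join(dcs) or conf["libdefaults"]["default_realm"]
    return f"{user}@{domain}"

CONF = parse_krb5(KRB5_CONF)
```

With the Use Kerberos option enabled, the RDN value passed in must already be the Kerberos principal name (jdoe, not Jane Doe), which is why the function takes the first RDN value unchanged.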