Syntax for expressSyncSetup Creating Import and Export Synchronization Profiles Using expressSyncSetup

17-8 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

components still may be unable to access users and groups in Oracle Internet Directory.

To illustrate how you might configure the user search base and group search base: In the example in Figure 16–2 on page 16-7, the value of usersearchbase should be set to cn=users,dc=us,dc=MyCompany,dc=com or one of its parents. Similarly, assuming there is a subtree named groups in the DIT, the multivalued groupsearchbase attribute should be set to both of the following:

■ cn=groups,dc=us,dc=MyCompany,dc=com or one of its parents
■ cn=users,dc=us,dc=MyCompany,dc=com

To configure the user search base and group search base, use the Oracle Internet Directory Self-Service Console.

4. Set up the usercreatebase and groupcreatebase values in Oracle Internet Directory. These values indicate to the various Oracle components where users and groups can be created. They are set to default values during installation.

To illustrate how to configure the user create base and group create base: In the example in Figure 16–2 on page 16-7, the value of usercreatebase should be set to cn=users,dc=us,dc=MyCompany,dc=com or one of its parents. Similarly, the groupcreatebase should be set to cn=groups,dc=us,dc=MyCompany,dc=com or one of its parents.

To configure the user create base and group create base, use the Oracle Internet Directory Self-Service Console.
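The "or one of its parents" rule for the search base and create base values can be checked offline before changing the realm configuration. The following is an added example, not code from the Oracle guide: it compares DNs RDN by RDN and reports containers that no configured base value covers. The function names are hypothetical, and case-insensitive matching of RDN values is a simplifying assumption.

```python
# Added example: names below are hypothetical, not part of any Oracle tool.

def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, leftmost RDN first.

    Backslash-escaped commas stay inside their RDN. Lowercasing both parts
    is a simplifying assumption (cn and dc values match case-insensitively).
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [tuple(p.strip().lower() for p in r.partition("=")[::2]) for r in rdns]


def covers(base, container):
    """True if base equals container or is one of its parents."""
    b, c = split_dn(base), split_dn(container)
    return len(b) <= len(c) and c[-len(b):] == b


def uncovered(bases, containers):
    """Containers not reachable from any configured base value."""
    return [c for c in containers if not any(covers(b, c) for b in bases)]


# Containers from the page's example DIT.
USERS = "cn=users,dc=us,dc=MyCompany,dc=com"
GROUPS = "cn=groups,dc=us,dc=MyCompany,dc=com"

if __name__ == "__main__":
    # Constructed misconfiguration: groupsearchbase lists only the groups subtree.
    print(uncovered([GROUPS], [GROUPS, USERS]))
    # A parent of both containers covers them with a single value.
    print(uncovered(["dc=us,dc=MyCompany,dc=com"], [GROUPS, USERS]))
```

A parent value satisfies the rule but widens the subtree that components search or create entries in, so prefer the narrowest base that leaves the uncovered list empty.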

17.3.2 Customizing Access Control Lists

This section discusses how to customize ACLs for import profiles, export profiles, and for other Oracle components. It contains these topics:

■ Customizing ACLs for Import Profiles
■ Customizing ACLs for Export Profiles
■ ACLs for Other Oracle Components

17.3.2.1 Customizing ACLs for Import Profiles

The import profile is the identity used by the Oracle Directory Integration Platform to access Oracle Internet Directory. ACLs must enable the import profile to add, modify, and delete objects in either the users and groups containers or the subtree where entries are accessed. By default, import profiles are part of the Realm Administrators group cn=RealmAdministrators,cn=groups,cn=OracleContext,realm_DN in the default realm. This group has privileges to perform all operations on any entry under the DN of the default realm.

You should not need to customize the ACLs for import synchronization with the default realm that is installed with Oracle Internet Directory Release 11g Release 1 (11.1.1). If you are upgrading from an earlier version of Oracle Internet Directory, or if the synchronization is with a nondefault Oracle Internet Directory realm, then be sure that the necessary privileges in the proper subtree or containers are granted to the import profiles handling the synchronization.

See Also: The section about modifying configuration settings for an identity management realm in Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management