Create the following ACLs. Refer to

19-24 Oracle Fusion Middleware Administrators Guide for Oracle Virtual Directory

2. If it does not already exist, add the realm root for the second domain by performing the following steps:

a. Create an LDIF file using the following example. Replace the VARIABLES with the appropriate DN and orclsubscriberfullname of the second domain:

dn: DN_OF_SECOND_DOMAIN
dc: DC_OF_SECOND_DOMAIN
o: O_OF_SECOND_DOMAIN
objectclass: domain
objectclass: organization
objectclass: orclSubscriber
orclsubscriberfullname: ORCLSUBSCRIBERFULLNAME_OF_SECOND_DOMAIN
orclVersion: 90400

Where DN_OF_SECOND_DOMAIN is the domain DN of the second domain that you want to see in Oracle Virtual Directory.

b. Update Oracle Virtual Directory with the new LDIF file. For example:

ORACLE_HOME/bin/ldapadd -h Oracle_Virtual_Directory_Host -p Port \
-D bindDN -q -v -f LDIF_File
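The realm-root LDIF above is usually typed by hand, and the most common mistake is a dc value that does not match the leading RDN of the DN, which the directory rejects at ldapadd time. The following script is an added example (not code from the Oracle guide) that fills in the DN_OF_SECOND_DOMAIN, DC_OF_SECOND_DOMAIN, O_OF_SECOND_DOMAIN and ORCLSUBSCRIBERFULLNAME_OF_SECOND_DOMAIN placeholders from a domain DN and checks the naming attribute before the file is submitted. The sample DN dc=sales,dc=example,dc=com is constructed, and defaulting o to the dc value is this example's choice, not something the guide specifies.

```python
"""Generate and sanity-check the realm-root LDIF for an additional EUS domain.

Added example, not code from the Oracle guide. It fills in the
DN_OF_SECOND_DOMAIN / DC_OF_SECOND_DOMAIN / O_OF_SECOND_DOMAIN /
ORCLSUBSCRIBERFULLNAME_OF_SECOND_DOMAIN placeholders and checks that the
value of the DN's leading RDN is present as an attribute of the entry,
which directory servers require for a new entry.
"""
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, leftmost first.

    Only simple RDNs are handled; escaped commas and multi-valued RDNs
    (attr1=a+attr2=b) raise so a bad DN is caught before it reaches the server.
    """
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip() or "+" in part or "\\" in part:
            raise ValueError(f"unsupported or malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def realm_root_ldif(domain_dn: str, subscriber_fullname: str,
                    org_name: Optional[str] = None) -> str:
    """Return the LDIF that creates the realm root entry for domain_dn.

    org_name defaults to the dc value; that default is this example's
    assumption, the guide leaves O_OF_SECOND_DOMAIN as a value you supply.
    """
    rdns = parse_dn(domain_dn)
    lead_attr, lead_value = rdns[0]
    if lead_attr != "dc":
        raise ValueError("realm root DN must start with a dc= RDN so the dc "
                         "attribute can name the entry")
    if not subscriber_fullname.strip():
        raise ValueError("orclsubscriberfullname must not be empty")
    lines = [
        f"dn: {domain_dn}",
        f"dc: {lead_value}",
        f"o: {org_name or lead_value}",
        "objectclass: domain",
        "objectclass: organization",
        "objectclass: orclSubscriber",
        f"orclsubscriberfullname: {subscriber_fullname}",
        "orclVersion: 90400",
    ]
    return "\n".join(lines) + "\n"


def ldif_naming_attr_present(ldif: str) -> bool:
    """Return True when the value of the DN's leading RDN is also present as
    an attribute of the entry (the usual cause of a naming violation from
    ldapadd when a realm root is typed by hand). Plain 'attr: value' LDIF
    only; base64 ('::') values are not decoded."""
    entry = {}
    dn = None
    for line in ldif.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            entry.setdefault(key, []).append(value)
    if dn is None:
        return False
    attr, value = parse_dn(dn)[0]
    return value in entry.get(attr, [])


if __name__ == "__main__":
    # Constructed sample domain; substitute your second domain's DN.
    sample = realm_root_ldif("dc=sales,dc=example,dc=com", "sales.example.com")
    print(sample)
    print("naming attribute present:", ldif_naming_attr_present(sample))
```

Write the returned string to a file and pass it to ldapadd with -f exactly as in step 2b; the check function can also be run over an LDIF you wrote by hand before submitting it.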

3. Create a new LDAP Adapter for the second domain using the EUS_Directory-Type adapter template that is specific to the directory type. Enter the host name, port number, proxy DN, and password of the second domain. Be sure to configure the Remote Base and Mapped Namespace where the namespace is the DN_OF_SECOND_DOMAIN from the previous step. Refer to Creating LDAP Adapters on page 12-3 for information about creating LDAP Adapters.

Note: If you are not using Enterprise Roles, you may use any directory server for the first domain. However, if you plan to use Enterprise Roles, Oracle recommends using Oracle Internet Directory as the first domain. Microsoft Active Directory and Novell eDirectory have DN syntax validation, and if the second domain's DN does not exist in the first domain, you cannot complete this configuration.

4. Configure the Mappings for the second domain LDAP Adapter by clicking the Create Mapping button on the Plug-Ins tab for the adapter. The Mapping you use depends on the type of directory you are using.
■ Use EUS_EDir.py for Novell eDirectory
■ Use EUS_ActiveDirectory.py for Active Directory
■ Use EUS_Sun.py for Oracle Directory Server Enterprise Edition

Note: Do not configure a Mapping if you are using Oracle Internet Directory.

5. Update Access Control Lists to protect the user entry and to allow the database account to access the password. You may skip this step if the Access Control Lists that were configured for the first domain cover the second domain's mapped namespace.

a. Create the following ACLs. Refer to Creating Access Control Lists Using Oracle Directory Services Manager on page 16-1 for information on creating ACLs:

Note: In the following ACLs, Mapped Namespace for second domain is the DN you used for the Oracle Virtual Directory Mapped Namespace in step 3.

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: Entry
Grant: Browse DN and Return DN
Access: Public

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: All Attributes
Grant: Search and Read
Access: Public

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: orclaccountstatusevent
Deny: All operations
Access: Public

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: orclaccountstatusevent
Grant: Write
Access: Group with DN of cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com
Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain.

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: authpassword
Deny: All operations
Access: Public

Note: The following ACL must be the last ACL in the ACL list for the Mapped Namespace for second domain.

Target DN: Mapped Namespace for second domain
Scope: subtree
Applies To: authpassword
Grant: Search and Read
Access: Group with DN of cn=EUSDBGroup,dc=dbdemo,dc=orion,dc=com
Note: Replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain.

6. Update the Oracle Context with the newly added namespace by performing the following steps:

a. Create an LDIF file like the following example and replace dc=dbdemo,dc=orion,dc=com with the DN of your first domain:

dn: cn=Common,cn=Products,cn=OracleContext,dc=dbdemo,dc=orion,dc=com
changetype: modify
add: orclcommonusersearchbase
orclcommonusersearchbase: Mapped_Namespace_for_Second_Domain

b. Update Oracle Virtual Directory using the LDIF file. For example:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p Port \
-D bindDN -q -v -f LDIF_File

7. Repeat steps 2-6 to support additional domains.

Note: To log in to the database as an enterprise user from any of these additional domains, you must create the User-Schema Mappings for the additional user containers from Enterprise Security Manager or Enterprise Manager. Refer to Oracle® Database Enterprise User Security Administrators Guide for instructions.

19.2.5 Enabling User Account Lockout

LDAP servers can lock a user account after several bind attempts fail. The Oracle Virtual Directory-Enterprise User Security integration can use this lockout feature and enforce the back-end LDAP server's password lockout policy as follows:
■ An incorrect login to the Oracle Database records a login failure to the back-end LDAP server
■ A correct login to the Oracle Database resets the login failure count in the back-end LDAP server

Note: This functionality is not available for integrations that use Active Directory.