What is Routing? Oracle Fusion Middleware Online Documentation Library

operations and keeps partners from seeing queries that are not related to their own directory.

The Oracle Virtual Directory routing process analyzes LDAP client search filters in addition to traditional adapter suffix comparison and further refines eligible adapters for processing.

Routing Example

Consider the example virtual directory structure shown in Figure 3–1 that has the following four adapters configured:

■ Adapter 0 forms the root of the directory tree and maps to o=AppView. This adapter holds the virtual root of the tree and local entries such as access control groups.
■ Adapters 1-3 map each directory source to positions beneath the ou=People branch of the new application tree.

Figure 3–1 Example Virtual Directory Structure
[Figure labels: AppView (Adapter 0); Groups; Application; People; Division A (Adapter 1); Division B (Adapter 2); External Users C (Adapter 3)]

For example, suppose an application that uses the directory in Figure 3–1 has little intelligence regarding a directory service: it was originally designed for a single business and does not understand that multiple business user groups may be using the same application. Instead of expecting a varied and diverse directory tree structure, the application only searches the directory from one common directory hierarchy point, or one common base. For this example, say the application only searches the directory from ou=People,o=AppView. When a user enters a login credential such as jim.smith@divisionB.com, the application issues the following search:

■ base: ou=People,o=AppView
■ scope: subtree
■ filter: uid=jim.smith@divisionb.com

After receiving this query, Oracle Virtual Directory automatically selects all adapters eligible for this query. Since the query is at the base of the tree, all adapters are selected, which creates a performance problem. If all the other companies exist lower in the directory structure, for example, ou=DivisionB,ou=People,o=AppView, then by default, all directory sources are searched because their branches are below the parent ou=People,o=AppView.

To resolve this issue, Oracle Virtual Directory provides routing inclusion and exclusion filters. You can use these filters to filter traffic for any particular partner directory. In this example, the administrator can set up the following Routing Include filters:

■ Division A Adapter: uid=*@divisiona.com
■ Division B Adapter: uid=*@divisionb.com
■ Division C Adapter: uid=*@divisionc.com

Even though the base of the LDAP client search would normally have selected all directories, the filters specify that the search for uid=jim.smith@divisionb.com should go only to the Division B directory. Figure 3–2 shows the three shaded adapters that would normally be selected, while the dotted area shows that after filter processing, only Division B's data is searched.

Figure 3–2 Example of Adapter Search With Filters

In addition to filtering queries, Oracle Virtual Directory also lets you assign priorities to each adapter. The adapter with the lower priority number is always queried first. Adapters with the same priority number are searched in order of definition in the configuration file. When conflicts occur, for example, two entries with the same DN, Oracle Virtual Directory always accepts only the response from the lower numbered adapter in priority or configuration. When routing filters fail to select a single adapter, potential conflicts are resolved by priority selection.
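The routing decision described above (suffix comparison, then Routing Include filters, then priority) can be followed in a small Python model. This is an added example, not Oracle's code or configuration syntax: the `Adapter` class, the `route` function, the glob form of the include patterns, and the Division A and Division C DNs are assumptions, and Adapter 0 is left out so that the result lines up with the three partner adapters of Figure 3–2.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Adapter:
    name: str
    root: str               # namespace the adapter is mounted at
    include_uid: str = ""   # simplified Routing Include filter: glob on uid
    priority: int = 50      # 1 = highest, 100 = lowest, 50 = default

def rdns(dn):
    return [part.strip().lower() for part in dn.split(",")]

def is_under(dn, ancestor):
    """True when dn equals ancestor or sits below it in the tree."""
    d, a = rdns(dn), rdns(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def route(adapters, base, scope, client_filter):
    attr, _, value = client_filter.strip("()").partition("=")
    # 1. Suffix comparison: the base lies inside the adapter's namespace,
    #    or a subtree search starts above it.
    eligible = [a for a in adapters
                if is_under(base, a.root)
                or (scope == "subtree" and is_under(a.root, base))]
    # 2. Include filters refine the set. Assumption of this model: a client
    #    filter that does not test uid is left unnarrowed.
    if attr.strip().lower() == "uid":
        eligible = [a for a in eligible
                    if not a.include_uid
                    or fnmatchcase(value.lower(), a.include_uid.lower())]
    # 3. Lower priority number first; sorted() is stable, so adapters with
    #    equal priority keep their definition order.
    return [a.name for a in sorted(eligible, key=lambda a: a.priority)]

# Constructed sample data. Only the Division B DN appears in the guide;
# the other two roots are assumed by analogy.
PARTNERS = [
    Adapter("Division A", "ou=DivisionA,ou=People,o=AppView", "*@divisiona.com"),
    Adapter("Division B", "ou=DivisionB,ou=People,o=AppView", "*@divisionb.com"),
    Adapter("Division C", "ou=DivisionC,ou=People,o=AppView", "*@divisionc.com"),
]
# Overlapping namespaces during a migration: the newer adapter is given a
# number lower than the default 50 so that it is processed first.
MIGRATION = [Adapter("Existing", "ou=People,o=AppView"),
             Adapter("New", "ou=People,o=AppView", priority=10)]

if __name__ == "__main__":
    query = ("ou=People,o=AppView", "subtree", "uid=jim.smith@divisionb.com")
    print(route(PARTNERS, *query))
    print(route(MIGRATION, *query))
```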

3.2 Understanding Routing Settings

After you create an adapter, you can configure the routing for that adapter using the adapter's Routing tab in Oracle Directory Services Manager. This topic describes the adapter routing settings available on the Routing tab and includes the following sections:

■ Priority
■ Filters to Include and Filters to Exclude
■ DN Matching
■ Levels
■ Attribute Flow Settings
■ Visibility
■ Bind Support
■ Criticality
■ Views
■ Include Binds From and Exclude Binds From

3.2.1 Priority

Sometimes it may be necessary to constrain Oracle Virtual Directory to process certain adapters before others, for example, when two or more adapters have overlapping namespaces. This situation can occur when bringing new directories into service while the existing directories must remain online.

The Priority setting determines the priority with which the adapter is to be treated relative to other adapters. 1 is the highest priority, 100 is the lowest priority, and 50 is the default setting. In the example situation described above when bringing new directories into service while the existing directories must remain online, the Priority setting of the newer, more significant adapter should be set to a higher priority, that is, a number lower than the default 50 and also lower in respect to the existing adapter whose namespace overlaps with it.

Priority is used as the last chance selector when all other routing parameters have been processed. Given two otherwise equal candidates, the adapter with the higher priority, meaning lower number, is processed first. Adapters with the same priority number are searched in order of definition in the configuration file.

When conflicts occur for a search operation, for example, two adapters that support the same DN, Oracle Virtual Directory uses the adapter with the lowest priority number in the configuration first. During modify operations, Oracle Virtual Directory only processes entries within the adapter that are matched first moving up the tree from the entry.

3.2.2 Filters to Include and Filters to Exclude

The Filters to Include and Filters to Exclude settings are essentially filters of a filter and apply to the LDAP search filters specified by a client. If a client search filter fulfills the logical requirements defined in the Filters to Include setting, that adapter is selected for inclusion in the set of adapters used in the search. Similarly, for the Filters to Exclude setting, if the logical requirements are met, that adapter is deselected from the set of adapters used in the client search.

The format for the Filters to Include and Filters to Exclude fields is a standard LDAP search filter followed by a scope term, either base, one, or sub. The scope indicates at what scope level the filter should be applied. For example, filters using the

Note: Click the Apply button on an adapter's Routing tab to apply changes you made to the adapter's Routing settings. Click the Revert button to go back to the Routing settings that were configured before you made changes. You cannot revert the settings after clicking Apply.

Note: For maximum precision, Oracle recommends using the Filters to Include, Filters to Exclude, and DN Matching settings to arbitrate in configurations where multiple adapters may be selected.