What is a Listener? Configuring Oracle Virtual Directory to Listen on Privileged Ports

Creating and Managing Oracle Virtual Directory Listeners 11-3

11.3 Configuring Oracle Virtual Directory to Listen on Privileged Ports

Perform the following steps to enable Oracle Virtual Directory 11g Release 1 (11.1.1.2.0) and higher on UNIX/Linux platforms to listen on privileged ports, that is, port numbers less than 1024:

1. As the same user that installed Oracle Virtual Directory, create the cap.ora file as follows:

   echo `id -ng`: bind > /tmp/cap.ora

2. Using the Oracle Process Manager and Notification Server (OPMN) control command, stop all components:

   ORACLE_INSTANCE/bin/opmnctl stopall

3. Change to root user permissions:

   su root

4. Update the ORACLE_HOME/bin/hasbind file by performing the following steps:

   a. Change ownership of the file to root:

      chown root ORACLE_HOME/bin/hasbind

   b. Change the permissions on the file as follows:

      chmod 4755 ORACLE_HOME/bin/hasbind

5. Copy the cap.ora file you created in step 1 to the /etc directory:

   cp /tmp/cap.ora /etc/cap.ora

6. Change the permissions on the /etc/cap.ora file as follows:

   chmod 644 /etc/cap.ora

7. As the same user that installed Oracle Virtual Directory, start Oracle Virtual Directory and enable it to listen on privileged ports by using the following command:

   ORACLE_HOME/bin/hasocket ORACLE_INSTANCE/bin/opmnctl startall

   Note: To enable Oracle Virtual Directory to listen on privileged ports, you must start it using only this command.

After performing the steps in this procedure, Oracle Virtual Directory listeners can listen on privileged ports. You can create new listeners and enter privileged port numbers, or edit existing listeners to use privileged port numbers.

Note that step 4 turns hasbind into a setuid-root executable, and the /etc/cap.ora entry written in step 1 names the one group (the installing user's primary group) that may use it to acquire the bind privilege. Keep both files owned by root and writable only by root, as the chmod values above already arrange.
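The following script checks the end state that the seven steps above are supposed to leave behind: hasbind owned by root with mode 4755, /etc/cap.ora with mode 644 and a "<group>: bind" line for the installing user's primary group, and at least one TCP listener actually bound below port 1024. It is an added example, not part of the Oracle documentation or product; it assumes GNU coreutils stat and iproute2 ss (a Linux host), and the script name and its two arguments are hypothetical.

```shell
#!/bin/sh
# Post-check for the Section 11.3 privileged-port procedure (added example,
# not Oracle's code). Assumes GNU stat and iproute2 ss, i.e. a Linux host.
# Usage: sh check_privports.sh ORACLE_HOME ORACLE_INSTANCE   (hypothetical name)

# Print the octal mode (including setuid bit) and owner of a file, e.g. "4755 root".
file_mode_owner() { stat -c '%a %U' "$1" 2>/dev/null; }

# Step 4: hasbind must be owned by root and setuid (4755). Without the setuid
# bit the unprivileged OVD user cannot bind below 1024; with it, hasbind is a
# setuid-root binary and deserves the same scrutiny as any other.
check_hasbind() {
  f="$1"; mo="$(file_mode_owner "$f")"
  [ "$mo" = "4755 root" ] || { echo "FAIL: $f is '${mo:-missing}', expected '4755 root'"; return 1; }
  echo "OK: $f is setuid root (4755)"
}

# Steps 1, 5, 6: /etc/cap.ora must be mode 644 and contain the line that
# `echo \`id -ng\`: bind` wrote, i.e. "<primary group>: bind".
check_cap_ora() {
  capfile="$1"; group="$2"
  mode="$(file_mode_owner "$capfile")"
  case "$mode" in
    644\ *) ;;
    *) echo "FAIL: $capfile mode is '${mode:-missing}', expected 644"; return 1 ;;
  esac
  grep -qxF "$group: bind" "$capfile" \
    || { echo "FAIL: no '$group: bind' entry in $capfile"; return 1; }
  echo "OK: $capfile grants bind to group $group"
}

# Step 7 result: some TCP listener is bound to a privileged port. Prints each
# listening port below 1024 and returns 1 if there is none.
check_privileged_listener() {
  ss -Hltn 2>/dev/null | awk '{
      n = split($4, a, ":"); p = a[n] + 0
      if (p < 1024) { found = 1; print "OK: listening on privileged port", p }
    } END { exit !found }'
}

main() {
  oracle_home="$1"; oracle_instance="$2"
  rc=0
  check_hasbind "$oracle_home/bin/hasbind" || rc=1
  check_cap_ora /etc/cap.ora "$(id -ng)" || rc=1
  check_privileged_listener \
    || { echo "FAIL: no TCP listener below port 1024; was OVD started through hasocket? (see $oracle_instance/bin/opmnctl status)"; rc=1; }
  return $rc
}

if [ $# -eq 2 ]; then main "$@"; fi
```

Run it as the installing user after step 7; each FAIL line names the step whose result is missing. The listener check is deliberately generic (any port below 1024), since the privileged port number is whatever you later enter in the listener configuration.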

11.4 Creating and Managing Listeners Using Fusion Middleware Control

This topic explains how to create and manage Oracle Virtual Directory Listeners using Oracle Enterprise Manager Fusion Middleware Control and contains the following sections:

■ Creating LDAP Listeners
■ Creating HTTP Listeners
■ Managing Listeners

11.4.1 Creating LDAP Listeners

Perform the following steps to create an LDAP Listener using Oracle Enterprise Manager Fusion Middleware Control. Typically, when running secure and non-secure LDAP, at least two Listeners are configured: one for regular LDAP (default port 6501) and one for secure LDAP using SSL (default port 7501).

1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where you want to create the LDAP Listener.

2. Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.

3. Click the Create button. The Add Listener screen appears.

4. Select LDAP from the Listener Type list and set values for the LDAP Listener configuration parameters as described in Table 11–1.

Table 11–1 LDAP Listener Configuration Parameters

Basic

Listener Name: Name of the Listener. Use only ASCII characters in the value for the Listener Name parameter, as non-ASCII characters are not supported. In addition, do not use any of the following characters in a listener name: | ; , \ ` ~ { } [ ] = + space or tab

Listener Host: The IP address the Listener should use to listen for connections from clients. By default, Oracle Virtual Directory listens on all IP addresses if no value or 0.0.0.0 is specified for this parameter. If you set this parameter to an IP address or host, the Listener uses that IP address or host to listen for connections from clients, regardless of whether the IP address or host is virtual or real. Note: Do not use a loopback address (127.0.0.1, ::1, localhost, and so on) for the Listener Host setting.

Listener Port: The port number on which the Listener provides service. Only one Listener per server can be active on a port at any given time. If Oracle Virtual Directory is installed on the same server as an existing directory server, for example, an Active Directory domain controller, enter a port that does not conflict with the existing service.

Threads: The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you enter an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.

Listener Enabled: Enables (selected) or disables (not selected) the Listener for service.

LDAP Options

Anonymous Bind: Controls how Oracle Virtual Directory handles LDAP anonymous authentication. Allow permits anonymous authentication; Deny prevents anonymous operations; DenyDNOnly permits anonymous binds but rejects binds that supply a DN with an empty password. Note: Under the original LDAPv3 specification (RFC 2251), a bind request that carries a non-empty DN and an empty password is treated as an anonymous bind and succeeds; RFC 4513 later named this an unauthenticated bind and recommended that servers reject it by default. For applications that use LDAP for authentication, a server that accepts it could allow end users to log in to their applications without entering a password. Most LDAP-enabled applications guard against this case themselves; as an extra safeguard, you can set Anonymous Bind to DenyDNOnly so that Oracle Virtual Directory rejects such binds.

Work Queue Capacity: The maximum number of pending LDAP requests that can accumulate when all worker threads associated with the LDAP Listener are busy processing requests. Once the specified capacity is reached, the LDAP Listener rejects new requests with a "DSA is busy" error. The default value is 1024.

Allow StartTLS: Determines whether LDAP clients can use StartTLS. If enabled, the LDAP Listener allows clients to use the StartTLS extended operation to initiate secure communication over an insecure channel.

Socket Options

Backlog: The maximum number of pending connection requests that can accumulate before the server starts rejecting new connection attempts. The default setting is 128.

Read Timeout: The idle timeout for client connections, in milliseconds. If set to a nonzero value, a client connection to the Oracle Virtual Directory server can remain idle only for that amount of time; if it stays idle longer, the server terminates the connection. A value of zero means no timeout. The default value is 0.

Reuse Address: Determines whether the LDAP Listener should reuse socket descriptors. If enabled, socket descriptors for clients in the TIME_WAIT state can be reused.

TCP Keep Alive: Determines whether the LDAP connection should use TCP keep-alive. If enabled, TCP keep-alive messages are periodically sent to the client to verify that the associated connection is still valid.

TCP No Delay: Determines whether the LDAP connection should use TCP no-delay. If enabled, response messages to the client are sent immediately, rather than potentially waiting to determine whether additional response messages can be sent in the same packet.

5. Click the OK button on the Add Listener screen to save the LDAP Listener.
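The two Table 11–1 settings with the most security weight are Anonymous Bind and Allow StartTLS, and both can be verified from the outside once the Listener is saved. The script below probes a Listener with an anonymous bind, an unauthenticated bind (a DN with an empty password, the case the Anonymous Bind note describes), and a StartTLS negotiation, and reports what the server did. It is an added example, not part of the Oracle documentation or product; it assumes the OpenLDAP client tools (ldapwhoami, ldapsearch) on the probing host, a Listener reachable at HOST:PORT, and a DN that exists in the directory whose password you do not supply; the script name is hypothetical.

```shell
#!/bin/sh
# Probe an OVD LDAP Listener's Anonymous Bind and Allow StartTLS settings
# (added example, not Oracle's code). Assumes OpenLDAP's ldapwhoami and
# ldapsearch. Usage (hypothetical name):
#   sh probe_listener.sh HOST PORT "cn=someuser,dc=example,dc=com"
#
# Expected verdicts for the Anonymous Bind parameter (from Table 11-1):
#   Allow        anonymous: accepted   DN + empty password: accepted
#   DenyDNOnly   anonymous: accepted   DN + empty password: rejected
#   Deny         anonymous: rejected   DN + empty password: rejected

# OpenLDAP tools exit with the LDAP resultCode of the failed operation:
# 0 success, 48 inappropriateAuthentication, 49 invalidCredentials,
# 53 unwillingToPerform. Any other status means the probe itself did not
# complete (for example, exit 1 when -ZZ could not negotiate StartTLS).
classify_bind() {
  case "$1" in
    0)        echo accepted ;;
    48|49|53) echo rejected ;;
    *)        echo "error($1)" ;;
  esac
}

# Run ldapwhoami with the given arguments and print a label plus the verdict.
probe() {
  label="$1"; shift
  ldapwhoami -x "$@" >/dev/null 2>&1
  rc=$?
  printf '%-42s %s\n' "$label" "$(classify_bind "$rc")"
}

# True if the root DSE advertises the StartTLS extended operation
# (OID 1.3.6.1.4.1.1466.20037), which is what Allow StartTLS turns on.
advertises_starttls() {
  ldapsearch -x -LLL -H "ldap://$1:$2" -s base -b '' supportedExtension 2>/dev/null \
    | grep -q '1\.3\.6\.1\.4\.1\.1466\.20037'
}

probe_listener() {
  host="$1"; port="$2"; dn="$3"; url="ldap://$host:$port"
  # -x with no -D is a plain anonymous simple bind.
  probe "anonymous bind (no DN, no password)" -H "$url"
  # -D with -w '' sends a simple bind carrying the DN and an empty password,
  # the unauthenticated bind that DenyDNOnly exists to reject.
  probe "unauthenticated bind (DN, empty pw)" -H "$url" -D "$dn" -w ''
  if advertises_starttls "$host" "$port"; then
    # -ZZ requires StartTLS to succeed before the (anonymous) bind is sent.
    # A self-signed listener certificate makes this fail unless the client
    # trusts it (TLS_CACERT / TLS_REQCERT in ldap.conf).
    probe "StartTLS, then anonymous bind" -H "$url" -ZZ
  else
    echo "StartTLS not advertised in root DSE (Allow StartTLS off, or listener has no keystore)"
  fi
}

if [ $# -eq 3 ]; then probe_listener "$@"; fi
```

Read the output against the expectation table in the header comment: an "accepted" verdict on the unauthenticated-bind line means the Listener is still set to Allow and any client that sends a DN without a password gets a successful bind.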