Understanding Oracle Virtual Directory Plug-Ins

■ SubschemaSubentry Plug-In
■ Understanding the Enterprise User Security and Oracle Net Services Plug-Ins
■ Active Directory Ranged Attributes Plug-In
■ InetAD Plug-In

4.4.1 ActiveDirectory Password Plug-In

Active Directory and ADAM have special rules about how the password of a user may be updated by using LDAP, including:

■ Passwords may only be updated through a secure SSL connection.
■ If a user is updating their own password, the original password must be included in a modify delete, with the new password being a modify add in the same modify operation.
■ Only an administrator may reset the password of a user without knowing the previous password.
■ Active Directory does not use the userPassword attribute; it uses the unicodePwd attribute, which is in Unicode format.

The ActiveDirectory Password plug-in helps administrators with Active Directory's password update rules when an application is not designed to use them and it is not advantageous to connect to Active Directory or ADAM through SSL for all operations. By configuring the ActiveDirectory Password plug-in on a non-SSL enabled adapter and pointing the plug-in to an SSL-enabled adapter, this plug-in allows a password update on Active Directory to work as a password update on an inetOrgPerson directory would.
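The four rules above can be made concrete in code. The following is an added example, not code from the Oracle Virtual Directory product: it builds the LDAP modification list a client would send for a self-service change (delete old value, add new value in one modify) and for an administrative reset (a single replace), encodes the value the way Active Directory expects for unicodePwd (the password wrapped in double quotes and encoded as UTF-16LE), and checks the modification list against the rules before it would be sent. The translate_userpassword_mods function mimics the rewrite the plug-in is described as performing (userPassword to unicodePwd); the function names, the tuple shape of the modification list and the connection_is_tls / is_admin flags are assumptions made for the example.

```python
# Added example: Active Directory password-update rules expressed in code.
# Modification lists are represented as (operation, attribute, [values]) tuples,
# which is an assumption of this example, not an Oracle Virtual Directory API.

def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password the way AD's unicodePwd attribute expects:
    the clear-text password wrapped in double quotes, encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def self_change_modlist(old_password: str, new_password: str) -> list:
    """A user changing their own password: the old value is deleted and the
    new value added in the SAME modify operation, otherwise AD rejects it."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def admin_reset_modlist(new_password: str) -> list:
    """An administrator resetting a password: one replace, no old value needed."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def translate_userpassword_mods(mods: list) -> list:
    """Mimic the rewrite the plug-in performs (as described in the text):
    an inetOrgPerson-style userPassword modification becomes a unicodePwd
    modification carrying the Unicode-encoded value. Other attributes pass through."""
    translated = []
    for op, attr, values in mods:
        if attr.lower() == "userpassword":
            encoded = [
                encode_unicode_pwd(v.decode("utf-8") if isinstance(v, bytes) else v)
                for v in values
            ]
            translated.append((op, "unicodePwd", encoded))
        else:
            translated.append((op, attr, values))
    return translated


def validate_password_update(mods: list, connection_is_tls: bool, is_admin: bool) -> str:
    """Check a modification list against AD's password rules before sending it.
    Returns a short description of the update kind, or raises ValueError."""
    pwd_ops = [(op, attr) for op, attr, _ in mods if attr == "unicodePwd"]
    if not pwd_ops:
        return "no password change"
    # Rule 1: password updates only over a secure (SSL/TLS) connection.
    if not connection_is_tls:
        raise ValueError("unicodePwd may only be modified over an SSL/TLS connection")
    # Rule 3: only an administrator may replace without the old password.
    if pwd_ops == [("replace", "unicodePwd")]:
        if is_admin:
            return "admin reset"
        raise ValueError("a non-administrator must supply the old password (delete + add)")
    # Rule 2: self-service change is a delete of the old value plus an add of the new one.
    if pwd_ops == [("delete", "unicodePwd"), ("add", "unicodePwd")]:
        return "self change"
    raise ValueError(f"unsupported unicodePwd modification sequence: {pwd_ops}")


if __name__ == "__main__":
    # Constructed sample: an application sends an inetOrgPerson-style change.
    app_mods = [("delete", "userPassword", ["OldPassw0rd"]), ("add", "userPassword", ["NewPassw0rd"])]
    ad_mods = translate_userpassword_mods(app_mods)
    print(validate_password_update(ad_mods, connection_is_tls=True, is_admin=False))
```

The validation function is where a virtual directory or an application gateway would reject a request before it reaches Active Directory; a plug-in such as the one described above is what makes the non-SSL client path safe by doing the rewrite and then forwarding over the SSL-enabled adapter.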

4.4.1.1 Configuration Parameters

The ActiveDirectory Password plug-in has the following configuration parameters:

adapter
The name of the adapter to which the ActiveDirectory Password plug-in reroutes requests if they contain a userPassword attribute. The adapter identified must have the same virtual root as the current adapter, and its Routing Visibility setting must be set to Internal. If the adapter parameter is not defined, the current adapter is used.

mapPassword
Indicates whether the password must be converted to the unicodePwd attribute (true) or not (false). Supported values are true or false. The default value is true.

4.4.2 Active Directory Ranged Attributes Plug-In

Attributes in Active Directory and ADAM with more than 1000 values are returned 1000 at a time (1500 for Windows 2003), with an attribute name that includes the range of values that were returned. The range is returned to the client in the following format:

member;1-1000: somevalue

To get the next thousand entries, the client application must know to repeat the query and request the attribute member;1001-2000. This requires applications to handle Active Directory differently from other directory products.

Important: The ActiveDirectory plug-in must be configured only on an LDAP Adapter, typically against Microsoft Active Directory.
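The retrieval loop the text describes, as an added example that is not part of the Oracle documentation or product. Active Directory itself labels the range with the range option, for example member;range=0-999, and marks the final chunk with an asterisk as the upper bound (member;range=2000-*); the parser below accepts both that form and the simplified member;1-1000 notation used in the text. The FakeRangedDirectory class is a constructed stand-in for an AD/ADAM server that returns at most one page of values per request, so the example runs offline; its search method and the page size are assumptions of the example.

```python
# Added example: following Active Directory ranged attribute results until the
# server signals the last chunk. Not Oracle Virtual Directory code.
import re

PAGE_SIZE = 1000  # AD's default; the text notes Windows 2003 returns 1500 at a time

# Accepts "member;range=0-999", "member;range=2000-*" and the simplified
# "member;1-1000" form shown in the text above.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);(?:range=)?(?P<low>\d+)-(?P<high>\d+|\*)$")


def parse_range_attr(name: str):
    """Split a ranged attribute name into (base attribute, low, high).
    high is None when the server used '*' (last chunk); low and high are None
    when the name carries no range at all."""
    m = RANGE_RE.match(name)
    if not m:
        return name, None, None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("attr"), int(m.group("low")), high


class FakeRangedDirectory:
    """Constructed stand-in for an AD/ADAM server (assumption of this example).
    Returns at most page_size values per request and names the returned
    attribute with the range it covers, using '*' for the final chunk."""

    def __init__(self, values, page_size=PAGE_SIZE):
        self.values = list(values)
        self.page_size = page_size
        self.requests = 0  # lets a caller see how many round trips were needed

    def search(self, requested_attr: str) -> dict:
        self.requests += 1
        attr, low, _ = parse_range_attr(requested_attr)
        low = low or 0
        chunk = self.values[low:low + self.page_size]
        last = low + self.page_size >= len(self.values)
        label = "*" if last else str(low + len(chunk) - 1)
        return {f"{attr};range={low}-{label}": chunk}


def fetch_all_values(directory, attr: str) -> list:
    """Repeat the query, asking for the next range each time, until the server
    returns a chunk whose upper bound is '*' (or nothing at all)."""
    collected = []
    request = attr
    while True:
        result = directory.search(request)
        (name, values), = result.items()
        base, _low, high = parse_range_attr(name)
        collected.extend(values)
        if high is None or not values:
            return collected
        request = f"{base};range={high + 1}-*"


if __name__ == "__main__":
    # Constructed sample: a group with 2500 members.
    server = FakeRangedDirectory(f"cn=user{i},ou=people,dc=example,dc=com" for i in range(2500))
    members = fetch_all_values(server, "member")
    print(len(members), "values fetched in", server.requests, "requests")
```

A client that does not implement this loop silently sees only the first 1000 (or 1500) members of a large group, which matters when group membership drives authorisation decisions; the plug-in described in this section exists so that applications written against other directory products get the complete value list without this extra logic.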