User and Role API and the Oracle WebLogic Server Authenticators

Developing with the User and Role API 25-9

Run-time Configuration Properties

Properties set at runtime affect all subsequent operations executed by the provider and control the behavior of the IdentityStore instance of the provider. Runtime properties are configured by specifying the appropriate parameters and values for the StoreConfiguration object obtained from the IdentityStore instance. All runtime properties have default values when the IdentityStore instance is created, and can be subsequently changed. Table 25–3 lists the run-time configuration properties:

Table 25–3 (Cont.) Start-time Identity Provider Configuration Properties

Property Name / Description

ST_GROUP_NAME_ATTR
    The attribute used to determine the role name in the identity repository.
ST_USER_LOGIN_ATTR
    The attribute used to determine the login ID of the user in the identity repository.
ST_SECURITY_PRINCIPAL
    The user principal.
ST_SECURITY_CREDENTIALS
    The credentials necessary to log in to the identity repository.
ST_LDAP_URL
    The URL of the identity repository.
ST_MAX_SEARCHFILTER_LENGTH
    The maximum length of the search filter allowed by the LDAP server.
ST_LOGGER
    The logger object that is to be used by the API.
ST_SUBSCRIBER_NAME
    The base DN of operations in the LDAP server. This property is specified while creating the IdentityStore instance and is used to determine default values for the remaining properties. It must be specified while creating the IdentityStore instance; subsequent changes to its value have no effect on IdentityStore behavior.
ST_CONNECTION_POOL_CLASS
    The fully-qualified class name of the connection pool implementation.
ST_INITIAL_CONTEXT_FACTORY
    The fully-qualified class name of the initial context factory that will create the initial context.

25-10 Oracle Fusion Middleware Application Security Guide

Table 25–4 Runtime Identity Provider Configuration Properties

Property Name / Description

RT_USER_OBJECT_CLASSES
    Array of object classes required to create a user in the LDAP server.
RT_USER_MANDATORY_ATTRS
    Attribute names that must be specified while creating a user.
RT_USER_CREATE_BASES
    Base DNs in the LDAP server where a new user can be created.
RT_USER_SEARCH_BASES
    The base DNs in the LDAP server that can be searched for users.
RT_USER_FILTER_OBJECT_CLASSES
    Array of object classes to use when searching for a user in the LDAP server.
RT_GROUP_OBJECT_CLASSES
    Array of object classes required to create a role in the LDAP server.
RT_GROUP_MANDATORY_ATTRS
    Attribute names that must be specified when creating a role.
RT_GROUP_CREATE_BASES
    The base DNs in the LDAP server where a new role can be created.
RT_GROUP_SEARCH_BASES
    The base DNs in the LDAP server that can be searched for a role.
RT_GROUP_MEMBER_ATTRS
    An array of member attributes in a role. All members of a role have values for these attributes.
RT_GROUP_FILTER_OBJECT_CLASSES
    An array of object classes to use when searching for a role in the LDAP server.
RT_USER_SELECTED_CREATE_BASE
    The currently selected user create base. The user will be created in this base DN upon execution of the createUser call. If the selected create base is null and ST_SUBSCRIBER_NAME is not specified, the first supplied value of RT_USER_CREATE_BASES is used. If ST_SUBSCRIBER_NAME is specified, the default value is relative to the subscriber name, based on the identity store type.
RT_GROUP_SELECTED_CREATE_BASE
    The currently selected role create base. The role will be created in this base DN upon execution of the createRole call. If the selected create base is null and ST_SUBSCRIBER_NAME is not specified, the first supplied value of RT_GROUP_CREATE_BASES is used. If ST_SUBSCRIBER_NAME is specified, the default value is relative to the subscriber name, based on the identity store type.
RT_GROUP_GENERIC_SEARCH_BASE
    A generic role search base to use when searching the roles related to a given identity. For example, when searching all granted roles for a user, or all managed roles for a user, a search base is needed under which all the required groups reside; this helps in optimizing the searches. This search base is usually a common parent. By default, in all LDAP providers this value is set to the subscriber name if one is provided; otherwise the first group search base is used.
RT_SEARCH_TYPE
    Determines whether a search on the LDAP server should be of type SIMPLE, PAGED, or VIRTUAL_LIST_VIEW.

25.3.5.2 ECID Propagation

By default, ECID support is disabled in the User and Role API. When initializing the API, set the ST_ECID_ENABLED property to true for ECID support, as illustrated in the following example:

    factEnv.put(OVDIdentityStoreFactory.ST_ECID_ENABLED, "true");

Note: This action is necessary only if either Oracle Internet Directory or Oracle Virtual Directory is used as the back-end identity store. It is not necessary if using other repositories such as Microsoft Active Directory or Novell eDirectory.

25.3.5.3 When to Pass Configuration Values

You can specify configuration data:

■ when creating a factory instance
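The following is an added example, not code from the guide, that puts the start-time and run-time distinction together: start-time properties (including ST_ECID_ENABLED and ST_SUBSCRIBER_NAME) are passed when the factory and store are created, and run-time properties are changed afterwards through the StoreConfiguration. The host name, DNs, the environment variable holding the bind password, the class carrying the RT_ constants, and the "PAGED" value string for RT_SEARCH_TYPE are assumptions.

```java
import java.util.Hashtable;

import oracle.security.idm.IMException;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.IdentityStoreFactory;
import oracle.security.idm.IdentityStoreFactoryBuilder;
import oracle.security.idm.StoreConfiguration;
import oracle.security.idm.providers.ovd.OVDIdentityStoreFactory;

public class UserRoleApiConfigExample {

    public static IdentityStore openStore() throws IMException {
        // Start-time properties: fixed for the lifetime of the factory and its stores.
        Hashtable<String, Object> factEnv = new Hashtable<String, Object>();
        factEnv.put(OVDIdentityStoreFactory.ST_LDAP_URL, "ldap://ovdhost.example.com:6501/"); // assumed host
        // Bind as a dedicated, least-privilege service account (assumed DN), never as the directory admin.
        factEnv.put(OVDIdentityStoreFactory.ST_SECURITY_PRINCIPAL, "cn=urapi-svc,cn=users,dc=example,dc=com");
        // Read the bind password from the environment instead of hard-coding it (assumed variable name).
        factEnv.put(OVDIdentityStoreFactory.ST_SECURITY_CREDENTIALS, System.getenv("URAPI_BIND_PASSWORD"));
        // ECID support is off by default; it is enabled at factory creation time (OID/OVD back ends only).
        factEnv.put(OVDIdentityStoreFactory.ST_ECID_ENABLED, "true");

        IdentityStoreFactoryBuilder builder = new IdentityStoreFactoryBuilder();
        IdentityStoreFactory factory = builder.getIdentityStoreFactory(
                "oracle.security.idm.providers.ovd.OVDIdentityStoreFactory", factEnv);

        // ST_SUBSCRIBER_NAME must be supplied when the store is created; later changes are ignored.
        Hashtable<String, Object> storeEnv = new Hashtable<String, Object>();
        storeEnv.put(OVDIdentityStoreFactory.ST_SUBSCRIBER_NAME, "dc=example,dc=com");
        IdentityStore store = factory.getIdentityStoreInstance(storeEnv);

        // Run-time properties: changed through the StoreConfiguration, affecting all subsequent calls.
        StoreConfiguration conf = store.getStoreConfiguration();
        // Paged searches keep large role lookups within the server's size limits (value string assumed).
        conf.setProperty(OVDIdentityStoreFactory.RT_SEARCH_TYPE, "PAGED");
        // Narrow role-related searches to the common parent of all groups (assumed DN).
        conf.setProperty(OVDIdentityStoreFactory.RT_GROUP_GENERIC_SEARCH_BASE, "cn=groups,dc=example,dc=com");
        // Pin createUser to one container so new entries cannot land in an unintended base (assumed DN).
        conf.setProperty(OVDIdentityStoreFactory.RT_USER_SELECTED_CREATE_BASE, "cn=users,dc=example,dc=com");
        return store;
    }
}
```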