2-30 Oracle Fusion Middleware Administrators Guide for Oracle Virtual Directory
■ User_LDAP-TYPE
Note: Some adapter templates use Python mapping scripts. The template configures the mapping script with the adapter's information, but the template does not deploy the mapping script. If you use an adapter template that uses a mapping script, you must explicitly deploy the mapping script to the Oracle Virtual Directory server after configuring the adapter.
2.9.2.1 Active_Directory
Use the Active_Directory template when connecting to a Microsoft Active Directory or Active Directory Application Mode target and you do not want to map Active Directory objects to InetOrgPerson objects.
Note: If you are connecting to a Microsoft Active Directory or Active Directory Application Mode target and you do want to map Active Directory objects to InetOrgPerson objects, use the OAMAD Adapter with Mapper template even if you are not integrating with Oracle Access Manager.
2.9.2.2 CA_eTrust
Use the CA_eTrust template when connecting to a Computer Associates CA eTrust directory.
2.9.2.3 Changelog_LDAP-TYPE
Use the Changelog_LDAP-TYPE templates when you require the source LDAP directory’s changelog information to be standardized into a suitable format. Oracle Virtual Directory includes adapter templates for Microsoft Active Directory (Changelog_ActiveDirectory), Oracle Internet Directory (Changelog_OID), and Oracle Directory Server Enterprise Edition (Changelog_SunOne).
Each Changelog_LDAP-TYPE template deploys the Changelog plug-in.
Note: Table 2–1 is deprecated in Oracle Virtual Directory release 11.1.1.4.0. The adapter templates noted in this table will not work in Oracle Virtual Directory release 11.1.1.4.0.
Table 2–1 Changelog Adapter Templates
| Source LDAP Directory | Adapter Template | Plug-In Deployed by Adapter Template |
|---|---|---|
| Oracle Internet Directory | Changelog_OID | oidchangelog |
| Microsoft Active Directory | Changelog_ActiveDirectory | adchangelog |
| Oracle Directory Server Enterprise Edition | Changelog_SunOne | sunonechangelog |
2.9.2.4 EUS_ActiveDirectory
Use the EUS_ActiveDirectory template for an Oracle Virtual Directory-Enterprise User Security integration that uses Active Directory. The EUS_ActiveDirectory simplifies the integration by deploying the following plug-ins:
■ Objectclass Mapper: Maps certain Oracle attributes and object classes so they can be managed in Active Directory.
■ Active Directory Password: Allows storage of the database password in Active Directory when the database registers with the directory.
■ EUSActiveDirectory: Converts certain Active Directory attributes, such as GUID, into a format that Enterprise User Security can use.
Understanding Oracle Virtual Directory Adapters 2-31
2.9.2.5 EUS_OID
Use the EUS_OID template for an Oracle Virtual Directory-Enterprise User Security integration that uses Oracle Internet Directory. The EUS_OID simplifies the integration
by deploying the EUSOID plug-in, which converts certain attributes to a consistent format for use with Enterprise User Security.
2.9.2.6 EUS_Sun
Use the EUS_Sun template for an Oracle Virtual Directory-Enterprise User Security integration that uses Oracle Directory Server Enterprise Edition. The EUS_Sun
simplifies the integration by deploying the following plug-ins:
■ Objectclass Mapper: Maps certain Oracle attributes and object classes so they can be managed in Oracle Directory Server Enterprise Edition.
■ EUSSun: Converts certain Oracle Directory Server Enterprise Edition attributes, such as GUID, into a format that Enterprise User Security can use.
2.9.2.7 EUS_eDirectory
Use the EUS_eDirectory template for Oracle Virtual Directory-Enterprise User Security integrations that use Novell eDirectory. The EUS_eDirectory simplifies the integration
by deploying the following plug-ins:
■ Objectclass Mapper: Maps certain Oracle attributes and object classes so they can be managed in eDirectory.
■ EUSeDirectory: Converts certain eDirectory attributes into a format that Enterprise User Security can use.
2.9.2.8 General_LDAP_Directory
The General_LDAP_Directory template is identical to the Default Template.
2.9.2.9 IBM_Directory
Use the IBM_Directory template when connecting to an IBM Directory Server.
2.9.2.10 Novell_eDirectory
Use the Novell_eDirectory template when connecting to a Novell eDirectory.
2.9.2.11 OAMAD Adapter with Mapper
Oracle suggests using this template for an Oracle Virtual Directory-Oracle Access Manager integration that uses Microsoft Active Directory, though other applications can benefit from using this template. The OAMAD Adapter with Mapper template simplifies the LDAP Adapter's interaction with Active Directory by deploying the following plug-ins:
■ Active Directory Ranged Attributes: consolidates ranged attributes into a single request. Ranged attributes are multi-valued attributes whose values Active Directory splits into multiple requests, which often confuses clients.
■ ObjectClass Mapper: maps Active Directory User/Group objects into InetOrgPerson/GroupOfUniqueName objects.
■ ActiveDirectory Password: converts the standard userPassword attribute into Microsoft's unicodePWD attribute. Additionally, so that the adapter can connect to Active Directory over a non-SSL port, this plug-in can route password updates to a different adapter instance that connects to the Active Directory server over SSL, because Active Directory requires password changes over LDAP to use SSL. If the adapter is set to use SSL, remove the host name from the plug-in configuration. If the adapter is set not to use SSL, set the plug-in host name to the name of the Active Directory adapter connected to Active Directory over SSL.
■ Dump Before: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log before passing data to plug-ins.
■ Dump After: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log after passing data to plug-ins.
2.9.2.12 OAMAD Adapter with SSL, Mapper
Configures an LDAP Adapter to connect to an Active Directory target over SSL for password change operations only in an Oracle Virtual Directory-Oracle Access Manager integration. By default, the adapter's Visibility routing setting is set to internal, hiding the adapter from clients and making it accessible only through plug-ins like the Active Directory Password plug-in.
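The following added example (not Oracle's code) shows the two things the ActiveDirectory Password plug-in description implies: the value written to unicodePwd, which Active Directory expects as the password in double quotes encoded as UTF-16LE, and a check of the SSL routing rules stated above. The adapter dictionaries, their keys, and the adapter names are constructed for the example and are not Oracle Virtual Directory's configuration format.

```python
# Added illustration. Adapter names, dictionary keys and values are
# constructed; they are not Oracle Virtual Directory's configuration schema.

PASSWORD_PLUGIN = "ActiveDirectory Password"


def to_unicode_pwd(password):
    """Encode a clear-text password for Active Directory's unicodePwd:
    wrap it in double quotes, then encode as UTF-16 little-endian."""
    return ('"' + password + '"').encode("utf-16-le")


def check_password_routing(adapters):
    """Apply the page's rules to every adapter that runs the password plug-in.

    SSL adapter      -> the plug-in host name must be empty.
    non-SSL adapter  -> the plug-in host name must name an adapter that
                        connects over SSL; the SSL templates default that
                        adapter's visibility to internal.
    """
    findings = []
    for name, cfg in adapters.items():
        if PASSWORD_PLUGIN not in cfg.get("plugins", []):
            continue
        target = cfg.get("password_plugin_host")  # hypothetical key
        if cfg["ssl"]:
            if target:
                findings.append(f"{name}: uses SSL, remove plug-in host name {target!r}")
            continue
        if not target:
            findings.append(f"{name}: non-SSL and no SSL adapter set for password updates")
        elif target not in adapters:
            findings.append(f"{name}: plug-in host name {target!r} is not a defined adapter")
        elif not adapters[target]["ssl"]:
            findings.append(f"{name}: password updates routed to {target!r}, which does not use SSL")
        elif adapters[target].get("visibility") != "internal":
            findings.append(f"{target}: SSL password adapter is not hidden from clients")
    return findings


# Constructed sample configuration.
SAMPLE_ADAPTERS = {
    "ad_main": {"ssl": False, "plugins": [PASSWORD_PLUGIN],
                "password_plugin_host": "ad_ssl"},
    "ad_ssl": {"ssl": True, "visibility": "internal",
               "plugins": [PASSWORD_PLUGIN], "password_plugin_host": None},
    "ad_branch": {"ssl": False, "plugins": [PASSWORD_PLUGIN],
                  "password_plugin_host": None},
    "ad_legacy": {"ssl": True, "plugins": [PASSWORD_PLUGIN],
                  "password_plugin_host": "ad_ssl"},
}

if __name__ == "__main__":
    print(to_unicode_pwd("Pw1"))
    for finding in check_password_routing(SAMPLE_ADAPTERS):
        print(finding)
```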
2.9.2.13 OAMAD Adapter with Script
Similar to the OAMAD Adapter with Mapper template except that it uses the OblixADMapping Python mapping script to do attribute renaming instead of the ObjectClass mapper. The OAMAD Adapter with Script template simplifies the LDAP Adapter's interaction with Active Directory by deploying the following plug-ins:
■ Active Directory Ranged Attributes: consolidates ranged attributes into a single request. Ranged attributes are multi-valued attributes whose values Active Directory splits into multiple requests, which often confuses clients.
■ ActiveDirectory Password: converts the standard userPassword attribute into Microsoft's unicodePWD attribute. Additionally, so that the adapter can connect to Active Directory over a non-SSL port, this plug-in can route password updates to a different adapter instance that connects to the Active Directory server over SSL, because Active Directory requires password changes over LDAP to use SSL. If the adapter is set to use SSL, remove the host name from the plug-in configuration. If the adapter is set not to use SSL, set the plug-in host name to the name of the Active Directory adapter connected to Active Directory over SSL.
■ Dump Before: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log before passing data to plug-ins.
■ Dump After: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log after passing data to plug-ins.
The OAMAD Adapter with Script template also configures the OblixADMapping script using the adapter's information. The OblixADMapping script is similar to the ObjectClass mapper, which maps Active Directory User/Group objects into InetOrgPerson/GroupOfUniqueName objects.
Note: You must explicitly deploy the OblixADMapping mapper script to the Oracle Virtual Directory server after configuring the adapter with the OAMAD Adapter with Script template.
If you can use either the OAMAD Adapter with Script template or the OAMAD Adapter with Mapper template to obtain equal results, you may want to use the OAMAD Adapter with Mapper template because the OAMAD Adapter with Script template requires you to explicitly deploy the OblixADMapping mapper script to the Oracle Virtual Directory server after configuring the adapter and the OAMAD Adapter with Mapper template does not.
Note: The OAMAD Adapter with Mapper template is similar to the OAMAD Adapter with Script template but it does not require you to deploy an additional mapping script like the OAMAD Adapter with Script template does.
2.9.2.14 OAMADAM Adapter with Mapper
Oracle suggests using this template for an Oracle Virtual Directory-Oracle Access Manager integration that uses Microsoft Active Directory Application Mode, though other applications can benefit from using this template. The OAMADAM Adapter with Mapper template simplifies the LDAP Adapter's interaction with Active Directory Application Mode by deploying the following plug-ins:
■ Active Directory Ranged Attributes: consolidates ranged attributes into a single request. Ranged attributes are multi-valued attributes whose values Active Directory splits into multiple requests, which often confuses clients.
■ ObjectClass Mapper: maps Active Directory User/Group objects into InetOrgPerson/GroupOfUniqueName objects.
■ ActiveDirectory Password: converts the standard userPassword attribute into Microsoft's unicodePWD attribute. Additionally, so that the adapter can connect to Active Directory over a non-SSL port, this plug-in can route password updates to a different adapter instance that connects to the Active Directory server over SSL, because Active Directory requires password changes over LDAP to use SSL. If the adapter is set to use SSL, remove the host name from the plug-in configuration. If the adapter is set not to use SSL, set the plug-in host name to the name of the Active Directory adapter connected to Active Directory over SSL.
■ Dump Before: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log before passing data to plug-ins.
■ Dump After: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log after passing data to plug-ins.
Note: The OAMADAM Adapter with Mapper template is similar to the OAMADAM Adapter with Script template, but it does not require you to deploy an additional mapping script like the OAMADAM Adapter with Script template does.
2.9.2.15 OAMADAM Adapter with SSL, Mapper
Configures an LDAP Adapter to connect to an Active Directory Application Mode target over SSL for password change operations only in an Oracle Virtual Directory-Oracle Access Manager integration. By default, the adapter's Visibility routing setting is set to internal, hiding the adapter from clients and making it accessible only through plug-ins like the Active Directory Password plug-in.
2.9.2.16 OAMADAM Adapter with Script
Similar to the OAMADAM Adapter with Mapper template except that it uses the OblixADMapping Python mapping script to do attribute renaming instead of the ObjectClass mapper. The OAMADAM Adapter with Script template simplifies the LDAP Adapter's interaction with Active Directory Application Mode by deploying the following plug-ins:
■ Active Directory Ranged Attributes: consolidates ranged attributes into a single request. Ranged attributes are multi-valued attributes whose values Active Directory splits into multiple requests, which often confuses clients.
■ ActiveDirectory Password: converts the standard userPassword attribute into Microsoft's unicodePWD attribute. Additionally, so that the adapter can connect to Active Directory over a non-SSL port, this plug-in can route password updates to a different adapter instance that connects to the Active Directory server over SSL, because Active Directory requires password changes over LDAP to use SSL. If the adapter is set to use SSL, remove the host name from the plug-in configuration. If the adapter is set not to use SSL, set the plug-in host name to the name of the Active Directory Application Mode adapter connected to Active Directory over SSL.
■ Dump Before: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log before passing data to plug-ins.
■ Dump After: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log after passing data to plug-ins.
The OAMADAM Adapter with Script template also configures the OblixADMapping script using the adapter's information. The OblixADMapping script is similar to the ObjectClass mapper, which maps Active Directory User/Group objects into InetOrgPerson/GroupOfUniqueName objects.
Note: You must explicitly deploy the OblixADMapping mapper script to the Oracle Virtual Directory server after configuring the adapter with the OAMADAM Adapter with Script template.
If you can use either the OAMADAM Adapter with Script template or the OAMADAM Adapter with Mapper template to obtain equal results, you may want to use the OAMADAM Adapter with Mapper template because the OAMADAM Adapter with Script template requires you to explicitly deploy the OblixADMapping mapper script to the Oracle Virtual Directory server after configuring the adapter and the OAMADAM Adapter with Mapper template does not.
2.9.2.17 OAMSunOne Adapter with Mapper
Configures an LDAP Adapter to connect to a SunOne directory target in an Oracle Virtual Directory-Oracle Access Manager integration and converts SunOne attributes for use with Oracle Access Manager. The OAMSunOne Adapter with Mapper template simplifies the LDAP Adapter's interaction with SunOne by deploying the following plug-ins:
■ ObjectClass Mapper: Filters out the nsaccountlock attribute and marks the directory type as SunOne.
■ Dump SunOne: Dumps output of plug-in activity to vde.log.
2.9.2.18 OAMSunOne Adapter with Script
Similar to the OAMSunOne Adapter with Mapper template except that it uses the OblixSunOneMapping Python mapping script to do attribute renaming instead of the ObjectClass mapper. Oracle suggests using the OAMSunOne Adapter with Mapper template instead of the OAMSunOne Adapter with Script template for first and fresh installations.
The OAMSunOne Adapter with Script template simplifies the LDAP Adapter's interaction with SunOne by deploying the Dump Transactions plug-in, which dumps output of plug-in and mapping activity to vde.log.
The OAMSunOne Adapter with Script template also configures the OblixSunOneMapping script using the adapter's information. The OblixSunOneMapping script is similar to the ObjectClass mapper, which filters out the nsaccountlock attribute and marks the directory type as SunOne.
Note: You must explicitly deploy the OblixSunOneMapping mapper script to the Oracle Virtual Directory server after configuring the adapter with the OAMSunOne Adapter with Script template.
If you can use either the OAMSunOne Adapter with Script template or the OAMSunOne Adapter with Mapper template to obtain equal results, you may want to use the OAMSunOne Adapter with Mapper template because the OAMSunOne Adapter with Script template requires you to explicitly deploy the OblixSunOneMapping mapper script to the Oracle Virtual Directory server after configuring the adapter and the OAMSunOne Adapter with Mapper template does not.
2.9.2.19 ONames_LDAP-TYPE
Use the ONames_LDAP-TYPE adapter templates only when integrating Oracle Virtual Directory with Oracle Net Services. Oracle Virtual Directory includes ONames adapter templates for Microsoft Active Directory (ONames_ActiveDirectory), Oracle Internet Directory (ONames_OID), and Oracle Directory Server Enterprise Edition (ONames_Sun).
Each ONames_LDAP-TYPE template deploys only the ONames plug-in, which removes entries that are specific to the source LDAP directory to facilitate the Oracle Virtual Directory-Oracle Net Services integration.
2.9.2.20 Oracle_Internet_Directory
Use the Oracle_Internet_Directory template when connecting to an Oracle Internet Directory (OID).
2.9.2.21 Siemens_DirX
Use the Siemens_DirX template when connecting to a Siemens DirX directory.
2.9.2.22 SunOne_Directory
Use the SunOne_Directory template when connecting to any directory in the Netscape family of directories, including Netscape, Sun Microsystems, and Fedora.
2.9.2.23 User_LDAP-TYPE
Use the User_LDAP-TYPE adapter templates for Oracle Virtual Directory-Oracle Identity Manager integrations that require data mapping of Oracle Identity Manager attributes to LDAP directory servers. Oracle Virtual Directory includes adapter templates for Microsoft Active Directory (User_ActiveDirectory), Oracle Internet Directory (User_OID), and Oracle Directory Server Enterprise Edition (User_SunOne).
Each User_LDAP-TYPE template deploys the UserManagement plug-in.
2.9.3 Local Store Adapter Templates
The following sections describe the Local Store Adapter templates:
■ Local_Storage_Adapter
2.9.3.1 Local_Storage_Adapter
The Local_Storage_Adapter template is identical to the Default Template.
2.9.4 Database Adapter Templates
The following section describes the Database Adapter templates:
■ OAMDB Adapter with Script
2.9.4.1 OAMDB Adapter with Script
Configures a Database Adapter to connect to a database target in an Oracle Virtual Directory-Oracle Access Manager integration and uses a Python mapping script to handle business logic. The OAMDB Adapter with Script template simplifies the Database Adapter's interaction with Oracle Access Manager by deploying the following plug-ins:
■ DumpDB1: a version of the Dump Transaction plug-in that dumps the output of operations to vde.log before passing data to plug-ins and mappings.
■ DumpDB2: a version of the Dump Transaction plug-in that dumps the output of operations to vde.log after passing data to plug-ins and mappings.
The OAMDB Adapter with Script template also configures the Oblix_OAMMapping script using the adapter's information. The Oblix_OAMMapping script provides business logic for the Oracle Access Manager integration, such as removing Oracle Access Manager-specific objectclasses that must be removed before entries can be added.
Note: You must explicitly deploy the Oblix_OAMMapping mapper script to the Oracle Virtual Directory server after configuring the adapter with the OAMDB Adapter with Script template.
3 Understanding Oracle Virtual Directory Routing
This chapter describes Oracle Virtual Directory routing and includes the following topics:
■ What is Routing?
■ Understanding Routing Settings
3.1 What is Routing?
In a traditional directory server, multiple databases are defined, each is responsible for part of the directory tree namespace, and selection is determined strictly by namespace comparison. In a virtual directory, multiple adapters can share the same namespace, so selection is more complex, yet more controllable.
Routing is the process by which Oracle Virtual Directory decides which adapter should be selected for an LDAP operation. Routing is applied to all adapters
regardless of type and serves several purposes, including:
■ limiting the number of adapters selected to just the ones which contain the requested client data and are relevant to the current LDAP operation.
■ enabling you to design for complex environments.
■ enabling you to tune Oracle Virtual Directory to implement a more secure, higher-performing configuration by reducing the number of adapters for a particular transaction.
Routing controls adapter selection by examining not just the basic DN namespace, but also other aspects of transaction information including DN pattern matching, LDAP filters, attribute filters, and query filters. At its most basic level, Oracle Virtual Directory can select adapters through a process of adapter suffix comparison. The adapter suffix comparison involves looking at any particular search base or entry DN, such as with add, modify, delete, and rename, and then comparing it with the suffix root of each adapter. Depending on the scope, Oracle Virtual Directory can determine whether one or more adapters are affected by any particular query.
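Adapter suffix comparison as described above can be sketched as follows. This is an added example, not Oracle Virtual Directory's routing code; the adapter names and suffix roots are constructed, two adapters deliberately share a namespace, and DNs are assumed to contain no escaped commas.

```python
# Added illustration of adapter suffix comparison. Adapter names and roots are
# constructed; this is not Oracle Virtual Directory's implementation.

def parse_dn(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under(dn, ancestor):
    """True when dn equals ancestor or sits below it in the tree."""
    d, a = parse_dn(dn), parse_dn(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a


def select_adapters(adapters, dn, scope="base"):
    """Return the adapters whose suffix root an operation on dn can touch.

    scope is "base", "one" or "sub" for searches. Add, modify, delete and
    rename act on a single entry DN, which is the same test as "base".
    """
    selected = []
    depth = len(parse_dn(dn))
    for name, root in adapters.items():
        if is_under(dn, root):
            # The DN lies inside this adapter's namespace: any scope matches.
            selected.append(name)
        elif is_under(root, dn):
            # The adapter root lies below the search base: only a wide
            # enough search scope reaches it.
            levels_below = len(parse_dn(root)) - depth
            if scope == "sub" or (scope == "one" and levels_below == 1):
                selected.append(name)
    return selected


# Constructed adapters; AD and OID share the same suffix root.
ADAPTERS = {
    "AD": "ou=people,dc=example,dc=com",
    "OID": "ou=people,dc=example,dc=com",
    "Local": "dc=example,dc=com",
    "Partners": "ou=ext,ou=partners,dc=example,dc=com",
}

if __name__ == "__main__":
    cases = [
        ("uid=jdoe,ou=people,dc=example,dc=com", "base"),
        ("dc=example,dc=com", "one"),
        ("dc=example,dc=com", "sub"),
    ]
    for dn, scope in cases:
        print(scope, dn, "->", select_adapters(ADAPTERS, dn, scope))
```

In the first case a single-entry operation reaches three adapters on suffix comparison alone, which is the situation the additional routing criteria are meant to narrow.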
Adapter suffix comparison works well with a small number of adapters; however, more flexible decisions are usually required, which is where routing becomes important. Routing lets administrators teach Oracle Virtual Directory about proxied data sources in the form of routing intelligence. Routing allows Oracle Virtual Directory to further qualify directory operations and send them to the specific places where they are needed, which helps keep existing directories from being overloaded with irrelevant