LDAP Adapter Templates Understanding Adapter Templates

2-30 Oracle Fusion Middleware Administrators Guide for Oracle Virtual Directory ■ User_LDAP-TYPE

Note: Some adapter templates use Python mapping scripts. The template configures the mapping script with the adapter's information, but the template does not deploy the mapping script. If you use an adapter template that uses a mapping script, you must explicitly deploy the mapping script to the Oracle Virtual Directory server after configuring the adapter.

2.9.2.1 Active_Directory

Use the Active_Directory template when connecting to a Microsoft Active Directory or Active Directory Application Mode target and you do not want to map Active Directory objects to InetOrgPerson objects.

Note: If you are connecting to a Microsoft Active Directory or Active Directory Application Mode target and you do want to map Active Directory objects to InetOrgPerson objects, use the OAMAD Adapter with Mapper template even if you are not integrating with Oracle Access Manager.

2.9.2.2 CA_eTrust

Use the CA_eTrust template when connecting to a Computer Associates CA eTrust directory.

2.9.2.3 Changelog_LDAP-TYPE

Use the Changelog_LDAP-TYPE templates when you require the source LDAP directory's changelog information to be standardized into a suitable format. Oracle Virtual Directory includes adapter templates for Microsoft Active Directory (Changelog_ActiveDirectory), Oracle Internet Directory (Changelog_OID), and Oracle Directory Server Enterprise Edition (Changelog_SunOne). Each Changelog_LDAP-TYPE template deploys the Changelog plug-in.

Note: Table 2–1 is deprecated in Oracle Virtual Directory release 11.1.1.4.0. The adapter templates noted in this table will not work in Oracle Virtual Directory release 11.1.1.4.0.

Table 2–1 Changelog Adapter Templates

Source LDAP Directory | Adapter Template | Plug-In Deployed by Adapter Template
Oracle Internet Directory | Changelog_OID | oidchangelog
Microsoft Active Directory | Changelog_ActiveDirectory | adchangelog
Oracle Directory Server Enterprise Edition | Changelog_SunOne | sunonechangelog

2.9.2.4 EUS_ActiveDirectory

Use the EUS_ActiveDirectory template for an Oracle Virtual Directory-Enterprise User Security integration that uses Active Directory. The EUS_ActiveDirectory template simplifies the integration by deploying the following plug-ins:

■ Objectclass Mapper: Maps certain Oracle attributes and object classes so they can be managed in Active Directory.
■ Active Directory Password: Allows storage of the database password in Active Directory when the database registers with the directory.
■ EUSActiveDirectory: Converts certain Active Directory attributes, such as GUID, into a format that Enterprise User Security can use.

2.9.2.5 EUS_OID

Use the EUS_OID template for an Oracle Virtual Directory-Enterprise User Security integration that uses Oracle Internet Directory. The EUS_OID simplifies the integration by deploying the EUSOID plug-in, which converts certain attributes to a consistent format for use with Enterprise User Security.

2.9.2.6 EUS_Sun

Use the EUS_Sun template for an Oracle Virtual Directory-Enterprise User Security integration that uses Oracle Directory Server Enterprise Edition. The EUS_Sun template simplifies the integration by deploying the following plug-ins:

■ Objectclass Mapper: Maps certain Oracle attributes and object classes so they can be managed in Oracle Directory Server Enterprise Edition.
■ EUSSun: Converts certain Oracle Directory Server Enterprise Edition attributes, such as GUID, into a format that Enterprise User Security can use.

2.9.2.7 EUS_eDirectory

Use the EUS_eDirectory template for Oracle Virtual Directory-Enterprise User Security integrations that use Novell eDirectory. The EUS_eDirectory template simplifies the integration by deploying the following plug-ins:

■ Objectclass Mapper: Maps certain Oracle attributes and object classes so they can be managed in eDirectory.
■ EUSeDirectory: Converts certain eDirectory attributes into a format that Enterprise User Security can use.

2.9.2.8 General_LDAP_Directory

The General_LDAP_Directory template is identical to the Default Template.

2.9.2.9 IBM_Directory

Use the IBM_Directory template when connecting to an IBM Directory Server.

2.9.2.10 Novell_eDirectory

Use the Novell_eDirectory template when connecting to a Novell eDirectory.

2.9.2.11 OAMAD Adapter with Mapper

Oracle suggests using this template for an Oracle Virtual Directory-Oracle Access Manager integration that uses Microsoft Active Directory, though other applications can benefit from using this template. The OAMAD Adapter with Mapper template simplifies the LDAP Adapter's interaction with Active Directory by deploying the following plug-ins:

■ Active Directory Ranged Attributes: converts ranged attributes (multi-valued attributes with many values, which Active Directory splits across multiple requests, often confusing clients) into a single request.
■ ObjectClass Mapper: maps Active Directory User/Group objects into InetOrgPerson/GroupOfUniqueName objects.
■ ActiveDirectory Password: converts the standard userPassword attribute into Microsoft's unicodePWD attribute. Additionally, to have the adapter connect to Active Directory over a non-SSL port, this plug-in can route password updates to a different adapter instance that connects to the Active Directory server over SSL, because Active Directory requires password changes over LDAP to use SSL. If the adapter is set to use SSL, remove the host name from the plug-in configuration. If the adapter is set not to use SSL, set the plug-in host name to the name of the Active Directory adapter connected to Active Directory over SSL.
■ Dump Before: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log before passing data to plug-ins.
■ Dump After: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log after passing data to plug-ins.

Note: The OAMAD Adapter with Mapper template is similar to the OAMAD Adapter with Script template, but it does not require you to deploy an additional mapping script like the OAMAD Adapter with Script template does.

2.9.2.12 OAMAD Adapter with SSL, Mapper

Configures an LDAP Adapter to connect to an Active Directory target over SSL for password change operations only in an Oracle Virtual Directory-Oracle Access Manager integration. By default, the adapter's Visibility routing setting is set to internal, hiding the adapter from clients and making it accessible only through plug-ins like the Active Directory Password plug-in.

2.9.2.13 OAMAD Adapter with Script

Similar to the OAMAD Adapter with Mapper template except that it uses the OblixADMapping Python mapping script to do attribute renaming instead of the ObjectClass mapper. The OAMAD Adapter with Script template simplifies the LDAP Adapter's interaction with Active Directory by deploying the following plug-ins:

■ Active Directory Ranged Attributes: converts ranged attributes (multi-valued attributes with many values, which Active Directory splits across multiple requests, often confusing clients) into a single request.
■ ActiveDirectory Password: converts the standard userPassword attribute into Microsoft's unicodePWD attribute. Additionally, to have the adapter connect to Active Directory over a non-SSL port, this plug-in can route password updates to a different adapter instance that connects to the Active Directory server over SSL, because Active Directory requires password changes over LDAP to use SSL. If the adapter is set to use SSL, remove the host name from the plug-in configuration. If the adapter is set not to use SSL, set the plug-in host name to the name of the Active Directory adapter connected to Active Directory over SSL.
■ Dump Before: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log before passing data to plug-ins.
■ Dump After: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log after passing data to plug-ins.

The OAMAD Adapter with Script template also configures the OblixADMapping script using the adapter's information. The OblixADMapping script is similar to the ObjectClass mapper, which maps Active Directory User/Group objects into InetOrgPerson/GroupOfUniqueName objects.

Note: You must explicitly deploy the OblixADMapping mapper script to the Oracle Virtual Directory server after configuring the adapter with the OAMAD Adapter with Script template. If you can use either the OAMAD Adapter with Script template or the OAMAD Adapter with Mapper template to obtain equal results, you may want to use the OAMAD Adapter with Mapper template because the OAMAD Adapter with Script template requires you to explicitly deploy the OblixADMapping mapper script to the Oracle Virtual Directory server after configuring the adapter and the OAMAD Adapter with Mapper template does not.

2.9.2.14 OAMADAM Adapter with Mapper

Oracle suggests using this template for an Oracle Virtual Directory-Oracle Access Manager integration that uses Microsoft Active Directory Application Mode, though other applications can benefit from using this template. The OAMADAM Adapter with Mapper template simplifies the LDAP Adapter's interaction with Active Directory Application Mode by deploying the following plug-ins:

■ Active Directory Ranged Attributes: converts ranged attributes (multi-valued attributes with many values, which Active Directory splits across multiple requests, often confusing clients) into a single request.
■ ObjectClass Mapper: maps Active Directory User/Group objects into InetOrgPerson/GroupOfUniqueName objects.
■ ActiveDirectory Password: converts the standard userPassword attribute into Microsoft's unicodePWD attribute. Additionally, to have the adapter connect to Active Directory over a non-SSL port, this plug-in can route password updates to a different adapter instance that connects to the Active Directory server over SSL, because Active Directory requires password changes over LDAP to use SSL. If the adapter is set to use SSL, remove the host name from the plug-in configuration. If the adapter is set not to use SSL, set the plug-in host name to the name of the Active Directory adapter connected to Active Directory over SSL.
■ Dump Before: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log before passing data to plug-ins.
■ Dump After: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log after passing data to plug-ins.

Note: The OAMADAM Adapter with Mapper template is similar to the OAMADAM Adapter with Script template, but it does not require you to deploy an additional mapping script like the OAMADAM Adapter with Script template does.
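The Active Directory Ranged Attributes plug-in described for the OAMAD and OAMADAM templates exists because a range-unaware client reading a large group sees an empty or partial membership list, which matters when that list drives an authorization decision. The following added example (not Oracle's plug-in code) shows the merge such a component has to perform; `fetch_page` and the sample data are assumptions standing in for real LDAP searches.

```python
import re

# Matches attribute descriptions such as "member;range=0-1499" or "member;range=1500-*".
RANGE_RE = re.compile(r"^(?P<name>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)


def parse_ranged(desc):
    """Return (base_name, low, high) for a ranged description; high is None for '*'."""
    m = RANGE_RE.match(desc)
    if not m:
        return None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("name"), int(m.group("low")), high


def naive_read(fetch_page, attr):
    """What a range-unaware client sees: only values filed under the bare name."""
    return list(fetch_page(attr, 0).get(attr, []))


def collect_ranged(fetch_page, attr):
    """Follow range pages until the final one (high == '*') and return all values.

    fetch_page(attr, low) is a hypothetical callable standing in for an LDAP
    search that requests "<attr>;range=<low>-*" and returns {description: values}.
    """
    values, low = [], 0
    while True:
        page = fetch_page(attr, low)
        ranged = [(parse_ranged(d), v) for d, v in page.items()]
        ranged = [(p, v) for p, v in ranged if p and p[0].lower() == attr.lower()]
        if not ranged:
            if low == 0:
                return list(page.get(attr, []))  # small attribute, never ranged
            raise ValueError(f"no range page returned for {attr} at offset {low}")
        (_, got_low, high), vals = ranged[0]
        if got_low != low:
            raise ValueError(f"expected range starting at {low}, got {got_low}")
        values.extend(vals)
        if high is None:  # server marked the last page with '*'
            return values
        low = high + 1


# Constructed sample: 7 group members served 3 at a time, the way AD pages them.
MEMBERS = [f"cn=user{i},ou=people,dc=example,dc=com" for i in range(7)]
PAGE_SIZE = 3


def fake_ad_page(attr, low):
    """Simulated directory response for one range request (constructed data)."""
    chunk = MEMBERS[low:low + PAGE_SIZE]
    high = "*" if low + PAGE_SIZE >= len(MEMBERS) else str(low + len(chunk) - 1)
    return {attr: [], f"{attr};range={low}-{high}": chunk}


if __name__ == "__main__":
    print("naive client sees:", len(naive_read(fake_ad_page, "member")), "members")
    print("after merging ranges:", len(collect_ranged(fake_ad_page, "member")), "members")
```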

2.9.2.15 OAMADAM Adapter with SSL, Mapper

Configures an LDAP Adapter to connect to an Active Directory Application Mode target over SSL for password change operations only in an Oracle Virtual Directory-Oracle Access Manager integration. By default, the adapter's Visibility routing setting is set to internal, hiding the adapter from clients and making it accessible only through plug-ins like the Active Directory Password plug-in.
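The password-routing rule stated for the ActiveDirectory Password plug-in and the SSL-only adapters can be checked mechanically. This added example (not Oracle code) encodes a password in the quoted UTF-16LE form Active Directory expects for unicodePwd and lints a hypothetical in-memory adapter model; the dictionary keys, adapter names and visibility values are assumptions, not an Oracle Virtual Directory file format.

```python
def encode_unicode_pwd(password):
    """Value Active Directory expects in unicodePwd: the password wrapped in
    double quotes and encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def lint_password_routing(adapters):
    """Check every adapter that carries the password plug-in against the rule in
    the text. `adapters` is a hypothetical model:
    {name: {"ssl": bool, "visibility": str, "pwd_plugin_host": str or None}}.
    The "pwd_plugin_host" key is present only where the plug-in is deployed.
    """
    findings = []
    for name, cfg in adapters.items():
        if "pwd_plugin_host" not in cfg:
            continue  # plug-in not deployed on this adapter
        target = cfg["pwd_plugin_host"]
        if cfg["ssl"]:
            if target:
                findings.append((name, "adapter already uses SSL; remove the plug-in host name"))
            continue
        if not target:
            findings.append((name, "non-SSL adapter has no SSL adapter for password updates"))
        elif target not in adapters:
            findings.append((name, f"plug-in host name '{target}' is not a configured adapter"))
        elif not adapters[target]["ssl"]:
            findings.append((name, f"password updates are routed to '{target}', which is not SSL"))
        elif adapters[target].get("visibility") != "internal":
            findings.append((name, f"'{target}' is visible to clients; the template default is internal"))
    return findings


# Constructed sample configurations (adapter names and values are made up).
GOOD = {
    "AD_Main": {"ssl": False, "visibility": "yes", "pwd_plugin_host": "AD_Pwd_SSL"},
    "AD_Pwd_SSL": {"ssl": True, "visibility": "internal"},
}
BAD = {
    "AD_Main": {"ssl": False, "visibility": "yes", "pwd_plugin_host": "AD_Other"},
    "AD_Other": {"ssl": False, "visibility": "yes"},
    "AD_Secure": {"ssl": True, "visibility": "yes", "pwd_plugin_host": "AD_Other"},
    "AD_Orphan": {"ssl": False, "visibility": "yes", "pwd_plugin_host": None},
}

if __name__ == "__main__":
    print(encode_unicode_pwd("Pw1").hex())
    for adapter, problem in lint_password_routing(BAD):
        print(f"{adapter}: {problem}")
```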

2.9.2.16 OAMADAM Adapter with Script

Similar to the OAMADAM Adapter with Mapper template except that it uses the OblixADMapping Python mapping script to do attribute renaming instead of the ObjectClass mapper. The OAMADAM Adapter with Script template simplifies the LDAP Adapter's interaction with Active Directory Application Mode by deploying the following plug-ins:

■ Active Directory Ranged Attributes: converts ranged attributes (multi-valued attributes with many values, which Active Directory splits across multiple requests, often confusing clients) into a single request.
■ ActiveDirectory Password: converts the standard userPassword attribute into Microsoft's unicodePWD attribute. Additionally, to have the adapter connect to Active Directory over a non-SSL port, this plug-in can route password updates to a different adapter instance that connects to the Active Directory server over SSL, because Active Directory requires password changes over LDAP to use SSL. If the adapter is set to use SSL, remove the host name from the plug-in configuration. If the adapter is set not to use SSL, set the plug-in host name to the name of the Active Directory Application Mode adapter connected to Active Directory over SSL.
■ Dump Before: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log before passing data to plug-ins.
■ Dump After: a version of the Dump Transaction plug-in that dumps the values of the operation to vde.log after passing data to plug-ins.

The OAMADAM Adapter with Script template also configures the OblixADMapping script using the adapter's information. The OblixADMapping script is similar to the ObjectClass mapper, which maps Active Directory User/Group objects into InetOrgPerson/GroupOfUniqueName objects.

Note: You must explicitly deploy the OblixADMapping mapper script to the Oracle Virtual Directory server after configuring the adapter with the OAMADAM Adapter with Script template. If you can use either the OAMADAM Adapter with Script template or the OAMADAM Adapter with Mapper template to obtain equal results, you may want to use the OAMADAM Adapter with Mapper template because the OAMADAM Adapter with Script template requires you to explicitly deploy the OblixADMapping mapper script to the Oracle Virtual Directory server after configuring the adapter and the OAMADAM Adapter with Mapper template does not.

2.9.2.17 OAMSunOne Adapter with Mapper

Configures an LDAP Adapter to connect to a SunOne directory target in an Oracle Virtual Directory-Oracle Access Manager integration and converts SunOne attributes for use with Oracle Access Manager. The OAMSunOne Adapter with Mapper template simplifies the LDAP Adapter's interaction with SunOne by deploying the following plug-ins:

■ ObjectClass Mapper: Filters out the nsaccountlock attribute and marks the directory type as SunOne.
■ Dump SunOne: Dumps output of plug-in activity to vde.log.

2.9.2.18 OAMSunOne Adapter with Script

Similar to the OAMSunOne Adapter with Mapper template except that it uses the OblixSunOneMapping Python mapping script to do attribute renaming instead of the ObjectClass mapper. Oracle suggests using the OAMSunOne Adapter with Mapper template instead of the OAMSunOne Adapter with Script template for first and fresh installations. The OAMSunOne Adapter with Script template simplifies the LDAP Adapter's interaction with SunOne by deploying the Dump Transactions plug-in, which dumps output of plug-in and mapping activity to vde.log. The OAMSunOne Adapter with Script template also configures the OblixSunOneMapping script using the adapter's information. The OblixSunOneMapping script is similar to the ObjectClass mapper, which filters out the nsaccountlock attribute and marks the directory type as SunOne.

Note: You must explicitly deploy the OblixSunOneMapping mapper script to the Oracle Virtual Directory server after configuring the adapter with the OAMSunOne Adapter with Script template. If you can use either the OAMSunOne Adapter with Script template or the OAMSunOne Adapter with Mapper template to obtain equal results, you may want to use the OAMSunOne Adapter with Mapper template because the OAMSunOne Adapter with Script template requires you to explicitly deploy the OblixSunOneMapping mapper script to the Oracle Virtual Directory server after configuring the adapter and the OAMSunOne Adapter with Mapper template does not.

2.9.2.19 ONames_LDAP-TYPE

Use the ONames_LDAP-TYPE adapter templates only when integrating Oracle Virtual Directory with Oracle Net Services. Oracle Virtual Directory includes ONames adapter templates for Microsoft Active Directory (ONames_ActiveDirectory), Oracle Internet Directory (ONames_OID), and Oracle Directory Server Enterprise Edition (ONames_Sun). Each ONames_LDAP-TYPE template deploys only the ONames plug-in, which removes entries that are specific to the source LDAP directory to facilitate the Oracle Virtual Directory-Oracle Net Services integration.

2.9.2.20 Oracle_Internet_Directory

Use the Oracle_Internet_Directory template when connecting to an Oracle Internet Directory (OID).

2.9.2.21 Siemens_DirX

Use the Siemens_DirX template when connecting to a Siemens DirX directory.

2.9.2.22 SunOne_Directory

Use the SunOne_Directory template when connecting to any directory in the Netscape family of directories, including Netscape, Sun Microsystems, and Fedora.

2.9.2.23 User_LDAP-TYPE

Use the User_LDAP-TYPE adapter templates for Oracle Virtual Directory-Oracle Identity Manager integrations that require data mapping of Oracle Identity Manager attributes to LDAP directory servers. Oracle Virtual Directory includes adapter templates for Microsoft Active Directory (User_ActiveDirectory), Oracle Internet Directory (User_OID), and Oracle Directory Server Enterprise Edition (User_SunOne). Each User_LDAP-TYPE template deploys the UserManagement plug-in.

2.9.3 Local Store Adapter Templates

The following section describes the Local Store Adapter templates:

■ Local_Storage_Adapter

2.9.3.1 Local_Storage_Adapter

The Local_Storage_Adapter template is identical to the Default Template.

2.9.4 Database Adapter Templates

The following section describes the Database Adapter templates:

■ OAMDB Adapter with Script

2.9.4.1 OAMDB Adapter with Script

Configures a Database Adapter to connect to a database target in an Oracle Virtual Directory-Oracle Access Manager integration and uses a Python mapping script to handle business logic. The OAMDB Adapter with Script template simplifies the Database Adapter's interaction with Oracle Access Manager by deploying the following plug-ins:

■ DumpDB1: a version of the Dump Transaction plug-in that dumps the output of operations to vde.log before passing data to plug-ins and mappings.
■ DumpDB2: a version of the Dump Transaction plug-in that dumps the output of operations to vde.log after passing data to plug-ins and mappings.

The OAMDB Adapter with Script template also configures the Oblix_OAMMapping script using the adapter's information. The Oblix_OAMMapping script provides business logic for the Oracle Access Manager integration, such as removing Oracle Access Manager-specific objectclasses that must be removed before entries can be added.

Note: You must explicitly deploy the Oblix_OAMMapping mapper script to the Oracle Virtual Directory server after configuring the adapter with the OAMDB Adapter with Script template.

3 Understanding Oracle Virtual Directory Routing

This chapter describes Oracle Virtual Directory routing and includes the following topics:

■ What is Routing?
■ Understanding Routing Settings

3.1 What is Routing?

In a traditional directory server, multiple databases are defined, each is responsible for part of the directory tree namespace, and selection is determined strictly by namespace comparison. In a virtual directory, since it is possible to have multiple adapters sharing the same namespace, selection is more complex—yet more controllable. Routing is the process by which Oracle Virtual Directory decides which adapter should be selected for an LDAP operation.

Routing is applied to all adapters regardless of type and serves several purposes, including:

■ limiting the number of adapters selected to just the ones which contain the requested client data and are relevant to the current LDAP operation.
■ enabling you to design for complex environments.
■ enabling you to tune Oracle Virtual Directory to implement a more secure, higher-performing configuration by reducing the number of adapters for a particular transaction.

Routing controls adapter selection by examining not just the basic DN namespace, but also other aspects of transaction information including DN pattern matching, LDAP filters, attribute filters, and query filters.

At its most basic level, Oracle Virtual Directory can select adapters through a process of adapter suffix comparison. The adapter suffix comparison involves looking at any particular search base or entry DN, such as with add, modify, delete, and rename, and then comparing it with the suffix root of each adapter. Depending on the scope, Oracle Virtual Directory can determine if one or more adapters were impacted by any particular query.

Adapter suffix comparison works well with a small number of adapters; however, more flexible decisions are usually required—where routing is explicitly important. Routing lets administrators teach Oracle Virtual Directory about proxied data sources in the form of routing intelligence. Routing allows Oracle Virtual Directory to further qualify directory operations and send them to the specific places where they are needed, which helps keep existing directories from being overloaded with irrelevant