Skip Headers

Oracle® Application Server 10g Installation Guide
10g (9.0.4) for hp HP-UX PA-RISC (64-bit) and Linux x86
Part No. B10842-03
  Go To Documentation Library
Home		 Go To Table Of Contents
Contents		 Go To Index
Index
Previous Next  

8 Configuring Oracle Internet Directory for Oracle Application Server Installation Privileges

When you install certain middle tier or infrastructure components, the installer prompts you for a username to log in to Oracle Internet Directory. For the installation to complete successfully, this user must belong to certain groups in Oracle Internet Directory. The groups that are required depend on what you are installing.

By putting users into groups, you allow other users to perform installations. Users do not have to log in as the cn=orcladmin superuser to perform the installations.

Contents:

8.1 Default Users in Oracle Internet Directory

When you install Oracle Internet Directory, it has two users: cn=orcladmin and orcladmin:

8.2 Groups in Oracle Internet Directory

Groups in Oracle Internet Directory can be classified into these categories:

8.2.1 "Global" Groups

Table 8-1 describes the groups that affect all Oracle Application Server instances and components registered with Oracle Internet Directory.

Table 8-1 "Global" Groups

Group Description
IAS Admins

DN: cn=IASAdmins, cn=groups, cn=OracleContext

IAS Admins have the following privileges:

  • Install and register new metadata repositories. IAS Admins have no privileges to manage existing repositories already registered with Oracle Internet Directory.

  • Install middle tiers.

Trusted Application Admins

DN: cn=Trusted Application Admins, cn=groups, cn=OracleContext

To install Identity Management, OracleAS Portal, or OracleAS Wireless components, you must belong to several groups, one of which is the Trusted Application Admins group. Table 8-4 lists the required groups for each component.
User Management Application Admins

DN: cn=IAS & User Mgmt Admins, cn=groups, cn=OracleContext

To install OracleAS Portal or OracleAS Wireless, you must belong to several groups, one of which is the User Management Application Admins group. Table 8-4 lists the required groups for each component.

8.2.2 Groups for Each Metadata Repository

Each metadata repository registered with Oracle Internet Directory has its own groups, as described in Table 8-2. This enables you to assign different owners and users for each repository.

Table 8-2 Groups Associated with Each Metadata Repository Registered with Oracle Internet Directory

Group Description
Repository Owners The user who installs the metadata repository becomes a member of this group.

Repository Owners have the following privileges:

  • Add/remove users to/from this group.

  • De-register this repository.

  • Add/remove users to/from the Mid-Tier Admins group for this repository.

  • Add/remove middle tier instances to/from this repository.

  • All privileges of the Mid-Tier Administrators group.

Mid-Tier Administrators Mid-Tier Administrators have the following privileges:

  • Add/remove middle tier instances from the Associated Middle Tiers group for this repository. This is required to install a middle tier or to configure a middle tier component to use a different repository.

  • Access metadata for the repository database object.

Associated Middle Tiers Members of this group are middle tier instances associated with this metadata repository. The middle tier instances are added to this group during installation. You do not have to add the instances manually to this group.

Members of this group have the following privilege:

  • Access metadata for the repository database object and its schemas.


8.2.3 Groups for Each Component

Oracle Application Server components also have groups in Oracle Internet Directory. Each component has a Component Owners group and an Associated Middle Tiers group, as described in Table 8-3.

Table 8-3 Groups Associated with Each Component

Group Description
Component Owners Component Owners have the following privileges:

  • Add/remove owners for this component.

  • De-register this component.

  • Associate additional middle tiers with this component.

Associated Middle Tiers Members of this group are middle tier instances.

Figure 8-6 shows these groups for the Oracle Delegated Administration Services component.

8.3 Groups Required to Install Components

Table 8-4 shows the groups that a user needs to belong to in order to install Oracle Application Server components.

The user who installs the components becomes the owner of the components.

Table 8-4 Oracle Internet Directory Groups Required to Configure Components

To Configure This Component User Must Be a Member of ALL Listed Groups:
Infrastructure Components
Oracle Delegated Administration Services
  • Trusted Application Admins

  • iAS Admins

  • Mid-Tier Admins group for the metadata repository used by OracleAS Single Sign-On

    If you are unsure which metadata repository is used by OracleAS Single Sign-On, see "To Determine the Metadata Repository Used by OracleAS Single Sign-On".

  • Component Owners for the Oracle Delegated Administration Services component

    Note: This is required only if you are installing multiple instances of Oracle Delegated Administration Services. When you are installing the second and subsequent instances, then you need to belong to the Component Owners group. You do not need to be a member when you install the first Oracle Delegated Administration Services instance.

    See Section 8.8.1, "Using Oracle Directory Manager to Add Users to Groups" for steps on how to add users to groups.

OracleAS Single Sign-On You must install OracleAS Single Sign-On as the superuser (cn=orcladmin).
Oracle Directory Integration and Provisioning
  • iAS Admins

  • Trusted Application Admins

  • Admin for Oracle Directory Integration and Provisioning, which is identified by "cn=dipadmingrp,cn=odi,cn=oracle internet directory"

  • Mid-Tier Admins group for the metadata repository used by OracleAS Single Sign-On.

    If you are unsure which metadata repository is used by OracleAS Single Sign-On, see "To Determine the Metadata Repository Used by OracleAS Single Sign-On".

OracleAS Certificate Authority, configured against an existing OracleAS Metadata Repository
  • Trusted Application Admins

  • iAS Admins

  • Repository Owners group for the existing metadata repository

OracleAS Certificate Authority, configured against a new OracleAS Metadata Repository (that is, you are installing and configuring OracleAS Certificate Authority and OracleAS Metadata Repository in the same installation session)
  • Trusted Application Admins

  • iAS Admins

J2EE and Web Cache Middle Tier Features
Identity Management Access only
  • iAS Admins
Identity Management Access and OracleAS Cluster (Database-Based or File-Based)
  • iAS Admins

  • Mid-Tier Admins or Repository Owners group for the metadata repository

Portal and Wireless, and Business Intelligence and Forms Middle Tier Components
OracleAS Portal
  • Trusted Application Admins

  • IAS and User Management Application Admins

  • iAS Admins

  • Mid-Tier Admins or Repository Owners group for the metadata repository

  • Component Owners group for the OracleAS Portal component

    Note: This group is applicable only when you are installing additional OracleAS Portal instances. It does not apply for the first OracleAS Portal installation. For subsequent OracleAS Portal installations, you can perform the installation as the same Oracle Internet Directory user who performed the first installation. If you want to allow a different Oracle Internet Directory user to install OracleAS Portal, you have to add this user to the Component Owners group for the Portal application entity.

OracleAS Wireless
  • IAS and User Management Application Admins

  • iAS Admins

  • Mid-Tier Admins or Repository Owners group for the metadata repository

  • Component Owners group for the OracleAS Wireless component

    Note: This group is applicable only when you are installing additional OracleAS Wireless instances. It does not apply for the first OracleAS Wireless installation. For subsequent OracleAS Portal installations, you can perform the installation as the same Oracle Internet Directory user who performed the first installation. If you want to allow a different Oracle Internet Directory user to install OracleAS Wireless, you have to add this user to the Component Owners group for the Wireless application entity.

OracleAS Reports Services

OracleAS Forms Services

OracleAS Personalization

OracleAS Discoverer

  • iAS Admins

  • Mid-Tier Admins or Repository Owners group for the metadata repository



To Determine the Metadata Repository Used by OracleAS Single Sign-On

  1. Run the following command (all on one line): 

    prompt> $ORACLE_HOME/bin/ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
 -b "orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,
      cn=oraclecontext"
 -s base "objectclass=*" seealso

    Values you need to provide:

    oidhostname - name of the computer running Oracle Internet Directory. Example: dbmachine.mydomain.com.

    oidport - port number on which Oracle Internet Directory is listening. Example: 389.

    passwd - password for the cn=orcladmin user.

  2. If the command in the preceding step does not return the name of the metadata repository, then run the following commands:

    1. Run this command first to get the "orclreplicaid" value, which you need for the second command. 

      prompt> $ORACLE_HOME/bin/ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
 -b "" -s base "objectclass=*" orclreplicaid

    2. Then run this command. 

      prompt> $ORACLE_HOME/bin/ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
 -b "orclreplicaid=value_from_previous_command,cn=replication configuration"
 -s base "objectclass=*" seealso

      This returns a "seealso" value in the format: cn=Metadata repository DB Name,cn=oraclecontext.

8.4 Groups Required to Install Middle Tiers

When you install middle tiers, the installer prompts you to log in to Oracle Internet Directory. Log in as a user who is a member of these groups:

8.4.1 Groups Required to Install Against the Desired Metadata Repository

To install middle tiers against a metadata repository, the user must belong to these groups:

  • IAS Admins group

  • Mid-Tier Admins group for the metadata repository to be used with the middle tier. When the installer prompts for the OracleAS Metadata Repository to use with this middle tier, the installer displays only the metadata repositories for which the user is a mid-tier admin. For example, in Figure 8-2, userA can see only the repository for asdb.oracle.com, and userB can see only the repository for asdb1.oracle.com.

8.4.2 Groups Required to Install Middle Tier Components

To install middle tier components, such as OracleAS Portal and OracleAS Wireless, the user must belong to additional groups. See Table 8-4 for a list of components and required groups.

8.4.3 Example

Figure 8-1 shows an Oracle Internet Directory with one metadata repository and one middle tier instance. userA can install middle tiers against the asdb metadata repository because userA belongs to the Mid-Tier Admins and the IAS Admins groups. userA can also install middle tier components because userA belongs to the Trusted Application Admins group, the IAS & User Management Application Admins group, and the Component Owners group for Wireless.

Figure 8-1 Contents of Oracle Internet Directory with One Infrastructure and One Middle Tier

Description of oid_infra_mt.gif follows
Description of the illustration oid_infra_mt.gif

8.5 Groups Required to Install Additional Metadata Repositories

To install additional metadata repositories, a user must be a member of the IAS Admins group. After installation, the user then becomes a member of the Repository Owners group for that metadata repository.

8.6 Example of Installation with Different Users

Figure 8-2 shows an Oracle Internet Directory with two metadata repositories and two middle tiers installed by different users.

Figure 8-2 Oracle Internet Directory with Two Metadata Repositories and Two Middle Tiers

Description of oid_infra2.gif follows
Description of the illustration oid_infra2.gif

The numbers in the figure correspond to these steps:


1. Install OracleAS Infrastructure 10g (including Oracle Internet Directory and OracleAS Metadata Repository)

This first installation creates an Oracle Internet Directory and a metadata repository.

The installer registers the metadata repository with Oracle Internet Directory by creating the "asdb.oracle.com" entry.

The orcladmin user becomes a member of the Repository Owners group and the Mid-Tier Admins group for this repository.


2. Install J2EE and Web Cache Middle Tier

userA was added to the following groups:

The installer registers this middle tier with Oracle Internet Directory by creating the "J2EE" entry. (The "J2EE" is the name of the middle tier instance, specified by userA.)

The middle tier becomes a member of the Associated Mid-Tiers group for "asdb.oracle.com".


3. Install OracleAS Infrastructure 10g (OracleAS Metadata Repository only)

userB was added to the iAS Admins group so that userB can perform this installation. See Section 8.5, "Groups Required to Install Additional Metadata Repositories".

The installer registers this new repository with Oracle Internet Directory by creating the "asdb1.oracle.com" entry.

userB becomes a member of the Repository Owners group and the Mid-Tier Admins group for the new repository.


4. Install Portal and Wireless Middle Tier

userB was added to these groups:

The installer registers this middle tier with Oracle Internet Directory by creating the "PW1" entry.

The middle tier becomes a member of the Associated Mid-Tiers group for "asdb1.oracle.com".

8.7 How to Create Users in Oracle Internet Directory

You can create users in Oracle Internet Directory using the Self-Service Console, which is part of the Oracle Delegated Administration Services. See the Oracle Internet Directory Administrator's Guide for details.


Note:

You cannot connect to Oracle Internet Directory as the cn=orcladmin superuser using the Oracle Delegated Administration Services consoles. To connect to Oracle Internet Directory as the superuser, use Oracle Directory Manager.

8.8 How to Add Users to Groups in Oracle Internet Directory

To add users to groups in Oracle Internet Directory, you can use these tools:

8.8.1 Using Oracle Directory Manager to Add Users to Groups

When you have to log in as the cn=orcladmin superuser to add users to groups, you have to use Oracle Directory Manager, instead of Oracle Delegated Administration Services.

To add users using Oracle Directory Manager:

  1. Start up Oracle Directory Manager. ORACLE_HOME refers to the home directory where Oracle Internet Directory is installed. 

    prompt> cd $ORACLE_HOME/bin
prompt> ./oidadmin

  2. In the Oracle Directory Manager Connect screen, enter the connect information for Oracle Internet Directory:

    • User: Enter cn=orcladmin.

    • Password: Enter the password for cn=orcladmin.

    • Server and Port: Click the icon at the right of the field to enter the name of the computer running Oracle Internet Directory and the port number on which Oracle Internet Directory is listening.

    • Click Login.

  3. On the left side, navigate to the group to which you want to add users. Select the group on the left side to display its attributes on the right side.

    To navigate to "global" groups, see Section 8.8.1.1, "Navigating to "Global" Groups".

    To navigate to metadata repository groups, see Section 8.8.1.2, "Navigating to Metadata Repository Groups".

    To navigate to component groups, see Section 8.8.1.3, "Navigating to Component Groups".

  4. Add new users to the group by adding the DNs of the users to the uniquemember attribute.

8.8.1.1 Navigating to "Global" Groups

The "global" groups are listed in Table 8-1.

The general navigation path is as follows. See Figure 8-3 for a screenshot.

  1. Expand the top-level entry, "Oracle Internet Directory Servers".

  2. Expand the specific Oracle Internet Directory.

  3. Expand "Entry Management".

  4. Expand "cn=OracleContext".

  5. Expand "cn=Groups".

  6. Click the group to which you want to add users. Figure 8-3 shows Oracle Directory Manager with the iASAdmins group selected.

Figure 8-3 Using Oracle Directory Manager to Add Users to "Global" Groups

Description of odm_iasadmins.jpg follows
Description of the illustration odm_iasadmins.jpg

8.8.1.2 Navigating to Metadata Repository Groups

The metadata repository groups are listed in Table 8-2.

The general navigation path is as follows. See Figure 8-4 for a screenshot.

  1. Expand the top-level entry, "Oracle Internet Directory Servers".

  2. Expand the specific Oracle Internet Directory.

  3. Expand "Entry Management".

  4. Expand "cn=OracleContext".

  5. Expand "cn=Products".

  6. Expand "cn=IAS".

  7. Expand "cn=IAS Infrastructure Databases".

  8. Expand "orclReferenceName=dbName", where dbName is the name of the metadata repository database.

  9. Click the group to which you want to add users. Figure 8-4 shows Oracle Directory Manager with the Repository Owners group for the asdb.us.oracle.com database selected.

Figure 8-4 Using Oracle Directory Manager to Add Users to Metadata Repository Groups

Description of odm_rep_owner.jpg follows
Description of the illustration odm_rep_owner.jpg

8.8.1.3 Navigating to Component Groups

The component groups are listed in Table 8-3.

The general navigation path is as follows. See Figure 8-5 for a screenshot.

  1. Expand the top-level entry, "Oracle Internet Directory Servers".

  2. Expand the specific Oracle Internet Directory.

  3. Expand "Entry Management".

  4. Expand "cn=OracleContext".

  5. Expand "cn=Products".

  6. Expand the particular component (for example, "cn=DAS" or "cn=Forms") whose groups you want to add users to.

  7. Expand "orclApplicationCommonName=appName", where appName is specific to the component and application server instance. If you have installed multiple instances of a component, you would see multiple instances of this entry.

  8. Click the group to which you want to add users. Figure 8-5 shows Oracle Directory Manager with the Component Owners group for Oracle Delegated Administration Services (DAS) selected.

Figure 8-5 Using Oracle Directory Manager to Add Users to the Component Users Group for the Oracle Delegated Administration Services Component

Description of odm_das.jpg follows
Description of the illustration odm_das.jpg

8.8.2 Using Deployment Delegation Console to Add Users to Groups

Using the Deployment Delegation Console, which is installed as part of Oracle Delegated Administration Services, you can add users to or remove users from the following groups:

  • Repository Owners

  • Mid-Tier Administrators

  • Component Owners


Note:

You can add users to these groups only if these groups have existing members other than the cn=orcladmin superuser. If the only member of these groups is the superuser, then you have to use Oracle Directory Manager to add users to these groups. See Section 8.8.1, "Using Oracle Directory Manager to Add Users to Groups".

To add users to these groups:

  1. Ensure that the Oracle Delegated Administration Services and Oracle Internet Directory are running.

  2. Display the Deployment Delegation Console page. The URL is: 

    http://hostname:port/oiddas/ui/oidinstallhome

    hostname specifies the name of the computer where you installed Oracle Delegated Administration Services.

    port specifies the port on which Oracle HTTP Server is listening.

  3. Click Login.

  4. Enter a username and password to log in to Oracle Internet Directory, and click Login. The login user must have sufficient privileges to allow you to add users to the desired group:

    To add users to this group: Log in as a user who belongs to:
    Repository Owners the same Repository Owners group.
    Mid-Tier Administrators the Repository Owners group for the same repository.
    Component Owners the same Component Owners group.

  5. Perform the steps to add the user to the desired group:

    To add the user to the Repository Owners group To add the user to the Mid-Tier Administrators group To add the user to the Component Owners group
    1. Click the Repository tab.

      This displays all the metadata repositories for which you are an owner.

    2. Select the metadata repository to which you want to add a user, and click Manage Owners.

    3. On the page that displays the current owners, click Add.

    4. Enter the first few characters of the user’s name in the Search field and click Go. If you leave the Search field empty and click Go, you would get a list of all users in Oracle Internet Directory.

    5. Select the user that you want to add to the Repository Owners group and click Select.

    6. Click Submit on the Manage Repository Owners page.

    1. Click the Repository tab.

      This displays all the metadata repositories for which you are an owner.

    2. Select the metadata repository to which you want to add a user, and click Manage Administrators.

    3. On the page that displays the current administrators, click Add.

    4. Enter the first few characters of the user’s name in the Search field and click Go. If you leave the Search field empty and click Go, you would get a list of all users in Oracle Internet Directory.

    5. Select the user that you want to add to the Mid-Tier Administrators group and click Select.

    6. Click Submit on the Manage Administrators page.

    1. Click the Components tab.

      This displays all the components for which you are an owner.

    2. Select the component to which you want to add a user, and click Manage Owners.

    3. On the page that displays the current component owners, click Add.

    4. Enter the first few characters of the user’s name in the Search field and click Go. If you leave the Search field empty and click Go, you would get a list of all users in Oracle Internet Directory.

    5. Select the user that you want to add to the Component Owners group and click Select.

    6. Click Submit on the Manage Component Owners page.


8.9 Contents of a New Oracle Internet Directory

When you install OracleAS Infrastructure 10g with Oracle Internet Directory, OracleAS Metadata Repository, and Oracle Delegated Administration Services, the Oracle Internet Directory contains the following objects (Figure 8-6):

Figure 8-6 Contents of a New Oracle Internet Directory

Description of oid_initial.gif follows
Description of the illustration oid_initial.gif

8.10 On the Specify Login for Oracle Internet Directory Screen, What Username and Realm Do I Enter?

The installer displays the Specify Login for Oracle Internet Directory screen:

This screen prompts you to enter a username and password to log in to Oracle Internet Directory.


Username

In the Username field, enter either the simple username or the user’s DN.

Simple username example: jdoe

DN example: cn=orcladmin

The user must belong to specific groups for installing and configuring certain components. See Table 8-4 for details.

If you want to specify the superuser, enter cn=orcladmin, not just orcladmin.


Realm

The Realm field appears only if your Oracle Internet Directory contains more than one realm. The username that you enter is authenticated against the specified realm. If you are unsure what the realm name is, contact your Oracle Internet Directory administrator.

Example 1: in a hosted deployment, the realm name could be similar to the name of the hosted company: XYZCorp.

Example 2: within an enterprise, you could have separate realms for internal users and external users. The realm name for the external users could be externalUsers.

  Previous Next
Oracle Logo
Copyright © 2003Oracle. All rights reserved.
  Go To Documentation Library
Home		 Go To Table Of Contents
Contents		 Go To Index
Index