Oracle® Internet Directory Administrator's Guide, 10g Release 2 (10.1.2) Part No. B14082-01
This appendix briefly lists different schema elements supported by Oracle Internet Directory. Most of these elements are used as defined by the ldapext and ASID working groups of the Internet Engineering Task Force (IETF).
See Also: The following URLs on the World Wide Web:
This appendix contains these topics:
Oracle Internet Directory enforces the following Requests for Comments (RFCs) of the Internet Engineering Task Force (IETF), each of which is available on the IETF Web site at http://www.ietf.org.
Table B-1 RFCs Enforced by Oracle Internet Directory
RFC | Title |
---|---|
1777 | Lightweight Directory Access Protocol |
1778 | The String Representation of Standard Attribute Syntaxes |
1779 | A String Representation of Distinguished Names |
1960 | A String Representation of LDAP Search Filters |
2079 | Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs) |
2247 | Using Domains in LDAP/X.500 Distinguished Names |
2251 | Lightweight Directory Access Protocol (v3) |
2252 | Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions |
2253 | Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names |
2254 | The String Representation of LDAP Search Filters |
2255 | The LDAP URL Format |
2256 | A Summary of the X.500(96) User Schema for use with LDAPv3 |
Oracle Internet Directory enforces the following two drafts of the IETF, each of which is available on the IETF Web site at http://www.ietf.org.
"Definition of the inetOrgPerson LDAP Object Class"
"Referrals and Knowledge References in LDAP Directories"
The schema elements common to Oracle components include attributes and object classes in these categories:
Attributes for Oracle Application Server Integration and Provisioning
Oracle Internet Directory Server Manageability Schema Elements
In addition, Oracle Internet Directory installation includes schema elements that enable specific Oracle products to use Oracle Internet Directory. For information about these schema elements, see the documentation for the specific Oracle product.
Table B-4 Attributes in Integration Profiles for Third-Party Directories
Attribute | Description |
---|---|
General Information | - |
Profile Name (orclodipAgentName) | Name of the profile for the particular third-party directory you are integrating with. This attribute is mandatory. |
Synchronization Mode (orclodipSynchronizationMode) | Direction of synchronization between Oracle Internet Directory and the connected directory. |
Profile Status (orclOdipAgentControl) | Indicator whether the profile is enabled or disabled. The default is DISABLE. You must set this value to ENABLE. |
Profile Password (orclodipProfilePassword) | The password used by the profile to bind to Oracle Internet Directory. In case of import, the changes are made with the profile name as the identity. The default value is welcome. Note: For security reasons, change this password. |
Scheduling Interval (orclODIPSchedulingInterval) | Time interval in seconds after which a connected directory is synchronized with Oracle Internet Directory. The default is 600. This attribute can be modified. |
Maximum Number of Retries (orclodipSyncRetryCount) | Maximum number of times the Oracle directory integration and provisioning server tries to run the third-party directory connector in the event of a failure. The default is 5. |
Profile Version | Version of Oracle Directory Integration and Provisioning with which this profile was created. The default value is 1.0. This value cannot be modified. |
Debug Level | Identifier indicating the level of debugging required for any profile. Set this attribute to 63 for the maximum debug level. See Also: The section about setting debug logging levels in Oracle Internet Directory Administrator's Guide. |
Execution Information | - |
Agent Execution Command (orclodipAgentExeCommand) | Connector executable name and argument list used by the directory integration and provisioning server. It can be passed as a command-line argument when the connector is invoked. See Also: Oracle Directory Integration and Provisioning for typical usage of passing it on the command line. |
Connected Directory Account (orclodipConDirAccessAccount) | Valid user account in the connected directory to be used by the connector for synchronization. The value is specific to the connected directory with which you are integrating. For instance, for the SunONE synchronization connector, it is the valid bind DN in the SunONE Directory Server. For the Human Resources Connector, it is a valid user identifier in the Oracle Human Resources database. For other connectors, it can be passed as a command-line argument when the connector is invoked. See Also: Oracle Directory Integration and Provisioning for typical usage of passing it on the command line. |
Connected Directory Account Password (orclodipConDirAccessPassword) | Password to be used by the user specified in the orclOdipConDirAccessAccount attribute to connect to the connected directory. The value is specific to the third-party directory with which you are integrating. For instance, for the SunONE synchronization connector, it is the valid bind password in the SunONE Directory Server. For the Human Resources Agent, it is the Oracle Human Resources database password. |
Additional Config Info (orclodipAgentConfigInfo) | Any configuration information that you want the connector to store in Oracle Internet Directory. It is passed by the directory integration and provisioning server to the connector at the time of connector invocation. The information is stored as an attribute, and the directory integration and provisioning server has no knowledge of its content. When the connector is scheduled for execution, the value of the attribute is stored in the file $ORACLE_HOME/ldap/odi/conf/profile_name.cfg, which the connector can process. Upload the file by using either the Directory Integration and Provisioning Assistant or the ... See Also: Information about the Directory Integration and Provisioning Assistant (dipassistant) syntax in Oracle Directory Integration and Provisioning. |
Connected Directory URL (orclOdipConDirURL) | Connection details required to connect to the connected directory. This parameter refers to the host name and port number as host:port:sslmode. To connect by using SSL, enter ... Make sure the certificate used to connect to the directory is stored in the wallet, the location of which is specified in the file ... Note: To connect to SunONE Directory Server by using SSL, the server certificate must be loaded into the wallet. See Also: The chapter on Oracle Wallet Manager in Oracle Advanced Security Administrator's Guide. |
Interface Type (orclodipInterfaceType) | The data format or protocol used in synchronization. Supported values are: ... |
Mapping Information | - |
Mapping Rules (orclodipAttributeMappingRules) | Attribute for storing the mapping rules. Store the mapping rules in a file by using the Directory Integration and Provisioning Assistant or the ldapuploadagentfile.sh tool. |
Connected Directory Matching Filter (orclodipConDirMatchingFilter) | This attribute specifies the filter to apply to the third-party directory change log. It is used in the import profile. The filter must be set in the import profile when both the import and export integration profiles are enabled, as follows: ... This prevents the same change from being exchanged between the two directories indefinitely. To avoid confusion, make this account specific to synchronization. See Also: Oracle MetaLink Note 280474.1, "Setting Up Filtering in a DIP Synchronization Profile", available at Oracle MetaLink at ... |
OID Matching Filter (orclOdipOIDMatchingFilter) | In export profiles, this attribute specifies the filter to apply to the Oracle Internet Directory change log container. It must be set in the export profile when both the import and export integration profiles are enabled, as in the following example: ... This prevents the same change from being exchanged between the two directories indefinitely. In import profiles, this attribute specifies a key for mapping entries between Oracle Internet Directory and the connected directory. This is useful when the DN cannot be used as the key. |
Status Information | - |
OID Last Applied Change Number (orclLastAppliedChangeNumber) | For export operations, the last change from Oracle Internet Directory that was applied to the connected directory. The default value is 0. Set this to the value of the lastchangenumber attribute of Oracle Internet Directory. If you have used the Directory Integration and Provisioning Assistant for bootstrapping using LDAP, then this is set automatically at the end of the bootstrapping process. This is valid only in the export profile. |
Last Execution Time (orclodipLastExecutionTime) | Status attribute set to the last time the integration profile was executed successfully by the Oracle directory integration and provisioning server. Its format is dd-mon-yyyy hh:mm:ss, where hh is the hour in 24-hour format. This attribute is initialized during profile creation. |
Last Successful Execution Time (orclodipLastSuccessfulExecutionTime) | Status attribute set to the last time the integration profile was executed successfully by the Oracle directory integration and provisioning server. The format is dd-mon-yyyy hh:mm:ss, where hh is the hour in 24-hour format. |
Synchronization Status (orclodipSynchronizationStatus) | Synchronization status of the last execution: success or failure. Initially, this attribute has the value Yet to be executed. It is a read-only attribute. |
Synchronization Errors (orclodipSynchronizationErrors) | Messages explaining errors if the last execution failed. This parameter is updated by the Oracle directory integration and provisioning server. It is a read-only attribute. |
Last Applied Change Number (orclodipConDirLastAppliedChgNum) | For import operations, the last change from the connected directory that was applied to Oracle Internet Directory. The default value is 0. Set this to the value of the lastchangenumber attribute of Oracle Internet Directory. If you have used the Directory Integration and Provisioning Assistant for bootstrapping using LDAP, then this is set automatically at the end of the bootstrapping process. This is valid only in the import profile. |
See Also: The section on integration with SunONE Directory Server in Oracle Identity Management Integration Guide.
In order to identify objects that are synchronized from Microsoft Active Directory, Oracle Internet Directory contains the schema elements listed in Table B-5, which correspond to Microsoft Active Directory-specific attributes.
Table B-5 Oracle Internet Directory Schema Elements that Correspond to Microsoft Active Directory-Specific Attributes
Schema Element | Description |
---|---|
orclADGroup | Represents the object class for groups synchronized from Active Directory. Contains the orclObjectGuid, orclObjectSid, and orclSAMAccountName elements. |
orclADUser | Represents the object class for users synchronized from Active Directory. Contains the orclObjectGuid, orclObjectSid, and orclSAMAccountName elements. |
orclObjectGuid | Stores Active Directory's OBJECTGUID attribute. |
orclObjectSid | Stores Active Directory's OBJECTSID attribute. |
orclSAMAccountName | Stores Active Directory's SAMAccountName attribute. In Oracle Internet Directory, this attribute is defined as a Directory String type. However, in Active Directory this attribute cannot accept any special or non-printable characters. If an entry is added in Oracle Internet Directory with this attribute, it can contain only a simple text string, or synchronization from Oracle Internet Directory to Active Directory will fail. |
Table B-6 Attribute Uniqueness Constraint Entry
The following table lists and describes the entire set of configuration set entry attributes that are used to configure an instance of the directory server.
Table B-7 Configuration Set Entry Attributes
Table B-8 Debug Logging Schema Elements
Attribute | Description |
---|---|
orcldebugforceflush | Specifies whether debug messages are to be written to the log file when a message is logged by the directory server. To enable it, set its value to 1. To disable it, set it to 0, which is its default value. See Also: "Force Flushing the Trace Information to a Log File" |
orcldebugop | To make logging more focused, limits logged information to particular directory server operations by specifying the debug dimension for those operations. See Also: "Setting the Operation Debug Dimension" |
Table B-9 lists and describes the attributes of the orclDynamicGroup object class.
Table B-9 orclDynamicGroup Attributes for "Connect By" Assertions
Attribute | Description |
---|---|
orclConnectByAttribute | The attribute that you want to use as the filter for the query, for example, manager. |
orclConnectByStartingValue | The DN of the attribute you specified in the orclConnectByAttribute attribute, for example, Anne Smith. |
Table B-10 Garbage Collection Configuration Parameters
Attribute | Description | Mandatory? | Default Value |
---|---|---|---|
orclPurgeBase | The base DN of the DIT where the garbage collection task is applied. This attribute value is reserved for each garbage collector and must not be modified. | Yes | RDN of garbage collector configuration entry DN |
orclpurgestart | Time in seconds when the garbage collector starts to run. The format is yyyymmddhhmmss. | No | NULL |
orclpurgetargetage | The age, in hours, of the target objects eligible to be purged. That is, garbage objects older than the age specified by this attribute are purged. A value of NULL is equivalent to a value of 0. | No | NULL |
orclPurgeInterval | Time interval in hours after which the garbage collection job is executed again. This can be measured either from the point in time specified in the orclpurgestart attribute or from the last time it was run. The default value is NULL. A value of NULL is equivalent to a value of 24. | No | 24 |
orclpurgetransize | Number of objects to be purged in one commit transaction. | No | 1000 |
orclpurgenow | Indicator that the submitted job is to be executed immediately whenever this attribute is added or modified. After the garbage collector runs, the attribute is reset to NULL. That is, it is removed. | No | N/A |
orclPurgeEnable | Flag to enable or disable garbage collectors. | No | 1 |
orclPurgeDebug | Flag to enable or disable collection of debugging messages. | No | 0 |
orclpurgefilename | Name of the file that stores garbage collection logging messages. | No | oidgc001.log |
orclpurgefileloc | Absolute directory where the log file is saved. | No | . (period) |
Schema Elements for Predefined Garbage Collectors
Oracle Internet Directory provides several predefined garbage collectors that, together, clean up all unwanted data in the directory server. These predefined garbage collectors are:
Audit Log Garbage Collector
Audit log garbage collector cleans up unwanted entries created for auditing the directory server.
Table B-11 Attributes for the Audit Log Garbage Collector
Attribute | Description | Default Value |
---|---|---|
orclPurgeBase | The base DN of the naming context to which the garbage collection task is to be applied. This attribute value is reserved and must not be modified. | cn=auditlog |
orclpurgestart | Time in seconds when the garbage collector starts to run. The format is yyyymmddhhmmss. | NULL (12:00 a.m. of the day Oracle Internet Directory is installed) |
orclpurgetargetage | The age of the target objects in hours. All objects older than the age specified by this attribute are purged. | 12 hours |
orclPurgeInterval | Time interval in hours after which the garbage collection job is executed again. This can be measured either from the point in time specified in the orclpurgestart attribute or from the last time it was run. | NULL (24 hours) |
orclpurgetransize | The number of objects to be purged in one commit transaction. | 1000 |
orclpurgenow | Every time this attribute is added or modified, the submitted job is executed immediately. | N/A |
orclPurgeEnable | Flag to enable or disable garbage collectors. | 1 |
orclPurgeDebug | Flag to enable or disable collection of debugging messages. | 0 |
orclpurgefilename | Name of the file that stores garbage collection logging messages. | oidgc001.log |
orclpurgefileloc | Absolute directory where the log file is saved. | . (period) |
Change Log Garbage Collector
Change log garbage collector cleans up the consumed change log entries in the directory.
Table B-12 Attributes of the Change Log Garbage Collector
Attribute | Description | Default Value |
---|---|---|
orclPurgeBase | The base DN of the naming context to which the garbage collection task is to be applied. This attribute value is reserved and must not be modified. | cn=changelog |
orclpurgestart | Time in seconds when the garbage collector starts to run. The format is yyyymmddhhmmss. | NULL (12:00 a.m. of the day Oracle Internet Directory is installed) |
orclpurgetargetage | The age, in hours, of the target objects eligible to be purged. Garbage objects older than the age specified by this attribute are purged. A NULL value is equivalent to 0. If the value is NULL or 0, time-based purging is enabled. That is, change logs are purged regardless of any enabled change log subscribers' change log processing status. If the value is an integer greater than zero, change number-based purging is enabled. That is, the change log garbage collector respects the change log processing status of any enabled change log subscribers. | NULL (That is, time-based purging with a purge target age equivalent to 0) |
orclPurgeInterval | Time interval in hours after which the garbage collection job is executed again. This can be measured either from the point in time specified in the orclpurgestart attribute or from the last time it was run. | NULL (24 hours) |
orclpurgetransize | The number of objects to be purged in one commit transaction. | 1000 |
orclpurgenow | Every time this attribute is added or modified, the submitted job is executed immediately. | N/A |
orclPurgeEnable | Flag to enable or disable garbage collectors. | 1 |
orclPurgeDebug | Flag to enable or disable collection of debugging messages. | 0 |
orclpurgefilename | Name of the file that stores garbage collection logging messages. | oidgc001.log |
orclpurgefileloc | Absolute directory where the log file is saved. | . (period) |
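As an added example (not Oracle's code), the Python below reads garbage-collector configuration entries from constructed LDIF and applies the value rules of Tables B-10 and B-12: a NULL orclPurgeInterval means 24 hours, a NULL orclpurgetargetage means 0 hours (which, for the change log collector, selects time-based purging that ignores subscriber processing status), and orclpurgestart is yyyymmddhhmmss with NULL meaning midnight of the install day. The entry DNs, the install date and the clock time are assumptions made for the example.

```python
"""Added example: audit OID garbage-collector config entries per Tables B-10 and B-12."""
from datetime import datetime, timedelta

# Constructed sample input. Attribute names are those of Table B-10; a NULL
# attribute is simply absent. The entry DNs are an assumption for this example
# (placed under the subscriber DN of Table B-18), not a real directory layout.
SAMPLE_LDIF = """\
dn: cn=changelog purgeconfig,cn=purgeconfig,cn=subconfigsubentry
orclpurgebase: cn=changelog
orclpurgestart: 20240101020000
orclpurgeinterval: 12
orclpurgeenable: 1
orclpurgedebug: 1

dn: cn=tombstone purgeconfig,cn=purgeconfig,cn=subconfigsubentry
orclpurgebase: cn=tombstone
orclpurgetargetage: 12
orclpurgeenable: 0
"""
INSTALL_DAY = datetime(2024, 1, 1, 9, 30)  # assumed install time for the sample
NOW = datetime(2024, 1, 2, 5, 0)           # assumed clock time for the sample

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one value per line."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current[name.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries

def effective_settings(entry, install_day=INSTALL_DAY):
    """Resolve absent (NULL) attributes to the equivalents documented in Table B-10."""
    start_raw = entry.get("orclpurgestart")
    if start_raw:
        start = datetime.strptime(start_raw, "%Y%m%d%H%M%S")  # yyyymmddhhmmss
    else:  # NULL: 12:00 a.m. of the day the directory was installed
        start = install_day.replace(hour=0, minute=0, second=0, microsecond=0)
    return {
        "base": entry.get("orclpurgebase", ""),
        "start": start,
        "interval_hours": int(entry.get("orclpurgeinterval") or 24),   # NULL -> 24
        "target_age_hours": int(entry.get("orclpurgetargetage") or 0),  # NULL -> 0
        "enabled": entry.get("orclpurgeenable", "1") == "1",            # default 1
        "debug": entry.get("orclpurgedebug", "0") == "1",               # default 0
    }

def next_run(settings, now=NOW):
    """First scheduled run at or after `now`, stepping from orclpurgestart by the interval."""
    start = settings["start"]
    step = timedelta(hours=settings["interval_hours"])
    if now <= start:
        return start
    periods = -((start - now) // step)  # ceiling of (now - start) / step
    return start + periods * step

def is_purgeable(settings, object_time, now=NOW):
    """An object older than orclpurgetargetage hours is eligible for purging."""
    return now - object_time > timedelta(hours=settings["target_age_hours"])

def audit(entries, install_day=INSTALL_DAY):
    """Return findings worth a defender's review, one string per finding."""
    findings = []
    for entry in entries:
        s = effective_settings(entry, install_day)
        base = s["base"]
        if not s["enabled"]:
            findings.append(f"{base}: collector disabled (orclPurgeEnable=0), so nothing under it is purged")
        if s["debug"]:
            findings.append(f"{base}: debug message collection is on (orclPurgeDebug=1)")
        if base.lower() == "cn=changelog" and s["target_age_hours"] == 0:
            # Table B-12: NULL/0 selects time-based purging, which ignores the change
            # log processing status of enabled subscribers.
            findings.append("cn=changelog: time-based purging (target age NULL/0) removes change "
                            "log entries regardless of subscribers' processing status")
    return findings

def main():
    entries = parse_ldif(SAMPLE_LDIF)
    for entry in entries:
        s = effective_settings(entry)
        print(f"{s['base']}: interval={s['interval_hours']}h target_age={s['target_age_hours']}h"
              f" next_run={next_run(s):%Y-%m-%d %H:%M}")
    for finding in audit(entries):
        print("FINDING:", finding)

if __name__ == "__main__":
    main()
```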
General Statistics Garbage Collector
The General Statistics garbage collector cleans up unwanted general statistical entries created for the directory server.
Table B-13 Attributes of the General Statistics Garbage Collector
Attribute | Description | Default Value |
---|---|---|
orclPurgeBase | The base DN of the naming context to which the garbage collection task is to be applied. This attribute value is reserved and must not be modified. | cn=orclgeneralstats,cn=orclsm |
orclpurgestart | Time in seconds when the garbage collector starts to run. The format is yyyymmddhhmmss. | NULL (12:00 a.m. of the day Oracle Internet Directory is installed) |
orclpurgetargetage | The age of the target objects in hours. All objects older than the age specified by this attribute are purged. | 12 hours |
orclPurgeInterval | Time interval in hours after which the garbage collection job is executed again. This can be measured either from the point in time specified in the orclpurgestart attribute or from the last time it was run. | NULL (24 hours) |
orclpurgetransize | The number of objects to be purged in one commit transaction. | 1000 |
orclpurgenow | Every time this attribute is added or modified, the submitted job is executed immediately. | N/A |
orclPurgeEnable | Flag to enable or disable garbage collectors. | 1 |
orclPurgeDebug | Flag to enable or disable collection of debugging messages. | 0 |
orclpurgefilename | Name of the file that stores garbage collection logging messages. | oidgc001.log |
orclpurgefileloc | Absolute directory where the log file is saved. | . (period) |
Health Statistics Garbage Collector
The Health Statistics garbage collector cleans up unwanted health statistics entries created for the directory server.
Table B-14 Attributes of the Health Statistics Garbage Collector
Attribute | Description | Default Value |
---|---|---|
orclPurgeBase | The base DN of the naming context to which the garbage collection task is to be applied. This attribute value is reserved and must not be modified. | cn=orclhealthstats,cn=orclsm |
orclpurgestart | Time in seconds when the garbage collector starts to run. The format is yyyymmddhhmmss. | NULL (12:00 a.m. of the day Oracle Internet Directory is installed) |
orclpurgetargetage | The age of the target objects in hours. All objects older than the age specified by this attribute are purged. | 12 hours |
orclPurgeInterval | Time interval in hours after which the garbage collection job is executed again. This can be measured either from the point in time specified in the orclpurgestart attribute or from the last time it was run. | NULL (24 hours) |
orclpurgetransize | The number of objects to be purged in one commit transaction. | 1000 |
orclpurgenow | Every time this attribute is added or modified, the submitted job is executed immediately. | N/A |
orclPurgeEnable | Flag to enable or disable garbage collectors. | 1 |
orclPurgeDebug | Flag to enable or disable collection of debugging messages. | 0 |
orclpurgefilename | Name of the file that stores garbage collection logging messages. | oidgc001.log |
orclpurgefileloc | Absolute directory where the log file is saved. | . (period) |
Security and Refresh Events Garbage Collector
The Security and Refresh Events garbage collector cleans up the unwanted entries created for monitoring the security and refresh events of the directory server.
Table B-15 Attributes of the Security and Refresh Events Garbage Collector
Attribute | Description | Default Value |
---|---|---|
orclPurgeBase | The base DN of the naming context to which the garbage collection task is to be applied. This attribute value is reserved and must not be modified. | cn=orclsecrefreshevents,cn=orclsm |
orclpurgestart | Time in seconds when the garbage collector starts to run. The format is yyyymmddhhmmss. | NULL (12:00 a.m. of the day Oracle Internet Directory is installed) |
orclpurgetargetage | The age of the target objects in hours. All objects older than the age specified by this attribute are purged. | 12 hours |
orclPurgeInterval | Time interval in hours after which the garbage collection job is executed again. This can be measured either from the point in time specified in the orclpurgestart attribute or from the last time it was run. | NULL (24 hours) |
orclpurgetransize | The number of objects to be purged in one commit transaction. | 1000 |
orclpurgenow | Every time this attribute is added or modified, the submitted job is executed immediately. | N/A |
orclPurgeEnable | Flag to enable or disable garbage collectors. | 1 |
orclPurgeDebug | Flag to enable or disable collection of debugging messages. | 0 |
orclpurgefilename | Name of the file that stores garbage collection logging messages. | oidgc001.log |
orclpurgefileloc | Absolute directory where the log file is saved. | . (period) |
System Resource Events Garbage Collector
The System Resource Events garbage collector cleans up unwanted entries created for monitoring system resources events of the directory server.
Table B-16 Attributes of the System Resource Events Garbage Collector
Attribute | Description | Default Value |
---|---|---|
orclPurgeBase | The base DN of the naming context to which the garbage collection task is to be applied. This attribute value is reserved and must not be modified. | cn=orclsysresourceevents,cn=orclsm |
orclpurgestart | Time in seconds when the garbage collector starts to run. The format is yyyymmddhhmmss. | NULL (12:00 a.m. of the day Oracle Internet Directory is installed) |
orclpurgetargetage | The age of the target objects in hours. All objects older than the age specified by this attribute are purged. | 12 hours |
orclPurgeInterval | Time interval in hours after which the garbage collection job is executed again. This can be measured either from the point in time specified in the orclpurgestart attribute or from the last time it was run. | NULL (24 hours) |
orclpurgetransize | The number of objects to be purged in one commit transaction. | 1000 |
orclpurgenow | Every time this attribute is added or modified, the submitted job is executed immediately. | N/A |
orclPurgeEnable | Flag to enable or disable garbage collectors. | 1 |
orclPurgeDebug | Flag to enable or disable collection of debugging messages. | 0 |
orclpurgefilename | Name of the file that stores garbage collection logging messages. | oidgc001.log |
orclpurgefileloc | Absolute directory where the log file is saved. | . (period) |
Tombstone Garbage Collector
The Tombstone garbage collector cleans up unwanted entries marked as deleted.
Table B-17 Attributes of the Tombstone Garbage Collector
Attribute | Description | Default Value |
---|---|---|
orclPurgeBase | The base DN of the naming context to which the garbage collection task is to be applied. This attribute value is reserved and must not be modified. | cn=tombstone |
orclpurgestart | Time in seconds when the garbage collector starts to run. The format is yyyymmddhhmmss. | NULL (12:00 a.m. of the day Oracle Internet Directory is installed) |
orclpurgetargetage | The age of the target objects in hours. All objects older than the age specified by this attribute are purged. | 12 hours |
orclPurgeInterval | Time interval in hours after which the garbage collection job is executed again. This can be measured either from the point in time specified in the orclpurgestart attribute or from the last time it was run. | NULL (24 hours) |
orclpurgetransize | The number of objects to be purged in one commit transaction. | 1000 |
orclpurgenow | Every time this attribute is added or modified, the submitted job is executed immediately. | N/A |
orclPurgeEnable | Flag to enable or disable garbage collectors. | 1 |
orclPurgeDebug | Flag to enable or disable collection of debugging messages. | 0 |
orclpurgefilename | Name of the file that stores garbage collection logging messages. | oidgc001.log |
orclpurgefileloc | Absolute directory where the log file is saved. | . (period) |
Oracle Internet Directory Plug-In for Garbage Collection
The garbage collection framework relies on the Oracle Internet Directory plug-in framework to trigger the garbage collection engine. This section tells you the attribute value pairs that the garbage collection plug-in uses for various operations.
Attributes for Creating a Garbage Collector
To create a garbage collector, the garbage collection plug-in uses the attribute value pairs listed in Table B-18.
Table B-18 Attribute Value Pairs for Creating a Garbage Collector
Attribute | Value |
---|---|
orclpluginname | PurgeAdmin |
orclplugintype | operational |
orclplugintiming | post |
orclpluginldapoperation | ldapadd |
orclpluginsubscriberdnlist | cn=purgeconfig,cn=subconfigsubentry |
Attributes for Modifying a Garbage Collector
To modify a garbage collector, the garbage collection plug-in uses the attribute value pairs listed in Table B-19.
Table B-19 Attribute Value Pairs for Modifying a Garbage Collector
Attribute | Value |
---|---|
orclpluginname | PurgeAdmin |
orclplugintype | operational |
orclplugintiming | post |
orclpluginldapoperation | ldapmodify |
orclpluginsubscriberdnlist | cn=purgeconfig,cn=subconfigsubentry |
Attributes for Deleting a Garbage Collector
To delete a garbage collector, the garbage collection plug-in uses the attribute value pairs listed in Table B-20.
The following are optional attributes from the orclUserV2 object class:
Table B-21 Attributes in the orclUserV2 Object Class
Attribute | Description |
---|---|
OrclPassword | Identifies an Oracle-specific password for custom authentication schemes such as O3Logon for the database server. |
OrclHireDate | Specifies the date on which an employee starts working for a company. |
OrclDefaultProfileGroup | Holds the name (DN) of the group designated as the default group for a user, so that a default profile can be built for the user based on this attribute value. |
OrclPasswordHint | Specifies the question set by a user for administering the password on behalf of the user. |
OrclPasswordHintAnswer | Specifies the answer set for orclPasswordHint. |
OrclTimeZone | Indicates the geographical time zone of a user based on his office location. Valid values are the three-letter time zone values, for example, EST, PST, GMT. |
OrclIsVisible | Specifies whether the user entry should be displayed in people search applications. |
OrclDisplayPersonalInfo | Specifies whether the user's personal information should be displayed in white pages queries. |
OrclWorkflowNotificationPref | Specifies the preferred notification mechanism for Oracle Workflow. |
OrclMaidenName | Specifies the maiden name of an individual. |
OrclDateOfBirth | Specifies the date on which an individual was born. |
orclActiveStartDate | Specifies the date on which the user can successfully begin to authenticate to the Oracle Application Server Single Sign-On server. Values are represented in Universal Time format. |
orclActiveEnddate | Specifies the date after which the user can no longer authenticate to the Oracle Application Server Single Sign-On server. Values are represented in Universal Time format. |
Table B-22 Oracle Internet Directory Configuration Parameters
Table B-23 Attributes for Oracle Internet Directory Server Manageability
Attribute | Description |
---|---|
orclStatsFlag | Indicates whether the Oracle Internet Directory Server Manageability framework is enabled or disabled. To enable it, set this to 1. To disable it, set it to 0. |
orclStatsPeriodicity | Specifies how often sample statistics are gathered, that is, the number of minutes in the interval. Set this to 1 or more minutes. If ... |
OrclEventLevel | Specifies the critical events related to security and system resources that you want recorded. The default is 0, that is, no critical events are recorded. For events other than super user, proxy user, and replication login, set the value of the ... See Also: "Configuring Critical Events" for a list of critical events that can be monitored. |
OrclStatsLevel | Specifies the level of statistics collection for users. There is only one valid value in this release, namely 1. Specifying this value collects the number of bind and compare operations against the directory and the user who performed each one. |
OrclMaxTcpIdleConnTime | Specifies the maximum TCP connection time in minutes for an idle connection to be recorded as idle. Its default value is 120 minutes (2 hours). The value of this attribute should be less than that of the DSA Configuration Set attribute orclLDAPconnTimeOut. |
The pwdPolicy object class is an auxiliary object class containing the password policy information for a set of users in a given DIT. It contains attributes that define the password policy information for the entire directory.
Table B-24 lists and describes the attributes of the pwdPolicy object class. The default value for each of these attributes is 0 (zero). These attributes are single-valued, except orclpwdIllegalValues, which is multi-valued.
Table B-24 Attributes of the pwdPolicy Object Class
Attribute | Policy | Description |
---|---|---|
orclpwdAlphaNumeric | Number of Numeric Characters in Password | Number of numeric characters required in a password. By default, one numeric character is required. That is, the default value is 1. |
orclpwdencryptionenable | Enable reversible user password encryption | If the value is 1, then the user password is stored in reversible encrypted form. |
orclpwdIllegalValues | Illegal Values | Multivalued attribute containing the common words and attribute types whose values cannot be used as a valid password. By default, all words are acceptable password values. |
orclpwdipmaxfailure | IP Lockout Maximum Failure | Specify the maximum number of failed logins from a specific IP address after which the account is locked. |
orclpwdToggle | | Do not use. Use pwdInHistory to enforce policies disabling reuse of previously chosen passwords. |
orclpwdiplockout | IP Lockout | Specify whether you want to enforce account lockout for a specific IP address. A value of TRUE enforces the lockout. The default is FALSE. |
pwdCheckSyntax | Check Password Syntax | Indicator of whether syntax checking is enforced. If 1, then syntax checking is enforced. The default value is 1. By default, password syntax checking is turned on, and user passwords must contain one numeric character. |
orclpwdpolicyenable | Enable/disable Password Policy | Enabled=1, Disabled= |
pwdExpireWarning | Password Expiration Warning | The number of seconds before password expiration that the directory server sends the user a warning. If password expiration is enabled, then, by default, the directory server sends a warning before the password expires. The directory server sends the warning at each logon. If the user does not modify the password before it expires, the user is locked out until the password is changed by the administrator. For this feature to work, the client application must support it. The default is 0, which means no warnings are sent. Example: If |
pwdFailureCountInterval | Password Failure Count Interval | The number of seconds after which the password failure times are purged from the user entry. If this attribute is not present, or if it has a value of 0, then failure times are never purged. The default is 0. |
pwdGraceLoginLimit | Number of Grace Logins after Password Expiration | Maximum number of grace logins allowed after a password expires. By default, no grace logins are allowed. The default value is 3. |
pwdInHistory | Number of Password History | How many of a user's previous passwords the directory server is to store. If a user attempts to reuse one of the passwords the directory server has stored, then the password is rejected. The directory server does not maintain a password history by default. |
pwdLockout | Password Lockout | Specification for whether users are locked out of the directory after the number of consecutive failed bind attempts specified by pwdMaxFailure. If the value of this policy attribute is 1, then users are locked out. If this attribute is not present, or if the value is 0, then users are not locked out and the value of pwdMaxFailure is ignored. By default, account lockout is enforced. The account is locked after three consecutive login failures. |
pwdLockoutDuration | Lockout Duration | The number of seconds a user is locked out of the directory if both of the following are true: You can set user lockout for a specific duration, or until the administrator resets the user's password. A default value of |
pwdMaxAge | Password Expiry Time | The maximum length of time, in seconds, that a given password is valid. If this attribute is not present, or if the value is 0 (zero), then the password does not expire. By default, passwords expire in 60 days. |
pwdMaxFailure | Password Maximum Failure | The number of consecutive failed bind attempts after which a user account is locked. If this attribute is not present, or if the value is 0 (zero), then the account is not locked due to failed bind attempts, and the value of the password lockout policy is ignored. The default is 4. |
pwdMinLength | Minimum Number of Characters of Password | The minimum number of characters required in a password. By default, the minimum length is 5; however, the value for this attribute must be at least 1. |
pwdMustChange | Password Change after Reset | Indicator of whether users must change their passwords after the first login, or after the password is reset by the administrator. Enabling this option requires users to change their passwords even if user-defined passwords are disabled. By default, users need not change their passwords after reset. |
orclpwdIPLockoutDuration | IP Lockout Duration | The number of seconds you want to enforce account lockout for a specific IP address. A user account stays locked even after the lockout duration has passed unless the user binds with the correct password. |
pwdsafemodify | Need to Supply Old Password When Modifying Password | Indicator of whether the user must supply the old password with the new one when modifying the password. By default, the old password is not required. |
In addition to the pwdpolicysubentry mentioned earlier, the object class top contains the following operational attributes to maintain the user-password state information for each user entry.
Table B-25 Password Policy Operational Attributes of the Top Object Class
Attribute | Description |
---|---|
orclrevpwd | Reversible encrypted value of the user password. This attribute is generated only if the attribute orclpwdencryptionenable in the password policy entry is set to 1. The orclrevpwd attribute can be queried only by using the SSL one-way and two-way authentication mechanisms. This attribute cannot be queried over non-SSL sessions. See Also: "Storing and Managing Password Verifiers for Authenticating to Oracle Internet Directory" |
orclpwdipaccountlockedtime | The time at which a user was locked out from a specific IP address |
pwdAccountLockedTime | The time at which the user account was locked |
pwdChangedtime | The timestamp of the user password creation or modification |
pwdExpirationWarned | The time at which the first password expiration warning was sent to the user |
pwdFailuretime | The timestamps of consecutive failed login attempts by the user |
pwdGraceUseTime | The timestamps of each grace login by the user |
pwdHistory | A history of the user's previously used passwords |
pwdReset | Indicator that the password has been reset and must be changed by the user on first authentication |
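The way the pwdPolicy attributes of Table B-24 drive the per-user operational attributes of Table B-25 (failure times, lockout, grace logins, history) is easiest to follow in code. The following Python model is an added example, not Oracle's implementation: the attribute names are the page's, while the time arithmetic, the SHA-256 digests used for pwdHistory and the reading of pwdLockoutDuration 0 as "locked until an administrator resets" are assumptions, and every timestamp and password in demo() is constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class PwdPolicy:  # subset of the pwdPolicy attributes in Table B-24, defaults as the table states them
    pwdCheckSyntax: int = 1
    pwdMinLength: int = 5
    orclpwdAlphaNumeric: int = 1          # numeric characters required
    orclpwdIllegalValues: List[str] = field(default_factory=list)
    pwdInHistory: int = 0                 # 0 = no history kept
    pwdLockout: int = 1
    pwdMaxFailure: int = 4
    pwdLockoutDuration: int = 0           # modelled as 0 = locked until administrator reset (assumption)
    pwdFailureCountInterval: int = 0      # 0 = failure times are never purged
    pwdMaxAge: int = 60 * 86400           # 60 days, in seconds
    pwdExpireWarning: int = 0             # 0 = no warnings sent
    pwdGraceLoginLimit: int = 3

@dataclass
class UserPwdState:  # operational attributes from Table B-25 that the server keeps on the user entry
    pwdChangedTime: datetime
    pwdFailureTime: List[datetime] = field(default_factory=list)
    pwdAccountLockedTime: Optional[datetime] = None
    pwdGraceUseTime: List[datetime] = field(default_factory=list)
    pwdHistory: List[str] = field(default_factory=list)  # SHA-256 digests, never clear text

def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(policy, state, candidate) -> List[str]:
    """Names of the policy attributes a proposed password violates (empty list = acceptable)."""
    rules = [(len(candidate) < policy.pwdMinLength, "pwdMinLength"),
             (sum(ch.isdigit() for ch in candidate) < policy.orclpwdAlphaNumeric, "orclpwdAlphaNumeric"),
             (candidate.lower() in (w.lower() for w in policy.orclpwdIllegalValues), "orclpwdIllegalValues")]
    problems = [name for hit, name in rules if hit] if policy.pwdCheckSyntax == 1 else []
    if policy.pwdInHistory > 0 and _digest(candidate) in state.pwdHistory[-policy.pwdInHistory:]:
        problems.append("pwdInHistory")  # reuse of a stored previous password is rejected
    return problems

def record_failed_bind(policy, state, now) -> bool:
    """Record one failed bind; True when this failure locks the account (pwdLockout and pwdMaxFailure)."""
    if policy.pwdFailureCountInterval > 0:  # purge failure times older than the interval
        cutoff = now - timedelta(seconds=policy.pwdFailureCountInterval)
        state.pwdFailureTime = [t for t in state.pwdFailureTime if t >= cutoff]
    state.pwdFailureTime.append(now)
    if policy.pwdLockout == 1 and 0 < policy.pwdMaxFailure <= len(state.pwdFailureTime):
        state.pwdAccountLockedTime = now
        return True
    return False

def is_locked(policy, state, now) -> bool:
    """Locked while pwdAccountLockedTime is set, unless a positive pwdLockoutDuration has elapsed."""
    if state.pwdAccountLockedTime is None or policy.pwdLockout != 1:
        return False
    return policy.pwdLockoutDuration <= 0 or now < state.pwdAccountLockedTime + timedelta(seconds=policy.pwdLockoutDuration)

def evaluate_bind(policy, state, now) -> str:
    """Outcome of a bind with the correct password: locked, grace, expired, warn or ok."""
    if is_locked(policy, state, now):
        return "locked"
    if policy.pwdMaxAge > 0:
        expires_at = state.pwdChangedTime + timedelta(seconds=policy.pwdMaxAge)
        if now >= expires_at:
            if len(state.pwdGraceUseTime) < policy.pwdGraceLoginLimit:
                state.pwdGraceUseTime.append(now)  # one grace login consumed
                return "grace"
            return "expired"
        if policy.pwdExpireWarning > 0 and now >= expires_at - timedelta(seconds=policy.pwdExpireWarning):
            return "warn"
    return "ok"

def change_password(policy, state, new_password, now) -> List[str]:
    """Apply a change: reject violations, otherwise update pwdHistory and clear the per-user state."""
    problems = check_password(policy, state, new_password)
    if not problems:
        if policy.pwdInHistory > 0:
            state.pwdHistory = (state.pwdHistory + [_digest(new_password)])[-policy.pwdInHistory:]
        state.pwdChangedTime, state.pwdAccountLockedTime, state.pwdFailureTime, state.pwdGraceUseTime = now, None, [], []
    return problems

def demo() -> dict:
    """Constructed scenarios (times and passwords are made up); returns what each step produced."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = PwdPolicy(pwdInHistory=2, orclpwdIllegalValues=["welcome1"], pwdExpireWarning=86400)
    out = {"syntax": check_password(policy, UserPwdState(now), "abc"),
           "illegal": check_password(policy, UserPwdState(now), "Welcome1"),
           "warn": evaluate_bind(policy, UserPwdState(now - timedelta(days=59, hours=12)), now)}
    stale = UserPwdState(now - timedelta(days=61))  # changed longer ago than pwdMaxAge
    out["grace"] = [evaluate_bind(policy, stale, now) for _ in range(4)]
    out["rotate"] = change_password(policy, stale, "S3cure.pw", now)
    out["after_rotate"] = evaluate_bind(policy, stale, now)
    out["reuse"] = change_password(policy, stale, "S3cure.pw", now)
    victim = UserPwdState(now)
    out["lock_seq"] = [record_failed_bind(policy, victim, now + timedelta(seconds=i)) for i in range(4)]
    out["locked"] = evaluate_bind(policy, victim, now)
    out["unlocked_later"] = is_locked(PwdPolicy(pwdLockoutDuration=600), victim, now + timedelta(seconds=700))
    return out
```

demo() returns one dictionary with the outcome of each scenario, so the same run shows three grace logins followed by an expired bind, a rejected password reuse, and the fourth consecutive failure being the one that locks the account.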
Both the directory and Oracle components store the user password in the user entry, but in different attributes. Whereas the directory stores user passwords in the userPassword attribute, Oracle components store user password verifiers in the authPassword, orclPasswordVerifier, or orclpassword attribute. Table B-26 describes each of the attributes used by Oracle components.
Table B-26 Attributes for Storing Password Verifiers in User Entries
Attribute | Description |
---|---|
authPassword | Attribute for storing a password to an Oracle component when that password is the same as that used to authenticate the user to the directory, namely, userpassword. The value in this attribute is synchronized with that in the userpassword attribute. Several different applications can require the user to enter the same clear text password used for the directory, but each application may hash it with a different algorithm. In this case, the same clear text password can become the source of several different password verifiers. This attribute is multivalued and can contain all the other verifiers that different applications use for this user's clear text password. If the |
orclPasswordVerifier | Attribute for storing a password to an Oracle component when that password is different from that used to authenticate the user to the directory, namely, userpassword. The value in this attribute is not synchronized with that in the userpassword attribute. Like |
orclPassword | Attribute for storing only the 03LOGON verifier for enterprise users. The 03LOGON verifier is synchronized with the userpassword attribute, and it is generated by default for all user entries associated with the orcluserv2 object class. When Oracle Internet Directory is installed, a database security profile entry is created by default in the Root Oracle Context. The presence of this entry triggers the generation of 03LOGON verifiers for user entries associated with the |
Each of these attribute types has appID as an attribute subtype. This attribute subtype uniquely identifies a particular application. For example, the appID can be the ORCLGUID of the application entry. This attribute subtype is generated during application installation.
The orclPluginConfig object class is a structural object class that must be associated with all plug-in entries. Its superclass is top. Table B-27 lists and describes its attributes.
Table B-27 Plug-in Attribute Names and Values
Attribute Name | Attribute Value | Mandatory? |
---|---|---|
Cn | Plug-in entry name | Yes |
orclPluginAttributeList | A semicolon-separated attribute name list that controls whether the plug-in takes effect. If the target attribute is included in the list, the plug-in is invoked. | No |
orclPluginEnable | 0 = disable (default); 1 = enable | No |
orclPluginEntryProperties | An LDAP search filter value must be specified here. For example, if you specify orclPluginEntryProperties: (&(objectclass=inetorgperson)(sn=Cezanne)), then the plug-in is not invoked if the target entry has objectclass equal to inetorgperson and sn equal to Cezanne. | No |
orclPluginIsReplace | For WHEN timing plug-ins only | No |
orclPluginKind | PL/SQL | No |
orclPluginLDAPOperation | One of the following values: ldapcompare, ldapmodify, ldapbind, ldapadd, ldapdelete, ldapsearch | Yes |
orclPluginName | Plug-in package name | Yes |
orclPluginRequestGroup | A semicolon-separated group list that controls whether the plug-in takes effect. You can use this group to specify who can actually invoke the plug-in. For example, if you specify | No |
orclPluginRequestNegGroup | A semicolon-separated group list that controls whether the plug-in takes effect. You can use this group to specify who can NOT invoke the plug-in. For example, if you specify orclpluginrequestneggroup: cn=security,cn=groups,dc=oracle,dc=com when you register the plug-in, then the plug-in is not invoked if the LDAP request comes from a person who belongs to the group cn=security,cn=groups,dc=oracle,dc=com. | No |
orclPluginResultCode | An integer value specifying the LDAP result code. If this value is specified, then the plug-in is invoked only if the LDAP operation ends with that result code. This applies only to the POST plug-in type. | No |
orclPluginSASLCallBack | Controls the type of bind used when the LDAP_PLUGIN package connects back to the same Oracle Internet Directory server. 1 = SASL bind (default); 0 = simple bind. | No |
orclPluginSearchNotFound | A PRE search plug-in to bring in external entries if they are not found in Oracle Internet Directory in the first place. This attribute provides additional plug-in invocation checking and ensures that the plug-in is invoked only when the entry is not present in Oracle Internet Directory. | No |
orclPluginShareLibLocation | File location of the dynamic linking library. If this value is not present, then the Oracle Internet Directory server assumes the plug-in language is PL/SQL. | No |
orclPluginSubscriberDNList | A semicolon-separated DN list that controls whether the plug-in takes effect. For example: orclPluginSubscriberDNList= dc=COM,c=us; dc=us,dc=oracle,dc=com; dc=org,dc=us; o=IMC,c=US. If the target DN of an LDAP operation is included in the list, then the plug-in is invoked. | No |
orclPluginTiming | One of the following values: pre, when, post. See Also: "About Directory Server Plug-ins" for explanations of these values. | No |
orclPluginType | operational. See Also: The chapter about the Oracle Internet Directory server plug-in framework in Oracle Identity Management Application Developer's Guide | Yes |
orclPluginVersion | Supported plug-in version number | No |
This section lists and describes the attributes for:
Resource access descriptors (RADs)
Resource type information
The resource access descriptor object contains the attributes listed and described in Table B-28.
Table B-28 Resource Access Descriptor (RAD) Attributes
Attribute | Description |
---|---|
orclResourceName | Specifies the name of the resource for which the connection information is being maintained. |
orclOwnerGlobalID | Specifies the user or group for which the preferences are being stored. The value of the attribute is the same as the GUID (orclGlobalID) attribute value in the user or group entry. This attribute helps in abstracting the self-administrative access policies as a generic policy and also in querying the preferences given a user's GUID. For example, suppose that user John Doe from Acme Corporation needs to store his extended preferences. His actual user entry contains mostly white-pages information about the user and his authentication credentials. The user entry additionally has |
orclApplicationGUID | Specifies the global identifier of the application entity for which the user preferences are being stored. The value of the attribute is the same as the GUID (orclGUID) attribute value for the application entity. This attribute is useful when application-specific resource access information for a user is stored under the user's container object as shown in Figure 2-10. |
orclResourceTypeName | Specifies the name of the resource, for example, database, XMLPDS, JDBCPDS. |
displayName | Specifies the display name associated with the resource. |
description | Specifies the description associated with orclResourceTypeName. |
orclUserIDAttribute | Specifies the user identifier value to access the resource. |
orclPasswordAttribute | Specifies the password value to access the resource. |
orclFlexAttribute1 | Specifies additional information if required by the resource type. |
orclFlexAttribute2 | Specifies additional information if required by the resource type. |
orclFlexAttribute3 | Specifies additional information if required by the resource type. |
OrclUserModifiable | Specifies whether the data is modifiable by the user for whom this RAD entry is created. |
Table B-29 Attributes for Resource Type Information
Attribute | Description |
---|---|
orclResourceTypeName | Specifies the name of the resource, for example, database, XMLPDS, JDBCPDS. |
displayName | Specifies the display name associated with the orclResourceTypeName. |
description | Specifies the description associated with orclResourceTypeName. |
javaClassName | Specifies the fully qualified class name used by the product to perform user authentication: DBAuth, XMLPDSAuth, JDBCPDSAuth. |
orclUserIDAttribute | Specifies the user identifier attribute in the encoded resource access data. |
orclPasswordAttribute | Specifies the password attribute in the encoded resource access data. |
orclConnectionFormat | Specifies the format used to construct the connect string associated with the resource. |
OrclFlexAttribute1 | Specifies the GUI label for storing extra information if required for a particular resource type. |
OrclFlexAttribute2 | Specifies the GUI label for storing extra information if required for a particular resource type. |
OrclFlexAttribute3 | Specifies the GUI label for storing extra information if required for a particular resource type. |
Table B-30 Replication Schema Elements
Replication Server Configuration Parameters
Table B-31 lists and describes the attributes of the replication server configuration set entry, which has the following DN: cn=configset0,cn=osdrepld,cn=subconfigsubentry.
Table B-31 Directory Replication Server Configuration Parameters
Replica Subentry Attributes
Table B-32 Attributes of the Replica Subentry
Attribute | Description |
---|---|
OrclReplicaID | Naming attribute for the replica subentry. Its value, assigned during installation, is unique to each directory server node and matches that of the orclreplicaID attribute at the root DSE. You cannot modify this value. |
orclReplicaURI | Contains information in ldapURI format that can be used to open a connection to this replica. |
orclReplicaSecondaryURI | Contains the set of ldapURI format addresses that can be used if the orclReplicaURI values cannot be used. |
orclReplicaType | Defines the type of replica, such as read-only or read/write. Possible values: |
orclReplicaState | Defines the state of the replica, such as bootstrap, online, and so on. Possible values: |
OrclReplicaVersion | Oracle Internet Directory version of the replica. |
Replication Agreement Entry Attributes
Table B-33 Attributes of the Replication Agreement Entry
Attribute | Description |
---|---|
orclagreementID | Naming attribute for the replication agreement entry. You cannot modify this attribute. |
OrclReplicaDN | For LDAP-based replication only. The DN of the replica must be specified to identify a consumer in the replication agreement. You cannot modify this attribute. |
OrclReplicationProtocol | Defines the replication protocol for change propagation to the replica. Values: You cannot modify this attribute. |
OrclDirReplGroupDSAs | For Advanced Replication-based groups, the orclreplicaid values of all the nodes in this replication group. This list must be identical on all nodes in the group. You can modify this attribute. This attribute is not applicable to LDAP-based agreements. |
OrclUpdateSchedule | Replication update interval for new changes and those being retried. The value is in minutes. You can modify this attribute. |
OrclHIQSchedule | The interval, in minutes, at which the directory replication server repeats the change application process. You can modify this attribute. |
OrclLDAPConnKeepAlive | Determines whether the connections from the directory replication server to the directory server are kept active or are established each time change log processing runs according to its schedules. You can modify this attribute. |
Orcllastappliedchangenumber | Indicates the status of the consumer replica with respect to the supplier in an LDAP-based replication agreement. This attribute is not applicable to Advanced Replication-based agreements. You cannot modify this attribute. |
orclexcludednamingcontexts | For Advanced Replication-based agreements, the value of this multivalued attribute specifies one or more subtrees to be excluded from replication. You can modify this attribute. |
Replication Naming Context Objects
The container for replication naming context objects is an entry with the RDN cn=replication namecontext. It is created below the orclagreementID entry at installation. The cn=replication namecontext entry has the attributes listed and described in Table B-34.
Table B-34 Attributes of the Replication Naming Context Entry
Attribute | Description |
---|---|
orclincludednamingcontexts | The naming context included in a partial replica. This is a single-valued attribute. For each naming context object, you can specify only one unique subtree. In partial replication, except for subtrees listed in the Note: Only LDAP-based replication agreements respect this attribute to define one or more partial replicas. If this attribute contains any values in an Advanced Replication-based replication agreement, then it is ignored. You can modify this attribute. |
orclexcludednamingcontexts | In LDAP-based replication, the value for this attribute specifies the root of a subtree, located within the included naming context, to be excluded from replication. This is a multivalued attribute. From within the naming context specified in the You can modify this attribute. |
orclexcludedattributes | Within the included naming context, an attribute to be excluded from replication. This is a multivalued attribute. Note: This attribute is for partial replication only. |
Note: These attribute values are stored as part of configuration entries.
The SSL attributes are: orclsslAuthentication, orclsslEnable, orclsslWalletURL, orclsslPort, and orclsslVersion.
The following system operational attributes are modifiable.
Table B-35 Modifiable System Operational Attributes
Attribute | Description |
---|---|
namingContexts | Topmost DNs for the naming contexts contained in this server. You must have super user privileges to publish a DN as a naming context. There is no default. |
orclCryptoScheme | Hash algorithm for encrypting the password. Options are: The default is MD4. |
orclSizeLimit | Maximum number of entries to be returned by a search. |
orclServerMode | Specification as to whether data can be written to the server. Valid values are: The default is |
orclTimeLimit | Maximum amount of time, in seconds, allowed for a search to be completed. The default is 3600. |
orclecacheenabled | Specification as to whether entry caching, described in "Entry Caching", is enabled. The value for enabled is 1; the value for disabled is 0. The default is 1. |
orclecachemaxentrysize | Maximum size in bytes of an entry that can be cached in the entry cache. Any entry with a size greater than orclecachemaxentrysize is not cached. If you have an entry with many binary attributes, or member or uniquemember attributes, and need to cache it, then increase orclecachemaxentrysize to the appropriate value. The default is 1 MB. This attribute is in the entry To change this value: |
orclecachemaxsize | Maximum number of bytes of RAM that the entry cache can use. The default is 100M. |
orclecachemaxentries | Maximum number of entries that can be present in the entry cache. The default is 25,000. |
orclDIPRepository | Used by the directory replication server; indicates whether change logs are to be generated in the consumer node for the Oracle directory integration and provisioning server to consume. The default is FALSE. |
orclEnableGroupCache | The cache of privilege groups and ACL groups in the directory server. Using this cache improves the performance of access control evaluation for users when privilege and ACP groups are used in ACIs. Use the group cache when privilege group membership does not change frequently. If privilege group membership does change frequently, then it is best to turn off the group cache, because in that case computing the group cache increases overhead. The default is 1. |
orclMatchDNEnabled | If the base DN of a search request is not found, then the directory server returns the nearest DN that matches the specified base DN. Whether the directory server tries to find the nearest matching DN is controlled by this attribute. If set to 1, then match DN processing is enabled. If set to 0, then match DN processing is disabled. The default is 1. |
Orclanonymousbindsflag | Specification as to whether anonymous binds are allowed. If set to 1, then anonymous binds are allowed. If set to 0 (zero), then they are not allowed. The default is 1. |
orclStatsPeriodicity | Specification as to how often you want to gather sample statistics, that is, the number of minutes in the interval. Set this to 1 or more minutes. The default is 60. |
orclStatsFlag | Indicates whether you want to enable or disable the Oracle Internet Directory Server Manageability framework. To enable, set this to 1. To disable, set it to 0. The default is 0. |
orclLDAPconnTimeOut | Specifies the maximum time, in minutes, that an LDAP connection can remain idle before the directory server closes it. This is a DSA configuration set attribute (DN: "cn=dsaconfig,cn=configsets,cn=oracle internet directory") and its value can be set by using ldapmodify. The default is 0. |
OrclEventLevel | Specifies critical events related to security and system resources that you want recorded. The default is 0, that is, no critical events are recorded. Note that for events other than super user, proxy, and replication login, the value of the See Also: "Configuring Critical Events" for a list of critical events that can be monitored. |
orclpkimatchingrule | This is a DSA configuration set attribute (DN: "cn=dsaconfig,cn=configsets,cn=oracle internet directory"). Specifies how a certificate bind is performed. Use ldapmodify to choose one of these values. The value of |
Note: If you have multiple directory server instances connecting to the same database, or multiple server processes in the same directory server instance, then entry caching is automatically disabled. This is irrespective of the value of the orclecacheenabled attribute.
Syntax defines the type of values that an attribute can hold. Oracle Internet Directory recognizes most of the syntax specified in RFC 2252, that is, it enables you to associate most of the syntax described in that document with an attribute. In addition to recognizing most LDAP syntax, Oracle Internet Directory enforces some LDAP syntax.
This section covers topics in the following subsections:
Commonly Used LDAP Syntax Recognized by Oracle Internet Directory
Additional LDAP Syntax Recognized by Oracle Internet Directory
Oracle Internet Directory enforces LDAP syntax for the following:
DN
Facsimile Telephone Number
OID (object identifier)
Telephone Number
Note: The values you specify for these attributes must conform to the syntax specified in RFC 2252.
The following LDAP syntax is more commonly used:
Attribute Type Description
Boolean
Certificate
Directory String
DN
Facsimile Telephone Number
INTEGER
JPEG
Name And Optional UID
Numeric String
Object Class Description
Octet String
OID
Presentation Address
Printable String
Telephone Number
UTC Time
In addition to the commonly used LDAP syntax defined in the previous section, Oracle Internet Directory recognizes LDAP syntax for the following:
Access Point
ACI Item
Audio
Binary
Bit String
Certificate List
Certificate Pair
Country String
Data Quality Syntax
Delivery Method
DIT Content Rule Description
DIT Structure Rule Description
DL Submit Permission
DSA Quality Syntax
DSE Type
Enhanced Guide
Fax
Generalized Time
Guide
IA5 String
LDAP Schema Definition
LDAP Schema Description
LDAP Syntax Description
Mail Preference
Master And Shadow Access Points
Matching Rule
Matching Rule Use Description
MHS OR Address
Modify Rights
Name Form Description
Object Class Description
Octet String
Other Mailbox
Postal Address
Protocol Information
Substring Assertion
Subtree Specification
Supplier And Consumer
Supplier Information
Supplier Or Consumer
Supported Algorithm
Teletex Terminal Identifier
Telex Number
Syntax does not put any specific size constraint on attribute values. You can, however, use syntax to specify the size of the attribute value. Oracle Internet Directory does not enforce the 'len' characteristic on the attribute.
For example, to limit an attribute foo to a size of 64, you would define the attribute as follows:
(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 'object_identifier_of_syntax{64}')
See Also: Section 4.1.6 of RFC 2251 for more information on attribute values. You can find this RFC at the following URL: http://www.ietf.org.
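Because the directory accepts the {len} suffix but does not enforce it, an application that relies on the declared size has to check it before writing. The following Python helper is an added example, not Oracle code: it parses an attribute type description of the shape shown above and applies the declared length. The attribute OID in the sample definition is a constructed placeholder; the syntax OID is the standard Directory String OID, for which the length counts characters.

```python
import re

# Attribute type description in the shape the page shows. The attribute OID 1.3.6.1.4.1.99999.1.1 is a
# constructed placeholder; 1.3.6.1.4.1.1466.115.121.1.15 is the standard Directory String syntax OID.
EXAMPLE_DEFINITION = ("( 1.3.6.1.4.1.99999.1.1 NAME 'foo' EQUALITY caseIgnoreMatch "
                      "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15{64}' )")

_NAME_RE = re.compile(r"NAME\s+'([^']+)'")
# SYNTAX <oid>{len}; the quotes around the OID are optional so both the page's form and the plain
# RFC 2252 form are accepted
_SYNTAX_RE = re.compile(r"SYNTAX\s+'?(\d+(?:\.\d+)+)(?:\{(\d+)\})?'?")


def parse_attribute_type(definition: str) -> dict:
    """Extract NAME, the SYNTAX OID and the optional {len} suffix from an attribute type description."""
    name, syntax = _NAME_RE.search(definition), _SYNTAX_RE.search(definition)
    if name is None or syntax is None:
        raise ValueError("definition lacks NAME or SYNTAX")
    length = int(syntax.group(2)) if syntax.group(2) else None  # None = no len declared
    return {"name": name.group(1), "syntax": syntax.group(1), "len": length}


def exceeds_declared_length(definition: str, value: str) -> bool:
    """True when value is longer than the declared {len}; always False when no len is declared.
    The directory does not enforce len, so this is the client-side check an application must make."""
    spec = parse_attribute_type(definition)
    return spec["len"] is not None and len(value) > spec["len"]
```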
Oracle Internet Directory recognizes the following matching rule definitions in the schema.
orclpkimatchingrule
Of the matching rules in the previous list, Oracle Internet Directory actually enforces the following when it compares attribute values:
A user is represented by using the following object classes: OrclUser and OrclUserV2, in addition to inetOrgPerson. Table B-36 describes the attribute names.
Table B-36 User Attributes
Attribute Name | Mandatory or Optional | Description |
---|---|---|
OrclGUID | Optional | Specifies a unique global ID to identify the user. |
Cn | Mandatory | Specifies the user's first name, common nickname, or both. |
Sn | Mandatory | Specifies a user's last name or surname. |
GivenName | Optional | Specifies a user's given name. |
MiddleName | Optional | Specifies a user's middle name, if any. |
DisplayName | Optional | Specifies the name used by GUI tools for display purposes. |
OrclMaidenName | Optional | Specifies a user's maiden name, if any. |
OrclDateOfBirth | Optional | Specifies a user's birth date, including the year, in yyyymmdd format. |
Street | Optional | Specifies the street and location associated with a user's office address. |
L | Optional | Specifies the city for a user's office address. |
PostalCode | Optional | Specifies the postal code associated with a user's office address. |
St | Optional | Specifies the state associated with a user's office address. |
C | Optional | Specifies the country associated with a user's office address. |
EmployeeNumber | Optional | Specifies a user's employee number, if applicable. |
O | Optional | Specifies the organization for which a user works. |
Title | Optional | Specifies a user's designation. |
Manager | Optional | Specifies the DN of a user's manager. |
OrclHireDate | Optional | Specifies the date on which a user was hired by the organization. |
Mail | Optional | Specifies a user's e-mail address. |
JpegPhoto | Optional | Specifies a photograph of a user. |
TelephoneNumber | Optional | Specifies a user's office or work telephone number. |
Mobile | Optional | Specifies a user's mobile phone number. |
Pager | Optional | Specifies a user's pager number. |
FacsimileTelephoneNumber | Optional | Specifies a user's fax number. |
HomePostalAddress | Optional | Specifies the complete residential postal address of a user. The value is specified as $-separated values for the different address components. For example, XYZ Avenue Apt. 2 $ San Francisco CA $ 92345 $ USA |
HomePhone | Optional | Specifies a user's residential phone number. |
UserPassword | Optional | Specifies a password to be used for authenticating a user. |
OrclActiveStartDate | Optional | Specifies the time from which the user should be allowed to authenticate. The value is represented in Universal Coordinated Time (UTC) format. If the attribute is missing, then the user is allowed to authenticate immediately. |
OrclActiveEndDate | Optional | Specifies the date beyond which a user should not be allowed to authenticate. The value is represented in UTC time format. |
OrclPasswordHint | Optional | Specifies the hint to use if a user forgets their password. |
OrclPasswordHintAnswer | Optional | Specifies the answer to the password hint question. |
OrclIsEnabled | Optional | Specifies whether a user is currently enabled to authenticate. Valid values are ENABLED (or attribute not present in the user entry) and DISABLED. A user can successfully authenticate only if the user is enabled or the attribute is not present in the entry. |
PreferredLanguage | Optional | Specifies the preferred language for communication with a user. |
OrclTimeZone | Optional | Specifies the time zone applicable to a user's location. |
OrclDefaultProfileGroup | Optional | Specifies the DN of the group to use as the default for a user's profile. |
OrclIsVisible | Optional | Specifies whether a user should appear in a regular user search. Valid values are TRUE (or not present) and FALSE. If the attribute is not present, then the user record is visible. |
OrclDisplayPersonalInformation | Optional | Specifies whether a user chooses to display personal information in a user search. Valid values are TRUE (or not present) and FALSE. |
OrclWorkflowNotificationPreference | Optional | Specifies the preferred delivery mechanism for sending workflow notifications to a user. |
As an LDAP Version 3 directory, Oracle Internet Directory extends the standard LDAP operations by using controls. These are extra pieces of information carried along with existing operations, altering the behavior of the operation. When a client application passes a control along with the standard LDAP command, the behavior of the commanded operation is altered accordingly.
Table B-37 Controls Supported by Oracle Internet Directory
Object Identifier of Control | Description |
---|---|
2.16.840.1.113730.3.4.2 | ManageDAS control. Used to manage referrals and dynamic group entries. When a client passes this control to the directory server, the server returns referral objects as regular entries and not as referrals. This enables you to view the referral object as it is stored in the directory. The same applies to dynamic groups: the server returns only the dynamic group object without computing the dynamic membership of the group. This is used for administration of dynamic groups. |
2.16.840.1.113894.1.8.1 | Used to perform a proxy switch of an identity on an established LDAP connection. For example, suppose that Application A connects to the directory server and then wishes to switch to Application B. It can simply do a rebind by supplying the credentials of Application B. However, there are times when the proxy mechanism for the application to switch identities could be used even when the credentials are not available. With this control, Application A can switch to Application B provided Application A has the privilege in Oracle Internet Directory to proxy as Application B. |
2.16.840.1.113894.1.8.2 | Sent by applications which require Oracle Internet Directory to check for account lockout before sending the verifiers of the end user of that application. If Oracle Internet Directory detects this control in the verifier search request and the user account is locked, then Oracle Internet Directory will not send the verifiers to the application but an appropriate password policy error is sent. |
2.16.840.1.113894.1.8.3 | Specifies the attribute used to build an implicit hierarchy. For example, (manager=cn=john doe,o=foo) specifies the query for all people reporting directly or indirectly to John Doe. The implicit hierarchy is based on the manager attribute. The base of the search is ignored for such queries. See Also: "Hierarchies" |
2.16.840.1.113894.1.8.4 | Intended for a client to send the end user IP address if IP lockout is to be enforced by Oracle Internet Directory. |
2.16.840.1.113894.1.8.5 | Used with dynamic groups. Directs the directory server to read the specific attributes of the members rather than the membership lists. See Also: "Dynamic Groups" |
2.16.840.1.113894.1.8.6 | Password policy control. Request control that the client sends to get a response from the server. See Also: "Password Policy Controls" |
2.16.840.1.113894.1.8.7 | Password policy control. Response control that the server sends when the pwdExpireWarning attribute is enabled and the client sends the request control. The response control value contains the time in seconds to password expiration. See Also: "Password Policy Controls" |
2.16.840.1.113894.1.8.8 | Password policy control. The response control that the server sends when grace logins are configured and the client sends a request control. The response control value contains the remaining number of grace logins. See Also: "Password Policy Controls" |
2.16.840.1.113894.1.8.9 | Password policy control. The response control that the server sends when forced password reset is enabled and the client sends the request control. The client must force the user to change the password upon receipt of this control. See Also: "Password Policy Controls" |
2.16.840.1.113894.1.8.23 | Certificate search control. The request control that the client sends to specify how to search for a user certificate. See Also: Appendix I, "Searching the Directory for User Certificates" |
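As an added example, not code from the Oracle documentation or the product, the following Python shows the wire-level shape of the controls these OIDs ride on: it BER-encodes an LDAPv3 Control (RFC 2251, section 4.1.12) carrying the password policy request control 2.16.840.1.113894.1.8.6 and interprets the 1.8.7, 1.8.8 and 1.8.9 response controls from Table B-37. The table says only what the response values carry; that they are encoded as decimal counts in ASCII is an assumption of this example.

```python
# Added example (not Oracle's code): BER-encode an LDAPv3 Control (RFC 2251, 4.1.12)
# carrying a Table B-37 OID and decode the server's response controls. Assumption:
# response values are decimal counts in ASCII; the page only says they carry a count.
PWD_POLICY_REQUEST = "2.16.840.1.113894.1.8.6"
PWD_EXPIRE_WARNING = "2.16.840.1.113894.1.8.7"
PWD_GRACE_LOGINS = "2.16.840.1.113894.1.8.8"
PWD_MUST_RESET = "2.16.840.1.113894.1.8.9"
COUNTERS = {PWD_EXPIRE_WARNING: "expires_in", PWD_GRACE_LOGINS: "grace_left"}

def _tlv(tag, body):  # BER tag-length-value, short-form length only
    assert len(body) < 0x80, "controls handled here are small"
    return bytes([tag, len(body)]) + body

def encode_control(oid, critical=False, value=None):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }; LDAPOID is an OCTET STRING of the dotted text."""
    body = _tlv(0x04, oid.encode("ascii"))
    if critical:  # DEFAULT FALSE: the field is omitted entirely when false
        body += _tlv(0x01, b"\xff")
    if value is not None:
        body += _tlv(0x04, value)
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def decode_controls(controls):
    """Parse Controls ::= SEQUENCE OF Control into (oid, critical, value) tuples."""
    tag, body, _ = _read_tlv(controls, 0)
    assert tag in (0x30, 0xA0), "not a Controls sequence"  # SEQUENCE or [0]
    out, pos = [], 0
    while pos < len(body):
        _, cbody, pos = _read_tlv(body, pos)
        _, oid, p = _read_tlv(cbody, 0)
        fields = {}  # criticality (0x01) and value (0x04), both optional
        while p < len(cbody):
            t, v, p = _read_tlv(cbody, p)
            fields[t] = v
        critical = fields.get(0x01, b"\x00") != b"\x00"
        out.append((oid.decode("ascii"), critical, fields.get(0x04)))
    return out

def interpret_password_policy(controls):
    """Map Table B-37's response controls to what the client must do next."""
    result = {"expires_in": None, "grace_left": None, "must_reset": False}
    for oid, _, value in decode_controls(controls):
        if oid in COUNTERS:
            result[COUNTERS[oid]] = int(value)
        result["must_reset"] |= oid == PWD_MUST_RESET
    return result
```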
Table B-38 lists and describes the password policy controls.
Table B-38 Password Policy Controls
The LDAP controls described in Table B-39 are used to create dynamic password verifiers and to transmit related error messages.
Table B-39 Controls for Dynamic Password Verifiers
Object Identifier | Name | Description |
---|---|---|
2.16.840.1.113894.1.8.14 | OID_DYNAMIC_VERIFIER_REQUEST_CONTROL | The request control that the client sends when it wants the server to create a dynamic password verifier. The server uses the parameters in the request control to construct the verifier. |
2.16.840.1.113894.1.8.15 | OID_DYNAMIC_VERIFIER_RESPONSE_CONTROL | The response control that the server sends to the client when an error occurs. The response control contains the error code. |