Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) Part No. B14085-01
This chapter explains how to integrate Oracle Identity Management with Microsoft Windows NT 4.0. It contains these topics:
Microsoft Windows NT domain users can be integrated with Oracle Identity Management. Microsoft Windows NT groups are not synchronized to Oracle Internet Directory, nor is information about the members of those groups. In this case, each of the Microsoft Windows NT domains can be mapped to a domain object or an organization unit object in Oracle Internet Directory. Typical mapping of Microsoft Windows NT domains to domain containers in the Oracle Internet Directory directory information tree is shown in Figure 17-1.
Figure 17-1 Integration of Oracle Internet Directory DIT with Microsoft Windows NT Domains
Microsoft Windows NT domains are integrated with Oracle Internet Directory so that a minimal user footprint is automatically created in Oracle Internet Directory.
If a user entry exists in Microsoft Windows NT but not in Oracle Internet Directory, then, when that user tries to log in to use the Oracle Application Server components, the auto-registration plug-in creates a shadow entry with minimal footprint information in Oracle Internet Directory. This entry remains in Oracle Internet Directory for the next time the same user tries to log in.
External authentication, with Microsoft Windows NT acting as the external repository, is supported by the use of plug-ins. Ongoing synchronization with the Microsoft Windows NT environment is not supported.
This section contains these topics:
Installing and Enabling the Windows NT External Authentication and Provisioning Plug-ins
Managing the Windows NT External Authentication and Provisioning Plug-ins
The SQL script oidspnti.sql installs the plug-ins that enable Oracle Internet Directory for external authentication against the Microsoft Windows primary domain controller and auto-provisioning.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
To install the script:
Verify that the Oracle Internet Directory server is running.
Run the script by entering the following commands:
cd $ORACLE_HOME/ldap/admin
sh oidspnti.sh
Enter the Oracle Internet Directory host name and port number. The default port number is 389.
Enter the password of the Oracle administrator (orcladmin), the directory super user.
Enter the distinguished name of the container to which the plug-in needs to be applied. Every entry in this container is then authenticated against the Microsoft Windows NT domain. Note that this need not necessarily be the user search base supplied in the Oracle Internet Directory Self-Service Console. All the users under this search base are authenticated externally to the Microsoft Windows NT domain. If more than one value is specified, then use semicolons (;) to separate them.
Enter the plug-in request group DN. For security reasons, the plug-in can be invoked only by users belonging to this group. For example, suppose that the Oracle Application Server Single Sign-On administrators are in the group cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this value for the plug-in request group DN, then only the requests coming from Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values. Use a semicolon (;) to separate them. This value is not required, but, for security purposes, should be specified.
Choose Auto Registration. The default is Yes. Upon registration, each entry is assigned the object class orclNTUser.
At the completion of these steps, the plug-ins are installed.
This section tells you how to:
Enable and disable the plug-ins
Enable and disable auto-provisioning
Remove the plug-ins
Debug the Windows NT external authentication plug-in
To enable external authentication, enter these two commands:
ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
To disable the external authentication plug-ins, set the value of the attribute orclpluginenable to 0 in each of the preceding commands.
To enable auto provisioning, enter the following command:
ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntpostsearch,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
To disable auto provisioning, use the previous command, but set the value of the attribute orclpluginenable to 0.
To remove external authentication and auto-provisioning, delete the two plug-in entries from Oracle Internet Directory:
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntwhencompare,cn=plugin,cn=subconfigsubentry"
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntwhenbind,cn=plugin,cn=subconfigsubentry"
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntpostsearch,cn=plugin,cn=subconfigsubentry"
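As an added example that is not part of the Oracle guide, the following Python builds the LDIF modify record used in the ldapmodify commands above for any of the three plug-ins, and audits an ldapsearch dump of the plug-in entries for states that the enable, disable and remove procedures never produce: one external-authentication plug-in enabled without the other, or only some of the three entries deleted. The ldapsearch output is constructed, and the function names are my own.

```python
# Added example, not from the Oracle guide: build the LDIF that toggles the three
# Windows NT plug-ins and audit a captured ldapsearch result for a consistent state.
PLUGIN_BASE = "cn=plugin,cn=subconfigsubentry"
EXTERNAL_AUTH = ("ntwhencompare", "ntwhenbind")  # enabled together for external auth
ALL_PLUGINS = EXTERNAL_AUTH + ("ntpostsearch",)  # ntpostsearch = auto-provisioning

# Constructed ldapsearch output (not a real capture): one auth plug-in left disabled.
SAMPLE_LDIF = """\
dn: cn=ntwhencompare,cn=plugin,cn=subconfigsubentry
orclpluginenable: 1

dn: cn=ntwhenbind,cn=plugin,cn=subconfigsubentry
orclpluginenable: 0

dn: cn=ntpostsearch,cn=plugin,cn=subconfigsubentry
orclpluginenable: 1
"""

def toggle_ldif(plugin_cn, enable):
    """LDIF modify record for one plug-in, in the form the guide feeds to ldapmodify."""
    return ("dn: cn=%s,%s\nchangetype: modify\nreplace: orclpluginenable\n"
            "orclpluginenable: %d\n" % (plugin_cn, PLUGIN_BASE, 1 if enable else 0))

def parse_plugin_state(ldif_output):
    """Map plug-in cn -> enabled; a present entry without the attribute counts as off."""
    state, current = {}, None
    for line in ldif_output.splitlines():
        attr, _, value = line.strip().partition(":")
        attr, value = attr.lower(), value.strip()
        if not attr:                      # blank line ends the current entry
            current = None
        elif attr == "dn":
            cn = value.split(",", 1)[0].lower()
            current = cn[3:] if cn.startswith("cn=") and cn[3:] in ALL_PLUGINS else None
            if current:
                state[current] = False
        elif attr == "orclpluginenable" and current:
            state[current] = value == "1"
    return state

def audit(state):
    """Findings for states the guide's enable/disable/remove procedures never produce."""
    findings = []
    auth = [state.get(p, False) for p in EXTERNAL_AUTH]
    if any(auth) and not all(auth):
        findings.append("external authentication plug-ins are not both enabled")
    missing = [p for p in ALL_PLUGINS if p not in state]
    if missing and len(missing) < len(ALL_PLUGINS):  # all three absent = cleanly removed
        findings.append("plug-in entries missing: " + ", ".join(missing))
    return findings
```

Feed the output of an ldapsearch on cn=plugin,cn=subconfigsubentry for the three entries to parse_plugin_state, then audit the result before and after a change.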
If you are experiencing unknown errors, then you can enable the plug-in debugging. To do this, enter:
sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log:
sqlplus ods/ods
select * from plg_debug_log order by id;
To delete the plug-in debugging log:
sqlplus ods/ods
truncate table plg_debug_log;
To disable plug-in debugging:
sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
Note: If you need to change the Windows NT external authentication plug-in setup—that is, the information you entered in the installation steps—then rerun the installation script. Before you rerun the script, remove the Windows NT external authentication plug-ins by following the preceding instructions.