Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02 |
This section contains these topics:
Installing and Enabling the Windows NT External Authentication and Provisioning Plug-ins
Managing the Windows NT External Authentication and Provisioning Plug-ins
The SQL script oidspnti.sql installs the plug-ins that enable Oracle Internet Directory for external authentication against the Microsoft Windows primary domain controller and for auto-provisioning.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
To install the script:
Verify that the Oracle Internet Directory server is running.
Run the script by entering the following commands:
cd $ORACLE_HOME/ldap/admin
sh oidspnti.sh
Enter the Oracle Internet Directory host name and port number. The default port number is 389.
Enter the password of the Oracle administrator (orcladmin), the directory super user.
Enter the distinguished name of the container to which the plug-in needs to be applied. Every entry in this container is then authenticated against the Microsoft Windows NT domain. Note that this need not necessarily be the user search base supplied in the Oracle Internet Directory Self-Service Console. All the users under this search base are authenticated externally to the Microsoft Windows NT domain. If you specify more than one value, use semicolons (;) to separate them.
Enter the plug-in request group DN. For security reasons, the plug-in can be invoked only by users belonging to this group. For example, suppose that the Oracle Application Server Single Sign-On administrators are in the group cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this value for the plug-in request group DN, then only the requests coming from Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values. Use a semicolon (;) to separate them. This value is not required, but, for security purposes, should be specified.
Choose Auto Registration. The default is Yes. Upon registration, each entry is assigned the object class orclNTUser.
At the completion of these steps, the plug-ins are installed.
This section tells you how to:
Enable and disable the plug-ins
Enable and disable auto-provisioning
Remove the plug-ins
Debug the Windows NT external authentication plug-in
To enable external authentication, enter these two commands:
ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
To disable the external authentication plug-ins, set the value of the attribute orclpluginenable to 0 in each of the preceding commands.
To enable auto provisioning, enter the following command:
ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntpostsearch,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
To disable auto provisioning, use the previous command, but set the value of the attribute orclpluginenable to 0.
To remove external authentication and auto-provisioning, delete the two plug-in entries from Oracle Internet Directory:
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntwhencompare,cn=plugin,cn=subconfigsubentry"
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntwhenbind,cn=plugin,cn=subconfigsubentry"
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ntpostsearch,cn=plugin,cn=subconfigsubentry"
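The enable, disable and remove steps above each touch the same three plug-in entries. The following script is an added example, not part of the Oracle guide, that wraps them in one tool: it builds the LDIF change records for a whole set of plug-ins so a single ldapmodify call applies them, rejects any orclpluginenable value other than 0 or 1, reports the current state of each entry with ldapsearch, and deletes the entries for the remove step. The plug-in DNs and attribute names are the ones the guide lists; the environment variables OID_HOST, OID_PORT and OID_ADMIN_PW, the action names, and the function names are assumptions of this example. Reading the administrator password from the environment rather than typing it on the command line keeps it out of the process list and shell history.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Manage the Windows NT external
# authentication and auto-provisioning plug-in entries in Oracle Internet Directory.
# Assumed environment: OID_HOST, OID_PORT, OID_ADMIN_PW set by the caller.

PLUGIN_BASE="cn=plugin,cn=subconfigsubentry"
AUTH_PLUGINS="ntwhencompare ntwhenbind"   # external authentication plug-ins
PROV_PLUGINS="ntpostsearch"               # auto-provisioning plug-in

# orclpluginenable accepts only 0 (disabled) or 1 (enabled); refuse anything else.
valid_state() {
    case "$1" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Emit one LDIF change record setting orclpluginenable on a single plug-in entry.
# $1 = plug-in cn (e.g. ntwhenbind), $2 = 0 or 1.
plugin_ldif() {
    printf 'dn: cn=%s,%s\nchangetype: modify\nreplace: orclpluginenable\norclpluginenable: %s\n\n' \
        "$1" "$PLUGIN_BASE" "$2"
}

# Emit LDIF records for every plug-in named in $2.. so one ldapmodify run applies them all.
# $1 = 0 or 1, remaining arguments = plug-in cns.
set_ldif() {
    state=$1
    shift
    valid_state "$state" || { echo "state must be 0 or 1, got '$state'" >&2; return 1; }
    for name in "$@"; do
        plugin_ldif "$name" "$state"
    done
}

# Full DN of a plug-in entry, as used by ldapsearch -b and ldapdelete.
plugin_dn() {
    printf 'cn=%s,%s\n' "$1" "$PLUGIN_BASE"
}

# Apply an LDIF stream read from stdin against the directory.
apply_ldif() {
    ldapmodify -h "$OID_HOST" -p "$OID_PORT" -D cn=orcladmin -w "$OID_ADMIN_PW"
}

# Show the orclpluginenable value of every plug-in entry (base-scope search per entry).
show_status() {
    for name in $AUTH_PLUGINS $PROV_PLUGINS; do
        ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D cn=orcladmin -w "$OID_ADMIN_PW" \
            -b "$(plugin_dn "$name")" -s base "objectclass=*" orclpluginenable
    done
}

# Delete all plug-in entries: the remove step from the guide, one ldapdelete per DN.
remove_plugins() {
    for name in $AUTH_PLUGINS $PROV_PLUGINS; do
        ldapdelete -h "$OID_HOST" -p "$OID_PORT" -D cn=orcladmin -w "$OID_ADMIN_PW" \
            "$(plugin_dn "$name")"
    done
}

main() {
    case "$1" in
        enable-auth)  set_ldif 1 $AUTH_PLUGINS | apply_ldif ;;
        disable-auth) set_ldif 0 $AUTH_PLUGINS | apply_ldif ;;
        enable-prov)  set_ldif 1 $PROV_PLUGINS | apply_ldif ;;
        disable-prov) set_ldif 0 $PROV_PLUGINS | apply_ldif ;;
        status)       show_status ;;
        remove)       remove_plugins ;;
        *) echo "usage: $0 enable-auth|disable-auth|enable-prov|disable-prov|status|remove" >&2
           return 2 ;;
    esac
}

# Only act when an action is given, so the functions can also be sourced and reused.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Typical use is `OID_HOST=oidhost OID_PORT=389 OID_ADMIN_PW=... sh oid_nt_plugins.sh status` to confirm the three entries before and after a change; `set_ldif` is kept separate from `apply_ldif` so the generated LDIF can be reviewed (or piped to a file) before anything is written to the directory.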
If you are experiencing unknown errors, then you can enable the plug-in debugging. To do this, enter:
sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log:
sqlplus ods/ods
select * from plg_debug_log order by id;
To delete the plug-in debugging log:
sqlplus ods/ods
truncate table plg_debug_log;
To disable plug-in debugging:
sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
Note: If you need to change the Windows NT external authentication plug-in setup—that is, the information you entered in the installation steps—then rerun the installation script. Before you rerun the script, remove the Windows NT external authentication plug-ins by following the preceding instructions.