19.2 Installing and Configuring Windows NT External Authentication and Auto-Provisioning Plug-ins

19.2.1 Installing and Enabling the Windows NT External Authentication and Provisioning Plug-ins

The SQL script oidspnti.sql installs the plug-ins that enable Oracle Internet Directory for external authentication against the Microsoft Windows primary domain controller and auto-provisioning.

To install the script:

1. Verify that the Oracle Internet Directory server is running.

2. Run the script by entering the following commands:

   cd $ORACLE_HOME/ldap/admin
   sh oidspnti.sh
   
   

3. Enter the Oracle Internet Directory host name and port number. The default port number is 389.

4. Enter the password of the Oracle administrator (orcladmin), the directory super user.

5. Enter the distinguished name of the container to which the plug-in needs to be applied. Every entry in this container is then authenticated against the Microsoft Windows NT domain. Note that this need not necessarily be the user search base supplied in the Oracle Internet Directory Self-Service Console. All the users under this search base are authenticated externally to the Microsoft Windows NT domain. If more than one value is specified, then use semi-colons (;) to separate them.

6. Enter the plug-in request group DN. For security reasons, the plug-in can be invoked only by users belonging to this group. For example, suppose that the Oracle Application Server Single Sign-On administrators are in the group cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this value for the plug-in request group DN, then only the requests coming from Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values. Use a semicolon (;) to separate them. This value is not required, but, for security purposes, should be specified.

7. Choose Auto Registration. The default is Yes. Upon registration, each entry is assigned the object class orclNTUser.

At the completion of these steps, the plug-ins are installed.

19.2.2 Managing the Windows NT External Authentication and Provisioning Plug-ins

This section tells you how to:

• Enable and disable the plug-ins

• Enable and disable auto-provisioning

• Remove the plug-ins

• Debug the Windows NT external authentication plug-in

ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapmodify -h host -p port -D cn=orcladmin -w password <<EOF
dn: cn=ntpostsearch,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapdelete -h host -p port D cn=orcladmin -w password
"cn=ntwhencompare,cn=plugin,cn=subconfigsubentry"

ldapdelete -h host -p port D cn=orcladmin -w password
"cn=ntwhenbind,cn=plugin,cn=subconfigsubentry"

ldapdelete -h host -p port D cn=orcladmin -w password
"cn=ntpostsearch,cn=plugin,cn=subconfigsubentry"

sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls

sqlplus ods/ods
select * from plg_debug_log order by id;

sqlplus ods/ods
truncate table plg_debug_log

sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls