|
Oracle® Identity Management Application Developer's Guide
10g Release 2 (10.1.2) B14087-02 |
|
 Previous |
 Next |
|
Oracle® Identity Management Application Developer's Guide
10g Release 2 (10.1.2) B14087-02 |
|
|
Previous |
Next |
This chapter explains how to use the plug-in framework for Oracle Internet Directory to extend LDAP operations.
This chapter contains these topics:
To develop Oracle Internet Directory plug-ins, you should be familiar with the following:
Generic LDAP concepts
Oracle Internet Directory
Oracle Internet Directory integration with Oracle Application Server
SQL, PL/SQL, and database RPCs
To extend the capabilities of the Oracle Internet Directory server, you can write your own server plug-in. A server plug-in is a PL/SQL package, shared object or library, or a dynamic link library on Windows that contains your own functions. Oracle supports only PL/SQL plug-ins.
You can extend LDAP operations in the following ways:
You can validate data before the server performs an LDAP operation on the data
You can perform actions (that you define) after the server successfully completes an LDAP operation
You can define extended operations
You can be authenticated through external credential stores
You can replace an existing server module by defining your own server module
For the last one, you may, for example, implement your own password value checking and place it into the Oracle Internet Directory server.
On startup, the directory server loads your plug-in configuration and library. It calls your plug-in functions while processing various LDAP requests.
|
See Also: The chapter about the password policy plug-in in Oracle Internet Directory Administrator's Guide. The chapter contains an example of how to implement your own password value checking and place it into the Oracle Internet Directory server. |
The plug-in framework is the environment in which the plug-in user can develop, configure, and apply the plug-ins. Each individual plug-in instance is called a plug-in module.
The plug-in framework includes the following:
Plug-in configuration tools
Plug-in module interface
Plug-in LDAP API (ODS.LDAP_PLUGIN package)
Follow these steps to use the server plug-in framework:
Write a user-defined plug-in procedure. This plug-in module must be written in PL/SQL.
Compile the plug-in module against the same database that serves as the Oracle Internet Directory backend database.
Register the plug-in module through the configuration entry interface.
For operation-based plug-ins, there are pre-operation, post-operation, and when-operation plug-ins.
The server calls pre-operation plug-in modules before performing the LDAP operation. The main purpose of this type of plug-in is to validate data before the data can be used in the LDAP operation.
When an exception occurs in the pre-operation plug-in, one of the following occurs:
When the return error code indicates warning status, the associated LDAP request proceeds.
When the return code indicates failure status, the request does not proceed.
If the associated LDAP request fails later on, the directory does not roll back the committed code in the plug-in modules.
The Oracle Internet Directory server calls post-operation plug-in modules after performing an LDAP operation. The main purpose of this type of plug-in is to invoke a function after a particular LDAP operation is executed. For example, logging and notification are post-operation plug-in functions.
When an exception occurs in the post-operation plug-in, the associated LDAP operation is not rolled back.
If the associated LDAP request fails, the post plug-in is still executed.
The directory calls when-operation plug-in modules while performing standard LDAP operations. The main purpose of this type of plug-in is to augment existing operations within the same LDAP transaction. If either the LDAP request or the plug-in program fails, all the changes are rolled back.
There are different types of When-operation plug-ins.
Add-on
Replace
You can, for example, use both add-on and replace plug-ins with the ldapcompare operation. If you use the first type, the directory executes its server compare code and executes the plug-in module defined by the plug-in developer. If you use the second type, the directory does not execute its compare code. Instead it relies on the plug-in module to perform the comparison.
Replace plug-ins are supported only in ldapadd, ldapcompare, ldapdelete, ldapmodify, and ldapbind. Add-on plug-ins are supported in ldapadd, ldapdelete, and ldapmodify.
This section contains these topics:
Use the following guidelines when designing plug-ins:
Use plug-ins to guarantee that when a specific LDAP operation is performed, related actions are also performed.
Use plug-ins only for centralized, global operations that should be invoked for the program body statement, regardless of which user or LDAP application issues the statement.
Do not create recursive plug-ins. For example, creating a PRE_LDAP_BIND plug-in that itself issues an ldapbind (through the DBMS_LDAP PL/SQL API) statement, causes the plug-in to execute recursively until it has run out of resources.
|
Note: Use plug-ins on the LDAP PL/SQL API judiciously. They are executed for every LDAP request every time the event occurs on which the plug-in is created. |
Creating a plug-in module is like creating a PL/SQL package. Both have a specification part and a body part. The directory, not the plug-in, defines the plug-in specification because the specification serves as the interface between Oracle Internet Directory and the custom plug-in.
For security reasons and for the integrity of the LDAP server, you can compile plug-ins only in the ODS database schema. You must compile them in the database that serves as the backend database of Oracle Internet Directory.
Different plug-ins have different package specifications. As Table 7-1 shows, you can name the plug-in package. You must, however, follow the signatures defined for each type of plug-in procedure. See "Specifications for Plug-in Procedures" for details.
Table 7-1 Plug-in Module Interface
| Plug-in Item | User Defined | Oracle Internet Directory-Defined |
|---|---|---|
|
Plug-in Package Name |
X |
|
|
Plug-in Procedure Name |
|
X |
|
Plug-in Procedure Signature |
|
X |
Table 7-2 names the different plug-in procedures. In addition, it lists and describes the parameters that these procedures use.
Table 7-2 Operation-Based and Attribute-Based Plug-in Procedure Signatures
| Invocation Context | Procedure Name | IN Parameters | OUT Parameters |
|---|---|---|---|
|
Before |
PRE_BIND |
ldapcontext, Bind DN, Password |
return code, error message |
|
With |
WHEN_BIND_REPLACE |
ldapcontext, bind result, DN, userpassword |
bind result, return code, error message |
|
After |
POST_BIND |
ldapcontext, Bind result, Bind DN, Password |
return code, error message |
|
Before |
PRE_MODIFY |
ldapcontext, DN, Mod structure |
return code, error message |
|
With |
WHEN_MODIFY |
ldapcontext, DN, Mod structure |
return code, error message |
|
With |
WHEN_MODIFY_REPLACE |
ldapcontext, DN, Mod structure |
return code, error message |
|
After |
POST_MODIFY |
ldapcontext, Modify result, DN, Mod structure |
return code, error message |
|
Before |
PRE_COMPARE |
ldapcontext, DN, attribute, value |
return code, error message |
|
With |
WHEN_COMPARE_REPLACE |
ldapcontext, Compare result, DN, attribute, value |
compare result, return code, error message |
|
After |
POST_COMPARE |
ldapcontext, Compare result, DN, attribute, value |
return code, error message |
|
Before |
PRE_ADD |
ldapcontext, DN, Entry |
return code, error message |
|
With |
WHEN_ADD |
ldapcontext, DN, Entry |
return code, error message |
|
With |
WHEN_ADD_REPLACE |
ldapcontext, DN, Entry |
return code, error message |
|
After |
POST_ADD |
ldapcontext, Add result, DN, Entry |
return code, error message |
|
Before |
PRE_DELETE |
ldapcontext, DN |
return code, error message |
|
With |
WHEN_DELETE |
ldapcontext, DN |
return code, error message |
|
With |
WHEN_DELETE |
ldapcontext, DN |
return code, error message |
|
After |
POST_DELETE |
ldapcontext, Delete result, DN |
return code, error message |
|
Before |
PRE_SEARCH |
ldapcontext, Base DN, scope, filter |
return code, error message |
|
After |
POST_SEARCH |
Ldap context, Search result, Base DN, scope, filter |
return code, error message |
|
See Also:
|
Plug-ins are exactly the same as PL/SQL stored procedures. A PL/SQL anonymous block is compiled each time it is loaded into memory. Compilation consists of these stages:
Syntax checking: PL/SQL syntax is checked, and a parse tree is generated.
Semantic checking: Type checking and further processing on the parse tree.
Code generation: The pcode is generated.
If errors occur during the compilation of a plug-in, the plug-in is not created. You can use the SHOW ERRORS statement in SQL*Plus or Enterprise Manager to see any compilation errors when you create a plug-in, or you can SELECT the errors from the USER_ERRORS view.
All plug-in modules must be compiled in the ODS database schema.
To enable the directory server to call a plug-in at the right moment, you must register the plug-in with the directory server. Do this by creating an entry for the plug-in under cn=plugin,cn=subconfigsubentry.
A plug-in must have orclPluginConfig as one of its object classes. This is a structural object class, and its super class is top. Table 7-3 lists and describes its attributes.
Table 7-3 Plug-in Attribute Names and Values
| Attribute Name | Attribute Value | Mandatory? |
|---|---|---|
cn |
Plug-in entry name |
Yes |
orclPluginAttributeList |
A semicolon-separated list of attribute names that controls whether the plug-in takes effect. If the target attribute is included in the list, then the plug-in is invoked. Only for |
No |
orclPluginEnable |
|
No |
orclPluginEntryProperties |
An |
No |
orclPluginIsReplace |
For |
No |
orclPluginKind |
PL/SQL |
No |
orclPluginLDAPOperation |
One of the following values: ldapcompare ldapmodify ldapbind ldapadd ldapdelete ldapsearch |
Yes |
orclPluginName |
Plug-in package name |
Yes |
orclPluginRequestGroup |
A semicolon-separated group list that controls if the plug-in takes effect. You can use this group to specify who can actually invoke the plug-in. For example, if you specify |
No |
orclPluginRequestNegGroup |
A semicolon-separated group list that controls if the plug-in takes effect. You can use this group to specify who cannot invoke the plug-in. For example, if you specify |
No |
orclPluginResultCode |
An integer value to specify the ldap result code. If this value is specified, then plug-in will be invoked only if the LDAP operation is in that result code scenario. This is only for the post plug-in type. |
No |
orclPluginShareLibLocation |
File location of the dynamic linking library. If this value is not present, then Oracle Internet Directory server assumes the plug-in language is PL/SQL. |
No |
orclPluginSubscriberDNList |
A semicolon separated DN list that controls if the plug-in takes effect. If the target DN of an LDAP operation is included in the list, then the plug-in is invoked. |
No |
orclPluginTiming |
One of the following values: pre when post |
No |
orclPluginType |
One of the following values: operational attribute password_policy syntax matchingrule See Also: "Operation-Based Plug-ins Supported by the Directory" |
Yes |
orclPluginVersion |
Supported plug-in version number |
No |
Plug-ins must be added to Oracle Internet Directory server so that the server is aware of additional operations that must be performed at the correct time.
When the plug-in successfully compiles against the Oracle Internet Directory backend database, create a new entry and place it under cn=plugin,cn=subconfigsubentry.
In the following examples, an entry is created for an operation-based plug-in called my_plugin1. The LDIF file, my_ldif_file.ldif, is as follows:
The following is an example LDIF file to create such an object:
cn=when_comp,cn=plugin,cn=subconfigsubentry objectclass=orclPluginConfig objectclass=top orclPluginName=my_plugin1 orclPluginType=operational orclPluginTiming=when orclPluginLDAPOperation=ldapcompare orclPluginEnable=1 orclPluginVersion=1.0.1 orclPluginIsReplace=1 cn=when_comp orclPluginKind=PLSQL orclPluginSubscriberDNList=dc=COM,c=us;dc=us,dc=oracle,dc=com;dc=org,dc=us;o=IMC ,c=US orclPluginAttributeList=userpassword
cn=post_mod_plugin, cn=plugin,cn=subconfigsubentry objectclass=orclPluginConfig objectclass=top orclPluginName=my_plugin1 orclPluginType=operational orclPluginTiming=post orclPluginLDAPOperation=ldapmodify orclPluginEnable=1 orclPluginVersion=1.0.1 cn=post_mod_plugin orclPluginKind=PLSQL
Add this file to the directory with the following command:
ldapadd -p 389 -h myhost -D binddn -w password -f my_ldif_file.ldif
|
Note: The plug-in configuration entry is not replicated. Replicating it would create an inconsistent state. |
This section explains how to modify and debug plug-ins.
Like a stored procedure, a plug-in cannot be explicitly altered. It must be replaced with a new definition.
When replacing a plug-in, you must include the OR REPLACE option in the CREATE PACKAGE statement. The OR REPLACE option enables a new version of an existing plug-in to replace an older version without having an effect on grants made for the original version of the plug-in.
Alternatively, the plug-in can be dropped using the DROP PACKAGE statement, and you can rerun the CREATE PACKAGE statement.
If the plug-in name (the package name) is changed, you must register the new plug-in again.
To turn the plug-in on or off, modify the value of orclPluginEnable in the plug-in configuration object. For example, modify the value of orclPluginEnable in cn=post_mod_plugin,cn=plugins,cn=subconfigsubentry to be 1 or 0.
Each of the procedures in a PL/SQL plug-in must have an exception handling block that handles errors intelligently and, if possible, recovers from them.
Oracle Internet Directory requires that the return code (rc) and error message (errmsg) be set correctly in the plug-in procedures.
Table 7-4 provides the values that are valid for the return code.
Table 7-4 Valid Values for the plug-in Return Code
| Error Code | Description |
|---|---|
0
|
Success |
|
Any number greater than zero |
Failure |
-1 |
Warning |
The errmsg parameter is a string value that can pass a user's custom error message back to Oracle Internet Directory server. The size limit for errmsg is 1024 bytes. Each time Oracle Internet Directory runs the plug-in program, it examines the return code to determine if it must display the error message.
If, for example, the value for the return code is 0, the error message value is ignored. If the value of the return code is -1 or greater than zero, the following message is either logged in the log file or displayed in standard output if the request came from LDAP command-line tools:
ldap addition info: customized error
Table 7-5 shows where plug-in exceptions occur and how the directory handles them.
Table 7-5 Program Control Handling when a Plug-in Exception Occurs
| Plug-in Exception Occurred in | Oracle Internet Directory Server Handling |
|---|---|
|
|
Depends on return code. If the return code is:
|
|
|
LDAP operation is completed. There is no rollback. |
|
|
Rollback the LDAP operation |
Table 7-6 shows how the directory responds when an LDAP operation fails.
Table 7-6 Program Control Handling when an LDAP Operation Fails
| LDAP Operation Fails in | Oracle Internet Directory Server Handling |
|---|---|
|
|
Pre-operation plug-in is completed. There is no rollback. |
|
|
Proceed with post-operation plug-in. The LDAP operation result is one of the |
|
|
When types of plug-in changes are rolled back. |
|
|
Changes made in the plug-in program body are rolled back. |
There are different methods for providing API access:
Enable a user to utilize the standard LDAP PL/SQL APIs. Note though that, if program logic is not carefully planned, an infinite loop in plug-in execution can result.
Oracle Internet Directory provides the Plug-in LDAP API. This plug-in does not cause a series of plug-in actions in the directory server if there are plug-ins configured and associated with the LDAP request.
In the Plug-in LDAP API, the directory provides APIs for connecting back to the directory server designated in the plug-in module. You must use this API if you want to connect to the server that is executing the plug-in. If you want to connect to an external server, you can use the DBMS_LDAP API.
Within each plug-in module, an ldapcontext is passed from the Oracle directory server. When the Plug-in LDAP API is called, ldapcontext is passed for security and binding purposes. When binding with this ldapcontext, Oracle Internet Directory recognizes that the LDAP request is coming from a plug-in module. For this type of plug-in bind, the directory does not trigger any subsequent plug-ins. It handles the plug-in bind as a super-user bind. Use this plug-in bind with discretion.
These cases can cause an inconsistent state in a replication environment:
Plug-in metadata replicated to other nodes
Changes to directory entries by plug-in programs or other LDAP operations
Plug-in installation on only some of the participating nodes
Implementation in the plug-in of extra checking that depends on the directory data
Some Oracle Internet Directory server plug-ins require that you supply the code that preserves tight security. For example, if you replace the directory's ldapcompare or ldapbind operation with your own plug-in module, you must ensure that your implementation of this operation does not omit any functionality on which security relies.
To ensure tight security, the following must be done:
Create the plug-in packages
Only the LDAP administrator can restrict the database user
Use the access control list (ACL) to set the plug-in configuration entries to be accessed only by the LDAP administrator
Be aware of the program relationship between different plug-ins
Use the plug-in debugging mechanism for Oracle Internet Directory to examine the process and content of plug-ins.The following commands control the operation of the server debugging process.
To set up plug-in debugging, run this command:
% sqlplus ods/password @$ORACLE/ldap/admin/oidspdsu.pls
To enable plug-in debugging, run this command:
% sqlplus ods/password @$ORACLE/ldap/admin/oidspdon.pls
After enabling plug-in debugging, you can use this command in the plug-in module code:
plg_debug('debuggingmessage');
The resulting debug message is stored in the plug-in debugging table.
To disable debugging, run this command:
% sqlplus ods/password @$ORACLE/ldap/admin/oidspdof.pls
To display the debug messages that you put in the plug-in module, run this command:
% sqlplus ods/password @$ORACLE/ldap/admin/oidspdsh.pls
To delete all of the debug messages from the debug table, run this command:
% sqlplus ods/password @$ORACLE/ldap/admin/oidspdde.pls
Here is the package specification that Oracle Internet Directory provides for the Plug-in LDAP API:
CREATE OR REPLACE PACKAGE LDAP_PLUGIN AS
SUBTYPE SESSION IS RAW(32);
-- Initializes the LDAP library and return a session handler
-- for use in subsequent calls.
FUNCTION init (ldappluginctx IN ODS.plugincontext)
RETURN SESSION;
-- Synchronously authenticates to the directory server using
-- a Distinguished Name and password.
FUNCTION simple_bind_s (ldappluginctx IN ODS.plugincontext,
ld IN SESSION)
RETURN PLS_INTEGER;
-- Get requester info from the plug-in context
FUNCTION get_requester (ldappluginctx IN ODS.plugincontext)
RETURN VARCHAR2;
END LDAP_PLUGIN;
Oracle Internet Directory10g Release 2 (10.1.2) can use several different versions of the Oracle Database for storing directory data. These include Oracle9i Database Server Release 2, v9.2.0.6 or later and Oracle Database 10g, v10.1.0.4 or later.
In Oracle Application Server 10g Release 2 (10.1.2), the following plug-in features are not supported in the directory server running against Oracle9i Database Server Release 2:
Windows Domain external authentication plug-in.
The simple_bind_s() function of the LDAP_PLUGIN package provided as the Oracle Internet Directory PL/SQL PLUGIN API for connecting back to the directory server as part of plug-in definitions.
This section presents two sample plug-ins. One logs all ldapsearch commands. The other synchronizes two directory information trees (DITs).
Situation: A user wants to know if it is possible to log all of the ldapsearch commands.
Solution: Yes. The user can use the post ldapsearch operational plug-in for this purpose. They can either log all of the requests or only those that occur under the DNs being searched.
To log all the ldapsearch commands:
Log all of the ldapsearch results into a database table. This log table has these columns:
timestamp
baseDN
search scope
search filter
required attribute
search result
Use this SQL script to create the table:
drop table search_log; create table search_log (timestamp varchar2(50), basedn varchar2(256), searchscope number(1); searchfilter varchar2(256); searchresult number(1)); drop table simple_tab; create table simple_tab (id NUMBER(7), dump varchar2(256)); DROP sequence seq; CREATE sequence seq START WITH 10000; commit;
Create the plug-in package specification.
CREATE OR REPLACE PACKAGE LDAP_PLUGIN_EXAMPLE1 AS PROCEDURE post_search (ldapplugincontext IN ODS.plugincontext, result IN INTEGER, baseDN IN VARCHAR2, scope IN INTEGER, filterStr IN VARCHAR2, requiredAttr IN ODS.strCollection, rc OUT INTEGER, errormsg OUT VARCHAR2 ); END LDAP_PLUGIN_EXAMPLE1; /
Create the plug-in package body.
CREATE OR REPLACE PACKAGE BODY LDAP_PLUGIN_EXAMPLE1 AS
PROCEDURE post_search
(ldapplugincontext IN ODS.plugincontext,
result IN INTEGER,
baseDN IN VARCHAR2,
scope IN INTEGER,
filterStr IN VARCHAR2,
requiredAttr IN ODS.strCollection,
rc OUT INTEGER,
errormsg OUT VARCHAR2
)
IS
BEGIN
INSERT INTO simple_tab VALUES
(to_char(sysdate, 'Month DD, YYYY HH24:MI:SS'), baseDN, scope, filterStr, result);
-- The following code segment demonstrate how to iterate
-- the ODS.strCollection
FOR l_counter1 IN 1..requiredAttr.COUNT LOOP
INSERT INTO simple_tab
values (seq.NEXTVAL, 'req attr ' || l_counter1 || ' = ' ||
requiredAttr(l_counter1));
END LOOP;
rc := 0;
errormsg := 'no post_search plug-in error msg';
COMMIT;
EXCEPTION
WHEN others THEN
rc := 1;
errormsg := 'exception: post_search plug-in';
END;
END LDAP_PLUGIN_EXAMPLE1;
/
Register the plug-in entry in Oracle Internet Directory.
cn=post_search,cn=plugin,cn=subconfigsubentry objectclass=orclPluginConfig objectclass=top orclPluginName=ldap_plugin_example1 orclPluginType=operational orclPluginTiming=post orclPluginLDAPOperation=ldapsearch orclPluginEnable=1 orclPluginVersion=1.0.1 cn=post_search orclPluginKind=PLSQL
Using the ldapadd command-line tool to add this entry:
% ldapadd –p port_number –h host_name –D bind_dn –w passwd –v \
–f register_post_search.ldif
Situation: There are two interdependent products under cn=Products, cn=oraclecontext. This interdependency extends down to the users in these products' containers. If a user in the first DIT (product 1) is deleted, the corresponding user in the other DIT (product 2) must be deleted.
Is it possible to set a trigger that, when the user in the first DIT is deleted, calls or passes a trigger to delete the user in the second DIT?
Solution: Yes, we can use the post ldapdelete operation plug-in to handle the second deletion occurring in the second DIT.
If the first DIT has the naming context of cn=DIT1,cn=products,cn=oraclecontext and the second DIT has the naming context of cn=DIT2,cn=products,cn=oraclecontext, the two users share the same ID attribute. Inside of the post ldapdelete plug-in module, we can use LDAP_PLUGIN and DBMS_LDAP APIs to delete the user in the second DIT.
We must set orclPluginSubscriberDNList to cn=DIT1,cn=products,cn=oraclecontext, so that whenever we delete entries under cn=DIT1,cn=products,cn=oraclecontext, the plug-in module is invoked.
|
Note: When you use a postldapmodify plug-in to synchronize changes between two Oracle Internet Directory nodes, you cannot push all the attributes from one node to the other. This is because the changes (mod structure) captured in the plug-in module include operational attributes. These operational attributes are generated on each node and cannot be modified by using the standard LDAP methods.
When writing your plug-in program, exclude the following operational attributes from synchronization: The following attributes are used the most in the deployment environment and should be excluded from synchronization first: |
Assume that the entries under both DITs have been added to the directory. For example, the entry id=12345,cn=DIT1,cn=products,cn=oraclecontext is in DIT1, and id=12345,cn=DIT2,cn=products,cn=oraclecontext is in DIT2.
Create the plug-in package specification.
CREATE OR REPLACE PACKAGE LDAP_PLUGIN_EXAMPLE2 AS PROCEDURE post_delete (ldapplugincontext IN ODS.plugincontext, result IN INTEGER, dn IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 ); END LDAP_PLUGIN_EXAMPLE2; /
Create the plug-in package body.
CREATE OR REPLACE PACKAGE BODY LDAP_PLUGIN_EXAMPLE2 AS
PROCEDURE post_delete
(ldapplugincontext IN ODS.plugincontext,
result IN INTEGER,
dn IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
)
IS
retval PLS_INTEGER;
my_session DBMS_LDAP.session;
newDN VARCHAR2(256);
BEGIN
retval := -1;
my_session := LDAP_PLUGIN.init(ldapplugincontext);
-- bind to the directory
retval := LDAP_PLUGIN.simple_bind_s(ldapplugincontext, my_session);
-- if retval is not 0, then raise exception
newDN := REPLACE(dn,'DIT1','DIT2');
retval := DBMS_LDAP.delete_s(my_session, newDN);
-- if retval is not 0, then raise exception
rc := 0;
errormsg := 'no post_delete plug-in error msg';
EXCEPTION
WHEN others THEN
rc := 1;
errormsg := 'exception: post_delete plug-in';
END;
END LDAP_PLUGIN_EXAMPLE2;
/
(ldapplugincontext IN ODS.plugincontext,
result IN INTEGER,
dn IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
)
IS
retval PLS_INTEGER;
my_session DBMS_LDAP.session;
newDN VARCHAR2(256);
BEGIN
retval := -1;
my_session := LDAP_PLUGIN.init(ldapplugincontext);
-- bind to the directory
retval := LDAP_PLUGIN.simple_bind_s(ldapplugincontext, my_session);
-- if retval is not 0, then raise exception
newDN := REPLACE(dn,'DIT1','DIT2');
retval := DBMS_LDAP.delete_s(my_session, newDN);
-- if retval is not 0, then raise exception
rc := 0;
errormsg := 'no post_delete plug-in error msg';
EXCEPTION
WHEN others THEN
rc := 1;
errormsg := 'exception: post_delete plug-in';
END;
END LDAP_PLUGIN_EXAMPLE2;
/
Register the plug-in entry with Oracle Internet Directory.
Construct the LDIF file register_post_delete.ldif:
cn=post_delete,cn=plugin,cn=subconfigsubentry objectclass=orclPluginConfig objectclass=top orclPluginName=ldap_plugin_example2 orclPluginType=operational orclPluginTiming=post orclPluginLDAPOperation=ldapdelete orclPluginEnable=1 orclPluginSubscriberDNList=cn=DIT1,cn=oraclecontext,cn=products orclPluginVersion=1.0.1 cn=post_delete orclPluginKind=PLSQL
Use the ldapadd command-line tool to add this entry:
% ldapadd –p port_number –h host_name –D bind_dn –w passwd –v –f register_ post_delete.ldif
Starting with release 10.1.2, object definitions in the Plug-in LDAP API enable ldapmodify, ldapadd, and ldapcompare plug-ins to access binary attributes in the directory database. Formerly, only attributes of type VARCHAR2 could be accessed. These object definitions do not invalidate plug-in code that precedes release 10.1.2. No change to this code is required. The new definitions appear in the section "Database Object Types Defined".
The section that you are reading now examines binary operations involving the three types of plug-ins. It includes examples of these plug-ins. The new object definitions apply to pre, post, and when versions of all three.
Note that the three examples use RAW functions and variables in place of LOBs.
The modobj object that the plug-in framework passes to an ldapmodify plug-in now holds the values of binary attributes as binvals. This variable is a table of binvalobj objects.
The plug-in determines whether a binary operation is being performed by examining the operation field of modobj. It checks whether any of the values DBMS_LDAP.MOD_ADD, DBMS_LDAP.MOD_DELETE, and DBMS_LDAP.MOD_REPLACE are paired with DBMS_LDAP.MOD_BVALUES. The pairing DBMS_LDAP.MOD_ADD+DBMS_LDAP.MOD_BVALUES, for example, signifies a binary add in the modify operation.
The example that follows shows a post ldapmodify plug-in modifying an entry in another directory. The plug-in is invoked after ldapmodify applies the same change to the same entry in the plug-in directory. The entry in the other directory appears under the DIT cn=users,dc=us,dc=acme,dc=com.
create or replace package moduser as
procedure post_modify(ldapplugincontext IN ODS.plugincontext,
result IN integer,
dn IN varchar2,
mods IN ODS.modlist,
rc OUT integer,
errormsg OUT varchar2);
end moduser;
/
show error
CREATE OR REPLACE PACKAGE BODY moduser AS
procedure post_modify(ldapplugincontext IN ODS.plugincontext,
result IN integer,
dn IN varchar2,
mods IN ODS.modlist,
rc OUT integer,
errormsg OUT varchar2)
is
counter1 pls_integer;
counter2 pls_integer;
retval pls_integer := -1;
user_session DBMS_LDAP.session;
user_dn varchar(256);
user_array DBMS_LDAP.mod_array;
user_vals DBMS_LDAP.string_collection;
user_binvals DBMS_LDAP.blob_collection;
ldap_host varchar(256);
ldap_port varchar(256);
ldap_user varchar(256);
ldap_passwd varchar(256);
begin
ldap_host :='backup.us.oracle.com';
ldap_port :='4000';
ldap_user :='cn=orcladmin';
ldap_passwd :='welcome';
plg_debug('START MODIFYING THE ENTRY');
-- Get a session
user_session := dbms_ldap.init(ldap_host, ldap_port);
-- Bind to the directory
retval := dbms_ldap.simple_bind_s(user_session, ldap_user,
ldap_passwd);
-- Create a mod_array
user_array := dbms_ldap.create_mod_array(mods.count);
-- Create a user_dn
user_dn := substr(dn,1,instr(dn,',',1,1))||'cn=users,dc=us,dc=acme,
dc=com';
plg_debug('THE CREATED DN IS'||user_dn);
-- Iterate through the modlist
for counter1 in 1..mods.count loop
-- Log the attribute name and operation
if (mods(counter1).operation > DBMS_LDAP.MOD_BVALUES) then
plg_debug('THE NAME OF THE BINARY ATTR. IS'||mods(counter1).type);
else
plg_debug('THE NAME OF THE NORMAL ATTR. IS'||mods(counter1).type);
end if;
plg_debug('THE OPERATION IS'||mods(counter1).operation);
-- Add the attribute values to the collection
for counter2 in 1..mods(counter1).vals.count loop
user_vals(counter2) := mods(counter1).vals(counter2).val;
end loop;
-- Add the attribute values to the collection
for counter2 in 1..mods(counter1).binvals.count loop
plg_debug('THE NO. OF BYTES OF THE BINARY ATTR. VALUE IS'
||mods(counter1).binvals(counter2).length);
user_binvals(counter2) := mods(counter1).binvals(counter2).binval;
end loop;
-- Populate the mod_array accordingly with binary/normal attributes
if (mods(counter1).operation >= DBMS_LDAP.MOD_BVALUES) then
dbms_ldap.populate_mod_array(user_array,mods(counter1).operation -
DBMS_LDAP.MOD_BVALUES,mods(counter1).type,user_binvals);
user_binvals.delete;
else
dbms_ldap.populate_mod_array(user_array,mods(counter1).operation,
mods(counter1).type,user_vals);
user_vals.delete;
end if;
end loop;
-- Modify the entry
retval := dbms_ldap.modify_s(user_session,user_dn,user_array);
if retval = 0 then
rc := 0;
errormsg:='No error occured while modifying the entry';
else
rc := retval;
errormsg :='Error code'||rc||' while modifying the entry';
end if;
-- Free the mod_array
dbms_ldap.free_mod_array(user_array);
plg_debug('FINISHED MODIFYING THE ENTRY');
exception
WHEN others THEN
plg_debug (SQLERRM);
end;
end moduser;
/
show error
exit;
The entryobj object that the plug-in framework passes to an ldapadd plug-in now holds binary attributes as binattr. This variable is a table of binattrobj objects. The example that follows shows a post-add plug-in propagating a change (an added user) in the plug-in directory to another directory. In the latter directory, the entry appears under the DIT cn=users,dc=us,dc=acme,dc=com.
create or replace package adduser as
procedure post_add(ldapplugincontext IN ODS.plugincontext,
result IN integer,
dn IN varchar2,
entry IN ODS.entryobj,
rc OUT integer,
errormsg OUT varchar2);
end adduser;
/
show error
CREATE OR REPLACE PACKAGE BODY adduser AS
procedure post_add(ldapplugincontext IN ODS.plugincontext,
result IN integer,
dn IN varchar2,
entry IN ODS.entryobj,
rc OUT integer,
errormsg OUT varchar2)
is
counter1 pls_integer;
counter2 pls_integer;
retval pls_integer := -1;
s integer;
user_session DBMS_LDAP.session;
user_dn varchar(256);
user_array DBMS_LDAP.mod_array;
user_vals DBMS_LDAP.string_collection;
user_binvals DBMS_LDAP.blob_collection;
ldap_host varchar(256);
ldap_port varchar(256);
ldap_user varchar(256);
ldap_passwd varchar(256);
begin
ldap_host :='backup.us.oracle.com';
ldap_port :='4000';
ldap_user :='cn=orcladmin';
ldap_passwd :='welcome';
plg_debug('START ADDING THE ENTRY');
-- Get a session
user_session := dbms_ldap.init(ldap_host, ldap_port);
-- Bind to the directory
retval := dbms_ldap.simple_bind_s(user_session, ldap_user, ldap_passwd);
-- Create a mod_array
user_array := dbms_ldap.create_mod_array(entry.binattr.count +
entry.attr.count);
-- Create a user_dn
user_dn := substr(dn,1,instr(dn,',',1,1))||'cn=users,dc=us,dc=acme,
dc=com';
plg_debug('THE CREATED DN IS'||user_dn);
-- Populate the mod_array with binary attributes
for counter1 in 1..entry.binattr.count loop
for counter2 in 1..entry.binattr(counter1).binattrval.count loop
plg_debug('THE NAME OF THE BINARY ATTR. IS'||
entry.binattr(counter1).binattrname);
s := dbms_lob.getlength(entry.binattr(counter1).
binattrval(counter2));
plg_debug('THE NO. OF BYTES OF THE BINARY ATTR. VALUE IS'||s);
user_binvals(counter2) := entry.binattr(counter1).
binattrval(counter2);
end loop;
dbms_ldap.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD,
entry.binattr(counter1).binattrname,user_binvals);
user_binvals.delete;
end loop;
-- Populate the mod_array with attributes
for counter1 in 1..entry.attr.count loop
for counter2 in 1..entry.attr(counter1).attrval.count loop
plg_debug('THE NORMAL ATTRIBUTE'||entry.attr(counter1).attrname||'
HAS THE VALUE'||entry.attr(counter1).attrval(counter2));
user_vals(counter2) := entry.attr(counter1).attrval(counter2);
end loop;
dbms_ldap.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD,
entry.attr(counter1).attrname,user_vals);
user_vals.delete;
end loop;
-- Add the entry
retval := dbms_ldap.add_s(user_session,user_dn,user_array);
plg_debug('THE RETURN VALUE IS'||retval);
if retval = 0 then
rc := 0;
errormsg:='No error occured while adding the entry';
else
rc := retval;
errormsg :='Error code'||rc||' while adding the entry';
end if;
-- Free the mod_array
dbms_ldap.free_mod_array(user_array);
retval := dbms_ldap.unbind_s(user_session);
plg_debug('FINISHED ADDING THE ENTRY');
exception
WHEN others THEN
plg_debug (SQLERRM);
end;
end adduser;
/
show error
exit;
The ldapcompare plug-in can use three new overloaded module interfaces to compare binary attributes. If you want to use these interfaces to develop a plug-in package that handles both binary and nonbinary attributes, you must include two separate procedures in the package. The package name for both procedures is the same because only one orclPluginName can be registered in the plug-in entry.
After updating an existing plug-in package to include a procedure that compares binary attributes, reinstall the package. Recompile packages that depend on the plug-in package.
The three new interfaces look like this:
PROCEDURE pre_compare (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN BLOB,
rc OUT INTEGER,
errormsg OUT VARCHAR2 );
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN BLOB,
rc OUT INTEGER,
errormsg OUT VARCHAR2 );
PROCEDURE post_compare (ldapplugincontext IN ODS.plugincontext,
result IN INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN BLOB,
rc OUT INTEGER,
errormsg OUT VARCHAR2 );
The example that follows compares a binary attribute of an entry in the plug-in directory with a binary attribute of an entry in another directory. This package replaces the compare code of the server with the compare code of the plug-in. The package handles both binary and nonbinary attributes. As such it contains two separate procedures.
create or replace package compareattr as
procedure when_compare_replace(ldapplugincontext IN ODS.plugincontext,
result OUT integer,
dn IN varchar2,
attrname IN VARCHAR2,
attrval IN BLOB,
rc OUT integer,
errormsg OUT varchar2);
procedure when_compare_replace(ldapplugincontext IN ODS.plugincontext,
result OUT integer,
dn IN varchar2,
attrname IN VARCHAR2,
attrval IN varchar2,
rc OUT integer,
errormsg OUT varchar2);
end compareattr;
/
show error
CREATE OR REPLACE PACKAGE BODY compareattr AS
procedure when_compare_replace(ldapplugincontext IN ODS.plugincontext,
result OUT integer,
dn IN varchar2,
attrname IN VARCHAR2,
attrval IN varchar2,
rc OUT integer,
errormsg OUT varchar2)
is
pos INTEGER := 2147483647;
begin
plg_debug('START');
plg_debug('THE ATTRNAME IS'||attrname||' AND THE VALUE IS'||attrval);
plg_debug('END');
rc := 0;
errormsg :='No error!!!';
exception
WHEN others THEN
plg_debug ('Unknown UTL_FILE Error');
end;
procedure when_compare_replace(ldapplugincontext IN ODS.plugincontext,
result OUT integer,
dn IN varchar2,
attrname IN VARCHAR2,
attrval IN BLOB,
rc OUT integer,
errormsg OUT varchar2)
is
counter pls_integer;
retval pls_integer := -1;
cmp_result integer;
s integer;
user_session DBMS_LDAP.session;
user_entry DBMS_LDAP.message;
user_message DBMS_LDAP.message;
user_dn varchar(256);
user_attrs DBMS_LDAP.string_collection;
user_attr_name VARCHAR2(256);
user_ber_elmt DBMS_LDAP.ber_element;
user_vals DBMS_LDAP.blob_collection;
ldap_host varchar(256);
ldap_port varchar(256);
ldap_user varchar(256);
ldap_passwd varchar(256);
ldap_base varchar(256);
begin
ldap_host :='backup.us.oracle.com';
ldap_port :='4000';
ldap_user :='cn=orcladmin';
ldap_passwd :='welcome';
ldap_base := dn;
plg_debug('STARTING COMPARISON IN WHEN REPLACE PLUG-IN');
s := dbms_lob.getlength(attrval);
plg_debug('THE NUMBER OF BYTES OF ATTRVAL'||s);
-- Get a session
user_session := dbms_ldap.init(ldap_host, ldap_port);
-- Bind to the directory
retval := dbms_ldap.simple_bind_s(user_session, ldap_user, ldap_passwd);
-- issue the search
user_attrs(1) := attrname;
retval := DBMS_LDAP.search_s(user_session, ldap_base,
DBMS_LDAP.SCOPE_BASE,
'objectclass=*',
user_attrs,
0,
user_message);
-- Get the entry in the other OID server
user_entry := DBMS_LDAP.first_entry(user_session, user_message);
-- Log the DN and the Attribute name
user_dn := DBMS_LDAP.get_dn(user_session, user_entry);
plg_debug('THE DN IS'||user_dn);
user_attr_name := DBMS_LDAP.first_attribute(user_session,user_entry,
user_ber_elmt);
-- Get the values of the attribute
user_vals := DBMS_LDAP.get_values_blob(user_session, user_entry,
user_attr_name);
-- Start the binary comparison between the ATTRVAL and the attribute
-- values
if user_vals.count > 0 then
for counter in user_vals.first..user_vals.last loop
cmp_result := dbms_lob.compare(user_vals(counter),attrval,
dbms_lob.getlength(user_vals(counter)),1,1);
if cmp_result = 0 then
rc := 0;
-- Return LDAP_COMPARE_TRUE
result := 6;
plg_debug('THE LENGTH OF THE ATTR.'||user_attr_name||' IN THE
ENTRY IS'||dbms_lob.getlength(user_vals(counter)));
errormsg :='NO ERROR. THE COMPARISON HAS SUCCEEDED.';
plg_debug(errormsg);
plg_debug('FINISHED COMPARISON');
return;
end if;
end loop;
end if;
rc := 1;
-- Return LDAP_COMPARE_FALSE
result := 5;
errormsg :='ERROR. THE COMPARISON HAS FAILED.';
plg_debug('THE LENGTH OF THE ATTR.'||user_attr_name||' IN THE ENTRY IS'
||dbms_lob.getlength(user_vals(user_vals.last)));
plg_debug(errormsg);
plg_debug('FINISHED COMPARISON');
-- Free user_vals
dbms_ldap.value_free_blob(user_vals);
exception
WHEN others THEN
plg_debug (SQLERRM);
end;
end compareattr;
/
show error
exit;
This section defines the object types introduced in the Plug-in LDAP API. All of these definitions are in Oracle Directory Server database schema. Note that the API includes object types that enable plug-ins to extract binary data from the database.
create or replace type strCollection as TABLE of VARCHAR2(512); / create or replace type pluginContext as TABLE of VARCHAR2(512); / create or replace type attrvalType as TABLE OF VARCHAR2(4000); / create or replace type attrobj as object ( attrname varchar2(2000), attrval attrvalType ); / create or replace type attrlist as table of attrobj; / create or replace type binattrvalType as TABLE OF BLOB; / create or replace type binattrobj as object ( binattrname varchar2(2000), binattrval binattrvalType ); / create or replace type binattrlist as table of binattrobj; / create or replace type entryobj as object ( entryname varchar2(2000), attr attrlist, binattr binattrlist ); / create or replace type entrylist as table of entryobj; / create or replace type bvalobj as object ( length integer, val varchar2(4000) ); / create or replace type bvallist as table of bvalobj; / create or replace type binvalobj as object ( length integer, binval blob ); / create or replace type binvallist as table of binvalobj; / create or replace type modobj as object ( operation integer, type varchar2(256), vals bvallist, binvals binvallist ); / create or replace type modlist as table of modobj;
When you use the plug-ins, you must adhere to the signature defined for each of them. Each signature is provided here.
PROCEDURE pre_add (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2,
entry IN ODS.entryobj,
rc OUT INTEGER,
errormsg OUT VARCHAR2);
PROCEDURE when_add (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, entry IN ODS.entryobj, rc OUT INTEGER, errormsg OUT VARCHAR2);
PROCEDURE when_add_replace (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, entry IN ODS.entryobj, rc OUT INTEGER, errormsg OUT VARCHAR2);
PROCEDURE post_add (ldapplugincontext IN ODS.plugincontext,
result IN INTEGER, dn IN VARCHAR2, entry IN ODS.entryobj, rc OUT INTEGER, errormsg OUT VARCHAR2);
PROCEDURE pre_modify (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, mods IN ODS.modlist, rc OUT INTEGER, errormsg OUT VARCHAR2);
PROCEDURE when_modify (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, mods IN ODS.modlist, rc OUT INTEGER, errormsg OUT VARCHAR2);
PROCEDURE when_modify_replace (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, mods IN ODS.modlist, rc OUT INTEGER, errormsg OUT VARCHAR2);
PROCEDURE post_modify (ldapplugincontext IN ODS.plugincontext,
result IN INTEGER, dn IN VARCHAR2, mods IN ODS.modlist, rc OUT INTEGER, errormsg OUT VARCHAR2);
PROCEDURE pre_compare (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, attrname IN VARCHAR2, attrval IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE pre_compare (ldapplugincontext IN ODS.plugincontext, dn IN VARCHAR2, attrname IN VARCHAR2, attrval IN BLOB, rc OUT INTEGER, errormsg OUT VARCHAR2 ); PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER, dn IN VARCHAR2, attrname IN VARCHAR2, attrval IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 ); PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext, result OUT INTEGER, dn IN VARCHAR2, attrname IN VARCHAR2, attrval IN BLOB, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE post_compare (ldapplugincontext IN ODS.plugincontext,
result IN INTEGER, dn IN VARCHAR2, attrname IN VARCHAR2, attrval IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 ); PROCEDURE post_compare (ldapplugincontext IN ODS.plugincontext, result IN INTEGER, dn IN VARCHAR2, attrname IN VARCHAR2, attrval IN BLOB, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE pre_delete (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE when_delete (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE when_delete_replace (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE post_delete (ldapplugincontext IN ODS.plugincontext,
result IN INTEGER, dn IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE pre_search (ldapplugincontext IN ODS.plugincontext,
baseDN IN VARCHAR2, scope IN INTEGER, filterStr IN VARCHAR2, requiredAttr IN ODS.strCollection, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE post_search (ldapplugincontext IN ODS.plugincontext,
result IN INTEGER, baseDN IN VARCHAR2, scope IN INTEGER, filterStr IN VARCHAR2, requiredAttr IN ODS.strCollection, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE pre_bind (ldapplugincontext IN ODS.plugincontext,
dn IN VARCHAR2, passwd IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER, dn IN VARCHAR2, passwd IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 );
PROCEDURE post_bind (ldapplugincontext IN ODS.plugincontext,
result IN INTEGER, dn IN VARCHAR2, passwd IN VARCHAR2, rc OUT INTEGER, errormsg OUT VARCHAR2 );
