Oracle® Identity Management Application Developer's Guide 10g Release 2 (10.1.2)
B14087-02
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in the SDK?
New Features in the Release 10.1.2 SDK
New Features in the Release 9.0.4 SDK
Part I Programming for Oracle Identity Management
1 Developing Applications for Oracle Identity Management
1.1 Benefits of Integrating with Oracle Identity Management
1.2 Oracle Identity Management Services Available for Application Integration
1.3 Integrating Existing Applications with Oracle Identity Management
1.4 Integrating New Applications with Oracle Identity Management
1.5 Oracle Internet Directory Programming: An Overview
1.5.1 Programming Languages Supported by the Oracle Internet Directory SDK
1.5.2 Oracle Internet Directory SDK Components
1.5.3 Application Development in the Oracle Internet Directory Environment
1.5.3.1 Architecture of a Directory-Enabled Application
1.5.3.2 Oracle Internet Directory Interactions During the Application Life Cycle
1.5.3.3 Services and APIs for Integrating Applications with Oracle Internet Directory
1.5.3.4 Integrating Existing Applications with Oracle Internet Directory
1.5.3.5 Integrating New Applications with Oracle Internet Directory
1.5.4 Other Components of Oracle Internet Directory
2 Developing Applications with Standard LDAP APIs
2.1 Sample Code
2.2 History of LDAP
2.3 LDAP Models
2.3.1 Naming Model
2.3.2 Information Model
2.3.3 Functional Model
2.3.4 Security Model
2.3.4.1 Authentication
2.3.4.2 Access Control and Authorization
2.3.4.3 Data Integrity
2.3.4.4 Data Privacy
2.3.4.5 Password Policies
2.4 About the Standard LDAP APIs
2.4.1 API Usage Model
2.4.2 Getting Started with the C API
2.4.3 Getting Started with the DBMS_LDAP Package
2.4.4 Getting Started with the Java API
2.5 Initializing an LDAP Session
2.5.1 Initializing the Session by Using the C API
2.5.2 Initializing the Session by Using DBMS_LDAP
2.5.3 Initializing the Session by Using JNDI
2.6 Authenticating an LDAP Session
2.6.1 Authenticating an LDAP Session by Using the C API
2.6.2 Authenticating an LDAP Session by Using DBMS_LDAP
2.7 Searching the Directory
2.7.1 Program Flow for Search Operations
2.7.2 Search Scope
2.7.3 Filters
2.7.4 Searching the Directory by Using the C API
2.7.5 Searching the Directory by Using DBMS_LDAP
2.8 Terminating the Session
2.8.1 Terminating the Session by Using the C API
2.8.2 Terminating the Session by Using DBMS_LDAP
3 Developing Applications with Oracle Extensions to the Standard APIs
3.1 Sample Code
3.2 Using Oracle Extensions to the Standard APIs
3.3 Creating an Application Identity in the Directory
3.3.1 Creating an Application Identity
3.3.2 Assigning Privileges to an Application Identity
3.4 Managing Users
3.5 Managing Groups
3.6 Managing Realms
3.7 Discovering a Directory Server
3.7.1 Benefits of Oracle Internet Directory Discovery Interfaces
3.7.2 Usage Model for Discovery Interfaces
3.7.3 Determining Server Name and Port Number From DNS
3.7.3.1 Mapping the DN of the Naming Context
3.7.3.2 Search by Domain Component of Local Machine
3.7.3.3 Search by Default SRV Record in DNS
3.7.4 Environment Variables for DNS Server Discovery
3.7.5 Programming Interfaces for DNS Server Discovery
3.8 SASL Authentication
3.8.1 SASL Authentication by Using the DIGEST-MD5 Mechanism
3.8.1.1 Steps Involved in SASL Authentication by Using DIGEST-MD5
3.8.2 SASL Authentication by Using External Mechanism
3.9 Proxying on Behalf of End Users
3.10 Creating Dynamic Password Verifiers
3.10.1 Request Control for Dynamic Password Verifiers
3.10.2 Syntax for DynamicVerifierRequestControl
3.10.3 Parameters Required by the Hashing Algorithms
3.10.4 Configuring the Authentication APIs
3.10.4.1 Parameters Passed If ldap_search Is Used
3.10.4.2 Parameters Passed If ldap_compare Is Used
3.10.5 Response Control for Dynamic Password Verifiers
3.10.6 Obtaining Privileges for the Dynamic Verifier Framework
4 Using the Java API Extensions to JNDI
4.1 Sample Code
4.2 Installing the Java Extensions
4.3 Using the oracle.java.util Package to Model LDAP Objects
4.4 The Classes PropertySetCollection, PropertySet, and Property
4.5 Managing Users
4.6 Authenticating Users
4.7 Creating Users
4.8 Retrieving User Objects
4.9 Retrieving Objects from Realms
4.10 Discovering a Directory Server
4.11 Examples: Java API for Discovering a Directory Server
4.12 Using DIGEST-MD5 to Perform SASL Authentication
5 Using the API Extensions in PL/SQL
5.1 Sample Code
5.2 Installing the PL/SQL Extensions
5.3 Using Handles to Access Directory Data
5.4 Managing Users
5.5 Authenticating Users
5.6 Dependencies and Limitations of the PL/SQL LDAP API
6 Developing Provisioning-Integrated Applications
7 Developing Directory Plug-ins
7.1 Plug-in Prerequisites
7.2 Plug-in Benefits
7.3 What Is the Plug-in Framework?
7.4 Operation-Based Plug-ins Supported by the Directory
7.4.1 Pre-Operation Plug-ins
7.4.2 Post-Operation Plug-ins
7.4.3 When-Operation Plug-ins
7.5 Designing, Creating, and Using Plug-ins
7.5.1 Designing Plug-ins
7.5.1.1 Types of Plug-in Operations
7.5.1.2 Naming Plug-ins
7.5.2 Creating Plug-ins
7.5.2.1 Package Specifications for Plug-in Module Interfaces
7.5.3 Compiling Plug-ins
7.5.3.1 Dependencies
7.5.3.2 Recompiling Plug-ins
7.5.4 Registering Plug-ins
7.5.4.1 The orclPluginConfig Object Class
7.5.4.2 Adding a Plug-in Configuration Entry by Using Command-Line Tools
7.5.4.3 Example 1
7.5.4.4 Example 2
7.5.5 Managing Plug-ins
7.5.5.1 Modifying Plug-ins
7.5.5.2 Debugging Plug-ins
7.5.6 Enabling and Disabling Plug-ins
7.5.7 Exception Handling
7.5.7.1 Error Handling
7.5.7.2 Program Control Handling between Oracle Internet Directory and Plug-ins
7.5.8 Plug-in LDAP API
7.5.9 Plug-ins and Replication
7.5.10 Plug-in and Database Tools
7.5.11 Security
7.5.12 Plug-in Debugging
7.5.13 Plug-in LDAP API Specifications
7.5.14 Database Limitations
7.6 Examples of Plug-ins
7.6.1 Example 1: Search Query Logging
7.6.2 Example 2: Synchronizing Two DITs
7.7 Binary Support in the Plug-in Framework
7.7.1 Binary Operations with ldapmodify
7.7.2 Binary Operations with ldapadd
7.7.3 Binary Operations with ldapcompare
7.8 Database Object Types Defined
7.9 Specifications for Plug-in Procedures
8 Integrating with Oracle Delegated Administration Services
8.1 What Is Oracle Delegated Administration Services?
8.1.1 How Applications Benefit from Oracle Delegated Administration Services
8.2 Integrating Applications with the Delegated Administration Services
8.2.1 Integration Profile
8.2.2 Integration Methodology and Considerations
8.3 Java APIs Used to Access URLs
9 Developing Applications for Single Sign-On
9.1 What Is mod_osso?
9.2 Protecting Applications Using mod_osso: Two Methods
9.2.1 Protecting URLs Statically
9.2.2 Protecting URLs with Dynamic Directives
9.3 Developing Applications Using mod_osso
9.3.1 Developing Statically Protected PL/SQL Applications
9.3.2 Developing Statically Protected Java Applications
9.3.3 Developing Java Applications That Use Dynamic Directives
9.3.3.1 Java Example #1: Simple Authentication
9.3.3.2 Java Example #2: Single Sign-Off
9.3.3.3 Java Example #3: Forced Authentication
9.3.4 A Word About Non-GET Authentication
9.3.5 Global Inactivity Timeout and Dynamic Directives
9.4 Security Issues
9.4.1 Single Sign-Off and Application Logout
9.4.1.1 Application Login: Code Examples
9.4.1.2 Application Logout: Recommended Code
9.4.2 Secure Transmission of mod_osso Cookies
10 Integrating J2EE Applications and Oracle Internet Directory
10.1 Standard J2EE Security APIs
10.2 OC4J Security APIs
10.3 JAAS Policy Management APIs
10.3.1 JAAS Policy Management
10.3.2 Retrieving User Policies and Permissions using Standard JAAS APIs
Part II Oracle Internet Directory Programming Reference
11 C API Reference
11.1 About the Oracle Internet Directory C API
11.1.1 Oracle Internet Directory SDK C API SSL Extensions
11.1.1.1 SSL Interface Calls
11.1.1.2 Wallet Support
11.2 Functions in the C API
11.2.1 The Functions at a Glance
11.2.2 Initializing an LDAP Session
11.2.2.1 ldap_init and ldap_open
11.2.3 LDAP Session Handle Options
11.2.3.1 ldap_get_option and ldap_set_option
11.2.4 Authenticating to the Directory
11.2.4.1 ldap_sasl_bind, ldap_sasl_bind_s, ldap_simple_bind, and ldap_simple_bind_s
11.2.5 SASL Authentication Using Oracle Extensions
11.2.5.1 ora_ldap_create_cred_hdl, ora_ldap_set_cred_props, ora_ldap_get_cred_props, and ora_ldap_free_cred_hdl
11.2.6 SASL Authentication
11.2.6.1 ora_ldap_init_SASL
11.2.7 Working With Controls
11.2.8 Closing the Session
11.2.8.1 ldap_unbind, ldap_unbind_ext, and ldap_unbind_s
11.2.9 Performing LDAP Operations
11.2.9.1 ldap_search_ext, ldap_search_ext_s, ldap_search, and ldap_search_s
11.2.9.2 Reading an Entry
11.2.9.3 Listing the Children of an Entry
11.2.9.4 ldap_compare_ext, ldap_compare_ext_s, ldap_compare, and ldap_compare_s
11.2.9.5 ldap_modify_ext, ldap_modify_ext_s, ldap_modify, and ldap_modify_s
11.2.9.6 ldap_rename and ldap_rename_s
11.2.9.7 ldap_add_ext, ldap_add_ext_s, ldap_add, and ldap_add_s
11.2.9.8 ldap_delete_ext, ldap_delete_ext_s, ldap_delete, and ldap_delete_s
11.2.9.9 ldap_extended_operation and ldap_extended_operation_s
11.2.10 Abandoning an Operation
11.2.10.1 ldap_abandon_ext and ldap_abandon
11.2.11 Obtaining Results and Peeking Inside LDAP Messages
11.2.11.1 ldap_result, ldap_msgtype, and ldap_msgid
11.2.12 Handling Errors and Parsing Results
11.2.12.1 ldap_parse_result, ldap_parse_sasl_bind_result, ldap_parse_extended_result, and ldap_err2string
11.2.13 Stepping Through a List of Results
11.2.13.1 ldap_first_message and ldap_next_message
11.2.14 Parsing Search Results
11.2.14.1 ldap_first_entry, ldap_next_entry, ldap_first_reference, ldap_next_reference, ldap_count_entries, and ldap_count_references
11.2.14.2 ldap_first_attribute and ldap_next_attribute
11.2.14.3 ldap_get_values, ldap_get_values_len, ldap_count_values, ldap_count_values_len, ldap_value_free, and ldap_value_free_len
11.2.14.4 ldap_get_dn, ldap_explode_dn, ldap_explode_rdn, and ldap_dn2ufn
11.2.14.5 ldap_get_entry_controls
11.2.14.6 ldap_parse_reference
11.3 Sample C API Usage
11.3.1 C API Usage with SSL
11.3.2 C API Usage Without SSL
11.3.3 C API Usage for SASL-Based DIGEST-MD5 Authentication
11.4 Required Header Files and Libraries for the C API
11.5 Dependencies and Limitations of the C API
12 DBMS_LDAP PL/SQL Reference
12.1 Summary of Subprograms
12.2 Exception Summary
12.3 Data Type Summary
12.4 Subprograms
12.4.1 FUNCTION init
12.4.2 FUNCTION simple_bind_s
12.4.3 FUNCTION bind_s
12.4.4 FUNCTION unbind_s
12.4.5 FUNCTION compare_s
12.4.6 FUNCTION search_s
12.4.7 FUNCTION search_st
12.4.8 FUNCTION first_entry
12.4.9 FUNCTION next_entry
12.4.10 FUNCTION count_entries
12.4.11 FUNCTION first_attribute
12.4.12 FUNCTION next_attribute
12.4.13 FUNCTION get_dn
12.4.14 FUNCTION get_values
12.4.15 FUNCTION get_values_len
12.4.16 FUNCTION delete_s
12.4.17 FUNCTION modrdn2_s
12.4.18 FUNCTION err2string
12.4.19 FUNCTION create_mod_array
12.4.20 PROCEDURE populate_mod_array (String Version)
12.4.21 PROCEDURE populate_mod_array (Binary Version)
12.4.22 PROCEDURE populate_mod_array (Binary Version. Uses BLOB Data Type)
12.4.23 FUNCTION get_values_blob
12.4.24 FUNCTION count_values_blob
12.4.25 FUNCTION value_free_blob
12.4.26 FUNCTION modify_s
12.4.27 FUNCTION add_s
12.4.28 PROCEDURE free_mod_array
12.4.29 FUNCTION count_values
12.4.30 FUNCTION count_values_len
12.4.31 FUNCTION rename_s
12.4.32 FUNCTION explode_dn
12.4.33 FUNCTION open_ssl
12.4.34 FUNCTION msgfree
12.4.35 FUNCTION ber_free
12.4.36 FUNCTION nls_convert_to_utf8
12.4.37 FUNCTION nls_convert_to_utf8
12.4.38 FUNCTION nls_convert_from_utf8
12.4.39 FUNCTION nls_convert_from_utf8
12.4.40 FUNCTION nls_get_dbcharset_name
13 Java API Reference
14 DBMS_LDAP_UTL PL/SQL Reference
14.1 Summary of Subprograms
14.2 Subprograms
14.2.1 User-Related Subprograms
14.2.1.1 Function authenticate_user
14.2.1.2 Function create_user_handle
14.2.1.3 Function set_user_handle_properties
14.2.1.4 Function get_user_properties
14.2.1.5 Function set_user_properties
14.2.1.6 Function get_user_extended_properties
14.2.1.7 Function get_user_dn
14.2.1.8 Function check_group_membership
14.2.1.9 Function locate_subscriber_for_user
14.2.1.10 Function get_group_membership
14.2.2 Group-Related Subprograms
14.2.2.1 Function create_group_handle
14.2.2.2 Function set_group_handle_properties
14.2.2.3 Function get_group_properties
14.2.2.4 Function get_group_dn
14.2.3 Subscriber-Related Subprograms
14.2.3.1 Function create_subscriber_handle
14.2.3.2 Function get_subscriber_properties
14.2.3.3 Function get_subscriber_dn
14.2.3.4 Function get_subscriber_ext_properties
14.2.4 Property-Related Subprograms
14.2.5 Miscellaneous Subprograms
14.2.5.1 Function normalize_dn_with_case
14.2.5.2 Function get_property_names
14.2.5.3 Function get_property_values
14.2.5.4 Function get_property_values_len
14.2.5.5 Procedure free_propertyset_collection
14.2.5.6 Function create_mod_propertyset
14.2.5.7 Function populate_mod_propertyset
14.2.5.8 Procedure free_mod_propertyset
14.2.5.9 Procedure free_handle
14.2.5.10 Function check_interface_version
14.2.5.11 Function get_property_values_blob
14.2.5.12 Procedure property_value_free_blob
14.3 Function Return Code Summary
14.4 Data Type Summary
15 DAS_URL Interface Reference
15.1 Directory Entries for the Service Units
15.2 Service Units and Corresponding URL Parameters
15.3 DAS URL API Parameter Descriptions
15.4 Search-and-Select Service Units for Users or Groups
15.4.1 Invoking Search-and-Select Service Units for Users or Groups
15.4.2 Receiving Data from the User or Group Search-and-Select Service Units
16 Centralized User Provisioning Java API Reference
16.1 Application Configuration
16.1.1 Application Registration and Provisioning Configuration
16.1.1.1 Application Registration
16.1.1.2 Provisioning Configuration
16.1.2 Application Configuration Classes
16.2 User Management
16.2.1 Creating a User
16.2.2 Modifying a User
16.2.3 Deleting a User
16.2.4 Looking Up a User
16.3 Debugging
16.4 Sample Code
17 Provisioning Integration PL/SQL API Reference
17.1 Versioning of Provisioning Files and Interfaces
17.2 Extensible Event Definition Configuration
17.3 Inbound and Outbound Events
17.4 PL/SQL Bidirectional Interface (Version 3.0)
17.5 PL/SQL Bidirectional Interface (Version 2.0)
17.6 Provisioning Event Interface (Version 1.1)
17.6.1 Predefined Event Types
17.6.2 Attribute Type
17.6.3 Attribute Modification Type
17.6.4 Event Dispositions Constants
17.6.5 Callbacks
17.6.5.1 GetAppEvent()
17.6.5.2 PutAppEventStatus()
17.6.5.3 PutOIDEvent()
Part III Appendixes
A Java Plug-ins for User Provisioning
A.1 Plug-in Types and Their Purpose
A.2 Plug-in Requirements
A.3 Data Entry Plug-in
A.3.1 Pre–Data-Entry Plug-in
A.3.2 Post–Data-Entry Plug-in
A.4 Data Access Plug-in
A.5 Event Delivery Plug-in
A.6 Plug-in Return Status
A.7 Configuration Template
A.8 Sample Code
B DSML Syntax
B.1 Capabilities of DSML
B.2 Benefits of DSML
B.3 DSML Syntax
B.3.1 Top-Level Structure
B.3.2 Directory Entries
B.3.3 Schema Entries
B.4 Tools Enabled for DSML
Glossary
Index