Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2)
B14013-02

7 Configuring the LDAP-Based Provider

This chapter discusses configuring OC4J to use the Oracle Internet Directory (OID) LDAP-based provider. It contains the following sections:

Some LDAP properties affect the entire OC4J instance; these properties are discussed in "Specifying OracleAS JAAS Provider Settings" .

Preparing to Use LDAP

You normally associate OC4J with infrastructure at the time of installation. However, you can also associate OC4J with infrastructure using Oracle Enterprise Manager 10g Application Server Control Console. See the Oracle Enterprise Manager 10g help topic "Application Server Infrastructure Page".

When you associate an OC4J instance with an Oracle Application Server Infrastructure (including the Oracle Internet Directory), your application can leverage the LDAP-based provider for central management of users.

Creating Administrative Users and Groups

Before using the LDAP-based provider, you must set up certain users, groups, and permissions in Oracle Delegated Administration Services, and then grant these users and groups the appropriate permissions.

If you specify the LDAP-based provider globally in the ORACLE_HOME/j2ee/instance_name/config/application.xml configuration file, then you must also create an anonymous user, as discussed in "Creating an anonymous User Using ldapmodify". Under normal conditions, you do not need to modify application.xml. The principal reason to do so is to configure the default application in an OC4J instance to use the LDAP-based provider as the user manager. The default application is a system application created by OC4J for internal use. (See the deployment and configuration overview in the Oracle Application Server Containers for J2EE Servlet Developer's Guide for information about the OC4J default application.)

Creating Users Using LoadOidData

You can set up the appropriate groups and users by using the tool oracle.security.jazn.util.LoadOidData, which is part of the jazncore library supplied in the ORACLE_HOME directory. You run the tool with the command line:

java -cp ./jazncore.jar oracle.security.jazn.util.LoadOidData 

The syntax for this tool is:

LoadOidData [-h ldaphost] [-p ldapport] [-D binddn] [-w passwd]
            [-f filename] [-oc4jAdminPwd passwd] [-ignoreError true|false]

The supported options are:

  • -h ldaphost for the LDAP host name

  • -p ldapport for the port of the LDAP server

  • -D binddn for the distinguished name for the Oracle Internet Directory administrator

  • -w password for the password of the Oracle Internet Directory administrator

  • -f filename for the file containing the entries to be loaded, which is the following:

    ORACLE_HOME/j2ee/instance_name/jazn/install/oidConfigForOc4j.sbs

  • -oc4jAdminPwd password for the password that will be assigned to the OC4J administrator

  • -ignoreError boolean to specify whether the tool continues after reporting an error (if true) or stops as soon as it encounters an error (if false).

For example, assume the password for the Oracle database administrator is welcome1 and the password for the OC4J administrative user is welcome2. The command line (assuming $J2EE_HOME is ORACLE_HOME/j2ee/home) would be:

java -cp $J2EE_HOME/jazncore.jar oracle.security.jazn.util.LoadOidData 
     -h oidhost -p oidport -D cn=orcladmin -w welcome1 
     -f $J2EE_HOME/jazn/install/oidConfigForOc4j.sbs -oc4jAdminPwd welcome2 

After you run this tool, your default Oracle Identity Management realm will contain the following:

  • An administrators group

  • An administrative user that is a member of the administrators group

The administrators group will have the following permissions:

  • oracle.j2ee.server.AdministrationPermission ("administration")

  • oracle.j2ee.server.rmi.RMIPermission("login")

Finally, you must set the ldap.user property to admin and the ldap.password property to the appropriate password, as discussed in "Configuring LDAP SSL Properties".

Creating an anonymous User Using ldapmodify

You create an anonymous user by creating an LDIF (lightweight directory interchange format) file, then supplying the LDIF file as input to the ldapmodify tool. An appropriate LDIF file is shown in Example 7-1. Note that you must replace yourDistinguishedName with the distinguished name of the default identity management realm.

Example 7-1 An anony.ldif file to Create anonymous User

dn: cn=anonymous, cn=Users, yourDistinguishedName
changetype: add
uid: anonymous
givenName: anonymous
cn: anonymous
sn: anonymous
description: This entry is used as the identification for unauthenticated users.
orclisenabled: disabled
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: orcluser
objectClass: orcluserV2

After you have created your anony.ldif file, use the ldapmodify command to add the anonymous user. The syntax for this command is:

ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w password -h hostname -p port \
                           -f anony.ldif

When you issue this command, replace password, hostname, and port with the password, host name, and port for your installation.


Note:

The anonymous account is a special user account created in the Oracle Internet Directory server for OC4J server use only. Because this account is created without a password, it cannot be used by an end user to log in to applications.

LDAP-Based Provider Environment Variables

Before beginning development, you must ensure that the operating-system-specific environment variable controlling loading of dynamic libraries (for example, LD_LIBRARY_PATH in Solaris) is set appropriately. See Table 2-5, "Dynamic Library Path Settings" for details.

When you manage OC4J with Oracle Enterprise Manager, it sets this variable automatically.

Creating LDAP Users and Groups

To create users and groups when using the LDAP-based provider, you use the Oracle Delegated Administration Services tools. For details, see Oracle Identity Management Guide to Delegated Administration.