Oracle Internet Directory Administrator's Guide Release 9.0.2 Part Number A95192-01
Many Oracle components use Oracle Internet Directory for a variety of purposes. In doing this, they rely on a consolidated Oracle Internet Directory schema and a default Directory Information Tree (DIT). This chapter:
This chapter contains these topics:
Oracle Internet Directory enables Oracle components to:
This chapter considers two general types of environment:
Directory schema and DIT requirements are defined with enough flexibility to accommodate both deployment models.
To make it easy for you to start using Oracle components that use the directory, Oracle Universal Installer creates a default schema and directory information tree (DIT) during Oracle Internet Directory installation. This default DIT framework is the same for both hosted and non-hosted environments. It is flexible; you can modify it to suit the needs of your deployment.
During Oracle Internet Directory installation, the Oracle Universal Installer creates:
The root Oracle context includes:
Figure 15-1 shows the organization of the root Oracle context.
Some of the discovery-related information stored at the root Oracle context includes:
(orclSubscriberSearchBase)
This attribute identifies the node in the DIT under which all the subscribers are placed. This attribute becomes particularly important in the hosted scenario because it provides a common point for all the products to locate a subscriber. For example, in Figure 15-1, Subscriber serves as the search base for locating a subscriber. In a non-hosted environment, the value of this attribute points to the parent of the default subscriber.
(orclSubscriberNickNameAttribute)
This attribute identifies the nickname attribute to be used when searching for a subscriber under the subscriber search base. For example, because a subscriber is typically represented as an organization, the attribute o can be used as the nickname attribute.
(orclDefaultSubscriber)
This attribute points to the default subscriber node in the DIT.
In both hosted and non-hosted scenarios, a component finds the correct node in the DIT by using the orclSubscriberSearchBase and orclSubscriberNickNameAttribute attributes. Once the component finds the appropriate subtree, it obtains the subscriber-specific information it needs from the Oracle context in that subtree.
For example, Oracle9iAS Single Sign-On uses this framework for authenticating a user in a hosted scenario. When a user logs in, Oracle9iAS Single Sign-On prompts the user for a subscriber. Then, when it looks for an entry, the Oracle9iAS Single Sign-On server finds the correct subscriber node in the DIT by using the orclSubscriberSearchBase and orclSubscriberNickNameAttribute attributes. Once it learns where the subscriber-specific information resides, it then looks in the subscriber-specific Oracle context to find the location of the user.
If a client does not specify a subscriber, then Oracle Internet Directory assumes that the user is looking for information in the default subscriber subtree.
A subscriber-specific Oracle context includes:
Figure 15-2 shows the organization of a subscriber-specific Oracle context.
Figure 15-2 shows subscriber-wide information in the directory for an Oracle component and information common to all components. It illustrates two aspects:
The Common entry in the subscriber-specific Oracle context contains information for locating users and groups. Specifically, it includes:
(orclCommonUserSearchBase)
This attribute specifies the node in the subscriber DIT under which all the users are placed. For example, in Figure 15-2, users serves as the search base while searching for a user in a subscriber.
(orclCommonUserNickNameAttribute)
This attribute specifies the nickname attribute to be used when searching for a user under the user search base. For example, when a user logs in, Oracle9iAS Single Sign-On prompts the user for the value of this attribute.
(orclCommonGroupSearchBase)
This attribute specifies the node in the subscriber DIT under which all the groups can be found.
(orclUserObjectClass)
This attribute specifies a list of object classes to be used when creating user entries under the subscriber tree--for example, person, organizationalPerson, inetOrgPerson, orclUser, and so on. For example, the Delegated Administration Service uses this attribute in configuring users.
In a hosted scenario, you might dedicate a particular instance of a component to multiple subscribers. For example, each subscriber might have its own instance of the Oracle9iAS Portal component. In this case, the instance information and other data required by each individual subscriber is stored in each subscriber's Oracle context. General information required by all subscribers is stored in the root Oracle context.
In Figure 15-2, the dotted line between the user and the subscriber shows some of the flexibility with which you can organize a subscriber subtree. You can create and store user data in different ways--for example, you can store it:
As Figure 15-3 shows, you are not required to create a subscriber's users under the subscriber node itself. The orclCommonUserSearchBase attribute in the Common entry for each subscriber-specific Oracle context points to the node containing the user data--in Figure 15-3, it is dc=myCompany,dc=com. This enables subscribers to keep the DNs they may already have, without having to migrate them to a different DIT structure.
Figure 15-4 shows the DIT for a default subscriber in a non-hosted environment.
During an Oracle Internet Directory installation, Oracle Universal Installer determines the domain information for the site where it is installing Oracle Internet Directory. It establishes the default DIT structure based on this information. For example, if Oracle Internet Directory is installed at My_Company.com, then Oracle Universal Installer creates the following nodes in the DIT:
Com in the above figure
User and Group containers under the default subscriber node--in this example, My_Company.com
If you use the default DIT for your enterprise, then you do not need to configure anything at the root Oracle context. Instead, depending on the structure of the subtree that your deployment uses, you simply do the following:
Common container under cn=Products,cn=Oracle Context,o=GM.
Create user entries in the Users container, and group entries in the Groups container, both of which reside immediately below the default subscriber node.
In a hosted environment, you would create subscribers at the same level in the DIT as the default subscriber node itself.
As part of default DIT creation, a seed user is also created to help bootstrap using the Delegated Administration Service and other tools. The user is identified by the following DN: cn=orclAdmin,cn=users,cn=my_company, dc=com. The initial password for the user is the same as the Oracle Internet Directory super user (cn=orcladmin) password. By default, this user is allowed to create, delete, and edit users under the cn=Users container or create, delete, and edit groups under the cn=Groups container.
The user also has permission to change the Delegated Administration Service configuration in Oracle Internet Directory. By using this seed user identity, the administrator can use the Delegated Administration Service to create users and groups, and thereby bootstrap the entire directory environment.
Copyright © 1999, 2002 Oracle Corporation. All Rights Reserved.