External Accounts Integration  Locate

During database installation or by employing the Setup tool, you may choose to use accounts from external repositories. This chapter describes how to integrate accounts from an LDAP server and from non-LDAP user stores into Oracle Service Registry.

An LDAP server can be integrated with Oracle Service Registry with these scenarios:

This chapter also contains the following configuration examples:

[Note]Note

Oracle Service Registry treats external stores as read-only. User account properties stored in these external stores cannot be modified by Oracle Service Registry.

[Important]Important

The Administrator account must not be stored in the LDAP. We strongly recommend that users stored in account_list.xml (by default, only administrator) should not be in the LDAP. If you really need to have users from LDAP in the file account_list.xml, delete password items from the file and change of all the accounts' properties according to the LDAP. The account_list.xml file contains a list of users that can be logged into a registry without connection to the database.

To integrate external accounts from another repository, either:

Figure 26. Setup Select Authentication Account Provider

Setup Select Authentication Account Provider

For more information on the Setup tool, please see Reconfiguring After Installation.

LDAP  Locate

Select LDAP on the Account Provider panel.

Enter the following settings:

Figure 27. LDAP Service

LDAP Service

Oracle Service Registry uses a JNDI interface to connect to LDAP servers. The following JNDI properties must be known to the server. (The default properties are noted in parentheses.)

Java naming provider URL

A URL string for configuring the service provider specified by the "Java naming factory initial" property. (ldap://hostname:389).

Initial Naming Factory

Class name of the initial naming factory. (com.sun.jndi.ldap.LdapCtxFactory).

Security Principal

The name of the principal for anonymous read access to the directory service.

Password

Password of security principal.

Security Protocol

Name of the security protocol. (simple)

Figure 28. LDAP Usage Scenarios

LDAP Usage Scenarios

You can select the following LDAP usage scenarios:

LDAP with a single search base

The scenario is very simple. There is only one LDAP server in this scenario. All identities are stored under a single search base.

LDAP with multiple search bases

In this scenario there is also only one LDAP server, but it has multiple search bases mapped to a domain. The domain is a specified part of user's login name (that is, DOMAIN/USERNAME). All users must specify the domain name in the login dialog. During the managing with accounts or groups it is recommended to use DOMAIN/USERNAME because of performance. If no domain is set then search is performed across all domains.

Domains can be specified dynamically or statically. For dynamic settings it is necessary to specify, for example, a domain prefix or postfix. Static domains are set during the installation directly and so they must be known in time of installation.

Multiple LDAP services

More than one LDAP service are used in this scenario. The correct LDAP service is chosen via DNS. As in the previous scenario, users must specify a domain name during login. When managing accounts or groups users have to set domain name. If domain name is not specified then no domain is processed.

[Note]Note

Automatic discovery of the LDAP service using the URL's distinguished name is supported only in Java 2 SDK, versions 1.4.1 and later, so be sure of the Java version you are using.

The automatic discovery of LDAP servers allows you not to hardwire the URL and port of the LDAP server. For example, you can use ldap:///o=JNDITutorial,dc=example,dc=com as a URL and the real URL will be deduced from the distinguished name o=JNDITutorial,dc=example,dc=com.

Oracle Service Registry integration with LDAP uses the JNDI API. For more information, see http://java.sun.com/products/jndi/tutorial/ldap/connect/create.html and http://java.sun.com/j2se/1.4.2/docs/guide/jndi/jndi-dns.html#URL

LDAP with a Single Search Base  Locate

The installation consists of the following steps:

  1. Specify user/account search properties as shown in Figure 29.

  2. Map Registry user properties to LDAP properties as shown in Figure 30.

  3. Specify group search properties as shown in Figure 31.

  4. Map Registry group properties to LDAP properties as shown in Figure 32.

Figure 29. User Search Properties

User Search Properties

Field description:

Search Filter

The notation of the search filter conforms to the LDAP search notation. You can specify the LDAP node property that matches the user account.

Search Base

LDAP will be searched from this base including the current LDAP node and all possible child nodes.

Search Scope

Here you can specify how deep the LDAP tree structure's data will be searched.

  • Object Scope - Only the search base node will be searched.

  • One-level Scope - Only direct sub-nodes of the search base (entries one level below the search base) will be searched. The base entry is not included in the scope.

  • Subtree Scope - Search base and all its sub-nodes will be searched.

Results Limit

Number of items returned when searching LDAP.

Figure 30. User Properties Mapping

User Properties Mapping

You can specify mapping between Oracle Service Registry user account properties and LDAP properties. You can add rows by clicking Add. To edit an entry, double click on the value you wish to edit.

The following user account properties can be mapped from an LDAP server:

java.lang.String loginName
java.lang.String email
java.lang.String fullName
java.lang.String languageCode
java.lang.String password
java.lang.String description
java.lang.String businessName
java.lang.String phone
java.lang.String alternatePhone
java.lang.String address
java.lang.String city
java.lang.String stateProvince
java.lang.String country
java.lang.String zip
java.util.Date expiration
java.lang.Boolean expires
java.lang.Boolean external
java.lang.Boolean blocked
java.lang.Integer businessesLimit
java.lang.Integer servicesLimit
java.lang.Integer bindingsLimit
java.lang.Integer tModelsLimit
java.lang.Integer assertionsLimit
java.lang.Integer subscriptionsLimit

[Important]Important

The Registry account property dn specifies the LDAP distinguished name. The value depends on the LDAP vendor.

  • On the Sun ONE Directory Server, the value is entryDN

  • On Microsoft Active Directory, the value is distinguishedName

If an optional property (such as email) does not exist in the LDAP, then the property's value is set according to the default account. The default account is specified in the config file whose name is account_core.xml.

[Note]Note

User account properties that you specify at the Figure 30 will be treated as read-only from Registry Control and registry APIs.

For more information, please see Developer's Guide, userAccount data structure .

Figure 31. Group Search Properties

Group Search Properties

Field description:

Search Filter

The notation of the search filter conforms to LDAP search notation. You can specify the LDAP node property that matches the group.

Search Base

LDAP, including the current LDAP node and possible all child nodes, will be searched from this base.

Search Scope

Here you can specify how deep the LDAP tree structure data will be searched.

  • Object Scope - Only the search base node will be searched.

  • One-level Scope - Search base and its direct sub-nodes will be searched.

  • Subtree Scope - Search base and all its sub-nodes will be searched.

Figure 32. Group Properties Mapping

Group Properties Mapping

You can specify mapping between Oracle Service Registry group properties and LDAP properties. You can add rows by clicking Add. To edit an entry, double click on the value you wish to edit.

If a property (such as description) does not exist in the LDAP then property value is set according to the default group. The default group (groupInfo) is specified in the config file whose name is group.xml.

For more information, please see Developer's Guide, group data structure

LDAP with Multiple Search Bases  Locate

The installation consists of the following steps:

  1. Specify the domain delimiter, domain prefix and postfix as shown in Figure 33.

  2. Enable/Disable domains as shown in Figure 34.

  3. Specify User Search properties as shown in Figure 29.

  4. Map Registry user properties to LDAP properties as shown in Figure 30.

  5. Specify group search properties as shown in Figure 31.

  6. Map Registry group properties to LDAP properties as shown in Figure 32

Figure 33. Domain Delimiter

Domain Delimiter

Field descriptions:

Domain Delimiter

Specifies the character that delimits domain and user name. When left empty, users are searched from all domains.

Domain Prefix, Domain Postfix

Domains are searched using the following pattern: {domain prefix}domain_name{domain postfix}{search base}

where {domain prefix} is value of property whose name is domain prefix, {domain postfix} is value of property whose name is domain postfix and {searchbase} is value of property whose name is searchbase.

Figure 34. Enable/Disable Domains

Enable/Disable Domains
Enable Domains

Left column: domain name that users will be using during login. Right column: distinguished domain name.

Disable Domains

Enter distinguished domain name of domains you wish to disable.

Multiple LDAP Services  Locate

The correct LDAP service is chosen via DNS. The installation consists of the following steps:

  1. Specify user/account search properties as shown in Figure 29.

  2. Map Registry user properties to LDAP properties as shown in Figure 30.

  3. Specify group search properties as shown in Figure 31.

  4. Map Registry group properties to LDAP properties as shown in Figure 32.

LDAP over SSL/TLS  Locate

It is only a matter of configuration to setup LDAP over SSL (or TLS) with a directory server of your choice. We recommend that you first install Oracle Service Registry with a connection to LDAP that does not use SSL. You can then verify the configuration by logging in as a user defined in this directory before configuring use of SSL.

The configuration procedure assumes that you have already installed Oracle Service Registry with an LDAP account provider. Oracle Service Registry must not be running.

LDAP over SSL Without Client Authentication  Locate

In this case only LDAP server authentication is required. This is usually the case.

Edit the REGISTRY_HOME/app/uddi/conf/directory.xml file in one of the following ways depending on the version of Java used to run Oracle Service Registry:

  • If Oracle Service Registry will always be running with Java 1.4.2 or later:

    1. Change the java.naming.provider.url property to use the ldaps protocol and the port on which the directory server accepts SSL/TLS connections. For example ldaps://sranka.in.idoox.com:636;

  • Otherwise, if Oracle Service Registry may be run with a Java version less than 1.4.2:

    1. Change the java.naming.provider.url property to the appropriate URL using the ldap protocol. For example ldap://sranka.in.idoox.com:636;

    2. Add a new property, after the java.naming.provider.url property, with name java.naming.security.protocol and value ssl;

This is shown in the following example:

Example 1. Directory configuration

<config name="directory" savingPeriod="5000">
  <directory>
    <!-- LDAP over (SSL/TLS) unprotected connection -->
    <!--
    <property name="java.naming.provider.url" value="ldap://hostname:47361"/>
    -->
    <!-- LDAP over SSL/TLS for Java 1.4.2 and later -->
    <!--
    <property name="java.naming.provider.url" value="ldaps://hostname:636"/>
    -->
    <!-- LDAP over SSL/TLS for Java where LDAP over SSL is supported -->
    <property name="java.naming.provider.url" value="ldap://hostname:636"/>
    <property name="java.naming.security.protocol" value="ssl"/>
    ...
    ...
    ...
  </directory>
</config>

In both cases, be sure that the hostname specified in the java.naming.provider.url property matches the name that is in the directory server certificate's subject common name (CN part of certificate's Subject). Otherwise you will get an exception during startup of Oracle Service Registry. It will inform you of a hostname verification error. The stacktrace contains the hostname that you must use.

LDAP over SSL With Mutual Authentication  Locate

Oracle Service Registry does not support LDAP over SSL with mutual authentication.

Ensuring Trust of the LDAP Server  Locate

The client that connects to the SSL/TLS server must trust the server certificate in order to establish communication with that server. The configuration of LDAPS explained above inherits the default rule for establishing trust from JSSE (the Java implementation of SSL/TLS). This is based on trust stores.

When a trust store is needed to verify a client/server certificate, it is searched for in the following locations in order:

  1. The file specified by the javax.net.ssl.trustStore system property, if defined;

  2. Otherwise the file JAVA_HOME\jre\lib\security\jssecacerts if it exists;

  3. Otherwise the file JAVA_HOME\jre\lib\security\cacerts if it exists;

It is recommended to use the first option to define a trust store specifically for the application you are running. In this case, you have to change the command that starts the registry (or the JVM environment of the ported registry) to define the following Java system properties:

PropertyDescription

javax.net.ssl.trustStore

Absolute path of your trust store file.

javax.net.ssl.trustStorePassword

Password for the trust store file.

To ensure that the server certificate is trusted, you have to:

  1. Contact the administrator of the LDAP server and get the certificate of the server or the certificate of the authority that signed it;

  2. Import the certificate into the trust store of your choice using the Java keytool:

    keytool -import -trustcacerts -alias alias -file file -keystore keystore -storepass storepass
                            

    where the parameters are as follows:

    alias

    A mandatory, unique alias for the certificate in the trust store;

    The file containing the certificate (usually with .crt extension);

    The keystore file of your choice;

    A password designed to protect the keystore file from tampering. Java level keystores (cacerts and jssecacerts) usually require the password changeit;

    file

    The file containing the certificate (usually with .crt extension);

    The keystore file of your choice;

    A password designed to protect the keystore file from tampering. Java level keystores (cacerts and jssecacerts) usually require the password changeit;

    keystore

    The keystore file of your choice;

    A password designed to protect the keystore file from tampering. Java level keystores (cacerts and jssecacerts) usually require the password changeit;

    storepass

    A password designed to protect the keystore file from tampering. Java level keystores (cacerts and jssecacerts) usually require the password changeit;

LDAP Configuration Examples  Locate

Oracle Internet Directory with Single Search Base  Locate

In this example, we show how to configure an Oracle Internet Directory under the LDAP Single Search Base scenario.

Oracle Internet Directory with Single Search Base shows user properties that are stored in the LDAP server.

Figure 35. User Properties in LDAP

User Properties in LDAP

Oracle Internet Directory with Single Search Base shows group properties that are stored in the LDAP server.

Figure 36. Group Properties in LDAP

Group Properties in LDAP

The following table shows how to configure Oracle Service Registry using this scenario.

Config PropertyConfig ValueSee
Java naming provider URLldap://localhost:389Figure 27
Initial Naming Factorycom.sun.jndi.ldap.LdapCtxFactoryFigure 27
Security Principalcn=Joe Patroni,cn=Users,ou=uddi,dc=in,dc=idoox,dc=comFigure 27
Security ProtocolsimpleFigure 27
User Properties   
Search FilterobjectClass=personFigure 29
Search Basecn=Users,dc=in,dc=idoox,dc=comFigure 29
Search ScopeSubtree ScopeFigure 29
Result Limit100Figure 29
telephoneNumberphoneFigure 30
uidloginNameFigure 30
cnfullNameFigure 30
mailemailFigure 30
Group Properties   
Search FilterobjectClass=groupofuniquenamesFigure 31
Search Basecn=Groups,dc=in,dc=idoox,dc=comFigure 31
Search ScopeSubtree ScopeFigure 31
Result Limit100Figure 31
creatorsNameownerFigure 32
descriptiondescriptionFigure 32
uniqueMembermemberFigure 32
cnnameFigure 32
SUN One with Single Search Base  Locate

In this example, we show how to configure a Sun One Directory Server 5.2 under the LDAP Single Search Base scenario.

SUN One with Single Search Base shows user properties that are stored in the LDAP server.

Figure 37. User Properties in LDAP

User Properties in LDAP

SUN One with Single Search Base shows group properties that are stored in the LDAP server.

Figure 38. Group Properties in LDAP

Group Properties in LDAP

The following table shows how to configure Oracle Service Registry using this scenario.

Config PropertyConfig ValueSee
Java naming provider URLldap://localhost:389Figure 27
Initial Naming Factorycom.sun.jndi.ldap.LdapCtxFactoryFigure 27
Security Principaluid=JPatroni,ou=people,dc=in,dc=idoox,dc=comFigure 27
Security ProtocolsimpleFigure 27
User Properties   
Search FilterobjectClass=personFigure 29
Search Baseou=people,dc=in,dc=idoox,dc=comFigure 29
Search ScopeSubtree ScopeFigure 29
Result Limit100Figure 29
telephoneNumberphoneFigure 30
uidloginNameFigure 30
cnfullNameFigure 30
mailemailFigure 30
Group Properties   
Search FilterobjectClass=groupofuniquenamesFigure 31
Search Baseou=groups,dc=in,dc=idoox,dc=comFigure 31
Search ScopeSubtree ScopeFigure 31
Result Limit100Figure 31
creatorsNameownerFigure 32
descriptiondescriptionFigure 32
uniqueMembermemberFigure 32
cnnameFigure 32
Sun One with Multiple Search Bases  Locate

In this example, we show how to configure Sun One Directory Server 5.2 with multiple search bases. In Figure 40, you can see users and domains that are stored on the LDAP server. We want to configure the LDAP integration with Oracle Service Registry in this way:

  • Only users from domain1 and domain10 can log into Oracle Service Registry. LDAP domain2 will be disabled.

  • LDAP domain10 will be mapped to the domain3 user group in Oracle Service Registry.

Figure 40 shows how users from LDAP are mapped to Oracle Service Registry

Figure 39. LDAP Users and Groups

LDAP Users and Groups

Figure 40. Registry Users

Registry Users

The following table shows how to configure Oracle Service Registry using this scenario.

Config PropertyConfig valueSee
Java naming provider URLldap://localhost:1000Figure 27
Initial Naming Factorycom.sun.jndi.ldap.LdapCtxFactoryFigure 27
Security Principaluid=JPatroni,ou=people,dc=in,dc=idoox,dc=comFigure 27
Security ProtocolsimpleFigure 27
uddi.ldap.domain.delimiter/Figure 33
uddi.ldap.domain.prefixou=Figure 33
uddi.ldap.domain.postfixleave emptyFigure 33
Enable domains  
domain namedomain3Figure 34
Distinguished nameou=domain10,ou=example,dc=in,dc=idoox,dc=comFigure 34
Disable domains  
Distinguished nameou=domain2,ou=example,dc=in,dc=idoox,dc=comFigure 34
User Properties   
Search FilterobjectClass=personFigure 29
Search Baseou=people,dc=in,dc=idoox,dc=comFigure 29
Search ScopeSubtree ScopeFigure 29
Result Limit100Figure 29
telephoneNumberphoneFigure 30
uidloginNameFigure 30
cnfullNameFigure 30
mailemailFigure 30
Group Properties   
Search FilterobjectClass=groupofuniquenamesFigure 31
Search Baseou=groups,dc=in,dc=idoox,dc=comFigure 31
Search ScopeSubtree ScopeFigure 31
Result Limit100Figure 31
creatorsNameownerFigure 32
descriptiondescriptionFigure 32
uniqueMembermemberFigure 32
cnnameFigure 32
Active Directory with Single Search Base   Locate

In this example, we show how to configure an Active Directory with a single search base. Figure 41 shows group properties that are stored in the Active Directory. These group properties will be mapped to Oracle Service Registry as shown in Figure 42.

Figure 41. LDAP User Group

LDAP User Group

Figure 42. User Group in Oracle Service Registry

User Group in Oracle Service Registry

Figure 43 shows user properties that are stored in the Active Directory. These user properties will be mapped to Oracle Service Registry as shown in Figure 42.

Figure 43. LDAP User Properties

LDAP User Properties

Figure 44. User Properties in Oracle Service Registry

User Properties in Oracle Service Registry

The following table shows how to configure Oracle Service Registry using this scenario.

Config PropertyConfig valueSee
Java naming provider URLldap://localhost:389Figure 27
Initial Naming Factorycom.sun.jndi.ldap.LdapCtxFactoryFigure 27
Security PrincipalCN=userx,OU=root,DC=registry,DC=in,DC=mycompany,DC=comFigure 27
Security ProtocolDIGEST-MD5Figure 27
User Properties   
Search FilterobjectClass=personFigure 29
Search Baseou=example,dc=registry,dc=in,dc=mycompany,dc=comFigure 29
Search ScopeSubtree ScopeFigure 29
Result Limit100Figure 29
sAMAccountNameloginNameFigure 30
cnfullNameFigure 30
mailemailFigure 30
telephoneNumberphoneFigure 30
Group Properties   
Search FilterobjectClass=groupFigure 31
Search Baseou=example,dc=registry,dc=in,dc=mycompany,dc=comFigure 31
Search ScopeSubtree ScopeFigure 31
Result Limit100Figure 31
membermemberFigure 32
cnnameFigure 32
uniqueMembermemberFigure 32
cnnameFigure 32

Custom (Non-LDAP)  Locate

Select External on the Advanced Account Settings panel.

External accounts require implementation of the interface org.systinet.uddi.account.ExternalBackendApi.