Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: question on creating LDAP user in OID

From: Laurenz Albe <invite_at_spam.to.invalid>
Date: 14 Apr 2006 09:06:44 GMT
Message-ID: <1145005603.304574@proxy.dienste.wien.at>


steve <stevenoyle1_at_yahoo.com> wrote:
> Thanks Laurenz. Makes sense but why when logging in to orcladmin, I do
> not have to specify the full DN for that user? I can also have more
> than one orcladmin user created in different "directories."

The OID directory superuser is something special, different from other users.

Let me rant a little, sorry if I am too detailed.

To be precise, there is no such thing as a 'user' in LDAP. In real life, think of a user as an entry of objectclass=person. Such entries have encrypted passwords stored along with them, and you can look at them in the Entry Management page of oidadmin.

You will notice that you cannot find an entry cn=orcladmin. This user is peculiar and for reasons unknown to me Oracle chose to implement the superuser in a different way.

The superuser is determined by two attributes of the root entry: The attribute "orclsuname" contains the name of the superuser, and the attribute "orclsupassword" contains the encrypted superuser password. You cannot view the root entry directly with oidadmin, but you can use ldapsearch to retrieve it.

After installation, the name of the superuser is set to 'cn=orcladmin'.

By trial and error I found the following:
- When you log into oidadmin, and the username has no commas and does not start with 'cn=', the 'cn=' will be magically prepended.
- However, if you want to login as cn=randomuser,dc=mydom,dc=com, you have to specify the full name with the leading 'cn='.

The bottom line: When you login as 'orcladmin' you will always be the superuser and NOT any of the other users with the same common name.

When you login at the OIDDAS self service console web application, things are quite different.
The user is identified by the 'uid' attribute there, which happens to be 'orcladmin' for the user 'cn=orcladmin,cn=Users,dc=yourdomain,dc=com' which is automatically created with your Identity Management Realm.

I hope I didn't confuse you.

Yours,
Laurenz Albe

Received on Fri Apr 14 2006 - 04:06:44 CDT
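The login-name rule described in the post above, written out as an added example (this is not code from the post or from Oracle). It resolves what oidadmin will bind as from what the user typed, flags the names that collapse onto the directory superuser, and prints the ldapsearch command for reading the superuser name from the root entry. The superuser name 'cn=orcladmin' is the post-installation default the post names; the host, port, bind DN and the OID_SU_PASSWORD variable are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. oidadmin prepends 'cn=' to a
# bare name with no commas, so typing 'orcladmin' always yields the superuser
# name held in the root entry's orclsuname attribute, never the ordinary
# entry cn=orcladmin,cn=Users,... that comes with the Identity Management Realm.

# Resolve the name oidadmin will bind as, given what the user typed.
# 'cn=' is matched case-insensitively here (a mild generalization of the post).
resolve_oidadmin_login() {
    name=$1
    case $name in
        *,*)          printf '%s\n' "$name" ;;     # contains a comma: taken as a full DN
        [Cc][Nn]=*)   printf '%s\n' "$name" ;;     # already carries the leading cn=
        *)            printf 'cn=%s\n' "$name" ;;  # bare name: cn= is prepended
    esac
}

# Does a typed login name collapse onto the directory superuser?
# Second argument is the superuser name; default is the post-install value.
# Comparison is case-insensitive, as LDAP matching for cn is.
is_superuser_login() {
    resolved=$(resolve_oidadmin_login "$1" | tr 'A-Z' 'a-z')
    su=$(printf '%s' "${2:-cn=orcladmin}" | tr 'A-Z' 'a-z')
    [ "$resolved" = "$su" ]
}

# Print (do not run) the ldapsearch that reads orclsuname from the root
# entry: empty base DN, base scope, as the post suggests. Host and port
# are placeholders; the password comes from the environment, not argv.
root_entry_query() {
    host=${1:-oid.example.com}   # placeholder
    port=${2:-389}               # placeholder
    printf 'ldapsearch -h %s -p %s -D cn=orcladmin -w "$OID_SU_PASSWORD" -b "" -s base "objectclass=*" orclsuname\n' "$host" "$port"
}

# Stand-alone use: sh resolve.sh <typed-login-name>
if [ "${1:-}" != "" ]; then
    if is_superuser_login "$1"; then
        echo "'$1' logs in as the OID superuser ($(resolve_oidadmin_login "$1"))"
    else
        echo "'$1' logs in as ordinary entry $(resolve_oidadmin_login "$1")"
    fi
    echo "Check the configured superuser name with:"
    root_entry_query
fi
```

Running it with 'orcladmin' and with 'cn=orcladmin,cn=Users,dc=yourdomain,dc=com' shows the two different identities the post distinguishes; the second never reaches the superuser.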

