<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <meta http-equiv="Content-Language" content="en" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta http-equiv="Content-Script-Type" content="text/javascript" /> <meta name="robots" content="all" scheme="http://www.robotstxt.org/" /> <meta name="generator" content="Oracle DARB XHTML Converter (Mode = document) - Version 5.1" /> <meta name="Date" content="2010-03-05T15:45:38Z" /> <meta name="doctitle" content="Oracle® Database Platform Guide 11g Release 2 (11.2) for Microsoft Windows" /> <meta name="partno" content="E10845-01" /> <meta name="docid" content="NTQRF" /> <link rel="Start" href="../../index.htm" title="Home" type="text/html" /> <link rel="Copyright" href="../../dcommon/html/cpyr.htm" title="Copyright" type="text/html" /> <link rel="Stylesheet" href="../../dcommon/css/blafdoc.css" title="Default" type="text/css" /> <script type="text/javascript" src="../../dcommon/js/doccd.js"> </script> <link rel="Contents" href="toc.htm" title="Contents" type="text/html" /> <link rel="Index" href="index.htm" title="Index" type="text/html" /> <link rel="Glossary" href="glossary.htm" title="Glossary" type="text/html" /> <link rel="Prev" href="pki.htm" title="Previous" type="text/html" /> <link rel="Next" href="specs.htm" title="Next" type="text/html" /> <link rel="alternate" href="../e10845.pdf" title="PDF version" type="application/pdf" /> <title>Using Oracle Database with Microsoft Active Directory</title> </head> <body> <div class="header"> <div class="zz-skip-header"><a name="top" id="top" href="#BEGIN">Skip Headers</a></div> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <tr> <td align="left" valign="top"><b>Oracle® Database Platform Guide<br /> 
11<i>g</i> Release 2 (11.2) for Microsoft Windows</b><br /> Part Number E10845-01</td> </tr> </table> <hr /> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <tr> <td align="right" valign="top" style="font-size: 90%"><a href="../e10845.pdf">View PDF</a></td> </tr> 
</table> <a name="BEGIN" id="BEGIN"></a></div> <div class="IND"><!-- End Header --><a id="BGBEIIDH" name="BGBEIIDH"></a><a id="NTQRF270" name="NTQRF270"></a> <h1 class="chapter"><span class="secnum">13</span> Using Oracle Database with Microsoft Active Directory</h1> <p>This chapter describes how to configure and use Microsoft Active Directory as the LDAP directory.</p> <p>This chapter contains these topics:</p> <ul> <li> <p><a href="#CDEFFHAD">Microsoft Active Directory Support</a></p> </li> <li> <p><a href="#CDEJEBFF">Oracle Components That Integrate with Active Directory</a></p> </li> <li> <p><a href="#CDECHCBC">Requirements for Using Oracle Database with Active Directory</a></p> </li> <li> <p><a href="#CDEHBHIG">Configuring Oracle Database to Use Active Directory</a></p> </li> <li> <p><a href="#CDEFGFAC">Testing Connectivity</a></p> </li> <li> <p><a href="#CDEJFHDG">Access Control List Management for Oracle Directory Objects</a></p> </li> </ul> <a id="CDEFFHAD" name="CDEFFHAD"></a><a id="NTQRF364" name="NTQRF364"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Microsoft Active Directory Support</h2> <p>This section describes how Microsoft Active Directory is used as an LDAP directory server by Oracle Database.</p> <p>This section contains these topics:</p> <ul> <li> <p><a href="#CDEGAJEF">About Microsoft Active Directory</a></p> </li> <li> <p><a href="#BGBGIJCC">Accessing Active Directory</a></p> </li> </ul> <a id="CDEGAJEF" name="CDEGAJEF"></a><a id="NTQRF365" name="NTQRF365"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">About Microsoft Active Directory</h3> <p>Active Directory is the LDAP-compliant directory server included with Windows server operating systems. Active Directory stores all Windows operating system information, including users, groups, and policies. 
Active Directory also stores information about network resources (such as databases) and makes this information available to application users and network administrators. Active Directory enables users to access network resources with a single login. The scope of Active Directory can range from storing all the resources of a small computer network to storing all the resources of several wide area networks (WANs).</p> </div> <!-- class="sect2" --> <a id="BGBGIJCC" name="BGBGIJCC"></a><a id="NTQRF366" name="NTQRF366"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Accessing Active Directory</h3> <p>When using Oracle features that support Active Directory, ensure that the Active Directory computer (the domain controller) can be reached using all possible TCP/IP host name forms. For example, if the host name of the domain controller is <code>server1</code> in the domain <code>example.com</code>, then ensure that you can ping that computer using all of the following:</p> <ul> <li> <p><code>server1.example.com</code></p> </li> <li> <p><code>example.com</code></p> </li> <li> <p><code>server1</code></p> </li> </ul> <p>Active Directory often issues referrals back to itself in one or more of these forms, depending upon the operation being performed. 
If any of the forms cannot reach the Active Directory computer, then some LDAP operations may fail.</p> </div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="CDEJEBFF" name="CDEJEBFF"></a><a id="NTQRF367" name="NTQRF367"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Oracle Components That Integrate with Active Directory</h2> <p>The following Oracle Database features support or have been specifically designed to integrate with Active Directory:</p> <ul> <li> <p><a href="#CDECEIGE">Directory Naming</a></p> </li> <li> <p><a href="#CDECDBHF">Automatic Discovery of Directory Servers</a></p> </li> <li> <p><a href="#CDEIJECD">Integration with Windows Tools</a></p> </li> <li> <p><a href="#CDEEEEBE">User Interface Extensions for Oracle Net Directory Naming</a></p> </li> <li> <p><a href="#CDEFFCFG">Enhancement of Directory Object Type Descriptions</a></p> </li> <li> <p><a href="#CDEEDCBG">Integration with Windows Login Credentials</a></p> </li> <li> <p><a href="#CDEBGIFJ">Oracle Directory Objects in Active Directory</a></p> </li> </ul> <a id="CDECEIGE" name="CDECEIGE"></a><a id="NTQRF368" name="NTQRF368"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Directory Naming<a id="sthref489" name="sthref489"></a></h3> <p>Oracle Database provides Oracle Net Services directory naming, which makes use of a directory server. This feature has been enabled to work with Microsoft Active Directory. Directory Naming enables clients to connect to the database making use of information stored centrally in an LDAP-compliant directory server such as Active Directory. 
For example, any net service name previously stored in the <code>tnsnames.ora</code> file can now be stored in Active Directory.</p> </div> <!-- class="sect2" --> <a id="CDECDBHF" name="CDECDBHF"></a><a id="NTQRF369" name="NTQRF369"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Automatic Discovery of Directory Servers<a id="sthref490" name="sthref490"></a><a id="sthref491" name="sthref491"></a><a id="sthref492" name="sthref492"></a></h3> <p>Oracle Net Configuration Assistant provides automatic discovery of directory servers. When you select Active Directory as the directory server type, Oracle Net Configuration Assistant automatically discovers the directory server location and performs related tasks.</p> <div class="infoboxnotealso"> <p class="notep1">See Also:</p> <a href="#CDEHBHIG">"Configuring Oracle Database to Use Active Directory"</a> for more information on Active Directory configuration</div> </div> <!-- class="sect2" --> <a id="CDEIJECD" name="CDEIJECD"></a><a id="NTQRF370" name="NTQRF370"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Integration with Windows Tools<a id="sthref493" name="sthref493"></a></h3> <p>Oracle Database services, net service names, and enterprise role entries in Active Directory can be displayed and tested in two Windows tools:</p> <ul> <li> <p>Windows Explorer</p> </li> <li> <p>Active Directory Users and Computers</p> </li> </ul> <p>Windows Explorer displays the hierarchical structure of files, directories, and local and network drives on your computer. It can display and test Oracle Database service and net service name objects.</p> <p>Active Directory Users and Computers is an administrative tool installed on Windows servers configured as domain controllers. This tool enables you to add, modify, delete, and organize Windows accounts and groups, and publish resources in the directory of your organization. 
Like Windows Explorer, it can display and test Oracle Database service and net service name objects. Additionally, it can manage access control.</p> <div class="infoboxnotealso"> <p class="notep1">See Also:</p> <ul> <li> <p><a href="#CDEEBFDE">"Testing Connectivity from Microsoft Tools"</a></p> </li> <li> <p><a href="#CDEJFHDG">"Access Control List Management for Oracle Directory Objects"</a></p> </li> </ul> </div> </div> <!-- class="sect2" --> <a id="CDEEEEBE" name="CDEEEEBE"></a><a id="NTQRF371" name="NTQRF371"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2"><a id="sthref494" name="sthref494"></a><a id="sthref495" name="sthref495"></a><a id="sthref496" name="sthref496"></a><a id="sthref497" name="sthref497"></a>User Interface Extensions for Oracle Net Directory Naming<a id="sthref498" name="sthref498"></a></h3> <p>The property menus of Oracle Database service and net service name objects in Windows Explorer and Active Directory Users and Computers have been enhanced. When you right-click these Oracle directory objects, you now see two new options for testing connectivity:</p> <ul> <li> <p>Test</p> </li> <li> <p>Connect with SQL*Plus</p> </li> </ul> <p>The Test option tests whether the username, password, and net service name you initially entered can actually connect to Oracle Database. The Connect with SQL*Plus option starts SQL*Plus, which enables you to perform database administration, run scripts, and so on.</p> <div class="infoboxnotealso"> <p class="notep1">See Also:</p> <a href="#CDEEBFDE">"Testing Connectivity from Microsoft Tools"</a></div> </div> <!-- class="sect2" --> <a id="CDEFFCFG" name="CDEFFCFG"></a><a id="NTQRF372" name="NTQRF372"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Enhancement of Directory Object Type Descriptions</h3> <p>Oracle directory object type descriptions in Active Directory have been enhanced to make them easier to understand. 
In the right pane of <a href="#CDEEBGIA">Figure 13-1</a>, for example, the Type column reveals that <code>sales</code> is an Oracle Net Service name.</p> </div> <!-- class="sect2" --> <a id="CDEEDCBG" name="CDEEDCBG"></a><a id="NTQRF373" name="NTQRF373"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Integration with Windows Login Credentials</h3> <p>Oracle database and configuration tools can use the login credentials of the Windows user currently logged on to connect to Active Directory without having to re-enter the login credentials. This feature has the following benefits:</p> <ul> <li> <p>Oracle clients and databases can securely connect to Active Directory and retrieve the net service name.</p> </li> <li> <p><a id="sthref499" name="sthref499"></a><a id="sthref500" name="sthref500"></a>Oracle configuration tools can connect automatically to Active Directory and configure Oracle Database and net service name objects. The enabled tools include Oracle Net Configuration Assistant and Database Configuration Assistant.</p> </li> <li> <p>Oracle Database 11<span class="italic">g</span> adds enhancements that secure access over the Internet by avoiding anonymous binds to the directory. Sites can restrict access to a database service by setting an access control list (ACL) on the database service DN in the directory server. Clients then have the option to use authenticated binds for LDAP name lookup. 
Clients will have access to Database Service object if the object (DN of Database Service Entry) has been configured with restrictive access control.</p> </li> </ul> <a id="NTQRF374" name="NTQRF374"></a> <p class="subhead2">Configuration on machines that require authenticated name lookups</p> <p>Add the following entry in <code>sqlnet.ora</code> to enable authenticated name lookup:</p> <pre xml:space="preserve" class="oac_no_warn">names.ldap_authenticate_bind = TRUE </pre></div> <!-- class="sect2" --> <a id="CDEBGIFJ" name="CDEBGIFJ"></a><a id="NTQRF376" name="NTQRF376"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2"><a id="sthref501" name="sthref501"></a><a id="sthref502" name="sthref502"></a>Oracle Directory Objects in Active Directory</h3> <p>If Oracle Database and Oracle Net Services are installed and configured to access Active Directory, then Active Directory Users and Computers displays Oracle directory objects, as illustrated in <a href="#CDEEBGIA">Figure 13-1</a>:</p> <div class="figure"><a id="CDEEBGIA" name="CDEEBGIA"></a><a id="NTQRF377" name="NTQRF377"></a> <p class="titleinfigure">Figure 13-1 Oracle Directory Objects in Active Directory Users and Computers</p> <img width="630" height="395" src="img/adusrext.gif" alt="Description of Figure 13-1 follows" title="Description of Figure 13-1 follows" longdesc="img_text/adusrext.htm" /><br /> <a id="sthref503" name="sthref503" href="img_text/adusrext.htm">Description of "Figure 13-1 Oracle Directory Objects in Active Directory Users and Computers"</a><br /> <br /></div> <!-- class="figure" --> <p><a href="#BGBIAIHJ">Table 13-1</a> describes the Oracle directory objects appearing in <a href="#CDEEBGIA">Figure 13-1</a>.</p> <div class="tblformal"><a id="NTQRF378" name="NTQRF378"></a><a id="sthref504" name="sthref504"></a><a id="BGBIAIHJ" name="BGBIAIHJ"></a> <p class="titleintable">Table 13-1 Oracle Directory Objects</p> <table class="Formal" title="Oracle Directory 
Objects" summary="Rows are Oracle directory objects. Column one is the name of the object, and column two is its description." dir="ltr" border="1" width="100%" frame="hsides" rules="groups" cellpadding="3" cellspacing="0"> <col width="20%" /> <col width="*" /> <thead> <tr align="left" valign="top"> <th align="left" valign="bottom" id="r1c1-t5">Object</th> <th align="left" valign="bottom" id="r1c2-t5">Description</th> </tr> </thead> <tbody> <tr align="left" valign="top"> <td align="left" id="r2c1-t5" headers="r1c1-t5"> <p><code>oranet.dev</code></p> </td> <td align="left" headers="r2c1-t5 r1c2-t5"> <p>The domain in which you created your Oracle Context. This domain (also known as the administrative context) contains various Oracle entries to support directory naming. Oracle Net Configuration Assistant automatically discovers this information during Oracle Database integration with Active Directory.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r3c1-t5" headers="r1c1-t5"> <p><code>OracleContext</code></p> </td> <td align="left" headers="r3c1-t5 r1c2-t5"> <p>The top-level Oracle entry in the Active Directory tree. It contains Oracle Database service and net service name object information. 
All Oracle software information is placed in this folder.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r4c1-t5" headers="r1c1-t5"> <p><code>orcl</code></p> </td> <td align="left" headers="r4c1-t5 r1c2-t5"> <p>The Oracle Database service name used in this example.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r5c1-t5" headers="r1c1-t5"> <p><code>Products</code></p> </td> <td align="left" headers="r5c1-t5 r1c2-t5"> <p>Folder for Oracle product information.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r6c1-t5" headers="r1c1-t5"> <p><code>sales</code></p> </td> <td align="left" headers="r6c1-t5 r1c2-t5"> <p>The net service name object used in this example.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r7c1-t5" headers="r1c1-t5"> <p><code>Users</code></p> </td> <td align="left" headers="r7c1-t5 r1c2-t5"> <p>Folder for the Oracle security groups. See <a href="#CDEJFHDG">"Access Control List Management for Oracle Directory Objects"</a> for more information. Enterprise users and roles created with Oracle Enterprise Security Manager also appear in this folder.</p> </td> </tr> </tbody> </table> <br /></div> <!-- class="tblformal" --></div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="CDECHCBC" name="CDECHCBC"></a><a id="NTQRF379" name="NTQRF379"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Requirements for Using Oracle Database with Active Directory</h2> <p>To use Net Directory Naming with Active Directory, you must have certain Microsoft and Oracle software releases, and you must create Oracle schema objects and an Oracle Context. 
These requirements are discussed in the following sections:</p> <ul> <li> <p><a href="#CDEBFIHB">Directory Naming Software Requirements</a></p> </li> <li> <p><a href="#BGBBIAFB">Creating an OracleContext</a></p> </li> <li> <p><a href="#CDEFIICA">Oracle Schema Objects Creation</a></p> </li> </ul> <div class="infoboxnote"> <p class="notep1">Note:</p> <ul> <li> <p><a id="sthref505" name="sthref505"></a><a id="sthref506" name="sthref506"></a>The Oracle schema objects and Oracle Context can both be created by running Oracle Net Configuration Assistant.</p> </li> <li> <p>Regardless of the Oracle Database Client and Oracle Database releases you are using, you must be running in a Windows Server 2003, or Windows Server 2008, or Windows Server 2008 R2 (X64) domain to integrate Net Directory Naming with Active Directory.</p> </li> </ul> </div> <a id="CDEBFIHB" name="CDEBFIHB"></a><a id="NTQRF380" name="NTQRF380"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Directory Naming Software Requirements</h3> <p>For client computers from which you want to manage Oracle Database enterprise users, roles and domains, you must have Oracle8<span class="italic">i</span> Client release 8.1.6 or later and one of the supported Windows operating systems.</p> <p>For the database, you must have Oracle8<span class="italic">i</span> Database release 8.1.6 or later. This is required for registering the database service as an object in Active Directory. 
The database can use any of the supported Windows operating systems.</p> <p>Both the client computers and the database must be members of a Windows server domain.</p> <p>The Directory Naming adapter connects anonymously to the directory by default.</p> </div> <!-- class="sect2" --> <a id="BGBBIAFB" name="BGBBIAFB"></a><a id="NTQRF381" name="NTQRF381"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Creating an OracleContext</h3> <p>You must create an Oracle Context to use net directory naming features with Active Directory. Oracle Context is the top-level Oracle entry in the Active Directory tree. It contains Oracle Database service and Oracle Net service name object information.</p> <ul> <li> <p>You can create only one Oracle Context for each Windows server domain (administrative context).</p> </li> <li> <p>You must have the right to create domain and enterprise objects to create the Oracle Context in Active Directory with Oracle Net Configuration Assistant.</p> </li> <li> <p>Use Oracle Net Configuration Assistant to create your Oracle Context. 
You can create the Oracle Context during or after Oracle Database Custom installation.</p> </li> </ul> <div class="infoboxnotealso"> <p class="notep1">See Also:</p> <ul> <li> <p><a class="olink NTDBI" href="../../install.112/e10843/toc.htm"><span class="italic">Oracle Database Installation Guide for Microsoft Windows</span></a> for installation procedures</p> </li> <li> <p><a class="olink NETAG" href="http://www.oracle.com/pls/db112/lookup?id=NETAG"><span class="italic">Oracle Database Net Services Administrator's Guide</span></a> for configuration procedures</p> </li> </ul> </div> <a id="NTQRF382" name="NTQRF382"></a> <div class="sect3"><!-- infolevel="all" infotype="General" --><a id="sthref507" name="sthref507"></a> <h4 class="sect3">Network Configuration Assistant (NetCA)</h4> <p>Oracle Net Configuration Assistant (NetCA) is a graphical, wizard-based tool used to configure and manage Oracle Network configurations.</p> <p>Run the Network Configuration Assistant (NetCA).</p> <p>To start NetCA:</p> <ol> <li> <p>Click <span class="bold">Start,</span> then click <span class="bold">All Programs.</span></p> </li> <li> <p>Click <span class="bold">Oracle, Configuration and Migration Tools,</span> then <span class="bold">Net Configuration Assistant.</span></p> </li> <li> <p>Select the <span class="bold">Directory Usage Configuration</span> radio button, then click <span class="bold">Next.</span></p> </li> <li> <p>Select Directory Type <span class="bold">Microsoft Active Directory,</span> then click <span class="bold">Next.</span></p> <div class="infoboxnote"> <p class="notep1">Note:</p> The Microsoft Active Directory configuration option is only available in the Windows version of NetCA.</div> </li> <li> <p>Select the option to configure the directory for Oracle usage and create the Oracle Schema and Context, then click <span class="bold">Next.</span></p> </li> <li> <p>Enter the Active Directory host name, then click <span class="bold">Next.</span></p> </li> <li> 
<p>Select the option to upgrade the Oracle Schema, then click <span class="bold">Next.</span></p> <p>The next page should denote successful Directory configuration.</p> <pre xml:space="preserve" class="oac_no_warn">Directory usage configuration complete! The distinguished name of your default Oracle Context is: cn=OracleContext,DC=home,DC=com
</pre></li> <li> <p>Click <span class="bold">Next,</span> then click <span class="bold">Finish.</span></p> </li> <li> <p>The earlier message may only denote partial success:</p> <pre xml:space="preserve" class="oac_no_warn">The Assistant is unable to create or upgrade the Oracle Schema
for the following reason: ConfigException: Oracle Schema creation
was successful, but Active Directory Display Specifier creation
failed.oracle.net.config.ConfigException; TNS-04420: Problem
running LDAPMODIFY
</pre> <p>Click <span class="bold">OK,</span> then click <span class="bold">Finish.</span></p> </li> <li> <p>If you receive the preceding error, disregard the message and re-run NetCA using the originally supplied values.</p> <p>The wizard should complete denoting successful Directory configuration:</p> <pre xml:space="preserve" class="oac_no_warn">Directory usage configuration complete! The distinguished name of your default Oracle Context is: cn=OracleContext,DC=home,DC=com
</pre> <p>Click <span class="bold">Next,</span> then click <span class="bold">Finish.</span></p> </li> </ol> </div> <!-- class="sect3" --></div> <!-- class="sect2" --> <a id="CDEFIICA" name="CDEFIICA"></a><a id="NTQRF383" name="NTQRF383"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Oracle Schema Objects Creation</h3> <p>You must create Oracle schema objects to use net directory naming features with Active Directory. Schema objects are sets of rules for Oracle Net Services and Oracle Database entries and their attributes stored in Active Directory. 
The following restrictions apply to creating Oracle schema objects to use with Active Directory:</p> <ul> <li> <p>Only one Oracle schema object can be created for each forest.</p> </li> <li> <p>The Windows server domain controller must be the operations master that allows schema updates. See your operating system documentation for instructions.</p> </li> </ul> <p>To create an Oracle schema object:</p> <ol> <li> <p>Log in as a member of the Schema Administrator group. Domain administrators are in the Schema Administrator group by default.</p> </li> <li> <p>Use Oracle Net Configuration Assistant to create the Oracle schema object. You can create your schema object during or after database installation.</p> </li> </ol> <p>If the Active Directory display is not configured to accept all 24 default languages, then Oracle schema object creation can fail while Oracle Net Configuration Assistant is configuring Active Directory as the directory server. Before running Oracle Net Configuration Assistant to complete directory access configuration, verify that the display specifiers for all 24 languages are populated by entering the following at the command prompt:</p> <pre xml:space="preserve" class="oac_no_warn">ldifde -p OneLevel -d cn=DisplaySpecifiers,cn=Configuration,<span class="italic">domain</span> <span class="italic">context</span> -f <span class="italic">temp file</span> </pre> <p>where:</p> <ul> <li> <p><code><span class="codeinlineitalic">domain</span></code> <code><span class="codeinlineitalic">context</span></code> is the domain context for this Active Directory server.</p> <p>For example, <code>dc=example</code>,<code>dc=com</code>.</p> </li> <li> <p><code><span class="codeinlineitalic">temp</span></code> <code><span class="codeinlineitalic">file</span></code> is a file where you want to put the output.</p> </li> </ul> <p>If the command reports that fewer than 24 entries were found, then you can still use Oracle Net Configuration Assistant. 
However, the report will indicate that Oracle schema object creation failed, rather than simply reporting that display specifiers for some languages were not created.</p> <a id="NTQRF384" name="NTQRF384"></a> <p class="subhead2">Display Specifiers Not Created</p> <p>When Net Configuration Assistant creates the Oracle schema object in Active Directory, the display specifiers for Oracle entries are not created. This means you cannot view Oracle database entries in Active Directory interfaces.</p> <p>You can manually add these entries into Active Directory after the Oracle schema object has been created by doing the following, using the same Windows user identification you used when creating the Oracle schema object with Net Configuration Assistant:</p> <ol> <li> <p>Open a command shell.</p> </li> <li> <p>Change directory to <code><span class="codeinlineitalic">ORACLE_HOME</span></code><code>\ldap\schema\ad</code>.</p> </li> <li> <p>Copy <code>adDisplaySpecifiers_us.sbs</code> to <code>adDisplaySpecifiers_us.ldif</code>.</p> </li> <li> <p>Copy <code>adDisplaySpecifiers_other.sbs</code> to <code>adDisplaySpecifiers_other.ldif</code>.</p> </li> <li> <p>Edit each of these <code>.ldif</code> files, replacing all occurrences of <code>%s_AdDomainDN%</code> with the domain DN for the specific Active Directory into which you want to load the display specifiers (for example, <code>dc=example,dc=com</code>).</p> </li> <li> <p>Run the following commands:</p> <pre xml:space="preserve" class="oac_no_warn">ldapmodify -h &lt;ad hostname&gt; -Z -f adDisplaySpecifiers_us.ldif
ldapmodify -h &lt;ad hostname&gt; -Z -f adDisplaySpecifiers_other.ldif
</pre> <p>where <code>&lt;ad hostname&gt;</code> is the host name of the Active Directory domain controller to which you want to load the display specifiers.</p> </li> </ol> <div class="infoboxnotealso"> <p class="notep1">See Also:</p> <a href="#CDECDBHF">"Automatic Discovery of Directory Servers"</a></div> </div> <!-- class="sect2" --></div> <!-- class="sect1" 
--> <a id="CDEHBHIG" name="CDEHBHIG"></a><a id="NTQRF385" name="NTQRF385"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Configuring Oracle Database to Use Active Directory<a id="sthref508" name="sthref508"></a><a id="sthref509" name="sthref509"></a><a id="sthref510" name="sthref510"></a><a id="sthref511" name="sthref511"></a><a id="sthref512" name="sthref512"></a><a id="sthref513" name="sthref513"></a><a id="sthref514" name="sthref514"></a></h2> <p>Oracle Net Configuration Assistant enables you to configure client computers and Oracle Database to access a directory server. When you choose directory access configuration from Oracle Net Configuration Assistant, it then prompts you to specify a directory server type to use. When you select Active Directory as the directory server type, the Automatic Discovery of Directory Servers feature of Oracle Net Configuration Assistant automatically:</p> <ul> <li> <p>Discovers the Active Directory server location</p> </li> <li> <p>Configures access to the Active Directory server</p> </li> <li> <p>Creates the Oracle context (also known as your domain)</p> </li> </ul> <p>If the Active Directory server already has an Oracle Context, then select the following nondefault radio button:</p> <ul> <li> <p>Select the directory server you want to use, and configure the directory server for Oracle usage. (Create or upgrade Oracle schema objects and Oracle Context as necessary.)</p> </li> </ul> <p>Oracle Net Configuration Assistant will report that the Oracle Context does not exist. Ignore this and choose to create the Oracle Context anyway. 
Directory access configuration will complete without trying to re-create the existing Oracle Context.</p> <div class="infoboxnote"> <p class="notep1">Note:</p> Regardless of the Oracle Database Client and Oracle Database releases you are using, you must be running in a Windows Server 2003 domain, or Windows Server 2003 R2 domain, or Windows Server 2008 domain, or Windows Server 2008 R2 domain, to take advantage of the automatic directory server discovery features of Oracle Net Configuration Assistant. Otherwise, Oracle Net Configuration Assistant does not automatically discover your directory server, and instead prompts you for additional information, such as the Active Directory location.</div> <div class="infoboxnotealso"> <p class="notep1">See Also:</p> <ul> <li> <p><a href="#CDEFIICA">"Oracle Schema Objects Creation"</a> for information about possible failures during configuration</p> </li> <li> <p><a href="#CDECHCBC">"Requirements for Using Oracle Database with Active Directory"</a></p> </li> <li> <p><a href="#CDECDBHF">"Automatic Discovery of Directory Servers"</a></p> </li> <li> <p><a class="olink NETAG" href="http://www.oracle.com/pls/db112/lookup?id=NETAG"><span class="italic">Oracle Database Net Services Administrator's Guide</span></a> for configuration procedures</p> </li> </ul> </div> </div> <!-- class="sect1" --> <a id="CDEFGFAC" name="CDEFGFAC"></a><a id="NTQRF386" name="NTQRF386"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1"><a id="sthref515" name="sthref515"></a><a id="sthref516" name="sthref516"></a><a id="sthref517" name="sthref517"></a><a id="sthref518" name="sthref518"></a><a id="sthref519" name="sthref519"></a><a id="sthref520" name="sthref520"></a><a id="sthref521" name="sthref521"></a><a id="sthref522" name="sthref522"></a><a id="sthref523" name="sthref523"></a><a id="sthref524" name="sthref524"></a>Testing Connectivity</h2> <p>This section describes how to connect to an Oracle Database server through Active 
Directory.</p> <p>This section contains these topics:</p> <ul> <li> <p><a href="#CDEJFFGI">Testing Connectivity from Client Computers</a></p> </li> <li> <p><a href="#CDEEBFDE">Testing Connectivity from Microsoft Tools</a></p> </li> </ul> <a id="CDEJFFGI" name="CDEJFFGI"></a><a id="NTQRF387" name="NTQRF387"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Testing Connectivity from Client Computers</h3> <p>When using Oracle Net directory naming, client computers connect to a database by specifying the database or net service name entry that appears in the Oracle Context. For example, if the database entry under the Oracle Context in Active Directory is <code>orcl</code>, and the client and the database are in the same domain, then a user connects to the database through SQL*Plus by entering the following connect string:</p>
<pre xml:space="preserve" class="oac_no_warn">SQL> CONNECT <span class="italic">username</span>@orcl
Enter password: <span class="italic">password</span>
</pre>
<p>If the client and the database are in different domains, then a user connects to the database through SQL*Plus by entering:</p>
<pre xml:space="preserve" class="oac_no_warn">SQL> CONNECT <span class="italic">username</span>@orcl.<span class="italic">domain</span>
Enter password: <span class="italic">password</span>
</pre>
<p>where <code><span class="codeinlineitalic">domain</span></code> is the domain in which the Oracle Database server is located.</p> <p>The LDAP naming adapter has an internal function, called <span class="bold">simplified naming</span>, that attempts to translate a DNS-style name into an X.500 (LDAP) style distinguished name (DN), based on the naming convention used in <code>ldap.ora:DEFAULT_ADMIN_CONTEXT</code>.</p> <p>It relies on <code>ldap.ora:default_admin_context</code> using either an <span class="bold">org</span> form or a <span class="bold">domain component (dc)</span> form. 
This cues the mechanism to use either of the following conventions to convert the domain name to an X.500 DN:</p> <ul> <li> <p>'dc=, dc='</p> </li> <li> <p>'ou=, o='</p> </li> <li> <p>'ou=, o=, c='</p> </li> </ul> <p>For example,</p>
<pre xml:space="preserve" class="oac_no_warn">SQL> CONNECT SCOTT@hr.example.com
Enter password: <span class="italic">password</span>
</pre>
<p>The following values for <code>default_admin_context</code> will result in the associated DN:</p>
<pre xml:space="preserve" class="oac_no_warn">DEFAULT_ADMIN_CONTEXT="o=stdev"
</pre>
<p>The resulting DN is</p>
<pre xml:space="preserve" class="oac_no_warn">cn=HR,cn=OracleContext,ou=EXAMPLE,o=COM
</pre>
<pre xml:space="preserve" class="oac_no_warn">DEFAULT_ADMIN_CONTEXT="dc=oracle, dc=com"
</pre>
<p>The resulting DN is</p>
<pre xml:space="preserve" class="oac_no_warn">cn=HR,cn=OracleContext,dc=EXAMPLE,dc=COM
</pre>
<pre xml:space="preserve" class="oac_no_warn">DEFAULT_ADMIN_CONTEXT="o=oracle,c=us"
</pre>
<p>The resulting DN is</p>
<pre xml:space="preserve" class="oac_no_warn">cn=HR,cn=OracleContext,o=EXAMPLE,c=COM
</pre>
<div class="infoboxnote"> <p class="notep1">Note:</p> The value of the <code>default_admin_context</code> is not used literally, since the queried name is given in a fully qualified form. The <code>default_admin_context</code> determines which style of DN is produced, that is, which left-hand side to use when converting each domain component of the given name.</div>
<p>DNS-style conventions enable client users to access an Oracle Database server through a directory server by entering minimal connection information, even when the client computer and Oracle Database server are in separate domains. 
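</p>
<p>The translation rules above, written out as a Python sketch. This is an added example reconstructed from the three examples on this page, not Oracle's code; the function names, the treatment of unqualified names, and the treatment of names with more labels than the pattern are assumptions. It also shows that <code>orcl.example.com</code> under an org-form context resolves to the same object DN that the <code>dsacls</code> commands on this page target.</p>

```python
# Added sketch of "simplified naming", reconstructed from this page's three
# examples. It is not Oracle's implementation; all names here are hypothetical.

# style: (attribute types assigned from the rightmost DNS label inward,
#         attribute type used for any remaining labels)
STYLES = {
    "dc": ([], "dc"),                    # dc=..., dc=...
    "org": (["o"], "ou"),                # ou=..., o=...
    "org-country": (["c", "o"], "ou"),   # ou=..., o=..., c=...
}


def dn_style(admin_context):
    """Pick the convention cued by the RDN types in DEFAULT_ADMIN_CONTEXT."""
    types = []
    for rdn in admin_context.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        types.append(attr.strip().lower())
    if "dc" in types:
        return "dc"
    if "o" in types:
        return "org-country" if "c" in types else "org"
    raise ValueError("neither dc form nor org form: %r" % admin_context)


def simplified_dn(name, admin_context):
    """Translate a DNS-style net service name into the DN that is looked up."""
    labels = name.strip().split(".")
    if not all(labels):
        raise ValueError("empty label in name: %r" % name)
    # Uppercased only to mirror the page's examples; DN matching ignores case.
    service, domain = labels[0].upper(), [d.upper() for d in labels[1:]]
    if not domain:
        # Assumption inferred from the page's note: an unqualified name is
        # resolved under DEFAULT_ADMIN_CONTEXT taken literally.
        return "cn=%s,cn=OracleContext,%s" % (service, admin_context)
    tail, default = STYLES[dn_style(admin_context)]
    # Assumption: labels beyond the pattern's slots get the default type.
    lhs = (tail + [default] * len(domain))[:len(domain)]
    lhs.reverse()
    rdns = ["%s=%s" % (t, d) for t, d in zip(lhs, domain)]
    return ",".join(["cn=" + service, "cn=OracleContext"] + rdns)


def same_dn(a, b):
    """Case- and whitespace-insensitive DN comparison (no escaped commas)."""
    def norm(dn):
        return [rdn.strip().lower() for rdn in dn.split(",")]
    return norm(a) == norm(b)


if __name__ == "__main__":
    for ctx in ("o=stdev", "dc=oracle, dc=com", "o=oracle,c=us"):
        print("%-22s %s" % (ctx, simplified_dn("hr.example.com", ctx)))
    # The object whose ACL governs who can resolve orcl.example.com
    print(simplified_dn("orcl.example.com", "o=stdev"))
```

<p>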
Names following the X.500 convention are longer, especially when the client and Oracle Database server are located in different domains (also known as administrative contexts).</p> <div class="infoboxnotealso"> <p class="notep1">See Also:</p> <ul> <li> <p>"Configuration Management Concepts" in <a class="olink NETAG" href="http://www.oracle.com/pls/db112/lookup?id=NETAG"><span class="italic">Oracle Database Net Services Administrator's Guide</span></a> for more information about X.500 naming conventions</p> </li> <li> <p>"Unlocking and Changing Passwords" in <a class="olink NTDBI" href="../../install.112/e10843/toc.htm"><span class="italic">Oracle Database Installation Guide for Microsoft Windows</span></a></p> </li> </ul> </div> </div> <!-- class="sect2" --> <a id="CDEEBFDE" name="CDEEBFDE"></a><a id="NTQRF388" name="NTQRF388"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Testing Connectivity from Microsoft Tools</h3> <p>Oracle directory objects in Active Directory are integrated with two Microsoft tools:</p> <ul> <li> <p>Windows Explorer</p> </li> <li> <p>Active Directory Users and Computers</p> </li> </ul> <p>You can test connectivity to an Oracle Database server from within these Microsoft tools by actually connecting to it, or you can just test the connection without actually connecting. 
To test connectivity:</p> <ol> <li> <p>Start Windows Explorer or Active Directory Users and Computers.</p> <p>To start Windows Explorer:</p> <ol> <li> <p>From the <span class="bold">Start</span> menu, select <span class="bold">Programs</span>, then select <span class="bold">Accessories</span> and then select <span class="bold">Windows Explorer</span>.</p> </li> <li> <p>Expand <span class="bold">My Network Places</span>.</p> </li> <li> <p>Expand <span class="bold">Entire Network</span>.</p> </li> <li> <p>Expand <span class="bold">Directory</span>.</p> </li> </ol> <p>To start Active Directory Users and Computers:</p> <p>From the <span class="bold">Start</span> menu, select <span class="bold">Programs</span>, then select <span class="bold">Administrative Tools</span>, and then select <span class="bold">Active Directory Users and Computers</span>.</p> <div class="infoboxnote"> <p class="notep1">Note:</p> All clients accessing an Oracle Database server through Active Directory require read access on all net service name objects in the Oracle Context. If Oracle Net will not be configured to require authentication for name lookup, then clients must be able to authenticate anonymously with Active Directory. With Windows Server 2003, Windows Server 2003 R2, and Windows Server 2008 domain, this will require changing the Active Directory default setting so that anonymous access will be allowed. 
If anonymous access to this directory is not going to be allowed, the clients must be configured to authenticate, and net service objects must have access control definitions that allow clients to read them as appropriate.</div> <div class="infoboxnotealso"> <p class="notep1">See Also:</p> <a class="olink NETAG" href="http://www.oracle.com/pls/db112/lookup?id=NETAG"><span class="italic">Oracle Database Net Services Administrator's Guide</span></a> for more information</div> </li> <li> <p>Expand the domain in which your Oracle Context is located.</p> </li> <li> <p>Expand your Oracle Context.</p> </li> <li> <p>Right-click a database service or Oracle Net Service name object.</p> <p>A menu appears with several options. This section covers only the <span class="bold">Test</span> and <span class="bold">Connect with SQL*Plus</span> options.</p> <img width="634" height="478" src="img/adtest.gif" alt="Description of adtest.gif follows" title="Description of adtest.gif follows" longdesc="img_text/adtest.htm" /><br /> <a id="sthref525" name="sthref525" href="img_text/adtest.htm">Description of the illustration adtest.gif</a><br /> <br /></li> <li> <p>If you want to test the database connection without actually connecting to it, then choose <span class="bold">Test</span>. A status message appears describing the status of your connection attempt.</p> <img width="413" height="287" src="img/adtstcon.gif" alt="Description of adtstcon.gif follows" title="Description of adtstcon.gif follows" longdesc="img_text/adtstcon.htm" /><br /> <a id="sthref526" name="sthref526" href="img_text/adtstcon.htm">Description of the illustration adtstcon.gif</a><br /> <br /></li> <li> <p>If you want to test the database connection by actually connecting to it, then choose <span class="bold">Connect with SQL*Plus</span>. 
The Oracle SQL*Plus Logon dialog appears.</p> <img width="284" height="204" src="img/adsqlpls.gif" alt="Description of adsqlpls.gif follows" title="Description of adsqlpls.gif follows" longdesc="img_text/adsqlpls.htm" /><br /> <a id="sthref527" name="sthref527" href="img_text/adsqlpls.htm">Description of the illustration adsqlpls.gif</a><br /> <br /></li> <li> <p>Enter your username and password, then click <span class="bold">OK</span>. A status message appears describing the status of your connection attempt.</p> </li> </ol> </div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="CDEJFHDG" name="CDEJFHDG"></a><a id="NTQRF389" name="NTQRF389"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1"><a id="sthref528" name="sthref528"></a><a id="sthref529" name="sthref529"></a><a id="sthref530" name="sthref530"></a><a id="sthref531" name="sthref531"></a>Access Control List Management for Oracle Directory Objects</h2> <p>This section identifies security groups specific to Oracle directory objects within Active Directory and explains how to add and delete security group members.</p> <p>This section contains these topics:</p> <ul> <li> <p><a href="#BGBDCDDF">Security Groups</a></p> </li> <li> <p><a href="#BGBCHHCC">Adding and Deleting Security Group Members</a></p> </li> </ul> <a id="BGBDCDDF" name="BGBDCDDF"></a><a id="NTQRF390" name="NTQRF390"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Security Groups</h3> <p>Security groups are automatically created when the Oracle Context is created in Active Directory. The user configuring access (and thus creating the Oracle Context) is automatically added to each group. 
The relevant groups are:</p> <ul> <li> <p><a href="#CDEBCHDG">OracleDBCreators</a></p> </li> <li> <p><a href="#CDEFEIAG">OracleNetAdmins</a></p> </li> <li> <p><a href="#BGBBFGBE">NetService Objects</a></p> </li> </ul> <a id="CDEBCHDG" name="CDEBCHDG"></a><a id="NTQRF391" name="NTQRF391"></a> <div class="sect3"><!-- infolevel="all" infotype="General" --> <h4 class="sect3"><a id="sthref532" name="sthref532"></a>OracleDBCreators</h4> <p>The <code>OracleDBCreators</code> group is for the person registering the Oracle Database server. The domain administrator is automatically a member of this group. Users in this group can:</p> <ul> <li> <p>Create new Oracle Database objects in the Oracle Context.</p> </li> <li> <p>Modify the Oracle Database objects that they create.</p> </li> <li> <p>Read, but not modify, the membership for this group.</p> </li> </ul> </div> <!-- class="sect3" --> <a id="CDEFEIAG" name="CDEFEIAG"></a><a id="NTQRF392" name="NTQRF392"></a> <div class="sect3"><!-- infolevel="all" infotype="General" --> <h4 class="sect3"><a id="sthref533" name="sthref533"></a>OracleNetAdmins</h4> <p>Users in the <code>OracleNetAdmins</code> group can:</p> <ul> <li> <p>Create, modify, and read Oracle Net Services objects and attributes.</p> </li> <li> <p>Read the group membership of this group.</p> </li> </ul> </div> <!-- class="sect3" --> <a id="BGBBFGBE" name="BGBBFGBE"></a><a id="NTQRF393" name="NTQRF393"></a> <div class="sect3"><!-- infolevel="all" infotype="General" --> <h4 class="sect3">NetService Objects</h4> <p>In 11<span class="italic">g,</span> directory clients may optionally be configured to authenticate with the directory while resolving DB names to connect strings. This makes it possible for NetService objects to be protected using ACLs.</p> <p>There are many ways in which the identities of users may be defined in the directory, and how those users or certain groups of users may be given access to some or all Net Services. 
Oracle supplies no pre-defined groups, and has no procedures in the config tools for defining read-access restrictions on this data, so administrators must use standard object management tools from their directory system to manually create any necessary groups and ACLs. Existing identity structures may be referred to by Net Service ACLs.</p> <p>Because the access definitions for objects are complex and may involve security properties that are inherited from parent nodes in the Directory Information Tree (DIT), Oracle recommends that administrators refer to the relevant tools and documentation for the directory system they are using, and formulate or integrate access management for NetService objects into a directory-wide policy and security implementation.</p> <div class="infoboxnote"> <p class="notep1">Note:</p> Pre-11g clients can only bind to the directory as <span class="bold">anonymous,</span> so any ACL protection on NetServices will disable older clients. Access Control can only be implemented if all clients requiring access to these objects are 11<span class="italic">g</span> or later.</div> </div> <!-- class="sect3" --></div> <!-- class="sect2" --> <a id="NTQRF394" name="NTQRF394"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --><a id="sthref534" name="sthref534"></a> <h3 class="sect2">Setting ACLs on NetService Entries</h3> <p>Use the <code>Dsacls</code> tool to set ACLs on directory objects.</p> <p>The <code>Dsacls.exe</code> command-line tool displays and changes permissions (access control entries) in the access control list (ACL) of objects in Active Directory. 
This command-line tool will be included in Support Tools on the product media.</p> <p>Examples:</p> <p>To enable anonymous generic read on the <code>orcl</code> service, run the following command:</p>
<pre xml:space="preserve" class="oac_no_warn">dsacls "CN=orcl,CN=OracleContext,OU=Example,O=Com" /G "anonymous logon":GR
</pre>
<p>To enable generic read on the <code>orcl</code> service for the user <code>scott</code> in the EXAMPLE domain, run the following command:</p>
<pre xml:space="preserve" class="oac_no_warn">dsacls "CN=orcl,CN=OracleContext,OU=Example,O=Com" /G example\scott:GR
</pre>
<p>To disable anonymous generic read on the <code>orcl</code> service, run the following command:</p>
<pre xml:space="preserve" class="oac_no_warn">dsacls "CN=orcl,CN=OracleContext,OU=Example,O=Com" /R "anonymous logon"
</pre>
<p>To disable generic read on the <code>orcl</code> service for the user <code>scott</code> in the EXAMPLE domain, run the following command:</p>
<pre xml:space="preserve" class="oac_no_warn">dsacls "CN=orcl,CN=OracleContext,OU=Example,O=com" /R example\scott
</pre>
<p>The <code>/R</code> option removes all permissions granted to the named user or group on the object, not only generic read.</p>
<div class="infoboxnotealso"> <p class="notep1">See Also:</p> <code><a href="http://support.microsoft.com/kb/281146">http://support.microsoft.com/kb/281146</a></code> for a complete description of the dsacls tool</div> </div> <!-- class="sect2" --> <a id="BGBCHHCC" name="BGBCHHCC"></a><a id="NTQRF395" name="NTQRF395"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2"><a id="sthref535" name="sthref535"></a><a id="sthref536" name="sthref536"></a><a id="sthref537" name="sthref537"></a>Adding and Deleting Security Group Members</h3> <p>You can add or remove users in the security groups with Active Directory Users and Computers.</p> <div class="infoboxnote"> <p class="notep1">Note:</p> Use Active Directory Users and Computers to perform the procedures described in this section. 
Windows Explorer does not provide the necessary functionality.</div> <p>To add or remove users:</p> <ol> <li> <p>From the <span class="bold">Start</span> menu, select <span class="bold">Programs</span>, then select <span class="bold">Administrative Tools</span>, and then select <span class="bold">Active Directory Users and Computers</span>.</p> </li> <li> <p>Choose <span class="bold">Advanced Features</span> from the <span class="bold">View</span> main menu.</p> <p>This enables you to view and edit information that is normally hidden.</p> </li> <li> <p>Expand the domain (administrative context) in which your Oracle Context is located.</p> </li> <li> <p>Expand <span class="bold">Users</span>.</p> <p>The security groups appear in the right window pane.</p> <img width="595" height="395" src="img/adsecgrp.gif" alt="Description of adsecgrp.gif follows" title="Description of adsecgrp.gif follows" longdesc="img_text/adsecgrp.htm" /><br /> <a id="sthref538" name="sthref538" href="img_text/adsecgrp.htm">Description of the illustration adsecgrp.gif</a><br /> <br /></li> <li> <p>Right-click the Oracle security group that you want to view or modify.</p> <p>A menu appears with several options.</p> </li> <li> <p>Choose <span class="bold">Properties</span>.</p> </li> <li> <p>Choose the <span class="bold">Members</span> tab.</p> <p>The Properties dialog for the group you selected appears (in this example, <code>OracleDBCreators</code>).</p> <img width="512" height="448" src="img/admembrs.gif" alt="Description of admembrs.gif follows" title="Description of admembrs.gif follows" longdesc="img_text/admembrs.htm" /><br /> <a id="sthref539" name="sthref539" href="img_text/admembrs.htm">Description of the illustration admembrs.gif</a><br /> <br /></li> <li> <p>To add users, click <span class="bold">Add</span>.</p> <p>The Select Users, Contacts, Computers, or Groups dialog appears.</p> </li> <li> <p>Select the users or groups you want to add and click <span class="bold">Add</span>.</p> 
<p>Your selections appear in the Select Users, Contacts, Computers, or Groups dialog.</p> </li> <li> <p>To remove a user, select the user name from the Members list and click <span class="bold">Remove</span>.</p> </li> <li> <p>When you are finished adding and removing users, click <span class="bold">OK</span>.</p> </li> </ol> </div> <!-- class="sect2" --></div> <!-- class="sect1" --></div> <!-- class="ind" --> <div class="footer"> <hr /> <p>Copyright © 1996, 2010, Oracle and/or its affiliates. All rights reserved.</p> </div> </body> </html>