Oracle® Identity and Access Management Introduction 10g (10.1.4.0.1) Part Number B31291-01
Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of an Oracle Database.
Among its more significant benefits, Oracle Internet Directory provides scalability, high availability, security, and tight integration with the Oracle environment.
Scalability—Oracle Internet Directory exploits the strengths of an Oracle Database, enabling support for terabytes of directory information. In addition, such technologies as shared LDAP servers and database connection pooling enable it to support thousands of concurrent clients with subsecond search response times.
Oracle Internet Directory also provides data management tools, such as Oracle Directory Manager and a variety of command-line tools, for manipulating large volumes of LDAP data.
High Availability—Oracle Internet Directory is designed to meet the needs of a variety of important applications. For example, it supports full multimaster replication between directory servers: If one server in a replication community becomes unavailable, then a user can access the data from another server. Information about changes to directory data on a server is stored in special tables on the Oracle Database. These are replicated throughout the directory environment by Oracle Database Advanced Replication, a robust replication mechanism.
Oracle Internet Directory also takes advantage of all the availability features of the Oracle Database. Because directory information is stored securely in the Oracle Database, it is protected by Oracle's backup capabilities. Additionally, the Oracle Database, running with large data stores and heavy loads, can recover from system failures quickly.
Security—Oracle Internet Directory offers comprehensive and flexible access control. An administrator can grant or restrict access to a specific directory object or to an entire directory subtree. Moreover, Oracle Internet Directory implements three levels of user authentication: anonymous, password-based, and certificate-based, using Secure Sockets Layer (SSL) Version 3 for authenticated access and data privacy. (SSL 3.0 has since been deprecated by RFC 7568, so a current deployment should not rely on that protocol version for transport security.)
Integration with the Oracle Environment—Through Oracle Directory Integration Platform, Oracle Internet Directory provides a single point of integration between the Oracle environment and other directories such as NOS directories, third-party enterprise directories, and application-specific user repositories.
Oracle components use Oracle Internet Directory for easier administration, tighter security, and simpler integration between multiple directories.
Features of Oracle Internet Directory include:
As of Oracle Application Server 10g (10.1.4.0.1), you can manage Oracle Internet Directory with Identity Management Grid Control Plug-in, which uses the features of Oracle Enterprise Manager 10g Grid Control.
See Also: The "Identity Management Grid Control Plug-in" chapter in Oracle Identity Management Infrastructure Administrator's Guide.
If you enable Referential Integrity, whenever you update an entry in the directory, the server also updates other entries that refer to that entry.
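To make concrete what "other entries that refer to that entry" means, here is an added toy model of referential integrity in Python. It is not Oracle Internet Directory's code: it assumes a small set of DN-valued attributes (uniquemember, member, manager, owner), naive DN normalization, and constructed sample entries, and it shows the stale references that are left behind when the feature is off.

```python
"""Toy model of LDAP referential integrity.

Added example, not Oracle Internet Directory code. Entries hold DN-valued
attributes (the attribute set below is an assumption for the illustration)
that point at other entries; a rename or delete of the target must be
propagated to every referrer, otherwise dangling references remain.
DN handling is deliberately simple (split on commas, lowercase); a real
server normalizes DNs per RFC 4514.
"""
from copy import deepcopy

REFERENCE_ATTRS = ("uniquemember", "member", "manager", "owner")

# Constructed sample data, not taken from the page.
SAMPLE_DIRECTORY = {
    "cn=jdoe,cn=users,dc=example,dc=com": {
        "objectclass": ["inetorgperson"], "cn": ["jdoe"]},
    "cn=asmith,cn=users,dc=example,dc=com": {
        "objectclass": ["inetorgperson"], "cn": ["asmith"],
        "manager": ["cn=jdoe,cn=users,dc=example,dc=com"]},
    "cn=dbadmins,cn=groups,dc=example,dc=com": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["cn=jdoe,cn=users,dc=example,dc=com",
                         "cn=asmith,cn=users,dc=example,dc=com"]},
}


def normalize_dn(dn: str) -> str:
    """Naive DN normalization: trim whitespace around RDNs and lowercase."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class Directory:
    def __init__(self, entries, referential_integrity=True):
        self.entries = {normalize_dn(dn): deepcopy(attrs) for dn, attrs in entries.items()}
        self.referential_integrity = referential_integrity

    def _fix_references(self, old_dn, new_dn):
        """Rewrite (new_dn given) or drop (new_dn is None) every reference value
        that points at old_dn, across all entries and all DN-valued attributes."""
        for attrs in self.entries.values():
            for attr in REFERENCE_ATTRS:
                if attr not in attrs:
                    continue
                kept = []
                for value in attrs[attr]:
                    if normalize_dn(value) != old_dn:
                        kept.append(value)
                    elif new_dn is not None:
                        kept.append(new_dn)
                if kept:
                    attrs[attr] = kept
                else:
                    del attrs[attr]   # last reference removed: drop the attribute

    def delete(self, dn):
        target = normalize_dn(dn)
        del self.entries[target]
        if self.referential_integrity:
            self._fix_references(target, None)

    def rename(self, old_dn, new_dn):
        """Move an entry to a new DN (the RDN attribute value itself is not
        rewritten in this toy; only references held by other entries are)."""
        old, new = normalize_dn(old_dn), normalize_dn(new_dn)
        self.entries[new] = self.entries.pop(old)
        if self.referential_integrity:
            self._fix_references(old, new)

    def dangling_references(self):
        """(entry DN, attribute, value) for every reference whose target no longer
        exists. With referential integrity off, this is what stale group
        membership looks like."""
        found = []
        for dn, attrs in self.entries.items():
            for attr in REFERENCE_ATTRS:
                for value in attrs.get(attr, []):
                    if normalize_dn(value) not in self.entries:
                        found.append((dn, attr, value))
        return found


if __name__ == "__main__":
    with_ri = Directory(SAMPLE_DIRECTORY, referential_integrity=True)
    with_ri.delete("cn=jdoe,cn=users,dc=example,dc=com")
    print("with referential integrity:", with_ri.dangling_references())
    without = Directory(SAMPLE_DIRECTORY, referential_integrity=False)
    without.delete("cn=jdoe,cn=users,dc=example,dc=com")
    print("without:", without.dangling_references())
```

The second run leaves the group still listing the deleted DN. Because group membership is DN-based, an entry created later at that same DN would silently inherit the membership, which is the access-control reason to keep the feature enabled rather than cleaning references by hand.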
A further feature enables you to map entries that reside in third-party LDAP directories to part of the directory tree and access them through Oracle Internet Directory, without synchronization or data migration.
Oracle Internet Directory is integrated with several Oracle products, including the following:
Oracle Virtual Directory can use Oracle Internet Directory as one of its target repositories.
Oracle Access Manager uses Oracle Internet Directory to provide scalable, highly available back end identity storage.
Oracle Identity Federation can use Oracle Internet Directory as an identity repository. It uses Oracle Internet Directory to create SAML assertions when running as an identity provider.
Oracle Identity Manager uses Oracle Internet Directory as an LDAP target system to which it can provision identities and from which it can reconcile identity changes.
Oracle Web Services Manager uses Oracle Internet Directory as a repository of identity information which can be used to drive authentication and authorization.
OracleAS Portal enables self-service, integrated enterprise portals to store common user and group attributes in Oracle Internet Directory. The Oracle Portal administration tool also leverages the Oracle Delegated Administration Services for certain tasks.
Oracle Collaboration Suite uses Oracle Internet Directory for:
Centralized management of information about users and groups
Provisioning Oracle Collaboration Suite components—that is, notifying them whenever changes of interest are applied to data in Oracle Internet Directory
Centralized integration for enterprises connecting other directories with any Oracle Collaboration Suite component
Integrating Oracle Internet Directory and Oracle Collaboration Suite provides a common framework for user management and provisioning across all Oracle products.
Oracle Net Services uses Oracle Internet Directory to store and resolve database services and the simple names, called net service names, that can be used to represent them.
Database Enterprise User Security allows customers to easily manage database access for thousands of enterprise users. Database Enterprise users are stored in the directory together with authentication and authorization information, including database roles and privileges. When a user accesses an Oracle database, the database retrieves the user's information from Oracle Internet Directory and uses it to set the security context of the user's session on that server. Such centralized administration of database access makes it easy for administrators to control all access.
Oracle E-Business Suite is integrated with Oracle Internet Directory to provide a common framework for user management and provisioning across all Oracle products.
Oracle Secure Enterprise Search (SES) provides uniform search capabilities over multiple repositories. Oracle Internet Directory provides the basic infrastructure for SES user authentication and authorization. All users and roles defined in the Access Control Lists used by SES are stored in Oracle Internet Directory.
Oracle Internet Directory is a key element of the Oracle Identity Management Infrastructure. This enables you to deploy multiple Oracle components to work against a shared instance of Oracle Internet Directory and associated infrastructure pieces. This sharing allows an enterprise to simplify security management across all applications.
In addition to the role it plays in the Oracle Identity Management infrastructure, Oracle Internet Directory provides many powerful features for protecting information.
These security features within Oracle Internet Directory itself include:
Data integrity: Ensuring that data is not tampered with during transmission
Data privacy: Ensuring that data is not inappropriately observed during transmission between Oracle Internet Directory and other components in the network.
Authentication: Ensuring that the identities of users, hosts, and clients are correctly validated
Authorization: Ensuring that a user reads or updates only the information for which that user has privileges
Password policies: Establishing and enforcing rules for how passwords are defined and used
Password protection: Ensuring that passwords are not easily discovered by others
You can use all these features to enforce a uniform security policy for multiple applications enabled for Oracle Internet Directory, and do so in either an enterprise or hosted environment. You do this by deploying the directory for administrative delegation. This deployment allows, for example, a global administrator to delegate to department administrators access to the metadata of applications in their departments. These department administrators can then control access to their department applications.
Oracle Internet Directory follows LDAP Version 3 internationalization (I18N) standards. These standards require that the database storing directory data use the Unicode Transformation Format 8-bit (UTF-8) character set. With Oracle9i, Oracle added a new UTF-8 character set called AL32UTF8. This database character set supports Unicode 3.2 (the current version at the time of writing), including its supplementary characters. This allows Oracle Internet Directory to store the character data of almost any language supported by Oracle Globalization Support. Moreover, although several different application program interfaces are involved in the Oracle Internet Directory implementation, Oracle Internet Directory ensures that the correct character encoding is used with each API.
Although an online directory is logically centralized, it can be physically distributed onto several servers. This distribution reduces the work a single server would otherwise have to do, and enables the directory to accommodate a larger number of entries.
A distributed directory can be either replicated or partitioned. When information is replicated, the same naming contexts are stored by more than one server. When information is partitioned, one or more unique, non-overlapping naming contexts are stored on each directory server. In a distributed directory, some information may be partitioned and some may be replicated.
Oracle Internet Directory includes:
Oracle directory server, which responds to client requests for information about people and resources, and to updates of that information, by using a multitiered architecture directly over TCP/IP
Oracle directory replication server, which replicates LDAP data between Oracle directory servers
Directory administration tools, which include:
Oracle Directory Manager, which simplifies directory administration through a Java-based graphical user interface
A variety of command-line administration and data management tools invoked from LDAP clients
Directory server management tools within Oracle Enterprise Manager 10g Application Server Control Console. These tools enable you to:
Monitor real-time events and statistics from a normal browser
Start the process of collecting such data into a new repository
Oracle Internet Directory Software Developer's Kit
See Also: Oracle Identity Management Application Developer's Guide for information about the Oracle Internet Directory Software Developer's Kit.
An Oracle Internet Directory node consists of one or more directory server instances connected to the same directory store. The directory store, that is, the repository of the directory data, is an Oracle Database.
Oracle directory server runs as an application on an Oracle Database. It communicates with the database by using Oracle Net Services, Oracle's operating system-independent database connectivity solution. The database may or may not be on the same host. Figure 3-1 shows these relationships. It shows Oracle Internet Directory running as a server application. LDAP clients and the directory administration client connect to the Oracle directory server by using LDAP. The Oracle directory server connects to the Oracle database by using Oracle Net Services.
Figure 3-2 shows the various directory server components and their relationships running on a single node.
Oracle Net Services is used for all connections between the Oracle database server and:
The Oracle directory replication server
The Oracle directory server instance 1, on non-SSL port 389
The Oracle directory server instance 2, on SSL-enabled port 636
The OID Monitor
LDAP is used for connections between directory server instance 1 on non-SSL port 389 and:
Oracle Directory Manager
Oracle directory replication server
The two Oracle directory server instances and the Oracle directory replication server connect to OID Monitor by way of the operating system.
As shown in Figure 3-2, an Oracle Internet Directory node includes the following major components:
Table 3-1 Components of an Oracle Internet Directory Node
The Oracle directory replication server uses LDAP to communicate with an Oracle directory (LDAP) server instance. To communicate with the database, all components use OCI/Oracle Net Services. Oracle Directory Manager and the command-line tools communicate with the Oracle directory servers over LDAP.
Each Oracle directory server instance, also called an LDAP server instance, looks similar to what Figure 3-3 illustrates.
Figure 3-3 Oracle Directory Server Instance Architecture
One instance comprises one dispatcher process and one or more server processes. By default, there is one server process for each instance, but you can increase this number. Oracle Internet Directory dispatcher and server processes can use multiple threads to distribute the load. LDAP clients send LDAP requests to an Oracle Internet Directory listener/dispatcher process listening for LDAP commands at its port.
The Oracle Internet Directory listener/dispatcher passes the request to the Oracle directory server, which in turn creates the server processes. A server process handles an LDAP operation request and connects to the Oracle database instance to access the directory store; each client operation is handed to one of these server processes.
Multiple server processes enable Oracle Internet Directory to take advantage of multiple-processor systems. The number of server processes created is determined by the configuration parameter ORCLSERVERPROCS. The default is 1 (one).
Database connections from each server process are spawned as needed, up to a limit derived from the configuration parameter ORCLMAXCC. The number of database connections spawned by each server process is ORCLMAXCC + (ORCLMAXCC/2) + 1. The default value of ORCLMAXCC in configset0 is 2, so by default each server process can open four database connections. The server processes communicate with the database server by way of Oracle Net Services: an Oracle Net Services listener/dispatcher relays the request to the Oracle Database.
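Because every server process of every instance on a node draws connections from the same database, the figures above are what you size the database for. The following is an added capacity-planning helper in Python, not Oracle code; it applies the ORCLMAXCC + (ORCLMAXCC/2) + 1 formula per server process, multiplies by ORCLSERVERPROCS per instance, and compares the node's worst case against the Oracle Database PROCESSES initialization parameter. It assumes ORCLMAXCC/2 is integer division, and the allowance for the OID Monitor and replication server is a caller-supplied number, since the page gives no count for them.

```python
"""Capacity-planning helper for an Oracle Internet Directory node.

Added example, not Oracle code. Formula from the page: each directory server
process opens ORCLMAXCC + (ORCLMAXCC/2) + 1 database connections and an
instance runs ORCLSERVERPROCS server processes. Assumption: ORCLMAXCC/2 is
integer division (a process cannot open half a connection). The database
PROCESSES initialization parameter limits how many operating system user
processes may connect at once; if it is sized below the directory's demand,
new server-process connections fail under load.
"""

DEFAULT_ORCLSERVERPROCS = 1   # page: default is 1
DEFAULT_ORCLMAXCC = 2         # page: default in configset0 is 2


def connections_per_server_process(orclmaxcc: int = DEFAULT_ORCLMAXCC) -> int:
    """Connections one server process may open: ORCLMAXCC + ORCLMAXCC/2 + 1."""
    if orclmaxcc < 1:
        raise ValueError("ORCLMAXCC must be a positive integer")
    return orclmaxcc + orclmaxcc // 2 + 1


def connections_per_instance(orclserverprocs: int = DEFAULT_ORCLSERVERPROCS,
                             orclmaxcc: int = DEFAULT_ORCLMAXCC) -> int:
    """Worst case for one directory server instance (all its server processes)."""
    if orclserverprocs < 1:
        raise ValueError("ORCLSERVERPROCS must be a positive integer")
    return orclserverprocs * connections_per_server_process(orclmaxcc)


def node_db_connections(instances, other_components: int = 0) -> int:
    """Worst case for a node. `instances` is a list of (ORCLSERVERPROCS, ORCLMAXCC)
    pairs, one per instance; `other_components` is an assumed allowance for the
    OID Monitor and replication server, which also connect over Oracle Net."""
    return sum(connections_per_instance(p, c) for p, c in instances) + other_components


def processes_headroom(instances, db_processes: int, other_components: int = 0,
                       reserve: int = 0) -> int:
    """Spare PROCESSES slots after the directory's worst case and a reserve for
    other database users. Negative means the database is undersized."""
    return db_processes - reserve - node_db_connections(instances, other_components)


if __name__ == "__main__":
    # Constructed scenario: instance 1 tuned up, instance 2 at defaults,
    # mirroring the two instances of Figure 3-2.
    node = [(4, 10), (DEFAULT_ORCLSERVERPROCS, DEFAULT_ORCLMAXCC)]
    print("per server process at default ORCLMAXCC:", connections_per_server_process())
    print("node worst case:", node_db_connections(node, other_components=4))
    print("headroom with PROCESSES=150:",
          processes_headroom(node, 150, other_components=4, reserve=50))
```

Run it against your own configset values before raising ORCLSERVERPROCS or ORCLMAXCC: a tuned instance with four server processes at ORCLMAXCC=10 alone accounts for 64 connections, sixteen times the default.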