Oracle® Identity and Access Management Introduction
10g (10.1.4.0.1)

Part Number B31291-01

4 Oracle Virtual Directory

Oracle Virtual Directory is an LDAPv3-enabled service that provides virtualized abstraction of one or more enterprise data sources into a single directory view. Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimizing or eliminating the need to change either the infrastructure or the applications.

This chapter contains the following sections:

  • 4.1 Benefits of Oracle Virtual Directory

  • 4.2 Features of Oracle Virtual Directory

  • 4.3 How Oracle Virtual Directory Works

4.1 Benefits of Oracle Virtual Directory

Oracle Virtual Directory provides the following benefits:

4.2 Features of Oracle Virtual Directory

Features of the Oracle Virtual Directory Server include:

  • 4.2.1 Data Federation

  • 4.2.2 Data Ownership

  • 4.2.3 Multiple Data Adapters

  • 4.2.4 Flexible Security Domains

  • 4.2.5 Secure Data Publication

  • 4.2.6 High Availability Support

  • 4.2.7 Application Integration

  • 4.2.8 Flexible Deployment

  • 4.2.9 Custom Application Programming Interfaces

  • 4.2.10 Low-Cost, High-Value Solutions

4.2.1 Data Federation

Oracle Virtual Directory Server acts as a directory gateway that processes client requests and dynamically re-routes them to one or more existing directories, regardless of format (LDAP, RDBMS, and so on). Oracle Virtual Directory Server does this by presenting a virtual directory hierarchy to its clients and then assigning branches of that tree to designated LDAP or RDBMS servers. Oracle Virtual Directory Server handles the issues of inter-directory security, protocol, and data translation so that LDAP clients see all information as coming from a single trusted LDAP directory, the Oracle Virtual Directory Server.

4.2.2 Data Ownership

One of the least obvious but most important benefits of virtualization is data ownership. Directories are often set up by organizations with specific purposes and objectives in mind. When another organization wishes to access data owned by the first, questions arise as to who owns the data and who controls it. Politics can occur when different parties wish to use and share information. Everyone acknowledges the value in re-using existing data, but re-using data brings up many care and control issues. Many organizations that own data are very concerned when copies of their data go to other organizations or outside parties. Who is responsible for it? Who will ensure its accuracy? Who will ensure its security and confidentiality? If the information is copied, how does the owning organization assure itself about how the information is being used and controlled by the other party?

Virtualization through proxy technology solves many of these political problems by keeping data where it belongs – with the owner. At any time, the owner can restrict or cut off access to this data. Additionally, the owner is free to revise this information at will and can be assured that partners are always working with the latest relevant information. Most importantly, by keeping information with the owner, the use of that information can be continuously monitored and controlled by the owner. Oracle Virtual Directory Server supports this type of solution by not copying information. Information is accessed through Oracle Virtual Directory Server in real time. This assures the consumer and provider that the information is current, accurate, and authorized.

4.2.3 Multiple Data Adapters

Oracle Virtual Directory Server supports an unlimited number of directory data connection components known as adapters. Each adapter is responsible for managing a particular namespace that is represented by a specific parent distinguished name (DN). Multiple adapters can be combined and overlapped to present a customized directory tree.

Oracle Virtual Directory Server supports the following adapter types:

  • LDAP Adapter—provides proxied access to LDAPv2/LDAPv3 directory servers such as Microsoft Active Directory, Novell® eDirectory™, Sun™ONE Directory, or IBM/Tivoli SecureWay® Directory, as well as other Oracle Virtual Directory Servers. The LDAP Proxy provides namespace translation as well as advanced connection pooling and operation-level load balancing.

  • Database Adapter—provides LDAP virtualization of relational database data. Almost any data structure can be mapped into a hierarchy of LDAP objects. The Database Adapter also provides automatic schema mapping and attribute value translation.

  • Local Store Adapter—provides a local directory store that enables Oracle Virtual Directory Server to operate as a standalone directory server. This adapter supports single-master replication and is compatible with other directory servers (such as IBM/Tivoli SecureWay® or Netscape Directory) that support SLURPD replication.

  • Windows NTLM Adapter—provides LDAP virtualization of a Microsoft Windows domain (available only on the Win32 platform).

  • JoinView Adapter—provides real-time join capabilities between entries located in other Oracle Virtual Directory Server adapters. The JoinView Adapter provides an extensible API that allows the development of customer-specific joiners. The JoinView Adapter comes with three out-of-the-box Joiners: Simple, OneToMany, and Shadow. These joiners demonstrate the wide-ranging capabilities of the Oracle Virtual Directory Server joiner and the different join functions that can be performed. More information on these joiners can be found later in the guide.

In addition to the listed adapters, Oracle Virtual Directory Server also supports the ability to create custom adapters using plug-ins that can connect to almost any data source with a defined API. For example, custom adapters can be used to abstract information available through Web services.

4.2.4 Flexible Security Domains

When deploying new business applications across multiple business organizations, identity and security can be complicated by the existence of multiple directory security infrastructures. As Microsoft Active Directory administrators know, having multiple Windows infrastructures (forests) is great for administration and performance, but has a downside: there is no automatic trust between forests and no inter-forest global catalogue.


See Also:

Microsoft TechNet Paper: Design Considerations for Delegation of Administration in Active Directory, http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx.

Oracle Virtual Directory Server is able to create a new transitive security context with fine-grained access controls built to support all IETF standards for access control, while supporting the IETF draft model for implementation. Oracle Virtual Directory Server is also designed to properly integrate with security restrictions from the source directories that it proxies. This results in a multi-layer or multi-domain security concept that gives administrators the ultimate security control.

Oracle Virtual Directory Server supports a wide array of authentication models. In addition to SSL/TLS (including StartTLS) and certificate-based authentication, Oracle Virtual Directory Server is able to use server-to-server authentication with proxied servers (authenticating itself), or alternatively is able to pass user context through to source directories. By providing user-context at the Oracle Virtual Directory Server and source directory, both directories can provide end-user contextual security control.

4.2.5 Secure Data Publication

Oracle Virtual Directory Server offers standard features such as:

  • SSL/TLS—Oracle Virtual Directory Server offers SSL/TLS capabilities that provide secure communication sessions with LDAP clients. This improves security by making Oracle Virtual Directory Server the trusted transport mechanism.

  • Transaction Cleansing—Oracle Virtual Directory Server is based on a protocol conversion engine, which means that it deconstructs every query, recompiles it, and assesses its validity before transmitting it to trusted proxied directory sources. This protects source LDAP servers from malformed or unauthorized queries. After discarding these "garbage" requests, Oracle Virtual Directory Server is able to protect limited resources from exposure to heavy loads from malicious attacks by providing the ability to set limits on items such as:

    • Maximum operations per connection

    • Maximum concurrent connections

    • Maximum total connections in a specified period for a particular subject

    • Maximum total connections in a specified period for a particular address

Oracle Virtual Directory Server implements its own access controls and provides filtered access to internal proxied directory data.
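The four limits listed above can be modelled as one admission policy in front of a proxied directory. The following Python sketch is an added example, not Oracle Virtual Directory code; the limit values, the client address 198.51.100.7 and the event stream in run_demo() are constructed for the demo, and the per-subject limit is applied at bind time because that is when the subject becomes known.

```python
from collections import defaultdict, deque


class ConnectionLimits:
    # Limit values are supplied by the caller; the page names the limit types, not numbers.
    def __init__(self, max_ops_per_conn, max_concurrent, max_per_subject, max_per_address, period):
        self.max_ops, self.max_concurrent = max_ops_per_conn, max_concurrent
        self.max_per_subject, self.max_per_address, self.period = max_per_subject, max_per_address, period
        self.open = {}                          # conn_id -> operations performed so far
        self.by_address = defaultdict(deque)    # client address -> connection-open timestamps
        self.by_subject = defaultdict(deque)    # bind DN -> bind timestamps

    def _in_window(self, stamps, now):
        # Sliding window: forget events older than `period`, then count what remains.
        while stamps and now - stamps[0] >= self.period:
            stamps.popleft()
        return len(stamps)

    def connect(self, conn_id, address, now):
        if len(self.open) >= self.max_concurrent:
            return "reject:concurrent"
        if self._in_window(self.by_address[address], now) >= self.max_per_address:
            return "reject:address"
        self.open[conn_id] = 0
        self.by_address[address].append(now)
        return "accept"

    def bind(self, conn_id, subject, now):
        # The subject is only known at bind time, so the per-subject limit is applied here.
        if conn_id not in self.open:
            return "reject:no-connection"
        if self._in_window(self.by_subject[subject], now) >= self.max_per_subject:
            self.close(conn_id)
            return "reject:subject"
        self.by_subject[subject].append(now)
        return self.operation(conn_id)          # a bind also counts as an operation

    def operation(self, conn_id):
        if conn_id not in self.open:
            return "reject:no-connection"
        self.open[conn_id] += 1
        if self.open[conn_id] > self.max_ops:
            self.close(conn_id)
            return "reject:ops"
        return "accept"

    def close(self, conn_id):
        self.open.pop(conn_id, None)


def run_demo():
    # Constructed event stream from one address; the limit values are demo choices, not defaults.
    lim = ConnectionLimits(max_ops_per_conn=2, max_concurrent=2, max_per_subject=1,
                           max_per_address=3, period=60)
    out = [lim.connect("c1", "198.51.100.7", 0), lim.connect("c2", "198.51.100.7", 0)]
    out.append(lim.connect("c3", "198.51.100.7", 1))      # concurrent limit reached
    lim.close("c2")
    out.append(lim.connect("c3", "198.51.100.7", 2))      # third open inside the window
    lim.close("c3")
    out.append(lim.connect("c4", "198.51.100.7", 3))      # per-address limit reached
    out.append(lim.connect("c4", "198.51.100.7", 61))     # window has slid past the t=0 opens
    out.append(lim.bind("c1", "uid=jdoe,ou=people,dc=example,dc=com", 61))
    out.append(lim.bind("c4", "uid=jdoe,ou=people,dc=example,dc=com", 62))   # per-subject limit
    out += [lim.operation("c1"), lim.operation("c1")]     # second op allowed, third rejected
    return out
```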

4.2.6 High Availability Support

Oracle Virtual Directory provides the following high availability support:

  • Fault Tolerance and Failover—Oracle Virtual Directory Servers provide fault tolerance in two forms:

    • They can be configured in fault-tolerant configurations

    • They can manage flow to fault-tolerant proxied sources

    Multiple Oracle Virtual Directory Servers can be quickly deployed simply by copying, or even sharing, configuration files. When combined with round-robin DNS, redirector, or cluster technology, Oracle Virtual Directory Server provides a complete fault-tolerant solution.

    For each proxied directory source, Oracle Virtual Directory Server can be configured to access multiple hosts (replicas) for any particular source. It intelligently fails over between hosts and spreads the load between them. Flexible configuration options allow administrators to control percentages of a load to be directed toward specific replica nodes and to indicate whether a particular host is a read-only replica or a read/write server (master). This avoids unnecessary referrals resulting from attempts to write to a read-only replica.

  • Load-Balancing—Oracle Virtual Directory Server has been designed with powerful load-balancing features that allow it to spread load and manage failures between its proxied LDAP directory sources.

    Oracle Virtual Directory Server's virtual directory tree capability allows large sets of directory information to be broken up into multiple distinct directory servers. Oracle Virtual Directory Server is able to recombine the separated data sets back into one virtual tree by simply "gluing" together the separate directory tree branches. In scenarios where either an application or the data doesn't support this, or the directory tree from separate directories needs to overlap, Oracle Virtual Directory Server supports "routing".

    "Routing" means search filters can be included in addition to the search base to determine optimized search targets. In this mode, Oracle Virtual Directory Server automatically routes queries to the appropriate virtualized directory sources enabling the ability to work with many millions of directory entries.

4.2.7 Application Integration

A directory is only useful if the applications it serves can gain access to the data they need, in a consistent format or schema. But the typical enterprise environment contains a myriad of directory repositories with different schema, namespace, and data designs. In addition to providing a secure bridge to existing directory information, Oracle Virtual Directory Server provides "meta-directory"-like functionality to translate and transform data on the fly. This functionality enables administrators to easily normalize differences in data found between different organizations and directory infrastructures.

The resulting virtualized directory view contains all the directory information an application needs to run, without needing drastic changes or integration technology to be built into the application.

4.2.8 Flexible Deployment

Oracle Virtual Directory Server's management console, the Oracle Virtual Directory Manager, is a rich and extensible management environment based on the open source Eclipse platform. It simplifies deployment and management whether using a single Oracle Virtual Directory Server in a single environment, or in an environment with tens of servers in multiple data centers and at multiple stages of deployment.

Management can also be performed through a Web Services API with a published WSDL specification. This gives administrators the ability to script or otherwise programmatically access Oracle Virtual Directory Servers without walking through the GUI.

4.2.9 Custom Application Programming Interfaces

Oracle Virtual Directory Server provides three main areas of extensibility within the product. These allow customers and consultants to enhance the functionality of Oracle Virtual Directory Server to meet specific business or technical integration needs.

  • Oracle Virtual Directory Server Plug-ins—Oracle Virtual Directory Server provides a flexible plug-in framework modeled on Java Servlet Filters. Plug-ins can be used to provide custom logic as part of a transaction or simply to connect to a custom data source. Plug-ins can be inserted globally or only for specific adapters. The ordering of plug-ins can be changed and plug-ins can be isolated to particular types of transactions. Oracle Virtual Directory Server's management tools provide wizards for creating new plug-ins along with examples that can be used to get started quickly.

  • Custom Joiners—The Oracle Virtual Directory Server JoinView Adapter is based on an extensible model known as Joiners. Custom Joiners can be written to provide different joiner behaviors. Joiners provide functions such as mapping, joining, and pre/post/handler event handling. Joiners can be written to provide simple entry-level joins, or can be extended to provide complex join logic, or transaction handling and rollback capability.

  • Web Gateway—Oracle Virtual Directory Server includes a customizable DSML/XSLT based gateway. This gateway provides basic Web server support based on the Apache Web server model that supports static HTML and XSLT rendered content. The gateway includes a directory-enabled interface allowing for queries as well as modification operations. Web server security enables custom delegated administration applications to be developed based on this interface.

4.2.10 Low-Cost, High-Value Solutions

Traditional directory integration solutions require complex LDAP provisioning and replication schemes and even synchronization to operate. These new directories then become yet another directory source that has to be maintained and managed.

As a light, real-time service, Oracle Virtual Directory Server improves efficiency by reusing existing directory infrastructure, rather than synchronizing and duplicating it. Oracle Virtual Directory Server extends the reach of existing enterprise directories and capitalizes on their value.

4.3 How Oracle Virtual Directory Works

This section contains the following topics:

  • 4.3.1 Intranet Identity Example

  • 4.3.2 Extranet Identity Example

  • 4.3.3 Scenario Review

4.3.1 Intranet Identity Example

In Figure 4-3, Oracle Virtual Directory Server is used in several ways. In the bottom left corner, there is an internal end user (1) accessing an intranet-based Web application (2).

Figure 4-3 Environment with Intranet and Extranet Applications


During the access, the application (or policy service) requests the user's ID and password. The application or policy service then accesses the Oracle Virtual Directory Server (3) using LDAPv3 to validate the credentials using an LDAP bind request. Oracle Virtual Directory Server in turn routes this request to the local directory server store (4) and validates the credentials. On validation, Oracle Virtual Directory Server returns the verified results to the application (2).

In a further request, the application requests the user's directory entry from Oracle Virtual Directory Server so that their application profile and rights can be retrieved. To do this, Oracle Virtual Directory Server performs a transparent join, bringing together attributes from the local directory server (4) and information from an RDBMS (5). Once collected, Oracle Virtual Directory Server merges the result into a single virtual entry and returns it to the intranet application.


Note:

The application may or may not include a policy server as part of its own infrastructure.
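As an added illustration of this bind-then-join flow, and of the namespace routing by parent DN described for adapters in Section 4.2.3, the following Python sketch is not Oracle Virtual Directory code; the adapter classes, the example DNs under dc=example,dc=com and the SQLite profiles table are invented stand-ins. It routes a DN to the adapter owning its parent namespace, validates the bind against the local store (4), and joins the entry with RDBMS (5) attributes on uid, returning a virtual entry that omits the stored password.

```python
import sqlite3


def normalize_dn(dn):
    # Case- and whitespace-insensitive comparison key (simplified RFC 4514 handling).
    return ",".join(part.strip().lower() for part in dn.split(","))


class LocalStoreAdapter:
    # Stands in for the local directory store (4): entries keyed by DN, used for the bind.
    def __init__(self, entries):
        self.entries = {normalize_dn(dn): attrs for dn, attrs in entries.items()}

    def bind(self, dn, password):
        return self.entries.get(normalize_dn(dn), {}).get("userPassword") == [password]

    def lookup(self, dn):
        return dict(self.entries.get(normalize_dn(dn)) or {}) or None


class DatabaseAdapter:
    # Stands in for the RDBMS (5): one profile row is presented as LDAP attributes.
    def __init__(self, conn):
        self.conn = conn

    def lookup_by_uid(self, uid):
        row = self.conn.execute("SELECT dept, role FROM profiles WHERE uid = ?", (uid,)).fetchone()
        return {"departmentNumber": [row[0]], "appRole": [row[1]]} if row else {}


class VirtualDirectory:
    # adapters: parent DN (namespace) -> adapter; a DN routes to the longest matching parent.
    def __init__(self, adapters):
        self.adapters = {normalize_dn(dn): a for dn, a in adapters.items()}

    def route(self, dn):
        key = normalize_dn(dn)
        hits = [s for s in self.adapters if key == s or key.endswith("," + s)]
        return self.adapters[max(hits, key=len)] if hits else None

    def bind(self, dn, password):
        adapter = self.route(dn)
        return adapter is not None and adapter.bind(dn, password)

    def joined_entry(self, dn, db_adapter):
        # Simple join on uid; the stored password never leaves the local store.
        adapter = self.route(dn)
        entry = adapter.lookup(dn) if adapter else None
        if entry is None:
            return None
        entry.pop("userPassword", None)
        entry.update(db_adapter.lookup_by_uid(entry["uid"][0]))
        return entry


def build_demo():
    # Constructed sample data: one local-store user and one matching profile row.
    local = LocalStoreAdapter({"uid=jdoe,ou=people,dc=example,dc=com": {
        "uid": ["jdoe"], "cn": ["Jane Doe"], "userPassword": ["s3cret"]}})
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (uid TEXT PRIMARY KEY, dept TEXT, role TEXT)")
    conn.execute("INSERT INTO profiles VALUES ('jdoe', 'engineering', 'reader')")
    return VirtualDirectory({"ou=people,dc=example,dc=com": local}), DatabaseAdapter(conn)
```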

4.3.2 Extranet Identity Example

In the external identity example shown in Figure 4-3, we have an external organization or business partner user (1) accessing an extranet-based Web application (2). The application contacts Oracle Virtual Directory Server (3) using LDAPv3 to verify the user's credentials using an LDAP "bind".

At this stage, Oracle Virtual Directory Server recognizes that the credential maps to an external directory. Oracle Virtual Directory Server connects to the external Oracle Virtual Directory Server (4) at the business partner using an SSL-encrypted link and uses its own credentials to validate the inter-business-unit query. Once the business partner's Oracle Virtual Directory Server has validated the Oracle Virtual Directory Server (3), it recognizes the request and passes it on to the internal LDAPv3 directory (5). The business partner's Oracle Virtual Directory Server applies the appropriate inter-business access control and returns the filtered results from the directory back to Oracle Virtual Directory Server (3), which is then able to validate the password of the business partner user and return success or failure to the application (2).

Finally, as in the intranet application example, the application might then query Oracle Virtual Directory Server for additional attributes about the user. Oracle Virtual Directory Server performs a join linking client-supplied information from the business partner directory (5) with locally stored information in the corporate database (6).

4.3.3 Scenario Review

This scenario demonstrates a range of capabilities across a fairly complex setup. We see Oracle Virtual Directory Server acting as an information router and joiner, brokering information from multiple secure sources to meet the needs of an application or security infrastructure. Not only can Oracle Virtual Directory Server bring together information from within a single intranet, it can also leverage information from business partners. This is particularly important because it allows business partners to use the extranet application without having to be provisioned or managed in the host business's directory. Business partner users are authenticated by their own local directory in real time.

Oracle Virtual Directory Server can also play an important role as an LDAP Proxy server. Oracle Virtual Directory Server may optionally be used by business partners to act as a directory firewall. Oracle Virtual Directory Server properly authenticates and authorizes external access to internal directory information. In the bottom right of the diagram we also see how Oracle Virtual Directory Server's own routing capabilities allow it to route to multiple internal directories or Windows Active Directory forests while keeping this information hidden from the client. As a firewall, Oracle Virtual Directory Server controls and limits the information that authorized external parties can see. As a virtual-directory component, Oracle Virtual Directory Server simplifies and restructures data for publication to business partners.