|Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory
11g Release 1 (11.1.1)
Part Number E10029-02
This section provides a brief description of new features introduced with the latest releases of Oracle Internet Directory, and points you to more information about each one. It contains these topics:
WebLogic Server Integration: Oracle Internet Directory in 11g Release 1 (11.1.1) is a system component that can use the WebLogic Administrative Domain for management services.
Fusion Middleware Control: You can manage Oracle Internet Directory by using a graphical user interface called Oracle Enterprise Manager Fusion Middleware Control
Oracle Directory Services Manager: The old graphical user interface for managing directories, Oracle Directory Manager, has been replaced by this web-based administration tool. Use it to manage Oracle Internet Directory and Oracle Virtual Directory. You can invoke it directly or from Oracle Enterprise Manager Fusion Middleware Control.
LDAP-Based Multimaster Replication: You can now use LDAP-based replication for multimaster directory replication groups. You no longer need Oracle Database Advanced Replication-based replication for this purpose. If you want to replicate Oracle Single Sign-On, however, you still must use Oracle Database Advanced Replication-based replication.
Improved Replication Manageability: You can set up and manage LDAP-based replication by using the replication wizard in Oracle Enterprise Manager Fusion Middleware Control. A separate Replication page enables you to adjust attributes that control the replication server.
Sizing and Tuning Wizard: You can obtain recommendations for tuning and sizing by running the Sizing and Tuning wizard in Oracle Enterprise Manager Fusion Middleware Control.
Integration with Common Auditing Infrastructure: Oracle Internet Directory is now integrated with the Oracle Fusion Middleware common audit framework. You can configure auditing from the command line or by using Oracle Enterprise Manager Fusion Middleware Control.
See Also: Chapter 21, "Managing Auditing"
Improvements to Referential Integrity: Referential Integrity has been completely reimplemented. You can configure it from the command line or by using Oracle Enterprise Manager Fusion Middleware Control.
Updates to Password Policy Controls and Error Messages: New controls and error messages were added to the LDAP API.
See Also: "Password Policies" in the "Extensions to the LDAP Protocol" chapter in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
Configuration Parameter Changes: Most configuration attributes for the LDAP server now reside in two entries. Instance-specific attributes are in the instance-specific configuration entry and shared attributes are in the DSA Configuration entry. You can manage most of these from the command line or by using Oracle Enterprise Manager Fusion Middleware Control or Oracle Directory Services Manager.
Improvements to Attribute and Entry Alias Support: Oracle Internet Directory now supports several different options for dereferencing aliases in a search.
See Also: Chapter 16, "Managing Alias Entries"
Extensible Matching in Search Filters: Oracle Internet Directory now supports search filters of the form attr:dn:=value. With this filter, the attribute values that appear in an entry's DN are considered part of the entry for search purposes. Oracle Internet Directory does not support extensible matching using matching rules specified in the filter. While Oracle Internet Directory supports extensible filters, ldapsearch and the Oracle LDAP API do not. You must use a different API, such as JNDI, to use this type of filter.
See Also: "Developing Applications with Standard LDAP APIs" in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
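The semantics of the attr:dn:=value filter form are easy to misread, so the following is an added example (not code from the page or from Oracle) that evaluates such filters against a few constructed in-memory entries. It shows the one thing the text states but a server log does not: with the :dn flag, an ou=people RDN in the entry's DN satisfies (ou:dn:=people) even though the entry carries no ou attribute with that value, while (ou:=people) does not match. Case-insensitive equality is assumed as the matching rule, and a filter that names an explicit matching rule (the form Oracle Internet Directory rejects) is refused by the parser. The entries, the parser and the helper names are all constructed for this example.

```python
"""Evaluate LDAP extensible-match filters of the form (attr:dn:=value)
against in-memory entries.  Added example; not Oracle Internet Directory code."""
import re
from typing import Dict, List, Tuple

# Constructed sample entries.  Two of them share uid=dlin in different branches,
# so a plain (uid:=dlin) search returns both.
ENTRIES: List[Dict[str, object]] = [
    {"dn": "uid=dlin,ou=people,o=oracle",
     "uid": ["dlin"], "cn": ["David Lin"], "ou": ["Engineering"]},
    {"dn": "uid=dlin,ou=others,o=oracle",
     "uid": ["dlin"], "cn": ["Dan Lin"], "ou": []},
    {"dn": "uid=asmith,ou=people,o=oracle",
     "uid": ["asmith"], "cn": ["Ann Smith"], "ou": ["Sales"]},
]

# Only the two forms the page describes are accepted: (attr:=value) and (attr:dn:=value).
# A filter carrying a matching-rule OID or name, e.g. (cn:caseExactMatch:=x), does not
# match this pattern and is rejected, mirroring the server's lack of support.
FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)(?P<dnflag>:dn)?:=(?P<value>[^)]*)\)$")


def parse_filter(text: str) -> Tuple[str, bool, str]:
    """Return (attribute type, dnAttributes flag, assertion value)."""
    m = FILTER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported filter: %s" % text)
    return m.group("attr").lower(), m.group("dnflag") is not None, m.group("value")


def dn_components(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs.  Naive: escaped commas are not handled."""
    comps = []
    for rdn in dn.split(","):
        t, _, v = rdn.partition("=")
        comps.append((t.strip().lower(), v.strip()))
    return comps


def entry_matches(entry: Dict[str, object], attr: str, use_dn: bool, value: str) -> bool:
    # Assumption: caseIgnore equality; the page does not state which rule applies.
    wanted = value.lower()
    if any(v.lower() == wanted for v in entry.get(attr, [])):
        return True
    if use_dn:
        # With :dn set, the RDN assertions of the entry's DN are searched as well.
        return any(t == attr and v.lower() == wanted for t, v in dn_components(entry["dn"]))
    return False


def search(entries: List[Dict[str, object]], filter_text: str) -> List[str]:
    """Return the DNs of the entries that satisfy the extensible filter."""
    attr, use_dn, value = parse_filter(filter_text)
    return [e["dn"] for e in entries if entry_matches(e, attr, use_dn, value)]


if __name__ == "__main__":
    print(search(ENTRIES, "(ou:dn:=people)"))   # both entries under ou=people
    print(search(ENTRIES, "(ou:=people)"))      # nothing: no entry has ou=people as a value
    print(search(ENTRIES, "(uid:=dlin)"))       # the two dlin entries, in different branches
```

The second call is the one that trips people up: without :dn the filter only consults stored attribute values, so a search for "everyone under ou=people" must either use a base DN and scope or the :dn form.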
Support for Oracle Single Sign-On and Oracle Delegated Administration Services 10g (10.1.4.3.0) or later: Oracle Fusion Middleware 11g Release 1 (11.1.1) does not include Oracle Single Sign-On or Oracle Delegated Administration Services. Oracle Internet Directory 11g Release 1 (11.1.1), however, is compatible with Oracle Single Sign-On and Oracle Delegated Administration Services 10g (10.1.4.3.0) or later.
Links to Procedural Information: This document contains a table of links to important tasks.
Identity Management Grid Control Plug-in: This new interface enables you to monitor and manage Oracle Internet Directory, Oracle Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration Platform, using the features of the Oracle Enterprise Manager 10g Grid Control Console.
Improved Bulk Tools: The following bulk tools have been converted into C executables:
Examples and descriptions in this document and in Oracle Fusion Middleware User Reference for Oracle Identity Management have been updated to reflect the new features of these tools.
See Also: The chapter on Oracle Internet Directory server administration tools in Oracle Fusion Middleware User Reference for Oracle Identity Management
Application-Specific Schema Containers: A product that adds schema to Oracle Internet Directory can have its own
Support for Attribute Aliases: You can create user-friendly aliases for attribute names.
Caching of Dynamic Groups: Dynamic group members are computed when the dynamic group is added, and the member list is kept consistent when the dynamic group is later modified.
Optimizing Searches for Large Group Entries: There is an additional technique for optimizing searches by increasing the size of the entry cache instead of disabling the entry cache.
Referential Integrity: If you enable Referential Integrity, whenever you update an entry in the directory, the server also updates other entries that refer to that entry.
New Monitoring Capabilities for Server Manageability: You can enable additional health statistics, user statistics, and security events tracking.
New Password Policy Features: You can apply a password policy to any subtree, or even a single entry. There are also more password policy attributes to choose from.
See Also: Chapter 27, "Managing Password Policies"
Server Chaining: This feature enables you to map entries that reside in third party LDAP directories to part of the directory tree and access them through Oracle Internet Directory, without synchronization or data migration.
Paging and Sorting of LDAP Search Results: The ldapsearch command now has a -T option for sorting and a -j option for paging.
See Also: ldapsearch command-line reference in Oracle Fusion Middleware User Reference for Oracle Identity Management
See Also: The chapter on extensions to the LDAP protocol in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
New Replication Features: Oracle Internet Directory Replication has been enhanced with the following features:
Two-way LDAP-Based Replication: This feature enables you to deploy fan-out replication groups where replication flows in both directions and updates at any node are replicated to the whole group.
Replication Failover: Failover of LDAP replicas from one supplier to another is supported, with administrator intervention.
Oracle Internet Directory Comparison and Reconciliation Tool: A new oidcmprec command, with improved functionality, replaces the old
See Also: oidcmprec command-line tool reference in Oracle Fusion Middleware User Reference for Oracle Identity Management
Java Server Plug-ins: The Oracle Internet Directory Plug-in Framework now supports plug-ins written in Java and in PL/SQL.
The following chapters have been moved to Oracle Fusion Middleware High Availability Guide:
"High Availability And Failover Considerations"
"Oracle Application Server Cluster (Identity Management) Configurations"
"Oracle Application Server Cold Failover Cluster (Identity Management)"
"The Directory in an Oracle Real Application Clusters Environment"
The following appendixes have been rewritten as chapters in Oracle Fusion Middleware User Reference for Oracle Identity Management:
"Syntax for LDIF and Command-Line Tools"
"Oracle Internet Directory Schema Elements"
Improved integration with other components: New features provide better integration with components such as Oracle Collaboration Suite. These features include service-to-service authentication, the service registry, and verifier generation using dynamic parameters.
Support for Certificate Matching Rule: External authentication using certificates can now take either of two forms: an exact match, in which the subject DN of the client certificate is used to authenticate the user, or a certificate hash, in which the client certificate is hashed and is then compared with a certificate hash stored in the directory.
See Also: "Direct Authentication"
Ease of deployment for Replication: Replication is now much easier to install, configure, and manage.
Ease of deployment for Clusters: Cluster configurations are now much easier to install, configure, and manage.
Enforcing access control for Oracle Internet Directory superuser: The superuser is now subject to access control policies like any other user. New ACL keywords allow you to restrict superuser access through privileged groups.
Oracle Internet Directory Server Diagnostic Tool: The OID Diagnostic Tool collects diagnostic information that helps triage issues reported on Oracle Internet Directory.
See Also: oiddiag command-line tool reference in Oracle Fusion Middleware User Reference for Oracle Identity Management
Integration with the Microsoft Windows environment: You can integrate the Oracle Application Server infrastructure with the Microsoft Windows Operating System—including Microsoft Active Directory and Microsoft Windows. This integration is achieved by using the Active Directory Connector in Oracle Directory Integration Platform and plug-ins.
See Also: The chapter on integration with Microsoft Windows in the Oracle Identity Management Integration Guide
External authentication support: You can store user security credentials in a repository other than Oracle Internet Directory—for example, a database or another LDAP directory such as Microsoft Active Directory or SunONE Directory Server. You can then use these credentials for user authentication.
See Also: The chapter on considerations for integrating with third-party connected directories in Oracle Identity Management Integration Guide
Dynamic groups: You can create and use dynamic groups whose membership, rather than being maintained in a list, is computed on the fly, based on assertions that you specify.
Query optimization: In searches, some attributes have very different response times depending on their values. You can make the response times of search operations on such attributes uniform to enhance performance.
Garbage collection framework: A garbage collector is a background database process that removes obsolete data from the directory. The Oracle Internet Directory garbage collection framework provides a default set of garbage collectors, and enables you to modify them.
Simple Authentication and Security Layer (SASL) support: Oracle Internet Directory supports the use of SASL, a method for adding authentication support to connection-based protocols. To use it, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.
See Also: "Introduction to Authentication"
Logging enhancements: This release of Oracle Internet Directory provides the following enhancements to logging and tracing:
Object-based tracing for operations associated with thread and connection identifiers. This facilitates non-interleaved and coherent logging for each LDAP operation in a multithreaded environment.
Selective tracing for chosen operations by using the operation dimension.
Structured, meaningful trace messages with additional information including thread identifier and criticality.
See Also: Chapter 22, "Managing Logging"
OID Migration Tool (ldifmigrator) enhancements: You can use this tool to reconcile data with that in an existing directory, and to directly load data into Oracle Internet Directory.
See Also: ldifmigrator command-line tool reference in Oracle Fusion Middleware User Reference for Oracle Identity Management
Client side referral caching: This new feature enables clients to cache referral information and use it to speed up referral processing.
See Also: The material on ldap_set_option and ldap_get_option in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
Fan-out and partial replication support: Oracle Internet Directory now supports:
Partial replication: that is, propagation of one or more naming contexts, rather than the entire DIT, to another node
Fan-out replication, in which a consumer, having received changes from a supplier, can then replicate those changes to one or more other consumers. Fan-out replication can be either full or partial.
See Also: Chapter 37, "Setting Up Replication"
Password policy enhancements: New password policy capabilities in Oracle Internet Directory include:
Unlocking of accounts
Forced password change upon first login
Self-resetting of password in case of account lockout or forgotten passwords
Superuser account lockout requiring reset.
IP-based account lockout
Password policy enablement or disablement by using a single attribute in the password policy entry
See Also: Chapter 27, "Managing Password Policies"
Security credential storage enhancements: New security credential storage capabilities in Oracle Internet Directory include:
Generation of O3logon verifier for enterprise users
Generation of a default set of verifiers for application bootstrapping
Generation of SASL/MD5 verifiers for directory authentication
Replication Environment Management Tool: This tool ensures that Oracle Advanced Replication is properly configured for directory replication. In the event of a directory replication failure, this tool looks for common problems and seeks to rectify them. If it cannot solve the problem, then it gives you a report of the nature of the problem and points you to a possible solution.
See Also: remtool command-line tool reference in Oracle Fusion Middleware User Reference for Oracle Identity Management
Server discovery by using DNS: This feature enables the location of a directory server in a distributed environment to be discovered dynamically by using the domain name system (DNS). Rather than storing server location information statically in an ldap.ora file on the client, that information is stored and managed in a central domain name server. The client, at request processing time, retrieves this information from the domain name server.
Bulkload tool enhancements: You can now use bulkload to add a large volume of entries to a non-empty directory. For example, you can add one million entries to a directory that has one million entries already. You can also incrementally add a medium-size number of entries to a large directory. For example, you can add 50,000 entries at a time to a directory that has five million entries already.
See Also: bulkload command-line tool reference in Oracle Fusion Middleware User Reference for Oracle Identity Management
Oracle Application Server Cluster (Identity Management) directory server configuration support: This configuration provides high availability of a directory server by running multiple directory server instances on different hardware nodes. The directory servers are connected to the same underlying data store, which is an Oracle Database.
Two-way provisioning between Oracle Internet Directory and other application directories: The Oracle Directory Provisioning Integration Service can send notification of provisioning events bidirectionally between Oracle Internet Directory and other applications.
Integration of provisioning data with the Oracle E-Business Suite: You can synchronize user accounts and other user information from the Oracle E-Business Suite to Oracle Internet Directory by using the Oracle Directory Provisioning Integration Service.
See Also: The chapter on integration with the Oracle E-Business Suite in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform
Installation of Oracle Internet Directory on Oracle Real Application Clusters: You can install Oracle Internet Directory on Oracle Real Application Clusters. When you do this, both the software and schema for Oracle Internet Directory are installed on the primary node, while only the software is installed on the secondary nodes.
See Also: The installation documentation for this release of Oracle Internet Directory
Oracle Directory Manager enhancements: Oracle Directory Manager now enables you to manage the following:
Debug logging to a finer degree than previously
Enhancement of ACLs
Oracle Internet Directory Self-Service Console enhancements: Oracle Internet Directory Self-Service Console, a graphical administrative tool built with Oracle Delegated Administration Services units, enables you to manage the following:
Oracle Internet Directory Self-Service Console also enables you to view your organization chart, and users to edit their own profiles.
See Also: The chapter about the Oracle Internet Directory Self-Service Console in Oracle Identity Management Guide to Delegated Administration
See Also: Oracle Fusion Middleware Upgrade Planning Guide for information about upgrading from an earlier version of Oracle Internet Directory
This section describes an important new feature employing the capabilities of Oracle Internet Directory. It also explains changes in Oracle Internet Directory since Release 9.0.2.
User Migration Utility for bulk-migrating database users to Oracle Internet Directory: This utility, released with Oracle Advanced Security Release 2 (9.2), enables you to migrate users from a local or external database to Oracle Internet Directory. Use it to store and centrally manage thousands of users in Oracle Internet Directory.
Beginning with Oracle Internet Directory Release 9.2, the Oracle Delegated Administration Services and tools built on it are components of Oracle Application Server and not the Oracle Database. To ensure that you have the self-management tools for administering Web and Oracle Application Server applications, and that those tools are well-integrated with your middle-tier environment, Oracle recommends that you use the version of Oracle Internet Directory that is included with the Oracle Application Server. To develop and deploy tools based on the Oracle Delegated Administration Services, Oracle recommends that you use the Java and security infrastructure of Oracle Application Server.
Oracle Internet Directory Release 9.2 does not include Enterprise Manager integration for performing system diagnostics on Oracle Internet Directory instances.
This section describes the new features introduced with Oracle Internet Directory Release 9.0.2.
Server-side entry caching: This feature reduces directory query latency for LDAP clients. By configuring a server-side entry cache based on naming context, identity of client, or other available parameters, Oracle Internet Directory ensures that previously retrieved entries and their attributes are stored in shared memory, and are thus available to subsequent data requestors. Queries that conform to the configured parameters then need only retrieve a small subset of data—internal globally unique identifiers (GUIDs)—for filter-matching entries from the directory. These returned GUIDs are then used as a fast lookup mechanism into the cached entry and attribute data, which is then returned to the client.
New directory integration capabilities: Oracle Internet Directory Release 9.0.2 introduces new kinds of connectivity with other applications and repositories, both Oracle-built and otherwise. The new Oracle Directory Provisioning Integration Service and Oracle Directory Synchronization Service are built upon Oracle Directory Integration Platform (introduced with Oracle Internet Directory v2.1.1 in the Oracle8i Release 3 time frame).
Oracle Directory Provisioning Integration Service: Provisioning is the process of granting or revoking a user's access to application resources based on business rules. The user may be either a human end user or an application.
The Oracle Directory Provisioning Integration Service ensures that subscribing applications or business entities are alerted to updates in Oracle Internet Directory for keeping local repositories in synch. It enables you to synchronize local, application-specific information by using Oracle Internet Directory as a source of truth.
Oracle Directory Synchronization Service and the LDAP connector: The Oracle Directory Synchronization Service lets you reuse most previously deployed infrastructure, including but not limited to ERP and CRM systems, third-party LDAP directories, and NOS user repositories. It enables you to synchronize information between enterprise directories and Oracle Internet Directory. This allows for centralized administration, thereby reducing administrative costs. It ensures that data is consistent and up-to-date across the enterprise.
Enterprise password policy management enhancements: You can now construct password policies to ensure:
Minimum password lengths
Approved password syntaxes and retry limits
Lockout of those attempting to gain illicit access to the directory service after a certain number of failed attempts
You can now use salted SHA as a hashing algorithm. You can now select from these available hashing algorithms:
MD4: A one-way hash function that produces a 128-bit hash
MD5: An improved, and more complex, version of MD4
SHA-1: Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
Salted SHA (SSHA): SHA-1 computed over the password together with a salt, a random value generated for each password and stored alongside the hash. Because every stored value uses a different salt, an attacker cannot reuse one precomputed dictionary of hashes against the whole directory; each password has to be attacked separately.
UNIX Crypt: The traditional UNIX crypt(3) password hashing algorithm
Of these, salted SHA is the only option that resists precomputed dictionary attacks; MD4 and MD5 are cryptographically broken and should not be chosen for new deployments.
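The salted SHA scheme described above, as an added example that is not part of the original page and not Oracle's own code. It assumes the {SSHA} storage layout used by most LDAP servers, base64 of the SHA-1 digest immediately followed by the salt; whether Oracle Internet Directory stores exactly these bytes is an assumption, as is the 8-byte salt length. The word list and the attacker's precomputed table are constructed for the example. The point it demonstrates is the one the text makes: a table precomputed for the unsalted {SHA} form reverses a stored value instantly, while the same table is useless against {SSHA}, and the verifier still works because the salt travels with the hash.

```python
"""Generate and verify salted-SHA ({SSHA}) userPassword values and show why the
salt defeats a precomputed dictionary.  Added example; not Oracle code."""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8      # assumption: 8-byte random salt, a common LDAP choice
DIGEST_LEN = 20   # SHA-1 digest size


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return '{SSHA}' + base64( sha1(password || salt) || salt ).

    The salt is stored in the clear after the digest so that a verifier can
    recompute the digest later; it is random per password, not secret."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recover the salt from the stored value, recompute, and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def sha_hash(password: str) -> str:
    """Unsalted '{SHA}' form, kept here only to contrast with {SSHA}."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def precompute_table(wordlist) -> dict:
    """Attacker's table for the unsalted scheme: hash each candidate once, reuse forever."""
    return {sha_hash(w): w for w in wordlist}


def lookup(table: dict, stored: str):
    """Instant reversal if the stored value is unsalted and the word was in the list."""
    return table.get(stored)


if __name__ == "__main__":
    # Constructed word list standing in for an attacker's dictionary.
    table = precompute_table(["welcome1", "oracle", "secret"])
    print(lookup(table, sha_hash("oracle")))    # oracle: unsalted value found at once
    print(lookup(table, ssha_hash("oracle")))   # None: the salted value is not in the table
    stored = ssha_hash("oracle")
    print(stored)
    print(ssha_verify("oracle", stored), ssha_verify("Oracle", stored))  # True False
    print(ssha_hash("oracle") == ssha_hash("oracle"))  # False: fresh salt each time
```

Two hashes of the same password differ because each call draws a fresh salt, which is exactly why the attacker's one-time table does not transfer; an attacker who wants a particular entry's password must recompute the dictionary for that entry's salt.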
Attribute uniqueness: In the prior Oracle Internet Directory architecture, the only way to enforce attribute uniqueness was to make an attribute a part of your DN. This worked well with the user identifier (if used as the RDN), but it was not always appropriate and easy to configure. Within a level of a branch of the tree, it was guaranteed to be unique. For example, if your DN was uid=dlin,ou=people,o=oracle, then the RDN dlin would be unique directly under ou=people,o=oracle. However, you could have the same user identifier in another branch: for example, uid=dlin,ou=others,o=oracle. In short, attribute uniqueness was guaranteed only under a given branch, and only within one level.
Attributes other than dn can be used as unique keys of applications synchronizing with Oracle Internet Directory. The ability of Oracle Internet Directory to enforce attribute uniqueness enables all applications to have their own notions of "user," and to synchronize their user base with a user repository stored in an enterprise Oracle Internet Directory server.
Multiple password verifier support: Oracle Internet Directory can now store passwords for multiple applications and protocols. For example, four-digit Personal Identification Numbers (PINs) for voicemail can sit alongside longer alphanumeric single sign-on passwords and X.509 v3 digital certificates for the same user. This new feature gives the application developer far greater flexibility for directory-enabling their product stack.
Expanded proxy user capabilities: This new feature enables a developer to exploit the power of the middle tier more effectively. Users no longer need to establish independent, unrelated sessions with the directory. If a middle-tier from Oracle Application Server or elsewhere invokes the proxy user bind method on behalf of numerous clients in succession, then Oracle Internet Directory respects each client's credential and privileges respectively, even though the agent doing the actual binding remains unchanged throughout.
Integration with Oracle Application Server components: Through the Oracle Directory Provisioning Integration Service, Oracle Internet Directory Release 9.0.2 serves as a central component of the Oracle Application Server. Every component of Oracle Application Server now uses Oracle Internet Directory for storing common cross-component metadata, such as valid user identifiers and their passwords.
Enterprise Manager integration: You can start, stop, and monitor Oracle Internet Directory instances by using the standard, newly-enhanced Enterprise Manager console. You can perform system diagnostics on running Oracle Internet Directory instances, and generate performance graphs to determine ongoing performance and peak load times.
Oracle Directory Manager enhancements: Oracle Internet Directory's standalone, 100% Java administration console, Oracle Directory Manager, has now evolved in many ways. You can use it to:
Construct password policies
Configure Oracle Directory Synchronization Service and Oracle Internet Directory connectors and agents
In general, any directory-specific configuration or maintenance task not available at the high-level Oracle Enterprise Manager GUI can now be done through Oracle Directory Manager and command-line interfaces supplied with Oracle Internet Directory.
Server-side plug-in framework: This new feature enables directory applications to roll out advanced capabilities such as referential integrity/cascading deletions of LDAP objects, external authentication of directory clients, brokered access, and synchronization with external relational tables. The plug-ins are executable before or after an LDAP command takes place, without the traditional risks of such technologies.
Entry alias dereferencing: The LDAP v3 standard requires that all entries in a directory have globally unique identifiers known as distinguished names. These are typically fairly long and cumbersome to use, so Oracle Internet Directory provides this new feature to automatically dereference IETF-standard alias objects used to point to a fully qualified LDAP distinguished name. For example, "DavesServer1" can be used as an entry alias or pointer to the actual directory entry named dc=server1,dc=us,dc=oracle,dc=com. Oracle Internet Directory stores, parses, and chases all alias references for complete client-side transparency.
Delegated Administration Service
The Oracle Delegated Administration Services is a set of individual, pre-defined services—called Oracle Delegated Administration Services units—for performing directory operations on behalf of a user. It makes it easier to develop and deploy administration solutions for both Oracle directory-enabled applications and other directory-enabled applications that use Oracle Internet Directory.
Administrators can now use the Oracle Delegated Administration Services and its accompanying console to:
Create other regional or departmental administrators
Grant them specific, delegated permissions to administer users for a particular region or department
The Oracle Internet Directory Self-Service Console, a new component of the Oracle Delegated Administration Services, enables you to flexibly administer applications, realms, and end users either from a central team or through decentralization and delegation. It provides:
A unified resource for directory administrators, directory service subscribers, and end users
A view of an authorized end user's personalized preferences and the ability to update their Oracle Single Sign-On password
An intuitive user interface for searching for people and other directory-based resource information within Oracle Internet Directory.
You can use the Oracle Internet Directory Self-Service Console to configure the object classes, user groups, permissions, and other elements of directory information metadata stored in Oracle Internet Directory.
These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1 and release 3.0.1.