Oracle® Fusion Middleware Administrator's Guide for Oracle Unified Directory
11g Release 2 (11.1.2)
Part Number E22648-05
This chapter provides an overview of Oracle Unified Directory and explains some of the unique features of Oracle Unified Directory.
Oracle Unified Directory is a comprehensive, next-generation directory service. It is designed for large deployments, provides high performance, and is highly extensible. Oracle Unified Directory is easy to deploy, manage, and monitor.
Oracle Unified Directory includes:
An LDAP directory server, which stores the directory data. For more information about the directory server, see Section 1.2, "Overview of Directory Server."
A proxy server, which acts as an interface between clients and the directory servers that hold the data. For more information about the proxy server, see Section 1.3, "Overview of Proxy Server."
A replication gateway between Oracle Unified Directory and Oracle Directory Server Enterprise Edition. For more information about the replication gateway, see Section 1.4, "Overview of the Replication Gateway."
For more information about which Oracle Unified Directory server mode you should use, see Section 1.1.2, "Oracle Unified Directory Installation Types."
The mode in which an Oracle Unified Directory server runs is determined by the installation type you choose, which in turn depends on your requirements.
You can choose one of the following installation types when installing Oracle Unified Directory:
If you want to create an LDAP directory server that contains directory data, then install Oracle Unified Directory as a directory server. For more information, see Setting Up the Directory Server chapter in Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.
If you want the server to act as an interface between the client and the directory server containing the data, then install Oracle Unified Directory as a proxy server. The proxy server does not contain any data. It handles client requests through load balancing or data distribution. For more information about setting up the proxy server, see Setting Up the Proxy Server chapter in Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.
If you want the Oracle Unified Directory server to replicate information between Oracle Unified Directory and Oracle Directory Server Enterprise Edition, then install Oracle Unified Directory as a replication gateway. For more information, see Setting Up the Replication Gateway chapter in Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.
You can synchronize Oracle Unified Directory with other directories using Oracle Directory Integration Platform.
You can obtain Oracle Directory Integration Platform by installing Oracle Identity Management release 188.8.131.52.0 or above.
Oracle Directory Integration Platform consists of a set of services and interfaces that facilitates synchronization and provisioning solutions between the directory and other repositories.
If you want to use Directory Integration Platform to enable synchronization for Oracle Unified Directory, you need to enable the Oracle Unified Directory changelog. For more information about how to enable the changelog in Oracle Unified Directory, see Section 26.5, "Using the External Change Log."
Directory Integration Platform synchronization can be described as follows:
Oracle Directory Integration Platform 184.108.40.206 and higher supports synchronization between Oracle Internet Directory and Oracle Unified Directory. For more information about the synchronization procedure, see the chapter "Integrating with Oracle Directory Server Enterprise Edition" in the Oracle Directory Integration Platform Administrator's Guide. Oracle Directory Server Enterprise Edition was formerly known as the Sun Java System Directory Server; when you follow that chapter, replace every reference to SJSDS with OUD for synchronization to work correctly.
To synchronize data between Oracle Unified Directory and third-party directories, integrate Oracle Directory Integration Platform with Oracle Unified Directory.
This section provides a brief overview of the directory server component of Oracle Unified Directory server.
The Oracle Unified Directory server is an LDAPv3 compliant directory server written entirely in Java. The directory server includes the following high-level functionality:
Full LDAPv3 compliance (RFC 4510-4519) with support for numerous standard and experimental extensions
High performance and space effective data storage
Ease of configuration and administration
A highly extensible administrative framework that enables you to customize most of the features listed below.
An administration connector that carries all administration traffic to the server. The administration connector listens on its own port, separate from the LDAP ports used by clients, and accepts only SSL-protected connections. Separating user traffic from administration traffic simplifies logging and monitoring, and ensures that administrative commands take precedence over commands that manipulate user data.
A graphical control panel that displays server status information and enables you to perform basic server and data administration.
Several command-line utilities to assist with configuration, administration tasks, basic monitoring, and data management. The main configuration utility (dsconfig) provides an interactive mode that walks you through most configuration tasks.
An advanced replication mechanism
Enhanced multi-master replication across directory server instances
An assured replication feature that ensures high availability of data and immediacy of data availability for specific deployment requirements
Fractional replication capabilities
Support for an external change log that publishes all changes that have occurred in a directory server database
An extensible security model
Support for various levels of authentication and confidentiality
Access to resources based on privileges
An advanced access control mechanism
Multi-faceted monitoring capabilities
Rich user management functionality
Account status notification
This section provides a brief overview of the proxy component of Oracle Unified Directory.
The Oracle Unified Directory proxy is an LDAPv3 compliant server that does not store data but routes LDAP requests from clients to the directory servers that are spread across an enterprise.
The proxy is the entry point to a directory service deployment spread over multiple directory servers and/or multiple data centers. All client requests are routed by the proxy to the appropriate remote LDAP server. The Oracle Unified Directory proxy component can be used with any LDAP v3-compliant directory server, such as the Oracle Unified Directory server or Oracle Directory Server Enterprise Edition.
In order to route data requests to the remote LDAP servers, the proxy component can be configured to use either load balancing or data distribution, or both.
You can deploy the Oracle Unified Directory proxy in very simple configurations, or in more complex, replicated scenarios, using oud-proxy-setup. Some simple deployments are detailed in Chapter 3, "Example Deployments Using the Proxy Server."
The proxy component cannot be used directly as a datastore.
As the interface between the client and the remote LDAP server, the proxy provides a number of security features for securing the connection to the data source when required. For more information about security, see Chapter 21, "Configuring Security Between the Proxy and the Data Source."
For an in-depth presentation of the elements that constitute the Oracle Unified Directory proxy, see Chapter 11, "Understanding the Proxy Functionality."
The proxy manages all the connections between a client and a data source (be it a single server, replicated server, or data center). As such, it centralizes all the rules for client connections, including handling load balancing, data distribution and security with the data source.
When you deploy the proxy for load balancing, all requests that the proxy receives are routed to one of the remote LDAP servers based on the load balancing algorithm set during deployment. This enables you to identify the back-end directory servers that the proxy should communicate with and specify the percentage of total client load each directory server should receive. Once configured, the proxy automatically distributes client queries to different directory servers conforming to the load criteria defined in the configuration.
To deploy a highly available directory service, you must have at least two replicated directory servers. Without a proxy, a request that fails on the first server is handled by the backup server only if every client knows the addresses of both data sources and is coded to resend the request to the backup when the primary fails. The proxy handles the failover and load balancing of requests itself, which simplifies high availability and scalability.
Typically, if your deployment used only one server to store all the data, you would have performance issues if your data store was too large. You could resolve this issue by replacing the single server with several servers, and splitting the data across these servers. In this case, each client application would need to know which server to search for its data. With the proxy, there is no need to replicate the distribution information for each application, because the proxy manages the distribution of requests to the appropriate data source. Instead, the client application sends a request to the proxy. The proxy knows which partition holds the requested data and handles the request using distribution.
By including the proxy in your deployment, you ease the configuration and management of client applications. The proxy centralizes and handles all requests, ensuring load balancing and/or distribution of requests.
The proxy also provides a single access point for managing security in a directory service. You can use the proxy to authorize or restrict access to remote directory servers. In addition, if you want to perform maintenance on or back up an LDAP server, you can take that server out of the proxy's routing configuration so that clients see no service interruption.
For a description of sample deployments, see Chapter 3, "Example Deployments Using the Proxy Server."
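The routing behaviour described above (weighted load balancing across replicas with failover, and data distribution by partition, the two of which can be combined) can be modelled in a few lines. The following is an added illustration written for this overview, not Oracle code and not the proxy's actual implementation: the server names, the 70/30 and 50/50 weights, the uid-based partition boundaries and the smooth weighted round-robin scheme are all assumptions chosen for the example.

```python
"""Constructed model of the routing decisions the OUD proxy makes.

Added illustration, not Oracle code. Two routing modes from the text:
 - load balancing: weighted round-robin over the live replicas of one
   data set, with automatic failover when a replica is down;
 - distribution: pick the partition that owns the entry's uid, then
   load-balance within that partition.
Server names, weights, partition bounds and DN layout are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Replica:
    name: str
    weight: int            # share of client load for this replica
    up: bool = True
    _current: int = 0      # running counter for smooth weighted round-robin


class LoadBalancer:
    """Weighted round-robin over the live replicas of one data set.

    Over any window of sum(weights) picks, each live replica is chosen
    exactly `weight` times; a replica marked down is never chosen.
    """

    def __init__(self, replicas: List[Replica]):
        self.replicas = replicas

    def pick(self) -> Replica:
        live = [r for r in self.replicas if r.up]
        if not live:
            # nothing to fail over to: the proxy would return LDAP unavailable (52)
            raise RuntimeError("all replicas for this data set are down")
        total = sum(r.weight for r in live)
        for r in live:
            r._current += r.weight
        best = max(live, key=lambda r: r._current)
        best._current -= total
        return best


@dataclass
class Partition:
    """Lexicographic partition: owns uids with lower <= uid < upper."""
    lower: str
    upper: str
    balancer: LoadBalancer


def rdn_value(dn: str, attr: str) -> str:
    """Value of the first RDN of type `attr` in `dn` (case-insensitive type)."""
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        if typ.lower() == attr.lower():
            return val.lower()
    raise ValueError(f"{attr} is not part of {dn}")


class Proxy:
    """Distribution first (which partition owns the entry), then load balancing."""

    def __init__(self, partitions: List[Partition], dist_attr: str = "uid"):
        self.partitions = partitions
        self.dist_attr = dist_attr

    def route(self, dn: str) -> str:
        key = rdn_value(dn, self.dist_attr)
        for p in self.partitions:
            if p.lower <= key < p.upper:
                return p.balancer.pick().name
        raise LookupError(f"no partition owns {dn}")


def build_demo_proxy() -> Proxy:
    # Assumed topology: uids a..m replicated on ds1/ds2 (70/30 split),
    # uids n..z replicated on ds3/ds4 (50/50). "{" is the character after "z".
    a_m = LoadBalancer([Replica("ds1", 70), Replica("ds2", 30)])
    n_z = LoadBalancer([Replica("ds3", 50), Replica("ds4", 50)])
    return Proxy([Partition("a", "n", a_m), Partition("n", "{", n_z)])


def demo() -> Dict[str, object]:
    proxy = build_demo_proxy()
    alice = "uid=alice,ou=people,dc=example,dc=com"
    counts: Dict[str, int] = {}
    for _ in range(10):                     # 10 requests: expect ds1 x7, ds2 x3
        s = proxy.route(alice)
        counts[s] = counts.get(s, 0) + 1
    proxy.partitions[0].balancer.replicas[0].up = False   # ds1 goes down
    after = proxy.route(alice)              # failover: only ds2 is eligible
    zoe = proxy.route("uid=zoe,ou=people,dc=example,dc=com")  # other partition
    return {"counts": counts, "after_failover": after, "zoe": zoe}


if __name__ == "__main__":
    print(demo())
```

The point for a deployer is in `demo()`: the client keeps sending every request for `alice` to the same proxy address, and the proxy alone decides which partition and which replica serve it, including after `ds1` drops out. Distribution and balancing are separate decisions, which is why the text says either, or both, can be configured.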
This section provides a brief overview of the replication gateway component of Oracle Unified Directory.
For information about deploying the replication gateway in a migration scenario, see Section 26.11, "Replicating Between Oracle Directory Server Enterprise Edition and Oracle Unified Directory".
Replication is the mechanism that propagates a change made on one directory server to the other directory servers in a replication topology. The replication gateway translates and propagates replication information between directory servers from Oracle Directory Server Enterprise Edition and directory servers from Oracle Unified Directory. Translations are performed on the fly, without storing any data on disk.
The main purpose of the replication gateway is to facilitate migration from an existing Oracle Directory Server Enterprise Edition deployment to an Oracle Unified Directory topology. The minimum version for this migration to succeed is Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1).
The replication gateway translates the synchronization mechanism specific to each version of the directory, offering two-way replication between the disparate topologies. The replication gateway can be regarded as a pipe that propagates updates between heterogeneous replicated topologies.
The following example shows how you can transition an existing Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) deployment to an Oracle Unified Directory topology by using the replication gateway between the two topologies.
The replication gateway is responsible for propagating changes made on the disparate servers to the entire replication topology.
Within the overall replication topology, the replication gateway acts as a two-way forwarding server. It propagates modifications from the Oracle Directory Server Enterprise Edition servers to the Oracle Unified Directory replication topology, and from the Oracle Unified Directory servers to the Oracle Directory Server Enterprise Edition replication topology. Depending on your transition scenario, you can disable propagation of changes from the Oracle Unified Directory servers to the Oracle Directory Server Enterprise Edition replication topology.
For high availability, two replication gateway servers are deployed in every transition scenario.
The replication gateway does not manage the following aspects:
Data initialization. Total update is not supported through the replication gateway. To initialize an Oracle Directory Server Enterprise Edition topology with data from an Oracle Unified Directory server, the data must be exported from the Oracle Unified Directory server and then imported to an Oracle Directory Server Enterprise Edition master server.
Schema coherency. The replication gateway does not ensure that schema is coherent across the disparate servers. The administrator must define coherent schema.
Feature translation. The replication gateway does not translate features between the disparate servers, and assumes that the topologies are homogeneous with regard to features. The best way to handle incompatible features (for example, macro ACIs, CoS, password policies) is to filter out the affected object classes and attribute types before replication occurs.
The replication gateway does provide a filtering option, for replication from Oracle Directory Server Enterprise Edition to Oracle Unified Directory. This option enables you to filter out object classes and attribute types that do not apply to Oracle Unified Directory servers. The default values that are configured for filtering take into account differences in CoS, roles, password policies and conflict resolution.
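The filtering described above has two practical consequences that are easy to get wrong when you define your own lists: an entry whose object classes exist only on the Oracle Directory Server Enterprise Edition side (a role or CoS definition) must be skipped as a whole, not forwarded with its classes stripped, and a modify operation whose every change targets a filtered attribute must be dropped rather than forwarded empty. The following is an added example that shows both rules; it is not Oracle code and not the gateway's default filter configuration. The object class and attribute names are assumptions drawn from the Oracle Directory Server Enterprise Edition schema (roles, CoS, password policy and conflict-marker attributes), and the sample entries are constructed for the example.

```python
"""Constructed example of attribute-type and object-class filtering before
ODSEE-to-OUD replication. Added illustration, not Oracle code; the filter
sets below are assumptions, not the gateway's real default list.
"""
from typing import Dict, List, Optional, Tuple

# Entries carrying any of these classes exist only on ODSEE: skip them entirely.
SKIP_ENTRY_OBJECTCLASSES = {
    "nsroledefinition", "nsmanagedroledefinition", "nsfilteredroledefinition",
    "cossuperdefinition", "cosclassicdefinition", "costemplate",
}
# Attribute types with no OUD equivalent: strip them from adds and modifies.
DROP_ATTRIBUTES = {
    "nsrole", "nsroledn", "cosattribute", "cosspecifier",
    "passwordexpirationtime", "passwordretrycount", "nsds5replconflict",
}

Entry = Dict[str, List[str]]        # attribute type (lower-cased) -> values
Mod = Tuple[str, str, List[str]]    # (add|delete|replace, attribute type, values)


def parse_ldif_entry(text: str) -> Entry:
    """Parse one LDIF entry (no continuation lines or base64 values)."""
    entry: Entry = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def filter_entry(entry: Entry) -> Optional[Entry]:
    """Return the entry to forward, or None if the whole entry is ODSEE-only."""
    classes = {v.lower() for v in entry.get("objectclass", [])}
    if classes & SKIP_ENTRY_OBJECTCLASSES:
        return None
    return {a: v for a, v in entry.items() if a not in DROP_ATTRIBUTES}


def filter_modify(mods: List[Mod]) -> List[Mod]:
    """Remove changes to filtered attributes. An empty result means the
    modify must not be forwarded at all (OUD would reject an empty change list)."""
    return [m for m in mods if m[1].lower() not in DROP_ATTRIBUTES]


# Constructed sample entries.
SAMPLE_USER = """
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
nsRoleDN: cn=admins,dc=example,dc=com
passwordExpirationTime: 20130101000000Z
"""

SAMPLE_COS_TEMPLATE = """
dn: cn=gold,ou=templates,dc=example,dc=com
objectClass: top
objectClass: costemplate
objectClass: extensibleObject
cn: gold
cosAttribute: mailquota
"""


def demo() -> Dict[str, object]:
    user = filter_entry(parse_ldif_entry(SAMPLE_USER))
    template = filter_entry(parse_ldif_entry(SAMPLE_COS_TEMPLATE))
    mixed = filter_modify([("replace", "nsRoleDN", ["cn=ops,dc=example,dc=com"]),
                           ("replace", "telephoneNumber", ["+1 555 0100"])])
    only_filtered = filter_modify([("replace", "passwordRetryCount", ["0"])])
    return {"user": user, "template": template,
            "mixed": mixed, "forward_only_filtered": bool(only_filtered)}


if __name__ == "__main__":
    print(demo())
```

In `demo()` the user entry is forwarded without its role and password-policy attributes, the CoS template is not forwarded at all, the mixed modify keeps only the `telephoneNumber` change, and the modify that touched nothing but `passwordRetryCount` yields an empty list, which the caller must treat as "do not forward".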
Replication Conflict Resolution. In the case of single-valued attributes, if different values are added simultaneously to the same single-valued attribute, the Oracle Directory Server Enterprise Edition server and the Oracle Unified Directory server handle the conflict in different ways. The Oracle Directory Server Enterprise Edition server retains the value of the last modify/add operation while the Oracle Unified Directory server retains the oldest value. These values may not always be the same.
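Because each side applies its own rule, the two topologies stay internally consistent but can end up holding different values for the same single-valued attribute, and the divergence is silent. The following added example (not Oracle code) replays such a conflict under both rules and shows the check to run on exports from each side once the gateway has been in service. The change sequence number (CSN) is modelled as a (timestamp, replica id) pair, the rules "newest CSN wins" for Oracle Directory Server Enterprise Edition and "oldest CSN wins" for Oracle Unified Directory are simplified readings of the text above, and the sample updates are constructed.

```python
"""Constructed illustration of the single-valued attribute conflict.

Added example, not Oracle code. Assumptions: a CSN is (time_ms, replica_id)
and compares as a tuple; ODSEE keeps the value with the newest CSN (last
write wins); OUD keeps the value with the oldest CSN; each side applies its
rule in whatever order the updates arrive, so the result does not depend
on arrival order, but the two sides can disagree with each other.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CSN = Tuple[int, int]   # (time in ms, replica id); tuple order is CSN order


@dataclass(frozen=True)
class Replace:
    """A replication update that replaces a single-valued attribute."""
    dn: str
    attr: str
    value: str
    csn: CSN


def last_writer_wins(new: CSN, current: CSN) -> bool:
    return new > current          # ODSEE: the newest CSN overwrites


def oldest_wins(new: CSN, current: CSN) -> bool:
    return new < current          # OUD: the oldest CSN is kept


def apply_updates(updates: List[Replace],
                  prefer: Callable[[CSN, CSN], bool]) -> Dict[str, Tuple[str, CSN]]:
    """Replay updates in arrival order; state maps attr -> (value, csn)."""
    state: Dict[str, Tuple[str, CSN]] = {}
    for u in updates:
        cur = state.get(u.attr)
        if cur is None or prefer(u.csn, cur[1]):
            state[u.attr] = (u.value, u.csn)
    return state


def resolve_both_sides(updates: List[Replace]) -> Tuple[str, str]:
    """(value kept on the ODSEE side, value kept on the OUD side).

    The OUD side is fed the updates in reverse order on purpose, to show
    that arrival order does not change the outcome under either rule."""
    attr = updates[0].attr
    odsee = apply_updates(updates, last_writer_wins)[attr][0]
    oud = apply_updates(list(reversed(updates)), oldest_wins)[attr][0]
    return odsee, oud


def diverged_single_valued(odsee_entry: Dict[str, str],
                           oud_entry: Dict[str, str]) -> List[str]:
    """Attributes present on both exports with different values. Run this
    over exports of the same entries from each topology to find the
    conflicts the gateway could not reconcile."""
    return sorted(a for a in odsee_entry
                  if a in oud_entry and odsee_entry[a] != oud_entry[a])


# Constructed conflict: the same number edited on each side 3 ms apart.
DN = "uid=alice,ou=people,dc=example,dc=com"
CONFLICT = [
    Replace(DN, "telephoneNumber", "+1 555 0100", csn=(1000, 1)),  # on an ODSEE master
    Replace(DN, "telephoneNumber", "+1 555 0199", csn=(1003, 2)),  # on an OUD replica
]


def demo() -> Dict[str, object]:
    odsee_value, oud_value = resolve_both_sides(CONFLICT)
    odsee_export = {"uid": "alice", "telephoneNumber": odsee_value}
    oud_export = {"uid": "alice", "telephoneNumber": oud_value}
    return {"odsee": odsee_value, "oud": oud_value,
            "diverged": diverged_single_valued(odsee_export, oud_export)}


if __name__ == "__main__":
    print(demo())
```

The ODSEE side settles on the later value and the OUD side on the earlier one; neither side reports an error, so comparing exports (the last function) is the only way to find such entries before the Oracle Directory Server Enterprise Edition topology is retired.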