|Oracle® Virtual Directory Product Manual
Release 10g (10.1.4.2.0)
This chapter introduces Oracle Virtual Directory and includes the following sections:
Welcome to the Oracle Virtual Directory, an LDAPv3-enabled service that provides virtualized abstraction of one or more enterprise data sources into a single directory view. Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimizing or eliminating the need to change either the infrastructure or the applications.
Oracle Virtual Directory provides five types of adapters that allow administrators to create a virtual directory suitable for the needs of one or more applications. The following is a list of the types of Oracle Virtual Directory adapters:
LDAP Adapter
Database Adapter
Local Store Adapter
Windows NTLM Adapter
Join View Adapter
Additionally, Oracle Virtual Directory supports the ability to create custom adapters using plug-ins that can connect to almost any data source with a defined API. For example, you can use custom adapters to abstract information available through web services.
Used in enterprise deployments, Oracle Virtual Directory provides the ability to translate existing directory data to match application directory requirements. Oracle Virtual Directory is particularly useful in virtually consolidating multiple directories in an existing environment to form a single virtual directory.
Oracle Virtual Directory can integrate multiple directories by using its ability to talk to multiple directory sources through its adapter architecture and provides full schema and namespace translation services. This ensures that data presented to applications from multiple proxied sources have a common and consistent format.
Intranet Identity Example
As shown in Figure 1-2, Oracle Virtual Directory can be used in several different ways. In the bottom left corner of the figure there is an internal end user (1) accessing an intranet-based web application (2).
Note:The application may or may not include a policy server as part of its own infrastructure.
During the access, the application (or policy service) requests the user's ID and password. The application or policy service then accesses Oracle Virtual Directory (3) using LDAPv3 to validate the credentials with an LDAP bind request. Oracle Virtual Directory in turn routes this request to the local directory server store (4) and validates the credentials. On validation, Oracle Virtual Directory returns the verified result to the application (2).
In a further request, the application asks Oracle Virtual Directory for the user's directory entry so that the application profile and rights can be retrieved. To do this, Oracle Virtual Directory performs a transparent join, bringing together attributes from the local directory server (4) with information from an RDBMS (5). Once collected, Oracle Virtual Directory merges the result into a single "virtual" entry and returns it to the intranet application.
Extranet Identity Example
Figure 1-2 also shows an example of Oracle Virtual Directory in an extranet identity deployment. There is an external organization or business partner user (A) accessing an extranet-based web application (B). The application contacts Oracle Virtual Directory (C) using LDAPv3 to verify the user's credentials using an LDAP bind.
At this stage, Oracle Virtual Directory recognizes that the credential maps to an external directory. Oracle Virtual Directory connects to the business partner's Oracle Virtual Directory (D) over an SSL-encrypted link and uses its own credentials to authenticate the inter-business query. Once the business partner's Oracle Virtual Directory has validated Oracle Virtual Directory (C), it recognizes the request and passes it on to the partner's internal LDAPv3 directory (E). The partner's Oracle Virtual Directory applies the appropriate inter-business access control and returns the filtered results from the directory to Oracle Virtual Directory (C), which is then able to validate the business partner user's password and return success or failure to the application (B).
Finally, as in the Intranet Application example, the application might then query Oracle Virtual Directory for additional attributes about the user. Oracle Virtual Directory performs a join linking client-supplied information from the business partner directory (E) with locally stored information in the corporate database (F).
The examples in Figure 1-2 demonstrate capabilities across a complex scenario. You see Oracle Virtual Directory acting as an information router and joiner, brokering information from multiple secure sources to meet the needs of an application or security infrastructure. Not only can Oracle Virtual Directory bring together information from within a single intranet, it can also leverage information from business partners. This is particularly important because it allows business partners to use the extranet application without having to be provisioned or managed in the host business's directory. Business partner users are authenticated by their own local directory in real time.
Oracle Virtual Directory can also play an important role as an LDAP proxy server. Business partners may optionally use Oracle Virtual Directory as a directory firewall: it authenticates and authorizes external access to internal directory information. In the bottom right of the diagram we also see how Oracle Virtual Directory's routing capabilities allow it to route to multiple internal directories or Windows Active Directory forests, keeping this information hidden from the client. As a firewall, Oracle Virtual Directory controls and limits the information seen by authorized external parties. As a virtual-directory component, Oracle Virtual Directory simplifies and restructures data for publication to business partners.
Oracle is the only vendor that provides a complete range of directory service solutions, including the following:
scalable local-store based directory server with Oracle Internet Directory
meta-directory with Directory Integration Platform
directory virtualization with Oracle Virtual Directory
Use Oracle Internet Directory when you need to store data in an LDAP server but do not have an existing directory server. Use Directory Integration Platform when you need to synchronize databases or other directory information to Oracle Internet Directory. You can also use Directory Integration Platform to synchronize data between Oracle Internet Directory and certain Oracle applications, like Oracle eBusiness Suite. Use Directory Virtualization to aggregate data from heterogeneous sources into a single directory service in real-time through direct data access.
You can use the Oracle Directory Services products independently of each other or with each other. For example, you can use Oracle Virtual Directory with Oracle Internet Directory to provide a DSML interface to Oracle Internet Directory data. You can use Oracle Internet Directory to provide scalable storage for information that you want to manage via Oracle Virtual Directory and that does not have an existing directory to leverage. Also, Directory Integration Platform with Oracle Internet Directory can use Oracle Virtual Directory to provide additional fault-tolerance support for existing virtualized data-stores. For example, if for some reason your primary enterprise directory becomes unavailable, Oracle Virtual Directory can use the Oracle Internet Directory store.
The following is a list of some of Oracle Virtual Directory's key features:
HTTP/XSLT Gateway support
Low-cost configuration and maintenance
Encryption and Strong Authentication with TLSv1 and SSLv3 support
Extremely small memory and hardware requirements
Available on any platform where Java is supported
Configurable Fail-Over and Intelligent Load-Balancing at the LDAP operation level
Granular Access Controls based on IETF's Access Control Implementation Internet Draft
Support for access to JNDI compliant directories and JDBC compliant databases
Dynamic mapping of information and schema in multiple directories
Intelligent Routing of LDAP Queries
Denial of Service protection
Overlapped namespace handling
Multiple types of adapters for various deployments
Extensible, meta-directory like, dynamic join features
Local schema support
Authentication of clients from joined directory (e.g. Active Directory or NT)
Today's directory servers are simply designed as specialized databases. By themselves, they do not provide enterprises with the tools needed to connect all possible applications into a single enterprise directory. With very few exceptions, no company has a single enterprise directory.
According to analysts, most companies have several (5 or more) directories that are intended to be used company-wide. And if the intent is to provide data to an application that is used by multiple business partners, then the number of directories increases by at least the number of business partners using the application. Oracle believes that most enterprises will need multiple tiers of directory services both internally and externally. Oracle Virtual Directory is one of the best ways to provide this requirement without duplicating data and without incurring large replicated infrastructure costs.
Typical directory and database technology fails to resolve issues that arise when corporations are made up of independent business units, divisions and partners. Today's directory server technology forces companies to build a single managed data infrastructure that requires huge political discussions on: what data it should contain, who will manage it, and more importantly who will fund it. Issues such as who should pay for directories and who should manage them become critical factors that affect the success of deploying what should be relatively simple database technology.
Figure 1-3 shows that there are a number of directory sources (bottom) in different formats and different geographies, and most importantly, owned by different parties. Added to these traditional enterprise directories are other directories such as relational databases and email systems.
The issues surrounding distribution of data are further complicated by the addition of LDAP-enabled applications such as Lotus Domino and Microsoft Exchange that have directory information but do not readily integrate into existing enterprise directories due to differing requirements in schema.
Developers have always been good at creating databases for specific purposes, because decision-making is driven by individual business managers sponsoring business-driven applications. The new trends of business-to-business web services and inter-business applications now means that the data sources within external partners must be considered in the creation of a directory services and security infrastructure strategy.
What is needed is a directory service integration layer where practical issues such as distributed security (availability, verifiability), routing (how to get to different data), integration (how do we handle differing formats), and data-level federation (merging trusted directories) must be handled. Oracle Virtual Directory is Oracle's answer to this challenge.
Oracle Virtual Directory answers this challenge via:
Data Federation: enabling directory services access that crosses political and corporate boundaries
Translation: enabling access to directory information in multiple formats including RDBMS
Data Ownership: allowing multiple organizations to share data while retaining full control and ensuring up-to-date accurate use
Security Domains: enhancing security by providing new security domain contexts
Secure Publication: providing features to ensure security and integrity of proxied data
Application-To-Directory Integration: enabling integration of applications with different directory designs and implementations
Flexible Deployment: providing flexible deployment options that allow Oracle Virtual Directory to be embedded with applications by COTS (commercial-off-the-shelf) developers and business application developers, or to be deployed by corporate IT department as a shared directory service distribution network
Low-Cost, High Value: providing a solution that is easy to deploy, maintain, and run
Oracle Virtual Directory acts as a directory gateway that processes client requests and dynamically re-routes them to one or more existing directories, regardless of format (LDAP, RDBMS, etc.). Oracle Virtual Directory does this by presenting a virtual directory hierarchy (or tree) to its clients and then assigning hierarchy branches of that tree to designated LDAP or RDBMS servers. Oracle Virtual Directory handles the issues of inter-directory security, protocol, and data translation so that LDAP-clients assume that all information comes from a single trusted LDAP directory, the Oracle Virtual Directory.
One of the least obvious but most important benefits of virtualization is data ownership. Directories are often set up by organizations with specific purposes and objectives in mind. When another organization wishes to access data owned by the first, questions arise as to who owns the data and who controls it. Politics can occur when different parties wish to use and share information. Everyone acknowledges the value in re-using existing data, but re-using data brings up many care and control issues. Many organizations that "own" data are very concerned when copies of their data go to other organizations or outside parties. Who is responsible for it? Who will ensure its accuracy? Who will ensure its security and confidentiality? If the information is copied, how does the owning organization assure itself about how the information is being used and controlled by the other party?
Virtualization through proxy technology solves many of these political problems by keeping data where it belongs: with the owner. At any time, the owner can restrict or cut off access to this data. Additionally, the owner is free to revise this information at will and can be assured that partners are always working with the latest relevant information. Most importantly, by keeping information with the owner, the use of that information can be continuously monitored and controlled by the owner. Oracle Virtual Directory supports this type of solution by not copying information; it accesses information in real time. This assures the consumer and provider that the information is current, accurate, and authorized.
Oracle Virtual Directory supports an unlimited number of directory data connection components known as adapters. Each adapter is responsible for managing a particular namespace that is represented by a specific parent distinguished name (DN). Multiple adapters can be combined and overlapped to present a customized directory tree.
Oracle Virtual Directory offers the following adapters:
LDAP Adapter: provides proxied access to LDAPv2/LDAPv3 directory servers such as Microsoft Active Directory, Novell eDirectory, Sun ONE Directory, or IBM/Tivoli SecureWay Directory, as well as other Oracle Virtual Directory servers. The LDAP Adapter provides namespace translation, advanced connection pooling, and operation-level load balancing.
Database Adapter: provides LDAP virtualization of relational database data. Almost any data structure can be mapped into a hierarchy of LDAP objects. DB Adapter also provides automatic schema mapping and attribute value translation.
Local Store Adapter: provides a local directory store that enables Oracle Virtual Directory to operate as a standalone directory server. The Local Store Adapter supports single-master replication and is compatible with other directory servers (such as IBM/Tivoli SecureWay or Netscape Directory) that support SLURPD replication.
Windows NTLM Adapter: provides LDAP virtualization of a Microsoft Windows NT domain (available only on Win32 platforms).
JoinView Adapter: provides real-time join capabilities between entries located in other Oracle Virtual Directory adapters. The JoinView Adapter provides an extendible API that allows the development of customer specific joiners. The JoinView Adapter comes with three out-of-the-box Joiners: Simple, OneToMany, and Shadow. These joiners demonstrate the widely ranging capabilities of the Oracle Virtual Directory joiner and the different join functions that can be performed.
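The following is an added example, not Oracle Virtual Directory's own code, showing what the transparent join in the intranet example and the Simple and OneToMany joiner behaviours described above amount to: a primary LDAP entry is joined to rows from a database adapter on a shared key, and the merged entry is presented under the virtual namespace instead of the backend's. The entries, rows and DNs are constructed for the example; the attribute names, the join key employeenumber and the two namespace DNs are assumptions, and the Shadow joiner is not shown.

```python
# Added example: a JoinView-style join of an LDAP entry with database rows (not Oracle's code).

# Constructed sample data: entries as the LDAP adapter returns them (values are lists, as in LDAP).
LDAP_ENTRIES = {
    "uid=bob,ou=users,dc=corp,dc=local": {"uid": ["bob"], "cn": ["Bob Lee"], "employeenumber": ["1001"]},
    "uid=ann,ou=users,dc=corp,dc=local": {"uid": ["ann"], "cn": ["Ann Day"], "employeenumber": ["1002"]},
}
# Constructed sample data: rows from a database adapter (HR table), columns already mapped to attribute names.
DB_ROWS = [
    {"employeenumber": "1001", "department": "Finance", "approvallimit": "5000"},
    {"employeenumber": "1001", "department": "Audit", "approvallimit": "5000"},
    {"employeenumber": "1002", "department": "Engineering", "approvallimit": "500"},
]


def matching_rows(rows, key, value):
    """Rows of the joined source whose join attribute equals the primary entry's value."""
    return [r for r in rows if str(r.get(key, "")).lower() == value.lower()]


def simple_joiner(entry, rows, key):
    """'Simple' behaviour: merge the attributes of the first matching row; the primary entry wins on conflicts."""
    merged = {attr: list(vals) for attr, vals in entry.items()}
    hits = matching_rows(rows, key, entry[key][0])
    for attr, val in (hits[0].items() if hits else ()):
        merged.setdefault(attr.lower(), [str(val)])
    return merged


def one_to_many_joiner(entry, rows, key):
    """'OneToMany' behaviour: fold every matching row into multi-valued attributes (distinct values, row order kept)."""
    merged = {attr: list(vals) for attr, vals in entry.items()}
    for row in matching_rows(rows, key, entry[key][0]):
        for attr, val in row.items():
            if attr.lower() == key:
                continue  # the join key is already on the primary entry
            values = merged.setdefault(attr.lower(), [])
            if str(val) not in values:
                values.append(str(val))
    return merged


def virtual_dn(backend_dn, backend_root, virtual_root):
    """Present the joined entry under the virtual namespace rather than the backend's (namespace translation)."""
    if not backend_dn.lower().endswith(backend_root.lower()):
        raise ValueError("entry %s is outside %s" % (backend_dn, backend_root))
    return backend_dn[: len(backend_dn) - len(backend_root)] + virtual_root


def build_view(joiner, key="employeenumber",
               backend_root="ou=users,dc=corp,dc=local", virtual_root="ou=people,dc=example,dc=com"):
    """Return {virtual DN: joined entry} for every primary entry, i.e. what the application would see."""
    return {virtual_dn(dn, backend_root, virtual_root): joiner(entry, DB_ROWS, key)
            for dn, entry in LDAP_ENTRIES.items()}


if __name__ == "__main__":
    for name, joiner in (("Simple", simple_joiner), ("OneToMany", one_to_many_joiner)):
        print(name)
        for dn, entry in build_view(joiner).items():
            print("  ", dn, entry)
```

Note that the joined entry now carries database columns (such as approvallimit) that the LDAP source never exposed; the access controls Oracle Virtual Directory applies to the virtual entry are what govern who may read them, so the join should be reviewed together with the ACLs on the virtual branch.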
When deploying new business applications across multiple business organizations, identity and security can be complicated by the existence of multiple directory security infrastructures. As Microsoft Active Directory administrators know, having multiple Windows infrastructures (forests) is great for administration and performance, but has a downside in that there is no automatic trust between forests and no inter-forest global catalogue. (Refer to Microsoft's TechNet paper Design Considerations for Delegation of Administration in Active Directory for more information.)
Oracle Virtual Directory can create a new transitive security context with fine-grained access controls that follow the IETF Internet Draft model for LDAP access control. Oracle Virtual Directory is also designed to respect the security restrictions of the source directories that it proxies. This results in a multi-layer or multi-domain security model that gives administrators control at each layer.
Oracle Virtual Directory supports a wide array of authentication models. In addition to SSL/TLS (including StartTLS) and certificate-based authentication, Oracle Virtual Directory is able to use server-to-server authentication with proxied servers (authenticating itself), or alternatively is able to pass user context through to source directories. By providing user-context at the Oracle Virtual Directory and source directory, both directories can provide end-user contextual security control.
Oracle Virtual Directory offers several data security features, for example:
SSL/TLS support: Oracle Virtual Directory offers SSL/TLS capabilities that provide for secure communication sessions with LDAP clients. This allows you greater security by allowing Oracle Virtual Directory to be the trusted transport mechanism.
Transaction Cleansing: Oracle Virtual Directory is based on a protocol conversion engine, which means that it deconstructs every query, recompiles it and assesses its validity before transmission to the trusted proxied directory sources. This protects source LDAP servers from malformed or unauthorized queries. Beyond discarding garbage requests, Oracle Virtual Directory protects limited resources from heavy loads caused by malicious attacks by allowing limits to be set on items such as:
Maximum operations per connection
Maximum concurrent connections
Maximum total connections in a specified period for a particular subject
Maximum total connections in a specified period for a particular address
Access Control: Oracle Virtual Directory implements its own access controls and provides filtered access to internal proxied directory data.
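The four limits listed above are easier to reason about as an admission policy. The following is an added example, not Oracle Virtual Directory's code and not its configuration syntax, that applies those four limits to constructed connection and bind events. Limit names, the sliding-window period and the decision strings are assumptions made for the example; the one point taken from LDAP itself is that the subject of a connection is only known once it binds, so the per-subject limit is checked at bind time while the per-address and concurrency limits are checked when the TCP connection is accepted.

```python
# Added example: connection/operation admission control with the four limits (not Oracle's code).
from collections import defaultdict, deque


class ConnectionLimits:
    """Admission policy. Times are seconds; real code would use a monotonic clock."""

    def __init__(self, max_ops_per_conn, max_concurrent, max_conns_per_period, period_seconds):
        self.max_ops = max_ops_per_conn
        self.max_concurrent = max_concurrent
        self.max_per_period = max_conns_per_period
        self.period = period_seconds
        self.open_conns = {}                         # conn_id -> {"address", "subject", "ops"}
        self.opens_by_address = defaultdict(deque)   # address -> timestamps of admitted opens
        self.binds_by_subject = defaultdict(deque)   # subject -> timestamps of successful binds

    def _recent(self, window, now):
        """Drop timestamps older than the period and return how many remain (sliding window)."""
        while window and window[0] <= now - self.period:
            window.popleft()
        return len(window)

    def open_connection(self, conn_id, address, now):
        """Return None when admitted, otherwise the name of the limit that rejected the connection."""
        if len(self.open_conns) >= self.max_concurrent:
            return "max_concurrent_connections"
        if self._recent(self.opens_by_address[address], now) >= self.max_per_period:
            return "max_connections_per_period_for_address"
        self.opens_by_address[address].append(now)
        self.open_conns[conn_id] = {"address": address, "subject": None, "ops": 0}
        return None

    def operation(self, conn_id):
        """Count one LDAP operation; once the per-connection budget is exhausted the connection is closed."""
        conn = self.open_conns.get(conn_id)
        if conn is None:
            return "unknown_connection"
        conn["ops"] += 1
        if conn["ops"] > self.max_ops:
            self.close_connection(conn_id)
            return "max_operations_per_connection"
        return None

    def bind(self, conn_id, subject, now):
        """A bind is itself an operation; the subject limit can only be checked once the subject is known."""
        rejected = self.operation(conn_id)
        if rejected:
            return rejected
        if self._recent(self.binds_by_subject[subject], now) >= self.max_per_period:
            return "max_connections_per_period_for_subject"
        self.binds_by_subject[subject].append(now)
        self.open_conns[conn_id]["subject"] = subject
        return None

    def close_connection(self, conn_id):
        """Release the concurrency slot; the per-period windows deliberately keep their history."""
        self.open_conns.pop(conn_id, None)


if __name__ == "__main__":
    # Constructed event stream: a client that reconnects in a tight loop from one address.
    limits = ConnectionLimits(max_ops_per_conn=3, max_concurrent=2, max_conns_per_period=2, period_seconds=60)
    for i in range(4):
        print("open c%d" % i, limits.open_connection("c%d" % i, "10.0.0.5", now=i) or "admitted")
```

Closing a connection frees its concurrency slot but not its per-period history: that is what stops a client from evading the address or subject limit by reconnecting quickly.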
Oracle Virtual Directory offers multiple high availability capabilities, including the following:
Fault Tolerance and Fail-Over: Oracle Virtual Directories provide fault tolerance in two forms:
they can be configured in fault tolerant configurations
they can manage flow to fault tolerant proxied sources
Multiple Oracle Virtual Directories can be quickly deployed simply by copying, or even sharing configuration files. When combined with round-robin DNS, redirector, or cluster technology, Oracle Virtual Directory provides a complete fault-tolerant solution.
For each proxied directory source, Oracle Virtual Directory can be configured to access multiple hosts (replicas) for any particular source. It intelligently fails over between hosts and spreads the load between them. Flexible configuration options allow administrators to control percentages of a load to be directed towards specific replica nodes and to indicate whether a particular host is a read-only replica or a read-write server (master). This avoids unnecessary referrals resulting from attempts to write to a read-only replica.
Load-Balancing: Oracle Virtual Directory was designed with powerful load balancing features that allow it to spread load and manage failures between its proxied LDAP directory sources.
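The replica handling described above (weighted spreading of load, read-only versus master hosts, and fail-over between replicas of one proxied source) can be stated as a small selection routine. The following is an added example, not Oracle Virtual Directory's code; the Replica class, the weight values, the set of operations treated as writes and the send callback are assumptions made for the example, and the hosts are constructed.

```python
# Added example: weighted replica selection with read/write awareness and fail-over (not Oracle's code).
import random


class Replica:
    """One host behind a proxied LDAP source; weight is the share of load it should receive."""

    def __init__(self, host, weight, writable):
        self.host, self.weight, self.writable, self.healthy = host, weight, writable, True


# LDAP operations that must reach a master; sending them to a read-only replica would only earn a referral.
WRITE_OPS = {"add", "modify", "modrdn", "delete"}


def eligible(replicas, operation):
    """Reads may use any healthy host; writes only a healthy master."""
    return [r for r in replicas if r.healthy and (r.writable or operation not in WRITE_OPS)]


def pick(replicas, operation, rng=random.random):
    """Weighted random selection among eligible hosts; rng is injectable so the choice can be tested."""
    pool = eligible(replicas, operation)
    if not pool:
        return None
    point = rng() * sum(r.weight for r in pool)
    for r in pool:
        point -= r.weight
        if point < 0:
            return r
    return pool[-1]


def dispatch(replicas, operation, send, rng=random.random):
    """Send the operation to a chosen host; on a connection failure mark that host unhealthy and fail over."""
    failed = set()
    while True:
        host = pick([r for r in replicas if r.host not in failed], operation, rng)
        if host is None:
            raise RuntimeError("no healthy host can serve %s" % operation)
        try:
            return host.host, send(host, operation)
        except ConnectionError:
            host.healthy = False
            failed.add(host.host)


if __name__ == "__main__":
    # Constructed source: two read-only replicas take 90% of reads, the master takes 10% plus all writes.
    hosts = [Replica("ro1", 70, False), Replica("ro2", 20, False), Replica("master", 10, True)]
    for op in ("search", "search", "modify"):
        print(op, "->", pick(hosts, op).host)
```

A host marked unhealthy stays out of the pool until something re-checks it; a production proxy would probe it periodically and restore it, which is omitted here.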
Oracle Virtual Directory's virtual directory tree capability allows large sets of directory information to be broken up into multiple distinct directory servers. Oracle Virtual Directory is able to recombine the separated data sets back into one virtual tree by simply gluing together the separate directory tree branches. In scenarios where either an application or the data doesn't support this, or the directory tree from separate directories needs to overlap, Oracle Virtual Directory supports routing.
Routing means search filters can be included in addition to the search base to determine optimized search targets. In this mode, Oracle Virtual Directory automatically routes queries to the appropriate virtualized directory sources enabling the ability to work with many millions of directory entries.
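The following is an added example, not Oracle Virtual Directory's code, of the mechanism the preceding paragraphs and the adapter description above rely on: each adapter owns a branch of the virtual tree (its parent DN), a search base is matched against those branches, the base is rewritten into the backend's own namespace, and where two adapters overlap on the same branch the search filter decides which sources are worth contacting. The adapter configuration, the DNs and the route_filters field are constructed for the example, and the filter parser handles only simple equality terms.

```python
# Added example: namespace routing, DN translation and filter-based routing (not Oracle's code).
from dataclasses import dataclass


def parse_dn(dn):
    """Split a DN into lower-cased RDN components, leaf first: 'cn=a,dc=x' -> ['cn=a', 'dc=x']."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_within(dn, namespace):
    """True when dn is the namespace DN itself or lies somewhere below it."""
    d, n = parse_dn(dn), parse_dn(namespace)
    return len(n) <= len(d) and d[len(d) - len(n):] == n


@dataclass
class Adapter:
    name: str
    virtual_root: str          # branch of the virtual tree this adapter owns
    backend_root: str          # what the proxied source calls that same branch
    route_filters: tuple = ()  # (attribute, value) terms; if set, the adapter only serves filters carrying one


def translate_dn(virtual_dn, adapter):
    """Namespace translation: rewrite a DN under the virtual root into the backend's naming."""
    comps, root = parse_dn(virtual_dn), parse_dn(adapter.virtual_root)
    return ",".join(comps[: len(comps) - len(root)] + parse_dn(adapter.backend_root))


def filter_terms(ldap_filter):
    """Collect (attribute, value) equality terms from a filter such as '(&(objectClass=person)(o=Acme))'.
    Deliberately minimal: substring, extensible-match and negation are not handled."""
    terms, buf = set(), ""
    for ch in ldap_filter:
        if ch == "(":
            buf = ""
        elif ch == ")":
            if "=" in buf:
                attr, value = buf.split("=", 1)
                terms.add((attr.strip().lower(), value.strip().lower()))
            buf = ""
        else:
            buf += ch
    return terms


def route(adapters, base_dn, ldap_filter="(objectClass=*)"):
    """Return [(adapter, backend_base_dn)] for every adapter a subtree search from base_dn can reach,
    deepest namespace first. Overlapping adapters are pruned by their route filters."""
    terms = filter_terms(ldap_filter)
    targets = []
    for a in adapters:
        if is_within(base_dn, a.virtual_root):       # base lies inside this adapter's branch
            backend_base = translate_dn(base_dn, a)
        elif is_within(a.virtual_root, base_dn):     # whole branch lies below the base
            backend_base = a.backend_root
        else:
            continue                                  # disjoint namespace: never contacted
        if a.route_filters and not any(t in terms for t in a.route_filters):
            continue                                  # filter says this source cannot hold a match
        targets.append((a, backend_base))
    targets.sort(key=lambda pair: -len(parse_dn(pair[0].virtual_root)))
    return targets


# Constructed configuration: two adapters overlap on ou=people, a third proxies a partner's directory.
ADAPTERS = [
    Adapter("corp-ldap", "ou=people,dc=example,dc=com", "ou=users,dc=corp,dc=local"),
    Adapter("hr-db", "ou=people,dc=example,dc=com", "o=hr_profiles",
            route_filters=(("objectclass", "hrrecord"),)),
    Adapter("partner-ovd", "ou=partners,dc=example,dc=com", "dc=partner,dc=net",
            route_filters=(("o", "acme"),)),
]


if __name__ == "__main__":
    for base, flt in (("cn=bob,ou=people,dc=example,dc=com", "(objectClass=*)"),
                      ("dc=example,dc=com", "(&(objectClass=person)(o=Acme))")):
        print(base, flt, "->", [(a.name, t) for a, t in route(ADAPTERS, base, flt)])
```

The security-relevant property is the third branch of route: an adapter whose namespace is disjoint from the search base is never contacted, so a client searching the corporate branch cannot cause queries against the partner's directory, and a partner-scoped filter is the only thing that reaches it.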
A directory is only useful if the applications it serves can gain access to the data it needs, in a form that has consistent formats or schema. But the typical enterprise environment contains a myriad of directory repositories with different schema, namespace, and data designs.
In addition to providing a secure bridge to existing directory information, Oracle Virtual Directory provides "meta-directory"-like functionality to translate and transform data on-the-fly. This functionality enables administrators to easily normalize differences in data found between different organizations and directory infrastructures.
The resulting virtualized directory view contains all the directory information an application needs to run, without needing drastic changes or integration technology to be built into the application.
Oracle Virtual Directory's management console, the Oracle Virtual Directory Manager, is a rich and extensible management environment based on the open source Eclipse platform. It simplifies deployment and management whether using a single Oracle Virtual Directory in a single environment, or in an environment with tens of servers in multiple data centers and at multiple stages of deployment.
Management can also be performed via a Web Services API with a published WSDL specification. This gives administrators the ability to script or otherwise programmatically access Oracle Virtual Directories without walking through the GUI.
Oracle Virtual Directory provides three main areas of extensibility within the product. This allows customers and consultants to enhance the functionality of Oracle Virtual Directory to meet specific business or technical integration needs.
Oracle Virtual Directory Plug-ins: Oracle Virtual Directory provides a flexible plug-in framework modeled on Java Servlet Filters. Plug-ins can be used to provide custom logic as part of a transaction or simply to connect to a custom data source. Plug-ins can be inserted globally or only for specific adapters. The ordering of plug-ins can be changed and plug-ins can be isolated to particular types of transactions. Oracle Virtual Directory's management tools provide wizards for creating new plug-ins along with examples that can be used to get started quickly.
Custom Joiners: The Oracle Virtual Directory JoinView Adapter is based on an extensible model known as Joiners. Custom Joiners can be written providing different joiner behaviors. Joiners provide functions such as mapping, joining and pre/post/handler event handling. Joiners can be written to provide simple entry level joins, or can be extended to provide complex join logic, or transaction handling and rollback capability.
Web Gateway: Oracle Virtual Directory includes a customizable DSML/XSLT based gateway. This gateway provides basic web server support based on the Apache web server model that supports static HTML and XSLT rendered content. The gateway includes a directory-enabled interface allowing for queries as well as modification operations. Web server security enables custom delegated administration applications to be developed based on this interface.
Traditional directory integration solutions require complex LDAP provisioning and replication schemes and even synchronization to operate. These new directories then become yet another directory source that has to be maintained and managed.
As a light, real-time service, Oracle Virtual Directory improves efficiency by reusing existing directory infrastructure, rather than synchronizing and duplicating it. Oracle Virtual Directory extends the reach of existing enterprise directories and capitalizes on their value.
Oracle Virtual Directory features and benefits for businesses include:
Reducing administrative costs, improving security, and reducing risk of security breaches by eliminating issues with updates from duplication, synchronization and replication. Oracle Virtual Directory data is up-to-date and consistent at all times.
Extends enterprise applications quickly: supports enterprise directory applications and legacy data right out of the box; secure accurate data access is available for corporate resources, suppliers and customers
Ubiquitous access to information: the software is fully LDAPv3 compliant (with LDAPv2 support), works with most applications, and is compatible with many directory products, tools, and applications.
Low cost of implementation: less expensive to acquire or implement than a custom or synchronization-based solution; Oracle Virtual Directory can be deployed tactically to solve a specific application integration issue, or strategically in an overall directory infrastructure architecture.