1
Introduction

The following sections discuss online directories, provide an overview of the Lightweight Directory Application Protocol (LDAP), and explains some of the unique features and benefits of Oracle Internet Directory.

• What is a Directory?

• What is LDAP?

• Oracle Internet Directory Features

  See Also: Chapter 2 for a fuller explanation of Oracle Internet Directory concepts, components, and architecture

What is a Directory?

A directory is a way of organizing information so that you can find it easily. It lists objects--for example, people, books in a library, merchandise in a department store--and gives details about each one. A telephone book is a familiar type of directory, a card catalog in a library is another, and a department store catalog still another.

In a computerized environment, a directory is a specialized database that stores collections of information about objects. The information in such a directory might represent any resources that require management--for example, employee names, titles, and security credentials, information about e-commerce partners, or information about shared network resources such as conference rooms and printers.

Although a directory is a database, it is designed very differently from a relational database.

• Directories are primarily read-focused. Typical use of a directory involves a relatively small number of data updates, and a potentially very large number of data retrievals. By contrast, a relational database is primarily write-focused, involving continuous recording of transactions, with retrievals done relatively infrequently--when, for example, an employee needs to generate a monthly report.

• Directories handle relatively simple transactions on relatively small units of data. For example, an application might use a directory to store and retrieve an e-mail address, a telephone number, or a digital portrait. By contrast, a relational database is designed to handle large and diverse transactions using large data items and many operations.

• Directories are location-independent. Directory applications expect, at all times, to see the same information throughout the deployment environment regardless of which server they are querying. If a queried server does not have the information locally, then the server must either retrieve it or point the client application to it transparently. By contrast, relational database applications generally expect data to be location-specific, that is, to reside on a particular database server.

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is the emerging Internet standard for directory services. It is based on the earlier ISO X.500 Directory Access Protocol (DAP) standard, but simplifies that standard considerably, allowing LDAP to be more efficient, straightforward, and easier to implement. LDAP is especially suited for deployment with Internet-centric, "thin-client" applications.

Oracle Internet Directory implements Version 3 of LDAP, which was approved as a proposed Internet Standard by the Internet Engineering Task Force (IETF) in December 1997. LDAP Version 3 improves on LDAP Version 2 in a number of important areas:

• Internationalization: LDAP Version 3 allows servers and clients to support characters used in every language in the world.

• Referrals (also called knowledge references): LDAP Version 3 implements a referral mechanism that allows servers to return references to other servers as a result of a directory query. This makes it possible to partition a Directory Information Tree (DIT) (described in Chapter 2) across multiple LDAP servers, enabling global deployment.

• Security: A standard mechanism for supporting Simple Authentication and Security Layer (SASL) and Transport Layer Security (TLS) were added, providing LDAP with a comprehensive and extensible framework for data security.

• Extensibility: LDAP Version 3 enables vendors to extend existing LDAP operations through the use of mechanisms called controls.

• Feature and schema discovery: LDAP Version 3 enables publishing information useful to other LDAP servers and clients, such as what LDAP protocols are supported and a description of the directory schema.

  See Also: RFCs 2251-2256 of the Internet Engineering Task Force, available on the Worldwide Web at: http://www.ietf.org/rfc.html "Further Reading" for an additional list of resources on LDAP

Oracle Internet Directory Features

Oracle Internet Directory is a directory service implemented as an application on the Oracle 8i database. It enables retrieval of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3, the open Internet standard directory access protocol, with the high performance, scalability, robustness, and availability of the Oracle8i Server.

Oracle Internet Directory includes:

• Oracle Directory Server, which responds to client requests for information about people and resources, and to updates of that information, using a multi-tiered architecture directly over TCP/IP

• Oracle Directory Replication Server, which replicates LDAP data between Oracle Directory Servers

• Oracle Directory Manager, a graphical user interface administration tool

• A variety of command line administration and data management tools

Oracle Internet Directory provides three solid benefits as described in the following subsections:

• Scalability

• High Availability

• Security

Scalability

Oracle Internet Directory exploits the massive strengths of the Oracle8i database, enabling support for terabytes of directory information. In addition, technologies such as multithreaded LDAP servers and database connection pooling allow it to support thousands of concurrent clients with subsecond search response times.

Oracle Internet Directory also provides data management tools, such as Oracle Directory Manager and a variety of command line tools, for manipulating large volumes of LDAP data.

High Availability

Oracle Internet Directory is designed to meet the needs of mission critical deployment applications. One way this is reflected is in its replication capability. Oracle Internet Directory supports full, multi-master replication between directory servers. This means that if one server in a replication community is unavailable for any reason, a user can access the directory data from another server. Information about changes made to data on a server is stored in special tables on the Oracle8i database. These are replicated throughout the directory environment by Oracle's Advanced Symmetric Replication (ASR), a robust, field-proven replication mechanism.

Oracle Internet Directory also leverages all of the availability features of the Oracle8i database server. Because directory information is stored securely in the Oracle8i database, it is protected by Oracle's backup capabilities. Additionally, the Oracle8i database, running with large datastores and heavy loads, can recover from system failures quickly.

Security

Oracle Internet Directory offers comprehensive and flexible support for directory access control. This includes entry level, attribute level, and prescriptive access control to provide varying levels of security to meet the specific needs of enterprise and service providers. An administrator can grant or control access to a specific directory object or to an entire directory subtree. Oracle Internet Directory implements three levels of user authentication: anonymous, password-based, and certificate-based using Secure Sockets Layer (SSL) Version 3 for authenticated access and data privacy.