Oracle Internet Directory Administrator's Guide
Release 2.0.6
Title and Copyright Information

Send Us Your Comments


Intended Audience
How This Book Is Organized
Part I: Getting Started
Part II: Managing Oracle Internet Directory
Part III: Deploying Oracle Internet Directory
Part IV: Appendixes
Related Oracle Documents

Part I Getting Started

1 Introduction

What is a Directory?
What is LDAP?
Oracle Internet Directory Features
High Availability

2 Concepts and Architecture

Kinds of Attribute Information
Single-Valued and Multi-Valued Attributes
Common LDAP Attributes
Attribute Syntax
Attribute Matching Rules
Object Classes
Subclasses, Superclasses, and Inheritance
Object Class Types
Abstract Object Classes
Structural Object Classes
Auxiliary Object Classes
Distributed Directories
Overview of Replication
Directory Replication Groups and Replication Agreements
Oracle Advanced Symmetric Replication (ASR)
Replication Architecture
How Replication Works
Anonymous Authentication
Simple Authentication
Strong Authentication with SSL
Access Control and Authorization
Data Integrity
Data Privacy
National Language Support
Oracle Internet Directory Architecture
Architectural Overview
An Oracle Internet Directory Node
An LDAP Directory Server Instance
Configuration Set Entries
How Oracle Internet Directory Works: An Example
Further Reading

3 Preliminary Tasks

Step One: Start the OID Monitor Daemon
Starting the OID Monitor Daemon
Stopping the OID Monitor Daemon
Step Two: Start Server Instances
Starting an LDAP Server Instance
Stopping an LDAP Server Instance
Starting an Oracle Directory Replication Server Instance
Stopping an Oracle Directory Replication Server Instance
Restarting Directory Server Instances
Troubleshooting Directory Server Instance Startup
Step Three: Reset the Default Security Configuration

4 Using the Administration Tools

Using Oracle Directory Manager
Starting Oracle Directory Manager
Connecting to a Directory Server
Navigating Oracle Directory Manager
The Oracle Directory Manager Menu Bar
The Oracle Directory Manager Toolbar
Connecting to Additional Directory Servers
Disconnecting from a Directory Server
Performing Administration Tasks by Using Oracle Directory Manager
Using Command Line Tools
Using Bulk Tools
Using OID Control Utility
Using the Catalog Management Tool
Using the OID Database Password Utility
Administration Tasks at a Glance

Part II Managing Oracle Internet Directory

5 Managing an Oracle Directory Server

Managing Server Configuration Set Entries
Preliminary Considerations
Managing Server Configuration Set Entries by Using Oracle Directory Manager
Viewing Configuration Set Entries
Adding Configuration Set Entries
Modifying Configuration Set Entries
Deleting Configuration Set Entries
Managing Server Configuration Set Entries by Using Command Line Tools
Adding Configuration Set Entries by Using ldapadd
Modifying and Deleting Configuration Set Entries by Using ldapmodify
Setting System Operational Attributes
Setting System Operational Attributes by Using Oracle Directory Manager
Setting System Operational Attributes by Using ldapmodify
Managing Super, Guest, and Proxy Users
Managing User Names and Passwords by Using Oracle Directory Manager
Managing User Names and Passwords by Using ldapmodify
Viewing Active Server Instance Information
Setting Debug Logging Levels by Using the OID Control Utility
Using Audit Log
Structure of Audit Log Entries
Position of Audit Log Entries in the DIT
Auditable Events
Auditing Events
Setting the Audit Level by Using Oracle Directory Manager
Setting the Audit Level by Using ldapmodify
Searching for Audit Log Entries
Searching for Audit Log Entries by Using Oracle Directory Manager
Searching for Audit Log Entries by Using ldapsearch
Changing the Password to an Oracle Data Server

6 Managing Directory Schema

Guidelines for Managing Object Classes
Adding Object Classes
Modifying Object Classes
Deleting Object Classes
Managing Object Classes by Using Oracle Directory Manager
Searching for Object Classes
Viewing Properties of Object Classes
Viewing All Object Classes in the Schema
Viewing Properties of an Individual Object Class
Adding Object Classes
Modifying Object Classes
Deleting Object Classes
Managing Object Classes by Using Command Line Tools
Example 1: Adding a New Object Class
Example 2: Modifying an Auxiliary Object Class by Adding a New Attribute
Rules for Managing Attributes
Adding Attributes
Modifying Attributes
Deleting Attributes
Managing Attributes by Using Oracle Directory Manager
Searching for Attributes
Adding an Attribute
Adding a New Attribute
Adding an Attribute by Copying an Existing Attribute
Modifying an Attribute
Indexing an Attribute
Viewing Indexed Attributes
Indexing an Attribute When You Create It
Dropping an Index from an Attribute
Managing Attributes by Using Command Line Tools
Adding and Modifying Attributes
Finding a Syntax Object ID
Indexing an Attribute by Using Command Line Tools
Indexing an Attribute for Which No Directory Data Exists
Indexing an Attribute for Which Directory Data Exists

7 Managing Directory Entries

Managing Entries by Using Oracle Directory Manager
Searching for Entries
Searching for Audit Log Entries
Viewing Directory Entry Attributes
Adding Entries
Adding a New Entry
Adding an Entry by Copying an Existing Entry
Example: Adding a User Entry by Using Oracle Directory Manager
Adding Group Entries
Modifying Entries
Example: Modifying a User Entry by Oracle Directory Manager
Managing Entries by Using Command Line Tools
Example: Adding a User Entry by Using ldapadd
Example: Modifying a User Entry by Using ldapmodify
Managing Entries by Using Bulk Tools
Importing an LDIF File by Using bulkload
Step 1: Back up the Oracle server
Step 2: Find out the Oracle Internet Directory password
Step 3: Check input for schema and data consistency violations
Step 4: Generate the input files for SQL*Loader
Step 5: Load the input files
If Bulk Loading Fails
Converting Directory Data to LDIF
Modifying a Large Number of Entries
Deleting a Large Number of Entries

8 Managing Secure Sockets Layer (SSL)

Supported Cipher Suites
SSL Client Scenarios
Configuring SSL Parameters
Configuring SSL Parameters by Using Oracle Directory Manager
Configuring SSL Parameters by Using Command Line Tools
Issues Specific to This Release of Oracle Internet Directory

9 Managing Directory Access Control

Overview of Access Control Policy Administration
Access Control Management Constructs
Access Control Policy Points
Privilege Groups
Access Control Information Components
Object: To What Are You Granting Access?
Subject: To Whom Are You Granting Access?
Operations: What Access Are You Granting?
ACL Evaluation
ACL Evaluation Precedence Rules
Assigning More Than One ACI to the Same Object
Granting Exclusionary Access to Objects
ACL Evaluation For Groups
Access Level Requirements for LDAP Operations
Managing Access Control by Using Oracle Directory Manager
Modifying Existing ACPs and their ACI Directives
Viewing an ACP
Adding Structural Access Items to an Existing ACP
Adding Content Access Items to an Existing ACP
Modifying Structural Access Items of an Existing ACP
Modifying Content Access Items of an Existing ACP
Adding an ACP and Creating Access Items
Managing ACPs: An Example
Create a New ACP
Create Another ACI
Create a Third ACI
Create a Fourth ACI
Granting Entry-Level Access
Managing Access Control by Using Command Line Tools
Managing Access Control: Examples
Setting Up an Inheritable ACP by Using ldapmodify
Setting Up Entry-Level ACIs by Using ldapmodify
Typical Access Control Policies

10 Managing Directory Replication

Installing and Configuring Replication
Step 1: Install Oracle Internet Directory on All Nodes in the DRG
Step 2: Configure Database Parameters for ASR on All Nodes
Step 3: Decide Which Node Will Serve as the ASR Master Definition Site (MDS)
Step 4: At the MDS, Set Up ASR for a Directory Replication Group
Prepare the Net8 Environment for Replication
Configure Oracle ASR For Directory Replication
Step 5: Start Oracle Directory Server Instances on All the Nodes
Step 6: Configure Replication
Replication Server Configuration Parameters
Replication Agreement Parameters
Step 7: Start the Replication Servers on All the Nodes
Toggling the Change-Log Flag
Toggling the Multi-Master Flag
Adding a Replication Node
Step 1: Stop the Replication Server on All Nodes
Step 2: Configure the New Node into the LDAP Replication Group on All the Existing
Step 3: Identify a Sponsor Node and Switch the Sponsor Node to Read-Only Mode
Step 4: Back Up the Sponsor Node by Using ldifwrite
Step 5: Perform ASR Add Node Setup
Step 6: Switch the Sponsor Node to Updatable Mode
Step 7: Start the Replication Server on All Nodes Except the New Node
Step 8: Load Data into the New Node by Using bulkload
Step 9: Start LDAP Server on the New Node
Step 10: Configure the LDAP Replication Agreement on the New Node
Step 11: Start the Replication Server on the New Node
Conflict Resolution
Entry-Level Conflicts
Attribute-Level Conflicts
Typical Causes of Conflicts
Automated Resolution of Conflicts
Manual Resolution of Conflicts
Sample Conflict Resolution Messages
The Replication Process
Adding a New Entry
Deleting an Entry
Modifying an Entry
Modifying a Relative Distinguished Name
Modifying a Distinguished Name

11 Managing National Language Support (NLS)

The NLS_LANG Environment Variable
Using NLS with LDIF Files
An LDIF file Containing Only ASCII Strings
An LDIF file Containing UTF-8 Encoded Strings
CASE 1: Native Strings (Non-UTF8)
CASE 2: UTF-8 Strings
CASE 3: BASE64 Encoding of UTF8 Strings
CASE 4: BASE64 Encoding of Native Strings
Using NLS with Command Line Tools
Specifying the -E Argument When Using Each Tool
Examples: Using the -E Argument with Command Line Tools
Setting NLS_LANG in the Client Environment
Using NLS with Bulk Tools

Part III Deploying Oracle Internet Directory

12 Capacity Planning

About Capacity Planning
Getting to Know Directory Usage Patterns: Acme Corporation
I/O Subsystem Requirements
Rough Estimates of Disk Space Requirements
Detailed Calculations of Disk Space Requirements
Memory Requirements
Network Requirements
CPU Requirements
Rough Estimates of CPU Requirements
Detailed Calculations of CPU Requirements
Summary of Capacity Plan for Acme Corporation

13 Tuning

Tools for Performance Tuning
CPU Usage Tuning
Tuning CPU for Oracle Internet Directory Processes
Tuning Oracle Internet Directory Processes When CPU Is 100% Utilized
Tuning Oracle Internet Directory Processes When CPU Is Under-Utilized
Tuning CPU for Oracle Foreground Processes
Taking Advantage of Processor Affinity on SMP Systems
Other Alternatives for a CPU Constrained System
Memory Tuning
Tuning the System Global Area (SGA) for Oracle8i
Other Alternatives for a Memory-Constrained System
Disk Tuning
Balancing Tablespaces
Database Tuning
Required Parameters
Parameters Dependent on Oracle Internet Directory Server Configuration
Using MTS
SGA Parameters Dependent on Hardware Resources
Performance Troubleshooting
If LDAP Search Performance is Poor
If LDAP Add/Modify Performance is Poor

14 High Availability And Failover

The Oracle Internet Directory/Oracle8i Technology Stack
Failover Options on Clients
Alternate Server List from User Input
Alternate Server List from the Oracle Internet Directory Server
Failover Options in the Public Network Infrastructure
Hardware-Based Connection Redirection
Software-Based Connection Redirection
Availability and Failover Capabilities in Oracle Internet Directory
Failover Options in the Private Network Infrastructure
IP Address Takeover (IPAT)
Redundant Links
Deployment Examples

Part IV Appendixes

A Syntax for LDIF and Command Line Tools

Using LDAP Data Interchange Format (LDIF)
Using Command Line Tools
Examples of ldapsearch Filters
Using Bulk Tools
Using the Catalog Management Tool
Using the OID Database Password Utility

B Adding a DSA Using the Database Copy Procedure

Sponsor Directory Site Environment
New Directory Site Environment
Tasks To Be Performed on the Sponsor Node
Tasks To Be Performed on the New Node
Verification Process

C Troubleshooting

Installation Errors
Administration Error Messages and Causes
Oracle Database Server Error Due to Schema Modifications
Standard Error Messages Returned from Oracle Directory Server
Additional Error Messages

D Using Oracle Wallet Manager

Security Concepts
Starting Oracle Wallet Manager
Managing Wallets
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Saving Changes
Saving a Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Managing Certificates
Managing User Certificates
Creating a Certificate Request
Exporting a User Certificate Request
Importing the User Certificate into the Wallet
Removing a User Certificate from a Wallet
Managing Trusted Certificates
Importing a Trusted Certificate
Removing a Trusted Certificate
Exporting a Trusted Certificate
Exporting All Trusted Certificates
Exporting a Wallet

E Using Access Control Directive Format

Schema for orclACI
Schema for orclEntryLevelACI

F Oracle Internet Directory Schema Elements

IETF Requests for Comments (RFCs) Enforced by Oracle Internet Directory
IETF Drafts Enforced by Oracle Internet Directory
Proprietary Oracle Internet Directory Schema Elements
LDAP Syntax
LDAP Syntax Enforced by Oracle Internet Directory
Commonly Used LDAP Syntax Recognized by Oracle Internet Directory
Additional LDAP Syntax Recognized by Oracle Internet Directory
Size of Attribute Values
Matching Rules
Copyright © 1999 Oracle Corporation.

All Rights Reserved.