Oracle Internet Directory Administrator's Guide
Part Number A86101-01
An attribute that determines who has what type of access to what directory data. It contains a set of rules for structural access items, which pertain to entries, and content access items, which pertain to attributes. Access to both structural and content access items may be granted to one or more users or groups.
The group of access directives that you define. The directives grant levels of access to specific data for specific clients, or groups of clients, or both.
A feature in Oracle8i that allows database tables to be kept synchronized across two Oracle databases.
Programs to access the services of a specified application. For example, LDAP-enabled clients access directory information through programmatic calls available in the LDAP API.
A subtree on a directory server whose entries are under the control (schema, ACL, and collective attributes) of a single administrative authority.
The process by which the directory authenticates a user without requiring a user name and password combination. Each anonymous user then exercises the privileges specified for anonymous users.
An item of information that describes some aspect of an entry. An entry comprises a set of attributes, each of which belongs to an object class. Moreover, each attribute has both a type, which describes the kind of information in the attribute, and a value, which contains the actual data.
The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
Permission given to a user, program, or process to access an object or set of objects.
The process of authenticating to a directory.
An ITU X.509 v3 standard data structure that securely binds an identity to a public key. A certificate is created when an entity's public key is signed by a trusted identity: a certificate authority (CA). This certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.
A trusted third party that certifies that other entities--users, databases, administrators, clients, servers--are who they say they are. The certificate authority verifies the user's identity and grants a certificate, signing it with the certificate authority's private key.
An ordered list of certificates containing an end-user or subscriber certificate and its certificate authority certificates.
A database that records changes made to a directory server.
In SSL, a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.
The total number of clients that have established a session with Oracle Internet Directory.
The number of operations that are being executed on the directory from all of the concurrent clients. Note that this is not necessarily the same as the concurrent clients, because some of the clients may be keeping their sessions idle.
A directory entry holding the configuration parameters for a specific instance of the directory server. Multiple configuration set entries can be stored and referenced at run-time. The configuration set entries are maintained in the subtree specified by the subConfigsubEntry attribute of the DSE, which itself resides in the associated directory information base (DIB) against which the servers are started.
A specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information.
The destination service is indicated by using its service name for Oracle8i release 8.1 database or its Oracle System Identifier (SID) for Oracle release 8.0 or version 7 databases. The network route provides, at a minimum, the location of the listener through use of a network address.
A directory server that is the destination of replication updates. Sometimes called a slave.
The guarantee that the contents of the message received were not altered from the contents of the original message sent.
The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).
A knowledge reference that is returned when the base object is not in the directory, and the operation is performed in a naming context not held locally by the server. A default knowledge reference typically sends the user to a server that has more knowledge about the directory partitioning arrangement.
Data Encryption Standard, a block cipher developed by IBM and the U.S. government in the 1970s as an official standard.
A hierarchical tree-like structure consisting of the DNs of the entries.
The directory servers participating in a replication agreement.
The X.500 term for a directory server.
The unique name of a directory entry. It comprises all of the individual names of the parent entries back to the root.
DSA-specific entries. Different DSAs may hold the same DIT name, but have different contents. That is, the contents can be specific to the DSA holding it. A DSE is an entry with contents specific to the DSA holding it.
The process of disguising the contents of a message and rendering it unreadable (ciphertext) to anyone but the intended recipient.
The building block of a directory, it contains information about an object of interest to directory users.
The process of failure recognition and recovery.
A method of qualifying data, usually data that you are seeking. Filters are always expressed as DNs, for example: cn=susie smith, o=acme, c=us.
In a multi-master replication environment, an entry replicated on multiple nodes has the same DN on each node. However, even though it has the same DN, it is assigned a different GUID on each node. For example, the same DN can be replicated on both node1 and node2, but the GUID for that DN as it resides on node1 would be different from the GUID for that DN on node2.
One who is not an anonymous user, and, at the same time, does not have a specific user entry.
A protocol two computers use to initiate a communication session.
When an object class has been derived from another class, it also derives, or inherits, many of the characteristics of that other class. Similarly, an attribute subtype inherits the characteristics of its supertype.
The guarantee that the contents of the message received were not altered from the contents of the original message sent.
A protocol allowing a client to access and manipulate electronic mail messages on a server. It permits manipulation of remote message folders, also called mailboxes, in a way that is functionally equivalent to local mailboxes.
A string of bits used widely in cryptography, allowing people to encrypt and decrypt data; a key can be used to perform other mathematical operations as well. Given a cipher, a key determines the mapping of the plaintext to the ciphertext.
The time a client has to wait for a given directory operation to complete.
A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate, and the framework of design conventions supporting industry-standard directory products, such as Oracle Internet Directory.
The set of standards for formatting an input file for any of the LDAP command line utilities.
In replication, a Master Definition Site is the Oracle Internet Directory database from which the administrator runs the configuration scripts.
In replication, a master site is any site other than the Master Definition Site that participates in LDAP replication.
In a search or compare operation, determines equality between the attribute value sought and the attribute value stored. For example, matching rules associated with the telephoneNumber attribute could cause "(650) 123-4567" to be matched with either "(650) 123-4567" or "6501234567" or both. When you create an attribute, you associate a matching rule with it.
A one-way hash function that produces a 128-bit hash, or message digest. If as little as a single bit value in the file is modified, the MD4 checksum for the file will change. Forgery of a file in a way that will cause MD4 to generate the same result as that for the original file is considered extremely difficult.
An improved version of MD4.
A server that is configured to allow many user processes to share very few server processes, so the number of users that can be supported is increased. With MTS configuration, many user processes connect to a dispatcher. The dispatcher directs multiple incoming network session requests to a common queue. An idle shared server process from a shared pool of server processes picks up a request from the queue. This means a small pool of server processes can serve a large number of clients. Contrast with dedicated server.
A specialized attribute that holds values for different types of RDN. A naming attribute is identifiable by its mnemonic label, usually c, and so on. For example, the naming attribute c is the mnemonic for the naming attribute country, and it holds the RDN for specific country values.
A subtree that resides entirely on one server. It must be contiguous, that is, it must begin at an entry that serves as the top of the subtree, and extend downward to either leaf entries or knowledge references (also called referrals) to subordinate naming contexts. It can range in size from a single entry to the entire DIT.
The foundation of the Oracle family of networking products, allowing services and their client applications to reside on different computers and communicate. The main function of Net8 is to establish network sessions and transfer data between a client application and a server. Net8 is located on each computer in the network. Once a network session is established, Net8 acts as a data courier for the client and the server.
A simple name for a service that resolves to a connect descriptor. Users initiate a connect request by passing a user name and password along with a net service name in a connect string for the service to which they wish to connect:
Depending on your needs, net service names can be stored in a variety of places, including:
A named group of attributes. When you want to assign attributes to an entry, you do so by assigning to that entry the object classes that hold those attributes.
All objects associated with the same object class share the same attributes.
The utility used to change the password with which Oracle Internet Directory connects to an Oracle database.
The Oracle Internet Directory component that initiates, monitors, and terminates the Oracle directory server processes. It also controls the replication server if one is installed.
A function that is easy to compute in one direction but quite difficult to reverse compute, that is, to compute in the opposite direction.
An application programming interface (API) that allows you to create applications that use the native procedures or function calls of a third-generation language to access an Oracle database server and control all phases of SQL statement execution.
A Java-based tool with a graphical user interface for administering Oracle Internet Directory.
A general purpose directory service that enables retrieval of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of Oracle8i.
A Java-based application that security administrators use to manage public-key security credentials on clients and servers.
A unique, non-overlapping directory naming context that is stored on one directory server.
In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures.
A kind of user typically employed in an environment with a middle tier such as a firewall. In such an environment, the end user authenticates to the middle tier. The middle tier then logs into the directory on the end user's behalf, but does so as a proxy user. A proxy user has the privilege to switch identities and, once it has logged into the directory, switches to the end user's identity. It then performs operations on the end user's behalf, using the authorization appropriate to that particular end user.
In public-key cryptography, this key is made public to all; it is primarily used for encryption but can be used for verifying signatures.
Cryptography based on methods involving a public key and a private key.
The process in which the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using the recipient's private key.
A mathematically related set of two numbers where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are available only to their owners. Data encrypted with a public key can only be decrypted with its associated private key and vice versa. Data encrypted with a public key cannot be decrypted with the same public key.
A database is a structured collection of data. In a relational system, data is stored in tables consisting of one or more rows, each containing the same set of columns. Oracle makes it very easy to link the data in multiple tables. This is what makes Oracle a relational database management system, or RDBMS. It stores data in two or more tables and enables you to define relationships between the tables. The link is based on one or more fields common to both tables.
Each copy of a naming context that is contained within a single server.
Entries containing run-time information associated with invocations of Oracle Internet Directory servers, called server instances. Registry entries are stored in the directory itself, and remain there until the corresponding directory server instance stops.
The local, most granular level entry name. It has no other qualifying entry names that would serve to uniquely address the entry. In the example, cn=Smith,o=acme,c=US, the RDN is
An entry storing operational information about the directory. The information is stored in a number of attributes.
An algorithm that takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
An industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL provides authentication, encryption, and data integrity using public key infrastructure (PKI).
A discrete invocation of a directory server. Different invocations of a directory server, each started with the same or different configuration set entries and startup flags, are said to be different server instances.
A key for symmetric-key cryptosystems that is used for the duration of one message or communication session.
An entry that has the same parent as one or more other entries.
The process by which the client identifies itself to the server by means of a DN and a password which are not encrypted when sent over the network. In the simple authentication option, the server verifies that the DN and password sent by the client match the DN and password stored in the directory.
Standalone LDAP daemon.
Administrative areas control:
A specific administrative area controls one of the above aspects of administration. A specific administrative area is part of an autonomous administrative area.
In replication, the node that is used to provide initial data to a new node.
The list of DIT areas having independent schema definitions.
A type of entry containing information applicable to a group of entries in a subtree. The information can be of these types:
Subentries are located immediately below the root of an administrative area.
A knowledge reference pointing downward in the DIT to a naming context that starts immediately below an entry.
An attribute with one or more options, in contrast to that same attribute without the options. For example, a cn attribute with American English as an option is a subtype of the cn attribute without that option. Conversely, the cn attribute without an option is the supertype of the same attribute with an option.
A specific type of subentry that contains ACL information.
A special directory administrator who typically has full access to directory information.
The object class from which another object class is derived. For example, the object class person is the superclass of the object class organizationalPerson. The latter, namely, organizationalPerson, is a subclass of person and inherits the attributes contained in
A knowledge reference pointing upward to a DSA that holds a naming context higher in the DIT than all the naming contexts held by the referencing DSA.
An attribute without options, in contrast to the same attribute with one or more options. For example, the cn attribute without an option is the supertype of the same attribute with an option. Conversely, a cn attribute with American English as an option is a subtype of the cn attribute without that option.
A group of shared memory structures that contain data and control information for one Oracle database instance. If multiple users are concurrently connected to the same instance, the data in the instance SGA is shared among the users. Consequently, the SGA is sometimes referred to as the "shared global area."
An attribute holding information that pertains to the operation of the directory itself. Some operational information is specified by the directory to control the server, for example, the time stamp for an entry. Other operational information, such as access information, is defined by administrators and is used by the directory program in its processing.
The overall rate at which directory operations are being completed by Oracle Internet Directory. This is typically represented as "operations per second".
A third party identity that is qualified with a level of trust. The trust is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust issue user certificates.
A type of universal character set, a collection of 64K characters encoded in a 16-bit space. It encodes nearly every character in just about every existing character set standard, covering most written scripts used in the world. It is owned and defined by Unicode Inc. Unicode is a canonical encoding, which means its values can be passed around in different locales. But it does not guarantee a round-trip conversion between it and every Oracle character set without information loss.
The UNIX encryption algorithm.
The standard time common to every place in the world. Formerly and still widely called Greenwich Mean Time (GMT) and also World Time, UTC nominally reflects the mean solar time along the Earth's prime meridian. UTC is indicated by a z at the end of the value, for example, 200011281010z.
A variable-width encoding of UCS2 which uses sequences of 1, 2, or 3 bytes per character. Characters from 0-127 (the 7-bit ASCII characters) are encoded with one byte, characters from 128-2047 require two bytes, and characters from 2048-65535 require three bytes. The Oracle character set name for this is UTF-8 (for the Unicode 2.1 standard). The standard has left room for expansion to support the UCS4 characters with sequences of 4, 5, and 6 bytes per character.
An abstraction used to store and manage security credentials for an individual entity. It implements the storage and retrieval of credentials for use with various cryptographic services. A wallet resource locator (WRL) provides all the necessary information to locate the wallet.
A popular format from ISO used to sign public keys.