
Oracle® Internet Directory Application Developer's Guide
10g (9.0.4)

Part Number B10461-01

1 Introduction

This chapter briefly describes the intended audience and components of Oracle Internet Directory Software Developer's Kit 10g (9.0.4). It also lists the other components of Oracle Internet Directory and the platforms it supports.

This chapter contains these topics:

About Oracle Internet Directory Software Developer's Kit 10g (9.0.4)

Oracle Internet Directory SDK 10g (9.0.4) is intended for application developers using C, C++, and PL/SQL. Java developers can use the JNDI provider from Sun to access directory information in an Oracle Internet Directory server.

Components of the Oracle Internet Directory Software Developer's Kit

Oracle Internet Directory Software Developer's Kit 10g (9.0.4) consists of:

Application Development in the Oracle Internet Directory Environment

This section contains these topics:

Architecture of a Directory-Enabled Application

Most directory-enabled applications are backend programs that simultaneously handle multiple requests from multiple users. Figure 1-1 shows how a directory is used in such environments.

Figure 1-1 A Directory-Enabled Application


As Figure 1-1 shows, when a user request needs an LDAP operation to be performed, the directory-enabled application performs the requested operation by using a smaller set of pre-created connections to Oracle Internet Directory.

Directory Interactions During Application Lifecycle

Table 1-1 gives an overview of the typical directory interactions that an application makes during its lifecycle.

Table 1-1  Interactions During Application Lifecycle
Point in Application Lifecycle | Logic

Application Installation

  1. Create in Oracle Internet Directory an identity corresponding to the application. The application uses this identity to perform a majority of the LDAP operations.

  2. Give this identity certain LDAP authorizations, by making it part of the correct LDAP groups, so that it can:

    Accept user credentials and authenticate them against Oracle Internet Directory

    Impersonate a user--that is, become a proxy user--if certain LDAP operations must be performed on behalf of the user

Application Startup and Bootstrap

The application must retrieve the credentials to authenticate itself to Oracle Internet Directory.

If the application stores configuration metadata in Oracle Internet Directory, then it can retrieve that metadata and initialize other parts of the application.

The application can then establish a pool of connections to serve user requests.

Application Runtime

For every end-user request that needs an LDAP operation, the application can:

  • Pick a connection from the pool of LDAP connections

  • Authenticate the end-user if required, and if Oracle Application Server Single Sign-On is not used

  • Switch the user to the end-user identity, if the LDAP operation needs to be performed with the effective rights of the end-user

  • Perform the LDAP operation by using the regular API or the enhancements to it described in this chapter

  • Ensure that the effective user is now the application identity itself, once the operation is complete, if the application performed a proxy operation

  • Return the LDAP connection back to the pool of connections

Application Shutdown

Abandon any outstanding LDAP operations and close all LDAP connections.

Application Deinstallation

Remove the application identity and the associated LDAP authorizations granted to the application identity.
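
The runtime steps in Table 1-1, as an added example that is not part of Oracle's guide or SDK: a minimal in-memory model in which the effective identity is reverted to the application identity before a connection returns to the pool, and a connection still carrying an end-user identity is retired instead of reused. It makes no real LDAP calls; `conn_t`, `dir_op_fn`, `run_as_user`, the pool functions, and the DNs are hypothetical names constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define POOL_SIZE 2
#define APP_DN "cn=demoapp" /* constructed application identity */
/* Model of a pooled connection: healthy == 0 means close it, never reuse it. */
typedef struct { int in_use, healthy; char effective[64]; } conn_t;
typedef int (*dir_op_fn)(const conn_t *c, void *arg);
static conn_t pool[POOL_SIZE];

void pool_init(void) { /* startup: every connection is bound as the application */
    for (int i = 0; i < POOL_SIZE; i++)
        pool[i] = (conn_t){ .in_use = 0, .healthy = 1, .effective = APP_DN };
}

conn_t *pool_acquire(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use && pool[i].healthy) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}

/* A connection still carrying an end-user identity is retired, not reused. */
int pool_release(conn_t *c) {
    c->in_use = 0;
    if (strcmp(c->effective, APP_DN) != 0) { c->healthy = 0; return -1; }
    return 0;
}

/* Run op with the end user's effective rights; revert even when op fails. */
int run_as_user(const char *user_dn, dir_op_fn op, void *arg) {
    conn_t *c = pool_acquire();
    if (!c) return -1;
    snprintf(c->effective, sizeof c->effective, "%s", user_dn); /* proxy switch */
    int rc = op(c, arg);
    strcpy(c->effective, APP_DN);      /* back to the application identity */
    return pool_release(c) != 0 ? -1 : rc;
}

/* Constructed sample operation: records the identity it ran as, then fails. */
int failing_op(const conn_t *c, void *arg) {
    snprintf((char *)arg, 64, "%s", c->effective);
    return 1;
}

int main(void) {
    char seen[64] = "";
    pool_init();
    int rc = run_as_user("cn=alice", failing_op, seen);
    return printf("rc=%d ran as %s, pool[0] is %s\n", rc, seen, pool[0].effective) < 0;
}
```

The revert sits on the path taken after a failed operation as well as a successful one; a connection released with a leftover end-user identity would otherwise serve the next request with that user's rights.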

Services and APIs for Integrating Applications with Oracle Internet Directory

Application developers can integrate with Oracle Internet Directory by using the services and APIs listed and described in Table 1-2.

Table 1-2 Services and APIs for Integrating with Oracle Internet Directory
Service/API | Description | More Information

Standard LDAP APIs in C, PL/SQL and Java

These provide basic LDAP operations. The standard LDAP API to be used in Java is the JNDI API with the LDAP service provider from Sun Microsystems.

Chapter 2, "Developing Applications with Standard LDAP APIs"

Oracle Extensions to Standard C, PL/SQL and Java APIs

These APIs provide additional programmatic interfaces that model various Identity Management related concepts.

Chapter 3, "Developing Applications with Oracle Extensions to the Standard LDAP APIs"

Oracle Delegated Administration Services

The Oracle Delegated Administration Services consist of a core self-service console and administrative interfaces that may be customized to support third-party applications.

Chapter 6, "Developing Applications Integrated with Oracle Delegated Administration Services"

"Oracle Delegated Administration Services", in Oracle Internet Directory Administrator's Guide

Oracle Directory Provisioning Integration Service

You can use the Oracle Provisioning Integration System for provisioning third-party applications, as well as a means of integrating other provisioning systems.

Chapter 4, "Developing Provisioning-Integrated Applications"

"The Oracle Directory Provisioning Integration Service" in Oracle Internet Directory Administrator's Guide

Oracle Internet Directory Plug-ins

Oracle Internet Directory plug-ins can be used to customize the behavior of the directory server in certain deployment scenarios.

Chapter 5, "Developing Oracle Internet Directory Server Plug-ins"

"Oracle Internet Directory Plug-In Framework" in Oracle Internet Directory Administrator's Guide

Figure 1-2 illustrates an application leveraging some of the services listed in Table 1-2.

Figure 1-2 An Application Leveraging APIs and Services


As Figure 1-2 shows, the application integrates with Oracle Internet Directory as follows:

Integrating Existing Applications with Oracle Internet Directory

Your enterprise may already have deployed certain applications to perform critical business functions. Table 1-3 lists and describes the services of the Oracle Internet Directory infrastructure that you can leverage to modify existing applications.

Table 1-3  Services for Modifying Existing Applications
Service | Description | More Information

Automated User Provisioning

You can develop a custom provisioning agent that automates the provisioning of users in the existing application in response to provisioning events in the Oracle Identity Management infrastructure. When you develop this agent, you must use the interfaces of the Oracle Directory Provisioning Integration Service.

Chapter 4, "Developing Provisioning-Integrated Applications."

User Authentication Services

If the user interface of the existing application is based on HTTP, then integrating it with Oracle HTTP Server and protecting its URL by using mod_osso authenticates all incoming user requests using the Oracle Application Server Single Sign-On.

Oracle Application Server Single Sign-On Administrator's Guide

Centralized User Profile Management

If the user interface of the existing application is based on HTTP, and it is integrated with Oracle Application Server Single Sign-On for authentication, then the application can leverage the Oracle Internet Directory Self-Service Console to enable centralized user profile management. The Self-Service Console can be customized by the deployment to address the specific needs of the application.

Chapter 6, "Developing Applications Integrated with Oracle Delegated Administration Services"

"Oracle Delegated Administration Services", in Oracle Internet Directory Administrator's Guide

Integrating New Applications with Oracle Internet Directory

If you are developing a new application or planning a new release of an existing application, then you can leverage the services provided by the Oracle Internet Directory infrastructure extensively. Consider the integration points described in Table 1-4.

Table 1-4  Application Integration Points
Integration Point | Available Options | More Information

User Authentication Services

If the application is a J2EE based application, then it can use the services provided by the JAZN interface. If it relies on OC4J, then it can use the services provided by mod_osso to authenticate users and get important information about the user in the HTTP headers. If it is a stand-alone Web-based application, then it can still leverage Oracle Application Server Single Sign-On by becoming a partner application using the Oracle Application Server Single Sign-On APIs. Finally, if the application provides a non-Web based access interface, then it can authenticate users by using the Oracle Internet Directory LDAP APIs available in C, PL/SQL and Java.

Oracle Application Server Containers for J2EE User's Guide

Oracle Application Server Single Sign-On Administrator's Guide

Part II, "Oracle Internet Directory Programming Reference", which contains reference sections for the various LDAP APIs

User Authorization Services

If the application is a J2EE-based application, then it can use the services provided by the JAZN interface to implement and enforce user authorizations to application defined resources. The application can model authorizations as groups in Oracle Internet Directory and then check the authorizations of a user by checking his or her group membership. It can do this by using the Oracle Internet Directory LDAP APIs available in C, PL/SQL and Java.

Oracle Application Server Containers for J2EE User's Guide

Part II, "Oracle Internet Directory Programming Reference", which contains reference sections for the various LDAP APIs

Centralized Profile Management

You can model application-specific profiles and user preferences as attributes in Oracle Internet Directory.

If the user interface of the application is based on HTTP, and is integrated with Oracle Application Server Single Sign-On for authentication, then the application can leverage the Oracle Internet Directory Self-Service Console to enable centralized user profile management. You can customize the Self-Service Console to address the specific needs of the application.

The application can also retrieve these profiles at runtime by using the Oracle Internet Directory LDAP APIs available in C, PL/SQL and Java.

The chapter on deployment considerations in Oracle Internet Directory Administrator's Guide

Chapter 6, "Developing Applications Integrated with Oracle Delegated Administration Services"

"Oracle Delegated Administration Services", in Oracle Internet Directory Administrator's Guide

Part II of this guide, which contains reference sections for the various LDAP APIs

Automated User Provisioning

If the user interface of the application is based on HTTP, and it is integrated with Oracle Application Server Single Sign-On for authentication, then you can implement automated user provisioning the very first time a user accesses the application.

You can integrate the application in the Oracle Identity Management Infrastructure with the Oracle Directory Provisioning Integration Service. The application can then provision or deprovision user accounts automatically in response to such administrative actions as adding, modifying, or deleting an identity.

Chapter 4, "Developing Provisioning-Integrated Applications"

Other Components of Oracle Internet Directory

The following components of Oracle Internet Directory 10g (9.0.4), not part of the Oracle Internet Directory Software Developer's Kit, can be obtained separately:

Operating Systems Supported

Oracle Internet Directory servers and clients support these operating systems:


Copyright © 1999, 2003 Oracle Corporation.

All Rights Reserved.