
Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Integration with SunONE (iPlanet) Directory Server, 3 of 7


SunONE Directory Server Integration Concepts

This section contains these topics:

Synchronization Between Oracle Internet Directory and SunONE Directory Server

Synchronization with SunONE Directory Server is based on reading incremental changes from the source directory to the destination directory. If changes are to be made in both directories, then both directories need to have change logging enabled. For complete synchronization, make sure that the change log and the tombstones are configured correctly in the different releases. The purging duration should be set long enough for all changes to be synchronized.

See Also:

  • Starting an Oracle Directory Server Instance for instructions on how to start an Oracle directory server with change logging enabled

  • SunONE Directory Server documentation for instructions on how to start the SunONE Directory Server with change logging enabled

If you want to synchronize passwords, then be sure that the hashing technique used by SunONE Directory Server is also supported by Oracle Internet Directory. The hashing technique currently enabled in Oracle Internet Directory can be obtained by doing a base search in Oracle Internet Directory as follows:

ldapsearch -h host -p port_number -b "" -s base "objectclass=*" orclcryptoscheme
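The following is an added example, not part of the Oracle documentation: it compares the orclcryptoscheme value returned by the search above with the `{scheme}` prefixes on userPassword values in a SunONE LDIF export, and lists entries whose passwords would not match the Oracle Internet Directory scheme. It assumes both directories use the same scheme labels (for example SSHA); all sample data, DNs and hash values are constructed.

```python
import base64
import re

# Constructed sample: output of the base search for orclcryptoscheme.
OID_SEARCH_OUTPUT = "dn:\norclcryptoscheme: SSHA\n"

# Constructed sample: SunONE LDIF export; the hash values are dummies.
_B64 = base64.b64encode(b"{CRYPT}abCdEfGhIjKlM").decode()
SUNONE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    "userPassword: {SSHA}ZHVtbXktc2FsdGVk\n"
    " LWhhc2g=\n"                      # folded continuation line
    "\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    f"userPassword:: {_B64}\n"         # base64-encoded value
    "\n"
    "dn: uid=carol,ou=People,dc=example,dc=com\n"
    "userPassword: cleartext-example\n"
)

def attributes(ldif_text):
    """Yield (name, value) pairs, undoing LDIF folding and base64."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        yield name.strip().lower(), value.strip()

def oid_scheme(search_output):
    """Return the scheme named by orclcryptoscheme, upper-cased."""
    for name, value in attributes(search_output):
        if name == "orclcryptoscheme":
            return value.upper()
    raise ValueError("orclcryptoscheme not present in search output")

def scheme_mismatches(search_output, sunone_ldif):
    """List (dn, scheme) for passwords not hashed with the OID scheme."""
    wanted, dn, found = oid_scheme(search_output), None, []
    for name, value in attributes(sunone_ldif):
        if name == "dn":
            dn = value
        elif name == "userpassword":
            m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
            scheme = m.group(1).upper() if m else None  # None: no {scheme} prefix
            if scheme != wanted:
                found.append((dn, scheme))
    return found
```

An entry reported with a scheme of `None` carries no `{scheme}` prefix, which means the value is stored without a recognizable hash label and should be reviewed before synchronization.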

The SunONE Directory Server External Authentication Plug-in

Oracle components are clients of Oracle Internet Directory. However, in an integrated environment, you have the option of storing security credentials for those components in an external repository (in this case, SunONE Directory Server) rather than in Oracle Internet Directory. When security credentials are stored in an external repository, user authentication to an Oracle component happens in the external repository and not in Oracle Internet Directory.

To communicate with the external repository, the Oracle component relies on the Oracle directory server. The Oracle directory server, in turn, uses a plug-in that can access the external repository. The entire authentication process is transparent to the Oracle components, which perceive all the LDAP requests as being handled by the Oracle directory server.

Types of External Authentication

To verify a user's security credentials, an Oracle component can, by way of the Oracle directory server, send to the external repository a simple bind with a request for one of the following:

How Authentication to an External Repository Works

When an Oracle directory server has the plug-in configured and enabled, the following process occurs to authenticate a user to an Oracle component.

  1. The user seeks access to an Oracle component.

  2. The Oracle component, which is a client of Oracle Internet Directory, receives the authentication request, and passes to the Oracle directory server either an ldapbind or ldapcompare request.

  3. The Oracle directory server passes the control to the plug-in.

  4. The plug-in issues the request to the external repository.

  5. The plug-in obtains the results of that request and passes the results back to the Oracle directory server.

  6. The Oracle directory server passes the results back to the client application, which then grants or denies access to the user.


Copyright © 1999, 2003 Oracle Corporation.

All Rights Reserved.