Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Security in the Oracle Directory Integration and Provisioning Platform, 2 of 6
Authentication is the process by which the Oracle directory server establishes the true identity of the user connecting to the directory. It occurs when an LDAP session is established by means of the ldapbind operation.
It is important that each component in the Oracle Directory Integration and Provisioning platform be properly authenticated before it is allowed access to the directory.
This section contains these topics:
You can deploy the Oracle Directory Integration and Provisioning platform with or without Secure Socket Layer (SSL). SSL implementation supports these modes:
The server verifies its identity to the client by sending a certificate issued by a trusted certificate authority (CA). This mode requires a public key infrastructure (PKI) and SSL wallets to hold the certificates.
To use SSL with the Oracle Directory Integration and Provisioning platform, you must start both the Oracle directory server and Oracle directory integration and provisioning server in the SSL mode.
See Also:
Chapter 3, "Preliminary Tasks and Information" for instructions on starting the Oracle directory server in SSL mode
You can install and run multiple instances of the directory integration and provisioning server on various hosts. However, when you do this, beware of a malicious user either posing as the directory integration and provisioning server or using an unauthorized copy of it.
To avoid such security issues:
To use non-SSL authentication, register each directory integration and provisioning server by using the registration tool called odisrvreg.
The registration tool creates the odi.properties file, which is stored in the $ORACLE_HOME/ldap/odi/conf directory.
When it binds to the directory, the directory integration and provisioning server uses the encrypted password in the private wallet.
See Also:
"Manually Registering the Oracle Directory Integration and Provisioning Server" for instructions on registering the directory integration and provisioning server
The identity of the directory server can be established by starting both Oracle Internet Directory and the directory integration and provisioning server in the SSL server authentication mode. In this case, the directory server provides its certificate to the directory integration and provisioning server, which acts as the client of Oracle Internet Directory.
The directory integration and provisioning server is authenticated by using the same mechanism used in the non-SSL mode.
You can also configure the Oracle directory integration and provisioning server to use SSL when connecting to a third-party directory. In this case, you store the connected directory certificates in the wallet as described in "Managing the SSL Certificates of Oracle Internet Directory and Connected Directories".
Within Oracle Internet Directory, an integration profile represents a user with its own DN and password. The users who can access the profiles are:
DIPAdmin
DIPAdminGroup
When the directory integration and provisioning server imports data to Oracle Internet Directory based on an integration profile, it proxy-binds to the directory as that integration profile. The Oracle Directory Integration and Provisioning platform uses this mechanism to authenticate agents in both the SSL and non-SSL mode.
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.