What's New in Oracle Internet Directory?

This section provides a brief description of new features introduced with the latest releases of Oracle Internet Directory, and points you to more information about each one. It contains these topics:

• New Features Introduced with Oracle Internet Directory 10g (9.0.4)

• About Oracle Internet Directory Release 9.2

• New Features Introduced with Oracle Internet Directory Release 9.0.2

• New Features Introduced with Oracle Internet Directory Release 3.0.1

• New Features Introduced with Oracle Internet Directory Release 2.1.1

New Features Introduced with Oracle Internet Directory 10g (9.0.4)

• Integration with the Microsoft Windows environment--You can integrate the Oracle Application Server infrastructure with the Microsoft Windows Operating System--including Microsoft Active Directory and Microsoft Windows NT 4.0. This integration is achieved by using the Active Directory Connector in the Oracle Directory Integration and Provisioning platform and plug-ins.

  See Also: Chapter 43, "Integration with the Microsoft Windows Environment"

• External authentication support--You can store user security credentials in a repository other than Oracle Internet Directory--for example, a database or another LDAP directory such as Microsoft Active Directory or SunONE Directory Server. You can then use these credentials for user authentication.

  See Also: Chapter 47, "Setting Up the Customized External Authentication Plug-in" "Choose Where to Store Passwords"

• Dynamic groups--You can create and use dynamic groups whose membership, rather than being maintained in a list, is computed on the fly, based on assertions that you specify.

  See Also: Chapter 9, "Dynamic and Static Groups in Oracle Internet Directory"

• Query optimization--In searches, some attributes have very different response times depending on their values. You can uniform the response times of search operations for such attributes to enhance performance.

  See Also: "Optimizing Searches"

• Garbage collection framework--A garbage collector is a background database process that removes obsolete data from the directory. The Oracle Internet Directory garbage collection framework provides a default set of garbage collectors, and enables you to modify them.

  See Also: Chapter 22, "Garbage Collection in Oracle Internet Directory"

• Simple Authentication Security Layer (SASL) support--Oracle Internet Directory supports the use of SASL, a method for adding authentication support to connection-based protocols. To use it, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.

  See Also: "Authentication in Oracle Internet Directory"

• Logging enhancements--This release of Oracle Internet Directory provides the following enhancements to logging and tracing:
  • Object-based tracing for operations associated with thread and connection identifiers. This facilitates non-interleaved and coherent logging for each LDAP operation in a multithreaded environment.

  • Selective tracing for chosen operations by using the operation dimension

  • Structured, meaningful trace messages with additional information including thread identifier and criticality

    See Also: Chapter 10, "Logging, Auditing, and Monitoring the Directory"

• OID Migration Tool (ldifmigrator) enhancements--You can use this tool to reconcile data with that in an existing directory, and to directly load data into Oracle Internet Directory.

  See Also: "Migrating User Data from Application-Specific Repositories" "The OID Migration Tool (ldifmigrator) Syntax"

• Client side referral caching--This new feature enables clients to cache referral information and use it to speed up referral processing.

  See Also: "Client-Side Referral Caching" The material on the ldap_set_option and the ldap_get_option in Oracle Internet Directory Application Developer's Guide

• Fan-out and partial replication support--Oracle Internet Directory now supports:
  • Partial replication--that is, propagation of one or more naming contexts, rather than the entire DIT, to another node

  • Fan-out replication, in which a consumer, having received changes from a supplier, can then replicate those changes to one or more other consumers. Fan-out replication can be either full or partial.

    See Also: Chapter 24, "Directory Replication Concepts" Chapter 25, "Oracle Directory Replication Administration"

• Password policy enhancements--New password policy capabilities in Oracle Internet Directory include:
  • Password history

  • Unlocking of accounts

  • Forced password change upon first login

  • Self-resetting of password in case of account lockout or forgotten passwords

  • IP-based account lockout

  • Password policy enablement or disablement by using a single attribute in the password policy entry

    See Also: Chapter 15, "Password Policies in Oracle Internet Directory"

• Security credential storage enhancements--New security credential storage capabilities in Oracle Internet Directory include:
  • Generation of O3logon verifier for enterprise users

  • Generation of a default set of verifiers for application bootstrapping

  • Generation of SASL/MD5 verifiers for directory authentication

    See Also: Chapter 16, "Directory Storage of Password Verifiers"

• Replication Environment Management Tool--This tool ensures that Oracle9i Advanced Replication is properly configured for directory replication. In the event of a directory replication failure, this tool looks for common problems and seeks to rectify them. If it cannot solve the problem, then it gives you a report of the nature of the problem and points you to a possible solution.

  See Also: "The Replication Environment Management Tool"

• Server discovery by using DNS--This feature enables the location of a directory server in a distributed environment to be discovered dynamically by using the domain name system (DNS). Rather than storing server location information statically in an ldap.ora file on the client, that information is stored and managed in a central domain name server. The client, at request processing time, retrieves this information from the domain name server.

  See Also: "The Replication Environment Management Tool"

• Bulkload tool enhancements--You can now use bulkload to add a large volume of entries to a non-empty directory. For example, you can add one million entries to a directory that has one million entries already. You can also incrementally add a medium-size number of entries to a large directory. For example, you can add 50,000 entries at a time to a directory that has five million entries already.

  See Also: "bulkload Syntax"

• Rack-mounted directory server configuration support--This configuration provides high availability of a directory server by running multiple directory server instances on different hardware nodes. The directory servers are connected to the same underlying data store, which is an Oracle9i Database Server.

  See Also: Chapter 27, "Rack-Mounted Directory Server Configurations"

• Two-way provisioning between Oracle Internet Directory and other application directories--The Oracle Directory Provisioning Integration Service can send notification of provisioning events bidirectionally between Oracle Internet Directory and other applications.

  See Also: "How an Application Receives Provisioning Information from Oracle Internet Directory" "How Oracle Internet Directory Receives Provisioning Information from an Application"

• Integration of provisioning data with the Oracle E-Business Suite--You can synchronize user accounts and other user information from the Oracle E-Business Suite to Oracle Internet Directory by using the Oracle Directory Provisioning Integration Service.

  See Also: Chapter 40, "Integration of Provisioning Data with the Oracle E-Business Suite"

• Installation of Oracle Internet Directory on Oracle9i Real Application Clusters--You can install Oracle Internet Directory on Oracle9i Real Application Clusters. When you do this, both the software and schema for Oracle Internet Directory are installed on the primary node, while only the software is installed on the secondary nodes.

  See Also: The installation documentation for this release of Oracle Internet Directory

• Oracle Directory Manager enhancements--Oracle Directory Manager now enables you to manage the following:
  • Attribute uniqueness

  • Plug-ins

  • Garbage collection

  • Change logs

  • Replication

  • Query optimization

  • Debug logging to a finer degree than previously

  • Enhancement of ACLs

• Oracle Internet Directory Self-Service Console enhancements--Oracle Internet Directory Self-Service Console, a graphical administrative tool built with Oracle Delegated Administration Services units, enables you to manage the following:
  • Realms

  • Services

  • Accounts

  • Password resetting

  Oracle Internet Directory Self-Service Console also enables you to view your organization chart, and users to edit their own profiles.

  See Also: Chapter 31, "Oracle Internet Directory Self-Service Console"

• Upgrade procedures

  See Also: Oracle Application Server 10g Upgrading to 10g (9.0.4) for information about upgrading from an earlier version of Oracle Internet Directory

About Oracle Internet Directory Release 9.2

This section describes an important new feature employing the capabilities of Oracle Internet Directory. It also explains changes in Oracle Internet Directory since Release 9.0.2.

• User Migration Utility for bulk-migrating database users to Oracle Internet Directory--This utility, released with Oracle Advanced Security Release 2 (9.2), enables you to migrate users from a local or external database to Oracle Internet Directory. Use it to store and centrally manage thousands of users in Oracle Internet Directory.

  See Also: The chapter about migrating local or external users to enterprise users in Oracle Advanced Security Administrator's Guide

  Note: Beginning with Oracle Internet Directory Release 9.2, the Oracle Delegated Administration Services and tools built on it are components of Oracle Application Server and not the Oracle9i Database Server. To ensure that you have the self-management tools for administering Web and Oracle Application Server applications, and that those tools are well-integrated with your middle-tier environment, Oracle Corporation recommends that you use the version of Oracle Internet Directory that is included with the Oracle Application Server. To develop and deploy tools based on the Oracle Delegated Administration Services, Oracle Corporation recommends that you use the Java and security infrastructure of Oracle Application Server. Oracle Internet Directory Release 9.2 does not include Enterprise Manager integration for performing system diagnostics on Oracle Internet Directory instances.

New Features Introduced with Oracle Internet Directory Release 9.0.2

This section describes the new features introduced with Oracle Internet Directory Release 9.0.2.

Enhanced Performance and High Availability

• Server-side entry caching--This feature reduces directory query latency for LDAP clients. By configuring a server-side entry cache based on naming context, identity of client, or other available parameters, Oracle Internet Directory ensures that previously retrieved entries and their attributes are stored in shared memory, and are thus available to subsequent data requestors. Queries that conform to the configured parameters then need only retrieve a small subset of data--internal globally unique identifiers (GUIDs)--for filter-matching entries from the directory. These returned GUIDs are then used as a fast lookup mechanism into the cached entry and attribute data, which is then returned to the client.

  See Also: "Entry Caching"

• New directory integration capabilities--Oracle Internet Directory Release 9.0.2 introduces new kinds of connectivity with other applications and repositories, both Oracle-built and otherwise. The new Oracle Directory Provisioning Integration Service and Oracle Directory Synchronization Service are built upon the Oracle Directory Integration and Provisioning platform (introduced with Oracle Internet Directory v2.1.1.1 in the Oracle8i Release 3 timeframe).
  • Oracle Directory Provisioning Integration Service--Provisioning is the process of granting or revoking a user's access to application resources based on business rules. The user may be either a human end user or an application.

    The Oracle Directory Provisioning Integration Service ensures that subscribing applications or business entities are alerted to updates in Oracle Internet Directory for keeping local repositories in synch. It enables you to synchronize local, application-specific information by using Oracle Internet Directory as a source of truth.

  • Oracle Directory Synchronization Service and the LDAP connector--The Oracle Directory Synchronization Service enables near-complete leveraging of previously-deployed infrastructure, including but not limited to ERP and CRM systems, third-party LDAP directories, and NOS user repositories. It enables you to synchronize information between enterprise directories and Oracle Internet Directory. This allows for centralized administration, thereby reducing administrative costs. It ensures that data is consistent and up-to-date across the enterprise.

    See Also: Chapter 32, "Oracle Directory Integration and Provisioning Platform Concepts and Components"

• Enterprise password policy management enhancements--You can now construct password policies to ensure:
  • Expiration dates

  • Grace periods

  • Minimum password lengths

  • Approved password syntaxes and retry limits

  • Lockout of those attempting to gain illicit access to the directory service after a certain number of failed attempts

  You can now use salted SHA as a hashing algorithm. This means that you can now select from these available hashing algorithms:

  • MD4--A one-way hash function that produces a 128-bit hash

  • MD5--An improved, and more complex, version of MD4

  • SHA--Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.

  • You can also use salted SHA. A salt is a random number added to and stored with the hash value. It prevents pre-computed dictionary attacks by making it extremely expensive to recover the value that was originally hashed.

  • UNIX Crypt--The UNIX encryption algorithm

  • No Hashing

    See Also: "Protection of User Passwords for Directory Authentication" for a conceptual discussion Chapter 15, "Password Policies in Oracle Internet Directory" for instructions on setting password hashing

• Attribute uniqueness--In the prior Oracle Internet Directory architecture, the only way to enforce attribute uniqueness was to make an attribute a part of your DN. This worked well with the user identifier (if used as the RDN), but it was not always appropriate and easy to configure. Within a level of a branch of the tree, it was guaranteed to be unique. For example, if your DN was uid=dlin,ou=people, o=oracle, then the RDN dlin would be unique directly under ou=people,o=oracle. However, you could have the same user identifier in another branch--for example, uid=dlin, ou=others, o=oracle. In short, attribute uniqueness was guaranteed only under a given branch, and only within one level.

  Attributes other than dn can be used as unique keys of applications synchronizing with Oracle Internet Directory. The ability of Oracle Internet Directory to enforce attribute uniqueness enables all applications to have their own notions of "user," and to synchronize their user base with a user repository stored in an enterprise Oracle Internet Directory server.

  See Also: Chapter 8, "Attribute Uniqueness in the Directory"

• Multiple password verifier support--Oracle Internet Directory can now store passwords for multiple applications and protocols. For example, four-digit Personal Identification Numbers (PINs) for voicemail can sit alongside longer alphanumeric single sign-on passwords and X.509 v3 digital certificates for the same user. This new feature gives the application developer far greater flexibility for directory-enabling their product stack.

  See Also: Chapter 16, "Directory Storage of Password Verifiers"

• Expanded proxy user capabilities--This new feature enables a developer to exploit the power of the middle tier more effectively. Users no longer need to establish independent, unrelated sessions with the directory. If a middle-tier from Oracle Application Server or elsewhere invokes the proxy user bind method on behalf of numerous clients in succession, then Oracle Internet Directory respects each client's credential and privileges respectively, even though the agent doing the actual binding remains unchanged throughout.

  See Also: Chapter 12, "Directory Security Concepts" "Managing Super Users, Guest Users, and Proxy Users"

• Integration with Oracle Application Server components--Through the Oracle Directory Provisioning Integration Service, Oracle Internet Directory Release 9.0.2 serves as a central component of the Oracle Application Server. Every component of Oracle Application Server now uses Oracle Internet Directory for storing common cross-component metadata, such as valid user identifiers and their passwords.

  See Also: Chapter 19, "Deployment of Oracle Identity Management Realms"

• Enterprise Manager integration--You can start, stop, and monitor Oracle Internet Directory instances by using the standard, newly-enhanced Enterprise Manager console. You can perform system diagnostics on running Oracle Internet Directory instances, and generate performance graphs to determine ongoing performance and peak load times.

  See Also: Monitoring Oracle Internet Directory Servers

• Oracle Directory Manager enhancements--Oracle Internet Directory's standalone, 100% Java administration console, Oracle Directory Manager, has now evolved in many ways. You can use it to:
  • Configure realms

  • Construct password policies

  • Configure Oracle Directory Synchronization Service and Oracle Internet Directory connectors and agents

  In general, any directory-specific configuration or maintenance task not available at the high-level Oracle Enterprise Manager GUI can now be done through Oracle Directory Manager as well as command-line interfaces supplied with Oracle Internet Directory.

  See Also: Chapter 4, "Directory Administration Tools"

• Server-side plug-in framework--This new feature enables directory applications to roll out advanced capabilities such as referential integrity/cascading deletions of LDAP objects, external authentication of directory clients, brokered access, and synchronization with external relational tables. The plug-ins are executable before or after an LDAP command takes place, without the traditional risks of such technologies.

  See Also: Chapter 45, "Oracle Internet Directory Plug-in Framework"

• Entry alias dereferencing--The LDAP v3 standard requires that all entries in a directory have globally unique identifiers known as distinguished names. These are typically fairly long and cumbersome to use, so Oracle Internet Directory provides this new feature to automatically dereference IETF-standard alias objects used to point to a fully-qualified LDAP distinguished name. For example, "DavesServer1" can be used as an entry alias or pointer to the actual directory entry named dc=server1, dc=us, dc=oracle, dc=com. Oracle Internet Directory stores, parses, and chases all alias references for complete client-side transparency.

  See Also: "Dereferencing Alias Entries"

• Delegated Administration Service

  The Oracle Delegated Administration Services is a set of individual, pre-defined services--called Oracle Delegated Administration Services units--for performing directory operations on behalf of a user. It makes it easier to develop and deploy administration solutions for both Oracle directory-enabled applications and other directory-enabled applications that use Oracle Internet Directory.

  Administrators can now use the Oracle Delegated Administration Services and its accompanying console to:

  • Create other regional or departmental administrators

  • Grant them specific, delegated permissions to administer users for a particular region or department

  The Oracle Internet Directory Self-Service Console, a new component of the Oracle Delegated Administration Services, enables you to flexibly administer applications, realms, and end users either from a central team or through decentralization and delegation. It provides:

  • A unified resource for directory administrators, directory service subscribers, and end users

  • A view of an authorized end user's personalized preferences and the ability to update their Oracle Application Server Single Sign-On password

  • An intuitive user interface for searching for people and other directory-based resource information within Oracle Internet Directory.

  You can use the Oracle Internet Directory Self-Service Console to configure the object classes, user groups, permissions, and other elements of directory information metadata stored in Oracle Internet Directory.

  See Also: Chapter 31, "Oracle Internet Directory Self-Service Console"

• Upgrade procedures

  These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1. and release 3.0.1.

New Features Introduced with Oracle Internet Directory Release 3.0.1

This section describes the new features introduced with Oracle Internet Directory Release 3.0.1.

• Failover in cluster configurations

  This new feature enables you to increase high availability by using logical hosts--as opposed to physical hosts--in clustered environments.

  See Also: Chapter 28, "Cold Failover Cluster Configuration"

• Failover in an Oracle Real Application Clusters environment

  Oracle9i Real Application Clusters is a computing environment that harnesses the processing power of multiple, interconnected computers. Along with a collection of hardware, called a cluster, it unites the processing power of each component to become a single, robust computing environment. A cluster comprises two or more computers, also called nodes.

  You can run Oracle Internet Directory in an Oracle Real Application Clusters system.

  See Also: Chapter 29, "The Directory in an Oracle9i Real Application Clusters Environment"

• Support for logical hosts--Oracle Internet Directory Release 3.0.1 enables you to increase high availability by using logical hosts - as opposed to physical hosts - in clustered environments. A logical host consists of one or more disk groups, and pairs of host names and IP addresses. It is mapped to a physical host in the cluster. This physical host services the host name and IP address of the logical host.

  In this paradigm, the directory server binds to the logical host, rather than the physical host. It maintains this connection even if the logical host fails over to a new physical host.

  A client connects to the directory server by using the logical host name and address of the server. If the logical host fails over to a new physical host, then that failover is transparent to the client.

  See Also: Chapter 28, "Cold Failover Cluster Configuration"

• Capability to run multiple Oracle Internet Directory instances on the same host

  This new feature enables you to run more than one installation of Oracle Internet Directory on a single host. You can then replicate between them or use this new feature as part of a failover strategy.

  See Also: "Multiple installations of Oracle Internet Directory on one host"

• Oracle Directory Integration and Provisioning Platform

  This new feature enables you to synchronize various directories with Oracle Internet Directory. It also makes it easier for third party metadirectory vendors and developers to develop and deploy their own connectivity agents.

  See Also: Part VII: "Oracle Directory Integration and Provisioning Platform"

• Password policy management

  Password policy management enables you to establish and enforce rules for how passwords are used.

  See Also: "Password Policies in Oracle Internet Directory" for a conceptual discussion Chapter 15, "Password Policies in Oracle Internet Directory"

• Performance and scalability enhancements

• Upgrade procedures

  These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1.

• UTF8 restriction removed

  The Oracle directory server and database tools are no long restricted to run on a UTF8 database. However, there may be data loss during add, delete, modify, or modifydn operations if the character sets of the data contained in the client request and the directory server database repository are different and the client data cannot be mapped to the database character set. If the database underlying the Oracle directory server is neither AL32UTF8 nor UTF8, then be sure that all characters in the client character set are included in the database character set, with the same or different character codes.

New Features Introduced with Oracle Internet Directory Release 2.1.1

This section describes the new features introduced with Oracle Internet Directory release 2.1.1.

• Attribute options, including language codes

  Attribute options enable you to specify how the value for an attribute is made available in a search or a compare operation. For example, suppose that an employee has two addresses, one in London, the other in New York. Options for that employee's address attribute could allow you to store both addresses. Users could then search for either address.

  Attribute options can include language codes. For example, options for John Doe's givenName attribute could enable you to store his given name in both French and Japanese. A user could then search for the name in either language.

  See Also: "Attribute Options" for a conceptual discussion "Managing Entries with Attribute Options by Using Oracle Directory Manager" "Managing Entries with Attribute Options by Using Command-Line Tools"

• Change log purging enhancements

  These enhancements enable you to specify the type of change log purging to use: change number-based or time-based.

  See Also: "Change Log Purging in Multimaster Replication" for a conceptual discussion "Viewing and Modifying Directory Replication Server Configuration Parameters"

• Enhanced support for these operational attributes: creatorsName, createTimestamp, modifiersName, and modifyTimestamp

  This enhanced support enables you to use one or more of these attributes in searches.

  See Also: "Kinds of Attribute Information" for a conceptual discussion "Example 7: Searching for All User Attributes and Specified Operational Attributes" for an example of a search operation using the createTimestamp attribute

• Migration from other LDAP-compliant directories

  This new feature enables you to migrate data from other LDAP v3-compatible directories into Oracle Internet Directory.

  See Also: Appendix 23, "Migration of Data from Other Directories"

• Object class explosion

  Object class explosion enables you to add or perform an operation on an entry without specifying the entire hierarchy of superclasses associated with that entry.

  See Also: "Guidelines for Adding Object Classes" for an explanation of how to use this feature when adding object classes

• OID Database Statistics Collection tool

  This tool assists in capacity planning. It helps you analyze the various database schema objects so that you can estimate the statistics.

  See Also: "OID Database Statistics Collection Tool (oidstats.sh) Syntax"

• Password protection enhancements

  This new feature enhances the available password protection by storing passwords as hashed values. Storing passwords as one-way hashed values--rather than as encrypted values--more fully secures them because a malicious user can neither read nor decrypt them. You can select one of the following hashing algorithms:

  • MD4--A one-way hash function that produces a 128-bit hash

  • MD5--An improved, and more complex, version of MD4

  • SHA--Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.

  • UNIX Crypt--The UNIX encryption algorithm

  • No Hashing

    See Also: "Protection of User Passwords for Directory Authentication" for a conceptual discussion Chapter 15, "Password Policies in Oracle Internet Directory" for instructions on setting password hashing

• Replication tools

  The following new replication tools are now added:

  • Human Intervention Queue Manipulation tool

    This tool enables you to move changes from the human intervention queue to either the retry queue or the purge queue.

  • OID Reconciliation Tool

    This tool enables you to synchronize conflicting changes in a replicated environment.

    See Also: "Using Command-Line Tools" for a brief explanation of this tool "About the Human Intervention Queue Manipulation Tool" "About the OID Reconciliation Tool"

• Replication node deletion

  This new feature enables you to delete a node from a directory replication group.

  See Also: "Deleting a Node from a Multimaster Replication Group"

• Synchronization with multiple directories in a metadirectory environment (release 2.1.1 only)

  If you are working in a metadirectory environment, then this new feature enables you to form a single virtual directory by synchronizing multiple directories with Oracle Internet Directory.

  Note: This feature was replaced in Release 3.0.1 by the Oracle Directory Integration and Provisioning platform. See Chapter 32, "Oracle Directory Integration and Provisioning Platform Concepts and Components" for further information.

• Upgrade procedures (release 2.1.1 only)

  These new procedures enable you to upgrade from either Oracle Internet Directory release 2.0.4.x or release 2.0.6. Not supported in release 2.1.1.1 or in release 3.0.1.