14
Oracle Components and Oracle Internet Directory

Many Oracle components use Oracle Internet Directory for a variety of purposes. In doing this, they rely on a consolidated Oracle Internet Directory schema and a default directory information tree (DIT). This chapter describes:

• The consolidated Oracle Internet Directory schema used by various components
• A default DIT structure available when using the various Oracle components
• How you can modify the default DIT structure to accommodate the needs of hosted application environments

This chapter contains these topics:

• About Oracle Components and Directory Usage
• Ready-to-Use Default Configuration
• A Default Subscriber Configuration
• Security Requirements for Oracle Components

About Oracle Components and Directory Usage

Oracle Internet Directory enables Oracle components to:

• Maintain for each user a single, global identity across the application environment
• Store and administer configuration information for components in a central place

This chapter considers two general types of environment:

• Hosted--In a hosted environment, one enterprise--for example, an application service provider--makes Oracle components available to multiple other enterprises and stores information for them. In such hosted environments, the enterprise performing the hosting is called the default subscriber, and the enterprises that are hosted are called subscribers. A global administrator performs activities that span the entire directory. Another type of administrator--called a delegated administrator--may exercise roles in specific subscriber domains, or for specific applications.
• Non-hosted--In a non-hosted environment, in which there are no subscribers, the enterprise installing Oracle Internet Directory for use with Oracle components is called the default subscriber.

Directory schema and DIT requirements are defined with enough flexibility to accommodate both deployment models.

Ready-to-Use Default Configuration

To make it easy for you to start using Oracle components that use Oracle Internet Directory, Oracle Universal Installer creates a default schema and directory information tree (DIT) during Oracle Internet Directory installation. This default DIT framework is the same for both hosted and non-hosted environments. It is flexible; you can modify it to suit the needs of your deployment.

During Oracle Internet Directory installation, the Oracle Universal Installer creates:

• Base schema elements--that is, attributes and object classes--some of which are defined by the Internet Engineering Task Force (IETF), and some of which are specific to Oracle components
• The root Oracle context, a directory container of information common to all Oracle components in the entire site
• Default subscriber Oracle context containing information common to all Oracle components in the subscriber's subtree
• Subscriber Oracle context containing information common to all Oracle components in the subscriber's subtree
• A default password policy for each subscriber. This password policy will then apply to all users in the subscriber user base.

The Root Oracle Context

The root Oracle context includes:

• Site-wide information, including such metadata as default parameter settings, default profiles, and default authorization policies
• A discovery mechanism for Oracle components in a hosted environment to find necessary information for each subscriber

Figure 14-1 shows the organization of the root Oracle context.

Figure 14-1 The Root Oracle Context

Text description of the illustration oidag053.gif

Some of the discovery-related information stored at the root Oracle context includes:

• Subscriber Search Base (orclSubscriberSearchBase)

  This attribute identifies the node in the DIT under which all the subscribers are placed. This attribute becomes particularly important in the hosted scenario because it provides a common point for all the products to locate a subscriber. For example, in Figure 14-1, Subscriber serves as the search base for locating a subscriber. In a non-hosted environment, the value of this attribute points to the parent of the default subscriber.

• Subscriber Nickname Attribute (orclSubscriberNickNameAttribute)

  This attribute identifies the nickname attribute to be used when searching for a subscriber under the subscriber search base. For example, because a subscriber is typically represented as an organization, the attribute o can be used as the nickname attribute.

• Default Subscriber (orclDefaultSubscriber)

  This attribute points to the default subscriber node in the DIT.

In both hosted and non-hosted scenarios, a component finds the correct node in the DIT by using the orclSubscriberSearchBase and orclSubscriberNickNameAttribute attributes. Once the component finds the appropriate subtree, it obtains the subscriber-specific information it needs from the Oracle context in that subtree.

For example, Oracle9iAS Single Sign-On uses this framework for authenticating a user in a hosted scenario. When a user logs in, Oracle9iAS Single Sign-On prompts the user for a the name of a subscriber. Then, when it looks for an entry, the Oracle9iAS Single Sign-On server finds the correct subscriber node in the DIT by using the orclSubscriberSearchBase and orclSubscriberNickName attributes. Once it learns where the subscriber-specific information resides, it looks in the subscriber-specific Oracle context to find the location of the user.

If a client does not specify a subscriber, then Oracle Internet Directory assumes that the user is looking for information in the default subscriber subtree.

The Subscriber Oracle Context

A subscriber-specific Oracle context includes:

• A discovery mechanism for Oracle components to find necessary information in the subscriber's subtree
• Oracle component data specific to a subscriber
• An access policy at the subscriber node to protect subscriber data from other subscribers
• A default password policy applicable to all users is placed in the Common container. The attribute orclCommonUserSearchBase must be set to the appropriate value for the password policy to be enforced,--that is, the policy will be applied to a user whenever the corresponding attribute matches the value of orclCommonUserSearchBase.

Figure 14-2 shows the organization of a subscriber-specific Oracle context.

Figure 14-2 Subscriber-Specific Oracle Context

Text description of the illustration oidag052.gif

Figure 14-2 shows subscriber-wide information in the directory for an Oracle component and information common to all components. It illustrates two aspects:

• An example of the default subscriber is shown under the container called "Users."
• An example of the default user is shown under the container called "Oracle Context."

The Common entry in the subscriber-specific Oracle context contains information for locating users and groups. Specifically, it includes:

• User Search Base (orclCommonUserSearchBase)

  This attribute specifies the node in the subscriber DIT under which all the users are placed. For example, in Figure 14-2, users serves as the search base while searching for a user in a subscriber.

• User Nickname attribute (orclCommonNickNameAttribute)

  This attribute specifies the nickname attribute to be used when searching for a user under the user search base. For example, when a user logs in, Oracle9iAS Single Sign-On prompts the user for the value of this attribute.

• Group Search Base (orclCommonGroupSearchBase)

  This attribute specifies the node in the subscriber DIT under which all the groups can be found.

• Object classes to be used for creating user entries (orclUserObjectClass)

  This attribute specifies a list of object classes to be used when creating user entries under the subscriber tree--for example, person, organizationalPerson, inetOrgPerson, orclUser, and so on.

In a hosted scenario, you might dedicate a particular instance of a component to multiple subscribers. For example, each subscriber might have its own instance of the Oracle9iAS Portal component. In this case, the instance information and other data required by each individual subscriber is stored in each subscriber's Oracle context. General information required by all subscribers is stored in the root Oracle context.

In Figure 14-2, the dotted line between the user and the subscriber shows some of the flexibility with which you can organize a subscriber subtree. You can create and store user data in different ways--for example, you can store it:

• Directly under the subscriber node
• Outside the subscriber tree as illustrated in Figure 14-3.

Figure 14-3 Separation of a Subscriber and Subscriber's User Information

Text description of the illustration oidag054.gif

As Figure 14-3 shows, you are not required to create a subscriber's users under the subscriber node itself. The orclCommonUserSearchBase attribute in the Common entry for each subscriber-specific Oracle context points to the node containing the user data--in Figure 14-3, it is dc=myCompany,dc=com. This enables subscribers to keep the DNs they may already have, without having to migrate them to a different DIT structure.

A Default Subscriber Configuration

Figure 14-4 shows an example of a DIT for a default subscriber in a non-hosted environment.

Figure 14-4 Default DIT in Non-Hosted Environment

Text description of the illustration oidag051.gif

During an Oracle Internet Directory installation, Oracle Universal Installer determines the domain information for the site where it is installing Oracle Internet Directory. It establishes the default DIT structure based on this information. For example, if Oracle Internet Directory is installed at My_Company.com, then Oracle Universal Installer creates the following nodes in the DIT:

• The root Oracle context containing information common to all Oracle components
• The node marked as Com in Figure 14-4
• The My_Company node and, under it, the Oracle context
• User and Group containers under the default subscriber node--in this example, My_Company.com

If you use the default DIT for your enterprise, then you do not need to configure anything at the root Oracle context. Instead, depending on the structure of the subtree that your deployment uses, you simply do the following:

• Configure the user search base and related discovery information in the Oracle context in the default subscriber node. For example, in the deployment in Figure 14-4 , the user search base and related discovery information reside in the Common container under cn=Products,cn=Oracle Context,o=GM.
• Place user entries in the Users container, and group entries in the Groups container, both of which reside immediately below the default subscriber node.

In a hosted environment, you would create subscribers at the same level in the DIT as the default subscriber node itself.

As part of Default DIT Creation a seed user is also created to help bootstrap using various tools. The user is identified by the following DN: cn=orclAdmin,cn=users,cn=my_company, dc=com. The initial password for the user is the same as the Oracle Internet Directory super user (cn=orcladmin) password. By default, this user is allowed to create, delete, and edit users under the cn=Users container or create, delete, and edit groups under the cn=Groups container.

Security Requirements for Oracle Components

Many Oracle components administer user entries in Oracle Internet Directory and need the corresponding privileges. Here are a couple of examples:

• When the Oracle9iAS Single Sign-On server authenticates a user, that server:
  • Connects to Oracle Internet Directory using its own identity
  • Verifies that the password entered by the user matches that user's password stored in the directory

  To do this, the Oracle9iAS Single Sign-On server needs permission to compare user passwords. Moreover, to set up the Oracle9iAS Single Sign-On cookie, it needs permission to read user attributes.

• To grant access to a user, Oracle9iAS Portal must retrieve that user's attributes. To do this, it logs in to Oracle Internet Directory as a proxy user, impersonating the user seeking access. It therefore needs the corresponding proxy user privileges.

Oracle components can require these privileges:

• Read and modify user passwords
• Compare user passwords
• Proxy on behalf of users accessing applications
• Administer the Oracle Context where all Oracle components store their metadata

You can modify the default Oracle Internet Directory security configuration to fit the needs of your deployment. Specifically, in Oracle Internet Directory Release 9.2, you may want to modify configurations for the User Security Administrator's Group and the Authentication Services Group.

This section describes each group. It contains these topics:

• User Security Administrator's Group
• Authentication Services Group

User Security Administrator's Group

This group administers security-related attributes. It is itself administered by either the Oracle Internet Directory super user or members of the Oracle Context Administrator's group.

The DN of this group is: cn=oracleUserSecurityAdmins,cn=groups,Oracle_Context_DN.

By default, Oracle Internet Directory grants this group the following privileges in the Root Oracle Context:read, write, compare, and search on userpkcs12, orclpkcs12hint, userpassword, orclpassword, and orclpasswordverifier attributes.

To enable members of this group to administer the subscriber's DIT, you can grant similar privileges to this group in the subscriber Oracle Context.

Authentication Services Group

This group consists of services--for example, Oracle Email Server--that authenticate users by using their passwords stored in Oracle Internet Directory. Such components require permission to compare the password entered by the user with the value of that user's userpassword attribute.

This group is itself administered by either by the Oracle Internet Directory super user or a member of the Oracle Context Administrator's group.

The DN of this group is: cn=authenticationServices,cn=groups,Oracle_Context_DN.

By default, Oracle Internet Directory privileges this group to compare the userpassword attribute in the users container of the default subscriber DIT.