|Oracle Internet Directory Administrator's Guide
Part Number A96574-01
This chapter introduces online directories, provides an overview of the Lightweight Directory Application Protocol (LDAP) version 3, and explains some of the unique features and benefits of Oracle Internet Directory.
This chapter contains these topics:
Directories organize complex information, making it easy to find. They list resources--for example, people, books in a library, or merchandise in a department store--and give details about each one. You probably use several offline directories everyday: a telephone book, a card catalog in a library, or a department store catalog, to mention a few.
Enterprises with distributed computer systems use online directories for fast searches, cost-effective management of users and security, and a central integration point for multiple applications and services. Online directories are also becoming critical to both e-businesses and hosted environments.
This section contains these topics:
An online directory is a specialized database that stores and retrieves collections of information about objects. Such information can represent any resources that require management: employee names, titles, and security credentials; information about partners; or information about shared network resources such as conference rooms and printers.
Online directories can be used by a variety of users and applications, and for a variety of purposes, including:
Although an online directory is a database--that is, a structured collection of data--it is not a relational database. The following table contrasts online directories with relational databases.
|Online Directories||Relational Databases|
Primarily read-focused. Typical use involves a relatively small number of data updates, and a potentially large number of data retrievals.
Primarily write-focused. Typical use involves continuous recording of transactions, with retrievals done relatively infrequently.
Designed to handle relatively simple transactions on relatively small units of data. For example, an application might use a directory simply to store and retrieve an e-mail address, a telephone number, or a digital portrait.
Designed to handle large and diverse transactions using many operations on large units of data.
Designed to be location-independent. Directory applications expect, at all times, to see the same information throughout the deployment environment--regardless of which server they are querying. If a queried server does not store the information locally, then it must either retrieve the information or point the client application to it transparently.
Typically designed to be location-specific. While a relational database can be distributed, it usually resides on a particular database server.
Designed to store information in entries. These entries might represent any resource customers wish to manage: employees, e-commerce partners, conference rooms, or shared network resources such as printers. Associated with each entry is a number of attributes, each of which may have one or more values assigned. For example, typical attributes for a
Designed to store information as rows in relational tables.
According to some estimates, each of the world's largest companies has an average of 180 different directories, each designated for a special purpose. Add to this the various enterprise applications, each with its own additional directory of user names, and the actual number of special purpose directories becomes even greater.
Managing so many special purpose directories can cause problems:
Today's enterprises need a more general purpose directory infrastructure, one based on a common standard for supporting a wide variety of applications and services.
LDAP is a standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate.
This section contains these topics:
LDAP was conceived as an Internet-ready, lightweight implementation of the International Standardization Organization (ISO) X.500 standard for directory services. It requires a minimal amount of networking software on the client side, which makes it particularly attractive for Internet-based, thin client applications.
The LDAP standard simplifies management of directory information in three ways:
The most recent version of LDAP, Version 3, was approved as a proposed Internet Standard by the Internet Engineering Task Force (IETF) in December 1997. LDAP Version 3 improves on LDAP Version 2 in several important areas:
Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of Oracle9i.
This section contains these topics:
Oracle Internet Directory runs as an application on Oracle9i. It communicates with the database, which may or may not be on the same operating system, by using Oracle Net Services, Oracle's operating system-independent database connectivity solution. Figure 1-1 illustrates this relationship.
Oracle Internet Directory includes:
Part VIII, "The Oracle Directory Integration Platform"
Among its more significant benefits, Oracle Internet Directory provides scalability, high availability, security, and tight integration with the Oracle environment.
Oracle Internet Directory exploits the strengths of Oracle9i, enabling support for terabytes of directory information. In addition, such technologies as shared LDAP servers and database connection pooling enable it to support thousands of concurrent clients with subsecond search response times.
Oracle Internet Directory also provides data management tools, such as Oracle Directory Manager and a variety of command-line tools, for manipulating large volumes of LDAP data.
Oracle Internet Directory is designed to meet the needs of a variety of important applications. For example, it supports full, multimaster replication between directory servers: If one server in a replication community becomes unavailable, then a user can access the data from another server. Information about changes made to directory data on a server is stored in special tables on the Oracle9i database. These are replicated throughout the directory environment by Oracle9i Replication, a robust replication mechanism.
Oracle Internet Directory also takes advantage of all the availability features of the Oracle9i. Because directory information is stored securely in the Oracle9i database, it is protected by Oracle's backup capabilities. Additionally, the Oracle9i database, running with large datastores and heavy loads, can recover from system failures quickly.
Oracle Internet Directory offers comprehensive and flexible access control. An administrator can grant or restrict access to a specific directory object or to an entire directory subtree. Moreover, Oracle Internet Directory implements three levels of user authentication: anonymous, password-based, and certificate-based using Secure Socket Layer (SSL) Version 3 for authenticated access and data privacy.
All Oracle products use Oracle Internet Directory. Through the Oracle Directory Integration Platform, Oracle Internet Directory provides a single point of integration between the Oracle environment and other directories such as NOS directories, third-party enterprise directories, and application-specific user repositories.
Oracle Internet Directory enables Oracle components to achieve easier and more cost-effective administration of the application environment; tighter security through centralized security policy administration; and a single point of integration between distributed enterprise directories. This section describes a few examples.
Oracle Net Services uses Oracle Internet Directory to store and resolve database services and the simple names, called net service names, that can be used to represent them. In client connect strings, net service names serve as connect identifiers. The directory server resolves these connect identifiers to connect descriptors, which are passed back to the client.
Oracle Unified Messaging uses Oracle Internet Directory:
The self-service, integrated enterprise portals that use Oracle Portal access Oracle Internet Directory to store common user and group attributes.
Oracle9i uses Oracle Internet Directory to store user names and passwords, and it authenticates users by using LDAP mechanisms instead of SSL. It uses Oracle Internet Directory to store a password verifier along with the entry of each user.
Oracle Advanced Security uses Oracle Internet Directory for:
Oracle Advanced Security stores a user's database password in the directory as an attribute of his or her user entry, instead of in each database.
Oracle Advanced Security uses directory entries called enterprise roles to determine what privileges a given enterprise user has within a given schema, shared or owned. Enterprise roles are containers for database-specific global roles. For example, a user might be assigned the enterprise role clerk, which might contain the global role hrclerk and its attendant privileges on the human resources database and the global role analyst and its attendant privileges on the payroll database.
Oracle Advanced Security uses mappings--that is, directory entries that point an enterprise user to shared application schema on the database instead of to an individual account. For example, you might map several enterprise users to the schema
sales_application instead of to separate accounts in their names.
In Oracle9i, Oracle Advanced Security enables enterprise users to authenticate to multiple databases by using a single, centrally managed password. The password is stored in the directory as an attribute of the user's entry and is protected by encryption and access control lists. This feature eliminates the overhead associated with setting up Secure Sockets Layer (SSL) on clients and frees users from having to remember multiple passwords.
The alternative to authenticating with a centrally managed password is to use PKI-based enterprise user security through SSL. Like single password authentication, this feature relies on a user entry in the directory. A user's wallet must be stored as an attribute of his or her entry.
In Oracle9i, user wallets can be stored in the directory as an attribute of the user's entry. This feature enables mobile users to retrieve and open their wallets by using Enterprise Login Assistant. While the wallet is open, authentication is transparent--that is, users can access any database on which they own or share a schema without having to authenticate again.
Oracle9iAS Single Sign-On uses Oracle Internet Directory to store user entries. It maps users for any partner application to user entries in Oracle Internet Directory entries, and authenticates them by using LDAP mechanisms.
The Oracle Directory Integration Platform is a collection of interfaces and services for integrating multiple directories by using Oracle Internet Directory as the central directory.
The Oracle Directory Integration Platform provides these benefits: