Oracle Internet Directory Administrator's Guide
Part Number A96574-01
This section provides a brief description of new features introduced with the latest releases of Oracle Internet Directory, and points you to more information about each one. It contains these topics:
This section describes an important new feature employing the capabilities of Oracle Internet Directory. It also explains changes in Oracle Internet Directory since Release 9.0.2.
The chapter about migrating local or external users to enterprise users in Oracle Advanced Security Administrator's Guide
This section describes the new features introduced with Oracle Internet Directory Release 9.0.2.
Enhanced Performance and High Availability
The Oracle Directory Provisioning Integration Service ensures that subscribing applications or business entities are alerted to updates in Oracle Internet Directory so that they can keep their local repositories in sync. It enables you to synchronize local, application-specific information by using Oracle Internet Directory as the source of truth.
You can now use salted SHA as a hashing algorithm. This means that you can now select from these available hashing algorithms:
Salted SHA adds a salt: a random value that is combined with the password before hashing and stored with the resulting hash value. Because the same password hashed with different salts produces different stored values, a pre-computed dictionary of hashes cannot be reused across entries, which makes it extremely expensive to recover the value that was originally hashed.
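As an added illustration, not code from this guide or from Oracle Internet Directory, the following Python shows why the salt matters for stored passwords. It assumes the common LDAP {SSHA} encoding (base64 of the SHA-1 digest followed by the salt); the guide does not state Oracle Internet Directory's exact stored encoding, so that layout, the `{SHA}`/`{SSHA}` prefixes, and the sample passwords are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Assumed encodings (common LDAP convention, not taken from the guide):
#   {SHA}  base64( SHA1(password) )
#   {SSHA} base64( SHA1(password || salt) || salt )
SHA_PREFIX = "{SHA}"
SSHA_PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest size in bytes


def make_sha(password: str) -> str:
    """Unsalted hash: the same password always yields the same stored value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted hash: a fresh random salt per stored password unless one is supplied."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The salt is recovered from the stored value itself, so verification needs
    no extra state; malformed input is rejected instead of raising.
    """
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:  # need the digest plus at least one salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def build_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Pre-computed dictionary: stored {SHA} value -> password, built once and reused."""
    return {make_sha(p): p for p in candidates}


def table_lookup(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password by lookup alone; this only works for unsalted values."""
    return table.get(stored)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    table = build_table(["welcome1", "oracle", "password"])
    print(table_lookup(make_sha("oracle"), table))   # found by a single lookup
    print(table_lookup(make_ssha("oracle"), table))  # None: the salt defeats the table
    stored = make_ssha("oracle")
    print(verify_ssha("oracle", stored), verify_ssha("oracle1", stored))
```

The unsalted value is recovered from the table with one lookup, while the salted value of the same password is not in the table at all; an attacker would have to repeat the whole dictionary computation per salt, which is the cost the guide refers to.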
Previously, if a user had the DN uid=dlin, ou=people, o=oracle, then this identifier would be unique directly under ou=people. However, you could have the same user identifier in another branch--for example, uid=dlin, ou=others, o=oracle. In short, attribute uniqueness was guaranteed only under a given branch, and only within one level.
The applications that Oracle Internet Directory synchronizes with can use attributes other than the DN as their unique keys. Because Oracle Internet Directory can now enforce attribute uniqueness, applications that each have their own notion of "user" can synchronize their user bases with a user repository stored in an enterprise's Oracle Internet Directory server.
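To make the difference between the earlier per-branch guarantee and directory-wide uniqueness concrete, here is an added Python example; it is not code from the guide or from Oracle Internet Directory, and it models the directory as a constructed in-memory list of entries with a deliberately simplified DN parser (no escaped commas or multi-valued RDNs). The DNs follow the o=oracle example above; the mail values are constructed.

```python
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]  # (DN, attribute values)

# Constructed sample directory: the same uid appears under two branches.
DIRECTORY: List[Entry] = [
    ("uid=dlin,ou=people,o=oracle", {"uid": ["dlin"], "mail": ["dlin@example.com"]}),
    ("uid=dlin,ou=others,o=oracle", {"uid": ["dlin"], "mail": ["dlin2@example.com"]}),
    ("uid=jdoe,ou=people,o=oracle", {"uid": ["jdoe"], "mail": ["jdoe@example.com"]}),
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, most specific first.

    Simplified for the example: no escaped commas, no multi-valued RDNs;
    attribute types and values are compared case-insensitively.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(dn: str, base: Optional[str], one_level: bool) -> bool:
    """True if dn lies under base; base=None means the whole directory."""
    if base is None:
        return True
    d, b = parse_dn(dn), parse_dn(base)
    if len(d) <= len(b) or d[-len(b):] != b:  # base must be a proper suffix
        return False
    if one_level:
        return len(d) == len(b) + 1
    return True


def find_conflicts(entries: List[Entry], attr: str, value: str,
                   base: Optional[str] = None, one_level: bool = False) -> List[str]:
    """DNs of existing entries that already hold attr=value inside the scope."""
    attr, value = attr.lower(), value.lower()
    return [dn for dn, attrs in entries
            if in_scope(dn, base, one_level)
            and value in (v.lower() for v in attrs.get(attr, []))]


def check_add(entries: List[Entry], new_dn: str, new_attrs: Dict[str, List[str]],
              unique_attrs: List[str], base: Optional[str] = None,
              one_level: bool = False) -> List[Tuple[str, str, str]]:
    """Pre-add uniqueness check returning (attr, value, conflicting DN) triples.

    base=<branch>, one_level=True reproduces the earlier per-branch guarantee;
    base=None checks the whole directory, which is what synchronizing
    applications that key on uid or mail actually need.
    """
    violations = []
    for attr in unique_attrs:
        for value in new_attrs.get(attr, []):
            for dn in find_conflicts(entries, attr, value, base, one_level):
                violations.append((attr, value, dn))
    return violations


if __name__ == "__main__":
    new_entry = {"uid": ["dlin"], "mail": ["dlin3@example.com"]}
    # Old behaviour: only the target branch is inspected, so the add would pass.
    print(check_add(DIRECTORY, "uid=dlin,ou=contractors,o=oracle", new_entry,
                    ["uid", "mail"], base="ou=contractors,o=oracle", one_level=True))
    # New behaviour: the whole directory is inspected, so both existing dlin entries conflict.
    print(check_add(DIRECTORY, "uid=dlin,ou=contractors,o=oracle", new_entry, ["uid", "mail"]))
```

A server-side check of this kind is what lets an application treat uid or mail as a stable key: once uniqueness is enforced across the directory rather than per branch, a synchronized record cannot silently refer to two different people.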
In general, any directory-specific configuration or maintenance task not available through the high-level Oracle Enterprise Manager GUI can now be performed through Oracle Directory Manager (ODM) or through the command-line interfaces supplied with Oracle Internet Directory.
dc=server1, dc=us, dc=oracle, dc=com. Oracle Internet Directory stores, parses, and chases all alias references for complete client-side transparency.
The Delegated Administration Service is a set of individual, pre-defined services--called Delegated Administration Service units--for performing directory operations on behalf of a user. It makes it easier to develop and deploy administration solutions for both Oracle directory-enabled applications and other directory-enabled applications that use Oracle Internet Directory.
Administrators can now use the Delegated Administration Service and its accompanying console to:
The Oracle Internet Directory Self-Service Console, a new component of the Delegated Administration Service, enables you to flexibly administer applications, subscribers, and end users either from a central team or through decentralization and delegation. It provides:
You can use the Oracle Internet Directory Self-Service Console to configure the object classes, user groups, permissions, and other elements of directory information metadata stored in Oracle Internet Directory.
These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1 and release 3.0.1.
This section describes the new features introduced with Oracle Internet Directory Release 3.0.1.
This new feature enables you to run more than one installation of Oracle Internet Directory on a single host. You can then replicate between them or use this new feature as part of a failover strategy.
This new service enables directory users to modify their own personal data--such as addresses, phone numbers, and photos--without the intervention of an administrator. It also enables users to search other parts of the directory to which they have access. This frees directory administrators for other tasks in the enterprise.
Failover in cluster configurations
This new feature enables you to increase high availability by using logical hosts--as opposed to physical hosts--in clustered environments.
Oracle9i Real Application Clusters is a computing environment that harnesses the processing power of multiple, interconnected computers. Along with a collection of hardware, called a cluster, it unites the processing power of each component to become a single, robust computing environment. A cluster comprises two or more computers, also called nodes.
You can run Oracle Internet Directory in an Oracle Real Application Clusters system.
In this paradigm, the directory server binds to the logical host, rather than the physical host. It maintains this connection even if the logical host fails over to a new physical host.
A client connects to the directory server by using the logical host name and address of the server. If the logical host fails over to a new physical host, then that failover is transparent to the client.
This new feature enables you to synchronize various directories with Oracle Internet Directory. It also makes it easier for third party metadirectory vendors and developers to develop and deploy their own connectivity agents.
Password policy management enables you to establish and enforce rules for how passwords are used.
These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1.
The Oracle directory server and database tools are no longer restricted to running on a UTF8 database. However, data can be lost during add, delete, modify, or modifydn operations if the character set of the data in the client request differs from that of the directory server database repository and the client data cannot be mapped to the database character set. If the database underlying the Oracle directory server is neither AL32UTF8 nor UTF8, then be sure that all characters in the client character set are included in the database character set, whether with the same or different character codes.
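The following Python is an added example, not code from the guide, of the check the preceding paragraph calls for. It uses Python codec names as stand-ins: `latin-1` and `cp1252` play the role of single-byte database or client character sets, and `utf-8` stands for an AL32UTF8/UTF8 database; the sample strings are constructed. It also shows what silent conversion does to characters the database set cannot represent.

```python
from typing import List


def unmappable_chars(text: str, db_charset: str) -> List[str]:
    """Characters of a client string that the database character set cannot represent."""
    bad = []
    for ch in text:
        try:
            ch.encode(db_charset)
        except UnicodeEncodeError:
            bad.append(ch)
    return bad


def safe_to_store(text: str, db_charset: str) -> bool:
    """Pre-flight check for an add or modify: True only if nothing would be lost."""
    return not unmappable_chars(text, db_charset)


def store_lossy(text: str, db_charset: str) -> str:
    """What unchecked conversion does: unmappable characters become '?' and are lost."""
    return text.encode(db_charset, errors="replace").decode(db_charset)


def missing_from_db(client_charset: str, db_charset: str) -> List[str]:
    """Characters of a single-byte client character set that the database set lacks.

    This is the guide's rule applied mechanically: every character the client
    can send must exist in the database set, whatever code it has there. All
    256 byte values of the client set are enumerated; bytes the client set
    leaves undefined are skipped.
    """
    missing = []
    for b in range(256):
        try:
            ch = bytes([b]).decode(client_charset)
        except UnicodeDecodeError:
            continue
        if unmappable_chars(ch, db_charset):
            missing.append(ch)
    return missing


if __name__ == "__main__":
    # Constructed sample: a German street name and a Japanese city name.
    sample = "Düsseldorf 東京"
    print(unmappable_chars(sample, "latin-1"))   # ['東', '京']
    print(store_lossy(sample, "latin-1"))        # 'Düsseldorf ??'  (data loss)
    print(safe_to_store(sample, "utf-8"))        # True: a Unicode database maps everything
    # A cp1252 client against a latin-1 database: the euro sign and others are missing.
    print(missing_from_db("cp1252", "latin-1"))
    print(missing_from_db("latin-1", "utf-8"))   # []: a Unicode database is a superset
```

Running `missing_from_db` once for each client character set in use against the configured database character set answers the question the paragraph poses before any data is loaded; `safe_to_store` is the per-request form of the same check.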
This section describes the new features introduced with Oracle Internet Directory release 2.1.1.
Attribute options enable you to specify how the value for an attribute is made available in a search or a compare operation. For example, suppose that an employee has two addresses, one in London, the other in New York. Options for that employee's address attribute could allow you to store both addresses. Users could then search for either address.
Attribute options can include language codes. For example, options for John Doe's givenName attribute could enable you to store his given name in both French and Japanese. A user could then search for the name in either language.
These enhancements enable you to specify the type of change log purging to use: change number-based or time-based.
This enhanced support enables you to use one or more of these attributes in searches.
This new feature enables you to migrate data from other LDAP v3-compatible directories into Oracle Internet Directory.
Object class explosion enables you to add or perform an operation on an entry without specifying the entire hierarchy of superclasses associated with that entry.
See "Guidelines for Adding Object Classes" for an explanation of how to use this feature when adding object classes.
This tool assists in capacity planning. It helps you analyze the various database schema objects so that you can estimate the statistics.
This new feature enhances the available password protection by storing passwords as hashed values. Storing passwords as one-way hashed values--rather than as encrypted values--more fully secures them because a malicious user can neither read nor decrypt them. You can select one of the following hashing algorithms:
The following replication tools have been added:
This tool enables you to move changes from the human intervention queue to either the retry queue or the purge queue.
This tool enables you to synchronize conflicting changes in a replicated environment.
This new feature enables you to delete a node from a directory replication group.
If you are working in a metadirectory environment, then this new feature enables you to form a single virtual directory by synchronizing multiple directories with Oracle Internet Directory.
This feature was replaced in Release 3.0.1 by the Oracle Directory Integration Platform. See Chapter 27, "Oracle Directory Integration Platform Concepts and Components" for further information.