JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Deployment Planning Guide 11g Release 1 (
search filter icon
search icon

Document Information


Part I Overview of Deployment Planning for Directory Server Enterprise Edition

1.  Introduction to Deployment Planning for Directory Server Enterprise Edition

2.  Business Analysis for Directory Server Enterprise Edition

Part II Technical Requirements

3.  Usage Analysis for Directory Server Enterprise Edition

4.  Defining Data Characteristics

5.  Defining Service Level Agreements

6.  Tuning System Characteristics and Hardware Sizing

7.  Identifying Security Requirements

Security Threats

Overview of Security Methods

Determining Authentication Methods

Anonymous Access

Simple Password Authentication

Simple Password Authentication Over a Secure Connection

Certificate-Based Client Authentication

SASL-Based Client Authentication

Preventing Authentication by Account Inactivation

Preventing Authentication by Using Global Account Lockout

External Authentication Mappings and Services

Proxy Authorization

Designing Password Policies

Password Policy Options

Password Policies in a Replicated Environment

Password Policy Migration

Password Synchronization With Windows

Determining Encryption Methods

Securing Connections With SSL

Encrypting Stored Attributes

What Is Attribute Encryption?

Attribute Encryption Implementation

Attribute Encryption and Performance

Designing Access Control With ACIs

Default ACIs

ACI Scope

Obtaining Effective Rights Information

Tips on Using ACIs

Designing Access Control With Connection Rules

Designing Access Control With Directory Proxy Server

How Connection Handlers Work

Grouping Entries Securely

Using Roles Securely

Using CoS Securely

Using Firewalls

Running as Non-Root

Other Security Resources

8.  Identifying Administration and Monitoring Requirements

Part III Logical Design

9.  Designing a Basic Deployment

10.  Designing a Scaled Deployment

11.  Designing a Global Deployment

12.  Designing a Highly Available Deployment

Part IV Advanced Deployment Topics

13.  Using LDAP-Based Naming With Solaris

14.  Deploying a Virtual Directory

15.  Designing a Deployment With Synchronized Data


Grouping Entries Securely

Roles and CoS require special consideration with regard to security.

Using Roles Securely

Not every role is suitable for use within a security context. When creating a role, consider how easily it can be assigned to and removed from an entry. Sometimes, users should be able to add themselves to or remove themselves from a role. However, in some security contexts such open roles are inappropriate. For more information, see Directory Server Roles in Oracle Directory Server Enterprise Edition Reference.

Using CoS Securely

Access control for reading applies to both the real attributes and the virtual attributes of an entry. A virtual attribute generated by the Class of Service (CoS) mechanism is read like a normal attribute. Virtual attributes should therefore be given read protection in the same way. However, to make the CoS value secure, you must protect all of the sources of information the CoS value uses: the definition entries, the template entries, and the target entries. The same is true for update operations. Write access to each source of information must be controlled to protect the value that is generated from these sources. For more information, see Chapter 12, Directory Server Class of Service, in Oracle Directory Server Enterprise Edition Reference.