Skip Navigation Links | |
Exit Print View | |
![]() |
Oracle Fusion Middleware Glossary for Oracle Unified Directory 11g Release 1 (11.1.1) |
access control instruction (ACI)
authentication password syntax
authorization identity control
deprecated password storage scheme
Directory Services Markup Language
entry change notification control
extensible match search filter
greater than or equal to search filter
less than or equal to search filter
Lightweight Directory Access Protocol
notice of disconnection unsolicited notification
Password Modify extended operation
Simple Authentication and Security Layer
virtual attributes only control
The LDAP Cancel extended operation is an extended operation that provides a function similar to the core LDAP abandon operation in that it can be used to request that the server stop processing on an operation in progress. The primary advantages of the Cancel extended operation over the abandon operation are that both the cancel request and the operation being canceled are guaranteed to get a response, whereas there is no response for the abandon request and there may not be a response for the operation being abandoned.
The Cancel extended operation is defined in RFC 3909. The value of the Cancel Request extended operation is encoded as follows:
cancelRequestValue ::= SEQUENCE { cancelID MessageID -- MessageID is as defined in [RFC2251] }
See Common Development and Distribution License.
A certificate is an element of public key cryptography that may be used to perform asymmetric encryption. In particular, a certificate consists of a pair of keys (called the “public key” and the “private key”, respectively) that are linked so that any data encrypted using the public key can be decrypted using the private key. With many public key algorithms, like RSA, the reverse is also true so that any data encrypted with the private key can be decrypted using the public key.
The term certificate has different meanings, based on the context in which it is used. In many cases, it refers to only the public key (in particular, whenever the server presents its certificate to the client, or if a client presents its certificate to the server, then only the public key is included). However, in other cases, it does include the private key (i.e., the server will require the use of the private key to establish a secure communication channel with the client, and the client will need access to its private key in order to send its own certificate to the server).
Certificates have two primary uses in the directory server. The first is for providing a secure communication mechanism, generally through the use of SSL or StartTLS. In this case, the negotiation process involves the client encrypting information using the server's public key so that only the server can decrypt it using its public key and that information will not be exposed to any third party that might be able to observe the communication. Certificates may also be used for data signing, in which case the server will encrypt information using its private key, and clients will know that the data is legitimately from the server if it can be decrypted using the server's public key.
A certificate mapper provides the logic required to identify a user in the Directory Server that corresponds to a provided client certificate. The mapping may use any of the information contained in the certificate, although many certificate mappers are based primarily on the certificate's subject (the name of the certificate, which comprises a number of attribute-value pairs and looks very much like an LDAP distinguished name.
For more information about the certificate mappers available for use in the directory server, see the Certificate Mapper Configuration.
Chaining provides a mechanism for making data in a remote Directory Server instance appear as if it is part of the local server. That is, chaining is used to present a part of the DIT using data from another server. Any request that the server receives for data in a chained portion of the DIT will be transparently forwarded to the server that actually contains the request.
A changelog is a special kind of database that is used to keep track of the changes that occur in a Directory Server instance. There are two different kinds of changelogs:
A replication changelog stores change information in a format needed for replication.
An LDAP-accessible changelog that represents its data in the format specified in draft-good-ldap-changelog that allows clients to learn about the changes that have occurred in the directory environment.
See directory manager.
A collective attribute is a special type of virtual attribute that is defined in RFC 3671. Collective attributes enable you to define values that are assigned to attributes based on an entry's membership in a subentry.
The Common Development and Distribution License (CDDL) is an OSI-approved open source license which is used by the OpenDS project, on which Oracle Unified Directory.
The CDDL is a file-based license, which means that any changes to files contained in the project need to remain licensed under the CDDL. New files, however, may be licensed under any license chosen by the author (including closed-source licenses). The CDDL is based on the Mozilla Public License (MPL) and includes a patent grant clause so that any technology covered by patents will be granted to other projects using the code.
The CDDL license contents may be found at http://www.opensource.org/licenses/cddl1.php.
The LDAP compare operation can be used to determine whether a specified entry contains a given attribute value. The compare request protocol op is defined as follows:
CompareRequest ::= [APPLICATION 14] SEQUENCE { entry LDAPDN, ava AttributeValueAssertion } AttributeValueAssertion ::= SEQUENCE { attributeDesc AttributeDescription, assertionValue AssertionValue }
The elements of the request include the following:
The DN of the entry in which the comparison is to be made.
The name of the attribute in which the comparison is to be made.
The assertion value to try to find in the specified attribute.
The response to an LDAP compare operation is an LDAP result element as defined below:
CompareResponse ::= [APPLICATION 15] LDAPResult
A connection handler is a component of the Directory Server that is responsible for accepting connections from clients, reading and parsing requests submitted by the clients, ensuring that they are processed by the server, and sending the corresponding responses back to the client. The connection handler manages all communication with the client and therefore needs to implement support for the associated protocol.
The directory server currently provides connection handlers capable of communicating using LDAP and JMX, as well as a special connection handler for internal use that may be used to allow components of the server (like plug-ins and other kinds of extensions) to perform operations. The server also provides an extensible connection handler API that may be used to implement support for additional network protocols.
A connection ID is a unique integer identifier that is assigned to each connection maintained within the Directory Server. It is used primarily for logging purposes, so that it is possible to correlate the various operations performed on a given connection.
The connection ID counter starts at zero for the first connection received by the server and increments by one for each additional connection. The counter is reset whenever the server is restarted.
Internal connections, which are used for processing internal operations, are assigned negative values to distinguish them from connections from external clients.
An LDAP control is an element that may be included in an message. If it is included in a request message, it can be used to provide additional information about the way that the operation should be processed. If it is included in the response message, it can be used to provide additional information about the way the operation was processed.
Examples of LDAP controls include:
Account usability control - This is a pair of request and response controls that indicate whether an account is able to authenticate to the server.
Authorization identity control - This is a pair of request and response controls that may be used to determine the authorization identity for a user as part of a bind operation.
Entry change notification control - This is a control that is included in search result entry messages performed as part of a persistent search to indicate how an entry has been updated.
Get effective rights control - This is a request control that may be used to obtain information about what rights a user has for accessing a given entry.
LDAP assertion control - This is a request control that may be used to ensure that an operation is only processed if the target entry matches a given assertion filter.
LDAP no-op control - This is a request control that may be used to ensure that a write operation does not actually change any information in the server but attempts to determine whether the operation would otherwise be successful.
LDAP post-read control - This is a pair of request and response controls that may be used to retrieve an entry as it appeared immediately after performing an add, modify, or modify DN operation.
LDAP pre-read control - This is a pair of request and response controls that may be used to retrieve an entry as it appeared immediately before performing a delete, modify, or modify DN operation.
Manage DSA IT control - This is a request control that may be used to request that the server treat smart referrals as regular entries rather than as referrals.
Matched values control - This is a request control that may be used to request that entries returned from a search operation only include values matching a given filter.
Persistent search control - This is a request control that may be used to receive notification whenever an entry matching a given set of criteria is updated in the server.
Proxied authorization control - This is a request control that may be used to request that an operation be performed under the authorization of another user.
Server-side sort control - This is a request control that may be used to request that the server sort the results before returning them to the client.
Simple paged results control - This is a request control that may be used to request that the server retrieve only a subset of the results, and when used repeatedly can allow the client to page through the result set.
Virtual list view control - This is a pair of request and response controls that may be used to retrieve an arbitrary page of search results from the server.
An LDAP control is defined as follows:
Control ::= SEQUENCE { controlType LDAPOID, .... criticality BOOLEAN DEFAULT FALSE, .... controlValue OCTET STRING OPTIONAL }
A control includes these elements:
An OID that specifies the type of control.
A criticality, which indicates whether the control should be considered a critical part of the operation (that is, if the server cannot process the control, the operation should fail).
An optional value, which can be used to provide additional information about the way the control should be processed.
The CRAM-MD5 SASL mechanism provides a way for clients to authenticate to the Directory Server with a username and password in a manner that does not expose the clear-text password, so it is significantly safer than simple authentication or the PLAIN SASL mechanism when the connection between the client and the server is not secure.
The CRAM-MD5 SASL mechanism is described in the draft-ietf-sasl-crammd5-10 internet draft. The process is as follows:
The client sends an LDAP message to the server with a bind request protocol op type using an authentication type of SASL with a mechanism name of CRAM-MD5 and no credentials.
The server sends a bind response message back to the client with a result code of 14 (SASL bind in progress) and a server SASL credentials element including randomly-generated data (the challenge).
The client responds with a second SASL bind request message to the server with a mechanism name of CRAM-M5, and this time provides SASL credentials containing the authentication ID used to identify the user and an MD5 digest that is computed by combining the server-provided challenge with the clear-text password.
The server uses the authentication ID to identify the user, and then retrieves the clear-text password for that user (if the clear-text password cannot be obtained, then authentication will fail) and uses it to determine whether the provided digest is valid. The server will then send an appropriate response to the client (usually with a result of either success or invalid credentials) indicating whether the authentication was successful.
The CRAM-MD5 SASL mechanism is very similar to DIGEST-MD5, but it is somewhat weaker because CRAM-MD5 only includes random data from the server whereas DIGEST-MD5 includes random data from both the client and the server. DIGEST-MD5 also provides a provision for ensuring connection integrity and/or confidentiality, which CRAM-MD5 does not offer.
See UNIX crypt algorithm.