This preface introduces the new and changed features of Oracle Unified Directory and Oracle Directory Services Manager (ODSM) since the previous release, and provides pointers to additional information. The information includes the following sections:
New and Changed Features for Oracle Unified Directory 11g Release 2 (11.1.2.3)
New and Changed Features for Oracle Unified Directory 11g Release 2 (11.1.2.2)
New and Changed Features for Oracle Unified Directory 11g Release 2 (11.1.2.1)
New and Changed Features for Oracle Unified Directory 11g Release 2 (11.1.2.3)
Follow the pointers into this guide to get more information about the features and how to use them. This document is the new edition of the formerly titled Oracle Fusion Middleware Administrator's Guide for Oracle Unified Directory.
This section provides a concise summary of the new features in this release, and contains the following topics:
What's New in Oracle Unified Directory 11g Release 2 (11.1.2.3)
What's New in Oracle Directory Services Manager 11g Release 2 (11.1.2.3)
Other Significant Changes in this Document for 11g Release 2 (11.1.2.3)
This section provides a concise summary of the new features in this release of Oracle Unified Directory, which includes the following topics:
New use-any-of
Property for Character Set Password Validator
Support to Retain Case Sensitive Attribute Values During Upgrade
memberof
User Attribute to person
EntriesOracle Unified Directory now provides a VirtualMemberof workflow element that adds the memberof
user attribute to person
entries. For more information, see Section 12.5.3, "Adding memberof
User Attributes to person
Entries."
Oracle Unified Directory now supports attribute encryption in a replication server database, also known as the changelog
. See Section 14.5, "Support for Encryption in Replication Topology."
You can now configure the use-authid-for-audit-attrs
attribute to record the authorization IDs of proxied users when they make server changes. For more information, see Section 17.1.4.3, "Configuring How Server Changes Are Recorded."
You can now use selective attribute caching to better manage operations for large deployments and large entries by differentiating attributes in an LDAP entry, based on how often they are accessed. For more information, see Section 18.9, "Configuring Selective Attribute Caching."
Password Expiration Time
Virtual AttributeOracle Unified Directory introduces a Password Expiration Time
virtual attribute that dynamically computes password expiration time based on information contained in both the user entry and the applicable password policy.
Note:
Do not confuse thePassword Expiration Time
virtual attribute with the ds-pwp-account-expiration-time
attribute, which is the account expiration time, rather than password expiration time.For more information, see Section 18.11, "Configuring Virtual Attributes."
Significant improvements to static groups now enable Oracle Unified Directory to manage huge numbers of members.
Consequently, it is no longer recommended that you use virtual static groups to avoid static group scalability. For more information, see Section 19.3.3, "Defining Virtual Static Groups."
dsreplication
SubcommandsThe dsreplication
command provides the following new subcommands:
The list-certs
subcommand lists the certificates used by the servers for replication.
The regenerate-cert
subcommand regenerates the certificate used by the specified server (or by all servers) for replication.
The set-cert
subcommand configures the server to use a certificate in a keystore for replication. This keystore also stores the public keys needed to communicate with the other replicated servers. You can use the set-cert
subcommand to set the certificate for a keystore with the type PKCS11.
The verify
subcommand verifies the replication configuration including certificates of the replicated servers and if any inconsistencies are found, prompts you (in interactive mode) for the action to be taken to fix them.
See the following sections:
Oracle Unified Directory now supports the crypt algorithm for encoding user passwords in a CRYPT password storage scheme on Linux systems. See Section D.3.15, "crypt algorithm."
use-any-of
Property for Character Set Password ValidatorThe Character Set password validator includes the new use-any-of
property to specify the minimum number of character sets from which a password must include characters. See Chapter 30, "Managing Password Validators."
Oracle Unified Directory includes the following new optimizations:
Using Specific Encoding for Single-valued Attributes
Oracle Unified Directory has been optimized to reduce the disk space used by single-valued attributes. This optimization is most efficient when many single-valued attributes are used. No specific configuration changes are required for this optimization.
Avoiding Duplication of the RDN Attribute
Oracle Unified Directory server does not duplicate the relative distinguished name (RDN) attribute and its value in a database entry, since the DN already contains this information. No specific configuration changes are required for this optimization.
Using Tokens for Attribute Values
You can specify a list of attributes whose values Oracle Unified Directory server should compact and then reference in the database using tokens. The server stores only the tokens in the database rather than repeating all of the attribute values in each entry.
To configure this option, set the new multivalued ds-cfg-compact-attribute-values-using-tokens
property, as described in Section 18.8.3, "Saving Database Space Using Tokens for Attribute Values."
previous-last-login-time
AttributeYou can now configure a previous-last-login-time
attribute that, when a new login occurs, enables Oracle Unified Directory to copy the existing last-login-time
property value to previous-last-login-time
and then update the last-login-time
value to show the current login time. For more information, see Example 30-2, "Configuring Last Login".
Oracle Unified Directory now gives you additional control over how password, encrypted, and user-specified attributes are displayed in the audit log. For more information, see Section 35.3.4, "Masking Attributes in the Audit Log."
You can now use a new, real-time LDAP connector monitoring panel to check connection pool status, including server status, current throughput for each operation type. For more information, see Section 35.8, "Monitoring the Proxy LDAP Connector."
Running the oud-setup
or oud-setup.bat
script in command-line (CLI) mode has these changes:
The --serverTuning
option now allows you to specify the percentage of the system memory to be used for Oracle Unified Directory server.
The --importTuning
option is renamed to --offlineToolsTuning
(--importTuning
usage is still available for backward compatibility).
Running the oud-setup
in graphical user interface (GUI) mode has these changes:
The default tuning provides a more aggressive tuning than in previous versions.
On the Server Tuning screen, the number of options is reduced to these choices:
Providing the Memory to be Used by OUD (the default) is the same as in previous versions.
Providing Runtime Options is a combination of the previous options based on memory and data.
dstune
UtilityThe dstune
utility has these changes:
In non-interactive mode, the data-based
subcommand tunes Oracle Unified Directory server using the current contents of the database, if you do not specify the other options.
The data-based
subcommand displays the recommended minimum and optimal values for memory for the provided data.
The mem-based
subcommand allows you to specify a percentage of system memory to be used for Oracle Unified Directory server.
The automatic
subcommand is no longer available (automatic
usage is still available for backward compatibility).
See Section A.2.7, "dstune" and Chapter 36, "Tuning Performance."
The RDBMS workflow element enables LDAP clients to access identity data stored in an RDBMS using the LDAP protocol.
See Section 12.1.1, "Enabling LDAP Clients to Access Identity Data Stored in an RDBMS."
The Ad Password Update workflow element enables LDAP clients to update user passwords stored in Microsoft Active Directory.
See Section 12.4.3, "Enabling LDAP Clients to Update User Passwords Stored in Active Directory."
You can now retain case sensitive attribute values during upgrade from 11.1.2.2 to any higher versions by setting compact-encoding flag to false right before the upgrade.
See Section 18.15, "Retaining Case Sensitivity in Attributes During Upgrade."
This section provides a concise summary of the new features in this release of Oracle Directory Services Manager. The topics include:
The OUD Statistics panel on the Oracle Directory Services Manager Home tab, has been revised.
For more information, see Section 16.3.3, "Viewing Server Statistics."
Oracle Directory Services Manager now provides a Metrics tab to provide information about the server, which includes usage since startup, current usage, and cache usage.
For more information, see Section 16.3.7, "Viewing the Server Metrics."
You can now create a Join workflow element from the Configuration tab in ODSM. For more information, see Section 17.3.4.1, "Creating a Workflow Element."
For 11g Release 2 (11.1.2.3), this guide has been updated in several ways. Following are the sections that have been added or changed.
Added new information about virtualization in proxy deployments to Chapter 3, "Example Deployments Using the Proxy Server."
Renamed to "Understanding the Proxy, Distribution, and Virtualization Functionality" and updated the chapter to provide conceptual information about new workflow elements related to virtualization.
Moved information about invoking and using Oracle Directory Services Manager to access Oracle Unified Directory from Chapter 21 to Chapter 16, "Accessing Oracle Unified Directory Using ODSM."
Add a new Part IV, "Configuring Proxy, Distribution, and Virtualization Functionality," which contains the following new chapters:
This section provides a concise summary of the new features in this release, and contains the following topics:
What's New in Oracle Unified Directory 11g Release 2 (11.1.2.2)
What's New in Oracle Directory Services Manager 11g Release 2 (11.1.2.2)
This section provides a concise summary of the new features in this release of Oracle Unified Directory, and covers the following topics:
New Option for dsconfig Security
Subcommand for Attribute Encryption
New Options for dsconfig Security
Subcommand for Virtualization
Support to Configure the Name of Rotated Log Files Using Local Time Stamp
Allows you to encrypt sensitive attributes in Oracle Unified Directory, thereby enhances security.
For more information, see Chapter 14, "Understanding Data Encryption in Oracle Unified Directory."
export-ldif
CommandThe new option -d, --decrypt
allows you to decrypt the LDIF data as it is exported.
For more information, see Section A.3.5, "export-ldif."
dsconfig Security
Subcommand for Attribute EncryptionThe new option Data Encryption allows you to configure attribute encryption.
For more information, see Section 14.7.3, "Configuring Attribute Encryption Using the dsconfig
Interactive Mode."
You can now deploy the proxy functionality and the Directory Server functionality in a single server instance.
For more information, see Chapter 4, "Example Mixed Deployments."
Oracle Unified Directory now allows virtualization through the definition of Join workflow element.
For more information, see Chapter 24, "Configuring Virtualization."
dsconfig Security
Subcommand for VirtualizationThe new options create-access-control-group, delete-access-control-group,
and list-access-control-groups allow you to configure access control groups.
For more information, see Section A.2.4.13, "Security Subcommands."
Oracle Unified Directory now allows you to determine who can access that data, and what parts of the data can be accessed through the definition of Virtual ACIs.
For more information, see Section 9.7, "Understanding Virtual ACIs."
When a replication gateway is deployed, you can use the OUD dsreplication
command or the ODSEE console to monitor replication status information.
For more information, see Section 35.7.3, "Monitoring Oracle Unified Directory and ODSEE Replication Status in Deployments Using Replication Gateways."
dsreplication status
SubcommandThe new options --dataToDisplay
and --listDataToDisplay
enable you to display only the replication status information you specify.
For more information, see Section A.2.6, "dsreplication."
You can now target one or more attributes that occur in the targeted entries to deny or allow access to partial information about an entry.
For more information, see Section 9.2.2.2, "Targeting Attributes."
You can now notify administrator if the Oracle Directory Server Enterprise Edition compatible access control subsystem detected one or more ACI rules have been modified using the new Access Control Modified
alert type.
For more information, see Section 35.4.1.3, "Supported Alert Types."
Oracle Unified Directory allows you to make the server obfuscate the scheme name in curly brackets when it returns the password by configuring the ClearPassowrdScheme
configuration parameter.
For more information, see Configuration Reference for Oracle Unified Directory.
Unsalted SHA256 and SHA512 password storage schemes are now supported.
Oracle Unified Directory now allows you to redirect the bind request to a remote directory server if the user credentials for authenticating are not stored locally using the pass-through authentication mechanism.
For more information, see Section 12.4.4, "Understanding Pass-Through Authentication."
You can configure the password policy so that after multiple soft account locks expire, the user account is hard-locked and must be reset by an administrator.
For more information, see Section 30.6.1, "Configuring the Default Password Policy."
Oracle Unified Directory now allows you to configure a server instance to include a local time stamp in the file name of rotated log files.
For more information, see Section 35.3.1.1.6, "Configuring the Name of Rotated Log Files Using Local Time Stamp."
Oracle Unified Directory now allows you to tune the server using the automatic mode or using some other criteria with the dstune
command-line utility to enhance the performance of the server.
For more information, see Section 36.4, "Tuning the Java Virtual Machine Settings Using the dstune
Utility."
oud-setup
CommandThe new options --serverTuning
and --importTuning
allow you to configure server tuning.
For more information, see Section A.2.14, "oud-setup."
dstune
Command-Line UtilityThe new dstune command allows you to tune the Oracle Unified Directory server.
Fore more information, see Section A.2.7, "dstune."
This section provides a summary of the new features in this release of Oracle Directory Services Manager (ODSM), and covers the following topics:
ODSM allows you to configure data encryption. For more information, see Section 17.3.8, "Modifying the General Server Configuration."
ODSM allows you to configure the pass through authentication join rule through the creation of pass-through authentication workflow element. For more information, see Section 17.3.4.1, "Creating a Workflow Element."
ODSM allows you to configure the Virtual ACIs through workflow configuration. For more information, see Section 17.3.5.1, "Creating a Workflow."
When a replication gateway is deployed, you can use the ODSEE console to monitor replication status information. For more information, see Section 35.7.3.2, "Using the DSCC to Monitor a Replication Gateway."
ODSM allows you to configure data replication. For more information, see Section 32.3, "Configuring Data Replication Using ODSM."
ODSM uses a new look and feel Skyros skin that incorporates current User Interface visual design trends (flat and not dimensional, reduced gradients, reduced borders, light and or white colors with splashes of color). This skin family uses CSS3 for gradients, drop shadows, rounded corners, and so on.
This section provides a concise summary of the new features in this release, and contains the following topics:
What's New in Oracle Unified Directory 11g Release 2 (11.1.2.1)
What's New in Oracle Directory Services Manager 11g Release 2 (11.1.2.1)
This section provides a concise summary of the new features in this release of Oracle Unified Directory, and covers the following topics:
Oracle Unified Directory now supports macro expressions to represent a DN in the target section of the ACI, in the bind rule section, or in both.
For more information, see Section 9.6, "Using Macro ACIs for Advanced Access Control."
nsuniqueid
Virtual AttributeOracle Unified Directory introduces nsuniqueid
operational virtual attribute that is assigned to each entry in the directory server to resolve naming conflicts while migrating legacy applications using Oracle Directory Server Enterprise Edition as an LDAP database to Oracle Unified Directory.
For more information, see Section 18.11, "Configuring Virtual Attributes."
You can now configure criticality at the workflow level by setting the criticality flag.
For more information, see Section 22.1.5, "Configuring Criticality in Workflows Using dsconfig
."
Oracle Unified Directory enables you to log administration operations into a separate log file that provides logging information associated with administration traffic.
For more information, see Section 35.3.3, "Logging Operations to Access Log Publishers."
Oracle Unified Directory supports transformation through creation of an instance of workflow element.
For more information, see Section 12.7, "Understanding the Transformation Framework."
Oracle Unified Directory provides additional properties, ecl-include-del-only
and ecl-blacklist
to configure attributes for external change log (ECL).
For more information, see Section 32.7.5, "Specifying the Attributes to be Included in the External Change Log" and Section 32.7.6, "Specifying the Attributes to be Excluded in the External Change Log."
Oracle Unified Directory supports the following external directories:
Microsoft Active Directory
Novell eDirectory
Oracle Directory Server Enterprise Edition
For more information, see Chapter 31, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."
Oracle Unified Directory allows you to relocate Root DSE, which is a special entry that provides information about the server's name, version, naming contexts, and supported features.
For more information, see Section 17.1.6.5, "Relocating the Root DSE Entry for a Network Group."
Oracle Unified Directory enables you to rename or replace RDN values from the source directory to Oracle Unified Directory using the RDNChanging
configuration.
For more information, see Section 12.5.5, "Changing RDN Values Using the Proxy."
Oracle Unified Directory supports Directory plug-in API as a means to extend the existing Directory Server functionality.
For more information, see Developing Plug-Ins for Oracle Unified Directory.
This section provides a summary of the new features in this release of Oracle Directory Services Manager (ODSM), and covers the following topics:
ODSM supports a new parameter to log administration operations in the access logs.
For more information, see Section 35.3.3.2, "Configuring Logged Operations in Access Log Publishers Using ODSM."
ODSM supports macro expressions to represent a DN in the target section of the ACI, in the bind rule section, or in both.
For more information, see Section 28.4, "Managing Macro ACIs Using ODSM."
ODSM supports a new parameter, the criticality flag to configure workflows.
For more information, see Section 22.2.1, "Configuring Criticality in Workflows Using ODSM."
ODSM allows you to configure virtual attributes.
For more information, see Section 18.11.2, "Configuring Virtual Attributes Using ODSM."
ODSM allows you to define transformations through the creation of transformation workflow element.
For more information, see Section 24.6, "Configuring Transformations."
ODSM now allows you to create the following workflow elements:
Kerberos Authentication Provider Workflow Element
RDN Changing Workflow Element
Transformations Workflow Element
For more information, see Section 19.5.2, "Configuring Proxy, Distribution, and Virtualization Functionality."
ODSM supports the ability to configure Enterprise User Security.
For more information, see Section 17.3.7, "Configuring Network Groups Using ODSM."
ODSM allows you to configure the RDN Changing workflow element.
For more information, see Section 17.3.4, "Configuring Workflow Elements Using ODSM."
This section provides a concise summary of the new features in this release, and contains the following topics:
What's New in Oracle Unified Directory 11g Release 2 (11.1.2.3)
What's New in Oracle Directory Services Manager 11g Release 2 (11.1.2.3)
This section provides a concise summary of the new features in this release of Oracle Unified Directory, and covers the following topics:
It is imperative to define the order in which identity mappers are evaluated in the network group to avoid conflicts. You can now define priorities for the conflicting identity mappers.
For more information, see Section 13.6, "Ordering Identity Mappers."
When a server cannot handle a client's request, it sends a list of referrals to the client, which point the client to other servers in the topology. The client then performs the operation again on one of the remote servers in the referral list.
For more information, see Section 18.14, "Configuring Referrals."
You can now configure proxy LDAP workflow elements with two additional parameters, such as the never-bind
parameter, use-proxy-auth
parameter, and the include and exclude lists to tweak the behavior of the server.
For more information, see Section 20.2.3, "Configuring the Bind Mode."
Oracle Unified Directory now supports Active Directory range retrieval by providing support for Microsoft Active Directory paging.
For more information, see Section 23.1, "Retrieving All Attribute Values from an Active Directory Server."
Oracle Unified Directory now implements criticality configuration, which permits the Oracle Unified Directory proxy server to return partial data to a client if a search operation fails, due to a host error.
For more information, see Section 22.1.6, "Configuring Criticality in Workflow Elements Using dsconfig
."
Integrating Oracle Unified Directory with EUS enables you to store user identities in Oracle Unified Directory for Oracle Database authentication.
In this release, support for EUS is limited to password authentication (certificate authentication and integration with Kerberos are not supported at this stage).
For more information, see Chapter 31, "Integrating Oracle Unified Directory with Oracle Enterprise User Security."
Social networking applications are now supported with two new controls, the Join control and the Proximity control.
For more information, see Section 18.5.3.2, "Searching Using the Join Search Control" and Section 18.5.3.3, "Searching Using the Proximity Search Control."
The External Change Log (ECL) functionality allows you to publish all changes that have occurred in a directory server database and is particularly useful for synchronizing the LDAP directory with other subsystems.
You now have a user-friendly CLI to configure external changelog using the dsreplication
command.
For more information, see Section 32.7, "Using the External Change Log."
You can now install, configure, customize, and validate Oracle Unified Directory in a test environment. Once the system performs as expected, you can create the production environment by moving a copy of the server and its configuration from the test environment, instead of redoing all the changes that were incorporated into the test environment.
For more information, see Chapter 34, "Moving From a Test to a Production Environment."
Some commands had an option where the password was provided in a clear text format on the CLI. This resulted in security exposure, because one could retrieve the password using the ps
command on a UNIX system.
The clear text format is deprecated now and the commands are modified to use the file-based option to store the password by introducing the following option:
-j, --bindPasswordFile
For more information, see Appendix A, "Oracle Unified Directory Command-Line Interface."
Oracle Unified Directory allows you to configure ADS trust store pin to determine whether to trust a certificate that is presented to it.
For more information, see Section 26.3, "Configuring Trust Manager Providers."
This section provides a concise summary of the new features in this release of Oracle Directory Services Manager (ODSM), and covers the following topics:
ODSM enables you to create and configure suffixes to work with Oracle Enterprise User Security (EUS).
For more information, see Section 17.3.3, "Configuring Suffixes Using ODSM."
ODSM now provides a new user interface (UI) to configure root users.
For more information, see Section 19.2.2, "Configuring Root Users Using ODSM."
You can now configure key manager providers and trust manager providers using ODSM.
For more information, see Section 26.2.7, "Configuring Key Managers Using ODSM" and Section 26.3.5, "Configuring Trust Managers Using ODSM."
ODSM now implements an auto-suggest feature in different tabs that helps streamline configuration and operations.
For more information, see Section 18.16, "Managing Data Using ODSM."
OSDM now enables you to create dynamic groups whose membership is determined by search criteria using an LDAP URL.
For more information, see Section 19.3.2, "Defining Dynamic Groups."
ODSM enables you to create virtual static groups, where each entry behaves like a static group entry using virtual attributes.
For more information, see Section 19.3.4, "Defining Nested Groups."
The default view of the configuration tree in the Configuration tab has been simplified to provide a user-friendly view of the naming context (or suffix) configuration. In addition, presence of a contextual menu to launch all the relevant operations for a selected node simplifies user interaction.
For more information, see Section 17.3, "Managing the Server Configuration Using ODSM."