Siebel Security Guide > Security Adapter Authentication > About LDAP or ADSI Security Adapter Authentication >

Comparison of LDAP and ADSI Security Adapters

This topic outlines the differences in functionality provided by the LDAP and ADSI security adapters. The relative benefits of each type of security adapter are shown in Table 10.

The ADSI security adapter can authenticate against ADSI-compliant directories (Microsoft Active Directory). The ADSI security adapter can only be used with Microsoft Windows operating systems. If you want to authenticate against Microsoft Active Directory and you are using a non-Windows operating system such as Linux or HP-UX, you must use the LDAP security adapter.

The LDAP security adapter can be used to authenticate against supported LDAP-compliant directories and is also supported for integration to Active Directory. It is recommended that you use the LDAP security adapter for authenticating against both Active Directory and LDAP-based external directories. The LDAP security adapter is standards-based, it supports the IETF password policy draft (09) standard for handling passwords, and it can be used on multiple computer platforms.

If you use the LDAP security adapter to authenticate users against Active Directory, and if you want to manage user passwords or create new users in the Active Directory, then you must configure SSL between the LDAP security adapter and the Active Directory. Implementing SSL in these circumstances is a requirement of Microsoft Windows and Active Directory.

NOTE:  SSL encryption is supported with the LDAP security adapter. TLS encryption is supported with the ADSI security adapter. The SSL encryption standard is not secure. It is recommended that you implement additional methods of securing connections between the LDAP security adapter and directory servers.

About Administering the Directory through Siebel Business Applications

If you choose to administer the LDAP or Active Directory directory through Siebel Business Applications, then be aware that in large implementations timeout issues can occur, particularly if using the ADSI security adapter. To prevent timeout issues:

• Use the LDAP security adapter.
• Do not set the Base DN to the root level of your directory server.

For help with overall design recommendations and performance improvement, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance.

Using the LDAP Security Adapter with Active Directory: Setting the Base DN

If you use the LDAP security adapter with Active Directory, then problems can occur if you set the base distinguished name (Base DN), which specifies the root directory under which users are stored, to the root level of the Active Directory.

When the LDAP security adapter searches the Active Directory, it searches everything under the Base DN. If the Base DN is set to the Active Directory root, then the LDAP security adapter searches all directory entities, including configuration and schema entities to which the application user does not have access. To prevent this situation from occurring, do not set the base DN to the Active Directory root directory; this recommendation also applies to implementations in which the ADSI security adapter performs the authentication function.

Communicating with More Than One Authentication Server

This topic describes the specific circumstances in which the LDAP and ADSI security adapters can connect to more than one directory server, either to authenticate users in more than one directory, or for failover purposes.

ADSI Security Adapter

The ADSI security adapter does not support authentication of users in different domains or forests. However, the ADSI security adapter can connect to multiple AD servers for authentication or failover purposes provided that the following conditions are met:

• The Active Directory servers are all in the same domain
• The Siebel Server is in the same domain as the Active Directory servers or, if the Siebel Server is in a different domain to the Active Directory servers, a trust relationship exists between the two domains

To enable the ADSI security adapter to connect to multiple AD servers, specify the NetBIOS name of the domain containing the Active Directory servers, instead of the name of a specific Active Directory server, for the Server Name parameter of the ADSI security adapter profile.

LDAP Security Adapter

The LDAP security adapter provided with Siebel Business Applications currently does not support communication with more than one directory server. However, the following options are available:

• Failover functionality can be implemented to a limited degree for the LDAP security adapter. To implement failover functionality, specify the names of the primary and secondary servers for the Server Name parameter of the LDAP security adapter profile. For example:

  ServerName=ldap1 ldap2

  If communication cannot be established between the Siebel Application Object Manager and the primary LDAP server, then failover to the secondary LDAP server occurs. If the Application Object Manager can communicate with the primary server, but LDAP functionality on the server is not available, then failover to the secondary server does not occur.

• Oracle provides products, for example, Oracle Virtual Directory, that enable LDAP security adapters to communicate with multiple LDAP-compliant directories and Active Directories. For additional information on Oracle Virtual Directory, go to

  http://www.oracle.com/technetwork/testcontent/index-093158.html