Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2015
E24814-01

About LDAP or ADSI Security Adapter Authentication

Siebel Business Applications include security adapters that are based on the LDAP and ADSI standards, allowing customers to use LDAP directory products or Microsoft Active Directory (AD) for user authentication. LDAP or ADSI security adapter authentication can offer the following benefits:

Security adapter authentication provides a user with access to the Siebel application for which the security adapter is configured. Different Siebel Business Applications can be configured to use different security adapters.

The process of implementing security adapter authentication is similar for both the LDAP and ADSI security adapters although there are some differences, for example:

For additional information about the LDAP and ADSI security adapters, see the following topics:

LDAP and ADSI Security Adapter Authentication Process

In an implementation using LDAP or ADSI authentication, the security adapter authenticates a user's credentials against the directory and retrieves database login credentials from the directory. The security adapter functions as the authentication service in this architecture. The steps in the LDAP or ADSI security adapter authentication process are:

  1. The user enters credentials to a Siebel Business Applications login form.

    These user credentials (a user name and password) can vary depending on the way you configure the security adapter. For example, the user name could be the Siebel user ID or an identifier such as an email address or telephone number. The user credentials are passed to the Siebel Web Server Extension (SWSE) and then to the Application Object Manager, which in turn passes them to the authentication manager.

  2. The authentication manager determines how to process the user credentials and calls the security adapter to validate the credentials against the directory.

    Note: The ADSI security adapter and the LDAP security adapter used with the Oracle LDAP Client allow special characters in passwords. Be aware, however, that only a limited number of special characters are supported for use in Siebel passwords. Passwords are also subject to the requirements and limitations imposed by the external directory service. For additional information, see "Characters Supported in Siebel Passwords".

  3. The security adapter returns the Siebel user ID and a database credential assigned to this user to the authentication manager. (If roles are used, they are also returned to the authentication manager.)

  4. The Application Object Manager (or other module that requested authentication services) uses the returned credentials to connect the user to the database and to identify the user.

Directory Servers Supported by Siebel Business Applications

This topic outlines the directory servers supported by the Siebel LDAP and ADSI security adapters.

Siebel Business Applications support the following directories:

  • LDAP directory servers. Siebel Business Applications support any directory server that meets both of the following requirements:

    • The LDAP directory server is compliant with the LDAP 3.0 standard

    • Password management is handled in either one of the following ways:

      • The directory server implements the IETF password policy draft (09) standard.

      • Password management functions, such as password expiry and other password-messaging features, are handled externally to the directory server.

  • Active Directory servers. Siebel Business Applications support any Active Directory server that is supported by Microsoft.

    Siebel support for Microsoft Active Directory requires the native connector shipped with the operating systems that are supported for Siebel Business Applications on Microsoft Windows servers. Support for Active Directory is limited to either:

    • Specific active directory connectors based on the operating systems supported by the release. The Active Directory connector used to connect with an Active Directory schema must be deemed compatible by Microsoft.

    • Use of only the LDAP version 3-compliant set of features supported by Active Directory. In this instance, Active Directory functions as an LDAP server.

Comparison of LDAP and ADSI Security Adapters

This topic outlines the differences in functionality provided by the LDAP and ADSI security adapters. The relative benefits of each type of security adapter are shown in Table 5-2, "Comparison of LDAP and ADSI Security Adapter Functionality".

The ADSI security adapter can authenticate against ADSI-compliant directories (Microsoft Active Directory), and can only be used with Microsoft Windows operating systems. If you want to authenticate against Microsoft Active Directory and you are using a non-Windows operating system such as Linux or HP-UX, then you must use the LDAP security adapter.

The LDAP security adapter can be used to authenticate against supported LDAP-compliant directories and is also supported for integration to Active Directory. It is recommended that you use the LDAP security adapter for authenticating against both Active Directory and LDAP-based external directories. The LDAP security adapter is standards-based, it supports the IETF password policy draft (09) standard for handling passwords, and it can be used on multiple computer platforms.

If you use the LDAP security adapter to authenticate users against Active Directory, and if you want to manage user passwords or create new users in the Active Directory, then you must configure TLS between the LDAP security adapter and the Active Directory. Implementing TLS in these circumstances is a requirement of Microsoft Windows and Active Directory.

Table 5-2 Comparison of LDAP and ADSI Security Adapter Functionality

Shared database account credentials can be stored as security adapter profile parameters, eliminating the necessity for a shared credentials user record in the external directory.

  • LDAP Security Adapter: Yes
  • LDAP Security Adapter with AD Directory: Yes
  • ADSI Security Adapter: Yes

Password expiration warning.

  • LDAP Security Adapter: Yes, provided the directory server implements the IETF password policy draft (09) standard
  • LDAP Security Adapter with AD Directory: Yes
  • ADSI Security Adapter: Yes

Administration of the directory through Siebel Business Applications (manage user passwords or create new users). For additional information, see "About Administering the Directory through Siebel Business Applications".

  • LDAP Security Adapter: Yes
  • LDAP Security Adapter with AD Directory: Yes, provided that TLS is enabled between the LDAP security adapter and the Active Directory server.
  • ADSI Security Adapter: Yes, provided that the Active Directory client can establish a secure connection to the Active Directory server. This can be achieved either by including all systems as part of a single Microsoft Windows domain forest, or by configuring TLS.

Communication with more than one directory server.

  • LDAP Security Adapter: See "Communicating with More Than One Authentication Server".
  • LDAP Security Adapter with AD Directory: See "Communicating with More Than One Authentication Server".
  • ADSI Security Adapter: See "Communicating with More Than One Authentication Server".

About Administering the Directory through Siebel Business Applications

If you choose to administer the LDAP or Active Directory directory through Siebel Business Applications, then be aware that in large implementations timeout issues can occur, particularly if using the ADSI security adapter. To prevent timeout issues:

  • Use the LDAP security adapter.

  • Do not set the Base DN to the root level of your directory server.

For help with overall design recommendations and performance improvement, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance.

Using the LDAP Security Adapter with Active Directory: Setting the Base DN

If you use the LDAP security adapter with Active Directory, then problems can occur if you set the base distinguished name (Base DN), which specifies the root directory under which users are stored, to the root level of the Active Directory.

When the LDAP security adapter searches the Active Directory, it searches everything under the Base DN. If the Base DN is set to the Active Directory root, then the LDAP security adapter searches all directory entities, including configuration and schema entities to which the application user does not have access. To prevent this situation from occurring, do not set the base DN to the Active Directory root directory; this recommendation also applies to implementations in which the ADSI security adapter performs the authentication function.

Communicating with More Than One Authentication Server

This topic describes the specific circumstances in which the LDAP and ADSI security adapters can connect to more than one directory server, either to authenticate users in more than one directory, or for failover purposes.

ADSI Security Adapter

The ADSI security adapter does not support authentication of users in different domains or forests. However, the ADSI security adapter can connect to multiple AD servers for authentication or failover purposes provided that the following conditions are met:

  • The Active Directory servers are all in the same domain

  • The Siebel Server is in the same domain as the Active Directory servers or, if the Siebel Server is in a different domain from the Active Directory servers, a trust relationship exists between the two domains

To enable the ADSI security adapter to connect to multiple AD servers, specify the NetBIOS name of the domain containing the Active Directory servers, instead of the name of a specific Active Directory server, for the Server Name parameter of the ADSI security adapter profile.

LDAP Security Adapter

The LDAP security adapter provided with Siebel Business Applications currently does not support communication with more than one directory server. However, the following options are available:

  • Failover functionality can be implemented to a limited degree for the LDAP security adapter. To implement failover functionality, specify the names of the primary and secondary servers for the Server Name parameter of the LDAP security adapter profile. For example:

    ServerName=ldap1 ldap2

    If communication cannot be established between the Siebel Application Object Manager and the primary LDAP server, then failover to the secondary LDAP server occurs. If the Application Object Manager can communicate with the primary server, but LDAP functionality on the server is not available, then failover to the secondary server does not occur.

  • Oracle provides products, for example, Oracle Virtual Directory, that enable LDAP security adapters to communicate with multiple LDAP-compliant directories and Active Directories. For additional information on Oracle Virtual Directory, go to

    http://www.oracle.com/technetwork/testcontent/index-093158.html
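The recommendations in this chapter (scope the Base DN below the directory root, require TLS when the LDAP security adapter administers Active Directory, treat LDAP failover as covering connection failures only, and use a domain NetBIOS name for multi-server ADSI) can be applied as a pre-deployment check over a security adapter profile. The following is an added example, not code from the Siebel guide or from Oracle: apart from ServerName, which the guide shows, the profile keys (adapter, directory, BaseDN, AdministerDirectory, TLS) are assumed names chosen for illustration.

```python
"""Pre-deployment check of a Siebel security adapter profile (added example).
Profile keys other than ServerName are assumed names, not documented parameters."""

import re

# A Base DN made only of DC= components names the domain root; a subtree search
# from there covers configuration and schema entities the application user
# cannot read. An empty Base DN is treated as the root as well.
_DC_ONLY = re.compile(r"^\s*DC=[^,]+(\s*,\s*DC=[^,]+)*\s*$", re.IGNORECASE)


def is_directory_root(base_dn: str) -> bool:
    """True when the Base DN is the directory root (DC= components only, or empty)."""
    return not base_dn.strip() or bool(_DC_ONLY.match(base_dn))


def check_profile(profile: dict) -> list:
    """Return the findings for one profile as a list of strings (empty = clean).

    Assumed keys: adapter ("LDAP"/"ADSI"), directory ("LDAP"/"AD"), ServerName,
    BaseDN, AdministerDirectory (bool), TLS (bool)."""
    findings = []
    adapter = profile.get("adapter")
    directory = profile.get("directory")
    servers = profile.get("ServerName", "").split()
    administers = bool(profile.get("AdministerDirectory"))

    # Applies to both adapters: never search from the directory root.
    if is_directory_root(profile.get("BaseDN", "")):
        findings.append("BaseDN is the directory root; scope it to the user container")

    # LDAP adapter against AD: password management / user creation needs TLS.
    if adapter == "LDAP" and directory == "AD" and administers and not profile.get("TLS"):
        findings.append("TLS is required to administer Active Directory via the LDAP adapter")

    # LDAP adapter: 'ldap1 ldap2' fails over on connection failure only, so a
    # reachable server whose LDAP service is down still causes an outage.
    if adapter == "LDAP" and len(servers) > 1:
        findings.append("LDAP failover covers connection failures only, not LDAP service faults")

    # ADSI adapter: multi-server use is configured with the domain NetBIOS name,
    # not a list of hosts, and directory administration risks timeouts at scale.
    if adapter == "ADSI" and len(servers) > 1:
        findings.append("ADSI: set ServerName to the domain NetBIOS name, not several hosts")
    if adapter == "ADSI" and administers:
        findings.append("ADSI directory administration can time out in large deployments")
    return findings
```

Run `check_profile` over each adapter profile before rollout; an empty list means none of the chapter's recommendations is violated.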