3 Understanding the Concepts and Architecture of Oracle Internet Directory
This section contains the following topics:
-
Understanding How Oracle Internet Directory Processes a Search Request
-
Understanding Directory Entries in Oracle Internet Directory
-
Understanding the Concept of Attributes in Oracle Internet Directory
-
Understanding the Role of Identity Management in Oracle Internet Directory
-
Understanding the Concept of Resource Information
See Also:
Related Documents for suggestions on further reading about LDAP-compliant directories
3.1 Understanding the Architecture of Oracle Internet Directory
Understand about the contextual description of the various components in Oracle Internet Directory.
This section contains the following topics:
3.1.1 Oracle Internet Directory Node
An Oracle Internet Directory node consists of one or more directory server instances connected to the same directory store. The directory store—the repository of the directory data—is an Oracle Database.
Note:
All Oracle Internet Directory instances in the same domain connect to the same Oracle Database.
Figure 3-1 shows the various directory server elements and their relationships running on a single node.
Oracle Net Services is used for all connections between the Oracle database server and:
-
The Oracle directory server non-SSL port (3060 by default)
-
The Oracle directory server SSL-enabled port (3131 by default)
-
The OID Monitor
LDAP is used for connections between directory server and:
-
Oracle Directory Services Manager
-
Oracle directory replication server
The Oracle directory server instance and the Oracle directory replication server connect to OID Monitor by way of the operating system.
Note:
Beginning with Oracle Internet Directory 11g Release 1 (11.1.1.7.0), you can specify that Oracle Internet Directory server call OCIPing() to send keep alive messages to its Oracle Database. The frequency of these messages is determined by the new orclMaxTcpIdleConnTime
attribute.
Setting this attribute to a value less than the timeout value of the firewall between Oracle Internet Directory server and the Oracle Database prevents the Database connection from being dropped.
For more information, see Attributes of the DSA Configuration Entry.
Figure 3-1 A Typical Oracle Internet Directory Node
As shown in Figure 3-1, an Oracle Internet Directory node includes the following major elements:
Table 3-1 An Oracle Internet Directory Node
Element | Description |
---|---|
Oracle directory server instance |
Also called either an LDAP server instance or a directory server instance, it services directory requests through a single Oracle Internet Directory dispatcher process listening at specific TCP/IP ports. There can be more than one directory server instance on a node, listening on different ports. |
Oracle directory replication server |
Also called a replication server, it tracks and sends changes to replication servers in another Oracle Internet Directory system. There can be only one replication server on a node. You can choose whether to configure the replication server. |
Oracle Database Server |
Stores the directory data. The database can reside on the same node as the directory server instances. Note: To meet the need of Oracle Internet Directory's potentially large data volume as customer data size grows and to achieve continuous optimized database query performance, Oracle strongly recommends that you dedicate a database for exclusive use by the directory. |
OID Monitor (OIDMON) |
Initiates, monitors, and terminates the LDAP server and replication server processes. When you invoke process management commands, such as OIDMON also monitors servers and restarts them if they have stopped running for abnormal reasons. OIDMON starts a default instance of OIDLDAPD. If the default instance of OIDLDAPD is stopped using the OIDCTL command, then OIDMON stops the instance. However, when OIDMON is started by All OID Monitor activity is logged in the file OID Monitor checks the state of the servers through mechanisms provided by the operating system. |
OID Control Utility (OIDCTL) |
Communicates with OID Monitor by placing message data in Oracle Internet Directory server tables. This message data includes configuration parameters required to run each Oracle directory server instance. Normally used from the command line only to stop and start the replication server. OIDCTL is also used for checking the status of Oracle Internet Directory. |
The Oracle directory replication server uses LDAP to communicate with an Oracle directory (LDAP) server instance. To communicate with the database, all components use OCI/Oracle Net Services. Oracle Directory Services Manager and the command-line tools communicate with the Oracle directory servers over LDAP.
3.1.2 Oracle Directory Server Instance
You can understand about Oracle Directory Server Instance architecture from the illustration and the description provided in this topic.
Figure 3-2 illustrates an Oracle directory server instance, also called an LDAP server instance.
Figure 3-2 Oracle Directory Server Instance Architecture
Description of "Figure 3-2 Oracle Directory Server Instance Architecture"
One instance comprises one dispatcher process and one or more server processes. The Oracle Internet Directory dispatcher and server processes can use multiple threads to distribute the load. LDAP clients send LDAP requests to an Oracle Internet Directory listener/dispatcher process listening for LDAP commands at its port.
Oracle Internet Directory listener/dispatcher starts a configured number server process at startup time. The number of server processes is controlled by the orclserverprocs
attribute in the instance-specific configuration entry. The default value for orclserverprocs
is 1. Multiple server processes enable Oracle Internet Directory to take advantage of multiple processor systems.
The Oracle Internet Directory dispatcher process sends the LDAP connections to the Oracle Internet Directory server process in a round robin fashion. The maximum number of LDAP connections accepted by each server is 1024 by default. This number can be increased by changing the attribute orclmaxldapconns
in the instance-specific configuration entry, which has a DN of the form:
cn=componentname,cn=osdldapd,cn=subconfigsubentry
3.1.3 Oracle Internet Directory Ports
An Oracle Internet Directory component can be created by Oracle Identity Management 11g Installer or by a command-line tool. The program that creates Oracle Internet Directory follows specific steps in assigning the SSL and non-SSL port.
First, it attempts to use 3060 as the non-SSL port. If that port is unavailable, it tries ports in the range 3061 to 3070, then 13060 to 13070.
Similarly, the program that creates Oracle Internet Directory attempts to use 3131 as its SSL port, then ports in the range 3132 to 3141, then 13131 to 13141.
3.1.4 Directory Metadata
Directory metadata is the information used by the directory server during run time for processing LDAP requests. It is stored in the underlying data repository. During startup, the directory server reads this information and stores it in a local metadata cache. It then uses this cache during its run time to process incoming LDAP operation requests.
Note:
The metadata cache is a write-through cache. An LDAP operation first writes to the database and then invalidates the corresponding cache entry. A subsequent search of that entry causes the cache to be refreshed.
The directory server has the following types of metadata in its local metadata cache:
-
Directory Schema
The definitions of object classes, attributes, and matching rules supported by the directory server. The directory server uses this information during creation and modification of directory objects. A directory object is a collection of object classes and their associated attributes and matching rules. See Managing Directory Schema.
-
Access control policy point (ACP)
A directory administrative domain for defining and controlling access to the information in that domain. The directory server uses ACPs when determining whether to allow a certain LDAP operation performed by a user. See Managing Directory Access Control.
-
Root DSE entry
The root DSE (Directory Service Agent-Specific Entry) contains several attributes that store information about the directory server itself. For example, these attributes contain the following information items, to mention just a few:
-
Naming contexts DNs
-
Sub Schema Subentry DN
-
Superior references (referrals) DNs
-
Special entry DNs like Oracle Internet Directory configuration and registry containers
-
Special Entry DNs like change log and change status containers
-
DN of replications agreement container
See "Attributes of the DSE".
-
-
Privilege groups
Groups that can be used in access control policies.
The directory schema supports directory group objects through the standard
groupofuniquenames
andgroupofnames
object classes. These object classes hold information for such groups as distribution lists and mailing lists to mention just two.Oracle Internet Directory extends these standard group objects through an auxiliary object class called
orclprivilegegroup
. This object class, which supports privilege groups that can be used in access control policies, provides flexibility to grant or deny access to groups of users. The directory server uses this information during:-
LDAP bind operations to find out the subscribed privileged groups for a given user
-
Access control policy evaluation if the policy has directives that grant or deny access to privileged groups
-
-
Catalog entry
A special entry containing information about indexed attributes in the underlying database. The directory uses this information during directory search operations. See "Index option in Oracle Internet Directory to Search Attributes".
-
Common entry
A special entry containing information about hosted companies. A hosted company is an enterprise to which another enterprise provides services. The metadata in this entry includes the hosted company DN, user search base, nickname and other attributes, all of which are described in Planning, Deploying and Managing Realms.
-
Plug-in entry
A special entry containing information about the kind of operation that triggers a plug-in event, and the point in the operation when that plug-in is to be triggered. Developing Plug-ins for the Oracle Internet Directory Server, describes this information.
-
Password verifier entry
A special entry containing information about the encryption and verifier attribute types. Managing Password Verifiers, describes this information.
-
Password policy entry
One or more special entries containing information about policies enforced by the directory server for the user password credentials. The directory server uses this information during run time to enforce the password policies. See Managing Password Policies.
3.2 Understanding How Oracle Internet Directory Processes a Search Request
Understand about how Oracle Internet Directory processes a standard and persistent LDAP search operations.
The following topics provide a contextual description of the various LDAP search operations in Oracle Internet Directory:
3.2.1 Standard LDAP Search Operations
Follow the procedure to process standard LDAP search request.
This example shows you how Oracle Internet Directory processes a search request.
-
The user or client enters a search request that is conditioned by one or more of the following options:
-
SSL: The client and server can establish a session that uses SSL encryption and authentication, or SSL encryption only. If SSL is not used, the client's message is sent in clear text.
-
Type of user: The user can seek access to the directory either as a particular user or as an anonymous user, depending on which of the two has the necessary privileges to perform the desired function.
-
Filters: The user can narrow the search by using one or more search filters, including those that use the Boolean conditions "and," "or," and "not," and those that use other operators such as "greater than, "equal to," and "less than."
-
-
The C API, using the LDAP protocol, sends a request to a directory server instance to connect to the directory.
-
The directory server authenticates the user, a process called binding. The directory server also checks the Access Control Lists (ACLs) to verify that the user is authorized to perform the requested search.
-
The directory server converts the search request from LDAP to Oracle Call Interface (OCI)/Oracle Net Services and sends it to the Oracle Database.
-
The Oracle Database retrieves the information and passes it back through the chain—to the directory server, then to the C API, and, finally, to the client.
Note:
The maximum number of attributes you can specify in a search filter is 255.
3.2.2 Persistent LDAP Search Operations
A persistent search continues after the initial search results are returned by the Oracle Internet Directory server to the LDAP client. After the initial search is finished, the connection to the server is kept alive until the client unbinds or abandons the operation. A persistent search operation allows a client to receive notifications if an entry in the search scope is modified. If an entry is modified, the server sends a new copy of the entry to the LDAP client along and, if requested, an Entry Change Notification control that describes the change.
Beginning with Release 11g Release 1 (11.1.1.9.0), Oracle Internet Directory supports persistent search operations.
A persistent search operation uses the following controls:
-
Persistent Search control - The LDAP client sends this control to the Oracle Internet Directory server with the persistent search request including specific options for returning the search results.
-
Entry Change Notification control - If requested by the client, the server returns this control to the client for each changed entry that matches the search criteria in the search request.
Persistent searches are not be supported on special entries such as configuration entries, referrals, and entry aliases.
Persistent searches need to keep connections from the LDAP client to the server alive. Therefore, if a large number of persistent searches are issued, the LDAP connection limit might be reached and new connections could not be established. To prevent this situation from occurring, the orclmaxpsearchconns
instance-specific attribute determines the maximum number of connections allowed for an LDAP persistent search operation.
An LDAP persistent search operation for Oracle Internet Directory follows this sequence:
-
The LDAP client authenticates to the Oracle Internet Directory server.
-
The client issues a persistent search request with an attached Persistent Search control. This control specifies the following information:
-
changesOnly
- If this field is FALSE, the server returns the initial set of results that match the search criteria. Or, if the field is TRUE, the server does not return these entries. -
changeTypes
- This field specifies the type of changes the client wants to track. If subsequent changes are made to entries that match the search criteria, the server returns these changed entries to the client.The
changeTypes
field is a logical OR of one or more of these values:-
add: 1
-
delete: 2
-
modify: 4
-
moddn: 8
-
-
returnECs
- If this field is TRUE, the server also returns an Entry Change Notification control along with each changed entry.
-
-
The OID server processes the persistent search request using the options described in the previous step.
The server does not return the
SearchResultDone
message to the client, because the connection must be kept alive until the client unbinds or abandons the operation. -
If the server returns search results, the client processes these results as required.
-
The LDAP client ends the Persistent Search operation by sending an unbind or abandon request.
See Also:
-
For information about the
orclmaxpsearchconns
attribute, see Table 9-1. -
For information about the Persistent Search and Entry Change Notification controls, see Extensions to the LDAP Protocol in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management.
-
Internet Engineering Task Force (IETF) document - Persistent Search: A Simple LDAP Change Notification Mechanism:
3.3 Understanding Directory Entries in Oracle Internet Directory
In an online directory, each collection of information about an object is called an entry. An entry can include, for example, information about an employee, a conference room, an e-commerce partner, or a shared network resource such as a printer.
This section contains the following topics:
3.3.1 Distinguished Names and Directory Information Trees
Each entry in an online directory is uniquely identified by a distinguished name (DN). The distinguished name tells you exactly where the entry resides in the directory hierarchy. This hierarchy is represented by a directory information tree (DIT).
To understand the relation between a distinguished name and a directory information tree, look at Figure 3-3.
The DIT in Figure 3-3 includes entries for two employees of Acme Corporation who are both named Anne Smith. It is structured along geographical and organizational lines. The Anne Smith contained in the left branch works in the Sales division in the United States, while the other works in the Server Development division in the United Kingdom.
The Anne Smith contained in the right branch has the common name (cn
) Anne Smith. She works in an organizational unit (ou
) named Server Development, in the country (c
) of United Kingdom of Great Britain and Northern Ireland (uk
), in the organization (o
) Acme.
The DN for this "Anne Smith" entry is:
cn=Anne Smith,ou=Server Development,c=uk,o=acme
Note that the conventional format of a distinguished name places the lowest DIT component at the left, then follows it with the next highest component, moving progressively up to the root.
Within a distinguished name, the lowest component is called the relative distinguished name (RDN). For example, in the previous entry for Anne Smith, the RDN is cn=Anne Smith
. Similarly, the RDN for the entry immediately above Anne Smith's RDN is ou=Server Development
, the RDN for the entry immediately above ou=Server Development
is c=uk
, and so on. A DN is thus a concatenation of RDNs that reflects parent-child relationships in the DIT. Within the DN, RDNs are separated by commas.
To locate a particular entry within the overall DIT, a client uniquely identifies that entry by using the full DN—not simply the RDN—of that entry. For example, within the global organization in Figure 3-3, to avoid confusion between the two Anne Smiths, you would use each one's full DN. If there are potentially two employees with the same name in the same organizational unit, you could use additional mechanisms—for example, you could identify each employee with a unique number.
3.3.2 Entry Caching
To make operations on entries quick and efficient, Oracle Internet Directory uses entry caching. When you enable this feature, Oracle Internet Directory assigns a unique identifier to each entry, then stores a specified number of those identifiers in cache memory. When a user performs an operation on an entry, the directory server looks in the cache for the entry identifier, then retrieves the corresponding entry from the directory.
Note:
-
Beginning with Release 11g Release 1 (11.1.1.6.0), the entry cache resides in shared memory, so multiple Oracle Internet Directory server instances on the same host can share the same cache. Attributes for configuring the cache now reside in the DSA configuration entry.
-
The entry cache is a write-through cache. An LDAP operation first writes to the database and then invalidates the corresponding cache entry. A subsequent search of that entry causes the cache to be refreshed.
See Also:
-
See Server Entry Cache in Tuning Performance.
3.4 Understanding the Concept of Attributes in Oracle Internet Directory
Understand about the conceptual description of attributes in online directory and their syntaxes, rules and options.
This section contains the following topics:
3.4.1 Attributes in Online Directory
In a typical telephone directory, an entry for a person contains such information items as an address and a phone number. In an online directory, such an information item is called an attribute. Attributes in a typical employee entry can include, for example, a job title, an e-mail address, or a phone number.
For example, in Figure 3-4, the entry for Anne Smith in Great Britain (uk) has several attributes, each providing specific information about her. These are listed in the balloon to the right of the tree, and they include emailaddrs
, printername
, jpegPhoto
, and app preferences
. Moreover, each bullet in Figure 3-4 is also an entry with attributes, although the attributes for each are not shown.
Figure 3-4 Attributes of the Entry for Anne Smith
Description of "Figure 3-4 Attributes of the Entry for Anne Smith"
Each attribute consists of an attribute type and one or more attribute values. The attribute type is the kind of information that the attribute contains—for example, jobTitle
. The attribute value is the particular occurrence of information appearing in that entry. For example, the value for the jobTitle
attribute could be manager
.
3.4.2 Application and System Configuration Attributes
Understand about the application and system configuration attributes.
Attributes contain two kinds of information.
-
Application Attributes
This information is maintained and retrieved by directory clients and is unimportant to the operation of the directory. A telephone number, for example, is application information.
-
System Configuration Attributes
This information pertains to the operation of the directory itself. Some operational information is specified by the directory to control the server—for example, the time stamp for the creation or modification of an entry, or the name of the user who creates or modifies an entry. Other operational information, such as access information, is defined by administrators and is used by the directory program in its processing.
See Also:
Managing System Configuration Attributes for more information about system configuration attributes.
3.4.3 Attributes Created with Each New Entry
To enhance your ability to search for entries, Oracle Internet Directory automatically creates several system configuration attributes when you add an entry to the directory.
These include:
Table 3-2 Attributes Created with Each New Entry
Attribute | Description |
---|---|
|
Name of the person creating the entry |
|
Time of entry creation in UTC (Coordinated Universal Time) |
|
Name of person modifying the entry |
|
Time of last entry modification in UTC |
Moreover, when a user modifies an entry, Oracle Internet Directory automatically updates the modifiersName
and modifyTimestamp
attributes to, respectively, the name of the person modifying the entry, and the time of the entry modification in UTC.
See Also:
Managing System Configuration Attributes for instructions on configuring system configuration attributes.
3.4.4 Single-Valued and Multivalued Attributes
Attributes can be either single-valued or multivalued. Single-valued attributes carry only one value in the attribute, whereas multivalued attributes can have several. An example of a multivalued attribute is a group membership list with names of everyone in the group.
3.4.5 Common LDAP Attributes
Oracle Internet Directory implements all of the standard LDAP attributes. Some of the more common ones are defined by RFC 2798 of the Internet Engineering Task Force (IETF).
See Table 3-3.
Table 3-3 Common LDAP Attributes
Attribute Type | Attribute String | Description |
---|---|---|
commonName |
|
Common name of an entry—for example, |
domainComponent |
|
The DN of the component in a Domain Name System (DNS)—for example, |
jpegPhoto |
|
Photographic image in JPEG format. This is stored in binary format. |
organization |
|
Name of an organization—for example, |
organizationalUnitName |
|
Name of a unit within an organization—for example, |
owner |
|
Distinguished name of the person who owns the entry, for example, |
surname, sn |
|
Last name of a person—for example, |
telephoneNumber |
|
Telephone number—for example, |
See Also:
Oracle Identity Management LDAP Attribute Reference in Reference for Oracle Identity Management for a list of several attributes Oracle Internet Directory provides.
3.4.6 Attribute Syntax
Attribute syntax is the format of the data that can be loaded into each attribute. For example, the syntax of the telephoneNumber
attribute might require a telephone number to be a string of numbers containing spaces and hyphens. However, the syntax for another attribute might require specifying whether the data has to be in the form of a date, or whether the data can consist of numbers only. Each attribute must have one and only one syntax.
Oracle Internet Directory recognizes most of the syntaxes specified in RFC 2252 of the Internet Engineering Task Force (IETF), allowing you to associate most of the syntaxes described in that document with an attribute. In addition to recognizing the syntaxes in RFC 2252, Oracle Internet Directory also enforces some LDAP syntaxes. You cannot add new syntaxes beyond those already supported by Oracle Internet Directory.
See Also:
About LDAP Attribute Syntax in Reference for Oracle Identity Management.
3.4.7 Attribute Matching Rules
In response to most incoming client requests, the directory server performs search and compare operations. During these operations, the directory server consults the relevant matching rule to determine equality between the attribute value sought and the attribute value stored.
For example, matching rules associated with the telephoneNumber
attribute could cause "(650) 123-4567" to be matched with either "(650) 123-4567" or "6501234567" or both. When you create an attribute, you associate a matching rule with it.
Oracle Internet Directory implements all the standard LDAP matching rules. You cannot add new matching rules beyond those already supported by Oracle Internet Directory.
See Also:
-
Managing Directory Schema for information on viewing matching rules.
-
About LDAP Matching Rules in Reference for Oracle Identity Management.
3.4.8 Attribute Options
An attribute type can have various options that enable you to specify how the value for that attribute is made available in a search or a compare operation.
For example, suppose that an employee has two addresses, one in London, the other in New York. Options for that employee's address
attribute could allow you to store both addresses.
Moreover, attribute options can include language codes. For example, options for John Doe's givenName
attribute could enable you to store his given name in both French and Japanese.
For clarity, we can distinguish between an attribute with an option and its base attribute, which is the same attribute without an option. For example, in the case of givenName;lang-fr=Jean
, the base attribute is givenName
; the French value for that base attribute is givenName;lang-fr=Jean
.
An attribute with one or more options inherits the properties—for example, matching rules and syntax— of its base attribute. To continue the previous example, the attribute with the option cn;lang-fr=Jean
inherits the properties of cn
.
Note:
You cannot use an attribute option within a DN. For example, the following DN is incorrect: cn;lang-fr=Jean, ou=sales,o=acme,c=uk
.
3.5 Understanding Object Classes in Oracle Internet Directory
An object class is a group of attributes that define the structure of an entry. When you define a directory entry, you assign one or more object classes to it. Some of the attributes in these object classes are mandatory and must have values, others are optional and can be empty.
For example, the organizationalPerson
object class includes the mandatory attributes commonName
(cn
) and surname
(sn
), and the optional attributes telephoneNumber
, uid
, streetAddress
, and userPassword
. When you define an entry by using the organizationalPerson
object class, you must specify values for commonName
(cn
) and surname
(sn
). You do not need to provide values for telephoneNumber
, uid
, streetAddress
, and userPassword
.
This section contains the following topics:
3.5.1 Subclasses, Superclasses, and Inheritance
A subclass is an object class derived from another object class. The object class from which a subclass is derived is called its superclass.
For example, the object class organizationalPerson
is a subclass of the object class person
. Conversely, the object class person
is the superclass of the object class organizationalPerson
.
Subclasses inherit all of the attributes belonging to their superclasses. For example, the subclass organizationalPerson
inherits the attributes of its superclass, person
. Entries also inherit attributes that their superclasses have inherited.
Note:
In itself, an object class contains no values. Only an instance of an object class—that is, an entry—contains values. When a subclass inherits attributes from a superclass, it inherits only the attribute definitions of the superclass.
One special object class, called top
, has no superclasses. It is one of the superclasses of every object class in the directory, and its attribute definitions are inherited by every entry.
3.5.2 Understanding the Types of Object Class
Understand about the various types of object classes available.
This section contains the following topics:
3.5.2.1 Structural Object Classes
Structural object classes describe the basic aspects of an object. Most of the object classes that you use are structural object classes, and every entry should belong to at least one structural object class. Examples of structural object classes are person
and groupOfNames
.
These object classes model real-world entities and their physical or logical attributes. Examples include people, printers, and database connections.
Structural object classes use structure rules to place restrictions on the kinds of objects you can create under any given object class. For example, a structure rule might require all objects below the organization
(o
) object class to be organizational units
(ou
). Following this rule, you could not enter person
objects directly below an organization
object class. Similarly, a structure rule might disallow you from placing an organizational unit (ou
) object below a person
object.
3.5.2.2 Auxiliary Object Classes
Auxiliary object classes are groupings of optional attributes that expand the existing list of attributes in an entry. Unlike structural object classes, they do not place restrictions on where an entry may be stored, and you can attach them to any entry regardless of that entry's location in the DIT.
Note:
Oracle Internet Directory does not enforce structure rules. It therefore handles both structural and auxiliary object classes in the same way.
3.5.2.3 Abstract Object Classes
An abstract object class is a virtual object class. It is used only for convenience when specifying the highest levels of the object class hierarchy. It cannot be the only object class for an entry. For example, the object class top
is an abstract object class. It is required as a superclass for all structural object classes, but it cannot be used alone.
The top
object class includes the mandatory attribute objectClass
and several optional attributes. The optional attributes in top
are:
-
orclGuid
: Global identification which remains constant if the entry is moved -
creatorsName
: Name of the creator of the object class -
createTimestamp
: Time when the object class was created -
modifiersName
: Name of the last person to modify the object class -
modifyTimestamp
: Time when the object class was last modified -
orclACI
: access control list (ACL) directives that apply to all entries in the subtree below the access control policy point (ACP) where this attribute is defined -
orclEntryLevelACI
: Access control policy pertaining to only a specific entity, for example, a special userSee Also:
-
Globalization Support for more information on access control policies and ACLs
-
Understanding Attributes for a discussion of how to add additional content to entries
-
3.6 Directory Naming Contexts
A directory naming context is a subtree that resides entirely on one server. It must be a complete subtree, that is, it must begin at an entry that serves as the top of the subtree, and extend downward to either leaf entries or references to subordinate naming contexts. It can range in size from a single entry to the entire directory information tree (DIT).
Figure 3-5 illustrates correct and incorrect naming contexts. Notice that the correct ones on the left are contiguous, and the incorrect ones on the right are not.
Figure 3-5 Correct and Incorrect Naming Contexts
Description of "Figure 3-5 Correct and Incorrect Naming Contexts"
To enable users to discover specific naming contexts, you can publish those naming contexts in Oracle Internet Directory by using ldapmodify.
See Also:
Managing Naming Contexts in Oracle Internet Directory for instructions on how to publish a naming context
3.7 Security Features in Oracle Internet Directory
Oracle Internet Directory is a key element of Oracle Identity Management. You can deploy multiple Oracle components to work against a shared instance of Oracle Internet Directory. This sharing allows an enterprise to simplify security management across all applications.
In addition to the role it plays in the Oracle Identity Management infrastructure, Oracle Internet Directory provides many powerful features for protecting information.
Security features within Oracle Internet Directory itself include:
-
The Secure Sockets layer: Ensuring that data is not modified, deleted, or replayed during transmission
-
Data privacy: Ensuring that data is not inappropriately observed while it is stored in Oracle Internet Directory
-
Password policies: Establishing and enforcing rules for how passwords are defined and used
-
Authorization: Ensuring that a user reads or updates only the information for which that user has privileges
-
Password protection: Ensuring that passwords are not easily discovered by others
-
Authentication: Ensuring that the identities of users, hosts, and clients are correctly validated
You can use all these features to enforce a uniform security policy for multiple applications enabled for Oracle Internet Directory, and do so in either an enterprise or hosted environment. You do this by deploying the directory for administrative delegation. This deployment allows, for example, a global administrator to delegate to department administrators access to the metadata of applications in their departments. These department administrators can then control access to their department applications.
You can also use security features of the underlying Oracle Database, such as Transparent Data Encryption and Database Vault, to protect Oracle Internet Directory data.
See Also:
3.8 Globalization Support
Oracle Internet Directory follows LDAP Version 3 internationalization (I18N) standards. These standards require that the database storing directory data use Unicode Transformation Format 8-bit (UTF-8) character set. With Oracle9i, Oracle added a new UTF-8 character set called AL32UTF8. This database character set supports the latest version of Unicode (3.2), including the latest supplementary characters. This allows Oracle Internet Directory to store the character data of almost any language supported by Oracle Globalization Support. Moreover, although several different application program interfaces are involved in the Oracle Internet Directory implementation, Oracle Internet Directory ensures that the correct character encoding is used with each API.
Globalization Support means support for both single-byte and multibyte characters. A single-byte character is represented by one byte of memory. ASCII text, for example, uses single-byte characters. By contrast, a multibyte character can be represented by more than one byte. Simplified Chinese, for example, uses multibyte characters. An ASCII representation of a simplified Chinese directory entry definition might look like this:
dn: o=\274\327\271\307\316\304,c=\303\300\271\372 objectclass: top objectclass: organization o: \274\327\271\307\316\304
Where the attribute values correspond to an ASCII representation of a simplified Chinese directory entry definition.
By default, the main Oracle Internet Directory components—OID Monitor (OIDMON), OID Control Utility (OIDCTL), Oracle directory server (OIDLDAPD), and Oracle directory replication server (OIDREPLD)—accept only the UTF-8 character set. The Oracle character set name is AL32UTF8.
The Oracle directory server and database tools are no longer restricted to run on a UTF8 database. However, you must ensure that all characters in the client character set are included in the database character set (with same or different character codes) if the database underlying the Oracle Internet Directory server is not AL32UTF8 or UTF8. Otherwise, there may be data loss during LDAP add, delete, modify, or modifydn operations if the client data cannot be mapped to the database character set.
Oracle Directory Services Manager uses Unicode (UTF-16—that is, fixed-width 16-bit Unicode). It can support internationalized character sets.
See Also:
-
Overview of Globalization Support in Oracle Database Globalization Support Guide for a detailed discussion of Globalization Support.
3.9 Understanding Distributed Directories
Although an online directory is logically centralized, it can be physically distributed onto several servers. This distribution reduces the work a single server would otherwise have to do, and enables the directory to accommodate a larger number of entries. A distributed directory can be either replicated or partitioned. When information is replicated, the same naming contexts are stored by more than one server. When information is partitioned, one or more unique, non-overlapping naming contexts are stored on each directory server. In a distributed directory, some information may be partitioned and some may be replicated.
This section contains the following topics:
3.9.1 Directory Replication
Replication is the process of copying and maintaining the same naming contexts on multiple directory servers.
See Understanding Oracle Internet Directory Replication for a discussion of replication concepts.
3.9.2 Directory Partitioning
Partitioning, in which each directory server stores one or more unique, non-overlapping naming contexts, is another way of distributing directory information.
Figure 3-6 shows a partitioned directory in which some naming contexts reside on different servers.
In Figure 3-6, four naming contexts reside on Server A:
-
dc=acme,dc=com
-
c=us,dc=acme,dc=com
-
c=uk,dc=acme,dc=com
-
c=au,dc=acme,dc=com
Two naming contexts on Server A are replicated on Server B:
-
dc=acme,dc=com
-
c=au,dc=acme,dc=com
The directory uses one or more knowledge references to locate information that is requested of Server B, but that resides on Server A. It passes this information to a client in the form of a referral.
3.10 Knowledge References and Referrals
A knowledge reference provides the names and addresses of the various naming contexts held in another partition.
For example, in Figure 3-6, Server B uses knowledge references to point to the c=us
and c=uk
naming contexts on Server A. When Server B is asked for information residing on Server A, it sends back one or more referrals to Server A. Clients can then use these referrals to contact Server A.
Typically, each directory server contains both superior and subordinate knowledge references. Superior knowledge references point upward in the DIT toward the root. They tie the partitioned naming context to its parent. Subordinate knowledge references point downward in the DIT to other partitions.
For example, in Figure 3-7, Server B holds four naming contexts, two of which are superior to the others. These two superior naming contexts use subordinate knowledge references to point to their subordinate naming contexts. Conversely, the naming context on Server A has an immediate superior residing on Server B. Server A therefore uses a superior knowledge reference to point to its parent on Server B.
Figure 3-7 Using Knowledge References to Point to Naming Contexts
Naming contexts that start at the top of the DIT obviously cannot have a knowledge reference to a superior naming context.
Note:
-
There are presently no Internet standards for enforcing the validity of knowledge references, and Oracle Internet Directory does not do so. It is up to the administrator to ensure consistency among knowledge references within an enterprise network.
-
Oracle recommends that permission for managing knowledge reference entries be restricted, as is the case with any other privileged administrative function such as schema or access control.
There are two kinds of referrals:
-
Smart referrals
These are returned to the client when the knowledge reference entry is in the scope of the search. It points the client to the server that stores the requested information.
For example, suppose that:
-
Server A holds the naming context,
ou=server development,c=us,o=acme
, and has a knowledge reference to Server B. -
Server B holds the naming context
ou=sales,c=us,o=acme
.
When a client sends a request to Server A for information in
ou=sales,c=us,o=acme
, Server A provides the user with a referral to Server B. -
-
Default referrals
These are returned when the base object is not in the directory, and the operation is performed in a naming context on another server. A default referral typically sends the client to a server that has more detailed information about the directory partitioning arrangement.
For example, suppose that Server A holds:
-
The naming context
c=us,o=acme
-
A knowledge reference to Server PQR that has more knowledge about the overall directory partitioning arrangement
Now suppose that a client requests information on
c=uk,o=acme
. When Server A finds that it does not have thec=uk,o=acme
naming context, it provides the client with a referral to Server PQR. From there, the client can find the server holding the requested naming context.See Also:
-
3.11 Service Registry and Service to Service Authentication
The Service Registry and the Service to Service Authentication framework are Oracle Internet Directory features that facilitate integration between Oracle technology components that request services from one another. The Service Registry provides a place to store information, so that the components can discover each other. The Service to Service Authentication framework allows one component to authenticate to another and establishes trust among them.
The Service Registry is a container in Oracle Internet Directory (under cn=Services, Cn=OracleContext) where components store connectivity information, such as protocol, and other information, such as type of service. During installation, each OCS component registers its information in the Registry. At run-time the components discover information registered by other components. Service Registry objects are stored in the Oracle Internet Directory DIT in a component-specific Services container in the rootOracleContext.
Service to Service Authentication is a framework that allows one service to authenticate to another and establish trusts among the services. At install time, each of the client services is provisioned with a user name and password in Oracle Internet Directory. In addition, each target service defines an authorization role in Oracle Internet Directory to control which components should it trust. When a component requests services of another component, the requestor must authenticate to the target service like any other client, using its own identity and credentials. The requesting service must also be listed in the Target services Trusted Application group (Default Group: contrasted Applications, counterpoise, cn=OracleContext). The requesting service also must send the user's identity so that the target service can authenticate the user as well. The data is sent securely, using either Digest authentication or the target service's native secure authentication.
3.12 Oracle Directory Integration Platform
Oracle Directory Integration Platform enables an enterprise to integrate its applications and other directories with Oracle Internet Directory. It provides all the interfaces and infrastructure necessary to keep the data in Oracle Internet Directory consistent with that in enterprise applications and connected directories. It also makes it easier for third-party vendors and developers to develop and deploy their own connectivity agents.
For example, an enterprise might want employee records in its HR database to be synchronized with Oracle Internet Directory. In addition, the enterprise may deploy certain LDAP-enabled applications (such as Oracle Portal) that must be notified whenever changes are applied to Oracle Internet Directory.
Based on the nature of integration, Oracle Directory Integration Platform provides two distinct services:
-
The synchronization integration service, which keeps connected directories consistent with the central Oracle Internet Directory
-
The provisioning integration service, which sends notifications to target applications to reflect changes made to a entries of interest, such as users and groups
See Also:
Synchronization, Provisioning, and the Differences Between Them in Administering Oracle Directory Integration Platform.
3.13 Understanding the Role of Identity Management in Oracle Internet Directory
Understand about the role of Identity Management and its realms in Oracle Internet Directory.
This section contains the following topics:
3.13.1 Identity Management
Identity management usually refers to the management of an organization's application users. Steps in their security life cycle include account creation, suspension, privilege modification, and account deletion. The managed entities may also include devices, processes, applications, or anything else that must interact in a networked environment. They may also include users outside of the organization, for example customers, trading partners, or Web services.
Identity management is important to IT deployments because it can reduce administrative costs while at the same time improving security.
The Oracle Identity Management products enable deployments to manage centrally and securely all enterprise identities and their access to various applications in the enterprise. Identity management comprises these tasks:
-
Creating enterprise identities and managing shared properties of these identities through a single enterprise-wide console
-
Creating groups of enterprise identities
-
Provisioning these identities in various services available in the enterprise. This includes:
-
Account creation
-
Account suspension
-
Account deletion
-
-
Managing policies associated with these identities. These include:
-
Authorization policies
-
Authentication Policies
-
Privileges delegated to existing identities
-
Note:
For complete information and additional resources for Oracle Identity Management, go to the Oracle Technology Network (OTN) web site at http://www.oracle.com/technetwork/index.html
.
3.13.2 Understanding the Identity Management Realms
Understand about the contextual description of Identity Management realm and Identity Management policies.
This section contains the following topics:
3.13.2.1 Identity Management Realm
An identity management realm defines an enterprise scope over which certain identity management policies are defined and enforced by the deployment. It comprises:
-
A well-scoped collection of enterprise identities—for example, all employees in the US domain.
-
A collection of identity management policies associated with these identities. An example of an identity management policy would be to require that all user passwords have at least one alphanumeric character.
-
A collection of groups—that is, aggregations of identities—that simplifies the setting of the identity management policies.
You can define multiple identity management realms within the same Oracle Identity Management infrastructure. Multiple realms enable you to isolate user populations and enforce a different identity management policy—for example, password policy, naming policy, self-modification policy—in each realm.
Each identity management realm is uniquely named to distinguish it from other realms. It also has a realm-specific administrator with complete administrative control over the realm.
3.13.2.2 Default Identity Management Realm
For all Oracle components to function, an identity management realm is required. One particular realm, created during installation of Oracle Internet Directory, is called the default identity management realm. It is where Oracle components expect to find users, groups, and associated policies whenever the name of a realm is not specified.
There can be only one default identity management realm in the directory. If a deployment requires multiple identity management realms, then one of them must be chosen as the default.
3.13.2.3 Identity Management Policies
The Oracle Identity Management infrastructure supports a flexible set of management policies which comprise:
-
Directory structure and naming policies that enable you to:
-
Customize the directory structure in Oracle Internet Directory for your deployment.
-
Specify where various identities are to be located and how they are uniquely identified.
-
-
Authentication policies that enable you to specify authentication methods and protocols supported by the Oracle Identity Management infrastructure
-
Identity management authorizations that enable you to control access to certain privileged services and delegate administration wherever necessary
Note:
In Oracle Internet Directory Release 9.0.2, the equivalent term for "identity management realm" was "subscriber."
3.14 TCP Keep-Alive Mechanism
By default, Oracle Internet Directory supports TCP keep-alive as long as the TCP keep-alive mechanism is enabled at the operating system level. No specific Oracle Internet Directory configuration is required.
However, if Oracle Virtual Directory is configured with Oracle Internet Directory server, TCP keep-alive is split between Listeners (what LDAP clients connect to) and Adapters (Oracle Internet Directory or other LDAP server). For this scenario, the following configuration is required:
-
At the operating system level, enable the TCP keep-alive mechanism.
-
For Oracle Virtual Directory, set the
vde.soTimeoutBackend
JVM parameter to specify how long Oracle Virtual Directory should wait for a response from Oracle Internet Directory before closing the connection. In other words, this parameter tells Oracle Virtual Directory to close inactive sockets after the time specified by the parameter.The
vde.soTimeoutBackend
parameter, if configured, helps Oracle Virtual Directory detect and safely close orphan server connections caused by remote client or server failure This greatly enhances the performance of the server.The value of
vde.soTimeoutBackend
parameter is passed to the Socket that is created using the Java API as follows:public void setSoTimeout(int timeout) throws SocketException
The preceding method allows you to enable or disable
SO_TIMEOUT
with the specifiedtimeout
limit parameter, in milliseconds. With this option set to a non-zero timeout, a read() call on the InputStream associated with this Socket will block for only this amount of time. If the timeout expires, ajava.net.SocketTimeoutException
is raised, though the Socket is still valid. The option must be enabled prior to entering the blocking operation to have effect. The timeout must be greater than0
. A timeout of zero is interpreted as an infinite timeout.
3.15 Understanding the Concept of Resource Information
Understand about the contextual description or resource information components and where these components are located in the DIT from the following topics.
To fulfill the requests of users, some Oracle components gather data from various repositories and services. To gather the data, these components require the following information:
-
Information specifying the type of resource from which the data is to be gathered. The type of resource could be, for example, an Oracle Database. This is called resource type information.
-
Information for connecting and authenticating users to the resources. This is called resource access information.
These sections contains the following topics:
3.15.1 Resource Type Information
Information about the resources that an application uses to service a user request is called resource type information. A resource type can be, for example, an Oracle Database or a Java Database Connectivity Pluggable Data Source. Resource type information includes such items as the class used to authenticate a user, the user identifier, and the password.
You specify resource type information by using the Oracle Internet Directory Self-Service Console.
3.15.2 Resource Access Information
Information for connecting and authenticating users to the databases is called resource access information. It is stored in an entry called a resource access descriptor (RAD) from which it can be retrieved and shared by various Oracle components.
For example, to service the request of a user for a sales report, Oracle Reports queries multiple databases. When it does this, it does the following:
-
Retrieves the necessary connect information from the RAD
-
Uses that information to connect to those databases and to authenticate the user requesting the data
After it has done this, it compiles the report.
You specify resource access information by using the Oracle Internet Directory Self-Service Console. You can specify resource access information for each individual user or commonly for all users. In the latter case, all users connecting to a given application use, by default, the same information to connect to the necessary databases. Oracle recommends defining default resource access information whenever an application has its own integrated account management—for example, where each user is defined within the application itself with a unique single sign-on user name.
3.15.3 Location of Resource Information in the DIT
Understand how to locate resource information in DIT from the illustration and description provided below..
Figure 3-8 shows where resource information is located in the DIT.
Figure 3-8 Placement of Resource Access and Resource Type Information in the DIT
As Figure 3-8 shows, the resource access and resource type information is stored in the Oracle Context.
Resource access information for each user is stored in the cn=User Extensions
node in the Oracle Context. In this example, the cn=User Extensions
node contains resource access information for both the default user and for specific users. In the latter cases, the resource access information includes that needed for accessing both the Sales and the Bug databases.
Resource access information for each application is stored in the object identified by the application name—in this example, cn=Oracle Reports
Services, cn=Products,cn=Oracle Context,dc=us,dc=acme,dc=com
. This is the user information specific to that product.
Resource type information is stored in the container cn=resource types, cn=common,cn=products,cn=Oracle Context
.
See Also:
-
The sections about managing your own resource information, creating user entries, configuring default resources, and creating new resource types in Reference for Oracle Identity Management in the 10g (10.1.4.0.1) library for instructions for an end user to specify resource access information
-
Plug-in Schema Elements in Reference for Oracle Identity Management
-
Publishing Reports to the Web with Oracle Reports Services in Publishing Reports to the Web with Oracle Reports Services