This chapter describes DIT masking with Oracle Internet Directory, including how to configure the attributes required for DIT masking. DIT masking restricts which portions of the directory information tree (DIT) are exposed by a given Oracle Internet Directory server instance.
DIT masking restricts access for all users except the super user, cn=orcladmin. Typically, you use masking to prevent some users from seeing certain portions of the DIT, based on which Oracle Internet Directory server instance they connect to. Typical use cases for presenting different views of the DIT include test versus production and internal versus external users.
Beginning with Oracle Internet Directory 11g Release 1 (11.1.1.7.0), you can also disallow access to one or more containers from the entire directory, as opposed to hiding the containers from a specific Oracle Internet Directory server instance.
You could also restrict a user's view of the DIT by using Oracle Virtual Directory, but DIT masking has far less performance and administrative overhead.
By default, no masking is configured. You configure masking with the attributes in Table 39-1. orclmaskrealm and orclmaskfilter are attributes of the instance-specific configuration entry (cn=instance_name,cn=osdldapd,cn=subconfigsubentry); orclmaskrealm;disallowed is an attribute of the DSA configuration entry, cn=dsaconfig,cn=configsets,cn=oracle internet directory, and therefore applies to every instance.
Table 39-1 Masking Configuration Attributes
Attribute | Description |
---|---|
orclmaskrealm | Contains the DIT subtrees that are exposed in an instance. The DN configured and its children are visible in the instance. Other entries in the DIT are masked (hidden) for all LDAP operations. |
orclmaskrealm;disallowed | Contains DIT subtrees that are hidden across the entire directory, that is, in every instance, for all users except the super user. |
orclmaskfilter | Filters the entries exposed in the instance. Entries matching the filter criteria are exposed. Other entries are hidden for all LDAP operations. |
You modify these attributes in the same way as other attributes of the instance-specific configuration entry. See Section 9.4.1, "Setting System Configuration Attributes by Using ldapmodify."
Masking is useful in scenarios where the administrator wants to selectively expose or hide the entries present in the directory. The following examples illustrate this use case.
Consider a DIT setup with the following hierarchy:
cn=internal,o=oracle
cn=external,o=oracle
cn=public,o=oracle
The internal container contains entries internal to the organization and should have limited access. The external and public containers contain data about external users and some public information that is accessible to all. An administrator wants to ensure that only the external and public data is available outside of the organization firewall. This can be achieved through masking. Create an Oracle Internet Directory instance, such as oid2, that runs on a port exposed through the firewall. To ensure that applications and users connecting to this port see only publicly accessible content, create masking realms in cn=oid2 with ldapmodify, using the following LDIF file:
```ldif
dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
add: orclmaskrealm
orclmaskrealm: cn=external,o=oracle
orclmaskrealm: cn=public,o=oracle
```
This example ensures that only the entries in the configured containers, public and external, are seen through this instance. Applications and users connecting to this instance cannot see the internal container or its entries. Note that the internal container still exists in the directory and remains visible through any other instance, such as one listening on an internal port, so the masked instance must be the only one whose port is reachable from outside the firewall.
Another use case is restricting entries based on the data stored in them. An organization might have data about employees, contract workers, and temp workers. A user lookup application, such as an email client, queries the directory server to find email addresses. An administrator wants to hide temp workers' information and expose only employees and contract workers in the instance accessed by the email client, say cn=oid2. This can be done by configuring masking filters with ldapmodify, using the following LDIF file:
```ldif
dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
add: orclmaskfilter
orclmaskfilter: (usertype=employee)
orclmaskfilter: (usertype=contract)
```
This example ensures that only entries with usertype=employee or usertype=contract are exposed through the instance; an entry matching any one of the configured orclmaskfilter values is exposed, and all other entries are hidden.
Consider a DIT setup with the following container:
cn=internal,o=oracle
You can disallow access to this container from the entire directory (as opposed to hiding the container from a specific instance) with ldapmodify, using the following LDIF file:
```ldif
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclmaskrealm;disallowed
orclmaskrealm;disallowed: cn=internal,o=oracle
```
This example ensures that entries in the internal container are not accessible to any user other than the super user, cn=orcladmin, for all LDAP operations, regardless of which instance the user connects to.
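The three configurations above (masking realms, masking filters, and a disallowed container) are easy to get wrong in the LDIF and hard to reason about before the instance is restarted. The following Python script is an added example, not Oracle's code and not how Oracle Internet Directory implements masking internally: it generates the LDIF records for all three attributes in the form the chapter uses, and it models the masking rules as the chapter states them so that you can preview which entries a masked instance will expose. The sample entries under o=oracle, the instance name oid2, and the usertype values are constructed for the example. It assumes DNs are plain comma-separated RDNs (no escaped commas), supports only equality filters of the form (attr=value), and treats orclmaskrealm and orclmaskfilter on the same instance as both having to be satisfied; none of those three points is stated by the chapter.

```python
"""Preview of OID DIT masking: LDIF generation plus a model of what a masked
instance exposes. Added example; not Oracle code. Assumptions (not from the
chapter): simple comma-separated DNs, equality filters only, and realm and
filter masking on one instance both have to be satisfied."""

SUPER_USER = "cn=orcladmin"  # bypasses all masking, per the chapter
DSA_CONFIG_DN = "cn=dsaconfig,cn=configsets,cn=oracle internet directory"


def rdns(dn):
    """Split a DN into normalized RDNs: 'cn=a, O=Oracle' -> ['cn=a', 'o=oracle']."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies anywhere beneath it."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def parse_eq_filter(text):
    """Parse '(attr=value)' into ('attr', 'value'); reject anything else."""
    text = text.strip()
    inner = text[1:-1] if text.startswith("(") and text.endswith(")") else ""
    attr, sep, value = inner.partition("=")
    if not sep or not attr or not value or any(c in "()&|!*" for c in inner):
        raise ValueError(f"unsupported filter (equality only): {text!r}")
    return attr.strip().lower(), value.strip().lower()


def matches(entry, filt):
    """True if the entry holds the filter's value (case-insensitive)."""
    attr, value = parse_eq_filter(filt)
    return any(v.lower() == value for v in entry.get(attr, []))


def visible_dns(entries, realms=(), filters=(), disallowed=(), bind_dn=None):
    """DNs that a bind as bind_dn sees through an instance configured with the
    given orclmaskrealm / orclmaskfilter values, plus the directory-wide
    orclmaskrealm;disallowed values. Entries are dicts with a 'dn' key and
    lower-case attribute keys holding lists of values."""
    if bind_dn is not None and rdns(bind_dn) == rdns(SUPER_USER):
        return [e["dn"] for e in entries]  # super user is never masked
    out = []
    for e in entries:
        dn = e["dn"]
        # orclmaskrealm;disallowed: subtree hidden in every instance.
        if any(in_subtree(dn, d) for d in disallowed):
            continue
        # orclmaskrealm: only the configured DNs and their children are exposed.
        if realms and not any(in_subtree(dn, r) for r in realms):
            continue
        # orclmaskfilter: entries matching any one of the filters are exposed.
        if filters and not any(matches(e, f) for f in filters):
            continue
        out.append(dn)
    return out


def masking_ldif(instance, realms=(), filters=(), disallowed=()):
    """LDIF modify records for the given masking, one record per attribute,
    in the same form as the chapter's examples."""
    instance_dn = f"cn={instance},cn=osdldapd,cn=subconfigsubentry"
    records = []
    for target, attr, values in (
        (instance_dn, "orclmaskrealm", realms),
        (instance_dn, "orclmaskfilter", filters),
        (DSA_CONFIG_DN, "orclmaskrealm;disallowed", disallowed),
    ):
        if values:
            lines = [f"dn: {target}", "changetype: modify", f"add: {attr}"]
            lines += [f"{attr}: {v}" for v in values]
            records.append("\n".join(lines) + "\n")
    return "\n".join(records)


# Constructed sample directory mirroring the chapter's o=oracle layout.
SAMPLE_ENTRIES = [
    {"dn": "o=oracle"},
    {"dn": "cn=internal,o=oracle"},
    {"dn": "cn=dave,cn=internal,o=oracle", "usertype": ["employee"]},
    {"dn": "cn=external,o=oracle"},
    {"dn": "cn=alice,cn=external,o=oracle", "usertype": ["contract"]},
    {"dn": "cn=public,o=oracle"},
    {"dn": "cn=bob,cn=public,o=oracle", "usertype": ["temp"]},
    {"dn": "cn=carol,cn=public,o=oracle", "usertype": ["employee"]},
]

if __name__ == "__main__":
    realms = ["cn=external,o=oracle", "cn=public,o=oracle"]
    print(masking_ldif("oid2", realms=realms))
    for dn in visible_dns(SAMPLE_ENTRIES, realms=realms):
        print("visible through oid2:", dn)
```

Apply the generated file with ldapmodify as described in Section 9.4.1, then confirm the effect the same way the model does: run an identical ldapsearch against the masked port and against an internal port and compare the DNs returned. Note that the model, like the chapter's filter example, hides entries that carry no usertype attribute at all, including the container entries themselves.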