This section provides a brief description of the new features introduced with the latest releases of Oracle Internet Directory and points you to more information about each new feature.
This chapter describes the following releases:
Persistent Search Operations: A persistent search operation is an enhanced search that continues after the initial search results are returned by Oracle Internet Directory server to an LDAP client. After the initial search is finished, the connection to the server is kept alive until the client unbinds or abandons the operation. A persistent search operation allows a client to receive notifications if entries in the search scope are modified.
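As an added example (not code from the Oracle Internet Directory documentation or product), the following Python builds the request control a client attaches to a persistent search and parses the entry-change notification control a server returns with each changed entry. It assumes the server implements the draft-ietf-ldapext-psearch control pair with the OIDs shown below; the notification it decodes is constructed locally, and the control OIDs should be confirmed against the LDAP extensions reference for your release.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Control OIDs from draft-ietf-ldapext-psearch (assumed to be what the server uses).
PERSISTENT_SEARCH_OID = "2.16.840.1.113730.3.4.3"
ENTRY_CHANGE_NOTIFICATION_OID = "2.16.840.1.113730.3.4.7"

# changeTypes bit mask in the request; the same values name the changeType
# enumeration carried in each notification.
ADD, DELETE, MODIFY, MODDN = 1, 2, 4, 8
ALL_CHANGES = ADD | DELETE | MODIFY | MODDN


# --- minimal DER helpers for the few types these two controls use ---
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _int_body(v: int) -> bytes:
    # two's-complement, minimal length
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)

def ber_integer(v: int) -> bytes:
    return _tlv(0x02, _int_body(v))

def ber_enumerated(v: int) -> bytes:
    return _tlv(0x0A, _int_body(v))

def ber_boolean(v: bool) -> bytes:
    return _tlv(0x01, b"\xff" if v else b"\x00")

def ber_octet_string(v: bytes) -> bytes:
    return _tlv(0x04, v)

def ber_sequence(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, next position); rejects truncated or over-long elements."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_persistent_search(change_types: int = ALL_CHANGES,
                             changes_only: bool = True,
                             return_ecs: bool = True) -> bytes:
    """Request control value. PersistentSearch ::= SEQUENCE {
         changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN }
    changesOnly=True suppresses the initial result set and streams only changes;
    returnECs=True asks for an EntryChangeNotification control on each entry."""
    return ber_sequence(ber_integer(change_types),
                        ber_boolean(changes_only),
                        ber_boolean(return_ecs))


@dataclass
class EntryChange:
    change_type: int
    previous_dn: Optional[str]    # present only for modDN
    change_number: Optional[int]  # present only if the server keeps a change log


def encode_entry_change(change_type: int, previous_dn: Optional[str] = None,
                        change_number: Optional[int] = None) -> bytes:
    """Server side of the exchange; used below to construct a sample notification."""
    items = [ber_enumerated(change_type)]
    if previous_dn is not None:
        items.append(ber_octet_string(previous_dn.encode("utf-8")))
    if change_number is not None:
        items.append(ber_integer(change_number))
    return ber_sequence(*items)


def decode_entry_change(value: bytes) -> EntryChange:
    """Response control value. EntryChangeNotification ::= SEQUENCE {
         changeType ENUMERATED, previousDN LDAPDN OPTIONAL, changeNumber INTEGER OPTIONAL }"""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    tag, item, pos = _read_tlv(body, 0)
    if tag != 0x0A:
        raise ValueError("expected ENUMERATED changeType")
    change = EntryChange(int.from_bytes(item, "big", signed=True), None, None)
    while pos < len(body):
        tag, item, pos = _read_tlv(body, pos)
        if tag == 0x04 and change.previous_dn is None:
            change.previous_dn = item.decode("utf-8")
        elif tag == 0x02 and change.change_number is None:
            change.change_number = int.from_bytes(item, "big", signed=True)
        else:
            raise ValueError(f"unexpected element tag 0x{tag:02x}")
    if change.change_type not in (ADD, DELETE, MODIFY, MODDN):
        raise ValueError(f"unknown changeType {change.change_type}")
    return change


if __name__ == "__main__":
    print(encode_persistent_search().hex())
    sample = encode_entry_change(MODDN, "cn=old,dc=example,dc=com", 42)  # constructed
    print(decode_entry_change(sample))
```

The encoded request value is attached to the search as a critical control; the server then keeps the connection open and returns one entry per change, carrying the notification control the decoder above reads. Because that connection stays open until the client unbinds or abandons the search, run such clients under a bind identity with read access only to the subtree they watch, and account for the long-lived connection when setting connection limits and idle timeouts.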
Oracle Directory Services Manager (ODSM) Session Timeout: The ODSM session timeout default is now 5 minutes. You can configure a different value using the WebLogic Server Administration Console.
Result Set and Metadata Cache Configuration: The new orclcachemaxsize configuration attribute allows you to specify the size of the result set and metadata caches to improve the performance of read and write operations from Oracle Internet Directory server to its Oracle Database.
Enhanced Logging: New instance-specific configuration attributes, including orcltraceconnip, allow you to restrict logging to connections bound with a specific distinguished name (DN) or coming from a specific IP address.
New DSA Configuration Attributes: The orclblockdnip attribute causes Oracle Internet Directory server to reject any new connections from, and close any existing connections from, a specified IP address. The orclmaxlatencylog attribute specifies a time in microseconds; any server operation that takes longer than this is logged to the alert log.
Restricting Binding to the Server: The new bindAuthPriv attribute allows you to specify the users who can bind to Oracle Internet Directory server.
Computed Attributes connectBy Interface: The connectBy interface allows you to compute attributes by connecting attributes from two or more other entries.
DIT View: You can create a DIT view, a virtual view or namespace that exposes entries from a different (source) DIT.
LDAP Replication Filter: Oracle Internet Directory server and the replication server support filtering of specific entries based on an LDAP filter string configured with the orclEntryExclusionFilter attribute in the replication agreement.
New and Revised Troubleshooting Information: See Appendix R, "Troubleshooting Oracle Internet Directory."
Change Log Partitioning: Oracle Internet Directory introduces the concept of partitioning of change log tables.
New Instance-Specific Configuration Attribute: The orclskipspecialinfilter attribute controls whether Oracle Internet Directory skips the processing of special characters in filter values during a search operation.
Extended scope of specificationFilter in Collective Attributes: Oracle Internet Directory now allows you to define LDAP filters in the subtree specification.
Enhanced Performance Tuning:
The new optional catalog command IOT option causes an Index Organized Table (IOT) to be created for the specified attribute without creating an additional index. The IOT option improves both read and write performance for normal LDAP operations and also reduces storage. See Section 15.7, "Creating and Dropping Indexes from Existing Attributes by Using catalog."
Oracle Internet Directory server reports duplicate attribute values in the attr_uniqueness_log table. You can scan the attr_uniqueness_log table to find, and then clean up, the duplicate values. See Section 19.2, "Cleaning Up Duplicate Attribute Values."
Diagnostics Improvements: You can specify that Oracle Internet Directory server calls OCIPing() to send keep-alive messages to its Oracle Database. The frequency of these messages is determined by the new orclMaxTcpIdleConnTime attribute. Setting this attribute to a value less than the idle timeout of any firewall between Oracle Internet Directory server and the Oracle Database prevents the database connection from being dropped.
Support for orclMemberOf in Search Filters: orclMemberOf is a multivalued attribute containing the groups to which the entry belongs. You can now use orclMemberOf in search filters.
LDAP Replication Improvements: The data flow in LDAP replication now consists of the apply phase with the apply queue only; the transport phase and its transport queue are no longer used.
Computed Attribute Support: The new orclComputedAttribute attribute provides a mechanism to dynamically compute a configurable attribute and its value based on one or more rules.
Enable/Disable Entry Cache and Result Set Cache: The orclecacheenabled attribute allows you to enable and disable both the Entry Cache and the Result Set Cache.
Transaction Support: The Oracle Internet Directory SDK now supports transactions, as defined in RFC 5805. See Using LDAP Transactions in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management.
Shared Entry Cache: The entry cache now resides in shared memory, so multiple Oracle Internet Directory server instances on the same host can share a cache. If the host is part of a cluster, all hosts are notified to remove an entry when it changes on one host. Not all search types are cached, only those that benefit from the performance improvement. Attributes for configuring the cache now reside in the DSA configuration entry. See the Server Entry Cache section of the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide for more information.
Autocatalog: A new autocatalog feature is enabled by default in fresh Release 1 (220.127.116.11.0) installs. When this feature is enabled, Oracle Internet Directory automatically invokes the catalog command to index attributes when you search for them.
If the autocatalog feature is not enabled and you want to use previously uncataloged attributes in search filters, you must add them to the catalog entry, as in previous releases. You can now use ldapmodify instead of catalog to index an attribute; the ldapmodify command invokes catalog to perform the operation.
DIT Masking: You can now restrict the DIT content that is exposed in an Oracle Internet Directory server instance. This enables you to present different views of the DIT to different users, depending on which instance they connect to. See Section 39, "Managing DIT Masking."
AES encryption of sensitive attributes: The algorithm for encrypting sensitive attributes is now AES. See "Encryption Algorithm for Sensitive Attributes".
Support for more SHA-2 variants: Several variants of the SHA-2 hashing algorithm are now available for protecting user passwords. See Chapter 31, "Managing Password Verifiers."
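The following is an added example, not Oracle's verifier code, showing how salted SHA-2 password verifiers of this kind are generated and checked. The {SSHA256}, {SSHA384} and {SSHA512} labels and the base64(digest || salt) layout are assumptions borrowed from the common LDAP convention; check Chapter 31 for the exact verifier syntax your release stores.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme labels and digest||salt layout are assumptions (common LDAP convention),
# not a statement of the format Oracle Internet Directory actually stores.
SCHEMES = {"SSHA256": hashlib.sha256, "SSHA384": hashlib.sha384, "SSHA512": hashlib.sha512}
SALT_LEN = 8


def make_verifier(password: str, scheme: str = "SSHA256",
                  salt: Optional[bytes] = None) -> str:
    """Return '{SCHEME}' + base64(H(password || salt) || salt) with a fresh random salt."""
    digest = SCHEMES[scheme]          # KeyError for a scheme we do not support
    salt = os.urandom(SALT_LEN) if salt is None else salt
    h = digest(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(h + salt).decode("ascii"))


def split_verifier(verifier: str) -> Tuple[str, bytes, bytes]:
    """Parse a stored verifier into (scheme, digest, salt), rejecting malformed input."""
    if not verifier.startswith("{") or "}" not in verifier:
        raise ValueError("missing scheme label")
    scheme, _, b64 = verifier[1:].partition("}")
    digest = SCHEMES[scheme]          # unsalted or legacy schemes are refused here
    raw = base64.b64decode(b64, validate=True)
    size = digest().digest_size
    if len(raw) <= size:
        raise ValueError("verifier too short to contain a salt")
    return scheme, raw[:size], raw[size:]


def check_password(verifier: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, stored, salt = split_verifier(verifier)
    candidate = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    v = make_verifier("correct horse", "SSHA512")
    print(v, check_password(v, "correct horse"), check_password(v, "wrong"))
```

Two points matter when reviewing how verifiers are handled: each verifier carries its own random salt (so identical passwords never produce identical stored values), and the comparison is constant-time rather than a plain equality check.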
Account expiration based on period of inactivity: You can now expire an account based on user inactivity. See "Password Policy Attributes".
Access control constrained by IP address: You can create ACIs with a constraint on the IP address of the client. See "Bind IP Filter" and Appendix H, "The Access Control Directive Format."
Oracle Directory Services Manager Capabilities
SSO Integration: You can configure ODSM to use Oracle Access Manager 11g or Oracle Access Manager 10g for single sign on. See "Single Sign-On Integration with Oracle Directory Services Manager".
Unlocking locked accounts: You can list and unlock locked accounts from ODSM. See "Listing and Unlocking Locked Accounts by Using Oracle Directory Services Manager".
Importing entries from an LDIF file and exporting entries to an LDIF file: You can import and export from/to an LDIF file. See "Importing Entries from an LDIF File by Using Oracle Directory Services Manager" and "Exporting Entries to an LDIF File by Using Oracle Directory Services Manager".
Deleting a subtree: You can delete an entire subtree at once. See "Deleting an Entry or Subtree by Using Oracle Directory Services Manager".
Configurable session timeout: You can control the length of time before an inactive session times out. See "Configuring Oracle Directory Services Manager Session Timeout".
LDAP Protocol Features
Support for the "+" option: You can use this option to return operational attributes on a search. See "Listing Operational Attributes by Using ldapsearch".
Support for collective attributes: You can configure an attribute that is common to multiple entries. See Chapter 16, "Managing Collective Attributes."
Rolling Upgrade of Directory Replication Groups: If multimaster replication is configured in your existing Oracle Internet Directory environment, you must follow the procedure in Appendix Q, "Performing a Rolling Upgrade."
Performance and Footprint Improvements
Improved performance: Performance enhancements have been made in LDAP add, LDAP search, and privilege group update.
Reduced storage footprint: Certain multivalued attributes are now stored in one row.
Automatic run of oidstats.sql: An administrator is no longer required to run oidstats.sql manually. OIDMON runs it, based on the number of updates in the database. See "Updating Database Statistics by Using oidstats.sql" in Oracle Fusion Middleware Performance and Tuning Guide.
WebLogic Server Integration: Oracle Internet Directory in 11g Release 1 (11.1.1) is a system component that can use the WebLogic Administrative Domain for management services.
Fusion Middleware Control: You can manage Oracle Internet Directory by using a graphical user interface called Oracle Enterprise Manager Fusion Middleware Control.
Oracle Directory Services Manager: The old graphical user interface for managing directories, Oracle Directory Manager, has been replaced by this web-based administration tool. Use it to manage Oracle Internet Directory and Oracle Virtual Directory. You can invoke it directly or from Oracle Enterprise Manager Fusion Middleware Control.
LDAP-Based Multimaster Replication: You can now use LDAP-based replication for multimaster directory replication groups. You no longer need Oracle Database Advanced Replication-based replication for this purpose. If you want to replicate Oracle Single Sign-On, however, you still must use Oracle Database Advanced Replication-based replication.
Improved Replication Manageability: You can set up and manage LDAP-based replication by using the replication wizard in Oracle Enterprise Manager Fusion Middleware Control. A separate Replication page enables you to adjust attributes that control the replication server.
Sizing and Tuning Wizard: You can obtain recommendations for tuning and sizing by running the Sizing and Tuning wizard in Oracle Enterprise Manager Fusion Middleware Control.
See Also: The Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
Integration with Common Auditing Infrastructure: Oracle Internet Directory is now integrated with the Oracle Fusion Middleware common audit framework. You can configure auditing from the command line or by using Oracle Enterprise Manager Fusion Middleware Control.
See Also: Chapter 23, "Managing Auditing"
Improvements to Referential Integrity: Referential Integrity has been completely reimplemented. You can configure it from the command line or by using Oracle Enterprise Manager Fusion Middleware Control.
Updates to Password Policy Controls and Error Messages: New controls and error messages were added to the LDAP API.
See Also: "Password Policies" in the "Extensions to the LDAP Protocol" chapter in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
Configuration Parameter Changes: Most configuration attributes for the LDAP server now reside in two entries. Instance-specific attributes are in the instance-specific configuration entry and shared attributes are in the DSA Configuration entry. You can manage most of these from the command line or by using Oracle Enterprise Manager Fusion Middleware Control or Oracle Directory Services Manager.
Improvements to Attribute and Entry Alias Support: Oracle Internet Directory now supports several different options for dereferencing aliases in a search.
See Also: Chapter 18, "Managing Alias Entries"
Extensible Matching in Search Filters: Oracle Internet Directory now supports search filters of the form attr:dn:=value. With this filter, the attributes that make up the entry's DN are considered part of the entry for search purposes, so a value that appears only in the DN can still satisfy the filter. Oracle Internet Directory does not support extensible matching using a matching rule specified in the filter.
While the Oracle Internet Directory server supports extensible filters, the ldapsearch command and the Oracle LDAP API do not. You must use a different API, such as JNDI, to issue this type of filter.
See Also: "Developing Applications with Standard LDAP APIs" in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
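An added example, not code from the original document or from Oracle, that makes the attr:dn:=value semantics concrete: a small filter evaluator that matches against an entry's attributes, and additionally against the components of its DN when the :dn: option is present, while refusing a matching rule named in the filter. The entry layout (a dict holding the DN and lowercase attribute names), the sample entries and the subset of the RFC 4515 filter grammar it parses are assumptions of the example.

```python
import re
from typing import Any, Dict, List, Tuple

# Accepts (attr=value), (attr:dn:=value) and, so that it can be rejected explicitly,
# (attr:rule:=value) / (attr:dn:rule:=value). Anything else is unsupported.
_FILTER = re.compile(
    r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)"
    r"(?::(?P<dn>dn))?"
    r"(?::(?P<rule>[A-Za-z0-9.]+))?"
    r"(?P<ext>:)?="
    r"(?P<value>[^()]*)\)$")

Entry = Dict[str, Any]  # {"dn": str, "attrs": {lowercase attribute name: [values]}}


def dn_avas(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs. Handles multi-valued RDNs (a+b) but not
    escaped separators; enough for the constructed sample entries below."""
    return [(t.strip().lower(), v.strip())
            for rdn in dn.split(",")
            for t, _, v in (ava.partition("=") for ava in rdn.split("+"))]


def matches(filter_str: str, entry: Entry) -> bool:
    m = _FILTER.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    if m["rule"]:
        # attr:dn:=value is accepted; a matching rule named in the filter is not
        raise NotImplementedError(f"matching rule {m['rule']!r} in filter is not supported")
    attr, value = m["attr"].lower(), m["value"]
    candidates = list(entry["attrs"].get(attr, []))
    if m["dn"]:
        # the :dn: option adds every DN component of that type to the candidates
        candidates += [v for t, v in dn_avas(entry["dn"]) if t == attr]
    return any(c.lower() == value.lower() for c in candidates)  # caseIgnore equality


def search(filter_str: str, entries: List[Entry]) -> List[str]:
    return [e["dn"] for e in entries if matches(filter_str, e)]


# Constructed sample directory: neither person entry carries an "ou" attribute;
# the organizational unit appears only in the DN.
SAMPLE: List[Entry] = [
    {"dn": "cn=Alice,ou=Sales,dc=example,dc=com",
     "attrs": {"cn": ["Alice"], "sn": ["Smith"], "objectclass": ["person"]}},
    {"dn": "cn=Bob,ou=Engineering,dc=example,dc=com",
     "attrs": {"cn": ["Bob"], "sn": ["Jones"], "objectclass": ["person"]}},
    {"dn": "ou=Sales,dc=example,dc=com",
     "attrs": {"ou": ["Sales"], "objectclass": ["organizationalUnit"]}},
]

if __name__ == "__main__":
    print(search("(ou=Sales)", SAMPLE))      # only the OU entry itself
    print(search("(ou:dn:=Sales)", SAMPLE))  # the OU entry and Alice, whose DN contains ou=Sales
```

The plain equality filter finds only the entry that actually stores ou=Sales; the :dn: form also finds Alice, whose membership in the unit is visible only in her DN. The same evaluator raises for (ou:caseIgnoreMatch:=Sales), mirroring the server's lack of support for matching rules named in the filter.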
Support for Oracle Single Sign-On and Oracle Delegated Administration Services 10g (10.1.4.3.0) or later: Oracle Fusion Middleware 11g Release 1 (11.1.1) does not include Oracle Single Sign-On or Oracle Delegated Administration Services. Oracle Internet Directory 11g Release 1 (11.1.1), however, is compatible with Oracle Single Sign-On and Oracle Delegated Administration Services 10g (10.1.4.3.0) or later.
Links to Procedural Information: This document contains a table of links to important tasks.
Identity Management Grid Control Plug-in: This new interface enables you to monitor and manage Oracle Internet Directory, Oracle Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration Platform, using the features of the Oracle Enterprise Manager 10g Grid Control Console.
Improved Bulk Tools: The following bulk tools have been converted into C executables:
Examples and descriptions in this document and in Oracle Fusion Middleware Reference for Oracle Identity Management have been updated to reflect the new features of these tools.
See Also: The chapter on Oracle Internet Directory server administration tools in Oracle Fusion Middleware Reference for Oracle Identity Management
Application-Specific Schema Containers: A product that adds schema to Oracle Internet Directory can have its own schema container.
Support for Attribute Aliases: You can create user-friendly aliases for attribute names.
Caching of Dynamic Groups: Dynamic group members are computed when the dynamic group is added, and the member list is kept consistent when the dynamic group is later modified.
Optimizing Searches for Large Group Entries: There is an additional technique for optimizing searches by increasing the size of the entry cache instead of disabling the entry cache.
See Also: The Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
Referential Integrity: If you enable Referential Integrity, whenever you update an entry in the directory, the server also updates other entries that refer to that entry.
New Monitoring Capabilities for Server Manageability: You can enable additional health statistics, user statistics, and security events tracking.
New Password Policy Features: You can apply a password policy to any subtree, or even a single entry. There are also more password policy attributes to choose from.
See Also: Chapter 29, "Managing Password Policies"
Server Chaining: This feature enables you to map entries that reside in third party LDAP directories to part of the directory tree and access them through Oracle Internet Directory, without synchronization or data migration.
Paging and Sorting of LDAP Search Results: The ldapsearch command now has a -T option for sorting and a -j option for paging.
See Also: The ldapsearch command-line reference in Oracle Fusion Middleware Reference for Oracle Identity Management, and the chapter on extensions to the LDAP protocol in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
New Replication Features: Oracle Internet Directory Replication has been enhanced with the following features:
Two-way LDAP-Based Replication: This feature enables you to deploy fan-out replication groups where replication flows in both directions and updates at any node are replicated to the whole group.
Replication Failover: Failover of LDAP replicas from one supplier to another is supported, with administrator intervention.
Oracle Internet Directory Comparison and Reconciliation Tool: A new oidcmprec command, with improved functionality, replaces the earlier comparison and reconciliation tool.
See Also: The oidcmprec command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management
Java Server Plug-ins: The Oracle Internet Directory Plug-in Framework now supports plug-ins written in Java and in PL/SQL.
The following chapters have been moved to Oracle Fusion Middleware High Availability Guide:
"High Availability And Failover Considerations"
"Oracle Application Server Cluster (Identity Management) Configurations"
"Oracle Application Server Cold Failover Cluster (Identity Management)"
"The Directory in an Oracle Real Application Clusters Environment"
The following appendixes have been rewritten as chapters in Oracle Fusion Middleware Reference for Oracle Identity Management:
"Syntax for LDIF and Command-Line Tools"
"Oracle Internet Directory Schema Elements"
Improved integration with other components: New features provide better integration with components such as Oracle Collaboration Suite. These features include service-to-service authentication, the service registry, and verifier generation using dynamic parameters.
Support for Certificate Matching Rule: External authentication using certificates can now take either of two forms: an exact match, in which the subject DN of the client certificate is used to authenticate the user, or a certificate hash, in which the client certificate is hashed and is then compared with a certificate hash stored in the directory.
See Also: "Direct Authentication"
Ease of deployment for Replication: Replication is now much easier to install, configure, and manage.
Ease of deployment for Clusters: Cluster configurations are now much easier to install, configure, and manage.
Enforcing access control for Oracle Internet Directory superuser: The superuser is now subject to access control policies like any other user. New ACL keywords allow you to restrict superuser access through privileged groups.
Oracle Internet Directory Server Diagnostic Tool: The OID Diagnostic Tool collects diagnostic information that helps triage issues reported on Oracle Internet Directory.
See Also: The oiddiag command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management