1 Introduction to Oracle Unified Directory
This section contains the following topics:
1.1 Understanding Oracle Unified Directory
Oracle Unified Directory is a comprehensive next-generation directory service. It is designed to address large deployments, to provide high performance, and to be highly extensible. Oracle Unified Directory is easy to deploy, manage, and monitor.
The following topics provide an overview of Oracle Unified Directory:
1.1.1 Overview of Oracle Unified Directory Components
You can deploy Oracle Unified Directory in any of several component roles to build a robust, high-performance directory service.
Oracle Unified Directory components include:
- LDAP directory server, used for storing data
- Proxy server, where the server acts as an interface between the client and the directory server that contains the data
- Replication gateway between Oracle Unified Directory and Oracle Directory Server Enterprise Edition
For more information about which Oracle Unified Directory server mode you should use, see Understanding Oracle Unified Directory Installation Types.
1.1.2 Understanding Oracle Unified Directory Installation Types
The mode in which the Oracle Unified Directory server runs depends on the installation type you select when you install the software; choose the installation type that matches your requirement.
The following installation types are available while installing Oracle Unified Directory:
1.1.2.1 About Directory Server Set Up
To create an LDAP directory server that contains directory data, install Oracle Unified Directory as a directory server as described in Setting Up Oracle Unified Directory as a Directory Server in Oracle® Fusion Middleware Installing Oracle Unified Directory.
1.1.2.2 About Proxy Server Set Up
If you want the server to act as an interface between the client and the directory server containing the data, then install Oracle Unified Directory as a proxy server. The proxy server does not contain any data. It handles client requests through load balancing or data distribution. See Setting Up Oracle Unified Directory as a Proxy Server in Oracle® Fusion Middleware Installing Oracle Unified Directory.
Note:
To use the virtual directory capabilities described here, you must have a valid Oracle Directory Service Plus license.
1.1.2.3 About Replication Gateway Server Set Up
If you want the Oracle Unified Directory server to replicate information between Oracle Unified Directory and Oracle Directory Server Enterprise Edition, then install Oracle Unified Directory as a replication gateway. See Setting Up Oracle Unified Directory as a Replication Gateway in Oracle® Fusion Middleware Installing Oracle Unified Directory.
1.1.3 Understanding Oracle Unified Directory Synchronization with Other Directories
You can synchronize Oracle Unified Directory with other directories using Oracle Directory Integration Platform. Oracle Directory Integration Platform consists of a set of services and interfaces that facilitates synchronization and provisioning solutions between the directory and other repositories.
To use Directory Integration Platform to enable synchronization for Oracle Unified Directory, you must enable the Oracle Unified Directory changelog.
Directory Integration Platform synchronization can be described as follows:
- Understanding Synchronization between Oracle Unified Directory and Oracle Internet Directory
- Understanding Synchronization between Oracle Unified Directory and Third-Party Directories
Note:
You can obtain Oracle Directory Integration Platform by installing Oracle Identity Management release 11.1.1.6.0 or above.
1.1.3.1 Understanding Synchronization between Oracle Unified Directory and Oracle Internet Directory
Oracle Directory Integration Platform 11.1.1.5 and higher supports synchronization between Oracle Internet Directory and Oracle Unified Directory. For more information about the synchronization procedure, see Integrating with Oracle Directory Server Enterprise Edition (Connected Directory) in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.
Note:
Oracle Directory Server Enterprise Edition was formerly known as the Sun Java System Directory Server (SJSDS). For synchronization to work correctly, read every reference to SJSDS in that guide as a reference to OUD. You can obtain Oracle Directory Integration Platform by installing Oracle Identity Management release 11.1.1.6.0 or above.
1.1.3.2 Understanding Synchronization between Oracle Unified Directory and Third-Party Directories
To enable synchronization of data between Oracle Unified Directory and third-party directories, you must integrate Oracle Directory Integration Platform with . You can obtain Oracle Directory Integration Platform by installing Oracle Identity Management release 11.1.1.6.0 or above.
1.2 Overview of Directory Server
A directory server provides a central repository for storing and managing information such as identity profiles, user credentials, access privileges, application resource information, and network resource information. The Oracle Unified Directory server is an LDAPv3-compliant directory server written entirely in Java for data storage.
The directory server includes the following high-level functionality:
- Full LDAPv3 compliance (RFC 4510-4519) with support for numerous standard and experimental extensions
- High performance and space-efficient data storage
- Ease of configuration and administration
- A highly extensible administrative framework that enables you to customize most of the features listed below
- An administration connector that manages all administration traffic to the server. The administration connector enables the separation of user traffic and administration traffic to simplify logging and monitoring, and to ensure that administrative commands take precedence over commands that manipulate user data.
- A graphical control panel that displays server status information and enables you to perform basic server and data administration
- Several command-line utilities to assist with configuration, administration tasks, basic monitoring, and data management. The main configuration utility (dsconfig) provides an interactive mode that guides you through most configuration tasks.
- Advanced replication mechanism
  - Enhanced multi-master replication across directory server instances
  - Assured replication feature that ensures high availability of data and immediacy of data availability for specific deployment requirements
  - Fractional replication capabilities
  - Support for an external change log that publishes all changes that occur in a directory server database
- Extensible security model
  - Support for various levels of authentication and confidentiality
  - Access to resources based on privileges
  - Advanced access control mechanism
- Multi-faceted monitoring capabilities
- Rich user management functionality
  - Password policies
  - Identity mapping
  - Account status notification
1.3 Overview of Proxy Server
A proxy server acts as a bridge for requests from clients seeking resources from large-scale networks. Proxy servers enhance performance and security. The Oracle Unified Directory proxy supports load balancing, failover, data distribution, and a global index.
The following topics provide a brief overview of Oracle Unified Directory's proxy component:
1.3.1 Understanding the Proxy Server
The Oracle Unified Directory proxy is an LDAPv3 compliant server that does not store data but routes LDAP requests from clients to the directory servers that are spread across an enterprise.
The proxy is the entry point to a directory service deployment spread over multiple directory servers, multiple data centers, or both. All client requests are routed by the proxy to the appropriate remote LDAP server. The Oracle Unified Directory proxy component can be used with any LDAP v3-compliant directory server, such as the Oracle Unified Directory server or Oracle Directory Server Enterprise Edition.
To route data requests to the remote LDAP servers, you can configure the proxy component to use either load balancing or data distribution, or both.
You can deploy the Oracle Unified Directory proxy in very simple configurations, or in more complex, replicated scenarios, using oud-proxy-setup. For detailed information about some simple deployments, see Understanding Deployments Using the Proxy Server.
Note:
The proxy component cannot be used directly as a datastore.
As the interface between the client and the remote LDAP server, the proxy provides numerous security features to ensure secure connection if and when required. See Configuring Security Between the Proxy and the Data Source.
For an in-depth presentation of the elements that constitute the Oracle Unified Directory proxy, see Understanding the Proxy, Distribution, and Virtualization Functionality.
1.3.2 Understanding the Use of the Proxy Server
The proxy manages all the connections between a client and a data source (be it a single server, replicated server, or data center). As such, it centralizes all the rules for client connections, including handling load balancing, data distribution and security with the data source.
When you deploy the proxy for load balancing, all requests received by the proxy are routed to one of the remote LDAP servers based on the load balancing algorithm set during deployment. This routing enables you to identify the back-end directory servers that the proxy should communicate with and specify the percentage of total client load each directory server should receive. Once configured, the proxy automatically distributes client queries to different directory servers conforming to the load criteria defined in the configuration.
To deploy a highly available directory service, you must have at least two replicated directory servers. Without the proxy, to ensure that requests that fail on the first server are handled by the backup server, every client must know the addresses of both data sources and must be coded to treat a failure on the primary server by re-sending the request to the backup server. The proxy handles the failover and load balancing of requests itself, thereby simplifying high availability and scalability.
Typically, if your deployment used only one server to store all the data, you would have performance issues if your data store was too large. You could resolve this issue by replacing the single server with several servers, and splitting the data across these servers. In this case, each client application would need to know which server to search for its data. With the proxy, there is no need to replicate the distribution information for each application, because the proxy manages the distribution of requests to the appropriate data source. Instead, the client application sends a request to the proxy. The proxy knows which partition holds the requested data and handles the request using distribution.
By including the proxy in your deployment, you ease the configuration and management of client applications. The proxy centralizes and handles all requests, ensuring load balancing, distribution of requests, or both.
The proxy also provides a single access point for managing security in a directory service. You can use the proxy to authorize or restrict access to remote directory servers. In addition, to perform maintenance or back up an LDAP server, you can simply modify your proxy deployment to avoid service interruption.
For a description of sample deployments, see Understanding Deployments Using the Proxy Server.
1.4 Overview of the Replication Gateway
A replication server facilitates replication (copying) of data from one Oracle Unified Directory instance to another Oracle Unified Directory server or to another Oracle Directory Server Enterprise Edition (ODSEE) server.
The following topics provide a brief overview of the replication gateway component of Oracle Unified Directory:
1.4.1 About the Replication Gateway
Replication is the mechanism that propagates a change made on one directory server to multiple different directories in a replication topology. The replication gateway translates and propagates replication information effectively between directory servers from Oracle Directory Server Enterprise Edition and directory servers from Oracle Unified Directory.
The main purpose of the replication gateway is to facilitate migration from an existing Directory Server Enterprise Edition deployment to an Oracle Unified Directory topology. For this migration to succeed, you must use one of the following versions:
- Any Oracle Directory Server Enterprise Edition since 11g Release 1 (11.1.1)
- A Sun Java System Directory Server Enterprise Edition, 6.3.1.1.2 Release (starting with the Oracle Unified Directory 11g Release 2 (11.1.2.3) release)
The replication gateway translates the synchronization mechanism specific to each version of the directory, offering two-way replication between the disparate topologies. The replication gateway can be regarded as a pipe that propagates updates between heterogeneous replicated topologies. Translations are managed "on the fly" without storing any data on disk.
1.4.2 Understanding the Role of the Replication Gateway
The replication gateway is responsible for propagating changes made on the disparate servers to the entire replication topology. You need replication setup to meet the objectives of high availability and performance.
The following example shows how you can transition an existing Oracle Directory Server Enterprise Edition deployment to an Oracle Unified Directory topology by using the replication gateway between the two topologies.
Figure 1-1 Transitioning an Existing ODSEE Deployment to OUD
Within the overall replication topology, the replication gateway acts as a two-way forwarding server. It propagates modifications from the Oracle Directory Server Enterprise Edition servers to the Oracle Unified Directory replication topology, and from the Oracle Unified Directory servers to the Oracle Directory Server Enterprise Edition replication topology. In each instance, the replication gateway propagates both ways. You can disable changes from being propagated from the Oracle Unified Directory servers to the Oracle Directory Server Enterprise Edition replication topology, according to your transition scenario.
Note:
In a replication architecture, each replication server is connected to every other replication server in the topology. For high availability, two replication gateway servers are deployed in every transition scenario.
For information about deploying the replication gateway in a migration scenario, see Replicating Between Oracle Directory Server Enterprise Edition and Oracle Unified Directory.
1.4.3 Limitations of the Replication Gateway
Replication is necessary for improving the availability of data across the network. However, there are several limitations to replication that one must be aware of before setting up the replication gateway.
The replication gateway does not manage the following aspects:
- Data initialization. Total update is not supported through the replication gateway. To initialize an Oracle Directory Server Enterprise Edition topology with data from an Oracle Unified Directory server, the data must be exported from the Oracle Unified Directory server and then imported into an Oracle Directory Server Enterprise Edition master server.
- Schema coherency. The replication gateway does not ensure that the schema is coherent across the disparate servers. The administrator must define a coherent schema on both sides.
- Feature translation. The replication gateway does not translate features between the disparate servers, and assumes that the topologies are heterogeneous with regard to features. The best way to handle incompatible features (for example, macro ACIs, CoS, password policies) is to filter out the affected object classes and attribute types before replication occurs.
  The replication gateway does provide a filtering option for replication from Oracle Directory Server Enterprise Edition to Oracle Unified Directory. This option enables you to filter out object classes and attribute types that do not apply to Oracle Unified Directory servers. The default values that are configured for filtering account for differences in CoS, roles, password policies, and conflict resolution.
- Replication conflict resolution. If different values are added simultaneously to the same single-valued attribute, the Oracle Directory Server Enterprise Edition server and the Oracle Unified Directory server resolve the conflict in different ways. The Oracle Directory Server Enterprise Edition server retains the value of the last modify/add operation, while the Oracle Unified Directory server retains the oldest value. The two topologies may therefore end up holding different values for the same attribute.
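The following added example (constructed here, not Oracle code) simulates the single-valued attribute conflict behaviour described in the last item: the same concurrent writes, each tagged with a constructed change sequence number (CSN), are replayed under a "latest write wins" rule (as the page describes for ODSEE) and an "oldest value wins" rule (as described for OUD), and a comparison function lists the entries on which the two topologies diverge. DNs, attribute values and CSNs are all constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    csn: int      # constructed change sequence number; higher means later
    dn: str
    attr: str     # single-valued attribute being written
    value: str


def apply_changes(changes, keep_latest):
    """Replay concurrent writes and return {(dn, attr): resolved value}.

    keep_latest=True keeps the latest write (the ODSEE behaviour described
    above); keep_latest=False keeps the oldest value (the OUD behaviour).
    Resolution is by CSN, so the result does not depend on arrival order.
    """
    state = {}  # (dn, attr) -> (csn, value)
    for c in changes:
        key = (c.dn, c.attr)
        cur = state.get(key)
        if cur is None:
            state[key] = (c.csn, c.value)
            continue
        replace = c.csn > cur[0] if keep_latest else c.csn < cur[0]
        if replace:
            state[key] = (c.csn, c.value)
    return {key: value for key, (_, value) in state.items()}


def divergent(odsee_state, oud_state):
    """Return the (dn, attr) keys whose resolved values differ between topologies."""
    keys = set(odsee_state) | set(oud_state)
    return sorted(k for k in keys if odsee_state.get(k) != oud_state.get(k))


# Constructed sample: two administrators update the same single-valued
# attribute of one entry at almost the same time; a third write is unrelated.
JDOE = "uid=jdoe,ou=people,dc=example,dc=com"
CONCURRENT = [
    Change(csn=101, dn=JDOE, attr="telephoneNumber", value="+1 555 0100"),
    Change(csn=102, dn=JDOE, attr="telephoneNumber", value="+1 555 0199"),
    Change(csn=103, dn="uid=asmith,ou=people,dc=example,dc=com",
           attr="mail", value="asmith@example.com"),
]

if __name__ == "__main__":
    odsee = apply_changes(reversed(CONCURRENT), keep_latest=True)
    oud = apply_changes(CONCURRENT, keep_latest=False)
    for key in divergent(odsee, oud):
        print(f"{key}: ODSEE={odsee[key]!r} OUD={oud[key]!r}")
```

After a migration, comparing exports of the two topologies in this way is a practical check for attributes left inconsistent by concurrent writes.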