Oracle Internet Directory 10g R3 feature overview

Oracle Internet Directory 10.1.4.2

September 2008


Summary
Oracle Internet Directory is an LDAP v3 service that combines the mission-critical strength of Oracle's database technology with the flexibility and compatibility of the LDAP v3 directory standard.  Oracle Internet Directory is a critical component of the Oracle Application Server 10g management and security infrastructure.  It is tightly integrated with the Oracle Database 10g, making it the directory of choice for Oracle shops. In addition, Oracle Internet Directory's scalability, high availability and security features make it the ideal customer choice for high-end carrier and online service provider implementations.

Product Overview
Oracle Internet Directory offers the flexibility and extensibility of LDAP along with the scalability and reliability of the Oracle 10g platform.  The Oracle Internet Directory server is implemented as an application running on top of Oracle Database 10g.  Through this integration, Oracle Internet Directory leverages the features of the Oracle platform, making it a compelling choice for mission-critical applications.

Within Oracle Application Server 10g, Oracle Internet Directory enables users to be created centrally and shared across components such as Oracle Application Server 10g Portal, Oracle Access Manager, Oracle Identity Manager, Oracle Collaboration Suite, Oracle E-Business Suite 11i and others. When users log in, they are authenticated once by the Oracle Application Server 10g Single Sign-On Server against their Oracle Internet Directory credential, and can thereby access multiple applications seamlessly.

Scalability
Oracle Internet Directory exploits the massive strengths of Oracle Database 10g, enabling support for huge enterprise and Internet-scale directory applications. Like the database underneath it, Oracle Internet Directory scales to support terabytes of real-world directory information on a single server. In addition, technologies such as multi-process and multi-threaded LDAP processes and database connection pooling allow it to support tens of thousands of concurrent client requests while maintaining millisecond response times.

Oracle Internet Directory also supports LDAP referral objects, which enable the physical partitioning of directories.  An administrator embeds pointers that connect the various partitions so that each can be reached from the others.  Partitioned directories allow delegated administration of the physical directory segments while maintaining a logically contiguous view of the directory as a whole. This is a critical feature for service providers and enterprises hosting a large directory for a federation of smaller, autonomous organizations. Features like Server Chaining make integration of external directories such as Sun Java System Directory Server or Microsoft Active Directory transparent to directory clients.
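A referral object of the kind described above, written as an added LDIF example (it is not from the original page or Oracle's documentation). It uses the standard referral object class and ref attribute from RFC 3296, which is what an LDAP v3 server such as Oracle Internet Directory accepts; the host name and DNs are invented for illustration.

```ldif
# Constructed example: a referral entry that hands the subtree
# ou=Partner,dc=example,dc=com over to a directory run by a partner.
# Host name and DNs are made up; the object classes and the ref
# attribute are the standard ones from RFC 3296.
dn: ou=Partner,dc=example,dc=com
objectClass: top
objectClass: referral
objectClass: extensibleObject
ou: Partner
ref: ldaps://dir.partner.example.net:636/ou=Partner,dc=example,dc=com
```

The security point to keep in mind: a client that chases referrals automatically re-sends its request, and depending on the client library also its bind credentials, to whatever host the ref attribute names. Whoever can write referral entries can therefore redirect clients, so write access to referral objects should be restricted as tightly as access to the ACLs themselves, ref targets should use ldaps://, and middle-tier applications should chase referrals only to hosts they already trust.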

Oracle Internet Directory provides data management tools for manipulating huge volumes of LDAP data.  For example, with the Oracle Internet Directory bulk loader (based on SQL*Loader), administrators can populate a million user-entry directory in about one hour.

High availability
Oracle Internet Directory has been designed to meet the needs of mission-critical deployments.  The underlying Oracle Database 10g running with large data stores and heavy loads can recover from system failures in a matter of seconds.  In addition, Oracle Internet Directory supports all Oracle 10g high-availability solutions and techniques, including hot backups, clustered "logical hosts", Real Application Clusters, failover, and full multi-master replication. This means if one server in a clustered or replicated community is unavailable for any reason, end users can continue to work and administrators can administer the directory from any other server. Administrators can perform functions such as directory user administration, schema extensions and entry modifications.

Oracle Internet Directory also supports multi-master replication carried over the LDAP protocol itself. This matters when directory information has to be replicated between firewall-separated environments, because only the LDAP port needs to be opened between the sites rather than the database connections used by Oracle Database replication. For in-depth descriptions of the supported high-availability topologies, refer to the Oracle Application Server High Availability Guide.

Security
Oracle Internet Directory offers comprehensive and flexible support for directory access control. This includes entry-level, attribute-level, and prescriptive (subtree-wide) access control, so that security can be tailored to enterprise and service provider needs. An administrator can grant or restrict access to a specific directory attribute, entry, group or naming context. Oracle Internet Directory implements three levels of user authentication: anonymous, password-based, and certificate-based; the certificate-based mode runs over Secure Sockets Layer (SSL) v3, which also provides data privacy on the wire.
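An illustration of entry-level and attribute-level access control as an added LDIF example, not code from the original page. It uses the orclaci directives of the kind Oracle Internet Directory stores on a container entry; the container DN and the HelpDesk group are invented, and the exact directive syntax should be verified against the Administrator's Guide for your release.

```ldif
# Constructed example: ACLs on the cn=Users container.
# DNs and the HelpDesk group are made up for illustration.
# Each orclaci is a prescriptive ACL that applies to the whole subtree.
dn: cn=Users,dc=example,dc=com
changetype: modify
replace: orclaci
# Entry-level rules: the help desk may create and delete user entries,
# everyone else (including anonymous binds) may only browse.
orclaci: access to entry by group="cn=HelpDesk,cn=Groups,dc=example,dc=com" (browse,add,delete)
orclaci: access to entry by * (browse,noadd,nodelete)
# Attribute-level rules for the password: the user may change it, the
# help desk may reset it, and nobody else may even search on it.
orclaci: access to attr=(userPassword) by self (search,read,write)
orclaci: access to attr=(userPassword) by group="cn=HelpDesk,cn=Groups,dc=example,dc=com" (write)
orclaci: access to attr=(userPassword) by * (none)
# All other attributes: self-service write, read-only for everyone else.
orclaci: access to attr=(*) by self (read,search,compare,write)
orclaci: access to attr=(*) by * (read,search,compare,nowrite)
```

The explicit `by * (none)` on userPassword is the line that matters: because anonymous authentication is supported, an ACL set that only grants rights to named groups but never denies the wildcard subject can leave hashed passwords readable or searchable by unauthenticated clients. After loading a change like this, check it with an anonymous search for `(userPassword=*)` against the subtree and confirm that nothing comes back.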

Oracle Internet Directory offers sophisticated password policy management based on password "value" and password "state". Value policies constrain the password string itself, e.g. a minimum number of upper- and/or lower-case characters, special (non-alphanumeric) characters and a maximum number of repeated characters. State policies support user account life-cycle management, e.g. grace logins limited by a time period (in addition to a number of login attempts) and a minimum age before a user may change their own password. Multiple password policies can be defined and applied per directory subtree or per entry.
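To make the "value" rules above concrete, here is an evaluator for them as an added example. It is not Oracle Internet Directory's own implementation; the PasswordPolicy field names and the threshold values are hypothetical and do not reflect any OID default.

```python
"""Evaluator for password "value" rules of the kind the text lists:
minimum upper- and lower-case characters, special (non-alphanumeric)
characters and a cap on runs of repeated characters.

Added example, not Oracle Internet Directory's own implementation.  The
PasswordPolicy field names are hypothetical and the default thresholds
are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_digits: int = 1
    min_special: int = 1      # non-alphanumeric characters
    max_repeated: int = 2     # longest run of one identical character allowed


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character ('aaab' -> 3)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the names of the rules the password violates; [] means compliant.

    Every rule is evaluated rather than stopping at the first failure, so a
    self-service page or provisioning tool can report all problems at once.
    """
    counts = {
        "min_uppercase": sum(c.isupper() for c in password),
        "min_lowercase": sum(c.islower() for c in password),
        "min_digits": sum(c.isdigit() for c in password),
        "min_special": sum(not c.isalnum() for c in password),
    }
    violations = []
    if len(password) < policy.min_length:
        violations.append("min_length")
    for rule, count in counts.items():
        if count < getattr(policy, rule):
            violations.append(rule)
    if longest_run(password) > policy.max_repeated:
        violations.append("max_repeated")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed candidates: one weak, one with a repeated run, one compliant.
    for candidate in ("password", "aaaBBB1!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {check_password(candidate, policy) or 'ok'}")
```

State rules (grace logins, minimum age) are deliberately left out: they depend on per-account timestamps the directory keeps, not on the password string, and belong in the server rather than in a client-side pre-check like this one.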

In addition, passwords can be stored using a variety of hashing schemes.  Together with the policy features, this lets administrators define consistent password rules across applications and lets other systems that use the same hashing scheme consume the stored values directly.

The external authentication plug-in delegates authentication to third-party directories such as Microsoft Active Directory, Sun Java System Directory Server, Novell eDirectory and OpenLDAP.

Oracle Internet Directory supports two unique database security features, Oracle Database Vault and Oracle Transparent Data Encryption.

Oracle Database Vault addresses common regulatory compliance requirements and reduces the risk of insider threats by:

·         Preventing highly privileged users (DBA) from accessing application data

·         Enforcing separation of duty

·         Providing controls over who, when, where and how applications, data and databases can be accessed.

Oracle Database Transparent Data Encryption supports enterprise PCI compliance efforts by transparently encrypting data when it is written to disk and decrypting it when it is read back to the authorized user. Applications don't have to be modified, and authorized users won't even notice the fact that the data has been encrypted on the storage media.

Directory Integration Platform
Oracle Internet Directory includes the Directory Integration Platform, which enables customers to synchronize data between various directories and Oracle Internet Directory.  The Directory Integration Platform is a set of services and interfaces that allow synchronization solutions to be developed against other enterprise repositories. It can also be used to provide Oracle Internet Directory interoperability with third-party metadirectory solutions.

Directory Integration Platform includes agents for out-of-the-box synchronization with Oracle Human Resources, Oracle Database, as well as agents for synchronizing information with select third-party LDAP servers, such as SunOne/iPlanet Directory Server,  Microsoft Active Directory, Novell eDirectory and OpenLDAP.

Using Directory Integration Platform, customers can build a single enterprise directory with global directory entries containing data from such diverse sources as Human Resources applications, LDAP directories, and other data repositories. Oracle Directory Integration Platform uses Oracle Internet Directory as the central enterprise directory for both user and configuration data.

Integration with the Oracle Environment
Oracle Internet Directory provides the directory backbone for a variety of Oracle products, like Oracle Advanced Security Option and Oracle Application Server 10g. Therefore other Oracle Products like E-Business Suite which are using Oracle Application Server use Oracle Internet Directory as well. It is also the preferred product for storing Oracle database service names and is replacing Oracle Names for this purpose.

Oracle Internet Directory also includes the Self-Service Console, an easy-to-use, web-based interface which allows end users and application administrators to search for and manage data in the directory.  Another component of the Oracle Internet Directory is the Delegated Administration Service. This console provides Oracle Application Server 10g application administrators with a means of provisioning end users in the Oracle environment.  Oracle Internet Directory also enables components of Oracle Application Server 10g to synchronize data about user and group events, so that those components can update user information stored in their local application instances e.g. Oracle Portal.

Applications outside the Oracle Application Server 10g environment can track directory changes via the Oracle Internet Directory Provisioning Integration System, so that they can keep private user repositories synchronized with the data in the directory.
In addition, Oracle supplies a "Password Filter for Microsoft Active Directory" to keep Oracle passwords in sync with user passwords that are stored and updated frequently in Microsoft Active Directory.  This is a key requirement for Oracle customers deploying identity-centric features such as Enterprise User Security for Oracle Databases.

For example, users who take advantage of the Password Filter for Microsoft Active Directory and Oracle's Directory Integration Platform can log in to databases using their Microsoft Active Directory username and password, without separate password maintenance within the database or Oracle Internet Directory. The "Oracle Password Filter" synchronizes password changes in Active Directory with Oracle Internet Directory and can be safely and securely deployed on any Active Directory instances where password changes are allowed.

An alternative for Enterprise User Security with Active Directory is to use Oracle Internet Directory's Server Chaining capability alongside a Kerberos-enabled Oracle Database. This combination eliminates both password-based authentication and the need to configure the Directory Integration Platform to synchronize user information.

Manageability
Oracle Internet Directory includes Oracle Directory Manager, a Java-based graphical directory administration tool. It is used to administer the operational aspects of the directory, such as directory metadata, password policies, schema and access control information.

Standalone directory deployments of Oracle Internet Directory and the Directory Integration Platform can be monitored using Application Server Control, which is installed as part of an Identity Management infrastructure installation.

To monitor and administer Oracle Internet Directory and directory replication together with the Directory Integration Platform in a distributed environment, Enterprise Manager Grid Control is recommended. Among many other features, Grid Control provides a topology viewer (important in distributed environments), performance monitoring, a reporting framework, and process monitoring and control.

Enterprise Manager Grid Control is the single interface of choice for Identity Management components like Oracle Internet Directory, Directory Replication, Directory Integration platform and others.

Oracle Internet Directory has a comprehensive and efficient server manageability infrastructure that gathers the information needed to monitor and manage the directory. The information it gathers can be exposed to industry-standard monitoring agents and presented to directory administrators through suitable GUI interfaces.

Application Development
Oracle Internet Directory supports the development of custom applications that make use of directory data, such as user identities and passwords.  Application development is facilitated through C and PL/SQL APIs and JNDI. Developers can also use toolkits available for popular languages such as Perl and PHP, as long as they are LDAP v2/v3 compatible.

In addition, Oracle Internet Directory provides a server-side plug-in framework for applications that require customized server functionality, such as referential integrity of data, special auditing and reporting, or customized password policies. The plug-in framework is delivered as a flexible PL/SQL interface that allows user-defined operations to be invoked by the directory server before, during or after LDAP operations. Java-based plug-ins are supported as well.

By using the DSML (Directory Services Markup Language) v2 web service provided by Oracle Virtual Directory, developers can access Oracle Internet Directory via SOAP/HTTP using XML.

Availability
Oracle Internet Directory is available on all major platforms and is translated into all languages supported by Oracle Application Server 10g.


Technical Overview

Key Directory Features

  • Implements the relevant IETF LDAP v2 and v3 RFCs and the X.500 information model
  • Extensible directory schema
  • Supports online changes to directory schema with no downtime
  • Multi-byte National Language and Unicode support
  • An Open Group LDAP 2000 Branded Server
  • Common Criteria Evaluations at EAL4
  • Server extensibility via Java and PL/SQL plug-ins
  • Server chaining to access data in non-Oracle directories transparently

Performance

  • Scales to the capabilities of the Oracle Database 10g to support multi-terabyte data stores
  • Unique multi-threaded, multi-process LDAP processes and database connection pooling to support thousands of simultaneous clients
  • Delivers millisecond response time independent of data size
  • Supports server-side entry caching to improve search performance

Security

  • Supports Oracle Database Vault and Oracle Transparent Data Encryption
  • Configurable multi Password Policies
  • Fine-grained ACL control:
    • Per Entry 
    • Per Attribute
    • By Group Membership
    • Prescriptive (Naming Context)
    • By Mode of Authentication 
  • Configurable SSL v3 data privacy
  • Supports anonymous, password-based and certificate-based user authentication
  • Strong authentication via X.509 v3 digital certificates for PKI implementations 
  • Proxy capabilities enable middle-tier applications to access the directory "on behalf of" end user communities
  • External authentication plug-in to authenticate against Microsoft Active Directory, Sun Java System Directory Server, Novell eDirectory and OpenLDAP

Replication and High Availability

  • Multi-master replication using Oracle 10g Replication
  • Updatable fan-out (multi-master) replication based on the LDAP v3 protocol
  • OracleAS cluster

Administration

  • Oracle Identity Management Grid Control embedded in Enterprise Manager Grid Control for Monitoring and Administration of distributed deployments.
  • Oracle Directory Manager, a Java-based GUI for directory administration built on the Oracle Enterprise Manager framework
  • Command-line tools for standard LDAP operations and replication administration
  • Specialized tools for bulk loading and exporting of LDIF data
  • Delegated Administration Service which enables end users and departmental or application administrators to create and update directory information

Requirements

Consult the Oracle Application Server installation guide for your operating system.

Related products

  • Oracle Virtual Directory
  • Oracle Identity Management
  • Oracle Advanced Security

Getting started

To order Oracle Internet Directory, please visit the Oracle Store.
