Frequently Asked Questions


Oracle Internet Directory

July 2005

Introduction

This document provides answers to frequently asked questions about Oracle Internet Directory, a key component of Oracle's Identity Management Infrastructure. It applies to Oracle Application Server 10g Release 2 (10.1.2). This FAQ is broken into the following sections:

General information

  1. What is Oracle Internet Directory?
    Oracle Internet Directory is a full-featured LDAP V3-compliant directory service implemented as an application on the Oracle Database 10g.  Oracle Internet Directory is available to customers deploying any Oracle product which is LDAP-enabled. The components of Oracle Internet Directory are listed below:

    • Oracle Internet Directory LDAP Server

    • Oracle Directory Integration and Provisioning Service

    • Delegated Administration Service, including a web-based Self Service Console

    • C language LDAP client SDK

    • Java and PL/SQL Language APIs

    • GUI administration tool based on the Oracle Enterprise Manager

    • Oracle Directory Manager, a Java-based administration tool

    • Bulk tools to load and modify large amounts of data into OID

  2. What is LDAP?  And what is the significance of an LDAP Version 3-compliant directory?
    LDAP stands for "Lightweight Directory Access Protocol," the Internet standard for directory services.  Based on the earlier ISO X.500 directory service standard, LDAP is designed for deployment with Internet-centric, "thin client" applications.  The specification for LDAP is defined by the Internet Engineering Task Force (IETF), the same organization responsible for other well-known Internet standards such as HTTP and TCP/IP. LDAP Version 3 refers to the latest version of the LDAP specification, which was approved as a proposed Internet Standard by the IETF in December, 1997.  LDAP Version 3 improves on LDAP Version 2 in a number of important areas:

    • Internationalization - LDAP Version 3 implements encoding of the Unicode character set, allowing servers and clients to support characters used in every language in the world.

    • Referrals - LDAP Version 3 implements a referral mechanism which allows servers to return references to other servers as a result of a directory query.  This makes it possible to partition a directory information tree across multiple LDAP servers, enabling global deployment.

    • Security - A standard mechanism for supporting Simple Authentication and Security Layer (SASL) and Transport Layer Security (TLS) was added, providing LDAP with a comprehensive and extensible framework for data security.

    • Extensibility - LDAP Version 3 supports the ability for vendors to extend the existing LDAP operations through the use of mechanisms called controls.

    • Feature and schema discovery - Finally, mechanisms are provided in LDAP Version 3 for publishing information useful to other LDAP servers and clients, such as what LDAP protocols are supported and a description of the directory schema.

  3. Where can I locate the LDAP standards?
    The LDAP specification is contained in a number of public documents called RFCs (Request for Comments).  In particular, LDAP Version 3 is defined in RFCs 2251-2256.  These are available on the worldwide web at http://www.ietf.org/rfc.html

  4. When would one use Internet Directory instead of storing the information directly in an Oracle database?
    Directories are designed for administering, securing and accessing data about entities, for example people, enterprise resources, or application metadata.  Each entity has a corresponding entry in the directory.  The entry will contain various pieces of information associated with the entry (attributes), and the entries are typically fairly small and relatively static.  Typical use of a directory will involve a relatively small number of data updates, however a potentially very large number of data retrievals.

    On the other hand, relational database systems such as Oracle's excel in recording, storing, securing and accessing data generated by application transactions.  In many relational database deployment scenarios, for example OLTP, transactions might be recorded continuously, but retrievals done infrequently to support, for example, generation of a monthly report. Directories are extremely good structures for managing certain categories of data, for example: 

    • User identities and credentials

    • User profiles

    • User application preferences

    • Application authorization policies

    • Application-discovery information

    • Application- and service-specific management and configuration data, and

    • Network configuration and management policy data

  5. What are the key strengths of Oracle Internet Directory?
    Oracle Internet Directory's main strengths are its scalability, availability and security.  These are described below:

    • Scalability - Because it is implemented on the Oracle Database 10g, a single Oracle Internet Directory server can support huge volumes of data - up to several terabytes in a single directory instance, servicing 1,000s of concurrent client requests.

    • Availability - Oracle Internet Directory can also take advantage of high-availability features of the Oracle Database 10g, including hot backup and restore, rapid recovery, Oracle Advanced Symmetric Replication, and Real Application Clusters.

    • Security - Oracle Internet Directory implements a number of security features, for example access control lists and strong authentication through SSL, which provide a highly flexible framework for managing and distributing data.  And since this data is ultimately stored in the Oracle Database 10g, it is also protected from loss.


Product use

  1. How do Oracle products use Oracle Internet Directory? 
    A number of Oracle products leverage Oracle Internet Directory's capabilities.  Some examples include:

    • Oracle Database 10g - Database Advanced Security uses the standard LDAP interface to store information about enterprise users and enterprise roles in Oracle Internet Directory, allowing administrators to control group user privileges from a single point.

    • Oracle Net Services Name Resolution - Oracle Net Services (formerly SQL*Net) offers an LDAP Native Naming Adapter.  This allows sites to manage Oracle service identifiers and connect descriptors for Oracle clients within Oracle Internet Directory.

    • Oracle Application Server 10g - In OracleAS 10g, Oracle Portal provides single sign-on functionality through Oracle Single Sign-on, which uses Oracle Internet Directory as a repository for managing user identities and passwords.  In addition, OracleAS 10g Portal leverages Oracle Internet Directory's Directory Integration and Provisioning system to maintain tight synchronization for Portal users and groups, enabling detailed customization of the Portal.  For example, a user's promotion from salesperson to sales manager in a Human Resources application, synched with Oracle Internet Directory, can enable Oracle Portal to display an entirely new interface to that user upon next login.

    • Oracle Collaboration Suite - The Oracle Email Server and Unified Messaging components of Oracle Collaboration Suite use Oracle Internet Directory to store client address book data, as well as message recipient data, such as routing information, quota, voicemail greetings, and many other server-side and user properties.

    • Oracle E-Business Suite - The Oracle E-Business Suite Applications 11i (Early Adopter Release) takes advantage of Oracle Internet Directory's provisioning and synchronization capabilities to provision HR and other Applications users from and into the entire Oracle platform, which includes all of the above.

  2. Does Oracle Internet Directory support other enterprise uses?
    Yes. Oracle Internet Directory is a general-purpose LDAP V3 storage and retrieval product suitable for a wide range of applications.  Some of the applications customers are currently implementing with Oracle Internet Directory include:

    • Address books for e-mail and other groupware applications

    • Corporate "whitepages" directory services, including information such as addresses, telephone numbers, and departments

    • Repositories providing single password management for a number of different applications and operating systems

    • Repositories of security credentials, for example X.509 certificates and Certification Revocation Lists (CRLs), as an enabling technology for Internet commerce, and

    • Repositories of configuration information for all kinds of networked devices, such as routers, switches, and servers.

  3. Which Oracle Partners support Oracle Internet Directory?
    Numerous Oracle Partners leverage the power and scalability of Oracle Internet Directory as part of their own product offerings, through reference platforms which support various LDAP servers.  Each vendor is responsible for the list of LDAP directories they support; Oracle maintains a dynamic list of partners for OracleAS 10g who have certified Oracle Internet Directory and other components of OracleAS 10g for use with their product.


Product administration

  1. How is Oracle Internet Directory administered?
    Customers administer Oracle Internet Directory through Oracle Directory Manager, a Java-based, graphical application, Oracle Enterprise Manager, and via command line tools. 

  2. How are user identities created and administered in Oracle Internet Directory? 
    Customers who deploy Oracle Internet Directory have a wide range of Oracle and third-party tools available for provisioning and administering user identities.  The Directory Integration and Provisioning system enables identity integration with external repositories such as HR systems (including Oracle e-Business Suite 11i), third-party LDAP directories, and flat-file user repositories. Once identities are provisioned, they can be administered through the Delegated Administration Service platform that ships with Oracle Internet Directory, on which any number of highly customizable graphical user interfaces can be constructed.  One such user interface, the Oracle Internet Directory Self-Service Console, comes pre-built as a web-based Delegated Administration Service.  Using the Self-Service Console, administrators can create and delegate privileges for restricted aspects of directory administration to other admin personnel or to end users directly.  Thus, Oracle Internet Directory identities can be provisioned and administered using several different methods.  Refer to the Oracle Internet Directory Administrator's Guide for more on the Delegated Administration Services framework.

  3. What bulk loading tools are available?
    Those customers starting an Oracle Internet Directory installation from scratch can use an LDIF-formatted text file of any size to bulk load millions of initial entries into Oracle Internet Directory.  The bulk loading tools use Oracle SQL*Loader to expedite load times; customers have bulk loaded millions of entries into Oracle Internet Directory in hours.  Oracle Internet Directory also ships with bulk tools to delete, modify and append data.
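Because a bulk load of millions of entries is only as good as the LDIF that feeds it, here is an added Python example of an LDIF pre-flight check: a small parser for LDIF content records (line folding, comments, and base64 "::" values) followed by a validation pass that reports the defects a load would otherwise trip over, such as duplicate DNs and entries with no objectClass. This is illustrative code written for this FAQ page, not any Oracle bulk tool, and the sample LDIF embedded in it is constructed.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample LDIF of the kind a bulk loader consumes (not taken from the page).
# The third record deliberately repeats Bob's DN and carries no objectClass.
SAMPLE_LDIF = """\
# Two user entries under a made-up base DN
dn: cn=Alice Example,cn=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Alice Example
sn: Example
mail: alice@example.com
description: a long description that is folded across
  two physical lines

dn: cn=Bob Example,cn=Users,dc=example,dc=com
objectClass: top
objectClass: person
cn: Bob Example
sn: Example
displayName:: Qm9iIEV4YW1wbGU=

dn: cn=Bob Example,cn=Users,dc=example,dc=com
cn: Bob Example
"""

LdifEntry = Tuple[str, Dict[str, List[str]]]


def _unfold(text: str) -> List[str]:
    """Drop comment lines and join continuation lines (a leading single space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[LdifEntry]:
    """Parse LDIF content records (an RFC 2849 subset) into (dn, attributes) tuples.

    Attribute names are lower-cased; values are lists because LDAP attributes are multi-valued.
    """
    entries: List[LdifEntry] = []
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in _unfold(text) + [""]:  # the sentinel blank line flushes the final record
        if line.strip() == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":  # double colon marks a base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            if dn is not None:
                raise ValueError("dn appears twice in one record")
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def validate_entries(entries: List[LdifEntry]) -> List[str]:
    """Report problems a bulk load would hit: duplicate DNs, missing objectClass, person without sn."""
    problems: List[str] = []
    seen = set()
    for dn, attrs in entries:
        key = dn.lower()  # DNs compare case-insensitively
        if key in seen:
            problems.append(f"duplicate dn: {dn}")
        seen.add(key)
        object_classes = [oc.lower() for oc in attrs.get("objectclass", [])]
        if not object_classes:
            problems.append(f"no objectClass: {dn}")
        if "person" in object_classes and "sn" not in attrs:
            problems.append(f"person without sn: {dn}")
    return problems


if __name__ == "__main__":
    for problem in validate_entries(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run against the embedded sample, the check flags the third record twice (duplicate DN, no objectClass) and accepts the other two, including the folded description and the base64 displayName. Real loads will want the schema check driven from the directory's actual schema rather than the single person/sn rule hard-coded here.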


Replication and synchronization

  1. How does Oracle Internet Directory support multi-master directory replication?
    Oracle Internet Directory supports "multimaster" replication between the various directory server nodes.  With multimaster replication, any of the directories in the replication group may behave as the "master" directory, allowing administrators to perform operations like adding new object types or modifying entries, even when some of the other servers are down.  This level of high availability is extremely important to service providers and others with 24x7 availability needs. Multimaster replication is based on proven Oracle Database advanced symmetric replication.

  2. Does Oracle Internet Directory support other replication mechanisms?
    Yes. OID supports "Fan-Out" replication based on the LDAP protocol. Fan-Out, also called a point-to-point replication group, has a supplier replicating directly to a consumer. That consumer can then replicate to one or more other consumers. The replication can be either full or partial. Multimaster and Fan-Out replication can be used together to build highly flexible replication topologies.

  3. Does Oracle Internet Directory synchronize with third-party directories?
    Yes. The Oracle Directory Integration and Provisioning platform, which enables customers to synchronize data between various directories and Oracle Internet Directory, is a set of services and interfaces which makes it possible to develop synchronization solutions with third party metadirectories and other enterprise repositories. With the Oracle Directory Integration and Provisioning platform, customers can build a single directory with a global directory entry containing data from such diverse sources as Human Resources applications, email services, and NOS databases. The Oracle Directory Integration and Provisioning platform uses Oracle Internet Directory as central repository (the central directory) for both user and configuration data. The platform facilitates directory integration with: 

    • third party metadirectory products

    • strategic third party directories

    • third party provisioning systems

    • the Oracle technology stack, and

    • relational database resident data

  4. What are the components of the Directory Integration and Provisioning platform?
    The Directory Integration and Provisioning platform includes:

    • Directory Integration Connectors, which provide connectivity between Oracle Internet Directory, other Oracle products, and third party directories such as SunONE Directory Server and Microsoft Active Directory

    • the Directory Integration Server, which controls the scheduling and running of the Connectors

    • the Directory Integration Toolkit, which allows third party vendors to develop value-added agents and connect their solutions to Oracle Internet Directory.

  5. Can Oracle Internet Directory synchronize with Oracle Human Resources? 
    Yes. Oracle Internet Directory includes an Oracle Human Resources Connector for synchronizing employee data from Oracle Human Resources into Oracle Internet Directory.  The HR Agent provides out-of-the-box, instant connectivity between Oracle Internet Directory and Human Resources.  Customers can modify which Human Resources attributes are synchronized, and they can reformat the data when the data is synchronized. Customers can now use Oracle Human Resources to begin provisioning other systems via Oracle Internet Directory.  For example, an employee could be entered in HR.  That employee's data would then be synchronized into Oracle Internet Directory, which could then be used to give the new user access to Oracle Portal.

  6. Can I build connectors from Oracle Internet Directory to my own directory?
    Yes. The Directory Integration and Provisioning platform enables customers and third party developers to build their own connectors to synchronize data between existing directories and Oracle Internet Directory.  The Directory Integration Server manages the scheduling and execution of the custom-built connectors. 

Interoperability with third-party directories

  1. Can Oracle's products be made to work with third-party LDAP directories (such as SunOne/iPlanet, Microsoft Active Directory, etc)? 
    Yes. All Oracle products that support LDAP can leverage previously deployed third-party LDAP directories. 

  2. How do I accomplish this?
    Leveraging existing third-party directories involves deploying a directory integration component based on Oracle Internet Directory and its Directory Integration and Provisioning platform. The Directory Integration and Provisioning platform serves as a consolidated point of certification for such configurations, thereby simplifying the support and maintenance of such configurations for customers and for Oracle. 

  3. I have already deployed iPlanet Directory Services (or Active Directory Services, SecureWay, etc.) How will Oracle support interoperability with these directory services?
    There are several levels of directory interoperability possible. Which one a customer would select depends on a number of variables such as their application deployment and administration model, and the vendor mix of products in their environment. These approaches can be summarized as follows: 

    • Migration to Oracle Internet Directory as a common enterprise LDAP directory. In addition to providing directory services for the Oracle e-Business Suite, Oracle Application Server, and Database products, Oracle Internet Directory is also designed to serve as a general purpose LDAP directory service for the enterprise environment. Oracle Internet Directory can currently support hundreds of enterprise applications, and Oracle is actively working with partner application vendors to ensure that their applications are tested to work with Oracle Internet Directory. Such vendors include: Entrust, CA (Netegrity), RSA and Siemens. As a result, one option available to many customers is to migrate their LDAP data to Oracle Internet Directory. This can be done through export/import of LDIF (LDAP Directory Interchange Format) files. Instructions for how to accomplish this are provided in the Oracle Internet Directory Administrator's Guide. In addition, Oracle has released tools designed to automate the migration process (ldifmigrator).  

    • Maintaining distinct Oracle Contexts (only) in Oracle Internet Directory. The Oracle Context contains directory metadata defined and used exclusively by the Oracle environment and, in some cases, selected Oracle partner applications. Customers have the option of deploying Oracle Internet Directory servers to manage only this information. Unification with the rest of the enterprise directory environment is provided through the common X.500/LDAP information model; however, data continues to be administered and accessed on the individual directories.

    • Enabling client interoperability through referrals. Oracle Internet Directory, as well as other third-party LDAP directories, provide a mechanism for supporting directory client referrals. These are implemented through directory referral objects which, when returned in response to a directory query, may be used by a directory client to redirect it to another directory server. Deployments of directory-enabled applications which can run against both Oracle Internet Directory and third party LDAP directory services may use referral objects as a way to maintain a single point of data administration. 

    • Providing coexistence through directory synchronization. This involves using a metadirectory capability to automatically synchronize the contents of the two directories. This approach has the advantage of allowing application administrators to administer directory metadata using the tools and interfaces most familiar to them, while at the same time ensuring that shared data is kept in synch across systems. As stated above, Oracle Internet Directory provides the Directory Integration and Provisioning platform making implementation of such a synchronization solution possible. The Oracle Internet Directory provides out-of-the-box connectors for selected third-party LDAP services beginning with Oracle Application Server 10g (9.0.4). This includes SunONE/iPlanet and Active Directory.

    • Using external authentication mechanisms. In addition to providing for anonymous, simple (password-based), and strong (certificate-based) directory authentication, the LDAP specification also permits the incorporation of external authentication mechanisms such as Kerberos, NT O/S logon, or an external directory service. This capability can be used to support the same level of directory interoperability as directory synchronization, but it would address potential customer concerns about maintaining synchronization processes, replicating encrypted passwords across the network, or dealing with transient inconsistencies in the directory data.

Windows integration

  1. What kinds of security interoperability do Oracle customers seek with the Microsoft Windows environment?
    Customers seeking security interoperability with the Windows environment are often seeking a number of benefits. These may include:

    • A single point of administration of user names, passwords and user preferences.  

    • Role-based administration of groups of applications users in one environment to be reflected in the other.  

    • Automatic provisioning of new users from one application environment into the other.  

    • "Single sign-on" from the Windows environment into the Oracle application, portal, and/or database environment.  

  2. What are the benefits of Windows interoperability?
    These benefits can be classified into three categories:

    • Centralized user and data administration - Once a user account is created, it needs to be maintained and administered. Centralized user and data administration ensures that all of the application-related information associated with a user, such as passwords, roles and application preferences, are administered in one place.  

    • Unified user provisioning - User provisioning refers to the process by which new users are added and deleted from the various enterprise systems. New user provisioning can potentially be driven from a number of different sources, for example HR systems, CRM systems, network administration environments, etc. When a new user is created in one system, automated user provisioning creates the required user account "footprints" in other enterprise applications.  

    • Runtime security service integration - Finally, customers want to be able to provide their users with a transparent runtime experience. This means that the various applications in the enterprise environment are capable of leveraging a common set of security services for purposes of authentication and data privacy.  

  3. What is Oracle's vision for providing interoperability with the Windows security environment?
    Oracle provides transparent interoperability between the Oracle and Microsoft Windows security environments. Some aspects of this solution are:

    • Support for unified user provisioning, centralized user administration and runtime security integration between Windows and the entire Oracle technology stack, including Oracle e-Business Suite, Oracle Application Server 10g and Oracle Database 10g.

    • Flexibility to support multiple security services and modes of authentication (Kerberos, PKI and passwords).  

    • An enterprise-wide solution, which addresses the mixed platform and application environment.  

  4. Why can't I simply replace Oracle Internet Directory with ADS, or another LDAP directory, in my deployment?
    Oracle Internet Directory is an LDAPv3 compliant directory. Furthermore, Oracle's directory-enabled components are implemented using the LDAP standard protocol, so many Oracle products should (at least theoretically) work against third-party directories. There are, however, practical problems with supporting this kind of interoperability in Oracle deployments:

    • The LDAP standard itself defines the wire protocol and data model used by an LDAP directory service. Specific implementation considerations, for example how objects are created and managed, access control policy specification, replication, etc., are details left up to the directory vendors. Oracle's directory-enabled products include installation procedures which define the objects and access controls that they require in Oracle Internet Directory. Customers seeking to support the Oracle product stack with a third-party directory would probably have to implement these schema objects and access controls themselves, complicating the application deployment process.

    • The LDAP specification defines a mechanism for extending the LDAP interface in a standards-compliant way. This allows vendors to implement advanced features such as automatic discovery, directory cache management, and specialized authentication methods. As these features are implemented in Oracle Internet Directory they are leveraged by directory-enabled components in the Oracle stack. A single, common directory service for the Oracle stack eliminates potential performance and compatibility issues with these extensions.   

    • There is also the practical issue of certification testing with third-party directories. The Oracle technology stack is being developed to make pervasive use of the Oracle LDAP directory service across multiple product components. Testing of each of these components with every possible combination of platforms, operating systems, and release levels, and then maintaining, communicating and understanding these "certification matrices" would greatly complicate the customer deployment process.   

  5. How do I integrate Oracle Internet Directory with the Windows directory environment?
    Oracle Internet Directory integrates with the Windows directory environment through a set of services and interfaces included with the product called Directory Integration and Provisioning. This capability makes it possible for Oracle Internet Directory to synchronize selected directory information with external repositories such as NT Domains and ADS. Deployment of such a synchronization solution requires deployment of a metadirectory "connector", a combination of agents and connection profile information which makes such synchronization possible. Beginning with Oracle Application Server 10g (9.0.4), Oracle offers prepackaged connectors for the Windows environment.

  6. Will password synchronization be necessary to implement this solution? 
    No. Oracle Internet Directory includes a plug-in architecture which permits integration of Oracle Internet Directory with external authentication mechanisms, such as those used by Windows. The Windows authentication plug-in is a prepackaged capability shipped with Oracle Internet Directory. This allows Oracle's directory-enabled security components to manage user information in Oracle Internet Directory while using the credentials stored in Windows as the authentication source of truth. Besides the external authentication plug-in, Oracle provides Windows Native Authentication. This allows Oracle components like Oracle SSO or Oracle Database to use Microsoft's Kerberos tickets as authentication mechanisms.


Product availability

  1. On which platforms is Oracle Internet Directory available?
    Oracle Internet Directory is currently available and supported on all platforms supported by Oracle products.  To answer specific questions about version/platform availability of Oracle Internet Directory, visit the Product Certifications page on the Oracle Technology Network - choose "View Certifications by Product" followed by "Internet Products" followed by "Oracle Internet Directory".  Specify the platform of your choice to find all supported versions of Oracle Internet Directory which run and are supported on that platform.


Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065

Worldwide Inquiries:
+1.650.506.7000
Fax +1.650.506.7200
http://www.oracle.com/

Copyright © Oracle Corporation 2005
All Rights Reserved

This document is provided for informational purposes only,
and the information herein is subject to change
without notice.  Please report any errors herein to
Oracle Corporation.  Oracle Corporation does not provide
any warranties covering and specifically disclaims any
liability in connection with this document.

Oracle is a registered trademark of Oracle Corporation.

All other company and product names mentioned are used
for identification purposes only and may be trademarks of
their respective owners.
