Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) B14082-02
This section provides a brief description of new features introduced with the latest releases of Oracle Internet Directory, and points you to more information about each one. It contains these topics:
New Features Introduced with Oracle Internet Directory 10g Release 2 (10.1.2)
New Features Introduced with Oracle Internet Directory 10g (9.0.4)
New Features Introduced with Oracle Internet Directory Release 9.0.2
New Features Introduced with Oracle Internet Directory Release 3.0.1
New Features Introduced with Oracle Internet Directory Release 2.1.1
Note: The following chapters have been moved to Oracle Application Server High Availability Guide:
The following appendixes have been rewritten as chapters in Oracle Identity Management User Reference:
Improved integration with other components—New features provide better integration with components such as Oracle Collaboration Suite. These features include service-to-service authentication, the service registry, and verifier generation using dynamic parameters.
Support for Certificate Matching Rule—External authentication using certificates can now take either of two forms: an exact match, in which the subject DN of the client certificate is used to authenticate the user, or a certificate hash, in which the client certificate is hashed and is then compared with a certificate hash stored in the directory.
Ease of deployment for Replication—Replication is now much easier to install, configure, and manage.
Ease of deployment for Clusters—Cluster configurations are now much easier to install, configure, and manage.
Enforcing access control for Oracle Internet Directory super user—The super user is now subject to access control policies like any other user. New ACL keywords allow you to restrict super user access through privileged groups.
Oracle Internet Directory Server Diagnostic Tool—The OID Diagnostic Tool collects diagnostic information that helps triage issues reported on Oracle Internet Directory.
Integration with the Microsoft Windows environment—You can integrate the Oracle Application Server infrastructure with the Microsoft Windows Operating System—including Microsoft Active Directory and Microsoft Windows NT 4.0. This integration is achieved by using the Active Directory Connector in Oracle Directory Integration and Provisioning and plug-ins.
See Also: The chapter on integration with Microsoft Windows in the Oracle Identity Management Integration Guide
External authentication support—You can store user security credentials in a repository other than Oracle Internet Directory—for example, a database or another LDAP directory such as Microsoft Active Directory or SunONE Directory Server. You can then use these credentials for user authentication.
Dynamic groups—You can create and use dynamic groups whose membership, rather than being maintained in a list, is computed on the fly, based on assertions that you specify.
Query optimization—In searches, some attributes have very different response times depending on their values. You can make the response times of search operations for such attributes uniform, which enhances performance.
Garbage collection framework—A garbage collector is a background database process that removes obsolete data from the directory. The Oracle Internet Directory garbage collection framework provides a default set of garbage collectors, and enables you to modify them.
Simple Authentication and Security Layer (SASL) support—Oracle Internet Directory supports the use of SASL, a method for adding authentication support to connection-based protocols. To use it, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.
Logging enhancements—This release of Oracle Internet Directory provides the following enhancements to logging and tracing:
Object-based tracing for operations associated with thread and connection identifiers. This facilitates non-interleaved and coherent logging for each LDAP operation in a multithreaded environment.
Selective tracing for chosen operations by using the operation dimension.
Structured, meaningful trace messages with additional information including thread identifier and criticality.
OID Migration Tool (ldifmigrator) enhancements—You can use this tool to reconcile data with that in an existing directory, and to directly load data into Oracle Internet Directory.
Client side referral caching—This new feature enables clients to cache referral information and use it to speed up referral processing.
Fan-out and partial replication support—Oracle Internet Directory now supports:
Partial replication—that is, propagation of one or more naming contexts, rather than the entire DIT, to another node
Fan-out replication, in which a consumer, having received changes from a supplier, can then replicate those changes to one or more other consumers. Fan-out replication can be either full or partial.
Password policy enhancements—New password policy capabilities in Oracle Internet Directory include:
Password history
Unlocking of accounts
Forced password change upon first login
Self-resetting of password in case of account lockout or forgotten passwords
Super user account lockout requiring reset.
IP-based account lockout
Password policy enablement or disablement by using a single attribute in the password policy entry
Security credential storage enhancements—New security credential storage capabilities in Oracle Internet Directory include:
Generation of O3logon verifier for enterprise users
Generation of a default set of verifiers for application bootstrapping
Generation of SASL/MD5 verifiers for directory authentication
Replication Environment Management Tool—This tool ensures that Oracle Advanced Replication is properly configured for directory replication. In the event of a directory replication failure, this tool looks for common problems and seeks to rectify them. If it cannot solve the problem, then it gives you a report of the nature of the problem and points you to a possible solution.
Server discovery by using DNS—This feature enables the location of a directory server in a distributed environment to be discovered dynamically by using the domain name system (DNS). Rather than storing server location information statically in an ldap.ora file on the client, that information is stored and managed in a central domain name server. The client, at request processing time, retrieves this information from the domain name server.
Bulkload tool enhancements—You can now use bulkload to add a large volume of entries to a non-empty directory. For example, you can add one million entries to a directory that has one million entries already. You can also incrementally add a medium-size number of entries to a large directory. For example, you can add 50,000 entries at a time to a directory that has five million entries already.
Oracle Application Server Cluster (Identity Management) directory server configuration support—This configuration provides high availability of a directory server by running multiple directory server instances on different hardware nodes. The directory servers are connected to the same underlying data store, which is an Oracle Database.
See Also: "Oracle Application Server Cluster (Identity Management) Configurations" in Oracle Application Server High Availability Guide
Two-way provisioning between Oracle Internet Directory and other application directories—The Oracle Directory Provisioning Integration Service can send notification of provisioning events bidirectionally between Oracle Internet Directory and other applications.
See Also: The chapter on provisioning service concepts in the Oracle Identity Management Integration Guide
Integration of provisioning data with the Oracle E-Business Suite—You can synchronize user accounts and other user information from the Oracle E-Business Suite to Oracle Internet Directory by using the Oracle Directory Provisioning Integration Service.
See Also: The chapter on integration with the Oracle E-Business Suite in the Oracle Identity Management Integration Guide
Installation of Oracle Internet Directory on Oracle Real Application Clusters—You can install Oracle Internet Directory on Oracle Real Application Clusters. When you do this, both the software and schema for Oracle Internet Directory are installed on the primary node, while only the software is installed on the secondary nodes.
See Also: The installation documentation for this release of Oracle Internet Directory
Oracle Directory Manager enhancements—Oracle Directory Manager now enables you to manage the following:
Attribute uniqueness
Plug-ins
Garbage collection
Change logs
Replication
Query optimization
Debug logging to a finer degree than previously
Enhancement of ACLs
Oracle Internet Directory Self-Service Console enhancements—Oracle Internet Directory Self-Service Console, a graphical administrative tool built with Oracle Delegated Administration Services units, enables you to manage the following:
Realms
Services
Accounts
Password resetting
Oracle Internet Directory Self-Service Console also enables you to view your organization chart, and users to edit their own profiles.
See Also: The chapter about the Oracle Internet Directory Self-Service Console in Oracle Identity Management Guide to Delegated Administration
Upgrade procedures
See Also: Oracle Application Server Upgrade and Compatibility Guide for information about upgrading from an earlier version of Oracle Internet Directory
This section describes an important new feature employing the capabilities of Oracle Internet Directory. It also explains changes in Oracle Internet Directory since Release 9.0.2.
User Migration Utility for bulk-migrating database users to Oracle Internet Directory—This utility, released with Oracle Advanced Security Release 2 (9.2), enables you to migrate users from a local or external database to Oracle Internet Directory. Use it to store and centrally manage thousands of users in Oracle Internet Directory.
See Also: The chapter about migrating local or external users to enterprise users in Oracle Advanced Security Administrator's Guide
This section describes the new features introduced with Oracle Internet Directory Release 9.0.2.
Server-side entry caching—This feature reduces directory query latency for LDAP clients. By configuring a server-side entry cache based on naming context, identity of client, or other available parameters, Oracle Internet Directory ensures that previously retrieved entries and their attributes are stored in shared memory, and are thus available to subsequent data requestors. Queries that conform to the configured parameters then need only retrieve a small subset of data—internal globally unique identifiers (GUIDs)—for filter-matching entries from the directory. These returned GUIDs are then used as a fast lookup mechanism into the cached entry and attribute data, which is then returned to the client.
New directory integration capabilities—Oracle Internet Directory Release 9.0.2 introduces new kinds of connectivity with other applications and repositories, both Oracle-built and otherwise. The new Oracle Directory Provisioning Integration Service and Oracle Directory Synchronization Service are built upon Oracle Directory Integration and Provisioning (introduced with Oracle Internet Directory v2.1.1.1 in the Oracle8i Release 3 time frame).
Oracle Directory Provisioning Integration Service—Provisioning is the process of granting or revoking a user's access to application resources based on business rules. The user may be either a human end user or an application.
The Oracle Directory Provisioning Integration Service ensures that subscribing applications or business entities are alerted to updates in Oracle Internet Directory, keeping local repositories in sync. It enables you to synchronize local, application-specific information by using Oracle Internet Directory as a source of truth.
Oracle Directory Synchronization Service and the LDAP connector—The Oracle Directory Synchronization Service enables near-complete leveraging of previously-deployed infrastructure, including but not limited to ERP and CRM systems, third-party LDAP directories, and NOS user repositories. It enables you to synchronize information between enterprise directories and Oracle Internet Directory. This allows for centralized administration, thereby reducing administrative costs. It ensures that data is consistent and up-to-date across the enterprise.
Enterprise password policy management enhancements—You can now construct password policies to ensure:
Expiration dates
Grace periods
Minimum password lengths
Approved password syntaxes and retry limits
Lockout of those attempting to gain illicit access to the directory service after a certain number of failed attempts
You can now use salted SHA as a hashing algorithm. This means that you can now select from these available hashing algorithms:
MD4—A one-way hash function that produces a 128-bit hash
MD5—An improved, and more complex, version of MD4
SHA—Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
You can also use salted SHA. A salt is a random value that is combined with the password before it is hashed and is then stored together with the resulting hash value. Because each stored hash depends on its own salt, a precomputed dictionary cannot be reused across accounts, which makes recovering the value that was originally hashed extremely expensive.
UNIX Crypt—The UNIX encryption algorithm
No Hashing
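As an added illustration (not code from the Oracle documentation or product), the following Python contrasts an unsalted SHA verifier with a salted one using the {SHA}/{SSHA} userPassword encoding common to LDAP directories; that encoding is assumed here for illustration only, not as a description of how Oracle Internet Directory stores its verifiers.

```python
# Added illustration, not Oracle's code: unsalted {SHA} vs salted {SSHA}
# password verifiers in the userPassword encoding used by many LDAP directories.
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length in bytes


def sha_verifier(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same verifier."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1: digest = SHA1(password || salt). The salt is stored
    right after the digest so the server can recompute the hash at bind time."""
    if salt is None:
        salt = os.urandom(8)  # a fresh random salt for every stored password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} verifier."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        raise ValueError("unsupported verifier scheme: " + stored[:8])
    # constant-time comparison avoids leaking where the digests differ
    return hmac.compare_digest(candidate, digest)


def reuse_visible(password: str) -> dict:
    """Show why the salt matters: two accounts sharing a password get
    identical {SHA} verifiers (one precomputed table covers both), but
    distinct {SSHA} verifiers that each require their own computation."""
    return {
        "sha_equal": sha_verifier(password) == sha_verifier(password),
        "ssha_equal": ssha_verifier(password) == ssha_verifier(password),
    }


if __name__ == "__main__":
    stored = ssha_verifier("correct horse")  # constructed sample password
    print(stored, verify("correct horse", stored), verify("wrong", stored))
    print(reuse_visible("correct horse"))
```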
Attribute uniqueness—In the prior Oracle Internet Directory architecture, the only way to enforce attribute uniqueness was to make an attribute a part of your DN. This worked well with the user identifier (if used as the RDN), but it was not always appropriate and easy to configure. Within a level of a branch of the tree, it was guaranteed to be unique. For example, if your DN was uid=dlin,ou=people,o=oracle, then the RDN dlin would be unique directly under ou=people,o=oracle. However, you could have the same user identifier in another branch—for example, uid=dlin,ou=others,o=oracle. In short, attribute uniqueness was guaranteed only under a given branch, and only within one level.
Attributes other than dn can be used as unique keys of applications synchronizing with Oracle Internet Directory. The ability of Oracle Internet Directory to enforce attribute uniqueness enables all applications to have their own notions of "user," and to synchronize their user base with a user repository stored in an enterprise Oracle Internet Directory server.
Multiple password verifier support—Oracle Internet Directory can now store passwords for multiple applications and protocols. For example, four-digit Personal Identification Numbers (PINs) for voicemail can sit alongside longer alphanumeric single sign-on passwords and X.509 v3 digital certificates for the same user. This new feature gives the application developer far greater flexibility for directory-enabling their product stack.
Expanded proxy user capabilities—This new feature enables a developer to exploit the power of the middle tier more effectively. Users no longer need to establish independent, unrelated sessions with the directory. If a middle-tier from Oracle Application Server or elsewhere invokes the proxy user bind method on behalf of numerous clients in succession, then Oracle Internet Directory respects each client's credential and privileges respectively, even though the agent doing the actual binding remains unchanged throughout.
Integration with Oracle Application Server components—Through the Oracle Directory Provisioning Integration Service, Oracle Internet Directory Release 9.0.2 serves as a central component of the Oracle Application Server. Every component of Oracle Application Server now uses Oracle Internet Directory for storing common cross-component metadata, such as valid user identifiers and their passwords.
Enterprise Manager integration—You can start, stop, and monitor Oracle Internet Directory instances by using the standard, newly-enhanced Enterprise Manager console. You can perform system diagnostics on running Oracle Internet Directory instances, and generate performance graphs to determine ongoing performance and peak load times.
Oracle Directory Manager enhancements—Oracle Internet Directory's standalone, 100% Java administration console, Oracle Directory Manager, has now evolved in many ways. You can use it to:
Configure realms
Construct password policies
Configure Oracle Directory Synchronization Service and Oracle Internet Directory connectors and agents
In general, any directory-specific configuration or maintenance task not available at the high-level Oracle Enterprise Manager GUI can now be done through Oracle Directory Manager as well as command-line interfaces supplied with Oracle Internet Directory.
Server-side plug-in framework—This new feature enables directory applications to roll out advanced capabilities such as referential integrity/cascading deletions of LDAP objects, external authentication of directory clients, brokered access, and synchronization with external relational tables. The plug-ins are executable before or after an LDAP command takes place, without the traditional risks of such technologies.
Entry alias dereferencing—The LDAP v3 standard requires that all entries in a directory have globally unique identifiers known as distinguished names. These are typically fairly long and cumbersome to use, so Oracle Internet Directory provides this new feature to automatically dereference IETF-standard alias objects used to point to a fully-qualified LDAP distinguished name. For example, "DavesServer1" can be used as an entry alias or pointer to the actual directory entry named dc=server1,dc=us,dc=oracle,dc=com. Oracle Internet Directory stores, parses, and chases all alias references for complete client-side transparency.
Delegated Administration Service
The Oracle Delegated Administration Services is a set of individual, pre-defined services—called Oracle Delegated Administration Services units—for performing directory operations on behalf of a user. It makes it easier to develop and deploy administration solutions for both Oracle directory-enabled applications and other directory-enabled applications that use Oracle Internet Directory.
Administrators can now use the Oracle Delegated Administration Services and its accompanying console to:
Create other regional or departmental administrators
Grant them specific, delegated permissions to administer users for a particular region or department
The Oracle Internet Directory Self-Service Console, a new component of the Oracle Delegated Administration Services, enables you to flexibly administer applications, realms, and end users either from a central team or through decentralization and delegation. It provides:
A unified resource for directory administrators, directory service subscribers, and end users
A view of an authorized end user's personalized preferences and the ability to update their Oracle Application Server Single Sign-On password
An intuitive user interface for searching for people and other directory-based resource information within Oracle Internet Directory.
You can use the Oracle Internet Directory Self-Service Console to configure the object classes, user groups, permissions, and other elements of directory information metadata stored in Oracle Internet Directory.
See Also: The chapter on the Oracle Internet Directory Self-Service Console in Oracle Identity Management Guide to Delegated Administration
Upgrade procedures
These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1 and release 3.0.1.
This section describes the new features introduced with Oracle Internet Directory Release 3.0.1.
Failover in cluster configurations
This new feature enables you to increase high availability by using logical hosts—as opposed to physical hosts—in clustered environments.
See Also: "Oracle Application Server Cold Failover Cluster (Identity Management)" in Oracle Application Server High Availability Guide
Failover in an Oracle Real Application Clusters environment
Oracle Real Application Clusters is a computing environment that harnesses the processing power of multiple, interconnected computers. Along with a collection of hardware, called a cluster, it unites the processing power of each component to become a single, robust computing environment. A cluster comprises two or more computers, also called nodes.
You can run Oracle Internet Directory in an Oracle Real Application Clusters system.
See Also: "The Directory in an Oracle Real Application Clusters Environment" in Oracle Application Server High Availability Guide
Support for logical hosts—Oracle Internet Directory Release 3.0.1 enables you to increase high availability by using logical hosts—as opposed to physical hosts—in clustered environments. A logical host consists of one or more disk groups, and pairs of host names and IP addresses. It is mapped to a physical host in the cluster. This physical host services the host name and IP address of the logical host.
In this paradigm, the directory server binds to the logical host, rather than the physical host. It maintains this connection even if the logical host fails over to a new physical host.
A client connects to the directory server by using the logical host name and address of the server. If the logical host fails over to a new physical host, then that failover is transparent to the client.
See Also: "Oracle Application Server Cold Failover Cluster (Identity Management)" in Oracle Application Server High Availability Guide
Capability to run multiple Oracle Internet Directory instances on the same host
This new feature enables you to run more than one installation of Oracle Internet Directory on a single host. You can then replicate between them or use this new feature as part of a failover strategy.
Oracle Directory Integration and Provisioning
This new feature enables you to synchronize various directories with Oracle Internet Directory. It also makes it easier for third party metadirectory vendors and developers to develop and deploy their own connectivity agents.
Password policy management
Password policy management enables you to establish and enforce rules for how passwords are used.
Performance and scalability enhancements
Upgrade procedures
These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1.
UTF8 restriction removed
The Oracle directory server and database tools are no longer restricted to running on a UTF8 database. However, data loss can occur during add, delete, modify, or modifydn operations if the character set of the data in the client request differs from that of the directory server database repository and the client data cannot be mapped to the database character set. If the database underlying the Oracle directory server is neither AL32UTF8 nor UTF8, then be sure that all characters in the client character set are included in the database character set, with the same or different character codes.
This section describes the new features introduced with Oracle Internet Directory release 2.1.1.
Attribute options, including language codes
Attribute options enable you to specify how the value for an attribute is made available in a search or a compare operation. For example, suppose that an employee has two addresses, one in London, the other in New York. Options for that employee's address attribute could allow you to store both addresses. Users could then search for either address.
Attribute options can include language codes. For example, options for John Doe's givenName attribute could enable you to store his given name in both French and Japanese. A user could then search for the name in either language.
Change log purging enhancements
These enhancements enable you to specify the type of change log purging to use: change number-based or time-based.
Enhanced support for these operational attributes: creatorsName, createTimestamp, modifiersName, and modifyTimestamp
This enhanced support enables you to use one or more of these attributes in searches.
Migration from other LDAP-compliant directories
This new feature enables you to migrate data from other LDAP v3-compatible directories into Oracle Internet Directory.
Object class explosion
Object class explosion enables you to add or perform an operation on an entry without specifying the entire hierarchy of superclasses associated with that entry.
See Also: "Guidelines for Adding Object Classes" for an explanation of how to use this feature when adding object classes
OID Database Statistics Collection tool
This tool assists in capacity planning. It helps you analyze the various database schema objects so that you can estimate the statistics.
See Also: The "oidstats.sql" command-line tool reference in Oracle Identity Management User Reference
Password protection enhancements
This new feature enhances the available password protection by storing passwords as hashed values. Storing passwords as one-way hashed values—rather than as encrypted values—more fully secures them because a malicious user can neither read nor decrypt them. You can select one of the following hashing algorithms:
MD4—A one-way hash function that produces a 128-bit hash
MD5—An improved, and more complex, version of MD4
SHA—Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
UNIX Crypt—The UNIX encryption algorithm
No Hashing
Replication tools
The following new replication tools are now added:
Human Intervention Queue Manipulation tool
This tool enables you to move changes from the human intervention queue to either the retry queue or the purge queue.
OID Reconciliation Tool
This tool enables you to synchronize conflicting changes in a replicated environment.
Replication node deletion
This new feature enables you to delete a node from a directory replication group.
Synchronization with multiple directories in a metadirectory environment (release 2.1.1 only)
If you are working in a metadirectory environment, then this new feature enables you to synchronize multiple directories with Oracle Internet Directory.
Note: This feature was replaced in Release 3.0.1 by Oracle Directory Integration and Provisioning. See the chapter on concepts and components in the Oracle Identity Management Integration Guide.
Upgrade procedures (release 2.1.1 only)
These new procedures enable you to upgrade from either Oracle Internet Directory release 2.0.4.x or release 2.0.6. Not supported in release 2.1.1.1 or in release 3.0.1.