Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02

2.1 Authentication in Oracle Directory Integration and Provisioning

Authentication is the process by which the Oracle directory server establishes the true identity of the user connecting to the directory. It occurs when an LDAP session is established by means of the ldapbind operation.

It is important that each component in Oracle Directory Integration and Provisioning be properly authenticated before it is allowed access to the directory.

This section contains these topics:

2.1.1 Secure Sockets Layer (SSL) and Oracle Directory Integration and Provisioning

You can deploy Oracle Directory Integration and Provisioning with or without Secure Sockets Layer (SSL). The SSL implementation supports these modes:

  • No authentication—Provides SSL encryption of data, but does not use SSL for authentication.

  • SSL server authentication—Includes both SSL encryption of data and SSL authentication of the server to the client. In Oracle Directory Integration and Provisioning, the server is the directory server and the client is the directory integration and provisioning server.

    The server verifies its identity to the client by sending a certificate issued by a trusted certificate authority (CA). This mode requires a public key infrastructure (PKI) and SSL wallets to hold the certificates.

To use SSL with Oracle Directory Integration and Provisioning, you must start both the Oracle directory server and Oracle directory integration and provisioning server in the SSL mode.
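The two SSL modes listed above differ only in whether the client verifies the directory server's certificate. The following added example (not Oracle code, and not the DIP server's own configuration) shows the two client-side TLS configurations side by side using Python's standard `ssl` module: the "no authentication" mode encrypts but accepts any certificate, so it cannot distinguish the real directory server from an impostor terminating TLS; the "server authentication" mode requires a certificate that chains to a trusted CA and matches the host name. The `ca_bundle` argument is an assumption standing in for a PEM export of the trusted CA certificate held in the wallet.

```python
"""Client-side TLS settings for the two SSL modes described in the text.
Added example, not Oracle code. The CA bundle path is the deployer's choice
(assumption: a PEM file containing the CA that issued the directory server's
certificate)."""
import socket
import ssl
from typing import Optional


def no_authentication_context() -> ssl.SSLContext:
    """'No authentication' mode: data is encrypted, but the server's certificate
    is not verified, so any peer that speaks TLS is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_authentication_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """'SSL server authentication' mode: the server must present a certificate
    issued by a trusted CA and its name must match the host we connected to.
    With ca_bundle=None the platform's default CA store is used instead."""
    # create_default_context sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context for review/logging."""
    return {
        "verifies_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def open_verified_ldaps_connection(host: str, port: int = 636,
                                   ca_bundle: Optional[str] = None) -> ssl.SSLSocket:
    """Connect to an LDAPS port in server-authentication mode. wrap_socket raises
    ssl.SSLCertVerificationError if the chain or host name does not verify, which
    is exactly the failure the 'no authentication' mode would silently ignore."""
    ctx = server_authentication_context(ca_bundle)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("no authentication:    ", describe(no_authentication_context()))
    print("server authentication:", describe(server_authentication_context()))
```

`describe()` is the part worth wiring into a deployment check: a context whose `verifies_server_cert` is `False` gives confidentiality against passive observers only, which is what the "no authentication" mode above means in practice.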


See Also:

The chapter on preliminary tasks and information in Oracle Internet Directory Administrator's Guide for instructions on starting the Oracle directory server in SSL mode

2.1.2 Oracle Directory Integration and Provisioning Server Authentication

You can install and run multiple instances of the directory integration and provisioning server on various hosts. However, when you do this, beware of a malicious user either posing as the directory integration and provisioning server or using an unauthorized copy of it.

To avoid such security issues:

  • Ensure that each directory integration and provisioning server is identified properly

  • Ensure that, when you start a directory integration and provisioning server, it is properly authenticated before it obtains access to Oracle Internet Directory

2.1.2.1 Non-SSL Authentication

To use non-SSL authentication, register each directory integration and provisioning server by using the registration tool called odisrvreg.

The registration tool creates:

  • An identity entry in the directory. The directory integration and provisioning server uses this entry when it binds to the directory.

  • An encrypted password. The registration tool stores this password in the directory integration and provisioning server entry.

  • A private wallet on the local host. This wallet contains the security credentials, including the encrypted password. The name of the wallet is specified in the odi.properties file, and the wallet is stored in the $ORACLE_HOME/ldap/odi/conf directory.

When it binds to the directory, the directory integration and provisioning server uses the encrypted password in the private wallet.


Note:

Ensure that the wallet is protected against unauthorized access.
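The wallet holds the credential the server binds with, so the practical check behind the note above is that nothing but the account running the directory integration and provisioning server can read it. The following added example (not part of Oracle's tooling) audits a configuration directory such as $ORACLE_HOME/ldap/odi/conf and every file in it for group/other permission bits, foreign ownership, and symbolic links; the directory path is passed in by the caller, and the files created in the usage section are constructed for illustration.

```python
"""Permission audit for the private wallet directory of the directory integration
and provisioning server. Added example, not Oracle code. Assumes a POSIX file
system; the path to audit is supplied by the caller."""
import os
import stat
import tempfile
from typing import Dict, List

# Any of these bits grants access to someone other than the owner.
_GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def permission_findings(path: str) -> List[str]:
    """Return human-readable findings for one path; an empty list means the path
    is owner-only and owned by the current user."""
    findings = []
    st = os.lstat(path)                      # lstat: do not follow symlinks
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symbolic link; audit its target instead")
        return findings
    if mode & _GROUP_OR_OTHER:
        expected = "0700" if stat.S_ISDIR(st.st_mode) else "0600"
        findings.append(f"{path}: mode {mode:04o} grants group/other access; expected {expected}")
    getuid = getattr(os, "getuid", None)     # absent on Windows
    if getuid is not None and st.st_uid != getuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the current user (uid {getuid()})")
    return findings


def audit_conf_dir(conf_dir: str) -> Dict[str, List[str]]:
    """Audit conf_dir itself and each direct entry in it (wallet files and
    odi.properties). Returns {path: findings} only for paths with findings."""
    results: Dict[str, List[str]] = {}
    for path in [conf_dir] + [os.path.join(conf_dir, n) for n in sorted(os.listdir(conf_dir))]:
        found = permission_findings(path)
        if found:
            results[path] = found
    return results


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a temporary 'conf' directory with a correctly
    protected wallet file and a world-readable one."""
    conf = tempfile.mkdtemp()                # mkdtemp creates the directory 0700
    good = os.path.join(conf, "wallet.sso")
    bad = os.path.join(conf, "odi.properties")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("constructed placeholder\n")
    os.chmod(good, 0o600)
    os.chmod(bad, 0o644)
    return audit_conf_dir(conf)


if __name__ == "__main__":
    for path, findings in demo().items():
        for line in findings:
            print(line)
```

Run against the real directory with `audit_conf_dir(os.path.expandvars("$ORACLE_HOME/ldap/odi/conf"))`; an empty result is the state the note asks for.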


See Also:

"Manually Registering the Oracle Directory Integration and Provisioning Server" for instructions on registering the directory integration and provisioning server

2.1.2.2 Authentication in SSL Mode

The identity of the directory server can be established by starting both Oracle Internet Directory and the directory integration and provisioning server in the SSL server authentication mode. In this case, the directory server provides its certificate to the directory integration and provisioning server, which acts as the client of Oracle Internet Directory.

The directory integration and provisioning server is authenticated by using the same mechanism used in the non-SSL mode.

You can also configure the Oracle directory integration and provisioning server to use SSL when connecting to a third-party directory. In this case, you store the connected directory certificates in the wallet as described in "Managing the SSL Certificates of Oracle Internet Directory and Connected Directories".

2.1.3 Profile Authentication

Within Oracle Internet Directory, an integration profile represents a user with its own DN and password. The users who can access the profiles are:

  • The administrator of Oracle Directory Integration and Provisioning (DIPAdmin), represented by the DN cn=dipadmin,cn=odi,cn=oracle internet directory

  • Members of the Oracle Directory Integration and Provisioning administrator group (DIPAdminGroup), represented by the DN cn=dipadmingroup,cn=odi,cn=oracle internet directory

When the directory integration and provisioning server imports data into Oracle Internet Directory based on an integration profile, it proxy-binds to the directory as that integration profile. The Oracle directory integration and provisioning server can bind in either SSL or non-SSL mode.
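Because profile access is granted to a specific DN and to members of a specific group, any code that decides whether a bind DN may touch profiles has to compare DNs the way the directory does: attribute types and values are matched case-insensitively, and whitespace around commas and equals signs is not significant. The following added example (not Oracle code) implements that check against the two principals named above; the group membership list is a constructed sample, not an entry from a real directory, and the DN normaliser assumes no multi-valued RDNs and no escaped commas inside values.

```python
"""Authorization check for access to integration profiles. Added example, not
Oracle code. DIP_ADMIN_DN and DIP_ADMIN_GROUP_DN are the DNs named in the text;
SAMPLE_GROUP_MEMBERS is a constructed membership list."""
import re
from typing import Iterable

DIP_ADMIN_DN = "cn=dipadmin,cn=odi,cn=oracle internet directory"
DIP_ADMIN_GROUP_DN = "cn=dipadmingroup,cn=odi,cn=oracle internet directory"


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: split on unescaped commas, strip whitespace
    around each attribute type and value, collapse internal runs of spaces in
    values, and lower-case everything (DN matching is case-insensitive).
    Assumption: no multi-valued RDNs ('+') and no escaped commas in values."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(parts)


def may_access_profiles(bind_dn: str, group_members: Iterable[str]) -> bool:
    """True if bind_dn is DIPAdmin or appears in DIPAdminGroup's member list.
    A naive string equality here would wrongly reject 'CN=DipAdmin, CN=ODI, ...'."""
    target = normalize_dn(bind_dn)
    if target == normalize_dn(DIP_ADMIN_DN):
        return True
    return any(target == normalize_dn(member) for member in group_members)


# Constructed sample of uniquemember values on the DIPAdminGroup entry.
SAMPLE_GROUP_MEMBERS = [
    "cn=dipadmin,cn=odi,cn=oracle internet directory",
    "CN=Sync Operator, CN=Users, DC=example, DC=com",
]


if __name__ == "__main__":
    for dn in ("CN=DipAdmin, CN=ODI, CN=Oracle Internet Directory",
               "cn=sync operator,cn=users,dc=example,dc=com",
               "cn=orcladmin"):
        print(f"{dn!r}: {may_access_profiles(dn, SAMPLE_GROUP_MEMBERS)}")
```

In a real deployment the member list would be read from the group entry rather than hard-coded; the point of the example is the normalisation step, which is where ad hoc access checks usually go wrong.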