What's New in Oracle Internet Directory?

This section provides a brief description of new features introduced with the latest releases of Oracle Internet Directory, and points you to more information about each one. It contains these topics:

• New Features Introduced with Oracle Internet Directory Release 9.0.2

• New Features Introduced with Oracle Internet Directory Release 3.0.1

• New Features Introduced with Oracle Internet Directory Release 2.1.1

New Features Introduced with Oracle Internet Directory Release 9.0.2

This section describes the new features introduced with Oracle Internet Directory Release 9.0.2.

Enhanced Performance and High Availability

• Server-side entry caching--This feature reduces directory query latency for LDAP clients. By configuring a server-side entry cache based on naming context, identity of client, or other available parameters, Oracle Internet Directory ensures that previously retrieved entries and their attributes are stored in shared memory, and are thus available to subsequent data requestors. Queries that conform to the configured parameters then need only retrieve a small subset of data--internal globally unique identifiers (GUIDs)--for filter-matching entries from the directory. These returned GUIDs are then used as a fast lookup mechanism into the cached entry and attribute data, which is then returned to the client.

  See Also: "Entry Caching"

• New directory integration capabilities--Oracle Internet Directory Release 9.0.2 introduces new kinds of connectivity with other applications and repositories, both Oracle-built and otherwise. The new Oracle Provisioning Integration Service and Oracle Directory Synchronization Service are built upon the Oracle Directory Integration platform (introduced with Oracle Internet Directory v2.1.1.1 in the Oracle8i Release 3 timeframe).
  • Oracle Provisioning Integration Service--Provisioning is the process of granting or revoking a user's access to application resources based on business rules. The user may be either a human end user or an application.

    The Oracle Provisioning Integration Service ensures that subscribing applications or business entities are alerted to updates in Oracle Internet Directory for the purpose of keeping local repositories in synch. It enables you to synchronize local, application-specific information by using Oracle Internet Directory as a source of truth.

  • Oracle Directory Synchronization Service and the LDAP connector--The Oracle Directory Synchronization Service enables near-complete leveraging of previously-deployed infrastructure, including but not limited to ERP and CRM systems, third-party LDAP directories, and NOS user repositories. It enables you to synchronize information between enterprise directories and Oracle Internet Directory. This allows for centralized administration, thereby reducing administrative costs. It ensures that data is consistent and up-to-date across the enterprise.

    See Also: Chapter 28, "Oracle Directory Integration Platform Concepts and Components"

• Enterprise password policy management enhancements--You can now construct password policies to ensure:
  • Expiration dates

  • Grace periods

  • Minimum password lengths

  • Approved password syntaxes and retry limits

  • Lockout of those attempting to gain illicit access to the directory service after a certain number of failed attempts

  You can now use salted SHA as a hashing algorithm. This means that you can now select from these available hashing algorithms:

  • MD4--A one-way hash function that produces a 128-bit hash

  • MD5--An improved, and more complex, version of MD4

  • SHA--Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.

    You can also use salted SHA. A salt is a random number added to and stored with the hash value. It prevents pre-computed dictionary attacks by making it extremely expensive to recover the value that was originally hashed.

  • UNIX Crypt--The UNIX encryption algorithm

  • No Hashing

    See Also: "Protection of User Passwords for Directory Authentication" for a conceptual discussion Chapter 18, "Password Policies" for instructions on setting password hashing

• Attribute uniqueness--In the prior Oracle Internet Directory architecture, the only way to enforce attribute uniqueness was to make an attribute a part of your DN. This worked well with the user identifier (if used as the RDN), but it was not always appropriate and easy to configure. Within a level of a branch of the tree, it was guaranteed to be unique. For example, if your DN was uid=dlin, ou=people, o=oracle, then this would be unique directly under ou=people. However, you could have the same user identifier in another branch--for example, uid=dlin, ou=others, o=oracle. In short, attribute uniqueness was guaranteed only under a given branch, and only within one level.

  The applications Oracle Internet Directory synchronizes with can use attributes other than DN as their unique keys. The ability of Oracle Internet Directory to enforce attribute uniqueness enables all applications their own notions of "user," to synchronize their user base with a user repository stored in an enterprise's Oracle Internet Directory server.

• Multiple password verifier support--Oracle Internet Directory can now store passwords for multiple applications and protocols. For example, four-digit Personal Identification Numbers (PINs) for voicemail can sit alongside longer alphanumeric single sign-on passwords and X509 v3 digital certificates for the same user. This new feature gives the application developer far greater flexibility for directory-enabling their product stack.

  See Also: Chapter 17, "Directory Storage of User Authentication Credentials"

• Expanded proxy user capabilities--This new feature enables a developer to exploit the power of the middle tier more effectively. Users no longer need to establish independent, unrelated sessions with the directory. If a middle-tier fromOracle9i Application Server or elsewhere invokes the proxy user bind method on behalf of numerous clients in succession, then Oracle Internet Directory respects each client's credential and privileges respectively, even though the agent doing the actual binding remains unchanged throughout.

  See Also: Chapter 11, "Directory Security Concepts" "Managing Super Users, Guest Users, and Proxy Users"

• Integration with Oracle9i Application Server components--Through the Oracle Provisioning Integration Service, Oracle Internet Directory Release 9.0.2 serves as a central component of the Oracle9i Application Server. Every component of Oracle9i Application Server now uses Oracle Internet Directory for storing common cross-component metadata, such as valid user identifiers and their passwords.

  See Also: Chapter 15, "Oracle Components and Oracle Internet Directory"

• Delegated Administration Service Self-Service Console--This new feature enables you to flexibly administer applications, subscribers, and end users either from a central team or through decentralization and delegation.

  The Delegated Administration Service Self-Service Console gives authorized end users a view of their personalized preferences and the ability to update their Oracle9iAS Single Sign-On password. It provides an intuitive user interface for searching for people and other directory-based resource information within Oracle Internet Directory.

  You can use the Self-Service Console to configure the object classes, user groups, permissions, and other elements of directory information metadata stored in Oracle Internet Directory.

  See Also: Chapter 9, "The Delegated Administration Service"

• Enterprise Manager integration--You can start, stop, and monitor Oracle Internet Directory instances by using the standard, newly-enhanced Enterprise Manager console. You can perform system diagnostics on running Oracle Internet Directory instances, and generate performance graphs to determine ongoing performance and peak load times.

  See Also: Monitoring, Debugging, and Auditing the Directory Server

• Oracle Directory Manager enhancements--Oracle Internet Directory's standalone, 100% Java administration console, Oracle Directory Manager, has now evolved in many ways. You can use it to:
  • Configure hosted subscriber domains

  • Construct password policies

  • Configure Oracle Directory Synchronization Service and Oracle Internet Directory connectors and agents

  In general, any directory-specific configuration or maintenance task not available at the high-level OEM GUI is now doable through ODM, as well as command-line interfaces supplied with Oracle Internet Directory.

  See Also: Chapter 4, "Directory Administration Tools"

• Server-side plug-in framework--This new feature enables directory applications to roll out advanced capabilities such as referential integrity/cascading deletions of LDAP objects, external authentication of directory clients, brokered access, and synchronization with external relational tables. The plug-ins are executable before or after an LDAP command takes place, without the traditional risks of such technologies.

  See Also: Chapter 27, "Oracle Internet Directory Plug-in Framework"

• Entry alias dereferencing--The LDAP v3 standard requires that all entries in a directory have globally unique identifiers known as distinguished names. These are typically fairly long and cumbersome to use, so Oracle Internet Directory provides this new feature to automatically dereference IETF-standard alias objects used to point to a fully-qualified LDAP distinguished name. For example, "DavesServer1" can be used as an entry alias or pointer to the actual directory entry named dc=server1, dc=us, dc=oracle, dc=com. Oracle Internet Directory stores, parses, and chases all alias references for complete client-side transparency.

  See Also: "Dereferencing Alias Entries"

• Delegated Administration Service enhancements

  Administrators can now use the Delegated Administration Service and its accompanying console to:

  • Create other regional or departmental administrators

  • Grant them specific, delegated permissions to administer users for a particular region or department

  The Oracle Internet Directory Self-Service Console provides a unified resource for directory administrators, directory service subscribers, and end users.

  See Also: Chapter 9, "The Delegated Administration Service"

• Upgrade procedures

  These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1. and release 3.0.1.

  See Also: Appendix E, "Upgrading Oracle Internet Directory"

New Features Introduced with Oracle Internet Directory Release 3.0.1

This section describes the new features introduced with Oracle Internet Directory Release 3.0.1.

• Capability to run multiple Oracle Internet Directory instances on the same host

  This new feature enables you to run more than one installation of Oracle Internet Directory on a single host. You can then replicate between them or use this new feature as part of a failover strategy.

  See Also: "Running Multiple Installations of Oracle Internet Directory on One Host"

• Delegated Administration Service

  This new service enables directory users to modify their own personal data--such as addresses, phone numbers, and photos--without the intervention of an administrator. It also enables users to search other parts of the directory to which they have access. This frees directory administrators for other tasks in the enterprise.

  See Also: Chapter 9, "The Delegated Administration Service"

• Failover in cluster configurations

  This new feature enables you to increase high availability by using logical hosts--as opposed to physical hosts--in clustered environments.

  See Also: Chapter 25, "Failover in Cluster Configurations"

• Failover in an Oracle Real Application Clusters environment

  Oracle9i Real Application Clusters is a computing environment that harnesses the processing power of multiple, interconnected computers. Along with a collection of hardware, called a cluster, it unites the processing power of each component to become a single, robust computing environment. A cluster comprises two or more computers, also called nodes.

  You can run Oracle Internet Directory in an Oracle Real Application Clusters system.

  See Also: Chapter 26, "Directory Failover in an Oracle9i Real Application Clusters Environment"

• Support for logical hosts--Oracle Internet Directory Release 3.0.1 enables you to increase high availability by using logical hosts - as opposed to physical hosts - in clustered environments. A logical host consists of one or more disk groups, and pairs of host names and IP addresses. It is mapped to a physical host in the cluster. This physical host services the host name and IP address of the logical host.

  In this paradigm, the directory server binds to the logical host, rather than the physical host. It maintains this connection even if the logical host fails over to a new physical host.

  A client connects to the directory server by using the logical host name and address of the server. If the logical host fails over to a new physical host, then that failover is transparent to the client.

• Oracle Directory Integration platform

  This new feature enables you to synchronize various directories with Oracle Internet Directory. It also makes it easier for third party metadirectory vendors and developers to develop and deploy their own connectivity agents.

  See Also: Part VIII: "The Oracle Directory Integration Platform"

• Password policy management

  Password policy management enables you to establish and enforce rules for how passwords are used.

  See Also: "Password Policies" for a conceptual discussion Chapter 18, "Password Policies"

• Performance and scalability enhancements

• Upgrade procedures

  These procedures enable you to upgrade from Oracle Internet Directory release 2.1.1.

  See Also: Appendix E, "Upgrading Oracle Internet Directory"

• UTF8 restriction removed

  The Oracle directory server and database tools are no long restricted to run on a UTF8 database.

New Features Introduced with Oracle Internet Directory Release 2.1.1

This section describes the new features introduced with Oracle Internet Directory release 2.1.1.

• Attribute options, including language codes

  Attribute options enable you to specify how the value for an attribute is made available in a search or a compare operation. For example, suppose that an employee has two addresses, one in London, the other in New York. Options for that employee's address attribute could allow you to store both addresses. Users could then search for either address.

  Attribute options can include language codes. For example, options for John Doe's givenName attribute could enable you to store his given name in both French and Japanese. A user could then search for the name in either language.

  See Also: "Attribute Options" for a conceptual discussion "Managing Entries with Attribute Options by Using Oracle Directory Manager" "Managing Entries with Attribute Options by Using Command-Line Tools"

• Change log purging enhancements

  These enhancements enable you to specify the type of change log purging to use: change number-based or time-based.

  See Also: "Change Log Purging" for a conceptual discussion "Modifying Directory Replication Server Configuration Parameters"

• Enhanced support for these operational attributes:
  • creatorsName

  • createTimestamp

  • modifiersName

  • modifyTimestamp

  This enhanced support enables you to use one or more of these attributes in searches.

  See Also: "Kinds of Attribute Information" for a conceptual discussion "Example 7: Searching for All User Attributes and Specified Operational Attributes" for an example of a search operation using the createTimestamp attribute

• Migration from other LDAP-compliant directories

  This new feature enables you to migrate data from other LDAP v3-compatible directories into Oracle Internet Directory.

  See Also: Appendix F, "Migrating Data from Other LDAP-Compliant Directories"

• Object class explosion

  Object class explosion enables you to add or perform an operation on an entry without specifying the entire hierarchy of superclasses associated with that entry.

  See Also: "Guidelines for Adding Object Classes" for an explanation of how to use this feature when adding object classes

• OID database statistics collection tool

  This tool assists in capacity planning. It helps you analyze the various database schema objects so that you can estimate the statistics.

  See Also: "Using the OID Database Statistics Collection Tool"

• Password protection enhancements

  This new feature enhances the available password protection by storing passwords as hashed values. Storing passwords as one-way hashed values--rather than as encrypted values--more fully secures them because a malicious user can neither read nor decrypt them. You can select one of the following hashing algorithms:

  • MD4--A one-way hash function that produces a 128-bit hash

  • MD5--An improved, and more complex, version of MD4

  • SHA--Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.

  • UNIX Crypt--The UNIX encryption algorithm

  • No Hashing

    See Also: "Protection of User Passwords for Directory Authentication" for a conceptual discussion Chapter 18, "Password Policies" for instructions on setting password hashing

• Replication tools

  The following new replication tools are now added:

  • Human intervention queue manipulation tool

    This tool enables you to move changes from the human intervention queue to either the retry queue or the purge queue.

  • OID reconciliation tool

    This tool enables you to synchronize conflicting changes in a replicated environment.

    See Also: "Using the Replication Tools" for a brief explanation of this tool "Using the Human Intervention Queue Manipulation Tool" "Using the OID Reconciliation Tool"

• Replication node deletion

  This new feature enables you to delete a node from a directory replication group.

  See Also: "Deleting a Replication Node"

• Synchronization with multiple directories in a metadirectory environment (release 2.1.1 only)

  If you are working in a metadirectory environment, then this new feature enables you to form a single virtual directory by synchronizing multiple directories with Oracle Internet Directory.

  Note: This feature was replaced in Release 9.0.2 by the Oracle Directory Integration platform. See Chapter 28, "Oracle Directory Integration Platform Concepts and Components" for further information.

• Upgrade procedures (release 2.1.1 only)

  These new procedures enable you to upgrade from either Oracle Internet Directory release 2.0.4.x or release 2.0.6. Not supported in release 2.1.1.1 or in Release 9.0.2.

  See Also: Appendix E, "Upgrading Oracle Internet Directory"