Contents

• Introduction
• Tree
• One Entry
• Operations
• Replication
• Application Integration
• Oracle Internet Directory

 

Introduction

LDAP (Lightweight Directory Access Protocol) is based on the X.500 standard, but simpler. Supports TCP/IP.

Helpful pages:

• http://ldapman.org/articles/intro_to_ldap.html
• http://www.sendmail.net/donnellydirtree.shtml
• http://www.pcwebopaedia.com/TERM/L/LDAP.html

Tree

Base Distiguished Name (Base DN):

o="my_organization.com", c="CH" # X.500 format
o=my_organization.com
o=my_organization, dc=com # most common; dc is Domain Component

Hierarchy with Organizational Units (ou)

o=my_organization, dc=com
  ou=it
    ou=sw
    ou=hw
  ou=financial
    ou=mis
    ou=accounting

Entries are Distinguished Names (DN), composed of Relative Distinguished Name (RDN) and location. Options for RDN are the Common Name (cn) or User ID (uid) such as login (note that uid is not the UNIX uid). Each RDN is unique in it's location, ensuring uniqueness of the DN. The RDN is "unqualified" whereas the DN is "fully qualified".

cn=This is me, ou=sw, ou=it, o=my_organization, dc=com
uid=my_login,  ou=sw, ou=it, o=my_organization, dc=com
\____  _____/  \_______________  ____________________/
     \/                        \/
    RDN                      location

A shallow hierarchy is recommended. Organizational Units don't have to be real departments because organizations change; instead group by logical entities e.g. employees (all in one box), locations, customers, devices. Plan so that entities do not have to be moved from one department to another. An exception could be creating a sub-ou so that the sub-ou may be given different security accesses.

One Entry

Example of one full entry. Always with attribute-value pairs.

dn: uid=my_login, ou=sw, ou=it, dc=my_organization, dc=com
objectclass: person                    # predefined classes
objectclass: organizationalPerson
objectclass: Person_in_my_organization # customized class
uid: my_login
givenname: Chris
sn: Yalkouye
cn: Chris Yalkouye
cn: Moussa Yalkouye
telephonenumber: +21-456-1234
roomnumber: 122G
o: My Organization
mailRoutingAddress: cy@my_organization.com
mailhost: mail.my_organization.com
userpassword: {crypt}glu328gla893glop
homedirectory: /home/cy
loginshell: /usr/local/bin/bash

Note that multiple attributes are possible.

Objectclasses contain groups of attibutes; attributes are name/value pairs.

Operations

Nine basic protocol operations:

• Search (interrogation)
• Compare (interrogation)
• Add (update)
• Delete (update)
• Modify (update)
• Rename (update)
• Bind (authentication and control): identification with dn and authentication credentials. Simple bind (dn + cleartext pw) or SASL.
• Unbind (authentication and control): close connection.
• Abandon (authentication and control): abort connection.

Three methods in LDAP version 3

• LDAP extended operations
• LDAP controls
• SASL (Simple Authentication and Security Layer)

Note that updates are atomic (fully updated or nothing).

ldapbind -p 4032 -h the_host -D "cn=orcladmin" -w pwd

Bind to ldap, that is test the connection

ldapsearch -p 4032 -h the_host -b " " -s base "objectclass=*"

Returns the fields for the root

-s option: base, one, sub

"base" --> specified DN entry only, "one" entries one level below DN, "sub" all sub-directories

ldapsearch -p 4032 -h the_host -b "cn=Users,dc=the_host,dc=com" -s sub "objectclass=*"

Specify the DN in -b option. Note use of commas (not slashes) and note root is last.

ldapsearch -p 4032 -h the_host -b "..." -s base -D "cn=orcladmin" -w pwd "objectclass=*"

Sometimes the username and password are needed, depending on "sub-tree access".

ldifwrite -c iasdb -b " " -f file_name

Do a backup (enter ODS password)

ldapsearch -p 4032 -h the_host -L -b " " -s base -D "cn=orcladmin" -w pwd "objectclass=*" > filename

Supposedly, does a backup too, but there are differences between the files

Replication

Replication between directory servers with the same naming context. Read-only replicas are consumers; updateable replicas are suppliers.

Directory replication group (DRG) = set of directory servers
Replication agreement = replication relationship within the DRG. (is this specific to Oracle ???)

There is no standard concerning replication. The general approach is through "change logs".

Replication is part of the general notion of Distributed Directories. Distributed Directories can be replicated or partitioned (where each server has part of the data).

Oracle Directory Integration Platform

Two possibilities:

• Synchronization Integration Service, where the OID is the central repository. A synchronization profile is created for the outside directory.
• Provisioning Integration Server, where notifications are sent to target applications that are LDAP-enabled but do not have a directory.

Note: Oracle applications are only certified to run against Oracle Internet Directory. The deployment will thus need to synchronize data between Oracle Internet Directory and the third-party directory.

Application Integration

Many applications allow an integration with an LDAP server, such as Active Directory, OpenLDAP or Linux LDAP.
This allows:

• Centralized management of the users in an organization
• Users need only to remember one password

Several levels of integration exist:

• The usernames are stored in the LDAP server and the usernames are periodically imported into the application.
  This allows centralized management of the creation of new usernames, but the user passwords and user groups are still stored in the application.
• Not only are the user names imported, but the application "delegates" the authentication to the LDAP server. In this way, when a user is de-activated, the user cannot enter into the application even if the import has not been done recently. But if a user changes departments, this has to be handled in the application.
• Users and groups are imported into the application. This allows centralized management of changes of department or responsibilities of users.

Active directory:
Depending on the application, it does not have to be in the AD domain
Note that AD paginates 1'000 entries at a time.

Note that it is best to be able to configure a main LDAP server and a backup LDAP server so that users can log in even if the main server is not available.

Also look into the encryption on the network (LDAPS between the application server and the LDAP server) so that the passwords do not travel in plain text over the network. And also look at the connection between the client and the application server.

Oracle Internet Directory

Oracle's implementation of LDAP.

OID Administrator's Guide
Tutorial

Manage with ODM (Oracle Directory Manager)

Environment variables:

• ORACLE_HOME
• DISPLAY
• TMP
• TNS_ADMIN (ORACLE_HOME/network/admin )
• UNIX Group Name for the Oracle Universal Installer Inventory (oinstall)
• UNIX Account to Own Oracle Software (oracle)
• UNIX Group Names for Privileged Groups (osdba)

oidadmin is administrator's tool ($ORACLE_HOME/bin/oidadmin).

Port number in $ORACLE_HOME/install/portlist.ini (389 or 4032). Superuser orcladmin/welcome.

If port 389 unavailable, then OID server is started on a different port, which is logged in the following file: $ORACLE_HOME/ldap/install/oidca.out

After Installation

Tasks for OID after installation:

• Set "Job Queue Process" parameter in the init.ora file to at least 1 (or to number of nodes - 1)
• Default Subscriber Configuration: add information to root Oracle Context (entry "cn=Common, cn=Products, %RootOracleContextDN%", where RootOracleContextDN is "cn=OracleContext" by default).
  For orclSubscriberSearchBase: node in the DIT under which all subscribers are placed.
  orclSubscriberNickNameAttribute: nickname attribute to be used when searching for a subscriber under the subscriber search base.
  orclDefaultSubscriber: root of your organization (same as in Upgrading Subscriber screen of the OID Configuration Assistant)
• Add information in subscriber-specific Oracle Context in "cn=Common, cn=Products, cn=oracleContext, <subscriber DN>." for Default Subscriber Oracle Context.
  orclCommonUserBase: node in DIT under which all users are placed. During the upgrade, this attribute value is set to the subscriber DN value. If not set, then password policy under Root Oracle Context will be applied.
  orclCommonNickNameAttribute: nickname attribute to be used when searching for a user under the user search base.
  orclCommonGroupSearchBase: node in the DIT under which all the groups are placed.
• Password Policy Configuration: under "cn=pwdpolicyentry, cn=Oracle Internet Directory". Also in "cn=PwdPolicyEntry, cn=Common, cn=Products, cn=oracleContext, <subscriber DN>".

Basic LDAP operations

ldapbind -p 4032 -h localhost -D "cn=orcladmin" -w welcome1

Authenticate a user

 

ldapadd -p p -h h -D "cn=orcladmin" -w pw -f file-name.ldif

Add entries

ldapsearch -p p -h h -b " " -s {base | one | sub} "objectclass=*" aa

-b base for search, " " for root
-s base --> search in base only
-s one --> search in one level below
-s sub --> search in all sub-directories
"objectclass=*" is the filter
aa are the attributes to return (e.g. cn sn)

 

ldap://the_host:4032/b?a?s?f

b is base for search, "" for root
s is base, one or sub
f is the filter (e.g. "objectclass=*")
a are the attributes to return (e.g. cn,sn)

ldapmodify -p p -h h -D "cn=orcladmin" -w pw -v -f file-name.ldif

Modify; see further documentation for how to write the file

ldifwrite -c iasdb -b -f /tmp/backupDIT.ldif

Same output produced with ldapsearch -L. Note that this creates attributes (creatorsname, createtimestamp, modifiersname, modifytimestamp, aci, orclguid, pwdchangedtime) needed for bulkload but not for ldapadd.

ldapmoddn -p p -h h -D cn=orcladmin -w pw -b "cn=..., ou=..., ..., c=..." -R "cn=new_cn" -N "new_location"

Modify the RDN (-R "...") and / or the location (-D "...")

ldapdelete -p p -h h -D "cn=orcladmin" -w pw "entry"

Delete an entry

ldapcompare -p p -h h -b "distinguished_name" -a title -v "expected value of attribute title"

Is the expected value in the entry?

bulkdelete
bulkload

Script files. Use bulkload with files created with ldapwrite.

An LDAP schema has mainly four categories:

Objectclasses

Groups of attributes

Attributes

Name/value pairs

Syntax

Data types that may be stored in an attribute

Matching rules

Define formatting rules on attributes

Example (table cell is an objectclass):

Adding a new attribute involves defining:

• Unique ID
• Name
• Description
• Rules for equality, matching and formatting
• Syntax
• Mandatory (MUST) or optional (MAY)
• Superclass (SUP)

Access Control

Anonymous

No anonymous access: set flag to 0

Entry access

d

Access to attribute

Browse, modify, self

orclACI

Policy for a directory and all sub-directories

orclEntryLevelACI

Overrides orclACI for an entry (leaf or directory)

View with ldapsearch -p p -h h -b "cn=subschemasubentry" -s base -v "objectclass=*"

Password Policy

OID: "Password Policy Management" (in oidadmin)

Expiry Time

0 for no expiration, 5184000 = 60 days

Account Lockout

1=enable, 0=disable

Account Lockout Duration

in case of unsuccessful binds (if account lockout), 86400 is 24 hours

Password Maximum Failure

Number of wrong password attempts

Password Failure Count Interval

0=failures are not purged,

Password expiration warning

3 days before expiry

Check Password Syntax

1=enabled

Old pw can be new pw

1=enabled=old can be new

 

Starting LDAP - Oracle Flavor

Start the monitor or guardian process. The guardian reads the table ods.ods_process to determine whether to start, restart or stop an instance.
oidmon start

Then start an instance with:
oidctl
Oidctl inserts a line in the table ods.ods_process. The oidmon actually starts the process.

At least three processes should be visible: oidmon start, oidldapd, oidldapd -i 1 ....

/u00/app/oracle/product/infra9i/ldap/bin/ldapcheck --> check which processes are running

Note that oidctl does not start or stop the server, but simply inserts or updates an entry in the table OID.OID_PROCESSES. oidmon will not start if there are records in this table with "state"=2 (=run). One option is to issue "oidctl stop" before "oidmon start" so as to remove any lines in "ods.ods_process" with "state"=2.

Summary:

1. oidldapd server processes: oidctl connect=<db-sid> server={oidldapd | oidrepld | odisrv} instance=1 stop / start
Optional parameter when starting: configset=1 flags=ff
2. Is oidldapd server process stopped: ps -ef | grep oidldapd | grep -v grep
3. OID monitor process: oidmon stop / start
4. Oracle database: sqlplus '/as sysdba' (in Windows, use double quotes)
5. database listener

Add a configuration set: navigate to Server Management -> Directory Server -> Default Configuration Set, then "Create Like".
SSL is also possible without SSL authentication: this uses the "Anonymous Diffie Hellman" algorithm.

Syntax:

oidmon [connect= connectstring] [sleep=sleeptime] start | stop

connectstring is the directory database connect string, defaults to the value of ORACLE_SID.

oidctl [connect=connectstring] server=servername instance=instanceno
  [configset=configsetno] [flags="flagsvalues"] start | stop

servername is the name of the OiD server, either osdldap/osdrepl
instanceno = the instance number
configsetno = the configuration set number to be used while starting a OID server.
flagvalues The flags needed while starting the OID server.

Replication

See also section Replication

Directory replication group (DRG) = set of directory servers
Replication agreement = replication relationship within the DRG.

Backup and Restore