Monday, March 19, 2012

Using JXplorer to Learn Oracle Internet Directory

JXplorer[1] is an open source LDAP browser originally developed by Computer Associates' eTrust Directory development lab. It is a standards-compliant, general-purpose LDAP browser that can be used to read and search any LDAP directory, or any X.500 directory[4] with an LDAP interface.

Oracle Internet Directory (OID) is an LDAP V3-compliant directory service.  LDAP (Lightweight Directory Access Protocol) was conceived as an Internet-ready, lightweight implementation of the X.500 standard for directory services.  In this article, we will use JXplorer to explore the structure of OID.

OID Component and Instance

When you install Oracle Internet Directory[2] on a host computer, Oracle Identity Management 11g Installer creates a system component of type OID in a new or existing Oracle instance.

The Oracle Internet Directory component contains an OIDMON process (i.e. Oracle Internet Directory Monitor process) and an Oracle Internet Directory instance. The Oracle Internet Directory instance consists of a dispatcher process and one or more OIDLDAPD processes.


The component name for the first Oracle Internet Directory component is usually oid1 and the Oracle instance name is chosen during the installation, usually asinst_1.

Oracle Identity Management 11g Installer also creates the following instance-specific configuration entry for this component during installation:
  • cn=oid1,cn=osdldapd,cn=subconfigsubentry

In summary, OID components and instances are created as below:
  • oid1
    • The first Oracle Internet Directory component
      • Successive installations in the cluster will have the component names oid2, oid3, and so forth.
      • This new Oracle Internet Directory component consists of
        • An OIDMON process
        • An OIDLDAPD dispatcher process
        • One or more OIDLDAPD server processes
    • File system directories created by the installer
      • ORACLE_INSTANCE/config/OID/oid1
      • ORACLE_INSTANCE/diagnostics/logs/OID/oid1
  • asinst_1
    • The Oracle instance name is chosen during the installation and is usually asinst_1.

JXplorer

You explore OID by first making a connection to it.  An LDAP server is called a Directory System Agent (DSA).
OID uses the following default ports:
  • SSL port: 3131
  • Non-SSL port: 3060
In the User DN, you specify:
  • cn=orcladmin
On the left panel, you can find oid1 in the hierarchical tree-like structure (i.e., the Directory Information Tree).  If you right click on it and select Copy DN, the DN (i.e., distinguished name) of the oid1 configuration entry is returned:
  • cn=oid1,cn=osdldapd,cn=subconfigsubentry

The action in LDAP takes place around entries such as oid1.  An entry is defined as a set of attributes, and an attribute is a set (i.e., unordered) of values.  For example, oid1 has the following attributes:
  • orcloidinstancename: asinst_1
  • orclmaxcc: 10
  • etc.
OID component oid1 has one instance named asinst_1.  It also has other attributes such as orclmaxcc, which specifies the maximum number of DB connections, or orclserverprocs, which specifies the number of server processes.  You can modify them to tune OID's performance.

Configuring the Oracle Internet Directory Authentication Provider

You can follow the instructions here[5] to set up OID as one of the authentication providers in WebLogic Server.  Some of the information required for the setup can also be found with JXplorer.  For example, to find the user base DN and group base DN, you can right click on the Users or Groups entry and select "Copy DN":

  • User base DN: cn=Users, dc=us, dc=oracle, dc=com
  • Group base DN: cn=Groups, dc=us, dc=oracle, dc=com
An entry's name is specified by LDAP's naming model.  An entry's name (i.e., a DN) is composed of RDNs (i.e., Relative Distinguished Names) separated by commas.  DNs are more like postal addresses because they have a "most specific component first" ordering.  In our example, the entry Users has the distinguished name:
  • cn=Users, dc=us, dc=oracle, dc=com
where cn is the shorthand for common name and dc is the shorthand for domain component.  The user base DN and group base DN are used by WebLogic Server to search for users and groups within OID.
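As an added example (not code from the original post or from JXplorer), the following Python parses a DN string such as the ones above into its RDNs, most specific first, and then checks whether an entry lies under a base DN, which is what a user base DN search scope relies on. The DN strings in the test are constructed samples.

```python
from typing import List, Tuple

HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, most specific RDN first.

    Follows the RFC 4514 string form: a backslash escapes the next character
    (so "\\," is a literal comma inside a value) or introduces a two-digit hex
    byte; whitespace around the separating commas, as JXplorer's "Copy DN"
    shows it, is ignored.  Multi-valued RDNs joined with "+" are not split.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # ASCII-range hex escape
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped literal, e.g. "\," or "\="
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))  # unescaped comma ends the current RDN
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or sits below it in the DIT.

    Because DNs list the most specific RDN first, "below the base" means the
    base's RDNs form the tail of the entry's RDN list.  cn and dc values are
    compared case-insensitively, as the directory matches them.
    """
    entry = [(a, v.lower()) for a, v in parse_dn(entry_dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base
```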

References

1. JXplorer
2. Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1)
3. Lightweight Directory Access Protocol
4. International Organization for Standardization (ISO) X.500
5. Configure the Oracle Internet Directory Authentication Provider
6. Oracle Fusion Middleware Security Blog
