Nsure Idntity Manager & Oracle Internet Directory Michel Bluteau Field Corporate Strategist Nsure Identity Management Novell Québec.

Nsure Idntity Manager &Oracle Internet Directory

Michel BluteauField Corporate StrategistNsure Identity ManagementNovell Québec

© 12 mai 2004 Novell Inc, Confidential & Proprietary2

Driver for Oracle 10g OID

• Required privileges for driver• Mandatory Classes for

– OID– Enterprise User– Enterprise Role

• Required ACLs for the changelog


Oracle Internet Directory

•OID is an application that runs off Oracle•OID clients use LDAP•OID uses Oracle Net to communicate with Database servers


Oracle Internet DirectoryOracle Directory Manager


Oracle Internet DirectoryOracle Directory Manager


Oracle Internet DirectoryCommunication


Oracle Advanced Security Uses OID for

-Storing the password for a centralized user that can have access to more than one Database server-Centrally store and assign privileges-Integration of VPD(Virtual Private Database) and Row Label Security-With 10g, synchro of attributes userPassword(SSO) and orclPassword(DB)-OID can leverage RAS and RAC for high availability in a Oracle bubble(many DB servers)


Driver for Oracle OID

• bi-directional sync for data• uni-directional sync for the password

– From eDirectory to OID

• No customization required(versus JDBC)


Driver User: Select cn=orcladmin


Choose Create Like, create meta


Modify cn, sn, uid and userPassword


Result: cn=meta


Under cn=OracleContext, cn=Groups


Add to cn=OracleSuperAdminGroup


Add to cn=OracleUserSecurityAdmin


Add to cn=Common User Attributes


Add to cn=OracleContextAdmins


Add to required DAS groups


After adding meta to groups

- meta can create users and groups via oidadmin

- but cannot do so via LDAP with ldapadd or the DirXML driver

See:http://download-east.oracle.com/docs/cd/B10464_02/manage.904/b12118/priv_de3.htm



- Provide meta with the required ACLs for cn=Users and cn=Groups (under dc=novl,dc=ca).

See: http://download-east.oracle.com/docs/cd/B10464_02/manage.904/b12118/access2.htm#1059039






Required privileges for changelog

The ACLs for changelog MUST be modified in order to allow meta access to the changelog


Under Access Control Management


Add meta, via Create Like








Add meta, résultat


Classes required for OID

- User requires the following classes:• inetOrgPerson• orclUserV2• orclUser(optional)

- Group(dynamicGroup) requires the following classes:

• groupOfUniqueNames• orclGroup• the displayname attribute is mandatory








Nsure Idntity Manager & Oracle Internet Directory Michel Bluteau Field Corporate Strategist Nsure Identity Management Novell Québec.

Documents

confidential proprietary

groups meta

meta access

das groups

oracle oidbidirectional

driver user

oracle bubblemany db

changelogthe acls