Thursday, October 22, 2009

Some FACTS About ORACLE VIRTUAL DIRECTORY 10.1.4

Oracle Virtual Directory (OVD), a directory virtualization service (not a repository), enables enterprises to implement Enterprise User Security (EUS) on top of their existing directory infrastructure.

Enterprise User Security (EUS), an Oracle Database Enterprise Edition feature, builds on Oracle Directory Services and gives you the ability to centrally manage database users and role memberships in an LDAP directory. Enterprise User Security reduces administration cost, increases security, and improves compliance through centralized database user account management, centralized provisioning and de-provisioning of database users, centralized password management and self-service password reset, and centralized management of authorizations using global database roles.

CENTRALIZING DATABASE ACCOUNT MANAGEMENT USING EXISTING DIRECTORIES WITH OVD.

Oracle Database Enterprise User Security was developed to use Oracle Internet Directory (OID) as the default metadata and identity store for an Oracle database, so the database side of the interaction is tailored specifically to OID. OVD provides a real-time, virtual view of identity data from any data store, including directories, databases and Web Services, without data persistence or synchronization. The database communicates with OVD exactly as it does with OID, without knowing that the information it receives is actually stored in a third-party directory. Using OVD therefore lets the database work with third-party directories without losing database functionality or changing the database code.
Oracle Virtual Directory leverages the user and group information that already exists in the third-party directory infrastructure. Besides user data, database metadata such as DB registration information, user/role mappings and other EUS-specific metadata has to be stored in the third-party directory, which requires extending the existing third-party directory schema. In some Active Directory deployments this is prohibited by corporate policy. To comply with such a policy and avoid schema changes in Active Directory for EUS-specific metadata, Oracle Internet Directory can be deployed (or leveraged if already in use) to hold the metadata, while OVD provides access to the AD user and group information.

Oracle Virtual Directory is certified with EUS to support Active Directory and Sun Java System Directory Server (JSDS) deployments. Deploying EUS through OVD against existing AD or Sun directories eliminates user data duplication and synchronization and lowers total cost of ownership (TCO).

Besides centralizing database user management, Enterprise User Security provides several methods of user authentication:

1. Certificate (X.509) introduced in DB 8i
2. Password introduced in DB 9i
3. Kerberos introduced in DB 10g

The database itself performs the user authentication; it does not authenticate the user by an LDAP bind to OVD or to the third-party directory behind OVD. In the password authentication scenario, for example, the database collects the user's credentials, hashes the password and compares the result with the password hash retrieved from AD or Sun Directory through OVD. A practical consequence is that the directory must hold a password hash in a format the database understands: this is why an Active Directory deployment needs the Oracle password filter, while Sun JSDS does not (see the Sun section below).

CENTRALIZING DATABASE ACCOUNT MANAGEMENT USING ACTIVE DIRECTORY

Active Directory Integration for Password Authentication



This is the default deployment for EUS with OVD and Active Directory. The database establishes a connection to OVD, which looks up the requested DB information in Active Directory. This integration does not require any changes to the database (beyond what is usually required for EUS) or to database clients that use username/password authentication. All of the EUS metadata, as well as user/group information including passwords, is stored in Active Directory. Because the database compares password hashes itself, AD must store a hash in a form the database can use, which the Oracle password filter provides.

CENTRALIZING DATABASE ACCOUNT MANAGEMENT USING SUN JAVA SYSTEM DIRECTORY SERVER



Sun JSDS Integration for Password Authentication



This is the default deployment for EUS with OVD and a Sun directory. The database establishes a connection to OVD, which looks up the requested DB information in Sun JSDS. This integration does not require any changes to the database (beyond what is usually required for EUS) or to database clients that use username/password authentication. All of the EUS metadata, as well as user/group information including passwords, is stored in JSDS. Using Sun JSDS does not require an Oracle password filter, since the password hashing schemes used by Sun are compatible with the database. This works only with database versions 10.1 or later, because earlier DB versions use an incompatible password format.
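The following simulation illustrates the authentication flow described in the "different methods of user authentication" section and the AD and Sun deployment sections above: the database fetches a stored verifier through a virtual view of the backend directory and compares locally, rather than binding to LDAP with the user's password. It is an added example written for this page, not Oracle, OVD or EUS code. The directory entries are constructed sample data; the SHA-256 "verifier" is a stand-in for Oracle's real password verifier format (which the page does not describe); and the use of `orclCommonAttribute` as the attribute the Oracle password filter populates in AD is an assumption made for the illustration.

```python
import hashlib
import hmac


def oracle_verifier(username: str, password: str) -> str:
    """STAND-IN for an Oracle-compatible password verifier (assumption).
    The real format is not described on the page; this only marks where the
    comparison happens: in the database, never in an LDAP bind."""
    material = f"{username.upper()}:{password}".encode("utf-8")
    return "ORCL:" + hashlib.sha256(material).hexdigest()


# Constructed sample backends (not real directory data).
# AD keeps its own password hash in unicodePwd, which is never returned over
# LDAP, so an AD entry without the Oracle password filter exposes nothing the
# database could compare against.
AD_ENTRIES_NO_FILTER = {
    "CN=Alice,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "alice",
        "userPrincipalName": "alice@example.com",
    },
}

# With the Oracle password filter, an Oracle-compatible verifier is kept in an
# extra attribute; 'orclCommonAttribute' as that attribute is an assumption.
AD_ENTRIES_WITH_FILTER = {
    "CN=Alice,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "alice",
        "userPrincipalName": "alice@example.com",
        "orclCommonAttribute": oracle_verifier("alice", "S3cret!"),
    },
}

# Sun JSDS: the page states its password hashing scheme is compatible with the
# database, modelled here as userPassword already holding a usable verifier.
SUN_ENTRIES = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": "alice",
        "userPassword": oracle_verifier("alice", "S3cret!"),
    },
}


class VirtualDirectory:
    """OVD-like view: answers the database's lookup by reading the backend on
    demand and mapping attribute names. Nothing is copied or synchronized."""

    def __init__(self, backend: dict, name_attr: str, verifier_attr: str):
        self.backend = backend
        self.name_attr = name_attr
        self.verifier_attr = verifier_attr

    def lookup_verifier(self, username: str):
        for entry in self.backend.values():
            if entry.get(self.name_attr, "").lower() == username.lower():
                return entry.get(self.verifier_attr)
        return None


def database_authenticate(ovd: VirtualDirectory, username: str, password: str):
    """What the database does for EUS password authentication: fetch the stored
    verifier through OVD and compare locally with a constant-time comparison."""
    stored = ovd.lookup_verifier(username)
    if stored is None:
        return False, "no Oracle-compatible verifier in directory"
    if hmac.compare_digest(oracle_verifier(username, password), stored):
        return True, "verifier match"
    return False, "verifier mismatch"


OVD_AD_NO_FILTER = VirtualDirectory(AD_ENTRIES_NO_FILTER, "sAMAccountName", "orclCommonAttribute")
OVD_AD_WITH_FILTER = VirtualDirectory(AD_ENTRIES_WITH_FILTER, "sAMAccountName", "orclCommonAttribute")
OVD_SUN = VirtualDirectory(SUN_ENTRIES, "uid", "userPassword")

if __name__ == "__main__":
    cases = [("AD without password filter", OVD_AD_NO_FILTER),
             ("AD with password filter", OVD_AD_WITH_FILTER),
             ("Sun JSDS", OVD_SUN)]
    for label, ovd in cases:
        print(label, database_authenticate(ovd, "alice", "S3cret!"))
    print("Sun JSDS, wrong password", database_authenticate(OVD_SUN, "alice", "nope"))
```

The AD-without-filter case fails even with the correct password because the virtual view has nothing Oracle-compatible to hand back, which is the failure mode a deployment hits when the password filter is skipped; the Sun case succeeds without any filter because the stored hash is already in a form the database can compare.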