📄 readme_oid.htm
</P><A NAME="563213"></A><!--TOC=h2-"563213"--><H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">2.4&#32; Default Directory Tree Created during Oracle Internet Directory Installation </FONT></H3><!--/TOC=h2--><A NAME="563214"></A><P CLASS="BP">In Release 9.2.0.1.0, the following directory tree elements are created by default: </P><UL CLASS="LB1"><LI CLASS="LB1" TYPE="DISC"><A NAME="563215"></A>Root Oracle Context: <CODE>cn=OracleContext</CODE>. This is the container in which Oracle products store enterprise-wide configuration data. <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563216"></A>Default Subscriber: <CODE>dc=&lt;dns_domain_of_machine&gt;,dc=com</CODE>. This is an approximation of the enterprise DIT structure, and the container under which Oracle products expect to find the enterprise's users and groups. For example, if Oracle Internet Directory is installed on a machine whose host name is machine1.us.acme.com, the Default Subscriber tree created by the installation is <CODE>dc=acme,dc=com</CODE>. Oracle products then expect to find all users under the container <CODE>cn=users,dc=acme,dc=com</CODE> and all groups under <CODE>cn=groups,dc=acme,dc=com</CODE>. In addition to creating the Default Subscriber entry, the OID Configuration Assistant stores a pointer to it in the Root Oracle Context so that other Oracle Internet Directory enabled components can bootstrap themselves. <P></UL><A NAME="563222"></A><P CLASS="BP">For enterprises that have already rolled out a directory, the default subscriber may not match the actual enterprise directory tree. For example, if a company keeps all of its users in a different container, such as <CODE>o=acme,c=us</CODE>, the default tree created by the Oracle Internet Directory installation is not sufficient. 
In order to designate an alternate entry in Oracle Internet Directory as the Default Subscriber, perform the following tasks: </P><UL CLASS="LB1"><LI CLASS="LB1" TYPE="DISC"><A NAME="563226"></A>Install Oracle Internet Directory <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563227"></A>Create the enterprise-specific directory tree using the command line tools or OIDADMIN <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563228"></A>Run OIDCA in a special mode to configure the enterprise-specific directory entry as the default subscriber. The arguments to OIDCA are: <P><A NAME="563230"></A><P CLASS="BP1"><CODE>$ORACLE_HOME/bin/oidca </CODE></P><A NAME="563232"></A><P CLASS="BP1"><CODE>/createDefaultSubscriber </CODE></P><A NAME="563233"></A><P CLASS="BP1"><CODE>[/help] - optional, shows usage </CODE></P><A NAME="563234"></A><P CLASS="BP1"><CODE>/host </CODE><EM CLASS="Italic">Oracle Internet Directory host</EM></P><A NAME="563235"></A><P CLASS="BP1"><CODE>/port </CODE><EM CLASS="Italic">Oracle Internet Directory port</EM></P><A NAME="563236"></A><P CLASS="BP1"><CODE>/userDN </CODE><EM CLASS="Italic">bindDN</EM></P><A NAME="563237"></A><P CLASS="BP1"><CODE>/userPwd </CODE><EM><CODE>bindDN_password</CODE></EM></P><A NAME="563238"></A><P CLASS="BP1"><CODE>/subscriberDN </CODE><EM><CODE>DN of the entry to be made the default subscriber</CODE></EM></P></UL><A NAME="563240"></A><!--TOC=h1-"563240"--><H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">3&#32; NEW FEATURES</FONT></H2><!--/TOC=h1--><A NAME="563242"></A><!--TOC=h2-"563242"--><H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">3.1&#32; New Feature List</FONT></H3><!--/TOC=h2--><A NAME="563244"></A><P CLASS="BP">The following major new features and capabilities of Oracle Internet Directory have been introduced since the release of Oracle9i Database Release 1: </P><UL CLASS="LB1"><LI CLASS="LB1" TYPE="DISC"><A NAME="563246"></A>Oracle Directory Integration Platform <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563247"></A>Oracle Provisioning Integration Service <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563248"></A>iPlanet Connector <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563249"></A>Entry cache <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563250"></A>Support for a single Oracle Internet Directory instance to listen on both SSL and non-SSL ports <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563251"></A>Support for multiple verifier attribute types <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563252"></A>Password policy management enhancements <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563253"></A>Search performance enhancements <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563254"></A>Access control list (ACL) and proxy-user enhancements <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563255"></A>Alias dereferencing <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563256"></A>Replication configuration enhancements <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563257"></A>Plug-in support <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563258"></A>Attribute uniqueness <P></UL><A NAME="563260"></A><!--TOC=h2-"563260"--><H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">3.2&#32; New Feature Details </FONT></H3><!--/TOC=h2--><A NAME="563262"></A><P CLASS="BP">The following section provides more detail about each of the features listed above: </P><A NAME="563264"></A><P CLASS="BP">Oracle Provisioning Integration Service--Provisioning is the process of granting or revoking a user's access to application resources based on business rules. The user may be either a human end user or an application. The Oracle Provisioning Integration Service ensures that subscribing applications or business entities are alerted to updates in Oracle Internet Directory so that they can keep their local repositories synchronized. It lets you synchronize local, application-specific information with Oracle Internet Directory, using Oracle Internet Directory as the source of truth. 
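The section 2.4 procedure above (derive the default subscriber from the host name, build an enterprise-specific tree, then point oidca at it) is easy to get wrong when the enterprise DN contains characters that are special in a DN. The following helpers are an added example and not Oracle code; they assume the host-name rule is "keep the last two DNS labels" (the notes show only the machine1.us.acme.com to dc=acme,dc=com case) and that the cn=users / cn=groups containers are created with objectclass orclContainer, which you should check against your own schema before loading the LDIF.

```python
"""Added example (not Oracle code): helpers for the default-subscriber layout
described in section 2.4 and for the oidca /createDefaultSubscriber step.

Assumptions, not stated in the release notes:
  * the host-name rule is "keep the last two DNS labels";
  * the container entries use objectclass 'orclContainer'.
"""
import os
from typing import List, Tuple

_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):      # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:              # leading hash
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def default_subscriber_dn(hostname: str) -> str:
    """dc=<domain>,dc=<tld> for the host OID is installed on (section 2.4)."""
    labels = [l for l in hostname.strip().lower().strip(".").split(".") if l]
    if len(labels) < 2:
        raise ValueError(f"need a fully qualified host name, got {hostname!r}")
    return ",".join(f"dc={escape_rdn_value(l)}" for l in labels[-2:])


def container_dns(subscriber_dn: str) -> Tuple[str, str]:
    """The cn=users and cn=groups containers Oracle products look for."""
    return f"cn=users,{subscriber_dn}", f"cn=groups,{subscriber_dn}"


def enterprise_tree_ldif(subscriber_dn: str) -> str:
    """LDIF adding the two containers under an existing subscriber entry."""
    users, groups = container_dns(subscriber_dn)
    blocks = []
    for dn, cn in ((users, "users"), (groups, "groups")):
        blocks.append(
            f"dn: {dn}\nchangetype: add\nobjectclass: top\n"
            f"objectclass: orclContainer\ncn: {cn}\n"     # object class is an assumption
        )
    return "\n".join(blocks)


def oidca_args(host: str, port: int, bind_dn: str, bind_pw: str,
               subscriber_dn: str) -> List[str]:
    """argv for the oidca invocation listed in section 2.4."""
    oracle_home = os.environ.get("ORACLE_HOME", "$ORACLE_HOME")
    return [f"{oracle_home}/bin/oidca", "/createDefaultSubscriber",
            "/host", host, "/port", str(port),
            "/userDN", bind_dn, "/userPwd", bind_pw,
            "/subscriberDN", subscriber_dn]


if __name__ == "__main__":
    print(default_subscriber_dn("machine1.us.acme.com"))
    # "Acme, Inc." must be escaped or the DN splits at the comma.
    print(enterprise_tree_ldif("o=" + escape_rdn_value("Acme, Inc.") + ",c=us"))
    print(" ".join(oidca_args("dir1.us.acme.com", 389, "cn=orcladmin", "***", "o=acme,c=us")))
```

Note that oidca takes the bind password as a command-line argument, so it is visible to any local user who lists processes while the tool runs; run it from a controlled host and rotate the orcladmin password afterwards if that matters in your environment.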
</P><A NAME="563270"></A><P CLASS="BP">iPlanet Connector--Customers can synchronize the user data in Oracle Internet Directory with an iPlanet directory. The synchronization is bidirectional: changes in Oracle Internet Directory can be propagated to an iPlanet directory, and vice versa. The attributes and entries to be synchronized are configured at run time using standard directory integration profiles. </P><A NAME="563275"></A><P CLASS="BP">Entry Cache--This feature reduces directory query latency for LDAP clients. By configuring a server-side entry cache based on naming context, identity of client, or other available parameters, Oracle Internet Directory keeps previously retrieved entries and their attributes in heap memory, where they are available to subsequent requesters. A query that conforms to the configured parameters then needs to retrieve only a small amount of data, the internal globally unique identifiers (GUIDs) of the entries matching the filter, from the directory store. These GUIDs are used as a fast lookup key into the cached entry and attribute data, which is then returned to the client. </P><A NAME="563281"></A><P CLASS="BP">Enterprise password policy management enhancements--You can now construct password policies to enforce: </P><UL CLASS="LB1"><LI CLASS="LB1" TYPE="DISC"><A NAME="563284"></A>Expiration dates <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563285"></A>Grace periods <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563286"></A>Minimum password lengths <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563287"></A>Approved password syntaxes and retry limits <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563288"></A>Lockout of an account after a set number of failed authentication attempts <P></UL><A NAME="563290"></A><P CLASS="BP">During upgrade from 9.0.1 to 9.2, the existing password policy entry is copied to the Root Oracle Context as well as to the Subscriber Oracle Context. 
Entries under the Root Oracle Context are exempt from any password policy. Oracle Internet Directory password policy can be enforced on a per-subscriber basis. </P><A NAME="563293"></A><P CLASS="BP">The password policy in the Subscriber Oracle Context applies to the subtree identified by the value of the <CODE>orclcommonusersearchbase</CODE> attribute in the common entry under the Subscriber Oracle Context. By default, this attribute is set to <CODE>cn=users,dc=</CODE><EM><CODE>DEFAULT_SUBSCRIBER</CODE></EM><CODE>,dc=com</CODE>, so all users underneath the container <CODE>cn=users,dc=</CODE><EM><CODE>DEFAULT_SUBSCRIBER</CODE></EM><CODE>,dc=com</CODE> are governed by the password policy in the Subscriber Oracle Context. If the <CODE>orclcommonusersearchbase</CODE> attribute is absent from, or has been deleted from, the common entry under the Subscriber Oracle Context, then the policy under the Root Oracle Context applies to the entire subscriber DIT. </P><A NAME="563299"></A><P CLASS="BP">The <CODE>userpassword</CODE> attribute can be hashed using one of these hashing algorithms:</P><UL CLASS="LB1"><LI CLASS="LB1" TYPE="DISC"><A NAME="563301"></A>MD4 - A one-way hash function that produces a 128-bit hash <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563302"></A>MD5 - An improved, and more complex, version of MD4, also producing a 128-bit hash <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563303"></A>SHA - Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more resistant to brute-force collision and inversion attacks. You can also use salted SHA. A salt is a random value that is mixed into the input before hashing and stored alongside the hash. Because every password is hashed with a different salt, a precomputed dictionary or rainbow table cannot be reused across accounts, and each hash must be attacked separately. 
<P><LI CLASS="LB1" TYPE="DISC"><A NAME="563306"></A>UNIX Crypt - The traditional UNIX crypt(3) one-way password hash <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563307"></A>NONE - No hashing; the password is stored in the clear <P></UL><A NAME="563309"></A><P CLASS="BP">Salted SHA and MD5 are supported only for the purpose of migrating data from other LDAP directories into Oracle Internet Directory; the generation of salted SHA and MD5 values is not supported. If existing passwords are hashed using salted SHA or MD5, these values can be stored as is in Oracle Internet Directory without causing user authentication failures. </P><A NAME="563313"></A><P CLASS="BP">Attribute uniqueness--In the prior Oracle Internet Directory architecture, the only way to enforce uniqueness of an attribute was to make it part of the DN. This worked well for the user identifier when it was used as the RDN, but it was not always appropriate or easy to configure, because a DN guarantees uniqueness only among the entries directly under one parent. For example, if a DN was <CODE>uid=dlin,ou=people,o=oracle</CODE>, it was unique directly under <CODE>ou=people</CODE>, but the same user identifier could exist in another branch, for example <CODE>uid=dlin,ou=others,o=oracle</CODE>. In short, attribute uniqueness was guaranteed only under a given branch, and only within one level. </P><A NAME="563320"></A><P CLASS="BP">The applications that Oracle Internet Directory synchronizes with may use attributes other than the DN as their unique keys. The ability of Oracle Internet Directory to enforce attribute uniqueness enables applications, each with its own notion of a "user," to synchronize their user bases with the user repository stored in the enterprise's Oracle Internet Directory server. </P><A NAME="563324"></A><P CLASS="BP">Multiple password verifier support--Oracle Internet Directory can now store passwords for multiple applications and protocols. 
For example, four-digit Personal Identification Numbers (PINs) for voicemail can sit alongside longer alphanumeric single sign-on passwords and X.509 v3 digital certificates for the same user. This gives the application developer far greater flexibility in directory-enabling a product stack.</P><A NAME="563329"></A><P CLASS="BP">Expanded proxy user capabilities--This new feature enables a developer to make more effective use of the middle tier. Users no longer need to establish independent, unrelated sessions with the directory. If a middle tier, from Oracle9i Application Server or elsewhere, invokes the proxy user bind method on behalf of numerous clients in succession, then Oracle Internet Directory applies each client's own credentials and privileges, even though the agent doing the actual binding remains unchanged throughout.</P><A NAME="563334"></A><P CLASS="BP">Oracle Directory Manager enhancements--Oracle Internet Directory's standalone, 100% Java administration console, Oracle Directory Manager, has evolved in many ways. You can use it to:</P><UL CLASS="LB1"><LI CLASS="LB1" TYPE="DISC"><A NAME="563337"></A>Configure hosted subscriber domains <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563338"></A>Construct password policies <P><LI CLASS="LB1" TYPE="DISC"><A NAME="563339"></A>Configure Oracle Directory Synchronization Service and Oracle Internet Directory connectors and agents <P></UL><A NAME="563341"></A><P CLASS="BP">In general, any directory-specific configuration or maintenance task not available in the high-level OEM GUI can now be performed through ODM, as well as through the command-line interfaces supplied with Oracle Internet Directory. 
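The hashing schemes and the password-policy scoping rules in section 3.2 above both come into play when a bind arrives: the server first decides which policy (if any) governs the bind DN, then compares the supplied password against the stored userPassword value. The following is an added example, not Oracle's code, of both checks. It assumes stored values use the {SCHEME}base64 prefix convention ({SHA}, {SSHA}, {MD5}, {SMD5}, {CRYPT}) and that a value without a prefix is the NONE (clear text) case; MD4 is left out because the notes do not say how MD4 values are encoded. For a user inside the subscriber DIT but outside orclcommonusersearchbase the notes say nothing, so the code falls back to the Root Oracle Context policy and labels that as an assumption. The {SSHA} generator is what another directory would export for migration (the notes say OID 9.2 stores, but does not generate, salted values). The known-answer values in the test are for the password "password".

```python
"""Added example (not Oracle code): bind-time password checks for the
section 3.2 userPassword hashing schemes and password-policy scope rules.
See the lead-in for the assumptions this code makes.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """'{SSHA}abc' -> ('SSHA', 'abc'); no prefix -> (None, value)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def verify_userpassword(stored: str, candidate: str) -> bool:
    """True if candidate matches the stored userPassword value."""
    scheme, payload = _split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:                                  # NONE: stored in the clear
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme in ("SHA", "SSHA", "MD5", "SMD5"):
        raw = base64.b64decode(payload)
        algo = "sha1" if scheme.endswith("SHA") else "md5"
        size = hashlib.new(algo).digest_size
        # Salted variants carry the salt after the digest bytes.
        if scheme in ("SSHA", "SMD5"):
            digest, salt = raw[:size], raw[size:]
        else:
            digest, salt = raw, b""
        calc = hashlib.new(algo, pw + salt).digest()
        return hmac.compare_digest(calc, digest)        # constant-time compare
    if scheme == "CRYPT":
        try:
            import crypt                                # removed in Python 3.13
        except ImportError:
            return False
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    raise ValueError(f"unsupported scheme {scheme}")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value as a source directory would export it for migration."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _norm(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))   # assumes no escaped commas


def _under(dn: str, base: str) -> bool:
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)


def applicable_policy(user_dn: str, subscriber_dn: str,
                      common_user_search_base: Optional[str],
                      root_context: str = "cn=OracleContext") -> str:
    """Which policy governs user_dn: 'exempt', 'subscriber', 'root' or 'none'."""
    if _under(user_dn, root_context):
        return "exempt"          # entries under the Root Oracle Context
    if common_user_search_base and _under(user_dn, common_user_search_base):
        return "subscriber"      # orclcommonusersearchbase subtree
    if _under(user_dn, subscriber_dn):
        # Attribute absent/deleted -> root policy (stated). A user outside the
        # search base while the attribute is present is treated the same way
        # here; that case is an assumption, the notes do not cover it.
        return "root"
    return "none"


if __name__ == "__main__":
    migrated = make_ssha("password", b"12345678")       # constructed sample value
    print(migrated, verify_userpassword(migrated, "password"))
    print(applicable_policy("cn=jdoe,cn=users,dc=acme,dc=com", "dc=acme,dc=com",
                            "cn=users,dc=acme,dc=com"))
```

MD4 and MD5 have long been broken for collision resistance, and unsalted SHA-1 of a password is directly attackable with precomputed tables, so treat these schemes as a migration compatibility path rather than a choice for new deployments. The constant-time comparison matters even for hashes: a byte-by-byte early-exit compare leaks how many leading digest bytes matched.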
</P><A NAME="563344"></A><P CLASS="BP">Server-side plug-in framework--This new feature enables directory applications to roll out advanced capabilities such as referential integrity and cascading deletion of LDAP objects, external authentication of directory clients, brokered access, and synchronization with external relational tables. The plug-ins can be executed before or after an LDAP operation takes place, without the traditional risks of such technologies. </P><A NAME="563349"></A><P CLASS="BP">Entry alias dereferencing--The LDAP v3 standard requires that every entry in a directory have a globally unique identifier, its distinguished name. Distinguished names are typically long and cumbersome to use, so Oracle Internet Directory now automatically dereferences IETF-standard alias objects that point to a fully qualified LDAP distinguished name. For example, "DavesServer1" can be used as an entry alias, or pointer, to the actual directory entry named <CODE>dc=server1,dc=us,dc=oracle,dc=com</CODE>. Oracle Internet Directory stores, parses, and chases all alias references, so the mechanism is completely transparent to the client. </P><A NAME="563355"></A><P CLASS="BP">Search performance enhancements--For Oracle9<EM CLASS="Italic">i</EM> Database Server Release 2 (9.2), search performance against directory data in Oracle Internet Directory has been greatly improved by the use of directory entry caching. This feature creates a cache of LDAP entries that the directory server maintains in memory. The greatest performance improvement is achieved in small to medium directory deployments (for example, up to a few million entries with up to a few hundred concurrent clients), where all of the entries in the directory can be cached. 
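Two of the section 3.2 items above, attribute uniqueness and entry alias dereferencing, are both rules a directory server applies while walking its tree, so one in-memory model serves to illustrate both. The following is an added example and not Oracle code. It reproduces the uid=dlin case from the attribute-uniqueness paragraph (the same uid accepted under ou=people and ou=others when only the DN is unique, rejected once uid is declared unique tree-wide) and the DavesServer1 alias from the dereferencing paragraph, adding the one failure mode a server that "chases all alias references" has to handle: two aliases pointing at each other. It assumes DNs contain no escaped commas and that alias entries follow the IETF convention of objectclass alias with an aliasedObjectName attribute.

```python
"""Added example (not Oracle code): an in-memory DIT showing why DN-based
uniqueness only holds within one level, how an attribute-uniqueness rule
closes that gap, and how alias entries are dereferenced with a loop guard.
Assumes no escaped commas in DNs and IETF-style alias entries.
"""
from typing import Dict, Iterable, List, Optional, Union


def norm_dn(dn: str) -> str:
    """Comparison form: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class Directory:
    def __init__(self, unique_attrs: Iterable[str] = ()):
        self.entries: Dict[str, Dict[str, List[str]]] = {}
        self.unique_attrs = tuple(a.lower() for a in unique_attrs)

    def find_by_attr(self, attr: str, value: str) -> Optional[str]:
        """DN of the first entry holding attr=value anywhere in the tree."""
        attr, value = attr.lower(), value.lower()
        for dn, attrs in self.entries.items():
            if value in (v.lower() for v in attrs.get(attr, [])):
                return dn
        return None

    def add(self, dn: str, attrs: Dict[str, Union[str, List[str]]]) -> None:
        key = norm_dn(dn)
        # DN uniqueness: only the RDN under *this* parent has to be unique.
        if key in self.entries:
            raise ValueError(f"entry already exists: {key}")
        norm = {k.lower(): ([v] if isinstance(v, str) else list(v)) for k, v in attrs.items()}
        # Attribute uniqueness: the value may appear nowhere else in the tree.
        for attr in self.unique_attrs:
            for value in norm.get(attr, []):
                holder = self.find_by_attr(attr, value)
                if holder is not None:
                    raise ValueError(f"{attr}={value} already used by {holder}")
        self.entries[key] = norm

    def dereference(self, dn: str, max_hops: int = 8) -> str:
        """Follow alias entries to the real entry; fail on loops or long chains."""
        chain: List[str] = []
        key = norm_dn(dn)
        while True:
            entry = self.entries.get(key)
            if entry is None:
                raise LookupError(f"no such entry: {key}")
            classes = [c.lower() for c in entry.get("objectclass", [])]
            if "alias" not in classes:
                return key
            if key in chain or len(chain) >= max_hops:
                raise LookupError("alias loop: " + " -> ".join(chain + [key]))
            chain.append(key)
            key = norm_dn(entry["aliasedobjectname"][0])


def build_sample(enforce_unique_uid: bool) -> Directory:
    """Constructed sample tree using the DNs quoted in the release notes."""
    d = Directory(unique_attrs=("uid",) if enforce_unique_uid else ())
    d.add("o=oracle", {"objectclass": ["top", "organization"], "o": "oracle"})
    d.add("ou=people,o=oracle", {"objectclass": ["top", "organizationalUnit"], "ou": "people"})
    d.add("ou=others,o=oracle", {"objectclass": ["top", "organizationalUnit"], "ou": "others"})
    d.add("uid=dlin,ou=people,o=oracle", {"objectclass": ["top", "person"], "uid": "dlin"})
    d.add("dc=server1,dc=us,dc=oracle,dc=com", {"objectclass": ["top", "domain"], "dc": "server1"})
    d.add("cn=DavesServer1,o=oracle", {"objectclass": ["top", "alias"],
                                        "aliasedObjectName": "dc=server1,dc=us,dc=oracle,dc=com"})
    # Two aliases pointing at each other: the loop a server must detect.
    d.add("cn=loopA,o=oracle", {"objectclass": ["top", "alias"], "aliasedObjectName": "cn=loopB,o=oracle"})
    d.add("cn=loopB,o=oracle", {"objectclass": ["top", "alias"], "aliasedObjectName": "cn=loopA,o=oracle"})
    return d


def duplicate_uid_accepted(enforce_unique_uid: bool) -> bool:
    """Can uid=dlin be added a second time, under ou=others?"""
    d = build_sample(enforce_unique_uid)
    try:
        d.add("uid=dlin,ou=others,o=oracle", {"objectclass": ["top", "person"], "uid": "dlin"})
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("duplicate uid with DN-only uniqueness:", duplicate_uid_accepted(False))
    print("duplicate uid with uid declared unique:", duplicate_uid_accepted(True))
    print(build_sample(True).dereference("cn=DavesServer1,o=oracle"))
```

The hop limit is as important as the loop check: a long but acyclic alias chain is a cheap way for anyone who can add entries to make every search that dereferences aliases do extra work, so a server should bound the chase rather than only detect repeats.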
</P><A NAME="563361"></A><P CLASS="BP">Enable a single server instance to listen on both non-SSL and SSL ports--In Oracle Internet Directory Release 9.2.0.1.0, a single instance of an Oracle Internet Directory server can listen on both SSL and non-SSL ports. This removes the need to start two separate instances, one listening on the SSL port and the other on the non-SSL port. To enable it, set the attribute <CODE>orclsslenable</CODE> to <CODE>2</CODE> in the configuration set concerned. The default configset (<CODE>configset0</CODE>) is configured with both an SSL port and a non-SSL port, so an attempt to start more than one instance of the Oracle Internet Directory server against this default configset now fails with a "Cannot Bind to port" error in the LDAP server log file. </P><A NAME="563368"></A><P CLASS="BP">Replication configuration enhancements--Oracle directory replication server agreements can now be set up automatically, which simplifies replication server configuration. The replication server now also supports SSL connections to the LDAP server. 
</P><A NAME="563372"></A><!--TOC=h1-"563372"--><H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4&#32; ORACLE INTERNET DIRECTORY SERVER RELEASE 9.2.0.1.0</FONT></H2><!--/TOC=h1--><A NAME="563374"></A><P CLASS="BP">Oracle Internet Directory Release 9.2.0.1.0 includes all of the binaries required to run the directory server, the Oracle Directory Integration Platform, and associated components from an Oracle Home.</P><A NAME="563377"></A><!--TOC=h2-"563377"--><H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.1&#32; Database Compatibility</FONT></H3><!--/TOC=h2--><A NAME="563379"></A><P CLASS="BP">Oracle Internet Directory Release 9.2.0.1.0 is certified against Oracle9i Database Release 2 only.</P><A NAME="563381"></A><!--TOC=h2-"563381"--><H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.2&#32; Client Compatibility</FONT></H3><!--/TOC=h2--><A NAME="563383"></A><P CLASS="BP">Oracle Directory Manager Release 9.2.0.1.0 is certified to work against Oracle Internet Directory Release 9.2.0.1.0 servers. Older versions of Oracle Directory Manager may also function against the new release of the server, but new functionality will not be accessible from these older clients. </P><A NAME="563386"></A>
