Tuesday, February 15, 2011

11g OID Concepts and Architecture - Part 3

How Oracle Internet Directory Processes a Search Request?
  • The user or client issues a search request. The connection may be SSL or non-SSL, and it may be an authenticated connection for a particular user or an anonymous connection. The request can carry search filters.
  • The C API, using the LDAP protocol, sends a request to a directory server instance to connect to the directory.
  • The directory server authenticates the user, a process called binding. The directory server also checks the Access Control Lists (ACLs) to verify that the user is authorized to perform the requested search.
  • The directory server converts the search request from LDAP to Oracle Call Interface (OCI)/Oracle Net Services and sends it to the Oracle Database.
  • The Oracle Database retrieves the information and passes it back through the chain—to the directory server, then to the C API, and, finally, to the client.
Directory Entries

Each object in OID is called an entry. An entry can be a user, a computer, a network resource, and so on.

Distinguished Names (DNs)
  • Each entry in OID is uniquely identified by a distinguished name (DN). The distinguished name tells you exactly where the entry resides in the directory hierarchy.
  • This hierarchy is represented by a directory information tree (DIT).
  • Example DN: cn=Chuck voleti,ou=Server Development,c=ux,o=abcd
  • The lowest (leftmost) component is called the relative distinguished name (RDN).
  • The RDN for the above entry is cn=Chuck voleti
  • To locate a particular entry within the overall DIT, a client uniquely identifies that entry by using the full DN—not simply the RDN—of that
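The DN structure described above, as an added example (not code from the original post or from Oracle Internet Directory): a small RFC 4514-style DN parser that extracts the RDN and walks up the DIT to the entry's parents, using the post's example DN as its input.

```python
"""Parse an LDAP distinguished name (DN) into its RDN components.

Added example; not code from the original post or from Oracle Internet
Directory. It follows the RFC 4514 string form: RDNs are separated by
commas, and a backslash escapes a comma or other special character that
is part of an attribute value. Multi-valued RDNs ('+') are not handled.
"""

def split_dn(dn):
    """Split a DN string into a list of RDN strings, honouring backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair as part of the value
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns

def parse_rdn(rdn):
    """Return (attribute_type, value) for a single RDN such as 'cn=Chuck voleti'."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError("RDN has no '=' separator: %r" % rdn)
    return attr.strip().lower(), value.strip()

def rdn_of(dn):
    """The relative distinguished name: the lowest (leftmost) component of the DN."""
    return split_dn(dn)[0]

def ancestry(dn):
    """DNs on the path from the entry up to the root of the DIT; index 1 is the parent."""
    parts = split_dn(dn)
    return [",".join(parts[i:]) for i in range(len(parts))]

if __name__ == "__main__":
    example = "cn=Chuck voleti,ou=Server Development,c=ux,o=abcd"  # DN from the post
    print(rdn_of(example))
    for ancestor in ancestry(example)[1:]:
        print(ancestor)
```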
Entry Caching
  • OID uses 'entry caching' to make operations on entries quick and efficient.
  • When this feature is enabled, OID assigns a unique identifier to each entry, then stores a specified number of those identifiers in cache memory.
  • During an LDAP operation on an entry, the directory server looks in the cache for the entry identifier, then retrieves the corresponding entry from the directory.
  • This method enhances Oracle Internet Directory performance and is especially useful in small and medium-sized enterprises.
  • Entry caching can be used only in the case of a single server, single instance Oracle Internet Directory node.
  • The entry cache is a write-through cache. An LDAP operation first writes to the database and then invalidates the corresponding cache entry. A subsequent search of that entry causes the cache to be refreshed.
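The write-through behaviour described above, as an added example (not OID's own code): a model in which a modify updates the backing store first and invalidates the cached copy, so the next search of that entry refreshes the cache. A dict stands in for the Oracle Database and the cache capacity is a constructed value; the metadata cache described later in the post follows the same invalidate-on-write rule.

```python
"""Model of the write-through entry cache described above.

Added example; not OID's own code. A dict stands in for the Oracle
Database, and the cache holds at most `capacity` entry identifiers (the
post says a specified number of identifiers is cached). The metadata
cache described later in the post has the same invalidate-on-write rule.
"""
from collections import OrderedDict

class EntryCache:
    def __init__(self, database, capacity=2):
        self.db = database                  # dn -> attribute dict (authoritative store)
        self.capacity = capacity
        self.cache = OrderedDict()          # entry id -> attribute dict, least recent first
        self.ids = {dn: i for i, dn in enumerate(sorted(database))}  # unique id per entry
        self.db_reads = 0                   # counts round trips to the database

    def search(self, dn):
        """Serve from cache when the entry id is cached; otherwise read the database and refresh."""
        eid = self.ids[dn]
        if eid in self.cache:
            self.cache.move_to_end(eid)
            return dict(self.cache[eid])
        self.db_reads += 1
        entry = dict(self.db[dn])
        self.cache[eid] = entry
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)   # evict the least recently used identifier
        return dict(entry)

    def modify(self, dn, attr, value):
        """Write-through: the database is updated first, then the cached copy is invalidated."""
        self.db[dn][attr] = value
        self.cache.pop(self.ids[dn], None)   # the next search of this entry refreshes the cache

    def cached_dns(self):
        """DNs whose identifiers are currently in the cache."""
        return [dn for dn, eid in self.ids.items() if eid in self.cache]
```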
Attributes
  • Each entry in OID has multiple attributes, which provide information about the entry.
  • Attributes are of two kinds: application attributes and system configuration attributes.
  • Application attributes contain customizable information such as name, address, and so on.
  • System configuration attributes are managed by the directory server for its own operation.
  • Attributes can be single valued or multivalued.
Object Classes
  • An object class is a group of attributes that define the structure of an entry.
  • Each entry in the directory has one or more object classes associated with it.
  • Some of the attributes in these object classes are mandatory and must have values; others are optional and can be empty.
  • There are three types of object classes: structural, auxiliary and abstract.
  • Structural object classes describe the basic aspects of an object. Every entry should belong to at least one structural object class. Examples of structural object classes are person and groupOfNames.
  • Auxiliary object classes are groupings of optional attributes that expand the existing list of attributes in an entry.
  • An abstract object class is a virtual object class. It is used only for convenience when specifying the highest levels of the object class hierarchy. It cannot be the only object class for an entry. For example, the object class top is an abstract object class. It is required as a superclass for all structural object classes, but it cannot be used alone.
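The object class rules above, as an added example (not code from the original post or from OID): a validator that rejects an entry whose only class is the abstract class top, enforces mandatory attributes inherited through the superior chain, and rejects attributes no class permits. The SCHEMA table is a constructed toy subset whose attribute lists are illustrative, not OID's real schema.

```python
"""Check an entry against the object classes it claims.

Added example; not code from the original post or from OID. SCHEMA is a
constructed toy subset: 'top' (abstract), 'person' and 'groupOfNames'
(structural) and 'orclprivilegegroup' (auxiliary). The attribute lists are
illustrative, not OID's real schema definitions.
"""

# name -> (kind, superior class, mandatory attributes, optional attributes)
SCHEMA = {
    "top":                ("abstract",   None,  {"objectclass"},  set()),
    "person":             ("structural", "top", {"cn", "sn"},     {"userpassword", "telephonenumber"}),
    "groupofnames":       ("structural", "top", {"cn", "member"}, {"description", "owner"}),
    "orclprivilegegroup": ("auxiliary",  "top", set(),            {"description"}),
}

def validate_entry(entry):
    """Return the list of schema violations; an empty list means the entry is valid.

    entry: dict of lowercase attribute name -> list of values, including 'objectclass'.
    """
    problems = []
    kinds = {}
    for c in (c.lower() for c in entry.get("objectclass", [])):
        if c in SCHEMA:
            kinds[c] = SCHEMA[c][0]
        else:
            problems.append("unknown object class %r" % c)
    # Every entry needs a structural class; an abstract class such as 'top' cannot stand alone.
    if "structural" not in kinds.values():
        problems.append("entry has no structural object class")
    # Walk each class's superior chain so inherited mandatory/optional attributes count too.
    mandatory, allowed = set(), set()
    for c in kinds:
        while c is not None:
            _kind, superior, must, may = SCHEMA[c]
            mandatory |= must
            allowed |= must | may
            c = superior
    for attr in sorted(mandatory):
        if not entry.get(attr):
            problems.append("mandatory attribute %r is missing or empty" % attr)
    for attr in sorted(entry):
        if attr not in allowed:
            problems.append("attribute %r not permitted by the entry's object classes" % attr)
    return problems
```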

11g OID Concepts and Architecture - Part 2

Oracle Directory Server Instance Architecture
  • An Oracle Directory Server instance (OID instance) contains one dispatcher process and one or more server processes.
  • LDAP clients send LDAP requests to an Oracle Internet Directory listener/dispatcher process listening for LDAP commands at its port.
  • Oracle Internet Directory listener/dispatcher starts the server process at startup time.
  • The number of server processes is controlled by the 'orclserverprocs' attribute in the instance-specific configuration entry. The default value for orclserverprocs is 1.
  • Multiple server processes can be used to let Oracle Internet Directory take advantage of multiprocessor systems.
  • The Oracle Internet Directory dispatcher process sends the LDAP connections to the Oracle Internet Directory server process in a round robin fashion.
  • The maximum number of LDAP connections accepted by each server is 1024 by default. This number can be increased by changing the attribute orclmaxldapconns in the instance-specific configuration entry, which has a DN of the form: cn=componentname,cn=osdldapd,cn=subconfigsubentry

A sample status listing for an ORACLE_INSTANCE with two OID components, oid1 and oid2. Each component shows its oidmon process and two oidldapd processes (the dispatcher plus one server process, matching the default orclserverprocs of 1); oid2 listens on ports 3061/3132 rather than the defaults 3060/3131 used by oid1.

Processes in Instance: ORACLE_INSTANCE
---------------------------------+--------------------+---------+----------+----------------------
ias-component                    | process            |     pid | status   | ports
---------------------------------+--------------------+---------+----------+----------------------
oid2                             | oidldapd           |   18724 | Alive    | N/A
oid2                             | oidldapd           |   18713 | Alive    | N/A
oid2                             | oidmon             |   18679 | Alive    | LDAPS:3132,LDAP:3061
oid1                             | oidldapd           |   18720 | Alive    | N/A
oid1                             | oidldapd           |   18701 | Alive    | N/A
oid1                             | oidmon             |   18678 | Alive    | LDAPS:3131,LDAP:3060
EMAGENT                          | EMAGENT            |   18680 | Alive    | N/A

Oracle Internet Directory Ports

The default OID ports are 3060 for non-SSL and 3131 for SSL. If these ports are unavailable, the installer tries ports in the range 3061 to 3070, then 13060 to 13070.

Directory Metadata

Directory metadata is the information used by the directory server at run time for processing LDAP requests. It is stored in the Oracle Database. During startup, the directory server reads this information and stores it in a local metadata cache, which it then uses at run time to process incoming LDAP operation requests.

Metadata cache
  • The metadata cache is a write-through cache.
  • An LDAP operation first writes to the database and then invalidates the corresponding cache entry.
  • A subsequent search of that entry causes the cache to be refreshed.
  • The directory server has the following types of metadata in its local metadata cache:
Directory Schema

The schema consists of definitions of the object classes, attributes, and matching rules supported by the directory server. The directory server uses this information during creation and modification of directory objects. A directory object is a collection of object classes and their associated attributes and matching rules.

Access control policy point (ACP)

An ACP contains access control information. The directory server uses ACPs to determine a user's access rights when performing an LDAP operation.

Root DSE entry

The root DSE (Directory Service Agent-Specific Entry) contains several attributes that store information about the directory server itself.

Privilege groups
  • Groups that can be used in access control policies.
  • The directory schema supports directory group objects through the standard groupofuniquenames and groupofnames object classes. These object classes hold information for such groups as distribution lists and mailing lists to mention just two.
  • Oracle Internet Directory extends these standard group objects through an auxiliary object class called orclprivilegegroup.
  • This object class, which supports privilege groups that can be used in access control policies, provides flexibility to grant or deny access to groups of users.
  • The directory server uses this information during LDAP bind operations, to find out the privilege groups a given user belongs to, and during access control policy evaluation, if the policy has directives that grant or deny access to privilege groups.

Catalog entry

A special entry containing information about indexed attributes in the underlying database. The directory uses this information during directory search operations.

Common entry

A special entry containing information about hosted companies. A hosted company is an enterprise to which another enterprise provides services.

Plug-in entry

A special entry containing information about the kind of operation that triggers a plug-in event, and the point in the operation when that plug-in is to be triggered.

Password verifier entry

A special entry containing information about the encryption and verifier attribute types.

Password policy entry

One or more special entries containing information about policies enforced by the directory server for the user password credentials. The directory server uses this information during run time to enforce the password policies.

11g OID Concepts and Architecture - Part 1

Components of Oracle Internet Directory(11g)
  • Oracle directory server, which processes client requests.
  • Oracle directory replication server, which replicates Directory data between Oracle directory servers.
  • Directory administration tools.
  • Oracle Internet Directory Software Developer's Kit.
Oracle Internet Directory Architecture
  • Oracle Internet Directory Node
  • Oracle Directory Server Instance
  • Oracle Internet Directory Ports
  • Directory Metadata



OID NODE

An OID node contains one or more directory server instances connected to the same directory store, that is, the same Oracle Database.

OID instance
  • It services directory requests through a single Oracle Internet Directory dispatcher process listening at specific TCP/IP ports (the default port is 3060).
  • There can be more than one directory server instance on a node, listening on different ports.
Oracle directory replication server
  • The replication server tracks and sends changes to replication servers in another Oracle Internet Directory. There can be only one replication server on a node.
Oracle Database Server
  • It stores the directory data. The database can reside on the same node as the directory server instances.
Oracle Process Manager and Notification Server (OPMN)
  • OPMN manages Oracle Fusion Middleware system components. OID, being a system component, is managed by OPMN.
  • OPMN configuration information is stored in $ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml.
  • OPMN invokes OIDMON and OIDCTL during startup and shutdown of OID.
OID Monitor (OIDMON)
  • It initiates, monitors, and terminates the LDAP server and replication server processes.
  • OIDMON monitors directory servers and restarts them if they have stopped for abnormal reasons.
  • OIDMON starts a default instance of OIDLDAPD (the dispatcher process). If the default instance of OIDLDAPD is stopped using the OIDCTL command, then OIDMON stops the instance. However, when OIDMON is restarted by OPMN, OIDMON restarts the default instance.
  • All OID Monitor activity is logged in the file ORACLE_INSTANCE/diagnostics/logs/OID/Component_Name/oidmon-xxxx.log.

OID Control Utility (OIDCTL)
  • It communicates with OID Monitor by placing message data in Oracle Internet Directory server tables. This message data includes the configuration parameters required to run each Oracle directory server instance.
  • OIDCTL is mainly used to stop and start the replication server. OIDCTL is also used for checking the status of Oracle Internet Directory.


Monday, February 14, 2011

Understanding 11g Fusion Middleware Concepts

Before moving to 11g OID concepts, one should understand 11g FMW concepts. Read 11g FMW concepts first.

Oracle Internet Directory is a system component. OID is a C-based process. OID's runtime dependency is the database, and it does not require WebLogic Server. OID is managed by Oracle Process Management and Notification Server (OPMN). To manage OID through the FMW management framework, i.e. Fusion Middleware Control, OID must be registered with WebLogic Server.

OID can be registered with WebLogic Server during installation or from the command line after installation. The Internet Directory installer offers options such as Create New Domain, Extend Existing Domain, Expand Cluster, and Configure Without Domain. We will look into each of these options in detail in the installation section.



Directory Services Basic Concepts


What is a Directory?

A directory is a collection of hierarchically organized objects. Objects in a directory have similar attributes; a telephone directory or a store catalog are examples. Directories can be online or offline.

What is Lightweight Directory Access Protocol (LDAP)?

LDAP is a standard, extensible directory access protocol that directory clients and servers use to communicate.

What is Oracle Internet Directory?

Oracle Internet Directory is a general purpose, LDAP V3 compliant directory service that provides faster retrieval and centralized management of information about dispersed resources.

Oracle Internet Directory provides scalability, high availability, security, and tight integration with the Oracle environment.



Learning Series: 11g Oracle Internet Directory (OID) (for beginners and 10g AS administrators)


11g OID Concepts (for beginners and 10g AS administrators). In this series, I will discuss the following topics:
  • Directory Services Basic Concepts.
  • Understanding 11g Fusion Middleware Concepts.
  • 11g OID Concepts and Architecture.
  • Installing 11g Oracle Internet Directory.
  • Starting and Stopping OID
  • Managing OID through Oracle Process Manager and Notification Server (OPMN).
  • Creating Multiple OID Instances using OPMN.
  • Registering OID with Weblogic Server.
  • Oracle Directory Services Manager(ODSM).
  • Configuring SSL for OID.
  • Configuring Directory Integration and Provisioning server(DIP).
  • Configuring Replication Server.
  • Oracle Virtual Directory.
  • Oracle Identity Federation.
  • Oracle Identity Management Suite.

Sunday, October 24, 2010

RECAP : WLS Basic Concepts

Let's revisit WLS Basic concepts:

  • The basic administrative unit for WLS is called a DOMAIN. It's just a logical unit.
  • A domain is a logically related group of WebLogic Server resources that you manage as a unit.
  • Each domain includes only one WebLogic Server instance called the ADMINISTRATION SERVER. The admin server is the single point of contact (SPOC) for all instances running in that domain and for system administration.
  • A domain may also include additional WLS instances called MANAGED SERVERS. Within a domain, some or all of the managed servers may be part of a cluster.
  • A Managed Server can also function as a virtual host.
  • A CLUSTER is a group of WebLogic Server instances that work together to provide scalability and high-availability for applications.
  • A Managed Server in a cluster can act as a backup for services such as JMS and JTA that are hosted on another server instance in the cluster.
  • All applications are also deployed and managed as part of a domain.
  • There are two startup modes available for domains, i.e. DEVELOPMENT or PRODUCTION.
  • As the name suggests, development mode is used while developing applications. Development mode uses a relaxed security configuration and has an auto-deploy option for application deployment.
  • Production mode is used when the application is running in its final form.
  • Startup mode details are stored in the config.xml file.