Tuesday, February 15, 2011

11g OID Concepts and Architecture - Part 2

Oracle Directory Server Instance Architecture
  • Oracle Directory Server instance or OID Instance contains one dispatcher process and one or more server processes.
  • LDAP clients send LDAP requests to an Oracle Internet Directory listener/dispatcher process listening for LDAP commands at its port.
  • Oracle Internet Directory listener/dispatcher starts the server process at startup time.
  • The number of server processes is controlled by the 'orclserverprocs' attribute in the instance-specific configuration entry. The default value for orclserverprocs is 1.
  • Multiple server processes can be used to enable Oracle Internet Directory to leverage the multiple processor systems.
  • The Oracle Internet Directory dispatcher process sends the LDAP connections to the Oracle Internet Directory server process in a round robin fashion.
  • The maximum number of LDAP connections accepted by each server is 1024 by default. This number can be increased by changing the attribute orclmaxldapconns in the instance-specific configuration entry, which has a DN of the form: cn=componentname,cn=osdldapd,cn=subconfigsubentry

Processes in Instance: ORACLE_INSTANCE
---------------+--------------------+---------
ias-component|process |pid | status |ports
---------------+--------------------+---------
oid2 | oidldapd |18724 | Alive | N/A
oid2 | oidldapd |18713 | Alive | N/A
oid2 | oidmon |18679 | Alive | LDAPS:3132,LDAP:3061
oid1 | oidldapd |18720 | Alive | N/A
oid1 | oidldapd |18701 | Alive | N/A
oid1 | oidmon |18678 | Alive | LDAPS:3131,LDAP:3060
EMAGENT | EMAGENT |18680 | Alive | N/A
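To put the process and connection figures above to use, here is an added example (not code from the original post) that parses an opmnctl status listing like the one shown, counts live oidldapd processes per OID component, reports which LDAP/LDAPS ports each component exposes, and derives the connection ceiling as server processes times orclmaxldapconns (default 1024). It assumes that one oidldapd process per component is the dispatcher and the remaining ones are server processes; the sample listing is constructed from the table above.

```python
from collections import defaultdict
# Constructed sample input: the opmnctl status listing shown on this page.
SAMPLE_STATUS = """\
Processes in Instance: ORACLE_INSTANCE
---------------+--------------------+---------
ias-component|process |pid | status |ports
---------------+--------------------+---------
oid2 | oidldapd |18724 | Alive | N/A
oid2 | oidldapd |18713 | Alive | N/A
oid2 | oidmon |18679 | Alive | LDAPS:3132,LDAP:3061
oid1 | oidldapd |18720 | Alive | N/A
oid1 | oidldapd |18701 | Alive | N/A
oid1 | oidmon |18678 | Alive | LDAPS:3131,LDAP:3060
EMAGENT | EMAGENT |18680 | Alive | N/A
"""

DEFAULT_MAX_LDAP_CONNS = 1024  # default orclmaxldapconns per server process

def parse_status(text):
    """Turn the pipe-separated rows into dicts; skip title, header and rules."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or not parts[2].isdigit():
            continue
        ports = {}  # ports are only reported on the oidmon row
        if parts[4] != "N/A":
            ports = {n: int(p) for n, p in (i.split(":") for i in parts[4].split(","))}
        rows.append({"component": parts[0], "process": parts[1],
                     "pid": int(parts[2]), "status": parts[3], "ports": ports})
    return rows

def summarize_oid(text, max_ldap_conns=DEFAULT_MAX_LDAP_CONNS):
    """Per OID component: ports, server process count and connection ceiling.
    Assumption: one oidldapd per component is the dispatcher, the rest serve."""
    comps = defaultdict(lambda: {"ports": {}, "oidldapd": 0})
    for row in parse_status(text):
        if row["process"] == "oidmon":
            comps[row["component"]]["ports"] = row["ports"]
        elif row["process"] == "oidldapd" and row["status"] == "Alive":
            comps[row["component"]]["oidldapd"] += 1
    result = {}
    for name, c in comps.items():
        if c["oidldapd"] == 0:
            continue  # not an OID LDAP component (e.g. EMAGENT)
        servers = c["oidldapd"] - 1
        result[name] = {"ports": c["ports"], "server_procs": servers,
                        "max_conns": servers * max_ldap_conns,
                        "plain_ldap": "LDAP" in c["ports"]}  # non-SSL listener
    return result
```

The plain_ldap flag makes it easy to spot components still accepting non-SSL LDAP connections, and comparing server_procs against the configured orclserverprocs value confirms the instance started the expected number of server processes.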

Oracle Internet Directory Ports

The default OID ports are 3060 for non-SSL LDAP and 3131 for SSL (LDAPS). If these ports are unavailable, the installer tries ports in the range 3061 to 3070, then 13060 to 13070.

Directory Metadata

Directory metadata is the information used by the directory server at run time for processing LDAP requests. It is stored in the Oracle database. During startup, the directory server reads this information and stores it in a local metadata cache. It then uses this cache at run time to process incoming LDAP operation requests.

Metadata cache
  • The metadata cache is a write-through cache.
  • An LDAP operation first writes to the database and then invalidates the corresponding cache entry.
  • A subsequent search of that entry causes the cache to be refreshed.
  • The directory server has the following types of metadata in its local metadata cache:
Directory Schema

The schema consists of the definitions of object classes, attributes, and matching rules supported by the directory server. The directory server uses this information during creation and modification of directory objects. A directory object is a collection of object classes and their associated attributes and matching rules.

Access control policy point (ACP)

An ACP contains access control information. The directory server uses ACPs to determine what access a user has when performing an LDAP operation.

Root DSE entry

The root DSE (Directory Service Agent-Specific Entry) contains several attributes that store information about the directory server itself.

Privilege groups
  • Groups that can be used in access control policies.
  • The directory schema supports directory group objects through the standard groupofuniquenames and groupofnames object classes. These object classes hold information for such groups as distribution lists and mailing lists to mention just two.
  • Oracle Internet Directory extends these standard group objects through an auxiliary object class called orclprivilegegroup.
  • This object class, which supports privilege groups that can be used in access control policies, provides flexibility to grant or deny access to groups of users.
  • The directory server uses this information during LDAP bind operations, to find out the privilege groups a given user is subscribed to, and during access control policy evaluation, if the policy has directives that grant or deny access to privilege groups.

Catalog entry

A special entry containing information about indexed attributes in the underlying database. The directory uses this information during directory search operations.

Common entry

A special entry containing information about hosted companies. A hosted company is an enterprise to which another enterprise provides services.

Plug-in entry

A special entry containing information about the kind of operation that triggers a plug-in event, and the point in the operation when that plug-in is to be triggered.

Password verifier entry

A special entry containing information about the encryption and verifier attribute types.

Password policy entry

One or more special entries containing information about policies enforced by the directory server for the user password credentials. The directory server uses this information during run time to enforce the password policies.
