TRANSCRIPT
Nsure Identity Manager & Oracle Internet Directory
Michel Bluteau
Field Corporate Strategist, Nsure Identity Management
Novell Québec
© 12 May 2004 Novell Inc, Confidential & Proprietary
Driver for Oracle 10g OID
• Required privileges for driver
• Mandatory classes for
  – OID
  – Enterprise User
  – Enterprise Role
• Required ACLs for the changelog
Oracle Internet Directory
• OID is an application that runs off Oracle
• OID clients use LDAP
• OID uses Oracle Net to communicate with Database servers
Oracle Internet Directory: Oracle Directory Manager
Oracle Internet Directory: Communication
Oracle Advanced Security uses OID for
- Storing the password for a centralized user that can have access to more than one Database server
- Centrally storing and assigning privileges
- Integration of VPD (Virtual Private Database) and Row Label Security
- With 10g, synchronization of the attributes userPassword (SSO) and orclPassword (DB)
- OID can leverage RAS and RAC for high availability in an Oracle bubble (many DB servers)
Driver for Oracle OID
• Bi-directional sync for data
• Uni-directional sync for the password
  – From eDirectory to OID
• No customization required (versus JDBC)
Driver User: Select cn=orcladmin
Choose Create Like, create meta
Modify cn, sn, uid and userPassword
Result: cn=meta
Under cn=OracleContext, cn=Groups
Add to cn=OracleSuperAdminGroup
Add to cn=OracleUserSecurityAdmin
Add to cn=Common User Attributes
Add to cn=OracleContextAdmins
Add to required DAS groups
After adding meta to groups
- meta can create users and groups via oidadmin
- but cannot do so via LDAP with ldapadd or the DirXML driver
See: http://download-east.oracle.com/docs/cd/B10464_02/manage.904/b12118/priv_de3.htm
After adding meta to groups
- Provide meta with the required ACLs for cn=Users and cn=Groups (under dc=novl,dc=ca).
See: http://download-east.oracle.com/docs/cd/B10464_02/manage.904/b12118/access2.htm#1059039
Required privileges for changelog
The ACLs for the changelog MUST be modified to allow meta access to the changelog.
Under Access Control Management
Add meta, via Create Like
Add meta, result
Classes required for OID
- User requires the following classes:
  • inetOrgPerson
  • orclUserV2
  • orclUser (optional)
- Group (dynamicGroup) requires the following classes:
  • groupOfUniqueNames
  • orclGroup
  • the displayname attribute is mandatory
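A constructed pre-flight check, added here and not part of the Novell driver or Oracle's tooling, that applies the class rules above to an LDIF file before it is handed to ldapadd or the driver as meta, so an add does not fail on a missing mandatory class. The entries (jdoe, legacyuser, dbadmins) are sample data under the dc=novl,dc=ca base from the deck; treating any entry that carries a group class as a group and everything else as a user is an assumption of this check, not something the slide states.

```python
# Constructed pre-flight check, not Novell's driver code: verifies that entries
# about to be added to OID carry the classes the slide lists. The LDIF is sample data.
USER_REQUIRED = {"inetorgperson", "orcluserv2"}          # orclUser is optional
GROUP_REQUIRED = {"groupofuniquenames", "orclgroup"}
GROUP_REQUIRED_ATTRS = {"displayname"}                    # mandatory for groups

SAMPLE_LDIF = """\
dn: cn=jdoe,cn=Users,dc=novl,dc=ca
objectClass: inetOrgPerson
objectClass: orclUserV2
cn: jdoe
sn: Doe

dn: cn=legacyuser,cn=Users,dc=novl,dc=ca
objectClass: inetOrgPerson
cn: legacyuser

dn: cn=dbadmins,cn=Groups,dc=novl,dc=ca
objectClass: groupOfUniqueNames
objectClass: orclGroup
uniqueMember: cn=jdoe,cn=Users,dc=novl,dc=ca
"""

def parse_ldif(text):
    """Minimal LDIF parser: list of {attr_lower: [values]} with continuation lines."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last record
        if raw.startswith(" ") and last:        # continuation of the previous value
            current[last][-1] += raw[1:]
        elif raw.strip():
            last, _, value = raw.partition(":")
            last = last.strip().lower()
            current.setdefault(last, []).append(value.strip())
        elif current:                           # blank line ends a record
            entries.append(current)
            current, last = {}, None
    return entries

def missing_for_oid(entry):
    """Set of missing classes/attributes for one entry; empty when OID-ready."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if classes & GROUP_REQUIRED:                # any group class present: group entry (assumption)
        missing = {"objectClass:" + c for c in GROUP_REQUIRED - classes}
        missing |= {"attribute:" + a for a in GROUP_REQUIRED_ATTRS - set(entry)}
    else:                                       # otherwise treat it as a user entry
        missing = {"objectClass:" + c for c in USER_REQUIRED - classes}
    return missing

def check_ldif(text):  # DN -> problems; an empty dict means every entry is OID-ready
    return {e["dn"][0]: m for e in parse_ldif(text) if (m := missing_for_oid(e))}
```

Running check_ldif(SAMPLE_LDIF) flags legacyuser for the missing orclUserV2 class and dbadmins for the missing displayname attribute, while jdoe passes.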