We have been working with Oracle Internet Directory (OID) lately and thought we would capture some notes on things we have run into that seem worth noting.

Background on Oracle's Internet Directory

Oracle's Internet Directory and Oracle Databases

The client, which is typical of many organizations, has some 200 Oracle database instances throughout their organization. Each database contains a separate user credential store, so a user who used 100 of these instances would have 100 credentials with separate passwords, with or without any password controls.

Oracle's Internet Directory is Oracle's mechanism for solving this. A user is created in OID and assigned to an "Enterprise Role", and the Enterprise Role is granted the database access desired for it (in each participating database the enterprise role is mapped to a global role defined there).

This lets the OID administrator assign users to Enterprise Roles that grant whatever level of access is desired to any of the database instances.

The client has an existing LDAP directory, Novell's eDirectory, that is used to provide SSO to their AD, NetWare and some other applications using LDAP. However, we know of no method that allows the Oracle database instances to use any LDAP server other than OID. See Why you need OID. (Coming soon)

Interesting Information on OID

We wanted to document some things we feel are anomalies. These are based on our experience and are not intended to say that Oracle or any other vendor is right or wrong; we just thought they were worth noting.

InetOrgPerson

There seem to be some attributes that are usually present in the inetOrgPerson class (as defined in RFC 2798) that OID does not provide.
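The quickest way to see which standard attributes a directory's inetOrgPerson lacks is to pull the objectClass definition from its subschema subentry and diff its MAY list against RFC 2798. The script below is an added example (not from the original page and not Oracle's code): the objectClass string it checks is a constructed sample in RFC 4512 syntax that deliberately omits a few attributes, so that the check has something to report; it is not OID's actual schema. Against a live server you would fetch the real definition with something like `ldapsearch -x -H ldap://oid-host:3060 -b cn=subschemasubentry -s base objectClasses` (host and port are assumptions) and pass the inetOrgPerson line to check_inetorgperson().

```python
"""Compare a server's inetOrgPerson objectClass with RFC 2798.

Added example, not from the original page. SAMPLE_OBJECTCLASS is a constructed
schema line (RFC 4512 syntax) with a few attributes left out on purpose.
"""
import re

# RFC 2798, section 2: the MAY list of inetOrgPerson as standardised.
RFC2798_INETORGPERSON_MAY = {
    "audio", "businessCategory", "carLicense", "departmentNumber", "displayName",
    "employeeNumber", "employeeType", "givenName", "homePhone", "homePostalAddress",
    "initials", "jpegPhoto", "labeledURI", "mail", "manager", "mobile", "o", "pager",
    "photo", "roomNumber", "secretary", "uid", "userCertificate",
    "x500uniqueIdentifier", "preferredLanguage", "userSMIMECertificate", "userPKCS12",
}

# Constructed sample of a server's definition (NOT OID's real schema): labeledURI,
# x500uniqueIdentifier, userSMIMECertificate and userPKCS12 are missing.
SAMPLE_OBJECTCLASS = (
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ "
    "displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ "
    "homePostalAddress $ initials $ jpegPhoto $ mail $ manager $ mobile $ o $ "
    "pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ "
    "preferredLanguage ) )"
)


def parse_attribute_list(definition, keyword):
    """Return the attribute names in the MUST or MAY clause of an RFC 4512
    objectClass definition. Handles both '( a $ b )' lists and a single bare name."""
    m = re.search(rf"\b{keyword}\s+(\(\s*([^)]*)\)|(\S+))", definition)
    if not m:
        return set()
    body = m.group(2) if m.group(2) is not None else m.group(3)
    return {name.strip() for name in body.split("$") if name.strip()}


def check_inetorgperson(definition):
    """Return (missing, extra): RFC 2798 attributes the server omits, and
    server attributes RFC 2798 does not list (vendor additions).
    Attribute names are compared case-insensitively, as LDAP requires."""
    served = {a.lower(): a for a in parse_attribute_list(definition, "MAY")}
    rfc = {a.lower(): a for a in RFC2798_INETORGPERSON_MAY}
    missing = sorted(rfc[a] for a in rfc if a not in served)
    extra = sorted(served[a] for a in served if a not in rfc)
    return missing, extra


if __name__ == "__main__":
    missing, extra = check_inetorgperson(SAMPLE_OBJECTCLASS)
    print("RFC 2798 attributes absent from this schema:", missing)
    print("Attributes not listed in RFC 2798:", extra)
```

A real schema will usually show an "extra" list too (vendor attributes added to the class); the "missing" list is the one that matters when a help desk tool or a migration script assumes the standard attribute set is present.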

Dynamic Groups

OrganizationalUnit vs orclContainer

We noticed that by default, when creating containers in OID from the provided administration tool, containers are created as orclContainer and not the "normal" organizationalUnit. Since our client wanted the help desk to be able to use their existing tools to look at and make some changes in OID, we wanted to use the more common organizationalUnit.

We started a thread in Oracle's news group to find out whether we could use organizationalUnit.

We also put a request in with the client's Oracle support team. They said it was not an issue.

However, they were against us putting the groups and users in the same OU structure. They had seen issues when this was done: the "Enterprise Users" could not authenticate if the users and groups were mixed. I think it is a rights thing, but if they do not know, who would?

From the news forum, it appears that it will work, but there may be some ties if the client wants to use Oracle's SSO product in the future.
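Both points above (which container class was used, and whether users and groups ended up under the same container) are easy to audit from an LDIF export before Enterprise User logins start failing. The script below is an added example, not from the original page or from Oracle: it reads an LDIF export, records each container's objectClass, and flags containers that hold both user and group entries. The LDIF is a constructed sample; the object classes it treats as "user" (inetOrgPerson, person) and "group" (groupOfUniqueNames, groupOfNames, orclGroup) are assumptions for the sample, not a statement of OID's schema, and the export itself would normally come from OID's ldifwrite tool.

```python
"""Audit an LDIF export for container class and mixed user/group containers.

Added example, not from the original page. SAMPLE_LDIF is constructed data.
"""

SAMPLE_LDIF = """\
dn: cn=Users,dc=example,dc=com
objectClass: top
objectClass: orclContainer
cn: Users

dn: cn=jsmith,cn=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: jsmith
sn: Smith
uid: jsmith

dn: cn=dba-all,cn=Users,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: dba-all
uniqueMember: cn=jsmith,cn=Users,dc=example,dc=com

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=adoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
cn: adoe
sn: Doe

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: cn=hr-readers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: hr-readers
uniqueMember: cn=adoe,ou=People,dc=example,dc=com
"""

# Assumed class sets for the sample (lower-cased; LDAP class names are case-insensitive).
USER_CLASSES = {"inetorgperson", "person"}
GROUP_CLASSES = {"groupofuniquenames", "groupofnames", "orclgroup"}
CONTAINER_CLASSES = {"organizationalunit", "orclcontainer"}


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lower: [values]}}.
    Covers the subset used here (no base64 values, no continuation lines)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def parent_dn(dn):
    """Parent of an unescaped DN: 'cn=a,ou=b,dc=c' -> 'ou=b,dc=c'."""
    return dn.split(",", 1)[1] if "," in dn else ""


def audit_containers(ldif_text):
    """Return {container_dn: {"class", "users", "groups", "mixed"}} for every
    organizationalUnit / orclContainer entry in the export."""
    entries = parse_ldif(ldif_text)
    report = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if classes & CONTAINER_CLASSES:
            kind = "organizationalUnit" if "organizationalunit" in classes else "orclContainer"
            report[dn] = {"class": kind, "users": 0, "groups": 0}
    for dn, attrs in entries.items():           # count direct children by type
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        parent = parent_dn(dn)
        if parent not in report:
            continue
        if classes & GROUP_CLASSES:
            report[parent]["groups"] += 1
        elif classes & USER_CLASSES:
            report[parent]["users"] += 1
    for info in report.values():
        info["mixed"] = info["users"] > 0 and info["groups"] > 0
    return report


if __name__ == "__main__":
    for dn, info in audit_containers(SAMPLE_LDIF).items():
        flag = "MIXED users+groups" if info["mixed"] else "ok"
        print(f"{dn}: {info['class']}, users={info['users']}, groups={info['groups']} -> {flag}")
```

In the sample, cn=Users is the layout Oracle support warned about (an orclContainer holding both a user and a group), while ou=People and ou=Groups are the separated, organizationalUnit-based layout the help desk tools expect.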

Intruder Detection

Account Disable

Identity Manager and OID

This page (revision-3) was last changed on 24-May-2008 09:26 by -jim