Introducing Oracle Internet Directory

Michael P. Mesaros, Oracle Corporation

Introduction

Directory services have emerged as a key enabling technology for enterprise and internet computing. For the enterprise, directory services hold the promise of improving the manageability of the network infrastructure by combining a number of repositories of information such as user credentials, user access privileges, and network and device configuration parameters. For the internet, directory services promise to enable the creation of seamless worldwide directories of information such as email addresses and digital certificate information. In fact, as enterprises begin to engage in the world of e-commerce, and as companies begin to appreciate the value of making some of their directory information available on intranets and extranets, the distinction between enterprise and internet applications for directory services begins to blur.

What is a Directory Service?

Directory services are actually special-purpose databases, designed to hold a wide variety of information about people, network devices, resources, and other objects. To further describe directory services, we offer the following definition:
"A directory service is a flexible, special-purpose distributed database designed to enable the storage and retrieval of entry-oriented information for a wide range of applications"
This definition reveals some important differences between a directory service and a relational database:

Some of the key differences between a relational database and a directory service are shown in Table 1. The bottom line is while both are examples of database technology, relational databases and directory services have very different design centers. This poses a daunting challenge for vendors and customers seeking to bridge the gap between these two technologies.

Table 1: Key differences between relational database and directory service technologies.

Relational databases                    | Directory services
----------------------------------------+-------------------------------------
Table-oriented                          | Entry-oriented
Location-specific data (e.g. a table)   | Global data
May require distributed access          | Usually requires distributed access
Application-consistent naming policies  | Globally consistent naming policies
Low access-to-update ratio              | High access-to-update ratio
Performance emphasis on transactions    | Performance emphasis on retrieval
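To make the "entry-oriented" and "globally consistent naming" rows of Table 1 concrete, the following added example (not code from Oracle or from this paper) builds a tiny in-memory directory. It parses LDIF, the text interchange format of the LDAP standard introduced later in the paper, indexes each entry by its distinguished name (DN), and answers base, one-level and subtree searches with an equality filter. The sample LDIF is constructed for the example; the DN handling is simplified (escaped commas inside values are not supported).

```python
"""Entry-oriented storage, as an LDAP directory sees it (added example)."""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]   # attribute name (lower-cased) -> list of values

# Constructed sample directory: an organization, one container, two people.
SAMPLE_LDIF = """\
dn: o=example
objectclass: organization
o: example

dn: ou=people,o=example
objectclass: organizationalUnit
ou: people

dn: cn=Ann Lee,ou=people,o=example
objectclass: person
cn: Ann Lee
mail: ann.lee@example.com
telephoneNumber: +1 555 0101

dn: cn=Bob Roy,ou=people,o=example
objectclass: person
cn: Bob Roy
mail: bob.roy@example.com
"""


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: lower-case, no space around commas.
    (Escaped commas inside values are not handled, to keep the example short.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse blank-line-separated LDIF records into {normalized DN: entry}."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn: Optional[str] = None
    for line in unfolded + [""]:                   # sentinel flushes the last record
        if line == "":
            if dn is not None:
                entries[normalize_dn(dn)] = current
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def search(entries: Dict[str, Entry], base: str, scope: str,
           filt: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return the DNs within `scope` of `base` ('base', 'one' or 'sub') that
    satisfy an optional equality filter (attribute, value), case-insensitively."""
    base = normalize_dn(base)
    hits: List[str] = []
    for dn, entry in entries.items():
        if scope == "base":
            in_scope = dn == base
        elif scope == "one":
            below = dn.endswith("," + base)
            in_scope = below and "," not in dn[: -len(base) - 1]   # exactly one level down
        elif scope == "sub":
            in_scope = dn == base or dn.endswith("," + base)
        else:
            raise ValueError("scope must be 'base', 'one' or 'sub'")
        if not in_scope:
            continue
        if filt is not None:
            attr, value = filt
            values = [v.lower() for v in entry.get(attr.lower(), [])]
            if value.lower() not in values:
                continue
        hits.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn in search(directory, "o=example", "sub", ("objectclass", "person")):
        print(dn, directory[dn]["mail"])
```

Note that nothing here resembles a table: each entry carries whatever attributes it has, and its name is its position in the tree, which is what lets a directory be partitioned and replicated without the clients' naming changing.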

Applications of Directory Services

We now look at some applications for directory services in enterprise environments. Four applications we will discuss are shown in Table 2.

Table 2: Common directory uses.

Directory use                                        | Kinds of information managed
-----------------------------------------------------+--------------------------------------------------------------
E-mail address book                                  | Names, e-mail addresses
Corporate whitepages                                 | Names, telephone numbers, office addresses, employee hire dates, manager names, departments, cost centers, etc.
Centralized management of credentials and privileges | Passwords, remote user wallets, user roles
Configuration and management of system resources     | Device state and configuration information, service addresses, profile and policy information

Perhaps the most familiar to corporate users is e-mail address books. In fact, virtually every e-mail system provides some mechanism for users to look up e-mail addresses given a user's name. Some of these e-mail systems permit administrators to also store other user information such as the department name, manager name, or telephone number.
This capability of directories to store other information besides e-mail addresses led MIS managers and others to investigate using stand-alone directory services to deploy on-line whitepages directory services. This allows the enterprise to replace paper-bound corporate directories with an on-line service that is easily searchable and always up to date.
Management of user credentials, preferences and privileges represents yet another use for directories in the enterprise environment. Here, directories can add value by providing system administrators with a central repository for managing user access to the various applications running in the enterprise. If an employee leaves the company, for example, directories can make it very easy for system administrators to disable access to the user's accounts.
Finally, a more recent use of directory services is for configuring and managing system resources. In fact, a number of system and networking hardware vendors are working together in an industry initiative called DEN, for Directory Enabled Networks, with the goal of defining standard data structures that will allow network administrators to configure all kinds of networking devices through a centralized directory service. By providing well-defined interfaces to applications and networking hardware, directories become an essential "middleware" component, enabling a policy-based networking infrastructure which can provide varying levels of service to different users and applications. A diagram of such a network is shown in Figure 1.

Figure 1: Illustration of a global, directory-enabled network.

The LDAP Directory Standard

While the value of directory services is well understood by IT management, most are not looking for another directory service to deploy in their environments. In fact, they currently have too many directory services. Some estimates state that the world's largest companies have on average 180 different directories in their environments, and this is probably a conservative estimate. If one considers all of the applications running in a typical enterprise environment, each one of which might maintain its own local list of users and login credentials, the number is probably much higher. For example, in the typical Oracle deployment, each instance of the Oracle server running in the enterprise has, in effect, its own "directory" of user names.
As a result of this proliferation of directories, the same information often ends up being represented many different ways in enterprise systems. This translates to a high cost of ownership, as administrators must input and maintain essentially the same information in many different places. There is also a cost associated with some of this information being incomplete, inaccurate, or out of sync.
Another problem for organizations resulting from the proliferation of proprietary directories occurs when they look at deploying Internet-ready applications. Organizations would like to make some of the information stored in company directories available to business partners and others on a controlled basis. Unfortunately, the traditional directory services deployed in many enterprises do not make this easy, and organizations are faced with security concerns such as how to expose only the information they want to, as well as practical concerns of how to define the directory data structures and interfaces so that this information is available to a potentially wide variety of internet-based applications.
LDAP represents the emerging solution to both of these problems. LDAP stands for "Lightweight Directory Access Protocol," and was conceived as an internet-ready, lightweight implementation of the International Organization for Standardization's X.500 (pronounced "X five hundred") standard for directory services. One major feature of the LDAP specification is that it requires a minimal amount of networking software on the client side, making it particularly attractive for internet-based, "thin client" applications.
The LDAP standard is defined and maintained by the Internet Engineering Task Force, the same body responsible for other popular internet protocols such as TCP/IP, DNS, and HTTP. The customer need for interoperability between directory services and client applications is driving rapid adoption of the LDAP standard in the vendor community. In fact, virtually every hardware and software systems vendor has announced an LDAP support strategy in recent months.

Figure 2: The LDAP vision for the enterprise.

The LDAP standard promises to simplify management of directory information considerably. By providing all the various users and applications in the enterprise with a single, well-defined standard interface to a single, extensible directory service, rapid development and deployment of directory-enabled applications become much easier. In addition, administration of the information becomes much less costly as the need to enter and coordinate redundant information in a wide variety of different services is reduced. Finally, the LDAP standard's well-defined wire protocol and array of programmatic interfaces make deployment of internet-ready applications that leverage the directory practical. This application for LDAP directories is illustrated in Figure 2.

Oracle's Directory Strategy

Oracle has embraced the LDAP standard as a means of enabling centralized management of the Oracle environment, and as the basis for providing a comprehensive directory information management solution for customers. Oracle's product strategy for LDAP directory services may be summarized with four key points:

  1. Provide a standards-based, cross-platform LDAP directory, called Oracle Internet Directory, which builds on the reliability, availability and scalability characteristics of Oracle8i.
  2. Directory-enable the various components of the Oracle product stack to take advantage of the LDAP directory service.
  3. Implement tight integration between Oracle Internet Directory and the Oracle administrative environment, with the goal of providing transparent directory administration for Oracle shops.
  4. Provide the tools and services required to enable customers to integrate all of the directory services and information sources in their environments.
Each aspect of this strategy is described below.

Oracle Internet Directory

Our first point in Oracle's product strategy for LDAP directory services is to provide a scalable, Internet standards-based directory service based on the Oracle8i database. This product is called Oracle Internet Directory, and is shown in Figure 3. Oracle Internet Directory is a native, LDAP Version 3-compliant directory service which runs as an application on the Oracle8i database. This architecture provides a very robust and secure platform for enterprise directory services. By implementing the LDAP server as an Oracle8i application, Oracle Internet Directory can provide LDAP directory services with an unprecedented level of scalability, high availability and information security. Each of these characteristics is described below.

Figure 3: Oracle Internet Directory Overview

Scalability

Scalability of a directory service can be evaluated in any number of different ways. For example, one might talk about the total number of objects supported in a directory tree, or the capabilities of the underlying hardware and/or software platform. Two aspects of scalability that we will examine here are the number of entries, or directory objects that can be supported on a single server instance, and the number of simultaneous client accesses supported by the server. Experience has shown that these aspects of scalability are of particular interest to service provider and large extranet environments because they determine to a large degree the number of directory server nodes required to support a given directory information tree. While management and administration of the actual data in the directory information tree might be partitioned in any number of ways, enterprises generally want to implement their directories with as few servers as possible in order to simplify infrastructure management. In discussing these, we will point out aspects of the Oracle Internet Directory architecture that support high levels of scalability in these regards.
The first aspect of scalability we will mention is the number of entries that can be supported on a single server instance. Oracle Internet Directory inherits considerable capability in this area by virtue of being implemented as an application on top of the Oracle8i database. The Oracle8i database has demonstrated industry-leading performance in large database environments. As of this writing, Oracle8i-based applications occupy four of the eight top positions for certified TPC-D benchmarks against a 1 terabyte data store. A data store of this size translates to the capability of storing over half a billion real-world directory entries on a single server, well beyond the current and projected business needs of the largest directory deployments.
Simply being able to accommodate a large number of directory entries is not enough, however. Large directory implementations also require the tools necessary to populate these directories in a reasonable period of time. Here, Oracle Internet Directory leverages the tools and services available to the Oracle8i platform. For example, Oracle Internet Directory provides a bulk loading utility based on Oracle's SQL*Loader that makes it possible to populate a large directory very efficiently.
The second aspect of scalability we will examine is the number of simultaneous clients a directory server node can support in typical usage scenarios. This is commonly measured in terms of throughput, or the aggregate number of retrievals performed by the directory server in supporting a population of clients. The architecture of Oracle Internet Directory supports throughput scalability in a couple of ways.
First, the LDAP servers running on an Oracle Internet Directory server node are multithreaded, and share a common pool of persistent database connections through a technology called connection pooling. Since each database connection incurs a certain amount of operating system overhead, sharing database connections in this way makes the most efficient use of these connections and prevents running into resource limitations as the number of simultaneous LDAP client connections increases.
A second aspect of the architecture contributing to throughput scalability is the ability to run multiple LDAP server processes on a single Oracle Internet Directory server node. This architecture scales very well to take advantage of multiprocessor platforms.
These architectural considerations mean that a single Oracle Internet Directory server node can support increasing numbers of clients with no appreciable impact on throughput. As a result, Oracle Internet Directory customers can typically support their organization's directory service needs by deploying fewer servers.
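The following added example (not Oracle Internet Directory code) illustrates the connection-pooling argument above. `FakeConnection` is a stand-in for a database session that only counts how many are open at once; `ConnectionPool` hands a fixed set of persistent connections to many concurrent worker threads and always returns them, even when a request fails. The comparison function holds one connection per client for the life of the session, which is the behaviour pooling is designed to avoid; the client counts and DNs are constructed.

```python
"""A bounded pool of persistent database connections shared by worker threads."""
import queue
import threading
import time
from typing import Callable, List, Tuple


class FakeConnection:
    """Counts open connections; a real one would hold a socket, a session, memory."""
    open_now = 0
    peak = 0
    _lock = threading.Lock()

    def __init__(self) -> None:
        with FakeConnection._lock:
            FakeConnection.open_now += 1
            FakeConnection.peak = max(FakeConnection.peak, FakeConnection.open_now)

    def query(self, dn: str) -> str:
        time.sleep(0.001)                     # simulated round trip to the database
        return f"entry:{dn}"

    @classmethod
    def reset_counters(cls) -> None:
        cls.open_now = cls.peak = 0


class ConnectionPool:
    def __init__(self, size: int) -> None:
        self._free: "queue.Queue[FakeConnection]" = queue.Queue()
        for _ in range(size):                 # persistent connections, opened once
            self._free.put(FakeConnection())

    def run(self, work: Callable[[FakeConnection], str], timeout: float = 5.0) -> str:
        conn = self._free.get(timeout=timeout)   # blocks while every connection is busy
        try:
            return work(conn)
        finally:
            self._free.put(conn)              # always hand it back, even on error


def _run_concurrently(n: int, client: Callable[[int], str]) -> List[str]:
    """Start n client threads at once and collect their results."""
    results: List[str] = [""] * n

    def worker(i: int) -> None:
        results[i] = client(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def serve_clients(n_clients: int, pool_size: int) -> Tuple[List[str], int]:
    """Serve n_clients concurrent requests through a pool; return (results, peak open)."""
    FakeConnection.reset_counters()
    pool = ConnectionPool(pool_size)
    results = _run_concurrently(
        n_clients, lambda i: pool.run(lambda conn: conn.query(f"cn=user{i},o=example")))
    return results, FakeConnection.peak


def serve_clients_unpooled(n_clients: int) -> Tuple[List[str], int]:
    """Same load with one persistent connection per client, held for the session."""
    FakeConnection.reset_counters()
    results = _run_concurrently(
        n_clients, lambda i: FakeConnection().query(f"cn=user{i},o=example"))
    return results, FakeConnection.peak


if __name__ == "__main__":
    _, pooled_peak = serve_clients(50, 4)
    _, unpooled_peak = serve_clients_unpooled(50)
    print(f"50 clients: pooled peak {pooled_peak}, unpooled peak {unpooled_peak}")
```

With a pool of four, fifty simultaneous clients never open more than four database sessions, whereas the per-client variant opens fifty. The `finally` clause is the part worth copying: a connection that is not returned after an exception is leaked, and a leaked pool eventually blocks every client at `get()`.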

Figure 4: LDAP replication through Oracle Advanced Symmetric Replication Services.

High Availability

High availability is always a concern for service provider and e-commerce environments. As more mission-critical applications become directory-enabled, high availability with respect to directory services becomes a necessity for the enterprise environment as well. Oracle Internet Directory is designed to enable continuous service availability. With Oracle Internet Directory, system administrators can change the directory schema, for example adding new entry and attribute types, with no need to take the system off-line. Administrators can even add and delete directory server nodes to a replicated community of servers, and populate these servers without loss of availability.
As an application implemented on top of the Oracle8i infrastructure, Oracle Internet Directory inherits a number of high availability features. For example, Oracle Internet Directory implements multi-master replication between Oracle Internet Directory servers. This means that if any of the servers in the replicated environment goes down, any of the other servers can act as the "master" server for purposes of adding or deleting entries, adding new attribute types, etc. To provide this capability, Oracle Internet Directory takes advantage of the highly robust, field-proven Oracle Advanced Symmetric Replication Services available with Oracle8i. This is shown in Figure 4. In a replicated community, change information is recorded in change logs which are replicated to the other Oracle Internet Directory servers using Oracle Advanced Symmetric Replication as the transport. When an offline server comes back online, this change log information is read by the server in such a way as to guarantee that all the servers contain the same directory information. This replication architecture ensures that the service is always available not just for queries, but also for directory administration functions.
Other features and options in the Oracle8i platform also help guarantee a high level of service availability. Oracle8i's hot backup capability allows sites to protect directory data with no loss of service. The Oracle8i database also has the ability to quickly recover from server failures. Finally, options such as Oracle Parallel Server can be leveraged in the production environment to ensure a high level of directory service availability.
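The change-log replication described above, simulated in memory as an added example (this is not Oracle's replication code and Oracle Advanced Symmetric Replication is not involved). Every server is a master: it accepts writes, appends them to its own change log, and pulls its peers' change logs; a server that was offline catches up by pulling whatever it missed. Convergence is obtained here by materializing the directory from the full set of known changes in one fixed order (timestamp, origin, sequence number), which is this example's assumption, not the page's description of Oracle's algorithm. Server names, DNs and timestamps are constructed.

```python
"""Change-log replication among peer directory servers, simulated in memory."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Change:
    ts: int                                  # writer's logical clock (constructed)
    origin: str                              # server that accepted the write
    seq: int                                 # position in the origin's change log
    op: str                                  # "add", "modify" or "delete"
    dn: str
    attrs: Tuple[Tuple[str, str], ...] = ()  # sorted (attribute, value) pairs


class DirectoryServer:
    def __init__(self, name: str) -> None:
        self.name = name
        self.online = True
        self.seq = 0
        # every change this server knows about, keyed by (origin, seq)
        self.changes: Dict[Tuple[str, int], Change] = {}

    def write(self, ts: int, op: str, dn: str, **attrs: str) -> Change:
        """Accept a client write on this master and append it to the change log."""
        if not self.online:
            raise RuntimeError(f"{self.name} is offline")
        self.seq += 1
        change = Change(ts, self.name, self.seq, op, dn, tuple(sorted(attrs.items())))
        self.changes[(self.name, self.seq)] = change
        return change

    def change_log(self, origin: str) -> List[Change]:
        """This server's copy of `origin`'s change log, in sequence order."""
        log = [c for (o, _), c in self.changes.items() if o == origin]
        return sorted(log, key=lambda c: c.seq)

    def pull_from(self, peer: "DirectoryServer") -> int:
        """Copy every change the peer knows and this server does not; 0 if either is down."""
        if not (self.online and peer.online):
            return 0
        missing = {k: c for k, c in peer.changes.items() if k not in self.changes}
        self.changes.update(missing)
        return len(missing)

    def snapshot(self) -> Dict[str, Dict[str, str]]:
        """Materialize the entries by replaying all known changes in a fixed order,
        so two servers with the same change set always hold the same data."""
        state: Dict[str, Dict[str, str]] = {}
        for c in sorted(self.changes.values(), key=lambda c: (c.ts, c.origin, c.seq)):
            if c.op == "add":
                state[c.dn] = dict(c.attrs)
            elif c.op == "modify" and c.dn in state:
                state[c.dn].update(c.attrs)
            elif c.op == "delete":
                state.pop(c.dn, None)
        return state


def replicate_all(servers: List[DirectoryServer]) -> int:
    """Let every online server pull from every other until nothing new moves."""
    total = 0
    while True:
        moved = sum(s.pull_from(p) for s in servers for p in servers if s is not p)
        total += moved
        if moved == 0:
            return total


def converged(servers: List[DirectoryServer]) -> bool:
    """True when every online server materializes the same directory."""
    snaps = [s.snapshot() for s in servers if s.online]
    return all(snap == snaps[0] for snap in snaps)


if __name__ == "__main__":
    a, b, c = DirectoryServer("a"), DirectoryServer("b"), DirectoryServer("c")
    a.write(1, "add", "cn=ann,o=example", mail="ann@example.com")
    replicate_all([a, b, c])
    c.online = False                                   # c goes down
    b.write(2, "modify", "cn=ann,o=example", telephoneNumber="+1 555 0101")
    replicate_all([a, b, c])                           # a and b stay in step
    c.online = True
    replicate_all([a, b, c])                           # c replays what it missed
    print("converged:", converged([a, b, c]), c.snapshot())
```

Writes keep flowing to `a` and `b` while `c` is down, which is the "available for administration, not just queries" property; when `c` returns it pulls the change logs and, because every server orders the same change set the same way, the three snapshots agree even when two masters modified the same entry concurrently.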

Information Security

Finally, Oracle Internet Directory is a secure platform for managing directory information. Oracle Internet Directory implements three different levels of directory user authentication: anonymous, password-based and certificate-based through SSL. Administrators can define their directory service environment so as to provide different levels of access to the directory information based on how a given user was authenticated.
In addition, by implementing the security mechanisms through access control lists, administrators have very fine-grained control over how they grant access to data. For example, user entries in a directory might have several attributes associated with them. These could be things like phone numbers, e-mail addresses, and even sensitive information like salary information. An administrator may want to give anyone, for example an anonymous user, the ability to look up an e-mail address in the directory. On the other hand, he may want to require a password before dispensing more sensitive information such as department and telephone numbers. Finally, he may require strong authentication by authorized personnel before exposing salary information. All of these access privileges can be defined with Oracle Internet Directory.
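The policy in the preceding paragraph, written out as an added example (not Oracle Internet Directory code, and not its access control list syntax): anonymous requesters may read names and e-mail addresses, password-authenticated requesters may also read department and telephone numbers, and salary is released only to certificate-authenticated members of an authorized group. Attributes with no rule are withheld by default, and the `bind` step refuses a disabled account regardless of method, which is the "employee leaves the company" case from the earlier section. The entry, the ACL table, the group DN and the `accountdisabled` flag are all constructed for the example.

```python
"""Attribute-level read access keyed on how the requester authenticated."""
from enum import IntEnum
from typing import Dict, Iterable, List, Optional, Tuple

Entry = Dict[str, List[str]]


class AuthLevel(IntEnum):
    """Ordered by strength, so a stronger method satisfies a weaker requirement."""
    ANONYMOUS = 0
    PASSWORD = 1
    CERTIFICATE = 2       # client certificate presented over SSL


HR_GROUP = "cn=hr-admins,ou=groups,o=example"   # hypothetical group DN

# attribute -> (minimum authentication level, required group membership or None)
ATTRIBUTE_ACL: Dict[str, Tuple[AuthLevel, Optional[str]]] = {
    "cn": (AuthLevel.ANONYMOUS, None),
    "mail": (AuthLevel.ANONYMOUS, None),
    "departmentnumber": (AuthLevel.PASSWORD, None),
    "telephonenumber": (AuthLevel.PASSWORD, None),
    "salary": (AuthLevel.CERTIFICATE, HR_GROUP),   # hypothetical attribute
}

SAMPLE_ENTRY: Entry = {                  # constructed
    "cn": ["Ann Lee"],
    "mail": ["ann.lee@example.com"],
    "departmentnumber": ["4120"],
    "telephonenumber": ["+1 555 0101"],
    "salary": ["90000"],
    "accountdisabled": ["FALSE"],        # hypothetical flag; deliberately absent from the ACL
}


def bind(account: Optional[Entry], method: AuthLevel) -> AuthLevel:
    """Model the bind step and return the level the session will carry.
    A disabled account cannot authenticate by any method, so setting one flag
    centrally cuts a departed employee off from every directory-enabled system."""
    if method == AuthLevel.ANONYMOUS:
        return AuthLevel.ANONYMOUS       # no account is involved
    if account is None:
        raise PermissionError("no such account")
    if account.get("accountdisabled", ["FALSE"])[0].upper() == "TRUE":
        raise PermissionError("account disabled")
    return method


def can_bind(account: Optional[Entry], method: AuthLevel) -> bool:
    """Boolean form of bind() for callers that only need yes or no."""
    try:
        bind(account, method)
        return True
    except PermissionError:
        return False


def visible_attributes(entry: Entry, level: AuthLevel,
                       member_of: Iterable[str] = ()) -> Entry:
    """Return the subset of `entry` a requester at `level` may read. Attributes
    without an ACL rule are withheld (default deny), so a new sensitive attribute
    added to the schema is never exposed by accident."""
    groups = set(member_of)
    allowed: Entry = {}
    for name, values in entry.items():
        rule = ATTRIBUTE_ACL.get(name.lower())
        if rule is None:
            continue
        min_level, group = rule
        if level < min_level:
            continue
        if group is not None and group not in groups:
            continue
        allowed[name] = list(values)
    return allowed


if __name__ == "__main__":
    for level in AuthLevel:
        print(level.name, sorted(visible_attributes(SAMPLE_ENTRY, level)))
    print("HR over SSL:", visible_attributes(SAMPLE_ENTRY, AuthLevel.CERTIFICATE, [HR_GROUP]))
```

Two design points carry over to a real deployment: the decision is made per attribute, not per entry, so one lookup can return the public and withhold the sensitive parts of the same record; and the rule for the most sensitive attribute combines the authentication method with authorization (group membership), since a certificate alone only proves who is asking, not that they are entitled to the answer.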

Directory Enabling Oracle Products

The second strategic point in Oracle's directory strategy is to work to directory enable all of Oracle's products. This has started with Oracle8i in the areas of networking and user administration. These features are currently being beta tested, and are scheduled to be available with the 8.1.6 release of Oracle8i.
Figure 5 shows the functionality of the Oracle Net8 LDAP Native Naming Adapter. Net8 is Oracle's protocol-independent networking software for client/server applications. When a Net8 client user establishes a connection to an Oracle database, he or she types in an Oracle Service Identifier in the form of a simple name. With the LDAP Native Naming Adapter, the Net8 client transparently forwards that simple name to the LDAP directory service, which in turn returns all the information that the Net8 client needs to establish a connection with the database. All of this takes place "under the covers" and is transparent to the user.
The Net8 LDAP Native Naming Adapter allows administrators to add, delete and move Oracle services at will, without reconfiguring clients. Changes to the network are simply reflected in the Oracle Internet Directory, and are fetched by the Net8 client at connect time.
Another way future releases of Oracle8i will be using the Oracle Internet Directory is as the centerpiece of its enterprise security strategy. Here, information such as user identities, remote user wallets, and user role information are stored centrally on the Oracle Internet Directory. To access the system, the user first accesses his or her remote wallet on the directory server, and opens that wallet with a password. The wallet contains the user's private key, certificate and trust point information. The user then has the ability to access the various Oracle systems in the environment without the need for a password. All authentication is handled via certificate exchange and SSL.
When a user accesses an Oracle8i database, the server connects to the Oracle Internet Directory as an LDAP client. SSL provides a mechanism for mutual authentication of the database and directory servers. The Oracle8i database then retrieves the user's configuration and role information which it may use to set the security context of the user's session on that server. This permits centralized administration of database user roles and privileges, making it easy for administrators, for example, to disable access to all systems when an employee leaves the company.

Figure 5: The Net8 LDAP Native Naming Adapter.

Integrated Management Environment

Another point in Oracle's directory strategy is to provide tight integration with the Oracle administrative environment. For example, Oracle Internet Directory installs using the same installation mechanism as other Oracle server products. Once installed, Oracle Internet Directory is administered through a Java-based, graphical interface called Oracle Directory Manager (Figure 6). Oracle Directory Manager uses the same user interface framework as Oracle's flagship system management product, Oracle Enterprise Manager, and is launchable from Oracle Enterprise Manager. Going forward, Oracle's goal is to provide "administrative transparency" for Oracle shops looking to deploy Oracle Internet Directory in their environment, allowing them to leverage as much as possible their existing Oracle product expertise.

Providing Enterprise Directory Integration

The final point of Oracle's directory strategy is to provide the tools and services necessary to enable enterprise-wide directory service integration. This includes integration with applications, Oracle relational databases, and other LDAP and legacy directory services.
Client integration for Oracle Internet Directory can be provided through any LDAP-compliant software development kit. These are widely available for a variety of languages including C, Java and Perl. In addition, Oracle will offer software development kits tailored for use with Oracle Internet Directory with future server releases. This will include native LDAP interface support for SQL language programs, to allow SQL-based client/server applications easy access to data stored in the LDAP directory.

Figure 6: Oracle Directory Manager user interface.

The SQL software development kit represents one aspect of a larger enterprise need, and that is integration of relational and directory information. Access to LDAP directory data through SQL-like commands permits access to LDAP directory information from the SQL world. Another useful functionality is the ability to represent subsets of relational data as part of an LDAP directory tree, making this information available to any LDAP client application. This functionality is currently being designed, and will be available with a future release of the Oracle Internet Directory.
Finally, there is tremendous value for customers in being able to integrate with a wide variety of directory services running in the enterprise. Oracle is working with other industry leaders in the various standards bodies to extend the LDAP specification to enable higher degrees of interoperability between enterprise directory services. One goal here is to enable secure replication of LDAP directory information between directory vendors' products. Oracle will also look for opportunities to leverage partnerships to provide out-of-the-box, enterprise metadirectory solutions that allow Oracle Internet Directory to integrate with legacy directories.

Conclusion: Why Oracle Internet Directory?

Oracle's directory product direction, coupled with its own native LDAP directory service, offers considerable value for customers. Indeed, there are at least three reasons why an Oracle LDAP directory service is compelling. These are:

Each of these considerations is described below.

Management of the Oracle Environment

Perhaps the most visible benefit of directory services is their value in making distributed computing environments easier to manage. The Oracle environment itself offers considerable deployment flexibility: it may contain multiple client, server and middle tiers, each running multiple processes, and Oracle-based applications may be running over multiple servers, operating systems and network protocols. Configuration and management of all of these components benefits from being directory enabled.
Oracle-based applications can also take advantage of directories as an aid to making the environment easier to administer. There is tremendous value for developers of Oracle-based applications to know that there is an LDAP directory service available in the target environment. As more Oracle environments deploy Oracle Internet Directory, and as more developers take advantage of this fact to directory-enable their applications, overall manageability of the Oracle environment is improved.
In distributed environments, user authentication and access control is a concern. Typically, each instance of a database server or application will maintain its own list of users and credentials. This poses a problem for users when they have to remember multiple passwords or risk compromise as they write them down. This is also a problem for administrators, who would like to be able to control users' access to systems when they leave the company or when their responsibilities change. Oracle Internet Directory will be a key technology for providing unified access control to the Oracle environment.

Oracle Reliability/Scalability features

In addition to the aforementioned value of Oracle Internet Directory to the management and administration of the Oracle environment, there are some compelling benefits that result from basing an LDAP directory service on the Oracle8i infrastructure. These were described in detail above, and fall in the general categories of scalability, high availability, and security. These are obviously of paramount concern to carriers, national ISPs, portals, and other service providers. As more enterprises deploy extranet applications, and mission-critical enterprise applications that are directory enabled, these also become essential qualities for an LDAP directory service in the enterprise environment as well.

Integrating Enterprise Data Management

Finally, Oracle Internet Directory will answer the need for integrating all of the enterprise's mission-critical data. Today, most of this information is stored in relational databases. In the future, increasing amounts of mission-critical data will be stored in LDAP directory services. A standards-based directory service product from Oracle promises to bridge this gap between the relational and directory worlds for enterprise customers. Planned enhancements such as SQL-language LDAP interfaces and "projection views" of relational data into the LDAP directory space will represent first steps towards true integration of relational and directory data.