Presentation on Oracle Identity Management from the Insync10 conference in Melbourne, August 2010. Looks at OID and some of the potential issues around installation and configuration.
11g Identity Management - InSync10
1. 11g Identity Management. Peter McLarty, Pacific DBMS Pty Ltd, 17th August 2010. The most comprehensive Oracle applications & technology content under one roof.
2. Everyone who has ever taken a shower has had an idea. It's the person who gets out of the shower, dries off, and does something about it that makes a difference. -- Nolan Bushnell
Welcome all. Mention something about the conference. Thank them for coming to the presentation. Don't forget to be human.
I can see some here who did get out of the shower; see how rough people are from the prior night's events.
I don't know on some days if I feel like the cat or the bird. Operation: the cat can't get to the product on offer. Bird: oh god, today is not looking so good. Funny thing, the bird doesn't care one bit about the cat's presence on the cage.
This is a run down on Identity Management, and we delve into one key component. Sharing across sites, both within and outside of the organisation. Securing your cloud applications: NSW Gov has recently announced about cloud, Macquarie student email. The old chestnut, still not all that effectively done in places; some very good and some with significant work.
Identity Management: Entitlements Server; Entitlements Server Security Module; Directory Services Plus; Access Manager; Adaptive Access Manager; Identity Federation; Identity Manager; Identity Manager Connector; Role Manager; Information Rights Management; Enterprise Single Sign-On Suite Plus; Access Management Suite Plus; Identity and Access Management Suite Plus; Identity Analytics. Enterprise Management: Management Pack Plus for Identity Management.
Meet compliance requirements, to say we measure up for, let's say, our PCI DSS requirements. We increase our security through the use of a centralised directory of user accounts. Who has had to provision a user in the network for a login, set up an email account, add them to the finance system, and so on, the list goes on and on? (Not funny.) Directories provide a cost benefit because we don't have to provision a user over and over again for each application they use: one user account across systems, with the details all retained in a common repository.
Access control sets who can do what. Manage those policies from a central location. Audit support for our compliance requirements.
Set up roles to simplify application or system access management. Fine-grained control is able to use many different attributes, e.g. by entry, by name, by mode. Auditing is basic: log on and log off.
All the ODSP (Oracle Directory Services Plus) products: Directory Server EE is a high-performance directory server with an embedded database; Identity Synchronisation; a resource kit for tuning.
Now down to a key component, the directory server, and more importantly the Oracle Internet Directory (OID).
LDAP v3 compliant. Use it as a way for client systems to obtain connection information for databases (LDAP naming: the client resolves a net service name to a connect descriptor held in the directory instead of in a local tnsnames.ora). It is often the datastore of choice for other products within the Oracle Identity Management offering.
There are 4 main components: the database, 10.2.0.4 or above, and it is certified to use 11.2; OIDMON; ODS, the instance, which provides the LDAP service to the clients; ODRS, the replication service for LDAP replication to other OIDs on other directory servers.
The server processes are the LDAP instance, OIDMON, and OPMN to manage it: starting, stopping and some other changes. Out of the box OID is not configured to support any connection load, so you will need to tune it to maximise its workload capability; there is a whole section on this. The default ports are no longer the well-known 389 and 636 (11g defaults to 3060 for non-SSL and 3131 for SSL), so check what your clients and firewalls expect.
When OID starts it creates a cache and populates it with some information; then, as caches do, it adds content during the life of the cache, which means fewer database calls. The cache is write-through. The directory schema is the object table of the data types that have been configured for the OID: people objects, password objects, database connection objects, alias objects, and so it goes. Access control is configured under a separate section of the directory, allowing such things as roles and user passwords. The Root DSE contains data about the server itself: number of instances, port info.
DIT: Directory Information Tree. We search the DIT for the information we require. Under our DIT should be all the data; there are aliases that can be used for transitional roles. Do your homework for integrating with other directories: if you already have AD or something else, make sure you align your DIT to that one even if you feel integration is a way off; it is much easier if your DIT is the same. I say this about the DIT because in practice there is the ability to have more than one tree for multiple organisations, or even multiple trees within the same organisation. The reasons not to do this are strong, but it may be unavoidable in some cases of migration.
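To make the "align your DIT" advice concrete, here is an added Python example (mine, not the talk's or Oracle's) that parses DNs taken from two directories, tests whether they hang off the same naming context, and shows the DN rewriting you are otherwise stuck maintaining in every synchronisation job. The DNs and the OU/CN layout are constructed for illustration; they are not a prescribed AD or OID structure.

```python
# Constructed sample DNs: the AD tree the organisation already has, and two
# candidate layouts for the new OID realm. The OU/CN layout is an assumption
# for illustration, not a prescribed Oracle or Microsoft structure.
AD_USER = r"CN=Smith\, Jane,OU=Users,DC=corp,DC=example,DC=com"
AD_ROOT = "DC=corp,DC=example,DC=com"
OID_USER_ALIGNED = r"cn=Smith\, Jane,cn=Users,dc=corp,dc=example,dc=com"
OID_ROOT_SEPARATE = "dc=oid,dc=example,dc=com"

_HEX = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Split an RFC 4514 DN into [(attr, value), ...], leftmost RDN first.
    Handles '\\,' style escapes and '\\2C' hex escapes, which a plain
    split(',') gets wrong. Multi-valued RDNs (a=1+b=2) are not handled."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in _HEX for c in nxt):
                buf += chr(int(nxt, 16))      # hex escape, e.g. \2C is ','
                i += 3
            else:
                buf += dn[i + 1]              # backslash-escaped literal
                i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        out.append((attr.strip(), value.strip()))
    return out


def canon(rdns):
    """Case-fold for comparison: attribute types are case-insensitive, and so
    are the values of the usual naming attributes (cn, ou, dc)."""
    return [(a.lower(), v.lower()) for a, v in rdns]


def naming_context(rdns):
    """The trailing run of dc= components, i.e. the suffix the tree hangs off."""
    tail = []
    for attr, value in reversed(canon(rdns)):
        if attr != "dc":
            break
        tail.append((attr, value))
    tail.reverse()
    return tail


def aligned(dn_a, dn_b):
    """True when both DNs hang off the same dc= naming context, which is the
    'same DIT' property the talk asks for."""
    return naming_context(parse_dn(dn_a)) == naming_context(parse_dn(dn_b))


def relocate(dn, old_root, new_root):
    """Rewrite dn, which must sit under old_root, so that it sits under
    new_root. This is the mapping every integration job has to carry when
    the trees are not aligned; for aligned trees it is the identity."""
    rdns, old, new = parse_dn(dn), parse_dn(old_root), parse_dn(new_root)
    if canon(rdns[-len(old):]) != canon(old):
        raise ValueError("%s is not under %s" % (dn, old_root))
    return rdns[:-len(old)] + new


def format_dn(rdns):
    """Inverse of parse_dn, re-escaping the RFC 4514 special characters."""
    def esc(v):
        return "".join("\\" + c if c in ',+"\\<>;' else c for c in v)
    return ",".join("%s=%s" % (a, esc(v)) for a, v in rdns)


if __name__ == "__main__":
    print("aligned with AD:", aligned(AD_USER, OID_USER_ALIGNED))
    print("separate tree  :", aligned(AD_USER, "cn=x," + OID_ROOT_SEPARATE))
    print("mapping needed :", format_dn(relocate(AD_USER, AD_ROOT, OID_ROOT_SEPARATE)))
```

Feed it DNs exported from both directories: if aligned() comes back false for your user entries, the relocate() rewrite is what every synchronisation connector, ACL and application configuration will have to know about from then on.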
Unless you use an SSL-only server, the connection can be either SSL or non-SSL; a simple bind over the non-SSL port sends the password in clear text, so either run SSL-only or make sure clients use the SSL port. Anonymous bind is available by default but can be disabled. Filters to limit data can be used in the query/update. Once the user is authenticated as guest or user, the bind is made and the ACL is checked as to what objects in the directory are accessible.
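An added example (mine, not the talk's or Oracle's) of checking those two settings on an OID instance: it reads the LDIF that ldapsearch prints for the instance configuration entry and flags anonymous binds left enabled and non-SSL listeners left open. The entry DN cn=oid1,cn=osdldapd,cn=subconfigsubentry and the attributes orclAnonymousBindsFlag (0 = disabled, 1 = allowed, the default, 2 = Root DSE searches only) and orclSSLEnable (0 = non-SSL only, 1 = SSL only, 2 = both) are as I recall them from the OID 11g documentation; verify them against your release before trusting the result. The LDIF is constructed.

```python
import base64

# Constructed sample of what "ldapsearch -p 3060 -D cn=orcladmin -w <pw> -s base
# -b cn=oid1,cn=osdldapd,cn=subconfigsubentry (objectclass=*)" might print, for
# two instances: oid1 has the out-of-the-box settings, oid2 has been hardened.
SAMPLE_LDIF = """\
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
cn:: b2lkMQ==
orclanonymousbindsflag: 1
orclsslenable: 2
orclnonsslport: 3060
orclsslport: 3131

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
cn: oid2
orclanonymousbindsflag: 2
orclsslenable: 1
orclsslport: 3131
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns one {attr: [values]} dict per entry.
    Unfolds continuation lines (leading space), decodes base64 values
    ('attr:: ...') and skips comments. Attribute names are lowercased
    because LDAP treats them case-insensitively."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(name.strip().lower(), []).append(value)
    return entries


def check_instance(entry):
    """Findings for one osdldapd instance entry. Value meanings assumed from
    the OID 11g docs (check your release): orclAnonymousBindsFlag 0=disabled,
    1=allowed (default), 2=Root DSE only; orclSSLEnable 0=non-SSL only,
    1=SSL only, 2=both listeners."""
    def first(attr, default):
        return entry.get(attr, [default])[0]

    findings = []
    anon = first("orclanonymousbindsflag", "1")   # absent means the default
    if anon == "1":
        findings.append("anonymous binds allowed for any search: set "
                        "orclAnonymousBindsFlag to 0, or 2 if clients need "
                        "the Root DSE before binding")
    ssl = first("orclsslenable", "0")
    if ssl == "0":
        findings.append("no SSL listener: simple binds send passwords in the "
                        "clear on port %s" % first("orclnonsslport", "?"))
    elif ssl == "2":
        findings.append("non-SSL port %s still open next to SSL port %s: "
                        "clients can still bind in the clear"
                        % (first("orclnonsslport", "?"), first("orclsslport", "?")))
    return findings


def audit(ldif_text):
    """Map each instance's cn to its list of findings (empty list = clean)."""
    return {e["cn"][0]: check_instance(e) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LDIF).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run the ldapsearch as a directory administrator against every instance entry under cn=osdldapd and pipe the output through audit(); an instance that reports no findings is one where clients must use the SSL port and cannot enumerate the tree without credentials.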
As the directory uses OCI, the LDAP request is converted for OCI transport; the database acts upon the query; the result is sent back to the OID server, converted to LDAP and returned to the user.
How we connect to the other directories: eDirectory, AD (what is IBM's? I don't know; is it part of Tivoli?). So it allows us to pass information between different directory offerings.
Why Server chain?
Non-Oracle middleware clustering. Linux VMs could be the cheapest option for implementing many of these in your organisation and can make it easy to move servers. Whilst LDAP is lightweight, there is good reason to have servers closer to end users if you have a highly dispersed user base.
I found a server with OEL and just 4 GB to be a minimum requirement; I think 6 GB is a better minimum for a production system. You can do a small memory footprint, but it detunes; I will explain how in a second. You need to manage the