3 Extensions to the LDAP Protocol
The following topics describe extensions to LDAP protocol in detail:
Using SASL Authentication Mechanism
Oracle Internet Directory supports SASL DIGEST-MD5 Authentication and SASL external authentication.
The following sections describe the two methods:
Working with SASL DIGEST-MD5 Authentication Mechanism
SASL Digest-MD5 authentication is the required authentication mechanism for LDAP Version 3 servers (RFC 2829). LDAP Version 2 does not support Digest-MD5.
To use the Digest-MD5 authentication mechanism, you can use either the Java API or the C API to set up the authentication. The C API supports only auth mode.
See Also:
-
Java-specific information in Using DIGEST-MD5 to Perform SASL Authentication and Using SASL Digest-MD5 auth-int and auth-conf Modes.
-
C-specific information in "Authenticating to the Directory" and SASL Authentication Using Oracle Extensions
This section contains the following topics:
Modes of SASL Digest-MD5 Mechanism
The SASL Digest-MD5 mechanism includes three modes, each representing a different security level or "Quality of Protection."
The following table describes modes of SASL Digest-MD5:
Table 3-1 Modes of SASL Digest-MD5
| Modes | Description |
|---|---|
|
|
Authentication only. Authentication is required only for the initial bind. After that, information is passed in clear text. |
|
|
Authentication plus integrity. Authentication is required for the initial bind. After that, check sums are used to guarantee the integrity of the data. |
|
|
Authentication plus confidentiality. Authentication is required for the initial bind. After that, encryption is used to protect the data. Five cipher choices are available:
|
Prior to 10g (10.1.4.0.1), Oracle Internet Directory supported only the auth mode of the Digest-MD5 mechanism. As of 10g (10.1.4.0.1), Oracle Internet Directory supports all three modes with the Java Naming and Directory Interface (JNDI) of jdk1.4 API or with the OpenLDAP Java API. The Oracle LDAP SDK supports only auth mode.
Using SASL Digest-MD5 Mechanism
Out of the box, Oracle Internet Directory SASL Digest-MD5 authentication supports generation of static SASL Digest-MD5 verifiers based on user or password, but not based on realm. If you want to use SASL Digest-MD5 with realms, you must enable reversible password generation by changing the value of the orclpasswordencryptionenable attribute to 1 in the related password policy before provisioning new users. The LDIF file for modifying the value should look like this:
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext changetype: modify replace: orclpwdencryptionenable orclpwdencryptionenable: 1
The Digest-MD5 mechanism is described in RFC 2831 of the Internet Engineering Task Force. It is based on the HTTP Digest Authentication (RFC 2617).
See Also:
-
Internet Engineering Task Force Web site, at
http://www.ietf.org. -
Open LDAP class libraries
http://www.openldap.org.
Steps Involved in SASL DIGEST-MD5 Authentication Mechanism
SASL Digest-MD5 authentication involves many steps and finally the directory server verifies the client’s response.
The following steps describe SASL Digest-MD5 authentication in detail:
-
The directory server sends data that includes various authentication options that it supports and a special token to the LDAP client.
-
The client responds by sending an encrypted response that indicates the authentication options that it has selected. The response is encrypted in such a way that proves that the client knows its password.
-
The directory server then decrypts and verifies the client's response.
Understanding SASL External Authentication Mechanism
Oracle Internet Directory provides the SASL external mechanism over an SSL mutual connection. The authorization identity (DN) is derived from the client certificate during the SSL network negotiation.
The following is from section 7.4 of RFC 2222 of the Internet Engineering Task Force.
The mechanism name associated with external authentication is "EXTERNAL". The client sends an initial response with the authorization identity. The server uses information, external to SASL, to determine whether the client is authorized to authenticate as the authorization identity. If the client is so authorized, the server indicates successful completion of the authentication exchange; otherwise the server indicates failure.
The system providing this external information may be, for example, IPsec or SSL/TLS.
If the client sends the empty string as the authorization identity (thus requesting the authorization identity be derived from the client's authentication credentials), the authorization identity is to be derived from authentication credentials that exist in the system which is providing the external authentication.
Understanding Oracle Internet Directory Controls
The LDAPv3 Protocol, as defined by RFC 2251, allows extensions by means of controls.Oracle Internet Directory supports several controls. Some are standard and described by RFCs.
Other controls, such as the CONNECT_BY control for hierarchical searches are Oracle-specific. You can use controls with either Java or C.
This section contains the following topics:
Overview of Oracle Internet Directory Controls
Controls can be sent to a server or returned to the client with any LDAP message. These controls are referred to as server controls. The LDAP API also supports a client-side extension mechanism through the use of client controls. These controls affect the behavior of the LDAP API only and are never sent to a server.
For information about using LDAP controls in C, see Working With Controls
For information about using LDAP controls in Java, see the documentation for the JNDI package javax.naming.ldap at: http://www.oracle.com/technetwork/java/jndi/index.html
Controls Supported by Oracle Internet Directory
Oracle Internet Directory supports Request and Response controls.
Request Controls Supported by Oracle Internet Directory
Table 3-2 lists the request controls supported by Oracle Internet Directory
Table 3-2 Request Controls Supported by Oracle Internet Directory
| Object Identifier | Name | Description |
|---|---|---|
|
2.16.840.1.113730.3.4.18 |
Proxy Authorization |
Allows an LDAP client application to bind to Oracle Internet Directory server with its own identity and then to perform operations on behalf of another user or on behalf of multiple users. This control can improve performance especially for proxy operations performed on behalf of multiple users. The LDAP operation does not require a rebind for each user. For example, consider this scenario:
Considerations for the Proxy Authorization control are:
|
|
1.3.6.1.4.1.42.2.27.8.5.1 |
Password Policy |
Allows an LDAP client to request information from Oracle Internet Directory server about the current password policy state for a user. If a password policy is applicable, a client can send this control with these operations:
Other operations such as The password policy request control does not have a The password policy is typically applied to the single-valued attribute For more information, see "Password Policy for LDAP Directories" at this location:
|
|
2.16.840.1.113730.3.4.3 |
Persistent Search |
Allows an LDAP client to send a persistent search request to Oracle Internet Directory server. A persistent search operation is an enhanced search that continues after the initial search results are returned by the server to the client. After the initial search is finished, the connection to the server is kept alive until the client unbinds or abandons the operation. The client can track changes for entries in the search scope and receive an Entry Change Notification response control if an entry is modified. The definition for this control is: PersistentSearch ::= SEQUENCE {
controlType 2.16.840.1.113730.3.4.3
changeTypes INTEGER,
changesOnly BOOLEAN,
returnECs BOOLEAN
}
For a description of these fields, see: |
|
2.16.840.1.113894.1.8.39 |
Computed Attribute Value Uniqueness |
Allows computed attribute value uniqueness for an entry-based combination of multiple attribute values. Usually, attribute uniqueness is configured only for a single attribute. An application that requires uniqueness for a combination of attribute values can send this control, and Oracle Internet Directory server ensures that the computed attribute value is unique across the directory during an operation such as If an entry with the computed value already exists, Oracle Internet Directory server returns the LDAP error code: LDAP_ALREADY_EXISTS = 0x44. For example, in a multi-tenant environment, the UID attribute of a user must be unique for a specific tenant but not necessarily unique across the directory. An application creates an LDAP entry with a computed attribute named TenantID_UID, where TenantID is the identifier of the tenant and UID is the attribute. The application that creates the LDAP entry sends this control, and if an entry with the computed attribute already value already exists, Oracle Internet Directory server returns the LDAP_ALREADY_EXISTS error code. |
|
2.16.840.1.113730.3.4.9 |
OID_SEARCH_VLV_REQ_CONTROL |
Allows a client to specify that the server return, for a given LDAP search, a contiguous subset of a large search result set. It can be used to go through the search results one page at a time, which allows a client to retrieve results more quickly and prevents the client from needing to store too many search results at a time. The server returns the OID_SEARCH_VLV_RES_CONTROL 2.16.840.1.113730.3.4.10. The OID_SEARCH_VLV_REQ_CONTROL works only in conjunction with the SORT control (ldapsearch -T argument). If you do not include a SORT control, the request returns LDAP error code 53 - Search operation with VLV request control is missing SORT request control. The SORT control can contain any sort specification valid for the server. When the SORT control is used with the OID_SEARCH_VLV_REQ_CONTROL, the server does not return the complete set of sorted search results, but instead returns a contiguous subset of those entries specified in the control using a target entry as a reference point for results. For more information, see "LDAP Extensions for Scrolling View Browsing of Search Results" at |
|
1.2.840.113556.1.4.319 |
OID_SEARCH_PAGING_CONTROL |
|
|
1.2.840.113556.1.4.473 |
OID_SEARCH_SORTING_REQUEST_CONTROL |
|
|
2.16.840.1.113730.3.4.2 |
GSL_MANAGE_DSA_CONTROL |
Used to manage referrals, dynamic groups, and alias objects in Oracle Internet Directory. For more information, please see RFC 3296, "Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories," at |
|
2.16.840.1.113894.1.8.1 |
OID_RESET_PROXYCONTROL_IDENTITY |
Used to perform a proxy switch of an identity on an established LDAP connection. For example, suppose that Application A connects to the directory server and then wishes to switch to Application B. It can simply do a rebind by supplying the credentials of Application B. However, there are times when the proxy mechanism for the application to switch identities could be used even when the credentials are not available. With this control, Application A can switch to Application B provided Application A has the privilege in Oracle Internet Directory to proxy as Application B. |
|
2.16.840.1.113894.1.8.2 |
OID_APPLYUSEPASSWORD_POLICY |
Sent by applications that require Oracle Internet Directory to check for account lockout before sending the verifiers of the user to the application. If Oracle Internet Directory detects this control in the verifier search request and the user account is locked, then Oracle Internet Directory does not send the verifiers to the application. It sends an appropriate password policy error. |
|
2.16.840.1.113894.1.8.3 |
CONNECT_BY |
See Performing Hierarchical Searches Using CONNECT_BY Control. |
|
2.16.840.1.113894.1.8.4 |
OID_CLIENT_IP_ADDRESS |
Intended for a client to send the end user IP address if IP lockout is to be enforced by Oracle Internet Directory. |
|
2.16.840.1.113894.1.8.5 |
GSL_REQDATTR_CONTROL |
Used with dynamic groups. Directs the directory server to read the specific attributes of the members rather than the membership lists. |
|
2.16.840.1.113894.1.8.6 |
PasswordStatusRequestControl |
When packaged as part of the LDAP Bind/Compare operation request, this control causes the server to generate a password policy response control. The actual response control depends on the situation. Cases include imminent password expiration, number of grace logins remaining, password expired, and account locked. |
|
2.16.840.1.113894.1.8.14 |
OID_DYNAMIC_VERIFIER_REQUEST_CONTROL |
The request control that the client sends when it wants the server to create a dynamic password verifier. The server uses the parameters in the request control to construct the verifier. |
|
2.16.840.1.113894.1.8.16 |
AccountStatusRequestControl |
When packaged with the LDAP search operation associated with the authentication process, the Oracle Internet Directory returns a password policy response control to inform the client application of account state related information like account lockout, password expiration etc. The application can then parse and enforce the results. |
|
2.16.840.1.113894.1.8.23 |
GSL_CERTIFICATE_CONTROL |
Certificate search control. The request control that the client sends to specify how to search for a user certificate. See the appendix Searching the Directory for User Certificates in Oracle Fusion Middleware Administrator’s Guide for Oracle Internet Directory. |
|
2.16.840.1.113894.1.8.29 |
EffectivePolicyControl |
This control is packaged as part of an LDAP base search, where the base DN is that of the user entry being tested. The entry need not exist in the directory at the time. Passing this control results in the return of the LDAP entry describing the applicable password policy, assuming the entity performing the search has the access rights to view the password policy entry. If the desired password is provided as the optional testPassword parameter, the directory server returns the response control 2.16.840.1.113894.1.8.32. |
|
2.16.840.1.113894.1.8.36 |
DelSubtreeControl |
When this control is sent with a delete operation, it causes the deletion of the entire subtree below the DN provided. Any user having necessary privileges can perform this operation. |
|
1.3.6.1.1.21.2 |
Transaction Specification Control |
This is an LDAPControl indicating association of an operation to a transaction by means of the transaction identifier, which is the value of this control. Its criticality is |
Response Controls Supported by Oracle Internet Directory
Table 3-3 lists the response controls supported by Oracle Internet Directory
Table 3-3 Response Controls Supported by Oracle Internet Directory
| Object Identifier | Name | Description |
|---|---|---|
|
1.3.6.1.4.1.42.2.27.8.5.1 |
Password Policy |
Response control that the Oracle Internet Directory server returns to an LDAP client in response to the Password Policy request control. The response control value is encoded as follows: PasswordPolicyResponseValue ::= SEQUENCE {
warning [0] CHOICE {
timeBeforeExpiration [0] INTEGER (0 .. maxInt),
graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
error [1] ENUMERATED {
passwordExpired (0),
accountLocked (1),
changeAfterReset (2),
passwordModNotAllowed (3),
mustSupplyOldPassword (4), /*currently not supported*/
insufficientPasswordQuality (5),
passwordTooShort (6),
passwordTooYoung (7),
passwordInHistory (8) } OPTIONAL }The Password Policy response control does not offer the The server sends either an error or warning in the password policy response control (but not both). Error codes are described in:
Control criticality is not returned in the response. For a non violation of the password policy, the server does not send a response. |
|
2.16.840.1.113730.3.4.7 |
Entry Change Notification |
Returned by the Oracle Internet Directory server to an LDAP client in response to a Persistent Search control that has the The definition for this control is: EntryChangeNotification ::= SEQUENCE {
controlType 2.16.840.1.113730.3.4.7
changeType ENUMERATED {
add (1),
delete (2),
modify (4),
modDN (8)
},
previousDN LDAPDN OPTIONAL, -- modifyDN ops. only
changeNumber INTEGER OPTIONAL -- if supported
}
For a description of these fields, see: |
|
2.16.840.1.113730.3.4.10 |
OID_SEARCH_VLV_RES_CONTROL |
The server sends this control in response to an OID_SEARCH_VLV_REQ_CONTROL 2.16.840.1.113730.3.4.9. |
|
2.16.840.1.113894.1.8.7 |
OID_PASSWORD_EXPWARNING_CONTROL |
Password policy control. Response control that the server sends when the pwdExpireWarning attribute is enabled and the client sends the request control. The response control value contains the time in seconds to password expiration. |
|
2.16.840.1.113894.1.8.8 |
OID_PASSWORD_GRACELOGIN_CONTROL |
Password policy control. The response control that the server sends when grace logins are configured and the client sends a request control. The response control value contains the remaining number of grace logins. |
|
2.16.840.1.113894.1.8.20 |
OID_PWDEXPIRED_CONTROL |
Password policy control. The response control that the server sends when the password has expired, there are no grace logins remaining, and the client sends a request control. |
|
2.16.840.1.113894.1.8.9 |
OID_PASSWORD_MUSTCHANGE_CONTROL |
Password policy control. The response control that the server sends when forced password reset is enabled and the client sends the request control. The client must force the user to change the password upon receipt of this control. |
|
2.16.840.1.113894.1.8.15 |
OID_DYNAMIC_VERIFIER_RESPONSE_CONTROL |
The response control that the server sends to the client when an error occurs. The response control contains the error code. |
|
2.16.840.1.113894.1.8.32 |
PasswordValidationControl |
The server sends this in response to control 2.16.840.1.113894.1.8.29 when the desired password is provided as the optional testPassword parameter. A client application can parse the validationResult to determine whether the password can be accepted by the server ("Success") or the reason it has been rejected. The same type of error message generated during a failed LDAP modify operation on userpassword is returned as the value. |
Viewing Supported Oracle Internet Directory Controls
To find out what controls are available in your Oracle Internet Directory installation, you need to run ldapsearch command.
Run the following command to view supported Oracle Directory Controls:
ldapsearch -p port -b "" -s base "objectclass=*"
Look for entries that begin with supportedcontrol=.
Using Proxy on Behalf of End Users
Often applications must perform operations that require impersonating an end user. An application may, for example, want to retrieve resource access descriptors for an end user.
Resource access descriptors are discussed in The Access Control Directive Format chapter ofOracle Fusion Middleware Administrator’s Guide for Oracle Internet Directory.
A proxy switch occurs at run time on the JNDI context. An LDAP v3 feature, proxying can only be performed using InitialLdapContext, a subclass of InitialDirContext. If you use the Oracle extension oracle.ldap.util.jndi.ConnectionUtil to establish a connection (the example following), InitialLdapContext is always returned. If you use JNDI to establish the connection, make sure that it returns InitialLdapContext.
Note:
To perform the proxy switch to an end user, you need the user's DN.
If there is a User object already available fetched from Subscriber, then the user's DN is available as shown in this fragment:
//User user = subscriber.getUser(...); user.getDn();
If you do not have the User object, you can create it if you have the user's name, UID, SAM account name, or Kerberos principal are available, as shown in the following fragment:
User user = new User(dirCtx, idType, userIdValue, subscriber, true); // idType can be Util.IDTYPE_SIMPLE / Util.IDTYPE_GUID / Util.IDTYPE_WINDOWS / Util.IDTYPE_KERB_PRINCIPALuser.getDn();
This code shows how the proxy switch occurs:
import oracle.ldap.util.jndi.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import javax.naming.*;
public static void main(String args[])
{
try{
InitialLdapContext appCtx=ConnectionUtil.getDefaultDirCtx(args[0], // host
args[1], // port
args[2], // DN
args[3]; // pass)
// Do work as application
// . . .
String userDN=null;
// assuming userDN has the end user DN value
// Now switch to end user
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN);
ctx.addToEnvironment("java.naming.security.credentials", "");
Control ctls[] = {
new ProxyControl()
};
((LdapContext)ctx).reconnect(ctls);
// Do work on behalf of end user
// . . .
}
catch(NamingException ne)
{
// javax.naming.NamingException is thrown when an error occurs
}
}
The ProxyControl class in the code immediately preceding implements a javax.naming.ldap.Control. To learn more about LDAP controls, see the LDAP control section of Oracle Fusion Middleware Reference for Oracle Identity Management. Here is an example of what the ProxyControl class might look like:
import javax.naming.*;
import javax.naming.ldap.Control;
import java.lang.*;
public class ProxyControl implements Control {
public byte[] getEncodedValue() {
return null;
}
public String getID() {
return "2.16.840.1.113894.1.8.1";
}
public boolean isCritical() {
return false;
}
}Creating Dynamic Password Verifiers
You can modify the LDAP authentication APIs to generate application passwords dynamically—that is, when users log in to an application. This feature has been designed to meet the needs of applications that provide parameters for password verifiers only at runtime.
This section contains the following topics:
Using Request Control to Create Dynamic Password Verifiers
Creating a password verifier dynamically involves modifying the LDAP authentication APIs ldap_search or ldap_modify to include parameters for password verifiers.
An LDAP control called DynamicVerifierRequestControl is the mechanism for transmitting these parameters. It takes the place of the password verifier profile used to create password verifiers statically. Nevertheless, dynamic verifiers, like static verifiers, require that the directory attributes orclrevpwd (synchronized case) and orclunsyncrevpwd (unsynchronized case) be present and that these attributes be populated.
Note that the orclpwdencryptionenable attribute of the password policy entry in the user's realm must be set to 1 if orclrevpwd is to be generated. If you fail to set this attribute, an exception is thrown when the user tries to authenticate. To generate orclunsyncrevpwd, you must add the crypto type 3DES to the entry cn=defaultSharedPINProfileEntry,cn=common,cn=products,cn=oraclecontext.
Syntax for DynamicVerifierRequestControl
DynamicVerifierRequestControl LDAP control is the mechanism to transmit parameters for password verifiers.
The request control looks like this:
DynamicVerifierRequestControl
controlOid: 2.16.840.1.113894.1.8.14
criticality: FALSE
controlValue: an OCTET STRING whose value is the BER encoding of the following type:
ControlValue ::= SEQUENCE {
version [0]
crypto [1] CHOICE OPTIONAL {
SASL [0] LDAPString,
SyncML1.0 [1] LDAPString,
SyncML1.1 [2] LDAPString,
CRAM-MD5 [3] LDAPString },
username [1] OPTIONAL LDAPString,
realm [2] OPTIONAL LDAPString,
nonce [3] OPTIONAL LDAPString,
}
Note that the parameters in the control structure must be passed in the order in which they appear. Table 3-4 defines these parameters.
Table 3-4 Parameters in DynamicVerifierRequestControl
| Parameter | Description |
|---|---|
controlOID |
The string that uniquely identifies the control structure. |
crypto |
The hashing algorithm. Choose one of the four identified in the control structure. |
username |
The distinguished name (DN) of the user. This value must always be included. |
realm |
A randomly chosen realm. It may be the identity management realm that the user belongs to. It may even be an application realm. Required only by the SASL/MD5 algorithm. |
nonce |
An arbitrary, randomly chosen value. Required by SYNCML1.0 and SYNCML1.1. |
Parameters Required by the Hashing Algorithms
Hashing algorithms are used to create dynamic password verifiers.
Table 3-5 lists the four hashing algorithms and the parameters that each algorithm uses as building blocks. Note that, although all algorithms use the user name and password parameters, they differ in their use of the realm and nonce parameters.
Table 3-5 Parameters Required by the Hashing Algorithms
| Algorithm | Parameters Required |
|---|---|
|
SASL |
|
|
SYNCML1.0 |
|
|
SYNCML1.1 |
|
|
CRAM-MD5 |
|
Understanding Request Control for Dynamic Password Verifiers
Applications that require password verifiers to be generated dynamically must include DynamicVerifierRequestControl in their authentication APIs.
Either ldap_search or ldap_compare must incorporate the controlOID and the control values as parameters. They must BER-encode the control values as shown in Syntax for DynamicVerifierRequestControl. Then they must send both controlOID and the control values to the directory server. More description about parameters is described in the following sections:
About Parameters Required If ldap_search Is Used
If you want the application to authenticate the user, use ldap_search to pass the control structure. If ldap_search is used, the directory passes the password verifier that it creates to the client.
ldap_search must include the DN of the user, the controlOID, and the control values. If the user's password is a single sign-on password, the attribute passed is authpassword. If the password is a numeric pin or another type of unsynchronized password, the attribute passed is orclpasswordverifier;orclcommonpin.
About Parameters Required If ldap_compare Is Used
If you want Oracle Internet Directory to authenticate the user, use ldap_compare to pass the control structure. In this case, the directory retains the verifier and authenticates the user itself.
Like ldap_search, ldap_compare must include the DN of the user, the controlOID, the control values, and the user's password attribute. For ldap_compare, the password attribute is orclpasswordverifier;orclcommonpin (unsynchronized case).
Understanding Response Control for Dynamic Password Verifiers
When it encounters an error, the directory sends the LDAP control DynamicVerifierResponseControl to the client.This response control contains the error code.
To learn about the error codes that the response control sends, see the Troubleshooting Dynamic Password Verifiers in Oracle Fusion Middleware Administrator’s Guide for Oracle Internet Directory.
Obtaining Privileges for the Dynamic Verifier Framework
If you want the directory to create password verifiers dynamically, you must add your application identity to the VerifierServices group of directory administrators.
If you fail to perform this task, the directory returns an LDAP_INSUFFICIENT_ACCESS error.
Performing Hierarchical Searches Using CONNECT_BY Control
One of the server controls you can pass to an LDAP search function is CONNECT_BY. This is an Oracle-specific control that causes the search to traverse a hierarchy.
For example, if you search for all the users in group1, without the CONNECT_BY control, the search function returns only users who are direct members of group1. If you pass the CONNECT_BY control, however, the search function traverses the hierarchy. If group2 is a member of group1, the search also returns users in group2. If group3 is a member of group2, the search also returns users in group3, and so forth. More information on search function is explained in the following sections:
About Characteristic Features of the CONNECT_BY Control
CONNECT_BY control is used to search through all containers in which an entry is contained.
In 10g (10.1.4.0.1), the CONNECT_BY control was enhanced in two ways:
-
You can now traverse the hierarchy in either direction. That is, you can search through all containers in which an entry is contained, and through all containers contained within an entry.
-
You can now specify the number of levels of the hierarchy to search.
Value Fields in the CONNECT_BY Control
In previous releases, the CONNECT_BY control required no values.
Because of the new functionality, you can now pass one or both of the following values to CONNECT_BY:
Table 3-6 Connect_By Control values
| Values | Description |
|---|---|
|
Hierarchy-establishing attribute |
A string representing the attribute to be searched. This value is necessary only when searching through all containers in which an entry is contained. When searching through containers contained within an entry, you need not provide this value because the search filter provides that information. |
|
Number of levels |
An integer representing the number of levels to traverse. If the value is |
Using CONNECT_BY Control
You can use CONNECT_BY control to find all the user and group related information.
The following topics describe how to use the CONNECT_BY control:
Finding All the Groups to Which a User Belongs
Using a filter such as (member=cn=jsmith), you do not need to provide the hierarchy-establishing attribute member because it is in the search filter. You do not need to pass a value for the number of levels because 0 is the default.
Finding Only the Groups to Which a User Directly Belongs
Using the same filter as in Example 1, you would pass the integer control value 1. The result would be the same as if you did not use the CONNECT_BY control at all.
Finding All Members of a Group
In this case, your search filter would specify (objectclass=*), but if you want to find all members of group1, the attribute for traversing the hierarchy is member. For this search, you must pass the string "member" as the hierarchy-establishing attribute. You do not need to pass a value for the number of levels because 0 is the default.
Finding all Managers of a User
This is similar to Example 3, except that you want to find all managers of the user jsmith, so manager is the attribute for traversing the hierarchy. For this search, you would pass the string "manager". You do not need to pass a value for the number of levels because 0 is the default.
Understanding Sorted LDAP Search Results
As of Oracle Internet Directory g (10.1.4.0.1), you can obtain sorted results from an LDAP search, as described by IETF RFC 2891. You request sorted results by passing a control of type 1.2.840.113556.1.4.473 to the search function. The server returns a response control is of type 1.2.840.113556.1.4.474. Error processing and other details are described in RFC 2891.
See Also:
IETF RFC 2891, "LDAP Control Extension for Server Side Sorting of Search Results," at http://www.ietf.org.
Sorting and paging may be used together.
The Oracle Internet Directory implementation of RFC 2891 has the following limitations:
-
It supports only one
attributeTypein the control value. -
It uses the default ordering rule defined in the schema for each attribute.
-
Linguistic sorting is not supported.
-
The default sorting order is ascending.
-
If a sort key is a multi-valued attribute, and an entry has multiple values for that attribute, and there are no other controls that affect the sorting order, then the server uses the least value, according to the ordering rule for that attribute.
-
The sort attribute must be searchable. That is, it must be a cataloged attribute in Oracle Internet Directory.
Understanding Paged LDAP Search Results
As of As of Oracle Internet Directory g (10.1.4.0.1), you can obtain sorted results from an LDAP search, as described by IETF RFC 2891.
You request sorted results by passing a control of type 1.2.840.113556.1.4.473 to the search function. The server returns a response control is of type 1.2.840.113556.1.4.474. Error processing and other details are described in RFC 2891. 10g (10.1.4.0.1), you can obtain paged results from an LDAP search, as described by IETF RFC 2696. You request sorted results by passing a control of type 1.2.840.113556.1.4.319 to the search function. Details are described in RFC 2696.
See Also:
IETF RFC 2696, "LDAP Control Extension for Simple Paged Results Manipulation," at http://www.ietf.org.
Sorting and paging may be used together.
The As of Oracle Internet Directory g (10.1.4.0.1), you can obtain sorted results from an LDAP search, as described by IETF RFC 2891. You request sorted results by passing a control of type 1.2.840.113556.1.4.473 to the search function. The server returns a response control is of type 1.2.840.113556.1.4.474. Error processing and other details are described in RFC 2891. implementation of RFC 2696 has the following limitations:
-
The number of entries in a page might be less than the page size if an ACI partially blocks some entries from the search results.
-
The paging response control does not contain the total entry count estimation. The return value is always 0.
Using Password Policies
The Oracle Internet Directory natively supports a rich set of policies governing passwords.
See Managing Password Policies in Oracle Fusion Middleware Administrator’s Guide for Oracle Internet Directory. You should design your applications to interact with the directory's password policies at runtime and handle any resulting events gracefully. Oracle Internet Directory provides several mechanisms to allow clients to interact with the server's password policies.
This section contains the following topics:
Provisioning User
If your application provisions its own users in the directory, you should test passwords for acceptability by the server before committing the new user entry into the directory.
You can test a password by using the following custom control:
EffectivePolicyControl
::= SEQUENCE {
controlType 2.16.840.1.113894.1.8.29,
criticality BOOLEAN DEFAULT FALSE,
controlValue testPassword
}
testPassword ::= OCTET STRING (optional)
Package this control as part of an LDAP base search, where the base DN is that of the user entry being tested. The entry does not need to exist in the directory at the time. The server returns the LDAP entry describing the applicable password policy, assuming the entity performing the search has the access rights to view the password policy entry. Providing the desired password as the optional testPassword parameter results in the directory server returning the following response control:
PasswordValidationControl
::= SEQUENCE {
controlType 2.16.840.1.113894.1.8.32,
criticality BOOLEAN DEFAULT FALSE,
controlValue validationResult
}
validationResult ::= OCTET STRING
Your client application can parse the validationResult to determine whether the password is accepted by the server ("Success") or the reason it has been rejected. The error message is the same as that generated during a failed LDAP modify operation on userpassword.
Handling User Authentication
The user authentication process is performed within the directory server.
There are two main categories:
Performing LDAP Bind/Compare Operation-Based Authentication
This refers to authentication performed on the standard userpassword attribute. The entire authentication process is performed within the directory server, and appropriate internal events are generated to update various account states as necessary.
The traditional use of this type of authentication is in an unsophisticated protocol. The application performs either an LDAP bind or compare operation against the server and checks for success. It handles all other cases as authentication failures.
When an authentication attempt fails, an application can determine the cause and either take action to remedy the situation or to expose the cause to the end user so that the end user can take an action to remedy the situation. This enhances the user experience and reduces administrative overhead. To retrieve such cause information during an LDAP Bind/Compare operation, you use the following LDAP control:
PasswordStatusRequestControl
::= SEQUENCE {
controlType 2.16.840.1.113894.1.8.6,
criticality BOOLEAN DEFAULT FALSE,
}
When packaged as part of the LDAP Bind/Compare operation request, this control is processed by the server and causes the generation of a response control. The actual response control depends on the situation. See the password response controls in Table 3-3. Cases include imminent password expiration, number of grace logins remaining, password expired, and account locked.
Performing LDAP Search Operation-Based Authentication
This refers to authentication performed against other authentication tokens, such as password verifiers, maintained as part of a user entry. The token may be retrieved by the application. The authentication process occurs within the application and outside the scope of the directory server. Therefore in LDAP search-based authentications, the directory does not implicitly know the result of the authentication attempt.
If an application performs its own authentication after retrieving an authentication token from the directory, then none of the state-related policies are effective. Without these policies, scenarios such as locked accounts aren't enforceable, and users with expired accounts can still authenticate against the application.
The Oracle Internet Directory provides two mechanism that allow such an application to leverage the state related policy framework already present in the directory server. They are described in the following sections:
Checking and Enforcing State Policies at Authentication Time
You use the following custom control to enable this feature:
AccountStatusRequestControl
::= SEQUENCE {
controlType 2.16.840.1.113894.1.8.16,
criticality BOOLEAN DEFAULT FALSE,
}
When this control is packaged with the LDAP search operation associated with the authentication process, Oracle Internet Directory processes this control and returns a response control to inform the client application of account state related information like account lockout, password expiration etc. See the password response controls in Table 3-3. The application can then parse and enforce the results.
While this addresses the issue of how the policies can be enforced by the client application, another fundamental application requirement is as follows:
Communicating to the Directory of Authentication Success/Failure
Oracle Internet Directory provides this ability through the virtual attribute: orclAccountStatusEvent.
This attribute is available on all user entries as a virtual attribute. That is, it has no disk footprint. However, modify operations can be applied on it. By default, a directory ships with restricted access to this attribute, so you must ask the directory administrator to grant your application identity write access on the attribute for the relevant user population.
You communicate authentication success or failure to the directory by modifying this attribute to hold UserAccountEvent. The following LDIF illustrates this.
dn: UserDN changetype: modify replace: orclAccountStatusEvent orclAccountStatusEvent: UserAccountEvent
The Oracle Internet Directory understands the following values for UserAccountEvent:
UserAccountEvent = 1 (Authentication Success) UserAccountEvent = 2 (Authentication Failure)
Upon receipt of these events, the Oracle Internet Directory invokes the same logic that is invoked during an authentication/success failure of an LDAP bind or compare operation, thereby updating the necessary account states.
In this way, you can leverage the existing account state related infrastructure available in the Oracle Internet Directory to secure your application.
About User Account Maintenance
User account maintenance and its interaction with password policies occur mostly around periodic password modifications. We recommend that applications utilize the EffectivePolicyControl described above to retrieve the effective policy and parse it to generate a message guiding the end user to the password construction requirements. Furthermore, we encourage the usage of the "test" capabilities encapsulated in this control to direct the end user towards the cause behind a modification failure. Handling these situations within the application reduces administrative overhead.
Secondly, there are a multitude of use-cases requiring a user to change his or her password upon next logon. The Oracle Internet Directory natively triggers this requirement when the pwdmustchange password policy element is enabled and a userpassword undergoes a non-self modification. However, in the event that an explicit trigger of this requirement is needed, the Oracle Internet Directory supports it also via the orclAccountStatusEvent attribute described above. The relevant events are:
UserAccountEvent = 3 (Require Password Reset on next Logon) UserAccountEvent = 4 (Clear Password Reset Requirement)
If the application has an administrative interface, this functionality may be desirable and can be exposed to the administrator.