INTRODUCTION What is a Web-Enabled Database? Problem and its Importance Two-tier Architecture...

Post on 31-Dec-2015


INTRODUCTION

What is a Web-Enabled Database?

Problem and its Importance

Two-tier Architecture

Three-tier Architecture

Need for a compatible centralized directory service

REPRESENTATIVE EXAMPLE

NASA maintains a very large database of users.

Two-tier cannot be applied because of sensitive information.

Three-tier suits it, but querying is complex.

X.500 (Directory Service) is now used.

RELATED WORKS

The three-tier architecture implementation

With the new requirements of Internet computing and new e-business technologies, there is a growing need for a common infrastructure to serve as a foundation for the management and configuration of all data and resources on the network.

What could be the solution to this continual increase?

RELATED WORKS ..contd

A directory service provides a key part of this common foundation by providing a centralized vehicle for managing and configuring distributed, heterogeneous networks.

Most organizations today are not looking for another directory service.

Organizations are facing security concerns such as how to expose only the information they want to, as well as access control.

RELATED WORKS ..contd

Decentralized, incompatible directory services do not make it easy to articulate and enforce security policies.

There are many different ways to provide a centralized directory service.

Some directory services are local, providing service to a restricted context; other services are global, providing service to a much broader context.

RELATED WORKS ..contd.

One useful directory service is X.500.

Its access protocol, called the Directory Access Protocol (DAP), is layered on top of the Open Systems Interconnection (OSI) protocol stack.

LIMITATIONS

There is a need for an X.500 type of directory.

The Internet runs over TCP/IP; X.500 runs over OSI.

There is a need to include the features of X.500 in a new directory service that still runs over TCP/IP.

The Directory Access Protocol (DAP) was improved into the Lightweight Directory Access Protocol (LDAP).

SOLUTION- LDAP

All Internet applications have a common problem: security. There is also the need for centralization.

The solution is directory services, which can be used to administer an Internet, intranet or extranet.

It should also reduce the total cost and the points of failure (because of the three-tier architecture).

The Lightweight Directory Access Protocol (LDAP) represents the emerging solution.

SOLUTION - OID

LDAP-compliant directories include Oracle Internet Directory (OID), Microsoft Active Directory, Novell Directory Service and the Netscape Directory Server.

The chosen directory is the Oracle Internet Directory.

Features

Scalable: it scales to support over half a billion real-world directory entries.

High availability: administrators have the ability to administer the directory from another server to perform functions.

Secure: it offers comprehensive and flexible support for directory access control.

OID implements three levels of user authentication.

SOLUTION-ILLUSTRATION

Example of a person, say "X", staying in Columbia, and the method he uses to reveal his details to a known person in India.

The intermediary involved here is in another place, say Chicago.

SOLUTION- CLIENT ACCESS TO A DATABASE

A client initiates a connect request, providing a connect identifier.

The connect identifier retrieves a connect descriptor (e.g. port number, hostname, protocol, instance, ...) stored in Oracle Internet Directory, which is sent back to the client.

The client makes the connect request to the address provided in the connect descriptor.

A listener receives the request and directs it to the server.
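The lookup in steps 1 to 3 above, as an added example that is not code from the slides: a constructed OID-style entry holding the net service's connect descriptor is parsed from LDIF, the connect identifier is resolved against it, and the address fields the client needs are extracted. The base DN and the objectclass/attribute names (orclNetService, orclNetDescString) are assumptions about OID's Net naming schema.

```python
import re

# Added example (not from the slides). SAMPLE_LDIF is constructed data; the
# objectclass/attribute names are assumed to follow OID's Net naming schema.
SAMPLE_LDIF = """\
dn: cn=miracle1,cn=OracleContext,dc=engr,dc=sc,dc=edu
objectclass: top
objectclass: orclNetService
cn: miracle1
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=miracle1.engr.sc.edu)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=miracle1.engr.sc.edu)))
"""
ORACLE_CONTEXT = "cn=OracleContext,dc=engr,dc=sc,dc=edu"  # assumed base DN

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for minimal LDIF (no folding/base64)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def lookup_connect_descriptor(directory, connect_id):
    """Slide step 2: connect identifier -> stored connect descriptor, or None."""
    entry = directory.get(f"cn={connect_id},{ORACLE_CONTEXT}")
    if not entry or "orclnetservice" not in map(str.lower, entry.get("objectclass", [])):
        return None
    return entry["orclnetdescstring"][0]

def parse_descriptor(desc):
    """Extract the address fields the client needs (protocol, host, port, service)."""
    fields = {}
    for key in ("PROTOCOL", "HOST", "PORT", "SERVICE_NAME", "SID"):
        m = re.search(rf"\({key}=([^()]+)\)", desc)
        if m:
            fields[key] = m.group(1)
    return fields

def resolve(directory, connect_id):
    """Slide steps 1-3 rolled together: identifier -> address to connect to."""
    desc = lookup_connect_descriptor(directory, connect_id)
    return parse_descriptor(desc) if desc else None
```

An unknown identifier resolves to None rather than a partial descriptor, so the client never attempts a connection to an address the directory did not supply.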

SOLUTION-LDAP

The concept of Oracle Internet Directory, a virtual directory, is an additional feature of this architecture that enhances its security. An LDAP directory service provides a number of stringent security mechanisms. Directory users must first authenticate themselves to the directory, using either a username and password or an SSL/X.509 version 3 certificate (through a bind operation).

Once the user has been authenticated, the information he can access is still further constrained by an access control list.

SOLUTION-IMPLEMENTATION OF LDAP

Directory Information Tree

SOLUTION-AUTHENTICATION AND ACCESS CONTROL IN LDAP

A client initiates a request.

The LDAP server searches the OID to check whether the client actually exists.

Accordingly, it sends or does not send an instance back.

The privileges ascribed to the particular user are then enabled and sent back through the instance.

It does not allow unauthorized access privileges, since the privileges were enabled prior to the client accessing the database.

PRACTICAL IMPLEMENTATION- DATABASE CREATION

Create a database.

Global database name: miracle1

SID: miracle1

Oracle Enterprise Edition 8.1.7 was installed in typical installation mode; the Oracle Internet Directory in the database was custom installed.

CHECK THE DATABASE

To check whether the database has been created and can be started, use the server manager to perform administrative functions.

Server manager in line mode: svrmgrl; password: internal

LISTENER

The listener has to be started here.

The name of the listener configured here is LISTENER.

Type lsnrctl at the command prompt.

CONNECTION TO THE DATABASE

It has to be ensured that it is possible to log on to the database using the net service (here Net8).

Test: connect as system/manager

LDAP STARTS

To enable the creation of the variables and commands of LDAP, run the newldap.sql file from the svrmgrl prompt. It will create all the variables.

At this stage the server is running, the net service (miracle1.engr.sc.edu) is running, and the client can connect to the database, as seen from the test.

OID CONFIGURATION

Run the batch file postconfig.bat from the command prompt for the OID to start configuring. The OID configuration starts.

MONITOR AND SERVER

Start the OID monitor using the command: oidmon connect=miracle1 (the database name) sleep=10 start

Start the LDAP server: oidctl connect=miracle1.engr.sc.edu server=oidldapd instance=3 configset=5 start

ORACLE DIRECTORY MANAGER

Once this is started, it is possible to add entries into the OID.

There are three kinds of logons: anonymous, simple and SSL.

The simple login is orcladmin/welcome.

ORACLE DIRECTORY MANAGER

ODM

ADDING ENTRIES

It can now be used to add entries, either through the command line or from an LDAP Data Interchange Format (LDIF) file.

NEW ENTRY

The added entries

NEW ENTRY

New Entries

ACCESS CONTROL

Specifying Access Controls

ACCESS CONTROL

Failed attempt.

CREATIONS

It is possible to create new object classes as well as attributes.

ORACLE DIRECTORY MANAGER

Schema Management

CONCLUSION

The Lightweight Directory Access Protocol (LDAP) seems to be the most probable solution in the present scenario.

The database can be configured more easily with LDAP than with any other independent directory service.

LDAP offers a very good authentication service.

CONCLUSION

It reduces the chance of a denial of service attack. Example: say there are a billion users, of whom 50 million are genuine users and 50 million are non-genuine.

LDAP also implements the access control policy of the enterprise.

LIMITATIONS IN LDAP

The protocol cannot and will not supplant relational databases.

It does not offer two-phase commits, a true relational structure, or a relational query language like SQL.

It is not reasonable to expect LDAP to serve as a file system.

LIMITATIONS IN LDAP

It was developed mainly to serve as a simple look-up protocol.

LDAP would not be the right choice for specific applications which involve frequent updates, etc.

Research should be concentrated on developing a similar protocol which is equally simple and able to overcome the limitations cited above.

LDAP at GMU

Shooooot !!!