INTRODUCTION What is a Web-Enabled Database? Problem and its Importance Two-tier Architecture...


Page 1:

Page 2:

INTRODUCTION

What is a Web-Enabled Database?

Problem and its Importance

Two-tier Architecture

Three-tier Architecture

Need for a compatible centralized directory service

Page 3:

REPRESENTATIVE EXAMPLE

NASA maintains a very large database of users.

Two-tier cannot be applied because of sensitive information.

Three-tier suits it, but querying is complex.

X.500 (Directory Service) is now used.

Page 4:

RELATED WORKS

The three-tier architecture implementation

With the new requirements of Internet computing and new e-business technologies, there is a growing need for a common infrastructure to serve as a foundation for management and configuration of all data and resources on the network.

What could be the solution to this continual increase?

Page 5:

RELATED WORKS (contd.)

A directory service provides a key part of this common foundation, by providing a centralized vehicle for managing and configuring distributed, heterogeneous networks.

Most organizations today are not looking for another directory service.

Organizations are facing security concerns such as how to expose only the information they want to, as well as access control.

Page 6:

RELATED WORKS (contd.)

Decentralized, incompatible directory services do not make it easy to articulate and enforce security policies.

There are many different ways to provide a centralized directory service.

Some directory services are local, providing service to a restricted context; others are global, providing service to a much broader context.

Page 7:

RELATED WORKS (contd.)

One useful directory service is X.500.

Its access protocol, called the Directory Access Protocol (DAP), is layered on top of the Open Systems Interconnection (OSI) protocol stack.

Page 8:

LIMITATIONS

There is a need for an X.500 type of directory.

The Internet runs over TCP/IP.

X.500 runs over OSI.

Need to include the features of X.500 in a new directory service and still run over TCP/IP.

The Directory Access Protocol (DAP) was improved into a Lightweight Directory Access Protocol (LDAP).

Page 9:

SOLUTION - LDAP

All Internet applications have a common problem: security.

Also the need for centralization.

The solution is directory services, which can be used to administer the Internet, an intranet or an extranet.

It should also reduce the total cost and points of failure (because of the 3-tier architecture).

Lightweight Directory Access Protocol (LDAP) represents the emerging solution.

Page 10:

SOLUTION - OID

There are many LDAP-compliant directories, such as Oracle Internet Directory (OID), Microsoft Active Directory, Novell Directory Service and the Netscape Directory Server.

The chosen directory is the Oracle Internet Directory.

Features

Scalable: It scales to support over half a billion real-world directory entries.

High Availability: Administrators have the ability to administer the directory from another server to perform functions.

Secure: It offers comprehensive and flexible support for directory access control.

OID implements three levels of user authentication.

Page 11:

SOLUTION - ILLUSTRATION

Example of a person, say "X", staying in Columbia

The method he uses to reveal his details in India to a known person

The intermediary involved here is in another place, say Chicago

Page 12:

SOLUTION - CLIENT ACCESS TO A DATABASE

A client initiates a connect request, providing a connect identifier.

The connect identifier retrieves a connect descriptor (e.g. port number, hostname, protocol, instance, …) stored in Oracle Internet Directory, which is sent back to the client.

The client makes the connect request to the address provided in the connect descriptor.

A listener receives the request and directs it to the server.
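
The lookup described on this slide, as an added example that is not part of the original presentation: a dictionary stands in for Oracle Internet Directory, and the client parses the returned connect descriptor (Oracle Net's nested `(KEY=value)` syntax) and validates it before using the address. The host name, port 1521 and the names `DIRECTORY`, `parse_descriptor` and `resolve` are assumptions made for illustration.

```python
# Added example (not from the slides): DIRECTORY stands in for OID.
# The descriptor text, host name and port 1521 are constructed sample data.
DIRECTORY = {
    "miracle1.engr.sc.edu":
        "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost.example.com)"
        "(PORT=1521))(CONNECT_DATA=(SID=miracle1)))",
}

def parse_descriptor(text):
    """Parse nested (KEY=value) groups into nested dicts (one value per key)."""
    text = "".join(text.split())          # descriptors may be wrapped across lines
    pos = 0

    def group():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        eq = text.index("=", pos)         # ValueError if the group has no '='
        key = text[pos + 1:eq].upper()
        if not key.isidentifier():
            raise ValueError(f"bad keyword {key!r}")
        pos = eq + 1
        if text[pos:pos + 1] == "(":      # value is a list of sub-groups
            value = {}
            while text[pos:pos + 1] == "(":
                k, v = group()
                if k in value:
                    raise ValueError(f"duplicate keyword {k}")
                value[k] = v
        else:                             # value is a plain token
            end = text.index(")", pos)
            value, pos = text[pos:end], end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, value

    key, value = group()
    if pos != len(text):
        raise ValueError("trailing data after descriptor")
    return {key: value}

def resolve(identifier):
    """Return (protocol, host, port, sid) for a connect identifier."""
    desc = parse_descriptor(DIRECTORY[identifier])["DESCRIPTION"]
    addr, port = desc["ADDRESS"], int(desc["ADDRESS"]["PORT"])
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return addr["PROTOCOL"], addr["HOST"], port, desc["CONNECT_DATA"]["SID"]
```

The parser rejects unbalanced or duplicated groups instead of guessing, because the client acts on whatever address the directory returns.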

Page 13:

SOLUTION - LDAP

The concept of Oracle Internet Directory, a virtual directory, is an additional feature to this architecture to enhance its security.

An LDAP directory service provides a number of stringent security mechanisms. Directory users must first authenticate themselves to the directory using either a username and password or an SSL/X.509 release 3 certificate (through a bind operation).

Once the user has been authenticated, the information he can access is still further constrained by using an access control list.

Page 14:

SOLUTION-IMPLEMENTATION OF LDAP

Directory Information Tree

Page 15:

SOLUTION - AUTHENTICATION AND ACCESS CONTROL IN LDAP

Initiation of a request by a client.

The LDAP server searches the OID to check whether the client actually exists.

Accordingly, it sends or doesn't send an instance back.

The privileges that are ascribed to the particular user are then enabled and sent back through the instance.

It doesn't allow unauthorized access privileges, since the privileges were enabled prior to the client accessing the database.
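
The bind-then-authorize flow from this slide and from Page 13, as an added example that is not part of the original presentation: a small in-memory directory where a session is first established by an anonymous or simple bind and every read is then filtered through an access control list. `ToyDirectory`, the DNs, passwords and the ACL rule format are assumptions made for illustration; the SSL certificate bind is not modelled.

```python
# Added example (not from the slides); entries, passwords and ACL are constructed.
import hashlib, hmac, os

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ToyDirectory:
    def __init__(self, acl):
        self.entries, self.creds = {}, {}
        self.acl = acl                    # (subject, attribute, allow); first match wins

    def add(self, dn, attrs, password):
        salt = os.urandom(16)
        self.entries[dn] = dict(attrs)
        self.creds[dn] = (salt, pw_hash(password, salt))

    def bind(self, dn=None, password=None):
        """Return the session identity, or raise if authentication fails."""
        if dn is None:
            return "anonymous"            # anonymous bind: no DN, no password
        if not password:                  # a DN with an empty password must not
            raise PermissionError("empty password")   # fall back to anonymous
        salt, stored = self.creds.get(dn, (b"\0" * 16, b""))
        if not hmac.compare_digest(pw_hash(password, salt), stored):
            raise PermissionError("invalid credentials")
        return dn

    def read(self, session, dn):
        """Return only the attributes the ACL lets this session see."""
        return {a: v for a, v in self.entries[dn].items()
                if self.allowed(session, dn, a)}

    def allowed(self, session, dn, attr):
        for subject, target, allow in self.acl:
            hit = (subject == "*" or subject == session
                   or (subject == "self" and session == dn))
            if hit and target in ("*", attr):
                return allow
        return False                      # default deny

ALICE, BOB = "cn=alice,dc=example,dc=com", "cn=bob,dc=example,dc=com"

def sample_directory():
    acl = [("self", "*", True), ("anonymous", "cn", True),
           ("anonymous", "*", False), ("*", "cn", True), ("*", "mail", True)]
    d = ToyDirectory(acl)
    d.add(ALICE, {"cn": "Alice", "mail": "alice@example.com", "homePhone": "555-0100"}, "alice-pw")
    d.add(BOB, {"cn": "Bob", "mail": "bob@example.com", "homePhone": "555-0101"}, "bob-pw")
    return d
```

With the sample ACL, an anonymous session sees only `cn`, an authenticated user sees `cn` and `mail` of other entries, and each user sees every attribute of their own entry.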

Page 16:

PRACTICAL IMPLEMENTATION - DATABASE CREATION

Create a database

Global database name: miracle1

SID: miracle1

Oracle Enterprise Edition 8.1.7 was installed in a typical installation mode.

The Oracle Internet Directory in the database was custom installed.

Page 17:

CHECK THE DATABASE

Check whether the database has been created and can be started.

Use the server manager to perform administrative functions.

Server manager in line mode: svrmgrl; password: internal

Page 18:

LISTENER

The listener has to be started here.

The name of the listener configured here is: LISTENER

Type lsnrctl at the command prompt.

Page 19:

CONNECTION TO THE DATABASE

Ensure that it is possible to log on to the database using the net service (here Net8).

Page 20:

Test

Connect as system/manager

Page 21:

LDAP STARTS

To enable the creation of the variables and commands of LDAP, run the newldap.sql file from the svrmgrl prompt.

It will create all the variables.

At this stage, the server is running, the net service (miracle1.engr.sc.edu) is running and the client can connect to the database, as seen from the test.

Page 22:

OID CONFIGURATION

Run the batch file postconfig.bat from the command prompt to start configuring the OID.

The OID configuration starts.

Page 23:

MONITOR AND SERVER

Start the OID monitor using the command (miracle1 is the database name):

oidmon connect=miracle1 sleep=10 start

Start the LDAP server:

oidctl connect=miracle1.engr.sc.edu server=oidldapd instance=3 configset=5 start

Page 24:

ORACLE DIRECTORY MANAGER

Once this is started, it is now possible to add entries into the OID.

There are three kinds of logons – anonymous, simple and SSL.

Simple login is orcladmin/welcome

Page 25:

ORACLE DIRECTORY MANAGER

ODM

Page 26:

ADDING ENTRIES

It can now be used to add entries.

Entries added through the command line.

Page 27:

ADDING ENTRIES

The LDAP Data Interchange Format (LDIF) file.

Page 28:

NEW ENTRY

The added entries

Page 29:

NEW ENTRY

New Entries

Page 30:

ACCESS CONTROL

Specifying Access Controls

Page 31:

ACCESS CONTROL

Failed attempt.

Page 32:

CREATIONS

Possibility to create new object classes as well as attributes

Page 33:

ORACLE DIRECTORY MANAGER

Schema Management

Page 34:

CONCLUSION

Lightweight Directory Access Protocol (LDAP) seems to be the most probable solution in the present scenario.

The database can be configured more easily with LDAP than with any other independent directory service.

LDAP offers a very good authentication service.

Page 35:

CONCLUSION

Reduces the chance of a denial of service attack

Example: say there are a billion users

50 million are genuine users

50 million are non-genuine

LDAP also implements the access control policy of the enterprise.

Page 36:

LIMITATIONS IN LDAP

The protocol cannot and will not supplant relational databases.

It does not offer two-phase commits, true relational structure, or a relational query language like SQL.

It is not reasonable to expect LDAP to serve as a file system.

Page 37:

LIMITATIONS IN LDAP

It is developed mainly to serve as a simple look-up protocol.

LDAP would not be the right choice for specific applications which involve frequent updates, etc.

Research should be concentrated on developing a similar protocol, which is equally simple and able to overcome the limitations cited above.

Page 38:

LDAP at GMU

Page 39:

LDAP at GMU

Page 40:

Shooooot !!!