O'Reilly Databases


LDAP and the Oracle Internet Directory

by Jonathan Gennick
09/21/2000

Chances are you've been hearing a lot lately about a relatively new product from Oracle called the Oracle Internet Directory. I know that I've heard a lot about it, enough so that I finally decided to do some reading and see what all the fuss is about. It turns out that the Oracle Internet Directory is Oracle's implementation of an LDAP-based directory server, and it holds some interesting possibilities for use in an Oracle environment.

What is LDAP?

Before answering the question: "What is LDAP?", let me briefly talk about what a directory service really is. A directory is simply something that you use in order to look up and find information. In the physical world, you probably use directories every day. A very common example of a directory is your telephone book. If you need your friend's phone number, you look up his (or her) entry in the phone book, and there you will find the phone number to use. Another common directory is the building directory, which you often encounter when you enter the lobby of a large building. How else would you know which floor to visit?

Electronic directories sometimes serve purposes that are very similar to those served by physical directories. An email directory, for example, may let you use a fellow employee's name in order to look up his email address. Directories can also serve other purposes. They can be used to find out what servers are on your network. They can be used to find network printers that are available to you. The Oracle data dictionary tables, which hold user information, can be thought of as a directory.

   
 
 
Using a separate directory for each different email system, fileserver, database server, or whatever, quickly leads to a high maintenance burden. As employees come and go, you'll find yourself needing to make the same changes in multiple directories. Consequently, there's been a great deal of interest over the years in developing a common directory technology that can be used across many different applications.

Years ago, a common directory technology known as X.500 was developed by the International Standards Organization. Unfortunately, X.500 directories were not easy to implement, and accessing an X.500 directory from a client was not easy either. LDAP was designed to remedy these problems. LDAP is an acronym that stands for Lightweight Directory Access Protocol. The protocol, originally developed at the University of Michigan, runs over TCP/IP and allows you to access an LDAP-compliant directory service, or an X.500 directory service.

LDAP directories are based on the concept of an entry. An LDAP directory contains entries for one or more types of objects. Each object type has a set of attributes associated with it, and each entry contains values for these attributes. Figure 1 illustrates this concept:

Figure 1. LDAP directory entries contain values for one or more attributes.

One of the great things about LDAP is that you can create your own object types and attributes. This allows you to use LDAP directories for a wide variety of creative purposes.
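The entry model described above, as an added example that is not part of the original article: a simplified Python parser for LDIF-style text, plus the kind of schema check a directory server applies when an entry is written. The `buildingTenant` object class, its attributes, the schema table, and the sample entries are all constructed for illustration; real LDIF also allows folded lines and base64 values, which this example does not handle.

```python
# Simplified model of LDAP entries, object classes and attributes (added example).
# Each object class lists the attributes an entry MUST have and those it MAY have.
SCHEMA = {
    "person": {"must": {"cn", "sn"}, "may": {"mail", "telephonenumber"}},
    # Hypothetical custom object class, echoing the building-directory analogy.
    "buildingtenant": {"must": {"cn", "floor"}, "may": {"suite"}},
}

# Constructed sample data: one valid entry, one missing a required attribute.
SAMPLE_LDIF = """\
dn: cn=Jane Doe,ou=People,dc=example,dc=com
objectClass: person
cn: Jane Doe
sn: Doe
mail: jane.doe@example.com
mail: jdoe@example.com

dn: cn=Acme Dental,ou=Tenants,dc=example,dc=com
objectClass: buildingTenant
cn: Acme Dental
suite: 410
"""

def parse_ldif(text):
    """Parse plain 'attribute: value' LDIF into {dn: {attribute: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs, dn = {}, None
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()  # names are case-insensitive
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)  # attributes may be multi-valued
        entries[dn] = attrs
    return entries

def schema_violations(attrs):
    """Return a sorted list of problems for one entry, checked against SCHEMA."""
    must, allowed = set(), {"objectclass"}
    for oc in attrs.get("objectclass", []):
        rules = SCHEMA.get(oc.lower())
        if rules is None:
            return [f"unknown object class: {oc}"]
        must |= rules["must"]
        allowed |= rules["must"] | rules["may"]
    problems = [f"missing required attribute: {a}" for a in must - set(attrs)]
    problems += [f"attribute not allowed: {a}" for a in set(attrs) - allowed]
    return sorted(problems)
```

Rejecting entries that fail this check is what keeps a shared directory consistent when many applications write to it.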

Who is Using LDAP and Why?

Because it's easy to implement, LDAP is becoming a widely used directory services standard. In 1996, Netscape led a coalition of 40 companies in announcing support for LDAP in their products. Netscape has since developed their own LDAP server known as the Netscape Directory Server. One creative application of this technology supports roaming access for Netscape Navigator users. In your Netscape Navigator Preferences window, you can specify an LDAP directory server that Navigator will use to store all your bookmarks and other preferences.

 
 
The Globus Project, a multi-institutional collaboration headed by Argonne National Laboratory and the University of Southern California's Information Sciences Institute, makes extensive use of LDAP, and in some rather unique ways. The purpose of the Globus Project is to develop fundamental technology in support of computational grids. These grids allow software applications to make use of computing resources that are owned and managed by diverse organizations in a wide variety of locations. Globus uses LDAP as the basis for their Metacomputing Directory Service. Not only does Globus use LDAP as a look-up resource, they also frequently update their directory to reflect the status of the various computational resources on their grid.

Finally, Oracle is beginning to support and use LDAP. Release 8.1.6 contains an LDAP naming adaptor for Net8. This allows you to define net service names in an LDAP directory instead of the traditional tnsnames.ora file. Another planned use for LDAP in the Oracle world is to support single sign-on. Instead of defining the same user over and over again in different databases, you will be able to define a user once in an LDAP directory. Information about a user's roles and privileges will be stored in the directory. The user will authenticate to the directory, and once that has been done, the user will be able to connect to any Oracle database that he has been authorized to use without having to supply a database-specific username and password.

So What is this Oracle Internet Directory?

The Oracle Internet Directory is a version 3 compliant LDAP server that uses the Oracle database as a repository for directory entries. By using the Oracle database as the repository, you gain advantages in terms of scalability and reliability. The Oracle Internet Directory should be as scalable as the database itself, and Oracle claims the potential for one Oracle Internet Directory server to support hundreds of millions of entries.

Oracle Internet Directory also benefits from Oracle's high availability and replication features. Through the use of multimaster replication, you can keep two or more directory servers in sync with one another. If one server goes down, the others remain available, allowing directory administration and look-up activity to continue unabated.

The Future

I believe the Oracle Internet Directory will play an increasingly important role in an Oracle environment. At the very least, I see it eventually superseding the use of Oracle Names for net service name resolution. LDAP is a standards-based, open protocol. Oracle Names is not. LDAP also has many applications beyond its use with Net8. Spend some time with LDAP and the Oracle Internet Directory. Learn about the technology, and Oracle's implementation of it. I think you'll like what you see, and chances are you'll be seeing it more and more.

I'm very interested in learning more about how people in an Oracle environment are using LDAP, and the Oracle Internet Directory in particular. If you are an Oracle Internet Directory user, I'd love to hear from you. You can contact me by email at
