INTRODUCTION
What is a Web-Enabled Database?
The problem and its importance
Two-tier architecture
Three-tier architecture
Need for a compatible centralized directory service

REPRESENTATIVE EXAMPLE
NASA maintains a very large database of users.
Two-tier cannot be applied because of the sensitive information involved.
Three-tier suits it, but querying is complex.
X.500 (a directory service) is now used.

RELATED WORKS
The three-tier architecture implementation.
With the new requirements of Internet computing and new e-business technologies, there is a growing need for a common infrastructure to serve as a foundation for the management and configuration of all data and resources on the network.
What could be the solution to this unbounded growth?

RELATED WORKS (contd.)
A directory service provides a key part of this common foundation by providing a centralized vehicle for managing and configuring distributed, heterogeneous networks.
Most organizations today are not looking for yet another directory service.
Organizations are facing security concerns such as how to expose only the information they want to, as well as access control.

RELATED WORKS (contd.)
Decentralized, incompatible directory services do not make it easy to articulate and enforce security policies.
There are many different ways to provide a centralized directory service.
Some directory services are local, providing service to a restricted context; other services are global, providing service to a much broader context.

RELATED WORKS (contd.)
One useful directory service is X.500. Its access protocol, the Directory Access Protocol (DAP), is layered on top of the Open Systems Interconnection (OSI) protocol stack.

LIMITATIONS
There is a need for an X.500 type of directory.
The Internet runs over TCP/IP; X.500 runs over OSI.
Need to include the features of X.500 in a new directory service that still runs over TCP/IP.
The Directory Access Protocol (DAP) was improved into the Lightweight Directory Access Protocol (LDAP).
SOLUTION - LDAP
All Internet applications have a common problem: security. There is also the need for centralization.
The solution is directory services, which can be used to administer an Internet, intranet or extranet.
It should also reduce the total cost and the points of failure (because of the three-tier architecture).
Lightweight Directory Access Protocol (LDAP) represents the emerging solution.

SOLUTION - OID
Many LDAP-compliant directories exist: Oracle Internet Directory (OID), Microsoft Active Directory, Novell Directory Service and the Netscape Directory Server.
The chosen directory is Oracle Internet Directory.
Features:
Scalable: it scales to support over half a billion real-world directory entries.
High availability: administrators can administer the directory from another server to perform functions.
Secure: it offers comprehensive and flexible support for directory access control. OID implements three levels of user authentication.

SOLUTION - ILLUSTRATION
Example of a person, say "X", staying in Columbia.
The method he uses to reveal his details to a known person in India.
The intermediary involved here is in another place, say Chicago.

SOLUTION - CLIENT ACCESS TO A DATABASE
A client initiates a connect request, providing a connect identifier.
The connect identifier retrieves a connect descriptor (e.g. port number, hostname, protocol, instance, ...) stored in Oracle Internet Directory, which is sent back to the client.
The client makes the connect request to the address provided in the connect descriptor.
A listener receives the request and directs it to the server.

SOLUTION - LDAP
The concept of Oracle Internet Directory, a virtual directory, is an additional feature of this architecture to enhance its security.
An LDAP directory service provides a number of stringent security mechanisms.
Directory users must first authenticate themselves to the directory, using either a username and password or SSL with an X.509 version 3 certificate (through a bind operation).
Once the user has been authenticated, the information he can access is still further constrained by using an access control list.

SOLUTION - IMPLEMENTATION OF LDAP
Directory Information Tree

SOLUTION - AUTHENTICATION AND ACCESS CONTROL IN LDAP
Initiation of a request by a client.
LDAP searches the OID to check whether the client actually exists or not. Accordingly, it sends or does not send an instance back.
The privileges that are ascribed to the particular user are then enabled and sent back through the instance.
It does not allow unauthorized access privileges, since the privileges were enabled prior to the client accessing the database.

PRACTICAL IMPLEMENTATION - DATABASE CREATION
Create a database. Global database name: miracle1; SID: miracle1.
Oracle Enterprise Edition 8.1.7 was installed in typical installation mode; the Oracle Internet Directory in the database was custom installed.

CHECK THE DATABASE
To check whether the database has been created and can be started, use the Server Manager to perform administrative functions.
Server Manager in line mode: svrmgrl; password: internal.

LISTENER
The listener has to be started here. The name of the listener configured here is LISTENER.
Type lsnrctl at the command prompt.

CONNECTION TO THE DATABASE
It has to be ensured that it is possible to log on to the database using the net service (here Net8).
Test: connect as system/manager.

LDAP STARTS
To enable the creation of the LDAP variables and commands, run the newldap.sql file from the svrmgrl prompt. It will create all the variables.
At this stage the server is running, the net service (miracle1.engr.sc.edu) is running and the client can connect to the database, as seen from the test.

OID CONFIGURATION
Run the batch file postconfig.bat from the command prompt for the OID to start configuring. The OID configuration starts.

MONITOR AND SERVER
Start the OID monitor with the command oidmon connect=miracle1 sleep=10 start (where miracle1 is the database name).
Start the LDAP server: oidctl connect=miracle1.engr.sc.edu server=oidldapd instance=3 configset=5 start

ORACLE DIRECTORY MANAGER
Once this is started, it is now possible to add entries into the OID.
There are three kinds of logons: anonymous, simple and SSL. The simple login is orcladmin/welcome.

ORACLE DIRECTORY MANAGER (ODM)

ADDING ENTRIES
ODM can now be used to add entries. Entries can also be added through the command line.

ADDING ENTRIES
The LDAP Data Interchange Format (LDIF) file.

NEW ENTRY
The added entries.

NEW ENTRY
New entries.

ACCESS CONTROL
Specifying access controls.

ACCESS CONTROL
Failed attempt.

CREATIONS
Possibility to create new object classes as well as attributes.

ORACLE DIRECTORY MANAGER
Schema management.

CONCLUSION
Lightweight Directory Access Protocol (LDAP) seems to be the most probable solution in the present scenario.
The database can be more easily configured with LDAP than with any other independent directory service.
LDAP offers a very good authentication service.

CONCLUSION
Reduces the chance of a denial of service attack. Example: say a billion users are there; 50 million are genuine users and 50 million are non-genuine.
LDAP also implements the access control policy of the enterprise.

LIMITATIONS IN LDAP
The protocol cannot and will not supplant relational databases.
It does not offer two-phase commits, true relational structure, or a relational query language like SQL.
It is not reasonable to expect LDAP to serve as a file system.

LIMITATIONS IN LDAP
It is developed mainly to serve as a simple look-up protocol.
LDAP would not be the right choice for specific applications which involve frequent updates, etc.
Research should be concentrated on developing a similar protocol which is equally simple and able to overcome the limitations cited above.

LDAP at GMU
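As an added example (not code from these slides or from Oracle), the connect-identifier lookup from the CLIENT ACCESS slide and the bind-then-ACL flow from the AUTHENTICATION AND ACCESS CONTROL slide, modelled in memory over a constructed LDIF: parse_ldif builds the DIT, bind performs a simple bind, search returns only the attributes a simplified policy allows (not OID's orclACI syntax), and connect_descriptor resolves a net service name to its descriptor. The OID schema names orclNetService and orclNetDescString, the hosts, the base DN and the passwords are assumptions.

```python
import hmac
# Constructed LDIF (not from the slides); orclNetService/orclNetDescString are
# OID's net-service schema names (assumption), hosts and passwords are made up.
LDIF = """\
dn: cn=orcladmin,dc=engr,dc=sc,dc=edu
objectclass: person
userPassword: welcome

dn: cn=alice,dc=engr,dc=sc,dc=edu
objectclass: person
mail: alice@example.invalid
userPassword: s3cret

dn: cn=miracle1,cn=OracleContext,dc=engr,dc=sc,dc=edu
objectclass: orclNetService
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.invalid)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=miracle1.engr.sc.edu)))
"""
# Simplified policy (not OID's orclACI syntax): attribute -> readers, "*" anyone,
# "self" the entry's owner. Unlisted attributes are visible to orcladmin only.
ACL = {"objectclass": {"*"}, "orclnetdescstring": {"*"}, "mail": {"self"}, "userpassword": set()}
ADMIN = "cn=orcladmin,dc=engr,dc=sc,dc=edu"

def parse_ldif(text):
    """Build the DIT as {dn: {attr: [values]}}; attribute names are case-insensitive."""
    dit = {}
    for record in text.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        dit[entry.pop("dn")[0]] = entry
    return dit
def bind(dit, dn, password):
    """Simple bind: an empty DN is anonymous; otherwise the entry must exist and its userPassword must match."""
    stored = dit.get(dn, {}).get("userpassword", [None])[0]  # None: no such entry/password
    return dn == "" or (stored is not None and hmac.compare_digest(stored, password))
def search(dit, bound_dn, base, attr, value):
    """Subtree search for attr=value; the ACL decides which attributes come back to bound_dn."""
    results = {}
    for dn, entry in dit.items():
        if dn.endswith(base) and value in entry.get(attr, []):
            results[dn] = {a: v for a, v in entry.items() if bound_dn == ADMIN
                           or "*" in ACL.get(a, ()) or ("self" in ACL.get(a, ()) and bound_dn == dn)}
    return results
def connect_descriptor(dit, bound_dn, name, base):
    """Resolve a connect identifier to its connect descriptor, as in the client-access flow."""
    hit = search(dit, bound_dn, base, "objectclass", "orclNetService")
    return hit.get(f"cn={name},cn=OracleContext,{base}", {}).get("orclnetdescstring", [None])[0]
```

An anonymous bind is enough to resolve the net service name, while a user's own attributes and every userPassword stay hidden unless the bound DN is permitted by the policy.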