Oracle Internet Directory


We have been working with Oracle's Internet Directory (OID) and DirXML lately and thought we would capture some notes on the things we have run into that seem worth noting.

Background on Oracle Internet Directory#

Some information on why Oracle started using Oracle Internet Directory and the issues the Oracle Internet Directory product is intended to solve.

Oracle's Internet Directory and Oracle Databases#

The client, which is typical of many organizations, has some 200 Oracle database instances throughout their organization. Each database contains a separate user credential store. So, if a user used 100 of these database instances, they would have 100 credentials with separate passwords with or without any password control.

Use case#

Oracle Internet Directory is Oracle's methodology to solve this use case. A user is created in Oracle's Internet Directory and assigned to an "Enterprise Role". The "Enterprise Role" is then assigned the database access desired for that role.

This allows the Oracle Internet Directory administrator to assign users to Enterprise Roles, which could provide access at any level to any of the 100 database instances as desired.

The client has an existing LDAP directory, Novell's eDirectory, that is being used to provide CSO to their AD, Netware and some other applications using LDAP. However, we know of no method to allow the Oracle database instances to use any LDAP server other than OID.

Oracle OID Anomalies#

We wanted to document some things we feel are anomalies. These anomalies are based on our experience and are not intended to say that Oracle or any other vendor is right or wrong. We just thought these anomalies were worth noting.


There seem to be some attributes that are usually present in the inetOrgPerson class that OID does not provide.

Dynamic Groups#

OrganizationalUnit vs orclContainer#

We noticed that by default, when creating containers in OID from the provided administration tool, containers are created as orclContainer and not the "normal" organizationalUnit. Since our client's desire was to allow the help desk to use their existing tools to look at and make some changes to OID, we wanted to use the more common organizationalUnit.

We started a thread in Oracle's news group to find out if we could use organizationalUnit.

We also put in a request with the client's Oracle support team. They said it was not an issue.

However, they were against us putting the groups and users in the same OU structure. They had issues when this was done, as the "Enterprise Users" could not authenticate if the Users and groups were mixed. I think it is a rights thing, but if they do not know, who would?

From the news forum, it appears that it will work, but there may be some concerns if the client wanted to use Oracle's SSO product in the future.
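
An added example, not from the original notes or from Oracle: a small Python check over an LDIF export that lists containers created as orclContainer and flags containers that directly hold both users and groups, the two concerns raised above. The sample LDIF, its DNs, and the user and group object class sets are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample export; DNs and entry names are illustrative only.
SAMPLE_LDIF = """\
dn: cn=Staff,dc=example,dc=com
objectClass: orclContainer
cn: Staff

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: cn=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: jdoe

dn: cn=dba-role,ou=People,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=jdoe,ou=People,
 dc=example,dc=com
"""

USER_CLASSES = {"inetorgperson", "person"}              # assumed user classes
GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}  # assumed group classes

def parse_ldif(text):
    """Return {dn: set of lowercased objectClass values}; folded lines are unfolded."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = [l.split(":", 1) for l in block.splitlines() if ":" in l and not l.startswith("#")]
        dn = next((v.strip().lower() for k, v in attrs if k.lower() == "dn"), None)
        if dn:
            entries[dn] = {v.strip().lower() for k, v in attrs if k.lower() == "objectclass"}
    return entries

def audit(text):
    """Return (orclContainer DNs, containers directly holding both users and groups)."""
    entries = parse_ldif(text)
    kinds = defaultdict(set)
    for dn, classes in entries.items():
        # Simple parent split; assumes no escaped commas in RDN values.
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if classes & USER_CLASSES:
            kinds[parent].add("user")
        if classes & GROUP_CLASSES:
            kinds[parent].add("group")
    orcl = sorted(dn for dn, c in entries.items() if "orclcontainer" in c)
    mixed = sorted(p for p, k in kinds.items() if k == {"user", "group"})
    return orcl, mixed
```

Calling `audit(SAMPLE_LDIF)` returns the orclContainer entries to review for help desk tooling and the containers where users and groups would need to be separated.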

OID and Intruder Detection#

Some information on Oracle's OID and Intruder Detection

Account Disable#

Administratively disabled entries and for Oracle Internet Directory and NIDM Product

DirXML and Oracle (OID)#

Some information on Integrating DirXML and Oracle (OID)
