What does a Lightweight Directory Access Protocol (LDAP) do?
As the name implies, LDAP is a directory access protocol: the
language LDAP clients and servers commonly use to communicate with
each other.
At its conception, LDAP was an Internet-ready implementation of an
ISO standard for directory services. Directory services, in
this context, refer primarily to specialized databases for the
storage and retrieval of distributed information not requiring a
large number of updates. Online merchandise catalogs and human
resource information such as employee name, telephone number and
email address are two examples of information suited for LDAP
applications.
The "Lightweight" component of LDAP
comes from the fact that it was designed to require a minimal amount
of networking software on the client side, making it particularly
attractive for use with online directories because it reduces the
need for entering and coordinating redundant information in multiple
services.
In the real world, LDAP offered a solution to the classic
challenges facing an increasingly distributed society:
- Administrative costs reduced by LDAP: Administrators were
required to maintain what amounted to essentially identical
information in multiple places. For example, the addition of
corporate new hires required the creation of a new user identity
on the network, a new e-mail account, addition of the user to
the HR database and issuance of individual credentials for all
applications to be used by the new employee, such as user
accounts on development, testing and production database
systems. Of course, when an employee left the company, all of
those steps had to be reversed.
- Data inconsistencies reduced by LDAP: The above
administrative burden created a high potential for data
inconsistencies caused by multiple administrators entering
redundant information in multiple systems. It became
difficult, if not impossible, to synchronize this distributed
information across all systems. The result was data that was
inconsistent across the enterprise.
- Security issues reduced by LDAP: A necessary evil
associated with the administrative burden mentioned above was
the inevitable problem of each separate directory having its own
password policy, forcing users to struggle with multiple user
names and passwords in order to access all the different systems.
The LDAP standard greatly simplified management of directory
information in three ways:
- LDAP provides all users and
applications with a single, well-defined interface to an
extensible directory service. This makes it easier to rapidly
develop and deploy directory-enabled applications.
- LDAP reduces the need to enter and
coordinate redundant information in multiple services scattered
across the enterprise.
- LDAP makes it easier and more practical
to deploy Internet-ready applications
that leverage the directory.
And then along comes Oracle. LDAP has been incorporated by
Oracle in a variety of ways:
- Bulk Loading Users for Single Sign-on (SSO)
- Oracle Internet Directory (OID)
For connecting to LDAP from PL/SQL via DBMS_LDAP, Rampant
author Dr. Timothy Hall has provided the following tips:
Running the following script as SYS will install the DBMS_LDAP
package, which is not installed by default:
SQL> @$ORACLE_HOME/rdbms/admin/catldap.sql
Then use the init and simple_bind_s functions to connect to the
LDAP server and authenticate yourself:
l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                            portnum  => l_ldap_port);
l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                    dn     => l_ldap_user,
                                    passwd => l_ldap_passwd);
The next step is to search the directory. The following is
a base query that can be modified for more complex searches:
l_attrs(1) := '*'; -- retrieve all attributes
l_retval := DBMS_LDAP.search_s(ld       => l_session,
                               base     => l_ldap_base,
                               scope    => DBMS_LDAP.SCOPE_SUBTREE,
                               filter   => 'objectclass=*',
                               attrs    => l_attrs,
                               attronly => 0,
                               res      => l_message);
The above search yields a list of entries. To loop through
the entries:
IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
  -- Get all the entries returned by our search.
  l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                   msg => l_message);
  << entry_loop >>
  WHILE l_entry IS NOT NULL LOOP
    ...
    ...
    l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                    msg => l_entry);
  END LOOP entry_loop;
END IF;
Similarly, you can loop through each entry to find its
attributes (note that the label after END LOOP must match the
label before the loop, or the block will not compile):
l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                         ldapentry => l_entry,
                                         ber_elem  => l_ber_element);
<< attributes_loop >>
WHILE l_attr_name IS NOT NULL LOOP
  ...
  ...
  l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                          ldapentry => l_entry,
                                          ber_elem  => l_ber_element);
END LOOP attributes_loop;
Likewise, you are able to loop through the attributes returned by
the above query to find their values. The values loop looks
like this:
<< values_loop >>
FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
  DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' ||
                       SUBSTR(l_vals(i), 1, 200));
END LOOP values_loop;
To see a full example of all of these loops combined, you can
find the full article HERE.
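The connect, search and loop fragments above, combined into one runnable anonymous block. This is an added example, not code from the original article or from Dr. Hall; the host, port, bind DN, password, base DN and the uid being looked up are assumed placeholder values, and the filter_escape helper is a hypothetical local function that applies RFC 4515 escaping so a caller-supplied value cannot change the shape of the search filter. It also requests only the attributes it needs instead of '*', and unbinds the session on both the success and failure paths.

```plsql
-- Added example (not from the original article): a complete DBMS_LDAP
-- session that connects, binds, searches, walks entries/attributes/values
-- and unbinds. Connection values below are assumptions for illustration.
SET SERVEROUTPUT ON
DECLARE
  l_ldap_host    VARCHAR2(256) := 'ldap.example.com';                -- assumed host
  l_ldap_port    PLS_INTEGER   := 389;                               -- assumed port
  l_ldap_user    VARCHAR2(256) := 'cn=reader,dc=example,dc=com';     -- assumed read-only bind DN
  l_ldap_passwd  VARCHAR2(256) := 'change_me';                       -- assumed password
  l_ldap_base    VARCHAR2(256) := 'ou=people,dc=example,dc=com';     -- assumed search base
  l_search_uid   VARCHAR2(256) := 'jsmith';                          -- assumed value to look up

  l_session      DBMS_LDAP.session;
  l_retval       PLS_INTEGER;
  l_attrs        DBMS_LDAP.string_collection;
  l_message      DBMS_LDAP.message;
  l_entry        DBMS_LDAP.message;
  l_attr_name    VARCHAR2(256);
  l_ber_element  DBMS_LDAP.ber_element;
  l_vals         DBMS_LDAP.string_collection;

  -- Hypothetical helper: escape a value destined for a search filter per
  -- RFC 4515 (* ( ) \ and NUL become \2a \28 \29 \5c \00), so that a
  -- caller-supplied string is matched literally and cannot alter the filter.
  FUNCTION filter_escape(p_val IN VARCHAR2) RETURN VARCHAR2 IS
    l_out VARCHAR2(4000) := '';
    l_ch  VARCHAR2(1);
  BEGIN
    FOR i IN 1 .. NVL(LENGTH(p_val), 0) LOOP
      l_ch := SUBSTR(p_val, i, 1);
      IF l_ch IN ('*', '(', ')', '\') OR l_ch = CHR(0) THEN
        l_out := l_out || '\' || LPAD(TRIM(TO_CHAR(ASCII(l_ch), 'XX')), 2, '0');
      ELSE
        l_out := l_out || l_ch;
      END IF;
    END LOOP;
    RETURN l_out;
  END filter_escape;
BEGIN
  -- Have DBMS_LDAP raise exceptions instead of returning status codes.
  DBMS_LDAP.use_exception := TRUE;

  l_session := DBMS_LDAP.init(hostname => l_ldap_host, portnum => l_ldap_port);
  l_retval  := DBMS_LDAP.simple_bind_s(ld => l_session, dn => l_ldap_user, passwd => l_ldap_passwd);

  -- Request only the attributes this code actually uses rather than '*'.
  l_attrs(1) := 'cn';
  l_attrs(2) := 'mail';

  l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                 base     => l_ldap_base,
                                 scope    => DBMS_LDAP.scope_subtree,
                                 filter   => '(uid=' || filter_escape(l_search_uid) || ')',
                                 attrs    => l_attrs,
                                 attronly => 0,
                                 res      => l_message);

  IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
    l_entry := DBMS_LDAP.first_entry(ld => l_session, msg => l_message);
    << entry_loop >>
    WHILE l_entry IS NOT NULL LOOP
      DBMS_OUTPUT.put_line('DN: ' || DBMS_LDAP.get_dn(ld => l_session, ldapentry => l_entry));

      l_attr_name := DBMS_LDAP.first_attribute(ld => l_session, ldapentry => l_entry, ber_elem => l_ber_element);
      << attributes_loop >>
      WHILE l_attr_name IS NOT NULL LOOP
        -- get_values populates the collection the values loop iterates over.
        l_vals := DBMS_LDAP.get_values(ld => l_session, ldapentry => l_entry, attr => l_attr_name);
        IF l_vals.COUNT > 0 THEN
          << values_loop >>
          FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
            DBMS_OUTPUT.put_line('  ' || l_attr_name || ' = ' || SUBSTR(l_vals(i), 1, 200));
          END LOOP values_loop;
        END IF;
        l_attr_name := DBMS_LDAP.next_attribute(ld => l_session, ldapentry => l_entry, ber_elem => l_ber_element);
      END LOOP attributes_loop;

      l_entry := DBMS_LDAP.next_entry(ld => l_session, msg => l_entry);
    END LOOP entry_loop;
  ELSE
    DBMS_OUTPUT.put_line('No entries matched.');
  END IF;

  l_retval := DBMS_LDAP.unbind_s(ld => l_session);
EXCEPTION
  WHEN OTHERS THEN
    -- Always release the directory session, then re-raise so the failure is visible.
    BEGIN
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RAISE;
END;
/
```

Two practical points when running this against a real directory. On Oracle 11g and later the database user also needs a network ACL that permits connections to the LDAP host before DBMS_LDAP.init will succeed. And a simple bind over plain port 389 sends the bind password in clear text, so for anything beyond a test directory the session should be upgraded with DBMS_LDAP.open_ssl (which requires a wallet) and the bind account should be a read-only service identity with no more directory rights than the search requires.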