October 6, 2008

Virtual Directory Litmus Test

Matt Flynn posted a paraphrased quote from Divya Sundaram of Motorola:

If you front-end data (or a data store) that you don't own (or don't have control of), then you need to replicate/sync data (instead of virtualizing the view).

And then asked if this is a litmus test for Meta vs Virtual.

My answer is that it depends.

This is because Sundaram's statement rests on a false assumption, though it is a common belief.

It's a common belief because people want to be "in-control" of data and feel that unless they control everything, they are not truly in control.

This of course is patently false - we have mechanisms (such as contracts) to deal with boundary control issues without needing to actually directly control everything.

And this is reflected in the fact that in many (if not most) virtual directory deployments, the team that runs the virtual directory does NOT own the data sources it is connecting to. The systems they connect to are often run by different teams, usually with different management chains. But virtualization works because those systems are already designed to be used by external client applications, with a proper level of Service Level Agreements and availability.

And virtualization is a way to make the most out of these existing capabilities.

Where "meta-directory" makes the most sense is really two cases:

1 - You want to reduce the number of storage systems, in particular the number of different LDAP servers. Thus you could collapse many ADAM, Sun, Novell, OpenLDAP, etc. directories into a single enterprise-class storage system such as Oracle Internet Directory.

2 - You need a standardized provisioning system to meet business process and compliance requirements. This is the environment which Oracle Identity Manager fills.

October 3, 2008

Reply to James if he was US CIO

James is on another rant. He has asked me to reply to a couple of other posts on LDAP topics, but I wanted to get clarity on one of his points.

9. I would use the same law and force Larry Ellison to make Oracle contribute more to open source. 

First - why single out Ellison and Oracle? Does he feel others like Microsoft or IBM or CA have done enough? And if so - what have they done, for comparison?

Second - I would like to point out Oracle's contributions to Open Source. Most people are probably not familiar with the work we have done.

Start with our Open Source Site.

But just to give a summary:

1 - Oracle contributes heavily to Linux to help the database in particular work better. This is why we were able to offer Oracle Enterprise Linux.

2 - We have put significant effort - in terms of drivers and related work - into various projects including PHP, Ruby, Spring and of course EclipseLink (aka the open-source release of TopLink).

3 - We effectively donated our entire next-generation UI library (ADF) to Apache to help provide a richer platform for Web applications.

4 - We are doing all of the reference work for IGF in the open at openLiberty.

5 - It's now possible to run Oracle software on Amazon EC2. This is particularly useful when it comes to the database - you can now have a full EE database instance running in 5 minutes without having to fiddle with any kernel or related parameters.

So James - what specifically do you want Oracle to do more of? And what would be the value for you if we did so? If you have specific items I'm happy to hear them and communicate them to the appropriate people.

Writing Secure Code - Links - October 3, 2008

5 Password Utilities That Will Make Your Life Simpler -- Not really any coding tips, but since passwords will be with us for a long time these might be helpful for you and your users. Interestingly, they mentioned OpenID as one of the utilities but not InfoCards.

Pete Finnigan - Oracle [database] security information -- A page with various utilities to help test your local Oracle password security and tools to help with auditing the database.

October 1, 2008

Update on Mapping User in Enterprise User Security (Central Database Account Administration)

When mapping a user in Enterprise User Security (EUS), I found that you can indeed avoid mapping the user in Enterprise Security Manager (ESM) if you provide the complete syntax when creating/altering the user.

So for example:

alter user hr identified globally as 'cn=Mark Wilcox,cn=Users,dc=ovddemo,dc=com';

This should allow you to then log in as Mark Wilcox using his uid value (e.g. mwilcox).

I'm sure I read that in Knox's book before, but it didn't sink in until I was asked about this at OOW last week.
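As an added example (not from the post), the same kind of mapping done from scratch alongside the shared-schema variant, with a data-dictionary query to confirm the difference; the schema names and the DN are constructed for illustration, and the query assumes the DBA_USERS.EXTERNAL_NAME column, which holds the directory DN of a globally identified user:

```sql
-- Exclusive mapping: one database schema tied directly to one directory entry.
-- The DN is given in full, so no separate mapping in ESM is needed.
-- (schema name and DN constructed for illustration)
CREATE USER mwilcox IDENTIFIED GLOBALLY AS 'cn=Mark Wilcox,cn=Users,dc=ovddemo,dc=com';
GRANT CREATE SESSION TO mwilcox;

-- Shared schema: the empty DN means "whichever enterprise users the directory
-- maps here", so the user-to-schema mapping lives in the directory (via ESM),
-- not in the database.
CREATE USER eus_shared IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO eus_shared;

-- Confirm the result: the exclusive mapping shows its DN in EXTERNAL_NAME,
-- the shared schema shows NULL because its mapping is held in the directory.
SELECT username, external_name
  FROM dba_users
 WHERE username IN ('MWILCOX', 'EUS_SHARED');
```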

September 29, 2008

Writing Secure Code - Links - September 26, 2008

Apologies for this being late. Because of OOW I got a bit behind.

Passwords -- This blog post from the "Blown to Bits" blog talks about problems with passwords. On a personal level - you should have a random password. No words. Just a mix of characters. From a developer perspective - do not write your own login code. Almost all frameworks now have their own login subsystem - leverage that. It will allow you to focus on code that is actually core to your business application. Or as I would put it - I would not want my friend Quan writing my UI, but he knows how to write awesome security code. I know my friend Josh knows how to make awesome-looking UI - he shouldn't be writing my security code. And at the enterprise level - make sure you are adopting comprehensive access products such as the Oracle Access Manager suite.

"Using Yahoo! Login Mechanisms for Desktop Applications" -- If you want to use Yahoo! for user password management this might be useful to you.

Criminal probe of ex-Lottery employee launched -- Basically another data leak problem. Remember - when writing apps, make sure you allow for proper auditing. Also make sure to put in hooks that allow access controls to be written using a standard like XACML (such as provided by Oracle Entitlements Server). And if you are storing data in a database, make sure the application can work with strong security measures like Oracle Database Vault and Transparent Data Encryption. And - if you are managing/installing the database - make sure you enable these features if your applications can support them.

Schneier On Security -- Bruce Schneier, who is the expert on security, has released a new book. I believe it's a collection of his columns, so if you are a regular reader there is probably nothing new. However, if you are new to this field - you should get a copy, as well as his previous book Beyond Fear. Or if you are up to speed on these books - then be sure to read The Unthinkable: Who Survives When Disaster Strikes - and Why.

September 12, 2008

Oracle Directory Services Story Now Live

As I hinted at earlier - we have a new blog dedicated to business-level discussion on directories. It's called Directory Service Stories, and we have posted our first post on a customer-related story.

The purpose of that blog, compared to mine, is that it will focus on customer stories and higher-level use cases, while I continue to be more technical here.

Writing Secure Code - Links - September 12, 2008

Since I'm focusing this blog more on the technical side - I thought I would try to regularly provide a set of links to, and commentary on, security and privacy articles I find.


"For Your Browser Only" -- Reminds developers that if you are writing cookies from your server code, remember to mark them "HTTP Only". This dramatically reduces the surface area for cross-site scripting attacks. I would also add that other techniques - such as using a standards-based framework for authentication/session management and risk-based access control, like Oracle provides via Fusion Middleware and the Access Management Suite - will add extra protection.

Security Researchers Uncover Spring Framework Vulnerabilities -- Some researchers have found vulnerabilities in the popular Spring framework.

What Californians Understand About Privacy Online -- A paper showing how big the gulf is between the average person's perception of how their privacy is protected and the reality. One could of course make a joke about what you expect from people who elect "The Terminator" as their governor, but it is a real problem.

SQL Injection issue in :limit and :offset parameter -- A two-fer this week - security issues in two of the most popular frameworks out there - Spring and now Rails. I give credit to the author for trying to help raise awareness, and in general I think adopting frameworks (in particular standard ones - whether that's a "Standard" like JSF or a "standard" like Spring/Rails) makes you more productive - and yes, more secure.

5 Features Your Login System Must Have -- An interesting article for those who are still "rolling their own system". Of course for an enterprise - I'm not sure of any valid use case where that would be a good idea - there are too many good products out there, such as Oracle Access Management Suite, that can do this for you without your needing to become an SSO developer. If you are working on a consumer site - then at the very least you should adopt something like OpenID or InfoCards so that you are not managing passwords.

September 11, 2008

Even More Presentations on Oracle Directory Services at OOW 2008

Here is the complete list that I know of that will cover Oracle Directory Services (OVD, OID) at OOW 2008. I am expecting to present at the first three events. I hope to make the last one, but I'm planning on presenting at the Unconference on Thursday so it might be tight. I will also be at the Oracle Directory Services booth when I'm not presenting.

Session ID | Title | Date | Time | Room
S298531 | Three Things You Should Know About Managing Your Identity Management Suite With Oracle Enterprise Manager | Monday | 14:30 - 15:30 | Moscone West Rm 2003
S298811 | Active Directory and Windows Security Integration with Oracle Database | Tuesday | 17:00 - 18:00 | Moscone South Rm 305
S298925 | Using Oracle Virtual Directory to Integrate Microsoft Active Directory, Oracle Database, and Oracle Applications | Wednesday | 13:00 - 14:00 | Marriott Golden Gate C3
S300044 | Integrating Microsoft Active Directory and Oracle Internet Directory with Database Logins: Enterprise User Security (IOUG) | Thursday | 12:00 - 13:00 | Marriott Nob Hill CD

September 2, 2008

Ugh - More Blog Drama

Today I wanted to do good and plug our first posted OVD customer case study and highlight our new directory services blog. But just after I finally figured out how to get my posts properly posted - I got word we had to pull the posts. It's nothing major - just that we have a central location that hosts them, and then we can publicly link to them.

As I used to say to my "How to build web page" students when I taught - "The only difference between a novice and a guru is the number of people who know when you screw up".

Sorry for any confusion if you followed the earlier links.

Clarifying EUS and Kerberos

One of our sales consultants had some questions on OVD, Enterprise User Security (EUS) and Kerberos. Remember, EUS is the Oracle Database feature that lets you centralize the management of users and roles in your enterprise directory.

The database supports multiple models of authentication.

They are:

  • username and password
  • digital certificates (aka x.509)
  • Kerberos
  • RADIUS

The first three are supported by EUS. The last - RADIUS - is not.

Username and password is the easiest, but it does mean that in EUS we have to have an MD5 or SHA1 password hash stored in the enterprise directory. For Active Directory we have a DLL that uses Microsoft's Password Notifier API to do this for us, since AD doesn't do this automatically. For Sun (and Fedora, though we haven't officially certified it) the standard userPassword attribute is already hashed properly.

If you are using Kerberos, the upside is that you don't need to exchange passwords. Instead the client gets a ticket from the KDC (these days that's likely to be Microsoft AD, though I have run into MIT recently) and then the ticket can be used to validate their credentials against the database (this is a simplification of Kerberos, but if you really want to know more you can read the details). In Kerberos the database verifies the credentials; it only uses EUS to map the user to a database schema and database role.

Now to answer some specific questions - which I can update later:

Q1 - the LDAP listener is not Kerberos (authentication) enabled?

A1 - Correct, OVD currently does not support Kerberos authentication. This is not generally a limitation, since no common LDAP client application that I'm aware of requires Kerberos authentication. Also, the Kerberos protocol does not easily open itself up to virtualization. Perhaps this will change when the world starts to adopt STS technologies.

Q2 - the LDAP adapter acts as a client and is Kerberos enabled?

A2 - Yes, OVD can take a simple bind (e.g. username and password) from an LDAP client application and verify that password against Active Directory using Kerberos. This is useful if a company doesn't have SSL enabled on AD (but has SSL on OVD) and wants to securely validate passwords against AD.

Q3 - I can't use my Kerberos ticket (obtained while logging in to a Windows domain) to authenticate to OVD and do a query?

A3 - This depends, because LDAP is like a database - most of the time end-users are not connecting directly to the system; they use client applications. If the client application is web-based and configured to do Windows SSO - then yes. If it's a 3rd-party application that cannot, then you will need to re-type your credentials. Even if we could accept Kerberos tokens - OVD (just like ANY other Kerberos-enabled application) is dependent upon the client application supporting it as well. This is why Kerberos never took off in great numbers prior to the release of Active Directory (which gave everyone who ran Windows a KDC whether they wanted it or not) and the Web.

About


I am Mark Wilcox and I am a Principal Product Manager for Oracle. I'm responsible for Oracle Virtual Directory, Oracle Communications Universal User Profile and Oracle's Identity Governance Framework implementation. I'm perhaps best known for writing Implementing LDAP - the first book on developing LDAP applications (if you own it, you can judge how I have aged over the past decade).
