Tuesday Sep 25, 2012

OUD as a OAM Identity Store

Since 11gR2, OUD can be used natively as a OAM Identity Store. Select  "OUD: Oracle Unified Directory" as Store Type as described here.

As an alternate solution, you can also configure OVD as Identity Store with OAM and then configure LDAP adapter for OVD with OUD details.Configuring Identity store for OAM is documented here. Choose "OVD: Oracle Virtual Directory" as store type and provide store details as per the document. Configuring LDAP adapter for OVD is documented here. Provide your OUD details required as per the document.

Friday Sep 21, 2012

Creating a new naming context in OUD

A naming context (also known as a directory suffix) is a DN that identifies the top entry in a locally held directory hierarchy.

A new naming context can be created using ODSM, the OUD gui admin console, as described in http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/server_config.htm#CBDGCJGF

It can also be created using the dsconfig command line as described below: Creation of a new naming context consists in 3 steps:

First create a Local Backend Workflow element (myNewDb in this exemple) ,  responsible for the naming context base dn, e.g o=example.

dsconfig create-workflow-element \
          --set base-dn:o=example \
          --set enabled:true \
          --type db-local-backend \
          --element-name myNewDb \
          --hostname <your host> \
          --port <admin port> \
          --bindDN cn=Directory\ Manager \
          --bindPasswordFile ****** \

Second, create a Workflow element (workFlowForMyNewDb in this exemple) associated with the Local Backend Workflow element. WorkFlow elements are used to route LDAP requests to the appropriate database, based on the target base dn.

dsconfig create-workflow \
          --set base-dn:o=example \
          --set enabled:true \
          --set workflow-element:myNewDb \
          --type generic \
          --workflow-name workFlowForMyNewDb \
          --hostname <your host name> \
          --port <admin port>\
          --bindDN cn=Directory\ Manager \
          --bindPasswordFile ****** \

Then, the workflow element must be made visible outside of the directory, i.e added to the internal "routing table". This is done by adding the Workflow to the appropriate Network Group. A Network group  is used to classify incoming client connections and route requests to workflows.

dsconfig set-network-group-prop \
          --group-name network-group \
          --add workflow:workFlowForMyNewDb \
          --hostname <your hostname> \
          --port <admin port>\
          --bindDN cn=Directory\ Manager \
          --bindPasswordFile ****** \

At that stage, it is possible to import entries to the new naming context o=example.

Wednesday Sep 12, 2012

Fuzzing for Security

Yesterday, I attended an internal workshop about ethical hacking. Hacking skills like fuzzing can be used to quantitatively assess and measure security threats in software.  Fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by injecting massive amounts of random data, called fuzz, to the system in an attempt to make it crash. If the program contains a vulnerability that can leads to an exception, crash or server error (in the case of web apps), it can be determined that a vulnerability has been discovered.

A fuzzer is a program that generates and injects random (and in general faulty) input to an application. Its main purpose is to make things easier and automated.

There are typically two methods for producing fuzz data that is sent to a target, Generation or Mutation. Generational fuzzers are capable of building the data being sent based on a data model provided by the fuzzer creator. Sometimes this is simple and dumb as sending random bytes, swapping bytes or much smarter by knowing good values and combining them in interesting ways.

Mutation on the other hand starts out with a known good "template" which is then modified. However, nothing that is not present in the "template" or "seed" will be produced.

Generally fuzzers are good at finding buffer overflow, DoS, SQL Injection, Format String bugs etc. They do a poor job at finding vulnerabilites related to information disclosure, encryption flaws and any other vulnerability that does not cause the program to crash.  Fuzzing is simple and offers a high benefit-to-cost ratio but does not replace other proven testing techniques.

What is your computer doing over the week-end ?

I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.


« September 2012 »