
3 Understanding Oracle Virtual Directory Routing

This chapter describes Oracle Virtual Directory routing and includes the following topics:

■ What is Routing?
■ Understanding Routing Settings

3.1 What is Routing?

In a traditional directory server, multiple databases are defined, each is responsible for part of the directory tree namespace, and selection is determined strictly by namespace comparison. In a virtual directory, multiple adapters can share the same namespace, so selection is more complex, yet more controllable.

Routing is the process by which Oracle Virtual Directory decides which adapter should be selected for an LDAP operation. Routing is applied to all adapters regardless of type and serves several purposes, including:

■ limiting the number of adapters selected to just the ones which contain the requested client data and are relevant to the current LDAP operation.
■ enabling you to design for complex environments.
■ enabling you to tune Oracle Virtual Directory to implement a more secure, higher-performing configuration by reducing the number of adapters for a particular transaction.

Routing controls adapter selection by examining not just the basic DN namespace, but also other aspects of transaction information, including DN pattern matching, LDAP filters, attribute filters, and query filters.

At its most basic level, Oracle Virtual Directory can select adapters through a process of adapter suffix comparison. Adapter suffix comparison takes the search base or the entry DN of an operation (add, modify, delete, or rename) and compares it with the suffix root of each adapter. Depending on the scope, Oracle Virtual Directory can determine whether one or more adapters are affected by a particular query.
Adapter suffix comparison works well with a small number of adapters; however, more flexible decisions are usually required, and this is where routing becomes important. Routing lets administrators teach Oracle Virtual Directory about proxied data sources in the form of routing intelligence. Routing allows Oracle Virtual Directory to further qualify directory operations and send them only to the specific places where they are needed, which helps keep existing directories from being overloaded with irrelevant operations and keeps partners from seeing queries that are not related to their own directory.

Oracle Fusion Middleware Administrators Guide for Oracle Virtual Directory

The Oracle Virtual Directory routing process analyzes LDAP client search filters in addition to traditional adapter suffix comparison and further refines the set of adapters eligible for processing.

Routing Example

Consider the example virtual directory structure shown in Figure 3–1, which has the following four adapters configured:

■ Adapter 0 forms the root of the directory tree and maps to o=AppView. This adapter holds the virtual root of the tree and local entries such as access control groups.
■ Adapters 1-3 map each directory source to positions beneath the ou=People branch of the new application tree.

Figure 3–1 Example Virtual Directory Structure

Suppose an application that uses the directory in Figure 3–1 has little intelligence regarding a directory service: it was originally designed for a single business and does not understand that multiple business user groups may be using the same application. Instead of expecting a varied and diverse directory tree structure, the application only searches the directory from one common directory hierarchy point, or one common base. For this example, say the application only searches the directory from ou=People,o=AppView.
When a user enters a login credential such as jim.smithdivisionB.com, the application issues the following search:

■ base: ou=People,o=AppView
■ scope: subtree
■ filter: uid=jim.smithdivisionb.com

After receiving this query, Oracle Virtual Directory automatically selects all adapters eligible for this query. Because the query is at the base of the tree, all adapters are selected, which leads to a performance problem that needs to be examined. If all the other companies exist lower in the directory structure, for example at ou=DivisionB,ou=People,o=AppView, then by default all directory sources are searched because their branches are below the parent ou=People,o=AppView.

[Figure 3–1 labels: AppView (Adapter 0); Groups; Application; People; External Users C (Adapter 3); Division B (Adapter 2); Division A (Adapter 1)]
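The suffix comparison behind the routing example can be sketched as follows. This is an added illustration of a simplified selection model, not Oracle Virtual Directory code; the function names are hypothetical, and the adapter roots for Division A and External Users C are assumed DNs, since the page only gives o=AppView and ou=DivisionB,ou=People,o=AppView.

```python
# Simplified model of adapter suffix comparison (illustration only, not OVD code).

def parse_dn(dn):
    """Split a DN into normalized RDNs, leaf first (escaped commas not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def is_at_or_below(dn, ancestor):
    """True if dn equals ancestor or lies beneath it in the tree."""
    d, a = parse_dn(dn), parse_dn(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

# Adapter 0's root and the ou=DivisionB DN are from the page; the other two
# roots are assumed DNs for the Division A and External Users C branches.
ADAPTERS = {
    "Adapter 0": "o=AppView",
    "Adapter 1": "ou=DivisionA,ou=People,o=AppView",       # assumed DN
    "Adapter 2": "ou=DivisionB,ou=People,o=AppView",
    "Adapter 3": "ou=ExternalUsersC,ou=People,o=AppView",  # assumed DN
}

def select_adapters(base, scope, adapters=ADAPTERS):
    """Names of adapters a search with this base and scope can touch."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError("unknown scope: %r" % (scope,))
    base_depth = len(parse_dn(base))
    selected = []
    for name, root in adapters.items():
        # The base entry itself falls inside this adapter's namespace.
        holds_base = is_at_or_below(base, root)
        # The adapter's root sits beneath the base, within the search scope.
        levels_down = len(parse_dn(root)) - base_depth
        in_scope = is_at_or_below(root, base) and (
            scope == "subtree" or (scope == "onelevel" and levels_down == 1))
        if holds_base or in_scope:
            selected.append(name)
    return selected

if __name__ == "__main__":
    # The application's search from the page: every backend receives the uid filter.
    print(select_adapters("ou=People,o=AppView", "subtree"))
    # A search rooted at one division's branch reaches fewer adapters.
    print(select_adapters("ou=DivisionB,ou=People,o=AppView", "subtree"))
```

In this model the application's subtree search from ou=People,o=AppView selects all four adapters, so the uid value in the filter is sent to every proxied source, which is the fan-out that routing rules are meant to narrow.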