Identity and Access Management Glossary

Credit: many of these definitions come from Google, Wikipedia, Microsoft, and Oracle. access control item (ACI) Access control information represents the permissions that various entities or subjects have to perform operations on a given object in the directory. This information is stored in a directory as user-modifiable operational attributes, each of which is called an access control item (ACI). An ACI determines user access rights to directory data. It contains a set of rules for controlling access to entries (structural access items) and attributes (content access items). Access to both structural and content access items may be granted to one or more users or groups. access control list (ACL) A list of resources and the usernames of people who are permitted access to those resources within a computer system. An ACL is a list of access control item (ACI) attribute values that is associated with directory objects. The attribute values on that list represent the permissions that various directory user entities (or subjects) have on a given object. access control policy point (ACP) A directory entry that contains access control policy information that applies downward to all entries at lower positions in the directory information tree (DIT). This information affects the entry itself and all entries below it. account lockout A security feature that locks a user account if e.g. repeated failed logon attempts occur within a specified amount of time, based on security policy settings. ACDF Access Control Decision Function ACI See access control item (ACI). ACIA Access Control Inner Area ACID Atomicity, Consistency, Isolation, and Durability ACL See access control list (ACL). ACP See access control policy point (ACP). ACSA Access Control Specific Area Active Directory Active Directory is a Microsoft technology that provides network services, including LDAP-like directory services, Kerberos-based authentication, DNS-based naming, centralized network administration, some single sign-on, and user account synchronization. Active Directory Domain Services (AD DS) AD DS is the central location for configuration information, authentication requests, and information about all of the objects (users, groups, computers, applications) that are stored within your forest. Active Directory Rights Management Services (AD RMS) AD RMS can protect a file by identifying the rights that a user has to the file. Rights can be configured to allow a user to open, modify, print, forward, or take other actions with the rights-managed information. Active Directory Federation Services (AD FS) Authenticate users from partner organizations. Grant external users access to your organization’s domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization. Active Directory Certificate Services (AD CS) AD CS binds the identity of a person, device, or service to a private key. Storing the certificate and private key within Active Directory helps securely protect the identity, and Active Directory becomes the centralized location for retrieving the appropriate information when an application places a request. Active Directory Lightweight Directory Services (AD LDS) A light-weight implementation of Active Directory, including an identical API, but without the need to create domains or domain controllers. AD LDS can be used in conjunction with AD DS so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). ADDMD Administration Directory Management Domain administrative area (of a directory server) A subtree on a directory server whose entries are under the control of a single administrative authority. The designated administrator controls each entry in that administrative area, as well as the directory schema, access control list (ACL), and attributes for those entries. Advanced Encryption Standard (AES) Advanced Encryption Standard (AES) is a symmetric cryptography algorithm that is intended to replace Data Encryption Standard (DES). AES is a Federal Information Processing Standard (FIPS) for the encryption of commercial and government data. AES See Advanced Encryption Standard (AES). anonymous authentication The process by which a directory authenticates a user without requiring a user name and password combination. Each anonymous user then exercises the privileges specified for anonymous users. API See application programming interface (API). application programming interface (API) A series of software routines and development tools that comprise an interface between a computer application and lower-level services and functions (such as the operating system, device drivers, and other software applications). APIs serve as building blocks for programmers putting together software applications. application service provider Application Service Providers (ASPs) are third-party entities that manage and distribute software-based services and solutions to customers across a wide area network from a central data center. In essence, ASPs are a way for companies to outsource some or almost all aspects of their information technology needs. ASN.1 Abstract Syntax Notation One (ASN.1) is an International Telecommunication Union (ITU) notation used to define the syntax of information data. ASN.1 is used to describe structured information, typically information that is to be conveyed across some communications medium. It is widely used in the specification of Internet protocols. asymmetric algorithm A cryptographic algorithm that uses different keys for encryption and decryption. See also: public key cryptography. asymmetric cryptography See public key cryptography. attribute Directory attributes hold a specific data element such as a name, phone number, or job title. Each directory entry is comprised of a set of attributes, each of which belongs to an object class. Moreover, each attribute has both a type, which describes the kind of information in the attribute, and a value, which contains the actual data. attribute type Attribute types specify information about a data element, such as the data type, maximum length, and whether it is single-valued or multivalued. The attribute type provides the real-world meaning for a value, and specifies the rules for creating and storing specific pieces of data, such as a name or an e-mail address. attribute value Attribute values are the actual data contained within an attribute for a particular entry. For example, for the attribute type email, an attribute value might be authentication The process of verifying the identity claimed by an entity based on its credentials. Authentication of a user is generally based on something the user knows or has (for example, a password or a certificate). Authentication of an electronic message involves the use of some kind of system (such as public key cryptography) to ensure that a file or message which claims to originate from a given individual or company actually does, and a check based on the contents of a message to ensure that it was not modified in transit. authorization The process of granting or denying access to a service or network resource. Most security systems are based on a two step process. The first stage is authentication, in which a user proves his or her identity. The second stage is authorization, in which a user is allowed to access various resources based on his or her identity and the defined authorization policy. authorization policy Authorization policy describes how access to a protected resource is governed. Policy maps identities and objects to collections of rights according to some system model. For example, a particular authorization policy might state that users can access a sales report only if they belong to the sales group. AuthSub AuthSub is an authentication proxy service that allows your web applications to get access to Google Apps services (such as Calendar, DocList, and Spreadsheets APIs) without having to handle the user's account login information directly. AVA Attribute Value Assertion AuthcId Authentication Identity AuthzId Authorization Identity basic authentication An authentication protocol supported by most browsers in which a Web server authenticates an entity with an encoded user name and password passed via data transmissions. Basic authentication is sometimes called plaintext authentication because the base-64 encoding can be decoded by anyone with a freely available decoding utility. Note that encoding is not the same as encryption. BCP See best current practice (BCP). Basic Encoding Rules (BER) The standard rules for encoding data units set forth in ASN.1. BER is sometimes incorrectly paired with ASN.1, which applies only to the abstract syntax description language, not the encoding technique. BER See Basic Encoding Rules (BER). best current practice (BCP) A Best Current Practice (BCP) means that a certain manner of proceeding is in general the most logical choice -- a de facto standard of sorts. This expression is often used in the context of computer programs and their implementation, as well as that of network protocols and their specifications. A Best Current Practice is only a noncommittal suggestion, as is to be proceeded in a certain case. It is thus more flexible than a standard: As requirements and conditions change, from time to time, another manner of proceeding can be more promising, and subsequently implemented. Should the requirements permanently change, a BCP should be revised. BCP is also the name of a numbered document series published by the Internet Engineering Task Force. binding In networking, binding is the establishment of a logical connection between communicating entities. In the case of LDAP, binding refers to the process of authenticating to the directory. The formal set of rules for carrying a SOAP message within or on top of another protocol (underlying protocol) for the purpose of exchange is also called a binding. BSD Authentication BSD Authentication is an authentication framework and software API employed by some Unix-like operating systems, specifically OpenBSD and BSD/OS, and accompanying system and application software such as OpenSSH and Apache. This serves a similar purpose as Pluggable Authentication Modules (PAM) on other operating systems such as Linux, FreeBSD and NetBSD. CA See Certificate Authority (CA). CA certificate A Certificate Authority (CA) signs all certificates that it issues with its private key. The corresponding Certificate Authority's public key is itself contained within a certificate, called a CA Certificate (also referred to as a root certificate). A browser must contain the CA Certificate in its list of trusted root certificates in order to trust messages signed by the CA's private key. cache Generally refers to an amount of quickly accessible memory in your computer. However, on the Web it more commonly refers to where the browser stores downloaded files and graphics on the user's computer. CCITT International Telegraph and Telephone Consultative Committee CER Canonical Encoding Rules certificate A certificate is a specially formatted data structure that associates a public key with the identity of its owner. A certificate is issued by a Certificate Authority (CA). It contains the name, serial number, expiration dates, and public key of a particular entity. The certificate is digitally signed by the issuing CA so that a recipient can verify that the certificate is real. Most digital certificates conform to the X.509 standard. Certificate Authority (CA) A Certificate Authority (CA) is a trusted third party that issues, renews, and revokes digital certificates. The CA essentially vouches for a entity's identity, and may delegate the verification of an applicant to a Registration Authority (RA). Some well known Certificate Authorities (CAs) include Digital Signature Trust, Thawte, and VeriSign. certificate chain An ordered list of certificates containing one or more pairs of a user certificate and its associated CA certificate. certificate management protocol (CMP) Certificate Management Protocol (CMP) handles all relevant aspects of certificate creation and management. CMP supports interactions between public key infrastructure (PKI)) components, such as the Certificate Authority (CA), Registration Authority (RA), and the user or application that is issued a certificate. certificate request message format (CRMF) Certificate Request Message Format (CRMF) is a format used for messages related to the life-cycle management of X.509 certificates, as described in the RFC 2511 specification. certificate revocation list (CRL) A Certificate Revocation List (CRL) is a list of digital certificates which have been revoked by the Certificate Authority (CA) that issued them. change logs Typically these are files that record changes made to software, website, database, etc. ciphertext Ciphertext is the result of applying a cryptographic algorithm to readable data (plaintext) in order to render the data unreadable by all entities except those in possession of the appropriate key. circle of trust A circle of trust is a federation of service providers and identity providers that have business relationships based on Liberty Alliance architecture and operational agreements, and with whom users can transact business in a secure and apparently seamless environment. claim A claim is a declaration made by an entity (for example, a name, identity, key, group, and so on). client SSL certificates A type of certificate used to identify a client machine to a server through Secure Sockets Layer (SSL) (client authentication). cluster A collection of interconnected usable whole computers that is used as a single computing resource. Hardware clusters provide high availability and scalability. CMP See certificate management protocol (CMP). CMS See Cryptographic Message Syntax (CMS). CN Common Name code signing certificates A type of certificate used to identify the entity who signed a Java program, Java Script, or other signed file. COmanage: Collaborative Organization Management Platform COmanage is the Collaborative Organization Management Platform developed by the Internet2 Middleware Initiative. It is designed to allow collaborative organizations to use key collaboration tools in a secure and effective framework. It enables collaboration-centric identity v. application or tool-centric identity. The intent is to externalize identity management, as well as authentication and authorization services (group membership, privilege management, etc.), into the COmanage platform for use by various collaborative applications. concurrency The ability to handle multiple requests simultaneously. Threads and processes are examples of concurrency mechanisms. concurrent clients The total number of clients that have established a session with Oracle Internet Directory. concurrent operations The number of operations that are being executed on Oracle Internet Directory from all of the concurrent clients. Note that this is not necessarily the same as the concurrent clients, because some of the clients may be keeping their sessions idle. confidentiality In cryptography, confidentiality (also known as privacy) is the ability to prevent unauthorized entities from reading data. This is typically achieved through encryption. consumer A directory server that is the destination of replication updates. Sometimes called a slave. contention Competition for resources. context prefix The distinguished name (DN) of the root of a naming context. COSINE Co-operation and Open Systems Interconnection in Europe CRL See certificate revocation list (CRL). CRMF See certificate request message format (CRMF). cryptographic algorithm A cryptographic algorithm is a defined sequence of processes to convert readable data (plaintext) to unreadable data (ciphertext) and vice versa. These conversions require some secret knowledge, normally contained in a key. Examples of cryptographic algorithms include DES, AES, Blowfish, and RSA. Cryptographic Message Syntax (CMS) A syntax defined in RFC 3369 for signing, digesting, authenticating, and encrypting digital messages. DACD Directory Access Control Domain DAP Directory Access Protocol data integrity The guarantee that the contents of the message received were not altered from the contents of the original message sent. See also: integrity. DC Domain Component default identity management realm In a hosted environment, one enterprise (e.g. an application service provider) makes software components available to multiple other enterprises and stores information for them. In such hosted environments, the enterprise performing the hosting is called the default identity management realm, and the enterprises that are hosted are each associated with their own identity management realm in the directory information tree (DIT). default knowledge reference A knowledge reference that is returned when the base object is not in the directory, and the operation is performed in a naming context not held locally by the server. A default knowledge reference typically sends the user to a server that has more knowledge about the directory partitioning arrangement. delegated administrator In a hosted environment, one enterprise (e.g. an application service provider) makes software components available to multiple other enterprises and stores information for them. In such an environment, a global administrator performs activities that span the entire directory. Other administrators-- called delegated administrators-- may exercise roles in specific identity management realms, or for specific applications. DER See Distinguished Encoding Rules (DER). DIB See directory information base (DIB). digest See message digest. digital certificate See certificate. digital signature A digital signature is the result of a two-step process applied to a given block of data. First, a hash function is applied to the data to obtain a result. Second, that result is encrypted using the signer's private key. Digital signatures can be used to ensure integrity, message authentication, and non-repudiation of data. Examples of digital signature algorithms include DSA, RSA, and ECDSA. Digital Signature Algorithm (DSA) The Digital Signature Algorithm (DSA) is an asymmetric algorithm that is used as part of the Digital Signature Standard (DSS). It cannot be used for encryption, only for digital signatures. The algorithm produces a pair of large numbers that enable the authentication of the signatory, and consequently, the integrity of the data attached. DSA is used both in generating and verifying digital signatures. See also: Elliptic Curve Digital Signature Algorithm (ECDSA). directory information base (DIB) The complete set of all information held in the directory. The DIB consists of entries that are related to each other hierarchically in a directory information tree (DIT). directory information tree (DIT) A hierarchical tree-like structure consisting of the distinguished names (DNs) of the entries. directory naming context See naming context. directory provisioning profile A special kind of directory integration profile that describes the nature of provisioning-related notifications to be sent to directory-enabled applications. directory replication group (DRG) The directory servers participating in a replication agreement. directory server instance A discrete invocation of a directory server. Different invocations of a directory server, each started with the same or different configuration set entries and startup flags, are said to be different directory server instances. directory synchronization profile A special kind of directory integration profile that describes how synchronization is carried out between Oracle Internet Directory and an external system. directory system agent (DSA) The X.500 term for a directory server. directory-specific entry (DSE) An entry specific to a directory server. Different directory servers may hold the same directory information tree (DIT) name, but have different contents—that is, the contents can be specific to the directory holding it. A DSE is an entry with contents specific to the directory server holding it. directory user agent (DUA) The software that accesses a directory service on behalf of the directory user. The directory user may be a person or another software element. DIS See directory integration and provisioning server. DISP Directory Information Shadowing Protocol Distinguished Encoding Rules (DER) Distinguished Encoding Rules (DER) are a set of rules for encoding ASN.1 objects in byte-sequences. DER is a special case of Basic Encoding Rules (BER). distinguished name (DN) A X.500 distinguished name (DN) is a unique name for a node in a directory tree. A DN is used to provide a unique name for a person or any other directory entry. A DN is a concatenation of selected attributes from each node in the tree along the path from the root node to the named entry's node. For example, in LDAP notation, the DN for a person named John Smith working at Oracle's US office would be: "cn=John Smith, ou=People, o=Oracle, c=us". The DN provides a way of selecting any object in a directory. Components include CN (common name), DC (domain content), OU (organizational unit), etc. relative distiguished name (RDN) DIT See directory information tree (DIT). DMD Directory Management Domain DMO Doman Management Organization DN See distinguished name (DN). DNS Domain Name System Document Type Definition (DTD) A Document Type Definition (DTD) is a document that specifies constraints on the tags and tag sequences that are valid for a given XML document. DTDs follow the rules of Simple Generalized Markup Language (SGML), the parent language of XML. domain component attribute The domain component (dc) attribute can be used in constructing a distinguished name (DN) from a domain name. For example, using a domain name such as "", one could construct a DN beginning with "dc=oracle, dc=com", and then use this DN as the root of its subtree of directory information. DOP Directory Operational Binding Management Protocol DRG See directory replication group (DRG). DSA See Digital Signature Algorithm (DSA) or directory system agent (DSA). DSE See directory-specific entry (DSE). DSAIT DSA Information Tree DSP Directory System Protocol DTD See Document Type Definition (DTD). DUA Directory User Agent encryption Encryption is the process of converting plaintext to ciphertext by applying a cryptographic algorithm. encryption certificate An encryption certificate is a certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmission, or to establish or exchange a session key for these same purposes. end-to-end security This is a property of message-level security that is established when a message traverses multiple applications within and between business entities and is secure over its full route through and between the business entities. entry (in a directory) An entry is a unique record in a directory that describes an object, such as a person. An entry consists of attributes and their associated attribute values, as dictated by the object class that describes that entry object. All entries in an LDAP directory structure are uniquely identified through their distinguished name (DN). EXOP Extended Operation export agent A software agent that exports data out of an application, database, directory, etc. See export data file. export file The file that contains data exported by an export agent. external agent A directory integration agent that is independent of an application or server, e.g. to provide scheduling, mapping, or error handling services for the application or server. An external agent is typically used when a third party solution is integrated. external application Applications that do not delegate authentication to a single sign on (SSO) server. Instead, they display HTML login forms that ask for application user names and passwords. failover The process of failure recognition and recovery. fan-out replication Also called a point-to-point replication, a type of replication in which a supplier replicates directly to a consumer. That consumer can then replicate to one or more other consumers. The replication can be either full or partial. Federal Information Processing Standards (FIPS) Federal Information Processing Standards (FIPS) are standards for information processing issued by the US government Department of Commerce's National Institute of Standards and Technology (NIST). federated identity management (FIM) The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains. FIM makes it possible for an authenticated user to be recognized and take part in personalized services across multiple domains. It avoids pitfalls of centralized storage of personal information, while allowing users to link identity information between different accounts. Federated identity requires two key components: trust and standards. The trust model of federated identity management is based on circle of trust. The standards are defined by the Liberty Alliance Project. federation A federation is a group of entities (companies and organizations) that have a shared user base, and have agreed to provide identity and authorization tokens so that their users only have to logon once to access all of the services in their circle of trust. Within the federation, at least one entity serves as the identity provider who is responsible for authenticating users. Entities that provide services to the user are referred to as service providers. filter A filter is an expression that defines the entries to be returned from a request or search on a directory. Filters are typically expressed as DNs, for example: cn=susie smith,o=acme,c=us. FIM See federated identity management (FIM). FIPS See Federal Information Processing Standards (FIPS). forced authentication The act of forcing a user to reauthenticate if he or she has been idle for a preconfigured amount of time. Oracle Application Server Single Sign-On enables you to specify a global user inactivity timeout. This feature is intended for installations that have sensitive applications. Geneva software by Microsoft Microsoft's code-name "Geneva Framework" is really Windows Identity Foundation, and "Geneva Server" is Active Directory Federation Services 2.0. GET (URL authentication) An authentication method whereby login credentials are submitted as part of the login URL. Cf. POST. global administrator In a hosted environment, one enterprise (e.g. an application service provider) makes software components available to multiple other enterprises and stores information for them. In such an environment, a global administrator performs activities that span the entire directory. global unique identifier (GUID) An identifier generated by the system and inserted into an entry when the entry is added to the directory. In a multimaster replicated environment, the GUID, not the DN, uniquely identifies an entry. The GUID of an entry cannot be modified by a user. globalization support Multilanguage support, which may use internationalization (I18N) and localization (L10N). globally unique user ID A numeric string that uniquely identifies a user. A person may change or add user names, passwords, and distinguished names, but her globally unique user ID always remains the same. grace login A login occurring within the specified period before password expiration. group search base In a default directory information tree (DIT), the node in the identity management realm under which all the groups can be found. Grouper Groups Management Toolkit Internet2's Grouper Groups Management Toolkit enables project managers, departments, institutions and end users to create and manage institutional and personal groups. It puts control of a group in the hands of its steward and enables the person to manage the membership and what resources it can access. See Shibboleth System. GSER Generic String Encoding Rules GSS-API Generic Security Service Application Program Interface guest user One who is not an anonymous user, and, at the same time, does not have a specific user entry. GUID See global unique identifier (GUID). handshake A protocol two computers use to initiate a communication session. hash A number generated from a string of text with an algorithm. The hash value is substantially smaller than the text itself. Hash numbers are used for security and for faster access to data. See also: hash function. hash function In cryptography, a hash function or one-way hash function is an algorithm that produces a given value when applied to a given block of data. The result of a hash function can be used to ensure the integrity of a given block of data. For a hash function to be considered secure, it must be very difficult, given a known data block and a known result, to produce another data block that produces the same result. Hashed Message Authentication Code (HMAC) Hashed Message Authentication Code (HMAC) is a hash function technique used to create a secret hash function output. This strengthens existing hash functions such as MD5 and SHA. It is used in transport layer security (TLS). HMAC See Hashed Message Authentication Code (HMAC). HOB Hierarchical Operational Binding Higgins project by Eclipse Foundation ? I-D Internet-Draft IA5 International Alphabet 5 IAB Internet Architecture Board IANA Internet Assigned Numbers Authority ID Identification (or Identifier) identity management The process by which the complete security lifecycle for network entities is managed in an organization. It typically refers to the management of an organization's application users, where steps in the security life cycle include account creation, suspension, privilege modification, and account deletion. The network entities managed may also include devices, processes, applications, or anything else that needs to interact in a networked environment. Entities managed by an identity management process may also include users outside of the organization, for example customers, trading partners, or web services. identity management realm A collection of identities, all of which are governed by the same administrative policies. In an enterprise, all employees having access to the intranet may belong to one realm, while all external users who access the public applications of the enterprise may belong to another realm. An identity management realm is represented in the directory by a specific entry with a special object class associated with it. identity provider These are organizations recognized by the members of a circle of trust as the entity responsible for authenticating users and providing the digital identity information of users to other parties in a federation. Identity providers enter into partnerships with service providers and provide services that follow agreed-upon practices set by all parties in a federation. IDN Internationalized Domain Name IDNA Internationalized Domain Names in Applications IESG Internet Engineering Steering Group IETF Internet Engineering Task Force Identity Metasystem Interoperability Version 1.0 Developed by Organization for the Advancement of Structured Information Standards. For levels of assurance 1 through 3 as defined by NIST Publication 800-63. import agent An agent that imports data into an application, database, directory, etc. import file The file containing the data imported by an import agent. Information Card Architectures (ICAs) aka Info Cards E.g. a swipe card. Provides phishing-resistant authentication. Microsoft is publishing information card software called "Geneva". integrity In cryptography, integrity is the ability to detect if data has been modified by entities that are not authorized to modify it. Internet Engineering Task Force (IETF) The principal body engaged in the development of new Internet standard specifications. It is an international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. IP Internet Protocol IPsec IP Security IPv4 Internet Protocol, version 4 IPv6 Internet Protocol, version 6 ISO International Standards Organization ITU International Telecommunications Union ITU-T International Telecommunications Union \- Telecom Standardization Sector key (cryptography) A key is a data structure that contains some secret knowledge necessary to successfully encrypt or decrypt a given block of data. The larger the key, the harder it is to crack a block of encrypted data. For example, a 256-bit key is more secure than a 128-bit key. key pair (cryptography) A public key and its associated private key. See also: public/private key pair. Keys to the Kingdom Shorthand name for this problem: if you use a single credential, and it gets lost or stolen, it unlocks everything. knowledge reference The access information (name and address) for a remote directory system agent (DSA) and the name of the directory information tree (DIT) subtree that the remote DSA holds. Knowledge references are also called referrals. Kuali Identity Management (KIM) Kuali Identity Management (KIM) provides central identity and access management services. It also provides management features for Identity, Groups, Roles, Permissions, and their relationships with each other. All integration with KIM is through a simple and consistent service API (Java or Web Services). latency The time a client has to wait for a given directory operation to complete. Latency can be defined as wasted time. In networking discussions, latency is defined as the travel time of a packet from source to destination. LDAP See Lightweight Directory Access Protocol (LDAP). LDAP Data Interchange Format (LDIF) A common, text-based format for exchanging directory data between systems. The set of standards for formatting an input file for any of the LDAP command-line utilities. LDIF See LDAP Data Interchange Format (LDIF). legacy application Older application that typically cannot be modified to use newer protocols. Liberty Alliance The Liberty Alliance Project is an alliance of more than 150 companies, non-profit, and government organizations from around the globe. The consortium is committed to developing an open standard for federated network identity that supports all current and emerging network devices. The Liberty Alliance is the only global body working to define and drive open technology standards, privacy, and business guidelines for federated identity management (FIM). Lightweight Directory Access Protocol (LDAP) A set of protocols for accessing information in directories. LDAP supports TCP/IP, which is necessary for any type of Internet access. Its framework of design conventions supports industry-standard directory products, such as Oracle Internet Directory. Because it is a simpler version of the X.500 standard, LDAP is sometimes called X.500 light. LDAP Data Interchange Format (LDIF) Represents LDAP entries in text, in a human-readable format. Allows easy modification of data. Tools: ldbmcat converts ldbm database to ldif, ldif2ldbm converts ldif back to ldbm database. logical host A host name and IP address that is mapped to a physical host, typically in a cluster of servers. The physical host impersonates the host name and IP address of the logical host. MAC See message authentication code (MAC). man-in-the-middle attack A security attack characterized by the third-party, surreptitious interception of a message. The third-party, the man-in-the-middle, decrypts the message, re-encrypts it (with or without alteration of the original message), and retransmits it to the originally-intended recipient—all without the knowledge of the legitimate sender and receiver. This type of security attack works only in the absence of authentication. matching rule (in LDAP search) In a search or compare operation, determines equality between the attribute value sought and the attribute value stored. For example, matching rules associated with the telephoneNumber attribute could cause "(650) 123-4567" to be matched with either "(650) 123-4567" or "6501234567" or both. When you create an attribute, you associate a matching rule with it. MD5 Message Digest Five (MD5) is a message digest hash function. The algorithm processes input text and creates a 128-bit message digest which is unique to the message and can be used to verify data integrity. metadirectory A directory solution that shares information between all enterprise directories, integrating them into one virtual directory. It centralizes administration, thereby reducing administrative costs. It synchronizes data between directories, thereby ensuring that it is consistent and up-to-date across the enterprise. message authentication The process of verifying that a particular message came from a particular entity. See also: authentication. message authentication code (MAC) The Message Authentication Code (MAC) is a result of a two-step process applied to a given block of data. First, the result of a hash function is obtained. Second, that result is encrypted using a secret key. The MAC can be used to authenticate the source of a given block of data. message digest The result of a hash function. See also: hash. MODDN Modify Distiguished Name MODRDN Modify Relative Distinguished Name multimaster replication Also called peer-to-peer or n-way replication, a type of replication that enables multiple sites, acting as equals, to manage groups of replicated data. In a multimaster replication environment, each node is both a supplier and a consumer node, and the entire directory is replicated on each node. naming context A subtree that resides entirely on one server. It must be contiguous, that is, it must begin at an entry that serves as the top of the subtree, and extend downward to either leaf entries or knowledge references (also called referrals) to subordinate naming contexts. It can range in size from a single entry to the entire directory information tree (DIT). native agent An agent that runs under the control of a given application, database, directory, etc. It is in contrast to an external agent. net service name A simple name for a service that resolves to a connect descriptor. Users initiate a connect request by passing a user name and password along with a net service name in a connect string for the service to which they wish to connect. NHOB Non-specific Hierarchical Operational Binding nickname attribute The attribute used to uniquely identify a user in the entire directory. The default value for this is uid. Applications use this to resolve a simple user name to the complete distinguished name. The user nickname attribute cannot be multi-valued—that is, a given user cannot have multiple nicknames stored under the same attribute name. non-repudiation In cryptography, the ability to prove that a given digital signature was produced with a given entity's private key, and that a message was sent untampered at a given point in time. NSAP Network Service Access Point NSSR Non-specific Subordinate Reference OASIS Organization for the Advancement of Structured Information Standards. OASIS is a worldwide not-for-profit consortium that drives the development, convergence and adoption of e-business standards. OAuth OAuth enables you to permit one website to connect to another website. For example, you can have an account on Twitter for your news and an account on Flickr for your photos. You can use OAuth to connect Flickr to Twitter, so you can easily share your photos on Twitter. Twitter will redirect you to Flickr which will ask you "Twitter wants to access your Flickr photos. Ok?”, and then back to Twitter. object class In LDAP, object classes are used to group information. Typically an object class models a real-world object such as a person or a server. Each directory entry belongs to one or more object classes. The object class determines the attributes that make up an entry. One object class can be derived from another, thereby inheriting some of the characteristics of the other class. OCSP See Online Certificate Status Protocol (OCSP). OID Object Identifier One-way Trust vs. Two-way Trust
One-way trust Users from Site A can use Site B. Users from Site B cannot access Site A.
Two-way trust Users from Site A can use Site B, and vice versa.
Online Certificate Status Protocol (OCSP) Online Certificate Status Protocol (OCSP) is one of two common schemes for checking the validity of digital certificates. The other, older method, which OCSP has superseded in some scenarios, is certificate revocation list (CRL). OCSP is specified in RFC 2560. OpenID OpenID gives you a username and password that you can use on many popular websites. For example, you can get an OpenID username and password from Now when you go to, you can choose to sign in with your Yahoo OpenID. Flickr will automatically connect you to Yahoo, where you sign in, and then you can use Flickr. Oracle Internet Directory Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of an Oracle Database. Oracle Application Server Single Sign-On OracleAS Single Sign-On consists of program logic that enables you to log in securely to applications such as expense reports, mail, and benefits. These applications take two forms: partner applications and external applications. In both cases, you gain access to several applications by authenticating only once. Oracle Call Interface (OCI) An application programming interface (API) that enables you to create applications that use the native procedures or function calls of a third-generation language to access an Oracle Database server and control all phases of SQL statement execution. Oracle Certificate Authority Oracle Application Server Certificate Authority is a Certificate Authority (CA) for use within your Oracle Application Server environment. OracleAS Certificate Authority uses Oracle Internet Directory as the storage repository for certificates. OracleAS Certificate Authority integration with OracleAS Single Sign-On and Oracle Internet Directory provides seamless certificate provisioning mechanisms for applications relying on them. A user provisioned in Oracle Internet Directory and authenticated in OracleAS Single Sign-On can choose to request a digital certificate from OracleAS Certificate Authority. Oracle CMS Oracle CMS implements the IETF Cryptographic Message Syntax (CMS) protocol. CMS defines data protection schemes that allow for secure message envelopes. Oracle Delegated Administration Services A set of individual, pre-defined services—called Oracle Delegated Administration Services units—for performing directory operations on behalf of a user. Oracle Internet Directory Self-Service Console makes it easier to develop and deploy administration solutions for both Oracle and third-party applications that use Oracle Internet Directory. Oracle Directory Integration and Provisioning A collection of interfaces and services for integrating multiple directories by using Oracle Internet Directory and several associated plug-ins and connectors. A feature of Oracle Internet Directory that enables an enterprise to use an external user repository to authenticate to Oracle products. In an Oracle Directory Integration and Provisioning environment, a server daemon process that monitors Oracle Internet Directory for change events and takes action based on the information present in the directory integration profile. Oracle Directory Integration Platform A component of Oracle Internet Directory. It is a framework developed to integrate applications around a central LDAP directory like Oracle Internet Directory. Oracle Directory Manager A Java-based tool with a graphical user interface for administering Oracle Internet Directory. Oracle Enterprise Manager A separate Oracle product that combines a graphical console, agents, common services, and tools to provide an integrated and comprehensive systems management platform for managing Oracle products. Oracle Identity Management An infrastructure enabling deployments to manage centrally and securely all enterprise identities and their access to various applications in the enterprise. Oracle Internet Directory A general purpose directory service that enables retrieval of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of the Oracle Database. Oracle Liberty SDK Oracle Liberty SDK implements the Liberty Alliance Project specifications enabling federated single sign-on between third-party Liberty-compliant applications. Oracle Net Services The foundation of the Oracle family of networking products, allowing services and their client applications to reside on different computers and communicate. The main function of Oracle Net Services is to establish network sessions and transfer data between a client application and a server. Oracle Net Services is located on each computer in the network. Once a network session is established, Oracle Net Services acts as a data courier for the client and the server. Oracle SAML Oracle SAML provides a framework for the exchange of security credentials among disparate systems and applications in an XML-based format as outlined in the OASIS specification for the Security Assertions Markup Language (SAML). Oracle Security Engine Oracle Security Engine extends Oracle Crypto by offering X.509 based certificate management functions. Oracle Security Engine is a superset of Oracle Crypto. Oracle S/MIME Oracle S/MIME implements the Secure/Multipurpose Internet Mail Extension (S/MIME) specifications from the Internet Engineering Task Force (IETF) for secure e-mail. Oracle Wallet Manager A Java-based application that security administrators use to manage public-key security credentials on clients and servers. See also: Oracle Advanced Security Administrator's Guide. OracleAS Portal An OracleAS Single Sign-On partner application that provides a mechanism for integrating files, images, applications, and Web sites. The External Applications portlet provides access to external applications. OSI Open Systems Interconnection PAM: Pluggable Authentication Modules Pluggable Authentication Modules (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independent of the underlying authentication scheme. PAM is standardized as the X/Open Single Sign-on (XSSO) standard. A criticism is that PAM on its own cannot implement Kerberos, the most common type of SSO used in Unix environments. BSD Authentication partition (in a directory) A unique, non-overlapping directory naming context that is stored on one directory server. partner application An application that delegates the authentication function to an authentication server, for example to provide single sign on (SSO). This type of application spares users from reauthenticating by accepting mod_osso headers. PDU Protocol Data Unit peer-to-peer replication Also called multimaster replication or n-way replication. A type of replication that enables multiple sites, acting as equals, to manage groups of replicated data. In such a replication environment, each node is both a supplier and a consumer node, and the entire directory is replicated on each node. PKCS The Public Key Cryptography Standards (PKCS) are specifications produced by RSA Laboratories. PKI See public key infrastructure (PKI). plaintext Plaintext is readable data prior to a transformation to ciphertext using encryption, or readable data that is the result of a transformation from ciphertext using decryption. point-to-point replication Also called fan-out replication is a type of replication in which a supplier replicates directly to a consumer. That consumer can then replicate to one or more other consumers. The replication can be either full or partial. policy precedence Policies are applied to incoming requests in the order that they are displayed on the main policy page. When a policy processor module parses policies, those that appear toward the top of the policy list are applied to requests first. Those that appear toward the bottom of the list are applied last and take precedence over the others. Only enabled policies are applied to incoming requests. POSIX Portable Operating System Interface for UNIX. A set of programming interface standards governing how to write application source code so that the applications are portable between operating systems. A series of standards being developed by the Internet Engineering Task Force (IETF). POST (URL authentication) An authentication method whereby login credentials are submitted within the body of the login form. Cf. GET. PRDMD Private Directory Management Domain private key A private key is the secret key in a public/private key pair used in public key cryptography. An entity uses its private key to decrypt data that has been encrypted with its public key. The entity can also use its private key to create digital signatures. The security of data encrypted with the entity's public key as well as signatures created by the private key depends on the private key remaining secret. provisioned applications Applications in an environment where user and group information is centralized in a directory server. These applications are typically interested in changes to that information in the directory server. provisioning The process of providing users with access to applications and other resources that may be available in an enterprise environment. provisioning agent An application or process that translates directory-specific provisioning events to external or third-party application-specific events. provisioning integration profile A special kind of directory integration profile that describes the nature of provisioning-related notifications that a directory server sends to the directory-enabled applications. proxy server A server between a client application, such as a web browser, and a real server. It intercepts all requests to the real server to see if it can fulfil the requests itself. If not, it forwards the request to the real server. Proxies can be used for load balancing and as an extra layer of security. proxy user A kind of user typically employed in an environment with a middle tier such as a firewall. In such an environment, the end user authenticates to the middle tier. The middle tier then logs into the directory on the end user's behalf. A proxy user has the privilege to switch identities and, once it has logged into the directory, switches to the end user's identity. It then performs operations on the end user's behalf, using the authorization appropriate to that particular end user. public key A public key is the non-secret key in a public/private key pair used in public key cryptography. A public key allows entities to encrypt data that can only then be decrypted with the public key's owner using the corresponding private key. A public key can also be used to verify digital signatures created with the corresponding private key. public key cryptography Public key cryptography (also known as asymmetric cryptography) uses two keys, one public and the other private. These keys are called a key pair. The private key must be kept secret, while the public key can be transmitted to any party. The private key and the public key are mathematically related. A message that is signed by a private key can be verified by the corresponding public key. Similarly, a message encrypted by the public key can be decrypted by the private key. This method ensures privacy because only the owner of the private key can decrypt the message. public key encryption The process in which the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using the recipient's private key. public key infrastructure (PKI) A public key infrastructure (PKI) is a system that manages the issuing, distribution, and authentication of public keys and private keys. A PKI typically comprises the following components: