Securing Oracle Platform Security Services Access to Oracle Internet Directory

So far, the connection from the pricing application’s OPSS component within the WebLogic Server domain to the OID LDAP server is established using the cn=orcladmin user. As mentioned briefly in Chapter 8, it is generally recommended that instead a dedicated LDAP Distinguished Name (DN) be used for each client application. In a production environment, the credentials for cn=orcladmin are typically only used by LDAP directory administrators and should not be used by client applications to access the LDAP server. A client application-specific DN can be given just enough privileges to access the directory and to perform the necessary authentication, authorization, and user/group lookups for OPSS. Furthermore, the use of such a DN allows us to protect the OPSS directory subtree to be seen only by this DN. This will prevent other LDAP users from tampering with application policies and credentials stored in OPSS. It also avoids improper usage and exposure of the cn=orcladmin super user.