Generic Importer for rapid development of misc. data import in SailPoint IdentityIQ

The Generic Importer is a new framework which allows for the rapid development of miscellaneous data imports into SailPoint IdentityIQ. It basically abstracts away from the data source so business rules implemented using the data are source agnostic.

Read the full post at

Enterprise Manager Cloud Control and eusm issues: AuthenticationException

Very useful for 12c users…

Florence Blanc-Renaud's technical spot

Enterprise Manager Cloud Control is a web-based interface that allows to administer Enterprise User Security. When connecting to  OUD server, the interface may complain about an invalid password even though the credentials are correct.

The same problem happens with eusm 12c (the command-line tool delivered with Oracle Database):

$ eusm listDomains realm_dn=dc=example,dc=com ldap_host=$ldap_host ldap_port=1389 ldap_user_dn="cn=directory manager" ldap_user_password=****
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

If OUD access log shows the following error:

The server was not able to find any user entries for the provided username of cn=directory manager

then the fix is provided in Oracle Identity Management Suite Bundle Patch (22085294), or Oracle Identity Management Suite Bundle Patch (22085274)  depending on your OUD version.

The connection method between Enterprise Manager Cloud Control and OUD (or eusm 12c and OUD) is using SASL/DIGEST-MD5 authentication instead of a simple BIND. SASL/DIGEST-MD5 requires the password to be stored in…

View original post 148 more words

Using OUD plugin for SAML authentication with OAM against users stored in SQLServer

Here is a practical example about how to use a custom OUD plugin to speed up deployment of an Identity Management solution for a fraction of the price compared to developing a custom connector:

The use-case is to enable SAML authentication as an IDP where some of the users are stored in a SQLServer database and some in AD (external users in DB, internal users in AD).

The customer is planning to have OAM authenticate the users and perform the role of a SAML IDP doing LDAP authentication for users stored in the database and Kerberos for the users stored in AD. In order to allow OAM to authenticate users that are stored in the database, OUD can be deployed as a RDBMS proxy thanks to the RDBMS workflow element feature, so that users stored in a database table are exposed as a LDAP tree that OAM will authenticate against.

Problem is with the password field in the database that is hashed in a specific way.

The trick is to deploy a custom OUD plugin component ahead of the RDBMS workflow element. That plugin is responsible for processing bind requests only. Upon reception of a bind request against a user stored in SQLServer, the custon plugin retrieves the user entry containing hashed password and salt, accesses the plain text password provided in the bind request, and performs the password comparison based on custom logic.

Design, dev and testing took me a couple of days, much simpler and cost effective than adding support for this new source in OAM/OIM.

Oracle E-Business Suite certified with Unified Directory

Oracle Unified Directory 11gR2 Patchset 3 ( is now certified for use with Oracle E-Business Suite Release 12.2.

Oracle Unified Directory 11gR2 Patchset 3 ( (along with Directory Integration Platform 11gR1 Patchset 7 ( can be integrated with Oracle Access Manager 11gR2 Patchset 3 ( as a single sign-on solution. For availability and other information on Oracle Unified Directory, refer to the articles listed in the documentation section below.

Generational Garbage Collection with IBM JVM for Oracle Unified Directory

A main difference between IBM J9 JVM and Oracle JVM is that IBM’s JVM has different heap structure than Oracle’s JVM. By default IBM JVM (java 6) does not use Generational Garbage Collector. Such setting has adverse effects on OUD as OUD allocates a huge numbers of transient objects. Using the default IBM JVM settings lead to full garbage collections that freezes the directory services.


I recommend to use generational heap structure systematically with OUD. This can be enabled by the JVM option

OUD provides a means of configuring the Java Virtual Machine (JVM) and Java options for each command-line utility and for the directory server itself. The Java configuration is provided in a properties file, located at instance-dir/OUD/config/ The configuration specified in this file is taken into account each time the dsjavaproperties command is run. If you do not run the dsjavaproperties command, the properties file is ignored. More about JVM param settings at

To use the gencon garbage collector policy for a specific OUD instance, do the following:

Edit the file located at instance-dir/OUD/config/
Add -Xgcpolicy:gencon at the end of the line starting with start-ds
Run instance-dir/OUD/bin/dsjavaproperties
Restart the OUD instance

Migration from OID to OUD: Adapting EUS metadata

Enterprise User Security is an important component of Oracle Database Enterprise Edition. It enables you to address administrative and security challenges for a large number of enterprise database users by centralizing users and roles in a LDAP directory.

It is possible to use either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD) as LDAP repository for EUS.

To migrate from OID to OUD,
– enable EUS support in OUD
– copy your user and groups in <your_context)
– copy across EUS metadata (in cn=oracleContext,<your suffix)

EUS metadata as stored in OID must be slighly adapted before being impoorted to OUD otherwise the DB won’t be able to authenticate against OUD and will raise the following error:

ORA-28043: invalid bind credentials for DB-OID connection

Migrating the DB entry from OID to OUD requires some specific steps for SASL/DIGEST-MD5 authentication. In OID, the password hash used for SASL/DIGEST-MD5 authentication is stored in authpassword;oid, with the {SASL/MD5} prefix.
In OUD, this must be stored in orclcommonrpwdattribute with the {SASL-MD5} prefix.

For instance:

ldapsearch [conn details] -b cn=oraclecontext,dc=example,dc=com -s one “(cn=orcl11g)” authpassword
dn: cn=orcl11g,cn=oraclecontext,dc=example,dc=com
authpassword;oid: {SASL/MD5}ola+G+GFsSeiu6QcRiAh9g==
authpassword;oid: {SASL/MD5-DN}3UeqmU5Axd+XVAM9Lxf28g==
authpassword;oid: {SASL/MD5-U}BD6uyBcSiFbGtlPzq6TtUA==

ldapsearch [conn details] -b cn=oraclecontext,dc=example,dc=com -s one “(objectclass=orcldbserver)” orclcommonrpwdattribute
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
orclcommonrpwdattribute: {SASL-MD5}ola+G+GFsSeiu6QcRiAh9g==

Integrating OUD in Monitoring Frameworks: Service Users

Oracle Unified Directory is an all-in-one directory solution with storage, proxy, synchronization and virtualization capabilities.

It can be monitored and integrated in various Monitoring Solutions including Oracle Enterprise Manager, via a dedicated plugin that provides performance monitoring of hundreds of directory metrics, raise alerts based on thresholds and provides rich out-of-the-box reports. By default, monitoring data are retrieved from OUD over LDAPS from the OUD administration port.

In order to use this method, it is recommended to define a dedicated directory user with read privilege on monitoring statistics and configuration. Such user can either be a so-called Root User or a Global Admin User. Root Users are local to a OUD instance and have some special privileges. Global Admin Users are quite similar to Root Users except that they are replicated across OUD servers, so this is more convenient if you want to monitor several OUD instances.

The following rights and privileges are required to access monitoring data and config:  Read access on cn=config and cn=monitor naming contexts and config-read privilege.

Root Users automatically inherit a bunch of default privileges, much more than what is strictly needed to monitor OUD, so unnecessary privileges must be removed and read access must be granted. To create a Root User called “cn=monitor” with sufficient privileges , do the following

./ldapmodify  -h <hostname> -p <adminport> \
-D "cn=Directory Manager" -w <password> -X --useSSL  <<EOF
dn : cn=monitor,cn=Root DNs,cn=config
changetype: add
objectclass: inetOrgPerson
objectclass: person
objectclass: ds-cfg-root-dn-user
objectclass: top
userPassword: <password>
ds-cfg-alternate-bind-dn: cn=monitor
cn: monitor
sn: monitor

Let’s remove unnecessary privileges (basically all but config-read)

./ldapmodify  -h <hostname> -p <adminport> \
-D "cn=Directory Manager" -w <password> -X --useSSL <<EOF
dn : cn=monitor,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: -config-write
ds-privilege-name: -modify-acl
ds-privilege-name: -ldif-import
ds-privilege-name: -ldif-export
ds-privilege-name: -backend-backup
ds-privilege-name: -backend-restore
ds-privilege-name: -server-shutdown
ds-privilege-name: -server-restart
ds-privilege-name: -disconnect-client
ds-privilege-name: -cancel-request
ds-privilege-name: -unindexed-search
ds-privilege-name: -password-reset
ds-privilege-name: -update-schema
ds-privilege-name: -privilege-change
ds-privilege-name: -bypass-acl

If you prefer to use Global Admin Users, do the following:

./ldapmodify  -h <hostname> -p <adminport> \ 
-D "cn=Directory Manager" -w <password> -X --useSSL <<EOF
dn : cn=monitor,cn=Administrators,cn=admin data
changetype: add
objectclass: person
objectclass: top
userPassword: <password>
cn: monitor
sn: monitor

Let’s add config-read privilege:

./ldapmodify  -h <hostname> -p <adminport> -D "cn=Directory Manager" -w <password> -X -Z <<EOF
dn : cn=monitor,cn=Administrators,cn=admin data
changetype: modify
add: ds-privilege-name
ds-privilege-name: config-read

No matter what User type you choose to use, you need to grant read access to the config and the monitoring information using OUD global acis:
For Root Users, add the following acis using dsconfig: Start dsconfig, select Authentication and Authorization, then Access Control Handler and add the 2 following global acis:

(target="ldap:///cn=config")(targetattr="*")(version 3.0; acl "Monitor config access"; allow (read,search) \
  userdn="ldap:///cn=monitor,cn=Root DNs,cn=config";)
(target="ldap:///cn=monitor")(targetattr="*")(version 3.0; acl "Monitor access"; allow (read,search) \
  userdn="ldap:///cn=monitor,cn=Root DNs,cn=config";)

For Global Admin Users, here are the corresponding acis:

(target="ldap:///cn=config")(targetattr="*")(version 3.0; acl "Monitor config access"; allow (read,search) \
  userdn="ldap:///cn=monitor,cn=administrators,cn=admin data";) 
(target="ldap:///cn=monitor")(targetattr="*")(version 3.0; acl "Monitor access"; allow (read,search) \
  userdn="ldap:///cn=monitor,cn=administrators,cn=admin data";)

At that stage, config and monitoring stats are available from the OUD admin port to the cn=monitor user (if you choose to use Root Users) or to cn=monitor,cn=administrators,cn=admin data (for Global Admins).:

OUD Directory Server vs Replication Server: Who Cares ?

Oracle Unified Directory replication model relies on 2 logical components, Directory Servers and Replication Servers. Directory Servers contain user data, pushes changes to replication changed and get updates from replication servers. Replication Server stores replication changes, they receive changes to directory servers and forward them to the rest of the topology.

By default, you don’t need to care about Replication Servers. Replication Servers and internal components managed automatically: a Replication Server is autimatically configured in each OUD DIrectory Server process when replication is configured.

OUD Replication Server and Directory Servers are NOT equivalent to DSEE Suppliers and Consumers. By default, every replicated OUD is a Read-Write Supplier/Master.

When do you need to know about replication servers? – Primarily, when full network connectivity cannot be guarantied across every instance as every Replication Server must be able to communicate to each other. – Optionally, Replication Servers and DIrectory Servers can be separated to optimize resource usage in large OUD topologies (10’s of instances) – To enable external changelog service on a standalone OUD instance (for instance in a test environment) as a Replication Server is required is such case.