Migrating DSEE database indexes to OUD

Many DSEE customers declare database indexes by writing directly to the DSEE server configuration. For instance, the following LDIF snippet creates a presence and equality index for the attribute employeeNumber in the userRoot database:

dn: cn=employeenumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: employeenumber
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq

It is not recommended to update the OUD configuration directly, as this is not a public interface and the internal configuration representation may be subject to change. Use the dsconfig command line tool instead. Here is the command equivalent to the index creation above:

dsconfig -h localhost -p <admin port> -D "cn=directory manager" -j <password_file> -X -n \
  create-local-db-index \
  --backend-name userRoot \
  --index-name employeenumber \
  --set index-type:presence \
  --set index-type:equality

More about OUD index creation and management is available at http://docs.oracle.com/cd/E37116_01/admin.111210/e22648/indexing.htm#solINDEX-DATABASES and http://docs.oracle.com/cd/E37116_01/admin.111210/e22648/managing_data.htm#solTO-CREATE-A-NEW-LOCAL-DB-INDEX
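The translation from a DSEE nsIndex entry to a dsconfig call is mechanical, so here is an added Python example (my code, not from the original post or from Oracle) that applies it to a whole export of the cn=index container: it reads the index entries with a minimal LDIF reader, skips system indexes (OUD maintains its own), maps nsIndexType values through a lookup table and emits one create-local-db-index command per attribute, reporting any index type it cannot map instead of guessing. The sample LDIF is constructed, and the connection options are copied from the command above with placeholder values.

```python
"""Added example: turn DSEE nsIndex entries into OUD dsconfig commands.

Not code from the original post. Input is an LDIF export of the
cn=index,cn=<backend>,cn=ldbm database,cn=plugins,cn=config subtree.
"""

# DSEE nsIndexType value -> OUD index-type property value.
INDEX_TYPE_MAP = {
    "pres": "presence",
    "eq": "equality",
    "sub": "substring",
    "approx": "approximate",
}

# Connection options copied from the post; the values are placeholders.
DSCONFIG_PREFIX = (
    'dsconfig -h localhost -p <admin port> -D "cn=directory manager" '
    "-j <password_file> -X -n"
)

# Constructed sample export (not taken from a real server).
SAMPLE_LDIF = """\
dn: cn=employeenumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: employeenumber
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq

dn: cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: mail
nsSystemIndex: false
nsIndexType: eq
nsIndexType: sub
nsIndexType: fancy

dn: cn=entrydn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: entrydn
nsSystemIndex: true
nsIndexType: eq
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute(lowercase): [values]} dicts.
    Only the plain 'attr: value' form is handled, which is all DSEE index
    entries use (no '::' base64 values, no folded lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def backend_from_dn(dn):
    """cn=<index>,cn=index,cn=<backend>,cn=ldbm database,... -> <backend>."""
    rdns = [r.strip() for r in dn.split(",")]
    if len(rdns) < 3 or rdns[1].lower() != "cn=index":
        raise ValueError("not a DSEE index entry DN: " + dn)
    return rdns[2].split("=", 1)[1]


def index_to_dsconfig(entry):
    """Return (command, warnings) for one entry. command is None when the
    entry is a system index, is not an nsIndex entry, or has no index type
    that OUD understands; warnings list what needs a manual decision."""
    warnings = []
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "nsindex" not in classes:
        return None, warnings
    if entry.get("nssystemindex", ["false"])[0].lower() == "true":
        return None, warnings  # OUD has its own system indexes (e.g. entryDN)
    name = entry["cn"][0]
    backend = backend_from_dn(entry["dn"][0])
    types = []
    for t in entry.get("nsindextype", []):
        oud_type = INDEX_TYPE_MAP.get(t.lower())
        if oud_type is None:
            warnings.append("%s: nsIndexType '%s' has no mapping, review manually" % (name, t))
        else:
            types.append(oud_type)
    if "nsmatchingrule" in entry:
        warnings.append("%s: nsMatchingRule values are not converted" % name)
    if not types:
        return None, warnings
    parts = [DSCONFIG_PREFIX, "create-local-db-index",
             "--backend-name " + backend, "--index-name " + name]
    parts += ["--set index-type:" + t for t in types]
    return " \\\n  ".join(parts), warnings


def convert_ldif(text):
    """Convert every index entry in an export; returns (commands, warnings)."""
    commands, warnings = [], []
    for entry in parse_ldif(text):
        cmd, warn = index_to_dsconfig(entry)
        warnings.extend(warn)
        if cmd:
            commands.append(cmd)
    return commands, warnings


if __name__ == "__main__":
    cmds, warns = convert_ldif(SAMPLE_LDIF)
    for w in warns:
        print("# WARNING:", w)
    print("\n\n".join(cmds))
```

Review the generated script before running it: the -X option, kept from the post, makes dsconfig trust any server certificate, and on a production admin port you would rather point the tool at a truststore.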

Oracle Unified Directory 11g R2 PS1 released

By Sylvain Duloutre on Apr 11, 2013

Oracle Identity and Access Management 11g R2 (11.1.2.1.0) is now generally available. Media is available for download on the Oracle Software Delivery Cloud (OSDC). This includes the following products:

  • Oracle Identity and Access Management
  • Oracle Entitlements Server Security Module
  • Oracle Access Manager OHS 11g WebGates
  • Oracle Access Manager IHS 7.0 WebGates
  • Oracle Access Manager Access SDK
  • Oracle Access Manager JBoss 5 Agent
  • Oracle Unified Directory
  • Oracle Enterprise Single Sign-On
  • Oracle Access Management Mobile and Social SDK

To download OUD, go to https://edelivery.oracle.com/, select “Oracle Fusion Middleware” and the target platform, then select “Oracle Fusion Middleware Identity Management 11gR2 Media Pack” and then “Oracle Unified Directory 11g (11.1.2.1.0)”.

Documentation is available at http://docs.oracle.com/cd/E37116_01/index.htm

The certification matrix is available at http://www.oracle.com/technetwork/middleware/id-mgmt/identity-accessmgmt-11gr2certmatrix-1714221.xls

Enabling EUS support in OUD 11gR2 using command line interface

Enterprise User Security (EUS) allows Oracle Database to use users & roles stored in LDAP for authentication and authorization.
Since the 11gR2 release, OUD natively supports EUS. EUS can be easily configured during OUD setup. ODSM (the graphical admin console) can also be used to enable EUS for a new suffix.

However, enabling EUS for a new suffix using the command line interface is currently not documented, so here is the procedure:

Let’s assume that EUS support was enabled during initial setup.
Let o=example be the new suffix I want to use to store Enterprise users. The following sequence of commands must be applied for each new suffix:

# Create a local database holding the EUS context info
dsconfig create-workflow-element --set base-dn:cn=OracleContext,o=example --set enabled:true --type db-local-backend --element-name exampleContext -n
# Add a workflow element in the call path to generate on the fly the attributes required by EUS
dsconfig create-workflow-element --set enabled:true --type eus-context --element-name eusContext --set next-workflow-element:exampleContext -n
# Add the context to a workflow for routing
dsconfig create-workflow --set base-dn:cn=OracleContext,o=example --set enabled:true --set workflow-element:eusContext --workflow-name exampleContext_workflow -n
# Add the new workflow to the appropriate network group
dsconfig set-network-group-prop --group-name network-group --add workflow:exampleContext_workflow -n

# Create the local database for o=example
dsconfig create-workflow-element --set base-dn:o=example --set enabled:true --type db-local-backend --element-name example -n

# Create a workflow element in the call path to the user data to generate on the fly the attributes expected by EUS
dsconfig create-workflow-element --set enabled:true --set eus-realm:o=example --set next-workflow-element:example --type eus --element-name eusWfe -n
# Add the db to a workflow for routing
dsconfig create-workflow --set base-dn:o=example --set enabled:true --set workflow-element:eusWfe --workflow-name example_workflow -n
# Add the new workflow to the appropriate network group
dsconfig set-network-group-prop --group-name network-group --add workflow:example_workflow -n

# Add the appropriate ACIs for EUS
dsconfig set-access-control-handler-prop \
  --add global-aci:'(target="ldap:///o=example")(targetattr="authpassword")(version 3.0; acl "EUS reads authpassword"; allow (read,search,compare) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)' -n
dsconfig set-access-control-handler-prop \
  --add global-aci:'(target="ldap:///o=example")(targetattr="orclaccountstatusevent")(version 3.0; acl "EUS writes orclaccountstatusenabled"; allow (write) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)' -n

Last but not least, you must adapt the content of the ${OUD}/config/EUS/eusData.ldif file with your suffix value, then import it into OUD.

Shortcuts to download Oracle IDM and OUD 11g R2

Oracle Identity Management 11g R2 is now available for download from Oracle edelivery. It is sometimes a bit difficult to quickly find the right link to OUD R2, so here is the 7-step procedure:

  1. Go to the edelivery portal, log in and accept the legal agreements, if any
  2. Select “Oracle Fusion Middleware” from the Product Pack menu
  3. Select Linux x86-64 from the Platform menu (no matter what target platform you plan to use, as the OUD link does not appear yet for some supported platforms)
  4. Click GO
  5. In the search result table, select “Oracle Fusion Middleware Identity Management 11g R2 Media Pack”
  6. Click on Continue.
  7. Locate “Oracle Unified Directory 11g (11.1.2.0.0)” in the list (close to the end), then download the 152M file (V33641-01.zip)

That’s it!

Cohabitation/Migration ODSEE->OUD: privileges

OUD provides a privilege subsystem, which can be used to define capabilities that will be granted to users. The privilege subsystem works in conjunction with the access control implementation in the process of determining whether a user will be allowed to perform a certain operation.

In general, the default OUD access control settings are stricter than those of ODSEE. Appropriate privileges must be added to achieve behavior equivalent to that of ODSEE. For instance, by default OUD ACIs don’t allow users to reset another user’s password. Alternatively, it is possible to disable the privilege subsystem.

By default, normal users are not granted any of the OUD privileges. Therefore, if a user should be allowed to perform any of the associated operations, they must be granted the appropriate privileges. This is done by adding the ds-privilege-name operational attribute to the user’s entry. ds-privilege-name is a multivalued attribute; if a user is to be given multiple privileges, a separate value is used for each one. When the virtual attribute subsystem is in place, it is also possible to grant privileges to groups of users automatically by making ds-privilege-name a virtual attribute in those user entries.

As an example, the following modification adds the proxied-auth privilege to the user cn=Proxy User,dc=example,dc=com:

dn: cn=Proxy User,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

Granting privileges explicitly to users may not be the optimal solution when OUD and ODSEE cohabit in a replication topology, as the OUD-specific ds-privilege-name attribute would be replicated to ODSEE. Privileges can instead be assigned implicitly to a set of users, for example based on group membership, using virtual attributes. I’ll cover virtual attributes in a subsequent post.

Alternatively, it is possible to disable those privileges that lead to ACI behavioral differences between OUD and ODSEE. For instance, the unindexed-search privilege can be disabled so that users can perform unindexed searches. A privilege (unindexed-search checking in the example below) can be disabled using the following command:

dsconfig set-global-configuration-prop --add \
  disabled-privilege:unindexed-search -n

The list of OUD privileges is available here.

Cohabitation/Migration ODSEE->OUD: dn-based search resource limits

Oracle Unified Directory 11g Release 1 (11.1.1) provides a mechanism to replicate data between Oracle Directory Server Enterprise Edition and Oracle Unified Directory. Depending on the ODSEE features used, the OUD configuration may need to be adapted to provide the same service transparently to client applications.

Both ODSEE and OUD provide ways to control the resources used by a directory user. The following limits are provided by OUD at the global configuration level:

  • ds-cfg-size-limit specifies the maximum number of entries that can be returned to the client during a single search operation.
  • ds-cfg-time-limit specifies the maximum length of time that should be spent processing a single search operation.
  • ds-cfg-lookthrough-limit specifies the maximum number of entries that the Directory Server should “look through” in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria.
  • ds-cfg-idle-time-limit specifies the maximum length of time that a client connection may remain established since its last completed operation.

The corresponding configuration attributes in ODSEE are search-size-limit, search-time-limit, look-through-limit and idle-timeout. Such configuration mapping is automatically provided by tools like ds2oud.

Server limits for search operations can also be controlled using special operational attribute values associated with the user binding to the directory. These attributes are stored as part of the directory data, so they are replicated between ODSEE and OUD. Attribute names (and sometimes values) vary, so the OUD configuration needs to be extended to deal with that:

DSEE entries may contain the following resource limit attributes: nsSizeLimit, nsTimeLimit, nsLookThroughLimit, nsIdleTimeout. The corresponding attributes on OUD are ds-rlim-size-limit, ds-rlim-time-limit, ds-rlim-lookthrough-limit, ds-rlim-idle-time-limit. In order to replicate the functionality correctly, the OUD schema (02-config.ldif) must be modified so that each DSEE attribute name related to resource limits is declared as an alias of the corresponding OUD attribute. An alias is declared in the NAME clause of an attributeType declaration, as below (the remaining clauses of the declaration are omitted):

attributeTypes: ( 1.3.6.1.4.1.26027.1.1.244 NAME ( 'ds-pwp-password-policy-dn' 'alias-for-ds-pwp-password-policy-dn' )

On DSEE, -1 is used to disable a resource limit. On OUD, 0 is used. One way to address this difference is to create a virtual attribute on OUD that overrides the content of the OUD attribute when the value of the DSEE attribute is equal to -1. A virtual attribute must be created for each of the 4 attributes mentioned, as described below:

dsconfig create-virtual-attribute --name "mapping nsSizeLimit" \
  --type user-defined --set attribute-type:ds-rlim-size-limit \
  --set filter:"(nsSizeLimit=-1)" \
  --set conflict-behavior:virtual-overrides-real \
  --set value:"0" --set enabled:true

dsconfig create-virtual-attribute --name "mapping nsTimeLimit" \
  --type user-defined --set attribute-type:ds-rlim-time-limit \
  --set filter:"(nsTimeLimit=-1)" \
  --set conflict-behavior:virtual-overrides-real \
  --set value:"0" --set enabled:true

dsconfig create-virtual-attribute --name "mapping nsLookthroughLimit" \
  --type user-defined --set attribute-type:ds-rlim-lookthrough-limit \
  --set filter:"(nsLookthroughLimit=-1)" \
  --set conflict-behavior:virtual-overrides-real \
  --set value:"0" --set enabled:true

dsconfig create-virtual-attribute --name "mapping nsIdleTimeout" \
  --type user-defined --set attribute-type:ds-rlim-idle-time-limit \
  --set filter:"(nsIdleTimeout=-1)" \
  --set conflict-behavior:virtual-overrides-real \
  --set value:"0" --set enabled:true

More information about account-based resource limits is available here.
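The four commands above differ only in the attribute pair, and the -1 to 0 translation is the part that is easiest to get wrong when checking a migrated entry, so here is an added Python example (my code, not from the original post or from Oracle) that drives both from a single table: it generates the dsconfig create-virtual-attribute command for each pair, and it computes the limits an OUD server will enforce for a replicated DSEE entry once the schema aliases and the virtual attributes are in place. The attribute mapping follows the post; the sample user entry is constructed.

```python
"""Added example: the ODSEE -> OUD resource-limit mapping, table driven.

Not code from the original post. Generates the four
`dsconfig create-virtual-attribute` commands from one table and models what
OUD enforces for a replicated DSEE entry once the schema aliases and the
virtual attributes are in place.
"""

# DSEE attribute -> OUD attribute. The schema alias makes both names refer
# to one attribute; the virtual attribute turns DSEE's -1 into OUD's 0.
LIMIT_MAP = {
    "nsSizeLimit": "ds-rlim-size-limit",
    "nsTimeLimit": "ds-rlim-time-limit",
    "nsLookThroughLimit": "ds-rlim-lookthrough-limit",
    "nsIdleTimeout": "ds-rlim-idle-time-limit",
}

DSEE_UNLIMITED = "-1"   # "no limit" on DSEE
OUD_UNLIMITED = "0"     # "no limit" on OUD


def virtual_attribute_command(dsee_attr, oud_attr):
    """The dsconfig command from the post, parameterised by attribute pair."""
    return (
        'dsconfig create-virtual-attribute --name "mapping %s" \\\n'
        "  --type user-defined --set attribute-type:%s \\\n"
        '  --set filter:"(%s=%s)" \\\n'
        "  --set conflict-behavior:virtual-overrides-real \\\n"
        '  --set value:"%s" --set enabled:true'
    ) % (dsee_attr, oud_attr, dsee_attr, DSEE_UNLIMITED, OUD_UNLIMITED)


def all_virtual_attribute_commands():
    """One command per mapped attribute, in table order."""
    return [virtual_attribute_command(d, o) for d, o in LIMIT_MAP.items()]


def effective_oud_limits(entry):
    """entry: {attribute: [values]} for a user entry replicated from DSEE.

    Returns {oud_attribute: int} for every limit the entry carries, as the
    OUD server will see it: thanks to the alias the value may be stored under
    either name, and the virtual attribute (filter nsX=-1, conflict behavior
    virtual-overrides-real) replaces a DSEE -1 with 0. Attributes absent from
    the entry are left out, meaning the global ds-cfg-* limit applies.
    """
    lowered = {k.lower(): v for k, v in entry.items()}   # LDAP names are case-insensitive
    limits = {}
    for dsee_attr, oud_attr in LIMIT_MAP.items():
        values = lowered.get(dsee_attr.lower()) or lowered.get(oud_attr.lower())
        if not values:
            continue
        raw = values[0].strip()
        if raw == DSEE_UNLIMITED:
            limits[oud_attr] = int(OUD_UNLIMITED)   # the virtual value wins
        else:
            limits[oud_attr] = int(raw)             # the real value is kept
    return limits


# Constructed sample user entry (not from a real directory).
SAMPLE_ENTRY = {
    "dn": ["uid=jdoe,ou=people,o=example"],
    "uid": ["jdoe"],
    "nsSizeLimit": ["-1"],
    "nsTimeLimit": ["30"],
    "nsIdleTimeout": ["-1"],
}


if __name__ == "__main__":
    print("\n\n".join(all_virtual_attribute_commands()))
    print(effective_oud_limits(SAMPLE_ENTRY))
```

Note that the override only fires on the exact value -1: any other value is passed through unchanged, so an entry with a positive DSEE limit keeps that limit on OUD, and an entry with no per-user limit falls back to the global ds-cfg-* setting.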

Installing Oracle Unified Directory in silent mode

By default, the OUD installer runs in GUI mode. Alternatively, it is possible to install and setup OUD in silent mode.

First, download the OUD bits, then run the installer in silent mode. Last but not least, set up/configure OUD in silent mode as well.

To run the installer in silent mode, either run it in GUI mode on your laptop or any system with a GUI and record your answers so that you can replay them on another system in silent mode, or build a response file manually for OUD.

To record your answers, run the installer with the -record option, e.g.:

./runInstaller -record -destinationFile /tmp/OUD.rsp

To run the installer with an existing response file (silent mode):

./runInstaller -silent -responseFile /tmp/OUD.rsp

A response file template is available at the end of this post. You need to change values for ORACLE_HOME and MIDDLEWARE_HOME.

After the install, you can set up OUD in CLI mode (oud-setup), either interactively or in batch mode:

oud-setup --cli --no-prompt -D "cn=directory manager" -j $PASS_FILE -p $PORT1 --adminConnectorPort $APORT1 --noPropertiesFile

More info is available at http://docs.oracle.com/cd/E22289_01/html/821-1274/ds-cli-setup.html#scrolltoc

Oracle Unified Directory 11G announced.

Oracle Unified Directory (aka OUD) is an all-in-one directory solution with storage, proxy, synchronization and virtualization capabilities.

The product can be downloaded from http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html

The OUD documentation is live on OTN at http://download.oracle.com/docs/cd/E22289_01

For more info, have a look at the official press release.