Monday Aug 27, 2012

Enabling support of EUS and Fusion Apps in OUD

Since the 11gR2 release, OUD supports Enterprise User Security (EUS) for database authentication and also Fusion Apps. I'll plan to blog on that soon. Meanwhile, the R2 OUD graphical setup does not let you configure both EUS and FusionApps support at the same time.

However, it can be done manually using the dsconfig command line. The simplest way to proceed is to select EUS from the setup tool, then manually add support for Fusion Apps using dsconfig using the commands below:

- create a FA workflow element with eusWfe as next element:
dsconfig create-workflow-element \
          --set enabled:true \
          --set next-workflow-element:Eus0 \
          --type fa \
          --element-name faWfe


- modify the workflow so that it starts from your FA workflow element instead of Eus:
dsconfig set-workflow-prop \
          --workflow-name userRoot0 \
          --set workflow-element:faWfe

 Note: the configuration changes may slightly differ in case multiple databases/suffixes are configured on OUD.


Tuesday Aug 21, 2012

Shortcuts to download Oracle IDM and OUD 11g R2

Oracle Identity Management 11g R2 is now available for download from Oracle edelivery. It is sometimes a bit difficult to quickly find the right link to OUD R2, so here is the 7-steps procedure:

  1. Go to the edelivery portal , login and accept the legal aggrements if any
  2. Select "Oracle Fusion Middleware" from  the Product Pack menu
  3. Select Linux x86-64 from the Platform menu (no matter what target platform you plan to use, as the OUD link does not appear yet for some supported platforms)
  4. Click GO
  5. In the search result table, select "Oracle Fusion Middleware Identity Management 11g R2 Media Pack"
  6. Click on Continue.
  7. Locate "Oracle Unified Directory 11g (11.1.2.0.0)" in the list (close to the end) then download the 152M  file (V33641-01.zip)

 That's it!


Thursday Aug 16, 2012

Using execution context ID (ECID)

Execution context ID (ECID) is a unique identifier to correlate events or requests associated with the same transation across several components.

The ECID value for a particular request is generated at the first layer and is passed down to the subsequent layers. The ECID value is logged (and auditable) in each product involved in the transaction. ECID allows an administrator to track the end-to-end flow of a particular request across the product stack.

ECID are supported by OUD and can be used to track LDAP requests from the client down to the ultimate LDAP server processing the request (inclusing LDAP access layer/proxy if any).

When performing a LDAP operation, a client can pass a ECID using the LDAP control extension 2.16.840.1.113894.1.8.31 . This ECID is logged by OUD. The OUD server generates a ECID in case none is present in the incoming request.

ECID are logged in the "Oracle Access Logger". By default, this logger is disabled. To enable it, run the command below:

dsconfig set-log-publisher-prop \
         --publisher-name Oracle\ Access\ Logger \
         --set enabled:true\
         --hostname prehnite \
         --port <admin port>\
         --bindDN cn=Directory\ Manager \
         --bindPassword ****** \
         --no-prompt

Here is a sniplet of the Oracle access log:

[2012-08-16T16:10:26.770+02:00] [OUD] [TRACE] [OUD-24641559] [PROTOCOL] [host: prehnite] [nwaddr: 10.166.70.62] [tid: 25] [userId: sduloutr] [ecid: 10.166.70.62:37126:1345126226770:39,0] [category: REQ] [conn: -1] [op: 80] [msgID: 81] [dn: o=example] [type: synchronization] MODIFY

The administrator can then search the logs using a particular ECID value. Audit logs can be queried for a given ECID through Oracle BI Publisher’s audit reports. For example, if you send an LDAP request to Oracle Virtual Directory front-ending Oracle Unified Directory, an ECID associated with the LDAP request is present in the OVD diagnostic logs and audit logs; similarly, when the query reaches OUD, OUD includes the same ECID in its diagnostic logs and audit reports.

Tuesday Aug 07, 2012

OUD 11gR2 documentation available on OTN

Following the annoucement of  the R2 release, the Oracle Identity Management 11g R2 (11.1.2) is now available on OTN here.

Documentation for Oracle Unified Directory (OUD) 11gR2 (11.1.2) is available here.

Certification matrix is available at  http://www.oracle.com/technetwork/middleware/id-mgmt/identity-accessmgmt-11gr2certmatrix-1714221.xls

Monitoring OUD with VisualVM

VisualVM is a visual tool integrating several commandline JDK tools and lightweight profiling capabilities. Designed for both production and development time use, it further enhances the capability of monitoring and performance analysis for the Java SE platform.

Here are the steps to use VisualVM to monitor Oracle Unified Directory: 

#1 Download the latest release of VisualVM from http://visualvm.java.net/

#2 Enable the MBeans plugin as described in  http://visualvm.java.net/mbeans_tab.html to take advantage of the statistics exposed by OUD

#3 Enable JMX on OUD

  1. Start the server.

  2. Enable the JMX Connection Handler and set the port number to be used with JMX.

    Choose a port that is not in use and to which the user that is running the server has access rights.

    $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
      set-connection-handler-prop --handler-name "JMX Connection Handler" \
      --set enabled:true --set listen-port:1689
    
  3. Add the JMX read, write, and notify privileges to the root DN.

    $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
      set-root-dn-prop \
      --add default-root-privilege-name:jmx-read \
      --add default-root-privilege-name:jmx-write \
      --add default-root-privilege-name:jmx-notify
    
  4. Restart the server.

#4 Connect to OUD from VisualVM

To connect VisualVMto a server instance, click on File/Add JMX Connection. The following fields are required:

  • JMX URL:

    service:jmx:rmi:///jndi/rmi://''host'':''port''/org.opends.server.protocols.jmx.client-unknown

    • host is a host name, an IPv4 numeric host address, or an IPv6 numeric address enclosed in square brackets.

    • port is the decimal port number of the JMX connector.

    The default JMX URL is:

    service:jmx:rmi:///jndi/rmi://198.51.100.0:1689/org.opends.server.protocols.jmx.client-unknown

  • User Name. A valid LDAP user name.

    The default Directory Manager user name is cn=Directory Manager.

  • Password. The user's LDAP password.

#5 Browse MBeans attributes

Go to the right panel then select the MBean tab and navigate in the MBean tree. You can get access to the OUD config, monitoring information & statistics and all the convenient java metrics.


Note: You can plot those JMX numeric values in VisualVM that appear in bold. To do so, double-clicking on numeric attribute values will display a chart that plots changes in that numeric value.





Monday Aug 06, 2012

OUD Database Indexes & Performance Tuning

Oracle Unified Directory (OUD) database indexes enable (search) directory requests  to be processed efficiently. 

Indexes are files that contain lists of values, where each value is associated with a list of entry identifiers to suffixes in the directory server database. When the directory server processes a search request, it searches the database using the list of entry identifiers in the indexes, thus speeding up the search. If indexes did not exist, the directory server would have to look up each entry in the database, which dramatically degrades performance.

First of all, unindexed searches are rejected by default unless the (authenticated)  user has the privilege to perform them because unindexed searches  may negatively impact overall directory performances. In some circumstances, unindexed searches are a valid approach, so it is possible to explicitely  assign the unindexed-search privilege to a user or a group of user. A user attempting to perform an unindexed search gets the message "you do not have sufficient privileges to perform an unindexed search".

Note that unindexed searches always complete sucessfully when the amount of entries in the database does not exceed the value if index-entry-limit (4000 by default), which is unlikely to be seen in real deployments.

The verify-index command can be used to check the consistency between the index and entry data within the directory server database. This command also provides information about the number of index keys that have reached the index entry limit (See below).

The rebuild-index command can be used to rebuild an index. It is useful in the following cases:

  • When the index-entry-limit property of an index changes

  • When a new index is created

The index-entry-limit tuning parameter (known as AllIDs threshold in Oracle Directory Server Entreprise Edition) controls the maximum numbers of entries kept in an index record as scaning the whole database may become a more efficient option when the number of entries associated with a given index value becomes huge.

Tuning indexes upfront may not be an obvious task, that's the reason why OUD provides you with  both  static and  dynamic index analyser tools:

The static analyser is delivered as part of the dbtest tool.  The dbtest list-index-status -n <dbName> -b <dbSuffix> command let you figure out how many entries are associated with each index value, and tune index-entry-limit when needed..

The dynamic analyser can be used to monitor live search filters received by OUD and corresponding  index usage: Live index analysis must be first enabled at the database level. At that point, subsequent searches hitting OUD are analysed and the corresponding statistics are kept in memory.  Statistics can be retrieved from the in-memory suffix cn=monitor as part of the database environmenent entry.

To enable live index data collection, run  the following command:

$ dsconfig set-workflow-element-prop --element-name userRoot  --set index-filter-analyzer-enabled:true  --set max-entries:100 -h localhost -p 4444 -D cn=directory\ manager -w <password>

The set-max-entries parameter controls how many statistical records are kept in memory.

To retrieve the results, run the following search:

$ ldapsearch -p 1389 -D cn=directory\ manager -w <password>  -b "cn=<dbName> Database Environment,cn=monitor"  "(objectclass=*)"  filter-usefilter-use: (description=*) hits:2 maxmatches:-1 message:presence index type is disabled for the description attribute

Important note:  It is not recommanded to enable statistic collection in a production system for a long time as it consumes ressources.

It is also possible to use the operational attribute debugsearchindex to figure out which entries are targetted by each component of a LDAP search filter. This is a lightweight yet convenient way to debug index-related issues.

$ ./ldapsearch -p 11389 -b "o=example" -D "cn=directory manager" -w *** "(&(uid=user.9*)(objectclass=*))" debugsearchindex
dn: cn=debugsearch
debugsearchindex: filter=(&(objectClass=*)[NOT-INDEXED](uid=user.9*)[COUNT:111]) [COUNT:111] scope=wholeSubtree[LIMIT-EXCEEDED:4101] final=[COUNT:111] 


Saturday Jun 09, 2012

New convenient Information Center about OUD in My Oracle Support

A new "Information Center" dedicated to Oracle Unified Directory is available from the Oracle Support Site. This page provides you with all the useful links and news related to the product, including technical articles, docs, licensing info and the latest patches available. To access it, log into MOS (My Oracle Support) at http://support.oracle.com,  search for 1418884.2 doc id in the search field on the front page, then click on the "Information Center : Overview Oracle Unified Directory (OUD)" link.

Friday Jun 08, 2012

OUD 11gR1 Certification Matrix

For those of you who needs the Oracle Unified Directory Certification Matrix and have hard times to find it, here is THE link:  Certification Matrix

Wednesday May 02, 2012

Cohabitation/Migration ODSEE->OUD: privileges

OUD provides a privilege subsystem, which can be used to define capabilities that will be granted to users. The privilege subsystem works in conjunction with the access control implementation in the process of determining whether a user will be allowed to perform a certain operation.

In general, default OUD access control settings are stricter than ODSEE. Appropriate privileges must be added to achieve behavior that is equivalent to that of ODSEE. For instance, by default, OUD ACIs don’t allow users to reset another users’s password. Alternatively, it is possible to disable the privilege subsystem.

By default, normal users are not granted any of the privileges listed above. Therefore, if a user should be allowed to perform any of the associated operations, they must be granted the appropriate privileges. This can be done by adding the ds-privilege-name operational attribute to the user's entry. ds-privilege-name is a multivalued attribute, and if a user is to be given multiple privileges, then a separate value should be used for each one. When the virtual attribute subsystem is in place, it should also be possible to grant privileges to groups of users automatically by making ds-privilege-name a virtual attribute in those user entries.

As an example, the following modification can be used to add the proxied-auth privilege to the user cn=Proxy User,dc=example,dc=com:

dn: cn=Proxy User,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

Granting privileges explictely to users may not be the optimal solution when OUD and ODSEE cohabit in a replication topology as the OUD-specific ds-privilege-name would be replicated by to ODSEE, so privileges can also be assign implicitely to a set of user based on group membership for example, using the notion of virtual attribute. I'll cover Virtual attribute in a subsequent post.

Alternatively, It is possible to disable those privileges leading to aci behavioral differences between OUD and ODSEE. For instance, the  unindexed-search privilege can be disabled  so that users can perform un-indexed searches. A privilege (unindex search checking in the example below) can be disabled using the following command:

dsconfig
set-global-configuration-prop  --add \
disabled-privilege: unindexed-search -n

The list of OUD privileges is available here.

Cohabitation/Migration ODSEE->OUD: schema checking

By default, OUD schema scheck is stricter than ODSEE.  Schema checking is key for data sanity, however this might cause some trouble when "incorrect" data have to be imported into OUD or when incorrect data are replicated from ODSEE.

Generally speaking, it is not recommanded to disable schema checking and the data should be fixed whenever possible before import and on the ODSEE side when ODSEE and OU cohabit in the same replication topology. In some cases, this is not possible, so some specific checks can be disabled to accomodate with common inconsistency:

Structural object class unicity

Per LDAP standard, every LDAP entry must contain exactly one structural object class.  In many deployments, some LDAP entries contain 0 or more than 1 objectclass and several LDAP server implementations do not enforce this. By default OUD does. Such check can be relaxed w/o know adverse effect by using the command below:

dsconfig set-global-configuration-prop --set \
single-structural-objectclass-behavior:accept -n

Attribute type names containing invalid characters

A few customers defined their own attribute types, using forbidden characters, e.g undercores, or leading digit in attribute names and/or in attribute type extensions (e.g 4you;x_bad_extension). Such check can be relaxed using the command below:

dsconfig set-global-configuration-prop --set \
allow-attribute-name-exceptions:true -n

 Zero-length attribute value

Zero-length attribute values (that is, an empty string) is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it. Empty string can be explicitely allowed on a per LDAP syntax basis, using the example below for DirectoryString syntax:

dsconfig set-attribute-syntax-prop --syntax-name Directory\ String \
--set allow-zero-length-values:true -n

Monday Apr 30, 2012

Cohabitation/Migration ODSEE->OUD: dn-based search resource limits

Oracle Unified Directory 11g Release 1 (11.1.1) provides a mechanism to replicate data between Oracle Directory Server Enterprise Edition and Oracle Unified Directory. Depending on the ODSEE features used, the OUD configuration may need to be adapted to provide the same service transparently to client application.

Both ODSEE and OUD provide ways to control ressources used by a directory user. The following limits are provided by OUD at the global configuration level:

  • ds-cfg-size-limit specifies the maximum number of entries that can be returned to the client during a single search operation.
  • ds-cfg-time-limit specifies the maximum length of time that should be spent processing a single search operation
  • ds-cfg-lookthrough-limit specifies the maximum number of entries that the Directory Server should "look through" in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria.
  • ds-cfg-idle-time-limit specifies the maximum length of time that a client connection may remain established since its last completed operation

The corresponding configuration attributes in ODSEE are search-size-limit, search-time-limit, look-through-limit, idle-timeout.  Such configuration mapping is automatically provided by tools like ds2oud.

Server limits for search operations can also be controlled using special operational attribute values assoaicted with the user binding to the directory. These attributes are stored as part of the directory data, so they are replicated between ODSEE and OUD.  Attribute names (and sometimes values) vary so the OUD configuration need to be extended to deal with that:

DSEE entries may contain the following resource limit attributes: nsSizeLimit, nsTimeLimit, nsLookThroughLimit, nsIdleTimeout. Corresponding attributes on OUD are ds-rlim-size-limit, ds-rlim-time-limit, ds-rlim-lookthrough-limit,ds-rlim-idle-time-limit.In order to replicate the functionality correctly, the OUD schema (02-config.ldif) must be modified so that each DSEE attribute name related to resource limits is declared as an alias name for each corresponding OUD attribute. An alias can be declared in an attributeType declaration as below:

attributeTypes: ( 1.3.6.1.4.1.26027.1.1.244 NAME ( 'ds-pwp-password-policy-dn' 'alias-for-ds-pwp-password-policy-dn')

On DSEE, -1 is used to disable a resource limit. On OUD, 0 is used. One way to address this difference is to create a virtual attribute on OUD to override the content of the OUD attribute when the value of the DSEE attribute is equals to -1. A virtual attribute must be created for the 4 attributes mentioned, as described below:

dsconfig create-virtual-attribute --name "mapping nsSizeLimit "
--type user-defined --set attribute-type:ds-rlim-size-limit \
--set filter:”(nsSizeLimit=-1)” \
--set conflict-behavior:virtual-overrides-real \
--set value:"0"
--set enabled:true
dsconfig create-virtual-attribute --name "mapping nsTimeLimit " 
--type user-defined --set attribute-type:ds-rlim-time-limit \
--set filter:”(nsTimeLimit=-1)”\
--set conflict-behavior:virtual-overrides-real \
--set value:"0"
--set enabled:true
dsconfig create-virtual-attribute
--name "mapping nsLookthroughLimit" 
--type user-defined 
--set attribute-type:ds-rlim-lookthrough-limit 
--set filter:”(nsLookthroughLimit=-1)”
--set conflict-behavior:virtual-overrides-real
--set value:"0"
--set enabled:true
dsconfig create-virtual-attribute --name "mapping nsIdleTimeout " \
--type user-defined --set attribute-type:ds-rlim-idle-time-limit \
--set filter:”(nsIdleTimeout=-1)”\
--set conflict-behavior:virtual-overrides-real \
--set value:"0"
--set enabled:true

More information about account-based resource limits is available here.

Thursday Apr 19, 2012

Optimized Solution for Oracle Unified Directory

Oracle Optimized Solution for Oracle Unified Directory is a complete solution - Software and Harware engineered to work together.

It implements Oracle Unified Directory software on Oracle's SPARC T4 servers to provide highly available and extremely high performance directory services for the entire enterprise infrastructure and applications. The solution is architected, optimized, and tested to deliver simplicity, performance, security, and savings in enterprise environments.

 More details available at http://www.oracle.com/us/solutions/1571310

Wednesday Feb 08, 2012

Oracle Unified Directory Root DSE entry and schema

The root DSE entry (empty dn) is often used by LDAP client applications to discover directory services capabilities.  For instance, attribute namingContexts gives indications about the suffixes managed by the directoy server instance. All these attributes are flagged as OPERATIONAL, so, they should not be returned to client applications unless they are explicitely specified in the search attribute list.

OUD strictly adheres to LDAP standards so these attributes are not returned by default. In Oracle Directory Server Entreprise Edition (ODSEE), these attributes are treated as standard ones and are systematically returned to client applications. Applications depending on the ODSEE behaviour might be impacted as many of them do no specify any search attribute list. To make OUD behave like ODSEE with regards to the access of rootDSEE attributes, run the following command:

dsconfig set-root-dse-backend-prop --set show-all-attributes:true

To make OUD treat schema operational attribute like user attributes, run the following too:

dsconfig set-workflow-element-prop --element-name schema --set show-all-attributes:true


Installing Oracle Unified Directory in silent mode

By default, the OUD installer runs in GUI mode. Alternatively, it is possible to install and setup OUD in silent mode.

First, download the OUD bits, then run the installer in silent mode. Last but not least setup/configure OUD in silent mode as well.

To run the installer in silent mode, either run it in GUI mode on your laptop or any system with a GUI and record your answers so that you can replya them on another system in silent mode. Alternatively, you can build a response file manually for OUD.

To record your answers, run the installer with the option -record, e.g

./runInstaller -record -destinationFile /tmp/OUD.rsp
To the installer with an existing response file (silent mode)
./runInstaller -silent -responseFile /tmp/OUD.rsp

A response file template is available at the end of this post. You need to change values for ORACLE_HOME and MIDDLEWARE_HOME.

After this install, you can setup oud in cli mode (oud-setup), either interactive or in batch.

oud-setup --cli --no-prompt -D "cn=directory manager" -j $PASS_FILE -p $PORT1 --adminConnectorPort $APORT1 --noPropertiesFile


More info available at http://docs.oracle.com/cd/E22289_01/html/821-1274/ds-cli-setup.html#scrolltoc

 --- template file for the OUD installer

[ENGINE]

#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0

[GENERIC]

#Set this to true if you wish to specify a directory where latest updates are downloaded. This option would use the software updates from the specified directory
SPECIFY_DOWNLOAD_LOCATION=false

#
SKIP_SOFTWARE_UPDATES=true

#If the Software updates are already downloaded and available on your local system, then specify the path to the directory where these patches are available and set SPECIFY_DOWNLOAD_LOCATION to true
SOFTWARE_UPDATES_DOWNLOAD_LOCATION=

#Provide the Oracle Home location. The location has to be the immediate child under the specified Middleware Home location. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character. The total length has to be less than or equal to 128 characters. The location has to be an empty directory or a valid SOA Oracle Home.
ORACLE_HOME=/u01/app/oracle/middleware/OUD

#Provide existing Middleware Home location.
MIDDLEWARE_HOME=/u01/app/oracle/middleware/

#
CONFIG_WIZARD_RESPONSE_FILE_LOCATION=0


[SYSTEM]


[APPLICATIONS]


[RELATIONSHIPS]

Monday Aug 01, 2011

Oracle Unified DIrectory 11G announced.

Oracle Unified Directory (aka OUD) is an all-in-one directory solution with storage, proxy, synchronization and virtualization capabilities.

The product can be downloaded from http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html

The OUD documentation is live on OTN, at this URL. http://download.oracle.com/docs/cd/E22289_01

For more info, have a look at the official press release.

About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
9
10
11
12
13
14
16
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today