Friday Sep 21, 2012

Creating a new naming context in OUD

A naming context (also known as a directory suffix) is a DN that identifies the top entry in a locally held directory hierarchy.

A new naming context can be created using ODSM, the OUD gui admin console, as described in http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/server_config.htm#CBDGCJGF

It can also be created using the dsconfig command line as described below: Creation of a new naming context consists in 3 steps:

First create a Local Backend Workflow element (myNewDb in this exemple) ,  responsible for the naming context base dn, e.g o=example.


dsconfig create-workflow-element \
          --set base-dn:o=example \
          --set enabled:true \
          --type db-local-backend \
          --element-name myNewDb \
          --hostname <your host> \
          --port <admin port> \
          --bindDN cn=Directory\ Manager \
          --bindPasswordFile ****** \
          --no-prompt

Second, create a Workflow element (workFlowForMyNewDb in this exemple) associated with the Local Backend Workflow element. WorkFlow elements are used to route LDAP requests to the appropriate database, based on the target base dn.

dsconfig create-workflow \
          --set base-dn:o=example \
          --set enabled:true \
          --set workflow-element:myNewDb \
          --type generic \
          --workflow-name workFlowForMyNewDb \
          --hostname <your host name> \
          --port <admin port>\
          --bindDN cn=Directory\ Manager \
          --bindPasswordFile ****** \
          --no-prompt

Then, the workflow element must be made visible outside of the directory, i.e added to the internal "routing table". This is done by adding the Workflow to the appropriate Network Group. A Network group  is used to classify incoming client connections and route requests to workflows.

dsconfig set-network-group-prop \
          --group-name network-group \
          --add workflow:workFlowForMyNewDb \
          --hostname <your hostname> \
          --port <admin port>\
          --bindDN cn=Directory\ Manager \
          --bindPasswordFile ****** \
          --no-prompt

At that stage, it is possible to import entries to the new naming context o=example.


Thursday Aug 16, 2012

Using execution context ID (ECID)

Execution context ID (ECID) is a unique identifier to correlate events or requests associated with the same transation across several components.

The ECID value for a particular request is generated at the first layer and is passed down to the subsequent layers. The ECID value is logged (and auditable) in each product involved in the transaction. ECID allows an administrator to track the end-to-end flow of a particular request across the product stack.

ECID are supported by OUD and can be used to track LDAP requests from the client down to the ultimate LDAP server processing the request (inclusing LDAP access layer/proxy if any).

When performing a LDAP operation, a client can pass a ECID using the LDAP control extension 2.16.840.1.113894.1.8.31 . This ECID is logged by OUD. The OUD server generates a ECID in case none is present in the incoming request.

ECID are logged in the "Oracle Access Logger". By default, this logger is disabled. To enable it, run the command below:

dsconfig set-log-publisher-prop \
         --publisher-name Oracle\ Access\ Logger \
         --set enabled:true\
         --hostname prehnite \
         --port <admin port>\
         --bindDN cn=Directory\ Manager \
         --bindPassword ****** \
         --no-prompt

Here is a sniplet of the Oracle access log:

[2012-08-16T16:10:26.770+02:00] [OUD] [TRACE] [OUD-24641559] [PROTOCOL] [host: prehnite] [nwaddr: 10.166.70.62] [tid: 25] [userId: sduloutr] [ecid: 10.166.70.62:37126:1345126226770:39,0] [category: REQ] [conn: -1] [op: 80] [msgID: 81] [dn: o=example] [type: synchronization] MODIFY

The administrator can then search the logs using a particular ECID value. Audit logs can be queried for a given ECID through Oracle BI Publisher’s audit reports. For example, if you send an LDAP request to Oracle Virtual Directory front-ending Oracle Unified Directory, an ECID associated with the LDAP request is present in the OVD diagnostic logs and audit logs; similarly, when the query reaches OUD, OUD includes the same ECID in its diagnostic logs and audit reports.

About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
9
10
11
12
13
14
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today