Thursday Feb 12, 2015

Sudden SSLv3-related errors in OUD explained

Starting with the January 20, 2015 Critical Patch Update releases (JDK 8u31, JDK 7u75, JDK 6u91 and above) the Java Runtime Environment has SSLv3 disabled by default. More details about this change is available at http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

Any attempt to connect to OUD with SSLv3 after applying the Java update above will fail with the error message below in the access logs:

[09/Feb/2015:12:51:48 +0100] DISCONNECT conn=102 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[09/Feb/2015:12:51:48 +0100] CONNECT conn=102 from=****:14123 to=****:1636 protocol=LDAPS

For testing purpose only, a procedure to re-enable SSLv3 is described in http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html howewer it is time to identify the LDAP client culprit and apply the appropriate security fix so that it uses TLS.


Monday Feb 09, 2015

How to lock every account in a LDAP subtree with OUD

Let's assume a customer would like to lock every LDAP account in a given LDAP subtree stored in Oracle Unified Directory.
An account can be locked by setting the ds-pwp-account-disabled operational to true in the accounts to lock. More about account lockout and password mpolicy is available at Managing password policies

It is possible to assign the ds-pwp-account-disabled attribute to a set of accounts using virtual attributes.Virtual attributes are attribues whose values do not exist in persistent storage but are dynamically generated in some way.

OUD Collective attribute is a mean to manage virtual attributes. More about collective attributes at using-collective-attributes '

To lock every account in the oud=people,dc=example,dc=com subtree, create the following collective attribute:

dn: cn=myattr,dc=example,dc=com
objectclass: top
objectClass: subentry
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
ds-pwp-account-disabled;collective: true
subtreespecification: {base "ou=people", minimum 1}
collectiveConflictBehavior: virtual-overrides-real

Friday Jan 30, 2015

Global Administrators with a subset of Admin Privileges

Oracle Unified Directory provides one default root DN or root user, "cn=Directory Manager". The default root DN is a user entry assigned with specialized privileges with full read and write access to all data in the server. Comparable to a Unix root user or superuser, the root DN can bypass access controls to carry out tasks on the server. The root user is defined below the "cn=Root DNs,cn=config" branch of the server atcn=Directory Manager,cn=Root DNs,cn=config. and is local to each OUD instance.  The server supports multiple root users who have their own entries and their own set of credentials on the server.

OUD also provides the notion of global administrators. Global Administrators are responsible for managing and maintaining administrative server domains in replicated environments. One Global Administrator is created when you set up replication servers using the graphical installer or the dsreplication command (you are prompted to set a user name and password for the Global Administrator) . 

The Global Administrator created for the replication exists in the cn=Administrators,cn=admin data subtree, so it is replicated and can be used with every OUD instance of a replicated topology. To view the Global Administrator entry, run the following ldapsearch command:

$ ldapsearch -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file \
  --useSSL -b "cn=Administrators,cn=admin data" -s sub "(objectclass=*)"
dn: cn=Administrators,cn=admin data
objectClass: top
objectClass: groupofurls
description: Group of identities which have full access.
cn: Administrators
memberURL: ldap:///cn=Administrators,cn=admin data??one?(objectclass=*)
dn: cn=admin,cn=Administrators,cn=admin data
objectClass: person
objectClass: top
userPassword: {SSHA}+ed1wbhcWjxtv2zJ6OHEA2TuE9n1qIJGnuR94w==
description: The Administrator that can manage all the OUD instances.
cn: admin 

The Global Administrator created for the replication exists has the full set of admin privileges. In some situations, it might be useful to create additional administrators having only a subset of admin right. For instance, a Monitor Administrator would have the privilege to read the OUD configuration but he/she would not be able to modify it.

To do so, you can create your own admin container node in the cn=admin data suffix

./ldapmodify -a -p 4444 -Z -X -D "cn=directory manager"  -w ****
dn: cn= my admins,cn=admin data
objectclass: top
objectClass: ds-cfg-branch

dn: cn=monitor,cn=my admins,cn=admin data
objectClass: person
cn: monitor
sn: monitor 
userpassword: ****

At that stage, it is possible to use these credentials (cn=monitor,cn=my admins,cn=admin data) with dsconfig. dsconfig can authenticate that user, however the "admin" won't be able to read the config as he/she does not have the privilege to do so. dsconfig reports the following error during navigation in the config:

The Administration Connector could not be modified because you do not 
have the correct authorization

Appropriate privileges must be assigned to the admin so that he/she has the right to perform the desired actions. In that example, the admin requires the config-read privilege. The bypass-acl is also required so that he/she can perform privileged actions on the configuration.

./ldapmodify -p 4444 -Z -X -D "cn=directory manager"  -w ****
dn: cn=monitor,cn=my admins,cn=admin data
changetype: modify
add: ds-privilege-name
ds-privilege-name: bypass-acl

Now the admin can read the config via dsconfig. However, any attempt to modify it would raise the following error:

The Configuration could not be modified because you do not have 
the correct authorization 


Thursday Jan 22, 2015

ODSEE 11.1.1.7.2 bundle patch available for download

ODSEE 11.1.1.7.2 Bundle Patch has been Released for Directory Server and Directory Proxy Server. (Doc ID 1962875.1)

Search for Doc ID 1962875.1 in My Oracle Support for instructions.


Wednesday Jan 21, 2015

How to get OUD to start on Linux/UNIX boot

To simplify integration of OUD with the target OS, you can use the create-rc-script command  to generate a shell script to start, stop, and restart the directory server. You can update the resulting script to suit the needs of your directory service. This command is available for UNIX or Linux systems.

So you can use this command to create RC scripts e.g. run  sudo create-rc-script -f /etc/init.d/oud -u oud.

Then run this script when the appropriate run level change on the target distribution. For instance, on OEL, run sudo chkconfig --level 3 oud on

Make sure you use the -u userName option unless you really want to run OUD as root. 

Wednesday Jan 14, 2015

Configuring OUD to Support Multiple Enterprise User Security Domains

Configuring OUD to Support Multiple Enterprise User Security Domains

If your users and groups are stored in multiple domains, you must configure OUD to support multiple EUS domains. For example, a single OUD instance contains two EUS domains. One EUS domain stores users entries in Active Directory below cn=users,dc=ad1,dc=com. A second EUS domain stores user entries in a different Active Directory instance below cn=users,dc=ad2,dc=com. You must configure OUD to support each EUS domain.

To configure OUD to support multiple EUS domains:

  1. Configure OUD as if the primary domain is the single domain containing all your users and groups.

    In this example, the primary domain is dc=ad1,dc=com.

    Complete the tasks in 28.4 Oracle Unified Directory Used as a Proxy Server for an External LDAP Directory with Enterprise User Security

  2. Configure the secondary domain.

    In this example, the secondary domain is dc=ad2,dc=com.

    For this secondary domain, complete the steps in 28.4.1.1 User Identities in Microsoft Active Directory

  3. Create a new naming context for the EUS domain, which is dc=ad2,dc=com in this example.

    Complete the steps in 28.4.2.1.2 to configure Enterprise User Security for an existing Oracle Unified Directory Proxy Server instance.

  4. Update the Oracle context with the new naming context.

    1. Create an LDIF file.

      In the following myconfig.ldif example, make the following substitutions:

      • Replace dc=ad1,dc=com with the DN of your first domain.

      • Replace orclcommonusersearchbase with the users location in the secondary domain.

      • orclcommongroupsearchbase with the groups location in the secondary domain.

      dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com
      changetype: modify
      add: orclcommonusersearchbase
      orclcommonusersearchbase: cn=users,dc=ad2,dc=com
      orclcommongroupsearchbase: cn=groups,dc=ad2,dc=com
      
    2. Update OUD configuration using the LDIF file you created in step 4a.

      ldapmodify -h oudhost -p 1389 -D "cn=directory manager" 
      
      -w password -f myconfig.ldif

Wednesday Oct 22, 2014

OUD and Referral Management with AD

Oracle Unified Directory(OUD) can be configured as a proxy to Active Directory (AD).
For instance, it is possible to define a Remote LDAP Extension in OUD pointging to Root Catalog of AD 2008.

Searches to AD would return referrals, so the appropriate OUD Network group can to be modified to  follow referrals automatically with the command below:

/dsconfig -h localhost -p 4444 -D "cn=directory manager" -j ~/.pwd  -X -n set-network-group-qos-policy-prop --group-name network-group --policy-type referral --set referral-policy:follow

In some cases, a ldapsearch with a basedn which is not local to the root catalog still returns referrals to another AD Server. 
OUD reports the following error: 

SEARCH operation failed
Result Code:  1 (Operations Error)
Additional Information:  Unable to process the operation because a referral leading to an unknown or disabled ldap-server example.com:389 was received

This error is specific to AD because AD builds referrals as follow: ldap://example.com/CN=Configuration,DC=example,DC=com.  Example.com does not systematically correspond to a LDAP host declared in the OUD proxy configuration. For security reasons, OUD follows referrals to hosts explicitely declared as LDAP server extensions in the OUD proxy configuration.

To make sure OUD is able to chase referrals, define a new ldap-server-extension with remote-ldap-server-address property set to example.com and remote-ldap-server-port set to 389. In this case, creation of a proxy workflow element is not required for this ldap-server-extension. More on ldap-server extensions at http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/proxy_config.htm#solCREATING-AN-LDAP-SERVER-EXTENSION

Friday Oct 17, 2014

Troubleshooting OUD/EUS integration: Invalid username/password; logon denied

Oracle's Enterprise User Security (EUS) enables you to store user identities in LDAP-compliant directory service for Oracle Database authentication.

Enterprise User Security enables you to centrally manage database users across the enterprise. Enterprise users are created in LDAP-compliant directory service, and can be assigned roles and privileges across various enterprise databases registered with the directory.

Users connect to Oracle Database by providing credentials that are stored in Oracle Unified Directory. The database executes LDAP search operations to query user specific authentication and authorization information.

Here are steps to troubleshoot EUS when the "Invalid username/password; login denied" is reported to DB users by EUS:

First, this error is reported in 2 cases:

  • the DB is not able to find a LDAP user that corresponds to the provided name on the DB side, 
  • the user password is invalid.
Assuming the password is correct, follow the procedure below to identify the root cause:

#1 Check EUS configuration

The database reads its configuration from the entry cn=common,cn=products,cn=oraclecontext,$BASEDN:

  • The location of users and groups is configured in the attributes orclcommonusersearchbase and orclusercommongroupsearchbase. They are referred to as users and groups containers.
  • The username supplied to sqlplus must correspond to the value of orclcommonnicknameattribute in the user entry. For instance, if I connect to sqlplus using sqlplus joe/password, and orclcommonnicknameattribute=uid, then the database will look for an entry containing the attribute uid=joe.
  • The user entry DN must start with orclcommonnamingattribute. For instance, if orclcommonnamingattribute=cn, the user entry must be cn=joeuser,<orclcommonusersearchbase>.

You can read the configuration using the following command:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b cn=common,cn=products,cn=oraclecontext,$BASEDN  "(objectclass=*)" orclcommonusersearchbase orclcommongroupsearchbase orclcommonnicknameattribute orclcommonnamingattribute
dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
orclcommonnicknameattribute: uid
orclcommonnamingattribute: cn

#2 Check the User Entry

You  must ensure that there is an LDAP entry in the user container that matches the username supplied by SQL+. Target LDAP entry must be an instance of inetorgperson and contain the attribute defined in orclcommonnicknameattribute:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN  "(uid=joe)"                         
dn: cn=joe,ou=people,dc=eusovd,dc=com
userPassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: top
uid: joe
cn: joe
sn: joe

#3 Check the User-schema mappings

If the user entry exists and can be read by the database entry, the problem can be that there is no user-schema mapping. EUS maps the LDAP user entry to a database schema following a mapping rule that is defined in Enterprise Manager console. The mapping associates either a user DN to a schema or all users of a subtree to a schema. It can be defined at the domain level or at the database level.

#4 Check the global schema associated with the user

If there is a user-schema mapping, ensure that the schema has the CONNECT privilege.

The global schema was defined using the following commands:

SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;

Monday Oct 06, 2014

Data Adaptation again

Yet another common usage of OUD Transformations to transparently adapt some values during provisioning:

In this real use case, ODIP (Oracle Directory Integration Platform) is used to synchronize some SQL tables with OUD.
The country every user is living in is stored in an Oracle DB and is synchronized by DIP into the LDAP country attribute.
Unfortunatelly, the country name format expected by the applications on the Directory side differ from the one used on the DB side.

In this case, country name is stored in full in the DB (e.g. USA, FRANCE, ITALY) when apps that contact OUD expect standard country short form e.g. US, FR, IT.  For administrative and political reasons within the enterprise, it is not possible to create a additional mapping table in the RDBMS that could be used by a SQL JOIN to return the correct values.

OUD Tranformation Framework can be used to address that integration problem: a so-called add inbound tranformation is invoked when a new entry is created and value mapping is applied on the incoming add request before it is processed by the OUD database engine. For sake of peformance, this transformation can be configured to trigger on udates originated from DIP only, using the network group mechanism.

To create a transformation that maps USA to US and France to FR, do the following:

First create the transformation with the appropriate mappings:

dsconfig create-transformation \
--set source-attribute:country=%country%(US,USA)(FR,France)(IT,Italy) \
--type add-inbound-attribute \
--transformation-name mapCountry \
--set conflict-behavior:virtual-overrides-real 

Then stash this transformation to a Transformation Workflow element to be inserted ahead of local DB (userRoot):

dsconfig create-workflow-element \
          --set enabled:true \
          --set next-workflow-element:userRoot \
          --set transformation:mapCountry \
          --type transformations \
          --element-name mapCountry

Then put the Transformation Workflow Element to the appropriate workflow so  that it can be invoked:

dsconfig set-workflow-prop \
          --workflow-name userRoot1 \
          --set workflow-element:mapCountry

 At that stage, appropriate values are automatically stored in OUD.

Wednesday Jul 23, 2014

OUD R2PS2 Bundle Patch available

The first bundle patch for OUD 11gR2PS2 (11.1.2.2.1) is available for download from My Oracle Support.

Search for the support note 1905631.1 (Doc ID 1905631.1 : Information And Bug Listing of Oracle Unified Directory Bundle Patches: 11.1.2.2.x (11gR2PS2))  that describes its content and download instructions (patch 18662903)

Thursday Jul 10, 2014

ODSM Silent Install

If you plan to manage Oracle Unified Directory (OUD) with Oracle Directory Services Manager (ODSM), you must install and configure it as described in the Installation Guide. The installation process described rely on a Graphical User Interface. 

Here is the equivalent procedure in silent mode so that you can incorporate it in a script or automated procedure:
To make it short, you need to install OUD as described in this post, configure an application server (WebLogic), then install the ADF framework, install ODSM and add it to a weblogic domain then start WebLogic.

#1 Weblogic installation 

- download weblogic 10.3.6 from http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html
- locate wls1036_generic.jar in the delivery
- create a input file (WEBLOGIC_silent.xml) for Weblogic install (properties in bold to be customized, assuming that you install the middleware components in /local/myinstall)

<?xml version="1.0" encoding="UTF-8"?>
<bea-installer> 
<input-fields>
<data-value name="BEAHOME" value="/local/myinstall" />
<data-value name="USER_INSTALL_DIR"  value="/local/myinstall" />
<data-value name="INSTALL_NODE_MANAGER_SERVICE"   value="no" />
<data-value name="COMPONENT_PATHS" value="WebLogic Server/Core Application Server|WebLogic Server/Administration Console|WebLogic 
Server/Configuration Wizard and Upgrade Framework|WebLogic Server/Web 2.0 HTTP Pub-Sub Server|WebLogic Server/WebLogic JDBC Drivers|WebLogic 
Server/Third Party JDBC Drivers|WebLogic Server/WebLogic Server Clients|WebLogic Server/WebLogic Web Server Plugins|WebLogic Server/UDDI 
and Xquery Support|WebLogic Server/Server Examples" />
<data-value name="LOCAL_JVMS" value="/usr/lang/JAVA/jdk7_u45/linux-x64"/>
</input-fields>
</bea-installer>
- run
    wls1036_generic.jar -mode=silent -silent_xml=./WEBLOGIC_silent.xml

#2 Install ADF

- download the Oracle Application Development Framework from Oracle Technology Network (OTN) at the following location: http://www.oracle.com/technetwork/developer-tools/adf/downloads/index.html
- locate and unzip appdev.zip to target directory e.g. /local/myinstall/appdev_unzip
- create an input file (oui_install.rsp ) to install appdev (properties in bold to be customized)

[ENGINE]
 
  
#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0
 
  
[GENERIC]
 
  
#Set this to true if you wish to specify a directory where latest 
updates are downloaded. This option would use the software updates from 
the specified directory
SPECIFY_DOWNLOAD_LOCATION=false
 
  
#
SKIP_SOFTWARE_UPDATES=true
 
  
#If the Software updates are already downloaded and available on your 
local system, then specify the path to the directory where these patches 
are available and set SPECIFY_DOWNLOAD_LOCATION to true
SOFTWARE_UPDATES_DOWNLOAD_LOCATION=
 
  
#Provide the Oracle Home location. The location has to be the immediate 
child under the specified Middleware Home location. The Oracle Home 
directory name may only contain alphanumeric , hyphen (-) , dot (.) and 
underscore (_) characters, and it must begin with an alphanumeric 
character. The total length has to be less than or equal to 128 
characters. The location has to be an empty directory or a valid SOA 
Oracle Home.
ORACLE_HOME=/local/myinstall/Oracle_appdev
 
  
#Provide existing Middleware Home location.
MIDDLEWARE_HOME=/local/myinstall
 
  
#
CONFIG_WIZARD_RESPONSE_FILE_LOCATION=0
 
  
[SYSTEM]
 
  
[APPLICATIONS]
 
  
[RELATIONSHIPS]

- install appdev (path in bold to be customized)
/local/myinstall/appdev_unzip/appdev/Disk1/runInstaller -silent -response ./oui_install.rsp -invPtrLoc /local/myinstall/appdev_unzip/oraInst.loc  -jreLoc /usr/lang/JAVA/jdk7_u45/linux-x64 -waitforcompletion

#3 Create Weblogic domain for ODSM

- Create template file (e.g create_domain.py) and customize the properties in bold.

#!/usr/bin/python
import os, sys
readTemplate(r'/local/myinstall/wlserver_10.3/common/templates/domains/wls.jar')
cd(r'/Security/base_domain/User/weblogic')
cmo.setPassword('welcome1')
cd(r'/Server/AdminServer')
cmo.setName('AdminServer')
cmo.setListenPort(7001)
cmo.setListenAddress('mylocalhost')
create('AdminServer','SSL')
cd('SSL/AdminServer')
cmo.setEnabled(true)
cmo.setListenPort(7002)
cmo.setHostnameVerificationIgnored(true)
cmo.setHostnameVerifier(None)
cmo.setTwoWaySSLEnabled(false)
writeDomain(r'/local/myinstall/WEBLOGIC_domains/ODSM')
closeTemplate()
exit()

- Run the following command to create the ODSM domain:

/local/myinstall/oracle_common/common/bin/wlst.sh /local/myinstall/create_domain.py

#4 Configure ODSM

- create template file (e.g config_odsm.py) and customize properties in bold

#!/usr/bin/python

import os, sys

readDomain('/local/myinstall/WEBLOGIC_domains/ODSM')
addTemplate(r'/local/myinstall/Oracle_OUD/common/templates/applications/oracle.odsm_11.1.1.5.0_template.jar')
updateDomain()
closeDomain()
exit()

- Run the following command:

/local/myinstall/oracle_common/common/bin/wlst.sh /local/myinstall/config_odsm.py

#5 Start Weblogic domain

/local/myinstall/WEBLOGIC_domains/ODSM/bin/startWebLogic.sh  


Tuesday Apr 15, 2014

An additional log file for OUD: server.out

The server.out file stored in <OUD_Instance>/OUD/logs may contain useful pieces of information logged very early in the OUD bootstrap process, e.g. before the logging subsystem is initialized.

This file is overriden at each restart.

The start-ds output is sent to standard output as well.  You are welcome to re-direct that output to
any log that you like overwriting the existing one or appending if you prefer.  For instance, you can redirect logs like these into their own date and time specific output file so that you can  examine each start and stop output independently.

Monday Mar 24, 2014

Deploying the IAM Suite and OUD with the Deployment Wizard

Identity & Access Management suite R2 PS2 (11.1.2.2.0) ships with a new deployment tool to automate the installation and configuration of products related to the IAM suite. This tool is named Oracle Identity and Access Management Deployment Wizard.

This tools automates the installation, configuration and integration of WebLogic Server, SOA Suite, Oracle Identity Manager, Oracle Access Management, Oracle Unified Directory, Oracle HTTP Server and Webgates. The tool allows you to select one of three deployment topologies: OIM, OAM or OIM integrated with OAM and OUD.

More details about this wizard on Idm.guru at http://idm.guru/access-governance/deploying-the-iam-suite-with-the-deployment-wizard/

Thursday Mar 06, 2014

Transition Guide from DSEE to OUD just published

Transition Guide from (O)DSEE to Oracle Unified Directory (OUD) was just added to the OUD doc set.
It is available at http://docs.oracle.com/cd/E49437_01/doc.111220/e51265.pdf

Other OUD documents are available at http://docs.oracle.com/cd/E49437_01/index.htm

Tuesday Feb 18, 2014

Lessons from the Field: A directory transition from DSEE 6.3.1.1 to OUD 11gR2PS1

I was recently involved in a LDAP directory services transition project, from DSEE 6.3.1.1 to OUD 11gR2PS1, for a large manufacturing enterprise. Directory service is medium-sized with a few of million LDAP entries, and is accessed by a wide range of services and applications, ranging from Corporate Directory to Identity Store for Identity Management and user management for intranet and extranet portals.

Here is an overview of the steps we followed and the issues we addressed during this project to successfully transition the infrastructure to OUD.

1. Transition Assessment

Putting in place a sound methodology and design is a key success factor for a directory migration, regardless the final migration options selected.
This assessment was conducted over a period of 3 weeks and included the following:


- Identification and formalization of the main drivers and requirements for transition
- Inventory of the current directory infrastructure, including identification of the application portfolio accessing the directory
- Identification of transition options compatible with requirements
- Estimation of transition effort
- Identification of training requirement for the staff and skills required during the transition, especially people with business knowledge of the data stored in the directory.

For this project, the 4 main drivers to migrate to OUD were:

    - native support of EUS (ability to store Oracle DB accounts used by Enterprise User Security) as deployment of EUS was a Corporate decision
    - smooth integration and official support of OUD with the Oracle Identity stack, especially OIM and OAM
    - superior scalability, able to deliver SLA required by new services to be rolled out in the coming years
    - support for global account lockout

About 10,000 applications word-wide access the directory. Among them, 10 were identified as critical for the transition, mostly provisioning applications.


Figure 1: Existing DSEE topology with 4 masters, 6 read-only replicas in each DC + 2 read-only replicas in remote branches

OUD provides several options to transition from DSEE. For this project, the DSEE and OUD topologies have to cohabit for 6 months in production as transition was planned incrementally on a geo basis. Furthermore, client applications heavily relies on password policy, so strong data consistency is required across the 2 topologies during transition. Based on that, tightly-coupled cohabitation via the replication gateway was selected. In addition to that, this strategy provides smooth and incremental transition without interruption of service.

Transition analysis and design was conducted over a period of 1 week. The goal of this critical phase was to adapt schema, configuration and data to OUD, define and automate procedures to deploy an OUD directory server able to deliver a service equivalent to existing DSEE servers in staging area. Business knowledge of directory data was really important during this phase. Transition of the replication topology was also addressed during this phase.


4 OUD servers have been deployed as a directory backbone. Actual roll-out of other OUD servers (20+ servers all over the world) will be performed incrementally over the next months.

2. Transition Analysis and Design

Transition analysis and design heavily relied on the transitioning tools provided with OUD. Transitioning to OUD implies adapting ODSEE configuration (and sometimes the data) to the OUD format.
The OUD delivery provides tools to automatically adapt ODSEE configuration and data. The few configuration elements that can't be adapted automatically are identified by the OUD diagnostic tools and require manual adaptation.

The work was broken down into the following steps:

  1. - Diagnose the DSEE deployment
  2. - Migrate the schema, configuration and data to a reference OUD instance
  3. - Validate configuration and settings
  4. - Deploy additional OUD instances in a replicated topology
  5. - Upgrade 2 DSEE masters in place to ODSEE 11gR1 PS2
  6. - Deploy Replication Gateway to make the link between the 2 topologies
  7. - Use T2P procedure (Test to Production) to roll out server configuration  in production

-

2.1 Diagnosing the DSEE deployment

OUD ships with the ds2oud tool able to diagnose DSEE configuration, schema and existing user data. You can use this tool to identify areas that are likely to require special attention during the transition.
Many of the differences spotted by this tool can be automatically migrated, especially those related to schema and server configuration. Others issues, related to advanced server configuration and user data requires manual intervention as they often require business knowledge or architectural decisions.

In order to run this tool, you must have administrative access to one running DSEE instance. For sake of security, one additional DSEE master server was deployed specifically for that purpose so that production systems are not impacted at all by this diagnostic phase.

2.2 Migrating the schema, configuration and data to a reference OUD instance


LDAP Schema
LDAP schemas were compared first. Custom schema extensions were properly imported to the OUD side. However, we faced a couple of issues with some experimental schemas, e.g. RFC 2307: OUD ships with the latest versions of the RFCs, but in this case, DSEE was using an older and incompatible version of the schema. A huge amount of existing LDAP entries were relying on the older schema, so we decided to use this old schema on OUD too.

Server Configuration
We also used ds2oud to migrate the server configuration. The -F option is used to produce a batch file containing a list of configuration changes to be applied to the OUD directory server. This batch file was reused to setup subsequent OUD servers during server roll-out.


Global parameters, database suffixes, indexes, global password policy were migrated automatically.

Note: Support of global password policy and account lockout during cohabitation of DSEE and OUD via the replication gateway requires that DSEE use the 'DS6' password policy mode. For this deployment, the DSEE topology was already using this mode, so no additional action was required on that side.

User Data
For this project, most of the transition effort was related to user data migration: LDAP was deployed more than 15 years ago. LDAP entries were provisioned over time by a huge variety of applications. The number of provisioning applications is now quite limited. However, it appeared that about 5% of the LDAP entries did not strictly conform to the LDAP schema and/or to the LDAP standard.  By default, OUD strictly enforce the LDAP standard and the LDAP schema, including attribute value syntax check. DSEE does not check attribute value syntax.

Based on that, it was decided to use that transition project to conduct a detailed data assessment and sanitization. This assessment was completed over the 1 week period as originally planned. However, it required involvement of additional stakeholders to figure out whether entries that did not match the LDAP schema were correct or incorrect from a business and application perspective.

Here are a few road blocks hit and addressed:

- Most LDAP entries contained more than one structural LDAP object class
    This non-standard setting is accepted by ODSEE but by default, it is rejected by OUD. That check was relaxed on OUD because applications creating these entries could not be modified.
- Some entries contained attribute type extensions (e.g criteria:criteria;x-custom-extension) that violate LDAP standards because they contain underscores.
    That check was relaxed on OUD as well
- Some DNs and telephoneNumber attributes contain incorrect values
    These values were cleaned up on DSEE.

Directory Metadata
The transition strategy chosen is based on the replication protocol. It provides strong data consistency and all data including directory metadata are replicated back and forth between DSEE and OUD.
For that project, directory metadata, mainly access controls, could be replication w/o any problem, However, we had to adapt directory metadata related to account-based resource limits settings:

Some DSEE entries contain the following resource limit attributes, namely nsSizeLimit, nsTimeLimit, nsLookThroughLimit, nsIdleTimeout. Corresponding attributes on OUD are ds-rlim-size-limit, ds-rlim-time-limit, ds-rlim-lookthrough-limit,ds-rlim-idle-time-limit. In order to replicate the functionality correctly, the OUD schema was modified so that each DSEE attribute name related to resource limits is declared as an alias name for each corresponding OUD attribute.

2.3 Validating OUD Configuration and Settings

A few OUD servers were deployed in staging area and configured as defined above. Then traffic from key customer applications identified during the transition assessment was redirected to the OUD infrastructure.

This phase is very important to validate the changes above and identify behavioral differences between OUD and DSEE that are not always detected automatically. We detected a few problems that required additional configuration changes on the OUD side. These changes were added to the list of configuration to be applied to OUD servers.

Here are a few road blocks hit and how we addressed them:

- Few applications were performing unindexed operations. By default, OUD reject such searches.
     For technical reasons, it was not acceptable to create the appropriate indexes to suppress unindexed searches: For this project, we recommend to disable privileges leading to aci behavioral differences between OUD and ODSEE.
- Attributes present in the rootDSE and in the schema are flagged as operational, so they are not returned to client applications unless they are explicitly specified in the search attribute list. On ODSEE, these attributes are systematically returned.        
    Client applications relied on the DSEE behavior; we had to modify the OUD configuration so that rootDSE entries are returned like user attributes
- By default, in OUD, unauthenticated users are not granted access to cn=schema nor the rootDSE.
    Appropriate access controls was added to OUD


2.4 Deploy additional instances in a replicated topology

In such medium/large replication topology, it is advisable to separate the directory server and replication server instances into separate JVMs, and to limit the number of replication servers:

- 4 instances having both Directory server and Replication Server roles are deployed, 2 in each data center.
- The number of directory server instances serving search operations could be reduced to 4 due to superior OUD performances. 
- 2 replication groups are defined so that DSs in one data center preferably connect to a RS within the same data center.
- 2 directory servers deployed in remote branches are configured as read-only replicas to conform to corporate rules. These 2 servers can connect to replication server from either data center to receive updates.

Note: Unlike DSEE topology, every directory server running in the main data centers are read-write master. The corresponding servers in DSEE handled a limited write traffic that was redirected to DSEE masters via referrals. The new OUD topology eliminates the need for referrals.

Figure 2: New OUD topology with 4 RS+DS, 4 DS in each DC + 2 read-only DS in remote branches

3 Deploying the OUD topology

The main outcome of the transition analysis and design phase is a collection of commands to be applied to set up an OUD directory server instance.
Additional OUD directory server instances were setup then configured. The Test to Production feature provided by OUD is used to clone configurations to pre-production environment.

Data are exported from DSEE (with the --opends flag) to preserve replication metadata, so that replication can be established between the 2 environments. Data are imported in a single OUD directory server, then replication was enabled between servers and database files are copied to the other servers. In the customer environment, this initialization strategy was preferred over an over-the-network full initialization.

The minimum version required for tightly coupled coexistence is ODSEE 11g Release 1 (11.1.1) for the ODSEE master that communicates directly with the replication gateway. However, the rest of the ODSEE topology does not need to be uniformly based on this version and remain in 6.x, so we upgraded 2 DSEE masters to the latest ODSEE 11gR1 PS2 (11.1.1.7.0). Instances were automatically upgraded in place without having to copy, export or import anything. An alternate solution would have been to deploy 2 new ODSEE 11g instances as replication gateway companion.

At that stage, 2 replication gateways are deployed as described in the OUD administration guide. This is the recommended setting to avoid single point of failure.

Backup strategy was adapted to reflect the new hybrid topology: In a replicated environment involving ODSEE and OUD, you must perform regular backups on the ODSEE side and on the OUD side. A backup must always be restored in the topology it is associated with.


Figure 3: Cohabitation DSEE/OUD

The current plan is to keep the DSEE-OUD cohabitation for 6 months as applications are progressively redirected to OUD.

4 Conclusion

Tightly coupled coexistence of OUD with ODSEE is achieved by deploying OUD and ODSEE in a replicated topology using the “Replication Gateway”. The replication gateway provides out-of-the-box live transition without service interruption.
This enables you to run OUD and DSEE in parallel in a mixed environment so that you can transition to OUD over time, validate your upgrade strategy application by application, and most importantly, without downtime.

Migration tools shipped with OUD addresses most of the transitioning issues. However, data cleaning and/or manual adaptation is sometimes required during this process, so some time should be allocated to address that during the transition analysis and design.


About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Archives
« March 2015
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today