Tuesday Feb 04, 2014

Binding a server to privileged port on Linux w/o running as root

This is applicable to any service using privileged ports (< 1024), for instance to run a HTTP server on port 80 or a LDAP directory server on port 389.

  • Running the server as root is not a recommended option for security reasons.
  • Using iptables to map privileged port (e.g. 389) to non-privileged port is a well-know method.
  • Updating the Linux config to put 389 on the non-privileged port list is another option.

There is another option that I use frequently, based on setcap to run OUD on port 389 in my labs:

This solution requires install and modification of a java 7 JVM specifically for OUD use.

Such configuration has security implications, as anyone running that JVM has the right to bind on privileged ports (settings are JVM wide, not restricted to a specific jar file/application), so the jvm access should be restricted to the appropriate user only (the one allowed to start OUD)

Here is the procedure:

  1. download patchelf sources from here and compile them on target Linux.
  2. install setcap package on Linux if needed
  3. install a java 7 SDK on target system e.g. /space/java/jdk1.7.0_45
  4. restrict access to that jvm (java and jre) to the appropriate user only (the one used to start OUD).
    Put in place additional security if needed.
  5. as root, run the following commands to allow java to bind as priviledged ports

    setcap cap_net_bind_service=+epi <JAVA_HOME>/bin/java
    setcap cap_net_bind_service=+epi <JAVA_HOME>/jre/bin/java


  6. - change java dynamic library loading strategy as default strategy is not compatible with setcap

    patchelf --set-rpath <JAVA_HOME>/jre/lib/amd64/jli <JAVA_HOME>/jre/bin/java
    patchelf --set-rpath <JAVA_HOME>/lib/amd64/jli <JAVA_HOME>/bin/java


  7. - Modify jvm used by oud

    edit java.properties and modify property e.g default.java-home
    run dsjavaproperties

  8. - start OUD with standard start-ds command.


Monday Jan 27, 2014

OUD 11gR2PS2 (11.1.2.2) available

Oracle Unified Directory 11gR2PS2 (11.1.2.2) is available for download at http://download.oracle.com/otn/nt/middleware/11g/111220/ofm_oud_generic_11.1.2.2.0_disk1_1of1.zip. Other IdM R2PS2 components are available at http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/index.html

Documentation for Oracle Unified Directory (OUD) 11gR2PS2 (11.1.2.2) is available at http://docs.oracle.com/cd/E49437_01/index.htm

Certification matrix is available at http://www.oracle.com/technetwork/middleware/id-mgmt/documentation/identity-access-111220certmatrix-2105036.xlsx

Wednesday Jan 22, 2014

Migrating DSEE database indexes to OUD

Many DSEE customers declare database indexes by writting directly to the DSEE server configuration. For instance, the following LDIF sniplet creates a presence & equality index for attribute employeeNumber in the userRoot database

dn: cn=employeenumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: employeenumber
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq

It is not recommended to update the OUD configuration directly as this is not a public interface and internal configuration representation may be subject to change. It is recommended to use the dsconfig command line tool. Here is the command equivalent to the index creation above:

dsconfig -h localhost -p <admin port> -D "cn=directory manager" -j <password_file> -X -n \
  create-local-db-index \
  --backend-name userRoot \
  --index-name employeenumber\
  --set index-type:presence\
  --set index-type:equality

More about OUD index creation and management is available at http://docs.oracle.com/cd/E37116_01/admin.111210/e22648/indexing.htm#solINDEX-DATABASES  and http://docs.oracle.com/cd/E37116_01/admin.111210/e22648/managing_data.htm#solTO-CREATE-A-NEW-LOCAL-DB-INDEX

Monday Jan 20, 2014

Using OUD as a WebLogic Authentication Provider

Each WebLogic security realm must have at least one authentication provider configured. The default authentication provider (defaultAuthenticator) uses an embedded LDAP directory server to store user credentials & group membership.

Using an external authentication provider

The file-based embedded LDAP store does not scale when the number of users and group to manae grow. However, many customners favoir a centralized administration for users and groups, so you can declare an external authentication provider. The default authenticator is kept for "emergency" only to store Weblogic administrator in case the external authenticator cannot be reached as it is possible to control authenticator priority and criticality.

OUD as a Weblogic authentication provider

Such use case is certified since WebLogic 10.3.5; OUD can be used to store users and groups. Furthermore, it is possible to export existing users & groups from embedded LDAP to OUD for seamless transition.

When OUD is used an an external authentication provider, it is recommended to disable user lockout provided by WebLogic and rather rely on the password policy provided at the OUD level.

Configuring OUD as an authentication Provider

  1. In the Weblogic Console, go to Security Realms/ RealName/ Providers/ Authentication Page
  2. Click New to add a new Authentication Provider
  3. Enter a name for the provider and choose IplanetAuthenticator as the type
  4. Click OK
  5. In the Security Realms / RealName / Providers/ Authentication page, click the name of the provider you created, and select the Configuration / Provider Specific page
  6. Configure connection attributes for OUD and search bases as appropriate
  7. Update the field labeled GUID Attribute at the bottom of the page to value entryuuid
  8. Click Save

Reusing existing users & groups from embedded LDAP

To export users and groups from embedded LDAP:

First, modify credentials of the embedded LDAP server: Click <Domain> under Domain Structure on the left panel. On the right panel, click Security tab then Embedded LDAP tab, change credentials, Save and restart WebLogic

Then, perform a LDAP search on the Weblogic port as cn=admin using above credentials e.g.

ldapsearch -p 7001 -D "cn=admin" -w <password> -b "ou=myrealm,dc=<domain>" "(|(objectclass=wlsUser)(objectclass=groupOfURLs)(objectclass=groupOfUniqueNames))

Here is an exemple of entries:

dn: cn=Administrators,ou=groups,ou=myrealm,dc=dom memberURL:ldap:///ou=groups,ou=myrealm,dc=dom??sub?(&(objectclass=per son)(wlsMemberOf=cn=Administrators,ou=groups,ou=myrealm,dc=dom))
objectclass
: groupOfURLs cn: Administrators


dn: uid=weblogic,ou=people,ou=myrealm,dc=dom
objectclass
: inetOrgPerson
objectclass
: organizationalPerson
objectclass
: person
objectclass
: wlsUser
cn
: weblogic
sn:
weblogic
userpassword
: {ssha}5ZFkp4qHIzfrGe8AV3naJOndwzTXC2W/
wlsMemberOf: cn=Administrators,ou=groups,ou=myrealm,dc=dom

By default, user entries are stored in oud=people while groups are stored in ou=groups in the embedded LDAP server. As you can see, the search base in the LDAP URL defining dynamic groups (e.g. Administrators) is incorrect as it searches user entries in the group container. This must be changed prior to importing entries in OUD to the following value:


memberURL:ldap:///ou=people,ou=myrealm,dc=dom??sub?(&(objectclass=per son)(wlsMemberOf=cn=Administrators,ou=groups,ou=myrealm,dc=dom))

To import entries in OUD,

  1. extend OUD schema with wlsUser objectclass and wlsmemberOf attribute
    Note that I've not found the official oid for wlsmemberOf and wlsUSer so I 've used fake oid in the schema below

    attributeTypes: ( 1.3.6.1.4.1.1000 NAME ('wlsMemberOf') SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'WLS')
    objectclasses: (1.3.6.1.4.1.1001 NAME 'wlsUser' SUP top MAY (wlsMemberOf) X-ORIGIN 'WLS')
  2. Create suffix holding oud=<myreal>,dc=<domain>
  3. Allow pre-encoded password import in OUD
    dsconfig set-password-policy-prop --policy-name Default\ Password\ Policy --set allow-pre-encoded-passwords:true
  4. Allow multiple structural objectclasses per entry in OUD
    dsconfig set-global-configuration-prop --set single-structural-objectclass-behavior:accept
  5. Import entries in OUD using dsimport

Optimizing Group membership evaluation

Weblogic can determine group membership based on a configurable attribute present in user entries. If not set in the provider specific configuration (User Dynamic Group DN property), it determines membership by evaluating the URLs present in the dynamic group.

This property can be set to isMemberOf as this attribute is provided OOTB by OUD. It can also be set to wlsMemberOf when every dynamic group used is based on this attribute.


Wednesday Dec 18, 2013

Using OUD with Oracle Directory Integration Platform (DIP)

This post will guide you through configuring OUD as a DIP backend instead of OID.
Such deployment is supported since DIP 11.1.1.7.0  (PS6).

1- Install OUD and configure 1 suffix to be synchronized, e.g. dc=example,dc=com

HOST=beagle
PORT=1389
SPORT=1636
APORT=4444
ADMIN="cn=Directory Manager"
PASSWD=welcome1
PW_FILE=/tmp/pwd
echo $PASSWD > "$PW_FILE"
oud-setup --cli --hostName "$HOST" --ldapPort $PORT --ldapsPort $SPORT --adminConnectorPort 4444 --rootUserDN "$ADMIN" --rootUserPasswordFile "$PW_FILE" --generateSelfSignedCertificate --enableStartTLS --baseDN dc=example,dc=com --addBaseEntry --ldifFile /home/sylvain/lib/ldif/Example.ldif --no-prompt --noPropertiesFile 

2- Configure a suffix holding DIP configuration

DIP stores its configuration in cn=Products,cn=oracleContext.
You must create and initialize a local backend holding the cn=oracleContext suffix with the commands below:

dsconfig create-workflow-element --set base-dn:cn=oraclecontext --set enabled:true --type db-local-backend --element-name myNewDb --hostname $HOST --port $APORT --bindDN "$ADMIN" --bindPasswordFile "$PW_FILE" --trustAll --no-prompt
 
dsconfig create-workflow  --set base-dn:cn=oraclecontext  --set enabled:true  --set workflow-element:myNewDb  --type generic  --workflow-name workFlowForMyNewDb  --hostname "$HOST"  --port $APORT --bindDN "$ADMIN" --bindPasswordFile "$PW_FILE" --trustAll  --no-prompt

dsconfig set-network-group-prop  --group-name network-group --add workflow:workFlowForMyNewDb --hostname $HOST --port $APORT --bindDN "$ADMIN" --bindPasswordFile "$PW_FILE" --trustAll --no-prompt

then create top entry and Products entry:

ldapmodify -a -p $PORT -h $HOST -D "$ADMIN" -w "$PASSWD" <<EOF
dn: cn=oraclecontext
objectClass: top
objectClass: container

dn: cn=Products,cn=oraclecontext
objectClass: top
objectClass: container
EOF

 

3- Enable changelogs

DIP stores its configuration in cn=Products,cn=oracleContext.OUD uses OUD changelogs for both data anc configuration to detect changes efficiently.

dsreplication enable-changelog --no-prompt --baseDN "dc=example,dc=com" --hostname "$HOST" --port $APORT --bindDN "$ADMIN" --adminPasswordFile "$PW_FILE" --trustAll

dsreplication enable-changelog --no-prompt --baseDN "cn=Products,cn=oraclecontext" --hostname "$HOST" --port $APORT --bindDN "$ADMIN" --adminPasswordFile "$PW_FILE" --trustAll

 

4- Grant access to synchronized data

ldapmodify -h localhost -p 1389 -D "$ADMIN" -w "$PASSWD" <<EOF
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
EOF

 

Note: Make sure to enable LDAPS port (LDAP over SSL) if you plan to synchronize userPassword with DIP as this is required for obvious security reasons.

 

5 - Install DIP

The procedure is described in http://docs.oracle.com/cd/E23943_01/install.1111/e12002/oud.htm#CHDEDHBG Make sure to Install DIP only (do not run the Configure procedure as it is OID specific)

Wednesday Dec 04, 2013

Using OUD as an OIF Federation Store

Schema extensions and specific index settings are required to use OUD as an OIF Federation Store.
These files are currently not part of the OIF delivery, so here are the files:

First, import the userFedSchemaOUD.ldif schema
Then update OUD configuration (mostly OIF-specific index creation) with the command below:
${ORACLE_HOME}/OUD/bin/dsconfig <conn params> -n -X -F userFedIndexOUD.commands

(configuration commands assume default OUD database settings. Change db name if needed in the command batch file)

Wednesday Nov 06, 2013

New Oracle White Paper about Directory Services Integration with Database Enterprise User Security

I've written a new Oracle White Paper about Directory Services Integration with
Database Enterprise User Security based on 2 recent posts, https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db and  https://blogs.oracle.com/sduloutr/entry/oud_eus_take_1_db

The official document is available at http://www.oracle.com/technetwork/database/security/dirsrv-eus-integration-133371.pdf

Tuesday Aug 27, 2013

OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories

This post is the second one of a serie focusing on Enterprise User Security (EUS) and Oracle Unified DIrectory (OUD).

Enterprise User Security (EUS), an Oracle Database Enterprise Edition feature, leverages the Oracle Directory Services and gives you the ability to centrally manage database users and role memberships in an LDAP directory. EUS reduces administration costs and increases security.

DB Accounts Proxy-ed by OUD into existing Directories

Most enterprises already have existing corporate directories in place, and prefer the EUS implementation. An EUS implementation leverages the existing directory infrastructure and user information base without putting in place synchronization between directories. In this way, OUD acts as a real-time interpreter for Oracle database information requests to user data.

Using OUD enables the database to interact with third-party directories. OUD leverages existing user and group information in the existing third-party directory infrastructure by forwarding LDAP requests and responses back and forth to the third-party directory holding user data. User data, database meta-data such as DB registration information, user/role Mappings, and other EUS specific meta-data are stored locally in OUD, without requiring any schema changes to store EUS configuration in the existing third-party directory.

As of release 11gR2PS1, OUD is certified with EUS to support Active Directory, Oracle Directory Server Enterprise Edition, and Novell eDirectory. Working with these products, OUD eliminates user data duplication and synchronization and consequently lowers total cost of ownership (TCO).

1. Centralizing Accounts into Microsoft Active Directory

You can integrate Active Directory for password-based authentication or integrate Active Directory with Kerberos authentication.

Active Directory Integration for Password-based authentication

Such a scenario requires deployment of an additional component: the OUD Password Change Notification plug-in (oidpwdcn.dll). Microsoft uses a proprietary implementation to hash passwords in Active Directory that is incompatible with the Oracle DB requirements. The OUD Password Change Notification plug-in is notified when a password change occurs, and stores hashes in Active Directory. The oidpwdcn dll must be installed on every Active Directory domain controller.

Active Directory Schema extension is required to store the hashed passwords.

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. User passwords are retrieved from the hashed password stored by the OUD Password Change Notification plug-in. EUS metadata are stored and retrieved from OUD.

The database version must be 10.1 or later as earlier versions use a different and incompatible password format.

Figure 2: EUS Account management with Active Directory

Active Directory Integration with Kerberos Authentication

In this scenario, Kerberos is used for DB authentication. EUS with DB Kerberos authentication does not require any changes to the database beyond standard EUS configuration. The database establishes a connection to OUD. OUD looks up the requested DB information in Active Directory. All database clients must be Kerberos-enabled to use this option. This capability is only supported with DB version 10.1 or higher.

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. EUS metadata are stored and retrieved from OUD. Access to the hashed user password is not required, so no schema extensions and no Password Change Notification dll have to be deployed on Active Directory.

 

Figure 3: EUS Account management with Kerberos and Active Directory

2. Centralizing Accounts into ODSEE

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Oracle Directory Server Enterprise Edition (ODSEE) . EUS metadata are stored and retrieved from OUD.

This integration does not require any changes in the database (beyond what is usually required for EUS, nor for database clients that use username/password authentication.

 

Figure 4: EUS Account management with DSEE

3. Centralizing Accounts into Novell eDirectory

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Novell eDirectory. EUS metadata are retrieved from OUD.

This integration does not require any changes in the database beyond what is usually required for EUS, nor for database clients that use username/password authentication.

Using Novell eDirectory doesn’t require an Oracle password filter. You have to enable Universal Password in eDirectory, and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.

This configuration can only be used with DB versions 10.1 or higher due to incompatible password formats in earlier DB versions.

 

Figure 5: EUS Account management with DSEE

 



Thursday Apr 18, 2013

Oracle Virtual Desktop Infrastructure and Unified Directory

Oracle Virtual Desktop Infrastructure offers a complete solution for managing and providing access to virtualized desktop environments hosted in the datacenter.  Oracle Virtual Desktop Instrastructure enables organizations to simplify administration, reduce operating costs, increase the utilization of existing IT assets, and boost security by moving from a tradtional desktop environment to a virtual desktop architecture.

Typically, you configure Oracle VDI to use the information held in a corporate user directory, like Oracle Unified Directory Server.

You can use the OUD setup or the ODSM to create a suffix holding users, eg,  ou=People,dc=oscr,dc=uk,dc=oracle,dc=com using existing schema.
Then create a few user entries with the fields User Name, First Name, Last Name, User ID and User Password.  So for my account it is

User Name : Sylvain Duloutre
First Name : Sylvain
Last Name : Duloutre
User ID : sduloutr
User Password : ****

To install Virtual Desktop Infrastructure, follow the install guide, then connect to the VDI Web UI using your preferred browser. Here is a screenshot showing the setup of the VDI server :

Next are 2 screenshots showing the LDAP settings and how they map to VDI:

As you can see there isn't actually a lot of configuration to do.  You  can now login to VDI from a Sunray or from the Oracle Virtual Desktop Client using the login name and password stored in OUD.

Thanks to Rob for VDI snapshots and testing.


Thursday Apr 11, 2013

Oracle Unified Directory 11g R2 PS1 released

Oracle Identity and Access Management 11g R2 (11.1.2.1.0) is now generally available. Media is available for download on the Oracle Software Delivery Cloud (OSDC). This includes the following products:
  • Oracle Identity and Access Management
  • Oracle Entitlements Server Security Module
  • Oracle Access Manager OHS 11g WebGates
  • Oracle Access Manager IHS 7.0 WebGates
  • Oracle Access Manager Access SDK
  • Oracle Access Manager JBoss 5 Agent
  • Oracle Unified Directory
  • Oracle Enterprise Single Sign-On
  • Oracle Access Management Mobile and Social SDK

To download OUD,go to https://edelivery.oracle.com/ , select "Oracle Fusion MiddleWare" and the target platform, select  "Oracle Fusion Middleware Identity Management 11gR2 Media Pack"  then "Oracle Unified DIrectory 11g (11.1.2.1.0)"

Documentation is avilable at http://docs.oracle.com/cd/E37116_01/index.htm

Certification Matric is available at http://www.oracle.com/technetwork/middleware/id-mgmt/identity-accessmgmt-11gr2certmatrix-1714221.xls

Wednesday Mar 13, 2013

ODSEE 11gR1 PS2 Released

Check our documentation set for more, including Release Notes and Certification Matrix.

Download ODSEE 11gR1 PS2 (aka 11.1.1.7.0) from here.

Tuesday Jan 15, 2013

Migration Stategy to Oracle Unified Directory

Developing a good strategy is a key element of a migration from third-party directories to OUD.
For sake of simplification, migration can be broken down in 5 steps as described below:

User Data Migration

Most companies defined some custom LDAP attributes and object classes. They use them  in conjunction with standard LDAP schema. LDAP provides a standard way to define schema extensions, so migration of user data is in general quite straight-forward:  Custom schema extensions need to be added to the OUD configuration, user data are exported from the existing directory to the standard LDIF format then re-imported into OUD. 

By default, OUD schema checking is strict, some user entries may be rejected when they do not strictly adhere with the LDAP schema. In such case, either fix the data, fix the schema or relax the corresponding schema option in OUD configuration.

Migration of passwords may cause problems if they are encrypted with non-standard algorithms. I plan to cover that in a separate post soon.

Directory Metadata Migration

Most directories, including OUD, store meta data along with the User Data. This may  include access control information (aci), collective attributes, ldap sub entries etc. Each directory vendor uses its own model, so this aspect of the migration requires attention  and must be carefully planned.

Directory Configuration Migration

Each directory has its own configuration model, so the configuration must be ported to OUD. It includes the LDAP ports the directory listen on, the LDAP naming contexts exposed, database indexes, replication settings, security settings, performance setting, etc. This can be done using OUD graphical interface (ODSM) or using command line dsconfig. This is in general quite simple to migrate the directory configuration to OUD. Special care is needed to manage migration of SSL server certificates if certificate renewal is not an option.

Dealing with hard-wired dependencies in client applications

Some LDAP client application have hard-wired dependencies on a directory vendor and/or version. For instance, an application would query the directory service version string and would take some decision based on that. Some applications may also create/update directory-specific metadata. It is quite difficult to identify such issues upfront, but it is usually good policy to classify client applications based on their LDAP traffic patterns: traffic of provisioning applications should be review first, as the probabilities to have dependencies on vendor-specific interface is higher than for application doing simple authentication.

Oracle Virtual Directory (OVD), part of the  Oracle Directory Services Plus can be used to emulate directory-specific features.

Switching from existing directory to OUD

From an operational perspective, it is key to define how the actual switch to OUD will occur: Some customers would favor export and import w/o maintaining the 2 environments in sync. This seems very simple, but this methodology cannot ensure an highly-available deployment with up-to-date entries on both sides. When this is not acceptable, synchronization tools like DIP (Directory Integration Platform) which is a part of Oracle Directory Services Plus can be used to synchronize user data.

Additional options exist to migrate from Oracle Directory Enterprise Edition (DSEE) to OUD as described here.






Monday Nov 12, 2012

Enabling EUS support in OUD 11gR2 using command line interface

Enterprise User Security (EUS) allows Oracle Database to use users & roles stored in LDAP for authentication and authorization.
Since the 11gR2 release, OUD natively supports EUS. EUS can be easily configured during OUD setup. ODSM (the graphical admin console) can also be used to enable EUS for a new suffix.

However, enabling EUS for a new suffix using command line interface is currently not documented, so here is the procedure:

Let's assume that EUS support was enabled during initial setup.
Let's o=example be the new suffix I want to use to store Enterprise users. The following sequence of command must be applied for each new suffix:

// Create a local database holding EUS context info
dsconfig create-workflow-element --set base-dn:cn=OracleContext,o=example --set enabled:true --type db-local-backend --element-name exampleContext -n
// Add a workflow element in the call path to generate on the fly attributes required by EUS
dsconfig create-workflow-element --set enabled:true --type eus-context --element-name eusContext --set next-workflow-element:exampleContext -n
// Add the context to a workflow for routing
dsconfig create-workflow --set base-dn:cn=OracleContext,o=example --set enabled:true --set workflow-element:eusContext --workflow-name exampleContext_workflow -n
//Add the new workflow to the appropriate network group
dsconfig set-network-group-prop --group-name network-group --add workflow:exampleContext_workflow -n

// Create the local database for o=example
dsconfig create-workflow-element --set base-dn:o=example --set enabled:true --type db-local-backend --element-name example -n

// Create a workflow element in the call path to the user data to generate on the fly attributes expected by EUS
dsconfig create-workflow-element --set enabled:true --set eus-realm:o=example --set next-workflow-element:example --type eus --element-name eusWfe
// Add the db to a workflow for routing
dsconfig create-workflow --set base-dn:o=example --set enabled:true --set workflow-element:eusWfe --workflow-name example_workflow -n
//Add the new workflow to the appropriate network group
dsconfig set-network-group-prop --group-name network-group --add workflow:example_workflow -n 

// Add the appropriate acis for EUS
dsconfig set-access-control-handler-prop \
          --add global-aci:'(target="ldap:///o=example")(targetattr="authpassword")(version 3.0; acl "EUS reads authpassword"; allow (read,search,compare) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)'
dsconfig set-access-control-handler-prop \
      --add global-aci:'(target="ldap:///o=example")(targetattr="orclaccountstatusevent")(version 3.0; acl "EUS writes orclaccountstatusenabled"; allow (write) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)'

Last but not least you must adapt the content of the ${OUD}/config/EUS/eusData.ldif  file with your suffix value then inport it into OUD.


Tuesday Aug 07, 2012

OUD 11gR2 documentation available on OTN

Following the annoucement of  the R2 release, the Oracle Identity Management 11g R2 (11.1.2) is now available on OTN here.

Documentation for Oracle Unified Directory (OUD) 11gR2 (11.1.2) is available here.

Certification matrix is available at  http://www.oracle.com/technetwork/middleware/id-mgmt/identity-accessmgmt-11gr2certmatrix-1714221.xls

Saturday Jun 09, 2012

New convenient Information Center about OUD in My Oracle Support

A new "Information Center" dedicated to Oracle Unified Directory is available from the Oracle Support Site. This page provides you with all the useful links and news related to the product, including technical articles, docs, licensing info and the latest patches available. To access it, log into MOS (My Oracle Support) at http://support.oracle.com,  search for 1418884.2 doc id in the search field on the front page, then click on the "Information Center : Overview Oracle Unified Directory (OUD)" link.

About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Archives
« March 2015
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today