Wednesday Oct 22, 2014

OUD and Referral Management with AD

Oracle Unified Directory(OUD) can be configured as a proxy to Active Directory (AD).
For instance, it is possible to define a Remote LDAP Extension in OUD pointging to Root Catalog of AD 2008.

Searches to AD would return referrals, so the appropriate OUD Network group can to be modified to  follow referrals automatically with the command below:

/dsconfig -h localhost -p 4444 -D "cn=directory manager" -j ~/.pwd  -X -n set-network-group-qos-policy-prop --group-name network-group --policy-type referral --set referral-policy:follow

In some cases, a ldapsearch with a basedn which is not local to the root catalog still returns referrals to another AD Server. 
OUD reports the following error: 

SEARCH operation failed
Result Code:  1 (Operations Error)
Additional Information:  Unable to process the operation because a referral leading to an unknown or disabled ldap-server example.com:389 was received

This error is specific to AD because AD builds referrals as follow: ldap://example.com/CN=Configuration,DC=example,DC=com.  Example.com does not systematically correspond to a LDAP host declared in the OUD proxy configuration. For security reasons, OUD follows referrals to hosts explicitely declared as LDAP server extensions in the OUD proxy configuration.

To make sure OUD is able to chase referrals, define a new ldap-server-extension with remote-ldap-server-address property set to example.com and remote-ldap-server-port set to 389. In this case, creation of a proxy workflow element is not required for this ldap-server-extension. More on ldap-server extensions at http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/proxy_config.htm#solCREATING-AN-LDAP-SERVER-EXTENSION

Friday Oct 17, 2014

Troubleshooting OUD/EUS integration: Invalid username/password; logon denied

Oracle's Enterprise User Security (EUS) enables you to store user identities in LDAP-compliant directory service for Oracle Database authentication.

Enterprise User Security enables you to centrally manage database users across the enterprise. Enterprise users are created in LDAP-compliant directory service, and can be assigned roles and privileges across various enterprise databases registered with the directory.

Users connect to Oracle Database by providing credentials that are stored in Oracle Unified Directory. The database executes LDAP search operations to query user specific authentication and authorization information.

Here are steps to troubleshoot EUS when the "Invalid username/password; login denied" is reported to DB users by EUS:

First, this error is reported in 2 cases:

  • the DB is not able to find a LDAP user that corresponds to the provided name on the DB side, 
  • the user password is invalid.
Assuming the password is correct, follow the procedure below to identify the root cause:

#1 Check EUS configuration

The database reads its configuration from the entry cn=common,cn=products,cn=oraclecontext,$BASEDN:

  • The location of users and groups is configured in the attributes orclcommonusersearchbase and orclusercommongroupsearchbase. They are referred to as users and groups containers.
  • The username supplied to sqlplus must correspond to the value of orclcommonnicknameattribute in the user entry. For instance, if I connect to sqlplus using sqlplus joe/password, and orclcommonnicknameattribute=uid, then the database will look for an entry containing the attribute uid=joe.
  • The user entry DN must start with orclcommonnamingattribute. For instance, if orclcommonnamingattribute=cn, the user entry must be cn=joeuser,<orclcommonusersearchbase>.

You can read the configuration using the following command:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b cn=common,cn=products,cn=oraclecontext,$BASEDN  "(objectclass=*)" orclcommonusersearchbase orclcommongroupsearchbase orclcommonnicknameattribute orclcommonnamingattribute
dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
orclcommonnicknameattribute: uid
orclcommonnamingattribute: cn

#2 Check the User Entry

You  must ensure that there is an LDAP entry in the user container that matches the username supplied by SQL+. Target LDAP entry must be an instance of inetorgperson and contain the attribute defined in orclcommonnicknameattribute:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN  "(uid=joe)"                         
dn: cn=joe,ou=people,dc=eusovd,dc=com
userPassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: top
uid: joe
cn: joe
sn: joe

#3 Check the User-schema mappings

If the user entry exists and can be read by the database entry, the problem can be that there is no user-schema mapping. EUS maps the LDAP user entry to a database schema following a mapping rule that is defined in Enterprise Manager console. The mapping associates either a user DN to a schema or all users of a subtree to a schema. It can be defined at the domain level or at the database level.

#4 Check the global schema associated with the user

If there is a user-schema mapping, ensure that the schema has the CONNECT privilege.

The global schema was defined using the following commands:

SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;

Thursday Oct 02, 2014

Using OUD Transformations to expose Operational attributes as Regular ones

Some (badly written) LDAP client applications expect to get operational attributes along with regular attributes when they search the directory w/o specifying attributes explicitely. The LDAP standards specify that operation attributes have to be explicitely requested in the search request. Alternatively, the special character + can be used to retrieve all the operational attributes w/o specifying explictely one by one.

OUD adheres to the LDAP standard, so operational attributes must be explicitely specified in a search request.
A specific option to facilitate migration from other directories can be used to expose schema related attributes (objectclasses, attributeTypes) as regular attributes. This option is described in one of my posts at https://blogs.oracle.com/sduloutr/entry/oracle_unified_directory_root_dse

However, others operational attributes are not exposed. Don't worry, OUD transformations framework can help you to solve this specific integration problem:

Say you have an client application that expects the (operational)  pwdChangedTime attribute to be returned systematically as a user attribute.

First, setup a OUD proxy. The client application in question will point to that proxy, but others applications will not be subject to the (non-standard) directory server behaviour.

Then create a Add Outbound Transformation as below:

dsconfig create-transformation \
          --set client-attribute:pwdChangedTime=%pwdChangedTime% \
          --type add-outbound-attribute \
          --transformation-name Mymap \ 


Then put that transformation to a transformation workflow element:

dsconfig create-workflow-element \
          --set enabled:true \
          --set next-workflow-element:userRoot\
          --set transformation:myMap \
          --type transformations \
          --element-name myTransfo \ 


Insert your transformation workflow element to the appropriate workflow:

dsconfig set-workflow-prop \
          --workflow-name workflow1 \
  --set workflow-element:myTransfo \ 

Update the OUD Proxy schema, so that the pwdChangedTime is no longer declared as Operational. All you need to do is remove the  Usage DirectoryOperation and the NO-USER-MODICATION flag. Either modify the schema via LDAP or use the procedure below:

stop the OUD proxy
copy default schema
cp <OUD_HOME>/config/schema/01-pwpolicy.ldif <OUD_PROXY_INSTANCE>/OUD/config/schema
edit <OUD_PROXY_INSTANCE>/OUD/config/schema and change the pwdChangedTime definition as below:

 attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime'
  DESC 'The time the password was last changed' EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  X-ORIGIN 'draft-behera-ldap-password-policy' )

restart the OUD proxy

At that stage, pwdChangedTime will be returned by a LDAP search with attribute list set to * or empty. 



Thursday Apr 17, 2014

Provisioning to OUD using the OIM connector for OUD

OIM provides an extensive list of connectors, including a connector to Oracle Unified Directory (OUD). OIM Connector for OUD is described at http://docs.oracle.com/cd/E22999_01/doc.111/e28603/toc.htm

The Lookup.LDAP.UM.ProvAttrMap lookup definition maps process form fields with OUD target system attributes. This lookup definition is used for performing user provisioning operations.

For the default user fields that you can specify or modify values during provisioning operations , see Section 1.9.2.2, "User Fields for Provisioning an OUD Target System."

For example, the Process Form Field "Common Name" is mapped on cn on the OUD side.

Some specific Process Form Fields are mapped differently. For instance the "Login Disabled" Process Form Field is mapped to the __ENABLED__ keyword in the default mapping file. __ENABLED__ does not directly correspond to any OUD attribute. It is a keyword that is associated with an effective OUD attribute in the OUD Connector configuration, as described in http://docs.oracle.com/cd/E22999_01/doc.111/e28603/deploy_oud.htm#CEGDHHHH. The OUD attribute used to store account state is specified  by the enabledAttribute. By default, it is set to ds-pwp-account-disabled.

The same indirection mechanism apply to the NsuniqueID and Password Process Form Fields mapped to __UID__ and __PASSWORD__ that are provisionned to the OUD attributes defined by uidAttribute and passwordAttribute (entryUUID and userPassword by default).



Tuesday Apr 08, 2014

OUD External change log and rootDSE search

Some LDAP client applications perform subtree searches with search base set to the rootDSE (empty DN).
Oracle Unified Directory (OUD) nicely routes the search to every top level suffix automatically.

When the replication is enabled, OUD automatically publicizes all changes that have occurred in a directory server database in the cn=changelog suffix. This is particularly useful for synchronizing the LDAP directory with other subsystems.  The cn=changelog suffix may contains millions of changes depending on the modification rate on the replication topology and the change retention policy (purge delay).

Subtree searches with search base set to the rootDSE are routed to the cn=changelog suffix as well as long as the replication is enabled. In general, this is not a problem in testing/stagging area, because the changelog is almost empty. However, in production, this may have big impact on performances as this suffix may contain many entries. Furthermore, custom  indexes corresponding to client access pattern do not exist on that suffix, so they can't be used to speed up entry processing.

In order to address that problem, you can disable the so-called external changelog, without disabling the underlying replication changelog used by the replication. To do so, run the following command on the OUD servers for each user suffixes:

dsconfig -h <hostname> -p <admin port>  -D "cn=directory manager" -w <admin password> -n \
  set-external-changelog-domain-prop \
  --provider-name "Multimaster Synchronization" --domain-name <your suffix>  \
  --set enabled:false

Note: some provisoning apps may require the external changelog to synchronize with external systems. If so, keep the external changelog enabled on a couple of OUD servers and reserve them for these apps.


Monday Mar 24, 2014

Deploying the IAM Suite and OUD with the Deployment Wizard

Identity & Access Management suite R2 PS2 (11.1.2.2.0) ships with a new deployment tool to automate the installation and configuration of products related to the IAM suite. This tool is named Oracle Identity and Access Management Deployment Wizard.

This tools automates the installation, configuration and integration of WebLogic Server, SOA Suite, Oracle Identity Manager, Oracle Access Management, Oracle Unified Directory, Oracle HTTP Server and Webgates. The tool allows you to select one of three deployment topologies: OIM, OAM or OIM integrated with OAM and OUD.

More details about this wizard on Idm.guru at http://idm.guru/access-governance/deploying-the-iam-suite-with-the-deployment-wizard/

About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Archives
« March 2015
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today