Oracle Unified Directory.
Lessons learnt.
Is it worth moving from OID?
ANDREJS PROKOPJEVS
Lead Applications Database Consultant
About me
© 2016 Pythian 2
Apps DBA from Riga, Latvia.
Speaking SQL since 2001.
In Oracle world since 2004.
“In love” with Oracle EBS since 2006.
Andrejs Prokopjevs
Lead Applications Database Consultant
At Pythian since 2011
@aprokopjevs
prokopjevs@pythian.com
https://www.pythian.com/blog/author/prokopjevs/
ABOUT PYTHIAN
Pythian’s 400+ IT professionals help companies adopt and manage disruptive technologies to better compete.
TECHNICAL EXPERTISE
• Infrastructure: Transforming and managing the IT infrastructure that supports the business
• DevOps: Providing critical velocity in software deployment by adopting DevOps practices
• Cloud: Using the disruptive nature of cloud for accelerated, cost-effective growth
• Databases: Ensuring databases are reliable, secure, available and continuously optimized
• Big Data: Harnessing the transformative power of data on a massive scale
• Advanced Analytics: Mining data for insights & business transformation using data science
[Infographic: EXPERIENCED, systems currently managed by Pythian; GLOBAL, Pythian experts in 35 countries; EXPERTS, millennia of experience gathered and shared over 19 years; figures shown: 11,800 and 2400]
Agenda
• What is Oracle Unified Directory?
• Quick overview of integration process with Oracle E-Business Suite R12.2.5.
• Issues faced while implementing OUD.
• Features that deserve a note.
• Performance tuning considerations.
What is Oracle Unified Directory?
What is Oracle Unified Directory?
• LDAP v3 compliant directory, formerly Sun iPlanet Directory.
• Runs completely on Java.
• New generation of Oracle Directory Services since 11gR2.
• Announced product replacement of Oracle Internet Directory.
• Features:
• Storage
• Proxy and Load Balancing
• Virtualization
• Synchronization and Replication
• Data is stored in JavaDB (Oracle Berkeley DB Java Edition).
• Licensed under Oracle Directory Services Plus license.
• Supports known features like Enterprise User Security and TNS store.
What is Oracle Unified Directory?
• Proxy - Load balancing.
• LDAP data can be shared and distributed.
[Diagram: OUD in Load Balancer (Proxy) mode: an LDAP client connects to the OUD proxy, which distributes requests across OUD directory 1, 2 and 3]
What is Oracle Unified Directory?
• Proxy – mapping of external directories, like Active Directory.
[Diagram: OUD Proxy mode with attribute virtualization: an LDAP client connects to the OUD proxy, which maps the request onto MS Active Directory]
What is Oracle Unified Directory?
• Replication and High Availability.
• The same instance can hold multiple roles, e.g. Storage and replication server at the same time.
[Diagram: OUD Replication Server 1 and OUD Replication Server 2 connecting OUD directory 1, 2, 3 and 4, organised into replication groups 1, 2 and 3]
Oracle Internet Directory comparison
• Oracle Unified Directory
• Runtime
▪ Java
• Storage
▪ JavaDB, local disk storage
• Clustering concept
▪ Multiple instances within a replication group
• Proxy / Virtualization
▪ Native support
• Tools
▪ No ldapadd anymore; instead there is "ldapmodify --defaultAdd"
• Backups
▪ No PITR; full or incremental snapshots initiated by the backup utility.
• Oracle Internet Directory
• Runtime
▪ C
• Storage
▪ Oracle Database as metadata repository
• Clustering concept
▪ Multiple instances connected to one common Oracle database
• Proxy / Virtualization
▪ Not supported
▪ Requires Oracle Virtual Directory
• Tools
▪ Standard set of tools (ldapadd, ldapmodify, ldapdelete, etc.)
• Backups
▪ Full PITR supported by Oracle Database.
Oracle E-Business Suite integration overview
Software requirements
• E-Business Suite R12.2.5+
• FMW 11.1.1.9
• R12.AD.C.7+
• Patches 22098300, 21229697, and 24008856
• Oracle Unified Directory 11.1.2.3
• Being deployed into a separate Fusion Middleware Home.
• Oracle Directory Services Manager (ODSM) 11.1.2.3
▪ Weblogic Server 10.3.6
▪ Oracle ADF 11.1.1.9
• Repository Creation Utility 11.1.1.9
• Oracle Directory Integration Platform 11.1.1.9
• Oracle Access Manager 11.1.2.3
Documentation reference
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11gR2 (Doc ID 2003483.1)
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
• Installation Guide for Oracle Identity Management
• https://docs.oracle.com/middleware/11119/core/INOIM/under_install.htm#INOIM1024
Configure OUD
• Create the OUD instance.
$ echo "welcome1" > /tmp/oud_pwd
$ ./oud-setup --cli \
  --hostName myoud.domain.com --ldapPort 1389 --ldapsPort 1636 \
  --adminConnectorPort 4461 \
  --rootUserDN "cn=directory manager" --rootUserPasswordFile /tmp/oud_pwd \
  --generateSelfSignedCertificate --enableStartTLS \
  --baseDN dc=example,dc=com \
  --integration generic \
  --serverTuning 512m --offlineToolsTuning 512m \
  --no-prompt
• The “generic” integration option creates the naming context required for EBS integration.
Configure Naming Context
• Modify the realm default user and group base DN references.
• Very important: if this is not executed, it will cause issues at later stages.
• Reference:
▪ https://docs.oracle.com/cd/E52734_01/oud/OUDAG/eus.htm#BABGJFEE
• Locate the LDIF template and edit it for the naming context you configured.
• Execute it after correction.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file \
  -f $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
Configure DIP with OUD
• Enable the External Change Log.
$ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 \
  -b dc=example,dc=com --trustAll --no-prompt
$ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 \
  -b cn=oraclecontext --trustAll --no-prompt
• Enforce the Unique UID Attribute.
$ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop \
  --plugin-name "UID Unique Attribute" --set enabled:true
$ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop \
  --plugin-name "UID Unique Attribute" --set base-dn:ou=people,dc=example,dc=com
• Configure DIP for OUD.
$ $ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic \
  -ldaphost localhost -ldapport 1389 -ldapuser "cn=directory manager" -isldapssl false -ldapadminport 4461
Registration with Oracle EBS
• Start EBS Online Patching Cycle (adop phase=prepare)
• Run all the actions against patch filesystem
• Register OUD:
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes -ldapadminuser="cn=directory manager"
• Update EBS Profile Options
• Autoconfig
• Cutover
• Side note:
• You can do all this in hot mode directly on run file system.
• Multi-node: This isn’t required to be executed on all nodes as stated in the documentation.
Registration with Oracle EBS
• Start EBS Online Patching Cycle (adop phase=prepare)
• Run all the actions against patch filesystem
• Install WebGate
▪ Recommendation: apply the latest WebGate BP patch.
• Deploy AccessGate
perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -deployApps=accessgate
• Register OAM
$FND_TOP/bin/txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
• Autoconfig
• Cutover
Registration with Oracle EBS
• Side note:
• You can do all this in hot mode directly on run file system.
• But beware of Bug 19817016 !!!
▪ oaea_server1 (AccessGate) port conflict between run and patch during the fs_clone.
• Solution:
▪ Stop oaea_server1.
▪ Run fs_clone.
▪ Restart oaea_server1.
▪ Subsequent fs_clone executions will no longer have this conflict.
Issues faced while implementing OUD
Issue #1: Configure Naming Context
• $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
$ ls -l $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
ls: cannot access /u01/app/oracle/product/fmw11g_oud/instances/OUD_instance/config/EUS/modifyRealm.ldif: No such file or directory
$ ls -l $ORACLE_HOME/config/EUS/modifyRealm.ldif
-rw-r-----. 1 oracle oinstall 1608 Nov 15 2013 /u01/app/oracle/product/fmw11g_oud/Oracle_OUD1/config/EUS/modifyRealm.ldif
$
• Documentation bug.
• The file is deployed into the instance only with “--integration EUS”, but it is still available under the Oracle Home.
Issue #1: Configure Naming Context
• What does it fix?
# cn=Common,cn=Products,cn=OracleContext
orclSubscriberSearchBase: dc=com
orclSubscriberNickNameAttribute: dc
orclDefaultSubscriber: dc=example,dc=com
# cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
orclCommonUserSearchBase: ou=people,dc=example,dc=com
orclCommonGroupSearchBase: ou=groups,dc=example,dc=com
• Side note: handled automatically since the 11.1.2.3.161018 BP.
Issue #2: No Subscriber found
• Let’s query the naming context we created.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
dn: cn=OracleContext,dc=example,dc=com
$
• Where is my naming context base entry?
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s base "(objectclass=*)" "dn"
SEARCH operation failed
Result Code: 32 (No Such Entry)
Additional Information: The entry dc=example,dc=com specified as the search base does not exist in the Directory Server
$
Issue #2: No Subscriber found
• Fix: manually create the Naming Context base DN as a subscriber.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: dc=example,dc=com
objectClass: top
objectClass: domain
objectclass: orclSubscriber
dc: example
orclversion: 90600
orclsubscriberfullname: example
aci: (targetattr != "userpassword || authpassword || aci") (version 3.0; acl "Anonymous read access to dc=example, dc=com"; allow (read,search,compare) userdn = "ldap:///anyone";)
• Optional: the aci above adds read-only permission for non-super-user access (except password attributes).
Issue #3: User and Group Base DNs
• Let’s query the naming context again.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
dn: cn=OracleContext,dc=example,dc=com
$
• Where are my user and group base DNs?
Issue #3: User and Group Base DNs
• Fix: Manually create the base DN entries.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
Issue #4: Write permissions for DIP profiles
• The documentation states that we need to apply these ACIs:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
• But the DIP runtime still fails on writes.
Issue #4: Write permissions for DIP profiles
• Fix: add a few more ACI permissions.
• DIP profiles actually run as members of the “odipgroup” App DN.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
Issue #5: OUD restrictions on unindexed search
• OUD limits when a non-super-user is allowed to run unindexed searches.
• None of the OID-specific attributes are indexed by default.
• Example: a search with an “orclguid” attribute filter.
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com' Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com'" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
Issue #5: OUD restrictions on unindexed search
• Fix: grant the privilege to the non-super-user that needs it.
• For DIP, this is required for each subscriber app DN.
• Example:
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd
dn: orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext
changetype: modify
add: ds-privilege-name
ds-privilege-name: unindexed-search
-
add: ds-privilege-name
ds-privilege-name: proxied-auth
Issue #6: cn=changelog data timeout
• By default, the replication purge delay in OUD is set to 1 day.
• Set it to at least 1 week.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n get-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced --property replication-purge-delay
Property : Value(s)
------------------------:---------
replication-purge-delay : 1 d
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --set replication-purge-delay:1w
• The retention of historical replication data can also be tuned.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -X -n \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name dc=example,dc=com --set conflicts-historical-purge-delay:7200m
Issues faced while implementing OAM with OUD
Issue #1: EBS registration
• The test connection to the identity server fails.
• But the network is fine and the LDAP connection works.
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
...
Failed while doing policy configurations
• In the log file this is the only actual information:
<class>oracle.apps.fnd.txk.oam.UserIdentityStoreConf</class>
<message>Test connection to identity server is failed. Please verify the settings and try again.</message>
<class>oracle.apps.fnd.txk.oam.RegisterOAM</class>
<message>Failed while updating the configurations in OAM console</message>
Issue #1: EBS registration
• Only an LDAP trace helped.
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP...
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2...
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP...
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
Issue #1: EBS registration
• Fix: the User Base DN and Group Base DN must each contain at least one user and one group.
• In OID, cn=orcladmin and cn=public are seeded by default.
dn: cn=testuser1,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: John
sn: Tester
cn: testuser1
uid: testuser1
userpassword: welcome1
mail: test@test.com

# cn must match the RDN; member is optional in the OUD schema but makes the seed group meaningful
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: admins
member: cn=testuser1,ou=people,dc=example,dc=com
Issue #2: Configuration of the User Identity Store
• Not an issue, actually. More of a recommendation.
• These parameters are not set by default:
• User Filter Object Classes: person
• Group Name Attribute: cn
• Group Filter Classes: groupofnames
• Inactivity Timeout (in seconds): 60
Features that deserve a note.
SSL
• RIP SSL no-auth mode.
• Only SSL server or client-server authentication.
• JSSE: Java Secure Socket Extension.
• And this is good!
• Default keystore: $ORACLE_INSTANCE/OUD/config/keystore
SSL - small comment about DIP
• By default, DIP is configured without SSL.
• SSL-only mode is required if passwords are provisioned from external directories.
• It requires a JKS keystore configuration with the OUD server certificate imported.
$ keytool -importcert -trustcacerts -alias OUD -file /tmp/oud_server_certificate_b64.txt \
  -keystore $ORACLE_INSTANCE/config/DIP_JKS/dip.jks
$ wlst.sh
> connect('t3://localhost:7001')
> createCred(map="dip", key="jksKey", user="jksuser", password="changeit")
$ $ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute keystorelocation \
  -val /u01/app/oracle/product/fmw11g/dip_inst1/config/DIP_JKS/dip.jks
$ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D weblogic
$ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D weblogic
External password plugins in OUD
• Use case: Active Directory, where passwords are not synced directly by DIP.
• OID has a cool feature: the external password plugin.
• A Java-based module which forwards BIND requests to external LDAP directories for authentication.
• OUD does not have this kind of module; however, there are alternatives:
• Pass Through Authentication (OUD 11.1.2.2+)
• On-Demand Password and Password Translate (OUD 11.1.2.3+)
• OUD / DIP Synchronization with Active Directory (Doc ID 1534241.1)
Pass Through Authentication
• How it works: a Proxy mode workflow.
• You have your local Naming Context “dc=example,dc=com” with user entries synced by DIP (no userpassword / orclpassword attributes).
• A new Proxy Workflow is configured to mount the external LDAP Base DN.
• A Workflow Element merges both sources, using the local context as the user provider and the external proxy context as the authentication provider.
Pass Through Authentication
• Configure the OUD LDAP extension.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-extension \
  --type ldap-server \
  --extension-name proxy_extension_pta_ext_ldap \
  --set remote-ldap-server-read-only:true \
  --set remote-ldap-server-address:myad.example.com \
  --set remote-ldap-server-port:389 \
  --set remote-ldap-server-ssl-port:636 \
  --set remote-ldap-server-ssl-policy:always \
  --set ssl-trust-all:true \
  --set ssl-trust-manager-provider:JKS \
  --set enabled:true
Pass Through Authentication
• Configure the OUD Proxy Workflow elements.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element \
  --set client-cred-mode:use-specific-identity \
  --set enabled:true --set ldap-server-extension:proxy_extension_pta_ext_ldap \
  --set remote-ldap-server-bind-dn:cn=system_user,ou=ad_system_accounts,dc=example,dc=com \
  --set remote-ldap-server-bind-password:password \
  --set remote-root-dn:cn=system_user,ou=system_accounts,dc=ad,dc=example,dc=com \
  --set remote-root-password:password \
  --type proxy-ldap \
  --element-name wf_element_auth_pta_ext_ldap
• userRoot below is our default naming context created earlier.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element \
  --set auth-provider-workflow-element:wf_element_auth_pta_ext_ldap \
  --set enabled:true --set user-provider-workflow-element:userRoot \
  --set pta-suffix:ou=people,dc=example,dc=com \
  --set pta-auth-suffix:ou=people,dc=example,dc=com \
  --set pta-user-suffix:ou=people,dc=example,dc=com \
  --type pass-through-authentication \
  --element-name wf_element_pta_ext_ldap
Pass Through Authentication
• Configure the OUD Proxy Workflow.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow \
  --workflow-name pta_ext_ldap_wf \
  --set base-dn:ou=people,dc=example,dc=com \
  --set enabled:true \
  --set workflow-element:wf_element_pta_ext_ldap
• Enable the new configuration (the workflow name must match the one created above).
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n set-network-group-prop \
  --group-name network-group \
  --set enabled:true \
  --add workflow:pta_ext_ldap_wf
Pass Through Authentication
• It works.
$ ldapsearch -h localhost -p 1389 -D "cn=user1,ou=people,dc=example,dc=com" -b "cn=user1,ou=people,dc=example,dc=com" -s base "(objectclass=*)" "orclSourceObjectDN"
Password for user 'cn=user1,ou=people,dc=example,dc=com':
dn: cn=user1,ou=people,dc=example,dc=com
orclSourceObjectDN: cn=user1,ou=People,dc=example,dc=com
$
• Some illustration.
[Diagram: the BIND goes to MS AD while the user entry and attributes come from Local Storage; the Proxy Workflow merges both into one virtual LDAP user entry DN]
OUD Access Log
• OUD has access-log tracing similar to Apache’s.
• It tracks everything and YOU SHOULD LOVE IT!
• $ORACLE_INSTANCE/OUD/logs/access
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
[25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=domain,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=domain,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
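The unindexed-search denial from Issue #5 (result=50 with the DIP profile's authzDN) and the empty base-DN searches behind the failing OAM registration are both visible only in this access log. As an added example that is neither from the slides nor OUD tooling, here is a small Python analyzer over constructed lines in the same format; it pairs SEARCH REQ/RES by connection and operation and flags both symptoms. All function and sample names are my own.

```python
"""Offline checks over OUD access-log lines (added example, not part of OUD).

SEARCH REQ/RES lines are paired by (conn, op) so that a denial can be reported
together with the base and filter that triggered it:
  (a) result=50 unindexed-search denials, with the authzDN that would need the
      unindexed-search privilege and the filter attribute that is a candidate
      for create-local-db-index;
  (b) successful searches under the user/group base DNs that returned nothing,
      the symptom behind "Test connection to identity server is failed".
"""
import re

# [timestamp] KIND key=value key="quoted value" ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<kind>[A-Z]+(?: (?:REQ|RES))?)\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
FILTER_ATTR_RE = re.compile(r'\(([A-Za-z][\w.;-]*)[~<>]?=')

# Constructed sample, modelled on the lines shown on the slides (not a real capture).
# The SEARCH REQ for conn=381168 is invented to give the result=50 line a matching request.
SAMPLE_LOG = """\
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
[27/Apr/2016:01:25:45 -0700] SEARCH REQ conn=381168 op=514 msgID=515 base="ou=people,dc=example,dc=com" scope=sub filter="(orclguid=ABC123)" attrs="dn"
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
"""


def parse_line(line):
    """Split one access-log line into a dict: ts, kind, plus every key=value field."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {"ts": m.group("ts"), "kind": m.group("kind")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = bare if bare else quoted
    return fields


def _pair_search_ops(lines):
    """Yield (request, response) dicts for each SEARCH REQ/RES sharing conn and op."""
    pending = {}
    for raw in lines:
        f = parse_line(raw)
        if f is None:
            continue
        key = (f.get("conn"), f.get("op"))
        if f["kind"] == "SEARCH REQ":
            pending[key] = f
        elif f["kind"] == "SEARCH RES":
            yield pending.pop(key, {}), f


def find_unindexed_search_denials(lines):
    """Issue #5: who was denied an unindexed search, on which base, with which filter."""
    found = []
    for req, res in _pair_search_ops(lines):
        if res.get("result") == "50" and "unindexed search" in res.get("message", ""):
            found.append({"authzDN": res.get("authzDN"),
                          "base": req.get("base"), "filter": req.get("filter")})
    return found


def find_empty_base_dn_probes(lines, bases):
    """OAM registration issue: successful searches under a monitored base with no entries."""
    found = []
    for req, res in _pair_search_ops(lines):
        if req.get("base") in bases and res.get("result") == "0" and res.get("nentries") == "0":
            found.append({"base": req["base"], "filter": req.get("filter"), "conn": res.get("conn")})
    return found


def filter_attributes(denials):
    """Attribute names used in the denied filters: candidates for an equality index."""
    attrs = set()
    for d in denials:
        attrs.update(a.lower() for a in FILTER_ATTR_RE.findall(d.get("filter") or ""))
    return attrs


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for d in find_unindexed_search_denials(lines):
        print("unindexed search denied for", d["authzDN"], "filter", d["filter"])
    print("index candidates:", filter_attributes(find_unindexed_search_denials(lines)))
    bases = {"ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"}
    for e in find_empty_base_dn_probes(lines, bases):
        print("empty base DN:", e["base"])
```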
Virtual Attributes
• An attribute which behaves more like a function.
• The best example: isMemberOf
• True if the user is a member of the given group.
• The most useful place to use it: LDAP filters.
• Example: an OAM User Identity Store filter that allows only a specific group to access your application.
• KEY_LDAP_FILTER:
(&(uid={KEY_USERNAME})(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))
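To make the "attribute as a function" idea concrete, here is an added Python model (not OUD code, and not from the slides) of a directory in which isMemberOf is never stored but computed from the groups' member values at read time, with a small evaluator for the filter subset used in the KEY_LDAP_FILTER above. The sample entries and all function names are my own.

```python
"""Toy model of OUD's isMemberOf virtual attribute and the OAM KEY_LDAP_FILTER.

Added example, not OUD code: entries are plain dicts and the filter evaluator
supports only the &, |, ! and attr=value (or attr=*) forms used on this page.
"""


def normalize_dn(dn):
    """Lower-case and trim each RDN so DN comparison is case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed sample directory (not real data): two users and one static group.
# Attribute names are lower-cased; every value is stored as a list.
DIRECTORY = {
    "cn=user1,ou=people,dc=example,dc=com": {
        "uid": ["user1"], "objectclass": ["person", "inetOrgPerson"]},
    "cn=user2,ou=people,dc=example,dc=com": {
        "uid": ["user2"], "objectclass": ["person", "inetOrgPerson"]},
    "cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=user1,ou=people,dc=example,dc=com"]},
}

# The OAM User Identity Store filter from the slide; {KEY_USERNAME} is filled at login.
KEY_LDAP_FILTER = ("(&(uid={KEY_USERNAME})"
                   "(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))")


def with_virtual_attributes(dn, entry, directory):
    """Copy of entry with isMemberOf derived from every group's member attribute.

    Nothing is stored on the user: the value is recomputed on each read, which is
    what makes it virtual, and why no provisioning step can get it out of sync.
    """
    me = normalize_dn(dn)
    groups = [gdn for gdn, g in directory.items()
              if any(normalize_dn(m) == me for m in g.get("member", []))]
    merged = {k: list(v) for k, v in entry.items()}
    merged["ismemberof"] = groups
    return merged


def parse_filter(text):
    """Parse into nested tuples: ('&'|'|', [kids]), ('!', [kid]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # closing ')' of the compound
            return (op, kids)
        if text[pos] == "!":
            pos += 1
            kid = node()
            pos += 1  # closing ')' of the negation
            return ("!", [kid])
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


DN_VALUED = {"ismemberof", "member", "manager"}  # compared as DNs, not plain strings


def matches(tree, entry):
    """Evaluate a parsed filter against an entry dict; comparisons are case-insensitive."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":  # presence test
        return bool(values)
    norm = normalize_dn if attr in DN_VALUED else str.lower
    return any(norm(v) == norm(value) for v in values)


def authorized_users(directory, username, ldap_filter=KEY_LDAP_FILTER):
    """DNs satisfying the OAM filter for a login name: the users OAM would let through."""
    tree = parse_filter(ldap_filter.replace("{KEY_USERNAME}", username))
    return [dn for dn, entry in directory.items()
            if matches(tree, with_virtual_attributes(dn, entry, directory))]


if __name__ == "__main__":
    for name in ("user1", "user2"):
        print(name, "->", authorized_users(DIRECTORY, name) or "denied")
```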
Performance tuning considerations
Overview
• Performance is a feature.
• Overall, OUD performance is good.
• The more memory you configure, the more you get into the cache.
• Always try to apply the latest PSU BP. Many performance-related bugs are resolved per the change log in every bundle.
• Some real problems may start only when your data size exceeds hundreds of thousands of entries, like 400 000 user accounts.
Indexes
• By default, OUD does not index most of the common OID attributes.
• Example: the DIP ApplicationToOID profile does a Root DN sub-search for entries with the required orclGUID, to confirm it exists.
• With large directories this can spin the CPU a lot. The attribute can be indexed:
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-local-db-index \
  --element-name userRoot --index-name orclguid --set index-type:equality
$ rebuild-index -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -b "dc=example,dc=com" -i orclguid
• If the DIP bootstrap has synchronized a huge number of new user accounts (e.g. from an external directory), a full index rebuild is highly recommended.
$ rebuild-index -b "dc=example,dc=com" --rebuildAll
Root DN based search
• Same use case: DIP ApplicationToOID
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "" "(orclguid=XXXXXXXXXXXXXXXXXXXXXX)" "*"
• OUD will also look into “cn=changelog”, as it interprets it as a non-hidden naming context.
• This is how OUD works.
• Recommendation: evaluate the data size and configure enough memory to cache as much as possible.
• https://blogs.oracle.com/sduloutr/entry/oud_external_change_log_and
• OUD - Bad Performance of a Subtree Search on the Root DSE if the External Changelog is Enabled (Doc ID 1676998.1)
• With PTA, add your external Proxy Workflow Element here as well.
Data cache tuning
• If your LDAP data is 1 GB in size, you can configure your OUD instance with 2 GB of memory and set the data cache to utilize 50 %.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password set-workflow-element-prop --element-name userRoot --set db-cache-percent:50
• Cache as much as possible!!!
Summary
• OUD is an interesting lightweight product.
• Hard to say if it’s better or worse than OID. Both OUD and OID have their own pros and cons.
• OUD is the replacement product. OID is going away soon (Dec 2018 / Dec 2021).
• Compared to 11gR1, where OUD was not usable at all for the main integration use cases, it is now more or less ready. Of course, with the nuances mentioned.
• Simplified setup and configuration.
• It takes time to tune everything. Let us be patient. There is potential.
THANK YOU
Q & A

khalyaniramjan49
Ā 
PDF
Pesticides | Natural Pesticides | Methods of control | Types of pesticides | ...
Home
Ā 
PPTX
Renters' Rights and PBSA. How the bill will impact on the sector
Nick Emms
Ā 
DOCX
Ss Peter & Paul Choir Formation Training
kiambutownshipsecond
Ā 
PPTX
How do Company Analysis Short Term and Long Term Investment.pptx
auntorkhastagirpujan
Ā 
PPTX
milgram study as level psychology core study (social approach)
dinhminhthu1405
Ā 
PPTX
Design Tips to Help Non-Visual Visitors Stay Safe Online
Daniela Napoli
Ā 
PDF
Green Natural Green House Presentation (2).pdf
SaeedOsman6
Ā 
PPTX
ā€œMastering Digital Professionalism: Your Online ImageĀ Mattersā€
ramjankhalyani
Ā 
PPTX
India Energy and Utility Sector Landscape
Anand Akshay
Ā 
PPTX
THE school_exposure_presentation[1].pptx
sayanmondal3500
Ā 
PPTX
Introductions to artificial intelligence
rakshjain77
Ā 
PDF
Chapter-52-Relationship-between-countries-at-different-levels-of-development-...
dinhminhthu1405
Ā 
PDF
Securing Africa’s future: Technology, culture and the changing face of threat
Kayode Fayemi
Ā 
PPTX
Mastering the DevOps Certification: CI/CD, Governance & Monitoring Made Simple
shubhamsharma994585
Ā 
PPTX
Iconic Destinations in India: Explore Heritage and Beauty
dhorashankar
Ā 
PPTX
Ocean_and_Freshwater_Awareness_Presentation.pptx
Suhaira9
Ā 
DPIC Assingment_1.pptx.pptx for presentation
yashwork2607
Ā 
2025-07-27 Abraham 09 (shared slides).pptx
Dale Wells
Ā 
Something I m waiting to tell you By Shravya Bhinder
patelprushti2007
Ā 
Building a Strong and Ethical Digital Professional Identity
khalyaniramjan49
Ā 
Pesticides | Natural Pesticides | Methods of control | Types of pesticides | ...
Home
Ā 
Renters' Rights and PBSA. How the bill will impact on the sector
Nick Emms
Ā 
Ss Peter & Paul Choir Formation Training
kiambutownshipsecond
Ā 
How do Company Analysis Short Term and Long Term Investment.pptx
auntorkhastagirpujan
Ā 
milgram study as level psychology core study (social approach)
dinhminhthu1405
Ā 
Design Tips to Help Non-Visual Visitors Stay Safe Online
Daniela Napoli
Ā 
Green Natural Green House Presentation (2).pdf
SaeedOsman6
Ā 
ā€œMastering Digital Professionalism: Your Online ImageĀ Mattersā€
ramjankhalyani
Ā 
India Energy and Utility Sector Landscape
Anand Akshay
Ā 
THE school_exposure_presentation[1].pptx
sayanmondal3500
Ā 
Introductions to artificial intelligence
rakshjain77
Ā 
Chapter-52-Relationship-between-countries-at-different-levels-of-development-...
dinhminhthu1405
Ā 
Securing Africa’s future: Technology, culture and the changing face of threat
Kayode Fayemi
Ā 
Mastering the DevOps Certification: CI/CD, Governance & Monitoring Made Simple
shubhamsharma994585
Ā 
Iconic Destinations in India: Explore Heritage and Beauty
dhorashankar
Ā 
Ocean_and_Freshwater_Awareness_Presentation.pptx
Suhaira9
Ā 

Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (OGH TECH 17 edition)

  • 8. What is Oracle Unified Directory?
    • LDAP v3 compliant directory, derived from Sun's OpenDS code base (the Java directory, not the C-based iPlanet/ODSEE product).
    • Completely runs on Java.
    • New generation of Oracle Directory Services since 11gR2.
    • Announced product replacement of Oracle Internet Directory.
    • Features:
      ▪ Storage
      ▪ Proxy and Load Balancing
      ▪ Virtualization
      ▪ Synchronization and Replication
    • Data is stored in Oracle Berkeley DB Java Edition, an embedded file-based store on local disk (called "JavaDB" on these slides); there is no relational database behind it.
    • Licensed under the Oracle Directory Services Plus license.
    • Supports known features like Enterprise User Security and the TNS store.
  • 9. What is Oracle Unified Directory?
    • Proxy: load balancing.
    • LDAP data can be shared and distributed.
    Diagram: OUD in Load Balancer (Proxy) mode. An LDAP client talks to the OUD proxy, which fronts OUD directory 1, 2 and 3.
  • 10. What is Oracle Unified Directory?
    • Proxy: mapping of external directories, like Active Directory.
    Diagram: OUD Proxy mode with attribute virtualization. An LDAP client talks to OUD, which proxies to MS Active Directory.
  • 11. What is Oracle Unified Directory?
    • Replication and High Availability.
    • The same instance can take multiple roles, e.g. storage and replication server.
    Diagram: OUD Replication Server 1 and 2 with OUD directory 1 to 4, arranged in replication groups 1, 2 and 3.
  • 12. Oracle Internet Directory comparison
    • Runtime: OUD runs on Java; OID is written in C.
    • Storage: OUD uses Berkeley DB Java Edition on local disk; OID uses an Oracle Database as its metadata repository.
    • Clustering concept: OUD runs multiple instances within a replication group; OID runs multiple instances connected to one common Oracle database.
    • Proxy / Virtualization: native support in OUD; not supported in OID, which requires Oracle Virtual Directory.
    • Tools: OUD has no ldapadd any more, use "ldapmodify --defaultAdd" instead; OID ships the standard set (ldapadd, ldapmodify, ldapdelete, etc).
    • Backups: OUD has no point-in-time recovery, only full or incremental snapshots initiated by the backup utility; OID gets full PITR from the Oracle Database.
  • 13. Oracle E-Business Suite integration overview
  • 14. Software requirements
    • E-Business Suite R12.2.5+
    • FMW 11.1.1.9
    • R12.AD.C.7+
    • Patches 22098300, 21229697, and 24008856
    • Oracle Unified Directory 11.1.2.3
      ▪ Deployed into a separate Fusion Middleware Home.
    • Oracle Directory Services Manager (ODSM) 11.1.2.3
      ▪ WebLogic Server 10.3.6
      ▪ Oracle ADF 11.1.1.9
    • Repository Creation Utility 11.1.1.9
    • Oracle Directory Integration Platform 11.1.1.9
    • Oracle Access Manager 11.1.2.3
  • 15. Documentation reference
    • Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11gR2 (Doc ID 2003483.1)
    • Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
    • Installation Guide for Oracle Identity Management
      ▪ https://docs.oracle.com/middleware/11119/core/INOIM/under_install.htm#INOIM1024
  • 16. Configure OUD
    • Create the OUD instance.
      $ echo "welcome1" > /tmp/oud_pwd
      $ ./oud-setup --cli --hostName myoud.domain.com --ldapPort 1389 --ldapsPort 1636 --adminConnectorPort 4461 --rootUserDN "cn=directory manager" --rootUserPasswordFile /tmp/oud_pwd --generateSelfSignedCertificate --enableStartTLS --baseDN dc=example,dc=com --integration generic --serverTuning 512m --offlineToolsTuning 512m --no-prompt
    • The "generic" integration option creates the necessary naming context required for the EBS integration.
    • Side note: the same password file is reused by the later commands. Use a real password instead of welcome1, create the file with restrictive permissions (umask 077 or chmod 600, otherwise it is world-readable) and delete it once the setup is finished.
  • 17. Configure Naming Context
    • Modify the realm default user and group base DN references.
    • Very important: if this step is skipped it causes issues at later stages.
    • Reference:
      ▪ https://docs.oracle.com/cd/E52734_01/oud/OUDAG/eus.htm#BABGJFEE
    • Locate the LDIF template and edit the naming context you configured.
    • Execute it after correction.
      $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
  • 18. Configure DIP with OUD
    • Enable the External Change Log.
      $ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 -b dc=example,dc=com --trustAll --no-prompt
      $ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 -b cn=oraclecontext --trustAll --no-prompt
    • Enforce a unique uid attribute.
      $ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" --set enabled:true
      $ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" --set base-dn:ou=people,dc=example,dc=com
    • Configure DIP for OUD.
      $ $ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost localhost -ldapport 1389 -ldapuser "cn=directory manager" -isldapssl false -ldapadminport 4461
    • Side note: --trustAll (and -X in the later dsconfig calls) skips verification of the administration connector's certificate. Acceptable against localhost during setup; for remote administration import the OUD certificate into the tool's trust store instead.
  • 19. Registration with Oracle EBS
    • Start the EBS Online Patching cycle (adop phase=prepare).
    • Run all the actions against the patch file system.
    • Register OUD:
      $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes -ldapadminuser="cn=directory manager"
    • Update EBS profile options.
    • AutoConfig.
    • Cutover.
    • Side note:
      ▪ You can do all of this in hot mode directly on the run file system.
      ▪ Multi-node: this does not have to be executed on all nodes, as the documentation states.
  • 20. Registration with Oracle EBS
    • Start the EBS Online Patching cycle (adop phase=prepare).
    • Run all the actions against the patch file system.
    • Install WebGate.
      ▪ Recommendation: apply the latest WebGate bundle patch.
    • Deploy AccessGate:
      perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -deployApps=accessgate
    • Register OAM:
      $FND_TOP/bin/txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
    • AutoConfig.
    • Cutover.
  • 21. Registration with Oracle EBS
    • Side note:
      ▪ You can do all of this in hot mode directly on the run file system.
      ▪ But beware of Bug 19817016: oaea_server1 (AccessGate) port conflict between run and patch file systems during fs_clone.
    • Solution:
      ▪ Stop oaea_server1.
      ▪ Run fs_clone.
      ▪ Restart oaea_server1.
      ▪ Subsequent fs_clone executions no longer have this conflict.
  • 22. Issues faced while implementing OUD
  • 23. Issue #1: Configure Naming Context
    • $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
      $ ls -l $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
      ls: cannot access /u01/app/oracle/product/fmw11g_oud/instances/OUD_instance/config/EUS/modifyRealm.ldif: No such file or directory
      $ ls -l $ORACLE_HOME/config/EUS/modifyRealm.ldif
      -rw-r-----. 1 oracle oinstall 1608 Nov 15 2013 /u01/app/oracle/product/fmw11g_oud/Oracle_OUD1/config/EUS/modifyRealm.ldif
    • Documentation bug.
    • The instance copy is only deployed with "--integration EUS", but the template is still available under the Oracle Home.
  • 24. Issue #1: Configure Naming Context
    • What does it fix?
      # cn=Common,cn=Products,cn=OracleContext
      orclSubscriberSearchBase: dc=com
      orclSubscriberNickNameAttribute: dc
      orclDefaultSubscriber: dc=example,dc=com
      # cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
      orclCommonUserSearchBase: ou=people,dc=example,dc=com
      orclCommonGroupSearchBase: ou=groups,dc=example,dc=com
    • Side note: handled automatically since the 11.1.2.3.161018 bundle patch.
  • 25. Issue #2: No Subscriber found
    • Let's query the naming context we created.
      $ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
      dn: cn=OracleContext,dc=example,dc=com
    • Where is my naming context base entry?
      $ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s base "(objectclass=*)" "dn"
      SEARCH operation failed
      Result Code: 32 (No Such Entry)
      Additional Information: The entry dc=example,dc=com specified as the search base does not exist in the Directory Server
  • 26. Issue #2: No Subscriber found
    • Fix: manually create the naming context base DN as a subscriber.
      $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
      dn: dc=example,dc=com
      objectClass: top
      objectClass: domain
      objectclass: orclSubscriber
      dc: example
      orclversion: 90600
      orclsubscriberfullname: example
      aci: (targetattr != "userpassword || authpassword || aci") (version 3.0; acl "Anonymous read access to dc=example, dc=com"; allow (read,search,compare) userdn = "ldap:///anyone";)
    • Optional: the aci attribute above grants read, search and compare on the whole subscriber subtree (except the password and aci attributes) to non-super-users. Note that userdn = "ldap:///anyone" includes anonymous binds; if unauthenticated reads are not actually needed, use "ldap:///all" (authenticated users only) or name the specific application accounts instead.
  • 27. Issue #3: User and Group Base DNs
    • Let's query the naming context again.
      $ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
      dn: cn=OracleContext,dc=example,dc=com
    • Where are my user and group base DNs?
  • 28. Issue #3: User and Group Base DNs
    • Fix: manually create the base DN entries.
      $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
      dn: ou=people,dc=example,dc=com
      ou: people
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=groups,dc=example,dc=com
      ou: groups
      objectClass: top
      objectClass: organizationalUnit
  • 29. Issue #4: Write permissions for DIP profiles
    • The documentation states that we need to apply these ACIs:
      dn: dc=example,dc=com
      changetype: modify
      add: aci
      aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
      -
      add: aci
      aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
    • But the DIP runtime still fails on writes.
  • 30. Issue #4: Write permissions for DIP profiles
    • Fix: add a few more ACI permissions.
    • DIP profiles actually run as members of the "odipgroup" application DN, which the documented ACIs do not mention.
      dn: dc=example,dc=com
      changetype: modify
      add: aci
      aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext";)
      -
      add: aci
      aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
    • Side note: "all" plus "proxy" over the entire suffix is a broad grant; these group memberships should be limited to the DIP service accounts.
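Before enabling the DIP profiles it is worth checking, rather than eyeballing, which groups the ACIs on the suffix actually grant. The following Python is an added example for this page, not part of the slides or of any Oracle tool: it parses the allow (rights) groupdn=... clauses of OUD/DSEE-style ACIs and reports which of the three DIP groups (odisgroup, dipadmingrp and odipgroup) still lack an entry-level (target=) or attribute-level (targetattr=) grant of all+proxy. The ACI strings embedded below are the slides' own ACIs with the stray spaces removed; the group names and the dc=example,dc=com suffix are the ones used throughout these slides.

```python
"""Check which DIP groups a set of OUD ACIs actually grants on the suffix.

Added example, not from the original slides. It only understands the
"allow (rights) groupdn=\"ldap:///DN\"" clause shape used by the DIP ACIs.
"""
import re

DIP_ADMINS = "cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"
# The three groups DIP binds as; the documented ACIs (slide 29) cover only the first two.
REQUIRED_GROUPS = [f"cn={g},{DIP_ADMINS}" for g in ("odisgroup", "dipadmingrp", "odipgroup")]

_CLAUSE = re.compile(r'allow\s*\(([^)]*)\)\s*groupdn\s*=\s*"\s*ldap:///([^"]+)"', re.IGNORECASE)


def _norm_dn(dn: str) -> str:
    """Case-insensitive DN comparison with whitespace after commas removed."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def aci_scope(aci: str) -> str:
    """'entry' for a (target=...) ACI, 'attr' for a (targetattr=...) ACI, else 'other'."""
    head = aci.lstrip()
    if head.startswith("(targetattr"):
        return "attr"
    if head.startswith("(target"):
        return "entry"
    return "other"


def grants(aci: str) -> dict:
    """Map of normalized groupdn -> set of rights granted by this one ACI."""
    out = {}
    for rights, dn in _CLAUSE.findall(aci):
        out.setdefault(_norm_dn(dn), set()).update(r.strip().lower() for r in rights.split(","))
    return out


def check_dip_acis(acis, required_groups=REQUIRED_GROUPS) -> dict:
    """Per required group: is all+proxy granted by some entry-level and some attribute-level ACI?"""
    status = {_norm_dn(g): {"entry": False, "attr": False} for g in required_groups}
    for aci in acis:
        scope = aci_scope(aci)
        if scope == "other":
            continue
        for dn, rights in grants(aci).items():
            if dn in status and {"all", "proxy"} <= rights:
                status[dn][scope] = True
    return status


def missing_groups(acis, required_groups=REQUIRED_GROUPS) -> list:
    """Groups (original spelling) lacking either the entry-level or the attribute-level grant."""
    status = check_dip_acis(acis, required_groups)
    return [g for g in required_groups if not all(status[_norm_dn(g)].values())]


# ACIs as given in the documentation (slide 29), stray spaces removed.
DOCUMENTED_ACIS = [
    '(target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; '
    'allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext"; '
    'allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)',
    '(targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; '
    'allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; '
    'allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)',
]
# The additional ACIs from slide 30 for the group the DIP profiles really run as.
ODIPGROUP_ACIS = [
    '(target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; '
    'allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext";)',
    '(targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; '
    'allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)',
]

if __name__ == "__main__":
    print("missing with documented ACIs only:", missing_groups(DOCUMENTED_ACIS))
    print("missing after adding the odipgroup ACIs:", missing_groups(DOCUMENTED_ACIS + ODIPGROUP_ACIS))
```

To use it against a live directory, read the aci values of the suffix entry (ldapsearch -b dc=example,dc=com -s base "(objectclass=*)" aci) and pass them as the list; the checker deliberately ignores ACIs with other target forms rather than guessing their scope.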
  • 31. Issue #5: OUD restrictions on unindexed search
    • OUD only allows a non-super-user to run unindexed searches if it holds the corresponding privilege.
    • None of the OID-specific attributes are indexed by default.
    • Example: a search with an "orclguid" attribute filter.
      [27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com' Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com'" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
  • 32. Issue #5: OUD restrictions on unindexed search
    • Fix: grant the privilege to the non-super-user that needs it (or index the attribute, see the performance section).
    • For DIP this is required for each subscriber application DN.
    • Example:
      $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd
      dn: orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext
      changetype: modify
      add: ds-privilege-name
      ds-privilege-name: unindexed-search
      -
      add: ds-privilege-name
      ds-privilege-name: proxied-auth
  • 33. Issue #6: cn=changelog data timeout
    • By default the replication purge delay in OUD is 1 day; changes older than that are purged from the changelog and are no longer visible to a DIP profile that has fallen behind.
    • Set it to at least 1 week.
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n get-replication-server-prop --provider-name "Multimaster Synchronization" --advanced --property replication-purge-delay
      Property                : Value(s)
      ------------------------:---------
      replication-purge-delay : 1 d
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n set-replication-server-prop --provider-name "Multimaster Synchronization" --set replication-purge-delay:1w
    • The retention of historical replication data can also be tuned.
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -X -n set-replication-domain-prop --provider-name "Multimaster Synchronization" --domain-name dc=example,dc=com --set conflicts-historical-purge-delay:7200m
  • 34. Issues faced while implementing OAM with OUD
  • 35. Issue #1: EBS registration
    • The test connection to the identity server fails.
    • But the network is fine and the LDAP connection works.
      $ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
      ...
      Failed while doing policy configurations
    • In the log file this is the only actual information:
      <class>oracle.apps.fnd.txk.oam.UserIdentityStoreConf</class>
      <message>Test connection to identity server is failed. Please verify the settings and try again.</message>
      <class>oracle.apps.fnd.txk.oam.RegisterOAM</class>
      <message>Failed while updating the configurations in OAM console</message>
  • 36. Issue #1: EBS registration
    • Only the OUD access log helped: both test searches succeed but return no entries.
      [25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP...
      [25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2...
      [25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP...
      [25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
      [25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
      [25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
      [25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
  • 37. Issue #1: EBS registration
    • Fix: the user base DN and the group base DN must each contain at least one entry (one user and one group).
    • In OID, cn=orcladmin and cn=public are seeded by default.
      dn: cn=testuser1,ou=people,dc=example,dc=com
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: organizationalPerson
      objectClass: top
      givenName: John
      sn: Tester
      cn: testuser1
      uid: testuser1
      userpassword: welcome1
      mail: [email protected]

      dn: cn=admins,ou=groups,dc=example,dc=com
      objectClass: groupOfNames
      objectClass: top
      cn: admins
    • Side note: these are seed entries. Use a throwaway password rather than welcome1, and disable or delete testuser1 once the registration has succeeded.
  • 38. Issue #2: Configuration of the User Identity Store
    • Not an issue, actually. More a recommendation.
    • These parameters are not set by default:
      ▪ User Filter Object Classes: person
      ▪ Group Name Attribute: cn
      ▪ Group Filter Classes: groupofnames
      ▪ Inactivity Timeout (in seconds): 60
  • 39. Features that deserve a note.
  • 40. SSL
    • RIP SSL "no-auth" mode: OUD does not offer the anonymous (unauthenticated) SSL mode that OID had.
    • Only server-authenticated or mutually authenticated (client and server) SSL.
    • The SSL stack is JSSE (Java Secure Socket Extension).
    • And this is good!
    • Default keystore: $ORACLE_INSTANCE/OUD/config/keystore
  • 41. SSL - small comment about DIP
    • By default, DIP is configured without SSL.
    • SSL-only mode is required if passwords are provisioned from external directories.
    • Requires a JKS keystore configured with the OUD server certificate imported; -val 2 selects server-authenticated SSL, so DIP must trust that certificate.
      $ keytool -importcert -trustcacerts -alias OUD -file /tmp/oud_server_certificate_b64.txt -keystore $ORACLE_INSTANCE/config/DIP_JKS/dip.jks
      $ wlst.sh
      > connect('t3://localhost:7001')
      > createCred(map="dip", key="jksKey", user="jksuser", password="changeit")
      $ $ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute keystorelocation -val /u01/app/oracle/product/fmw11g/dip_inst1/config/DIP_JKS/dip.jks
      $ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D weblogic
      $ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D weblogic
    • The jksKey credential holds the keystore password ("changeit" is only the example value here; use the real one you set on dip.jks).
  • 42. External password plugins in OUD
    • Use case: Active Directory. Passwords are not synced directly by DIP.
    • OID has a cool feature: the external password plugin, a Java module which forwards BIND requests to external LDAP directories for authentication.
    • OUD has no such module, but there are alternatives:
      ▪ Pass Through Authentication (OUD 11.1.2.2+)
      ▪ On-Demand Password and Password Translate (OUD 11.1.2.3+)
      ▪ OUD / DIP Synchronization with Active Directory (Doc ID 1534241.1)
  • 43. Pass Through Authentication
    • How it works: a proxy-mode workflow.
    • You have your local naming context "dc=example,dc=com" with user entries synced by DIP (no userpassword / orclpassword attributes).
    • A new proxy workflow is configured to mount the external LDAP base DN.
    • A workflow element merges both sources and uses the local context as the user provider and the external proxy context as the authentication provider.
  • 44. Pass Through Authentication
    • Configure the OUD LDAP extension.
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-extension --type ldap-server --extension-name proxy_extension_pta_ext_ldap --set remote-ldap-server-read-only:true --set remote-ldap-server-address:myad.example.com --set remote-ldap-server-port:389 --set remote-ldap-server-ssl-port:636 --set remote-ldap-server-ssl-policy:always --set ssl-trust-all:true --set ssl-trust-manager-provider:JKS --set enabled:true
    • Side note: ssl-trust-all:true makes OUD accept any certificate the remote server presents, so the SSL-only policy protects confidentiality but not against an impersonated AD. For production, import the AD CA certificate into the JKS trust manager provider and set ssl-trust-all:false.
  • 45. Pass Through Authentication
    • Configure the OUD proxy workflow elements.
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element --set client-cred-mode:use-specific-identity --set enabled:true --set ldap-server-extension:proxy_extension_pta_ext_ldap --set remote-ldap-server-bind-dn:cn=system_user,ou=ad_system_accounts,dc=example,dc=com --set remote-ldap-server-bind-password:password --set remote-root-dn:cn=system_user,ou=system_accounts,dc=ad,dc=example,dc=com --set remote-root-password:password --type proxy-ldap --element-name wf_element_auth_pta_ext_ldap
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element --set auth-provider-workflow-element:wf_element_auth_pta_ext_ldap --set enabled:true --set user-provider-workflow-element:userRoot --set pta-suffix:ou=people,dc=example,dc=com --set pta-auth-suffix:ou=people,dc=example,dc=com --set pta-user-suffix:ou=people,dc=example,dc=com --type pass-through-authentication --element-name wf_element_pta_ext_ldap
    • userRoot is the default naming context created by oud-setup.
    • Side note: the bind passwords passed with --set end up in the shell history and are visible in the process list while dsconfig runs; prefer running dsconfig interactively or with a batch file that is deleted afterwards.
  • 46. Pass Through Authentication
    • Configure the OUD proxy workflow.
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow --workflow-name pta_ext_ldap_wf --set base-dn:ou=people,dc=example,dc=com --set enabled:true --set workflow-element:wf_element_pta_ext_ldap
    • Enable the new configuration (the workflow name must match the one created above).
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n set-network-group-prop --group-name network-group --set enabled:true --add workflow:pta_ext_ldap_wf
  • 47. Pass Through Authentication
    • It works: the bind is authenticated against the external directory while the entry comes from local storage.
      $ ldapsearch -h localhost -p 1389 -D "cn=user1,ou=people,dc=example,dc=com" -b "cn=user1,ou=people,dc=example,dc=com" -s base "(objectclass=*)" "orclSourceObjectDN"
      Password for user 'cn=user1,ou=people,dc=example,dc=com':
      dn: cn=user1,ou=people,dc=example,dc=com
      orclSourceObjectDN: cn=user1,ou=People,dc=example,dc=com
    Diagram: the BIND goes through the proxy workflow to MS AD, the user entry and attributes come from local storage, and the LDAP user entry DN is virtually merged from both.
  • 48. OUD Access Log
    • OUD has access log tracing similar to Apache.
    • It tracks everything and YOU SHOULD LOVE IT!
    • $ORACLE_INSTANCE/OUD/logs/access
      [25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
      [25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
      [25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
      [25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
      [25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
      [25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
      [25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
      [25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
      [25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=domain,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
      [25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
      [25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=domain,dc=com" scope=sub filter="(cn=*)" attrs="cn"
      [25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
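The access log is also the quickest place to spot the unindexed-search refusals from Issue #5 and failed binds, so it pays to parse it rather than grep it. The Python below is an added example written for this page, not code from the slides or from OUD: it parses the record format shown above (CONNECT / BIND / SEARCH / UNBIND / DISCONNECT lines with key=value fields), lists failed binds and result=50 unindexed-search refusals together with the authzDN that needs the privilege, emits the ds-privilege-name LDIF from Issue #5 for that DN, and summarises each connection. SAMPLE_LOG is constructed from the lines on the slides plus one made-up failed bind (conn=1941) to exercise that path.

```python
"""Parse OUD access-log lines and extract what matters for security operations.

Added example, not from the original slides. SAMPLE_LOG is constructed from
the slides' log lines (the long Issue #5 message is abbreviated) plus one
invented failed bind on conn=1941.
"""
import re
from collections import defaultdict

_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<kind>[A-Z]+(?:\s(?:REQ|RES))?)\s*(?P<rest>.*)$")
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_access_log(text: str) -> list:
    """One dict per log line: ts, kind (e.g. 'BIND REQ') and every key=value field, quotes stripped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        rec = {"ts": m.group("ts"), "kind": m.group("kind")}
        for key, val in _FIELD.findall(m.group("rest")):
            rec[key] = val[1:-1] if val.startswith('"') else val
        records.append(rec)
    return records


def _bind_requests(records: list) -> dict:
    """(conn, op) -> bind DN, so a BIND RES can be joined to the DN it was for."""
    return {(r["conn"], r["op"]): r.get("dn", "") for r in records if r["kind"] == "BIND REQ"}


def failed_binds(records: list) -> list:
    """[(conn, bind DN, result code)] for every BIND RES with a non-zero result."""
    dns = _bind_requests(records)
    return [(r["conn"], dns.get((r["conn"], r["op"]), ""), r["result"])
            for r in records if r["kind"] == "BIND RES" and r.get("result") != "0"]


def unindexed_search_failures(records: list) -> list:
    """[(conn, authzDN)] for searches refused with result 50 because they were unindexed."""
    return [(r["conn"], r.get("authzDN", "")) for r in records
            if r["kind"] == "SEARCH RES" and r.get("result") == "50"
            and "unindexed search" in r.get("message", "").lower()]


def grant_unindexed_search_ldif(dn: str, proxied_auth: bool = True) -> str:
    """ldapmodify input granting the privileges from Issue #5 to one application DN."""
    lines = [f"dn: {dn}", "changetype: modify",
             "add: ds-privilege-name", "ds-privilege-name: unindexed-search"]
    if proxied_auth:
        lines += ["-", "add: ds-privilege-name", "ds-privilege-name: proxied-auth"]
    return "\n".join(lines) + "\n"


def connection_report(records: list) -> dict:
    """conn -> {'from', 'bind_dn', 'searches', 'failed_ops'} across the whole log."""
    report = defaultdict(lambda: {"from": "", "bind_dn": "", "searches": 0, "failed_ops": 0})
    for r in records:
        if "conn" not in r:
            continue
        c = report[r["conn"]]
        if r["kind"] == "CONNECT":
            c["from"] = r.get("from", "")
        elif r["kind"] == "BIND REQ":
            c["bind_dn"] = r.get("dn", "")
        elif r["kind"] == "SEARCH REQ":
            c["searches"] += 1
        if r["kind"].endswith("RES") and r.get("result", "0") != "0":
            c["failed_ops"] += 1
    return dict(report)


SAMPLE_LOG = """\
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
[25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
[25/Nov/2016:13:51:02 +0200] CONNECT conn=1941 from=10.10.10.55:40122 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:51:02 +0200] BIND REQ conn=1941 op=0 msgID=1 type=SIMPLE dn="cn=testuser1,ou=people,dc=example,dc=com" version=3
[25/Nov/2016:13:51:02 +0200] BIND RES conn=1941 op=0 msgID=1 result=49 etime=2
"""

if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    print("failed binds:", failed_binds(recs))
    for conn, dn in unindexed_search_failures(recs):
        print(f"conn={conn} needs unindexed-search; LDIF to apply:\n{grant_unindexed_search_ldif(dn)}")
    print("connections:", connection_report(recs))
```

Pointed at the real file ($ORACLE_INSTANCE/OUD/logs/access), the same functions give a quick answer to "which DN is DIP actually binding as, and what is it being refused", which is exactly what Issue #5 and the OAM registration issue needed.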
  • 49. Virtual Attributes
    • An attribute which behaves more like a function.
    • The best example: isMemberOf
      ▪ True if the user is a member of the given group.
    • The most useful place to use it: LDAP filters.
    • Example: an OAM User Identity Store filter that allows only a specific group to access your application.
      KEY_LDAP_FILTER: (&(uid={KEY_USERNAME})(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))
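KEY_USERNAME in that filter is user-controlled input, so whatever substitutes it has to escape the RFC 4515 metacharacters, or a crafted login name changes which entries the filter matches. The Python below is an added example for this page, not code from OAM or from the slides: it builds the slide's filter with the login name escaped, and runs a deliberately minimal AND-filter matcher (an illustration, not an LDAP library) over constructed sample entries to show the difference between the escaped and the naive substitution. The group DN is the one from the slide; the sample users are made up.

```python
"""Build the OAM KEY_LDAP_FILTER from the slide with the login name escaped per RFC 4515.

Added example, not from the original slides. The matcher supports only
(&(attr=value)(attr=value)...) filters and exists to show the effect of
escaping; DIRECTORY is constructed sample data.
"""
import re

GROUP_DN = "cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com"  # group from the slide

# RFC 4515 section 3: these must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_sso_filter(username: str, group_dn: str = GROUP_DN) -> str:
    """The slide's KEY_LDAP_FILTER with KEY_USERNAME substituted safely."""
    return f"(&(uid={escape_filter_value(username)})(isMemberOf={group_dn}))"


def build_sso_filter_unsafe(username: str, group_dn: str = GROUP_DN) -> str:
    """Naive substitution, kept only to show what goes wrong."""
    return f"(&(uid={username})(isMemberOf={group_dn}))"


# --- minimal evaluator: AND of simple items, '*' is a wildcard, \XX is a literal byte ---

def _value_to_regex(value: str) -> str:
    """Translate a filter value into an anchored regex."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3] or ""):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))  # escaped byte: literal
            i += 3
        elif value[i] == "*":
            parts.append(".*")  # unescaped star: substring wildcard
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return "^" + "".join(parts) + "$"


_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def matches(filter_str: str, entry: dict) -> bool:
    """True if every (attr=value) item of an AND filter matches the entry (case-insensitive)."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("this illustration only evaluates (&...) filters")
    for attr, value in _ITEM.findall(filter_str[2:-1]):
        stored = entry.get(attr, [])
        stored = [stored] if isinstance(stored, str) else stored
        if not any(re.match(_value_to_regex(value), s, re.IGNORECASE) for s in stored):
            return False
    return True


DIRECTORY = [  # constructed entries; isMemberOf is the virtual attribute OUD computes
    {"uid": "jdoe", "isMemberOf": [GROUP_DN]},
    {"uid": "asmith", "isMemberOf": []},
    {"uid": "svc_batch", "isMemberOf": [GROUP_DN]},
]


def search(filter_str: str, directory: list = DIRECTORY) -> list:
    """Sorted uids of the entries the filter matches."""
    return sorted(e["uid"] for e in directory if matches(filter_str, e))


if __name__ == "__main__":
    print(search(build_sso_filter("jdoe")))       # only jdoe
    print(search(build_sso_filter("*")))          # nobody has the literal uid "*"
    print(search(build_sso_filter_unsafe("*")))   # every member of the allowed group
```

The escaped filter only ever matches the literal login name; the naive one lets a login of "*" match every member of ebs_sso_allowed_users. Whichever component performs the substitution in your deployment, verify in the OUD access log (filter="..." on the SEARCH REQ line) that metacharacters arrive escaped.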
  • 51. Overview
    • Performance is a feature.
    • Overall the OUD performance is good.
    • The more memory you configure, the more of the data fits into the cache.
    • Always try to apply the latest PSU bundle patch. Many performance related bugs are resolved per the change log in every bundle.
    • Real problems may only start when the data size reaches hundreds of thousands of entries, e.g. 400 000 user accounts.
  • 52. Indexes
    • By default OUD does not index most of the common OID attributes.
    • Example: the DIP ApplicationToOID profile does a Root DN sub-search for entries with the required orclGUID, to confirm the entry exists.
    • With large directories this can spin the CPU a lot. The attribute can be indexed:
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-local-db-index --element-name userRoot --index-name orclguid --set index-type:equality
      $ rebuild-index -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -b "dc=example,dc=com" -i orclguid
    • If the DIP bootstrap has synchronized a huge number of new user accounts (e.g. from an external directory), a full index rebuild is highly recommended:
      $ rebuild-index -b "dc=example,dc=com" --rebuildAll
  • 53. Root DN based search
    • Same use case: DIP ApplicationToOID.
      $ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "" "(orclguid=XXXXXXXXXXXXXXXXXXXXXX)" "*"
    • OUD will also look into "cn=changelog", as it treats it as a non-hidden naming context.
    • This is how OUD works.
    • Recommendation: evaluate the data size and give the instance enough memory to cache as much as possible.
      ▪ https://blogs.oracle.com/sduloutr/entry/oud_external_change_log_and
      ▪ OUD - Bad Performance of a Subtree Search on the Root DSE if the External Changelog is Enabled (Doc ID 1676998.1)
    • With PTA, the external proxy workflow element is searched as well.
  • 54. Data cache tuning
    • If your LDAP data is 1 GB in size, you can give the OUD instance 2 GB of memory and set the data cache to 50 % of it.
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password set-workflow-element-prop --element-name userRoot --set db-cache-percent:50
    • Cache as much as possible!
  • 55. Summary
    • OUD is an interesting lightweight product.
    • Hard to say whether it is better or worse than OID. Both OUD and OID have their own pros and cons.
    • OUD is the replacement product. OID is going away soon (Dec 2018 / Dec 2021).
    • Compared to 11gR1, where OUD was not usable at all for the main integration use cases, it is now more or less ready, with the nuances mentioned.
    • Simplified setup and configuration.
    • It takes time to tune everything. Let us be patient. There is potential.
  • 56. THANK YOU. Q & A