© Tieto Corporation
Public
Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Business Suite R12.2.5
Andrejs Karpovs
Andrejs Prokopjevs
About: Andrejs K.
• Lead Oracle Apps DBA / Architect
• In Oracle DB/Middleware/EBS since 2008
• Works at Tieto
• Oracle Certified Master 11g
• Oracle ACE
• Speaker at worldwide conferences
  • UKOUG since 2011
  • COLLABORATE since 2014
  • OUGH, UKOUG_IRE
• Social media
  • Twitter: @AndrejsKarpovs
  • Blog: adbaday.wordpress.com
About: Andrejs P.
Apps DBA from Riga, Latvia.
Speaking SQL since 2001.
In Oracle world since 2004.
“In love” with Oracle EBS since 2006.
Andrejs Prokopjevs
Lead Applications Database Consultant
At Pythian since 2011
@aprokopjevs
prokopjevs@pythian.com
https://www.pythian.com/blog/author/prokopjevs/
Background: Theory
Clearing out the alphabet soup :)
https://docs.oracle.com/middleware/11119/core/INOIM/under_install.htm#INOIM1024
(Component diagram on the slide; only the label OHS survived extraction.)
Integration Architecture w/ E-Business Suite 11i/R12.1
(Architecture diagram; the directory component shown is Oracle Virtual Directory.)
Integration Architecture w/ E-Business Suite R12.2
(Architecture diagram; the directory component shown is Oracle Unified Directory or OID.)
Oracle Unified Directory: Brief description
• LDAP v3 (Sun iPlanet Directory heritage)
• Unified Directory Services Solution
  • Storage
  • Directory Server
  • Proxy
  • Virtualization
  • Virtual directory view of the different repositories
  • Routes data to and from the repositories
  • Replication
  • Load Balancing
• OUD, OVD and DIP are part of ODS Plus
• Developed entirely in Java
• Embeds a Java database (Oracle Berkeley DB Java Edition), so no extra Oracle DB is needed
Oracle Unified Directory: Replication and High Availability
(Replication topology diagram not preserved in the text.)
Main differences
OUD:
• Clustering concept: multiple local DBs replicate data within replication groups
• Runtime: Java
• Tools: no ldapadd anymore, use "ldapmodify --defaultAdd"
• Backup: no PITR; full or incremental backups initiated by the “backup” utility
• SSL: all Java requirements apply, such as JKS keystores
OID:
• Clustering concept: multiple instances connect to a single Oracle DB
• Runtime: C
• Tools: ldapadd, ldapmodify, ldapdelete and more
• Backup: leverages all Oracle Database backup and recovery features
• SSL: no special requirements or associated complications
Implementation w/ E-Business Suite
Required Software Overview
• E-Business Suite R12.2.5+ (FMW 11.1.1.9, R12.AD.C.7+, patches 22098300, 21229697, 24008856)
• Oracle Directory Integration Platform 11g Release 1 Patch Set 7 (11.1.1.9) for Oracle Fusion Middleware Identity Management
• Oracle Unified Directory 11g Release 2 Patch Set 3 (11.1.2.3)
• Oracle Directory Services Manager (ODSM) 11.1.2.3
  • Weblogic Server 11g (10.3.6)
  • Oracle ADF 11.1.1.9
• Oracle Access Manager 11.1.2.3
  • Weblogic Server 11g (10.3.6)
  • Repository Creation Utility 11.1.1.9
Installation and Configuration Architecture
(Architecture diagram not preserved in the text.)
Documentation: Best Sources
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11gR2 (Doc ID 2003483.1)
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
• Oracle® Fusion Middleware Installation Guide for Oracle Identity Management
  • https://docs.oracle.com/middleware/11119/core/INOIM/under_install.htm#INOIM1024
OUD Integration Steps: Configure OUD
$ echo "welcome1" > /tmp/oud_pwd
$ ./oud-setup --cli \
  --hostName myoud.domain.com --ldapPort 1389 --ldapsPort 1636 \
  --adminConnectorPort 4461 \
  --rootUserDN "cn=directory manager" --rootUserPasswordFile /tmp/oud_pwd \
  --generateSelfSignedCertificate --enableStartTLS \
  --baseDN dc=example,dc=com \
  --integration generic \
  --serverTuning 512m --offlineToolsTuning 512m \
  --no-prompt
• The “generic” integration option allows you to complete the integration for EBS by creating the necessary naming context.
OUD Integration Steps: Configure Naming Context
• Very important: if this step is skipped, it causes issues at later stages
• https://docs.oracle.com/cd/E52734_01/oud/OUDAG/eus.htm#BABGJFEE
• Locate the LDIF template file at OUD_instance_dir/config/EUS/modifyRealm.ldif
• Edit and replace as per your configuration:
  • dc=example,dc=com
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f modifyRealm.ldif
OUD Integration Steps: Further configuration
• Enable the External Change Log
$ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 -b dc=example,dc=com --trustAll --no-prompt
$ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 -b cn=oraclecontext --trustAll --no-prompt
• Enforce Unique UID Attribute
$ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" --set enabled:true
$ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" --set base-dn:ou=people,dc=example,dc=com
• Configure DIP for OUD
$ $ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost localhost -ldapport 1389 -ldapuser "cn=directory manager" -isldapssl false -ldapadminport 4461
• Add Access Control Instructions for OUD
  • See MOS note for instructions
OUD Integration Steps: Registration w/ EBS
• Start EBS Online Patching Cycle (adop phase=prepare)
• Run all the actions against patch_fs
• Registration script
  • $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes -ldapadminuser="cn=directory manager"
• Update EBS Profile Options
  • Applications SSO Enable OID Identity: Enabled
  • Applications SSO Type: SSWA w/SSO
  • Applications SSO Auto Link User: Enabled
• Autoconfig
• Cutover
• Side note: You can do this in hot mode - directly on run
• Multi-node: This isn’t required to be executed on all nodes as stated in the documentation.
OAM Integration Steps: Registration w/ EBS
• Start EBS Online Patching Cycle (adop phase=prepare)
• Run all the actions against patch_fs
• Install WebGate
  • $FND_TOP/bin/txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=/path/to/extracted/stage (where Disk1 is extracted)
• Recommendation: Apply WebGate patches now
  • $PATCH_BASE/FMW_Home/Oracle_OAMWebGate1
• Deploy AccessGate
  • perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -deployApps=accessgate
• Register OAM
  • $FND_TOP/bin/txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
• Autoconfig
• Cutover
OAM Integration Steps: Registration w/ EBS (II)
• Side note: You can do this in hot mode too - directly on run.
• But beware of Bug 19817016 !!!
  • oaea_server1 (AccessGate) port conflict between run and patch during the fs_clone.
• Solution:
  • Stop oaea_server1.
  • Run fs_clone.
  • Restart oaea_server1.
  • Next fs_clone executions will not have this conflict anymore.
Issues faced while implementing OUD
Issue #1: Configure Naming Context
• OUD_instance_dir/config/EUS/modifyRealm.ldif
• Documentation bug: the file lives under ORACLE_HOME, not under the instance directory
$ ls -l $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
ls: cannot access /u01/app/oracle/product/fmw11g_oud/instances/OUD_instance/config/EUS/modifyRealm.ldif: No such file or directory
$ ls -l $ORACLE_HOME/config/EUS/modifyRealm.ldif
-rw-r-----. 1 oracle oinstall 1608 Nov 15 2013 /u01/app/oracle/product/fmw11g_oud/Oracle_OUD1/config/EUS/modifyRealm.ldif
$
• What does it fix?
# cn=Common,cn=Products,cn=OracleContext
orclSubscriberSearchBase: dc=com
orclSubscriberNickNameAttribute: dc
orclDefaultSubscriber: dc=example,dc=com
# cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
orclCommonUserSearchBase: ou=people,dc=example,dc=com
orclCommonGroupSearchBase: ou=groups,dc=example,dc=com
• Side note: Handled automatically in 11.1.2.3.161018
Issue #2: No Subscriber found
• Let’s query the naming context we created.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
dn: cn=OracleContext,dc=example,dc=com
$
• Where is my naming context base entry?
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s base "(objectclass=*)" "dn"
SEARCH operation failed
Result Code: 32 (No Such Entry)
Additional Information: The entry dc=example,dc=com specified as the search base does not exist in the Directory Server
$
Issue #2: Fix
• Add the missing naming context base entry.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: dc=example,dc=com
orclversion: 90600
dc: example
orclsubscriberfullname: example
objectClass: top
objectClass: domain
objectClass: orclSubscriber
aci: (targetattr != "userpassword || authpassword || aci") (version 3.0; acl "Anonymous read access to dc=example, dc=com"; allow (read,search,compare) userdn = "ldap:///anyone";)
$
• Optional: the aci attribute above is an example of read-only permission for non-super-user access (password attributes excluded); note that it grants that read access to anonymous binds.
Issue #3: User and Group Base DNs
• Let’s query the naming context again.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
dn: cn=OracleContext,dc=example,dc=com
$
• Where are my user and group base DNs?
• Fix (the blank line separates the two entries in LDIF input):
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
$
Issue #4: Write permissions for DIP profiles
• Documentation states that we need to apply these ACIs
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
• But DIP runtime still fails on writes
• The DIP profiles actually run as application DNs that are members of “odipgroup”, which the documented ACIs do not cover
Issue #4: Fix
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
• Still an open issue with OID BUNDLE PATCH 11.1.1.9.160719
Issue #5: OUD restrictions on unindexed search
• OUD restricts when a non-super-user is allowed to perform unindexed searches
• None of the Oracle-specific attributes are indexed, unlike in OID
• Example:
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com' Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com'" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
Issue #5: Fix
• Fix: grant the privilege to the DIP application DN that needs it.
ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd
dn: orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext
changetype: modify
add: ds-privilege-name
ds-privilege-name: unindexed-search
-
add: ds-privilege-name
ds-privilege-name: proxied-auth
Issue #6: cn=changelog data timeout
• By default, the replication purge delay in OUD is 1 day. Set it to at least 1 week.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n get-replication-server-prop --provider-name "Multimaster Synchronization" --advanced --property replication-purge-delay
Property : Value(s)
------------------------:---------
replication-purge-delay : 1 d
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n set-replication-server-prop --provider-name "Multimaster Synchronization" --set replication-purge-delay:1w
• Historical replication data retention can also be tuned
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -X -n \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name dc=example,dc=com --set conflicts-historical-purge-delay:7200m
Issues faced while implementing OAM
Issue #1: EBS registration
• txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
Successfully registered the WebGate with OAM
Copying registration artifacts to WebGate configuration directory
Automating the policy configurations...
*** Log File = /u01/prod/fs1/inst/apps/prod_ebsapp01/logs/appl/rgf/TXK/txkSetOAMReg_Wed_Nov_23_15_23_46_2016.xml
Failed while doing policy configurations
• In the log file this is the only actual information:
<class>oracle.apps.fnd.txk.oam.UserIdentityStoreConf</class>
<message>Test connection to identity server is failed. Please verify the settings and try again.</message>
<class>oracle.apps.fnd.txk.oam.RegisterOAM</class>
<message>Failed while updating the configurations in OAM console</message>
Issue #1: EBS registration (II)
• MOS reference
  • OAM Registration With EBS 12.2.4 Fails : ERRORMSG: Failed while automating policy configurations. (Doc ID 2186398.1)
  • States to check hosts / network and validate your LDAP directory connectivity from OAM, but our connection is fine.
• Only LDAP tracing helped
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
...
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
...
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
...
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
Issue #1: Fix
• The User Base DN and Group Base DN must each contain at least one user and one group. Otherwise the OAM registration fails during the User Identity Store creation.
ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: cn=testuser1,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: John
sn: Tester
cn: testuser1
uid: testuser1
userpassword: welcome1
mail: test@test.com

dn: cn=admins,ou=groups,dc=example,dc=com
cn: admins
objectClass: groupOfNames
objectClass: top
Issue #2: Config in User Identity Store
• Not an issue, actually. More a recommendation
  • User Filter Object Classes: person
  • Group Name Attribute: cn
  • Group Filter Classes: groupofnames
  • Inactivity Timeout (in seconds): 60
Unified Directory Features
Usage of SSL in DIP for LDAPS (I)
• OID 11.1.1.9 + DIP standard configuration handles the SSL configuration out-of-the-box. You can access OID over SSL by just changing the port field in Enterprise Manager.
• The hardened procedure for OUD requires extra DIP configuration
• Obtain the certificate
$ openssl s_client -connect myoud.domain.com:1636 -verify 5
verify depth is 5
...
Server certificate
-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
Usage of SSL in DIP for LDAPS (II)
• Create the keystore and configure it
$ keytool -importcert -trustcacerts -alias OUD -file /tmp/saved_base64_ssl_certificate.txt -keystore $ORACLE_INSTANCE/config/DIP_JKS/dip.jks
$ wlst.sh
> connect('weblogic', 'password','t3://localhost:7001')
> createCred(map="dip", key="jksKey", user="jksuser", password="changeit")
> exit()
$ $ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute keystorelocation -val /u01/app/oracle/product/fmw11g/dip_inst1/config/DIP_JKS/dip.jks
$ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D weblogic
$ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D weblogic
• For any external directory integration, a similar SSL trust certificate has to be imported into the DIP configured keystore
Usage of SSL in OUD for external LDAPS connections
• Same case
• Add external SSL trust certificates to the OUD keystore
$ keytool -importcert -trustcacerts -alias MY_EXTERNAL_LDAPS -file /tmp/saved_base64_ssl_certificate.txt -keystore $ORACLE_INSTANCE/OUD/config/keystore
External password plugins in OUD
• Use case: Active Directory – passwords are not synced directly by DIP
• OID has a cool feature – the external password plugin
  • A Java-based module which forwards BIND requests to external LDAP directories for authentication
• OUD does not have this kind of module; however:
  • OUD 11.1.2.2+
    • Pass Through Authentication (OUD PTA)
  • OUD 11.1.2.3+
    • On-Demand Password
    • Password Translate
• OUD / DIP Synchronization with Active Directory (Doc ID 1534241.1)
External password plugins in OUD: PTA (I)
• How it works:
  • You have your Local Naming Context dc=example,dc=com with user entries synced by DIP (no userpassword / orclpassword attributes).
  • You configure a new Proxy Workflow and mount the external LDAP Base DN.
  • A Workflow Element merges both sources and uses the local context as user provider and the external proxy context as authentication provider.
External password plugins in OUD: PTA (II)
• Configure OUD LDAP extension
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-extension \
  --type ldap-server \
  --extension-name proxy_extension_pta_ext_ldap \
  --set remote-ldap-server-read-only:true \
  --set remote-ldap-server-address:myad.example.com \
  --set remote-ldap-server-port:389 \
  --set remote-ldap-server-ssl-port:636 \
  --set remote-ldap-server-ssl-policy:always \
  --set ssl-trust-all:true \
  --set ssl-trust-manager-provider:JKS \
  --set enabled:true
External password plugins in OUD: PTA (III)
• Configure OUD Proxy Workflow elements
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element \
  --set client-cred-mode:use-specific-identity \
  --set enabled:true \
  --set ldap-server-extension:proxy_extension_pta_ext_ldap \
  --set remote-ldap-server-bind-dn:cn=system_user,ou=ad_system_accounts,dc=example,dc=com \
  --set remote-ldap-server-bind-password:password \
  --set remote-root-dn:cn=system_user,ou=system_accounts,dc=ad,dc=example,dc=com \
  --set remote-root-password:password \
  --type proxy-ldap \
  --element-name wf_element_auth_pta_ext_ldap
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element \
  --set auth-provider-workflow-element:wf_element_auth_pta_ext_ldap \
  --set enabled:true \
  --set user-provider-workflow-element:userRoot \
  --set pta-suffix:ou=people,dc=example,dc=com \
  --set pta-auth-suffix:ou=people,dc=example,dc=com \
  --set pta-user-suffix:ou=people,dc=example,dc=com \
  --type pass-through-authentication \
  --element-name wf_element_pta_ext_ldap
• userRoot is the workflow element of our default naming context created in OUD
External password plugins in OUD: PTA (IV)
• Configure OUD Proxy Workflow
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow \
  --workflow-name pta_ext_ldap_wf \
  --set base-dn:ou=people,dc=example,dc=com \
  --set enabled:true \
  --set workflow-element:wf_element_pta_ext_ldap
• Enable the new configuration (the workflow name must match the one just created)
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n set-network-group-prop \
  --group-name network-group \
  --set enabled:true \
  --add workflow:pta_ext_ldap_wf
External password plugins in OUD: PTA (V)
• Test the configuration by binding as a synced user
$ ldapsearch -h localhost -p 1389 -D "cn=user1,ou=people,dc=example,dc=com" -b "cn=user1,ou=people,dc=example,dc=com" -s base "(objectclass=*)" "orclSourceObjectDN"
Password for user 'cn=user1,ou=people,dc=example,dc=com':
dn: cn=user1,ou=people,dc=example,dc=com
orclSourceObjectDN: cn=user1,ou=People,dc=example,dc=com
• It works
On-Demand Password (I)
• Configure DIP plugin
$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost myad.example.com -ldapport 636 -ldapuser "cn=Directory Manager" -isldapssl true
• Create an attribute mapping rule using the Oracle Enterprise Manager Fusion Middleware Control (or cli)
On-Demand Password (II)
(No text content on this slide.)
On-Demand Password (III)
(No text content on this slide.)
On-Demand Password (IV)
• There used to be a mistake in the documentation
  • https://docs.oracle.com/middleware/11119/dip/administer/odip_sync_prof_confg.htm#OIMIG3331
Password Translate (I)
• Configure DIP plugin
  • $ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
  • Do not run if already run during the On-Demand setup
• Enable PasswordTranslation
  • $ORACLE_HOME/bin/dipConfigurator setupPasswordTranslation -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
Password Translate (II)
• Configure mapping attributes (same workflow as for the On-Demand option)
Password Translate (III)
• Didn’t succeed out of the box
  • Unrecognized token in attribute mapping rule "orclODIPTranslatePassword"
Password Translate (IV)
• Password Sync / Translate Using DIP 11gR2PS7 (11.1.1.9.0) shows "Unrecognized token in attribute mapping rule "xxxxx"" (Doc ID 2013518.1)
• None of the suggested fixes really worked
• Maybe another documentation bug, need to verify
OUD Access Log
• OUD has access log tracing similar to Apache.
• It tracks everything and YOU SHOULD LOVE IT!
• $ORACLE_INSTANCE/OUD/logs/access
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
[25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=domain,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=domain,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
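As an added example (not part of the slides), here is a small Python analyser for OUD access-log records in the format shown above. It correlates SEARCH REQ/RES pairs by (conn, op) and flags the two symptoms discussed earlier in the deck: result=50 refusals of unindexed searches (OUD Issue #5) and zero-entry sub-tree probes of the user and group bases (the OAM registration failure). The base DNs and the sample log lines are constructed from the deck's own examples.

```python
"""Added example: analyse OUD access-log lines for the failure patterns this
deck discusses. Not code from the slides; sample data is constructed."""
import re
from collections import Counter

# Constructed sample in the OUD access-log format shown on the slides.
SAMPLE_LOG = """\
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
[25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
[27/Apr/2016:01:25:45 -0700] SEARCH REQ conn=381168 op=514 msgID=515 base="ou=people,dc=example,dc=com" scope=sub filter="(orclguid=CONSTRUCTED)" attrs="ALL"
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
"""

# "[timestamp] KIND [REQ|RES] key=value key="quoted value" ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+)(?: (?P<dir>REQ|RES))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# LDAP result code 50 = insufficientAccessRights; OUD returns it when a
# non-root bind attempts an unindexed search without the privilege.
INSUFFICIENT_ACCESS = 50

# Assumed user/group base DNs (the deck's example naming context).
DEFAULT_BASES = ("ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com")


def parse_line(line):
    """Split one access-log line into a dict of fields; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind"), "dir": m.group("dir")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec


def analyze(log_text, bases=DEFAULT_BASES):
    """Pair SEARCH REQ/RES by (conn, op) and collect findings."""
    pending = {}  # (conn, op) -> request record awaiting its result
    findings = {"unindexed": [], "empty_bases": [], "result_codes": Counter()}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["kind"] != "SEARCH":
            continue
        key = (rec.get("conn"), rec.get("op"))
        if rec["dir"] == "REQ":
            pending[key] = rec
            continue
        req = pending.pop(key, {})
        code = int(rec.get("result", -1))
        findings["result_codes"][code] += 1
        if code == INSUFFICIENT_ACCESS:
            findings["unindexed"].append({
                "authzDN": rec.get("authzDN"),
                "base": req.get("base"),
                "filter": req.get("filter"),
                "ts": rec["ts"],
            })
        elif code == 0 and rec.get("nentries") == "0" and req.get("base", "").lower() in bases:
            # A successful sub-tree search of a base DN that holds nothing:
            # exactly what OAM sees during User Identity Store creation.
            findings["empty_bases"].append(req["base"])
    return findings


def summarize(findings):
    """Render findings as one-line recommendations matching the deck's fixes."""
    lines = []
    for f in findings["unindexed"]:
        lines.append(f"unindexed search refused for {f['authzDN']} on base {f['base']}: "
                     "grant ds-privilege-name unindexed-search to this DN, or index the filtered attribute")
    for base in findings["empty_bases"]:
        lines.append(f"{base} returned no entries: OAM registration needs at least one entry under it")
    return lines


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG)):
        print(line)
```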
Virtual Attributes
• An attribute which is more like a function
• The best example: isMemberOf
  • Is true if a user is a member of a defined group
• The most useful place to use it: LDAP filters
• Example:
  • OAM User Identity Store filter to allow only a specific group to access your EBS
  • KEY_LDAP_FILTER: (&(uid={KEY_USERNAME})(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))
OUD Java Parameter Management
• How Java parameters are managed for OUD (like memory)
  • $ORACLE_INSTANCE/OUD/config/java.properties
  • Contains the JDK home, parameters for the runtime, and parameters for offline tools such as ldapsearch
  • Once the changes are applied, execute dsjavaproperties, which applies all the changes to the executables
• Example
default.java-home=/u01/app/oracle/product/jdk/jre
start-ds.java-args=-Xms256m -Xmx512m -d64 -XX:+UseCompressedOops -server -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=55
Performance
Overview
• Performance is a feature :)
• Overall the OUD performance is very good
• The more memory you configure, the more of the data ends up in the cache
• Apply 11.1.2.3.161018. Many performance-related bugs are resolved per the change log; “isMemberOf” is the top mention.
• Some real problems may start only when your data size exceeds hundreds of thousands of entries, like 400 000 user accounts.
Indexes
• Use case: the DIP ApplicationToOID profile does a Root DN sub-search looking for entries with the required orclGUID, to confirm it exists
• With large directories it can spin the CPU a lot
• Can be indexed
dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-local-db-index --element-name userRoot --index-name orclguid --set index-type:equality
rebuild-index -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -b "dc=example,dc=com" -i orclguid
• If the DIP bootstrap synchronized a huge number of user accounts (e.g. from an external directory), a full index rebuild is highly recommended
rebuild-index -b "dc=example,dc=com" --rebuildAll
Root DN based search
• Same use case: DIP ApplicationToOID
ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "" "(orclguid=XXXXXXXXXXXXXXXXXXXXXX)" "*"
• OUD will also look into cn=changelog, as it interprets it as a non-hidden naming context.
• Fix: No fix. This is how OUD works
• Recommendation: evaluate the data size and configure enough memory to cache as much of it as possible.
  • https://blogs.oracle.com/sduloutr/entry/oud_external_change_log_and
  • OUD - Bad Performance of a Subtree Search on the Root DSE if the External Changelog is Enabled. (Doc ID 1676998.1)
Root DN based search (II)
• If you have an external directory using PTA, your search effort will be doubled, and the search also becomes dependent on the external directory.
• Root DN searches are processed by every Workflow Element enabled for the network group.
• Cache !
Data cache tuning
• If your LDAP data is 1 GB in size, you can configure your OUD instance with 2 GB memory and set the data cache to utilize 50 %
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password set-workflow-element-prop --element-name userRoot --set db-cache-percent:50
Summary
OUD Implementation Considerations
• OUD is an interesting lightweight product
• Hard to say if it’s better or worse than OID. Both OUD and OID have their own pros and cons
• OUD is the replacement product. OID is going away soon (Dec 2018 / Dec 2021).
• Compared to 11gR1, where OUD was not usable at all for Oracle stack integrations, it is now more or less ready. Of course, with the nuances mentioned.
• Simplified setup and configuration
• It takes time to tune everything. Let us be patient
PPTX
Fusion Applications Bare Metal Provisioning - Lessons Learned
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
OOW13: Next Generation Optimized Directory (CON9024)
Con9024 next generation optimized directory - oracle unified directory - final
Oracle Directory Services - Customer Presentation
Multiple ldap implementation with ebs using oid
TechEvent EUS, Kerberos, SSL and OUD
11g Identity Management - InSync10
Oracle Identity and access management overview
Oracle 11i OID AD Integration
Under the Hood 11g Identity Management
OID Install and Config
ASCC-site-report-123456430523fwje0fjewew
Oaug collaborate sadia_tahseen
EBS-endeca-technical-considerations
Odi installation guide
Oracle Enterprise Repository 11g - Quick Start Guide
R12 d49656 gc10-apps dba 03
TechEvent Oracle 18c New Security Features
Oracle App's DBA Training Noida Delhi NCR
Fusion Applications Bare Metal Provisioning - Lessons Learned

More from Andrejs Karpovs (7)

PPTX
Oracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and Administer
PDF
E-Business Suite Rapid Provisioning Using Latest Features Of Oracle Database 12c
PDF
Reducing Your E-Business Suite Storage Footprint Using Oracle Advanced Compre...
PDF
EBS on ACFS white paper
PPTX
Oracle cloud storage and file system
PPTX
Using ACFS as a Storage for EBS
PPTX
Optimizing E-Business Suite Storage Using Oracle Advanced Compression
Oracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and Administer
E-Business Suite Rapid Provisioning Using Latest Features Of Oracle Database 12c
Reducing Your E-Business Suite Storage Footprint Using Oracle Advanced Compre...
EBS on ACFS white paper
Oracle cloud storage and file system
Using ACFS as a Storage for EBS
Optimizing E-Business Suite Storage Using Oracle Advanced Compression

Recently uploaded (20)

PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Electronic commerce courselecture one. Pdf
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
Big Data Technologies - Introduction.pptx
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
NewMind AI Monthly Chronicles - July 2025
PPTX
Cloud computing and distributed systems.
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PDF
NewMind AI Weekly Chronicles - August'25 Week I
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
MYSQL Presentation for SQL database connectivity
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Electronic commerce courselecture one. Pdf
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Dropbox Q2 2025 Financial Results & Investor Presentation
The Rise and Fall of 3GPP – Time for a Sabbatical?
Unlocking AI with Model Context Protocol (MCP)
Big Data Technologies - Introduction.pptx
Chapter 3 Spatial Domain Image Processing.pdf
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Network Security Unit 5.pdf for BCA BBA.
Spectral efficient network and resource selection model in 5G networks
NewMind AI Monthly Chronicles - July 2025
Cloud computing and distributed systems.
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
NewMind AI Weekly Chronicles - August'25 Week I

Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Business Suite R12.2.5

10. Main differences: OUD vs OID

OUD
• Clustering concept: multiple local databases replicating data within replication groups
• Runtime: Java
• Tools: no ldapadd any more; use "ldapmodify --defaultAdd"
• Backup: no point-in-time recovery; full or incremental backups are initiated by the "backup" utility
• SSL: all the usual Java requirements, such as JKS keystores

OID
• Clustering concept: multiple instances connect to a single Oracle Database
• Runtime: C
• Tools: ldapadd, ldapmodify, ldapdelete and more
• Backup: leverages all Oracle Database backup and recovery features
• SSL: no special requirements or associated complications

12. Required Software Overview
• E-Business Suite R12.2.5+ (FMW 11.1.1.9, R12.AD.C.7+, patches 22098300, 21229697, 24008856)
• Oracle Directory Integration Platform 11g Release 1 Patch Set 7 (11.1.1.9) for Oracle Fusion Middleware Identity Management
• Oracle Unified Directory 11g Release 2 Patch Set 3 (11.1.2.3)
• Oracle Directory Services Manager (ODSM) 11.1.2.3
• WebLogic Server 11g (10.3.6)
• Oracle ADF 11.1.1.9
• Oracle Access Manager 11.1.2.3
• WebLogic Server 11g (10.3.6)
• Repository Creation Utility 11.1.1.9

13. Installation and Configuration Architecture (diagram)

14. Documentation: Best Sources
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11gR2 (Doc ID 2003483.1)
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
• Oracle Fusion Middleware Installation Guide for Oracle Identity Management
• https://docs.oracle.com/middleware/11119/core/INOIM/under_install.htm#INOIM1024

15. OUD Integration Steps: Configure OUD

    $ echo "welcome1" > /tmp/oud_pwd
    $ ./oud-setup --cli --hostName myoud.domain.com --ldapPort 1389 --ldapsPort 1636 \
        --adminConnectorPort 4461 --rootUserDN "cn=directory manager" \
        --rootUserPasswordFile /tmp/oud_pwd --generateSelfSignedCertificate --enableStartTLS \
        --baseDN dc=example,dc=com --integration generic \
        --serverTuning 512m --offlineToolsTuning 512m --no-prompt

• The "generic" integration option lets you complete the integration for EBS by creating the necessary naming context.
• Note: echo creates /tmp/oud_pwd with your default umask (usually readable by everyone on the host), and the same file is reused by every later dsconfig and ldapmodify call on these slides, so chmod 600 it right away and delete it after the last step.

16. OUD Integration Steps: Configure Naming Context
• Very important: skipping this step brings issues at later stages
• https://docs.oracle.com/cd/E52734_01/oud/OUDAG/eus.htm#BABGJFEE
• Locate the LDIF template file at OUD_instance_dir/config/EUS/modifyRealm.ldif (see Issue #1 below: the file is actually under the Oracle home, not the instance)
• Edit it and replace dc=example,dc=com with your own base DN, then apply it:

    $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f modifyRealm.ldif

17. OUD Integration Steps: Further configuration
• Enable the External Change Log:

    $ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 -b dc=example,dc=com --trustAll --no-prompt
    $ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 -b cn=oraclecontext --trustAll --no-prompt

• Enforce a unique uid attribute:

    $ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" --set enabled:true
    $ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" --set base-dn:ou=people,dc=example,dc=com

• Configure DIP for OUD:

    $ $ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost localhost -ldapport 1389 -ldapuser "cn=directory manager" -isldapssl false -ldapadminport 4461

• Add Access Control Instructions for OUD: see the MOS note for instructions (and Issue #4 below for the group the ACIs must actually name)

18. OUD Integration Steps: Registration with EBS
• Start the EBS online patching cycle (adop phase=prepare)
• Run all the actions against the patch file system (patch_fs)
• Registration script:

    $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes -ldapadminuser="cn=directory manager"

• Update the EBS profile options:
  • Applications SSO Enable OID Identity: Enabled
  • Applications SSO Type: SSWA w/SSO
  • Applications SSO Auto Link User: Enabled
• AutoConfig
• Cutover
• Side note: you can also do this in hot mode, directly on the run file system
• Multi-node: this isn't required to be executed on all nodes, as stated in the documentation

19. OAM Integration Steps: Registration with EBS
• Start the EBS online patching cycle (adop phase=prepare)
• Run all the actions against the patch file system (patch_fs)
• Install WebGate (the stage directory is where Disk1 is extracted):

    $FND_TOP/bin/txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=/path/to/extracted/stage

• Recommendation: apply the WebGate patches now, in $PATCH_BASE/FMW_Home/Oracle_OAMWebGate1
• Deploy AccessGate:

    perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -deployApps=accessgate

• Register OAM:

    $FND_TOP/bin/txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD

• AutoConfig
• Cutover

20. OAM Integration Steps: Registration with EBS (II)
• Side note: you can do this in hot mode too, directly on the run file system
• But beware of Bug 19817016: oaea_server1 (AccessGate) port conflict between the run and patch file systems during fs_clone
• Solution:
  • Stop oaea_server1
  • Run fs_clone
  • Restart oaea_server1
  • Subsequent fs_clone executions will not have this conflict any more

21. Issues faced while implementing OUD

22. Issue #1: Configure Naming Context
• The documentation points at OUD_instance_dir/config/EUS/modifyRealm.ldif, but the file lives under the Oracle home (documentation bug):

    $ ls -l $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
    ls: cannot access /u01/app/oracle/product/fmw11g_oud/instances/OUD_instance/config/EUS/modifyRealm.ldif: No such file or directory
    $ ls -l $ORACLE_HOME/config/EUS/modifyRealm.ldif
    -rw-r-----. 1 oracle oinstall 1608 Nov 15  2013 /u01/app/oracle/product/fmw11g_oud/Oracle_OUD1/config/EUS/modifyRealm.ldif

• What does it fix? It sets the subscriber and the user/group search bases in the Oracle context:

    # cn=Common,cn=Products,cn=OracleContext
    orclSubscriberSearchBase: dc=com
    orclSubscriberNickNameAttribute: dc
    orclDefaultSubscriber: dc=example,dc=com

    # cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
    orclCommonUserSearchBase: ou=people,dc=example,dc=com
    orclCommonGroupSearchBase: ou=groups,dc=example,dc=com

• Side note: handled automatically in 11.1.2.3.161018

23. Issue #2: No Subscriber found
• Let's query the naming context we created:

    $ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
    dn: cn=OracleContext,dc=example,dc=com

• Where is my naming context base entry?

    $ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s base "(objectclass=*)" "dn"
    SEARCH operation failed
    Result Code: 32 (No Such Entry)
    Additional Information: The entry dc=example,dc=com specified as the search base does not exist in the Directory Server

24. Issue #2: Fix
• Add the missing base entry as an orclSubscriber:

    $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
    dn: dc=example,dc=com
    orclversion: 90600
    dc: example
    orclsubscriberfullname: example
    objectClass: top
    objectClass: domain
    objectClass: orclSubscriber
    aci: (targetattr != "userpassword || authpassword || aci") (version 3.0; acl "Anonymous read access to dc=example, dc=com"; allow (read,search,compare) userdn = "ldap:///anyone";)

• The aci value is optional: userdn="ldap:///anyone" grants read, search and compare to every client, anonymous binds included, on all attributes except userpassword, authpassword and the aci itself. Leave it out if anonymous read of the user tree is not acceptable for you.

25. Issue #3: User and Group Base DNs
• Let's query the naming context again:

    $ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
    dn: cn=OracleContext,dc=example,dc=com

• Where are my user and group base DNs? They have to be created as well:

    $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
    dn: ou=people,dc=example,dc=com
    ou: people
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=groups,dc=example,dc=com
    ou: groups
    objectClass: top
    objectClass: organizationalUnit

26. Issue #4: Write permissions for DIP profiles
• The documentation states that we need to apply these ACIs:

    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
    -
    add: aci
    aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)

• But the DIP runtime still fails on writes
• The DIP profile DNs actually run as members of the "odipgroup" application group, which the documented ACIs do not name

27. Issue #4: Fix
• Grant the same rights to odipgroup:

    $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd
    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext";)
    -
    add: aci
    aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)

• Still an open issue with OID BUNDLE PATCH 11.1.1.9.160719

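To see why the documented ACIs are not enough, here is an added example (not from the slides and not Oracle code): a small Python parser for the ACI syntax used above and an evaluator that answers "does this bind DN, as a member of these groups, get this right on this entry?". It models only what the slides use (target, targetattr, allow/deny with groupdn/userdn subjects) and assumes every ACI sits on the naming-context root; the DIP profile DN and its group membership are constructed, and the acl names of the fix ACIs are suffixed here so the output tells the two sets apart.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One bind rule: effect ("allow"/"deny"), rights, subject kind ("groupdn"/"userdn"), normalised DN.
BindRule = Tuple[str, Set[str], str, str]
# What "all" expands to in the directory-server ACI model; proxy is never part of it.
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite"}
BIND_RULE_RE = re.compile(
    r'(allow|deny)\s*\(([^)]*)\)\s*(groupdn|userdn)\s*=\s*"\s*ldap:///([^"]*)"', re.IGNORECASE)


def norm_dn(dn: str) -> str:
    """Comparison key for a DN: trim whitespace around RDNs, lower-case everything."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Aci:
    name: str
    target: Optional[str]      # normalised DN the ACI is scoped to; None = no target keyword
    targetattr: Optional[str]  # raw targetattr expression; None = not restricted
    rules: List[BindRule]


def parse_aci(text: str) -> Aci:
    """Parse the ACI subset used on the slides: (target=)(targetattr=)(version 3.0; acl ""; rules)."""
    name = re.search(r'acl\s+"([^"]*)"', text)
    target = re.search(r'\(\s*target\s*=\s*"\s*ldap:///([^"]*)"\s*\)', text)
    targetattr = re.search(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', text)
    rules: List[BindRule] = []
    for effect, rights, kind, dn in BIND_RULE_RE.findall(text):
        rules.append((effect.lower(), {r.strip().lower() for r in rights.split(",")}, kind.lower(), norm_dn(dn)))
    return Aci(name.group(1) if name else "",
               norm_dn(target.group(1)) if target else None,
               targetattr.group(1) if targetattr else None, rules)


def _rule_grants(rights: Set[str], right: str) -> bool:
    return right in rights or ("all" in rights and right in ALL_RIGHTS)


def _subject_matches(kind: str, subject: str, bind_dn: str, member_of: List[str]) -> bool:
    if kind == "userdn":
        return subject == norm_dn(bind_dn)
    return subject in {norm_dn(g) for g in member_of}


def grants(acis: List[Aci], entry_dn: str, bind_dn: str, member_of: List[str], right: str) -> List[str]:
    """Names of the ACIs that allow `right` on `entry_dn` to `bind_dn`; empty list = denied.
    Model assumptions: every ACI sits on the naming-context root (no target = applies to the
    whole tree), only groupdn/userdn subjects are evaluated, and an explicit deny wins."""
    entry = norm_dn(entry_dn)
    allowed: List[str] = []
    for aci in acis:
        if aci.target is not None and entry != aci.target and not entry.endswith("," + aci.target):
            continue
        aci_allows = False
        for effect, rights, kind, subject in aci.rules:
            if not _rule_grants(rights, right) or not _subject_matches(kind, subject, bind_dn, member_of):
                continue
            if effect == "deny":
                return []
            aci_allows = True
        if aci_allows:
            allowed.append(aci.name)
    return allowed


# The ACIs exactly as the integration note documents them (grants to odisgroup and dipadmingrp).
DOCUMENTED_ACIS = [parse_aci(a) for a in (
    '(target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; '
    'allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext"; '
    'allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)',
    '(targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; '
    'allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; '
    'allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)',
)]
# The two extra ACIs from the fix slide, granting the same rights to odipgroup (acl names suffixed here).
FIX_ACIS = [parse_aci(a) for a in (
    '(target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions (odipgroup)"; '
    'allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext";)',
    '(targetattr="*")(version 3.0; acl "Attribute-level DIP permissions (odipgroup)"; '
    'allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)',
)]
# Constructed: the DN a DIP synchronisation profile binds as, and the group it is actually a member of.
DIP_PROFILE_DN = ("orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,"
                  "cn=directory integration platform,cn=products,cn=OracleContext")
DIP_PROFILE_GROUPS = ["cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"]


def dip_can_write(acis: List[Aci], entry_dn: str = "ou=people,dc=example,dc=com") -> bool:
    """Would the DIP profile be allowed to write under entry_dn with this ACI set?"""
    return bool(grants(acis, entry_dn, DIP_PROFILE_DN, DIP_PROFILE_GROUPS, "write"))


if __name__ == "__main__":
    print("documented ACIs only:", dip_can_write(DOCUMENTED_ACIS))             # False
    print("documented + fix    :", dip_can_write(DOCUMENTED_ACIS + FIX_ACIS))  # True
```

The DN comparison is case-insensitive on purpose: the slides spell the group's parent both as "Directory Integration platform" and "Directory Integration Platform", and that is not what breaks the write; what breaks it is that no rule names odipgroup at all.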
28. Issue #5: OUD restrictions on unindexed searches
• OUD refuses unindexed searches from non-super-users unless they hold the unindexed-search privilege
• None of the Oracle-specific attributes are indexed, unlike in OID
• Example from the access log:

    [27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com' Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com'" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0

29. Issue #5: Fix
• Grant the privileges to the DIP application DN that needs them:

    ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd
    dn: orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: unindexed-search
    -
    add: ds-privilege-name
    ds-privilege-name: proxied-auth

• Alternatively, index the attribute the profile searches on (see the Indexes slide at the end); an indexed search needs no privilege and also removes the CPU cost of the scan

30. Issue #6: cn=changelog data timeout
• By default the replication purge delay in OUD is 1 day; set it to at least 1 week:

    $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n get-replication-server-prop --provider-name "Multimaster Synchronization" --advanced --property replication-purge-delay
    Property                : Value(s)
    ------------------------:---------
    replication-purge-delay : 1 d
    $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n set-replication-server-prop --provider-name "Multimaster Synchronization" --set replication-purge-delay:1w

• Historical replication data retention can also be tuned:

    $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -X -n set-replication-domain-prop --provider-name "Multimaster Synchronization" --domain-name dc=example,dc=com --set conflicts-historical-purge-delay:7200m

• Note: -w puts the password on the command line, where other users on the host can read it from the process list; the -j /tmp/oud_pwd form used on the other slides avoids that

31. Issues faced while implementing OAM

32. Issue #1: EBS registration
• txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD fails:

    Successfully registered the WebGate with OAM
    Copying registration artifacts to WebGate configuration directory
    Automating the policy configurations...
    *** Log File = /u01/prod/fs1/inst/apps/prod_ebsapp01/logs/appl/rgf/TXK/txkSetOAMReg_Wed_Nov_23_15_23_46_2016.xml
    Failed while doing policy configurations

• In the log file this is the only actual information:

    <class>oracle.apps.fnd.txk.oam.UserIdentityStoreConf</class>
    <message>Test connection to identity server is failed. Please verify the settings and try again.</message>
    <class>oracle.apps.fnd.txk.oam.RegisterOAM</class>
    <message>Failed while updating the configurations in OAM console</message>

33. Issue #1: EBS registration (II)
• MOS reference: OAM Registration With EBS 12.2.4 Fails : ERRORMSG: Failed while automating policy configurations. (Doc ID 2186398.1)
• It says to check hosts/network and to validate LDAP connectivity from OAM, but our connection was fine
• Only LDAP tracing (the OUD access log) helped: the identity store test searches ou=people and ou=groups and gets zero entries back

    [25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
    ...
    [25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
    ...
    [25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
    ...
    [25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
    [25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
    [25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
    [25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0

34. Issue #1: Fix
• The user base DN and the group base DN must each contain at least one entry (one user, one group); otherwise the OAM registration fails while creating the User Identity Store

    ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
    dn: cn=testuser1,ou=people,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: top
    givenName: John
    sn: Tester
    cn: testuser1
    uid: testuser1
    userpassword: welcome1
    mail: test@test.com

    dn: cn=admins,ou=groups,dc=example,dc=com
    cn: admins
    objectClass: groupOfNames
    objectClass: top

• Remove the placeholder user (or at least its well-known password) once DIP has synchronised real accounts: an entry with a userpassword in this tree is a valid login to everything that trusts the directory, OAM included

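Issues #2 and #3 and this OAM issue are the same class of problem: the naming context is missing entries that the later steps silently assume exist. The following added example (not from the slides) is a Python pre-flight check that reads the LDIF printed by an ldapsearch over the base DN (assumed command: ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s sub "(objectclass=*)" dn objectClass) and lists which prerequisites are still missing. Both LDIF samples are constructed; no directory is contacted.

```python
# Added pre-flight check: parse ldapsearch LDIF output and report which naming-context
# prerequisites are missing (Issues #2, #3 and OAM Issue #1). Stdlib only, no directory access.
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values


def norm_dn(dn: str) -> str:
    """Comparison key for a DN: no whitespace around RDNs, lower-cased."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    base64 values ("attr:: ..."), skips comments and the version line."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:               # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not (line.startswith("#") or line.lower().startswith("version:")):
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


CHECK_MESSAGES = {
    "no-base-entry": "base entry missing (Issue #2: result code 32 on a base search)",
    "base-not-subscriber": "base entry is not an orclSubscriber (Issue #2: No Subscriber found)",
    "no-people-ou": "ou=people missing (Issue #3)",
    "no-groups-ou": "ou=groups missing (Issue #3)",
    "no-user": "no person entry under ou=people (OAM Issue #1: identity store test fails)",
    "no-group": "no groupOfNames entry under ou=groups (OAM Issue #1)",
}


def preflight(ldif_text: str, base_dn: str = "dc=example,dc=com") -> List[str]:
    """Codes of every prerequisite the directory content fails; empty list means ready."""
    by_dn = {norm_dn(e["dn"][0]): e for e in parse_ldif(ldif_text) if "dn" in e}
    people, groups = norm_dn("ou=people," + base_dn), norm_dn("ou=groups," + base_dn)

    def classes(entry: Entry):
        return {c.lower() for c in entry.get("objectclass", [])}

    def has_child(parent: str, objectclass: str) -> bool:
        return any(dn.endswith("," + parent) and objectclass in classes(e) for dn, e in by_dn.items())

    failed: List[str] = []
    base = by_dn.get(norm_dn(base_dn))
    if base is None:
        failed.append("no-base-entry")
    elif "orclsubscriber" not in classes(base):
        failed.append("base-not-subscriber")
    failed += [code for code, ok in (
        ("no-people-ou", people in by_dn),
        ("no-groups-ou", groups in by_dn),
        ("no-user", has_child(people, "person")),
        ("no-group", has_child(groups, "groupofnames")),
    ) if not ok]
    return failed


# Constructed: a freshly set up OUD where only cn=OracleContext exists (Issues #2 and #3).
FRESH_OUD_LDIF = """\
dn: cn=OracleContext,dc=example,dc=com
objectClass: top
objectClass: orclContext
"""

# Constructed: the directory after the fixes. The user DN is base64-encoded and the
# group's objectClass is folded over two lines, to exercise both LDIF features.
_USER_DN_B64 = base64.b64encode(b"cn=testuser1,ou=people,dc=example,dc=com").decode()
FIXED_OUD_LDIF = f"""\
version: 1
dn: dc=example,dc=com
objectClass: top
objectClass: orclSubscriber
dc: example

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit

dn:: {_USER_DN_B64}
objectClass: person
objectClass: inetOrgPerson
cn: testuser1

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOf
 Names
cn: admins
"""
```

Run preflight() on the output of your own ldapsearch before txkrun.pl SetOAMReg: every code it returns maps to one of the fixes above, and an empty list means the identity store test has something to find.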
35. Issue #2: Config in User Identity Store
• Not really an issue, more a recommendation for the OAM User Identity Store settings:
  • User Filter Object Classes: person
  • Group Name Attribute: cn
  • Group Filter Classes: groupofnames
  • Inactivity Timeout (in seconds): 60

37. Usage of SSL in DIP for LDAPS (I)
• OID 11.1.1.9 + DIP in standard configuration handles SSL out of the box: you can switch to the OID SSL port just by changing the port field in Enterprise Manager
• The hardened procedure in OUD requires extra DIP configuration
• Obtain the server certificate:

    $ openssl s_client -connect myoud.domain.com:1636 -verify 5
    verify depth is 5
    ...
    Server certificate
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -----END CERTIFICATE-----

38. Usage of SSL in DIP for LDAPS (II)
• Create the keystore and configure DIP to use it:

    $ keytool -importcert -trustcacerts -alias OUD -file /tmp/saved_base64_ssl_certificate.txt -keystore $ORACLE_INSTANCE/config/DIP_JKS/dip.jks
    $ wlst.sh
    > connect('weblogic', 'password', 't3://localhost:7001')
    > createCred(map="dip", key="jksKey", user="jksuser", password="changeit")
    > exit()
    $ $ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute keystorelocation -val /u01/app/oracle/product/fmw11g/dip_inst1/config/DIP_JKS/dip.jks
    $ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D weblogic
    $ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D weblogic

• The credential store entry (map "dip", key "jksKey") must hold the password of the keystore you created with keytool ("changeit" here); DIP reads it to open the JKS
• For any external directory integration, the same kind of SSL trust certificate has to be imported into the keystore DIP is configured with

39. Usage of SSL in OUD for external LDAPS connections
• Same case: add the external SSL trust certificates to the OUD keystore

    $ keytool -importcert -trustcacerts -alias MY_EXTERNAL_LDAPS -file /tmp/saved_base64_ssl_certificate.txt -keystore $ORACLE_INSTANCE/OUD/config/keystore

40. External password plugins in OUD
• Use case: Active Directory, where passwords are not directly synced by DIP
• OID has a handy feature, the external password plugin: a Java-based module that forwards BIND requests to external LDAP directories for authentication
• OUD does not have this kind of module; what it offers instead:
  • OUD 11.1.2.2+: Pass-Through Authentication (OUD PTA)
  • OUD 11.1.2.3+: On-Demand Password, Password Translate
• OUD / DIP Synchronization with Active Directory (Doc ID 1534241.1)

41. External password plugins in OUD: PTA (I)
• How it works:
  • You have your local naming context dc=example,dc=com with user entries synced by DIP (no userpassword / orclpassword attributes)
  • You configure a new proxy workflow and mount the external LDAP base DN
  • A workflow element merges both sources, using the local context as user provider and the external proxy context as authentication provider

42. External password plugins in OUD: PTA (II)
• Configure the OUD LDAP extension pointing at the external directory:

    $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-extension \
        --type ldap-server --extension-name proxy_extension_pta_ext_ldap \
        --set remote-ldap-server-read-only:true \
        --set remote-ldap-server-address:myad.example.com \
        --set remote-ldap-server-port:389 \
        --set remote-ldap-server-ssl-port:636 \
        --set remote-ldap-server-ssl-policy:always \
        --set ssl-trust-all:true \
        --set ssl-trust-manager-provider:JKS \
        --set enabled:true

• Caveat: ssl-trust-all:true makes OUD accept any certificate from the remote server, so anyone who can impersonate myad.example.com on the network receives the user passwords OUD forwards. With the AD certificate imported into the OUD keystore (previous slide), ssl-trust-manager-provider:JKS is sufficient and ssl-trust-all should be false

43. External password plugins in OUD: PTA (III)
• Configure the OUD proxy workflow elements (userRoot is the default naming context created in OUD):

    $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element \
        --type proxy-ldap --element-name wf_element_auth_pta_ext_ldap \
        --set client-cred-mode:use-specific-identity \
        --set enabled:true \
        --set ldap-server-extension:proxy_extension_pta_ext_ldap \
        --set remote-ldap-server-bind-dn:cn=system_user,ou=ad_system_accounts,dc=example,dc=com \
        --set remote-ldap-server-bind-password:password \
        --set remote-root-dn:cn=system_user,ou=system_accounts,dc=ad,dc=example,dc=com \
        --set remote-root-password:password

    $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element \
        --type pass-through-authentication --element-name wf_element_pta_ext_ldap \
        --set auth-provider-workflow-element:wf_element_auth_pta_ext_ldap \
        --set enabled:true \
        --set user-provider-workflow-element:userRoot \
        --set pta-suffix:ou=people,dc=example,dc=com \
        --set pta-auth-suffix:ou=people,dc=example,dc=com \
        --set pta-user-suffix:ou=people,dc=example,dc=com

44. External password plugins in OUD: PTA (IV)
• Configure the OUD proxy workflow:

    $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow \
        --workflow-name pta_ext_ldap_wf \
        --set base-dn:ou=people,dc=example,dc=com \
        --set enabled:true \
        --set workflow-element:wf_element_pta_ext_ldap

• Enable the new configuration by adding the workflow just created to the network group:

    $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n set-network-group-prop \
        --group-name network-group --set enabled:true --add workflow:pta_ext_ldap_wf

45. External password plugins in OUD: PTA (V)
• Verify: bind as a synced user (the password is checked against the external directory through PTA) and read its own entry

    $ ldapsearch -h localhost -p 1389 -D "cn=user1,ou=people,dc=example,dc=com" -b "cn=user1,ou=people,dc=example,dc=com" -s base "(objectclass=*)" "orclSourceObjectDN"
    Password for user 'cn=user1,ou=people,dc=example,dc=com':
    dn: cn=user1,ou=people,dc=example,dc=com
    orclSourceObjectDN: cn=user1,ou=People,dc=example,dc=com

• It works

46. On-Demand Password (I)
• Configure the DIP plugin:

    $ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost myad.example.com -ldapport 636 -ldapuser "cn=Directory Manager" -isldapssl true

• Create an attribute mapping rule using Oracle Enterprise Manager Fusion Middleware Control (or the CLI)

49. On-Demand Password (IV)
• There used to be a mistake in the documentation:
• https://docs.oracle.com/middleware/11119/dip/administer/odip_sync_prof_confg.htm#OIMIG3331

50. Password Translate (I)
• Configure the DIP plugin (do not run this again if it was already run during the On-Demand setup):

    $ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444

• Enable password translation:

    $ORACLE_HOME/bin/dipConfigurator setupPasswordTranslation -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444

51. Password Translate (II)
• Configure the mapping attributes (same workflow as for the On-Demand option)

52. Password Translate (III)
• Did not succeed out of the box:

    Unrecognized token in attribute mapping rule "orclODIPTranslatePassword"

53. Password Translate (IV)
• Password Sync / Translate Using DIP 11gR2PS7 (11.1.1.9.0) shows "Unrecognized token in attribute mapping rule "xxxxx"" (Doc ID 2013518.1)
• None of the suggestions there really worked
• Maybe another documentation bug; still to be verified

54. OUD Access Log
• OUD has access log tracing similar to Apache's
• It tracks everything, and you should love it
• Location: $ORACLE_INSTANCE/OUD/logs/access

    [25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
    [25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
    [25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
    [25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
    [25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
    [25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
    [25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
    [25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
    [25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=domain,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
    [25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
    [25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=domain,dc=com" scope=sub filter="(cn=*)" attrs="cn"
    [25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0

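Reading the access log by eye works for one connection; on a busy server you want the REQ/RES pairs correlated per connection. The added example below (not from the slides and not an Oracle tool) parses the line format above in Python and flags the conditions this presentation ran into (the OAM probe's zero-entry searches, the unindexed-search privilege failure, a missing search base) plus one generic detection, repeated invalid-credentials binds (result=49) from a single source address. The log excerpt is constructed from the lines on the slides; the orclguid value and the failed-bind connection are invented.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# "[timestamp] KIND [REQ|RES] key=value key="quoted value" ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<kind>[A-Z]+(?:\s+(?:REQ|RES))?)\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

Finding = Tuple[str, str, str]  # (code, who or source, base DN or count)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into timestamp, message kind and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind")}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def analyse(lines: Iterable[str], bind_fail_threshold: int = 3) -> List[Finding]:
    """Correlate REQ/RES pairs per connection and report the conditions the slides hit,
    plus repeated invalidCredentials (result=49) binds from one source address."""
    conns: Dict[str, Dict[str, str]] = {}                  # conn id -> source, bound DN
    pending: Dict[Tuple[str, str], Dict[str, str]] = {}    # (conn, op) -> SEARCH REQ fields
    failed_binds: Dict[str, int] = defaultdict(int)        # source IP -> result=49 count
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        conn, kind = rec.get("conn", "?"), rec["kind"]
        if kind == "CONNECT":
            conns[conn] = {"from": rec.get("from", "?"), "bind_dn": "anonymous"}
        elif kind == "BIND REQ":
            conns.setdefault(conn, {"from": "?"})["bind_dn"] = rec.get("dn", "anonymous")
        elif kind == "BIND RES" and rec.get("result") == "49":
            failed_binds[conns.get(conn, {}).get("from", "?").rsplit(":", 1)[0]] += 1
        elif kind == "SEARCH REQ":
            pending[(conn, rec.get("op", "?"))] = rec
        elif kind == "SEARCH RES":
            req = pending.pop((conn, rec.get("op", "?")), {})
            who = rec.get("authzDN") or conns.get(conn, {}).get("bind_dn", "?")
            base, result = req.get("base", "?"), rec.get("result")
            if result == "50" and "unindexed" in rec.get("message", "").lower():
                findings.append(("unindexed-search-denied", who, base))   # Issue #5
            elif result == "50":
                findings.append(("insufficient-access", who, base))
            elif result == "32":
                findings.append(("no-such-entry", who, base))            # Issue #2 symptom
            elif (result == "0" and rec.get("nentries") == "0" and req.get("scope") == "sub"
                  and req.get("filter") in ("(uid=*)", "(cn=*)")):
                findings.append(("empty-container", who, base))          # OAM Issue #1 symptom
    for src, count in failed_binds.items():
        if count >= bind_fail_threshold:
            findings.append(("bind-failures", src, str(count)))
    return findings


# Constructed log excerpt: the OAM identity-store probe from the slides, the Issue #5
# failure (filter value invented), and three failed binds from one external address.
SAMPLE_LOG = """\
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
[25/Nov/2016:13:50:36 +0200] UNBIND REQ conn=1940 op=3 msgID=4
[25/Nov/2016:13:50:36 +0200] DISCONNECT conn=1940 reason="Client Disconnect"
[27/Apr/2016:01:25:45 -0700] SEARCH REQ conn=381168 op=514 msgID=515 base="ou=people,dc=example,dc=com" scope=sub filter="(orclguid=0123456789ABCDEF)" attrs="dn"
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
[28/Apr/2016:09:00:01 +0200] CONNECT conn=5001 from=203.0.113.7:41000 to=10.10.10.160:1389 protocol=LDAP
[28/Apr/2016:09:00:01 +0200] BIND REQ conn=5001 op=0 msgID=1 type=SIMPLE dn="cn=testuser1,ou=people,dc=example,dc=com" version=3
[28/Apr/2016:09:00:01 +0200] BIND RES conn=5001 op=0 msgID=1 result=49 etime=2
[28/Apr/2016:09:00:02 +0200] BIND REQ conn=5001 op=1 msgID=2 type=SIMPLE dn="cn=testuser1,ou=people,dc=example,dc=com" version=3
[28/Apr/2016:09:00:02 +0200] BIND RES conn=5001 op=1 msgID=2 result=49 etime=2
[28/Apr/2016:09:00:03 +0200] BIND REQ conn=5001 op=2 msgID=3 type=SIMPLE dn="cn=testuser1,ou=people,dc=example,dc=com" version=3
[28/Apr/2016:09:00:03 +0200] BIND RES conn=5001 op=2 msgID=3 result=49 etime=2
"""

if __name__ == "__main__":
    for code, who, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{code:24} {who:60} {detail}")
```

Point it at $ORACLE_INSTANCE/OUD/logs/access (analyse(open(path)) works, since the function only iterates lines). The authzDN field, when present, is preferred over the bound DN because proxied operations, which is how DIP profiles run, are logged with the effective identity there.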
  • 55. Virtual Attributes
    • An attribute which behaves more like a function
    • The best example: isMemberOf
      • Is true if the user is a member of the given group
    • The most useful place to use it: LDAP filters
    • Example: OAM User Identity Store filter to allow only a specific group to access your EBS
      KEY_LDAP_FILTER: (&(uid={KEY_USERNAME})(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))
  • 56. OUD Java Parameter Management
    • How Java parameters (like memory) are managed for OUD
    • $ORACLE_INSTANCE/OUD/config/java.properties
    • Contains the JDK home, parameters for the runtime, and parameters for the offline tools, like the same ldapsearch
    • Once the file is changed, execute dsjavaproperties, which applies all the changes to the executables
    • Example:
      default.java-home=/u01/app/oracle/product/jdk/jre
      start-ds.java-args=-Xms256m -Xmx512m -d64 -XX:+UseCompressedOops -server -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=55
  • 58. Overview
    • Performance is a feature :)
    • Overall the OUD performance is very good
    • The more memory you configure, the more you get into the cache
    • Apply 11.1.2.3.161018. Many performance related bugs are resolved per the change log; “isMemberOf” is the top mention.
    • Some real problems may start only when your data size exceeds hundreds of thousands, like 400 000 user accounts.
  • 59. Indexes
    • Use case: the DIP ApplicationToOID profile does a Root DN sub-search looking for entries with the required orclGUID, to confirm it exists
    • With large directories it can spin the CPU a lot
    • Can be indexed:
      dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-local-db-index --element-name userRoot --index-name orclguid --set index-type:equality
      rebuild-index -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -b "dc=example,dc=com" -i orclguid
    • If DIP bootstrap synchronized a huge amount of user accounts (e.g. from an external directory), a full index rebuild is highly recommended:
      rebuild-index -b "dc=example,dc=com" --rebuildAll
  • 60. Root DN based search
    • Same use case: DIP ApplicationToOID
      ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "" "(orclguid=XXXXXXXXXXXXXXXXXXXXXX)" "*"
    • OUD will also look into cn=changelog, as it interprets it as a non-hidden naming context.
    • Fix: no fix. This is how OUD works.
    • Recommendation: evaluate the data size, and give the instance enough memory to cache as much as possible.
    • https://blogs.oracle.com/sduloutr/entry/oud_external_change_log_and
    • OUD - Bad Performance of a Subtree Search on the Root DSE if the External Changelog is Enabled (Doc ID 1676998.1)
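The access log format shown on the OUD Access Log slide is enough to find exactly the Root DSE subtree searches (base="" scope=sub) this slide warns about, together with the identity that ran them and their etime, plus failed binds as a bonus. This parser is an added example, not from the presentation; the log text is constructed in that format (conn=1941 with result=49 is a made-up failed bind) and the finding names are our own.

```python
import re

# Constructed sample in the OUD access log format: conn=1940 runs the Root DSE subtree search, conn=1941 fails to bind.
SAMPLE_LOG = """\
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="" scope=sub filter="(orclguid=XXXXXXXX)" attrs="*"
[25/Nov/2016:13:50:38 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=1 etime=1875
[25/Nov/2016:13:50:38 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:38 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:39 +0200] CONNECT conn=1941 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:39 +0200] BIND REQ conn=1941 op=0 msgID=1 type=SIMPLE dn="uid=jdoe,ou=people,dc=example,dc=com" version=3
[25/Nov/2016:13:50:39 +0200] BIND RES conn=1941 op=0 msgID=1 result=49 etime=2
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+(?: REQ| RES)?) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value optionally double-quoted

def parse_line(line):
    """Return (timestamp, record kind, {field: value}), or None for lines that are not access records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {key: inner if raw.startswith('"') else raw
              for key, raw, inner in KV_RE.findall(m.group('rest'))}
    return m.group('ts'), m.group('kind'), fields

def analyze(log_text):
    """Pair each RES with its REQ by (conn, op); return (finding, conn, detail, etime_ms) tuples."""
    pending, bound_as, findings = {}, {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, kind, f = rec
        key = (f.get('conn'), f.get('op'))
        if kind.endswith(' REQ'):
            pending[key] = f            # keep the request until its RES line arrives
        elif kind == 'BIND RES':
            req = pending.pop(key, {})
            if f.get('result') == '0':
                bound_as[f['conn']] = f.get('authDN', req.get('dn', ''))   # who this connection is
            else:
                findings.append(('failed_bind', f['conn'], req.get('dn', ''), int(f.get('etime', 0))))
        elif kind == 'SEARCH RES':
            req = pending.pop(key, {})
            if req.get('base') == '' and req.get('scope') == 'sub':        # Root DSE subtree search
                findings.append(('rootdse_subtree_search', f['conn'], bound_as.get(f['conn'], '<anonymous>'), int(f.get('etime', 0))))
    return findings
```

Run it against a real $ORACLE_INSTANCE/OUD/logs/access file to see how often DIP's Root DN lookups hit the instance and how long they take after cache tuning.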
  • 61. Root DN based search (II)
    • If you have an external directory using PTA, your search effort will be doubled, and it will also become dependent on the external directory.
    • Root DN searches are processed by every Workflow Element enabled for the network group.
    • Cache!
  • 62. Data cache tuning
    • If your LDAP data is 1 GB in size, you can configure your OUD instance with 2 GB of memory and set the data cache to utilize 50 %:
      $ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password set-workflow-element-prop --element-name userRoot --set db-cache-percent:50
  • 64. OUD Implementation Considerations
    • OUD is an interesting lightweight product
    • Hard to say if it’s better or worse than OID. Both OUD and OID have their own pros and cons
    • OUD is the replacement product. OID is going away soon (Dec 2018 / Dec 2021).
    • Compared to 11gR1, where OUD was not usable at all for Oracle stack integrations, it is now more or less ready. Of course, with some nuances mentioned.
    • Simplified setup and configuration
    • It takes time to tune everything. Let us be patient