12 Understanding Oracle Unified Directory Mapping

This chapter describes Oracle Unified Directory mapping and includes the following topics:

12.1 An Overview of Identity Mappers

Identity Mappers are responsible for establishing a mapping between an identifier string provided by a client, and the entry for the user that corresponds to that identifier. Identity Mappers are used to process several SASL mechanisms to map an authentication ID (for instance, a Kerberos principal when using GSSAPI) to a directory user. They are also used when processing requests with the proxied authorization control.

Oracle Unified Directory supports multiple SASL identity mappers. For example, you can define Identity Mapper1 for a user xyz and Identity Mapper2 for the remaining users. This is beneficial when using GSSAPI where users with different domains, such as @example.com and @oracle.com require different identity mappers.

Oracle Unified Directory also provides support for an identifier string that is a bind ID and not a DN. However, this is applicable for simple binds only. The key idea is that a client should be able to specify any attribute in the simple bind that is allowed by the corresponding Identity Mapper. Consider the following examples:

ldapsearch -D "user@example.com" -w password -b "" objectclass=*

In this example, bind ID is the e-mail ID of the user.

12.2 Supported Identity Mappers

The following Identity Mappers are available in the server:

12.2.1 Exact Match Identity Mapper

The Exact Match Identity Mapper maps an identifier string to a user entry by searching for the entry containing a specified attribute whose value is the provided identifier. For example, the user name provided by the client for DIGEST-MD5 authentication must match the value of the uid attribute. Note that this attribute must be specified in the identity mapper configuration.

This is primarily used in simple binds and all SASL binds except GSSAPI.

12.2.2 Match And Replace Identity Mapper

The Match And Replace Identity Mapper provides a way to use a regular expression to translate the provided identifier when searching for the appropriate user entry.

This may be used, for example, if the provided identifier is expected to be an e-mail address or Kerberos principal, but only the user name (the part preceding the @ symbol) should be used in the mapping process. Note that a replacement is made only if all or part of the provided ID string matches the given match pattern. If no part of the ID string matches the provided pattern, the given ID string is used without any alteration.

This is primarily used in GSSAPI binds.

12.3 Components of Identity Mappers

The following components have a direct aggregation relation to Identity Mappers:

12.3.1 Global Configuration

The Global Configuration contains properties that affect the overall operation of the Oracle Unified Directory.

12.3.2 Network Group

The Network Group is used to classify incoming client connections and route requests to workflows.

12.4 Configuring Identity Mappers

Identity Mappers are configured at the following instances:

  • Network Group

  • Global Configuration

To summarize, each Network Group has one or more Identity and Certificate mappers, which are used to map identities specific to that network group. If an identity or certificate mapper is not defined at the network-group level, then a global identity mapper is used as the default setting.

This section contains the following topics:

12.4.1 Configuring Global Identity Mappers

Identity mappers are configured by default at the global level. However, if you want to configure an identity mapper globally, then run the following command:

dsconfig set-global-configuration-prop --add "generic-identity-mapper:Exact Match"

The preceding command is based on the assumption that the Exact Match identity mapper already exists. This identity mapper is provided by default in the configuration.

12.4.2 Configuring Network Group Identity Mappers

For an existing default network group called network-group configure the generic-identity-mapper as follows:

dsconfig set-network-group-prop --group-name network-group --set "generic-identity-mapper:Exact Match"

The preceding command is based on the assumption that the Exact Match identity mapper already exists. This identity mapper is provided by default in the configuration.

12.5 Selecting Identity Mappers

Normally, one identity mapper is defined per network group. The generic-identity-mapper defines an identity mapper that applies to all but GSSAPI binds. The gssapi-identity-mapper defines the one that applies to GSSAPI binds only.

As described earlier, the exact match and match and replace identity mappers are generally used as generic-identity-mapper and gssapi-identity-mapper respectively. However, you can select a different combination based on your requirement.

12.6 Ordering Identity Mappers

An identity mapper is selected based on the regex pattern; therefore there is a possibility that a conflict might arise when multiple identity mappers are defined. So, it becomes imperative to define the order in which identity mappers are evaluated in the network group.

You can define priorities for the conflicting identity mappers to resolve this conflict. If a conflict arises, the identity mapper with the lowest priority is selected and used for mapping. If identity mappers have equal priority, then the behavior is undefined.

Run the following command to define priority:

dsconfig -h hostname -p admin_port -D USER set-identity-mapper-prop --mapper-name "Exact Match" --set "priority:2"

A lower priority value implies higher priority. Priority for network groups is also determined in a similar fashion.