Before You Begin
This 15-minute tutorial shows you how to configure and verify the HideEntriesByFilter Workflow Element (WFE) for Oracle Unified Directory 12c (12.2.1.4.0). This demonstrates how to transition HideEntriesByFilter functionality from OVD 11g to OUD 12c.
Background
The HideEntriesByFilter workflow element enables you to control in fine detail which entries are returned for particular searches, using its ldap-filter, ldap-url, and excluded-ldap-url configuration parameters. In other words, this workflow element lets you explicitly control which entries are returned.
What Do You Need?
- An environment with:
  - At least 16 GB of physical memory
  - Oracle Enterprise Linux 6.6 or later with access to the Internet
  - A basic understanding of Linux
This tutorial assumes that you have already installed and configured the following:
- Oracle Unified Directory 12c (12.2.1.4.0) (OUD)
- The ovdoud_hebf.ldif sample data should be loaded to this OUD instance.
This OBE assumes that the following environment variables are defined:
    OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
    OUD_INSTANCES=/u01/app/oracle/config/oud_instances
Configure Hide Entries By Filter Workflow Element
1. Navigate to the OUD_ORACLE_HOME directory, where the Oracle Unified Directory software is installed. Run the oud-setup utility from the command line to set up an Oracle Unified Directory server instance.
    # cd $OUD_ORACLE_HOME
    # export INSTANCE_NAME=../../config/oud_instances/oud_hebf
    # ./oud-setup -i -n -p 1389 \
       -D "cn=Directory Manager" \
       -j ~/pwd.txt \
       -b dc=example,dc=com \
       --adminConnectorPort 4444 \
       -l ~/ovdoud_hebf.ldif
   Note: The file /home/oracle/pwd.txt should contain the password that you want to assign to your OUD Administrator.
   The output should look similar to this:
    Oracle Unified Directory 12.2.1.4.0
    Please wait while the setup program initializes...
    Creating instance directory /u01/app/oracle/config/oud_instances/oud_hebf/OUD.....Done.
    See /u01/app/oracle/config/oud_instances/oud_hebf/OUD/logs/oud-setup for a detailed log of this operation.
    Configuring Directory Server ..... Done.
    Importing LDIF file /home/oracle/ovdoud_hebf.ldif ........
    Processed 15 entries, imported 15, skipped 0, rejected 0 and migrated 0 in 0 seconds (average rate 15.8/sec)
    Starting Directory Server ........ Done.
    To see basic server configuration status and configuration you can launch /u01/app/oracle/config/oud_instances/oud_hebf/OUD/bin/status
2. Create the HideEntriesByFilter workflow element, using the dsconfig command with the following key parameters:
   - enabled: true
   - workflow element: hebf
   - ldap-filter: (|(uid=bandrews)(uid=sjones)) (this parameter defines the filter you will apply to your search)
   - type: hide-entries-by-filter
   - next-workflow-element: userRoot
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./dsconfig -X -n create-workflow-element \
       --set enabled:true \
       --set next-workflow-element:userRoot \
       --set ldap-filter:"(|(uid=bandrews)(uid=sjones))" \
       --type hide-entries-by-filter \
       --element-name hebf \
       --hostname host.example.com \
       --port 4444 \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --bindPasswordFile ~/pwd.txt \
       --no-prompt \
       --trustAll
3. Create a generic workflow HEBF-workflow and assign the hebf workflow element to it.
    # ./dsconfig -X -n create-workflow \
       --workflow-name HEBF-workflow \
       --set enabled:true \
       --set base-dn:dc=example,dc=com \
       --set workflow-element:hebf \
       --type generic \
       --hostname host.example.com \
       --port 4444 \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --bindPasswordFile ~/pwd.txt \
       --no-prompt \
       --trustAll
4. Configure the network group and assign to it the HEBF-workflow workflow created in the previous step.
    # ./dsconfig -X -n set-network-group-prop \
       --group-name network-group \
       --set workflow:HEBF-workflow \
       --hostname host.example.com \
       --port 4444 \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --bindPasswordFile ~/pwd.txt \
       --no-prompt \
       --trustAll
5. Fetch the values of all the properties of the hebf workflow element using the dsconfig utility. Notice in the output that, by default, the value of the apply-for-admin flag is set to false for this workflow element.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./dsconfig -X -n get-workflow-element-prop \
       --element-name hebf \
       --hostname host.example.com \
       --port 4444 \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --bindPasswordFile ~/pwd.txt \
       --no-prompt \
       --trustAll
   The output should look similar to this:
Verify Operation of the HideEntriesByFilter Workflow Element With ldap-filter
1. Launch a terminal window as oracle and enter the following LDAP search command to list the user entries from the OUD server instance. The ldap-filter with the value (|(uid=bandrews)(uid=sjones)) is not active for this OUD instance, since the current value of the apply-for-admin flag is false. Hence the ldapsearch command lists all the user entries of the OUD instance.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./ldapsearch -h localhost \
       -p 1389 \
       -D cn="Directory Manager" \
       -j ~/pwd.txt \
       -b dc=example,dc=com \
       -s sub "(objectclass=*)"
   The output should look similar to this:
   Unfiltered Output
2. Execute the dsconfig command to set the value of the apply-for-admin flag to true in this hebf Hide Entries By Filter workflow element.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./dsconfig -X -n set-workflow-element-prop \
       --advanced --element-name hebf \
       --set apply-for-admin:true \
       --hostname host.example.com \
       --port 4444 \
       --bindPasswordFile ~/pwd.txt \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --no-prompt \
       --trustAll
3. Enter the following LDAP search command to list the user entries from the OUD server instance. The ldap-filter with the value (|(uid=bandrews)(uid=sjones)) is now active for this OUD instance, since the current value of the apply-for-admin flag is true. Hence the ldapsearch command lists only the user entries matching the filter value.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./ldapsearch -h localhost \
       -p 1389 \
       -D cn="Directory Manager" \
       -j ~/pwd.txt \
       -b dc=example,dc=com \
       -s sub "(objectclass=*)"
   The output should look similar to this:
   Filtered Output
Verify Operation of the HideEntriesByFilter Workflow Element With ldap-url
1. Launch a terminal window as oracle. Execute the dsconfig command to reset the value of ldap-filter and to set the ldap-url property to ldap:///ou=people,dc=example,dc=com.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./dsconfig -X -n set-workflow-element-prop \
       --element-name hebf \
       --set ldap-url:"ldap:///ou=people,dc=example,dc=com" \
       --reset ldap-filter \
       --hostname host.example.com \
       --port 4444 \
       --bindPasswordFile ~/pwd.txt \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --no-prompt \
       --trustAll
2. Fetch the latest values of all the properties of the hebf workflow element using the dsconfig utility. Notice in the output that the ldap-filter value is reset, the ldap-url value is defined, and the value of the apply-for-admin flag is true for this workflow element.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./dsconfig -X -n get-workflow-element-prop \
       --element-name hebf \
       --hostname host.example.com \
       --port 4444 \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --bindPasswordFile ~/pwd.txt \
       --no-prompt \
       --trustAll
   The output should look similar to this:
3. Launch a terminal window as oracle and enter the following LDAP search command to list the user entries from this oud_hebf instance. The ldap-url filter with the value ou=people,dc=example,dc=com is active for this OUD instance, since the current value of the apply-for-admin flag is true. Hence the ldapsearch command lists the user entries matching this filter value.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./ldapsearch -h localhost \
       -p 1389 \
       -D cn="Directory Manager" \
       -j ~/pwd.txt \
       -b dc=example,dc=com \
       -s sub "(objectclass=*)"
   The output should look similar to this:
   Filtered Output
4. Execute the command in step 2 of the previous topic, this time with the value apply-for-admin:false, to set the apply-for-admin flag to false. Now launch a terminal window as oracle and enter the following LDAP search command to list the user entries. The ldap-url filter with the value ou=people,dc=example,dc=com is not active for this OUD instance, since the current value of the apply-for-admin flag is false. Hence the ldapsearch command returns all entries in the DIT.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./ldapsearch -h localhost \
       -p 1389 \
       -D cn="Directory Manager" \
       -j ~/pwd.txt \
       -b dc=example,dc=com \
       -s sub "(objectclass=*)"
   The output should look similar to this:
   Unfiltered Output
Verify Operation of the HideEntriesByFilter Workflow Element With excluded-ldap-url
1. Launch a terminal window as oracle and use the dsconfig command to reset the value of ldap-url and to set excluded-ldap-url to ldap:///ou=people,dc=example,dc=com.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./dsconfig -X -n set-workflow-element-prop \
       --element-name hebf \
       --set excluded-ldap-url:"ldap:///ou=people,dc=example,dc=com" \
       --reset ldap-url \
       --hostname host.example.com \
       --port 4444 \
       --bindPasswordFile ~/pwd.txt \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --no-prompt \
       --trustAll
2. Fetch the latest values of all the properties of the hebf workflow element using the dsconfig utility. Notice in the output that the ldap-url value is reset, the excluded-ldap-url value is defined, and the value of the apply-for-admin flag is false (as set in step 4 of the previous topic) for this workflow element.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./dsconfig -X -n get-workflow-element-prop \
       --element-name hebf \
       --hostname host.example.com \
       --port 4444 \
       --portProtocol LDAP \
       --bindDN cn="Directory Manager" \
       --bindPasswordFile ~/pwd.txt \
       --no-prompt \
       --trustAll
   The output should look similar to this:
3. Launch a terminal window as oracle and enter the following LDAP search command to list the user entries from this oud_hebf instance. The excluded-ldap-url filter with the value ou=people,dc=example,dc=com is not active for this OUD instance, since the current value of the apply-for-admin flag is false. Hence the ldapsearch command lists all the user entries irrespective of the filter value.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./ldapsearch -h localhost \
       -p 1389 \
       -D cn="Directory Manager" \
       -j ~/pwd.txt \
       -b dc=example,dc=com \
       -s sub "(objectclass=*)"
   The output should look similar to this:
   Unfiltered Output
4. Execute the command in step 2 of the topic Verify Operation of the HideEntriesByFilter Workflow Element With ldap-filter to set the apply-for-admin flag to true. Now launch a terminal window as oracle and enter the following LDAP search command to list the user entries. The excluded-ldap-url filter with the value ou=people,dc=example,dc=com is active for this OUD instance, since the current value of the apply-for-admin flag is true. Hence the ldapsearch command lists all DIT entries other than the user entries matching the excluded-ldap-url filter value.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin
    # ./ldapsearch -h localhost \
       -p 1389 \
       -D cn="Directory Manager" \
       -j ~/pwd.txt \
       -b dc=example,dc=com \
       -s sub "(objectclass=*)"
   The output should look similar to this:
   Filtered Output
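To make the three hiding rules and the apply-for-admin switch concrete, here is an added Python model of the visibility decisions that the ldap-filter, ldap-url and excluded-ldap-url topics above verify with ldapsearch. It is not OUD code; the sample entries, the sub-scope reading of the ldap:/// URLs, the minimal filter evaluator and the rule that non-administrator binds are always filtered are assumptions for illustration.

```python
# Added illustration, not Oracle code: models the entry-hiding decision that the
# tutorial verifies with ldapsearch. Sample entries, the sub-scope reading of the
# ldap:/// URLs and the filter evaluator are constructed assumptions.

# Constructed stand-in for the ovdoud_hebf.ldif data: (dn, attributes)
ENTRIES = [
    ("dc=example,dc=com", {"objectclass": ["domain"]}),
    ("ou=people,dc=example,dc=com", {"objectclass": ["organizationalUnit"]}),
    ("ou=groups,dc=example,dc=com", {"objectclass": ["organizationalUnit"]}),
    ("uid=bandrews,ou=people,dc=example,dc=com", {"uid": ["bandrews"]}),
    ("uid=sjones,ou=people,dc=example,dc=com", {"uid": ["sjones"]}),
    ("uid=mlee,ou=people,dc=example,dc=com", {"uid": ["mlee"]}),
]

def matches(filt, attrs):
    """Evaluate a minimal RFC 4515 filter: (a=v), (a=*), (|..), (&..), (!..)."""
    body = filt.strip()[1:-1]
    if body[0] in "|&!":
        subs, depth, start = [], 0, 1          # split the top-level sub-filters
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(body[start:i + 1])
                start = i + 1
        hits = [matches(s, attrs) for s in subs]
        return not hits[0] if body[0] == "!" else {"|": any, "&": all}[body[0]](hits)
    attr, value = body.split("=", 1)
    vals = [v.lower() for v in attrs.get(attr.lower(), [])]
    return bool(vals) if value == "*" else value.lower() in vals

def in_scope(dn, ldap_url):
    """True when dn is at or below the base of an ldap:///<base> URL (sub scope assumed)."""
    base = ldap_url[len("ldap:///"):].lower()
    return dn.lower() == base or dn.lower().endswith("," + base)

def visible_entries(entries, ldap_filter=None, ldap_url=None, excluded_ldap_url=None,
                    apply_for_admin=False, is_admin=False):
    """DNs a search returns under the given hebf settings (non-admin binds always filtered, assumed)."""
    if is_admin and not apply_for_admin:
        return [dn for dn, _ in entries]       # apply-for-admin:false bypasses hiding
    out = []
    for dn, attrs in entries:
        if ldap_filter and not matches(ldap_filter, attrs):        # keep only matching entries
            continue
        if ldap_url and not in_scope(dn, ldap_url):                # keep only entries under ldap-url
            continue
        if excluded_ldap_url and in_scope(dn, excluded_ldap_url):  # drop entries under excluded-ldap-url
            continue
        out.append(dn)
    return out
```

Running visible_entries with the tutorial's settings reproduces the sequence of unfiltered and filtered results: with apply-for-admin left at false the Directory Manager sees every entry, and only after it is set to true do the ldap-filter, ldap-url and excluded-ldap-url rules take effect for that bind.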
Want to Learn More?
Feedback
To provide feedback on this tutorial, please contact Identity Management User Assistance.