Oracle by Example: Configuring the HideEntriesByFilter Workflow Element With Oracle Unified Directory 12c (12.2.1.4.0)

Before You Begin

This 15-minute tutorial shows you how to configure and verify the HideEntriesByFilter Workflow Element (WFE) for Oracle Unified Directory 12c (12.2.1.4.0). It demonstrates how to carry HideEntriesByFilter functionality over from Oracle Virtual Directory (OVD) 11g to OUD 12c.

Background

The HideEntriesByFilter workflow element gives you fine-grained control over which entries a search returns, through its ldap-filter, ldap-url, and excluded-ldap-url configuration parameters. Entries that the configured filter or URL does not select are omitted from search results that pass through this workflow element; they still exist in the backend and remain subject to the server's access control, so treat the element as a result-shaping control rather than a replacement for ACIs. By default the element is not applied to requests made by an administrator such as cn=Directory Manager; the advanced property apply-for-admin controls this, and the verification sections below exercise both settings.

What Do You Need?

  • An environment with:
    • At least 16 GB of physical memory
    • Oracle Enterprise Linux 6.6 or later with access to the Internet
  • A basic understanding of Linux

This tutorial assumes that you have already installed and configured the following:

  • Oracle Unified Directory 12c (12.2.1.4.0) (OUD)
  • The ovdoud_hebf.ldif sample data file, placed in the oracle user's home directory (/home/oracle). Section 1 imports it when the server instance is created.
  • This tutorial assumes that the following environment variables are defined:
    • OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
    • OUD_INSTANCES=/u01/app/oracle/config/oud_instances

Section 1: Configure the HideEntriesByFilter Workflow Element

  1. Change to the OUD_ORACLE_HOME directory, where the Oracle Unified Directory software is installed, and run the oud-setup utility from the command line to set up an Oracle Unified Directory server instance. The -l option imports the sample data at the same time.
    # cd $OUD_ORACLE_HOME
    # export INSTANCE_NAME=../../config/oud_instances/oud_hebf
    # ./oud-setup -i -n -p 1389 \
    -D "cn=Directory Manager" \
    -j ~/pwd.txt \
    -b dc=example,dc=com \
    --adminConnectorPort 4444 \
    -l ~/ovdoud_hebf.ldif 
    
    The output should look similar to this:
    Oracle Unified Directory 12.2.1.4.0
    Please wait while the setup program initializes...
    Creating instance directory /u01/app/oracle/config/oud_instances/oud_hebf/OUD.....Done.
    See /u01/app/oracle/config/oud_instances/oud_hebf/OUD/logs/oud-setup for a detailed log of this operation.
    Configuring Directory Server ..... Done.
    Importing LDIF file /home/oracle/ovdoud_hebf.ldif ........ Processed 15 entries, imported 15, skipped 0, rejected 0 and migrated 0 in 0 seconds (average rate 15.8/sec)
    Starting Directory Server ........ Done.
    To see basic server configuration status and configuration you can launch /u01/app/oracle/config/oud_instances/oud_hebf/OUD/bin/status
    Note: /home/oracle/pwd.txt must contain the password you want to assign to the OUD administrator (cn=Directory Manager). Because the file holds that password in clear text, keep it readable only by the oracle user (for example, chmod 600 ~/pwd.txt) and remove it when you no longer need it.

  2. Create the HideEntriesByFilter workflow element, using the dsconfig command with the following key parameters.

    • enabled: true
    • workflow element name: hebf
    • ldap-filter: (|(uid=bandrews)(uid=sjones)) - Only entries matching this filter are returned by searches that pass through the element; all other entries are hidden.
    • type: hide-entries-by-filter
    • next-workflow-element: userRoot - The element sits in front of the userRoot backend.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./dsconfig -X -n create-workflow-element \
    --set enabled:true \
    --set next-workflow-element:userRoot \
    --set ldap-filter:"(|(uid=bandrews)(uid=sjones))" \
    --type hide-entries-by-filter \
    --element-name hebf \
    --hostname host.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll 
    Create a generic workflow named HEBF-workflow for base DN dc=example,dc=com and assign the hebf workflow element to it.
    # ./dsconfig -X -n create-workflow \
    --workflow-name HEBF-workflow \
    --set enabled:true \
    --set base-dn:dc=example,dc=com \
    --set workflow-element:hebf \
    --type generic \
    --hostname host.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll 
    Assign HEBF-workflow to the default network group (network-group), which already exists in the instance. The --set replaces the workflow previously registered for this network group, so client requests for dc=example,dc=com are now routed through HEBF-workflow, and therefore through the hebf workflow element, before they reach the userRoot backend.
    # ./dsconfig -X -n set-network-group-prop \
    --group-name network-group \
    --set workflow:HEBF-workflow \
    --hostname host.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll 
  3. Fetch the values of all the properties of the hebf workflow element using the dsconfig utility. Note in the output that apply-for-admin is false by default for this workflow element. apply-for-admin is an advanced property, so add --advanced to this command if it is not listed.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./dsconfig -X -n get-workflow-element-prop \
    --element-name hebf \
    --hostname host.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll
    The output should look similar to this:
    (screenshot: dsconfig output listing the hebf workflow element properties, with apply-for-admin: false)
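    Before you wire a filter into a live instance it helps to know which entries it will hide. The following Python script is an added example, not part of this tutorial or of OUD: it parses an LDIF export and applies an ldap-filter to each entry in the way Sections 2 to 4 describe, returning every entry to an administrator bind unless apply-for-admin is true, and only matching entries otherwise. The sample LDIF, the extra user uid=tclark, and the modelling of how OUD evaluates the filter are assumptions made for this example; the evaluator covers only the RFC 4515 subset used here (&, |, !, presence and equality).

```python
"""Dry-run a hide-entries-by-filter ldap-filter against an LDIF export.
Added example, not OUD code. Assumed model: entries matching ldap-filter are
returned, all others are hidden, and an administrator bind bypasses the
filter unless apply_for_admin is true. The LDIF below is constructed."""
import re

# Constructed sample data (not the tutorial's ovdoud_hebf.ldif).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=bandrews,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bandrews

dn: uid=sjones,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: sjones

dn: uid=tclark,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: tclark
"""


def parse_ldif(text):
    """Minimal LDIF (no continuation lines, no base64 values) -> list of
    (dn, {attribute: [values]}); attribute names are lowercased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def parse_filter(text):
    """Parse an RFC 4515 filter subset: &, |, !, presence and equality."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("unexpected trailing input: " + rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[:1] in ("&", "|"):                      # (&(...)(...)) / (|(...)(...))
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        return (op, kids), _close(s)
    if s[:1] == "!":                             # (!(...))
        kid, s = _parse(s[1:])
        return ("!", kid), _close(s)
    end = s.index(")")                           # (attr=value) or (attr=*)
    attr, _, value = s[:end].partition("=")
    attr = attr.lower()
    node = ("present", attr) if value == "*" else ("eq", attr, value)
    return node, s[end + 1:]


def _close(s):
    if not s.startswith(")"):
        raise ValueError("expected ')' at: " + s)
    return s[1:]


def matches(node, attrs):
    """Evaluate a parsed filter against one entry; equality is
    case-insensitive, as for LDAP caseIgnoreMatch."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, attrs) for k in node[1])
    if kind == "|":
        return any(matches(k, attrs) for k in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    if kind == "present":
        return node[1] in attrs
    _, attr, value = node
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))


def visible_entries(ldif_text, ldap_filter, is_admin=False, apply_for_admin=False):
    """DNs a subtree search would get back through the workflow element."""
    entries = parse_ldif(ldif_text)
    if is_admin and not apply_for_admin:         # administrator bypass
        return [dn for dn, _ in entries]
    node = parse_filter(ldap_filter)
    return [dn for dn, attrs in entries if matches(node, attrs)]
```

    Run it as `python3 -c 'import hebf_dryrun as h; print(h.visible_entries(h.SAMPLE_LDIF, "(|(uid=bandrews)(uid=sjones))"))'` to see the two entries a non-administrative bind would get, and pass `is_admin=True` to see the full set an administrator gets while apply-for-admin is false. Feed it the LDIF you are about to import to review the visible set before the filter goes live.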

Section 2: Verify Operation of the HideEntriesByFilter Workflow Element With ldap-filter

  1. Launch a terminal window as oracle and run the following ldapsearch command to list the entries in the OUD server instance.
    The search binds as cn=Directory Manager, an administrator, and apply-for-admin is still false, so the ldap-filter (|(uid=bandrews)(uid=sjones)) is not applied to this request and ldapsearch lists every entry in the instance. A non-administrative bind is subject to the filter regardless of this flag.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./ldapsearch -h localhost \
    -p 1389 \
    -D cn="Directory Manager" \
    -j ~/pwd.txt \
    -b dc=example,dc=com \
    -s sub "(objectclass=*)"  
    The output should look similar to this:
    (screenshot: unfiltered ldapsearch output, all entries returned)
  2. Run dsconfig to set the apply-for-admin flag to true on the hebf workflow element. The property is advanced, hence the --advanced option.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./dsconfig -X -n set-workflow-element-prop \
    --advanced --element-name hebf \
    --set apply-for-admin:true  \
    --hostname host.example.com \
    --port 4444 \
    --bindPasswordFile ~/pwd.txt \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager"  \
    --no-prompt \
    --trustAll
  3. Run the following ldapsearch command again to list the entries in the OUD server instance.
    With apply-for-admin now true, the ldap-filter (|(uid=bandrews)(uid=sjones)) is applied even to this administrator search, so ldapsearch lists only the entries matching the filter.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./ldapsearch -h localhost \
    -p 1389 \
    -D cn="Directory Manager" \
    -j ~/pwd.txt \
    -b dc=example,dc=com \
    -s sub "(objectclass=*)"  
    The output should look similar to this:
    (screenshot: filtered ldapsearch output, only the entries matching the ldap-filter returned)

Section 3: Verify Operation of the HideEntriesByFilter Workflow Element With ldap-url

  1. Launch a terminal window as oracle. Execute the dsconfig command to reset the value of ldap-filter, and define the new value for ldap-url property to ldap:///ou=people,dc=example,dc=com.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    #  ./dsconfig -X -n set-workflow-element-prop \
    --element-name hebf \
    --set ldap-url:"ldap:///ou=people,dc=example,dc=com" \
    --reset ldap-filter \
    --hostname host.example.com \
    --port 4444 \
    --bindPasswordFile ~/pwd.txt \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --no-prompt \
    --trustAll 
  2. Fetch the latest values of all the properties of the hebf workflow element using the dsconfig utility. Notice in the output that ldap-filter is reset, ldap-url is defined, and apply-for-admin is true for this workflow element.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    #  ./dsconfig -X -n get-workflow-element-prop \
    --element-name hebf \
    --hostname host.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll 
    The output should look similar to this:
    (screenshot: dsconfig output showing ldap-filter reset, ldap-url set, and apply-for-admin: true)
  3. Launch a terminal window as oracle and run the following ldapsearch command to list the entries from this oud_hebf instance.
    The ldap-url ldap:///ou=people,dc=example,dc=com is applied to this administrator search because apply-for-admin is true, so ldapsearch lists only the entries selected by that URL.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./ldapsearch -h localhost \
    -p 1389 \
    -D cn="Directory Manager" \
    -j ~/pwd.txt \
    -b dc=example,dc=com \
    -s sub "(objectclass=*)"  
    The output should look similar to this:
    (screenshot: filtered ldapsearch output, only the entries selected by ldap-url returned)
  4. Run the dsconfig set-workflow-element-prop command from Section 2, step 2 again, this time with --set apply-for-admin:false. Then, in a terminal window as oracle, run the following ldapsearch command to list the entries.
    Because the search binds as an administrator and apply-for-admin is now false, the ldap-url ldap:///ou=people,dc=example,dc=com is not applied to this request, and ldapsearch returns all entries in the DIT.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./ldapsearch -h localhost \
    -p 1389 \
    -D cn="Directory Manager" \
    -j ~/pwd.txt \
    -b dc=example,dc=com \
    -s sub "(objectclass=*)"  
    The output should look similar to this:
    (screenshot: unfiltered ldapsearch output, all entries returned)

Section 4: Verify Operation of the HideEntriesByFilter Workflow Element With excluded-ldap-url

  1. Launch a terminal window as oracle and use the dsconfig command, to reset the value of ldap-url, and define the new value for excluded-ldap-url to ldap:///ou=people,dc=example,dc=com.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    #  ./dsconfig -X -n set-workflow-element-prop \
    --element-name hebf \
    --set excluded-ldap-url:"ldap:///ou=people,dc=example,dc=com" \
    --reset ldap-url \
    --hostname host.example.com \
    --port 4444 \
    --bindPasswordFile ~/pwd.txt \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --no-prompt \
    --trustAll 
  2. Fetch the latest values of all the properties of the hebf workflow element using the dsconfig utility. Notice in the output that ldap-url is reset, excluded-ldap-url is defined, and apply-for-admin is false (it was set back to false at the end of Section 3).
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    #  ./dsconfig -X -n get-workflow-element-prop \
    --element-name hebf \
    --hostname host.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll 
    The output should look similar to this:
    (screenshot: dsconfig output showing ldap-url reset and excluded-ldap-url set)
  3. Launch a terminal window as oracle and run the following ldapsearch command to list the entries from this oud_hebf instance.
    The excluded-ldap-url ldap:///ou=people,dc=example,dc=com is not applied to this administrator search because apply-for-admin is false, so ldapsearch lists all entries regardless of the exclusion.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./ldapsearch -h localhost \
    -p 1389 \
    -D cn="Directory Manager" \
    -j ~/pwd.txt \
    -b dc=example,dc=com \
    -s sub "(objectclass=*)"  
    The output should look similar to this:
    (screenshot: unfiltered ldapsearch output, all entries returned)
  4. Run the dsconfig command from Section 2, step 2 to set apply-for-admin back to true. Then, in a terminal window as oracle, run the following ldapsearch command to list the entries.
    The excluded-ldap-url ldap:///ou=people,dc=example,dc=com is now applied to this administrator search because apply-for-admin is true, so ldapsearch lists every DIT entry except those selected by the excluded-ldap-url.
    # cd $OUD_INSTANCES/oud_hebf/OUD/bin 
    # ./ldapsearch -h localhost \
    -p 1389 \
    -D cn="Directory Manager" \
    -j ~/pwd.txt \
    -b dc=example,dc=com \
    -s sub "(objectclass=*)"  
    The output should look similar to this:
    (screenshot: filtered ldapsearch output, entries selected by excluded-ldap-url omitted)
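    The three verification sections all bind as cn=Directory Manager and toggle apply-for-admin to make the element take effect. For a real deployment you also want the complementary check: run the same search as an ordinary user and confirm that nothing the element should hide reaches that bind. The Python script below is an added example, not part of this tutorial or of OUD. It builds the ldapsearch command line used in Sections 2 to 4, runs it for two bind DNs, and diffs the DNs returned. The non-administrative user uid=tclark, its password file, and the two captured outputs embedded for offline use are constructed for this example.

```python
"""Compare what an administrator and an ordinary user see through hebf.
Added example, not OUD code. The user DN, the password files and the two
captured ldapsearch outputs below are constructed for this example."""
import re
import subprocess

INSTANCE_BIN = "/u01/app/oracle/config/oud_instances/oud_hebf/OUD/bin"
ADMIN_DN = "cn=Directory Manager"
USER_DN = "uid=tclark,ou=people,dc=example,dc=com"   # hypothetical non-admin bind


def ldapsearch_argv(bind_dn, pw_file, base_dn="dc=example,dc=com",
                    host="localhost", port=1389, ldap_filter="(objectclass=*)"):
    """The ldapsearch command line the tutorial uses, as an argv list."""
    return [INSTANCE_BIN + "/ldapsearch", "-h", host, "-p", str(port),
            "-D", bind_dn, "-j", pw_file, "-b", base_dn, "-s", "sub", ldap_filter]


def run_ldapsearch(bind_dn, pw_file, **kwargs):
    """Run the search against the live instance and return its LDIF output."""
    proc = subprocess.run(ldapsearch_argv(bind_dn, pw_file, **kwargs),
                          capture_output=True, text=True, check=True)
    return proc.stdout


def dns_in(ldif_text):
    """DNs of the entries in LDIF output (plain 'dn:' lines; base64
    'dn::' lines are skipped rather than decoded)."""
    return [m.group(1).strip()
            for m in re.finditer(r"^dn:(?!:)\s*(.*)$", ldif_text, re.M)]


def compare_binds(admin_ldif, user_ldif, must_be_hidden=()):
    """Return (hidden_from_user, leaked): DNs the administrator saw but the
    user did not, and DNs that must be hidden yet appeared for the user."""
    admin, user = set(dns_in(admin_ldif)), set(dns_in(user_ldif))
    return sorted(admin - user), sorted(set(must_be_hidden) & user)


# Constructed outputs for ldap-filter (|(uid=bandrews)(uid=sjones)):
# the administrator search with apply-for-admin false, and a user search.
ADMIN_OUTPUT = """\
dn: dc=example,dc=com
objectClass: domain

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit

dn: uid=bandrews,ou=people,dc=example,dc=com
uid: bandrews

dn: uid=sjones,ou=people,dc=example,dc=com
uid: sjones

dn: uid=tclark,ou=people,dc=example,dc=com
uid: tclark
"""
USER_OUTPUT = """\
dn: uid=bandrews,ou=people,dc=example,dc=com
uid: bandrews

dn: uid=sjones,ou=people,dc=example,dc=com
uid: sjones
"""

if __name__ == "__main__":
    import sys
    # usage: hebf_check.py ~/pwd.txt ~/tclark_pwd.txt [dn-that-must-be-hidden ...]
    # Both password files hold clear-text passwords: keep them chmod 600.
    admin_ldif = run_ldapsearch(ADMIN_DN, sys.argv[1])
    user_ldif = run_ldapsearch(USER_DN, sys.argv[2])
    hidden, leaked = compare_binds(admin_ldif, user_ldif, sys.argv[3:])
    print("hidden from user:", hidden)
    print("LEAKED to user:", leaked)
    sys.exit(1 if leaked else 0)
```

    Any DN listed under "LEAKED" reached a bind that the element should have hidden it from; a non-zero exit makes the check usable from a post-change script. Remember that the user bind itself passes through the workflow, so create the test user and set its password before running this.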

Feedback

To provide feedback on this tutorial, please contact Identity Management User Assistance.