14 Installing and Configuring Oracle Unified Directory
Create a new, highly available Oracle Unified Directory (OUD) deployment inside a Kubernetes cluster.
This chapter includes the following topics:
- Configuring Oracle Unified Directory
  Oracle Unified Directory is an LDAP-compliant directory which you can use as a standalone entity or with other Oracle Identity and Access Management components.
- Setting Up a Product Specific Work Directory
  Before you begin the installation, you should have already downloaded and staged the Oracle Unified Directory Service Manager container image, or should be using the Oracle Container Registry and the code repository.
- About Deploying Oracle Unified Directory
  Oracle recommends that you use Helm to create and configure Oracle Unified Directory (OUD).
- Creating a Kubernetes Namespace
  You have to create a namespace to contain all the objects for Oracle Unified Directory.
- Creating a Container Registry Secret
  Oracle recommends that you use a container registry. If you use a container registry and want to pull the Oracle container images on demand, you must create a secret which contains the login details of the container registry.
- Creating a Kubernetes Secret for Docker Hub Images
  This secret allows Kubernetes to pull an image from hub.docker.com, which hosts third-party images such as helm, kubectl, and logstash. These commands are used by the OUD cron job to test for pods that are stuck in the Terminating state, and restart them if necessary.
- Creating Configuration Files
  Before beginning the deployment of OUD, you need to create a series of configuration files. These files are used to configure and seed the data required by OAM and OIG.
- Creating OUD Containers
  Create the server overrides file first and then use the Helm command to create the OUD containers.
- Creating External Access to OUD
  By default, the OUD deployment is created with all the components configured as ClusterIP services. This means that the Oracle Unified Directory components are visible only within the Kubernetes cluster.
- Centralized Monitoring Using Grafana and Prometheus
  There is no specific metric collection for OUD. However, you can monitor the OUD pods using the standard Kubernetes Dashboard in Grafana.
- Centralized Log File Monitoring Using Elasticsearch and Kibana
  If you are using Elasticsearch and Kibana, you can configure a Logstash pod to send the log files to the centralized Elasticsearch/Kibana console. Before you configure the Logstash pod, ensure that you have access to a centralized Elasticsearch deployment.
Configuring Oracle Unified Directory
Oracle Unified Directory is an LDAP compliant directory which you can use as a standalone entity or with other Oracle Identity and Access Management components.
This chapter describes how you can install Oracle Unified Directory inside a Kubernetes cluster. It also explains how you can seed the directory with the data required by other Oracle Identity and Access Management components.
After deploying OUD, if the Kubernetes node on which an OUD pod is running goes down, the pod is not evicted after the pod eviction time-out but instead moves to the Terminating state and stays there indefinitely. To avoid this problem, a cron job is created during the OUD deployment process. It checks for any pods in the Terminating state, deletes them, and then starts the pod again. The cron job requires access to images on hub.docker.com, so you must create a Kubernetes secret to enable access to these images. This job ensures that you always have the number of OUD instances running that you specified in the helm configuration file.
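The following is an added example that illustrates the check the cron job performs; it is not the job shipped with the Helm chart. Terminating is not a pod phase: kubectl shows it when metadata.deletionTimestamp is set, so that field is what the check looks at. The pod list is a constructed sample in the shape of kubectl get pods -n <OUDNS> -o json output, and the pod names and namespace are assumed values.

```python
"""Find OUD pods stuck in Terminating, as the deployment's cron job does.

Added example; not the cron job shipped with the Helm chart, only an illustration
of the check it performs. The pod list below is a constructed sample in the shape
of `kubectl get pods -n oudns -o json`; pod names and namespace are assumptions.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one pod whose deletion was requested hours ago, one healthy pod.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "oud-ds-rs-0", "namespace": "oudns",
                      "deletionTimestamp": "2024-01-02T03:00:00Z",
                      "deletionGracePeriodSeconds": 30},
         "status": {"phase": "Running"}},
        {"metadata": {"name": "oud-ds-rs-1", "namespace": "oudns"},
         "status": {"phase": "Running"}},
    ]
})


def stuck_terminating(pod_list_json: str, now: datetime,
                      grace: timedelta = timedelta(minutes=5)) -> list[str]:
    """Names of pods whose deletion was requested longer ago than their grace period plus `grace`.

    A pod normally disappears from the API within deletionGracePeriodSeconds. One whose
    deletionTimestamp is far older than that is stuck, typically because its node is gone
    and the kubelet can never confirm that the containers stopped.
    """
    stuck: list[str] = []
    for pod in json.loads(pod_list_json)["items"]:
        meta = pod["metadata"]
        requested_at = meta.get("deletionTimestamp")
        if not requested_at:
            continue  # not Terminating at all
        requested = datetime.fromisoformat(requested_at.replace("Z", "+00:00"))
        allowed = timedelta(seconds=meta.get("deletionGracePeriodSeconds", 30))
        if now - requested > allowed + grace:
            stuck.append(meta["name"])
    return stuck


def force_delete_command(namespace: str, pod: str) -> list[str]:
    """argv for the forced delete: --force --grace-period=0 removes the object immediately
    so the controller can recreate the replica."""
    return ["kubectl", "delete", "pod", pod, "-n", namespace, "--force", "--grace-period=0"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name in stuck_terminating(SAMPLE_POD_LIST, now):
        print(" ".join(force_delete_command("oudns", name)))
```

A forced delete tells the API server to drop the pod object without waiting for the kubelet's confirmation. If the node is only partitioned rather than dead, the old container can still be running against the same NFS-backed data while its replacement starts, which is why the Kubernetes documentation advises force-deleting pods only once the node is confirmed down.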
Note:
- If you upgrade your container, you should recopy the helm charts to the persistent volume.
- If you change your Helm/Kubernetes version, you should update the helm file with the revised versions.
Sizing Guidelines
When deploying OUD, you can use the following information as a reference for the initial system sizing. For more information about sizing, see Deep Dive into Oracle Unified Directory 12.2.1.4.0 Performance.
System Size | Number of Users | Memory | JVM Heap Size (Min) | JVM Heap Size (Max) |
---|---|---|---|---|
Development | - | 2GB | 1GB | 2GB |
Small | 5000 | 8GB | 4GB | 8GB |
Medium | 50000 | 16GB | 8GB | 16GB |
Large | 2 Million | 64GB | 16GB | 64GB |
Kubernetes/Ingress Services
After you configure OUD, the following OUD services are available on each worker node:
Table 14-1 OUD Services on Each Worker Node
Service | Type | Service Port | Mapped Port |
---|---|---|---|
OUD LDAP | NodePort | 31389 | 1389 |
OUD LDAPS | NodePort | 31636 | 636 |
OUD ADMIN | NodePort | 30777 | 80 |
Note:
Unless you set the LDAP and LDAPS ports explicitly (<OUD_LDAP_K8> and <OUD_LDAPS_K8> in Table 14-2), Kubernetes allocates the NodePort numbers from its service node-port range, so the numbers in this table are only examples. A NodePort is reachable from any host that can reach a worker node, and LDAP on the mapped port 1389 is unencrypted, so expose only LDAPS outside the cluster where you can.
Variables Used in this Chapter
The later sections of this chapter provide instructions to create a number of files. These sample files contain variables which you need to substitute with values applicable to your deployment.
Variables are formatted as <VARIABLE_NAME>. The following table provides the values you should set for each of these variables.
Table 14-2 The Variables to be Changed
Variable | Sample Value | Description |
---|---|---|
<WORKDIR> | | The location where you want to create the working directory for OUD. |
<REGISTRY_ADDRESS> | iad.ocir.io/<mytenancy> | The location of the registry. If you use the Oracle container registry, use its address instead. |
<REG_USER> | mytenancy/oracleidentitycloudservice/myemail@email.com | The user ID you use to log in to the registry. If you use the Oracle container registry, this value is your Oracle single sign-on user name. |
<REG_PWD> | <password> | The registry user password. |
<OUD_REPOSITORY> | | The name of the OUD software repository. The value depends on whether you downloaded and staged a container image locally, are using the Oracle container registry, or are using your own container registry; in the last case it is the name of the registry followed by the product name. |
<OUD_VER> | | The version of the image you want to use. This is the version you downloaded and staged, either locally or in the container registry. |
<DH_USER> | username | The user name for your hub.docker.com account. |
<DH_PWD> | mypassword | The password for your hub.docker.com account. |
<OUDNS> | oudns | The name of the OUD namespace. |
<PVSERVER> | mynfsserver.example.com | The name of the NFS server. Note: This name must be resolvable inside the Kubernetes cluster. |
<OUD_SHARE> | /exports/IAMPVS/oudpv | The NFS mount point for the OUD persistent volume. |
<OUD_CONFIG_SHARE> | /exports/IAMPVS/oudconfigpv | The NFS mount point for the OUD config persistent volume. |
<OUD_LOCAL_SHARE> | | The local directory where <OUD_CONFIG_SHARE> is mounted. Used to hold seed files. |
<LDAP_SEARCHBASE> | dc=example,dc=com | The directory tree for your organization. This is where all the data is stored. |
<LDAP_GROUP_SEARCHBASE> | cn=Groups,dc=example,dc=com | The location in the directory where groups/roles are stored. |
<LDAP_USER_SEARCHBASE> | cn=Users,dc=example,dc=com | The location in the directory where users are stored. |
<LDAP_RESERVE_SEARCHBASE> | cn=Reserve,dc=example,dc=com | Set this to the name of the reservation container in OIG. Kept for legacy reasons. |
<LDAP_ADMIN_USER> | cn=oudadmin | The user name of the directory administrator. |
<LDAP_ADMIN_PWD> | password | The password of the directory administrator. |
<LDAP_OAMLDAP_USER> | oamLDAP | The name of the user that OAM uses to connect to the directory for validating logins. |
<LDAP_OIGLDAP_USER> | oimLDAP | The name of the user that OIG uses to connect to the directory to manage users. |
<LDAP_OAMADMIN_USER> | oamadmin | The name of the user you want to administer OAM. |
<LDAP_WLSADMIN_USER> | weblogic_iam | The name of the user you want to use to administer the domain. |
<LDAP_XELSYSADM_USER> | xelsysadm | The name of the user you want to create for administering OIG. |
<LDAP_USER_PWD> | <password> | The password you want to assign to the user names you are creating. IDM on Kubernetes expects this to be the same for each account. You can change it to different values after deployment, if required. |
<LDAP_OIGADMIN_GRP> | OIMAdministrators | The name of the group consisting of the administrators of OIG. |
<LDAP_WLSADMIN_GRP> | WLSAdministrators | Users assigned to this role can log in to the WebLogic Administration Console and FMW Control. |
<LDAP_OAMADMIN_GRP> | OAMAdministrators | Users assigned to this role can log in to the OAM Administration Console and configure OAM. |
<LDAP_SYSTEMIDS> | systemids | The name of a container where you want to store system IDs. User names placed in this container are not subject to OIM reconciliation or password aging. This container is reserved for users such as <LDAP_OAMLDAP_USER> and <LDAP_OIGLDAP_USER>. |
<OUD_PWD_EXPIRY> | 2024-01-02 | The date on which the password for the user accounts will expire, in YYYY-MM-DD format. |
<OUD_LDAP_K8> | | Port to use for OUD LDAP requests. Note: This value must be within the Kubernetes service port range. |
<OUD_LDAPS_K8> | | Port to use for OUD LDAPS requests. Note: This value must be within the Kubernetes service port range. |
<OUD_PREFIX> | | |
<OUD_REPLICAS> | 1 | The number of OUD replica instances you want to create. |
<REGION> | example | This is the top-level region and is usually the first part of the search base. |
<HELM_VER> | - | The version of Helm you are running, as reported by the Helm client. Only the major.minor.patch part is required, for example 3.5.4. |
<KUBERNETES_VER> | - | The version of Kubernetes you are running, as reported by the cluster. Only the major.minor.patch part is required, for example 1.20.6. |
<ELK_HOST> | | The host and port of the centralized Elasticsearch deployment. This host can be inside the Kubernetes cluster or external to it. It is used only when Elasticsearch is used. |
<ELK_VER> | | The version of Elasticsearch you want to use. |
<ELK_USER_PWD> | <password> | The password assigned to the ELK user. See Creating a Role and a User for Logstash. |
Setting Up a Product Specific Work Directory
Before you begin the installation, you should have already downloaded and staged the Oracle Unified Directory Service Manager container image or should be using the Oracle Container Registry and the code repository.
See Identifying and Obtaining Software Distributions for an Enterprise Deployment. This section describes the procedure to copy the downloaded sample deployment scripts to a temporary working directory for OUD.
About Deploying Oracle Unified Directory
Oracle recommends that you use Helm to create and configure Oracle Unified Directory (OUD). With Helm you can:
- Deploy several OUD servers and set up replication between those containers (there should be more than one container for high availability).
- Create NodePort or Ingress services if you require access to the OUD directory outside of the Kubernetes cluster.
- Configure OUD to support Oracle Identity and Access Management.
Traditionally, OUD has been configured to support Oracle Identity and Access Management by using the Oracle Identity and Access Management tool idmConfigTool. This tool is used after you have installed and configured OUD and deployed OAM or OIG. If you want to use the traditional method of preparing and seeding the directory, the option is available but is not discussed in this guide. For information on using idmConfigTool to configure OUD, see Preparing an Existing LDAP Directory.
The traditional method of configuring OUD includes the following steps:
- Deploy OUD.
- Deploy OAM or OIG.
- Log in to the OAM/OIG container.
- Run the idmConfigTool commands. See Preparing an Existing LDAP Directory.
The method discussed in this guide is to create seed data files and to provide them as input to the OUD creation process.
Creating a Kubernetes Namespace
You have to create a namespace to contain all the objects for Oracle Unified Directory.
kubectl create namespace oudns
namespace/oudns created
Creating a Container Registry Secret
Oracle recommends that you use a container registry. If you use a container registry and want to pull the Oracle container images on demand, you must create a secret which contains the login details of the container registry.
If you have staged your container images locally, there is no need to perform this step. Note that the registry password is passed on the command line, so it is recorded in your shell history and is visible in the process list while the command runs; clear it from the history afterwards.
kubectl create secret -n <OUDNS> docker-registry regcred --docker-server=<REGISTRY_ADDRESS> --docker-username=<REG_USER> --docker-password=<REG_PWD>
kubectl create secret -n oudns docker-registry regcred --docker-server=iad.ocir.io/mytenancy --docker-username=mytenancy/oracleidentitycloudservice/myemail@email.com --docker-password=<password>
Creating a Kubernetes Secret for Docker Hub Images
This secret allows Kubernetes to pull an image from hub.docker.com, which hosts third-party images such as helm, kubectl, and logstash. These commands are used by the OUD cron job to test for pods that are stuck in the Terminating state, and restart them if necessary.
Note:
If you are pulling the images from your own container registry, then this step is not required.
You should have an account on hub.docker.com. If you want to stage the images in your own repository, you can do so and modify the helm override file as appropriate.
To create a Kubernetes secret for hub.docker.com, use the following command:
$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="<DH_USER>" --docker-password="<DH_PWD>" --namespace=<OUDNS>
$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="username" --docker-password="<mypassword>" --namespace=oudns
Creating Configuration Files
Before beginning the deployment of OUD, you need to create a series of configuration files. These files are used to configure and seed the data required by OAM and OIG.
The entries in the files are based on the standard Enterprise Deployment Guide naming conventions. If you want to use alternative names for these entries, edit the files per your organizational requirements.
Creating the Schema Extensions File
This file is used to extend the OUD schema with Oracle Access Manager object classes. You can skip this section if you are not deploying Oracle Access Manager.
Create the 99-user.ldif file with the contents shown in the Sample of the Schema Extension File. All information should remain the same.
Creating the Seeding File
This file is used to seed OUD with the names of users and groups required by Oracle Access Manager and Oracle Identity Governance.
Create a file called base.ldif with the contents shown in the Sample of the Seeding File.
You should perform a global search and replace on this file to make it specific to your organization. To make this easier, the sample file contains a number of variables that help you identify the entries that need to be changed. Each variable is enclosed in '<>'. For the list of variables used, see Variables Used in this Chapter.
Note:
This file contains all the entries for Oracle Access Manager and Oracle Identity Governance. If you are not deploying one of these products, you can amend this file as per your requirements. It is provided here as an example and to make deployment of a full suite simpler. Perform a global search and replace to change these entries.
Note:
Do not change the values for the following variables:
- <DenySSORead ACI>
- <AllowSSORead ACI>
- <AllowSSOAll ACI>
Setting Passwords
You can set user passwords in the file by providing a value for the LDAP attribute: userPassword.
Passwords entered as plain text will be encrypted upon loading. For ease of use, you can search for the term <PASSWORD> in the file, for the entries you have to provide.
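The search-and-replace and password steps above are easy to get wrong in a file this size. The following added example (not one of the Oracle deployment scripts) substitutes the <VARIABLE> placeholders from a dictionary, leaves the three protected ACI placeholders alone, and then reports any placeholder, including <PASSWORD>, that is still unresolved. The LDIF fragment is a constructed stand-in for base.ldif, not the real file, and the values are the sample values from Table 14-2.

```python
"""Fill the <VARIABLE> placeholders in a seed LDIF and check that nothing is left unresolved.

Added example, not one of the Oracle deployment scripts. SAMPLE_SEED is a constructed
fragment in the style of base.ldif (a service account under the systemids container),
not the real file. The three ACI placeholders the note above says must not be changed
are protected and survive substitution untouched.
"""
from __future__ import annotations

import re

PROTECTED = {"<DenySSORead ACI>", "<AllowSSORead ACI>", "<AllowSSOAll ACI>"}
PLACEHOLDER_RE = re.compile(r"<[A-Za-z_][A-Za-z0-9_ ]*>")

# Constructed sample fragment; the aci line only shows a protected token next to real ones.
SAMPLE_SEED = """\
dn: cn=<LDAP_OAMLDAP_USER>,cn=<LDAP_SYSTEMIDS>,<LDAP_SEARCHBASE>
objectclass: top
objectclass: person
objectclass: inetOrgPerson
cn: <LDAP_OAMLDAP_USER>
sn: <LDAP_OAMLDAP_USER>
uid: <LDAP_OAMLDAP_USER>
userPassword: <PASSWORD>
aci: (targetattr="*")(version 3.0; acl "<AllowSSORead ACI>"; allow (read,search,compare) groupdn="ldap:///cn=<LDAP_OAMADMIN_GRP>,<LDAP_GROUP_SEARCHBASE>";)
"""

# Sample values from Table 14-2; <PASSWORD> is deliberately left out to show the check.
SAMPLE_VALUES = {
    "LDAP_OAMLDAP_USER": "oamLDAP",
    "LDAP_SYSTEMIDS": "systemids",
    "LDAP_SEARCHBASE": "dc=example,dc=com",
    "LDAP_OAMADMIN_GRP": "OAMAdministrators",
    "LDAP_GROUP_SEARCHBASE": "cn=Groups,dc=example,dc=com",
}


def render(template: str, values: dict[str, str]) -> str:
    """Global search-and-replace of <NAME> with values[NAME]; protected tokens are skipped."""
    def substitute(match: re.Match) -> str:
        token = match.group(0)
        if token in PROTECTED:
            return token
        # Unknown tokens are left in place so unresolved() can report them.
        return values.get(token[1:-1], token)
    return PLACEHOLDER_RE.sub(substitute, template)


def unresolved(text: str) -> list[str]:
    """Placeholders still present after rendering, excluding the protected ACI tokens."""
    return sorted({t for t in PLACEHOLDER_RE.findall(text) if t not in PROTECTED})


if __name__ == "__main__":
    rendered = render(SAMPLE_SEED, SAMPLE_VALUES)
    print(rendered)
    print("unresolved:", unresolved(rendered))
```

Run unresolved() on the real base.ldif after your substitution and refuse to copy the file to <OUD_LOCAL_SHARE> until it returns an empty list; a leftover <PASSWORD> would otherwise be imported as the literal password of that account.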
Creating OUD Containers
Create the server overrides file first and then use the Helm command to create the OUD containers.
- Creating a Server Overrides File
- Changing the OUD Heap Size
- Enabling Assured Replication
- Creating Containers
- Troubleshooting the OUD Instances
Creating a Server Overrides File
Create a helm override file to customize the deployment based on your deployment needs. This file determines how the OUD pods are created. You can specify the following details in this file:
- The container images to use.
- The number of replicas to create.
- The resources to allocate to each pod.
- The base DN to create.
- An ldif file to load to seed the OUD data.
- An ldif file to create the schema extensions.
- The access control lists (ACLs) to create.
- The indexes that need to be created on each pod (base and replicas).
- Any specific dsconfig commands you want to run at pod instantiation.
Create this file by substituting values from Table 14-2. The file contains the directory administrator password (rootUserPassword) in clear text, so restrict its file permissions and keep it out of version control.
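The dsconfig_2 and dsconfig_3 entries in the sample override file below remove the shipped rule that denies everyone access to cn=changelog and add a rule granting the <LDAP_OIGADMIN_GRP> group full access to it. The deny has to go because userdn="ldap:///anyone" also covers the group's members and a deny wins over an allow. The following added example (not part of the Oracle Helm chart or deployment scripts) parses the ACI syntax used in those entries, replays the --remove/--add pair the way dsconfig applies it, and reports which subjects end up with rights on the external changelog, so you can review the resulting access before the pods are created. The ACI strings are those from dsconfig_2 and dsconfig_3 with the shell escaping (\") resolved and the group name set to the sample value OIMAdministrators; the "Anonymous control access" ACI is shortened to two OIDs.

```python
"""Replay the override file's global-aci changes and check who can reach cn=changelog.

Added example, not part of the Oracle Helm chart or deployment scripts. ACI strings
are taken from the sample override file's dsconfig_2 / dsconfig_3 entries with the
shell escaping resolved and <LDAP_OIGADMIN_GRP> set to OIMAdministrators; the
anonymous-controls ACI is abbreviated to two OIDs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

TARGET_RE = re.compile(r'\((target|targetattr|targetscope|targetcontrol)="([^"]*)"\)')
BODY_RE = re.compile(
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>[^;]+);\s*\)'
)
BIND_RE = re.compile(r'(?P<kind>userdn|groupdn)="ldap:///(?P<subject>[^"]*)"')
DSCONFIG_RE = re.compile(r'set-access-control-handler-prop\s+--(add|remove)\s+global-aci:"(.*)"$')


@dataclass
class Aci:
    name: str
    effect: str                 # "allow" or "deny"
    rights: frozenset[str]      # e.g. {"read", "search"} or {"all"}
    bind_kind: str              # "userdn" or "groupdn"
    subject: str                # "anyone", "all", or a DN
    targets: dict[str, str] = field(default_factory=dict)   # target, targetattr, targetcontrol


def parse_aci(text: str) -> Aci:
    """Parse one global-aci value into its target clauses, effect, rights and bind rule."""
    targets = {key.lower(): value for key, value in TARGET_RE.findall(text)}
    body = BODY_RE.search(text)
    if body is None:
        raise ValueError(f"unparseable ACI body: {text!r}")
    bind = BIND_RE.search(body.group("bind"))
    if bind is None:
        raise ValueError(f"unsupported bind rule: {body.group('bind')!r}")
    rights = frozenset(r.strip().lower() for r in body.group("rights").split(",") if r.strip())
    return Aci(body.group("name"), body.group("effect"), rights,
               bind.group("kind"), bind.group("subject"), targets)


def apply_dsconfig(global_acis: list[str], commands: list[str]) -> list[str]:
    """Replay set-access-control-handler-prop --remove/--add commands against the ACI list.

    dsconfig rejects a --remove whose value is not currently set; a mistyped string in
    the override would therefore leave the shipped deny in place. Mirror that strictness.
    """
    acis = list(global_acis)
    for cmd in commands:
        m = DSCONFIG_RE.match(cmd.strip())
        if m is None:
            raise ValueError(f"not a global-aci change: {cmd!r}")
        op, value = m.group(1), m.group(2)
        if op == "remove":
            if value not in acis:
                raise ValueError("--remove does not match any existing ACI: " + value[:50])
            acis.remove(value)
        else:
            acis.append(value)
    return acis


def changelog_grants(global_acis: list[str]) -> dict[str, set[str]]:
    """Subjects explicitly allowed on cn=changelog, with the rights they receive.

    Only ACIs whose target is cn=changelog are counted. OUD denies whatever no ACI
    allows, so an empty result means the changelog is closed to everyone.
    """
    grants: dict[str, set[str]] = {}
    for aci in map(parse_aci, global_acis):
        if aci.targets.get("target", "").lower() == "ldap:///cn=changelog" and aci.effect == "allow":
            grants.setdefault(aci.subject, set()).update(aci.rights)
    return grants


def open_to_unauthenticated(global_acis: list[str]) -> bool:
    """True if an anonymous bind (userdn="ldap:///anyone") is allowed anything on cn=changelog."""
    return "anyone" in changelog_grants(global_acis)


# Constructed starting state: the shipped global ACIs that the override touches.
DEFAULT_DENY = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; '
                'acl "External changelog access"; deny (all) userdn="ldap:///anyone";)')
DEFAULT_ANON_CONTROLS = ('(targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17") '
                         '(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)')
DEFAULT_GLOBAL_ACIS = [DEFAULT_DENY, DEFAULT_ANON_CONTROLS]

# dsconfig_2 and dsconfig_3 from the sample override file, as dsconfig receives them.
GROUP_ALLOW = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; '
               'acl "External changelog access"; allow (read,search,compare,add,write,delete,export) '
               'groupdn="ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com";)')
OVERRIDE_COMMANDS = [
    f'set-access-control-handler-prop --remove global-aci:"{DEFAULT_DENY}"',
    f'set-access-control-handler-prop --add global-aci:"{GROUP_ALLOW}"',
]

if __name__ == "__main__":
    after = apply_dsconfig(DEFAULT_GLOBAL_ACIS, OVERRIDE_COMMANDS)
    for subject, rights in changelog_grants(after).items():
        print(f"{subject}: {','.join(sorted(rights))}")
    print("anonymous changelog access:", open_to_unauthenticated(after))
```

After the pods are up, confirm the same result against the running server: an anonymous ldapsearch with base cn=changelog should return nothing, and a bind as a member of <LDAP_OIGADMIN_GRP> should see the changelog entries.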
The following is a sample override file for OUD.
/workdir/OUD/override_oud.yaml
Note:
You can find a sample of this file along with the sample files you downloaded from GitHub. It is located in /workdir/fmw-kubernetes/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oud.
The resources section uses standard Kubernetes units:
- CPU is measured in cores: a value of 1 is one CPU core or one virtual core, and 1000m (millicores) is the same amount, so 500m is half a core.
- Memory is measured in standard units (1G = 1GB; the sample uses the binary form, for example 2Gi).
The server tuning values (the JVM heap settings in serverTuning) must not conflict with these values: the maximum heap has to fit inside the memory limit with room left over for the JVM's non-heap memory.
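The following added example (not part of the Oracle deployment scripts) makes that check concrete: it parses the -Xms/-Xmx flags from a serverTuning string and the memory limit from the resources section and reports how much of the limit is left for non-heap memory. -Xmx bounds only the Java heap; metaspace, thread stacks, GC structures and the directory's off-heap buffers sit on top of it and all count against resources.limits.memory, so a heap equal to the limit is at risk of an OOMKill. The values are those in the sample file below; the 25% headroom threshold is an assumption (a rule of thumb), not an Oracle figure.

```python
"""Check the OUD serverTuning heap settings against the pod's memory limit.

Added example; not part of the Oracle deployment scripts. SAMPLE_TUNING and SAMPLE_LIMIT
are the values in the sample override file; the 25% minimum headroom is an assumption.
"""
from __future__ import annotations

import re

K8S_UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
             "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
JVM_UNITS = {"": 1, "k": 2**10, "m": 2**20, "g": 2**30}

SAMPLE_TUNING = ("-Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g "
                 "-XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60")
SAMPLE_LIMIT = "2Gi"


def k8s_quantity_bytes(quantity: str) -> int:
    """Convert a Kubernetes memory quantity such as 2Gi, 512Mi or 1G to bytes."""
    m = re.fullmatch(r"(\d+)([kMGT]i?)?", quantity.strip())
    if m is None:
        raise ValueError(f"unsupported quantity: {quantity!r}")
    return int(m.group(1)) * K8S_UNITS[m.group(2) or ""]


def jvm_flag_bytes(server_tuning: str, flag: str) -> int | None:
    """Value of a -Xms/-Xmx/-Xmn style flag in bytes, or None if the flag is absent."""
    m = re.search(rf"{re.escape(flag)}(\d+)([kKmMgG]?)", server_tuning)
    if m is None:
        return None
    return int(m.group(1)) * JVM_UNITS[m.group(2).lower()]


def heap_headroom(server_tuning: str, memory_limit: str) -> float:
    """Fraction of the memory limit left for non-heap memory (negative if -Xmx exceeds it)."""
    limit = k8s_quantity_bytes(memory_limit)
    xmx = jvm_flag_bytes(server_tuning, "-Xmx")
    if xmx is None:
        raise ValueError("serverTuning has no -Xmx")
    return (limit - xmx) / limit


def findings(server_tuning: str, memory_limit: str, min_headroom: float = 0.25) -> list[str]:
    """Problems with the heap/limit combination; an empty list means it looks sane."""
    out: list[str] = []
    xms = jvm_flag_bytes(server_tuning, "-Xms")
    xmx = jvm_flag_bytes(server_tuning, "-Xmx")
    if xms is not None and xmx is not None and xms > xmx:
        out.append("-Xms is larger than -Xmx; the JVM will refuse to start")
    headroom = heap_headroom(server_tuning, memory_limit)
    if headroom < min_headroom:
        out.append(f"-Xmx leaves {headroom:.0%} of the {memory_limit} limit for non-heap memory "
                   f"(want at least {min_headroom:.0%}); raise the limit or lower -Xmx")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_TUNING, SAMPLE_LIMIT) or ["heap settings look sane"]:
        print(line)
```

The same reasoning applies to resources.requests: with -Xms1024m the heap alone already fills a 1Gi request, so the pod is over its request as soon as the JVM allocates anything off-heap, which matters because the scheduler packs nodes by requests.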
image:
  repository: <OUD_REPOSITORY>
  tag: <OUD_VER>
  pullPolicy: IfNotPresent
busybox:
  image: docker.io/busybox
imagePullSecrets:
  - name: regcred
oudConfig:
  baseDN: <LDAP_SEARCHBASE>
  rootUserDN: <LDAP_ADMIN_USER>
  rootUserPassword: <LDAP_ADMIN_PWD>
  sleepBeforeConfig: 1300
resources:
  limits:
    cpu: 1
    memory: 2Gi
  requests:
    cpu: 500m
    memory: 1Gi
persistence:
  type: networkstorage
  networkstorage:
    nfs:
      server: <PVSERVER>
      path: <OUD_SHARE>
  size: 30Gi
configVolume:
  enabled: true
  type: networkstorage
  networkstorage:
    nfs:
      server: <PVSERVER>
      path: <OUD_CONFIG_SHARE>
  mountPath: /u01/oracle/config-input
replicaCount: <OUD_REPLICAS>
ingress:
  enabled: false
  type: nginx
  tlsEnabled: true
cronJob:
  kubectlImage:
    repository: bitnami/kubectl
    tag: <KUBERNETES_VER>
    pullPolicy: IfNotPresent
  imagePullSecrets:
    - name: dockercred
baseOUD:
  envVars:
    - name: schemaConfigFile_1
      value: /u01/oracle/config-input/99-user.ldif
    - name: restartAfterSchemaConfig
      value: "true"
    - name: importLdif_1
      value: --append --replaceExisting --includeBranch ${baseDN} --backendID userRoot --ldifFile /u01/oracle/config-input/base.ldif --rejectFile /u01/oracle/config-input/rejects.ldif --skipFile /u01/oracle/config-input/skip.ldif
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
    - name: dsconfig_1
      value: set-global-configuration-prop --set lookthrough-limit:75000
    - name: dsconfig_2
      value: set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_3
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_4
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\")(version 3.0; acl \"<LDAP_OIGADMIN_GRP> control access\"; allow(read) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_5
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_6
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_7
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_8
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_9
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_10
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGranter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_11
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGrantee --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_12
      value: create-local-db-index --element-name userRoot --index-name obid --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_13
      value: create-local-db-index --element-name userRoot --index-name oblocationdn --set index-type:equality
    - name: dsconfig_14
      value: create-local-db-index --element-name userRoot --index-name oblocationname --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_15
      value: create-local-db-index --element-name userRoot --index-name oblocationtitle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_16
      value: create-local-db-index --element-name userRoot --index-name obrectangle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_17
      value: create-local-db-index --element-name userRoot --index-name obdirectreports --set index-type:equality
    - name: dsconfig_18
      value: create-local-db-index --element-name userRoot --index-name obindirectmanager --set index-type:equality
    - name: dsconfig_19
      value: create-local-db-index --element-name userRoot --index-name obuseraccountcontrol --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_20
      value: create-local-db-index --element-name userRoot --index-name obobjectclass --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_21
      value: create-local-db-index --element-name userRoot --index-name obparentlocationdn --set index-type:equality
    - name: dsconfig_22
      value: create-local-db-index --element-name userRoot --index-name obgroupcreator --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_23
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptiontype --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_24
      value: create-local-db-index --element-name userRoot --index-name obgroupdynamicfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_25
      value: create-local-db-index --element-name userRoot --index-name obgroupexpandeddynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_26
      value: create-local-db-index --element-name userRoot --index-name obgroupadministrator --set index-type:equality
    - name: dsconfig_27
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptionfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_28
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribemessage --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_29
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribenotification --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_30
      value: create-local-db-index --element-name userRoot --index-name obgrouppuredynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_31
      value: list-local-db-indexes --element-name userRoot
    - name: rebuildIndex_1
      value: --rebuildAll
    - name: restartAfterRebuildIndex
      value: "true"
replOUD:
  envVars:
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
    - name: dsconfig_1
      value: set-global-configuration-prop --set lookthrough-limit:75000
    - name: dsconfig_2
      value: set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_3
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_4
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_5
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_6
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_7
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: post_dsreplication_dsconfig_2
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGranter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_3
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGrantee --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_4
      value: create-local-db-index --element-name userRoot --index-name obid --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_5
      value: create-local-db-index --element-name userRoot --index-name oblocationdn --set index-type:equality
    - name: post_dsreplication_dsconfig_6
      value: create-local-db-index --element-name userRoot --index-name oblocationname --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_7
      value: create-local-db-index --element-name userRoot --index-name oblocationtitle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_8
      value: create-local-db-index --element-name userRoot --index-name obrectangle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_9
      value: create-local-db-index --element-name userRoot --index-name obdirectreports --set index-type:equality
    - name: post_dsreplication_dsconfig_10
      value: create-local-db-index --element-name userRoot --index-name obindirectmanager --set index-type:equality
    - name: post_dsreplication_dsconfig_11
      value: create-local-db-index --element-name userRoot --index-name obuseraccountcontrol --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_12
      value: create-local-db-index --element-name userRoot --index-name obobjectclass --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_13
      value: create-local-db-index --element-name userRoot --index-name obparentlocationdn --set index-type:equality
    - name: post_dsreplication_dsconfig_14
      value: create-local-db-index --element-name userRoot --index-name obgroupcreator --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_15
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptiontype --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_16
      value: create-local-db-index --element-name userRoot --index-name obgroupdynamicfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_17
      value: create-local-db-index --element-name userRoot --index-name obgroupexpandeddynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_18
      value: create-local-db-index --element-name userRoot --index-name obgroupadministrator --set index-type:equality
    - name: post_dsreplication_dsconfig_19
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptionfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_20
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribemessage --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_21
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribenotification --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_22
      value: create-local-db-index --element-name userRoot --index-name obgrouppuredynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_23
      value: list-local-db-indexes --element-name userRoot
    - name: rebuildIndex_1
      value: --rebuildAll
    - name: restartAfterRebuildIndex
      value: "true"
image:
  repository: oracle/oud
  tag: 12.2.1.4-jdk8-ol7-220411.1613
  pullPolicy: IfNotPresent
busybox:
  image: docker.io/busybox
imagePullSecrets:
  - name: regcred
oudConfig:
  baseDN: dc=example,dc=com
  rootUserDN: cn=oudadmin
  rootUserPassword: password
  sleepBeforeConfig: 1300
persistence:
  type: networkstorage
  networkstorage:
    nfs:
      server: mynfsserver.example.com
      path: /exports/IAMPVS/oudpv
  size: 30Gi
configVolume:
  enabled: true
  type: networkstorage
  networkstorage:
    nfs:
      server: mynfsserver.example.com
      path: /exports/IAMPVS/oudconfigpv
  mountPath: /u01/oracle/config-input
replicaCount: 1
ingress:
  enabled: false
  type: nginx
  tlsEnabled: true
cronJob:
  kubectlImage:
    repository: bitnami/kubectl
    tag: <KUBERNETES_VER>
    pullPolicy: IfNotPresent
  imagePullSecrets:
    - name: dockercred
baseOUD:
  envVars:
    - name: schemaConfigFile_1
      value: /u01/oracle/config-input/99-user.ldif
    - name: restartAfterSchemaConfig
      value: "true"
    - name: importLdif_1
      value: --append --replaceExisting --includeBranch ${baseDN} --backendID userRoot --ldifFile /u01/oracle/config-input/base.ldif --rejectFile /u01/oracle/config-input/rejects.ldif --skipFile /u01/oracle/config-input/skip.ldif
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
    - name: dsconfig_1
      value: set-global-configuration-prop --set lookthrough-limit:75000
    - name: dsconfig_2
      value: set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_3
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_4
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\")(version 3.0; acl \"<LDAP_OIGADMIN_GRP> control access\"; allow(read) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_5
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_6
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_7
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_8
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_9
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_10
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGranter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_11
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGrantee --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_12
      value: create-local-db-index --element-name userRoot --index-name obid --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_13
      value: create-local-db-index --element-name userRoot --index-name oblocationdn --set index-type:equality
    - name: dsconfig_14
      value: create-local-db-index --element-name userRoot --index-name oblocationname --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_15
      value: create-local-db-index --element-name userRoot --index-name oblocationtitle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_16
      value: create-local-db-index --element-name userRoot --index-name obrectangle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_17
      value: create-local-db-index --element-name userRoot --index-name obdirectreports --set index-type:equality
    - name: dsconfig_18
      value: create-local-db-index --element-name userRoot --index-name obindirectmanager --set index-type:equality
    - name: dsconfig_19
      value: create-local-db-index --element-name userRoot --index-name obuseraccountcontrol --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_20
      value: create-local-db-index --element-name userRoot --index-name obobjectclass --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_21
      value: create-local-db-index --element-name userRoot --index-name obparentlocationdn --set index-type:equality
    - name: dsconfig_22
      value: create-local-db-index --element-name userRoot --index-name obgroupcreator --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_23
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptiontype --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_24
      value: create-local-db-index --element-name userRoot --index-name obgroupdynamicfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_25
      value: create-local-db-index --element-name userRoot --index-name obgroupexpandeddynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_26
      value: create-local-db-index --element-name userRoot --index-name obgroupadministrator --set index-type:equality
    - name: dsconfig_27
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptionfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_28
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribemessage --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_29
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribenotification --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_30
      value: create-local-db-index --element-name userRoot --index-name obgrouppuredynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_31
      value: list-local-db-indexes --element-name userRoot
    - name: rebuildIndex_1
      value: --rebuildAll
    - name: restartAfterRebuildIndex
      value: "true"
replOUD:
  envVars:
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
    - name: dsconfig_1
      value: set-global-configuration-prop --set lookthrough-limit:75000
    - name: dsconfig_2
      value: set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_3
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_4
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_5
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_6
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_7
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: post_dsreplication_dsconfig_2
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGranter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_3
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGrantee --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_4
      value: create-local-db-index --element-name userRoot --index-name obid --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_5
      value: create-local-db-index --element-name userRoot --index-name oblocationdn --set index-type:equality
    - name: post_dsreplication_dsconfig_6
      value: create-local-db-index --element-name userRoot --index-name oblocationname --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_7
      value: create-local-db-index --element-name userRoot --index-name oblocationtitle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_8
      value: create-local-db-index --element-name userRoot --index-name obrectangle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_9
      value: create-local-db-index --element-name userRoot --index-name obdirectreports --set index-type:equality
    - name: post_dsreplication_dsconfig_10
      value: create-local-db-index --element-name userRoot --index-name obindirectmanager --set index-type:equality
    - name: post_dsreplication_dsconfig_11
      value: create-local-db-index --element-name userRoot --index-name obuseraccountcontrol --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_12
      value: create-local-db-index --element-name userRoot --index-name obobjectclass --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_13
      value: create-local-db-index --element-name userRoot --index-name obparentlocationdn --set index-type:equality
    - name: post_dsreplication_dsconfig_14
      value: create-local-db-index --element-name userRoot --index-name obgroupcreator --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_15
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptiontype --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_16
      value: create-local-db-index --element-name userRoot --index-name obgroupdynamicfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_17
      value: create-local-db-index --element-name userRoot --index-name obgroupexpandeddynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_18
      value: create-local-db-index --element-name userRoot --index-name obgroupadministrator --set index-type:equality
    - name: post_dsreplication_dsconfig_19
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptionfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_20
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribemessage --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_21
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribenotification --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_22
      value: create-local-db-index --element-name userRoot --index-name obgrouppuredynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_23
      value: list-local-db-indexes --element-name userRoot
    - name: rebuildIndex_1
      value: --rebuildAll
    - name: restartAfterRebuildIndex
      value: "true"
Only the first three components of the version number are required for <KUBERNETES_VER>. For example: 1.20.6.
If the organization prevents access to the internet for public images, you can host the kubectl image in your own registry and update the repository value in the file above to match this value.
Note:
If you want to enable Enterprise User Security (EUS) integration in OUD, add the following line in the oudConfig section:
oudConfig:
  integration: eus
- Lines dsconfig_1 to dsconfig_30 from the baseOUD section of the file.
- Lines post_dsreplication_dsconfig_2 to post_dsreplication_dsconfig_22 from the replOUD section of the file.
- <schemaConfigFile_1> from the Server Overrides file if you do not want to extend the schema definition for Oracle Access Manager.
Parent topic: Creating OUD Containers
Changing the OUD Heap Size
Instructions for tuning OUD is beyond the scope of this guide. For maximum and minimum heap size recommendations for OUD, see Sizing Guidelines.
To modify the heap size of an OUD instance, set Xms to the minimum heap size and Xmx to the maximum heap size in the serverTuning section of the Server Overrides file.
For example, to set the values for a small system, the entry would be as follows:
- name: serverTuning
  value: -Xms4096m -Xmx8192m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
For more information about the performance tuning recommendations, see Deep Dive into Oracle Unified Directory 12.2.1.4.0 Performance.
Parent topic: Creating OUD Containers
Enabling Assured Replication
If you want to enable assured replication between the OUD instances, add the following content to the replOUD section of the override_oud.yaml file:
replOUD:
  envVars:
    - name: post_dsreplication_dsconfig_1
      value: set-replication-domain-prop --domain-name ${baseDN} --advanced --set assured-type:safe-read
    - name: execCmd_1
      value: /u01/oracle/user_projects/${OUD_INSTANCE_NAME}/OUD/bin/dsconfig --no-prompt --hostname ${sourceHost} --port ${adminConnectorPort} --bindDN "${rootUserDN}" --bindPasswordFile /u01/oracle/user_projects/${OUD_INSTANCE_NAME}/admin/rootPwdFile.txt --trustAll set-replication-domain-prop --domain-name ${baseDN} --advanced --set assured-type:safe-read --set assured-sd-level:2 --set assured-timeout:5s --provider-name "Multimaster Synchronization"
Parent topic: Creating OUD Containers
Creating Containers
After you create the Helm Override file, you now need to create the OUD containers using the helm command. The helm command will:
- Create OUD instances
- Add OAM Schema Extensions
- Seed OAM/OIG users and groups
- Update the OUD change log permissions
- Create additional OUD indexes
- Rebuild OUD indexes
- Create Kubernetes services for OUD
cd /workdir/OUD/samples/kubernetes/helm
helm install --namespace <OUDNS> --values /workdir/OUD/override_oud.yaml <OUD_PREFIX> oud-ds-rs
helm install --namespace oudns --values /workdir/OUD/override_oud.yaml edg oud-ds-rs
Note:
edg is used to prefix each of the OUD instances. It can be any value.
Parent topic: Creating OUD Containers
Troubleshooting the OUD Instances
You can monitor the creation of each OUD instance using the following commands:
kubectl -n oudns get all -o wide
Only when you see each container with the status READY 1/1 and Status = Running will the installation and configuration be complete.
kubectl get pod -n oudns
kubectl describe pod -n oudns
Container Logs
kubectl logs edg-oud-ds-rs-0 -n oudns
Review the skips.ldif and rejects.ldif files that are created after the OUD servers are initialized. These files are created when the base.ldif and 99-user.ldif files are loaded.
The OUD servers start even if there are errors, but not all of the data is loaded, which causes problems later for other product integrations. You may not see these errors by reviewing only the OUD logs.
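Because the servers come up even when entries were rejected, the reject and skip files are worth checking mechanically. The script below is an added example, not from the Oracle guide: it pulls the rejects.ldif and skip.ldif that the importLdif_1 line writes to the config volume out of an OUD pod with kubectl exec, parses them, and exits non-zero when any entry was rejected or skipped. The file layout it parses (a '#' reason comment followed by the entry's LDIF lines) is an assumption, the sample file is constructed, and the pod name edg-oud-ds-rs-0 and namespace oudns are the guide's example values.

```python
import subprocess
import sys

CONFIG_DIR = "/u01/oracle/config-input"   # configVolume mountPath from the override


def parse_ldif_records(text: str) -> list:
    """Split a reject/skip file into {dn, reason} records, one per entry.
    Assumed layout: '#' comment lines give the reason, then the entry's LDIF
    lines; a blank line separates entries."""
    records, entry, reason = [], [], []
    for raw in text.splitlines():
        if raw.strip() == "":                  # blank line closes the record
            if entry:
                records.append(_record(entry, reason))
            entry, reason = [], []
        elif raw.startswith("#"):
            reason.append(raw.lstrip("# ").rstrip())
        elif raw.startswith(" ") and entry:    # LDIF continuation line
            entry[-1] += raw[1:]
        else:
            entry.append(raw)
    if entry:
        records.append(_record(entry, reason))
    return records


def _record(lines: list, reason: list) -> dict:
    dn = next((line[3:].strip() for line in lines if line.lower().startswith("dn:")), None)
    return {"dn": dn, "reason": " ".join(reason)}


def check_import(rejects_text: str, skips_text: str) -> dict:
    """Summarise both files; 'clean' is True only when nothing was rejected or skipped."""
    rejected = parse_ldif_records(rejects_text)
    skipped = parse_ldif_records(skips_text)
    return {
        "rejected": len(rejected),
        "skipped": len(skipped),
        "clean": not rejected and not skipped,
        "details": [f"rejected {r['dn']}: {r['reason']}" for r in rejected]
                 + [f"skipped {s['dn']}: {s['reason']}" for s in skipped],
    }


def read_from_pod(pod: str, namespace: str, path: str) -> str:
    """Fetch a file from a running OUD pod; a missing file means nothing was written."""
    run = subprocess.run(["kubectl", "exec", "-n", namespace, pod, "--", "cat", path],
                         capture_output=True, text=True)
    if run.returncode != 0 and "No such file" not in run.stderr:
        raise RuntimeError(run.stderr.strip() or f"kubectl exec failed for {pod}")
    return run.stdout


# Constructed sample of a rejects.ldif written when an entry uses an attribute
# that the schema extension (99-user.ldif) has not defined yet.
SAMPLE_REJECTS = """\
# Entry "cn=OAMAdministrators,cn=groups,dc=example,dc=com" rejected: attribute
#  type "obid" is not defined in the schema
dn: cn=OAMAdministrators,cn=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: OAMAdministrators
obid: 12345
"""
SAMPLE_SKIPS = ""

if __name__ == "__main__":
    pod = sys.argv[1] if len(sys.argv) > 1 else "edg-oud-ds-rs-0"
    ns = sys.argv[2] if len(sys.argv) > 2 else "oudns"
    result = check_import(read_from_pod(pod, ns, f"{CONFIG_DIR}/rejects.ldif"),
                          read_from_pod(pod, ns, f"{CONFIG_DIR}/skip.ldif"))
    print("\n".join(result["details"]) or "no rejected or skipped entries")
    sys.exit(0 if result["clean"] else 1)
```

Run it once per OUD pod (edg-oud-ds-rs-0, edg-oud-ds-rs-1, ...) after the pods report READY 1/1, since each instance loads the LDIF files independently.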
Parent topic: Creating OUD Containers
Creating External Access to OUD
By default, the OUD deployment gets created with all the components configured as ClusterIP services. This means that the Oracle Unified Directory components are visible only within the Kubernetes cluster.
If you are going to access the cluster only from within Kubernetes, then this is sufficient. However, if you want to interact with Oracle Unified Directory from outside of Kubernetes, you should create either an Ingress Controller service or individual NodePort services.
Parent topic: Installing and Configuring Oracle Unified Directory
Creating the Kubernetes NodePort Services
To create the native Kubernetes NodePort Services, you have to perform the steps provided in this section. If you want to expose the OUD services using an Ingress controller, see Installing and Configuring Ingress Controller.
Creating an LDAP NodePort Service
Parent topic: Creating the Kubernetes NodePort Services
Centralized Monitoring Using Grafana and Prometheus
There is no specific metric collection for OUD. However, you can monitor the OUD pods using the standard Kubernetes Dashboard in Kibana.
Parent topic: Installing and Configuring Oracle Unified Directory
Centralized Log File Monitoring Using Elasticsearch and Kibana
- OUD persistent volume, so it can be loaded by the Logstash pod to hunt for log files.
- The location of the log files in the persistent volumes.
- The location of the centralized Elasticsearch.
To configure the Logstash pod, perform the following steps. The assumption is that you have an Elasticsearch running inside the Kubernetes cluster, in a namespace called elkns.
- Creating a Secret for Elasticsearch
- Creating a Configuration Map for ELK Certificate
- Configuring Log File Monitoring for OUD
Parent topic: Installing and Configuring Oracle Unified Directory
Creating a Secret for Elasticsearch
Logstash requires credentials to connect to the Elasticsearch deployment. These credentials are stored in Kubernetes as a secret.
kubectl create secret generic elasticsearch-pw-elastic -n <OUDNS> --from-literal password=<ELK_APIKEY>
kubectl create secret generic elasticsearch-pw-elastic -n oudns --from-literal password=afshfashfkahf5f
kubectl create secret generic elasticsearch-pw-elastic -n <OUDNS> --from-literal password=<ELK_PWD>
kubectl create secret generic elasticsearch-pw-elastic -n oudns --from-literal password=mypassword
kubectl get secret elasticsearch-es-elastic-user -n <ELKNS> -o go-template='{{.data.elastic | base64decode}}'
Creating a Configuration Map for ELK Certificate
If you have configured a production ready Elasticsearch deployment, you would have configured SSL. Logstash needs to trust the Elasticsearch certificate to be able to communicate with it. To enable this trust, you should create a configuration map with the contents of the Elasticsearch certificate.
You would have already saved the Elasticsearch self-signed certificate. See Copying the Elasticsearch Certificate. If you have a production certificate you can use that instead.
To create the configuration map from the certificate, run the following command:
kubectl create configmap elk-cert --from-file=<WORKDIR>/ELK/elk.crt -n <OUDNS>
kubectl create configmap elk-cert --from-file=/workdir/ELK/elk.crt -n oudns
Configuring Log File Monitoring for OUD
Complete the following steps to configure log file monitoring:
Creating a Configuration Map for Logstash
Logstash looks for log files in the OUD installations and sends them to the centralized Elasticsearch. The configuration map is used to instruct Logstash where the log files reside and where to send them.
Parent topic: Configuring Log File Monitoring for OUD
Creating a Logstash Deployment
Parent topic: Configuring Log File Monitoring for OUD