14 Installing and Configuring Oracle Unified Directory

Create a new, highly available Oracle Unified Directory (OUD) deployment inside a Kubernetes cluster.

This chapter includes the following topics:

Configuring Oracle Unified Directory

Oracle Unified Directory is an LDAP compliant directory which you can use as a standalone entity or with other Oracle Identity and Access Management components.

This chapter describes how you can install Oracle Unified Directory inside a Kubernetes cluster. The chapter also explains how you can seed the directory with data required by other Oracle Identity and Access Manager components.

After deploying OUD, if the Kubernetes node on which an OUD pod is running goes down, the pod is not evicted when the pod eviction time-out expires; instead it moves to the Terminating state and remains there indefinitely. To avoid this problem, a cron job is created during the OUD deployment process; it checks for any pods in the Terminating state, deletes them, and then starts the pods again. The cron job requires access to images on hub.docker.com, so you should create a Kubernetes secret that enables access to these images.

This job ensures that the number of running OUD instances always matches the number you specified in the helm configuration file.

Note:

  • If you upgrade your container, you should recopy the helm charts to the persistent volume.
  • If you change your Helm/Kubernetes version, you should update the helm file with the revised versions.

Sizing Guidelines

When deploying OUD, you can use the following information as reference for the initial system sizing. For more information about sizing, see Deep Dive into Oracle Unified Directory 12.2.1.4.0 Performance.

System Size   Number of Users   Memory   JVM Heap Size (Min)   JVM Heap Size (Max)
Development   -                 2GB      1GB                   2GB
Small         5000              8GB      4GB                   8GB
Medium        50000             16GB     8GB                   16GB
Large         2 Million         64GB     16GB                  64GB

Kubernetes/Ingress Services

After you configure OUD, the following OUD services will be available on each worker node:

Table 14-1 OUD Services on Each Worker Node

Service     Type       Service Port   Mapped Port
OUD LDAP    NodePort   31389          1389
OUD LDAPS   NodePort   31636          636
OUD ADMIN   NodePort   30777          80

Note:

OUD randomly picks its own Kubernetes service port. The numbers given in this table are only examples.

Variables Used in this Chapter

The later sections of this chapter provide instructions to create a number of files. These sample files contain variables which you need to substitute with values applicable to your deployment.

Variables are formatted as <VARIABLE_NAME>. The following table provides the values you should set for each of these variables.

Table 14-2 The Variables to be Changed

Variable Sample Value Description

<WORKDIR>

/workdir/OUD

The location where you want to create the working directory for OUD.

<REGISTRY_ADDRESS>

iad.ocir.io/<mytenancy>

The location of the registry. If you use the Oracle container registry, the value will be container-registry.oracle.com/middleware/oud_cpu.

<REG_USER>

mytenancy/oracleidentitycloudservice/myemail@email.com

The user id you use to log in to the registry. If you use the Oracle container registry, this value will be your Oracle single sign-on user name.

<REG_PWD>

<password>

The registry user password.

<OUD_REPOSITORY>

oracle/oud

local/oracle/oud

container-registry.oracle.com/middleware/oud_cpu

<REGISTRY_ADDRESS>/oracle/oud

The name of the OUD software repository.

If you have downloaded and staged a container image, this value will be: oracle/oud. If you are using OLCNE, the value will be local/oracle/oud.

If you are using the Oracle container registry, the value will be: container-registry.oracle.com/middleware/oud_cpu.

If you are using a container registry, the value will be the name of the registry with the product name: <REGISTRY_ADDRESS>/oracle/oud.

<OUD_VER>

12.2.1.4-jdk8-ol7-220411.1613 or latest

The version of the image you want to use. This will be the version you have downloaded and staged either locally or in the container registry.

<DH_USER>

username

The Docker user name for hub.docker.com. Used for CronJob images.

<DH_PWD>

mypassword

The Docker password for hub.docker.com. Used for CronJob images.

<OUDNS>

oudns

The name of the OUD namespace.

<PVSERVER>

mynfsserver.example.com

The name of the NFS server.

Note: This name should be resolvable inside the Kubernetes cluster.

<OUD_SHARE>

/exports/IAMPVS/oudpv

The NFS mount point for the OUD persistent volume.

<OUD_CONFIG_SHARE>

/exports/IAMPVS/oudconfigpv

The NFS mount point for the OUD config persistent volume.

<OUD_LOCAL_SHARE>

/nfs_volumes/oudconfigpv

The local directory where <OUD_CONFIG_SHARE> is mounted. Used to hold seed files.

<LDAP_SEARCHBASE>

dc=example,dc=com

The directory tree for your organization. This is where all the data is stored.

<LDAP_GROUP_SEARCHBASE>

cn=Groups,dc=example,dc=com

The location in the directory where groups/roles are stored.

<LDAP_USER_SEARCHBASE>

cn=Users,dc=example,dc=com

The location in the directory where names of users are stored.

<LDAP_RESERVE_SEARCHBASE>

cn=Reserve,dc=example,dc=com

Set this to the name of the reservation container in OIG. Kept for legacy reasons.

<LDAP_ADMIN_USER>

cn=oudadmin

The user name of the directory administrator.

<LDAP_ADMIN_PWD>

password

The password of the directory administrator.

<LDAP_OAMLDAP_USER>

oamLDAP

The name of a user that OAM will use to connect to the directory for validating logins.

<LDAP_OIGLDAP_USER>

oimLDAP

The name of a user that OIG will use to connect to the directory to manage users.

<LDAP_OAMADMIN_USER>

oamadmin

The name of the user you want to administer OAM.

<LDAP_WLSADMIN_USER>

weblogic_iam

The name of the user you want to use to administer the domain.

<LDAP_XELSYSADM_USER>

xelsysadm

The name of the user you want to create for administering OIG.

<LDAP_USER_PWD>

<password>

The password you want to assign to the user names you are creating. IDM on Kubernetes expects this to be the same for each account. You can change this to different values post deployment, if required.

<LDAP_OIGADMIN_GRP>

OIMAdministrators

The name of the group consisting of the names of the administrators of OIG.

<LDAP_WLSADMIN_GRP>

WLSAdministrators

Users assigned to this role will be able to log in to the WebLogic Administration Console and FMW Control.

<LDAP_OAMADMIN_GRP>

OAMAdministrators

Users assigned to this role will be able to log in to the OAM Administration Console and configure OAM.

<LDAP_SYSTEMIDS>

systemids

The name of a container where you want to store system ids. User names placed in this container are not subject to OIM reconciliation or password aging. This container is reserved for users such as <LDAP_OAMLDAP_USER> and <LDAP_OIGLDAP_USER>.

<OUD_PWD_EXPIRY>

2024-01-02

The date on which the password for the user accounts will expire. The date should be in the YYYY-MM-DD format.

<OUD_LDAP_K8>

31389

Port to use for OUD LDAP requests.

Note: This value must be within the Kubernetes service port range.

<OUD_LDAPS_K8>

31636

Port to use for OUD LDAPS requests.

Note: This value must be within the Kubernetes service port range.

<OUD_PREFIX>

edg

<OUD_REPLICAS>

1

The number of OUD replica instances you want to create.

<REGION>

example

This is the top level region and is usually the first part of the search base.

<HELM_VER>

-

The version of Helm you are running. You can obtain it by using the command: helm version --short

Only the first three version components are required, for example: 3.5.4.

<KUBERNETES_VER>

-

The version of Kubernetes you are running. You can obtain it by using the command: kubectl version --short=true | grep Server.

Only the first three version components are required, for example: 1.20.6.

<ELK_HOST>

https://elasticsearch-es-http.elkns.svc:9200

The host and port of the centralized Elasticsearch deployment. This host can be inside the Kubernetes cluster or external to it. This host is used only when Elasticsearch is used.

<ELK_VER>

8.11.0

The version of Elasticsearch you want to use.

<ELK_USER_PWD>

<password>

The password assigned to the ELK user. See Creating a Role and a User for Logstash.

Setting Up a Product Specific Work Directory

Before you begin the installation, you should have already downloaded and staged the Oracle Unified Directory Service Manager container image or should be using the Oracle Container Registry and the code repository.

See Identifying and Obtaining Software Distributions for an Enterprise Deployment. This section describes the procedure to copy the downloaded sample deployment scripts to a temporary working directory for OUD.

  1. Create a temporary working directory as the install user. The install user should have kubectl access to the Kubernetes cluster.
    mkdir <WORKDIR>
    For example:
    mkdir /workdir/OUD
  2. Change the directory to this location:
    cd /workdir/OUD

    Note:

    The same set of sample files are used by several products in this guide. To avoid having to download them each time, the files are staged in a non-product specific working directory.
  3. Copy the sample scripts to your work directory.
    cp -R <work_dir>/fmw-kubernetes/OracleUnifiedDirectory <WORKDIR>/samples
    For example:
    cp -R /workdir/fmw-kubernetes/OracleUnifiedDirectory /workdir/OUD/samples

About Deploying Oracle Unified Directory

Oracle recommends that you use Helm to create and configure Oracle Unified Directory (OUD).

To deploy OUD:
  • Deploy several OUD servers and set up replication between those containers (there should be more than one container for high availability).
  • Create NodePort or Ingress services if you require access to the OUD directory outside of the Kubernetes cluster.
  • Configure OUD to support Oracle Identity and Access Management.

Traditionally, the process of configuring OUD to support Oracle Identity and Access Management has been through the use of the Oracle Identity and Access Management tool 'idmConfigTool'. This tool is used after you have installed and configured OUD and deployed OAM or OIG. If you want to use the traditional method of preparing and seeding the directory, the option is available but is not discussed in this guide.

For information on using idmConfigTool to configure OUD, see Preparing an Existing LDAP Directory.

The traditional method of configuring OUD includes the following steps:

The method discussed in this guide is to create seed datafiles and to provide these as input into the OUD creation process.

Creating a Kubernetes Namespace

You have to create a namespace to contain all the objects for Oracle Unified Directory.

To create a namespace, run the following command:
kubectl create namespace oudns
The output appears as follows:
namespace/oudns created

Creating a Container Registry Secret

Oracle recommends that you use a container registry. If you use a container registry and want to pull the Oracle container images on demand, you must create a secret which contains the login details of the container registry.

If you have staged your container images locally, there is no need to perform this step.

To create a container registry secret, use the following command:
kubectl create secret -n <OUDNS> docker-registry regcred --docker-server=<REGISTRY_ADDRESS> --docker-username=<REG_USER> --docker-password=<REG_PWD>
For example:
kubectl create secret -n oudns docker-registry regcred --docker-server=iad.ocir.io/mytenancy --docker-username=mytenancy/oracleidentitycloudservice/myemail@email.com --docker-password=<password>

Creating a Kubernetes Secret for Docker Hub Images

This secret allows Kubernetes to pull images from hub.docker.com, which hosts third-party images such as helm, kubectl, and logstash. The OUD cron job uses these tools to test for pods that are stuck in the Terminating state and to restart them if necessary.

Note:

If you are pulling the images from your own container registry, then this step is not required.

You should have an account on hub.docker.com. If you want to stage the images in your own repository, you can do so and modify the helm override file as appropriate.

To create a Kubernetes secret for hub.docker.com, use the following command:

$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="<DH_USER>" --docker-password="<DH_PWD>" --namespace=<OUDNS>
For example:
$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="username" --docker-password="<mypassword>" --namespace=oudns

Creating Configuration Files

Before beginning the deployment of OUD, you need to create a series of configuration files. These files are used to configure and seed the data required by OAM and OIG.

The entries in the files are based on the standard Enterprise Deployment Guide naming conventions. If you want to use alternative names for these entries, edit the files per your organizational requirements.

Creating the Schema Extensions File

This file is used to extend the OUD schema with Oracle Access Manager Object Classes. You can skip this section if you are not deploying Oracle Access Manager.

Create the 99-user.ldif file with the contents as shown in the Sample of the Schema Extension File.

All information should remain the same. If you have no plans to use Oracle Access Manager, you do not require this file.

Creating the Seeding File

This file is used to seed OUD with the names of Users and Groups required by Oracle Access Manager and Oracle Identity Governance.

Create a file called base.ldif with the contents as shown in the Sample of the Seeding File.

You should perform a global search and replace on this file to make it specific to your organization. To make things easier, the sample file has a number of variables inserted to help you identify the entries that need to be changed. Each variable is enclosed in '<>'. For the list of variables used, see Variables Used in this Chapter.

Note:

This file contains all the entries for Oracle Access Manager and Oracle Identity Governance. If you are not deploying any of these products, you can amend this file as per your requirements. It is provided here as an example and to make deployment of a full suite simpler.

Perform a global search and replace to change these entries.

Note:

Do not change the values for the following variables:
  • <DenySSORead ACI>
  • <AllowSSORead ACI>
  • <AllowSSOAll ACI>

Setting Passwords

You can set user passwords in the file by providing a value for the LDAP attribute: userPassword.

Passwords entered as plain text are encrypted when the file is loaded. For ease of use, search for the term <PASSWORD> in the file to find the entries for which you have to provide a value.
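The global search and replace described above, applied to base.ldif and equally to override_oud.yaml, as an added shell example that is not part of Oracle's guide: it renders a template from a NAME=VALUE file, leaves the three protected ACI placeholders untouched, restricts the permissions of the rendered file because it holds clear-text passwords, and lists any placeholder still unresolved (an unset <PASSWORD>, for instance). The vars file format and the LDIF fragment written by demo are constructed for illustration, not Oracle's real base.ldif.

```shell
#!/bin/sh
# Added example (not from Oracle's guide): render base.ldif or override_oud.yaml by
# substituting <VARIABLE> placeholders from a NAME=VALUE file, leave the three ACI
# placeholders alone, and report any placeholder that is still unresolved.
set -eu

# Placeholders the guide says must not be changed.
PROTECTED='<DenySSORead ACI>|<AllowSSORead ACI>|<AllowSSOAll ACI>'

# render TEMPLATE VARS OUT
#   VARS holds one NAME=VALUE per line (constructed format; '#' starts a comment).
#   Only the first '=' splits the line, so DN values containing '=' are kept whole.
render() {
  template=$1; vars=$2; out=$3; script=''
  while IFS='=' read -r name value; do
    case $name in ''|\#*) continue ;; esac
    # escape the characters that are special in a sed replacement (\ | &)
    value=$(printf '%s' "$value" | sed 's/[\\|&]/\\&/g')
    script="${script}s|<${name}>|${value}|g;"
  done < "$vars"
  sed -e "$script" "$template" > "$out"
  chmod 600 "$out"   # the rendered file contains clear-text passwords
}

# leftovers FILE: print unresolved placeholders (one per line), ignoring the
# protected ACI ones; returns 1 when any remain.
leftovers() {
  found=$(grep -o '<[A-Za-z_][A-Za-z0-9_ ]*>' "$1" | grep -Ev "^(${PROTECTED})\$" | sort -u || true)
  if [ -z "$found" ]; then return 0; fi
  printf '%s\n' "$found"
  return 1
}

# demo: render a constructed fragment of base.ldif (not Oracle's real file) with
# sample values from Table 14-2 but with no PASSWORD value; prints the work directory.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/vars" <<'EOF'
# constructed sample values
LDAP_SEARCHBASE=dc=example,dc=com
LDAP_SYSTEMIDS=systemids
LDAP_OIGLDAP_USER=oimLDAP
LDAP_OIGADMIN_GRP=OIMAdministrators
EOF
  cat > "$dir/base.ldif" <<'EOF'
dn: cn=<LDAP_OIGLDAP_USER>,cn=<LDAP_SYSTEMIDS>,<LDAP_SEARCHBASE>
objectclass: inetOrgPerson
userPassword: <PASSWORD>
aci: <AllowSSORead ACI>

dn: cn=<LDAP_OIGADMIN_GRP>,cn=Groups,<LDAP_SEARCHBASE>
objectclass: groupOfUniqueNames
EOF
  render "$dir/base.ldif" "$dir/vars" "$dir/base.rendered.ldif"
  echo "$dir"
}

d=$(demo)
cat "$d/base.rendered.ldif"
leftovers "$d/base.rendered.ldif" || echo "unresolved placeholders above: add them to $d/vars and re-render"
```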

Creating OUD Containers

Create the server overrides file first and then use the Helm command to create the OUD containers.

Creating a Server Overrides File

OUD containers are deployed using Helm. You must create a helm override file to customize the deployment to your needs; this file determines how the OUD pods will be created. You can specify the following details in this file:
  • The container images to use.
  • The number of replicas to create.
  • The resources to allocate to each pod.
  • The base DN to create.
  • An ldif file to load to seed the OUD data.
  • An ldif file to create the schema extensions.
  • The access control lists (ACLs) to create.
  • The indexes that need to be created on each pod (base and replicas).
  • Any specific dsconfig commands you want to run at pod instantiation.

Create this file by substituting values from Table 14-2.

The following is a sample override file for OUD.

/workdir/OUD/override_oud.yaml

Note:

You can find a sample of this file along with the sample files you downloaded from GitHub. It will be located in /workdir/fmw-kubernetes/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oud.
A resource limit is the maximum amount of resources each pod may use:
  • CPU is measured in CPU cores: a value of 1 = 1 CPU core or 1 virtual core.
  • Memory is measured in standard units: 1G = 1GB.
Resource requests are the initial values reserved for the pod at startup:
  • CPU is measured in millicores: a value of 1000m = 1 CPU core or 1 virtual core.
  • Memory is measured in standard units: 1G = 1GB.

The JVM heap settings in serverTuning (-Xms and -Xmx) should fit within these memory values.
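Because the heap is set in serverTuning while the limit is set in oudConfig.resources, a mismatch is easy to introduce. Added shell example, not part of Oracle's guide: it reads resources.limits.memory and every -Xmx from an override file and reports a heap that is not strictly below the limit, on the assumption that the JVM also needs non-heap memory (metaspace, thread stacks, direct buffers); with the sample values in this guide (limit 2Gi, -Xmx2048m) it therefore reports a finding. The fragment written by sample_override is constructed to mirror the override file's layout.

```shell
#!/bin/sh
# Added example (not from Oracle's guide): check that the JVM heap ceiling (-Xmx) in
# serverTuning fits inside oudConfig.resources.limits.memory of override_oud.yaml.
# Assumption: the JVM needs memory beyond the heap, so heap >= limit is a finding.
set -eu

# to_mib SIZE: convert a Kubernetes quantity (2Gi, 2G, 1536Mi, 500M) or a JVM size
# (2048m, 1g, 512k) to whole MiB. 1G is 10^9 bytes, 1Gi (and JVM 1g) is 2^30.
to_mib() {
  num=${1%%[!0-9]*}          # leading digits
  unit=${1#"$num"}           # whatever follows them
  case $unit in
    Gi|g) echo $((num * 1024)) ;;
    Mi|m) echo "$num" ;;
    Ki|k) echo $((num / 1024)) ;;
    G)    echo $((num * 1000000000 / 1048576)) ;;
    M)    echo $((num * 1000000 / 1048576)) ;;
    '')   echo $((num / 1048576)) ;;
    *)    echo "to_mib: unknown unit '$unit' in '$1'" >&2; return 1 ;;
  esac
}

# jvm_mib SIZE: JVM suffixes are case-insensitive and always binary (2G == 2g)
jvm_mib() { to_mib "$(printf '%s' "$1" | tr 'GMK' 'gmk')"; }

# heap_check FILE: compare every -Xmx found in FILE with the limits memory that
# follows "resources:" (the override file's layout). Returns 1 on any finding.
heap_check() {
  file=$1; rc=0
  limit=$(awk '/resources:/{r=1} r&&/limits:/{l=1} r&&l&&/memory:/{print $2; exit}' "$file")
  if [ -z "$limit" ]; then echo "no resources.limits.memory in $file" >&2; return 1; fi
  limit_mib=$(to_mib "$limit")
  for xmx in $(grep -oE -- '-Xmx[0-9]+[kKmMgG]?' "$file" | sed 's/^-Xmx//' | sort -u); do
    heap_mib=$(jvm_mib "$xmx")
    if [ "$heap_mib" -ge "$limit_mib" ]; then
      echo "FINDING: -Xmx$xmx ($heap_mib MiB) is not below memory limit $limit ($limit_mib MiB)"
      rc=1
    else
      echo "ok: -Xmx$xmx ($heap_mib MiB) fits under memory limit $limit ($limit_mib MiB)"
    fi
  done
  return $rc
}

# sample_override LIMIT: write a constructed fragment of override_oud.yaml using the
# guide's serverTuning line and LIMIT as the memory limit; prints the file path.
sample_override() {
  f=$(mktemp)
  cat > "$f" <<EOF
oudConfig:
  baseDN: dc=example,dc=com
  resources:
    limits:
      cpu: 1
      memory: $1
    requests:
      cpu: 500m
      memory: 1Gi

baseOUD:
  envVars:
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g
EOF
  echo "$f"
}

for lim in 2Gi 3Gi; do
  f=$(sample_override "$lim")
  heap_check "$f" || echo "  -> raise resources.limits.memory or lower -Xmx"
done
```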

image:
  repository: <OUD_REPOSITORY>
  tag: <OUD_VER>
  pullPolicy: IfNotPresent

busybox: 
  image: docker.io/busybox

imagePullSecrets:
  - name: regcred
oudConfig:
  baseDN: <LDAP_SEARCHBASE>
  rootUserDN: <LDAP_ADMIN_USER>
  rootUserPassword: <LDAP_ADMIN_PWD>
  sleepBeforeConfig: 1300
  resources:
    limits:
      cpu: 1
      memory: 2Gi
    requests:
      cpu: 500m
      memory: 1Gi

persistence:
  type: networkstorage
  networkstorage:
    nfs:
      server: <PVSERVER>
      path: <OUD_SHARE>
  size: 30Gi

configVolume:
  enabled: true
  type: networkstorage
  networkstorage:
    nfs:
      server: <PVSERVER>
      path: <OUD_CONFIG_SHARE>
  mountPath: /u01/oracle/config-input

replicaCount: <OUD_REPLICAS>

ingress:
  enabled: false
  type: nginx
  tlsEnabled: true

cronJob:
  kubectlImage:
    repository: bitnami/kubectl
    tag: <KUBERNETES_VER>
    pullPolicy: IfNotPresent
  imagePullSecrets:
    - name: dockercred

baseOUD:
  envVars:
    - name: schemaConfigFile_1
      value: /u01/oracle/config-input/99-user.ldif
    - name: restartAfterSchemaConfig
      value: "true"
    - name: importLdif_1
      value: --append --replaceExisting --includeBranch ${baseDN} --backendID userRoot --ldifFile /u01/oracle/config-input/base.ldif --rejectFile /u01/oracle/config-input/rejects.ldif --skipFile /u01/oracle/config-input/skip.ldif
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
    - name: dsconfig_1
      value: set-global-configuration-prop --set lookthrough-limit:75000
    - name: dsconfig_2
      value: set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_3
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)" 
    - name: dsconfig_4
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\")(version 3.0; acl \"<LDAP_OIGADMIN_GRP> control access\"; allow(read)  groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_5
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_6
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_7
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_8
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_9
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_10
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGranter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_11
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGrantee --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_12
      value: create-local-db-index --element-name userRoot --index-name obid --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_13
      value: create-local-db-index --element-name userRoot --index-name oblocationdn --set index-type:equality  
    - name: dsconfig_14
      value: create-local-db-index --element-name userRoot --index-name oblocationname --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_15
      value: create-local-db-index --element-name userRoot --index-name oblocationtitle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_16
      value: create-local-db-index --element-name userRoot --index-name obrectangle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_17
      value: create-local-db-index --element-name userRoot --index-name obdirectreports --set index-type:equality 
    - name: dsconfig_18
      value: create-local-db-index --element-name userRoot --index-name obindirectmanager --set index-type:equality 
    - name: dsconfig_19
      value: create-local-db-index --element-name userRoot --index-name obuseraccountcontrol --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_20
      value: create-local-db-index --element-name userRoot --index-name obobjectclass --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_21
      value: create-local-db-index --element-name userRoot --index-name obparentlocationdn --set index-type:equality 
    - name: dsconfig_22
      value: create-local-db-index --element-name userRoot --index-name obgroupcreator --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_23
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptiontype --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_24
      value: create-local-db-index --element-name userRoot --index-name obgroupdynamicfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_25
      value: create-local-db-index --element-name userRoot --index-name obgroupexpandeddynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_26
      value: create-local-db-index --element-name userRoot --index-name obgroupadministrator --set index-type:equality 
    - name: dsconfig_27
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptionfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_28
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribemessage --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_29
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribenotification --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_30
      value: create-local-db-index --element-name userRoot --index-name obgrouppuredynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_31
      value: list-local-db-indexes --element-name userRoot 
    - name: rebuildIndex_1
      value: --rebuildAll 
    - name: restartAfterRebuildIndex
      value: "true"

replOUD:
  envVars:
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
    - name: dsconfig_1
      value: set-global-configuration-prop --set lookthrough-limit:75000
    - name: dsconfig_2
      value: set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_3
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_4
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_5
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_6
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_7
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: post_dsreplication_dsconfig_2
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGranter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_3
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGrantee --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_4
      value: create-local-db-index --element-name userRoot --index-name obid --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_5
      value: create-local-db-index --element-name userRoot --index-name oblocationdn --set index-type:equality
    - name: post_dsreplication_dsconfig_6
      value: create-local-db-index --element-name userRoot --index-name oblocationname --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_7
      value: create-local-db-index --element-name userRoot --index-name oblocationtitle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_8
      value: create-local-db-index --element-name userRoot --index-name obrectangle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_9
      value: create-local-db-index --element-name userRoot --index-name obdirectreports --set index-type:equality
    - name: post_dsreplication_dsconfig_10
      value: create-local-db-index --element-name userRoot --index-name obindirectmanager --set index-type:equality
    - name: post_dsreplication_dsconfig_11
      value: create-local-db-index --element-name userRoot --index-name obuseraccountcontrol --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_12
      value: create-local-db-index --element-name userRoot --index-name obobjectclass --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_13
      value: create-local-db-index --element-name userRoot --index-name obparentlocationdn --set index-type:equality
    - name: post_dsreplication_dsconfig_14
      value: create-local-db-index --element-name userRoot --index-name obgroupcreator --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_15
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptiontype --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_16
      value: create-local-db-index --element-name userRoot --index-name obgroupdynamicfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_17
      value: create-local-db-index --element-name userRoot --index-name obgroupexpandeddynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_18
      value: create-local-db-index --element-name userRoot --index-name obgroupadministrator --set index-type:equality
    - name: post_dsreplication_dsconfig_19
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptionfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_20
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribemessage --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_21
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribenotification --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_22
      value: create-local-db-index --element-name userRoot --index-name obgrouppuredynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_23
      value: list-local-db-indexes --element-name userRoot
    - name: rebuildIndex_1
      value: --rebuildAll
    - name: restartAfterRebuildIndex
      value: "true"
For example:
image:
  repository: oracle/oud
  tag: 12.2.1.4-jdk8-ol7-220411.1613
  pullPolicy: IfNotPresent

busybox: 
  image: docker.io/busybox

imagePullSecrets:
  - name: regcred
oudConfig:
  baseDN: dc=example,dc=com
  rootUserDN: cn=oudadmin
  rootUserPassword: password
  sleepBeforeConfig: 1300

persistence:
  type: networkstorage
  networkstorage:
    nfs:
      server: mynfsserver.example.com
      path: /exports/IAMPVS/oudpv
  size: 30Gi

configVolume:
  enabled: true
  type: networkstorage
  networkstorage:
    nfs:
      server: mynfsserver.example.com
      path: /exports/IAMPVS/oudconfigpv
  mountPath: /u01/oracle/config-input

replicaCount: 1

ingress:
  enabled: false
  type: nginx
  tlsEnabled: true

cronJob:
  kubectlImage:
    repository: bitnami/kubectl
    tag: <KUBERNETES_VER>
    pullPolicy: IfNotPresent
  imagePullSecrets:
    - name: dockercred

baseOUD:
  envVars:
    - name: schemaConfigFile_1
      value: /u01/oracle/config-input/99-user.ldif
    - name: restartAfterSchemaConfig
      value: "true"
    - name: importLdif_1
      value: --append --replaceExisting --includeBranch ${baseDN} --backendID userRoot --ldifFile /u01/oracle/config-input/base.ldif --rejectFile /u01/oracle/config-input/rejects.ldif --skipFile /u01/oracle/config-input/skip.ldif
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
    - name: dsconfig_1
      value: set-global-configuration-prop --set lookthrough-limit:75000
    - name: dsconfig_2
      value: set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_3
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)" 
    - name: dsconfig_4
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\")(version 3.0; acl \"<LDAP_OIGADMIN_GRP> control access\"; allow(read)  groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_5
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_6
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_7
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_8
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_9
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_10
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGranter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_11
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGrantee --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_12
      value: create-local-db-index --element-name userRoot --index-name obid --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_13
      value: create-local-db-index --element-name userRoot --index-name oblocationdn --set index-type:equality  
    - name: dsconfig_14
      value: create-local-db-index --element-name userRoot --index-name oblocationname --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_15
      value: create-local-db-index --element-name userRoot --index-name oblocationtitle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_16
      value: create-local-db-index --element-name userRoot --index-name obrectangle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_17
      value: create-local-db-index --element-name userRoot --index-name obdirectreports --set index-type:equality 
    - name: dsconfig_18
      value: create-local-db-index --element-name userRoot --index-name obindirectmanager --set index-type:equality 
    - name: dsconfig_19
      value: create-local-db-index --element-name userRoot --index-name obuseraccountcontrol --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_20
      value: create-local-db-index --element-name userRoot --index-name obobjectclass --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_21
      value: create-local-db-index --element-name userRoot --index-name obparentlocationdn --set index-type:equality 
    - name: dsconfig_22
      value: create-local-db-index --element-name userRoot --index-name obgroupcreator --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_23
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptiontype --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_24
      value: create-local-db-index --element-name userRoot --index-name obgroupdynamicfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_25
      value: create-local-db-index --element-name userRoot --index-name obgroupexpandeddynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_26
      value: create-local-db-index --element-name userRoot --index-name obgroupadministrator --set index-type:equality 
    - name: dsconfig_27
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptionfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_28
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribemessage --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_29
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribenotification --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_30
      value: create-local-db-index --element-name userRoot --index-name obgrouppuredynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: dsconfig_31
      value: list-local-db-indexes --element-name userRoot 
    - name: rebuildIndex_1
      value: --rebuildAll 
    - name: restartAfterRebuildIndex
      value: "true"

replOUD:
  envVars:
    - name: serverTuning
      value: -Xms1024m -Xmx2048m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60
    - name: dsconfig_1
      value: set-global-configuration-prop --set lookthrough-limit:75000
    - name: dsconfig_2
      value: set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_3
      value: set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=<LDAP_OIGADMIN_GRP>,cn=groups,${baseDN}\";)"
    - name: dsconfig_4
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_5
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated users control access\"; allow(read) userdn=\"ldap:///all\";)"
    - name: dsconfig_6
      value: set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: dsconfig_7
      value: set-access-control-handler-prop --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)"
    - name: post_dsreplication_dsconfig_2
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGranter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_3
      value: create-local-db-index --element-name userRoot --index-name orclImpersonationGrantee --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_4
      value: create-local-db-index --element-name userRoot --index-name obid --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_5
      value: create-local-db-index --element-name userRoot --index-name oblocationdn --set index-type:equality
    - name: post_dsreplication_dsconfig_6
      value: create-local-db-index --element-name userRoot --index-name oblocationname --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_7
      value: create-local-db-index --element-name userRoot --index-name oblocationtitle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_8
      value: create-local-db-index --element-name userRoot --index-name obrectangle --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_9
      value: create-local-db-index --element-name userRoot --index-name obdirectreports --set index-type:equality
    - name: post_dsreplication_dsconfig_10
      value: create-local-db-index --element-name userRoot --index-name obindirectmanager --set index-type:equality
    - name: post_dsreplication_dsconfig_11
      value: create-local-db-index --element-name userRoot --index-name obuseraccountcontrol --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_12
      value: create-local-db-index --element-name userRoot --index-name obobjectclass --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_13
      value: create-local-db-index --element-name userRoot --index-name obparentlocationdn --set index-type:equality
    - name: post_dsreplication_dsconfig_14
      value: create-local-db-index --element-name userRoot --index-name obgroupcreator --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_15
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptiontype --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_16
      value: create-local-db-index --element-name userRoot --index-name obgroupdynamicfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_17
      value: create-local-db-index --element-name userRoot --index-name obgroupexpandeddynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_18
      value: create-local-db-index --element-name userRoot --index-name obgroupadministrator --set index-type:equality
    - name: post_dsreplication_dsconfig_19
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscriptionfilter --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_20
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribemessage --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_21
      value: create-local-db-index --element-name userRoot --index-name obgroupsubscribenotification --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_22
      value: create-local-db-index --element-name userRoot --index-name obgrouppuredynamic --set index-type:equality --set index-type:presence --set index-type:substring
    - name: post_dsreplication_dsconfig_23
      value: list-local-db-indexes --element-name userRoot
    - name: rebuildIndex_1
      value: --rebuildAll
    - name: restartAfterRebuildIndex
      value: "true"

For <KUBERNETES_VER>, only the first three parts of the Kubernetes version number (major.minor.patch) are required. For example: 1.20.6.

If the organization prevents access to the internet for public images, you can host the kubectl image in your own registry and update the repository value in the file above to match this value.

Note:

If you want to enable Enterprise User Security (EUS) integration in OUD, add the following line in the oudConfig section:
oudConfig:
  integration: eus
If you are not using OAM, you can remove the following:
  • Lines dsconfig_1 to dsconfig_30 from the baseOUD section of the file.
  • Lines post_dsreplication_dsconfig_2 to post_dsreplication_dsconfig_22 from the replOUD section of the file.
  • <schemaConfigFile_1> from the Server Overrides file if you do not want to extend the schema definition for Oracle Access Manager.

Changing the OUD Heap Size

Instructions for tuning OUD are beyond the scope of this guide. For maximum and minimum heap size recommendations for OUD, see Sizing Guidelines.

To modify the heap size of an OUD instance, set Xms to the minimum heap size and Xmx to the maximum heap size in the serverTuning section of the Server Overrides file.

For example, to set the values for a small system, the entry would be as follows:

    - name: serverTuning
      value: -Xms4096m -Xmx8192m -d64 -XX:+UseCompressedOops -server -Xmn1g -XX:MaxTenuringThreshold=1 -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=60

For more information about the performance tuning recommendations, see Deep Dive into Oracle Unified Directory 12.2.1.4.0 Performance.

Enabling Assured Replication

If you want to enable assured replication between the OUD instances, add the following content to the replOUD section of the override_oud.yaml file:

replOUD:
  envVars:
    - name: post_dsreplication_dsconfig_1
      value: set-replication-domain-prop --domain-name ${baseDN} --advanced --set assured-type:safe-read
    - name: execCmd_1
      value: /u01/oracle/user_projects/${OUD_INSTANCE_NAME}/OUD/bin/dsconfig --no-prompt --hostname ${sourceHost} --port ${adminConnectorPort} --bindDN "${rootUserDN}" --bindPasswordFile /u01/oracle/user_projects/${OUD_INSTANCE_NAME}/admin/rootPwdFile.txt --trustAll set-replication-domain-prop --domain-name ${baseDN} --advanced --set assured-type:safe-read --set assured-sd-level:2 --set assured-timeout:5s --provider-name "Multimaster Synchronization"

Creating Containers

After you create the Helm Override file, you now need to create the OUD containers using the helm command.

The helm command will:
  • Create OUD instances
  • Add OAM Schema Extensions
  • Seed OAM/OIG users and groups
  • Update the OUD change log permissions
  • Create additional OUD indexes
  • Rebuild OUD indexes
  • Create Kubernetes services for OUD
To create containers, use the following command:
cd /workdir/OUD/samples/kubernetes/helm
helm install --namespace <OUDNS> --values /workdir/OUD/override_oud.yaml <OUD_PREFIX> oud-ds-rs
For example:
helm install --namespace oudns --values /workdir/OUD/override_oud.yaml edg oud-ds-rs

Note:

edg is used to prefix each of the OUD instances. It can be any value.

Troubleshooting the OUD Instances

You can monitor the creation of each OUD instance using the following commands:

Objects created in the namespace:
kubectl -n oudns get all -o wide

The installation and configuration are complete only when every container shows READY 1/1 and STATUS Running.

If you do not see objects being created, use the following command to check the issue:
kubectl get pod -n oudns
For a detailed description, use:
kubectl describe pod -n oudns

Container Logs

To view the progress of each container as it is being created, use a command similar to:
kubectl logs edg-oud-ds-rs-0 -n oudns

Review the skip.ldif and rejects.ldif files (named by the --skipFile and --rejectFile options of the importLdif_1 entry) that are created after the OUD servers are initialized. These files are written when the base.ldif and 99-user.ldif files are loaded. The OUD servers start even if there are errors, but not all of the data is loaded, which causes problems later for other product integrations. Reviewing only the OUD logs may not reveal these errors.
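A post-install check, added here as an example and not part of the Oracle guide, that applies the completion criteria above: every OUD pod must report READY 1/1 and Running, and the rejects.ldif and skip.ldif files written by importLdif_1 must be empty. It assumes the namespace oudns, the prefix edg and the /u01/oracle/config-input path from the override file; the kubectl output it parses when run without arguments is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): verify that the OUD helm release finished
# and that the LDIF seed data was loaded without rejects or skips.

# Constructed sample of "kubectl -n oudns get pods" output, used when no arguments are given.
SAMPLE_GET_PODS='NAME              READY   STATUS    RESTARTS   AGE
edg-oud-ds-rs-0   1/1     Running   0          15m
edg-oud-ds-rs-1   1/1     Running   0          15m'

# Reads "kubectl get pods" output on stdin; returns 0 only when at least one pod is listed
# and every pod shows READY n/n and STATUS Running (the guide's completion criteria).
oud_pods_all_ready() {
  awk 'NR == 1 || NF == 0 { next }            # skip the header and blank lines
       { split($2, ready, "/")
         if (ready[1] != ready[2] || $3 != "Running") bad++
         seen++ }
       END { exit (seen > 0 && bad == 0) ? 0 : 1 }'
}

# Returns 0 when every given LDIF reject/skip file is absent or empty; a non-empty file
# means some entries from base.ldif or 99-user.ldif were not loaded.
ldif_import_clean() {
  for f in "$@"; do
    if [ -s "$f" ]; then
      echo "entries were not loaded, review $f" >&2
      return 1
    fi
  done
  return 0
}

# Live check against the cluster. Usage: oud_install_check <OUDNS> <OUD_PREFIX>
# The reject and skip files sit on the shared config-input volume, so reading them
# from the first pod is sufficient.
oud_install_check() {
  ns=$1; prefix=$2
  kubectl -n "$ns" get pods -l app.kubernetes.io/name=oud-ds-rs | oud_pods_all_ready || {
    echo "OUD pods are not all READY 1/1 and Running yet" >&2; return 1; }
  tmp=${TMPDIR:-/tmp}/oud_import_check.$$
  mkdir -p "$tmp"
  for f in rejects.ldif skip.ldif; do
    # a missing file yields an empty local copy, which counts as clean
    kubectl -n "$ns" exec "${prefix}-oud-ds-rs-0" -- cat "/u01/oracle/config-input/$f" \
      > "$tmp/$f" 2>/dev/null || :
  done
  ldif_import_clean "$tmp/rejects.ldif" "$tmp/skip.ldif"
  rc=$?
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OUD install complete and all seed data loaded"
  return "$rc"
}

if [ $# -eq 2 ]; then
  oud_install_check "$1" "$2"
else
  # No cluster given: demonstrate the readiness logic on the constructed sample.
  if printf '%s\n' "$SAMPLE_GET_PODS" | oud_pods_all_ready; then
    echo "sample: all OUD pods ready"
  else
    echo "sample: OUD pods not ready yet"
  fi
fi
```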

Creating External Access to OUD

By default, the OUD deployment gets created with all the components configured as ClusterIP services. This means that the Oracle Unified Directory components are visible only within the Kubernetes cluster.

If you are going to access the cluster only from within Kubernetes, then this is sufficient. However, if you want to interact with Oracle Unified Directory from outside of Kubernetes, you should create either an Ingress Controller service or individual NodePort services.

Creating the Kubernetes NodePort Services

To create the native Kubernetes NodePort Services, you have to perform the steps provided in this section. If you want to expose the OUD services using an Ingress controller, see Installing and Configuring Ingress Controller.

Creating an LDAP NodePort Service
To create an LDAP NodePort Service:
  1. Create a text file called /workdir/OUD/oud_nodeport.yaml with the following content:
    kind: Service
    apiVersion: v1
    metadata:
      name: <OUD_PREFIX>-oud-ds-rs-lbr-ldap-nodeport
      namespace: <OUDNS>
    spec:
      type: NodePort
      selector:
        app.kubernetes.io/instance: <OUD_PREFIX>
        app.kubernetes.io/name: oud-ds-rs
      ports:
        - name: ldap
          targetPort: 1389
          port: 1389
          nodePort: <OUD_LDAP_K8>
          protocol: TCP
        - name: ldaps
          targetPort: 1636
          port: 1636
          nodePort: <OUD_LDAPS_K8>
          protocol: TCP
    For example, for the release installed with the prefix edg (the instance label must match the helm release name):
    kind: Service
    apiVersion: v1
    metadata:
      name: edg-oud-ds-rs-lbr-ldap-nodeport
      namespace: oudns
    spec:
      type: NodePort
      selector:
        app.kubernetes.io/instance: edg
        app.kubernetes.io/name: oud-ds-rs
      ports:
        - name: ldap
          targetPort: 1389
          port: 1389
          nodePort: 31389
          protocol: TCP
        - name: ldaps
          targetPort: 1636
          port: 1636
          nodePort: 31636
          protocol: TCP
  2. Create the service using the following command:
    kubectl create -f /workdir/OUD/oud_nodeport.yaml
    The output appears as follows:
    service/edg-oud-ds-rs-lbr-ldap-nodeport created

Centralized Monitoring Using Grafana and Prometheus

There is no specific metric collection for OUD. However, you can monitor the OUD pods using the standard Kubernetes Dashboard in Kibana.

Centralized Log File Monitoring Using Elasticsearch and Kibana

If you are using Elasticsearch and Kibana, you can configure a Logstash pod to send the log files to the centralized Elasticsearch/Kibana console. Before you configure the Logstash pod, ensure that you have the following:
  • Access to a centralized Elasticsearch deployment.
  • The OUD persistent volume, so that it can be mounted by the Logstash pod to search for log files.
  • The location of the log files in the persistent volume.
  • The location of the centralized Elasticsearch.

To configure the Logstash pod, perform the following steps. The assumption is that you have an Elasticsearch running inside the Kubernetes cluster, in a namespace called elkns.

Creating a Secret for Elasticsearch

Logstash requires credentials to connect to the Elasticsearch deployment. These credentials are stored in Kubernetes as a secret.

If your Elasticsearch uses an API key for authentication, then use the following command:
kubectl create secret generic elasticsearch-pw-elastic -n <OUDNS> --from-literal password=<ELK_APIKEY>
For example:
kubectl create secret generic elasticsearch-pw-elastic -n oudns --from-literal password=afshfashfkahf5f
If Elasticsearch uses a user name and password for authentication, then use the following command:
kubectl create secret generic elasticsearch-pw-elastic -n <OUDNS> --from-literal password=<ELK_PWD>
For example:
kubectl create secret generic elasticsearch-pw-elastic -n oudns --from-literal password=mypassword
You can find the Elasticsearch password using the following command:
kubectl get secret elasticsearch-es-elastic-user -n <ELKNS> -o go-template='{{.data.elastic | base64decode}}'

Creating a Configuration Map for ELK Certificate

If you have configured a production-ready Elasticsearch deployment, you would have configured SSL. Logstash needs to trust the Elasticsearch certificate to be able to communicate with it. To enable this trust, you should create a configuration map with the contents of the Elasticsearch certificate.

You would have already saved the Elasticsearch self-signed certificate. See Copying the Elasticsearch Certificate. If you have a production certificate, you can use that instead.

To create the configuration map from the certificate, run the following command:

kubectl create configmap elk-cert --from-file=<WORKDIR>/ELK/elk.crt -n <OUDNS>
For example:
kubectl create configmap elk-cert --from-file=/workdir/ELK/elk.crt -n oudns

Configuring Log File Monitoring for OUD

Complete the following steps to configure log file monitoring:

Creating a Configuration Map for Logstash

Logstash looks for log files in the OUD installations and sends them to the centralized Elasticsearch. The configuration map is used to instruct Logstash where the log files reside and where to send them.

  1. Create a file called <WORKDIR>/OUD/logstash_cm.yaml with the following contents:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: oud-logstash-configmap
      namespace: <OUDNS>
    data:
      logstash.yaml: |
        #http.host: "0.0.0.0"
      logstash-config.conf: |
        input {
          # The instance directory carries the <OUD_PREFIX> (for example edg-oud-ds-rs-0),
          # so the glob must allow for it.
          file {
            path => "/u01/oracle/user_projects/*oud-ds-rs-*/logs/*.log"
            type => "setup-logs"
            start_position => beginning
            sincedb_path => "/dev/null"
          }
          file {
            path => "/u01/oracle/user_projects/*oud-ds-rs-*/OUD/logs/*.log"
            type => "access-logs"
            start_position => beginning
            sincedb_path => "/dev/null"
          }
        }
        filter {
          if [type] == "setup-logs" {
            grok {
              match => [ "message", "<%{DATA:log_timestamp}> <%{WORD:log_level}> <%{WORD:thread}> <%{HOSTNAME:hostname}> <%{HOSTNAME:servername}> <%{DATA:timer}> <<%{DATA:kernel}>> <> <%{DATA:uuid}> <%{NUMBER:timestamp}> <%{DATA:misc}> <%{DATA:log_number}> <%{DATA:log_message}>" ]
            }
          }
          if [type] == "access-logs" {
            grok {
              match => [ "message", "\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:component}\] \[%{LOGLEVEL:loglevel}\] \[%{DATA:misc}\] \[%{DATA:logtype}\] \[%{DATA:host}\] \[%{DATA:nwaddr}\] %{GREEDYDATA:message}" ]
            }
          }
          if "_grokparsefailure" in [tags] {
            mutate {
              remove_tag => [ "_grokparsefailure" ]
            }
          }
        }
        output {
          elasticsearch {
            hosts => ["<ELK_HOST>"]
            cacert => '/usr/share/logstash/config/certs/elk.crt'
            user => "<ELK_USER>"
            # The deployment also exposes the secret as ELASTICSEARCH_PASSWORD; Logstash
            # substitutes "${ELASTICSEARCH_PASSWORD}" here, which avoids a literal password.
            password => "<ELK_USER_PWD>"
            index => "oudlogs-000001"
            ssl => true
            # cacert is only enforced when verification is on. With false, Logstash accepts
            # any certificate; set it to true once the certificate in elk-cert matches <ELK_HOST>.
            ssl_certificate_verification => false
          }
        }
  2. Save the file.
  3. Create the configuration map using the following command:
    kubectl create -f <WORKDIR>/OUD/logstash_cm.yaml
    For example:
    kubectl create -f /workdir/OUD/logstash_cm.yaml
  4. Validate that the configuration map has been created by using the following command:
    kubectl get cm -n <OUDNS>

    You should see oud-logstash-configmap in the list of configuration maps.

Creating a Logstash Deployment
After you create the configuration map, you can create the Logstash deployment. This deployment resides in the OUD namespace.
  1. Create a file called <WORKDIR>/OUD/logstash.yaml with the following contents:
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: oud-logstash
      namespace: <OUDNS>
    spec:
      selector:
        matchLabels:
          k8s-app: logstash
      template: # create pods using pod definition in this template
        metadata:
          labels:
            k8s-app: logstash
        spec:
          imagePullSecrets:
          - name: dockercred
          containers:
          - command:
            - logstash
            image: logstash:<ELK_VER>
            imagePullPolicy: IfNotPresent
            name: oud-logstash
            env:
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: elasticsearch-pw-elastic
                  key: password
            ports:
            - containerPort: 5044
              name: logstash
            volumeMounts:
            - mountPath: /u01/oracle/user_projects
              name: oud-storage-volume
            - name: shared-logs
              mountPath: /shared-logs
            - mountPath: /usr/share/logstash/pipeline/
              name: oud-logstash-pipeline
            - mountPath: /usr/share/logstash/config/certs
              name: elk-cert
          volumes:
          - configMap:
              defaultMode: 420
              items:
              - key: logstash-config.conf
                path: logstash-config.conf
              name: oud-logstash-configmap
            name: oud-logstash-pipeline
          - configMap:
              defaultMode: 420
              items:
              # elk-cert was created with --from-file=<WORKDIR>/ELK/elk.crt, so its key is elk.crt
              - key: elk.crt
                path: elk.crt
              name: elk-cert
          - name: oud-storage-volume
            persistentVolumeClaim:
              claimName: <OUD_POD_PREFIX>-oud-ds-rs-pvc
          - name: shared-logs
            emptyDir: {}

    Note:

    If you are using your own registry, include the registry name in the image tag. If you have created a regcred secret for your registry, replace the imagePullSecrets name with the secret name you created. For example: regcred.
  2. Save the file.
  3. Create the Logstash deployment by using the following command:
    kubectl create -f <WORKDIR>/OUD/logstash.yaml
    For example:
    kubectl create -f /workdir/OUD/logstash.yaml
  4. Verify that the oud-logstash pod is running by using the following command:
    kubectl get pod -n oudns

    Your logs will now be available in the Kibana console.