23 Configuring Integration Using the Proxy
dsconfig
or Oracle Unified Directory Services Manager (OUDSM).Note:
If you configure a load balancing or distribution topology while setting up a proxy instance, then many of these elements are automatically configured.
Note:
In some cases, you can choose to configure integration using dsconfig
or Oracle Unified Directory Services Manager (OUDSM).
-
For information about using the
dsconfig
command, see Managing the Server Configuration Using dsconfig. -
For information about using OUDSM, see Accessing Oracle Unified Directory Using OUDSM.
23.1 Retrieving All Attribute Values from an Active Directory Server
Oracle Unified Directory supports Microsoft Active Directory paging, which enables you to retrieve a complete range of attribute values from the Microsoft Active Directory server.
This section describes how to configure Microsoft Active Directory paging as a workflow element that is relevant only if the leaf of the workflow element chain is connected to an Active Directory server. It also describes how to configure an optional list of attributes to reduce the processing of scanning attributes to detect the range option.
Note:
To use the virtual directory capabilities described here, you must have a valid Oracle Directory Service Plus
license.
The topics in this section include:
Note:
For more information about Microsoft Active Directory paging, see Understanding How to Retrieve All Attribute Values from an Active Directory Server.
23.1.1 Configuring Active Directory Paging Workflow Elements
Use the following example as a basis for configuring an Active Directory paging workflow element.
This example creates an Active Directory paging workflow element named ad-paging-we1
that points to the LDAP proxy workflow, proxy-we1
.
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \ create-workflow-element --element-name ad-paging-we1 --type ad-paging \ --set next-workflow-element:proxy-we1 --set enabled:true
23.1.2 Scanning Specific Attributes Returned by an Active Directory
To improve efficiency, you can configure the Active Directory paging workflow element to scan only specific attributes by setting the multi-valued handled-attributes
property of the workflow element. You can add as many values for this property as required.
By default all attributes are scanned. This can have a direct impact on performance. To reduce the performance impact, list only the attributes that need to be scanned as values of the handled-attributes
property.
The following example modifies the workflow element created in the previous example to scan only for the memberOf
attribute:
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \ set-workflow-element-prop --element-name ad-paging-we1 \ --set handled-attributes:memberOf
23.2 About Integrating with Enterprise User Security Databases
You can integrate Oracle Unified Directory and Enterprise User Security to leverage user identities stored in an LDAP-compliant directory service without any additional synchronization.
When integrated with Enterprise User Security, Oracle Unified Directory supports the following:
-
Microsoft Active Directory
-
Novell eDirectory
-
Oracle Unified Directory
-
Oracle Directory Server Enterprise Edition
For more information about Oracle Enterprise User Security, see Introducing Enterprise User Security in the Oracle Database Enterprise User Security Administrator's Guide. For detailed instructions on configuring Oracle Unified Directory and Enterprise User Security to work together, see Integrating Oracle Unified Directory with Oracle Enterprise User Security.
23.3 Updating User Passwords Stored in Active Directory
The Ad Password workflow element enables Oracle Unified Directory LDAP client applications to update user passwords stored in Microsoft Active Directory and Active Directory Lightweight Directory Services (AD LDS) using the LDAP protocol.
For an overview of the Ad Password workflow element, see Overview of Enabling LDAP Clients to Update User Passwords Stored in Active Directory.
The following topics describe how to configure an Ad Password workflow element and its required components:
Note:
The examples in this section uses the dsconfig
command-line utility to create and configure the Ad Password workflow element and its required components. The descriptions of these examples mention key options and properties you must set.
For the description of all dsconfig
subcommands and options, see Oracle Unified Directory Command-Line Interface Reference.
23.3.1 Setting Up an Oracle Unified Directory Proxy Server
The Ad Password workflow element requires an Oracle Unified Directory proxy server as the interface between LDAP clients and the Active Directory or AD LDS server.
The example in this section applies to both use cases described in Creating and Configuring an Ad Password Workflow Element.
To setup a proxy server instance using command-line tools on a UNIX or Linux system:
On Windows systems, run the oud-proxy-setup.bat
script.
For more information, see Setting up Oracle Unified Directory as a Proxy Server in Installing Oracle Unified Directory.
23.3.2 Creating and Configuring an Ad Password Workflow Element
You can create and configure Ad password workflow element when SSL is Required for Only Password Modifications and for all LDAP operations.
The following topics explain how to create and configure Ad password workflow element:
23.3.2.1 Creating and Configuring an Ad Password Workflow Element
When you create and configure an Ad Password workflow element and its supporting components, you have two choices.
The two choices are:
-
SSL is Required for Only Password Modifications
For this use case, you must define the Ad Password workflow element with both the
secure-proxy-workflow-element
andnext-workflow-element
properties. Thesecure-proxy-workflow-element
must use an LDAP server extension configured withremote-ldap-server-ssl-policy
set toalways
.In this use case, operations to modify a password will be routed to the
secure-proxy-workflow-element
and will take place over SSL. Operations not related to password modifications will be routed to thenext-workflow-element
and will take place over a non-SSL connection.See Configuring an Ad Password Workflow Element When SSL is Required for Only Password Modifications.
-
SSL is Required for All LDAP Operations
For this use case, your proxy LDAP workflow element must point to an LDAP server extension that always uses SSL (
remote-ldap-server-ssl-policy
set toalways
). You can define the Ad Password workflow element with only anext-workflow-element
property. All operations will then be routed to thenext-workflow-element
and will take place over SSL.See Configuring an Ad Password Workflow Element When SSL is Required for All LDAP Operations.
23.3.2.2 Configuring an Ad Password Workflow Element When SSL is Required for Only Password Modifications
The following tasks create and configure an Ad Password workflow element and its required components when an SSL connection to the Active Directory or AD LDS server is required only for LDAP operations that perform password modifications. Other LDAP operations are performed over a non-SSL connection.
These tasks include:
23.3.2.2.1 Creating the LDAP Server Extensions
This use case requires two LDAP server extensions to communicate with the remote Active Directory or AD LDS server:
-
An LDAP server extension for LDAP operations that do not require an SSL connection.
To create an LDAP server extension that does not require an SSL connection from the LDAP clients to the Active Directory or AD LDS server:
$ dsconfig create-extension \ --set enabled:true \ --set remote-ldap-server-address:adserver.example.com \ --set remote-ldap-server-port:389 \ --set remote-ldap-server-ssl-port:636 \ --type ldap-server \ --extension-name adserver \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
remote-ldap-server-ssl-policy
is not set in this command, so the default value ofnever
specifies a non-SSL connection. -
extension-name
is set toadserver
for a non-SSL connection. -
enabled
must be set totrue
to enable the LDAP server extension for use in the server.
and
-
-
An LDAP server extension for LDAP operations that require an SSL connection.
To create an LDAP server extension that requires an SSL connection from the LDAP clients to the Active Directory or AD LDS server:
$ dsconfig create-extension \ --set enabled:true \ --set remote-ldap-server-address:adserver.example.com \ --set remote-ldap-server-ssl-policy:always \ --set remote-ldap-server-port:389 \ --set remote-ldap-server-ssl-port:636 \ --set ssl-trust-all:true \ --type ldap-server \ --extension-name adsecureserver \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
remote-ldap-server-ssl-policy
is set toalways
, so an SSL connection is always used to access the Active Directory or AD LDS server -
extension-name
is set toadsecureserver
to indicate an SSL connection. -
enabled
must be set totrue
to enable the LDAP server extension for use in the server.
-
23.3.2.2.2 Creating the Proxy LDAP Workflow Elements
This use case requires two proxy LDAP workflow elements to communicate with the remote Active Directory or AD LDS server:
-
A proxy LDAP workflow element for LDAP operations that do not require an SSL connection to the Active Directory or AD LDS server.
To create a proxy LDAP workflow element that does not require an SSL connection from the LDAP clients to the Active Directory or AD LDS server:
$ dsconfig create-workflow-element \ --set client-cred-mode:use-client-identity \ --set enabled:true \ --set ldap-server-extension:adserver \ --type proxy-ldap \ --element-name adproxy \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
client-cred-mode
is set to theuse-client-identity
bind mode, which specifies that the proxy will connect to the Active Directory or AD LDS server with the same credentials used by the client to connect to the proxy. -
element-name
specifies the name of the proxy LDAP workflow element asadproxy
. -
ldap-server-extension
specifies the name of the LDAP server extension asadserver
. -
enabled
must be set totrue
to enable the Ad Password workflow element for use in the server.
and
-
-
A secure proxy LDAP workflow element for LDAP operations that require an SSL connection to the Active Directory or AD LDS server.
To create a secure proxy LDAP workflow element that uses an SSL connection from the LDAP clients to the Active Directory or AD LDS server:
$ dsconfig create-workflow-element \ --set client-cred-mode:use-client-identity \ --set enabled:true \ --set ldap-server-extension:adsecureserver \ --type proxy-ldap \ --element-name adsecureproxy \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
client-cred-mode
is set to theuse-client-identity
bind mode, which specifies that the proxy will connect to the Active Directory or AD LDS server with the same credentials used by the client to connect to the proxy. -
element-name
specifies the name of the secure proxy LDAP workflow element asadsecureproxy
. -
ldap-server-extension
specifies the name of the LDAP server extension asadsecureserver
. -
enabled
must be set totrue
to enable the proxy LDAP workflow element for use in the server.
-
23.3.2.2.3 Creating an Ad Password Workflow Element
This use case requires an Ad Password workflow element that can handle LDAP operations that support both SSL and non-SSL connections to the Active Directory or AD LDS server.
To create this Ad Password workflow element:
$ dsconfig create-workflow-element \ --set enabled:true \ --set next-workflow-element:adproxy \ --set secure-proxy-workflow-element:adsecureproxy \ --type ad-password \ --element-name ADPasswordWFE \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
type
must bead-password
. -
element-name
specifies the workflow name asADPasswordWFE
. -
next-workflow-element
routes LDAP operations to the proxy LDAP workflow element namedadproxy
, which routes operations over a non-SSL connection. -
secure-proxy-workflow-element
routes LDAP operations to the proxy LDAP workflow element namedadsecureproxy
, which then routes operations over an SSL connection. -
enabled
must be set totrue
to enable the Ad Password workflow element for use in the server.
23.3.2.3 Configuring an Ad Password Workflow Element When SSL is Required for All LDAP Operations
The following configuration tasks create and configure the components for an Ad Password workflow element when all LDAP operations between the LDAP clients and Active Directory or AD LDS server must be performed over an SSL connection:
23.3.2.3.1 Creating an LDAP Server Extension
The Ad Password workflow element requires an LDAP server extension to communicate with the remote Active Directory or AD LDS server.
To create an LDAP server extension that always uses an SSL connection:
$ dsconfig create-extension \ --set enabled:true \ --set remote-ldap-server-address:adserver.example.com \ --set remote-ldap-server-port:389 \ --set remote-ldap-server-ssl-port:636 \ --set remote-ldap-server-ssl-policy:always \ --set ssl-trust-all:true \ --type ldap-server \ --extension-name adsecureserver \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
type
must beldap-server
. -
extension-name
defines the name of the new extension asadsecureserver
. -
remote-ldap-server-ssl-policy
property is set toalways
, so that all connections made from the proxy to the remote Active Directory or AD LDS server will use SSL, regardless of how clients connect to the proxy server. -
enabled
must be set totrue
to enable the LDAP server extension for use in the server.
23.3.2.3.2 Creating a Proxy LDAP Workflow Element
This use case requires a secure proxy LDAP workflow element to communicate with the remote Active Directory or AD LDS server over SSL.
To create a secure proxy LDAP workflow element:
$ dsconfig create-workflow-element \ --set client-cred-mode:use-client-identity \ --set enabled:true \ --set ldap-server-extension:adsecureserver \ --type proxy-ldap \ --element-name adsecureproxy \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
type
must beproxy-ldap
. -
element-name
specifies the name of the new proxy LDAP workflow element asadsecureproxy
. -
ldap-server-extension
is set toadsecureserver
, which is the name of the LDAP server extension with theremote-ldap-server-ssl-policy
property set toalways
. -
client-cred-mode
is set touse-client-identity
, which specifies that the proxy will connect to the Active Directory or AD LDS server with the same credentials used by the client to connect to the proxy. -
enabled
must be set totrue
to enable the proxy LDAP workflow element for use in the server.
23.3.2.3.3 Creating an Ad Password Workflow Element
This use case requires an Ad Password workflow element that can handle LDAP operations that always require an SSL connection to the Active Directory or AD LDS server.
This Ad Password workflow element requires only the next-workflow-element
property. All operations will take place over an SSL connection.
To create this Ad Password workflow element:
$ dsconfig create-workflow-element \ --set enabled:true \ --set next-workflow-element:adsecureproxy \ --type ad-password \ --element-name ADPasswordWFE \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
next-workflow-element
property is set to the secure proxy LDAP workflow element namedadsecureproxy
. -
type
must bead-password
. -
element-name
is set toADPasswordWFE
. -
enabled
must be set totrue
to enable the Ad Password workflow element for use in the server.
23.3.3 Creating a Workflow for the Ad Password Workflow Element
The Ad Password workflow element must be associated with a workflow.
The following example applies to both use cases described in Creating and Configuring an Ad Password Workflow Element.
To create a workflow for the Ad Password workflow element:
$ dsconfig create-workflow \ --set base-dn:dc=example,dc=com \ --set enabled:true \ --set workflow-element:ADPasswordWFE \ --type generic \ --workflow-name adworkflow \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
In this example:
-
workflow-element
is set to the Ad Password workflow element namedADPasswordWFE
. -
workflow-name
is set toadworkflow
. -
enabled
must be set totrue
to enable the Ad Password workflow element for use in the server.
23.3.4 Adding the Workflow to a Network Group
Network groups are the single entry point of client requests to Oracle Unified Directory. A workflow must be registered with at least one network group, although it can be attached to several network groups.
You must add the workflow from the previous task to either an existing network group or a new network group.
The following example applies to both use cases described in Creating and Configuring an Ad Password Workflow Element. It adds the adworkflow
workflow to the default network group (network-group
).
$ dsconfig set-network-group-prop \ --group-name network-group \ --add workflow:adworkflow \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN cn=directory\ manager \ --bindPasswordFile pwd.txt \ --no-prompt
23.4 Overview of Configuring Pass-Through Authentication
You can implement pass-through authentication by using dsconfig
command and OUDSM.
The following topics describe how to implement pass-through authentication:
23.4.1 Configuring Pass-Through Authentication
To configure Pass-Through Authentication, you need to know prerequisites and best practices information.
Note:
To use the virtual directory capabilities described here, you must have a valid Oracle Directory Service Plus
license.
Note:
For more information about pass-through authentication, see Understanding Pass-Through Authentication.
To implement pass-through authentication:
23.4.2 Prerequisites for Configuring Pass-Through Authentication
Ensure these prerequisites before you start configuring Pass-Through Authentication.
Before attempting to implement pass-through authentication, read Understanding Pass-Through Authentication. In addition, you must keep the following steps in mind while configuring pass-through authentication:
23.4.3 Best Practices for Configuring Pass-Through Authentication
Oracle Unified Directory recommends the following best practices to configure pass-through authentication:
-
If you are using different suffixes for user-provider workflow element and authentication-provider workflow element, then it is recommended to define virtual ACIs to protect your data. Your virtual ACIs are defined using
pta-suffix
. -
If the authentication provider is a Kerberos workflow element, then you should not specify any join rule or authentication suffix.
-
If the authentication provider is a Proxy workflow element, then you are required to configure a
remote-root-dn
. -
If the user provider is a Proxy workflow element, then you are required to configure a
remote-root-dn
. You must configure the proxy server carefully, because it performs silent bind.
23.4.4 Configuring Pass-Through Authentication Using dsconfig
You can configure pass-through authentication using the dsconfig
command for different servers and a Kerberos server.
The following examples configure pass-through authentication with a remote LDAP server that stores the credentials with a base DN dc=auth,dc=com.
The Oracle Unified Directory instance stores the user entries locally below the dc=user,dc=com
suffix.
Here the remote LDAP server acts an Authentication Server, whereas Oracle Unified Directory acts as the User Server.
All the commands in the following procedures specify the proxy hostname (-h
), the proxy admin port (-p
), the bind DN (-D
), and the bind password file (-j
). The examples use the -X
option to trust all certificates.
This section contains the following topics:
23.4.4.1 Configuring Pass-Through Authentication for Different Servers
You can configure Pass-Through Authentication for different servers, as described in the below sections:
To configure pass-through authentication for a remote LDAP server:
23.4.5 Understanding Pass-Through Authentication Configuration Using OUDSM
You need to create a work flow element to configure a pass-through authentication.
For information about configuring a pass-through authentication workflow element using OUDSM, see Creating a Workflow Element.
23.5 About Oracle Unified Directory Plug-Ins Configuration
You can use the Oracle Unified Directory plug-in API to extend existing directory server functionality when you have a particular requirement and Oracle Unified Directory does not provide the necessary functionality to accommodate that requirement.
For example, you might configure a plug-in to customize LDAP operations or programmatically manipulate results.
Note:
-
For detailed information about developing and deploying Oracle Unified Directory plug-ins, see Building and Deploying an OUD Plug-In in
Oracle Fusion Middleware Developing Plug-Ins for Oracle Unified Directory.. -
For more information about Oracle Unified Directory plug-ins, see Understanding Oracle Unified Directory Plug-Ins.
23.6 Configuring a Proxy Instance to Monitor Back-End Servers
The proxy server periodically performs health check to determine the status and in turn the availability of the host. You can configure the time interval between checks using the monitoring-check-interval
property of ldap-server-extension
instance.
The monitoring-check-interval
property of proxy configuration against all back-end servers, defines the time internal (in milliseconds) between health checks scheduled by the proxy server.
You can set the monitoring-check-interval
property using the dsconfig
command as follows:
dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file --no-prompt\
set-extension-prop \
--extension-name proxy1 \
--set monitoring-check-interval:50000 \
23.7 Configuring Global Indexes Using the Command Line
Global indexes map entries to a specific distribution partition to speed up search and modify operations in distributed topologies. A global index maps entries based on a unique attribute, such as a phone number. Lists of global indexes are contained in a global index catalog. A proxy instance can contain one or more global index catalogs.
Note:
To configure and manage global indexes and global index catalogs, you must enable specific controls on the remote servers, particularly the LDAP Pre-Read Control and the CSN Control. For more information, see LDAP Controls and Operations Reference.
This section contains the following topics:
23.7.1 Configuring Global Index Catalogs Using gicadm
Global index catalogs are stored in a Berkeley database under INSTANCE_DIR/OUD/catalogs
. To ensure high availability of a distributed topology, replication of global index catalogs is recommended.
.For more information, see Replicating Global Index Catalogs.
The gicadm
command is located in the server instance directory:
-
For UNIX:
INSTANCE_DIR/OUD/bin/gicadm
-
For Windows:
INSTANCE_DIR\OUD\bat\gicadm.bat
For more information, see gicadm.
The procedures in this section assume that the proxy is deployed in a distribution architecture and presume that you are using the default proxy administration port (4444). This section contains the following topics:
23.7.1.1 Creating a Global Index Catalog Containing Global Indexes
To create global indexes, you must first create global index catalogs, as described in the following procedure. This procedure describes how to create global index catalogs, create and add global indexes, and add data to the global indexes. You can add the data to your global indexes later, if you prefer.
Before you begin, the proxy must be deployed for distribution.
23.7.1.2 Viewing Global Index Catalog Properties
Global index catalog properties are related to global index catalog replication. To view a list of the global index catalog properties and an explanation of their use, see About Modifying the Global Index Catalog Properties.
To view all the properties of a global index catalog, use the gicadm
command with the get-catalog-prop
subcommand.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ get-catalog-prop --catalogName sampleCatalog --property all
The output will be similar to the following.
Property : Value(s) -------------------:------------------------------- replication-server : localhost:3390, localhost:4390 server-id : 4247 window-size : 100 heartbeat-interval : 1000 group-id : 1
To view the value for a specific global index catalog property, specify the property.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ get-catalog-prop --catalogName sampleCatalog --property heartbeat-interval
23.7.1.3 About Modifying the Global Index Catalog Properties
Global index properties are related to the replication of global index catalogs. The following global index catalog properties are available:
-
replication-server
: Lists the servers in the replication topology, in the format host:port. Do not use theset-catalog-prop
command to modify this property. Instead, use theenable-replication
command. -
server-id
: Specifies a unique identifier for the global index within the global index catalog replication domain. Each instance within the same global index catalog replication domain must have a different server ID. An instance which is a member of multiple global index catalog replication domains may use the same server ID for each of its global index catalog replication domain configurations.Syntax: 1 <= INTEGER <= 65535 or text. This property should not be modified.
-
window-size
: Specifies the window size that the instance will use when communicating with replication servers. Default value is 100.Syntax: 0 <= INTEGER or text.
-
heartbeat-interval
: Specifies the heartbeat interval that the instance will use when communicating with replication servers. The instance expects a regular heartbeat from the replication server within the specified interval. If a heartbeat is not received within this interval, the instance closes its connection and connects to another replication server.Syntax: 100 ms <= DURATION (ms)
-
group-id
: The id associated with a specific replicated domain. This value defines the group id of the replicated domain. The replication system will preferably connect and send updates to replicate to a replication server with the same group id as itself.Syntax: 1 <= INTEGER <= 127
Note:
This property should not be modified.
23.7.1.4 Modifying the Global Index Catalog Properties
You can modify the global index catalog properties using gicadm
command.
For a list of the global index catalog properties, see About Modifying the Global Index Catalog Properties.
Use the gicadm
command with the set-catalog-prop
subcommand.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \
set-catalog-prop --catalogName sampleCatalog --set property:value
For example, one of the properties that can be modified is the heartbeat interval. In this case, use:
--set heartbeat-interval:500
23.7.1.5 Modifying Multi-Valued Global Index Catalog Properties
For multi-valued global index or global index catalog properties, you can add or remove a value using the --add
or --remove
options.
For global index catalog, only the property replication-server
can be multi-valued. For multi-valued global index properties, use the set-index-prop
subcommand instead
23.7.1.6 Resetting Global Index Catalog Properties to the Default Values
If you have modified any of the global index catalog properties and want to reset them to the default values, use the following procedure.
Use the gicadm
command with the set-catalog-prop
subcommand.
For example, to reset the heartbeat interval:
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \
set-catalog-prop --catalogName sampleCatalog --reset heartbeat-interval
23.7.1.7 Viewing Global Index Properties
To view the properties of a global index, use the gicadm
command with the get-index-prop
subcommand.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ get-index-prop --catalogName sampleCatalog --attributeName telephoneNumber \ --property all
The properties should be similar to the following:
Property Names : Property Values ---------------------------------------------:--------------------------------- global-index-deleted-entry-retention-timeout : 500 db-cleaner-min-utilization : 50 db-log-file-max : 10000000 db-checkpointer-bytes-interval : 20000000 db-checkpointer-wakeup-interval : 30 db-num-lock-tables : - db-num-cleaner-threads : - db-txn-no-sync : false db-txn-write-no-sync : true je-property : - db-directory : catalogs db-directory-permissions : 700 global-index-catalogs-shared-cache : global-index-catalogs-shared-cac global-index-attribute : telephoneNumber
Note:
Generally, these values should not be modified.
23.7.1.8 Importing Content into a Global Index Catalog
You can import the contents of a specific file into one or multiple global indexes in a global index catalog. You must specify the name of the catalog into which the content of the file is to be imported. You can filter the content of the file to data related to a particular index by optionally providing the attributeName
parameter.
The data file to be imported can be created by executing the split-ldif
command or from executing the gicadm export
command, for example.
To import the contents of a file into a global index catalog, use the gicadm
command with the import
subcommand. For example:
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ import --file /usr/local/import-file --catalogName sampleCatalog
If the proxy server stops while a gicadm import
task is being executed, the global index catalog workflow element is disabled. In this case, re-enable the global index catalog workflow element by using dsconfig
, as follows, where sampleCatalog is the name of the global index catalog:
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \ set-workflow-element-prop --element-name sampleCatalog set enabled:true
23.7.1.9 Exporting Contents of a Global Index Catalog to a Directory
To export the contents of a global index catalog to a directory, use the gicadm
command with the export
subcommand.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \
export --exportDirectory directory-path --catalogName sampleCatalog
23.7.1.10 Associating a Global Index Catalog With a Distribution Element
To associate a global index catalog with a distribution element, use the gicadm
command with the associate
subcommand.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \
associate --catalogName sampleCatalog --distributionWorkflowElement element-name
When the global index catalog is associated with a distribution workflow element, the global index catalog will be listed in the properties of the distribution. To confirm which global index catalog is associated to a distribution, use the dsconfig get-workflow-element-prop
command. For information on workflow elements, see Configuring Workflow Elements Using dsconfig.
23.7.1.11 Disassociating a Global Index Catalog From a Distribution Element
To disassociate a global index catalog from a distribution topology, you must know the distribution workflow element with which the global index catalog is associated. To confirm the name of the distribution workflow element that is using the global index catalog, view the properties of the distribution topology by using the dsconfig get-workflow-element-prop
command.
To disassociate a global index catalog from a distribution workflow element, use the gicadm
command with the disassociate
subcommand.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \
disassociate --distributionWorkflowElement element-Name
23.7.1.12 Adding a Global Index to a Global Index Catalog
To add a new global index to an existing global index catalog, for example to map a new attribute, use the following procedure. This procedure creates and adds the global index to the global index catalog. It is not possible to create a global index without adding it to a global index catalog.
Before you begin, you must already have configured a global index catalog.
Use the gicadm
command with the add-index
subcommand.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ add-index --catalogName sampleCatalog --attributeName telephoneNumber
23.7.1.13 Removing a Global Index From a Global Index Catalog
To remove a global index from a global index catalog, Use the gicadm
command with the remove-index
subcommand.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ remove-index --catalogName sampleCatalog --attributeName telephoneNumber
23.7.2 Replicating Global Index Catalogs
To ensure high availability, global index catalogs should be replicated.
You can use a standard hardware load balancer and configure global index catalogs replication in a deployment, as shown by the graphic in Configuration 7: Multiple Replicated Proxies.
This section contains the following topics:
23.7.2.1 Creating a Replicated Topology and Enable Global Index Catalog Replication
This section describes how to create a replicated topology with three proxy instances and enable global index catalog replication.
This section describes how to create a replicated topology with three proxy instances and enable global index catalog replication, as illustrated in Figure 23-1.
Figure 23-1 Replicated Global Index Catalogs
Description of "Figure 23-1 Replicated Global Index Catalogs"
To create a replicated topology and enable global index catalog replication:
23.7.2.2 Enabling Global Index Catalog Replication
This command configures replication but does not initialize replication. The command is executed on the local host, declared by the -h
option, using the administration port of the local host. The remote host is declared by the --remoteHost
option, and must be a fully qualified host name or IP address. The command creates a global index catalog replication administrator with a bind ID of adminUID.
If you created global index catalogs during installation, the global index administrator is already created, with the same password as the directory manager. For more information on installing a distribution deployment with global index, see "To Configure Simple Distribution" section in Installing Oracle Unified Directory.
To enable replication of global index catalogs, use the gicadm enable-replication
command.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ enable-replication --catalogName sampleCatalog --adminUID adminUID --localReplicationPort 8989 --remoteReplicationPort 8989 \ --remoteAdminPort 4444 --remoteHost host
This command updates the proxy configuration to replicate the content of the global index catalog called sampleCatalog on the local host. If one of the proxy instances in the topology already replicates the global index catalog, this command updates the configuration of all other proxy instances in the topology. It is therefore sufficient to execute the gicadm enable-replication
once for the first two proxy instances in the topology, and once for each new proxy instance that is added to extend the topology.
The proxy instance on which you execute the command must be the instance whose replication port is declared by the --localReplicationPort
option. It is this local instance whose global index catalog is replicated across the topology later by the gicadm initialize-replication
command. The --remoteReplicationPort
option will replicate the content of the global index catalog called sampleCatalog from the local instance on to the remote instance. The --remoteAdminPort
is the administration port of the remote proxy instance.
You can declare the password for the local proxy instance in a file, by using the --adminPasswordFile
suboption.
You can optionally declare a DN for binding to the remote server by using the --remoteBindDN
suboption and the password for the remote proxy instance in a file, by using the --remoteBindPasswordFile
suboption. If you do not declare these, the global administrator that is declared by --adminUID
will be used to bind.
You can also optionally require the communication through the replication port of the local server to be secure, using the --localSecureReplication
suboption, and the communication through the replication port of the remote server to be secure, using the --remoteSecureReplication
suboption.
23.7.2.3 Initializing Global Index Catalog Replication
This command initializes the content of the global index catalog called sampleCatalog from the proxy instance on the server declared by the -h
option to all instances that are part of the topology. The port specified is the administration port, and not the replication port.
23.7.2.4 Disabling Global Index Catalog Replication
To disable replication of global index catalogs, use the gicadm disable-replication
command.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ disable-replication --catalogName sampleCatalog --adminUID adminUID
The gicadm disable-replication
command must be executed for each proxy instance in the topology on which you want to disable replication.
23.7.2.5 Viewing the Status of a Replicated Global Index Catalog Configuration
To view basic configuration information about a replicated global index catalog, use the gicadm status-replication
command.
$ gicadm -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X \ status-replication --catalogName sampleCatalog --adminUID adminUID
If you do not declare a catalog name, status information for all replicated global index catalogs is displayed.
23.7.2.6 Logging of Replication Activities
Replication logs are stored in the replication repair logs. Changes are recorded in the change logs.
For information on accessing these logs, see Accessing Logs.
When replicating global index catalogs, provision disk space for change logs. By default, these logs store changes for a 24 hour period. Approximately 100Mb is required for 300,000 write operations. With the default value of 24 hours, the log must be configured based on the expected size of the service during that period. A hint is to provision approximately 150Gb for 5 000 modifications per second over 24 hours. For information how to configure logs, see Configuring Logs.
23.7.2.7 Lifecycle Examples for Replicated Global Index Catalogs
This section describes several typical lifecycle examples in which events take place in a replication topology.
The basic replication topology used in all of these examples is the one created in Creating a Replicated Topology and Enable Global Index Catalog Replication.
The following topics explain, with examples, how to restart a global index catalogs, add a global index to the global index catalog topology, overwrite the contents of global index catalogs and add a proxy to the replicated topology:
23.7.2.7.1 Restarting a Global Index Catalog
This section describes the procedure to restart a global index catalog.
The example illustrated by Figure 23-2, shows three proxy instances running with a replicated global index catalog. If proxy instance 3 goes down or is stopped, for whatever reason, follow these steps to ensure that the three instances of the proxy are replicated.
- Issue the
start-ds
command on proxy instance 3. - You can verify if replication is complete by executing the
gicadm status-replication
command, as described in Viewing the Status of a Replicated Global Index Catalog Configuration.
Figure 23-2 Restarting a Global Index Catalog
Description of "Figure 23-2 Restarting a Global Index Catalog"
23.7.2.7.2 Adding a Global Index to a Replicated Global Index Catalog Topology
This section describes the procedure to add a global index to a replicated global index catalog topology.
The example illustrated by Figure 23-3, shows three proxy instances running with a replicated global index catalog. If you want to add an attribute, for example, mail
, to the replicated global index catalog, follow these steps.
- First, run the command
gicadm add-index mail
on each of the three proxy instances. - Export the directory data under the distribution route from one of the remote LDAP servers to an LDIF file named file1 by using
export-ldif
. - Run
split-ldif
to generate GIC content in the specified directory. - On proxy instance 1, execute the command
gicadm import --importDirectory directory-name
. - On proxy instance 1, execute the
gicadm initialize-replication --all
command. This command pushes the changes from proxy 1 to all the other proxies in the topology, and adds the new global index.
Figure 23-3 Adding a Global Index to a Replicated Global Index Catalog Topology
Description of "Figure 23-3 Adding a Global Index to a Replicated Global Index Catalog Topology"
23.7.2.7.3 Overwriting the Contents of Replicated Global Index Catalogs
This section describes the procedure to overwrite the contents of replicated global index catalogs.
The example illustrated by Figure 23-4, shows three proxy instances running with a replicated global index catalog. To overwrite the content of the global index catalogs on proxy instances 2 and 3 with the content of the global index catalog on instance 1, follow these steps.
- On proxy instance 1, execute the
gicadm initialize-replication --all
command. This replaces the content of the global index catalog on proxy instance 2 and 3 with the content of the global index catalog on proxy instance 1.
Figure 23-4 Overwriting the Contents of Replicated Global Index Catalogs
Description of "Figure 23-4 Overwriting the Contents of Replicated Global Index Catalogs"
23.7.2.7.4 Adding a Proxy to a Replicated Topology
This section describes the procedure to add a proxy to a replicated topology.
The example illustrated by Figure 23-5, shows three proxy instances running with a replicated global index catalog. To add a fourth proxy instance with a replicated global index catalog, follow these steps on the new proxy instance.
Figure 23-5 Adding a Proxy to a Replicated Topology
Description of "Figure 23-5 Adding a Proxy to a Replicated Topology"
23.7.3 Configuring Controls Required by the Global Index Catalog with Oracle Unified Directory
If you are using the proxy server with an Oracle Unified Directory directory server as the LDAP data source, the connections between the proxy and directory servers must be bound using the directory server's administrator ID. Otherwise, some configuration is required on the directory server to allow the global index catalog to function correctly.
If the global ACIs for controls have not been modified, then use the ldapmodify
command to apply the following changes to the directory server:
dn: cn=Access Control Handler,cn=config changetype: modify add: ds-cfg-global-aci ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 | | 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 | | 2.16.840.1.113730.3.4.16 || 1.3.6.1.1.13.1 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";) ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName| |modifyTimestamp||entryDN||entryUUID||subschemaSubentry||aclRights||aclRightsInfo") (version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
If you are deleting the ACI from an Oracle Unified Directory 11g R1 directory instance, then you must delete the following ACI:
dn: cn=Access Control Handler,cn=config changetype: modify delete: ds-cfg-global-aci ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";) ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName|| modifyTimestamp||entryDN||entryUUID||subschemaSubentry") (version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
If you are deleting the ACI from an Oracle Unified Directory 11g R2 directory instance, then you must delete the following ACI:
dn: cn=Access Control Handler,cn=config changetype: modify delete: ds-cfg-global-aci ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
Note:
The preceding OIDs are correct for an unmodified configuration of Oracle Unified Directory. If you change the default OIDs, modify the command include the correct OIDs.
The following controls are required for global index catalogs:
-
The Pre-Read Control, with OID =
1.3.6.1.1.13.1
-
The CSN Control, with OID =
1.3.6.1.4.1.42.2.27.9.5.9
23.8 Configuring Virtual ACIs
Each workflow is associated to an access control group which defines the list of ACIs that apply to operations handled by this workflow.
By default, an access control group is created known as "Local Backends." This access control group contains all ACIs coming from user data. You cannot delete it. If virtual ACIs are disabled for a workflow, then you must specify Local Backends as the access control group for that workflow. For the workflow for which virtual ACIs are enabled, you can specify any access control group.
Note:
To use the virtual directory capabilities described here, you must have a valid Oracle Directory Service Plus
license.
The following topics describe how to configure virtual ACIs for a workflow using dsconfig
command and OUDSM:
23.8.1 Configuring Virtual ACIs Using dsconfig
You can enable and disable virtual ACIs for a workflow and configure a replication for virtual ACIs using dsconfig
.
The following topics describe how to enable and disable virtual ACIs for a workflow:
23.8.1.1 Enabling Virtual ACIs for a Workflow
To enable virtual ACIs for a specific workflow, run the following command:
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \ set-workflow-prop --workflow-name workflow1 --set virtual-aci-mode:true \ --set access-control-group:group1
In this example, group1
references an access control group. This access control group can be either Local Backends
, which is created by default or any other access control group that you have created. For more information about creating access control groups, see Configuring Access Control Groups With dsconfig.
23.8.1.2 Disabling Virtual ACIs for a Workflow
To disable virtual ACIs for a specific workflow, run the following command:
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \ set-workflow-prop --workflow-name workflow1 --set virtual-aci-mode:false \ --set access-control-group:"Local Backends"
Note:
You must bear the following points in mind when you disable virtual ACIs for a workflow:
-
If you disable virtual ACIs, you must specify "Local Backends" as the access control group for this workflow.
-
Disabling virtual ACIs for a specific workflow does not delete virtual ACIs from the associated access control group.