Before You Begin
This 15-minute tutorial shows you how to configure the RDN Changing Workflow Element (WFE) and execute LDAP search operations demonstrating the expected results with and without the workflow element.
This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.
Background
The RDN Changing Workflow Element provides the RDN changing functionality in Oracle Unified Directory (OUD). This workflow element is able to modify an entry DN by transforming its RDN. The transformation applies to all the entries with the specified object class.
For example, on read operations, the transformation substitutes an RDN containing the specified sourceRDN with an RDN containing the specified clientRDN. If replace-value is set to true, the RDN value is also substituted with the value of the toRDN attribute. For instance, uid=user.1234,ou=people,dc=example,dc=com can be replaced by cn=User1234Name,ou=people,dc=example,dc=com. On write operations, the transformation substitutes an RDN containing the clientRDN with an RDN containing the sourceRDN.
What Do You Need?
- An environment with at least 16 GB of physical memory, Oracle Enterprise Linux 6.6 or later, and oracle credentials
- A basic understanding of Linux
- This tutorial assumes that you have already installed Oracle Unified Directory 12c (12.2.1.4.0)
- An LDIF file, users_groups.ldif, containing the sample data that must be loaded into the OUD instance
- The pwd.txt file contains the Directory Manager's password needed during the OUD setup
- This tutorial assumes that you have already defined the following environment variables:
  OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
  OUD_INSTANCES=/u01/app/oracle/config/oud_instances
Set Up a Directory Server Instance
In this section, you'll use the oud-setup utility to set up an Oracle Unified Directory server instance.
- Launch a terminal window as oracle and navigate to the OUD_ORACLE_HOME directory:
  $ cd /u01/app/oracle/product/oud/oud
- Run the oud-setup command to set up a directory server instance oud1:
  $ ./oud-setup --cli --no-prompt --hostname oud.example.com \
    --ldapPort 1389 --adminConnectorPort 4444 \
    --instancePath /u01/app/oracle/config/oud_instances/oud1/OUD \
    --rootUserDN "cn=Directory Manager" --rootUserPasswordFile ~/pwd.txt \
    --baseDN dc=example,dc=com \
    --integration generic --serverTuning jvm-default \
    --offlineToolsTuning jvm-default --noPropertiesFile
  The output should look similar to this:
  Oracle Unified Directory 12.2.1.4.0
  Please wait while the setup program initializes...
  Creating instance directory /u01/app/oracle/config/oud_instances/oud1/OUD .....Done.
  See /u01/app/oracle/config/oud_instances/oud1/OUD/logs/oud-setup for a detailed log of this operation.
  Configuring Directory Server ..... Done.
  Preparing the server for Oracle integration ....... Done.
  Starting Directory Server ....... Done.
  Creating Net Services suffixes ..... Done.
  To see basic server configuration status and configuration you can launch /u01/app/oracle/config/oud_instances/oud1/OUD/bin/status
- Run the ldapmodify command to add the users and groups from users_groups.ldif:
  $ /u01/app/oracle/product/oud/oud/bin/ldapmodify -h oud.example.com \
    -p 1389 -D "cn=Directory Manager" -w <password> -c \
    -f ~/users_groups.ldif
  The output should look similar to this:
  adding new entry "ou=People,dc=example,dc=com"
  adding new entry "ou=Groups,dc=example,dc=com"
  adding new entry "uid=user.0,ou=People,dc=example,dc=com"
  adding new entry "uid=user.2,ou=People,dc=example,dc=com"
  adding new entry "cn=Sales,ou=Groups,dc=example,dc=com"
View Sample Data
- Navigate to the OUD instance directory:
  $ cd $OUD_INSTANCES/oud1/OUD/bin
- Run the following ldapsearch command to view the group data for Sales:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "" "cn=Sales"
  The output should look similar to this:
  dn: cn=Sales,ou=Groups,dc=example,dc=com
  cn: Sales
  description: Sales_Department
  objectClass: top
  objectClass: groupOfNames
  member: uid=user.0,ou=People,dc=example,dc=com
- Run the following ldapsearch command to view the isMemberOf data for Sales:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "dc=example,dc=com" \
    "isMemberOf=cn=Sales,ou=Groups,dc=example,dc=com"
  The output should look similar to this:
  dn: uid=user.0,ou=People,dc=example,dc=com
  mail: user.0@example.com
  sn: Smith
  cn: Aaron Smith
  manager: uid=user.2,ou=people,dc=example,dc=com
  objectClass: top
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: person
  description: This is the description for Aaron Smith.
  uid: user.0
- Run the following ldapsearch command to view the isMemberOf data for user.0:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "" \
    "uid=user.0" isMemberOf
  The output should look similar to this:
  dn: uid=user.0,ou=People,dc=example,dc=com
  isMemberOf: cn=Sales,ou=Groups,dc=example,dc=com
- Run the following ldapsearch command to view the data for member=uid=user.0:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "" \
    "member=uid=user.0,ou=People,dc=example,dc=com"
  The output should look similar to this:
  dn: cn=Sales,ou=Groups,dc=example,dc=com
  cn: Sales
  description: Sales_Department
  objectClass: top
  objectClass: groupOfNames
  member: uid=user.0,ou=People,dc=example,dc=com
- Run the following ldapsearch command to view the data for objectclass=groupOfNames:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "" \
    "objectclass=groupOfNames"
  The output should look similar to this:
  dn: cn=Sales,ou=Groups,dc=example,dc=com
  cn: Sales
  description: Sales_Department
  objectClass: top
  objectClass: groupOfNames
  member: uid=user.0,ou=People,dc=example,dc=com
You will reuse these searches later in this tutorial to demonstrate the effect of applying the RDN Changing WFE.
Create a RDN Changing Workflow Element
In this section you'll create an RDN Changing Workflow Element to change the source RDN uid to the client RDN mail. The transformation applies to all the entries with the objectclass person.
- Navigate to the oud1 instance directory:
  $ cd $OUD_INSTANCES/oud1/OUD/bin
- Use the dsconfig command to create an RDN Changing Workflow Element, myrdnchangingwfe:
  $ ./dsconfig create-workflow-element \
    --set client-rdn:mail \
    --set enabled:true \
    --set next-workflow-element:userRoot \
    --set source-rdn:uid \
    --set replace-value:true \
    --set objectclass:person \
    --type rdn-changing \
    --element-name myrdnchangingwfe \
    --hostname oud.example.com \
    --port "4444" \
    --trustAll \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt
  Note: In the command above, dn-attributes is not set, so its default value of member, manager, owner applies. These are the DN-valued attributes whose values are rewritten along with the entry DN.
- Use the dsconfig command to create a generic workflow, chgrdnw, for the workflow element myrdnchangingwfe:
  $ ./dsconfig create-workflow \
    --set enabled:true \
    --set base-dn:dc=example,dc=com \
    --set workflow-element:myrdnchangingwfe \
    --type generic \
    --workflow-name chgrdnw \
    --hostname oud.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll
- Use the dsconfig command to update the network group for the workflow chgrdnw:
  $ ./dsconfig set-network-group-prop \
    --group-name network-group \
    --set workflow:chgrdnw \
    --hostname oud.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --trustAll \
    --bindDN cn=Directory\ Manager \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt
Validate the RDN Changing Workflow Element Results
In this section you will rerun some of the ldapsearch commands from the View Sample Data section and validate that the RDN Changing Workflow Element is working:
- Navigate to the OUD instance directory:
  $ cd $OUD_INSTANCES/oud1/OUD/bin
- Run the following ldapsearch command to view the group data for Sales:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "" \
    "cn=Sales"
  The output should look similar to this:
  dn: cn=Sales,ou=Groups,dc=example,dc=com
  cn: Sales
  description: Sales_Department
  objectClass: top
  objectClass: groupOfNames
  member: mail=user.0@example.com,ou=People,dc=example,dc=com
  Notice that the member attribute holding uid=user.0,ou=People,dc=example,dc=com has had its RDN changed to mail=user.0@example.com,ou=People,dc=example,dc=com. The group entry's own DN is unchanged because its objectclass is groupOfNames, not person; only the DN-valued member attribute (one of the default dn-attributes) is rewritten.
- Run the following ldapsearch command to view the isMemberOf data for Sales:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "dc=example,dc=com" \
    "isMemberOf=cn=Sales,ou=Groups,dc=example,dc=com"
  The output should look similar to this:
  dn: mail=user.0@example.com,ou=People,dc=example,dc=com
  mail: user.0@example.com
  sn: Smith
  cn: Aaron Smith
  manager: mail=user.2@example.com,ou=people,dc=example,dc=com
  objectClass: top
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: person
  description: This is the description for Aaron Smith.
  uid: user.0
  Notice that the dn uid=user.0,ou=People,dc=example,dc=com of user.0 has had its RDN changed to mail=user.0@example.com,ou=People,dc=example,dc=com.
  Also notice that the manager attribute uid=user.2,ou=People,dc=example,dc=com has had its RDN changed to mail=user.2@example.com,ou=people,dc=example,dc=com.
Modify the RDN Changing Workflow Element
In this section, you'll modify the RDN Changing WFE, myrdnchangingwfe, to apply to the objectclass groupOfNames, set dn-attributes to isMemberOf, and change the source RDN cn to the client RDN description.
- Navigate to the oud1 instance directory:
  $ cd $OUD_INSTANCES/oud1/OUD/bin
- Modify myrdnchangingwfe as follows:
  $ ./dsconfig set-workflow-element-prop \
    --element-name myrdnchangingwfe \
    --set client-rdn:description \
    --set source-rdn:cn \
    --set objectclass:groupOfNames \
    --set dn-attributes:isMemberOf \
    --hostname oud.example.com \
    --port "4444" \
    --trustAll \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt
Validate the RDN Changing Workflow Element Results
In this section you will rerun some of the ldapsearch commands from the View Sample Data section and validate that the modified RDN Changing Workflow Element is working:
- Navigate to the OUD instance directory:
  $ cd $OUD_INSTANCES/oud1/OUD/bin
- Run the following ldapsearch command to view the isMemberOf data for user.0:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "" \
    "uid=user.0" isMemberOf
  The output should look similar to this:
  dn: uid=user.0,ou=People,dc=example,dc=com
  isMemberOf: description=Sales_Department,ou=Groups,dc=example,dc=com
  Notice that the isMemberOf attribute holding cn=Sales,ou=Groups,dc=example,dc=com has had its RDN changed to description=Sales_Department,ou=Groups,dc=example,dc=com. The dn of user.0 is no longer rewritten, because the workflow element now applies to objectclass groupOfNames rather than person.
- Run the following ldapsearch command to view the data for member=uid=user.0:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "" \
    "member=uid=user.0,ou=People,dc=example,dc=com"
  The output should look similar to this:
  dn: description=Sales_Department,ou=Groups,dc=example,dc=com
  cn: Sales
  description: Sales_Department
  objectClass: top
  objectClass: groupOfNames
  member: uid=user.0,ou=People,dc=example,dc=com
  Notice that the group dn cn=Sales,ou=Groups,dc=example,dc=com has had its RDN changed to description=Sales_Department,ou=Groups,dc=example,dc=com.
- Run the following ldapsearch command to view the data for objectclass=groupOfNames:
  $ ./ldapsearch -h oud.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "" \
    "objectclass=groupOfNames"
  The output should look similar to this:
  dn: description=Sales_Department,ou=Groups,dc=example,dc=com
  cn: Sales
  description: Sales_Department
  objectClass: top
  objectClass: groupOfNames
  member: uid=user.0,ou=People,dc=example,dc=com
  Notice that the group dn cn=Sales,ou=Groups,dc=example,dc=com has had its RDN changed to description=Sales_Department,ou=Groups,dc=example,dc=com.
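To make the read-side behaviour of the two configurations in this tutorial checkable offline, here is an added example (not Oracle's code and not part of the original tutorial) that models what the RDN Changing WFE does to an entry's own DN and to its DN-valued dn-attributes. The sample entries are constructed from the tutorial's ldapsearch output; the model assumes DNs without escaped commas and attribute names spelled exactly as in the dsconfig settings.

```python
from dataclasses import dataclass

@dataclass
class RdnChangingWfe:
    source_rdn: str             # --set source-rdn
    client_rdn: str             # --set client-rdn
    objectclass: str            # --set objectclass
    replace_value: bool = True  # --set replace-value
    dn_attributes: tuple = ("member", "manager", "owner")  # default dn-attributes

def split_dn(dn):
    """Split 'attr=value,parent' into its parts (no escaped commas assumed)."""
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return attr, value, parent

def client_dn(wfe, directory, dn):
    """DN a client sees for a backend DN; unchanged when the entry is out of scope."""
    entry = directory.get(dn.lower())
    attr, value, parent = split_dn(dn)
    if entry is None or attr.lower() != wfe.source_rdn.lower():
        return dn
    if wfe.objectclass.lower() not in (o.lower() for o in entry["objectClass"]):
        return dn
    new_value = entry[wfe.client_rdn][0] if wfe.replace_value else value
    return f"{wfe.client_rdn}={new_value},{parent}"

def read_entry(wfe, directory, dn):
    """Read-side transform: rewrite the entry's DN and every configured DN-valued attribute."""
    entry = dict(directory[dn.lower()])
    entry["dn"] = client_dn(wfe, directory, dn)
    for attr in wfe.dn_attributes:
        if attr in entry:
            entry[attr] = [client_dn(wfe, directory, v) for v in entry[attr]]
    return entry

# Constructed sample data matching the tutorial's ldapsearch output.
USER0 = {"dn": "uid=user.0,ou=People,dc=example,dc=com", "uid": ["user.0"],
         "mail": ["user.0@example.com"], "objectClass": ["top", "inetOrgPerson", "person"],
         "manager": ["uid=user.2,ou=people,dc=example,dc=com"],
         "isMemberOf": ["cn=Sales,ou=Groups,dc=example,dc=com"]}
USER2 = {"dn": "uid=user.2,ou=People,dc=example,dc=com", "uid": ["user.2"],
         "mail": ["user.2@example.com"], "objectClass": ["top", "person"]}
SALES = {"dn": "cn=Sales,ou=Groups,dc=example,dc=com", "cn": ["Sales"],
         "description": ["Sales_Department"], "objectClass": ["top", "groupOfNames"],
         "member": ["uid=user.0,ou=People,dc=example,dc=com"]}
DIRECTORY = {e["dn"].lower(): e for e in (USER0, USER2, SALES)}
STEP1 = RdnChangingWfe("uid", "mail", "person")                 # create-workflow-element
STEP2 = RdnChangingWfe("cn", "description", "groupOfNames", dn_attributes=("isMemberOf",))
```

Calling read_entry(STEP1, DIRECTORY, USER0["dn"]) reproduces the first validation (DN and manager rewritten to mail=...), and read_entry(STEP2, DIRECTORY, USER0["dn"]) the second (DN untouched, isMemberOf rewritten to description=...).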
Feedback
To provide feedback on this tutorial, please contact Identity Management User Assistance.