Before You Begin
This 15-minute tutorial shows you how to configure the DN Renaming Workflow Element (WFE) on an Oracle Unified Directory (OUD) proxy and run LDAP search and modify operations to demonstrate the expected result.
This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.
Background
In some Oracle Unified Directory (OUD) environments the Distinguished Name (DN) and attributes that a client application expects do not match the DN and attributes held on the server side. For example, an organization has a directory whose suffix is dc=parentcompany,dc=com. The parent company acquires another organization whose directory uses the suffix dc=newcompany,dc=com. For the existing client application to keep working, entries under dc=newcompany,dc=com must be presented under dc=parentcompany,dc=com. The DN Renaming WFE does this on the OUD proxy, rewriting DNs in client requests and server responses in flight; the data stored on the backend server is not changed.
In this tutorial the OUD server DN is dc=example,dc=com and the client DN is dc=myorg,dc=com.
What Do You Need?
- An environment with at least 16 GB of physical memory, Oracle Enterprise Linux 6.6 or later, and oracle credentials
- A basic understanding of Linux
- The LDIF files dnrename_users_groups.ldif, add_dnrename_newuser.ldif, add_dnrename_newgroup.ldif, and delete_dnrename_group.ldif, which contain the sample data that must be loaded into the OUD instance
- The pwd.txt file, which contains the Directory Manager's password needed during the OUD setup; since it holds the root credentials of both instances, restrict it to the oracle user (for example, chmod 600 ~/pwd.txt)
- This tutorial assumes that you have already defined the following environment variables:
OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
OUD_INSTANCES=/u01/app/oracle/config/oud_instances
Set Up a Directory Server Instance
In this section, you'll use the oud-setup utility to set up the Oracle Unified Directory server instance oud1 that acts as the backend data source. The proxy instance is created in the next section.
- Launch a terminal window as oracle and navigate to the OUD_ORACLE_HOME directory:
$ cd /u01/app/oracle/product/oud/oud
- Run the oud-setup command to set up a directory server instance oud1 with the base DN dc=example,dc=com:
$ ./oud-setup --cli --no-prompt --hostname host01.example.com \
--ldapPort 1389 --adminConnectorPort 4444 \
--instancePath /u01/app/oracle/config/oud_instances/oud1/OUD \
--rootUserDN "cn=Directory Manager" --rootUserPasswordFile ~/pwd.txt \
--baseDN dc=example,dc=com \
--integration generic --serverTuning jvm-default \
--offlineToolsTuning jvm-default --noPropertiesFile
The output should look similar to this:
Oracle Unified Directory 12.2.1.4.0
Please wait while the setup program initializes...
Creating instance directory /u01/app/oracle/config/oud_instances/oud1/OUD .....Done.
See /u01/app/oracle/config/oud_instances/oud1/OUD/logs/oud-setup for a detailed log of this operation.
Configuring Directory Server ..... Done.
Preparing the server for Oracle integration ....... Done.
Starting Directory Server ....... Done.
Creating Net Services suffixes ..... Done.
To see basic server configuration status and configuration you can launch /u01/app/oracle/config/oud_instances/oud1/OUD/bin/status
- Run the ldapmodify command to add the sample users and groups from dnrename_users_groups.ldif:
$ /u01/app/oracle/product/oud/oud/bin/ldapmodify -h host01.example.com \
-p 1389 -D "cn=Directory Manager" -w <password> -c \
-f ~/dnrename_users_groups.ldif
The output should look similar to this:
Processing ADD request for ou=People,dc=example,dc=com
ADD operation successful for DN ou=People,dc=example,dc=com
Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com
Processing ADD request for uid=user.3,ou=People,dc=example,dc=com
ADD operation successful for DN uid=user.3,ou=People,dc=example,dc=com
Processing ADD request for uid=user.5,ou=People,dc=example,dc=com
ADD operation successful for DN uid=user.5,ou=People,dc=example,dc=com
Configure the OUD Proxy Server
Set up an OUD proxy server instance proxy1 in front of the data source oud1. To connect to a remote LDAP directory server, the OUD proxy needs an LDAP server extension and an LDAP proxy workflow element. The LDAP server extension holds the properties required to connect from the proxy proxy1 to the remote LDAP server oud1; the proxy workflow element routes operations through that extension.
- Navigate to the $OUD_ORACLE_HOME directory:
$ cd $OUD_ORACLE_HOME
- Run the oud-proxy-setup command to create a proxy server instance, proxy1, as follows:
$ ./oud-proxy-setup --cli --no-prompt \
--hostname host01.example.com \
--ldapPort 2389 \
--adminConnectorPort 5444 \
--rootUserDN "cn=Directory Manager" \
--rootUserPasswordFile ~/pwd.txt \
--instancePath /u01/app/oracle/config/oud_instances/OUD/proxy1 \
--noPropertiesFile
The output should look similar to this:
Successfully wrote the updated Directory Server configuration
Starting the Server :
/scratch/export/oracle/config/oud_instances/OUD/proxy1/bin/start-ds --timeout 0
[25/Sep/2019:06:15:57 -0700] category=CORE severity=INFORMATION msgID=132 msg=The Directory Server is beginning the configuration bootstrapping process
--- ---
(alert type org.opends.server.DirectoryServerStarted, alert ID 458887): The Directory Server has started successfully
- Navigate to the bin directory of the OUD proxy server instance, $OUD_INSTANCES/OUD/proxy1/bin.
- Create an LDAP server extension, LDAPServerExtension1, that points to oud1:
$ ./dsconfig create-extension \
--set enabled:true \
--set remote-ldap-server-address:host01.example.com \
--set remote-ldap-server-port:1389 \
--type ldap-server \
--extension-name LDAPServerExtension1 \
--hostname host01.example.com \
--port 5444 \
--bindDN "cn=Directory Manager" \
--bindPasswordFile ~/pwd.txt \
--no-prompt \
--trustAll
- Create an LDAP proxy workflow element, ProxyLDAPWorkFlowElement1, that points to oud1:
$ ./dsconfig create-workflow-element \
--set client-cred-mode:use-client-identity \
--set enabled:true \
--set ldap-server-extension:LDAPServerExtension1 \
--type proxy-ldap \
--element-name ProxyLDAPWorkFlowElement1 \
--hostname host01.example.com \
--port 5444 \
--trustAll \
--bindDN "cn=Directory Manager" \
--bindPasswordFile ~/pwd.txt \
--no-prompt
With client-cred-mode:use-client-identity the proxy forwards each client's own bind identity to oud1 instead of binding with a fixed proxy account, so oud1 still applies its access control to the real client. Note also that the dsconfig commands in this tutorial use --trustAll, which accepts the proxy's administration connector certificate without verifying it; that is acceptable on a single lab host, but in a real deployment trust the certificate through a truststore instead, since the Directory Manager credentials from pwd.txt are sent over that connection.
Create the DN Renaming Workflow Element
- Create a DN Renaming WFE, DNRenaming-wfe, to rename the server DN dc=example,dc=com (source-base-dn) to the client DN dc=myorg,dc=com (client-base-dn). Operations arriving under the client DN are rewritten to the server DN before they are passed to the next workflow element, ProxyLDAPWorkFlowElement1, and results are rewritten back on the way out:
$ ./dsconfig create-workflow-element \
--type dn-renaming \
--element-name DNRenaming-wfe \
--set client-base-dn:dc=myorg,dc=com \
--set next-workflow-element:ProxyLDAPWorkFlowElement1 \
--set source-base-dn:dc=example,dc=com \
--set enabled:true \
--hostname host01.example.com \
--port 5444 \
--trustAll \
--bindDN "cn=Directory Manager" \
--bindPasswordFile ~/pwd.txt \
--no-prompt
- Create a workflow DNRenaming-wf whose base DN is the client DN dc=myorg,dc=com and whose first workflow element is DNRenaming-wfe:
$ ./dsconfig create-workflow \
--set base-dn:dc=myorg,dc=com \
--set enabled:true \
--set workflow-element:DNRenaming-wfe \
--type generic \
--workflow-name DNRenaming-wf \
--hostname host01.example.com \
--port 5444 \
--trustAll \
--bindDN "cn=Directory Manager" \
--bindPasswordFile ~/pwd.txt \
--no-prompt
- Attach the workflow DNRenaming-wf to the network group so that client requests under dc=myorg,dc=com are routed to it:
$ ./dsconfig set-network-group-prop \
--group-name network-group \
--set workflow:DNRenaming-wf \
--hostname host01.example.com \
--port 5444 \
--portProtocol LDAP \
--trustAll \
--bindDN "cn=Directory Manager" \
--bindPasswordFile ~/pwd.txt \
--no-prompt
Validate the DN Renaming Workflow Element
In this section you will run ldapsearch and ldapmodify commands to validate that the DN Renaming Workflow Element is working. The commands below pass the bind password with -w <password> for brevity; on a shared host prefer -j ~/pwd.txt, as the dsconfig commands already do with --bindPasswordFile, so that the password does not appear in the process list or the shell history.
- Navigate to the bin directory of the OUD proxy instance:
$ cd $OUD_INSTANCES/OUD/proxy1/bin
- Run the following ldapsearch command to view the user data directly from the OUD server oud1:
$ ./ldapsearch -h host01.example.com -p 1389 -D "cn=Directory Manager" \
-w <password> -b "dc=example,dc=com" "(objectclass=person)"
The output will look similar to this:
dn: uid=user.3,ou=People,dc=example,dc=com
sn: doe
cn: user.3
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.3

dn: uid=user.5,ou=People,dc=example,dc=com
sn: smith
cn: user.5
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.5
- Run the following ldapsearch command to view the same user data through the proxy server proxy1:
$ ./ldapsearch -h host01.example.com -p 2389 -D "cn=Directory Manager" \
-w <password> -b "dc=myorg,dc=com" "(objectclass=person)"
The output should look similar to this:
dn: uid=user.3,ou=People,dc=myorg,dc=com
sn: doe
cn: user.3
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.3

dn: uid=user.5,ou=People,dc=myorg,dc=com
sn: smith
cn: user.5
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.5
Notice that the DN has been renamed to dc=myorg,dc=com: the entries on oud1 are unchanged, but the proxy rewrites their DNs to the client base DN on the way back to the client.
- Run the following ldapmodify command to add a new user under dc=myorg,dc=com via the proxy server proxy1:
$ ./ldapmodify -h host01.example.com -p 2389 -D "cn=Directory Manager" \
-w <password> -c -f ~/add_dnrename_newuser.ldif
The output will look similar to this:
Processing ADD request for uid=user.12,ou=People,dc=myorg,dc=com
ADD operation successful for DN uid=user.12,ou=People,dc=myorg,dc=com
Notice that the DN reported to the client is under dc=myorg,dc=com.
- Run the following ldapsearch command to view the new user directly from the OUD server oud1:
$ ./ldapsearch -h host01.example.com -p 1389 -D "cn=Directory Manager" \
-w <password> -b "dc=example,dc=com" "uid=user.12"
The output will look similar to this:
dn: uid=user.12,ou=People,dc=example,dc=com
sn: james
cn: user.12
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.12
Notice that the DN is dc=example,dc=com: the proxy renamed the client suffix dc=myorg,dc=com to the server suffix before forwarding the add, so the entry is stored under the backend's own base DN.
Modify the DN Renaming Workflow Element
In this section, you'll modify the DN Renaming WFE, DNRenaming-wfe, to blacklist the attribute uniqueMember so that its values are no longer renamed. You'll then run ldapmodify and ldapsearch commands to validate the change in behaviour.
- Run the following ldapmodify command to add a new group cn=Sales with uniqueMember uid=user.8 under dc=myorg,dc=com via the proxy server proxy1:
$ ./ldapmodify -h host01.example.com \
-p 2389 -D "cn=Directory Manager" -w <password> -c \
-f ~/add_dnrename_newgroup.ldif
The output will look similar to this:
Processing ADD request for cn=Sales,ou=Groups,dc=myorg,dc=com
ADD operation successful for DN cn=Sales,ou=Groups,dc=myorg,dc=com
- Run the following ldapsearch command to view the group directly from the OUD server oud1:
$ ./ldapsearch -h host01.example.com -p 1389 -D "cn=Directory Manager" \
-w <password> -b "ou=Groups,dc=example,dc=com" "cn=Sales"
The output will look similar to this:
dn: cn=Sales,ou=Groups,dc=example,dc=com
uniqueMember: uid=user.8,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Sales
Notice that the DN is dc=example,dc=com, and that the uniqueMember value was renamed to the server suffix as well: by default the WFE rewrites DN-syntax attribute values, not only the entry DN.
- Run the following ldapmodify command to delete the group you just created:
$ ./ldapmodify -h host01.example.com \
-p 2389 -D "cn=Directory Manager" -w <password> -c \
-f ~/delete_dnrename_newgroup.ldif
The output will look similar to the following:
Processing DELETE request for cn=Sales,ou=Groups,dc=myorg,dc=com
DELETE operation successful for DN cn=Sales,ou=Groups,dc=myorg,dc=com
- Modify DNRenaming-wfe to blacklist the uniqueMember attribute as follows. The change is made on the proxy instance proxy1, so dsconfig connects to its administration connector on port 5444:
$ ./dsconfig set-workflow-element-prop \
--element-name DNRenaming-wfe \
--set black-list-attributes:uniqueMember \
--hostname host01.example.com \
--port 5444 \
--trustAll \
--bindDN "cn=Directory Manager" \
--bindPasswordFile ~/pwd.txt \
--no-prompt
- Run the following ldapmodify command to add the same group cn=Sales,ou=Groups,dc=myorg,dc=com with uniqueMember uid=user.8,ou=Groups,dc=myorg,dc=com via the proxy server proxy1:
$ ./ldapmodify -h host01.example.com \
-p 2389 -D "cn=Directory Manager" -w <password> -c \
-f ~/add_dnrename_group.ldif
The output should look similar to this:
Processing ADD request for cn=Sales,ou=Groups,dc=myorg,dc=com
ADD operation successful for DN cn=Sales,ou=Groups,dc=myorg,dc=com
- Run the following ldapsearch command to view the group directly from the OUD server oud1:
$ ./ldapsearch -h host01.example.com -p 1389 -D "cn=Directory Manager" \
-w <password> -b "ou=Groups,dc=example,dc=com" "cn=Sales"
The output should look similar to this:
dn: cn=Sales,ou=Groups,dc=example,dc=com
uniqueMember: uid=user.8,ou=Groups,dc=myorg,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Sales
Notice that cn=Sales,ou=Groups,dc=example,dc=com has the DN dc=example,dc=com, but because the uniqueMember attribute was blacklisted, the uniqueMember value keeps the client DN dc=myorg,dc=com. Be aware of what this means on the backend: oud1 has no entry named uid=user.8,ou=Groups,dc=myorg,dc=com, so anything evaluated on oud1 that resolves this member DN (group-based access control, membership lookups) will not match the user stored under dc=example,dc=com. Blacklist a DN-valued attribute only when its values are meant to be opaque to the backend.
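The two validation sections above show the rename from the outside: the entry DN changes suffix in both directions, and blacklisting uniqueMember stops that attribute's values from being rewritten. The following Python script is an added example written for this page, not OUD code, that emulates those two behaviours on in-memory entries so the effect of a blacklist can be reasoned about before touching a proxy. It assumes the WFE rewrites the entry DN and every DN-syntax attribute value carrying the configured base DN, matches the base DN on whole RDNs case-insensitively, and skips attributes named in black-list-attributes; the DN_SYNTAX_ATTRS set, the cn=Sales sample entry and the foreign_dn_values check are the example's own, not part of the tutorial.

```python
"""Emulation of what the DN Renaming WFE does to an entry in each direction.

Added example for this tutorial; it is not OUD code. It assumes the WFE
rewrites the entry DN and every DN-syntax attribute value whose suffix is the
configured base DN, and leaves attributes listed in black-list-attributes
untouched. DN_SYNTAX_ATTRS is a stand-in for what OUD reads from its schema.
"""
from __future__ import annotations

SERVER_BASE = "dc=example,dc=com"  # source-base-dn: the suffix on oud1
CLIENT_BASE = "dc=myorg,dc=com"    # client-base-dn: the suffix clients see via proxy1

# Assumed list of DN-valued attributes for the example (OUD uses its schema).
DN_SYNTAX_ATTRS = {"member", "uniquemember", "owner", "seealso", "manager"}

Entry = dict  # {"dn": str, "attrs": {attribute_name: [values]}}


def split_rdns(dn: str) -> list[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def has_suffix(dn: str, base: str) -> bool:
    """True if dn is base or sits below it. Whole-RDN, case-insensitive match,
    so dc=notexample,dc=com is not treated as being under dc=example,dc=com."""
    rdns = [r.lower() for r in split_rdns(dn)]
    base_rdns = [b.lower() for b in split_rdns(base)]
    return len(rdns) >= len(base_rdns) and rdns[-len(base_rdns):] == base_rdns


def rename_dn(dn: str, from_base: str, to_base: str) -> str:
    """Swap the from_base suffix of dn for to_base; DNs outside from_base pass through."""
    if not has_suffix(dn, from_base):
        return dn
    prefix = split_rdns(dn)[: -len(split_rdns(from_base))]
    return ",".join(prefix + [to_base])


def rename_entry(entry: Entry, from_base: str, to_base: str, blacklist=()) -> Entry:
    """Rename the entry DN and DN-syntax attribute values, except blacklisted ones."""
    skip = {a.lower() for a in blacklist}
    renamed: Entry = {"dn": rename_dn(entry["dn"], from_base, to_base), "attrs": {}}
    for name, values in entry["attrs"].items():
        if name.lower() in DN_SYNTAX_ATTRS and name.lower() not in skip:
            values = [rename_dn(v, from_base, to_base) for v in values]
        renamed["attrs"][name] = list(values)
    return renamed


def to_server(entry: Entry, blacklist=()) -> Entry:
    """Request direction: what oud1 receives when a client writes via proxy1."""
    return rename_entry(entry, CLIENT_BASE, SERVER_BASE, blacklist)


def to_client(entry: Entry, blacklist=()) -> Entry:
    """Response direction: what the client sees when oud1 answers via proxy1."""
    return rename_entry(entry, SERVER_BASE, CLIENT_BASE, blacklist)


def foreign_dn_values(entry: Entry, server_base: str = SERVER_BASE) -> list[tuple[str, str]]:
    """Check for the blacklist side effect: DN-valued attributes stored on oud1
    that do not point under oud1's own suffix, so oud1 cannot resolve them."""
    return [
        (name, value)
        for name, values in entry["attrs"].items()
        if name.lower() in DN_SYNTAX_ATTRS
        for value in values
        if not has_suffix(value, server_base)
    ]


# Constructed sample: the cn=Sales group as a client adds it through proxy1.
SALES_ADD: Entry = {
    "dn": "cn=Sales,ou=Groups,dc=myorg,dc=com",
    "attrs": {
        "objectClass": ["top", "groupOfUniqueNames"],
        "cn": ["Sales"],
        "uniqueMember": ["uid=user.8,ou=People,dc=myorg,dc=com"],
    },
}

if __name__ == "__main__":
    stored = to_server(SALES_ADD)
    print("no blacklist :", stored["dn"], stored["attrs"]["uniqueMember"])
    stored = to_server(SALES_ADD, blacklist=["uniqueMember"])
    print("blacklisted  :", stored["dn"], stored["attrs"]["uniqueMember"])
    print("unresolvable on oud1:", foreign_dn_values(stored))
```

Running the script prints what oud1 would store for the cn=Sales add with and without the blacklist. foreign_dn_values returns the DN-valued attribute values that the backend cannot resolve under its own suffix, which is the kind of check to run over entries exported from oud1 after blacklisting a DN-valued attribute.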