Before You Begin
This 15-minute tutorial shows you how to configure the Dynamic Entry Tree Workflow Element (WFE) and execute LDAP search operations to demonstrate the expected result.
This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.
Background
The Dynamic Entry Tree WFE can generate a virtual directory tree hierarchy by using attributes found in entry leaf nodes. For example, if a user entry exists as uid=user.0,ou=people,dc=example,dc=com, the Dynamic Entry Tree WFE can insert a new hierarchy level into the user's DN, such as uid=user.0,st=MT,ou=people,dc=example,dc=com.
The Dynamic Entry Tree WFE is configured by specifying matching patterns in the patterns configuration parameter. The syntax of the patterns parameter value is attr[=entryattr[(SUPPRESS|value)]],... where entryattr is written between percent signs (for example %st%) in the commands that follow.
For each DN component, an attribute name can have a value substituted from the entry attribute on the right side of the equals sign (=). If no substitution is required, only the attribute is listed, which matches a component of the original DN. When a value is substituted, you can also qualify what happens when entryattr has no value: specify SUPPRESS to drop the entry from the results completely, or specify a default value in parentheses after the entryattr name.
For example, if the pattern is set to uid,ou=%st%(NOST),ou, the pattern matches objects under the root (dc=example,dc=com) whose DN components match uid,ou. Therefore, uid=user.0,ou=people,dc=example,dc=com would be selected for mapping. When the entry is returned, its st attribute is checked for values; if none are present, the static text NOST is substituted. The result is uid=user.0,ou=MT,ou=people,dc=example,dc=com when user.0 has a value for the st attribute, or uid=user.0,ou=NOST,ou=people,dc=example,dc=com when it does not.
What Do You Need?
- An environment with at least 16 GB of physical memory, Oracle Enterprise Linux 6.6 or later, and oracle credentials
- A basic understanding of Linux
- The LDIF file dynamic_users_groups.ldif, containing the sample data that must be loaded into the OUD instance
- The pwd.txt file, containing the Directory Manager's password needed during the OUD setup. Because this is the root user's password for both instances you create, keep the file readable only by the oracle user (for example, chmod 600 ~/pwd.txt).
- This tutorial assumes that you have already defined the following environment variables:
OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
OUD_INSTANCES=/u01/app/oracle/config/oud_instances
Set Up a Directory Server Instance
In this section, you'll use the oud-setup utility to set up an Oracle Unified Directory server instance, oud1, which the proxy you create in the next section uses as its data source.
- Launch a terminal window as oracle and navigate to the OUD_ORACLE_HOME directory:
$ cd /u01/app/oracle/product/oud/oud
- Run the oud-setup command to set up a directory server instance oud1 with base DN dc=example,dc=com:
$ ./oud-setup --cli --no-prompt --hostname host01.example.com \
  --ldapPort 1389 --adminConnectorPort 4444 \
  --instancePath /u01/app/oracle/config/oud_instances/oud1/OUD \
  --rootUserDN "cn=Directory Manager" --rootUserPasswordFile ~/pwd.txt \
  --baseDN dc=example,dc=com \
  --integration generic --serverTuning jvm-default \
  --offlineToolsTuning jvm-default --noPropertiesFile
The output should look similar to this:
Oracle Unified Directory 12.2.1.4.0
Please wait while the setup program initializes...
Creating instance directory /u01/app/oracle/config/oud_instances/oud1/OUD ..... Done.
See /u01/app/oracle/config/oud_instances/oud1/OUD/logs/oud-setup for a detailed log of this operation.
Configuring Directory Server ..... Done.
Preparing the server for Oracle integration ....... Done.
Starting Directory Server ....... Done.
Creating Net Services suffixes ..... Done.
To see basic server configuration status and configuration you can launch /u01/app/oracle/config/oud_instances/oud1/OUD/bin/status
- Run the ldapmodify command to add the users and groups from dynamic_users_groups.ldif. Replace <password> with the Directory Manager password. The -c option continues past any entry that fails to load. Note that -w puts the password on the command line, where it is visible in the process list and in shell history; outside a lab, prefer -j ~/pwd.txt (--bindPasswordFile) instead:
$ /u01/app/oracle/product/oud/oud/bin/ldapmodify -h host01.example.com \
  -p 1389 -D "cn=Directory Manager" -w <password> -c \
  -f ~/dynamic_users_groups.ldif
The output should look similar to this:
Processing ADD request for ou=People,dc=example,dc=com
ADD operation successful for DN ou=People,dc=example,dc=com
Processing ADD request for ou=Marketing,dc=example,dc=com
ADD operation successful for DN ou=Marketing,dc=example,dc=com
Processing ADD request for uid=user.0,ou=people,dc=example,dc=com
ADD operation successful for DN uid=user.0,ou=people,dc=example,dc=com
Processing ADD request for uid=user.1,ou=people,dc=example,dc=com
ADD operation successful for DN uid=user.1,ou=people,dc=example,dc=com
Processing ADD request for cn=Brand,ou=Marketing,dc=example,dc=com
ADD operation successful for DN cn=Brand,ou=Marketing,dc=example,dc=com
Processing ADD request for cn=Media,ou=Marketing,dc=example,dc=com
ADD operation successful for DN cn=Media,ou=Marketing,dc=example,dc=com
Configure the OUD Proxy Server
In this section you set up an OUD proxy server instance, proxy1, in front of the data source oud1. To connect to a remote LDAP directory server, the OUD proxy needs an LDAP server extension and an LDAP proxy workflow element. The LDAP server extension holds the connection properties (host, port, and so on) required to reach the remote LDAP server oud1 from proxy1; the proxy LDAP workflow element routes operations over that extension.
- Navigate to the $OUD_ORACLE_HOME directory:
$ cd $OUD_ORACLE_HOME
- Run the oud-proxy-setup command to create a proxy server instance, proxy1, as follows:
$ ./oud-proxy-setup --cli --no-prompt \
  --hostname host01.example.com \
  --ldapPort 2389 \
  --adminConnectorPort 5444 \
  --rootUserDN "cn=Directory Manager" \
  --rootUserPasswordFile ~/pwd.txt \
  --instancePath /u01/app/oracle/config/oud_instances/OUD/proxy1 \
  --noPropertiesFile
The output should look similar to this (the instance path in your output matches the --instancePath you gave):
Successfully wrote the updated Directory Server configuration
Starting the Server :
/u01/app/oracle/config/oud_instances/OUD/proxy1/bin/start-ds --timeout 0
[25/Sep/2019:06:15:57 -0700] category=CORE severity=INFORMATION msgID=132 msg=The Directory Server is beginning the configuration bootstrapping process
---
---
(alert type org.opends.server.DirectoryServerStarted, alert ID 458887): The Directory Server has started successfully
- Navigate to the bin directory of the OUD proxy server instance, $OUD_INSTANCES/OUD/proxy1/bin:
$ cd $OUD_INSTANCES/OUD/proxy1/bin
- Create an LDAP server extension, LDAPServerExtension1, that points to oud1:
$ ./dsconfig create-extension \
  --set enabled:true \
  --set remote-ldap-server-address:host01.example.com \
  --set remote-ldap-server-port:1389 \
  --type ldap-server \
  --extension-name LDAPServerExtension1 \
  --hostname host01.example.com \
  --port 5444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --no-prompt \
  --trustAll
Here --hostname and --port 5444 address the administration connector of proxy1 (not of oud1), and --trustAll makes dsconfig accept the administration connector's certificate without verifying it. That is acceptable on a single lab host; for a production proxy, point dsconfig at a truststore containing the administration connector's certificate with --trustStorePath instead, so the credentials in pwd.txt are never sent to an unverified endpoint.
- Create an LDAP proxy workflow element, ProxyLDAPWorkFlowElement1, that reaches oud1 through LDAPServerExtension1:
$ ./dsconfig create-workflow-element \
  --set client-cred-mode:use-client-identity \
  --set enabled:true \
  --set ldap-server-extension:LDAPServerExtension1 \
  --type proxy-ldap \
  --element-name ProxyLDAPWorkFlowElement1 \
  --hostname host01.example.com \
  --port 5444 \
  --trustAll \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --no-prompt
With client-cred-mode:use-client-identity, the proxy connects to oud1 using the identity of the client that bound to proxy1, so oud1's access control applies to the real client rather than to a proxy service account. This is also why, in the validation steps below, the same bind DN and password work against both port 1389 and port 2389: both instances were set up with the root user password in pwd.txt.
Create the Dynamic Entry Tree Workflow Element
In this section you create a Dynamic Entry Tree WFE and set its pattern to uid,ou=%st%(NOST),ou.
- Create a Dynamic Entry Tree WFE, DynamicEntry-wfe, that forwards to ProxyLDAPWorkFlowElement1 (the parentheses in the pattern are escaped for the shell):
$ ./dsconfig create-workflow-element \
  --type dynamic-entry-tree \
  --set base-dn:dc=example,dc=com \
  --element-name DynamicEntry-wfe \
  --set next-workflow-element:ProxyLDAPWorkFlowElement1 \
  --set patterns:uid,ou=%st%\(NOST\),ou \
  --set enabled:true \
  --hostname host01.example.com \
  --port 5444 \
  --trustAll \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --no-prompt
- Create a workflow, DynamicEntry-wf, for base DN dc=example,dc=com whose entry point is DynamicEntry-wfe:
$ ./dsconfig create-workflow \
  --set base-dn:dc=example,dc=com \
  --set enabled:true \
  --set workflow-element:DynamicEntry-wfe \
  --type generic \
  --workflow-name DynamicEntry-wf \
  --hostname host01.example.com \
  --port 5444 \
  --trustAll \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --no-prompt
- Attach the workflow DynamicEntry-wf to the network group:
$ ./dsconfig set-network-group-prop \
  --group-name network-group \
  --set workflow:DynamicEntry-wf \
  --hostname host01.example.com \
  --port 5444 \
  --portProtocol LDAP \
  --trustAll \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --no-prompt
Requests that reach proxy1 for dc=example,dc=com now pass through DynamicEntry-wfe, which rewrites the DNs of matching entries on their way back to the client, and then through ProxyLDAPWorkFlowElement1 to oud1.
Validate the Dynamic Entry Tree Workflow Element
In this section you run ldapsearch commands to validate that the Dynamic Entry Tree WFE is working:
- Navigate to the bin directory of the OUD proxy instance:
$ cd $OUD_INSTANCES/OUD/proxy1/bin
- Run the following ldapsearch command to view the user data directly from the OUD server oud1 (port 1389):
$ ./ldapsearch -h host01.example.com -p 1389 -D "cn=Directory Manager" \
  -w <password> -b "dc=example,dc=com" "(objectclass=person)"
The output will look similar to this:
dn: uid=user.0,ou=people,dc=example,dc=com
mail: user.0@example.com
sn: user.0
cn: user.0
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
st: MT
uid: user.0

dn: uid=user.1,ou=people,dc=example,dc=com
sn: user.1
cn: user.1
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.1
Notice that the uid=user.0,ou=people,dc=example,dc=com entry has the st attribute set (st: MT), and that the uid=user.1,ou=people,dc=example,dc=com entry has no st attribute.
- Run the following ldapsearch command to view the same user data through the proxy server proxy1 (port 2389):
$ ./ldapsearch -h host01.example.com -p 2389 -D "cn=Directory Manager" \
  -w <password> -b "dc=example,dc=com" "(objectclass=person)"
The output should look similar to this:
dn: uid=user.0,ou=MT,ou=people,dc=example,dc=com
sn: user.0
cn: user.0
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
st: MT
uid: user.0

dn: uid=user.1,ou=NOST,ou=people,dc=example,dc=com
sn: user.1
cn: user.1
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.1
Notice that the DN of the user.0 entry has been transformed to uid=user.0,ou=MT,ou=people,dc=example,dc=com, because the value of its st attribute was inserted as a new ou component. The user.1 entry has been transformed to uid=user.1,ou=NOST,ou=people,dc=example,dc=com, because it has no st attribute and the pattern supplies the default NOST.
Modify the Dynamic Entry Tree Workflow Element
In this section, you modify the Dynamic Entry Tree WFE, DynamicEntry-wfe, and add a second pattern, cn,ou=%member%(SUPPRESS),ou. This pattern matches objects under the root (dc=example,dc=com) whose DN components start with cn and inserts an additional ou node whose value is taken from the member attribute. If the member attribute doesn't exist, the SUPPRESS qualifier removes the entry from the results. Because the inserted value is itself a DN, the commas in it are backslash-escaped in the resulting RDN, as the output below shows.
- Modify DynamicEntry-wfe to add the pattern cn,ou=%member%(SUPPRESS),ou (the parentheses are escaped for the shell; --add keeps the existing uid,ou=%st%(NOST),ou pattern in place):
$ ./dsconfig set-workflow-element-prop \
  --element-name DynamicEntry-wfe \
  --add patterns:cn,ou=%member%\(SUPPRESS\),ou \
  --hostname host01.example.com \
  --port 5444 \
  --trustAll \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --no-prompt
- Run the following ldapsearch command to view the groups directly from the OUD server oud1:
$ ./ldapsearch -h host01.example.com -p 1389 -D "cn=Directory Manager" \
  -w <password> -b "dc=example,dc=com" "(objectclass=groupOfNames)"
The output will look similar to this:
dn: cn=Brand,ou=Marketing,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Brand
member: uid=user.0,ou=people,dc=example,dc=com

dn: cn=Media,ou=Marketing,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Media
Notice that the entry cn=Brand,ou=Marketing,dc=example,dc=com has a member attribute and the entry cn=Media,ou=Marketing,dc=example,dc=com doesn't.
- Run the following ldapsearch command to view the same group data through the proxy server proxy1:
$ ./ldapsearch -h host01.example.com -p 2389 -D "cn=Directory Manager" \
  -w <password> -b "dc=example,dc=com" "(objectclass=groupOfNames)"
The output will look similar to this:
dn: cn=Brand,ou=uid=user.0\,ou=people\,dc=example\,dc=com,ou=Marketing,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Brand
member: uid=user.0,ou=people,dc=example,dc=com
Notice that the entry cn=Brand,ou=Marketing,dc=example,dc=com has been updated to cn=Brand,ou=uid=user.0\,ou=people\,dc=example\,dc=com,ou=Marketing,dc=example,dc=com, and that the entry cn=Media,ou=Marketing,dc=example,dc=com has been removed from the results completely, as it does not have the member attribute. The member attribute value itself is shown unescaped, because it is an attribute value; the same string inside the DN is escaped because there it is an RDN value.
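The following Python script is an added illustration, not OUD's implementation and not code from this tutorial. It models the pattern semantics described on this page (bare components that must match the type of an existing RDN, inserted components that take their value from an entry attribute, and the default-value and SUPPRESS qualifiers) and applies both of the page's patterns to constructed sample entries that mirror dynamic_users_groups.ldif, including the RFC 4514 escaping that produces the ou=uid=user.0\,ou=people\,... RDN. Behaviour the page does not specify is an assumption, marked in comments: the first matching pattern wins, non-matching entries pass through unchanged, a multi-valued entry attribute contributes its first value, and an inserted component with neither a value nor a qualifier leaves the entry untouched. The parentheses in the patterns are written unescaped here because no shell is involved.

```python
"""Toy model of the Dynamic Entry Tree WFE pattern mapping described on this page.
Added illustration only, not OUD code. Pattern syntax from the page:
    attr[=%entryattr%[(SUPPRESS|default)]],...
An entry is a dict {"dn": str, "<attr>": [values...]}; the sample entries below are
constructed to mirror dynamic_users_groups.ldif as shown in the ldapsearch output.
"""
import re

# "attr=%entryattr%(qualifier)" inserts a new RDN at this position; a bare "attr"
# must match the type of the entry's RDN at this position.
_INSERT_RE = re.compile(r"^(?P<attr>[^=]+)=%(?P<src>[^%]+)%(?:\((?P<qual>[^)]*)\))?$")


def parse_pattern(pattern):
    """'uid,ou=%st%(NOST),ou' -> [('uid', None, None), ('ou', 'st', 'NOST'), ('ou', None, None)]"""
    comps = []
    for raw in pattern.split(","):
        m = _INSERT_RE.match(raw.strip())
        if m:
            comps.append((m["attr"].lower(), m["src"].lower(), m["qual"]))
        else:
            comps.append((raw.strip().lower(), None, None))
    return comps


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4).
    '=' needs no escaping, which is why the page shows ou=uid=user.0\\,ou=people\\,..."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append("".join(cur))
    return rdns


def apply_pattern(entry, comps, base_dn):
    """Return ('nomatch', None), ('suppress', None) or ('mapped', new_dn)."""
    suffix = "," + base_dn
    if not entry["dn"].lower().endswith(suffix.lower()):
        return ("nomatch", None)
    rdns = split_rdns(entry["dn"][:-len(suffix)])
    out, i = [], 0
    for attr, src, qual in comps:
        if src is None:  # structural component: consume one RDN of the same type
            if i >= len(rdns) or rdns[i].split("=", 1)[0].strip().lower() != attr:
                return ("nomatch", None)
            out.append(rdns[i])
            i += 1
        else:  # inserted component: value comes from the entry attribute
            values = entry.get(src, [])
            if values:
                value = values[0]  # assumption: first value of a multi-valued attribute
            elif qual == "SUPPRESS":
                return ("suppress", None)
            elif qual is not None:
                value = qual  # static default such as NOST
            else:
                return ("nomatch", None)  # assumption: no value, no qualifier -> untouched
            out.append(f"{attr}={escape_rdn_value(value)}")
    if i != len(rdns):  # DN has more RDNs than the pattern describes: not a match
        return ("nomatch", None)
    return ("mapped", ",".join(out) + suffix)


def virtual_tree(entries, patterns, base_dn="dc=example,dc=com"):
    """Apply the WFE's pattern list to a result set (assumption: first match wins)."""
    parsed = [parse_pattern(p) for p in patterns]
    result = []
    for entry in entries:
        outcome, new_dn = "nomatch", None
        for comps in parsed:
            outcome, new_dn = apply_pattern(entry, comps, base_dn)
            if outcome != "nomatch":
                break
        if outcome == "suppress":
            continue  # SUPPRESS: drop the entry from the results entirely
        result.append(dict(entry, dn=new_dn) if outcome == "mapped" else entry)
    return result


# Constructed sample data (not the tutorial's LDIF file itself).
SAMPLE_ENTRIES = [
    {"dn": "ou=People,dc=example,dc=com", "ou": ["People"]},
    {"dn": "uid=user.0,ou=people,dc=example,dc=com", "uid": ["user.0"], "st": ["MT"]},
    {"dn": "uid=user.1,ou=people,dc=example,dc=com", "uid": ["user.1"]},
    {"dn": "cn=Brand,ou=Marketing,dc=example,dc=com", "cn": ["Brand"],
     "member": ["uid=user.0,ou=people,dc=example,dc=com"]},
    {"dn": "cn=Media,ou=Marketing,dc=example,dc=com", "cn": ["Media"]},
]
PATTERNS = ["uid,ou=%st%(NOST),ou", "cn,ou=%member%(SUPPRESS),ou"]

if __name__ == "__main__":
    for e in virtual_tree(SAMPLE_ENTRIES, PATTERNS):
        print(e["dn"])
```

Running the script prints four DNs: ou=People unchanged (neither pattern's first component matches an ou RDN), user.0 with ou=MT, user.1 with ou=NOST, and cn=Brand with the escaped member DN as its inserted ou value; cn=Media is absent because SUPPRESS dropped it. The escaping step is the part worth keeping in mind when you consume the virtual tree from an application: a client that splits DNs on bare commas will mis-parse the Brand entry, so use a DN-aware parser as split_rdns does.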
Want to Learn More?
Feedback
To provide feedback on this tutorial, please contact Identity Management User Assistance.