Oracle by Example brandingConfigure the Dynamic Entry Tree Workflow Element in Oracle Unified Directory 12c

section 0Before You Begin

This 15-minute tutorial shows you how to configure the Dynamic Entry Tree Workflow Element (WFE) and execute the LDAP search operations to demonstrate the expected result.

This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.

Background

The Dynamic Entry Tree WFE can generate a virtual directory tree hierarchy by using attributes found in entry leaf nodes. For example, if a user entry exists as uid=user.0,ou=people,dc=example,dc=com,, the Dynamic Entry Tree WFE can insert a new hierarchy in the entry of the user, such as uid=user.0,st=MT,ou=people,dc=example,dc=com.

The Dynamic Entry Tree WFE is configured by specifying matching patterns using the patterns configuration parameter. The syntax for the patterns parameter value is attr[=entryattr[(SUPPRESS|value)]],...

For each DN component, an attribute name can have a value substituted with the attribute on the right side of the equals sign (=). If no substitution is required, then just the attribute is listed, which essentially refers to a matching component with the original DN. When a value is substituted, you can also further qualify what happens when entryattr has no value. You may either specify SUPPRESS to suppress the entry completely, or you may specify a default value within brackets after the entryattr name.

For example, if the pattern is set to uid,ou=%st%(NOST),ou, The pattern matches objects under the root (dc=example,dc=com) that have dn components matching uid,ou. Therefore, uid=user.0,ou=people,dc=example,dc=com would be selected for mapping. Upon return, the st attribute would be checked for values. If none are present, the static text NOST is substituted. The results will be uid=user.0,ou=MT,ou=people,dc=example,dc=com (when there is a value for attribute st for user.0) or uid=user.0,ou=NOST,ou=people,dc=example,dc=com (when there is no value for attribute st for user.0) respectively.

What Do You Need?

  • An environment with at least 16 GB of physical memory, Oracle Enterprise Linux 6.6 or later, and oracle credentials
  • A basic understanding of Linux
  • The LDIF file, dynamic_users_groups.ldif containing the sample data that must be loaded into the OUD instance
  • The pwd.txt file contains the Directory Manager's password needed during the OUD setup
  • This tutorial assumes that you have already defined the following environment variables:
    • OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
    • OUD_INSTANCES=/u01/app/oracle/config/oud_instances

section 1Set Up a Directory Server Instance

In this section, you'll use the oud-setup utility to set up two Oracle Unified Directory server instances.

  1. Launch a terminal window as oracle and navigate to the OUD_ORACLE_HOME directory. 
    $ cd /u01/app/oracle/product/oud/oud
  2. Run the oud-setup command to set up a directory server instance oud with baseDN dc=example,dc=com: 
    ./oud-setup --cli --no-prompt --hostname host01.example.com \
--ldapPort 1389 --adminConnectorPort 4444 \
--instancePath /u01/app/oracle/config/oud_instances/oud1/OUD \
--rootUserDN "cn=Directory Manager" --rootUserPasswordFile ~/pwd.txt \
--baseDN dc=example,dc=com \
--integration generic --serverTuning jvm-default \
--offlineToolsTuning jvm-default --noPropertiesFile

    The output should look similar to this:

    Oracle Unified Directory 12.2.1.4.0
Please wait while the setup program initializes...

Creating instance directory
/u01/app/oracle/config/oud_instances/oud1/OUD .....Done.
See /u01/app/oracle/config/oud_instances/oud1/OUD/logs/oud-setup for 
a detailed log of this operation.
Configuring Directory Server ..... Done.
Preparing the server for Oracle integration ....... Done.
Starting Directory Server ....... Done.
Creating Net Services suffixes ..... Done.
    
To see basic server configuration status and configuration you can launch
/u01/app/oracle/config/oud_instances/oud1/OUD/bin/status
  3. Run the ldapmodify command to add the users from the dynamic_users_groups.ldif: 
    $ /u01/app/oracle/product/oud/oud/bin/ldapmodify -h host01.example.com \
-p 1389 -D "cn=Directory Manager" -w <password> -c \
-f ~/dynamic_users_groups.ldif

    The output should look similar to this:

    Processing ADD request for ou=People,dc=example,dc=com
    ADD operation successful for DN ou=People,dc=example,dc=com
    Processing ADD request for ou=Marketing,dc=example,dc=com
    ADD operation successful for DN ou=Marketing,dc=example,dc=com
    Processing ADD request for uid=user.0,ou=people,dc=example,dc=com
    ADD operation successful for DN uid=user.0,ou=people,dc=example,dc=com
    Processing ADD request for uid=user.1,ou=people,dc=example,dc=com
    ADD operation successful for DN uid=user.1,ou=people,dc=example,dc=com
    Processing ADD request for cn=Brand,ou=Marketing,dc=example,dc=com
    ADD operation successful for DN cn=Brand,ou=Marketing,dc=example,dc=com
    Processing ADD request for cn=Media,ou=Marketing,dc=example,dc=com
    ADD operation successful for DN cn=Media,ou=Marketing,dc=example,dc=com

section 2Configure the OUD Proxy Server

Set up an OUD Proxy Server instance proxy1 in front of the data source oud1. In addition, to connect to a remote LDAP directory server, the OUD proxy needs LDAP server extension and LDAP proxy workflow elements configured. LDAP Server extensions are the properties required to connect from OUD Proxy proxy1 to the remote LDAP server oud1.

  1. Navigate to the $OUD_ORACLE_HOME directory: 
    $ cd $OUD_ORACLE_HOME
  2. Run the oud-proxy-setup command to create a proxy server instance, proxy1, as follows: 
    $ ./oud-proxy-setup --cli --no-prompt \
--hostname host01.example.com \
--ldapPort 2389 \
--adminConnectorPort 5444 \
--rootUserDN "cn=Directory Manager" \
--rootUserPasswordFile ~/pwd.txt \
--instancePath /u01/app/oracle/config/oud_instances/OUD/proxy1 \
--noPropertiesFile

    The output should look similar to this:

    Successfully wrote the updated Directory Server configuration
    Starting the Server :
    /scratch/export/oracle/config/oud_instances/OUD/proxy1/bin/start-ds --timeout 0 
    [25/Sep/2019:06:15:57 -0700] category=CORE severity=INFORMATION msgID=132 msg=The Directory Server is beginning the configuration bootstrapping process
---
---
(alert type org.opends.server.DirectoryServerStarted, alert ID 458887):  The Directory Server has started successfully
  3. Navigate to the bin directory of the OUD proxy server instance, $OUD_INSTANCES/OUD/proxy1/bin.
  4. Create an LDAP Server Extension, LDAPServerExtension1 that points to oud1: 
    $ ./dsconfig create-extension \
    --set enabled:true \
    --set remote-ldap-server-address:host01.example.com \
    --set remote-ldap-server-port:1389 \
    --type ldap-server \
    --extension-name LDAPServerExtension1 \
    --hostname host01.example.com \
    --port 5444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll
  5. Create an LDAP Proxy workflow element, ProxyLDAPWorkFlowElement1, that points to oud1:
    ./dsconfig create-workflow-element \
--set client-cred-mode:use-client-identity \
--set enabled:true \
--set ldap-server-extension:LDAPServerExtension1 \
--type proxy-ldap \
--element-name ProxyLDAPWorkFlowElement1 \
--hostname host01.example.com \
--port 5444 \
--trustAll \
--bindDN "cn=Directory Manager" \
--bindPasswordFile ~/pwd.txt \
--no-prompt

section 3Create the Dynamic Entry Tree Workflow Element

In this section you create a Dynamic Entry Tree WFE and set the pattern matching to uid,ou=%st%(NOST),ou.

  1. Create a Dynamic Entry Tree WFE, DynamicEntry-wfe: 
    $ ./dsconfig create-workflow-element \
    --type dynamic-entry-tree \
--set base-dn:dc=example,dc=com \
    --element-name DynamicEntry-wfe \
    --set next-workflow-element:ProxyLDAPWorkFlowElement1 \
    --set patterns:uid,ou=%st%\(NOST\),ou \
    --set enabled:true \
    --hostname host01.example.com  \
    --port 5444 \
    --trustAll \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt
  2. Create a workflow DynamicEntry-wf:
     ./dsconfig create-workflow \
    --set base-dn:dc=example,dc=com \
    --set enabled:true \
    --set workflow-element:DynamicEntry-wfe \
    --type generic \
    --workflow-name DynamicEntry-wf \
    --hostname host01.example.com  \
    --port 5444 \
    --trustAll \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt
  3. Attach the Dynamic Entry Tree Workflow , DynamicEntry-wf, to the network group: 
    ./dsconfig set-network-group-prop \
    --group-name network-group \
    --set workflow:DynamicEntry-wf \
    --hostname host01.example.com \
    --port 5444 \
    --portProtocol LDAP \
    --trustAll \
    --bindDN cn=Directory\ Manager \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt

section 4Validate the Dynamic Entry Workflow Element

In this section you will run ldapsearch commands to validate the Dynamic Entry Workflow Element is working:

  1. Navigate to the OUD proxy instance directory: 
    $ cd $OUD_INSTANCES/OUD/proxy1/bin
  2. Run the following ldapsearch command to view the user data directly from the OUD Server oud1: 
    ./ldapsearch -h host01.example.com -p 1389 -D cn="Directory Manager" \
-w <password> -b "dc=example,dc=com" "(objectclass=person)"
    The output will look similar to this: 
    dn: uid=user.0,ou=people,dc=example,dc=com
mail: user.0@example.com
sn: user.0
cn: user.0
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
st: MT
uid: user.0

dn: uid=user.1,ou=people,dc=example,dc=com
sn: user.1
cn: user.1
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.1
    Notice that uid=user.0,ou=people,dc=example,dc=com entry has the ST attribute set st: MT.
    Notice that uid=user.1,ou=people,dc=example,dc=com entry has no ST attribute set.
  3. Run the following ldapsearch command to view the same user data from the proxy server proxy1. 
    $ ./ldapsearch -h host01.example.com -p 2389 -D cn="Directory Manager" \
-w <password> -b "dc=example,dc=com" "(objectclass=person)"

    The output should look similar to this:

    dn: uid=user.0,ou=MT,ou=people,dc=example,dc=com
sn: user.0
cn: user.0
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
st: MT
uid: user.0

dn: uid=user.1,ou=NOST,ou=people,dc=example,dc=com
sn: user.1
cn: user.1
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
uid: user.1

    Notice that user entry for user.0 has been transformed to uid=user.0,ou=MT,ou=people,dc=example,dc=com. Also, notice that the user.1 entry has been transformed to uid=user.1,ou=NOST,ou=people,dc=example,dc=com, as it has no st attribute defined.

section 5Modify the Dynamic Entry Tree Workflow Element

In this section, you'll modify the Dynamic WFE, DynamicEntry-wfe, and add another pattern cn,ou=%member%\(SUPPRESS\),ou.

The pattern will match objects under the root (dc=example,dc=com) that have dn components starting with cn and insert an additional node ou with the value of the attribute member. If the member attribute doesn't exist, then the pattern removes the entry from the results.

  1. Modify the DynamicEntry-wfe to add the pattern cn,ou=%member%(SUPPRESS),ou: 
    ./dsconfig set-workflow-element-prop \
    --element-name DynamicEntry-wfe \
    --add patterns:cn,ou=%member%\(SUPPRESS\),ou \
    --hostname host01.example.com \
    --port "5444" \
    --trustAll \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt
  2. Run the following ldapsearch command to view the groups directly from the OUD Server oud1: 
    ./ldapsearch -h host01.example.com -p 1389 -D cn="Directory Manager" \
    -w <password> -b "dc=example,dc=com" "(objectclass=groupOfNames)"
    The output will look similar to this:
    dn: cn=Brand,ou=Marketing,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Brand
member: uid=user.0,ou=people,dc=example,dc=com

dn: cn=Media,ou=Marketing,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Media
    Notice that the entry cn=Brand,ou=Marketing,dc=example,dc=com has a member attribute and the entry cn=Media,ou=Marketing,dc=example,dc=com doesn't.
  3. Run the following ldapsearch command to view the same group data from the proxy server proxy1.: 
    ./ldapsearch -h host01.example.com -p 2389 -D cn="Directory Manager" \
    -w <password> -b "dc=example,dc=com" "(objectclass=groupOfNames)"
    The output will look similar to the following:
    dn: cn=Brand,ou=uid=user.0\,ou=people\,dc=example\,dc=com,ou=Marketing,dc=example,dc=com
    objectClass: top
    objectClass: groupOfNames
    cn: Brand
    member: uid=user.0,ou=people,dc=example,dc=com
    Notice the entry cn=Brand,ou=Marketing,dc=example,dc=com has been updated to cn=Brand,ou=uid=user.0\,ou=people\,dc=example\,dc=com,ou=Marketing,dc=example,dc=com, and that the entry cn=Media,ou=Marketing,dc=example,dc=com has been removed from the results completely, as it does not have the member attribute.

more informationWant to Learn More?

Dynamic Entry Tree Workflow Element

feedbackFeedback

To provide feedback on this tutorial, please contact Identity Management User Assistance.