Before You Begin
This 15-minute tutorial shows you how to configure the DynamicGroups Workflow Element (WFE) in Oracle Unified Directory 12c (OUD), and execute a number of LDAP searches which demonstrate the functionality provided by the WFE.
This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.
Background
The DynamicGroups WFE enables Oracle Unified Directory to process dynamic groups (objectclass=groupofurls) and present them as a virtual static group (objectclass=groupofuniquenames) equivalent. This allows you to maintain both static and dynamic groups in your directory while maintaining compatibility with applications which may not support the groupofurls objectclass.
What Do You Need?
- An environment with at least 16 GB of physical memory, Oracle Enterprise Linux 6.6 or later, and oracle credentials
- A basic understanding of Linux
- This tutorial assumes that you have installed Oracle Unified Directory 12c
- An OUD LDAP server instance has been configured. The assumption for this OBE is that the OUD server is running on hostname oud.example.com, LDAP port 1389, and LDAP administration port 4444
- The file ~/pwd.txt exists, containing the password for the Directory Administrator
- The dyngrp.ldif file is loaded to the OUD instance
- This tutorial assumes that you have already defined the following environment variables:
  OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
  OUD_INSTANCES=/u01/app/oracle/config/oud_instances
Configure a Directory Server Instance
In this section, you'll use the oud-setup utility to set up an Oracle Unified Directory 12c server instance.
- Launch a terminal window as oracle and navigate to the OUD_ORACLE_HOME directory.
- Set the INSTANCE_NAME environment variable to indicate to the setup utility where to place the directory server instance configuration:
  export INSTANCE_NAME=../../config/oud_instances/oud_dyngrp
- Run the oud-setup command to configure a directory server instance, and load the sample data for this tutorial:
  /u01/app/oracle/product/oud19c/oud/oud-setup \
    --cli \
    --no-prompt \
    --hostname oud.example.com \
    --ldapPort 1389 \
    --rootUserDN cn="Directory Manager" \
    --rootUserPasswordFile ~/pwd.txt \
    --baseDN dc=example,dc=com \
    --ldifFile ~/dyngrp.ldif \
    --adminConnectorPort 4444
  The output should look similar to this:
  Oracle Unified Directory 12.2.1.4.0
  Please wait while the setup program initializes...
  Creating instance directory /u01/app/oracle/config/oud_instances/oud_dyngrp/OUD .....Done.
  See /u01/app/oracle/config/oud_instances/oud_dyngrp/OUD/logs/oud-setup for a detailed log of this operation.
  Configuring Directory Server ..... Done.
  Importing LDIF file /u01/app/home/oracle/sampledata.ldif .......
  Processed 15 entries, imported 15, skipped 0, rejected 0 and migrated 0 in 0 seconds (average rate 18.9/sec)
  Starting Directory Server ....... Done.
  To see basic server configuration status and configuration you can launch /u01/app/oracle/config/oud_instances/oud_dyngrp/OUD/bin/status
- Verify that the oud_dyngrp instance is running:
  $ cd $OUD_INSTANCES/oud_dyngrp/OUD/bin
  $ ./status -D "cn=Directory Manager" -j ~/pwd.txt -X -n
  The output should look similar to this:
  --- Server Status ---
  Server Run Status: Started
  Open Connections: 1
View Sample Data
- Navigate to the OUD instance directory:
  cd $OUD_INSTANCES/oud_dyngrp/OUD/bin
- Run the following ldapsearch command to view the group data:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "ou=groups,dc=example,dc=com" \
    "objectclass=*"
  The output should look similar to this:
  dn: ou=Groups,dc=example,dc=com
  ou: Groups
  objectClass: top
  objectClass: organizationalunit

  dn: cn=StaticGroup,ou=groups,dc=example,dc=com
  uniqueMember: uid=alutz, ou=People, dc=example,dc=com
  uniqueMember: uid=lulrich, ou=People, dc=example,dc=com
  objectClass: top
  objectClass: groupofuniquenames
  cn: StaticGroup

  dn: cn=DynGroup,ou=groups,dc=example,dc=com
  objectClass: top
  objectClass: groupOfUrls
  memberURL: ldap:///ou=people,dc=example,dc=com??sub?(l=Santa Clara)
  cn: DynGroup
  Note: You have two types of group here. The static group cn=StaticGroup,ou=groups,dc=example,dc=com defines members using the uniqueMember attribute. The dynamic group cn=DynGroup,ou=groups,dc=example,dc=com defines members using the memberURL attribute, which specifies that any person in the branch ou=people,dc=example,dc=com where l=Santa Clara is a member of the group.
- Run the following ldapsearch command to view members of the static group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "" \
    "objectclass=groupofuniquenames" \
    uniqueMember
  The output should look similar to this:
  dn: cn=StaticGroup,ou=groups,dc=example,dc=com
  uniqueMember: uid=alutz, ou=People, dc=example,dc=com
  uniqueMember: uid=lulrich, ou=People, dc=example,dc=com
  Note: The 2 members of the static group are displayed.
- Run the following ldapsearch command to view members of the dynamic group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "" \
    "objectclass=groupofURLs" \
    uniqueMember
  The output should look similar to this:
  dn: cn=DynGroup,ou=groups,dc=example,dc=com
  Note: Although the group DN is displayed, no members (uniquemember) of the dynamic group are displayed.
- Run the following ldapsearch command to check membership of the static group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "ou=groups,dc=example,dc=com" \
    "(&(cn=StaticGroup)(uniqueMember=uid=alutz,ou=People,dc=example,dc=com))" \
    dn
  The output should look similar to this:
  dn: cn=StaticGroup,ou=groups,dc=example,dc=com
  Note: The DN of the group of which uid=alutz is a member is displayed.
- Run the following ldapsearch command to check membership of the dynamic group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "ou=groups,dc=example,dc=com" \
    "(&(cn=DynGroup)(uniqueMember=uid=achassin,ou=People,dc=example,dc=com))" \
    dn
  Note: There is no output for this search.
We will reuse these searches later in this tutorial to demonstrate the effect of applying the DynamicGroups WFE.
Create a DynamicGroups Workflow Element
In this section, you'll create a DynamicGroups WFE and associate it with a network group.
- Navigate to the OUD instance directory:
  cd $OUD_INSTANCES/oud_dyngrp/OUD/bin
- Use the dsconfig command to create a DynamicGroups workflow element, dgwe:
  ./dsconfig create-workflow-element \
    --set enabled:true \
    --set global-search:true \
    --set next-workflow-element:userRoot \
    --set user-search-base:dc=example,dc=com \
    --type dynamic-groups \
    --element-name dgwe \
    --hostname oud.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll
- Use the dsconfig command to create a generic workflow, dgw, for the workflow element dgwe:
  ./dsconfig create-workflow \
    --set enabled:true \
    --set base-dn:dc=example,dc=com \
    --set workflow-element:dgwe \
    --type generic \
    --workflow-name dgw \
    --hostname oud.example.com \
    --port 4444 \
    --portProtocol LDAP \
    --bindDN cn="Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll
- Use the dsconfig command to create and enable a network group, NG1, with the dgw workflow assigned to it:
  ./dsconfig create-network-group \
    --group-name NG1 \
    --set enabled:true \
    --set workflow:dgw \
    --set priority:1 \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll
Search for Dynamic Group Entries with the DynamicGroup WFE Enabled
- Run the following ldapsearch command to view members of the dynamic group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "" \
    "objectclass=groupofURLs" \
    uniqueMember
  The output should look similar to this:
  dn: cn=DynGroup,ou=groups,dc=example,dc=com
  uniqueMember: uid=achassin,ou=People,dc=example,dc=com
  uniqueMember: uid=jcampai2,ou=People,dc=example,dc=com
  uniqueMember: uid=jfalena,ou=People,dc=example,dc=com
  uniqueMember: uid=alutz,ou=People,dc=example,dc=com
  uniqueMember: uid=btalbo2,ou=People,dc=example,dc=com
  uniqueMember: uid=hmiller,ou=People,dc=example,dc=com
  uniqueMember: uid=striplet,ou=People,dc=example,dc=com
  Note: All the members of the dynamic group are displayed as uniquemember.
- Run the following ldapsearch command to check membership of the dynamic group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "ou=groups,dc=example,dc=com" \
    "(&(cn=DynGroup)(uniqueMember=uid=achassin,ou=People,dc=example,dc=com))" \
    dn
  The output should look similar to this:
  dn: cn=DynGroup,ou=groups,dc=example,dc=com
  Note: This time the DN of the Dynamic Group is returned, indicating that uid=achassin is a member of the group.
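The group expansion described in Background and exercised by the searches above, as an added example that is not part of this tutorial and is not Oracle's code: a small in-memory model of what a DynamicGroups-style workflow element does. It parses the memberURL of a groupOfURLs entry as an RFC 4516 LDAP URL (base DN, scope, filter), evaluates the filter over the user entries, and presents the matches as uniqueMember values, so the same membership filter the tutorial runs against StaticGroup also answers for DynGroup. The DIRECTORY dictionary is a constructed stand-in for dyngrp.ldif (names and attributes assumed, not the real sample data), the filter parser handles only equality, presence and the &, |, ! operators, and adding the groupOfUniqueNames objectclass to the virtual view is an assumption about what "equivalent" means in the WFE.

```python
"""Added illustration of DynamicGroups-style memberURL expansion (not Oracle's code)."""
from urllib.parse import unquote

DN_ATTRS = {"uniquemember", "member"}   # DN-valued attributes: compare normalised DNs


def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no blanks around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed stand-in for the tutorial's dyngrp.ldif (assumed entries, minimal attributes).
DIRECTORY = {
    "uid=alutz,ou=people,dc=example,dc=com": {"objectclass": ["person"], "l": ["Santa Clara"]},
    "uid=achassin,ou=people,dc=example,dc=com": {"objectclass": ["person"], "l": ["Santa Clara"]},
    "uid=lulrich,ou=people,dc=example,dc=com": {"objectclass": ["person"], "l": ["Cupertino"]},
    "cn=staticgroup,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupofuniquenames"], "cn": ["StaticGroup"],
        "uniquemember": ["uid=alutz, ou=People, dc=example,dc=com",
                         "uid=lulrich, ou=People, dc=example,dc=com"]},
    "cn=dyngroup,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfUrls"], "cn": ["DynGroup"],
        "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?(l=Santa Clara)"]},
}


def parse_member_url(url):
    """Split an LDAP URL into (base DN, scope, filter); host, attrs and extensions are ignored."""
    scheme, _, rest = url.partition("://")
    if scheme.lower() != "ldap":
        raise ValueError("unsupported memberURL scheme: " + scheme)
    _host, _, path = rest.partition("/")
    dn, _attrs, scope, filt = (path.split("?") + [""] * 4)[:4]
    return norm_dn(unquote(dn)), (scope or "base").lower(), unquote(filt) or "(objectclass=*)"


def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (attr=value), (attr=*) and the &, |, ! operators."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ')'
    j = s.index(")", i)                    # no escape handling: values contain no ')'
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are lowercase keys)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence filter, e.g. (objectclass=*)
        return bool(values)
    if attr in DN_ATTRS:
        return any(norm_dn(v) == norm_dn(value) for v in values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(dn, base, scope):
    """Scope test; base "" stands for the root, as in the tutorial's -b "" searches."""
    if base == "":
        return True
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]   # "one": a single RDN below base


def expand_dynamic_group(group, directory):
    """The uniqueMember list a DynamicGroups-style WFE would present for a groupOfURLs entry."""
    members = []
    for url in group.get("memberurl", []):
        base, scope, filt = parse_member_url(url)
        node, _ = parse_filter(filt)
        for dn, entry in directory.items():
            if in_scope(dn, base, scope) and matches(node, entry) and dn not in members:
                members.append(dn)
    return members


def search(directory, base, filter_str, wfe_enabled=True):
    """Subtree search returning [(dn, entry)]. With the WFE on, a groupOfURLs entry is
    viewed with computed uniqueMember values (and, assumed here, the groupOfUniqueNames
    objectclass); with it off, the raw entry is matched and has no members to show."""
    node, _ = parse_filter(filter_str)
    base, hits = norm_dn(base), []
    for dn, entry in directory.items():
        if not in_scope(dn, base, "sub"):
            continue
        view = dict(entry)
        if wfe_enabled and any(v.lower() == "groupofurls" for v in entry.get("objectclass", [])):
            view["objectclass"] = entry["objectclass"] + ["groupofuniquenames"]
            view["uniquemember"] = expand_dynamic_group(entry, directory)
        if matches(node, view):
            hits.append((dn, view))
    return hits


MEMBERSHIP = "(&(cn=DynGroup)(uniqueMember=uid=achassin,ou=People,dc=example,dc=com))"

if __name__ == "__main__":
    for enabled in (True, False):   # mirrors enabling and disabling network group NG1
        hits = search(DIRECTORY, "ou=groups,dc=example,dc=com", MEMBERSHIP, enabled)
        print("WFE %s: %s" % ("enabled" if enabled else "disabled", [dn for dn, _ in hits]))
```

Running the block prints the DynGroup DN for the enabled case and an empty list for the disabled case, which is the same contrast the tutorial shows by toggling NG1. The membership filter never changes between the two runs; only the server-side view of the group does, which is the point of the WFE for applications that cannot evaluate memberURL themselves. Note that membership is recomputed from the users' l attribute on every search, so the answer to an authorization check changes as soon as a user entry changes, with no group modification to audit.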
Search for Dynamic Group Entries with the DynamicGroup WFE Disabled
Disable the network group NG1 so that no client requests can be handled by that network group. This has the effect of disabling the DynamicGroups WFE.
- Use the dsconfig command to disable the NG1 network group:
  ./dsconfig set-network-group-prop \
    --group-name NG1 \
    --set enabled:false \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll
- Run the following ldapsearch command to view members of the dynamic group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "" \
    "objectclass=groupofURLs" \
    uniqueMember
  The output should look similar to this:
  dn: cn=DynGroup,ou=groups,dc=example,dc=com
  Note: With the DynamicGroups WFE disabled, although the group DN is displayed, no members (uniquemember) of the dynamic group are displayed.
- Run the following ldapsearch command to check membership of the dynamic group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "ou=groups,dc=example,dc=com" \
    "(&(cn=DynGroup)(uniqueMember=uid=achassin,ou=People,dc=example,dc=com))" \
    dn
  Note: With the DynamicGroups WFE disabled, there is no output for this search.
Search for Dynamic Group Entries with the DynamicGroup WFE Re-Enabled
Re-enable the network group NG1. This has the effect of re-enabling the DynamicGroups WFE, and allowing dynamic group information to be displayed.
- Use the dsconfig command to enable the NG1 network group:
  ./dsconfig set-network-group-prop \
    --group-name NG1 \
    --set enabled:true \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --no-prompt \
    --trustAll
- Run the following ldapsearch command to view members of the dynamic group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "" \
    "objectclass=groupofURLs" \
    uniqueMember
  The output should look similar to this:
  dn: cn=DynGroup,ou=groups,dc=example,dc=com
  uniqueMember: uid=achassin,ou=People,dc=example,dc=com
  uniqueMember: uid=jcampai2,ou=People,dc=example,dc=com
  uniqueMember: uid=jfalena,ou=People,dc=example,dc=com
  uniqueMember: uid=alutz,ou=People,dc=example,dc=com
  uniqueMember: uid=btalbo2,ou=People,dc=example,dc=com
  uniqueMember: uid=hmiller,ou=People,dc=example,dc=com
  uniqueMember: uid=striplet,ou=People,dc=example,dc=com
  Note: With the DynamicGroups WFE re-enabled, all the members of the dynamic group are displayed as uniquemember.
- Run the following ldapsearch command to check membership of the dynamic group:
  ./ldapsearch -h oud.example.com \
    -p 1389 \
    -D cn="Directory Manager" \
    -w <password> \
    -s sub \
    -b "ou=groups,dc=example,dc=com" \
    "(&(cn=DynGroup)(uniqueMember=uid=achassin,ou=People,dc=example,dc=com))" \
    dn
  The output should look similar to this:
  dn: cn=DynGroup,ou=groups,dc=example,dc=com
  Note: With the DynamicGroups WFE re-enabled, the DN of the Dynamic Group is returned, indicating that uid=achassin is a member of the group.
Feedback
To provide feedback on this tutorial, please contact Identity Management User Assistance.