Oracle by Example: Configure the Identity Mapper With Oracle Unified Directory 12c

Before You Begin

This 15-minute tutorial shows you how to configure and verify identity mappers with Oracle Unified Directory 12c. These provide a replacement for UPNBind Plugin functionality previously provided by Oracle Virtual Directory 11g.

This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.

Background

Identity Mappers are responsible for establishing a mapping between an identifier string provided by a client, and the entry for the user that corresponds to that identifier. Oracle Unified Directory 12c provides support, via Identity Mappers, to allow simple binds using any configured username attribute, such as cn, SamAccountName, sn, and uid.

What Do You Need?

  • An environment with:
    • At least 16 GB of physical memory
    • Oracle Enterprise Linux 6.6 or later with access to the Internet
    • oracle user credentials
  • A basic understanding of Linux

This tutorial assumes that you have already installed and configured the following:

  • Oracle Unified Directory (OUD) 12c
  • The identitymappersdata.ldif sample data file, which is imported into the OUD instance in Section 1
  • This OBE assumes that the following environment variables are defined:
    • OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
    • OUD_INSTANCES=/u01/app/oracle/config/oud_instances

Section 1: Configure a Directory Server Instance

In this section, you'll use the oud-setup utility to set up an Oracle Unified Directory 12c server instance.

  1. Navigate to the OUD_ORACLE_HOME directory, where the Oracle Unified Directory 12c software is installed. Run the oud-setup utility from the command line to set up an Oracle Unified Directory server instance.
    # $OUD_ORACLE_HOME/oud-setup \
    --cli \
    --no-prompt \
    --hostname oud.example.com \
    --ldapPort 1389 \
    --rootUserDN "cn=Directory Manager" \
    --rootUserPasswordFile ~/pwd.txt \
    --baseDN dc=example,dc=com \
    --adminConnectorPort 4444 \
    --instancePath /u01/app/oracle/config/oud_instances/idmap \
    --ldifFile ~/identitymappersdata.ldif
    The output should look similar to this:
    Oracle Unified Directory
    Please wait while the setup program initializes...
    Creating instance directory /u01/app/oracle/config/oud_instances/idmap/.....Done.
    See /u01/app/oracle/config/oud_instances/idmap/logs/oud-setup for a detailed log of this operation.
    Configuring Directory Server ..... Done.
    Importing LDIF file /home/oracle/identitymappersdata.ldif ........ Processed 15 entries, imported 15, skipped 0, rejected 0 and migrated 0 in 0 seconds (average rate 15.8/sec)
    Starting Directory Server ........ Done.
    To see basic server configuration status and configuration you can launch /u01/app/oracle/config/oud_instances/idmap/bin/status
    Note: The ~/pwd.txt should contain the password that you want to assign to your OUD Administrator.

Section 2: Configure an Exact Match Identity Mapper at Global Level

In this section, you'll use the dsconfig utility to set up an Exact Match Identity Mapper that allows users to bind using their uid.

  1. Configure the Exact Match identity mapper at global level using the dsconfig command with the following parameters. Make sure the property non-dn-simple-bind-allowed is set to true to enable simple binds for non-DN attributes.
    # cd $OUD_INSTANCES/idmap/bin
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-global-configuration-prop --add "generic-identity-mapper:Exact Match" \
    --set "non-dn-simple-bind-allowed:true" \
    --trustAll \
    --no-prompt
  2. Use the dsconfig command to see the default configured match-attribute value (uid) for the Exact Match Identity Mapper you configured in Step 1.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    get-identity-mapper-prop --mapper-name "Exact Match" \
    --trustAll \
    --no-prompt
    The output should look similar to this:
    Property        : Value(s)
    ----------------:---------
    enabled         : true
    match-attribute : uid
    match-base-dn   : -
    match-pattern   : (.)*
    priority        : 1
  3. Execute the ldapsearch command to confirm that you can bind to the directory with the default configured bind user attribute uid.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "asales" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=asales)" dn cn uid mail

    The output should look similar to this:

    dn: uid=asales,ou=People,dc=example,dc=com
    mail: asales@example.com
    cn: Anthony Sales
    uid: asales


Section 3: Configure an Additional Match Attribute for the Exact Match Identity Mapper at Global Level

In this section, you will use the dsconfig utility to set up an additional match-attribute that allows users to bind using their mail attribute in addition to uid.

  1. Configure an additional match-attribute mail for your Exact Match generic identity mapper.
    # cd $OUD_INSTANCES/idmap/bin 
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Exact Match" \
    --add "match-attribute:mail" \
    --trustAll \
    --no-prompt 
  2. Execute the dsconfig command to see the configured match-attribute values (mail and uid) for the Exact Match generic identity mapper configured in the previous step.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    get-identity-mapper-prop --mapper-name "Exact Match" \
    --trustAll \
    --no-prompt 
    The output should look similar to this:
    Property        : Value(s)
    ----------------:----------
    enabled         : true
    match-attribute : mail, uid
    match-base-dn   : -
    match-pattern   : (.)*
    priority        : 1
  3. Execute the ldapsearch command to test binding with the default configured match-attribute uid.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "jjones" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=jjones)" dn cn uid mail
    
    The output should look similar to this:
    dn: uid=jjones,ou=People,dc=example,dc=com
    mail: jjones@example.com
    cn: Jim Jones
    uid: jjones
  4. Now execute the ldapsearch command to test binding with the same user, but using the other configured match-attribute mail.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "jjones@example.com" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(mail=jjones@example.com)" dn cn uid mail

    The output should look similar to this:

    dn: uid=jjones,ou=People,dc=example,dc=com
    mail: jjones@example.com
    cn: Jim Jones
    uid: jjones
    The LDAP bind is successful with both user attributes, uid and mail. This demonstrates how you can configure multiple user attributes as identity strings in OUD 12c.


Section 4: Configure Match and Replace Identity Mapper at Global Level

In this section you will configure the Match and Replace Identity Mapper. This allows you to use a regular expression to translate your provided identifier in binds.

  1. Configure the Match and Replace Identity Mapper at global level using the dsconfig command.
    # cd $OUD_INSTANCES/idmap/bin 
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-global-configuration-prop \
    --add "generic-identity-mapper:Match And Replace" \
    --trustAll \
    --no-prompt 
  2. Execute the dsconfig command to configure the match-attribute value to the sn attribute.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Match And Replace" \
    --set "match-attribute:sn" \
    --trustAll \
    --no-prompt 
  3. Execute the dsconfig command to see the configured match-attribute value (sn) for the Identity Mapper configured in the previous step.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    get-identity-mapper-prop --mapper-name "Match And Replace" \
    --trustAll \
    --no-prompt 
    The output should look similar to this:
    Property        : Value(s)
    ----------------:-------------
    enabled         : true
    match-attribute : sn
    match-base-dn   : -
    match-pattern   : ^([^@]+)@.+$
    priority        : 1
    replace-pattern : $1
  4. Execute the ldapsearch command to test binding against the configured bind user attribute sn.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "Kral@example.com" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=ikral)" dn cn uid mail sn

    The output should look similar to this:

    dn: uid=ikral,ou=People,dc=example,dc=com
    mail: ikral@example.com
    sn: Kral
    cn: Ivan Kral
    uid: ikral

    In this example, the Identity Mapper has mapped the username from the mail address (the part before the '@'), 'Kral', to the sn attribute.

  5. You can try the ldapsearch command with another value, for example Andrews@example.com.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "Andrews@example.com" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=bandrews)" dn cn uid mail sn

    In this case the username 'Andrews' is mapped to the sn attribute.

    dn: uid=bandrews,ou=People,dc=example,dc=com
    mail: bandrews@example.com
    sn: Andrews
    cn: Barry Andrews
    uid: bandrews

Section 5: Verify Simple Bind for Duplicated Attributes

In this section you will perform a simple bind on an attribute which has a duplicate value in more than one entry to see how the Exact Match Identity Mapper handles this scenario.

  1. Execute the ldapsearch command to show entries which have an sn attribute value of 'Jones'.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    "(sn=Jones)" dn sn
    The output should look similar to this:
    dn: uid=jjones,ou=People,dc=example,dc=com
    sn: Jones
    dn: uid=sjones,ou=People,dc=example,dc=com
    sn: Jones
  2. Execute the dsconfig command to add the match-attribute sn to the Exact Match Identity Mapper.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Exact Match" \
    --set "match-attribute:sn" \
    --trustAll \
    --no-prompt 
  3. Execute the dsconfig command to see the configured match-attribute value for the Exact Match Identity Mapper. Because the previous step used --set rather than --add, sn has replaced the earlier values mail and uid, as the output below shows.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    get-identity-mapper-prop --mapper-name "Exact Match" \
    --trustAll \
    --no-prompt 
    The output should look similar to this:
    Property        : Value(s)
    ----------------:----------
    enabled         : true
    match-attribute : sn
    match-base-dn   : -
    match-pattern   : (.)*
    priority        : 1
  4. Execute the ldapsearch command to test a simple bind using the sn attribute.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "Jones" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(sn=Jones)" dn cn uid mail

    The output should look similar to this:

    The simple bind attempt failed
    Result Code: 49 (Invalid Credentials)
    The LDAP bind fails when more than one entry has the same value for the configured attribute. Here the configured attribute is sn, and the entries uid=jjones and uid=sjones both have the sn value Jones.
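    The behaviour shown in Sections 4 and 5 can be reasoned about without a running server. The following Python model is an added example, not OUD code or part of this tutorial: it applies a Match and Replace mapper's match-pattern and replace-pattern to the bind identifier, looks the result up against the configured match-attribute values, and refuses the bind when zero or more than one entry matches, collapsing every failure to result code 49 exactly as the ldapsearch output above does. The entries, sn values and cleartext passwords are constructed for the example (the real identitymappersdata.ldif is not reproduced on the page), and the pass-through of an identifier that does not match the pattern is an assumption, not documented OUD behaviour.

```python
import re
from typing import Dict, List, Optional

# Constructed sample entries in the shape of the tutorial's identitymappersdata.ldif.
# The real file is not reproduced on the page, so the sn values and the cleartext
# passwords below are assumptions for this example only (a real directory stores
# password hashes, never cleartext).
ENTRIES: List[Dict[str, str]] = [
    {"dn": "uid=asales,ou=People,dc=example,dc=com", "uid": "asales", "sn": "Sales",
     "mail": "asales@example.com", "userPassword": "asales-pw"},
    {"dn": "uid=jjones,ou=People,dc=example,dc=com", "uid": "jjones", "sn": "Jones",
     "mail": "jjones@example.com", "userPassword": "jjones-pw"},
    {"dn": "uid=sjones,ou=People,dc=example,dc=com", "uid": "sjones", "sn": "Jones",
     "mail": "sjones@example.com", "userPassword": "sjones-pw"},
    {"dn": "uid=ikral,ou=People,dc=example,dc=com", "uid": "ikral", "sn": "Kral",
     "mail": "ikral@example.com", "userPassword": "ikral-pw"},
]

# Mapper definitions mirroring the dsconfig properties shown on the page.
EXACT_MATCH = {"match-attribute": ["mail", "uid"], "match-pattern": r"(.)*"}
EXACT_MATCH_SN = {"match-attribute": ["sn"], "match-pattern": r"(.)*"}
MATCH_AND_REPLACE = {"match-attribute": ["sn"], "match-pattern": r"^([^@]+)@.+$",
                     "replace-pattern": "$1"}

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def java_to_python_replacement(replace_pattern: str) -> str:
    """dsconfig's replace-pattern uses Java-style group references ($1);
    Python's re.sub expects \\1, so rewrite them before substituting."""
    return re.sub(r"\$(\d+)", r"\\\1", replace_pattern)


def translate_identifier(identifier: str, mapper: Dict) -> str:
    """Apply match-pattern/replace-pattern to the string supplied in the bind.
    An Exact Match mapper has no replace-pattern, so its identifier is unchanged.
    Assumption: an identifier that does not match the pattern passes through untouched."""
    replace = mapper.get("replace-pattern")
    if replace is None:
        return identifier
    return re.sub(mapper["match-pattern"], java_to_python_replacement(replace), identifier)


def resolve_entry(identifier: str, mapper: Dict, entries: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the single entry whose configured match-attribute equals the translated
    identifier. uid, sn and mail use case-insensitive LDAP matching rules, hence lower().
    Zero hits or more than one hit both yield None: the mapper cannot choose an entry."""
    value = translate_identifier(identifier, mapper).lower()
    hits = [e for e in entries
            if any(e.get(attr, "").lower() == value for attr in mapper["match-attribute"])]
    return hits[0] if len(hits) == 1 else None


def simple_bind(identifier: str, password: str, mapper: Dict,
                entries: List[Dict[str, str]] = ENTRIES) -> int:
    """Model a non-DN simple bind: map the identifier to exactly one entry, then check
    the password. Every failure collapses to result code 49 (Invalid Credentials), as in
    the tutorial's output, so the client cannot distinguish 'unknown identifier',
    'ambiguous identifier' and 'wrong password'."""
    entry = resolve_entry(identifier, mapper, entries)
    if entry is None or entry["userPassword"] != password:
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


if __name__ == "__main__":
    print(translate_identifier("Kral@example.com", MATCH_AND_REPLACE))     # Kral
    print(simple_bind("Kral@example.com", "ikral-pw", MATCH_AND_REPLACE))  # 0
    print(simple_bind("jjones@example.com", "jjones-pw", EXACT_MATCH))     # 0
    print(simple_bind("Jones", "jjones-pw", EXACT_MATCH_SN))               # 49: two sn=Jones entries
```

    The ambiguous case is the one to watch when choosing a match-attribute: only attributes that are unique across the whole match-base-dn (uid, mail) give every user a working bind, whereas a shared value such as sn silently locks out everyone who shares it, and the server-side access log rather than the client's result code is where that cause becomes visible.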


Section 6: Configure Identity Mapper at Network Group Level

In this section you will configure Identity Mappers at the network group and global levels. This will demonstrate how network group level Identity Mappers take priority over global level Identity Mappers.

  1. Configure an Exact Match Identity Mapper at the network group level using the dsconfig command.
    
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-network-group-prop --group-name network-group \
    --add "generic-identity-mapper:Exact Match" \
    --trustAll \
    --no-prompt 
  2. Set the priority for this Identity Mapper using the dsconfig command.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Exact Match" \
    --set "priority:2" \
    --trustAll \
    --no-prompt 
  3. Set the match-attribute for this Identity Mapper to sn.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Exact Match" \
    --set "match-attribute:sn" \
    --trustAll \
    --no-prompt 
  4. Configure a Match and Replace Identity Mapper at the global level using the dsconfig command.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Match and Replace" \
    --set "priority:1" \
    --trustAll \
    --no-prompt 
  5. Set the match-attribute for this Identity Mapper to uid.
    # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Match and Replace" \
    --set "match-attribute:uid" \
    --trustAll \
    --no-prompt 
  6. Execute the ldapsearch command to test a simple bind using the configured bind user attribute uid. In this case the Match and Replace Identity Mapper extracts 'ikral' from the mail address provided and attempts to match against the uid attribute.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "ikral@example.com" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=ikral)" dn cn uid mail
    The output should look similar to this:
    The simple bind attempt failed.
    Result Code: 49 (Invalid Credentials)

    This bind fails even though the string passed matches uid. This is because the network group level Identity Mapper takes precedence over the global level Identity Mapper.

  7. Execute the ldapsearch command to test a simple bind using the sn attribute.
    # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN  "Kral" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=ikral)" dn cn uid mail sn
    The output should look similar to this:
    dn: uid=ikral,ou=People,dc=example,dc=com
    mail: ikral@example.com
    sn: Kral
    cn: Ivan Kral
    uid: ikral

    In this example, the bind is successful as it meets the requirements of the network group level Identity Mapper.


Want to Learn More?


Feedback

To provide feedback on this tutorial, please contact Identity Management User Assistance.