Before You Begin
This 15-minute tutorial shows you how to configure and verify identity mappers with Oracle Unified Directory 12c. These provide a replacement for UPNBind Plugin functionality previously provided by Oracle Virtual Directory 11g.
This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.
Background
Identity Mappers are responsible for establishing a mapping between an identifier string provided by a client and the entry for the user that corresponds to that identifier. Oracle Unified Directory 12c provides support, via Identity Mappers, for simple binds using any configured username attribute, such as cn, SamAccountName, sn, and uid.
What Do You Need?
- An environment with:
  - At least 16 GB of physical memory
  - Oracle Enterprise Linux 6.6 or later with access to the Internet
  - oracle user credentials
- A basic understanding of Linux
This tutorial assumes that you have already installed and configured the following:
- Oracle Unified Directory (OUD) 12c
- The identitymappersdata.ldif sample data file, which the oud-setup step below imports into the OUD instance.
This tutorial also assumes that the following environment variables are defined:
  OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
  OUD_INSTANCES=/u01/app/oracle/config/oud_instances
Configure a Directory Server Instance
In this section, you'll use the oud-setup utility to set up an Oracle Unified Directory 12c server instance.
- Navigate to the OUD_ORACLE_HOME directory, where the Oracle Unified Directory 12c software is installed. Run the oud-setup utility from the command line to set up an Oracle Unified Directory server instance and import the sample data in the same step.
  # $OUD_ORACLE_HOME/oud-setup \
    --cli \
    --no-prompt \
    --hostname oud.example.com \
    --ldapPort 1389 \
    --rootUserDN "cn=Directory Manager" \
    --rootUserPasswordFile ~/pwd.txt \
    --baseDN dc=example,dc=com \
    --adminConnectorPort 4444 \
    --instancePath /u01/app/oracle/config/oud_instances/idmap \
    --ldifFile ~/identitymappersdata.ldif
  The output should look similar to this:
  Oracle Unified Directory
  Please wait while the setup program initializes...
  Creating instance directory /u01/app/oracle/config/oud_instances/idmap/.....Done.
  See /u01/app/oracle/config/oud_instances/idmap/logs/oud-setup for a detailed log of this operation.
  Configuring Directory Server ..... Done.
  Importing LDIF file /home/oracle/identitymappersdata.ldif ........
  Processed 15 entries, imported 15, skipped 0, rejected 0 and migrated 0 in 0 seconds (average rate 15.8/sec)
  Starting Directory Server ........ Done.
  To see basic server configuration status and configuration you can launch /u01/app/oracle/config/oud_instances/idmap/bin/status
  Note: ~/pwd.txt should contain the password that you want to assign to your OUD Administrator (cn=Directory Manager). Because it holds the directory's root credential, keep it readable only by the oracle user (for example, chmod 600 ~/pwd.txt). The ldapsearch tests later in this tutorial bind as sample users with this same password file, so the users in identitymappersdata.ldif must have that same password.
Configure an Exact Match Identity Mapper at Global Level
In this section, you'll use the dsconfig utility to set up an Exact Match Identity Mapper that allows users to bind using their uid.
- Configure the Exact Match identity mapper at global level using the dsconfig command with the following parameters. Make sure the property non-dn-simple-bind-allowed is set to true to enable simple binds with non-DN identifiers; without it, a simple bind whose name is not a DN is rejected. The --trustAll option accepts the administration connector's certificate without verifying it, which is acceptable for this lab instance; in production, point dsconfig at a trust store (--trustStorePath) instead.
  # cd $OUD_INSTANCES/idmap/bin
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-global-configuration-prop \
    --add "generic-identity-mapper:Exact Match" \
    --set "non-dn-simple-bind-allowed:true" \
    --trustAll \
    --no-prompt
- Use the dsconfig command to see the default configured match attribute value, uid, for the Exact Match Identity Mapper you configured in Step 1.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    get-identity-mapper-prop --mapper-name "Exact Match" \
    --trustAll \
    --no-prompt
  The output should look similar to this:
  Property         : Value(s)
  -----------------:---------
  enabled          : true
  match-attribute  : uid
  match-base-dn    : -
  match-pattern    : (.)*
  priority         : 1
- Execute the ldapsearch command to confirm that you can bind to the directory with the default configured bind user attribute uid. The bind name "asales" is not a DN; the Identity Mapper resolves it to the entry whose uid is asales, and the password is then checked against that entry.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "asales" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=asales)" dn cn uid mail
  The output should look similar to this:
  dn: uid=asales,ou=People,dc=example,dc=com
  mail: asales@example.com
  cn: Anthony Sales
  uid: asales
Configure an Additional Match Attribute for the Exact Match Identity Mapper at Global Level
In this section, you will use the dsconfig utility to set up an additional match-attribute that allows users to bind using their mail attribute in addition to uid.
- Configure an additional match-attribute, mail, for your Exact Match generic identity mapper. Use --add, not --set, so that the existing uid value is kept.
  # cd $OUD_INSTANCES/idmap/bin
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Exact Match" \
    --add "match-attribute:mail" \
    --trustAll \
    --no-prompt
- Execute the dsconfig command to see the configured match-attribute values, mail and uid, for the Exact Match generic identity mapper configured in the previous step.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    get-identity-mapper-prop --mapper-name "Exact Match" \
    --trustAll \
    --no-prompt
  The output should look similar to this:
  Property         : Value(s)
  -----------------:----------
  enabled          : true
  match-attribute  : mail, uid
  match-base-dn    : -
  match-pattern    : (.)*
  priority         : 1
- Execute the ldapsearch command to test binding with the default configured match-attribute uid.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "jjones" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=jjones)" dn cn uid mail
  The output should look similar to this:
  dn: uid=jjones,ou=People,dc=example,dc=com
  mail: jjones@example.com
  cn: Jim Jones
  uid: jjones
- Now execute the ldapsearch command to test binding with the same user, but using the other configured match-attribute, mail.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "jjones@example.com" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(mail=jjones@example.com)" dn cn uid mail
  The output should look similar to this:
  dn: uid=jjones,ou=People,dc=example,dc=com
  mail: jjones@example.com
  cn: Jim Jones
  uid: jjones
  The LDAP bind is successful with both user attributes, uid and mail. This demonstrates how you can configure multiple user attributes as identity strings in OUD 12c.
Configure Match and Replace Identity Mapper at Global Level
In this section you will configure the Match and Replace Identity Mapper. This mapper applies a regular expression to the identifier a client supplies in a simple bind and rewrites it before it is compared with the match attribute.
- Configure the Match and Replace Identity Mapper at global level using the dsconfig command.
  # cd $OUD_INSTANCES/idmap/bin
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-global-configuration-prop \
    --add "generic-identity-mapper:Match And Replace" \
    --trustAll \
    --no-prompt
- Execute the dsconfig command to set the match-attribute value to the sn attribute.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Match And Replace" \
    --set "match-attribute:sn" \
    --trustAll \
    --no-prompt
- Execute the dsconfig command to see the configured match-attribute value sn for the Identity Mapper configured in the previous step. The match-pattern ^([^@]+)@.+$ and replace-pattern $1 were not set above; they are the mapper's preconfigured values. Together they keep the part of the identifier before the '@' and discard the domain, so a UPN-style bind name such as user@example.com is reduced to user before it is compared with sn.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    get-identity-mapper-prop --mapper-name "Match And Replace" \
    --trustAll \
    --no-prompt
  The output should look similar to this:
  Property         : Value(s)
  -----------------:-------------
  enabled          : true
  match-attribute  : sn
  match-base-dn    : -
  match-pattern    : ^([^@]+)@.+$
  priority         : 1
  replace-pattern  : $1
- Execute the ldapsearch command to test binding against the configured bind user attribute sn.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "Kral@example.com" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=ikral)" dn cn uid mail sn
  The output should look similar to this:
  dn: uid=ikral,ou=People,dc=example,dc=com
  mail: ikral@example.com
  sn: Kral
  cn: Ivan Kral
  uid: ikral
  In this example, the Identity Mapper has extracted the part of the bind name before the '@', 'Kral', and matched it against the sn attribute.
- You can try the ldapsearch command with another value, for example Andrews@example.com.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "Andrews@example.com" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=bandrews)" dn cn uid mail sn
  In this case the username 'Andrews' is matched against the sn attribute:
  dn: uid=bandrews,ou=People,dc=example,dc=com
  mail: bandrews@example.com
  sn: Andrews
  cn: Barry Andrews
  uid: bandrews
Verify Simple Bind for Duplicated Attributes
In this section you will perform a simple bind using an attribute that has the same value in more than one entry, to see how the Exact Match Identity Mapper handles this scenario.
- Execute the ldapsearch command to show the entries whose sn attribute has the value 'Jones'.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    "(sn=Jones)" dn sn
  The output should look similar to this:
  dn: uid=jjones,ou=People,dc=example,dc=com
  sn: Jones

  dn: uid=sjones,ou=People,dc=example,dc=com
  sn: Jones
- Execute the dsconfig command to set the match-attribute of the Exact Match Identity Mapper to sn. Note that --set replaces the existing values (mail and uid) with sn; if you wanted to keep them as well, you would use --add "match-attribute:sn" instead. The remaining steps assume --set, so only sn is used for matching.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Exact Match" \
    --set "match-attribute:sn" \
    --trustAll \
    --no-prompt
- Execute the dsconfig command to confirm that the match-attribute of the Exact Match Identity Mapper is now sn only.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    get-identity-mapper-prop --mapper-name "Exact Match" \
    --trustAll \
    --no-prompt
  The output should look similar to this:
  Property         : Value(s)
  -----------------:----------
  enabled          : true
  match-attribute  : sn
  match-base-dn    : -
  match-pattern    : (.)*
  priority         : 1
- Execute the ldapsearch command to test a simple bind using the sn attribute.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "Jones" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(sn=Jones)" dn cn uid mail
  The output should look similar to this:
  The simple bind attempt failed
  Result Code: 49 (Invalid Credentials)
  The LDAP bind fails if more than one entry has the same value for the configured attribute. Here the configured attribute is sn, and the entries for uid=jjones and uid=sjones both have the sn value Jones, so the identifier is ambiguous and the server rejects the bind rather than guessing which entry was meant. This is the safe outcome, but it also means that every user who shares a value is locked out of non-DN binds; choose match attributes whose values are unique within the match-base-dn (such as uid or mail), not ones such as sn or cn.
Configure Identity Mapper at Network Group Level
In this section you will configure Identity Mappers at the network group and global levels. This demonstrates how a network group level Identity Mapper takes precedence over the global level Identity Mappers for connections that belong to that network group. Note that the mapper is referenced by name: the network group points at the same Exact Match object whose properties you changed in the previous sections.
- Configure an Exact Match Identity Mapper at the network group level using the dsconfig command. network-group is the default network group.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-network-group-prop --group-name network-group \
    --add "generic-identity-mapper:Exact Match" \
    --trustAll \
    --no-prompt
- Set the priority for this Identity Mapper using the dsconfig command.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Exact Match" \
    --set "priority:2" \
    --trustAll \
    --no-prompt
- Set the match-attribute for this Identity Mapper to sn.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Exact Match" \
    --set "match-attribute:sn" \
    --trustAll \
    --no-prompt
- Set the priority of the Match and Replace Identity Mapper, which is already configured at the global level from the previous sections, to 1 using the dsconfig command.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Match and Replace" \
    --set "priority:1" \
    --trustAll \
    --no-prompt
- Set the match-attribute for this Identity Mapper to uid.
  # ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    set-identity-mapper-prop --mapper-name "Match and Replace" \
    --set "match-attribute:uid" \
    --trustAll \
    --no-prompt
- Execute the ldapsearch command to test a simple bind using the configured bind user attribute uid. If the global Match and Replace Identity Mapper were consulted, it would extract 'ikral' from the mail address provided and match it against the uid attribute.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "ikral@example.com" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=ikral)" dn cn uid mail
  The output should look similar to this:
  The simple bind attempt failed.
  Result Code: 49 (Invalid Credentials)
  This bind fails even though the string the Match and Replace mapper would produce matches a uid. The connection belongs to network-group, so only that network group's Identity Mapper (Exact Match on sn) is consulted: the network group level Identity Mapper takes precedence over the global level Identity Mapper, and 'ikral@example.com' matches no sn value.
- Execute the ldapsearch command to test a simple bind using the sn attribute.
  # ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "Kral" \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    --bindPasswordFile ~/pwd.txt \
    "(uid=ikral)" dn cn uid mail sn
  The output should look similar to this:
  dn: uid=ikral,ou=People,dc=example,dc=com
  mail: ikral@example.com
  sn: Kral
  cn: Ivan Kral
  uid: ikral
  In this example, the bind is successful because the identifier 'Kral' satisfies the network group level Identity Mapper.
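To make the mapping rules exercised in the previous sections concrete, here is an added example, written for this page and not Oracle code or part of the original tutorial, that models in Python how a non-DN simple bind is resolved: exact matching on one or more attributes, the Match and Replace regex rewrite, fail-closed handling of an ambiguous identifier such as sn=Jones, and a network group mapper being consulted instead of the global ones. The entries and password are constructed, and the rules that mappers within one scope are tried in priority order and that an ambiguous match stops resolution are assumptions of this model rather than documented OUD behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

SUCCESS, INVALID_CREDENTIALS = 0, 49  # LDAP result codes

# Constructed sample entries (not the tutorial's identitymappersdata.ldif).
# All users share one constructed password, mirroring the tutorial's use of a
# single ~/pwd.txt for every bind.
PASSWORD = "Welcome1"
ENTRIES = {
    "uid=asales,ou=People,dc=example,dc=com":
        {"uid": ["asales"], "sn": ["Sales"], "mail": ["asales@example.com"]},
    "uid=jjones,ou=People,dc=example,dc=com":
        {"uid": ["jjones"], "sn": ["Jones"], "mail": ["jjones@example.com"]},
    "uid=sjones,ou=People,dc=example,dc=com":
        {"uid": ["sjones"], "sn": ["Jones"], "mail": ["sjones@example.com"]},
    "uid=ikral,ou=People,dc=example,dc=com":
        {"uid": ["ikral"], "sn": ["Kral"], "mail": ["ikral@example.com"]},
}


@dataclass
class IdentityMapper:
    """One generic identity mapper, with the properties dsconfig displays."""
    name: str
    match_attribute: list
    match_pattern: str = "(.)*"            # value shown for Exact Match
    replace_pattern: Optional[str] = None  # set only for Match And Replace
    match_base_dn: str = "dc=example,dc=com"
    priority: int = 1
    enabled: bool = True

    def rewrite(self, identifier: str) -> str:
        """Match And Replace step; Java-style $1 in replace-pattern becomes \\1 here."""
        if self.replace_pattern is None:
            return identifier  # Exact Match uses the identifier as supplied
        py_repl = re.sub(r"\$(\d+)", r"\\\1", self.replace_pattern)
        return re.sub(self.match_pattern, py_repl, identifier)

    def candidates(self, identifier: str) -> set:
        """DNs under match-base-dn whose match attribute(s) equal the identifier."""
        if not self.enabled:
            return set()
        ident = self.rewrite(identifier).lower()  # LDAP caseIgnore matching
        base = self.match_base_dn.lower()
        found = set()
        for dn, attrs in ENTRIES.items():
            if not dn.lower().endswith(base):
                continue
            for attr in self.match_attribute:
                if ident in (v.lower() for v in attrs.get(attr, [])):
                    found.add(dn)
        return found


def map_identifier(identifier, global_mappers, network_group_mappers=()):
    """Resolve a bind identifier to exactly one DN, or None.

    Network group mappers, when present, are used instead of the global ones
    (the behaviour the last section shows). Priority order within a scope and
    stopping on an ambiguous match are assumptions of this model.
    """
    chain = list(network_group_mappers) or list(global_mappers)
    for mapper in sorted(chain, key=lambda m: m.priority):
        dns = mapper.candidates(identifier)
        if len(dns) > 1:
            return None  # ambiguous (e.g. sn=Jones): fail closed
        if len(dns) == 1:
            return dns.pop()
    return None


def simple_bind(identifier, password, global_mappers, network_group_mappers=()):
    """Non-DN simple bind: map the identifier first, then check the password."""
    dn = map_identifier(identifier, global_mappers, network_group_mappers)
    if dn is None or password != PASSWORD:
        return INVALID_CREDENTIALS, None
    return SUCCESS, dn


UPN = r"^([^@]+)@.+$"  # match-pattern shown for Match And Replace


def tutorial_scenarios():
    """Replay the tutorial's bind attempts against this model; returns result codes."""
    exact_uid = IdentityMapper("Exact Match", ["uid"])
    exact_mail_uid = IdentityMapper("Exact Match", ["mail", "uid"])  # after --add match-attribute:mail
    exact_sn = IdentityMapper("Exact Match", ["sn"], priority=2)     # after --set match-attribute:sn
    mar_sn = IdentityMapper("Match And Replace", ["sn"], UPN, "$1")
    mar_uid = IdentityMapper("Match And Replace", ["uid"], UPN, "$1", priority=1)
    return {
        "uid bind":                simple_bind("asales", PASSWORD, [exact_uid])[0],
        "mail bind, uid only":     simple_bind("jjones@example.com", PASSWORD, [exact_uid])[0],
        "mail bind, mail+uid":     simple_bind("jjones@example.com", PASSWORD, [exact_mail_uid])[0],
        "match and replace on sn": simple_bind("Kral@example.com", PASSWORD, [mar_sn])[0],
        "duplicate sn":            simple_bind("Jones", PASSWORD, [exact_sn])[0],
        "wrong password":          simple_bind("asales", "not-the-password", [exact_uid])[0],
        "network group wins":      simple_bind("ikral@example.com", PASSWORD, [mar_uid], [exact_sn])[0],
        "network group sn":        simple_bind("Kral", PASSWORD, [mar_uid], [exact_sn])[0],
    }


if __name__ == "__main__":
    for scenario, code in tutorial_scenarios().items():
        print(f"{scenario:28s} result={code}")
```

Running the script prints result code 0 for the binds the tutorial shows succeeding and 49 for the two it shows failing (the ambiguous sn=Jones bind and the ikral@example.com bind that the network group's Exact Match mapper cannot resolve), which is the fail-closed behaviour to expect from a mapper chain: an identifier that is ambiguous or unmapped never reaches the password check.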
Want to Learn More?
Feedback
To provide feedback on this tutorial, please contact Identity Management User Assistance.