Before You Begin
This tutorial shows you how to configure the Map Object Class Transformation with Oracle Unified Directory 12c (OUD).
This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.
Background
The Map Object Class Transformation creates a mapping that can make one objectClass appear like another objectClass. This is useful when an application is expecting a specific objectclass/attributes. For example a source objectClass User (compatible with Active Directory) can appear like a client objectClass inetOrgPerson (compatible with Oracle Unified Directory).
The Map Object Class Transformation Type provides similar functionality to that provided by the ObjectClass Mapper Plugin from Oracle Virtual Directory 11g (OVD) and can be used as part of a transformation strategy from OVD 11g to OUD 12c.
What Do You Need?
- An environment with at least 16 GB of physical memory, Oracle Enterprise Linux 6.6 or later
- A basic understanding of Linux
- Installation of Oracle Unified Directory 12c (12.2.1.3.0 or above)
- This tutorial assumes that you have already defined the following environment variables:
- OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
- OUD_INSTANCES=/u01/app/oracle/config/oud_instances
Configure a Proxy Server Instance
- Launch a terminal window as oracle and navigate to the OUD_ORACLE_HOME directory.
cd $OUD_ORACLE_HOME
- Run the oud-proxy-setup command as shown below.
./oud-proxy-setup \
  --cli \
  --hostname oud.example.com \
  --ldapPort 1389 \
  --adminConnectorPort 4444 \
  --rootUserDN "cn=Directory Manager" \
  --rootUserPasswordFile ~/pwd.txt \
  --instancePath /u01/app/oracle/config/oud_instances/mapoc \
  --no-prompt
The output should look similar to this:
Successfully wrote the updated Directory Server configuration
Starting the Server : /u01/oracle/oracle/config/oud_instances/mapoc/bin/start-ds --timeout 0
[08/Oct/2019:08:54:18 -0700] category=CORE severity=INFORMATION msgID=132 msg=The Directory Server is beginning the configuration bootstrapping process
[08/Oct/2019:08:54:19 -0700] category=CORE severity=NOTICE msgID=458886 msg=Oracle Unified Directory 12.2.1.4.0 (build 20190830164322Z, R1908300907) starting up
[08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381717 msg=Installation Directory: /u01/oracle/oracle/product/oud/oud
[08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381719 msg=Instance Directory: /u01/oracle/oracle/config/oud_instances/mapoc
[08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381713 msg=JVM Information: 1.8.0_221-b11 by Oracle Corporation, 64-bit architecture, 3357540352 bytes heap size
[08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381714 msg=JVM Host: oud.example.com, running Linux 4.1.12-124.28.6.el7uek.x86_64 amd64, 15099535360 bytes physical memory size, number of processors available 4
[08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381715 msg=JVM Arguments: "-Dorg.opends.server.scriptName=start-ds"
[08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381721 msg=The maximum number of file descriptors allocated to the server process: 65536
[08/Oct/2019:08:54:20 -0700] category=ACCESS_CONTROL severity=INFORMATION msgID=12582978 msg=Added 10 Global Access Control Instruction (ACI) attribute types to the access control evaluation engine
[08/Oct/2019:08:54:20 -0700] category=BACKEND severity=INFORMATION msgID=9437595 msg=Local DB backend virtualAcis does not specify the number of lock tables: defaulting to 97
[08/Oct/2019:08:54:21 -0700] category=JEB severity=NOTICE msgID=8847402 msg=The database backend cn=virtualAcis,cn=Workflow Elements,cn=config containing 0 entries has started
[08/Oct/2019:08:54:21 -0700] category=EXTENSIONS severity=INFORMATION msgID=1048797 msg=DIGEST-MD5 SASL mechanism using a server fully qualified domain name of: oud.example.com
[08/Oct/2019:08:54:21 -0700] category=CORE severity=INFORMATION msgID=731 msg=LDAP Connection Handler 0.0.0.0 port 1636 does not specify the number of request handler threads: sizing automatically to use 8 threads
[08/Oct/2019:08:54:21 -0700] category=CORE severity=INFORMATION msgID=731 msg=LDAP Connection Handler 0.0.0.0 port 1389 does not specify the number of request handler threads: sizing automatically to use 8 threads
[08/Oct/2019:08:54:21 -0700] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Administration Connector 0.0.0.0 port 4444
[08/Oct/2019:08:54:21 -0700] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 1636
[08/Oct/2019:08:54:21 -0700] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 1389
[08/Oct/2019:08:54:21 -0700] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully
[08/Oct/2019:08:54:21 -0700] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID 458887): The Directory Server has started successfully
Note: The ~/pwd.txt should contain the password that you want to assign to your OUD Administrator.
Create an LDAP Server Extension
Create an LDAP Server Extension to hold the connection details and credentials required to connect to the source Active Directory instance.
- Navigate to the OUD_ORACLE_HOME/bin directory.
cd $OUD_ORACLE_HOME/bin
- Create the LDAP Server extension using the dsconfig command.
./dsconfig \
  --hostname oud.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --trustAll \
  --no-prompt \
  create-extension \
  --extension-name adserver \
  --type ldap-server \
  --set enabled:true \
  --set remote-ldap-server-address:ad.example.com \
  --set remote-ldap-server-port:389
Create a Proxy LDAP Workflow Element (WFE)
- Create a Proxy LDAP WFE using the dsconfig command.
./dsconfig \
  --hostname oud.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --trustAll \
  --no-prompt \
  create-workflow-element \
  --element-name adwfe \
  --type proxy-ldap \
  --set enabled:true \
  --set client-cred-mode:use-client-identity \
  --set ldap-server-extension:adserver
Note: The client-cred-mode here is set to use-client-identity. This means that the client credentials you pass when issuing an ldapsearch will be used to authenticate with the remote Active Directory. Alternatively you can define proxy credentials in use-specific-identity bind mode, where the credentials are declared in the remote-ldap-server-bind-dn and ldap-server-bind-password WFE properties.
Create Map Object Class Transformation
- The Map Object Class transformation creates a mapping that can make one objectClass appear like another objectClass. Create a mapping that makes a source objectclass user appear like a client objectclass inetOrgPerson by running the following dsconfig command.
./dsconfig \
  --hostname oud.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --trustAll \
  --no-prompt \
  create-transformation \
  --type map-object-class \
  --transformation-name aduseriop \
  --set map-objectclass:inetOrgPerson=user
Map an Attribute from the user Source Objectclass to the Client inetOrgPerson Objectclass
- Add a mapping where the userPrincipalName attribute value from the Active Directory user objectclass is used to populate the uid attribute of the inetOrgPerson objectclass.
./dsconfig \
  --hostname oud.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --trustAll \
  --no-prompt \
  set-transformation-prop \
  --transformation-name aduseriop \
  --set map-attribute:uid=%userPrincipalName%
Create a Transformation Workflow Element (WFE)
- Create a transformation workflow element using the dsconfig command.
./dsconfig \
  --hostname oud.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --trustAll \
  --no-prompt \
  create-workflow-element \
  --element-name tfwfe \
  --type transformations \
  --set enabled:true \
  --set transformation:aduseriop \
  --set next-workflow-element:adwfe
Create a Workflow and Add to the Default Network Group
- Create a workflow using the dsconfig command.
./dsconfig \
  --hostname oud.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --trustAll \
  --no-prompt \
  create-workflow \
  --workflow-name "mapoc" \
  --set enabled:true \
  --set base-dn:"dc=example,dc=com" \
  --set workflow-element:tfwfe
- Add the Workflow to the default Network Group.
./dsconfig \
  --hostname oud.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile ~/pwd.txt \
  --trustAll \
  --no-prompt \
  set-network-group-prop \
  --group-name network-group \
  --add workflow:"mapoc"
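The dsconfig steps above, collected into one script as an added example (this is not part of the Oracle tutorial). It reuses the tutorial's host names, ports and object names, assumes $OUD_ORACLE_HOME points at the OUD installation, and adds one check the tutorial does not make: the script refuses to run unless ~/pwd.txt is non-empty and readable only by its owner, because the same file is handed to every dsconfig call and to the proxy's bind against Active Directory.

```shell
#!/bin/sh
# Added example, not from the Oracle tutorial: runs the tutorial's dsconfig
# steps in order. Names, hosts and ports are the tutorial's; $OUD_ORACLE_HOME
# is assumed to point at the OUD installation (as in the tutorial).
set -eu

OUD_HOST="${OUD_HOST:-oud.example.com}"
ADMIN_PORT="${ADMIN_PORT:-4444}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
PWD_FILE="${PWD_FILE:-$HOME/pwd.txt}"
AD_HOST="${AD_HOST:-ad.example.com}"

# Return success only if the password file exists, is non-empty, and has no
# group/other permission bits (columns 5-10 of "ls -ld" must all be "-").
check_password_file() {
    f="$1"
    [ -s "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Common connection options shared by every dsconfig call in the tutorial.
dsconfig_cmd() {
    "${OUD_ORACLE_HOME:?}/bin/dsconfig" \
        --hostname "$OUD_HOST" --port "$ADMIN_PORT" \
        --bindDN "$BIND_DN" --bindPasswordFile "$PWD_FILE" \
        --trustAll --no-prompt "$@"
}

# The tutorial's steps: extension -> proxy WFE -> transformation ->
# attribute mapping -> transformation WFE -> workflow -> network group.
configure_mapoc() {
    check_password_file "$PWD_FILE" || {
        echo "refusing to run: $PWD_FILE is missing, empty, or not mode 600" >&2
        return 1
    }
    dsconfig_cmd create-extension --extension-name adserver --type ldap-server \
        --set enabled:true --set remote-ldap-server-address:"$AD_HOST" \
        --set remote-ldap-server-port:389
    dsconfig_cmd create-workflow-element --element-name adwfe --type proxy-ldap \
        --set enabled:true --set client-cred-mode:use-client-identity \
        --set ldap-server-extension:adserver
    dsconfig_cmd create-transformation --type map-object-class \
        --transformation-name aduseriop --set map-objectclass:inetOrgPerson=user
    dsconfig_cmd set-transformation-prop --transformation-name aduseriop \
        --set map-attribute:uid=%userPrincipalName%
    dsconfig_cmd create-workflow-element --element-name tfwfe --type transformations \
        --set enabled:true --set transformation:aduseriop \
        --set next-workflow-element:adwfe
    dsconfig_cmd create-workflow --workflow-name mapoc --set enabled:true \
        --set base-dn:"dc=example,dc=com" --set workflow-element:tfwfe
    dsconfig_cmd set-network-group-prop --group-name network-group \
        --add workflow:mapoc
}

# Only configure when invoked as "script.sh --run" on a host with OUD installed.
if [ "${1:-}" = "--run" ]; then
    configure_mapoc
fi
```

Run it with --run once the proxy instance from the first section is up. Two settings carried over from the tutorial are worth knowing about when reviewing the result: --trustAll skips certificate checking on the administration connector, and use-client-identity with remote-ldap-server-port:389 means each client's bind credentials are replayed to Active Directory over plain LDAP, so the network path between the proxy and the domain controller needs the same protection as the client-facing side.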
Validate the Object Class Mapping
- Validate that the objectclass mapping is working using the ldapsearch command.
./ldapsearch \
  --hostname oud.example.com \
  --port 1389 \
  --bindDN "cn=Administrator,cn=Users,dc=example,dc=com" \
  --bindPasswordFile ~/pwd.txt \
  --baseDN "dc=example,dc=com" \
  --searchScope sub \
  "(cn=ADUserA)" objectclass uid
When you run the search via the OUD Proxy Server (oud.example.com:1389) it returns the user from Active Directory with an objectclass of inetorgperson. The uid attribute is populated with the value of userPrincipalName.
dn: CN=ADUserA,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: adusera@example.com
SearchReference(referralURLs={ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com})
SearchReference(referralURLs={ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com})
SearchReference(referralURLs={ldap://example.com/CN=Configuration,DC=example,DC=com})
If you re-run the search directly against the Active Directory Server (ad.example.com:389) the objectclass returned is user and the uid is not present.
./ldapsearch \
  --hostname ad.example.com \
  --port 389 \
  --bindDN "cn=Administrator,cn=Users,dc=example,dc=com" \
  --bindPasswordFile ~/pwd.txt \
  --baseDN "dc=example,dc=com" \
  --searchScope sub \
  "(cn=ADUserA)" objectclass uid
dn: CN=ADUserA,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
SearchReference(referralURLs={ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com})
SearchReference(referralURLs={ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com})
SearchReference(referralURLs={ldap://example.com/CN=Configuration,DC=example,DC=com})
Note: The bindDN passed here is set to the Administrator user of the Active Directory instance that the LDAP Server Extension created earlier in this tutorial points at.
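An added check, not from the tutorial, that turns the manual comparison above into a pass/fail test: it parses ldapsearch output for one entry and confirms that the mapped objectClass (inetOrgPerson) is present, that the raw Active Directory class (user) is not, and that uid carries the expected userPrincipalName value. The two LDIF samples are constructed from the outputs shown above; run_live is a hypothetical wrapper that assumes $OUD_ORACLE_HOME plus the tutorial's bind DN, password file and search filter.

```shell
#!/bin/sh
# Added example, not from the Oracle tutorial: a pass/fail check over
# ldapsearch output for the map-object-class transformation.
set -eu

# Constructed sample: what the proxy (oud.example.com:1389) returned above.
PROXY_LDIF='dn: CN=ADUserA,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: adusera@example.com
SearchReference(referralURLs={ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com})'

# Constructed sample: the same entry read directly from AD (ad.example.com:389).
DIRECT_LDIF='dn: CN=ADUserA,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
SearchReference(referralURLs={ldap://example.com/CN=Configuration,DC=example,DC=com})'

# has_attr LDIF ATTR VALUE: succeeds if the entry carries ATTR with VALUE.
# Attribute names and values are compared case-insensitively (LDAP attribute
# names and objectClass values are case-insensitive); SearchReference lines
# emitted for AD referrals are ignored.
has_attr() {
    printf '%s\n' "$1" | grep -v '^SearchReference' \
      | awk -F': ' \
            -v a="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
            -v v="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" \
            'tolower($1)==a && tolower($2)==v {found=1} END{exit !found}'
}

# check_mapping LDIF EXPECTED_UID: the transformation is considered applied
# only if inetOrgPerson is exposed, the source class user is hidden, and
# uid equals the userPrincipalName value the client expects.
check_mapping() {
    has_attr "$1" objectClass inetOrgPerson || return 1
    ! has_attr "$1" objectClass user || return 1
    has_attr "$1" uid "$2"
}

# Hypothetical live wrapper: runs the tutorial's ldapsearch against the host
# and port given (defaults to the proxy) and feeds the result to check_mapping.
run_live() {
    out=$("${OUD_ORACLE_HOME:?}/bin/ldapsearch" \
        --hostname "${1:-oud.example.com}" --port "${2:-1389}" \
        --bindDN "cn=Administrator,cn=Users,dc=example,dc=com" \
        --bindPasswordFile "$HOME/pwd.txt" \
        --baseDN "dc=example,dc=com" --searchScope sub \
        "(cn=ADUserA)" objectclass uid)
    check_mapping "$out" "adusera@example.com"
}

# Self-check on the constructed samples when run as a script.
if [ "${1:-}" = "--selfcheck" ]; then
    check_mapping "$PROXY_LDIF" adusera@example.com && echo "proxy: mapped"
    check_mapping "$DIRECT_LDIF" adusera@example.com || echo "direct AD: not mapped (expected)"
fi
```

Running run_live against oud.example.com 1389 should succeed and against ad.example.com 389 should fail, which is exactly the difference the two manual searches above demonstrate; the hidden-user check matters because an entry that still carries objectClass: user alongside inetorgperson would indicate the transformation WFE is not on the workflow path.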
Feedback
To provide feedback on this tutorial, please contact Identity Management User Assistance.