Oracle by Example: Configure the Map Object Class Transformation with Oracle Unified Directory 12c

Before You Begin

This tutorial shows you how to configure the Map Object Class Transformation with Oracle Unified Directory 12c (OUD).

This tutorial is part of the Oracle Virtual Directory 11g to Oracle Unified Directory 12c Transition Series.

Background

The Map Object Class Transformation creates a mapping that can make one objectClass appear like another objectClass. This is useful when an application expects a specific objectClass and its attributes. For example, a source objectClass user (compatible with Active Directory) can appear like a client objectClass inetOrgPerson (compatible with Oracle Unified Directory).

The Map Object Class Transformation Type provides similar functionality to that provided by the ObjectClass Mapper Plugin from Oracle Virtual Directory 11g (OVD) and can be used as part of a transformation strategy from OVD 11g to OUD 12c.

What Do You Need?

  • An environment with at least 16 GB of physical memory, Oracle Enterprise Linux 6.6 or later
  • A basic understanding of Linux
  • Installation of Oracle Unified Directory 12c (12.2.1.3.0 or above)
  • This tutorial assumes that you have already defined the following environment variables:
    • OUD_ORACLE_HOME=/u01/app/oracle/product/oud/oud
    • OUD_INSTANCES=/u01/app/oracle/config/oud_instances

Configure a Proxy Server Instance

  1. Launch a terminal window as the oracle user and navigate to the OUD_ORACLE_HOME directory.
    cd $OUD_ORACLE_HOME
  2. Run the oud-proxy-setup command as shown below.
    ./oud-proxy-setup \
    --cli \
    --hostname oud.example.com \
    --ldapPort 1389 \
    --adminConnectorPort 4444 \
    --rootUserDN "cn=Directory Manager" \
    --rootUserPasswordFile ~/pwd.txt \
    --instancePath /u01/app/oracle/config/oud_instances/mapoc \
    --no-prompt

    The output should look similar to this:

    Successfully wrote the updated Directory Server configuration
    Starting the Server :
    /u01/oracle/oracle/config/oud_instances/mapoc/bin/start-ds --timeout 0 
    [08/Oct/2019:08:54:18 -0700] category=CORE severity=INFORMATION msgID=132 msg=The Directory Server is beginning the configuration bootstrapping process
    [08/Oct/2019:08:54:19 -0700] category=CORE severity=NOTICE msgID=458886 msg=Oracle Unified Directory 12.2.1.4.0 (build 20190830164322Z, R1908300907) starting up
    [08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381717 msg=Installation Directory:  /u01/oracle/oracle/product/oud/oud
    [08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381719 msg=Instance Directory:      /u01/oracle/oracle/config/oud_instances/mapoc
    [08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381713 msg=JVM Information: 1.8.0_221-b11 by Oracle Corporation, 64-bit architecture, 3357540352 bytes heap size
    [08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381714 msg=JVM Host: oud.example.com, running Linux 4.1.12-124.28.6.el7uek.x86_64 amd64, 15099535360 bytes physical memory size, number of processors available 4
    [08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381715 msg=JVM Arguments: "-Dorg.opends.server.scriptName=start-ds"
    [08/Oct/2019:08:54:20 -0700] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381721 msg=The maximum number of file descriptors allocated to the server process: 65536
    [08/Oct/2019:08:54:20 -0700] category=ACCESS_CONTROL severity=INFORMATION msgID=12582978 msg=Added 10 Global Access Control Instruction (ACI) attribute types to the access control evaluation engine
    [08/Oct/2019:08:54:20 -0700] category=BACKEND severity=INFORMATION msgID=9437595 msg=Local DB backend virtualAcis does not specify the number of lock tables: defaulting to 97
    [08/Oct/2019:08:54:21 -0700] category=JEB severity=NOTICE msgID=8847402 msg=The database backend cn=virtualAcis,cn=Workflow Elements,cn=config containing 0 entries has started
    [08/Oct/2019:08:54:21 -0700] category=EXTENSIONS severity=INFORMATION msgID=1048797 msg=DIGEST-MD5 SASL mechanism using a server fully qualified domain name of: oud.example.com
    [08/Oct/2019:08:54:21 -0700] category=CORE severity=INFORMATION msgID=731 msg=LDAP Connection Handler 0.0.0.0 port 1636 does not specify the number of request handler threads: sizing automatically to use 8 threads
    [08/Oct/2019:08:54:21 -0700] category=CORE severity=INFORMATION msgID=731 msg=LDAP Connection Handler 0.0.0.0 port 1389 does not specify the number of request handler threads: sizing automatically to use 8 threads
    [08/Oct/2019:08:54:21 -0700] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Administration Connector 0.0.0.0 port 4444
    [08/Oct/2019:08:54:21 -0700] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 1636
    [08/Oct/2019:08:54:21 -0700] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 1389
    [08/Oct/2019:08:54:21 -0700] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully
    [08/Oct/2019:08:54:21 -0700] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID 458887):  The Directory Server has started successfully
    

    Note: The file ~/pwd.txt should contain the password that you want to assign to your OUD Administrator (the root user DN passed above).

Create an LDAP Server Extension

Create an LDAP Server Extension to hold the connection details and credentials required to connect to the source Active Directory instance.

  1. Navigate to the OUD_ORACLE_HOME/bin directory.
    cd $OUD_ORACLE_HOME/bin
  2. Create the LDAP Server extension using the dsconfig command.
    ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --trustAll \
    --no-prompt \
    create-extension \
    --extension-name adserver \
    --type ldap-server \
    --set enabled:true \
    --set remote-ldap-server-address:ad.example.com \
    --set remote-ldap-server-port:389
                      

Create a Proxy LDAP Workflow Element (WFE)

  1. Create a Proxy LDAP WFE using the dsconfig command.
    ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --trustAll \
    --no-prompt \
    create-workflow-element \
    --element-name adwfe \
    --type proxy-ldap \
    --set enabled:true \
    --set client-cred-mode:use-client-identity \
    --set ldap-server-extension:adserver
                      

    Note: The client-cred-mode here is set to use-client-identity. This means that the client credentials you pass when issuing an ldapsearch are used to authenticate with the remote Active Directory, so Active Directory itself authorizes each request. Alternatively, you can define proxy credentials in the use-specific-identity bind mode, where the credentials are declared in the remote-ldap-server-bind-dn and ldap-server-bind-password WFE properties.

Create a Map Object Class Transformation

  1. The Map Object Class transformation creates a mapping that can make one objectClass appear like another objectClass. Create a mapping that makes a source objectclass user appear like a client objectclass inetOrgPerson by running the following dsconfig command.

    ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --trustAll \
    --no-prompt \
    create-transformation \
    --type map-object-class \
    --transformation-name aduseriop \
    --set map-objectclass:inetOrgPerson=user
                        

Map an Attribute from the user Source Objectclass to the Client inetOrgPerson Objectclass

  1. Add a mapping where the userPrincipalName attribute value from the Active Directory user objectclass is used to populate the uid attribute of the inetOrgPerson objectclass.

    ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --trustAll \
    --no-prompt \
    set-transformation-prop \
    --transformation-name aduseriop \
    --set map-attribute:uid=%userPrincipalName%
                        
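To make the effect of the two properties above concrete, here is an added Python simulation (not code from this tutorial or from OUD) of the read-direction mapping: it applies map-objectclass:inetOrgPerson=user and map-attribute:uid=%userPrincipalName% to a constructed entry shaped like the Active Directory result shown in the validation step, and it also handles the general %attr% template form (literal text plus several placeholders) and entries that do not carry the source objectClass.

```python
# Added example (not Oracle's or OUD's code): simulate what the map-object-class
# transformation does to a search result on its way back to the client.
import re

def render_template(template, entry):
    """Expand each %attr% in a map-attribute template with the entry's first value
    for attr (names compared case-insensitively); None if any attr is missing."""
    lowered = {k.lower(): v for k, v in entry.items()}
    missing = False
    def sub(m):
        nonlocal missing
        vals = lowered.get(m.group(1).lower())
        if not vals:
            missing = True
            return ""
        return vals[0]
    out = re.sub(r"%([^%]+)%", sub, template)
    return None if missing else out

def transform_entry(entry, map_objectclass, map_attributes):
    """Return the client view of a source entry (attr -> list of values).
    map_objectclass is 'client=source' (e.g. 'inetOrgPerson=user'); map_attributes
    are 'clientAttr=template' specs. Entries without the source objectClass pass through."""
    client_oc, source_oc = (s.strip() for s in map_objectclass.split("=", 1))
    ocs = entry.get("objectClass", [])
    result = {k: list(v) for k, v in entry.items()}
    if not any(oc.lower() == source_oc.lower() for oc in ocs):
        return result
    result["objectClass"] = [client_oc if oc.lower() == source_oc.lower() else oc
                             for oc in ocs]
    for spec in map_attributes:
        client_attr, template = (s.strip() for s in spec.split("=", 1))
        value = render_template(template, entry)
        if value is not None:          # missing source attr: no client attr produced
            result[client_attr] = [value]
    return result

# Constructed sample entry, shaped like the AD result in the validation step.
AD_ENTRY = {
    "dn": ["CN=ADUserA,CN=Users,DC=example,DC=com"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "userPrincipalName": ["adusera@example.com"],
}

if __name__ == "__main__":
    view = transform_entry(AD_ENTRY, "inetOrgPerson=user", ["uid=%userPrincipalName%"])
    for attr in ("dn", "objectClass", "uid"):
        print("\n".join(f"{attr}: {v}" for v in view[attr]))
```

OUD itself applies transformations in both directions and renders the mapped objectClass in its own case (inetorgperson in the validation output); this simulation covers only the outbound view of a search result.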

Create a Transformation Workflow Element (WFE)

  1. Create a transformation workflow element using the dsconfig command.

    ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --trustAll \
    --no-prompt \
    create-workflow-element \
    --element-name tfwfe \
    --type transformations \
    --set enabled:true \
    --set transformation:aduseriop \
    --set next-workflow-element:adwfe
                        

Create a Workflow and Add It to the Default Network Group

  1. Create a workflow using the dsconfig command.

    ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --trustAll \
    --no-prompt \
    create-workflow \
    --workflow-name "mapoc" \
    --set enabled:true \
    --set base-dn:"dc=example,dc=com" \
    --set workflow-element:tfwfe
                        

  2. Add the workflow to the default network group using the dsconfig command.

    ./dsconfig \
    --hostname oud.example.com \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile ~/pwd.txt \
    --trustAll \
    --no-prompt \
    set-network-group-prop \
    --group-name network-group \
    --add workflow:"mapoc"
                        

Validate the Object Class Mapping

  1. Validate that the objectclass mapping is working using the ldapsearch command.

    ./ldapsearch \
    --hostname oud.example.com \
    --port 1389 \
    --bindDN "cn=Administrator,cn=Users,dc=example,dc=com" \
    --bindPasswordFile ~/pwd.txt \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    "(cn=ADUserA)" objectclass uid

    When you run the search via the OUD Proxy Server (oud.example.com:1389), it returns the user from Active Directory with an objectClass of inetorgperson. The uid attribute is populated with the value of userPrincipalName.

    dn: CN=ADUserA,CN=Users,DC=example,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    uid: adusera@example.com
    
    SearchReference(referralURLs={ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com})
    SearchReference(referralURLs={ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com})
    SearchReference(referralURLs={ldap://example.com/CN=Configuration,DC=example,DC=com})

    If you re-run the search directly against the Active Directory server (ad.example.com:389), the objectClass returned is user and the uid attribute is not present.

    ./ldapsearch \
    --hostname ad.example.com \
    --port 389 \
    --bindDN "cn=Administrator,cn=Users,dc=example,dc=com" \
    --bindPasswordFile ~/pwd.txt \
    --baseDN "dc=example,dc=com" \
    --searchScope sub \
    "(cn=ADUserA)" \
    objectclass uid
    
    dn: CN=ADUserA,CN=Users,DC=example,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    
    SearchReference(referralURLs={ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com})
    SearchReference(referralURLs={ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com})
    SearchReference(referralURLs={ldap://example.com/CN=Configuration,DC=example,DC=com})

    Note: The bindDN passed here is the Administrator user of the Active Directory instance configured in the LDAP Server Extension created earlier in this tutorial, so the file passed with --bindPasswordFile must contain that user's Active Directory password.


Feedback

To provide feedback on this tutorial, please contact Identity Management User Assistance.