24 Configuring Virtualization

You can configure a virtual directory view of your repositories and optimize the search results returned from that view.

This chapter also gives an overview of the DN renaming, RDN changing, and transformation configurations.

Note:

To use the virtual directory capabilities described here, you must have a valid Oracle Directory Service Plus license.

Note:

You can choose to configure some virtualization elements using dsconfig or Oracle Unified Directory Services Manager (OUDSM).

24.1 Configuring a Virtual Directory View of Your Repositories

You can create and configure a Join workflow element, which presents a virtual directory view of your repositories, by using the dsconfig command or OUDSM.


24.1.1 Prerequisites for Creating the Join Workflow Element

Before creating the Join workflow element, you must configure the participating workflow elements so you can link to them from the Join workflow element configuration.

For example, consider a scenario with two separate Proxy LDAP workflow elements:

  • The first Proxy LDAP workflow element, we-proxy1, will be linked to the primary participant of the Join workflow element configuration.

  • The second Proxy LDAP workflow element, we-proxy2, will be linked to the secondary participant of the Join workflow element configuration.

Note:

For more information about creating Proxy LDAP workflow elements, see Configuring Proxy LDAP Workflow Elements.

Assume there is an entry in the we-proxy1 data source as follows:

dn: cn=john,cn=users,dc=com1
objectclass: inetorgperson
cn: john
sn: doe
uid: jdoe
title: PMTS
description: This entry is from we-proxy1

Next, assume there is an entry in the we-proxy2 data source as follows:

dn: sn=doe,cn=employees,dc=com2
objectclass: inetorgperson
empid: jdoe
cn: John
sn: doe
department: Sales
manager: userid=smith,cn=users,dc=com2
description: This entry is from we-proxy2

The joined entry returned by the Join workflow element is:

dn: cn=john,cn=users,dc=join
objectclass: inetorgperson
cn: john
sn: doe
uid: jdoe
empid: jdoe
title: PMTS
description: This entry is from we-proxy1
description: This entry is from we-proxy2
manager: userid=smith,cn=users,dc=join
department: Sales

The two entries are matched on uid=empid (the join rule configured later in this section), the result is presented under the join suffix dc=join, and DN-valued attributes listed in dn-attribute, such as manager, are rewritten to that suffix as well. By default every attribute of both participants is exposed in the joined entry; use the retrievable-attribute or non-retrievable-attribute properties of a participant to restrict what clients can see.

24.1.2 Creating a Join Workflow Element Using the dsconfig Command

You can create and configure a Join workflow element topology, based on the scenario using the two Proxy LDAP workflow elements.

The two Proxy LDAP workflow elements are described in Prerequisites for Creating the Join Workflow Element.

Note:

The following steps assume that you have already created the participating workflow elements. The commands also use -X (--trustAll), which accepts whatever certificate the administration port presents; outside a test setup, point dsconfig at a truststore that contains the server certificate (--trustStorePath) instead of disabling verification.

To configure a Join workflow element topology:

  1. Create a Join workflow element, named we-join.
    dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \
    create-workflow-element --set enabled:true --set join-suffix:dc=join \
    --type join --element-name we-join

    Run interactively (without -n and without the connection options), dsconfig prompts for the same values:
    
    >>>> Specify Oracle Unified Directory LDAP connection parameters
     
    Directory server hostname or IP address [ip]:
     
    Directory server administration port number [4444]:
     
    Administrator user bind DN [cn=Directory Manager]:
     
    Password for user 'cn=Directory Manager':
     
     
    >>>> Configure the properties of the Join Workflow Element
     
            Property                Value(s)
            ---------------------------------------------------------------
        1)  dn-attribute            manager, member, memberof, uniquemember
        2)  enabled                 true
        3)  join-suffix             dc=join
        4)  populate-joinedentrydn  false
     
        ?)  help
        f)  finish - create the new Join Workflow Element
        q)  quit
     
    Enter choice [f]: f
     
    The Join Workflow Element was created successfully
    
  2. Create a primary participant, named jp-p1, that is linked to the Proxy LDAP workflow element named we-proxy1.
    dsconfig create-join-participant --element-name we-join \
    --set participant-dn:dc=com1 \
    --set participating-workflow-element:we-proxy1 \
    --set primary-participant:true --type generic --participant-name jp-p1
    

    Provide the following information to create a primary participant:

    >>>> Specify Oracle Unified Directory LDAP connection parameters
     
    Directory server hostname or IP address [ip]:
     
    Directory server administration port number [4444]:
     
    Administrator user bind DN [cn=Directory Manager]:
     
    Password for user 'cn=Directory Manager':
     
     
    >>>> Configure the properties of the Join Participant
     
             Property                        Value(s)
             ----------------------------------------------------------------------
        1)   enabled-operation               compare, delete, modify, search
        2)   join-condition                  By default, no join condition is
                                             defined. That is all entries
                                             satisfying the original search filter
                                             are considered for join.
        3)   joiner-type                     one-to-one
        4)   non-retrievable-attribute       By default, the non-retrievable list
                                             is empty, which means that all
                                             attributes are retrievable.
        5)   non-storable-attribute          By default, the non-storable list is
                                             empty, which means that all attributes
                                             are storable.
        6)   participant-bind-priority       0
        7)   participant-criticality         true
        8)   participant-dn                  dc=com1
        9)   participants-join-rule          ""
        10)  participating-workflow-element  we-proxy1
        11)  primary-participant             true
        12)  retrievable-attribute           By default, the retrievable list is
                                             empty, which means that all attributes
                                             are retrievable.
        13)  storable-attribute              By default, the storable list is
                                             empty, which means that all attributes
                                             are storable.
     
        ?)   help
        f)   finish - create the new Join Participant
        q)   quit
     
    Enter choice [f]: f
    
    The Join Participant was created successfully.
    
  3. Create a secondary participant, named jp-p2, that is linked to the Proxy LDAP workflow element named we-proxy2. The participants-join-rule links the two participants on the attributes they have in common (uid in we-proxy1, empid in we-proxy2).
    dsconfig create-join-participant --element-name we-join \
    --set participant-dn:dc=com2 \
    --set participating-workflow-element:we-proxy2 \
    --set primary-participant:false --type generic --participant-name jp-p2 \
    --set participants-join-rule:jp-p1.uid=jp-p2.empid
    

    Provide the following information to create a secondary participant:

    >>>> Specify Oracle Unified Directory LDAP connection parameters
     
    Directory server hostname or IP address [ip]:
     
    Directory server administration port number [4444]:
     
    Administrator user bind DN [cn=Directory Manager]:
     
    Password for user 'cn=Directory Manager':
     
     
    >>>> Configure the properties of the Join Participant
     
             Property                        Value(s)
             ----------------------------------------------------------------------
        1)   enabled-operation               compare, delete, modify, search
        2)   join-condition                  By default, no join condition is
                                             defined. That is all entries
                                             satisfying the original search filter
                                             are considered for join.
        3)   joiner-type                     one-to-one
        4)   non-retrievable-attribute       By default, the non-retrievable list
                                             is empty, which means that all
                                             attributes are retrievable.
        5)   non-storable-attribute          By default, the non-storable list is
                                             empty, which means that all attributes
                                             are storable.
        6)   participant-bind-priority       0
        7)   participant-criticality         true
        8)   participant-dn                  dc=com2
        9)   participants-join-rule          jp-p1.uid=jp-p2.empid
        10)  participating-workflow-element  we-proxy2
        11)  primary-participant             false
        12)  retrievable-attribute           By default, the retrievable list is
                                             empty, which means that all attributes
                                             are retrievable.
        13)  storable-attribute              By default, the storable list is
                                             empty, which means that all attributes
                                             are storable.
     
        ?)   help
        f)   finish - create the new Join Participant
        q)   quit
     
    Enter choice [f]: f
     
    The Join Participant was created successfully.
    
  4. To specify which join policy the Join workflow element uses, set its join-policy property (stored as ds-cfg-join-policy in the configuration). For example, --set join-policy:left-outer-join on the we-join element, using dsconfig set-workflow-element-prop.
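The following is an added example and not OUD code: a small model of what the Join workflow element configured in steps 1 to 4 does, run over the two constructed entries from the prerequisites. It reproduces the joined entry shown there and then shows how the join rule, the dn-attribute rewriting, the join policy and the retrievable-attribute filtering change what a client sees. Assumptions of the model (marked in the code): the joiner takes the first matching secondary entry (one-to-one), standard-join drops primary entries that have no match while left-outer-join keeps them, and duplicate values are compared case-insensitively.

```python
"""Added example, not OUD code: a model of the Join workflow element configured
in steps 1-4, run over the two constructed entries from the prerequisites.
Assumptions: the joiner takes the first matching secondary entry (one-to-one),
standard-join drops primary entries without a match and left-outer-join keeps
them, and duplicate values are compared case-insensitively."""

JOIN_SUFFIX = "dc=join"
DN_ATTRIBUTES = {"manager", "member", "memberof", "uniquemember"}  # dn-attribute default

# Constructed backend data: what we-proxy1 and we-proxy2 return.
PROXY1 = [
    {"dn": "cn=john,cn=users,dc=com1", "objectclass": ["inetorgperson"], "cn": ["john"],
     "sn": ["doe"], "uid": ["jdoe"], "title": ["PMTS"],
     "description": ["This entry is from we-proxy1"]},
    {"dn": "cn=alice,cn=users,dc=com1", "objectclass": ["inetorgperson"], "cn": ["alice"],
     "sn": ["smith"], "uid": ["asmith"]},          # no counterpart in we-proxy2
]
PROXY2 = [
    {"dn": "sn=doe,cn=employees,dc=com2", "empid": ["jdoe"], "cn": ["John"], "sn": ["doe"],
     "department": ["Sales"], "manager": ["userid=smith,cn=users,dc=com2"],
     "description": ["This entry is from we-proxy2"], "objectclass": ["inetorgperson"]},
]

PARTICIPANTS = {  # jp-p1 / jp-p2 as created in steps 2 and 3
    "jp-p1": {"participant_dn": "dc=com1", "entries": PROXY1, "primary": True,
              "retrievable": set(), "non_retrievable": set()},
    "jp-p2": {"participant_dn": "dc=com2", "entries": PROXY2, "primary": False,
              "retrievable": set(), "non_retrievable": set()},
}


def rewrite_dn(value, participant_dn):
    """Move a DN from the participant's base into the join suffix (dc=com2 -> dc=join)."""
    if value.lower().endswith(participant_dn.lower()):
        return value[: len(value) - len(participant_dn)] + JOIN_SUFFIX
    return value  # DNs outside the participant's base are left as they are


def visible(attr, participant):
    """retrievable-attribute is an allow list (empty = everything);
    non-retrievable-attribute removes attributes from whatever the allow list permits."""
    allowed = participant["retrievable"]
    if allowed and attr not in allowed:
        return False
    return attr not in participant["non_retrievable"]


def add_values(joined, attr, values, participant):
    """Append values to the joined entry, rewriting DN-syntax attributes listed in
    dn-attribute and dropping duplicates (cn: john and cn: John collapse to one)."""
    if attr in DN_ATTRIBUTES:
        values = [rewrite_dn(v, participant["participant_dn"]) for v in values]
    bucket = joined.setdefault(attr, [])
    seen = {v.lower() for v in bucket}
    for v in values:
        if v.lower() not in seen:
            bucket.append(v)
            seen.add(v.lower())


def join_search(participants, join_rule, join_policy="standard-join"):
    """Return the joined entries a client would see under the join suffix."""
    primary_name = next(n for n, p in participants.items() if p["primary"])
    secondary_name = next(n for n, p in participants.items() if not p["primary"])
    primary, secondary = participants[primary_name], participants[secondary_name]
    left, right = join_rule.split("=")          # "jp-p1.uid=jp-p2.empid"
    (lp, p_attr), (rp, s_attr) = left.split("."), right.split(".")
    if (lp, rp) != (primary_name, secondary_name):
        raise ValueError("join rule must be <primary>.<attr>=<secondary>.<attr>")
    results = []
    for p_entry in primary["entries"]:
        keys = {v.lower() for v in p_entry.get(p_attr.lower(), [])}
        matches = [e for e in secondary["entries"]
                   if keys & {v.lower() for v in e.get(s_attr.lower(), [])}]
        if not matches and join_policy == "standard-join":
            continue                            # no secondary entry: primary entry is dropped
        joined = {"dn": rewrite_dn(p_entry["dn"], primary["participant_dn"])}
        sources = [(p_entry, primary)]
        if matches:
            sources.append((matches[0], secondary))   # joiner-type one-to-one (assumed)
        for entry, participant in sources:
            for attr, values in entry.items():
                if attr != "dn" and visible(attr, participant):
                    add_values(joined, attr, values, participant)
        results.append(joined)
    return results


if __name__ == "__main__":
    for e in join_search(PARTICIPANTS, "jp-p1.uid=jp-p2.empid", "left-outer-join"):
        print(e["dn"], e.get("department"), e.get("manager"))
```

Setting non_retrievable on jp-p2 to {"description"} removes only the we-proxy2 value from the joined entry, which is the check to run before exposing a join: list what each participant contributes and decide per participant what the client may see.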

24.1.3 Creating a Join Workflow Element Using OUDSM

You can create a Join workflow element using the OUDSM graphical user interface.

Note:

For information, see Creating a Workflow Element.

24.2 Optimizing Search Results From a Virtual Directory

To help you more efficiently view or retrieve data from virtual data sources, Oracle Unified Directory provides two workflow elements that automatically narrow search results.

You can insert the GetRidOfDuplicate or HideByFilter workflow elements into any workflow chain that returns search results.

For more information about Oracle Unified Directory workflows, see "OUD Plug-Ins and Workflows" in Oracle Fusion Middleware Developer's Guide for Oracle Unified Directory.

24.2.1 Eliminating Duplicate Entries from Search Results Using the GetRidOfDuplicate Workflow Element

The GetRidOfDuplicate workflow element removes, from the results of the current search operation, every entry whose DN has already been returned to the client application. This is useful when a workflow element further down the chain is likely to return several entries with the same DN.

To eliminate duplicate entries from search operations:

Add the GetRidOfDuplicate workflow element in front of (that is, closer to the client than) any workflow element, such as the Join workflow element, that returns duplicate entries.

The following example creates a GetRidOfDuplicate workflow element whose next workflow element is NEXT_WFE:

dsconfig create-workflow-element \
          --set enabled:true \
          --set next-workflow-element:NEXT_WFE \
          --set cache-size:1000000 \
          --type get-rid-of-duplicate \
          --element-name example \
          --hostname localhost \
          --port 1444 \
          -X \
          --bindDN cn=Directory\ Manager \
          --bindPasswordFile ****** \
          --no-prompt

In this example, a search will return no more than 1000000 unique entries.

Note:

In this configuration example, the created workflow element is not part of any workflow chain. A full configuration must also define or create the workflow chain, and update the Network group.

The GetRidOfDuplicate workflow element has one configuration parameter:

cache-size

The cache-size parameter is required. It specifies the maximum number of entries that can be returned to the client during a single search operation.

24.2.2 Filtering Search Results Using the HideByFilter Workflow Element

The HideByFilter workflow element gives you fine-grained control over which entries are returned by searches of a virtual directory.

For example, if you are using Oracle Unified Directory as an address book directory, you can expose only the entries of customer service representatives. First, give all customer service representatives an ou value of CSR. Then use the HideByFilter workflow element with hideFilter set to ou=CSR. When the directory is searched, only the customer service representatives' entries are returned; all other entries are hidden from the client.

To filter search results using the HideByFilter workflow element:

Create and link a HideByFilter workflow element. For example:

dsconfig create-workflow-element \
          --set enabled:true \
          --set next-workflow-element:NEXT_WFE \
          --set ldap-filter:ou=CSR \
          --type hide-entries-by-filter \
          --element-name example1 \
          --hostname localhost \
          --port 1444 \
          -X \
          --bindDN cn=Directory\ Manager \
          --bindPasswordFile ****** \
          --no-prompt

Table 24-1 summarizes the parameters of the underlying HideByFilter plug-in. In the dsconfig command above, the hideFilter value is set through the ldap-filter property.

Table 24-1 HideByFilter Parameters

Parameter Description

hideFilter

  • Static Filter Example: If hideFilter = (department=Sales) then only entries with the attribute department=Sales are returned to the client application.

  • Dynamic Filter Example: If hideFilter = (department=%department%) then %department% is replaced with the department attribute value of the bound user.

ldapURL (multivalued)

An entry that matches the filter part of an ldapURL value is returned to the client application only if it is also a descendant of that LDAP URL's base DN. All other fields of the LDAP URL are ignored.

adapterNames

A list of adapters in which the user entry for the dynamic filter is searched. If the list is empty, or if the user entry is found in none of the adapters (including the current adapter), the dynamic filter is ignored, so make sure the entries of the users who bind are reachable through the listed adapters.

applyForAdmin

When set to true, the filtering also applies to administrative users. The parameter is optional and defaults to false, so by default administrators see the unfiltered results.
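As an added example (not OUD code, and not a description of how OUD implements these elements internally), the following models the GetRidOfDuplicate and HideByFilter workflow elements as two stages over one search result stream, with a small RFC 4515 filter evaluator. The entries, the bound user and the "admin" flag on it are constructed. The page does not say how a %attr% value is inserted into a dynamic filter; the escaping step here is this example's own design, and the test shows why it matters: a bound user whose department value is "*" would otherwise turn (department=%department%) into a presence filter that matches everyone.

```python
"""Added example, not OUD code: a model of the GetRidOfDuplicate and HideByFilter
workflow elements as two stages over one search result stream, with a small RFC
4515 filter evaluator (and, or, not, equality, presence). The entries, the bound
user and its "admin" flag are constructed. The escaping of %attr% values is this
example's own design, shown against a bound user whose attribute value is "*"."""

import re

PLACEHOLDER = re.compile(r"%([A-Za-z0-9;-]+)%")


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a filter assertion."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(text):
    if not text.startswith("(") or len(text) < 3:
        raise ValueError("bad filter: %r" % text)
    body = text[1:]
    if body[0] in "&|":
        op, body, children = body[0], body[1:], []
        while body.startswith("("):
            child, body = _parse(body)
            children.append(child)
        if not body.startswith(")"):
            raise ValueError("unterminated %s" % op)
        return (op, children), body[1:]
    if body[0] == "!":
        child, body = _parse(body[1:])
        if not body.startswith(")"):
            raise ValueError("unterminated !")
        return ("!", child), body[1:]
    item, _, rest = body.partition(")")
    attr, eq, value = item.partition("=")
    if not attr or not eq:
        raise ValueError("unsupported filter item: %r" % item)
    if value == "*":
        return ("present", attr.lower()), rest
    return ("eq", attr.lower(), _unescape(value).lower()), rest


def matches(node, entry):
    if node[0] in "&|":
        results = [matches(c, entry) for c in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[0] == "present" else node[2] in values


def get_rid_of_duplicate(results, cache_size):
    """Drop entries whose DN was already returned in this search. The DN cache is
    bounded by cache-size, so at most cache_size unique entries are returned."""
    seen = set()
    for entry in results:
        key = entry["dn"].lower()
        if key in seen:
            continue
        if len(seen) >= cache_size:
            return
        seen.add(key)
        yield entry


def render_dynamic_filter(template, bound_user, escape=True):
    """Replace each %attr% with the bound user's first value for that attribute."""
    def sub(m):
        value = bound_user[m.group(1).lower()][0]
        return escape_filter_value(value) if escape else value
    return PLACEHOLDER.sub(sub, template)


def hide_by_filter(results, hide_filter, bound_user, apply_for_admin=False):
    """Yield only entries matching hide_filter. Admin binds are exempt unless
    applyForAdmin is true; a dynamic filter whose attribute the bound user
    lacks is ignored, as the adapterNames description says."""
    if bound_user.get("admin") and not apply_for_admin:
        yield from results
        return
    if any(not bound_user.get(p.lower()) for p in PLACEHOLDER.findall(hide_filter)):
        yield from results
        return
    node = parse_filter(render_dynamic_filter(hide_filter, bound_user))
    for entry in results:
        if matches(node, entry):
            yield entry


# Constructed search results; the first DN appears twice.
RESULTS = [
    {"dn": "cn=ann,ou=people,dc=example,dc=com", "department": ["Sales"], "ou": ["CSR"]},
    {"dn": "cn=ann,ou=people,dc=example,dc=com", "department": ["Sales"], "ou": ["CSR"]},
    {"dn": "cn=bob,ou=people,dc=example,dc=com", "department": ["Engineering"]},
    {"dn": "cn=eve,ou=people,dc=example,dc=com", "department": ["*"]},
]


def search(bound_user, hide_filter, cache_size=1000000, apply_for_admin=False):
    """The chain: GetRidOfDuplicate first, then HideByFilter, then the client."""
    unique = get_rid_of_duplicate(RESULTS, cache_size)
    return [e["dn"] for e in hide_by_filter(unique, hide_filter, bound_user, apply_for_admin)]
```

Two behaviours from the table are visible in the model and worth testing against a real deployment: an administrator bind bypasses the filter unless applyForAdmin is true, and a dynamic filter whose attribute cannot be resolved for the bound user hides nothing.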

24.3 Adding the memberof User Attribute to person Entries

You can add the memberof user attribute to person entries. This is useful when you want applications to see group membership, but do not want them to perform secondary searches for those groups.

To define a VirtualMemberof workflow element, use the following configuration parameters:

  • searchBase: DN of the base to search for groups containing person entries.

  • explicitRequestOnly: True or False

    • True (default): Adds the memberof attribute to the entry only if the client explicitly requests it as a returned attribute.

    • False: Always adds the memberof attribute to the entry.

  • member-attribute-name: The name of the memberof attribute to add.

    Note:

    The default attribute name is chosen for compatibility with Oracle Virtual Directory.

    In Oracle Virtual Directory, memberOf is a user attribute (not an operational attribute). Its definition is:

    attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf'
      DESC 'The distinguished name of the groups to which this object belongs'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      X-ORIGIN 'Microsoft Active Directory' )
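The following is an added example, not OUD code: a model of how a VirtualMemberof-style element derives the memberof values of a person entry from the groups under searchBase, honouring explicitRequestOnly and member-attribute-name. The groups and the person are constructed; treating member and uniquemember as the membership attributes, and treating a request for "*" as not an explicit request, are assumptions of this model.

```python
"""Added example, not OUD code: how a VirtualMemberof-style element derives the
memberof values for a person from the groups under searchBase, honouring
explicitRequestOnly and member-attribute-name. Groups and person are constructed;
using member/uniquemember as membership attributes and treating "*" as not an
explicit request are assumptions of this model."""

SEARCH_BASE = "ou=groups,dc=example,dc=com"

GROUPS = [
    {"dn": "cn=admins,ou=groups,dc=example,dc=com",
     "member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
    {"dn": "cn=devs,ou=groups,dc=example,dc=com",
     "uniquemember": ["uid=jdoe,ou=people,dc=example,dc=com",
                      "uid=asmith,ou=people,dc=example,dc=com"]},
    {"dn": "cn=legacy,ou=old,dc=example,dc=com",       # outside searchBase: never reported
     "member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
]
PERSON = {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "uid": ["jdoe"], "cn": ["John Doe"]}


def _under(dn, base):
    return dn.lower().endswith("," + base.lower())


def groups_of(person_dn, groups, search_base=SEARCH_BASE):
    """DNs of the groups under search_base that list person_dn as a member."""
    target = person_dn.lower()
    return [g["dn"] for g in groups if _under(g["dn"], search_base)
            and any(m.lower() == target
                    for a in ("member", "uniquemember") for m in g.get(a, []))]


def virtual_memberof(person, groups, requested_attrs, explicit_request_only=True,
                     member_attribute_name="memberof"):
    """Return the person entry as the client would see it."""
    out = dict(person)
    requested = {a.lower() for a in requested_attrs}
    if explicit_request_only and member_attribute_name.lower() not in requested:
        return out   # not asked for by name: the entry is returned unchanged
    dns = groups_of(person["dn"], groups)
    if dns:
        out[member_attribute_name] = dns
    return out
```

The cn=legacy group lives outside searchBase and therefore never appears in memberof, which is the check to make when an application relies on this attribute for authorization: membership in groups stored elsewhere is simply invisible.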
    

24.4 Performing DN Renaming

You can view and modify the DN renaming configuration by using dsconfig commands.

24.4.1 Configuring DN Renaming

To configure DN renaming, you must first create a DN renaming workflow element and then you can modify the DN renaming properties.

You can modify the following DN renaming properties:

  • client base DN

  • source base DN

  • next workflow element

  • black list attributes

  • white list attributes

24.4.2 Creating a DN Renaming Workflow Element

To create a DN renaming workflow element, use the dsconfig create-workflow-element command.

For example:

$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \
 create-workflow-element \
 --type dn-renaming \
 --element-name RenameorgDN \
 --set client-base-dn:ou=myorg,dc=example,dc=com \
 --set next-workflow-element:load-bal-we1 \
 --set source-base-dn:ou=people,dc=example,dc=com \
 --set enabled:true 

where:

  • --set client-base-dn is the base DN that clients use, that is, the workflow entry point.

  • --set source-base-dn is the base DN that the entries actually have on the data source, that is, the base DN the entries must have after transformation at the workflow exit point.

  • --set next-workflow-element is the workflow element that follows the DN renaming workflow element in the proxy architecture. You can specify any type of workflow element here.

24.4.3 Modifying a DN Renaming Configuration

You can view and modify a DN renaming configuration by using the dsconfig commands.

  • To view the current DN renaming properties, use the dsconfig get-workflow-element-prop command.

  • To modify a DN renaming property, use the dsconfig set-workflow-element-prop command. For example,

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \
     set-workflow-element-prop \
     --element-name RenameorgDN \
     --set source-base-dn:ou=admin,dc=example,dc=com
    

    In the preceding example, only the source-base-dn is modified. There is no need to specify the old source base DN. Only the new one is required.

  • To create a black list of DN-syntax attributes whose values should not be renamed, use the dsconfig set-workflow-element-prop command. For example,

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \
      set-workflow-element-prop --element-name RenameorgDN \
      --set black-list-attributes:manager 
    

    The attribute must have DN syntax. Black-listed attributes keep their source DN values, so clients see the source naming context in them.

24.5 Performing RDN Changing Configuration

You can create an RDN changing workflow element with the dsconfig create-workflow-element command and then modify its RDN values.

24.5.1 Configuring RDN Changing

To change RDNs, you must first create an RDN Changing workflow element, and then you can modify the properties.

You can modify the following properties:

  • client RDN

  • source RDN

  • next workflow element

  • objectclass

  • dn attributes

  • replace-value


24.5.2 Creating an RDN Changing Workflow Element

To create an RDN Changing workflow element, use the dsconfig create-workflow-element command.

Use the following command to create an RDN changing workflow element:

dsconfig create-workflow-element \
          --set client-rdn:cn \
          --set enabled:true \
          --set next-workflow-element:localproxy \
          --set source-rdn:uid \
          --type rdn-changing \
          --element-name myrdnchangingwfe \
          --hostname localhost \
          --port "4444" \
          --trustAll \
          --bindDN cn=directory\ manager \
          --bindPasswordFile pwd-file \
          --no-prompt

where:

  • --set client-rdn indicates the RDN attribute that clients see, which is the workflow entry point.

  • --set source-rdn indicates the RDN attribute that the entries have on the data source, which is the workflow exit point.

  • --set next-workflow-element:localproxy indicates the workflow element that follows the RDN changing workflow element in the proxy architecture. This can be any type of workflow element.

    Note:

    You must create the Proxy LDAP workflow element with the parameters

    • remote-root-dn

    • remote-root-password

    The RDN Changing workflow element uses these credentials to perform internal searches on the remote server.

  • --element-name myrdnchangingwfe indicates the name of the RDN Changing workflow element you are creating.

    With this configuration, the source entry uid=user.1,ou=people,dc=example,dc=com is presented to clients as cn=User CN,ou=people,dc=example,dc=com, where User CN is the value of the entry's cn attribute.

24.5.3 Modifying RDN Values

After you have configured an RDN changing workflow element, you can view and modify RDN values by using dsconfig commands.

  1. To view the current RDN properties, use the dsconfig get-workflow-element-prop command.
  2. To change an RDN property, use the dsconfig set-workflow-element-prop command. For example, to set the source RDN attribute:
    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \
     set-workflow-element-prop \
     --element-name myrdnchangingwfe \
     --set source-rdn:uid
    

    In the preceding example, only the source-rdn is modified. There is no need to specify the old source-rdn. Only the new one is required.
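The following is an added example, not OUD code, covering both the DN renaming element (RenameorgDN) and the RDN changing element (myrdnchangingwfe) from the two preceding sections, with the page's settings: client-base-dn ou=myorg,dc=example,dc=com, source-base-dn ou=people,dc=example,dc=com and black-list-attributes manager; client-rdn cn and source-rdn uid. It shows the inbound (client to source) and outbound (source to client) rewrites, why a black-listed attribute leaks the source naming context, and why the RDN changing element needs an internal search on the remote server for inbound requests. The entries are constructed, the set of DN-syntax attributes is an assumption, and DNs are assumed to contain no escaped commas.

```python
"""Added example, not OUD code: a model of the DN renaming element RenameorgDN
and the RDN changing element myrdnchangingwfe from the two sections above,
using the page's settings (client-base-dn ou=myorg,dc=example,dc=com,
source-base-dn ou=people,dc=example,dc=com, black-list-attributes manager;
client-rdn cn, source-rdn uid). Entries are constructed, the set of DN-syntax
attributes is an assumption, and DNs are assumed to contain no escaped commas."""

CLIENT_BASE = "ou=myorg,dc=example,dc=com"
SOURCE_BASE = "ou=people,dc=example,dc=com"
BLACK_LIST = {"manager"}                                            # black-list-attributes
DN_SYNTAX_ATTRS = {"manager", "seealso", "member", "uniquemember"}  # assumed

# Constructed entries as they exist on the remote (source) server.
SOURCE = [
    {"dn": "uid=user.1,ou=people,dc=example,dc=com", "uid": ["user.1"], "cn": ["User CN"],
     "manager": ["uid=user.2,ou=people,dc=example,dc=com"],
     "seealso": ["uid=user.2,ou=people,dc=example,dc=com"]},
    {"dn": "uid=user.2,ou=people,dc=example,dc=com", "uid": ["user.2"], "cn": ["Boss CN"]},
]


def _ends_with(dn, base):
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def rename_dn(dn, from_base, to_base):
    """Swap the base of a DN; DNs outside from_base are returned unchanged."""
    if not _ends_with(dn, from_base):
        return dn
    return dn[: len(dn) - len(from_base)] + to_base


def dn_rename_inbound(client_dn):
    """Client -> source: a request for ou=myorg,... is forwarded to ou=people,..."""
    return rename_dn(client_dn, CLIENT_BASE, SOURCE_BASE)


def dn_rename_outbound(entry):
    """Source -> client: rename the entry DN and every DN-syntax attribute value,
    except attributes on the black list, which keep their source DN."""
    out = {"dn": rename_dn(entry["dn"], SOURCE_BASE, CLIENT_BASE)}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        if attr in DN_SYNTAX_ATTRS and attr not in BLACK_LIST:
            values = [rename_dn(v, SOURCE_BASE, CLIENT_BASE) for v in values]
        out[attr] = list(values)
    return out


def split_rdn(dn):
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return attr.lower(), value, parent


def rdn_change_outbound(entry, client_rdn="cn", source_rdn="uid"):
    """Source -> client: uid=user.1,... is shown as cn=User CN,... using the entry's cn."""
    attr, _, parent = split_rdn(entry["dn"])
    out = dict(entry)
    if attr == source_rdn and entry.get(client_rdn):
        out["dn"] = "%s=%s,%s" % (client_rdn, entry[client_rdn][0], parent)
    return out


def rdn_change_inbound(client_dn, source_entries, client_rdn="cn", source_rdn="uid"):
    """Client -> source: the client's RDN value is not part of the DN on the remote
    server, so the element must search the parent for (cn=value); this is the
    internal search the remote-root-dn credentials are needed for. Returns the
    source DN, or None when no entry matches."""
    attr, value, parent = split_rdn(client_dn)
    if attr != client_rdn:
        return client_dn
    for entry in source_entries:
        e_attr, _, e_parent = split_rdn(entry["dn"])
        if (e_attr == source_rdn and e_parent.lower() == parent.lower()
                and value.lower() in [v.lower() for v in entry.get(client_rdn, [])]):
            return entry["dn"]
    return None
```

In the model, seealso is rewritten into the client naming context while the black-listed manager keeps ou=people, which is exactly the effect of --set black-list-attributes:manager: use it only for attributes whose source DNs clients are meant to see.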

24.6 Configuring Transformations

You can configure transformations by using dsconfig and OUDSM.



Note:

For more information about transformations, see Understanding the Transformation Framework.

24.6.1 Understanding the Configuration Model

The transformation workflow element and transformations are the backbone entities for configuring transformation.

The transformation workflow element is a container that contains a list of references to transformations. One transformation can be reused by multiple transformation workflow elements. Conditions are properties (attributes) that you can set either on a transformation workflow element or on a transformation.

Note:

For detailed information about the various transformation types, conditions, and parameters that you can configure for a transformation workflow element, see Components of Transformation.

You cannot configure the order in which the transformations should work. For example, you define a transformation workflow element that uses transformation A and transformation B. But, you cannot determine if an entry is first processed by transformation A and then by transformation B. It can be B before A.

If you must define the order in which transformations should occur, for example transformation A should happen before transformation B, then it is recommended that you first create a transformation workflow element that uses transformation A. Next, create another transformation workflow element that uses transformation B. Then, place the second transformation workflow element after the first transformation workflow element.

Figure 24-1 illustrates a high-level configuration model.

Figure 24-1 Configuration Model

24.6.2 Configuring Transformation Using dsconfig

You can create transformations, a workflow element, add transformations, and associate conditions using the dsconfig CLI.

To configure transformations by using dsconfig:

  1. Create a first transformation of type filter-outbound-attribute.
    $ dsconfig create-transformation -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --set source-attribute:description \
    --type filter-outbound-attribute \
    --transformation-name fodescription
    
  2. Create another transformation of type add-outbound-attribute.
    $ dsconfig create-transformation -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --set client-attribute:legacyemail=%cn%.%sn%@mycompany.com \
    --type add-outbound-attribute \
    --transformation-name legacyemail
    
  3. Create the transformations workflow element with the legacyemail transformation, place it in front of the proxy workflow element pxywfe, and make it the first element of the workflow pxywf.
    $ dsconfig create-workflow-element -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --set transformation:legacyemail \
    --set next-workflow-element:pxywfe \
    --type transformations \
    --element-name trsfwfe
    
    $ dsconfig set-workflow-prop -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --workflow-name pxywf \
    --set workflow-element:trsfwfe
    
  4. Add the fodescription transformation to the workflow element.
    $ dsconfig set-workflow-element-prop -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --element-name trsfwfe \
    --add transformation:fodescription
    
  5. Restrict the workflow element so that its transformations apply only to entries under cn=users,dc=example.
    $ dsconfig set-workflow-element-prop -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --element-name trsfwfe \
    --set entry-parent-suffix:cn=users,dc=example
    
  6. Restrict it further so that the transformations apply only to entries located in Paris (l=Paris). Both conditions must hold for an entry to be transformed.
    $ dsconfig set-workflow-element-prop -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --element-name trsfwfe \
    --set entry-match-filter:l=Paris
    
  7. Create a mapping transformation and add it to the workflow element.
    $ dsconfig create-transformation -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --set client-attribute:faxnum=%facsimileTelephoneNumber% \
    --type map-attribute \
    --transformation-name mapfax
    
    $ dsconfig set-workflow-element-prop -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --element-name trsfwfe \
    --add transformation:mapfax
    
  8. Restrict this transformation alone to person entries. A condition set on a transformation is combined with the conditions of the workflow element that uses it.
    $ dsconfig set-transformation-prop -X -n -Q -p 4444 -D cn="directory manager" -j pwd-file \
    --transformation-name mapfax \
    --set entry-match-filter:\(objectclass=person\)
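As an added example (not OUD code), the following models the transformation workflow element built in steps 1 to 8 and applies it on the outbound (search result) path to constructed entries, so that the effect of the element-level conditions (steps 5 and 6), the transformation-level condition (step 8) and the chaining rule from the configuration model can be checked offline. Assumptions of the model: conditions on the element and on a transformation are ANDed, %attr% expands to the attribute's first value and the attribute is not added when a referenced attribute is missing, and map-attribute exposes the client name in place of the source name. OUD does not define the order in which one element applies its transformations, so the model never relies on that order and uses a second element when order matters.

```python
"""Added example, not OUD code: a model of the transformation workflow element
built in steps 1 to 8, applied on the outbound (search result) path to
constructed entries. Assumptions: conditions on the element and on a
transformation are ANDed, %attr% expands to the attribute's first value and the
attribute is not added when a referenced attribute is missing, and map-attribute
exposes the client name in place of the source name. OUD does not define the
order of transformations inside one element, so the model never relies on it."""

import re

PLACEHOLDER = re.compile(r"%([A-Za-z0-9;-]+)%")


def _under(dn, suffix):
    return dn.lower().endswith("," + suffix.lower())


def _matches(entry, flt):
    """Single equality filter, written as (objectclass=person) or l=Paris."""
    attr, _, value = flt.strip().strip("()").partition("=")
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]


def _conditions_hold(entry, cfg):
    """entry-parent-suffix and entry-match-filter, on an element or a transformation."""
    suffix, flt = cfg.get("entry_parent_suffix"), cfg.get("entry_match_filter")
    return (not suffix or _under(entry["dn"], suffix)) and (not flt or _matches(entry, flt))


def _expand(template, entry):
    missing = []

    def sub(m):
        values = entry.get(m.group(1).lower())
        if not values:
            missing.append(m.group(1))
            return ""
        return values[0]
    text = PLACEHOLDER.sub(sub, template)
    return None if missing else text


def apply_transformation(entry, t):
    if t["type"] == "filter-outbound-attribute":
        entry.pop(t["source_attribute"].lower(), None)
    else:  # add-outbound-attribute or map-attribute: client-attribute is "name=template"
        client_attr, _, template = t["client_attribute"].partition("=")
        value = _expand(template, entry)
        if value is not None:
            entry[client_attr.lower()] = [value]
            if t["type"] == "map-attribute":      # assumed: the source name is hidden
                for src in PLACEHOLDER.findall(template):
                    entry.pop(src.lower(), None)
    return entry


def apply_element(entry, element):
    """Element-level conditions gate every transformation in the element; each
    transformation's own conditions are checked on top of them."""
    out = {k: (v if k == "dn" else list(v)) for k, v in entry.items()}
    if _conditions_hold(out, element):
        for t in element["transformations"]:   # order inside one element is not guaranteed
            if _conditions_hold(out, t):
                apply_transformation(out, t)
    return out


def apply_chain(entry, elements):
    """Two elements in sequence give a guaranteed order; one element does not."""
    for element in elements:
        entry = apply_element(entry, element)
    return entry


FODESCRIPTION = {"type": "filter-outbound-attribute", "source_attribute": "description"}
LEGACYEMAIL = {"type": "add-outbound-attribute",
               "client_attribute": "legacyemail=%cn%.%sn%@mycompany.com"}
MAPFAX = {"type": "map-attribute", "client_attribute": "faxnum=%facsimileTelephoneNumber%",
          "entry_match_filter": "(objectclass=person)"}          # step 8
TRSFWFE = {"transformations": [LEGACYEMAIL, FODESCRIPTION, MAPFAX],
           "entry_parent_suffix": "cn=users,dc=example",          # step 5
           "entry_match_filter": "l=Paris"}                        # step 6
SECOND = {"transformations": [{"type": "add-outbound-attribute",
                               "client_attribute": "mail2=%legacyemail%"}]}

# Constructed entries; attribute names are stored lower-case.
PARIS_USER = {"dn": "cn=john,cn=users,dc=example", "objectclass": ["inetorgperson", "person"],
              "cn": ["john"], "sn": ["doe"], "l": ["Paris"], "description": ["internal"],
              "facsimiletelephonenumber": ["+33 1 00 00 00 00"]}
LONDON_USER = dict(PARIS_USER, dn="cn=jane,cn=users,dc=example", cn=["jane"], l=["London"])
PARIS_GROUP = {"dn": "cn=staff,cn=users,dc=example", "objectclass": ["groupofnames"],
               "cn": ["staff"], "l": ["Paris"], "description": ["group"],
               "facsimiletelephonenumber": ["+33 1 11 11 11 11"]}
```

The SECOND element depends on the legacyemail attribute that TRSFWFE adds; putting its transformation into TRSFWFE instead would work only if it happened to run after legacyemail, which is the ordering problem the configuration model section warns about.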

24.6.3 Configuring Transformations Using OUDSM

You can create, modify, and delete a transformation workflow element for Oracle Unified Directory proxy servers using OUDSM.

Note:

To create a transformation workflow element using dsconfig, see Configuring Transformation Using dsconfig.


24.6.3.1 Creating Transformations

If you are connected to an Oracle Unified Directory Proxy Server, then OUDSM allows you to create five different types of transformations.

For more information about the types of transformations supported, see Overview of Transformation Types.

Note:

If you are connected to an Oracle Unified Directory server instance, then the option to create a new Transformation is not available because transformation functionality is supported by proxy servers only.

To create a transformation using OUDSM:

  1. Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.

  2. Select the Configuration tab.

  3. Select the Core Configuration view.

  4. From the Create menu, select Transformation.

  5. From the Transformation submenu, select the desired transformation type.

    Figure 24-2 Transformation Types

    In this example, consider the following properties for an Outbound Attribute Addition transformation type.

    Note:

    The properties that appear while creating a transformation vary depending on the type of transformation you create. For more information about each transformation type and the associated properties, see Overview of Transformation Types.

  6. In the Name field, type the name for the transformation.

  7. In the Conditions region, enter the following information:

    Note:

    Conditions are optional. However, at runtime, conditions specified here at the transformation level are combined with those specified at the level of the transformation workflow element in which the transformation is used. For more information about transformation workflow elements, see Configuring Workflow Elements Using OUDSM.

    1. In the Entry Matching Filter field, type a valid LDAP filter.

    2. In the Entry Parent Suffixes box, click Add to specify a DN that must be an ancestor of the entry.

      To select an entry, click Select.

      In the Entry Picker window, select Tree View to navigate the directory tree and locate the entry, or Search View to search for the entry.

    3. From the Excluded Operations list, select the operations that you want to exclude.

  8. In the Transformation Definition region, enter the following information:

    1. In the Client Attribute field, type the name of the client virtual attribute.

      To select a client attribute entry, click Select.

      In the Attribute Picker window, locate the desired entry, or click Search to search for it.

    2. In the Value Definitions box, click Add to specify the value definitions of the client virtual attribute.

      Click Define to enter an appropriate value definition. For more information about specifying value definitions, see Selecting Values from Value Definition Screen.

  9. From the Conflict Behavior list, select the desired conflict behavior policy.

  10. Set Virtual in Source to Yes.

  11. Click Create.

24.6.3.2 Modifying Transformations

This section describes how to modify the properties for a transformation.

In this example, modify the properties for an Outbound Attribute Addition transformation type created in Creating Transformations.

To modify a transformation:

  1. Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
  2. Select the Configuration tab.
  3. Select the Core Configuration view.
  4. Expand the Transformations element.
  5. Click the desired transformation.

    Transformation configuration details appear for modification in the right pane.

  6. Modify the required information.
  7. Click Apply.

24.6.3.3 Deleting Transformations

This section describes the procedure to delete Transformation using OUDSM.

To delete a transformation:

  1. Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
  2. Select the Configuration tab.
  3. Select the Core Configuration view.
  4. Expand the Transformations element.
  5. Select the desired transformation to delete.

    The Delete configuration window appears seeking confirmation before deleting.

  6. Click OK.

24.6.3.4 Selecting Values from Value Definition Screen

The Value Definition Builder subscreen allows you to define a value for an attribute that is being added, mapped, or deleted by a transformation.

You can specify the following values:

  • Constant value: It is used to enter a constant value.

  • Value of another attribute: It is used to create a new attribute from an existing attribute in the entry that is being processed or to filter a value taken from another attribute.

  • Value of expression: It is used to create an attribute value or to filter an attribute value by manipulating the value of one or more existing attributes.

Figure 24-3 shows the Value Definition screen.

Figure 24-3 Value Definition Screen

24.7 Configuring SAML XASP

The dsconfig command allows you to create a new SAML XASP workflow element and also edit the properties of an existing workflow element.

24.7.1 Creating a New SAML XASP Workflow Element Using the dsconfig Command

The dsconfig create-workflow-element --type saml-xasp command allows you to create new SAML XASP workflow elements.

To create a new SAML XASP workflow element:
  1. Run the dsconfig create-workflow-element --type saml-xasp command:
    $ ./dsconfig create-workflow-element \
        --type saml-xasp \
        --set enabled:true \
        --set java-class:org.opends.server.workflowelement.ovdplugin.xasp.SamlXaspWorkflowElement \
        --element-name test01 \
        --set xasp-attribute-name:certificatedn \
        --set xasp-base-dn:dc=example,dc=com \
        --set xasp-contains-dn:dc=example,dc=com \
        --set xasp-ws-url:http://host01.example.com:7777/fed/ar/soap \
        --hostname host01.example.com \
        --port 6444 \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile /home/oracle/pwd.txt
    
    
    >>>> Configure the properties of the Saml Xasp Workflow Element
    
             Property             Value(s)
             ----------------------------------------------------------------------
        1)   enabled              true
        2)   java-class           org.opends.server.workflowelement.ovdplugin.xasp.
                                  SamlXaspWorkflowElement
        3)   xasp-attribute-name  certificatedn
        4)   xasp-base-dn         "dc=example,dc=com"
        5)   xasp-contains-dn     "dc=example,dc=com"
        6)   xasp-debug           false
        7)   xasp-index           -
        8)   xasp-response        -
        9)   xasp-reverse-dn      false
        10)  xasp-ttl             -
        11)  xasp-ws-url          http://host01.example.com:7777/fed/ar/soap
    
        ?)   help
        f)   finish - create the new Saml Xasp Workflow Element
        q)   quit
    
    Enter choice [f]: 
    
    The Saml Xasp Workflow Element was created successfully
    

    For more information on the configuration properties of the SAML XASP workflow element, see Configuration Parameters for SAML XASP Workflow Element.

24.7.2 Modifying the Properties of an Existing SAML XASP Workflow Element

The dsconfig set-workflow-element-prop command allows you to edit the properties of an existing SAML XASP workflow element.

To modify an existing SAML XASP property:
  1. Run the dsconfig set-workflow-element-prop command:
    $ ./dsconfig set-workflow-element-prop \
        --element-name test01 \
        --set xasp-attribute-name:certificatedn100 \
        --hostname host01.example.com \
        --port 6444 \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile /home/oracle/pwd.txt
    
    
    >>>> Configure the properties of the Saml Xasp Workflow Element
    
             Property             Value(s)
             ----------------------------------------------------------------------
        1)   enabled              true
        2)   java-class           org.opends.server.workflowelement.ovdplugin.xasp.
                                  SamlXaspWorkflowElement
        3)   xasp-attribute-name  certificatedn100
        4)   xasp-base-dn         "dc=example,dc=com"
        5)   xasp-contains-dn     "dc=example,dc=com"
        6)   xasp-debug           false
        7)   xasp-index           -
        8)   xasp-response        -
        9)   xasp-reverse-dn      false
        10)  xasp-ttl             -
        11)  xasp-ws-url          http://host01.example.com:7777/fed/ar/soap
    
        ?)   help
        f)   finish - apply any changes to the Saml Xasp Workflow Element
        q)   quit
    
    Enter choice [f]:  
    
    
    The Saml Xasp Workflow Element was modified successfully
    

    Note:

    In the preceding example, only the xasp-attribute-name property is modified. There is no need to specify the old XASP attribute name; only the new one is required.

    The example xasp-ws-url uses plain http. The workflow element sends its SAML attribute queries to that endpoint, so in a production deployment use an https URL for it so that the exchange is protected in transit.

24.8 Deploying ForkJoin Workflow Element Configuration Model

The dsconfig command allows you to create and configure a ForkJoin workflow element.

24.8.1 Understanding ForkJoin Workflow Element Configuration Model

Consider a scenario where you have two directory servers, oud1 and oud2. Here, oud1 is the primary participant and oud2 is the secondary participant. Data resides in both the primary participant and the secondary participant.

For this scenario, assume the following:

  • The primary participant namespace is dc=example,dc=com.

  • The secondary participant namespace is dc=example,dc=com.

  • The ForkJoin workflow element suffix is dc=forkjoin.

Before creating the ForkJoin workflow element, you must configure the participating workflow elements so that you can link to them from the ForkJoin workflow element configuration. For each directory, you must create a Proxy LDAP workflow element that is associated with a directory to retrieve information from that directory. For example, consider a scenario with two separate Proxy LDAP workflow elements:

  • The first Proxy LDAP workflow element, ProxyLDAPWorkFlowElement1, is linked to the primary participant of the ForkJoin workflow element configuration.

  • The second Proxy LDAP workflow element, ProxyLDAPWorkFlowElement2, is linked to the secondary participant of the ForkJoin workflow element configuration.

Note:

You can also configure an RDBMS workflow element as a primary or a secondary participant.

Assume oud3 is a proxy workflow element, which has a ForkJoin workflow element pointing to the preceding participants through ProxyLDAPWorkFlowElement1 (to oud1) and ProxyLDAPWorkFlowElement2 (to oud2). To learn how to deploy the ForkJoin workflow element configuration, see Implementing ForkJoin Workflow Element Configuration Model.

The following diagram provides a pictorial representation of the ForkJoin workflow element configuration model.

Figure 24-4 ForkJoin Workflow Element Configuration Model


The secondary-only-attributes property of the ForkJoin workflow element is set to title and the join rule is set to cn=cn. The data in the secondary participant, shown in the following table, has no description attribute.

The following table lists the data that resides in the primary participant and secondary participant.

Table 24-2 Data in Primary Participant and Secondary Participant

Each column below, with blank lines separating the entries, is a valid LDIF file for the corresponding ldapmodify step in Preparing For ForkJoin Workflow Element Configuration.

Data in Primary Participant (oud1):

dn: cn=Rock,dc=example,dc=com
objectclass: inetorgperson
cn: Rock
sn: Anne
givenname: Anne rock
telephonenumber: 54300

dn: cn=Sandy,dc=example,dc=com
objectclass: inetorgperson
cn: Sandy
sn: Ketty
manager: cn=Rock, dc=primary
telephonenumber: 54301

dn: cn=Rivry,dc=example,dc=com
objectclass: inetorgperson
cn: Rivry
sn: Rod
title: Trainee
manager: cn=Rock, dc=secondary
telephonenumber: 54303
description: Trainee for dept 543
departmentNumber: 543

dn: cn=Woods,dc=example,dc=com
objectclass: inetorgperson
cn: Woods
sn: Tent
description: User with no title

Data in Secondary Participant (oud2):

dn: cn=Rock,dc=example,dc=com
objectclass: inetorgperson
cn: Rock
sn: Anne
title: Manager

dn: cn=Sandy,dc=example,dc=com
objectclass: inetorgperson
cn: Sandy
sn: Ketty
title: SMTS

dn: cn=Rivry,dc=example,dc=com
objectclass: inetorgperson
cn: Rivry
sn: Rod
title: Trainee

dn: cn=Mounty,dc=example,dc=com
objectclass: inetorgperson
cn: Mounty
sn: Ret
title: MTS - dept_sec

24.8.2 Implementing ForkJoin Workflow Element Configuration Model

You can create and configure a ForkJoin workflow element to aggregate data from two data sources in real time by using the dsconfig command.

24.8.2.1 Preparing For ForkJoin Workflow Element Configuration

To deploy a ForkJoin workflow element configuration, you need to set up the OUD Directory Server instance and the OUD Proxy Server instance. You need to place a proxy server in front of the data sources that you want to join.

Set up the First OUD Instance (oud1)

  1. Run the oud-setup command to create the oud1 instance as follows:

    ./oud-setup --cli --baseDN "dc=example,dc=com" --addBaseEntry --adminConnectorPort 1444 --ldapPort 1389 \
    --rootUserDN "cn=Directory Manager" --rootUserPasswordFile pwd.txt --no-prompt --noPropertiesFile
  2. Populate the oud1 directory server instance with sample entries.

    1. Create an LDIF file (fj_oud1.ldif) with Data in Primary Participant as described in Understanding ForkJoin Workflow Element Configuration Model.

    2. Run the ldapmodify command to populate the oud1 instance with the entries in fj_oud1.ldif file.

      ./ldapmodify --hostname host01.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPasswordFile pwd.txt --defaultAdd --filename fj_oud1.ldif

Set up the Second OUD Instance (oud2)

  1. Run the oud-setup command to create the oud2 instance as follows:

    ./oud-setup --cli --baseDN "dc=example,dc=com" --addBaseEntry --adminConnectorPort 2444 --ldapPort 2389 \ 
    --rootUserDN "cn=Directory Manager" --rootUserPasswordFile pwd.txt --no-prompt --noPropertiesFile
  2. Populate the oud2 directory server instance with sample entries.

    1. Create an LDIF file (fj_oud2.ldif) with Data in Secondary Participant as described in Understanding ForkJoin Workflow Element Configuration Model.

    2. Run the ldapmodify command to populate the oud2 instance with the entries in fj_oud2.ldif file.

      ./ldapmodify --hostname host01.example.com --port 2389 --bindDN "cn=Directory Manager" --bindPasswordFile pwd.txt --defaultAdd --filename fj_oud2.ldif

Set up the OUD Proxy Server Instance (oud3)

  1. Run the oud-proxy-setup command to create a proxy server instance, oud3, as follows:

    ./oud-proxy-setup --cli --ldapPort 3389 --adminConnectorPort 3444 --rootUserDN "cn=Directory Manager" --rootUserPasswordFile pwd.txt
24.8.2.2 Configuring OUD Proxy Server For ForkJoin Workflow Element Configuration

To connect to a remote LDAP directory server, the Oracle Unified Directory proxy needs an LDAP server extension and an LDAP proxy workflow element.

An LDAP server extension holds the properties required to connect from the OUD proxy oud3 to a remote LDAP server (here oud1 and oud2). You create one LDAP server extension for oud1 and one for oud2, and reference them from the workflow elements later.

In addition, you create a Proxy LDAP workflow element for oud1 and one for oud2. These specify how requests are forwarded to the remote LDAP servers and which credentials are used (client-cred-mode:use-client-identity, used below, makes the proxy present the client's own identity to the remote server rather than a fixed proxy account).

The dsconfig commands below use --trustAll, which accepts the administration connector's certificate without verification. That is acceptable on a single lab host; in a production deployment, point dsconfig at a truststore that contains the connector's certificate (--trustStorePath) instead.

  1. Create an LDAP Server Extension (LDAPServerExtension1) that points to oud1.

    ./dsconfig create-extension \
        --set enabled:true \
        --set remote-ldap-server-address:host01.example.com \
        --set remote-ldap-server-port:1389 \
        --type ldap-server \
        --extension-name LDAPServerExtension1 \
        --hostname host01.example.com \
        --port 3444 \
        --trustAll \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  2. Create an LDAP Proxy workflow element (ProxyLDAPWorkFlowElement1) that points to oud1.

    ./dsconfig create-workflow-element \
        --set client-cred-mode:use-client-identity \
        --set enabled:true \
        --set ldap-server-extension:LDAPServerExtension1 \
        --type proxy-ldap \
        --element-name ProxyLDAPWorkFlowElement1 \
        --hostname host01.example.com \
        --port 3444 \
        --trustAll \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  3. Create an LDAP Server Extension (LDAPServerExtension2) that points to oud2.

    ./dsconfig create-extension \
        --set enabled:true \
        --set remote-ldap-server-address:host01.example.com \
        --set remote-ldap-server-port:2389 \
        --type ldap-server \
        --extension-name LDAPServerExtension2 \
        --hostname host01.example.com \
        --port 3444 \
        --trustAll \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  4. Create an LDAP Proxy workflow element (ProxyLDAPWorkFlowElement2) that points to oud2.

    ./dsconfig create-workflow-element \
        --set client-cred-mode:use-client-identity \
        --set enabled:true \
        --set ldap-server-extension:LDAPServerExtension2 \
        --type proxy-ldap \
        --element-name ProxyLDAPWorkFlowElement2 \
        --hostname host01.example.com \
        --port 3444 \
        --trustAll \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  5. Run the dsconfig command to view the server extensions.

    ./dsconfig -h host01.example.com -p 3444 -D "cn=Directory Manager" --bindPasswordFile pwd.txt -X -n list-extensions
  6. Run the dsconfig command to view the proxy LDAP workflow elements.

    ./dsconfig -h host01.example.com -p 3444 -D "cn=Directory Manager" --bindPasswordFile pwd.txt -X -n list-workflow-elements
24.8.2.3 Creating ForkJoin Workflow Element

You can create a ForkJoin workflow element using dsconfig command.

  1. Create workflow element of type fork-join for join-suffix dc=forkjoin.

    ./dsconfig create-workflow-element \
              --set enabled:true \
              --set join-suffix:dc=forkjoin \
              --set populate-joinedentrydn:true \
              --set secondary-only-attributes:title \
              --type fork-join \
              --element-name fjwe1 \
              --hostname host01.example.com \
              --port 3444 \
              --portProtocol LDAP \
              --trustAll \
              --bindDN cn=Directory\ Manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
  2. Create a workflow of type generic for join-suffix dc=forkjoin.

    ./dsconfig create-workflow \
              --set base-dn:dc=forkjoin \
              --set enabled:true \
              --set workflow-element:fjwe1 \
              --type generic \
              --workflow-name forkjoinwf \
              --hostname host01.example.com \
              --port 3444 \
              --portProtocol LDAP \
              --trustAll \
              --bindDN cn=Directory\ Manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
24.8.2.4 Configuring ForkJoin Workflow Element

You can configure the ForkJoin workflow element using dsconfig command.

  1. Create the Primary ForkJoin participant that is the link between the ForkJoin workflow element and oud1.

    ./dsconfig create-primary-fork-join-participant \
              --element-name fjwe1 \
              --set participant-dn:dc=example,dc=com \
              --set participating-workflow-element:ProxyLDAPWorkFlowElement1 \
              --type generic \
              --hostname host01.example.com \
              --port 3444 \
              --portProtocol LDAP \
              --trustAll \
              --bindDN cn=Directory\ Manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
  2. Create the Secondary ForkJoin participant that is the link between the ForkJoin workflow element and oud2.

    ./dsconfig create-secondary-fork-join-participant \
              --element-name fjwe1 \
              --set participant-dn:dc=example,dc=com \
              --set participating-workflow-element:ProxyLDAPWorkFlowElement2 \
              --set participants-join-rule:cn=cn \
              --type generic \
              --hostname host01.example.com \
              --port 3444 \
              --portProtocol LDAP \
              --trustAll \
              --bindDN cn=Directory\ Manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
  3. Configure the secondary-only-attributes property for the ForkJoin workflow element.

    ./dsconfig --hostname host01.example.com  --port 3444  --trustAll  --bindDN "cn=Directory Manager" \
    --bindPasswordFile pwd.txt --no-prompt set-workflow-element-prop --element-name fjwe1 --add secondary-only-attributes:description
  4. Attach the ForkJoin Workflow element (forkjoinwf) to the network group.

    ./dsconfig set-network-group-prop \
              --group-name network-group \
              --set workflow:forkjoinwf \
              --hostname host01.example.com \
              --port 3444 \
              --portProtocol LDAP \
              --trustAll \
              --bindDN cn=Directory\ Manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
24.8.2.5 Configuring ForkJoin Workflow Element Join Policy

ForkJoin workflow element supports standard-join, left-outer-join, and full-outer-join Join policies. Learn to configure the Join policy.

  1. Set the join-policy parameter to full-outer-join.

    ./dsconfig set-secondary-fork-join-participant-prop \
              --element-name fjwe1 \
              --set join-policy:full-outer-join \
              --hostname host01.example.com \
              --port 3444 \
              --portProtocol LDAP \
              --trustAll \
              --bindDN cn=Directory\ Manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
  2. Set the join-policy parameter to standard-join.

    ./dsconfig set-secondary-fork-join-participant-prop \
              --element-name fjwe1 \
              --set join-policy:standard-join \
              --hostname host01.example.com \
              --port 3444 \
              --portProtocol LDAP \
              --trustAll \
              --bindDN cn=Directory\ Manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
  3. Set the join-policy parameter to left-outer-join.

    ./dsconfig set-secondary-fork-join-participant-prop \
              --element-name fjwe1 \
              --set join-policy:left-outer-join \
              --hostname host01.example.com \
              --port 3444 \
              --portProtocol LDAP \
              --trustAll \
              --bindDN cn=Directory\ Manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
24.8.2.6 Validating ForkJoin Workflow Element Configuration

Learn to validate the ForkJoin workflow element configuration.

  1. To test the full-outer-join condition, run the ldapsearch command as follows:

    ./ldapsearch -h host01.example.com -p 3389 -D "cn=Directory Manager" -j pwd.txt -b "dc=forkjoin" -s sub "(|(sn=*e*)(title=*e*))" sn cn title
    cn=Rock,dc=forkjoin
    sn=Anne
    cn=Rock
    title=Manager
     
    cn=Sandy,dc=forkjoin
    sn=Ketty
    cn=Sandy
    title=SMTS
     
    cn=Woods,dc=forkjoin
    sn=Tent
    cn=Woods
     
    cn=Rivry,dc=forkjoin
    sn=Rod
    cn=Rivry
    title=Trainee
     
    cn=Mounty,dc=forkjoin
    sn=Ret
    cn=Mounty
    title=MTS - dept_sec
  2. To test the standard-join condition, run the ldapsearch as follows:

    ./ldapsearch -h host01.example.com -p 3389 -D "cn=Directory Manager" -j pwd.txt -b "dc=forkjoin" -s sub "(|(sn=*e*)(title=*e*))" sn cn title
    cn=Rock,dc=forkjoin
    sn=Anne
    cn=Rock
    title=Manager
     
    cn=Sandy,dc=forkjoin
    sn=Ketty
    cn=Sandy
    title=SMTS
     
    cn=Woods,dc=forkjoin
    sn=Tent
    cn=Woods
  3. To test the left-outer-join condition, run the ldapsearch as follows:

    ./ldapsearch -h host01.example.com -p 3389 -D "cn=Directory Manager" -j pwd.txt -b "dc=forkjoin" -s sub "(|(sn=*e*)(title=*e*))" sn cn title
    cn=Rock,dc=forkjoin
    sn=Anne
    cn=Rock
    title=Manager
     
    cn=Sandy,dc=forkjoin
    sn=Ketty
    cn=Sandy
    title=SMTS
     
    cn=Woods,dc=forkjoin
    sn=Tent
    cn=Woods
     
    cn=Rivry,dc=forkjoin
    sn=Rod
    cn=Rivry
    title=Trainee
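
The three join policies differ only in which entries survive the join, which is easy to misread from the raw ldapsearch output. The following Python program, added here as an example and not part of Oracle Unified Directory, replays the dc=forkjoin subtree search of the validation steps in memory over the Table 24-2 data under each join-policy value. The policy semantics it encodes are inferred from the expected ldapsearch output on this page and are an assumption, not a description of the product's internals: standard-join evaluates only the filter terms on attributes that are not secondary-only, against the primary participant; left-outer-join additionally returns primary entries whose secondary counterpart matches the full filter; full-outer-join additionally returns secondary entries that have no primary counterpart. The PRIMARY and SECONDARY dictionaries are constructed from the table.

```python
"""Replay of the dc=forkjoin subtree search of 24.8.2.6 under each join-policy.
Example code added to this page; not Oracle Unified Directory code. The policy
semantics below are inferred from the page's expected output (assumption)."""
from fnmatch import fnmatchcase

# Participant data constructed from Table 24-2, keyed by the join attribute cn.
PRIMARY = {
    "Rock":  {"sn": ["Anne"], "givenname": ["Anne rock"], "telephonenumber": ["54300"]},
    "Sandy": {"sn": ["Ketty"], "manager": ["cn=Rock, dc=primary"],
              "telephonenumber": ["54301"]},
    "Rivry": {"sn": ["Rod"], "title": ["Trainee"], "manager": ["cn=Rock, dc=secondary"],
              "telephonenumber": ["54303"], "description": ["Trainee for dept 543"],
              "departmentNumber": ["543"]},
    "Woods": {"sn": ["Tent"], "description": ["User with no title"]},
}
SECONDARY = {
    "Rock":   {"sn": ["Anne"], "title": ["Manager"]},
    "Sandy":  {"sn": ["Ketty"], "title": ["SMTS"]},
    "Rivry":  {"sn": ["Rod"], "title": ["Trainee"]},
    "Mounty": {"sn": ["Ret"], "title": ["MTS - dept_sec"]},
}
SECONDARY_ONLY = {"title", "description"}   # value after steps 1 and 3 of 24.8.2.4
JOIN_SUFFIX = "dc=forkjoin"
POLICIES = ("standard-join", "left-outer-join", "full-outer-join")

# The page's filter (|(sn=*e*)(title=*e*)) as OR-ed (attribute, substring glob) terms.
FILTER = [("sn", "*e*"), ("title", "*e*")]


def matches(entry, terms):
    """True if any OR term matches any value of its attribute."""
    return any(fnmatchcase(value, pattern)
               for attr, pattern in terms
               for value in entry.get(attr, []))


def join_entry(cn, primary, secondary):
    """Virtual entry under the join suffix: the primary attributes, minus the
    secondary-only ones, merged with the secondary attributes."""
    attrs = {"cn": [cn]}
    for source, skipped in ((primary, SECONDARY_ONLY), (secondary, set())):
        for attr, values in (source or {}).items():
            if attr in skipped:
                continue
            merged = attrs.setdefault(attr, [])
            merged.extend(v for v in values if v not in merged)
    return {"dn": f"cn={cn},{JOIN_SUFFIX}", **attrs}


def search(policy, terms=FILTER):
    """Entries a subtree search under dc=forkjoin returns for the given policy.

    Assumed semantics:
      standard-join   : only the terms on non-secondary-only attributes count,
                        evaluated against the primary participant
      left-outer-join : plus primary entries whose secondary counterpart matches
                        the full filter
      full-outer-join : plus secondary entries that have no primary counterpart
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown join-policy: {policy}")
    primary_terms = [(a, p) for a, p in terms if a not in SECONDARY_ONLY]
    results = [join_entry(cn, p, SECONDARY.get(cn))
               for cn, p in PRIMARY.items() if matches(p, primary_terms)]
    if policy == "standard-join":
        return results
    found = {e["cn"][0] for e in results}
    for cn, p in PRIMARY.items():
        s = SECONDARY.get(cn)
        if cn not in found and s is not None and matches(s, terms):
            results.append(join_entry(cn, p, s))
    if policy == "full-outer-join":
        results.extend(join_entry(cn, None, s) for cn, s in SECONDARY.items()
                       if cn not in PRIMARY and matches(s, terms))
    return results


def project(entries, attributes=("sn", "cn", "title")):
    """Keep only the attributes named on the ldapsearch command line."""
    return [{"dn": e["dn"], **{a: e[a] for a in attributes if a in e}}
            for e in entries]


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"== {policy} ==")
        for entry in project(search(policy)):
            print(entry)
```

Running the block prints, per policy, the same five, three and four entries as the ldapsearch output above. Note that Rivry's description and primary-side title never appear in the joined entry because both attributes are declared secondary-only, and Woods has no title at all because it has no secondary counterpart.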

24.9 Configuring DynamicGroup Workflow Element

You can configure DynamicGroup Workflow Element by using dsconfig.

24.9.1 Understanding DynamicGroup Workflow Element Configuration Model

Learn about the DynamicGroup Workflow Element Configuration.

The following diagram illustrates the DynamicGroup Workflow Element configuration:

In this configuration, a Proxy LDAP workflow element is created for each backend directory and retrieves information from that directory. Depending on the base DN of a request, the network group routes a search to workflow dgw or p2w. The DynamicGroups workflow element sits on top of a Proxy LDAP workflow element and talks to the directory server through it.

In this scenario, assume the following:

  • oud1 is associated with a ProxyLDAPWorkflowElement pwe1 with suffix dc=p1.

  • oud2 is associated with ProxyLDAPWorkflowElement pwe2 with suffix dc=p2

  • oud3 is OUD proxy server which front-ends OUD1 and OUD2 above using ProxyLDAPWorkflowElement pwe1 and pwe2 respectively. DynamicGroupsWorkflowElement is configured on top of ProxyLDAPWorkflowElement pwe1 in order to handle the processing of Dynamic groups present in oud1.

  • LDAPExt1 and LDAPExt2 are LDAPServerExtensions.

24.9.2 Implementing DynamicGroup Workflow Element Configuration Model

Learn how to implement DynamicGroup Workflow element configuration.

24.9.2.1 Setting up OUD Instances to Configure DynamicGroups Workflow Element

You need to setup OUD proxy and OUD instances to configure dynamic groups.

  1. Run oud-setup to create an instance oud1 with baseDN dc=p1.
    ./oud-setup --cli --no-prompt --hostname localhost --ldapPort 2389 --rootUserDN "cn=Directory Manager" --rootUserPasswordFile pwd.txt --baseDN dc=p1 --adminConnectorPort 2444
  2. Run oud-setup to create another instance oud2 with baseDN dc=p2.
    ./oud-setup --cli --no-prompt --hostname localhost --ldapPort 3389 --rootUserDN "cn=Directory Manager" --rootUserPasswordFile pwd.txt --baseDN dc=p2 --adminConnectorPort 3444
  3. Run oud-proxy-setup to create a proxy server instance oud3.
    ./oud-proxy-setup --cli --adminConnectorPort 4444 --ldapPort 4389 --rootUserDN "cn=Directory Manager" --rootUserPasswordFile pwd.txt --no-prompt --noPropertiesFile
24.9.2.2 Configuring Proxy LDAP Workflow Element and DynamicGroups Workflow Against First OUD Instance

Learn how to configure the Proxy LDAP Workflow Element and dynamic groups Workflow Element against oud1.

Run the following commands to create an LDAP server extension, a Proxy LDAP workflow element, a DynamicGroups workflow element and a workflow, and to associate the workflow with the network group.
  1. Run dsconfig create-extension to create an LDAP server extension.
    ./dsconfig create-extension \
        --set enabled:true \
        --set remote-ldap-server-address:host01.example.com \
        --set remote-ldap-server-port:2389 \
        --type ldap-server \
        --extension-name LdapExt1 \
        --hostname host01.example.com \
        --port 4444 \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  2. Run dsconfig create-workflow-element to create an ldap proxy workflow element that points to oud1.
    ./dsconfig create-workflow-element \
        --set client-cred-mode:use-client-identity \
        --set enabled:true \
        --set ldap-server-extension:LdapExt1 \
        --set remote-ldap-server-bind-dn:"cn=Directory Manager" \
        --set remote-ldap-server-bind-password:pwd.txt \
        --type proxy-ldap \
        --element-name pwe1 \
        --hostname host01.example.com \
        --port 4444 \
        --portProtocol LDAP \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  3. Run dsconfig create-workflow-element with global-search parameter set to true and user-search-base set to dc=p2.
    ./dsconfig create-workflow-element \
        --set enabled:true \
        --set next-workflow-element:pwe1 \
        --set global-search:true \
        --set user-search-base:dc=p2 \
        --type dynamic-groups \
        --element-name dgwe \
        --hostname host01.example.com \
        --port 4444 \
        --portProtocol LDAP \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  4. Run dsconfig create-workflow to create a generic workflow with name dgw and base-dn set to dc=p1.
    ./dsconfig create-workflow \
        --set enabled:true \
        --set base-dn:dc=p1 \
        --set workflow-element:dgwe \
        --type generic \
        --workflow-name dgw \
        --hostname host01.example.com \
        --port 4444 \
        --portProtocol LDAP \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  5. Run set-network-group-prop to add workflow dgw.
    ./dsconfig set-network-group-prop \
        --group-name network-group \
        --set workflow:dgw \
        --hostname host01.example.com \
        --port 4444 \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  6. Run an ldapsearch against the proxy to verify the configuration with base dc=p1.
    ./ldapsearch -h host01.example.com -p 4389 -D "cn=Directory Manager" -j pwd.txt -s sub -b dc=p1 "(objectclass=*)" uid
24.9.2.3 Configuring LDAP Proxy Workflow Element Against Second OUD Instance

Learn how to configure Proxy LDAP Workflow Element against oud2 with dc=p2.

  1. Run dsconfig create-extension to create an LDAP server extension LDAPext2 that points to oud2.
    ./dsconfig create-extension \
        --set enabled:true \
        --set remote-ldap-server-address:host01.example.com \
        --set remote-ldap-server-port:3389 \
        --type ldap-server \
        --extension-name LDAPext2 \
        --hostname host01.example.com \
        --port 4444 \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  2. Create a Proxy LDAP workflow element pwe2 that points to oud2 (the workflow created in the next step references this element by name).
    ./dsconfig create-workflow-element \
        --set client-cred-mode:use-client-identity \
        --set enabled:true \
        --set ldap-server-extension:LDAPext2 \
        --set remote-ldap-server-bind-dn:"cn=Directory Manager" \
        --set remote-ldap-server-bind-password:pwd.txt \
        --type proxy-ldap \
        --element-name pwe2 \
        --hostname host01.example.com \
        --port 4444 \
        --portProtocol LDAP \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  3. Create a workflow p2w for dc=p2.
    ./dsconfig create-workflow \
        --set enabled:true \
        --set base-dn:dc=p2 \
        --type generic \
        --set workflow-element:pwe2 \
        --workflow-name p2w \
        --hostname host01.example.com \
        --port 4444 \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  4. Run set-network-group-prop to add the workflow p2w.
    ./dsconfig set-network-group-prop \
        --group-name network-group \
        --add workflow:p2w \
        --hostname host01.example.com \
        --port 4444 \
        --bindDN "cn=Directory Manager" \
        --bindPasswordFile pwd.txt \
        --no-prompt
  5. Run an ldapsearch against the OUD proxy server with base dc=p2. The results are now drawn from oud2 as well, because oud2 is linked to the proxy through the Proxy LDAP workflow element and the workflow is attached to the network group.
    ./ldapsearch -h host01.example.com -p 4389 -D "cn=Directory Manager" -j pwd.txt -s sub -b dc=p2 "(objectclass=*)" uid

24.9.3 Testing the DynamicGroup Workflow Element Configuration

Learn how to test the dynamic group workflow configuration.

The following sections describe how to test the dynamic groups configuration:

24.9.3.1 Testing DynamicGroups with and without expanding memberURL attribute

Learn how to test dynamic groups with and without expanding memberURL attribute.

Perform the following steps to check the LDAP entries based on memberURL attribute expansion:
  1. Assume the following LDAP entry in an LDIF file.
    dn:cn=admingroup,dc=groups,dc=acme,dc=com
    uniqueMember:cn=mark,cn=users,dc=acme,dc=com
    memberURL:ldap:///cn=users,dc=acme,dc=com??sub?(|(cn=john)(cn=smith))
    objectClass:groupOfUniqueNames
    objectClass:groupOfUrls
  2. The following LDAP search returns the entry as is; without expanding the memberURL value. The query matches the dynamic group entry, as it has cn=mark,cn=users,dc=acme,dc=com as a static group member via uniqueMember attribute.
    Base DN: dc=groups,dc=acme,dc=com
    Scope:sub
    Filter:uniqueMember=cn=mark,cn=users,dc=acme,dc=com
  3. However, if you execute the following LDAP search, the Dynamic Group workflow returns the following LDAP entry with the cn=john value in uniqueMember.
    Base DN: dc=groups,dc=acme,dc=com
    Scope:sub
    Filter:uniquemember=cn=john,cn=users,dc=acme,dc=com
    dn:cn=admingroup,dc=groups,dc=acme,dc=com
    uniqueMember:cn=mark,cn=users,dc=acme,dc=com
    uniqueMember:cn=john,cn=users,dc=acme,dc=com
    memberURL:ldap:///cn=users,dc=acme,dc=com??sub?(|(cn=john)(cn=smith))
    objectClass:groupOfUniqueNames
    objectClass:groupOfUrls
    In this query the search filter does not match the dynamic group entry as it does not have cn=john,cn=users,dc=acme,dc=com defined as a static group member. But since the query does not return any results, the DynamicGroups workflow element processes all the dynamic groups by expanding their memberURL attributes to check if any of them match the search filter. It finds that admingroup entry (after expanding memberURL) matches the search filter, so returns it.

Note:

If the dynamic group entry carries both objectclass groupOfUniqueNames and objectclass groupOfUrls (two structural object classes), set the advanced global property single-structural-objectclass-behavior to accept, using the --advanced option, as follows:

./dsconfig set-global-configuration-prop --set single-structural-objectclass-behavior:accept --advanced

To configure the single-structural-objectclass-behavior:accept parameter, see "single-structural-objectclass-behavior" in the Configuration Reference for Oracle Unified Directory.

24.9.3.2 Testing Group Membership

The DynamicGroups workflow element recognizes a membership test query by the presence of both a cn and a uniqueMember filter term. When both are present, the workflow element processes the query differently, because the client wants to test a membership assertion rather than list the group: it modifies the result and returns only the single user being tested as the member, which also avoids sending the entire expanded membership back to the client.

  1. Run the following ldapsearch to test the group membership:
    ./ldapsearch -D bindDN -q -b ou=groups,ou=airius,o=yourcompany.com -s sub "(&(cn=TestCheck)(uniquemember=cn=Jim Ward,ou=accounting,o=yourcompany.com))"

    dn: cn=TestCheck,ou=groups,ou=airius,o=yourcompany.com
    memberURL: ldap:///ou=accounting,o=yourcompany.com??sub?(cn=*)
    objectClass: groupOfUniqueNames
    objectClass: groupOfUrls
    cn: TestCheck
    uniqueMember: cn=Jim Ward,ou=accounting,o=yourcompany.com
In the above example, the search returns the group entry with only the single tested user, cn=Jim Ward, in its uniqueMember attribute.
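
The two behaviours described in Testing DynamicGroups with and without expanding memberURL attribute and in Testing Group Membership are easier to reason about with a model that can be run. The following Python program is an example added to this page; it is not Oracle Unified Directory code and does not reproduce the product's implementation. It parses a memberURL as an RFC 4516 LDAP URL, evaluates a minimal RFC 4515 filter against in-memory entries, expands the group, and applies the three rules the page states: search the stored group entries first; if nothing matches, expand each dynamic group's memberURL and search again; and, when the filter carries both a cn and a uniqueMember term, return only the tested DN as the member. The USERS and GROUPS entries are constructed (the group is the page's admingroup; the users are invented, and cn=smith deliberately does not exist so that the expanded entry lists only mark and john, as in the page's output).

```python
"""Dynamic group handling as 24.9.3 describes it: memberURL expansion, the
retry-after-expansion search and the membership test. Example code added to
this page; not Oracle Unified Directory code. Directory content is constructed."""
import re
from fnmatch import fnmatchcase


def norm_dn(dn):
    """Canonical DN for comparison: lower case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_member_url(url):
    """Split an RFC 4516 LDAP URL, ldap://[host]/base?attrs?scope?filter."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL")
    _host, _, rest = url[len("ldap://"):].partition("/")
    base, attrs, scope, filt = (rest.split("?", 3) + [""] * 3)[:4]
    return {"base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def parse_filter(text):
    """Minimal RFC 4515 parser (&, |, !, attr=value with * wildcards) that returns
    a predicate over {attribute: [values]} dicts. DN values compare normalized."""
    pos = 0

    def term(attr, pattern):
        def pred(entry):
            for key, values in entry.items():
                if key != "dn" and key.lower() == attr:
                    for v in values:
                        if fnmatchcase(v.lower(), pattern) or norm_dn(v) == norm_dn(pattern):
                            return True
            return False
        return pred

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(parse())
            pred = {"&": lambda e: all(s(e) for s in subs),
                    "|": lambda e: any(s(e) for s in subs),
                    "!": lambda e: not subs[0](e)}[op]
        else:
            end = text.index(")", pos)      # values containing ')' are not handled
            attr, _, pattern = text[pos:end].partition("=")
            pred = term(attr.strip().lower(), pattern.strip().lower())
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return pred

    pred = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return pred


def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unknown scope: {scope}")


def ldap_search(entries, base, scope, filter_text):
    pred = parse_filter(filter_text)
    return [e for e in entries if in_scope(e["dn"], base, scope) and pred(e)]


def expand_group(group, users):
    """Copy of the group whose uniqueMember also lists every user selected by its
    memberURL values (static members first, no duplicates)."""
    members = list(group.get("uniqueMember", []))
    for url in group.get("memberURL", []):
        u = parse_member_url(url)
        for hit in ldap_search(users, u["base"], u["scope"], u["filter"]):
            if norm_dn(hit["dn"]) not in {norm_dn(m) for m in members}:
                members.append(hit["dn"])
    return {**group, "uniqueMember": members}


def membership_test_dn(filter_text):
    """DN under test when the filter has both a cn and a uniqueMember term, else None."""
    has_cn = re.search(r"\(cn=[^)]+\)", filter_text, re.I)
    member = re.search(r"\(uniquemember=([^)]+)\)", filter_text, re.I)
    return member.group(1) if has_cn and member else None


def dynamic_group_search(groups, users, base, scope, filter_text):
    """Stored entries first; expand and retry on no match; membership test returns
    only the tested DN as uniqueMember."""
    hits = ldap_search(groups, base, scope, filter_text)
    if not hits:
        expanded = [expand_group(g, users) if "memberURL" in g else g for g in groups]
        hits = ldap_search(expanded, base, scope, filter_text)
    tested = membership_test_dn(filter_text)
    return [{**h, "uniqueMember": [tested]} for h in hits] if tested else hits


# Constructed directory content: the page's admingroup plus invented users.
USERS = [{"dn": "cn=mark,cn=users,dc=acme,dc=com", "cn": ["mark"]},
         {"dn": "cn=john,cn=users,dc=acme,dc=com", "cn": ["john"]},
         {"dn": "cn=alice,cn=users,dc=acme,dc=com", "cn": ["alice"]}]
GROUPS = [{"dn": "cn=admingroup,dc=groups,dc=acme,dc=com", "cn": ["admingroup"],
           "uniqueMember": ["cn=mark,cn=users,dc=acme,dc=com"],
           "memberURL": ["ldap:///cn=users,dc=acme,dc=com??sub?(|(cn=john)(cn=smith))"],
           "objectClass": ["groupOfUniqueNames", "groupOfUrls"]}]
GROUP_BASE = "dc=groups,dc=acme,dc=com"

if __name__ == "__main__":
    for flt in ("(uniqueMember=cn=mark,cn=users,dc=acme,dc=com)",
                "(uniquemember=cn=john,cn=users,dc=acme,dc=com)",
                "(&(cn=admingroup)(uniquemember=cn=john,cn=users,dc=acme,dc=com))"):
        print(flt, "->", dynamic_group_search(GROUPS, USERS, GROUP_BASE, "sub", flt))
```

The first filter matches the stored entry through the static uniqueMember value and the group is returned as is; the second only matches after expansion, so the returned entry carries both mark and john; the third is a membership test and comes back with john as the only uniqueMember value. DN comparison goes through norm_dn so that a filter written with different case or spacing around commas still matches, which is how an LDAP server would compare distinguished-name values.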