AppNote: Using IDM to Synchronize with Oracle Internet Directory and Integrate Multiple Oracle Databases
Novell Cool Solutions: AppNote
By Michel Bluteau
Posted: 23 Sep 2005
Novell Identity Manager, Oracle Internet Directory, and Enterprise User and Role:
How to Synchronize with Multiple Oracle Database Servers
The goal of this article is to provide an enterprise solution for synchronizing multiple Oracle Databases (dictionary or catalog) through Oracle Internet Directory and LDAP. This is an alternative to using multiple JDBC drivers (one per database).
Note: This article assumes you already have the following in place; it is recommended to first read the other two articles in this series, which cover setting them up:
- One (or more) Oracle Database server 9i or above (I am using 10g). If you want to set up a new server, you can look at my article on setting up an Oracle 10g Database on SUSE Linux Enterprise Server 9.
- One Oracle Application Server 10g. Again, if you want to set up a new server, you can look at my article on setting up Oracle Application Server 10g on SUSE Linux Enterprise Server 9.
We will first configure Enterprise User and Role. This is required in order to be able to leverage OID (Oracle Internet Directory) for global management of Users and Roles. While there are multiple sources of information and documentation on how to implement Enterprise User and Role, I decided to include the information in this document in order to get everything in one place.
Then we will set up the DirXML (aka Identity Manager) LDAP driver for OID.
Configuring the Enterprise User and Role
Setting Up Directory Usage
1. Start Oracle Net Configuration Assistant while logged in as Oracle on your Oracle Database server.
Figure 1: Starting Oracle Net Configuration Assistant
2. Select Directory Usage Configuration, then click Next.
Figure 2: Directory Usage Configuration
3. Select Oracle Internet Directory, then click Next.
Figure 3: Oracle Internet Directory
If you use OID Manager on your Application Server, you can find out what the non-SSL port is, e.g., 3060.
Figure 4: Determining the non-SSL port
You can also find the SSL port, e.g., 3130, and other settings.
Figure 5: SSL, other ports, other settings.
4. In Oracle Net Configuration Assistant, enter the hostname and both ports. Make sure DNS (or the hosts file on each machine) resolves both of your Oracle servers.
Figure 6: Entering the Hostname and ports
5. Select the context you want to use as the default Oracle Context.
Figure 7: Selecting the Oracle context
The connectivity between your Database server and the OID server should now be complete. The Oracle Net Configuration Assistant will complete the setup of Directory Usage.
Figure 8: Completed setup of Directory Usage
6. Click Finish to exit.
Figure 9: Finishing the setup
Setting Database Options
1. Start the Database Configuration Assistant from the Database server.
Figure 10: Starting the Database Configuration Assistant
2. Click Next.
Figure 11: Database Configuration Assistant
3. Select Configure Database Options, then click Next.
Figure 12: Selecting Configure Database Options
4. Select the Database you want to configure, then click Next.
Figure 13: Selecting the database
5. Enter the user DN and password for cn=orcladmin for OID. You can use the same password for the Wallet Password.
Figure 14: Entering the user DN and password
6. Click Finish to launch the registration.
Figure 15: Database Components page
7. Click OK to register the database.
Figure 16: Registering the database
The Progress screen for the registration process appears.
Figure 17: Progress screen for registration
The registration should have completed successfully.
8. Click No to continue.
Figure 18: Completing the registration
Configuring the Database Schema Mapping
We now need to configure the database schema mapping.
1. Start a tool like SQL*Plus or SQL*Plus Worksheet.
Figure 19: Starting a tool for database schema mapping
2. Authenticate against your database with sys as SYSDBA.
Figure 20: Authenticating as SYSDBA
Here is a sample SQL*Plus worksheet.
Figure 21: SQL*Plus Worksheet
3. Create a user called guest (or any name you want to use).
Figure 22: Creating a user
4. Grant the CREATE SESSION privilege to guest.
Figure 23: Granting CREATE SESSION to guest
5. Start Enterprise Security Manager from your Database server.
Figure 24: Starting Enterprise Security Manager
6. Authenticate against Oracle Internet Directory using cn=orcladmin.
Figure 25: Authenticating against Oracle Internet Directory
7. The Enterprise Security Manager window appears.
Figure 26: Enterprise Security Manager
8. Navigate down to OracleDefaultDomain.
9. Select the Database Schema Mapping tab, then click Add.
Figure 27: Selecting the Database Schema Mapping
10. Browse to your cn=Users context, type guest for the Schema, and click OK.
Figure 28: Mapping the cn=Users context to the guest schema
This mapping enables all the users under this context to connect to the database.
Figure 29: Enabling user connections
You should now see this result. Click Apply to continue.
Figure 30: Continuing the connection process
Creating a User
1. Create a new user (with a password) in OID under our cn=Users context.
Figure 30: Creating a new user
2. You should be able to connect to the database using a tool like sqlplus with your new user.
Figure 31: Connecting to the database with your new user
3. Run the query "select user from dual". The result is guest, because the guest schema is being used as a proxy for the OID user.
Figure 32: Obtaining the guest
4. Enter the command below to obtain the distinguished name for your OID user.
Figure 33: Obtaining the distinguished name
At this point, you have set up a basic configuration for Enterprise User.
Figure 34: Basic configuration for Enterprise User
5. Using SQL*Plus connected as system, you can create a new global user and grant him or her the connect privilege.
Figure 35: Creating a new global user with the connect privilege
Creating a Global Role
1. Create a new global role and grant the create session privilege to it.
Figure 35: Creating a global role with the create session privilege
2. Go back to ESM and select the OracleDefaultDomain object.
Figure 36: Selecting the OracleDefaultDomain object
3. From Operations (or a right-click) select Create Enterprise Role.
Figure 37: Selecting the Create Enterprise Role
4. You should now see the new Enterprise Role. Click Add to add a database role.
Figure 38: Adding a database role
5. Select the database instance from which you want to add the global role.
Figure 39: Selecting the database instance for the global role
6. Authenticate against the database using "system".
Figure 40: Authenticating
7. Select the database global role you want to map with the enterprise role.
Figure 41: Selecting the database global role
You should now see the association between your new enterprise role and the database global role.
Figure 42: Association of new enterprise role and database global role
8. To add Users or OID Groups to the enterprise role, click Add from the Users page.
Figure 43: Adding Users or OID Groups to the enterprise role
9. Navigate to your cn=Users context, type the name of your user, click Search Now, and then select your user in the bottom box.
Figure 44: Selecting your user
10. You should now see your user in the Users box. Click Apply to continue.
Figure 45: User displaying in the Users box
11. In Oracle Directory Manager, select the cn=Groups context under your domain structure. Make sure you select the right one.
Figure 46: Select the cn=Groups context under your domain structure
12. Create a new Group object, with the above Object Classes.
Figure 47: Creating a new Group object
13. Add your user to the uniqueMember attribute for your new group.
Figure 48: Adding user to the uniqueMember attribute
14. Click Apply to see your Group object.
Figure 49: Group object
15. In ESM, select your enterprise role and click Add from the Users page.
Figure 50: Adding the enterprise role
16. Select your Group object. This illustrates a second way to grant an enterprise role (associated with one or more database roles) to a user - this time indirectly, through a Group object.
Figure 51: Granting an enterprise role by selecting a Group object
17. You should now see this result. Click Apply to continue.
Figure 52: Results of granting an enterprise role
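The privilege checks in the schema-mapping, user and global-role sections above are all done by hand in SQL*Plus. The following Python script is an added example, not part of the article or of any Oracle or Novell tool: it captures, as data, the security-relevant facts a reviewer wants to verify once those steps are done (which schemas are shared, which users are exclusive global users, and which global roles exist) and checks them against the policy described in the article, using a small constructed snapshot in place of a live query of dba_users and dba_roles. The column names and sample rows are assumptions standing in for your own export; the rules encoded in audit_eus_snapshot are the ones the article's steps imply.

```python
# Constructed snapshot of the dictionary views an administrator would query
# after the Enterprise User setup (assumed column subset, invented rows).
# dba_users.external_name holds the OID DN for an exclusive global user and is
# empty for a shared schema such as guest; dba_roles.password_required is
# 'GLOBAL' for a global role.
DBA_USERS = [
    {"username": "GUEST",  "external_name": None,
     "authentication": "GLOBAL", "privs": {"CREATE SESSION"}},
    {"username": "ASMITH", "external_name": "cn=asmith,cn=Users,dc=example,dc=com",
     "authentication": "GLOBAL", "privs": {"CONNECT"}},
    {"username": "LEGACY", "external_name": None,
     "authentication": "PASSWORD", "privs": {"CONNECT", "DBA"}},
]
DBA_ROLES = [
    {"role": "OID_CONNECT", "password_required": "GLOBAL", "privs": {"CREATE SESSION"}},
    {"role": "APP_ADMIN",   "password_required": "NO",     "privs": {"DBA"}},
]

# The shared schema the article calls guest (assumption: one shared schema).
SHARED_SCHEMA = "GUEST"
# Privileges that should never sit directly on a shared schema: every OID user
# mapped to it would inherit them.
HIGH_PRIVS = {"DBA", "SYSDBA", "SYSOPER"}


def classify_users(users):
    """Split the user rows into shared schemas, exclusive global users and
    local (password) accounts, which is how Enterprise User Security sees them."""
    shared, exclusive, local = [], [], []
    for row in users:
        if row["authentication"] != "GLOBAL":
            local.append(row["username"])
        elif row["external_name"]:
            exclusive.append(row["username"])
        else:
            shared.append(row["username"])
    return {"shared": shared, "exclusive": exclusive, "local": local}


def audit_eus_snapshot(users, roles, shared_schema=SHARED_SCHEMA):
    """Return a list of findings; an empty list means the snapshot matches the
    policy the article sets up (shared proxy schema with CREATE SESSION only,
    privileges carried by global roles granted through OID enterprise roles)."""
    findings = []
    groups = classify_users(users)
    by_name = {row["username"]: row for row in users}

    if shared_schema not in groups["shared"]:
        findings.append(f"{shared_schema} is not a shared global schema")
    else:
        extra = by_name[shared_schema]["privs"] - {"CREATE SESSION"}
        if extra & HIGH_PRIVS:
            findings.append(f"{shared_schema} holds high privileges {sorted(extra & HIGH_PRIVS)}")

    for name in groups["local"]:
        # Local accounts bypass OID entirely; each one should be justified.
        findings.append(f"{name} authenticates locally, outside OID")

    global_roles = [r["role"] for r in roles if r["password_required"] == "GLOBAL"]
    if not global_roles:
        findings.append("no global role exists, so enterprise roles cannot map to anything")
    for r in roles:
        if r["password_required"] == "GLOBAL" and r["privs"] & HIGH_PRIVS:
            findings.append(f"global role {r['role']} carries {sorted(r['privs'] & HIGH_PRIVS)}")
    return findings


if __name__ == "__main__":
    for finding in audit_eus_snapshot(DBA_USERS, DBA_ROLES):
        print("FINDING:", finding)
```

With the constructed rows, the only finding is the LEGACY account that still authenticates with a local password; once every user is either the shared schema or an exclusive global user, the audit returns nothing and the database can be managed entirely through OID.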
We are now done with the section on how to configure the Enterprise User and Role, in order to globally and centrally manage multiple Oracle Database instances through a single point, Oracle Internet Directory. I encourage you to test and explore your configuration by assigning privileges and testing them through the Enterprise User, Role, and Groups.
Interface: eDirectory, Identity Manager, and Oracle Internet Directory
We will now start to work on the interface between Novell eDirectory, Identity Manager, and Oracle Internet Directory. The first thing we need is to create a user for the Identity Manager driver.
Creating a User for the IDM Driver
We will use an LDAP browser in order to test our user for the driver. LBE (LDAP Browser\Editor) is a free LDAP application that I like to use. You can get it from several locations, including this one:
If you cannot find it there, try Google with "LDAP Browser\Editor".
Figure 53: LDAP Browser\Editor
1. Create a connection for OID using orcladmin.
Figure 54: Creating a connection for OID
You should be able to browse OID.
Figure 55: Browsing OID
2. In Oracle Directory Manager, select cn=orcladmin, then Operations (or right-click) and Create Like.
Figure 56: Create Like operation
3. Change the Distinguished Name, the cn, and the sn to IdM.
Figure 57: Changing names to IdM
4. Change the description and any other fields that reference orcladmin.
Figure 58: Changing orcladmin references
5. Change the givenname.
Figure 59: Changing the givenname
6. Change other attributes as needed
Figure 60: Changing other attributes
7. Change the uid.
Figure 61: Changing the uid
8. Set the password.
Figure 62: Setting the password
9. Save your IdM user.
Figure 63: Saving the IdM user
10. Open Access Control Management.
Figure 64: Access Control Management
11. Select cn=Users in order to modify the ACLs. Select an existing entry for a group under Structural Access Items and click Create Like.
Figure 65: Create Like operation
12. On the By Whom page, delete the A Specific Group entry, and add IdM for a Specific Entry.
Figure 66: Adding IdM for a Specific Entry.
13. Set the ACLs as shown above.
Figure 67: Setting ACLs
14. Select an existing group entry under Content Access Items and click Create Like.
Figure 68: Create Like operation
15. Clear the group entry and add IdM as before.
Figure 69: Adding IdM, as before
16. Set the ACLs as above.
Figure 70: Setting the ACLs, as above
Click Apply to save the changes. IdM now has the proper rights (ACLs) to manage the users under cn=Users.
Figure 71: Saving the changes
Creating Groups for the IDM Driver
Now we will repeat the previous process for cn=Groups.
1. Select an existing group entry under Structural Access Items and click Create Like.
Figure 72: Create Like operation
2. Clear the group and add IdM.
Figure 73: Adding IdM
3. Set the ACLs as above.
Figure 74: Setting the ACLs
4. Select an existing entry under Content Access Items.
Figure 75: Selecting a Content Access Items entry
5. Clear the group and add IdM.
Figure 76: Adding IdM
6. Set the ACLs as above.
Figure 77: Setting the ACLs
7. Save your changes by clicking Apply. IdM now has the proper rights to manage groups under cn=Groups.
Figure 78: Saving the changes
Testing the Rights
Let's now test the rights for IdM.
1. Change the User DN for the connection using the LDAP Browser\Editor or a tool of your choice.
Figure 79: Changing the User DN for the connection
2. You should be able to connect and browse OID. Select an existing user and then LDIF|Export.
Figure 80: Selecting an existing user to export
3. Select a file for exporting the user in LDIF format.
Figure 81: File for exporting the user in LDIF
4. Open the export file with a text editor.
Figure 82: Export file
5. Modify all the references to the existing user in order to leverage the LDIF file to create a new user. This will put our rights through the test.
Figure 83: Modifying references to user, to test rights
6. Use LDIF|Import to import the modified file.
Figure 84: Importing the modified file
You should see a message telling you that your user was created.
Figure 85: User creation message
You should also be able to display your new user.
Figure 86: Displaying your new user
7. To test the privileges for groups, select an existing group, then export it to a file using LDIF|Export.
Figure 87: Testing the privileges for groups
Here is the Export file for the selected group.
Figure 88: Export file for the selected group
8. Modify the file to create a new group, and add your new user as a member.
Figure 89: Adding your new user as a member of a group
9. Import the new group using LDIF|Import.
Figure 90: Import the new group using LDIF|Import.
You should now see your new group in OID with the uniquemember attribute pointing to your new user.
Figure 91: New group in OID pointing to your new user
At this point, IdM should have all the proper rights to manage users and groups under cn=Users and cn=Groups. This takes care of the Subscriber Channel for the Identity Manager driver. You can also decide to manage other objects in other contexts; the recipe works the same way. Using the LDAP Browser\Editor is a quick way to clear potential rights issues off the radar screen, so you can concentrate on the business logic when it is time to set up the Identity Manager driver, which uses LDAP.
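Steps 5 and 8 above edit the exported LDIF by hand. The following Python script, added here as an example and not part of the original article or of LBE, does the same rewrite programmatically: it parses the exported user entry (unfolding continuation lines and decoding base64 values), drops the attributes OID maintains itself, renames every reference to the old user, and builds a group entry whose uniqueMember points at the new user. The sample export, the dc=example,dc=com suffix, the attribute names in SERVER_GENERATED and the object classes in GROUP_CLASSES are constructed assumptions; check them against your own export.

```python
import base64
import re

# Constructed sample of what an LDIF export of an existing OID user might look
# like. Every value is invented; orclguid stands in for the attributes that
# the server generates and that a new entry must not copy.
SAMPLE_USER_EXPORT = """\
dn: cn=jdoe,cn=Users,dc=example,dc=com
cn: jdoe
sn: Doe
givenname: John
uid: jdoe
mail: jdoe@example.com
description:: VGVzdCBhY2NvdW50IChqZG9lKQ==
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: orclUser
objectclass: orclUserV2
orclguid: 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D
"""

# Assumed list of server-maintained attributes; extend it if your export shows more.
SERVER_GENERATED = {"orclguid", "creatorsname", "createtimestamp",
                    "modifiersname", "modifytimestamp"}

# Assumed object classes for the new group; use the ones your own group export shows.
GROUP_CLASSES = ("top", "groupOfUniqueNames", "orclGroup")


def parse_ldif_entry(text):
    """Return (dn, [(attr, value), ...]) for one LDIF entry, unfolding
    continuation lines and decoding base64 ('attr:: ...') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, []
    for line in lines:
        match = re.match(r"([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        name, sep, value = match.group(1).lower(), match.group(2), match.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return dn, attrs


def ldif_line(attr, value):
    """Emit one attribute line, base64-encoding values LDIF cannot carry
    literally (non-ASCII, leading space/':'/'<', trailing space, newlines)."""
    unsafe = (not value.isascii() or value != value.strip(" ")
              or value.startswith((":", "<")) or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def fold(line, width=76):
    """Fold a long line into 76-column continuation lines as LDIF requires."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def format_ldif_entry(dn, attrs):
    lines = [fold(ldif_line("dn", dn))] + [fold(ldif_line(a, v)) for a, v in attrs]
    return "\n".join(lines) + "\n"


def clone_user(export_text, new_cn, new_sn, new_givenname, new_password):
    """Rewrite an exported user entry into a new user in the same container."""
    old_dn, attrs = parse_ldif_entry(export_text)
    rdn, container = old_dn.split(",", 1)
    old_name = rdn.split("=", 1)[1]                 # e.g. "jdoe"
    new_attrs = []
    for name, value in attrs:
        if name in SERVER_GENERATED or name == "userpassword":
            continue                                # never copy these into a new entry
        if name == "sn":
            value = new_sn
        elif name == "givenname":
            value = new_givenname
        else:
            value = value.replace(old_name, new_cn)  # cn, uid, mail, description ...
        new_attrs.append((name, value))
    new_attrs.append(("userpassword", new_password))
    return format_ldif_entry(f"cn={new_cn},{container}", new_attrs)


def build_group(group_cn, groups_container, member_dns, description="IdM rights test"):
    """Build a new group entry whose uniqueMember values point at member_dns."""
    attrs = [("cn", group_cn), ("description", description)]
    attrs += [("objectclass", oc) for oc in GROUP_CLASSES]
    attrs += [("uniquemember", dn) for dn in member_dns]
    return format_ldif_entry(f"cn={group_cn},{groups_container}", attrs)


if __name__ == "__main__":
    user_ldif = clone_user(SAMPLE_USER_EXPORT, "asmith", "Smith", "Anna", "ChangeMe-1")
    new_user_dn, _ = parse_ldif_entry(user_ldif)
    print(user_ldif)
    print(build_group("oid-test-group", "cn=Groups,dc=example,dc=com", [new_user_dn]))
```

Write the two results to files and import them with LDIF|Import while connected as IdM. An insufficient-access error on the first import points at the cn=Users ACL, one on the second at the cn=Groups ACL, which is exactly what this test is meant to surface before the driver is configured.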
Setting Up the Publisher Channel
For the Publisher channel (from OID to eDirectory), we will leverage the changelog that is included with OID and activated by default. The IdM user will need some rights for the changelog.
1. Under Access Control Management, select cn=changelog.
2. Under Structural Access Items, select an existing group entry, then click on Create Like.
Figure 92: Create Like operation
3. Clear the group entry and add IdM.
Figure 93: Adding IdM
4. For the Access Rights, set as shown above. Add is not required.
Figure 94: Setting the Access Rights
5. Select an existing group entry under Content Access Items, then click Create Like.
Figure 95: Create Like operation
6. Clear the group entry, then add IdM.
Figure 96: Adding IdM
7. Set the Access Rights as above.
Figure 97: Setting the Access Rights
8. Click Apply when you are done. You should get the following results:
Figure 98: Results of setting Access Rights
Setting Up the Identity Manager LDAP Driver for OID
Now let's get to the Identity Manager LDAP driver setup for OID.
1. Launch the wizard to create a new driver.
Figure 99: New Driver wizard
2. Use the LDAP.xml driver template that comes with Identity Manager. You can find the templates on the installation CD (i.e., under the Windows installation tree).
Figure 100: LDAP.xml driver template
3. Give a name to the template, e.g., OID.
Figure 101: Naming the template
4. Select the OU in eDirectory where you want to sync users. I used Mirror for the placement type in my example.
Figure 102: Selecting the OU.
5. Type the LDAP OU for cn=Users for your OID tree. Also, specify the LDAP Server address and port.
Figure 103: LDAP OU, LDAP Server address and port
6. Type the IdM DN for Administrator DN and enter the password.
Figure 104: IdM DN and password
7. Use "Local" for the driver, if you follow my example. You can also install the remote loader on the Oracle server and leverage SSL through Identity Manager. This may be simpler than using LDAPs, depending on how familiar you are with Oracle Security.
Figure 105: Local Driver
8. Define the Security Equivalence for the driver, e.g., admin. You can also exclude eDirectory users such as admin from the synchronization process.
Figure 106: Defining the Security Equivalence for the driver
9. Once you get to the summary page, click Finish.
Below is the Driver page in iManager 2.5.
Figure 108: Driver page in iManager 2.5
10. With the default configuration, the driver synchronizes the OU and User classes. You can modify the objects and attributes being synchronized through the Filter page.
Figure 109: Filter page
11. Add the Group class and 3 attributes (CN, Member and Description). The mapping rule will be updated automatically based on the information entered in the Filter page.
Figure 110: Adding the Group class and attributes
12. Make sure the Member is mapped to uniqueMember.
Figure 111: Member mapped to uniqueMember
13. Copy the rules for User and adapt them for Group. For example, the above Publisher Create Rule can be found for User.
Figure 112: Copying the rules for User and adapting them for Group
14. Create a new Create Rule for Group as shown above.
Figure 113: Creating a new Create Rule for Group
15. Copy and adapt the User Placement Rule for the Publisher Channel.
Figure 114: Copying and adapting the User Placement Rule for the Publisher Channel
16. Make a Create Rule for Group on the Publisher Channel similar to the one shown above.
Figure 115: Create Rule for Group on the Publisher Channel
You also need to create rules for the Subscriber Channel for Group. Shown above is the Create Rule for User.
Figure 116: Create Rule for User (Subscriber)
Here is an example Create Rule for Group (Subscriber):
Figure 117: Example of the Create Rule for Group (Subscriber)
Adding Classes for User and Group
1. Add some auxiliary or secondary classes for both User and Group on the Subscriber Channel (eDir to OID). This can be done through two Create Rules as shown above. Using Object Class (as opposed to objectclass, the name of the attribute in OID) is problematic under some circumstances, so I suggest you use objectclass.
Figure 118: Adding auxiliary or secondary classes for both User and Group on the Subscriber Channel
The Placement Rule on the Subscriber Channel for User is shown below.
Figure 119: Placement Rule on Subscriber Channel for User
Here is the new Placement Rule for Group, copied (and adapted) from the one for User.
Figure 120: Adapted Placement Rule for Group
2. Specify a Create Rule for required attributes for Group on the Subscriber Channel.
Figure 121: Create Rule for required attributes
The driver's Parameters page, Publisher Settings, is shown below.
You can modify the Poll rate interval here. For entries to process on startup, I suggest you use 2-None, unless you want to use cn=orcladmin for the driver or a user with almost equivalent privileges (which is difficult to set up in OID, and could also represent a security hole). If you do use cn=orcladmin, modifications made with cn=orcladmin in OID will be discarded by the loopback prevention option (enabled by default) for the LDAP driver. The consequence of using 2-None is that you will need an LDIF script to "touch" existing user and group objects in OID (e.g., modify the Description), or "touch" them manually if there are not too many, for them to synchronize with eDirectory.
3. You may want to change the Driver Name from LDAP to OID. This is helpful in relation to Password Sync.
Figure 123: Changing the Driver Name from LDAP to OID
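The "touch" mentioned above can be scripted. The following Python script is an added example (not part of the article, of OID or of Identity Manager): it takes the DNs from an LDIF-format search result, such as a search over cn=Users and cn=Groups that requests no attributes (1.1) so only DNs come back, and writes one modify record per entry for ldapmodify, so that every user and group gets a changelog entry the Publisher channel will pick up on its next poll. The sample search output, the dc=example,dc=com suffix and the description text are constructed.

```python
import base64
from datetime import datetime, timezone

# Constructed sample of a search result listing the entries to touch, in the
# form an LDIF-producing search over cn=Users and cn=Groups returns (DNs only).
# The second DN is non-ASCII, so the tool would have written it as "dn::".
NON_ASCII_DN = "cn=Jürgen Müller,cn=Users,dc=example,dc=com"
SAMPLE_SEARCH_RESULT = (
    "dn: cn=jdoe,cn=Users,dc=example,dc=com\n\n"
    "dn:: " + base64.b64encode(NON_ASCII_DN.encode("utf-8")).decode("ascii") + "\n\n"
    "dn: cn=oid-test-group,cn=Groups,dc=example,dc=com\n\n"
)


def extract_dns(search_output):
    """Collect the DN of every entry in LDIF search output, decoding 'dn::'."""
    dns = []
    for line in search_output.splitlines():
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def dn_line(dn):
    """Write a dn line, switching to the 'dn::' base64 form when LDIF cannot
    carry the DN literally (non-ASCII or an unsafe first character)."""
    if dn.isascii() and not dn.startswith((" ", ":", "<")):
        return f"dn: {dn}"
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def touch_ldif(dns, stamp, keep_existing=True):
    """Emit one modify record per DN. Each modification is written to
    cn=changelog, which is what the driver's Publisher channel polls.
    With keep_existing the value is added next to any current description
    (the attribute is multi-valued); otherwise it replaces the attribute."""
    op = "add" if keep_existing else "replace"
    records = []
    for dn in dns:
        records.append("\n".join([
            dn_line(dn),
            "changetype: modify",
            f"{op}: description",
            f"description: touched for IdM synchronization at {stamp}",
            "-",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(touch_ldif(extract_dns(SAMPLE_SEARCH_RESULT), stamp))
```

Run the generated file through ldapmodify as IdM, not as cn=orcladmin, since changes made by the driver's own user are the ones the loopback prevention option discards, while changes made by any other user are published. The timestamp keeps each added value unique, so re-running the script does not fail on a duplicate value.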
Creating a Password Policy
1. Create a Password Policy under Passwords.
Figure 124: Creating a Password Policy
I chose the name Policy for OID but you can be more creative here.
Figure 125: Sample Policy for OID
2. You can configure many options in relation to your Password Policy and Universal Password. I will not cover all the details. For now, we just need any Policy and Universal Password in order for Password Sync to work from eDir to OID.
Figure 126: Sample Policy and Universal Password
Advanced Password Rules are shown below.
Figure 127: Advanced Password Rules
3. You can enable the Forgotten Password feature, which allows a user to manage his or her password even if forgotten, through the self-service portal http://ip_address/nps.
Figure 128: Enabling the Forgotten Password feature
4. Assign the Password Policy to the OU for OID users.
Figure 129: Assign the Password Policy
5. At the Summary page for the Password Policy wizard, click Finish.
Figure 130: Summary page for the Password Policy wizard
Your driver should now be operational; it should synchronize Users and Groups on both sides, as well as Passwords from eDirectory to OID. If you encounter issues, you can leverage DSTrace as shown below.
Figure 131: DSTrace through the iMonitor mini-web portal included with eDirectory
Here is some sample event information in DSTrace.
Figure 132: DSTrace Event information
You can increase the trace level from the Misc page for the driver, in order to troubleshoot a problem. Don't forget to set it back to 0 after you're done, since this could slow down your eDirectory. Reading the trace can prove very useful and informative - usually, when something goes wrong, the trace will tell you exactly what is going on. A little practice is required to get familiar with reading the trace.
Figure 133: Driver Trace screen
Let's quickly go through a provisioning example initiated from eDirectory.
1. Use iManager to browse the OUs for users and groups.
Figure 134: Browsing OUs in iManager
2. Right-click on the OU for users and select Create User.
Figure 135: Selecting Create User
3. Create a new user and assign a password.
Figure 136: Creating a new user and password
4. Right-click on the enterprise group (member of the enterprise role with ESM) and select Modify Group.
Figure 137: Selecting Modify Group
5. Add the new user in the Members list.
Figure 138: Adding the new user in the Members list
6. In Oracle Directory Manager, confirm that the user has been created, with the proper attribute values and classes.
Figure 139: Confirming proper attribute values and classes
7. Verify that the user is a member of the Enterprise Group (that has been set as a member of the Enterprise Role with ESM earlier).
Figure 140: Verifying the user is a member of the Enterprise Group
8. At the Oracle Database server, log in with sqlplus using your new user. You should be able to connect, because the connect privilege has been granted to the user through the enterprise group.
Figure 141: Logging in and connecting with your new user
9. Verify that the user can authenticate against OID by creating a connect profile for the user.
Figure 142: Creating a connect profile for the user
Connect to OID and browse the tree using the new user.
Figure 143: Connecting to OID and browsing the tree with the new user.
The example we just went through illustrates some very basic provisioning initiated from eDirectory. The result is a functional user account in OID and in the Oracle Database registered with OID. You can, of course, do a lot more than that, but my goal with this article was to get you started.
Currently, we do have some limitations with the configuration described in this article; for example, password sync is uni-directional (from eDir to OID/Oracle). Some mechanisms that are included with OID and Oracle Identity Management would probably allow the password to be synchronized in the other direction, but I have not explored this option yet. The projects I have been involved with so far did not require that.
Also, we are not provisioning Enterprise Roles from eDirectory to Oracle; they must be created before eDirectory can use them. Even though an Oracle Group can be created from eDirectory (in OID), the group must still be assigned as a member of an Enterprise Role using ESM. This results in the definition of privileges (Enterprise Roles and Groups) in OID, but the assignment of privileges from eDirectory (through Enterprise Group memberships). Depending on the requirements of a given project, the solution described in this article could be fully compliant right away, or some adjustments could be required.
Do not hesitate to provide me with feedback, comments, or questions if you hit a roadblock in using this method.
Here are some references for details on how to implement Enterprise User for Oracle Databases that I found useful for building a working example, like the one in this article.
Migrating database users to OID:
Creating enterprise users in OID:
Managing Enterprise User Security:
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com