John’s Oracle Experiences

My everyday experiences with Oracle products

Archive for July, 2008

Synchronizing accounts based on Active Directory group membership

Posted by John Paul van Helvoort on July 17, 2008

At some point we were discussing whether it would be possible to synchronize user accounts based on group membership using the default procedures of Oracle Identity Management.
The idea is to sync as few user accounts as possible to our Oracle Internet Directory, because the user accounts are spread over a wide range of Active Directory containers to which different policies apply. Not all users in these containers need access to the Oracle applications that are integrated with Oracle Identity Management.

So by granting a user a special group privilege (soa) in Active Directory, that user should be synced to Oracle Internet Directory. Other users should not be synced, as they are not part of this special “soa” group. When the grant is revoked, the user account should also be deleted from our Oracle Internet Directory.

Case 1: We are synchronizing all users from Active Directory to Oracle Internet Directory.
When we use a basic search filter like:

searchfilter=(&(objectclass=user))

All users added to or deleted from AD are processed in OID. This works.

Case 2: We are synchronizing based on group membership.
We use this search filter:

searchfilter=(&(objectclass=user)(MemberOf=CN=soa,OU=groups,OU=nieuwegein,DC=iteye,DC=nl))

Users are added to OID only when they are added to the group “soa” right away, before the sync (ODI) picks up the changes.

When the user is created, the sync runs, and only afterwards the user is granted membership of the “soa” group, the sync will never add the user.

Deletions are not performed anymore.

Case 3: We are synchronizing based on attributes; we use the displayname attribute as a trigger to sync or not sync a user.
We perform this test to see whether we could use an attribute (for example displayname) to indicate this “group membership” by setting it to the value 1.

We use this search filter:

searchfilter=(&(objectclass=user)(displayname=1))

Only users whose displayname has been changed to 1 are added, regardless of whether the user was created and the displayname adjusted within the same synchronization period. So when the user is created, the sync runs, and afterwards the user’s displayname is changed to 1, the sync will still add the user.

Deletions are not performed anymore. We are not able to delete (in cases 2 and 3) or backfill a user based on group membership (case 2). After some research we found in MSDN the following description of the memberOf attribute of an AD user:

—————-
memberOf
The memberOf attribute is a multi-valued attribute that contains groups of which the user is a direct member, depending on the domain controller (DC) from which this attribute is retrieved:

At a DC for the domain that contains the user, memberOf for the user is complete with respect to membership for groups in that domain; however, memberOf does not contain the user’s membership in domain local and global groups in other domains. At a GC server, memberOf for the user is complete with respect to all universal group memberships. If both conditions are true for the DC, both sets of data are contained in memberOf.

Be aware that this attribute lists the groups that contain the user in their member attribute—it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B and group B were nested in group A, the memberOf attribute of user O would list group C and group B, but not group A.

This attribute is not stored—it is a computed back-link attribute.
————–
http://msdn2.microsoft.com/en-us/library/ms677943.aspx

This means that when you add a user to a group in AD, AD modifies only the group, not the user itself. Consequently, uSNChanged is updated only once, on the group object.

The ODI server reads the uSNChanged value and runs a search against AD to retrieve the latest changes. Here it will find only that the group has been changed. The filter for the change is formed as:

(&(uSNChanged interval)(our_custom_filter))

So, for both cases 2 and 3, we would need to take action on the user when the group is changed, which is not possible with ODI. ODI works on an entity level: the mapping files are applied, and actions are performed only on the entity detected as changed.

For case 3 you will not be able to delete a user when an attribute is changed, as deletes are searched for in the special DeletedObjects container in AD. A user is not moved into this DeletedObjects container when, in our case, the displayname attribute is changed.

However, as a partial solution we could create an OID plug-in that fires as a post-update LDAP operation on the specific groups. So, if a user is removed from a group, the plug-in is triggered after the synchronization runs. In the plug-in code we should be able to identify the user that was removed and delete it from OID.

But this means we need to extend the default procedures available in Oracle Identity Management.

Our conclusion at this point is that it is not possible to sync based on group membership, with deletion and/or backfilling of users, using the default procedures of Oracle Identity Management. However, it is possible to write your own plug-in for Oracle Identity Manager to perform a post-update operation on your user store (OID) to keep it clean and up to date.
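To make the three cases concrete, here is an added example (my own code, not from the post or from Oracle) that replays case 2 on a constructed in-memory model of AD: memberOf is derived as a back-link, only the changed object's uSNChanged moves, and the entity-level pass is placed next to the group-diff reconciliation the plug-in idea calls for. The group DN is the one from the post; the user DNs and uSN values are made up.

```python
# Added example, not from the post: constructed model of the uSNChanged-driven
# sync described above, next to the group-diff reconciliation proposed for a
# plug-in. Group DN is from the post; user DNs and uSN values are made up.

SOA_GROUP = "CN=soa,OU=groups,OU=nieuwegein,DC=iteye,DC=nl"

def member_of(directory, user_dn):
    """memberOf is a computed back-link: derived from the groups' member
    attribute, so a grant never touches the user object itself."""
    return [dn for dn, e in directory.items()
            if e["objectclass"] == "group" and user_dn in e["member"]]

def matches_case2_filter(directory, dn):
    """(&(objectclass=user)(memberOf=<soa group>)) from case 2."""
    e = directory[dn]
    return e["objectclass"] == "user" and SOA_GROUP in member_of(directory, dn)

def changed_since(directory, last_usn):
    """The uSNChanged interval half of (&(uSNChanged interval)(our_custom_filter))."""
    return [dn for dn, e in directory.items() if e["uSNChanged"] > last_usn]

def odi_pass(directory, last_usn):
    """Entity-level pass as the post describes ODI: only objects whose own
    uSNChanged moved are examined. Returns (users to add, new high-water mark)."""
    changed = changed_since(directory, last_usn)
    adds = [dn for dn in changed if matches_case2_filter(directory, dn)]
    return adds, max([directory[dn]["uSNChanged"] for dn in changed] + [last_usn])

def group_diff_pass(directory, last_usn, synced):
    """Plug-in idea: when the changed entity is the group, diff its member list
    against what OID already holds. Returns (adds, deletes, new high-water mark)."""
    changed = changed_since(directory, last_usn)
    adds, deletes = set(), set()
    if SOA_GROUP in changed:
        current = set(directory[SOA_GROUP]["member"])
        adds, deletes = current - synced, synced - current
    high = max([directory[dn]["uSNChanged"] for dn in changed] + [last_usn])
    return sorted(adds), sorted(deletes), high

def scenario():
    """Replay case 2 step by step on constructed directory state."""
    directory = {SOA_GROUP: {"objectclass": "group", "member": [], "uSNChanged": 50}}
    users = "OU=users,OU=nieuwegein,DC=iteye,DC=nl"
    jdoe, asmith = "CN=jdoe," + users, "CN=asmith," + users
    out = {}

    # 1. user created, sync runs before the grant: the filter does not match yet
    directory[jdoe] = {"objectclass": "user", "uSNChanged": 101}
    out["created"], usn = odi_pass(directory, 100)

    # 2. user granted 'soa': only the group's uSNChanged moves, the user's stays 101
    directory[SOA_GROUP]["member"].append(jdoe)
    directory[SOA_GROUP]["uSNChanged"] = 102
    out["granted"], _ = odi_pass(directory, usn)
    adds, deletes, usn = group_diff_pass(directory, usn, synced=set())
    out["diff_granted"] = (adds, deletes)

    # 3. grant revoked: ODI again sees only the group, so no user delete ever fires
    directory[SOA_GROUP]["member"].remove(jdoe)
    directory[SOA_GROUP]["uSNChanged"] = 103
    out["revoked"], next_usn = odi_pass(directory, usn)
    adds, deletes, _ = group_diff_pass(directory, usn, synced={jdoe})
    out["diff_revoked"] = (adds, deletes)

    # 4. a user created *and* granted inside one interval is picked up, as observed
    directory[asmith] = {"objectclass": "user", "uSNChanged": 104}
    directory[SOA_GROUP]["member"].append(asmith)
    directory[SOA_GROUP]["uSNChanged"] = 105
    out["both"], _ = odi_pass(directory, next_usn)
    return out
```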

Posted in Identity Manager

Oracle Application Testing Suite version 8.30 released

Posted by John Paul van Helvoort on July 17, 2008

Oracle recently released Oracle Application Testing Suite version 8.30, which provides us with a tool to load test our web applications and web services. As Oracle describes it, it can be used to perform the following tests:

  • Load Testing for Web Applications for scalability, performance and load testing.
  • Functional Testing for Web Applications for automated functional and regression testing.
  • Test Manager for Web Application for test process management, including test requirements management, test management, test execution and defect tracking.

As of now only a 32-bit Windows version is available.

I hope to see these capabilities integrated within the next Enterprise Manager Grid Control, so that we can centralize products to serve our needs to monitor and improve our applications using just one tool. Some of these tests are already available in our Enterprise Grid Control by using plug-ins like the SOA Management Pack.

More information on this product can be found here.

Posted in Application Server

Receive and Insert an Email into an Oracle Database using PHP

Posted by John Paul van Helvoort on July 15, 2008

Recently I was challenged with the question of how I would receive mail using postfix and insert this email into my Oracle Database 10g. There are many ways of handling this question; as for me, I chose to use PHP scripting to do the trick.

The PHP script has the ability to filter out the information by To, From, Subject and Message. After all parts are filtered out, we can start to create our insert statement.
The PHP language is powerful, as are its extensions for supporting Oracle databases. Mainly there are two ways of handling an Oracle connection from PHP: the OCI extension, which stands for Oracle Call Interface, and the ORA extension, which uses the normal Oracle functions.

As for now I chose to use OCI, as it seems to give me a more stable connection to my Oracle database.

Here I will show you the code I use to receive an email through postfix. (Add this alias to your aliases file to receive mail on reciever@YOUR-DOMAIN.COM, and remember to run newaliases to update your aliases.db!)

##########################################################
# PIPE mail to the Oracle DB poster
##########################################################
reciever:    "|/etc/postfix/post_mail_reciever.php"

After receiving an email, the email is passed into our script, where it is filtered and inserted into the database. The script I use to do this looks like this (copy and paste it as /etc/postfix/post_mail_reciever.php). Make sure the script has enough rights to be executed by user “nobody”.

#!/usr/local/bin/php
<?php

###############################################
# Read the raw message postfix pipes in on stdin
###############################################

$fd = fopen("php://stdin", "r");
$email = "";
while (!feof($fd)) {
    $email .= fread($fd, 1024);
}
fclose($fd);

###############################################
# Handle email
###############################################
$lines = explode("\n", $email);

###############################################
# Empty vars
###############################################

$from = "";
$subject = "";
$headers = "";
$message = "";
$splittingheaders = true;

###############################################
# Email in vars
###############################################

for ($i = 0; $i < count($lines); $i++) {
    if ($splittingheaders) {
        // this is a header
        $headers .= $lines[$i] . "\n";

        // look out for special headers
        if (preg_match("/^Subject: (.*)/", $lines[$i], $matches)) {
            $subject = $matches[1];
        }
        if (preg_match("/^From: (.*)/", $lines[$i], $matches)) {
            $from = $matches[1];
        }
    } else {
        // not a header, but message
        $message .= $lines[$i] . "\n";
    }

    if (trim($lines[$i]) == "") {
        // empty line, header section has ended
        $splittingheaders = false;
    }
}

###############################################
# Replace Chars in String
###############################################

# Single quotes are swapped for double quotes as before. The mail fields are
# passed to the database as bind variables further down, so this is cosmetic
# and not what keeps a quote in the mail from altering the PL/SQL call.
$message = str_replace("'", "\"", $message);

################## TEMP ################
# Debug mail, for storing received mail
########################################

# echo "----------HEADERS---------------------\n";
# echo $headers;
# echo "----------FROM------------------------\n";
# echo $from;
# echo "----------Subject---------------------\n";
# echo $subject;
# echo "----------Message---------------------\n";
# echo $message;
# echo "-------------------------------------";

#      $save_path = '/tmp';
#
#      $date = date("H:i:s,d-m-Y");
#      $temp = 'file.tmp';
#      $dest = "MAIL_" . $date;
#
#      $fp = fopen($save_path . '/' . $temp, "w");
#      fputs($fp, $email);
#      fclose($fp);
#
#      rename($save_path . '/' . $temp, $save_path . '/' . $dest);
#
#######################################

###############################################
# Environment
###############################################

PutEnv("ORACLE_SID=ORCL");
PutEnv("ORACLE_HOME=/u00/oracle/product/10.2.0/db");
PutEnv("TNS_ADMIN=/u00/oracle/product/10.2.0/db/network/admin");

###############################################
# Mail Functions
###############################################

function send_mail($status, $errcode, $errmsg, $erroff, $errsql) {

      $mail = "error_mail@YOUR_DOMAIN.COM";

      ##############################
      # Create Error mail attachment
      ##############################
      $save_path = '/etc/postfix';

      $temp = 'file.tmp';
      $dest = 'error.txt';

      $date = date("H:i:s d-m-Y");

      $fp = fopen($save_path . '/' . $temp, "w");
      fputs($fp, "[" . $date . "] Error Code : ORA-" . $errcode . "\n\n");
      fputs($fp, "[" . $date . "] Error MSG  : " . $errmsg . "\n");
      fputs($fp, "[" . $date . "] Error Pos  : " . $erroff . "\n\n");
      fputs($fp, "[" . $date . "] Error SQL  : " . $errsql . "\n\n");
      fclose($fp);

      rename($save_path . '/' . $temp, $save_path . '/' . $dest);
      ##############################

      # The status contains parentheses, e.g. MAIL_PARSE_ERROR(ORCL); unquoted,
      # the shell rejects the command line and mail(1) never runs.
      $command = "mail -s " . escapeshellarg($status) . " " . escapeshellarg($mail)
               . " < " . escapeshellarg($save_path . '/' . $dest);
      shell_exec($command);
}

###############################################
# Main
###############################################

$error = "";

$db = "ORCL";

$connect = OCILogOn("scott", "tiger", $db);

# From, Subject and Message are bound as variables instead of being pasted into
# the PL/SQL block, so a mail containing quotes or PL/SQL cannot change the call.
$query = "begin scott.general.p_accept_mail_from_postfix(:p_from, sysdate, :p_subject, :p_message); end;";

if ($connect)
{
    ## Parse Error catch
    $parse = ociparse($connect, $query);
    if (!$parse) {
        $error = OCIError($connect);
        send_mail("MAIL_PARSE_ERROR(ORCL)", $error['code'], $error['message'], $error['offset'], $error['sqltext']);
    }
    else
    {
        ocibindbyname($parse, ":p_from", $from, -1);
        ocibindbyname($parse, ":p_subject", $subject, -1);
        ocibindbyname($parse, ":p_message", $message, -1);

        ## Execute Error catch (OCI_DEFAULT: the commit is done explicitly below)
        if (!ociexecute($parse, OCI_DEFAULT)) {
            $error = OCIError($parse);
            send_mail("MAIL_EXECUTE_ERROR(ORCL)", $error['code'], $error['message'], $error['offset'], $error['sqltext']);
        }
        else
        {
            $committed = ocicommit($connect);

            ## Commit Error catch: the error belongs to the connection, not to the false return value
            if (!$committed) {
                $error = OCIError($connect);
                send_mail("MAIL_COMMIT_ERROR(ORCL)", $error['code'], $error['message'], $error['offset'], $error['sqltext']);
            }
            # We can turn this on when we want to also monitor every successfully processed mail
            #else
            #{
            #   send_mail("EM-Mail-Processed", "OK", "OK", "OK", "OK");
            #}
        }
    }
    ocilogoff($connect);
}
else
{
    # No connection resource exists yet, so the logon error is read without a handle
    $error = OCIError();
    send_mail("URGENT-MAIL_DBCONNECT_ERROR(ORCL)", $error['code'], $error['message'], $error['offset'], $error['sqltext']);
}

###### END ########
?>

As you can see there are a lot of error-control checks in there, just to be sure an email is processed correctly. Whenever there is a problem while parsing, executing, or connecting to the Oracle database, a detailed error report is sent to an email address of your choice for debugging purposes.

I hope you will find this script useful in your implementations.

Posted in Database, Scripting

Why use the Microsoft Exchange Server Plug-in ?

Posted by John Paul van Helvoort on July 15, 2008

When using one central grid monitoring tool, you might also wonder what it would be like to monitor 3rd-party systems with it. This is what made me try out the MS Exchange Server plug-in for Enterprise Grid Control. On top of the workload as a DBA or iAS specialist, some are challenged with monitoring an Exchange mail server or another server in their park as well.

Basic monitoring can be performed on the host just by installing a Management Agent on it. But what if you want to see more than only the host performance and health? Well, Oracle offers a wide range of plug-ins to monitor all different kinds of components.

Here I took a peek at the possibilities to monitor our Exchange Server with one of these plug-ins. It was fairly easy to install and configure. At first I got several errors while opening the different graphs displayed on the page. The error I received was something like:

Error code = 0x80041010 em_error=An error has occured while fetching WMI data.

After some research I found that this was due to a WMI repository that was not up to date. The following commands on the Exchange Server solved this problem for me (I performed them 2 or 3 times):

wmiadap /f
wmiadap /resyncperf
net stop "Windows Management Instrumentation"
net start "Windows Management Instrumentation"

As a result I got nice reports on load and throughput of inbound and outbound messages. It would also show me nice graphics on Information Store connections, number of clients logged in and global message traffic. It is not possible to control your Exchange server from there, but then again, I would rather use the Microsoft management tools to do this.

For those of you interested in what this looks like, here is a small impression of what to expect from this plug-in.


[Screenshot] Performance: Inbound and Outbound Messages

[Screenshot] Performance: Resource Usage

[Screenshot] Home Tab

Here you can find more information on the Plugin which is included as of version 10.2.0.4 of Oracle Enterprise Manager Grid Control: Oracle’s Microsoft Exchange Plug-in

Posted in Grid Control

Exception while using WebUtil on OAS 10.1.2.3

Posted by John Paul van Helvoort on July 4, 2008

After upgrading OAS to the latest patch set 3 (10.1.2.3) we ran into a problem while using WebUtil. When using a WebUtil component from within our Forms application, an exception is thrown into the Java console and nothing seems to happen in the form itself.

The error message thrown:

Exception in thread "AWT-EventQueue-3" java.lang.NoSuchMethodError:
oracle.forms.handler.IHandler.getApplet()Ljava/applet/Applet;
at oracle.forms.webutil.common.VBeanCommon.init(VBeanCommon.java:281)
at oracle.forms.handler.UICommon.instantiate(Unknown Source)
at oracle.forms.handler.UICommon.onCreate(Unknown Source)
at oracle.forms.handler.JavaContainer.onCreate(Unknown Source)
at oracle.forms.engine.Runform.onCreateHandler(Unknown Source)
at oracle.forms.engine.Runform.processMessage(Unknown Source)
at oracle.forms.engine.Runform.processSet(Unknown Source)
at oracle.forms.engine.Runform.onMessageReal(Unknown Source)
at oracle.forms.engine.Runform.onMessage(Unknown Source)
at oracle.forms.engine.Runform.processEventEnd(Unknown Source)
at oracle.ewt.lwAWT.LWComponent.redispatchEvent(Unknown Source)
at oracle.ewt.lwAWT.LWComponent.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)

Thanks to the active community at the Oracle forums I was able to come up with this solution.

This is due to the fact that the frmwebutil.jar used in an earlier version is not compiled against the new OAS 10.1.2.3 frmall.jar version. As a result this exception is thrown.

The solution is to extract the original compiled “frmwebutil.jar” from the OAS 10.1.2.3 installation files and overwrite the frmwebutil.jar currently in use. To extract the good frmwebutil.jar, browse through the installation path to this point: “Disk1\stage\Patches\oracle.developer.forms.builder\10.1.2.3.0\1\DataFiles\”

Extract the jar as follows:

$ORACLE_HOME\jdk\bin\jar xf webutil.2.2.jar frmwebutil.jar

Rename the extracted frmwebutil.jar0 to frmwebutil.jar and overwrite the version currently in use, which most likely can be found in “$ORACLE_HOME\forms\java”.

This solved the problem for me !

Posted in Application Server

Changing Password when Soasuite is integrated with an OID

Posted by John Paul van Helvoort on July 3, 2008

Recently I experienced some problems while changing the cn=orcladmin account in an Oracle configuration where SOA Suite is integrated with an Oracle Internet Directory. Following several Oracle notes on how to change the password for ‘cn=orcladmin’ left out an important detail on what to do when you have a configuration as described above.

When changing the password of the super account ‘cn=orcladmin’, I was surprised that after a successful password change we were no longer able to get the task list in the BPEL console. The reason for this is a configuration file called ‘is_config.xml’ that was left out. The location of this file is $ORACLE_HOME_SOA/bpel/system/services/config/is_config.xml and it should basically look like this when you have integrated with an OID.

Example 1:

 <?xml version = '1.0' encoding = 'UTF-8'?>
 <isconfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
    <configurations>
       <configuration realmName="ITEYE" displayName="ITEYE Realm">
          <provider providerType="JAZN" name="OID" service="Identity">
             <connection url="ldap://sso.it-eye.nl:389" binddn="cn=orcladmin" password="KyYv7aj6Rus2nPK5XC8H3g==" encrypted="true"/>
          </provider>
       </configuration>
    </configurations>
 </isconfiguration>

Now we need to replace the old password HASH with the new password. To do this we put the new password in the file in plaintext and set the encrypted attribute to “false”.

Example 2:

 <?xml version = '1.0' encoding = 'UTF-8'?>
 <isconfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
    <configurations>
       <configuration realmName="ITEYE" displayName="ITEYE Realm">
          <provider providerType="JAZN" name="OID" service="Identity">
             <connection url="ldap://sso.it-eye.nl:389" binddn="cn=orcladmin" password="plainpassword" encrypted="false"/>
          </provider>
       </configuration>
    </configurations>
 </isconfiguration>

After you restart the BPEL server, the password in the file is changed back into a HASH encrypted value and the encrypted attribute is automatically set back to “true” as well.

Your task list should appear again after a successful login to the BPEL console.
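To make the two-step change above less error-prone, here is an added example (my own code, not from the post or from Oracle) that stages the plaintext password into a constructed copy of is_config.xml and, after the restart, checks that no connection is still stored unencrypted. The sample file mirrors the shape shown above with a placeholder in place of the encrypted value; between the edit and the restart the file holds the bind password in clear, so it should stay readable only by the server's account.

```python
# Added example, not from the post: stage the orcladmin password change in a
# constructed is_config.xml and verify afterwards that nothing is left in clear.
import xml.etree.ElementTree as ET

NS = "http://www.oracle.com/pcbpel/identityservice/isconfig"
ET.register_namespace("", NS)  # keep the default namespace, no ns0: prefix on output
CONNECTION = "{%s}connection" % NS

# Constructed copy of the file shape shown above; the encrypted value is a placeholder.
SAMPLE = """<?xml version = '1.0' encoding = 'UTF-8'?>
<isconfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
   <configurations>
      <configuration realmName="ITEYE" displayName="ITEYE Realm">
         <provider providerType="JAZN" name="OID" service="Identity">
            <connection url="ldap://sso.it-eye.nl:389" binddn="cn=orcladmin" password="PLACEHOLDER_ENCRYPTED_VALUE==" encrypted="true"/>
         </provider>
      </configuration>
   </configurations>
</isconfiguration>
"""

def stage_new_bind_password(xml_text, binddn, new_password):
    """Return the file with the plaintext password and encrypted="false" on every
    <connection> that binds as binddn: the state the BPEL server expects before
    the restart that re-encrypts it. Refuses to touch a file without that binddn."""
    root = ET.fromstring(xml_text)
    hits = [c for c in root.iter(CONNECTION) if c.get("binddn") == binddn]
    if not hits:
        raise ValueError("no <connection> element binds as %r" % binddn)
    for conn in hits:
        conn.set("password", new_password)
        conn.set("encrypted", "false")
    return "<?xml version = '1.0' encoding = 'UTF-8'?>\n" + ET.tostring(root, encoding="unicode")

def plaintext_binds(xml_text):
    """Post-restart check: binddns whose password is still stored with
    encrypted="false". Expect an empty list once the server rewrote the file."""
    root = ET.fromstring(xml_text)
    return [c.get("binddn") for c in root.iter(CONNECTION) if c.get("encrypted") != "true"]
```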

Posted in Application Server

Why use Identity Management Grid Control Plug-in ?

Posted by John Paul van Helvoort on July 3, 2008

For a while I have been working with Oracle Identity Management as a central user store for all my Oracle products. To monitor this environment, Oracle Enterprise Manager Grid Control offers a rich information interface to help you do so. However, I am missing information on the Directory Integration Platform, which is used to connect to 3rd-party LDAP directories such as OpenLDAP, eDirectory and Active Directory. This important information should be available in the Grid Control monitoring tool, as it could happen that the synchronization runs into a problem without us noticing.

To take the monitoring capabilities to a higher level and provide such information, Oracle provides the “Identity Management Grid Control Plug-in”. This plug-in must be installed into your monitoring Grid and on every Agent that monitors an Oracle Identity Management installation.

After doing so you will have a new group next to your hosts, databases, etc. called “Identity Management”, which provides a complete overview of your Identity Management. It also collects administrative pages and offers you a direct link from within EM Grid to User Management, Group Management, Manage Services, Scope Settings and Session Settings.

I would recommend using this plug-in on top of a basic installation of Enterprise Manager Grid Control.

Here is a quick impression of what these pages look like:

[Screenshot] DIP Impression

[Screenshot] DAS Administrative Links

Posted in Grid Control, Identity Manager

Will Windows Native Authentication (WNA) work with Oracle Identity Management and Firefox ?

Posted by John Paul van Helvoort on July 2, 2008

As more people like the idea of going platform independent with their applications and their implementations, this seems like a fair question to ask: can I use my Firefox browser to log me into my applications which are configured for Windows Native Authentication using an Oracle Identity Management server?

The Oracle documentation on Oracle Identity Management explicitly mentions the use of non-IE browsers in a WNA-configured environment. (See Oracle Docs, Implementing Fallback Authentication.)

If you choose to use Firefox against a WNA SSO server, you must expect the fallback authentication method. If you use an IE browser that is enabled for WNA, you are logged in automatically to any registered SSO partner application on that SSO server. When we dig a little deeper we can see that the SPNEGO authentication mechanism is used.

This protocol is supported by IE and also by some non-IE browsers like Firefox. Visit Achim Grolms’ webpage to see how you could achieve this.

This information has been brought to Oracle’s attention and they are now looking into the possibilities of using Firefox in a WNA environment. The limitation does not reside on the client side (Firefox) but lies in the capabilities of the Single Sign-On server at this point. The Single Sign-On server queries the browser information and, based on the browser type, selects whether it will use WNA or not. Oracle expects to support Firefox in future releases but does not yet give a specific release number. At this moment Oracle confirms that 10.1.4.2 and previous releases have not yet been enhanced for using non-IE browsers in combination with WNA. Instead an Oracle INTERNAL BUG has been filed which calls for this feature. This bug is registered under:

BUG:6803891 ORACLE SSO WNA COULE BE ENHANCED TO SUPPORT FIREFOX BROWSER

I hope Oracle can come up with a quick solution on this matter, as it seems to be a showstopper for migrating many client desktops to open source desktops!

Posted in Application Server