John’s Oracle Experiences

My everyday experiences with Oracle products

Archive for the ‘Identity Manager’ Category

Export/Import OID users using DSML xml standard

Posted by John Paul van Helvoort on July 10, 2009

When using the DSML (Directory Service Markup Language) standard we create a representation of directory service information in XML syntax instead of LDIF syntax. First we export the users from the source OID in DSML format:

ldapsearch -h source.example.com -p 389 -X -D "cn=orcladmin" -w "xxx" -b "cn=Users,dc=example,dc=com" -s sub "objectclass=*" > /home/oracle/source_users.xml

To prevent this error when importing:

adding new entry cn=james, cn=Users, dc=example, dc=com
ldap_add: DSA is unwilling to perform
ldap_add: additional info: You cannot add entries containing authpasswords.

We need to strip this attribute from source_users.xml before importing it. To accomplish this we used an XSL template created by mgueury.

del_auth_password.xsl

<!--
  File    : del_authpassword.xsl
  Version : 1.0
  Author  : mgueury
  Description:
    Remove the authpassword from the DSML files
-->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <xsl:output method="xml"/>

  <!-- Identity template: copy every element, attribute and node unchanged -->
  <xsl:template match="*|@*|node()">
    <xsl:copy>
      <xsl:apply-templates select="*|@*|node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- Drop the two OID authpassword subtypes, copy every other attr -->
  <xsl:template match="attr">
    <xsl:choose>
      <xsl:when test="@name='authpassword;oid'">
      </xsl:when>
      <xsl:when test="@name='authpassword;orclcommonpwd'">
      </xsl:when>
      <xsl:otherwise>
        <xsl:copy>
          <xsl:apply-templates select="*|@*|node()"/>
        </xsl:copy>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

</xsl:stylesheet>

To apply the template we executed the following command:

xml -f -s /home/oracle/del_auth_password.xsl -o /home/oracle/target_users.xml /home/oracle/source_users.xml

After this we can fill our target OID with the cleaned target_users.xml:

ldapadd -h target.example.com -p 389 -D "cn=orcladmin" -w "xxx" -c -X /home/oracle/target_users.xml

adding new entry cn=james, cn=Users, dc=example, dc=com
adding new entry cn=jake, cn=Users, dc=example, dc=com
adding new entry cn=marly, cn=Users, dc=example, dc=com
adding new entry cn=john, cn=Users, dc=example, dc=com
..
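The same clean-up in Python, as an added example that is not the post's tooling or mgueury's template: it parses a DSML document, removes every attr whose base name is authpassword (so it also catches subtypes other than the two the XSL names) and copes with a namespace-prefixed document. The sample DSML, its dsml: namespace and the placeholder hash values are constructed and only approximate the real ldapsearch -X output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the DSML that ldapsearch -X writes for one entry.
# The dsml: namespace and the hash values are assumptions, not real output.
SAMPLE_DSML = """<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
 <dsml:directory-entries>
  <dsml:entry dn="cn=james,cn=Users,dc=example,dc=com">
   <dsml:objectclass><dsml:oc-value>person</dsml:oc-value></dsml:objectclass>
   <dsml:attr name="cn"><dsml:value>james</dsml:value></dsml:attr>
   <dsml:attr name="authpassword;oid"><dsml:value>{SASL/MD5}c0nstructed</dsml:value></dsml:attr>
   <dsml:attr name="authpassword;orclcommonpwd"><dsml:value>{x-orcldbpwd}c0nstructed</dsml:value></dsml:attr>
   <dsml:attr name="mail"><dsml:value>james@example.com</dsml:value></dsml:attr>
  </dsml:entry>
 </dsml:directory-entries>
</dsml:dsml>
"""


def local_name(tag):
    """Drop the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def strip_attrs(root, base_names=("authpassword",)):
    """Remove every <attr> whose name, before any ;subtype, is in base_names.
    Returns the number of attr elements removed."""
    doomed = []
    for parent in root.iter():
        for child in parent:
            if local_name(child.tag) != "attr":
                continue
            base = child.get("name", "").split(";", 1)[0].lower()
            if base in base_names:
                doomed.append((parent, child))
    for parent, child in doomed:      # remove after the walk, not during it
        parent.remove(child)
    return len(doomed)


def attr_names(root):
    """Sorted names of the attrs still present, to check the result."""
    return sorted(e.get("name") for e in root.iter() if local_name(e.tag) == "attr")


def clean_dsml(text):
    """Parse a DSML document and strip the authpassword attrs; returns (root, removed)."""
    ET.register_namespace("dsml", "http://www.dsml.org/DSML")  # keep the prefix on output
    root = ET.fromstring(text)
    return root, strip_attrs(root)


if __name__ == "__main__":
    root, removed = clean_dsml(SAMPLE_DSML)
    print(removed, "attrs removed; remaining:", attr_names(root))
    print(ET.tostring(root, encoding="unicode"))  # what you would feed to ldapadd -X
```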

Posted in Identity Manager, LDAP, OID

Monitoring the Integration Profile Status in Enterprise Grid Control

Posted by John Paul van Helvoort on March 11, 2009

By default the monitoring facility of Oracle does not provide us with a threshold to monitor the synchronization profiles created in Oracle Identity Management.
Several enhancement requests have been logged on Metalink, but still no solution is provided. Note that this option requires the installation of the Identity Management plug-in on both the OMS and the Agent.

Here is a quick hack to implement such a feature in your monitoring tool, so that an email is sent whenever the status of the sync profile returns "Agent Execution Successful, Mapping/IMPORT operation Failure".

We need to change the following files and reload them so that the agent becomes aware of the new monitoring rules.

First we alter the file $AGENT_HOME/sysman/admin/default_collection/oracle_eps_server.xml and add the following to it:

...
<CollectionItem NAME="ODIIntegrationProfileStatus">
    <Schedule>
      <IntervalSchedule INTERVAL="2" TIME_UNIT="Min"/>
    </Schedule>
    <Condition COLUMN_NAME="Status"
               CRITICAL="Agent Execution Successful, Mapping/IMPORT operation Failure"
               WARNING="N/A"
               OPERATOR="EQ"
               MESSAGE="The DIP Sync Profile is in broken state"
               CLEAR_MESSAGE="The DIP Sync Profile is up"
               CLEAR_MESSAGE_NLSID="eps_server_dip_broken_cond_clear"
               MESSAGE_NLSID="eps_server_dip_broken_cond"/>
    <Condition COLUMN_NAME="ProfileErrors"
               CRITICAL="Error"
               WARNING="N/A"
               OPERATOR="EQ"
               MESSAGE="The DIP Sync Profile is in broken state"
               CLEAR_MESSAGE="The DIP Sync Profile is up"
               CLEAR_MESSAGE_NLSID="eps_server_dip_broken_cond_clear"
               MESSAGE_NLSID="eps_server_dip_broken_cond"/>
</CollectionItem>
...

Now update the $AGENT_HOME/sysman/admin/metadata/oracle_eps_server.xml file and increase the release number so that the metadata repository identifies this change, from

<TargetMetadata META_VER="6.7" TYPE="oracle_eps_server" CATEGORY_PROPERTIES="VersionCategory"
                RESOURCE_BUNDLE_PACKAGE="oracle.oimcontrol.eps.rsc">

to

<TargetMetadata META_VER="6.8" TYPE="oracle_eps_server" CATEGORY_PROPERTIES="VersionCategory"
                RESOURCE_BUNDLE_PACKAGE="oracle.oimcontrol.eps.rsc">

After these changes we need to let the agent know about them by reloading its settings:

$AGENT_HOME/bin/emctl reload

Oracle Enterprise Manager 10g Release 4 Grid Control 10.2.0.4.0.
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
---------------------------------------------------------------
EMD reload completed successfully

After this you can define the Metric Threshold on the monitoring page of the Directory Integration Platform.

Posted in Grid Control, Identity Manager

Oracle Identity Management Grid Control Plug-in Repository Assistant Failed

Posted by John Paul van Helvoort on January 26, 2009

While installing the Oracle Identity Management Grid Control Plug-in as an add-on to your Enterprise Manager Grid Control, I ran into an error straight away. This had happened to me before, but I couldn't remember what caused this behaviour. The installer guides you through the installation process clearly, and at some point you select "/u00/oracle/product/10.2.0/oms10g" as the ORACLE_HOME to be upgraded. After a successful installation it automatically proceeds to the repository assistant configuration, which fails with this error:

Command = oracle.sysman.emcp.oms.IMRepositoryPatchUpgrade -verbose 

Setting configuration environment variables ...
INFO: Starting to execute configuration assistants
INFO: Command = oracle.sysman.emcp.oms.IMRepositoryPatchUpgrade -verbose
Command = oracle.sysman.emcp.oms.IMRepositoryPatchUpgrade has failed
Exception : java.lang.Exception:
Command: /u00/oracle/product/10.2.0/oms10g/sysman/admin/emdrep/bin/RepManager em.backbone.local 1521 emrep -action upgrade -verbose -repos_user sysman failed.
Exit code: expected [0 43 45 ], but got 2
INFO: Configuration assistant "IMGC Repository Assistant" failed
INFO: The "/u00/oracle/product/10.2.0/oms10g/cfgtoollogs/configToolFailedCommands" script contains all commands that failed, were skipped or were cancelled.
This file may be used to run these configuration assistants outside of OUI. Note that you may have to update this script with passwords (if any) before executing the same.
-----------------------------------------------------------------------------

As it turned out, RepManager has a problem when the correct ORACLE_HOME is not set in the environment before starting the runInstaller process. That is of course the right setting to have, but since you also select the ORACLE_HOME during the installation process, it is easy to overlook this mistake at the start.

To overcome this, stop the installer and set your ORACLE_HOME to point to the correct one, being the oms10g ORACLE_HOME.
Then start the installer again and remove the earlier attempt by removing the plug-in from the "Installed Products". When done, you are ready to try your luck again!

The plug-in can be downloaded here:
http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

Posted in Grid Control, Identity Manager

Synchronization from a relational database to Oracle Internet Directory

Posted by John Paul van Helvoort on January 14, 2009

In order to sync from a relational database to an Oracle Internet Directory (10.1.2.0.2) we need to create our own custom sync profile.
This profile has to select the information we want to store in our OID and has to map these values to an entry in our OID.
The information we want to import is selected in the configuration file (in our case CUSTOMDB_OID.cfg), while the mapping is made through the mapping file (in our case CUSTOMDB_OID.map). The integration server uses profiles which hold the configuration and mappings.

To create your own CUSTOMDB sync profile you can use these example files:

CUSTOMDB_OID.properties - profile settings
CUSTOMDB_OID.cfg - configuration file
CUSTOMDB_OID.map - mapping file

CUSTOMDB_OID.properties

odip.profile.name = CUSTOMDB
odip.profile.status = DISABLE
odip.profile.syncmode = IMPORT
odip.profile.retry = 5
odip.profile.schedinterval = 60
odip.profile.condirurl = db01.backbone.local:1521:APPSDB
odip.profile.condiraccount = operator
odip.profile.condirpassword = *******
odip.profile.interface = DB
odip.profile.configfile = /u00/oracle/product/10.1.2/idm/ldap/odi/conf/CUSTOMDB_OID.cfg
odip.profile.mapfile = /u00/oracle/product/10.1.2/idm/ldap/odi/conf/CUSTOMDB_OID.map
odip.profile.lastchgnum = 0
odip.profile.debuglevel = 63

CUSTOMDB_OID.cfg

[DBQUERY]
select:
ID,
EMAILADDRESS,
NAME,
TO_CHAR(LAST_UPDATE,'YYYYMMDDHH24MISS') CHANGEDATE
from
APPSUSERS
WHERE
LAST_UPDATE>TO_DATE (:CHANGEDATE,'YYYYMMDDHH24MISS')
ORDER BY
LAST_UPDATE

[SYNC-PARAMS]
CHANGEKEYATTRS:CHANGEDATE
[INTERFACEDETAILS]
SKIPERRORTOSYNCNEXTCHANGE: TRUE

CUSTOMDB_OID.map

DomainRules
NONLDAP:cn=users,dc=backbone,dc=local:cn=%,cn=users,dc=backbone,dc=local
AttributeRules
ID:1: : :cn: :person
ID: : : :cn: :orcluserv2
ID: : : :cn: :organizationalPerson
NAME: : : :sn: :person
EMAILADDRESS: : : :mail: :inetOrgperson
EMAILADDRESS: : : :uid: :inetOrgperson

Then run the following command to load your own configuration into Oracle Internet Directory:

$ORACLE_HOME/bin/dipassistant createprofile -host idm01.backbone.local -port 389 -w <password> -configset 1 -file CUSTOMDB_OID.properties

We have now created a sync profile which uses the CHANGEDATE field in the relational database to determine whether a row has changed and therefore needs to be resynchronized.
This is a basic setup that can serve as the base for a more complex import using more fields and mappings.
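An added Python emulation (not DIP's own code) of what the profile above does on each scheduled run: the [DBQUERY] selects rows with LAST_UPDATE after the stored CHANGEDATE, the AttributeRules map each row to an OID entry under the DomainRules DN template, and the newest CHANGEDATE becomes the change key for the next run. The APPSUSERS rows are constructed, and the run starts from a date-formatted change key rather than the profile's initial lastchgnum = 0.

```python
from datetime import datetime

DN_TEMPLATE = "cn=%,cn=users,dc=backbone,dc=local"   # from the DomainRules line
# AttributeRules from CUSTOMDB_OID.map: (source column, OID attribute, objectclass)
ATTRIBUTE_RULES = [
    ("ID", "cn", "person"), ("ID", "cn", "orcluserv2"),
    ("ID", "cn", "organizationalPerson"), ("NAME", "sn", "person"),
    ("EMAILADDRESS", "mail", "inetOrgperson"), ("EMAILADDRESS", "uid", "inetOrgperson"),
]
FMT = "%Y%m%d%H%M%S"   # the YYYYMMDDHH24MISS mask used in the [DBQUERY]

# Constructed APPSUSERS rows (ID, EMAILADDRESS, NAME, LAST_UPDATE).
APPSUSERS = [
    {"ID": "james", "EMAILADDRESS": "james@backbone.local", "NAME": "James",
     "LAST_UPDATE": datetime(2009, 1, 12, 9, 30, 0)},
    {"ID": "jake", "EMAILADDRESS": "jake@backbone.local", "NAME": "Jake",
     "LAST_UPDATE": datetime(2009, 1, 13, 17, 5, 42)},
    {"ID": "marly", "EMAILADDRESS": "marly@backbone.local", "NAME": "Marly",
     "LAST_UPDATE": datetime(2008, 12, 1, 8, 0, 0)},
]


def dbquery(rows, changedate):
    """Emulates the [DBQUERY]: rows with LAST_UPDATE > :CHANGEDATE, ordered by
    LAST_UPDATE, each carrying CHANGEDATE formatted with the same mask."""
    since = datetime.strptime(changedate, FMT)
    selected = sorted((r for r in rows if r["LAST_UPDATE"] > since),
                      key=lambda r: r["LAST_UPDATE"])
    return [{**r, "CHANGEDATE": r["LAST_UPDATE"].strftime(FMT)} for r in selected]


def map_row(row):
    """Apply the map file: DN from the DomainRules template, attributes and
    objectclasses from the AttributeRules (repeated values collapse to one)."""
    entry = {"dn": DN_TEMPLATE.replace("%", row["ID"]), "objectclass": []}
    for src, dst, oc in ATTRIBUTE_RULES:
        values = entry.setdefault(dst, [])
        if row[src] not in values:
            values.append(row[src])
        if oc not in entry["objectclass"]:
            entry["objectclass"].append(oc)
    return entry


def sync_run(rows, last_changedate):
    """One scheduled run: returns the entries to write to OID and the CHANGEDATE
    to persist as the profile's change key for the next run."""
    changed = dbquery(rows, last_changedate)
    entries = [map_row(r) for r in changed]
    next_key = changed[-1]["CHANGEDATE"] if changed else last_changedate
    return entries, next_key


if __name__ == "__main__":
    entries, key = sync_run(APPSUSERS, "20090101000000")
    print([e["dn"] for e in entries], key)
    print(sync_run(APPSUSERS, key))   # nothing changed since: ([], same key)
```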

More information on the topic can be found here

Posted in Identity Manager

Synchronizing accounts based on Active Directory group membership

Posted by John Paul van Helvoort on July 17, 2008

At some point we were discussing whether it would be possible to synchronize user accounts based on group membership using the default procedures of Oracle Identity Management.
The idea is to sync as few user accounts as possible to our Oracle Internet Directory; the user accounts are spread over a wide range of Active Directory containers to which different policies apply. Not all users in these containers need access to the Oracle applications that are integrated with Oracle Identity Management.

So by granting a user a special group privilege (soa) in Active Directory, that user should be synced to Oracle Internet Directory. Other users should not be synced, as they are not part of this special "soa" group. When this grant is revoked, the user account should also be deleted from our Oracle Internet Directory.

Case 1: We are synchronizing all users from Active Directory to Oracle Internet Directory.
When we use a basic searchfilter like:

searchfilter=(&(objectclass=user))

All users added or deleted in AD get processed in OID. This works.

Case 2: We are synchronizing based on group membership.
We use this searchfilter:

searchfilter=(&(objectclass=user)(MemberOf=CN=soa,OU=groups,OU=nieuwegein,DC=iteye,DC=nl))

Users are added to our OID only when they are added to the group "soa" straight away, before the sync (ODI) picks up the changes.

In the scenario where the user is created, the sync runs, and only afterwards the user is added to the "soa" group, the sync will not add the user anymore.

Deletions are not performed anymore.

Case 3: We are synchronizing based on attributes, using the displayname attribute as a trigger to sync or not sync our user.
We want to perform this test to see if we could use an attribute (for example displayname) to indicate this "group membership" by setting its value to 1.

We use this searchfilter :

searchfilter=(&(objectclass=user)(displayname=1))

Only users whose displayname has been changed to 1 are added, regardless of whether the user was created and had the displayname adjusted within the same synchronization period. So in the scenario where the user is created, the sync runs, and afterwards the user's displayname is changed to 1, the sync will still add the user.

Deletions are not performed anymore. We are not able to delete (in cases 2 and 3) or backfill a user based on group membership (case 2). After some research we found in MSDN the following description of the memberOf attribute for an AD user:

—————-
memberOf
The memberOf attribute is a multi-valued attribute that contains groups of which the user is a direct member, depending on the domain controller (DC) from which this attribute is retrieved:

At a DC for the domain that contains the user, memberOf for the user is complete with respect to membership for groups in that domain; however, memberOf does not contain the user’s membership in domain local and global groups in other domains. At a GC server, memberOf for the user is complete with respect to all universal group memberships. If both conditions are true for the DC, both sets of data are contained in memberOf.

Be aware that this attribute lists the groups that contain the user in their member attribute—it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B and group B were nested in group A, the memberOf attribute of user O would list group C and group B, but not group A.

This attribute is not stored—it is a computed back-link attribute.
————–
http://msdn2.microsoft.com/en-us/library/ms677943.aspx

This means that when you add a user to a group in AD, AD only modifies the group, not the user itself. Consequently uSNChanged is updated only once, on the group.

The ODI server reads the uSNChanged value and runs a search against AD to retrieve the latest changes. Here it will only find that the group has been changed. The filter for the change search is formed as:

(&(uSNChanged interval)(our_custom_filter))

So, for both cases 2 and 3, we would need to take some action on the user when the group is changed, which is not possible with ODI. ODI works on an entity level (that is, the mapping files are applied, and actions are performed, only on the entity detected as changed).

For case 3 you will not be able to delete a user when an attribute is changed, as deletes are searched from a special DeletedObjects AD container. A user is not added to this DeletedObjects container when you change, in our case, the displayname attribute.

However, as a partial solution we could create an OID plug-in that fires on a post-update LDAP operation on the specific groups. So, if a user is removed from a group, the plug-in is triggered after the synchronization runs. In the plug-in code we should be able to identify the user that was removed and delete it from OID.

But this means we need to extend the possibilities of the default procedures available in Oracle Identity Management.

Our conclusion at this point is that it is not possible to sync based on group membership with deletion and/or backfilling of users using the default procedures of Oracle Identity Management. However, it is possible to write your own plug-in for Oracle Identity Manager to do a post-update operation on your user store (OID) to keep it clean and up to date.
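An added Python model (not ODI or AD code) of the mechanism the post concludes with: a group membership change bumps uSNChanged on the group only, so the change search (&(uSNChanged>=last)(objectclass=user)(memberOf=soa)) never returns the user (case 2), while a write on the user entry itself does (case 3). The object model, the user DN and the USN bookkeeping are constructed; only the soa group DN comes from the post.

```python
SOA_GROUP = "CN=soa,OU=groups,OU=nieuwegein,DC=iteye,DC=nl"   # from the case 2 searchfilter


class MiniAD:
    """Constructed model of the two AD facts the post depends on: a write bumps
    uSNChanged on the written object only, and memberOf is computed from the
    member attribute of groups rather than stored on the user."""
    def __init__(self):
        self.usn = 0
        self.objects = {}            # dn -> attribute dict
    def _touch(self, dn):
        self.usn += 1
        self.objects[dn]["uSNChanged"] = self.usn
    def add(self, dn, objectclass, **attrs):
        self.objects[dn] = {"objectclass": objectclass, **attrs}
        self._touch(dn)
    def modify(self, dn, attr, value):
        self.objects[dn][attr] = value
        self._touch(dn)              # case 3: the user entry itself is written
    def add_member(self, group_dn, user_dn):
        self.objects[group_dn].setdefault("member", set()).add(user_dn)
        self._touch(group_dn)        # case 2: only the group entry is written
    def member_of(self, dn):
        return {g for g, o in self.objects.items() if dn in o.get("member", ())}
    def change_search(self, min_usn, group=None, **attr_filter):
        """The ODI change search: (&(uSNChanged>=min_usn)(objectclass=user)(custom))."""
        hits = []
        for dn, o in self.objects.items():
            if o["uSNChanged"] < min_usn or o["objectclass"] != "user":
                continue
            if group is not None and group not in self.member_of(dn):
                continue
            if any(o.get(k) != v for k, v in attr_filter.items()):
                continue
            hits.append(dn)
        return hits


def scenario():
    """User created, sync runs, then the user is granted the soa group (case 2)
    or gets displayname=1 (case 3), and the sync runs again."""
    ad = MiniAD()
    ad.add(SOA_GROUP, "group")
    user = "CN=jake,OU=users,OU=nieuwegein,DC=iteye,DC=nl"   # constructed DN
    ad.add(user, "user", displayname="Jake")
    first = ad.change_search(0, group=SOA_GROUP)            # not a member yet: nothing
    last_usn = ad.usn + 1                                   # watermark ODI keeps after run 1
    ad.add_member(SOA_GROUP, user)
    case2 = ad.change_search(last_usn, group=SOA_GROUP)     # member now, but user USN is old
    ad.modify(user, "displayname", "1")
    case3 = ad.change_search(last_usn, displayname="1")     # user USN bumped: found
    return {"first_run": first, "case2_after_group_add": case2, "case3_after_attr_change": case3}
```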

Posted in Identity Manager

Why use Identity Management Grid Control Plug-in ?

Posted by John Paul van Helvoort on July 3, 2008

For a while I have been working with Oracle Identity Management as a central user store for all my Oracle products. To monitor this environment, Oracle Enterprise Manager Grid Control offers a rich information interface. However, I am missing information on the Directory Integration Platform, which is used to connect to third-party LDAP directories such as OpenLDAP, eDirectory and Active Directory. This important information should be available in the Grid Control monitoring tool, as the synchronization could run into a problem without us noticing.

To take the monitoring capabilities to a higher level and provide such information, Oracle provides the "Identity Management Grid Control Plug-in". This plug-in must be installed into your monitoring grid and on every agent which monitors an Oracle Identity Management installation.

After doing so you will have a new group next to your hosts, databases, etc. called "Identity Management", which provides a complete overview of your Identity Management. It also collects the administrative pages and offers a direct link from within EM Grid to User Management, Group Management, Manage Services, Scope Settings and Session Settings.

I would recommend using this plug-in on top of a basic installation of Enterprise Manager Grid Control.

Here is a quick impression of what these pages look like:

[Screenshot: DIP Impression]

[Screenshot: DAS Administrative Links]

Posted in Grid Control, Identity Manager