OrclNetServiceAlias with OUD

Hi there,
I'm in the middle of migrating our very old OID installation, but I'm facing a problem.
It seems that I'm not able to have aliases for naming services in an OUD installation.
In my current installation, I have two naming contexts: one has the definition of the services, let's say dc=my,dc=domain,dc=org,
and the other one is dc=world, but this one is only for aliases (mandatory for some applications).
If I try to find cn=toto,cn=OracleContext,dc=world, it will dereference the aliased object cn=toto,cn=OracleContext,dc=my,dc=domain,dc=org; the objectClass values for that entry are top, alias and orclNetServiceAlias.
So I tried OUD, and I created a naming context for dc=my,dc=domain,dc=org.
If I do a tnsping toto, it's working.
So I created another naming context, dc=world, used for naming services.
I have created an entry with objectClass alias, top and orclNetServiceAlias, with the aliasedObjectName attribute set to cn=toto,cn=OracleContext,dc=my,dc=domain,dc=org.
I tried to tnsping toto.world:
TNS-03505: Failed to resolve service name
I looked in the access log file and I'm surprised to see:
[19/May/2014:12:30:40 +0200] SEARCH REQ conn=78 op=1 msgID=2 base="cn=toto,cn=OracleContext,dc=world" scope=base filter="(objectclass=*)" attrs="objectclass,orclNetDescString,orclNetDescName,orclVersion"
For sure, it will find nothing, as I do not have the attributes requested.
How do I have to configure it if I want to be able to request aliases?
Thanks
PS: I will have the same problem if I want to use an LDAP referral to query an external LDAP for a particular domain.

Hi there,
I should have looked at MOS before opening this thread ... :-)
Doc ID 1638847.1 has the answer (aliases are not implemented in OUD 11g R2 PS2).
Do I have to go to OID 11.1.1 instead?
Can you please tell me, however, whether OUD is able to use an LDAP referral for a particular domain?
Thanks
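
As an added example, not code from the thread or from Oracle, the following Python models the lookup shown in the access log above: a base-scope search with filter (objectclass=*) for the four attributes the Oracle Net client asks for. Run against an alias entry that the server does not dereference, the result carries no orclNetDescString, which is what the TNS-03505 above reflects; with dereferencing, the same lookup lands on the target entry. It also shows an assumed workaround that neither the thread nor the MOS note describes: turning the alias into a real entry holding a copy of the target's orclNetDescString. The DNs, objectclasses and attribute names come from the thread; the connect descriptor value and the in-memory store are constructed.

```python
"""Added example, not code from the thread or from Oracle: a model of the
base-scope lookup the Oracle Net client issues (see the SEARCH REQ line in the
thread) run against a stored alias entry, with and without server-side alias
dereferencing, plus an assumed workaround that copies the target's attributes
into a real entry. DNs and attribute names come from the thread; the connect
descriptor value and the in-memory store are constructed."""

from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Attribute list copied from the SEARCH REQ line quoted in the thread.
CLIENT_ATTRS = ["objectclass", "orclNetDescString", "orclNetDescName", "orclVersion"]

def sample_directory() -> Directory:
    """Constructed data: a real orclNetService entry under dc=my,dc=domain,dc=org
    and an alias to it under dc=world, as described in the thread."""
    return {
        "cn=toto,cn=OracleContext,dc=my,dc=domain,dc=org": {
            "objectClass": ["top", "orclNetService"],
            "cn": ["toto"],
            "orclNetDescString": [  # constructed value
                "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.my.domain.org)(PORT=1521))"
                "(CONNECT_DATA=(SERVICE_NAME=toto.my.domain.org)))"
            ],
        },
        "cn=toto,cn=OracleContext,dc=world": {
            "objectClass": ["top", "alias", "orclNetServiceAlias"],
            "cn": ["toto"],
            "aliasedObjectName": ["cn=toto,cn=OracleContext,dc=my,dc=domain,dc=org"],
        },
    }

def _lower(entry: Entry) -> Entry:
    return {k.lower(): v for k, v in entry.items()}

def _is_alias(entry: Entry) -> bool:
    return "alias" in [v.lower() for v in _lower(entry).get("objectclass", [])]

def search_base(directory: Directory, base_dn: str, attrs: List[str],
                deref_aliases: bool = False, max_hops: int = 8) -> Optional[Entry]:
    """Base-scope search with filter (objectclass=*), like the client's request.
    deref_aliases=False returns the entry as stored (what the thread saw in OUD);
    deref_aliases=True follows aliasedObjectName the way a server that honours
    alias dereferencing would. The hop limit keeps an alias loop from spinning."""
    dn = base_dn
    for _ in range(max_hops):
        entry = directory.get(dn)
        if entry is None:
            return None
        target = _lower(entry).get("aliasedobjectname")
        if deref_aliases and _is_alias(entry) and target:
            dn = target[0]
            continue
        if "*" in attrs:
            return dict(entry)
        wanted = {a.lower() for a in attrs}
        return {k: v for k, v in entry.items() if k.lower() in wanted}
    raise ValueError("alias chain from %s exceeds %d hops" % (base_dn, max_hops))

def resolve_connect_descriptor(directory: Directory, base_dn: str,
                               deref_aliases: bool = False) -> Optional[str]:
    """The connect descriptor the client needs, or None when the lookup returns
    no orclNetDescString (the situation behind the TNS-03505 in the thread)."""
    entry = search_base(directory, base_dn, CLIENT_ATTRS, deref_aliases)
    if not entry:
        return None
    desc = _lower(entry).get("orclnetdescstring")
    return desc[0] if desc else None

def materialize_alias(directory: Directory, alias_dn: str) -> Entry:
    """Assumed workaround, not something the thread or the MOS note states:
    replace the alias with a real entry carrying a copy of the target's
    attributes so the client's plain base search succeeds. The copy has to be
    refreshed whenever the target changes."""
    current = directory.get(alias_dn)
    if current is None:
        raise LookupError("no entry at %s" % alias_dn)
    if not _is_alias(current):
        return current
    target = search_base(directory, alias_dn, ["*"], deref_aliases=True)
    if target is None:
        raise LookupError("alias %s points at a missing entry" % alias_dn)
    new_entry = {k: list(v) for k, v in target.items()}
    rdn_attr, rdn_value = alias_dn.split(",", 1)[0].split("=", 1)
    new_entry[rdn_attr] = [rdn_value]  # keep the alias's own naming attribute
    directory[alias_dn] = new_entry
    return new_entry

if __name__ == "__main__":
    d = sample_directory()
    world = "cn=toto,cn=OracleContext,dc=world"
    print("as stored :", resolve_connect_descriptor(d, world))
    print("deref     :", resolve_connect_descriptor(d, world, deref_aliases=True))
    materialize_alias(d, world)
    print("copied    :", resolve_connect_descriptor(d, world))
```

The hop limit in search_base is the check to keep if aliases are ever dereferenced server-side: two aliases pointing at each other would otherwise let any client that can search pin a worker thread. The materialised copy trades the alias for a maintenance duty, since it has to be refreshed when the target's connect descriptor changes.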

Similar Messages

  • Register oracle DB with OUD for EUS

    My goal is to enable Kerberos authentication to an Oracle database using OUD as a proxy to Active Directory. When I attempt to register the DB with OUD 11.1.2.2.0, I get the following error in the access logs.
    [19/Feb/2015:09:11:02 -0500] ADD RES conn=26 op=2 msgID=3 result=65 message="Entry cn=wolfe,cn=OracleContext violates the Directory Server schema configuration because it includes attribute orclAci which is not allowed by any of the objectclasses defined in that entry" etime=2
    So it seems there is an issue with the orclAci attribute. I checked the schema through ODSM and I don't see it listed in the schema.
    I am hoping Sylvain Duloutre-Oracle could help with the problem.

    Hello,
    You should use cn=oracleContext,<your OUD suffix> during DB registration, not cn=OracleContext.
    cn=OracleContext is populated when OUD is configured for EUS support; however, all the other EUS-related configuration objects must be created in
    the cn=oracleContext associated with the OUD suffix configured for EUS.
    Sylvain
    Please mark the response as helpful or correct when appropriate to make it easier for others to find it

  • Is Sun DS 5.2 compatible with OUD 11gR2 PS1 Replication Gateway?

    Hi
    Is it possible to synchronise a Sun DS 5.2 master with OUD 11gR2 PS1 using an OUD replication gateway?
    If not, is it possible to set up replication between Sun DS 5.2 and ODSEE 11gR2, and then synchronise ODSEE 11gR2 with OUD via the OUD replication gateway?
    Thanks.

    Hi,
    The replication gateway must communicate with one ODSEE 11gR2 master. However, the rest of the topology does not need to be upgraded to 11g.
    Many customers deploy the replication gateway and the ODSEE 11g instance on the same box; the ODSEE 11g instance can be seen as a companion of the replication gateway.
    Note that some specific limitations apply when DSEE 5.2 is in the picture: some password-policy-related state, e.g. the number of failed authentications, is not fully replicated between DSEE 5.2 and OUD.
    -Sylvain

  • Authn and authz issues with OUD

    I have an application that supports LDAP as a means of authentication and authorization. I would like to have it use our OUD-based identity store. This is not an open system; I have no control over the client's behaviour, so any tweaking I do to make it work must be done on the server side.
    Authentication Issue:
    If I just enter a username "firstname.lastname" (as is our convention), the application sends this string verbatim to OUD and fails.
    [11/Mar/2014:14:49:34 -0400] CONNECT conn=67 from=xxx.xxx.xxx.xxx:44715 to=xxx.xxx.xxx.xxx:1636 protocol=LDAPS
    [11/Mar/2014:14:49:34 -0400] BIND REQ conn=67 op=0 msgID=1 type=SIMPLE dn="firstname.lastname"
    [11/Mar/2014:14:49:34 -0400] BIND RES conn=67 op=0 msgID=1 result=1 message="The provided value "firstname.lastname" could not be parsed as a valid distinguished name because it contained an RDN containing an empty attribute name" etime=23
    This is predictable, as the application is not smart enough to expand this username to something smart like "uid=firstname.lastname,ou=People,dc=example,dc=com". However, if I authenticate with this fully qualified DN, authentication succeeds.
    I don't expect my users to remember this ugly DN string. Is there any way I can tweak the OUD side to accept these types of shortened aliases? Or am I verging on OVD territory here?
    Authorization Issue:
    The application is capable of mapping its internal authorization levels to LDAP groups. The problem here is that it searches for memberOf (AD) or groupMembership (Novell) attributes in order to ascertain group membership, rather than the conventional memberUid or isMemberOf.
    [11/Mar/2014:14:49:59 -0400] SEARCH REQ conn=71 op=1 msgID=2 base="uid=firstname.lastname,ou=People,dc=example,dc=com" scope=baseObject filter="(objectclass=user)" attrs="memberOf,groupMembership"
    [11/Mar/2014:14:49:59 -0400] SEARCH RES conn=71 op=1 msgID=2 result=0 nentries=0 etime=0
    The result of course is that group membership is not properly found, and thus authorizations are not assigned.
    I understand that I can create a virtual attribute, based on isMemberOf but called memberOf, which should be able to add support for this query, but I cannot find a working recipe to properly add this functionality.
    Has anyone done anything like this before?
    Running OUD 11.1.2.1.0
    Thanks.
    Fred

    Excellent. Changing that setting looks to be a step in the right direction. Authentication now works smoothly using the shortened username, but the authorization problem is now different. Where before I could do a valid query for the uid string, now OUD is throwing an error when trying to search the group membership of an invalid RDN.
    [12/Mar/2014:12:46:49 -0400] CONNECT conn=187 from=xxx.xxx.xxx.xxx:3356 to=xxx.xxx.xxx.xxx:1636 protocol=LDAPS
    [12/Mar/2014:12:46:50 -0400] BIND REQ conn=187 op=0 msgID=1 type=SIMPLE dn="firstname.lastname"
    [12/Mar/2014:12:46:50 -0400] BIND RES conn=187 op=0 msgID=1 result=0 authDN="uid=firstname.lastname,ou=People,dc=example,dc=com" etime=6
    [12/Mar/2014:12:46:50 -0400] SEARCH REQ conn=187 op=1 msgID=2 base="firstname.lastname" scope=baseObject filter="(objectclass=user)" attrs="memberOf,groupMembership"
    [12/Mar/2014:12:46:50 -0400] SEARCH RES conn=187 op=1 msgID=2 result=34 message="The provided value "firstname.lastname" could not be parsed as a valid distinguished name because it contained an RDN containing an empty attribute name" nentries=0 etime=1
    [12/Mar/2014:12:46:50 -0400] SEARCH REQ conn=187 op=2 msgID=3 base="dc=example,dc=com" scope=wholeSubtree filter="(&(objectclass=user)(|(samAccountName=firstname.lastname)(displayName=firstname.lastname)(userPrincipalName=firstname.lastname)))" attrs="dn"
    [12/Mar/2014:12:46:50 -0400] SEARCH RES conn=187 op=2 msgID=3 result=0 nentries=0 etime=0
    [12/Mar/2014:12:46:50 -0400] UNBIND REQ conn=187 op=3 msgID=4
    [12/Mar/2014:12:46:50 -0400] DISCONNECT conn=187 reason="Client Disconnect"
    Is there more work to be done in the Identity Mappers configuration to get this follow-up query to work?
    As for virtual attributes, I have not yet registered "memberOf" as a virtual attribute and tested it. I was asking if doing so was a recommended course of action for this type of scenario. I will give it a shot and see what happens.
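
    As an added example, not code from the thread or from Oracle, the following Python models the server-side pieces this exchange is about and replays the requests from the quoted log against constructed entries: an exact-match identity mapper that resolves a bare "firstname.lastname" to a bind DN and refuses ambiguous matches, a memberOf value computed from group entries in the way a virtual attribute built on isMemberOf would supply it, and a small RFC 4515 filter evaluator. Replaying the log shows two things the prose only hints at: the mapper helps the bind only, so a search whose base is the bare name still fails with result 34, and the client's filter (objectclass=user) excludes an inetOrgPerson entry, so a memberOf virtual attribute on its own will not be returned to that search. The entries, attribute values and the filter subset are constructed; OUD's own identity mapper and virtual attribute configuration is not shown.

```python
"""Added example, not code from the thread or from Oracle: an exact-match
identity mapper, a memberOf value computed from group entries, and a small
LDAP filter evaluator used to replay the requests in the quoted access log.
All entries and values below are constructed."""

import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
USER_BASE = "ou=People,dc=example,dc=com"

# Constructed sample data: the user from the thread plus one group listing it.
DIRECTORY: Dict[str, Entry] = {
    "uid=firstname.lastname,ou=People,dc=example,dc=com": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["firstname.lastname"],
        "cn": ["Firstname Lastname"],
    },
    "cn=app-admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfUniqueNames"],
        "cn": ["app-admins"],
        "uniqueMember": ["uid=firstname.lastname,ou=People,dc=example,dc=com"],
    },
}

DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")

def is_dn(value: str) -> bool:
    """Syntax check only; a bare 'firstname.lastname' fails it, as in the log."""
    return bool(DN_RE.match(value))

def attr_values(entry: Entry, name: str) -> List[str]:
    """Case-insensitive attribute lookup, since LDAP attribute names are."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]

def map_identity(directory, bind_name: str, base: str = USER_BASE, match_attr: str = "uid") -> Optional[str]:
    """Exact-match identity mapper: a bare name is matched on uid under the user
    base, a DN is accepted only if it exists. More than one hit is refused so a
    second entry carrying the same uid cannot be used to bind as someone else."""
    if is_dn(bind_name):
        return bind_name if bind_name in directory else None
    hits = [dn for dn, e in directory.items()
            if dn.lower().endswith(base.lower()) and bind_name in attr_values(e, match_attr)]
    return hits[0] if len(hits) == 1 else None

def member_of(directory, user_dn: str) -> List[str]:
    """memberOf computed on the fly from uniqueMember/member, the job a virtual
    attribute built on isMemberOf does in OUD."""
    user = user_dn.lower()
    return [dn for dn, e in directory.items()
            if user in [m.lower() for m in attr_values(e, "uniqueMember") + attr_values(e, "member")]]

def parse_filter(text: str):
    """RFC 4515 subset used in the quoted requests: (&..), (|..), (attr=value), (attr=*)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node

def _parse(s: str):
    if not s.startswith("("):
        raise ValueError("expected '(' near %r" % s[:12])
    if s[1] in "&|":
        op, s, kids = s[1], s[2:], []
        while s.startswith("("):
            node, s = _parse(s)
            kids.append(node)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, kids), s[1:]
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")
    return ("=", attr, value), s[end + 1:]

def matches(entry: Entry, node) -> bool:
    if node[0] == "&":
        return all(matches(entry, k) for k in node[1])
    if node[0] == "|":
        return any(matches(entry, k) for k in node[1])
    _, attr, value = node
    vals = attr_values(entry, attr)
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)

def search(directory, base: str, scope: str, filt: str, attrs: List[str]) -> Tuple[int, List[dict]]:
    """(resultCode, entries) as the access log reports them: 34 (invalidDNSyntax)
    for a base that is not a DN, otherwise 0 with the matching entries."""
    if not is_dn(base):
        return 34, []
    node, wanted = parse_filter(filt), {a.lower() for a in attrs}
    found = []
    for dn, e in directory.items():
        in_scope = dn.lower() == base.lower() if scope == "base" else dn.lower().endswith(base.lower())
        if in_scope and matches(e, node):
            out = {"dn": dn, **{k: v for k, v in e.items() if k.lower() in wanted}}
            if "memberof" in wanted:  # virtual attribute: never stored on the entry
                out["memberOf"] = member_of(directory, dn)
            found.append(out)
    return 0, found
```

    Refusing ambiguous matches in map_identity is the check to keep: with a match attribute that is not unique across the base, the first hit would decide which account a password is tested against. Replaying the fallback subtree search from the log with this model returns nothing for the same reason it did on the real server: the entry has neither objectClass user nor any of the AD attributes the filter names.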

  • Configuring Oracle Authentication Services 4 OS (OAS4OS) with OUD

    I'm planning on using OAS4OS to configure with unix/linux servers. From the documentation, it says the directory needs to be OID. Is that the only directory supported? Can I use OUD or OVD in front of AD?
    Thanks

    Hi Hussein,
    While running perl adbldxml.pl tier=db appsuser=apps appspasswd=apps, I got the following errors in the log file.
    [ s_dbGlnam ]
    SEVERITY : INFO
    SOURCE SEARCHED : Reading the value from v$parameter table
    SEARCH RESULTS : Value obtained from table - VIS
    VALUE ASSIGNED : VIS
    USER ACTION : No action required
    [ s_dbService ]
    SEVERITY : INFO
    SOURCE SEARCHED : Reading the value from v$parameter table
    SEARCH RESULTS : Value obtained - VIS
    VALUE ASSIGNED : VIS
    USER ACTION : No action required
    [ s_dbCluster ]
    SEVERITY : INFO
    SOURCE SEARCHED : Reading the value from v$parameter table
    SEARCH RESULTS : Value obtained - FALSE
    VALUE ASSIGNED : FALSE
    USER ACTION : No action required
    FOLLOWING ERROR OCCURED :
    3 >= 3
    StackTrace:
    java.lang.ArrayIndexOutOfBoundsException: 3 >= 3
    at java.util.Vector.setElementAt(Unknown Source)
    at oracle.apps.ad.context.GenerateContext.setJRETOP(GenerateContext.java:7483)
    at oracle.apps.ad.context.GenerateContext.InstantiateRestForDB(GenerateContext.java:3057)
    at oracle.apps.ad.context.GenerateContext.main(GenerateContext.java:8150)
    THX
    Naveed

  • How to use OUD as LDAP for single db user repository?

    I have been assigned a project to add all the database users to OUD as a single repository for all our database users.  This would be similar to using Active Directory.  Could someone explain or point me in the right direction on how to add users and password (to include password policy) to OUD and then map them to global database schemas and/or roles?   I am a DBA and not familiar with OUD, but followed the instructions and got OUD up and running and have registered the databases with it.
    Part 2 of my question is after registering the database with OUD, this database is a 2 node RAC and it only registered the database and not the associated instances and/or services.  How do you add those (instances and services) into OUD?
    Thanks in advance!

    Hello,
    This is typically the EUS use case, where OUD is used to store enterprise users and roles plus the associated mappings.
    More about EUS support in OUD at Integrating With Oracle's Enterprise User Security - 11g Release 2 (11.1.2)
    I guess you configured the DB user location in the OUD directory when you configured EUS. See Integrating Oracle Unified Directory with Oracle Enterprise User Security - 11g Release 2 (11.1.2)
    You can create users in LDAP using various means, e.g.
    ldapmodify (Adding, Modifying, and Deleting Directory Data - Oracle Fusion Middleware Administration Guide for Oracle Unified Direct…). Any user objectclass, including inetOrgPerson, would fit
    import-ldif
    any graphical tool, including ODSM (Managing Data With Oracle Directory Services Manager - Oracle Fusion Middleware Administration Guide for Oracle Unified …)
    To create roles and mappings, you can use the database console or the EUSM command line as described in https://blogs.oracle.com/sduloutr/entry/using_eusm_to_manage_eus
    Regarding question #2, RAC instances are not individually registered in EUS; only the global RAC DB name needs to be registered.
    Sylvain
    Please mark this response as correct or helpful when appropriate to make it easier for others to find it

  • Replication with  more than one naming context ?

    Hi there,
    Well, I want to replace our very old OID installation with OUD (for Oracle Database Net services), but I'm facing one more problem.
    I have 2 naming contexts, dc=my,dc=domain,dc=org and dc=world.
    I have created dc=world with ODSM (Configuration -> Create local naming context for Oracle Database Net services).
    I'm able to query entries in each context.
    So I decided to install another server for HA and use replication.
    I installed the second server with the same options and the same procedure (stand-alone and for Oracle Database Net services).
    I created dc=world on the second server.
    Then I used dsconfig to create a replication server on port 8989 on both servers.
    I created a new Replication Domain for my two contexts with dsconfig -> replication -> synchronisation provider -> Replication Domain Management menu -> Create new replication domain.
    The list option shows me the two domains.
    But when I'm doing dsreplication -> enable replication, I only have cn=OracleContext or dc=my,dc=domain,dc=org or cn=OracleContext,dc=my,dc=domain,dc=org.
    No trace of dc=world or cn=OracleContext,dc=world.
    Is it possible to replicate several naming contexts, and what is the procedure to do that?
    Even with ODSM and the topology manager, I only see dc=my,dc=domain,dc=world.
    Thanks

    Hi there,
    Well, I found why the replication was not working for a context.
    I do not have to create a replication domain with dsconfig beforehand.

  • OUD Query

    Hi,
    We have OAM 11gR2 installed with OUD as the data source. I need to lock/unlock users in OUD, but I am unable to find any attribute for the same.
    Can someone guide me on this? The other requirement is to check the first login of the user. Is there any attribute in OUD to check the first-time login of any user?
    Please suggest.

    You can take a look at password policies in OAM 11gR2.  You can refer to blog written by Rob Otto http://www.ateam-oracle.com/password-policy-in-oam-11g-r2/

  • OVD and OUD

    Hi,
    I have OIM 11gR2, OVD and OUD installed in our environment. I am planning to do LDAP Sync with OIM.
    Can I do LDAP Sync directly with OUD by using libovd scripts, or is it mandatory to configure LDAP Sync with OVD only?
    What happens if I configure LDAP Sync directly with OUD? (Since we have plans to authenticate users from OAM against OUD.)
    Also, how can we extend the schema if we use OVD? Any doc for this?
    Appreciate your help.
    Thanks

    Yes, you can use libovd to talk directly to OUD without OVD

  • OAM 11gR2 PS1: Authenticate with email

    Hi All
    I want to authenticate users with email address and password instead of user ID and password. Has anyone implemented this before?
    I tried to update the user name attribute to mail, which matches my OUD attribute name, but I am still not able to authenticate with email.
    Any pointers will be highly appreciated.
    Thanks

    Hi,
    Try the below values in the User Identity Store section in the OAM Admin Console:
    User Name Attribute :::: mail
    User Filter Object Classes ::: inetOrgPerson
    Group Name Attribute ::: group
    User Filter Classes ::: groupOfUniqueNames
    As an alternative solution, you can also configure OVD as the Identity Store with OAM and then configure an LDAP adapter in OVD with the OUD details.
    Choose "OVD: Oracle Virtual Directory" as the store type and provide the store details. Configure the LDAP adapter for OUD in OVD.
    Provide the OUD details required.
    Hope this helps.

  • Active Directory Connector Questions in 11.1.2.1

    Hello All.  I am new to this version of IDM and I am trying to get through the setup and config.  I just installed a single instance of 11.1.2.1 with OUD, OAM, OIM.  I installed the Active Directory connector for User Management and I believe I have it configured. 
    I followed the post at Weblogic Corner: Oracle Identity Manager: The Active Directory Connector Tutorial and got a lot of questions answered with that.  First, note that I was able to follow the guide and run the lookup recon jobs as well as the user and group recon in trusted mode, then target mode to create all of the users and groups.  I am also able to create a user in OIM, add an account and have that provisioned to AD. 
    Here are my questions if you would be so kind:
    1) When I create a user in AD and I run the user recon(target), the event says "No User Match Found".  I was kind of expecting it to create a new user for me.  I was also expecting to schedule the recon job in target mode and not have to ever switch back to trusted mode after the first full sync.  What did I miss here?
    2) When I add an account to the user in OIM, the AD User form comes up with all the fields empty.  Is that the way it should work?  I was hoping that it would prepopulate some of the stuff from the OIM profile.
    3) When I modify a field in OIM, say middle name, will that sync in the next recon run, or will the admin need to open the account, update the AD form also and submit the middle name in two places?
    Thanks in advance!

    1. Identity gets created in Oracle Identity Manager from an authoritative source. In the case of target recon, it will just sync with the matched account in OIM.
    Please have a look at section 12.1.12 in the link below:
    Managing Reconciliation - 11g Release 2 (11.1.2)
    2. You can very well prepopulate fields in the process definition; you can even automate the provisioning process using role-based provisioning.
    3. There should be some tasks available for each field. No need to run the recon task or modify the account in AD; it will be updated in AD using the tasks. Check the connector process definition.

  • OAM-OIM 11g r2 integration is failing

    Hi,
    Following is my configuration,
    1. I have OIM 11g r2 and OAM 11gr2 installed on different weblogic domains.
    2. OIM synchronized with OUD LDAP
    3. I followed the steps described in http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oim.htm
    4. After the integration, I'm not able to log in to the Oracle Access Manager console. Though my authentication is successful, I'm getting an authorization error.
    As per the doc, the oamadmin user (a member of the oamadministrator group) should be able to log in to the console. On the WebLogic console -> security realms screen, I can see oudauthenticator (authenticates against OUD LDAP) created by the idmconfig tool (the tool used for the integration). On the same screen, if I open the oamadmin user profile, I don't see any group membership information for this user. I also created an Administrator group in my LDAP and assigned oamadmin as a member, but in vain. My guess is, since the OAM server is not recognizing the user's role, it's giving an authorization error.
    The documentation mainly talks about using OID as LDAP between OIM and OAM, though it claims other LDAPs are also supported. If anyone has successfully integrated, what do you see in oamadmin user profile, especially in the group membership attribute. Any other ideas/workarounds are greatly appreciated.
    Thanks, Nishanth

    I successfully did this in my VMware, and the oamadmin user has this:
    [oracle@thiagoleoncioVM ~]$ ldapsearch -D cn=orcladmin -w **** -b "dc=leoncio,dc=thiago" -L -s sub -v orclmtuid=*oaamadmin* memberOf
    filter pattern: orclmtuid=*oaamadmin*
    returning: memberOf
    filter is: (orclmtuid=*oaamadmin*)
    dn: cn=oaamadmin,cn=Users,dc=leoncio,dc=thiago
    memberof: cn=oaamcsrgroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaamcsrmanagergroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaamenvadmingroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaaminvestigationmanagergroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaaminvestigatorgroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaamruleadministratorgroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaamsoapservicesgroup,cn=groups,dc=leoncio,dc=thiago
    1 matches
    I hope this information helps you with your issue then you should be able to see what is missing there,
    Thiago Leoncio.

  • I want to remove icloud account & i forget the password

    Hi all,
    I have a big big big problem ... I have an iPhone 5
    ... then I went to someone who made an iCloud account for me, then I forgot the password of it and I cannot even remove this account and make a new one ????
    Is there any way to remove it without knowing the password? Please help

    Is there any way to remove it without knowing the password
    No.
    Reset the password: http://iforgot.apple.com.

  • Berkeley DB HA solution

    Hi
    As we are implementing OUD, which uses Berkeley DB, consider that we have the below requirement.
    Master site with HA - read/write capability
    Secondary sites will be read-only replicas
    =======================================
    How can we achieve the same with OUD [BrkDb] on the primary site,
    + read-only replica on the secondary site.
    So I need your expert advice for such kind of implementation. Any architectural diagram?
    Thanks
    Vijay Kumar

    Can you tell me more about what the letters in OUD stand for and what this application does? What version of Berkeley DB are you planning to use?
    Here is a pointer to a very high-level description of Berkeley DB High Availability that includes a diagram describing the sites in a replication group:
    High Availability
    Here is a pointer to the documentation for our latest 6.1 release:
    Berkeley DB (Version: 12c Release 1)
    You can read "Getting Started with Replication" and the "Reference Guide for Berkeley DB" chapter 12 to find more details about Berkeley DB replication.
    If you have more specific questions, please ask them.
    Paula Bingham
    Oracle

  • Idmconfigtool.sh in OIM R2

    I installed OIM R2. I already have OAM 11.1.1.5 configured against OVD 11.1.1.5 front-ending AD with our enterprise users. I do not have the option to extend the orcl schema on AD, so I decided to use OUD R2 and the install and base config went fine. I’m following this URL: http://docs.oracle.com/cd/E27559_01/install.1112/e27301/oim.htm#CDDGJIBJ to prep OUD and the schema went in fine. Now I’m confused with what exactly I need to do to complete OIM-OAM integration. Documentation seems to be everywhere with idmconfigtool.sh especially with R2.
    I did not enable LDAP Sync during OIM config, so im following this post-install link – http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#CHDBICCC to complete that setup. And here’s where I see there is not much detail on how I need to idmconfigtool.sh and with what options. The good thing with OUD is almost all orcl schema is shipped and there is nothing much to do related to schema, except for ob objectclasses and index, which i did based on the first link posted above.
    Experts, do you have any thoughts on how to proceed with idmconfigtool.sh related to OIM R2? Thanks for the help.
    Sunil.

    Hello,
    I'm trying also to configure LDAPSync post install in OIM 11gR2 and I've stumbled on that thread while trying to find precisions regarding the confusing official doc. The steps you are pointing out make sense, but can you confirm that they work? Anything else I should know before proceeding?
    Thanks,
    --jtellier
