Identity and Cloud Security A-Team at Oracle Open World

I just wanted to let everyone know that Kiran and I will be presenting with our good friend John Griffith from Regions Bank at Oracle Open World next week. Our session is Oracle Identity Management Production Readiness: Handling the Last Mile in Your Deployment [CON6972]. It will take place on Wednesday, Sep 21, 1:30 p.m. […]

Oracle Unified Directory 11gR2PS3 Very Large Static Groups

This post is about OUD and extremely large static groups where membership numbers exceed hundreds of thousands or even millions; yes I said millions.  I have been using Directory Services for over 15 years and the response I typically have for a customer that wants to use very large static groups is don’t do it.  Then I steer […]

Working with Oracle Unified Directory 11gR2 Transformation Framework

If you have been using Oracle’s Identity Management software for at least the last few years you will probably be familiar or at least heard of OVD (Oracle Virtual Directory), which was originally acquired back in 2005 from a company called OctetString. OVD provides a vast number of great virtual features used to aggregate multiple […]

Improve Oracle Unified Directory 11gR2 Search Performance with Index Entry Limit

Introduction I am always looking for great tips that give big values; this one is no exception. This article is to help you understand how to tweak the index called “Index Entry Limit” to reap some dramatic ldapsearch performance improvements. I explain what this index is about, some of my own test results, how to determine the […]

BPM Workspace Login with libOVD and LDAP, Part 2: Login

Introduction In Part 1, we looked at the initialization of libOVD at server startup. Now let’s examine what happens inside libOVD when you actually click on the login button in BPM Workspace. Again, we are looking at BPM 11g PS5 BP7 with Patch 17315336. The Workspace login is a two step process. The first step is […]

BPM Workspace Login with libOVD and LDAP, Part 1: Configuration and Startup

Introduction Some Oracle BPM 11g customers have reported performance issues when trying to log in to BPM Workspace with an external LDAP as an identity store. While each customer could have a different issue that caused the slow down, the process of identifying the issue is usually the same. Having a good understanding of how […]

Mass Reset Password-part1 OID

Introduction One of the great features that customers need to be aware of, and that can be used as a post-process step in many different situations such as P2T, T2P and clone, is the ability to reset multiple passwords simultaneously. Imagine the customer is scaling out their environment because they need an additional UAT environment. This customer […]

Oracle Unified Directory 11gR2 (11.1.2.2.0) Installation Cheat-sheet

This is a cheat-sheet for installing Oracle Unified Directory (OUD) including the graphical administration tool (Oracle Directory Services Manager – ODSM). While the core of OUD does not require an application server such as WebLogic, ODSM does, so you need to install that too (unless you want to do all administration from the command line). All […]

Managing the performance impact of OID last login tracking

Does your environment have demanding performance requirements? High volume, customer-facing applications such as eCommerce or Internet banking, with business critical requirements for low response time? Then having last login tracking enabled in OID (orclpwdtracklogin=1 in your password policy) can have a substantial performance cost. It converts every login, every bind/compare against an OID entry, into a modify of that OID entry to update […]

Creating a Custom OVD Plugin

1. Introduction In a recent engagement, I worked with a customer that had a business requirement where they needed to create and expose to their application two computed LDAP attributes, based on the value of an existing attribute. For instance, let’s say the original attribute is “myCorpID” and its value could be something like “23451588-IT […]

Starting OID 11g with Upstart

If you read my post on Upstart a while ago you know that I’m a fan of Upstart. But I hadn’t sat down to redo my old (and crummy) OID/OVD start scripts to use Upstart until this week partly because “if it ain’t broke don’t fix it” but partly because wh…

Virtual Directory Performance Tuning Guidelines

In its simplest deployment possible, a Virtual directory has a listener, a server component and an adapter that talks to a backend target. In such a deployment, the Virtual directory only plays the role of being a proxy that receives a request, forwards it to the target and sends the response back from the target to the client.

In such a deployment, one can still encounter performance issues if OVD isn’t tuned adequately.

Performance of OVD depends on the following factors:

• OS tuning
• Server Processors cores
• JVM tuning
• OVD server configuration (threads, work queue capacity)
• Data size of requests issued to Target
• The performance of backend systems (directories, DBs, proprietary stores) that OVD is virtualizing.

Before you conduct any tuning, gather baseline performance metrics for the overall solution. Follow these steps to gather these baseline numbers:

1. Start with the official documentation. It is a good reference for tuning OVD.
2. Collect a sampling of requests that are likely to be sent to OVD by your intended client applications.
3. Test OVD by manually issuing each of these requests to confirm that the wiring to the Target is proper and that there are no functional issues with OVD or the Target it is talking to.
4. Disable TRACE level logging for the OVD server.
5. Install a load generation tool like Slamd on a server other than the server hosting OVD (I have seen situations where Slamd is installed on the same host as OVD and it tends to consume the CPU capacity there, leaving OVD gasping for CPU).
6. Configure scripts in Slamd to execute the sampling of requests you collected in step 2 with an adequate number of clients.
7. Gather the OVD access logs and mark down the request/response times.
Look at the OVD Access log section below for information on how to parse the OVD access logs. Before you tune OVD, if you notice that the Target itself is taking a long time to respond, work on improving the performance of the Target first. Usually, a response from OVD should take less than a second, but depending on the performance of the Target data source this can vary drastically; there is no single right answer. It is very important to note that the performance of the Target data source directly impacts the performance of OVD, because OVD is just a proxy in this case.

OS tuning

Allocate an adequate number of file handles to the user who owns the OVD process so that OVD can open the required number of connections with clients and Targets. The number of concurrent client connections OVD can support depends directly on this. On Unix platforms, it is recommended that you start with a ulimit of 8192 for the OS user’s environment settings.
 
Server Processor cores

OVD is multi-threaded by design: it can receive multiple requests and process them simultaneously via worker threads. Therefore, the more processor cores you have, the better it is for OVD.

OVD can be configured directly to take advantage of these processors by allocating 10 to 20 threads per processor core. That means, if you have 10 cores, configure up to 200 threads via the OVD configuration.
 
JVM tuning

Update your JVM to the latest minor version. As of the writing of this article, the latest JDK version is 1.6_035; the minor version is 35.

The default heap size for an OVD instance is 512 MB upon installation. For a production environment, configure a heap size of at least 1 GB and make sure that the min and max heap sizes are set to the same value. On a 64-bit OS you can increase the heap size beyond 3.6 GB, but Full GCs can then cost you significant performance hits. Unless your request sizes are big or OVD is running out of memory, I do not recommend increasing the heap size beyond 2 GB.

Make sure the JVM is configured to start with the -server option. Otherwise, OVD runs in client mode.
 
Here is a snippet of opmn.xml:

<ias-component id="ovd1">
   <process-type id="OVD" module-id="OVD">
     <module-data>
       <category id="start-options">
           <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
           <data id="java-options" value="-server -Xms512m -Xmx512m
-Dvde.soTimeoutBackend=0
-Didm.oracle.home=$ORACLE_HOME
-Dcommon.components.home=$ORACLE_HOME/../oracle_common
-Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml"/>
           <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
        </category>
      </module-data>
     <stop timeout="120"/>
    </process-type>
 </ias-component>
 
I recommend not setting any specific size for Permgen space or young or old generation space. I also recommend that you not specify a particular Garbage collector. I will publish another blog post about GC issues and how to resolve those with a real customer situation I dealt with recently.
 
OPMN (Oracle Process Monitoring and Notification) server monitors OVD. If you notice that your OVD instance is being restarted abruptly, that means, OPMN is trying to ping OVD but OVD is not responding. Try increasing the polling interval. This is documented in the aforementioned documentation link.
 
While you can increase the polling interval, it is better to investigate why OVD is not responding and if there is a problem that is preventing OVD from responding.
 
OVD server tuning
 
There are three files of significance for OVD tuning: listeners_os.xml, adapters_os.xml and server_os.xml, all located in the directory $ORACLE_INSTANCE/config/OVD/ovd<number>/conf.
 
listeners_os.xml
 
<anonymousBind>deny</anonymousBind>
 
I recommend turning off anonymous binds. While OVD supports such binds, it is a bad habit to allow anyone to bind to OID without a proper userid and password, and it is an unnecessary waste of resources on OVD. Even if you have a load balancer, configure the LBR to bind to OVD with a real userid and password. This allows you to permit only authorized clients to connect to OVD.
 
<threads>100</threads>
 
Set this to 10 to 20 threads per CPU core available on the hardware server that is hosting OVD. If you have 10 cores, set this value to 100, or a maximum of 200.
 
<useNIO>false</useNIO>
 
At this time, OVD provides only partial support for non-blocking IO in Java. Turn this parameter off.
 
<workQueueCapacity>8096</workQueueCapacity>
 
This parameter tells the server to hold requests that cannot be processed by the specified threads for the given listener. If there are more requests than threads, those requests end up in this queue to be processed as soon as a worker thread is available. Set this to a value of 4 to 8K. I would adjust this parameter only if you see that OVD is denying requests (not Anonymous binds of course).
 
<socketOptions>
  <tcpNoDelay>true</tcpNoDelay>
  …
 </socketOptions>
 
By default, this is set to true. This parameter controls buffering so as to support scenarios where there is a large amount of data to be returned to a client per request. Unless recommended, you should not set this parameter to false. This ensures that OVD responds as soon as the target responds to a given request.

<socketOptions>
  …
  <keepAlive>false</keepAlive>
  …
 </socketOptions>

Turn off keepAlive. This parameter is only required to ensure that a TCP keep-alive is sent to the client to make sure that the connection opened by the client to OVD is still valid. On Linux, the timing of this keepAlive parameter is controlled by the OS parameter net.ipv4.tcp_keepalive_time, in seconds.
 
server_os.xml
 
<inactiveConnectionTimeout>5</inactiveConnectionTimeout>

By default, OVD does not close any connections to a client, no matter how long the connection is idle. I recommend setting this to a value of 5 minutes so that idle connections are automatically closed. In such cases, OVD will close the connection and a FIN will be sent to the client to inform it that the connection has been closed by the server; the client can send an ACK and terminate the connection on its side. This parameter is in minutes.
 
adapters_os.xml
 
<referals>false</referals>
 
Turn off referrals. Even if your Target supports referrals, configure OVD not to follow referrals because a request issued to OVD can take far longer than the connection timeout period specified on the client side. In such cases, OVD will still be busy processing the request, while the client is no longer willing to wait for the response. In the worst case, the client decides to reissue the same request on a new connection and that just bogs down OVD by consuming thread after thread for a request that no client is willing to wait for.
 
<initialPoolSize>50</initialPoolSize>
<maxPoolSize>100</maxPoolSize>
 
Your maxPoolSize should be equal to the maximum number of concurrent clients you expect OVD to respond to at any given time. But, I do not recommend setting the initialPoolSize to a high value because it can result in a significant number of connections being opened to the target. And if you are using SSL, this is a significant burden on both OVD and the target.
 
 
Play around with these parameters and once you have a good idea of the performance of your OVD deployment, you can adjust to your specific needs. It is important to note that OVD will never perform faster than a Target it is wired to. If the Target takes 10 milliseconds to respond to a query, OVD will take 10+x milliseconds to respond to the client. OVD does not cache results and you should never assume that caching will improve your performance. It can improve your performance but it can also create other problems with stale data.
 
It is easy to acquire stuff and store them but it is much harder to know when and how to get rid of them. What is true in life also applies to caching in OVD. Just don’t assume that OVD will perform better than the Target data source such as a LDAP server or DB.
 
How many OVD instances should you deploy?
 
That is as good as anyone’s guess. Without a good understanding of your performance requirements and of the performance of a pair of OVD instances (set up for HA), you have no way to find out.
 
Once you have followed the recommendations in this article, if you are still short of performance and you see that the physical server hosting OVD is more than 50% idle, I would install an additional OVD instance on the same host. Configure your LBR to load balance to this OVD instance as well, and that will enhance your performance.
 
How to keep your OVD healthy and happy?
 
Those of you who are LDAP administrators know very well that everything gets blamed on the LDAP server. There used to be a time when the database was always the culprit when it came to performance. No application developer ever wrote poorly designed code and no client is ever misconfigured, until proven otherwise. Often, LDAP administrators face the burden of having to prove that their LDAP server is indeed responding properly and that it is the client application that is at fault.
 
Well, it starts with some investment on your part. If you as a LDAP administrator want to deal with such allegations effectively and decisively, start by monitoring the following:
 
a)    Connections opened by each client to OVD
b)   Queries issued by the client to OVD and the corresponding response times
c)    Hardware server capacity utilization (on Linux, vmstat command is a good starting point)
d)   A sampling of the aforementioned two items during your peak hours and off-peak hours
 
Oracle Directory Server Enterprise Edition (formerly Sun DSEE) and Oracle Internet Directory (OID) are excellent at providing such metrics, so you can easily isolate the cause of poor performance. OVD access logs provide similar information. Write some scripts to parse this data and generate a summary report.
 
And look at these reports over a period of time to ensure that you have a proper understanding of your client applications and the behaviours that are normal vs abnormal. In the end, a healthy OVD instance can only deliver good performance to your enterprise applications if you give it the attention needed.
 
OVD Access log
 
Access logs for OVD tell you when a request was received and when a response was sent back to the client. This is OVD’s perspective of the request/response times. A typical access log looks as follows:
 
 
[2012-09-17T11:11:19.259-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 66] [ecid: b9af6bb1052db062:da036ce:139c63d427d:-8000-000000000000001c,1:109818:2] conn=41 op=2,628 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(&(uid=userA)(objectclass=inetorgperson))
[2012-09-17T11:11:19.263-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 66] [ecid: b9af6bb1052db062:da036ce:139c63d427d:-8000-000000000000001c,1:109818:2] conn=41 op=2,628 RESULT err=0 tag=0 nentries=1 etime=4 dbtime=0 mem=1,564,201/2,232,496
[2012-09-17T11:11:19.265-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 29] [ecid: ac28ba5c19ecb1ba:1155e622:139c63d109b:-8000-0000000000000017,1:108956:2] conn=43 op=2,399 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(&(uid=userB)(objectclass=inetorgperson))
[2012-09-17T11:11:19.265-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 20] [ecid: b9af6bb1052db062:da036ce:139c63d427d:-8000-000000000000001c,1:109819:2] conn=44 op=1,309 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(&(uid=userC)(objectclass=inetorgperson))
[2012-09-17T11:11:19.270-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 29] [ecid: ac28ba5c19ecb1ba:1155e622:139c63d109b:-8000-0000000000000017,1:108956:2] conn=43 op=2,399 RESULT err=0 tag=0 nentries=1 etime=5 dbtime=0 mem=1,564,201/2,232,496
[2012-09-17T11:11:19.270-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 20] [ecid: b9af6bb1052db062:da036ce:139c63d427d:-8000-000000000000001c,1:109819:2] conn=44 op=1,309 RESULT err=0 tag=0 nentries=1 etime=5 dbtime=0 mem=1,564,201/2,232,496
[2012-09-17T11:11:19.271-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 28] [ecid: b9af6bb1052db062:da036ce:139c63d427d:-8000-000000000000001c,1:109818:4] conn=492 op=2,629 SRCH base=dc=myorg,dc=mycompany scope=2 filter=uniquemember=uid=userA,cn=users,dc=myorg,dc=mycompany
 
 
Each request and its corresponding response from OVD can be matched using these entries:
 
“conn=<connection number> op=<operation number since last start> and tid: <thread id>”

For example, a request issued with the filter (&(uid=userB)(objectclass=inetorgperson)) was processed by thread id 29. The connection number is 43 and the operation number is 2399.
 
 
[2012-09-17T11:11:19.265-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 29] [ecid: ac28ba5c19ecb1ba:1155e622:139c63d109b:-8000-0000000000000017,1:108956:2] conn=43 op=2,399 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(&(uid=userB)(objectclass=inetorgperson))
[2012-09-17T11:11:19.265-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 20] [ecid: b9af6bb1052db062:da036ce:139c63d427d:-8000-000000000000001c,1:109819:2] conn=44 op=1,309 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(&(uid=userC)(objectclass=inetorgperson))
[2012-09-17T11:11:19.270-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 29] [ecid: ac28ba5c19ecb1ba:1155e622:139c63d109b:-8000-0000000000000017,1:108956:2] conn=43 op=2,399 RESULT err=0 tag=0 nentries=1 etime=5 dbtime=0 mem=1,564,201/2,232,496
 
 
 
The corresponding result was sent back to the client successfully because you see a string “RESULT err=0 etime=5….”
 
This entry has the same connection number, operation number and thread id.
 
It is easy to write a simple parser using something like Python or Perl to generate request/response timings. I use one to identify exceptions, find requests that exceeded a given threshold, and find requests that never got a response back.

In these sample log statements, the string etime=<time in milliseconds> is the time consumed by OVD and the Target data source to process the given query issued to OVD.
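As an added example (not the author’s own script, which the post does not show), here is such a parser in Python: it pairs each request line with its RESULT by conn, op and tid, computes the elapsed time from the two timestamps alongside the logged etime, and lists requests above a threshold, requests that returned an error, and requests that never got a RESULT. The log lines it runs on are constructed from the sample above, with shortened ecid values and two invented entries (conn=45 and conn=46).

```python
"""Pair OVD access-log request and RESULT lines by conn/op/tid and report
slow, failed and unanswered requests (added example, not code from the post)."""
import re
from datetime import datetime

# Constructed sample in the format shown in the post, with the ecid shortened.
# conn=45 (slow) and conn=46 (err=32) are invented; conn=492 never receives a
# RESULT line, exactly as in the post's sample.
SAMPLE_LOG = """\
[2012-09-17T11:11:19.259-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 66] [ecid: sample,1:1:2] conn=41 op=2,628 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(&(uid=userA)(objectclass=inetorgperson))
[2012-09-17T11:11:19.263-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 66] [ecid: sample,1:1:2] conn=41 op=2,628 RESULT err=0 tag=0 nentries=1 etime=4 dbtime=0 mem=1,564,201/2,232,496
[2012-09-17T11:11:19.265-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 29] [ecid: sample,1:2:2] conn=43 op=2,399 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(&(uid=userB)(objectclass=inetorgperson))
[2012-09-17T11:11:19.265-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 20] [ecid: sample,1:3:2] conn=44 op=1,309 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(&(uid=userC)(objectclass=inetorgperson))
[2012-09-17T11:11:19.270-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 29] [ecid: sample,1:2:2] conn=43 op=2,399 RESULT err=0 tag=0 nentries=1 etime=5 dbtime=0 mem=1,564,201/2,232,496
[2012-09-17T11:11:19.270-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 20] [ecid: sample,1:3:2] conn=44 op=1,309 RESULT err=0 tag=0 nentries=1 etime=5 dbtime=0 mem=1,564,201/2,232,496
[2012-09-17T11:11:19.271-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 28] [ecid: sample,1:4:4] conn=492 op=2,629 SRCH base=dc=myorg,dc=mycompany scope=2 filter=uniquemember=uid=userA,cn=users,dc=myorg,dc=mycompany
[2012-09-17T11:11:20.000-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 31] [ecid: sample,1:5:2] conn=45 op=7 SRCH base=dc=myorg,dc=mycompany scope=2 filter=(objectclass=*)
[2012-09-17T11:11:21.250-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 31] [ecid: sample,1:5:2] conn=45 op=7 RESULT err=0 tag=0 nentries=5,000 etime=1250 dbtime=0 mem=1,564,201/2,232,496
[2012-09-17T11:11:21.300-07:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 33] [ecid: sample,1:6:2] conn=46 op=8 SRCH base=dc=nosuch,dc=mycompany scope=2 filter=(uid=userD)
[2012-09-17T11:11:21.302-07:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 33] [ecid: sample,1:6:2] conn=46 op=8 RESULT err=32 tag=0 nentries=0 etime=2 dbtime=0 mem=1,564,201/2,232,496
"""

# The fields the post uses to pair a request with its result: conn, op and tid.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]"                     # ISO-8601 timestamp with UTC offset
    r"(?:\s*\[[^\]]*\]){4}"                     # component, level, message id, logger
    r"\s*\[tid:\s*(?P<tid>\d+)\]"
    r"\s*\[ecid:[^\]]*\]"
    r"\s*conn=(?P<conn>\d+)\s+op=(?P<op>[\d,]+)\s+(?P<kind>[A-Z]+)\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one access-log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["conn"] = int(rec["conn"])
    rec["op"] = int(rec["op"].replace(",", ""))   # "2,628" -> 2628
    rec["tid"] = int(rec["tid"])
    if rec["kind"] == "RESULT":
        # RESULT lines carry key=value pairs: err, tag, nentries, etime, dbtime, mem
        kv = dict(tok.split("=", 1) for tok in rec["rest"].split() if "=" in tok)
        rec["err"] = int(kv.get("err", -1))
        rec["etime"] = int(kv.get("etime", -1))
    return rec


def analyze(lines, threshold_ms=1000):
    """Return a report with 'completed', 'slow', 'errors' and 'unanswered' lists.
    etime is the OVD-logged processing time; wall_ms is the difference between
    the request and RESULT log timestamps, which should normally agree with it."""
    pending = {}
    report = {"completed": [], "slow": [], "errors": [], "unanswered": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"], rec["tid"])
        if rec["kind"] != "RESULT":
            pending[key] = rec            # SRCH, BIND, MOD, ... awaiting its RESULT
            continue
        req = pending.pop(key, None)
        if req is None:
            continue                      # request fell outside the captured window
        delta = rec["ts"] - req["ts"]
        entry = {
            "conn": rec["conn"], "op": rec["op"], "tid": rec["tid"],
            "request": req["rest"], "etime": rec["etime"], "err": rec["err"],
            "wall_ms": round(delta.total_seconds() * 1000),
        }
        report["completed"].append(entry)
        if rec["etime"] > threshold_ms:
            report["slow"].append(entry)
        if rec["err"] != 0:
            report["errors"].append(entry)
    # Anything still pending never got a RESULT line: a candidate stuck thread.
    report["unanswered"] = [
        {"conn": c, "op": o, "tid": t, "request": r["rest"], "ts": r["ts"]}
        for (c, o, t), r in pending.items()
    ]
    return report


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines(), threshold_ms=1000)
    for name in ("slow", "errors", "unanswered"):
        for e in rep[name]:
            print(f"{name:10} conn={e['conn']} op={e['op']} tid={e['tid']} {e['request']}")
```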

 
I will discuss stuck threads and how to diagnose them in a future article.
 

Fast Group Membership Lookups in OID with the orclMemberOf Attribute

If you utilize nested and dynamic groups (and especially nested dynamic groups), then it can take a lot of effort and time to calculate all of a user’s group memberships in an LDAP directory.

First you have to search for the user and find the user’s DN. Then you have to search all your groups to figure out which groups your user is directly a member of. Then for each of those groups you have to search all your groups again to see which of those groups your user is a member of.

You have continue to search your groups with the results of each subsequent search until you reach the maximum desired level of nested memberships that you want to pursue or all the searches come back empty. All the while you have to keep yourself out of infinite loops created by repeating memberships such as when two groups are members of each other.

Many LDAP directories simplify things through a virtual “member of” attribute which is a virtual multi valued attribute containing all of the groups a user is a member of through both direct and indirect means.

It may have escaped your notice, but OID joined the party fairly recently (in 11.1.1.4 I believe) and now supports such an attribute. The attribute’s name is orclMemberOf. You can read all about the attribute here; but suffice it to say it is a dynamic multi valued attribute containing the groups to which a member belongs.

The membership includes both direct membership and indirect membership from nested groups. It also includes membership from dynamic groups and dynamic nested groups based on labeleduri.

The attribute value is computed during a search and is not stored. This means you will not see orclMemberOf populated in an LDAP data browser including ODSM. Further, the value is not returned by default in searches. You have to explicitly request it. Lastly, orclMemberOf cannot be used in a search filter.

One nice additional feature is that the aliases memberof and ismemberof are supported, for compatibility with code written for Active Directory and for Oracle Directory Server Enterprise Edition (DSEE) / SunOne / iPlanet.

Below is a sample search with results for a specific user where I request and receive the value(s) of orclMemberOf.  You will also notice that nested memberships are returned multiple times, once for each group that the user belongs to that is a member of another given group.  So, watch out for that.

In a future post, I’ll discuss how you can use the orclMemberOf attribute to greatly speed up authentication into WebLogic and Fusion Middleware Products such as SOA Suite and WebCenter which utilize WebLogic’s security framework.

[oracle@oam1 bin]$ ./ldapsearch -h oam1.example.com -p 3060 -D cn=orcladmin -w Oracle1_g -b "cn=Users,dc=example,dc=com" -L -s sub -v "uid=tim.doyle" memberOf
ldap_open( oam1.example.com, 3060 )
filter pattern: uid=tim.doyle
returning: memberOf
filter is: (uid=tim.doyle)
dn: uid=tim.doyle,cn=users,dc=example,dc=com
memberof: cn=administrators,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=nyusers,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=nestgrp1,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamcsrmanagergroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamenvadmingroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamruleadministratorgroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=product support group,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
1 matches
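The manual expansion described at the start of this post (find the user’s direct groups, repeat the group search for each group found, guard against cycles, and stop at a depth limit), as an added Python example that is not from the original post. It runs over a constructed in-memory group table rather than a live OID; its raw result reproduces the repeated groupofgroups entries seen in the output above, once per nesting path.

```python
"""Expand nested group membership for one user the way a client must when the
directory offers no memberOf attribute (added example, not from the post)."""
from collections import deque

# Constructed in-memory group table (group DN -> member DNs), loosely modelled
# on the sample output above. nestgrp1 and groupofgroups contain each other on
# purpose so that the loop guard is exercised.
BASE = "cn=groups,dc=example,dc=com"
USER = "uid=tim.doyle,cn=users,dc=example,dc=com"
OTHER = "uid=someone.else,cn=users,dc=example,dc=com"
ADMINS = f"cn=administrators,{BASE}"
NYUSERS = f"cn=nyusers,{BASE}"
NESTGRP1 = f"cn=nestgrp1,{BASE}"
GROUPOFGROUPS = f"cn=groupofgroups,{BASE}"
SUPPORT = f"cn=product support group,{BASE}"
GROUPS = {
    ADMINS: [USER],
    NYUSERS: [USER, OTHER],
    NESTGRP1: [USER, GROUPOFGROUPS],        # cycle: groupofgroups also contains nestgrp1
    GROUPOFGROUPS: [ADMINS, NYUSERS, NESTGRP1],
    SUPPORT: [OTHER],
}


def direct_groups(directory, member_dn):
    """Model of one '(member=<dn>)' search across all groups.
    DN comparison is case-insensitive, as it is in LDAP."""
    wanted = member_dn.lower()
    return [g for g, members in directory.items()
            if any(m.lower() == wanted for m in members)]


def member_of(directory, user_dn, max_depth=10):
    """Breadth-first expansion of direct and nested membership.
    Returns (raw, unique): raw lists a parent group once per nesting path,
    the repetition the post warns about; unique is the de-duplicated list in
    discovery order. The seen-set stops cycles such as two groups that are
    members of each other; max_depth bounds how far nesting is followed."""
    raw, unique, seen = [], [], {user_dn.lower()}
    queue = deque([(user_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue                      # do not search beyond the nesting limit
        for group in direct_groups(directory, dn):
            raw.append(group)
            if group.lower() not in seen:  # already expanded (or a cycle): skip
                seen.add(group.lower())
                unique.append(group)
                queue.append((group, depth + 1))
    return raw, unique


if __name__ == "__main__":
    raw, unique = member_of(GROUPS, USER)
    print(f"{len(raw)} raw entries, {len(unique)} distinct groups")
    for g in unique:
        print("memberof:", g)
```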

5 minutes or less: Indexing Attributes in OID

I’ve written this short post as just a note to myself quite some time back. Since I had to rely on it quite a couple of times, I thought it would be worth sharing it with our readers.

It may be too basic for some people, but I am sure others out there had, are having or will have issues when running searches with LDAP filters against OID (Oracle Internet Directory), especially if those filters refer to custom attributes. The information presented here is certainly available in the OID Administration Guide, in the Managing Directory Schema chapter, but it is still a little scattered.

First and foremost: an attribute is only searchable in OID if it is indexed. This is definitely not the case for any of your brand new custom attributes.

Any search containing a non-indexed attribute in the ldap filter will return something like:

> ldapsearch -h localhost -p 6501 -D "cn=orcladmin" -w welcome1 -b "cn=users,ou=mycompany,dc=com" -s sub "assistant=kathy"

ldap_search: DSA is unwilling to perform
ldap_search: additional info:
LDAP Error 53 : [LDAP: error code 53 - Function Not Implemented, search filter attribute assistant is not indexed/cataloged]

Second, directly from OID Administration Guide, About Indexing Attributes section:

You can index only those attributes that have:

The error message above is straightforward. But how do you create an index for the attribute?

There are 3 ways to index attributes in OID: i) using ODSM (Oracle Directory Services Manager), ii) using ldapmodify or iii) using the catalog tool.

ODSM and ldapmodify are only good if you have just defined the attribute and there’s still no data associated with it. Only values added after the index creation are indexed.

The safest approach is running OID’s catalog tool, because it indexes all existing attribute values.

1) Indexing attributes using ODSM:

 

[Screenshot: ODSM_IndexingAttr]

Here I’ve randomly picked a non-indexed attribute, assistant. The Indexed checkbox (pointed by the blue arrow) is read-only. You actually have to click on the button pointed by the red arrow first.

2) Indexing attributes using ldapmodify:

 

Create a small ldif file like the one below and run ldapmodify with the -f argument.

dn: cn=catalogs
changetype: modify
add: orclindexedattribute
orclindexedattribute: assistant

> ldapmodify -h <host> -p <port> -D <admin user dn> -w <password> -f <ldif file>

3) Indexing attributes using the catalog tool:

 

a) Set the ORACLE_HOME environment variable to your IDM ORACLE_HOME installation. If you’ve accepted the names given to you by the Oracle Installer, this value is typically $MW_HOME/Oracle_IDM1. The catalog tool is found under $ORACLE_HOME/ldap/bin.

b) Set the ORACLE_INSTANCE environment variable to your IDM instance installation. If you’ve accepted the names given to you by the Oracle Installer, this value is typically $MW_HOME/asinst_1. Under $ORACLE_INSTANCE you should find a tnsnames.ora under the config folder. This is where the catalog tool gets your database connection details.

c) Run

$ORACLE_HOME/ldap/bin/catalog connect="OIDDB" add=true attribute="assistant"

If you want to delete an existing index:

$ORACLE_HOME/ldap/bin/catalog connect="OIDDB" delete=true attribute="assistant"

where OIDDB is the actual tnsname defined in your IDM instance tnsnames.ora file.

OIM 11g OID (LDAP) Groups Request-Based Provisioning with custom approval – Part II

Introduction This is Part Two of the article describing a potential implementation of Request Based LDAP Group Membership provisioning. Part One can be accessed here. Continuing with the implementation after disabling the default approval policies at the Request and Operation Levels, the next step is to configure OIM to enable the modification of a provisioned […]

OIM 11g OID (LDAP) Groups Request-Based Provisioning with custom approval – Part I

Introduction In recent days, I was assigned the task to implement a use case that I am sure many customers of Oracle have in mind but are not sure how to implement in OIM 11g. I even saw some thread inquiring about this very topic with no answer. Well, after some time I was able […]

Oracle Identity Manager Academy

Index to the Oracle Identity Manager Series from the Fusion Security Blog Team. OIM 11g is the current release of the Oracle provisioning tool; this post is to be used as the basis for all the other OIM related posts in this blog. Through the posts we try to…

Extending the OID 11g schema via ldapmodify

I recently said the following to someone in an IMversation: ldapsearch and ldapmodify are about 10 times better than a stupid GUI because you can script everything. It’s like the difference between knowing SQL and having to use TOAD or Access (*shudder…

WebLogic Domain Models for Installing the Oracle Identity Management Suite – Part 2

A couple days ago I wrote what I consider to be an important post about whether different Oracle middleware packages (or bundles) should be installed together in a single domain or installed in separate domains.

I’ve received a few questions asking about a logical extension of that topic: what about the individual products within one package? Should individual products within one package be installed together in a single domain (which is really the default behavior) or be spread across several domains? For example, if you are deploying the Identity Management package with OID, OVD, and OIF, should you install them all in one domain, or maybe put OIF in one domain and OID in a separate domain?

There are a number of things to consider in answering this question.

Let’s begin by looking at the issues that led me to recommend that you not install multiple packages/bundles in a single domain.

The first issue was the risk of incompatibilities between the packages and the difficulty in dealing with such issues when they arise. I would have to say that this issue does not apply to multiple products within one package. After all, the package was explicitly developed and tested with the idea that all the products would be running in same domain.

The second issue I raised was the notion that deploying multiple packages to one domain could complicate patching and upgrading; even potentially leading to a situation where you will be kept from upgrading due to version incompatibilities. Again, since we are now talking about products within one package, there is less of a concern about patching and upgrades. However, since even a single product patch could include components that are common across the entire package, having all the products from a package in a single domain means that you should really test every product that you use in the domain before deploying the patch to production. I don’t see this as being a huge deal but it is something to consider.

The next consideration, which I did not address in my last post, is delegation of duty or purpose for a domain. Some customers segregate certain WLS domains for certain purposes. Often this is seen as a security practice, such as the case where a customer deploys all intranet apps to one domain, extranet apps to a second domain, and utility services to a third domain. If you are a customer that does this, you may see some products in a package as falling in a different category from others. One example of this is that many customers will see OID and OVD as being “internal” or “utility” applications, whereas they might see OIF as being an “external”, end-user-facing application. This might lead them to deploy these applications from the Identity Management package into separate domains.

The last consideration is to note that some of the integrations between products in a package only work if the products are installed in the same domain. Two examples of this are the OAM/OIM integration and the native integration between OAM and OAAM. If you want to use the integrated functionality offered by these packages, you have to deploy them in the same WLS domain.