Oracle Unified Directory.
Lessons learnt.
Is it worth moving from OID?
ANDREJS PROKOPJEVS
Lead Applications Database Consultant
About me
© 2016 Pythian 2
Apps DBA from Riga, Latvia.
Speaking SQL since 2001.
In Oracle world since 2004.
“In love” with Oracle EBS since 2006.
Andrejs Prokopjevs
Lead Applications Database Consultant
At Pythian since 2011
@aprokopjevs
prokopjevs@pythian.com
https://www.pythian.com/blog/author/prokopjevs/
ABOUT PYTHIAN
Pythian’s 400+ IT professionals
help companies adopt and
manage disruptive technologies
to better compete
TECHNICAL EXPERTISE
Infrastructure: Transforming and
managing the IT infrastructure
that supports the business
DevOps: Providing critical velocity
in software deployment by adopting
DevOps practices
Cloud: Using the disruptive
nature of cloud for accelerated,
cost-effective growth
Databases: Ensuring databases
are reliable, secure, available and
continuously optimized
Big Data: Harnessing the transformative
power of data on a massive scale
Advanced Analytics: Mining data for
insights & business transformation
using data science
• EXPERIENCED: systems currently managed by Pythian
• GLOBAL: Pythian experts in 35 countries
• EXPERTS: millennia of experience gathered and shared over 19 years
• Figures on the slide: 11,800 and 2400
Agenda
• What is Oracle Unified Directory?
• Quick overview of integration process with Oracle E-Business Suite R12.2.5.
• Issues faced while implementing OUD.
• Features that deserve a note.
• Performance tuning considerations.
What is Oracle Unified Directory?
What is Oracle Unified Directory?
• LDAP v3 compliant directory. Descended from Sun's OpenDS, the Java successor to the iPlanet / Sun Directory Server line.
• Runs entirely on Java.
• New generation of Oracle Directory Services since 11gR2.
• Announced product replacement for Oracle Internet Directory.
• Features:
• Storage
• Proxy and Load Balancing
• Virtualization
• Synchronization and Replication
• Data is stored in an embedded Oracle Berkeley DB Java Edition (JE) database on local disk (often referred to as "JavaDB" on these slides; it is not the Derby-based JavaDB).
• Licensed under the Oracle Directory Services Plus license.
• Supports the familiar OID features such as Enterprise User Security (EUS) and the TNS names store.
What is Oracle Unified Directory?
• Proxy mode: load balancing across several OUD directory instances.
• LDAP data can be shared and distributed.
• (Diagram: OUD in load balancer / proxy mode. An LDAP client talks to the OUD proxy, which distributes requests across OUD directory 1, 2 and 3.)
What is Oracle Unified Directory?
• Proxy mode: mapping of external directories, such as Active Directory, with attribute virtualization.
• (Diagram: OUD proxy mode with attribute virtualization. An LDAP client talks to OUD, which proxies the request to MS Active Directory.)
What is Oracle Unified Directory?
• Replication and High Availability.
• The same instance can hold several roles at once, e.g. storage (directory server) and replication server.
• (Diagram: two OUD replication servers and OUD directory 1 to 4, arranged in replication groups 1, 2 and 3.)
Oracle Internet Directory comparison
• Runtime
▪ OUD: Java
▪ OID: C
• Storage
▪ OUD: Berkeley DB Java Edition on local disk
▪ OID: Oracle Database as metadata repository
• Clustering concept
▪ OUD: multiple instances within a replication group
▪ OID: multiple instances connected to one common Oracle database
• Proxy / Virtualization
▪ OUD: native support
▪ OID: not supported; requires Oracle Virtual Directory
• Tools
▪ OUD: no ldapadd anymore; use "ldapmodify --defaultAdd" (short form -a) instead
▪ OID: standard set of tools (ldapadd, ldapmodify, ldapdelete, etc.)
• Backups
▪ OUD: no point-in-time recovery; full or incremental snapshots taken with the backup utility
▪ OID: full PITR, supported by the Oracle Database
Oracle E-Business Suite integration overview
Software requirements
• E-Business Suite R12.2.5+
• FMW 11.1.1.9
• R12.AD.C.7+
• Patches 22098300, 21229697, and 24008856
• Oracle Unified Directory 11.1.2.3
• Deployed into a separate Fusion Middleware home.
• Oracle Directory Services Manager (ODSM) 11.1.2.3
▪ Weblogic Server 10.3.6
▪ Oracle ADF 11.1.1.9
• Repository Creation Utility 11.1.1.9
• Oracle Directory Integration Platform 11.1.1.9
• Oracle Access Manager 11.1.2.3
Documentation reference
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory
11gR2 (Doc ID 2003483.1)
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager
11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
• Installation Guide for Oracle Identity Management
• https://docs.oracle.com/middleware/11119/core/INOIM/under_install.htm#INOIM1024
Configure OUD
• Create the OUD instance.
$ echo "welcome1" > /tmp/oud_pwd   # placeholder password; chmod 600 the file and delete it once setup is done
$ ./oud-setup --cli \
    --hostName myoud.domain.com --ldapPort 1389 --ldapsPort 1636 \
    --adminConnectorPort 4461 \
    --rootUserDN "cn=directory manager" --rootUserPasswordFile /tmp/oud_pwd \
    --generateSelfSignedCertificate --enableStartTLS \
    --baseDN dc=example,dc=com \
    --integration generic \
    --serverTuning 512m --offlineToolsTuning 512m \
    --no-prompt
• The "generic" integration option creates the naming context (cn=OracleContext under the base DN) required for EBS integration.
• The self-signed certificate is fine for a lab; for production, load a CA-issued certificate into the OUD keystore before clients are pointed at port 1636.
Configure Naming Context
• Modify the realm's default user and group base DN references.
• Important: if this step is skipped, it causes problems at later stages (see Issues #1 and #3 below).
• Reference:
▪ https://docs.oracle.com/cd/E52734_01/oud/OUDAG/eus.htm#BABGJFEE
• Locate the LDIF template and edit it for the naming context you configured.
• Execute it after correction.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file \
    -f $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
Configure DIP with OUD
• Enable the External Change Log (consumed by DIP) on both suffixes.
$ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd \
    -r 8989 -b dc=example,dc=com --trustAll --no-prompt
$ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd \
    -r 8989 -b cn=oraclecontext --trustAll --no-prompt
• Enforce a unique uid attribute under the user container.
$ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll \
    set-plugin-prop --plugin-name "UID Unique Attribute" --set enabled:true
$ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll \
    set-plugin-prop --plugin-name "UID Unique Attribute" --set base-dn:ou=people,dc=example,dc=com
• Configure DIP for OUD.
$ $ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic \
    -ldaphost localhost -ldapport 1389 -ldapuser "cn=directory manager" -isldapssl false -ldapadminport 4461
• --trustAll skips certificate validation of the admin connector; acceptable on localhost, not across the network.
Registration with Oracle EBS
• Start EBS Online Patching Cycle (adop phase=prepare)
• Run all the actions against patch filesystem
• Register OUD:
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes -ldapadminuser="cn=directory manager"
• Update EBS Profile Options
• Autoconfig
• Cutover
• Side note:
• You can do all this in hot mode directly on run file system.
• Multi-node: This isn’t required to be executed on all nodes as stated in the documentation.
Registration with Oracle EBS
• Start EBS Online Patching Cycle (adop phase=prepare)
• Run all the actions against patch filesystem
• Install WebGate
▪ Recommendation: Apply WebGate latest BP patch
• Deploy AccessGate
perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -deployApps=accessgate
• Register OAM
$FND_TOP/bin/txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
• Autoconfig
• Cutover
Registration with Oracle EBS
• Side note:
• You can do all this in hot mode directly on run file system.
• But beware of Bug 19817016 !!!
▪ oaea_server1 (AccessGate) port conflict between run and patch during the fs_clone.
• Solution:
▪ Stop oaea_server1.
▪ Run fs_clone.
▪ Restart oaea_server1.
▪ Next fs_clone executions will not have this conflict anymore.
Issues faced while implementing OUD
Issue #1: Configure Naming Context
• $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif is not where the documentation says it is.
$ ls -l $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
ls: cannot access /u01/app/oracle/product/fmw11g_oud/instances/OUD_instance/config/EUS/modifyRealm.ldif: No such file or directory
$ ls -l $ORACLE_HOME/config/EUS/modifyRealm.ldif
-rw-r-----. 1 oracle oinstall 1608 Nov 15 2013 /u01/app/oracle/product/fmw11g_oud/Oracle_OUD1/config/EUS/modifyRealm.ldif
$
• Documentation bug.
• The file is copied into the instance only with "--integration EUS", but it is still available under the Oracle Home.
Issue #1: Configure Naming Context
• What does it fix?
# cn=Common,cn=Products,cn=OracleContext
orclSubscriberSearchBase: dc=com
orclSubscriberNickNameAttribute: dc
orclDefaultSubscriber: dc=example,dc=com
# cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
orclCommonUserSearchBase: ou=people,dc=example,dc=com
orclCommonGroupSearchBase: ou=groups,dc=example,dc=com
• Side note: Handled automatically since 11.1.2.3.161018 BP
Issue #2: No Subscriber found
• Let's query the naming context we created.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd \
    -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
dn: cn=OracleContext,dc=example,dc=com
$
• Where is my naming context base entry?
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd \
    -b "dc=example,dc=com" -s base "(objectclass=*)" "dn"
SEARCH operation failed
Result Code: 32 (No Such Entry)
Additional Information: The entry dc=example,dc=com specified as the search base does not exist in the Directory Server
$
Issue #2: No Subscriber found
• Fix: manually create the naming context base DN as a subscriber.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: dc=example,dc=com
objectClass: top
objectClass: domain
objectClass: orclSubscriber
dc: example
orclversion: 90600
orclsubscriberfullname: example
aci: (targetattr != "userpassword || authpassword || aci") (version 3.0; acl "Anonymous read access to dc=example, dc=com"; allow (read,search,compare) userdn = "ldap:///anyone";)
• Optional: the aci line grants read-only access to non-super-users for all attributes except the password attributes and the ACIs themselves.
• Caveat: userdn = "ldap:///anyone" includes unauthenticated (anonymous) binds, so the whole subtree becomes readable without credentials. If only authenticated clients (EBS, DIP, OAM) need read access, use "ldap:///all", which matches authenticated users only.
Issue #3: User and Group Base DNs
• Let's query the naming context again.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd \
    -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
dn: cn=OracleContext,dc=example,dc=com
$
• Where are my user and group base DNs?
Issue #3: User and Group Base DNs
• Fix: manually create the base DN entries (one LDIF record per entry, separated by a blank line).
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
Issue #4: Write permissions for DIP profiles
• Documentation states that we need to apply these ACIs:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
• But the DIP runtime still fails on writes.
Issue #4: Write permissions for DIP profiles
• Fix: add a few more ACI permissions.
• DIP profiles actually run as members of the "odipgroup" application DN, which the documented ACIs do not cover.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
• These ACIs grant (all,proxy) on the whole suffix, which is what DIP's write-back needs; do not reuse them for other applications.
Issue #5: OUD restrictions on unindexed search
• OUD only allows a non-super-user to run unindexed searches if that user holds the unindexed-search privilege.
• None of the OID-specific attributes (orclguid and friends) are indexed by default.
• Example: a search with an "orclguid" attribute filter, as seen in the access log.
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com' Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com'" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
Issue #5: OUD restrictions on unindexed search
• Fix: grant the privilege to the non-super-user that needs it.
• For DIP, this is required for each subscriber (profile) application DN.
• Example:
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd
dn: orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext
changetype: modify
add: ds-privilege-name
ds-privilege-name: unindexed-search
-
add: ds-privilege-name
ds-privilege-name: proxied-auth
• proxied-auth lets the holder act as any other user through the proxied authorization control, so grant it only to the DIP profile identities, never to ordinary users.
• The better long-term fix for the orclguid case is to index the attribute (see the performance section).
Issue #6: cn=changelog data timeout
• By default, the replication purge delay in OUD is 1 day; changes older than that are dropped from cn=changelog, and a DIP profile that lags behind loses them.
• Set it to at least 1 week.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -n get-replication-server-prop \
    --provider-name "Multimaster Synchronization" --advanced --property replication-purge-delay
Property                : Value(s)
------------------------:---------
replication-purge-delay : 1 d
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -n set-replication-server-prop \
    --provider-name "Multimaster Synchronization" --set replication-purge-delay:1w
• Historical replication (conflict) data retention can also be tuned.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n \
    set-replication-domain-prop --provider-name "Multimaster Synchronization" \
    --domain-name dc=example,dc=com --set conflicts-historical-purge-delay:7200m
• Use -j <password file> rather than -w <password>: a password on the command line is visible in the process list and the shell history.
Issues faced while implementing OAM with OUD
Issue #1: EBS registration
• The "test connection to identity server" step fails during registration.
• But the network is fine and the LDAP connection works.
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
...
Failed while doing policy configurations
• In the log file this is the only useful information:
<class>oracle.apps.fnd.txk.oam.UserIdentityStoreConf</class>
<message>Test connection to identity server is failed. Please verify the settings and try again.</message>
<class>oracle.apps.fnd.txk.oam.RegisterOAM</class>
<message>Failed while updating the configurations in OAM console</message>
Issue #1: EBS registration
• Only the LDAP access log helped.
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP...
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2...
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP...
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
• Both searches succeed (result=0) but return nothing (nentries=0): the containers are empty.
Issue #1: EBS registration
• Fix: the User Base DN and the Group Base DN must each contain at least one user and one group.
• In OID, cn=orcladmin and cn=public are seeded by default, so this never shows up there.
dn: cn=testuser1,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: John
sn: Tester
cn: testuser1
uid: testuser1
userPassword: welcome1
mail: test@test.com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: admins
• The cn value should match the RDN (the original slide had cn: testgroup under cn=admins). Replace the placeholder password, and remove or disable the test user once registration has succeeded.
Issue #2: Configuration of the User Identity Store
• Not an issue, actually. More a recommendation.
• These parameters are not set by default.
• User Filter Object Classes: person
• Group Name Attribute: cn
• Group Filter Classes: groupofnames
• Inactivity Timeout (in seconds): 60
Features that deserve a note
SSL
• RIP SSL no-auth mode: OID's certificate-less (anonymous cipher) SSL mode is gone.
• Only SSL with server authentication or mutual (client and server) authentication remains.
• Built on JSSE (Java Secure Socket Extension).
• And this is good!
• Default keystore: $ORACLE_INSTANCE/OUD/config/keystore. It holds the self-signed certificate generated at setup; replace it with a CA-issued certificate for production and keep the keystore PIN file readable by the OUD user only.
SSL - small comment about DIP
• By default, DIP talks to OUD without SSL.
• SSL-only mode is required if passwords are provisioned from external directories (otherwise they cross the wire in clear text).
• Requires a JKS keystore configured in DIP with the OUD server certificate imported as a trusted certificate.
$ keytool -importcert -trustcacerts -alias OUD -file /tmp/oud_server_certificate_b64.txt \
    -keystore $ORACLE_INSTANCE/config/DIP_JKS/dip.jks
$ wlst.sh
> connect('t3://localhost:7001')
> createCred(map="dip", key="jksKey", user="jksuser", password="changeit")   # must match the keystore password; use something other than the JKS default
$ $ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute keystorelocation \
    -val /u01/app/oracle/product/fmw11g/dip_inst1/config/DIP_JKS/dip.jks
$ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D weblogic
$ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D weblogic
• sslmode 2 is SSL with server authentication (0 is no SSL; 1, no-auth SSL, is exactly the mode OUD no longer offers).
External password plugins in OUD
• Use case: Active Directory, where passwords are not synced directly by DIP.
• OID has a useful feature: the external authentication (password) plugin.
• A Java-based module that forwards BIND requests to an external LDAP directory for authentication.
• OUD does not have this kind of module, but there are alternatives:
• Pass Through Authentication (OUD 11.1.2.2+)
• On-Demand Password and Password Translate (OUD 11.1.2.3+)
• OUD / DIP Synchronization with Active Directory (Doc ID 1534241.1)
Pass Through Authentication
• How it works: a proxy-mode workflow.
• You have your local naming context "dc=example,dc=com" with user entries synced by DIP (no userpassword / orclpassword attributes).
• A new proxy workflow element is configured to mount the external LDAP base DN.
• A pass-through-authentication workflow element merges both sources: the local context is the user provider (entry and attributes), the external proxy context is the authentication provider (the BIND is forwarded there).
Pass Through Authentication
• Configure the OUD LDAP server extension that points at the external directory.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-extension \
    --type ldap-server \
    --extension-name proxy_extension_pta_ext_ldap \
    --set remote-ldap-server-read-only:true \
    --set remote-ldap-server-address:myad.example.com \
    --set remote-ldap-server-port:389 \
    --set remote-ldap-server-ssl-port:636 \
    --set remote-ldap-server-ssl-policy:always \
    --set ssl-trust-all:true \
    --set ssl-trust-manager-provider:JKS \
    --set enabled:true
• Caveat: ssl-trust-all:true disables certificate validation of the AD server, so the forwarded user passwords would go to whoever answers on port 636. Once the AD certificate chain is in the JKS trust manager, set ssl-trust-all:false.
Pass Through Authentication
• Configure the proxy workflow element (the authentication provider) and the pass-through-authentication workflow element.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element \
    --type proxy-ldap \
    --element-name wf_element_auth_pta_ext_ldap \
    --set ldap-server-extension:proxy_extension_pta_ext_ldap \
    --set client-cred-mode:use-specific-identity \
    --set remote-ldap-server-bind-dn:cn=system_user,ou=ad_system_accounts,dc=example,dc=com \
    --set remote-ldap-server-bind-password:password \
    --set remote-root-dn:cn=system_user,ou=system_accounts,dc=ad,dc=example,dc=com \
    --set remote-root-password:password \
    --set enabled:true
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element \
    --type pass-through-authentication \
    --element-name wf_element_pta_ext_ldap \
    --set user-provider-workflow-element:userRoot \
    --set auth-provider-workflow-element:wf_element_auth_pta_ext_ldap \
    --set pta-suffix:ou=people,dc=example,dc=com \
    --set pta-auth-suffix:ou=people,dc=example,dc=com \
    --set pta-user-suffix:ou=people,dc=example,dc=com \
    --set enabled:true
• userRoot is the default local naming context created at setup.
• "password" is a placeholder. The AD service account only needs read access (the extension is read-only), so use a least-privilege account, and do not put its real password on the command line where it lands in shell history and ps output; dsconfig's batch-file mode (--batchFilePath) avoids that.
Pass Through Authentication
• Configure the OUD proxy workflow on the user suffix.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow \
    --workflow-name pta_ext_ldap_wf \
    --set base-dn:ou=people,dc=example,dc=com \
    --set enabled:true \
    --set workflow-element:wf_element_pta_ext_ldap
• Enable the new configuration by adding the workflow to the network group.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n set-network-group-prop \
    --group-name network-group \
    --set enabled:true \
    --add workflow:pta_ext_ldap_wf
• The workflow name here must be the one created above (the original slide referenced pta_google_openldap_wf, which does not match).
Pass Through Authentication
• It works.
$ ldapsearch -h localhost -p 1389 -D "cn=user1,ou=people,dc=example,dc=com" \
    -b "cn=user1,ou=people,dc=example,dc=com" -s base "(objectclass=*)" "orclSourceObjectDN"
Password for user 'cn=user1,ou=people,dc=example,dc=com':
dn: cn=user1,ou=people,dc=example,dc=com
orclSourceObjectDN: cn=user1,ou=People,dc=example,dc=com
$
• The user entry has no password in OUD; the BIND succeeded because it was forwarded to AD, while the attribute came from local storage.
• (Diagram: the BIND goes through the proxy workflow to MS AD; user attributes are served from local storage; the client sees one LDAP user entry under its local DN, virtually merged.)
OUD Access Log
• OUD has access-log tracing similar to Apache's.
• It tracks every connection, bind and operation, and you should love it.
• $ORACLE_INSTANCE/OUD/logs/access
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
[25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=domain,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=domain,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
• Every RES line carries the LDAP result code, the number of entries returned (nentries) and the elapsed time (etime); authDN / authzDN tell you which identity actually performed the operation.
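The access log is also the fastest way to find the failures described under OUD Issue #5 and OAM Issue #1. The script below is an added example (not code from the slides or from Oracle) that parses lines of the format shown above and reports three things: unindexed-search denials together with the authzDN that needs the privilege and the filter attribute that could be indexed instead, successful subtree presence searches that returned zero entries (an empty user or group container), and failed binds per DN. The sample log lines are constructed from the excerpts on the slides; the regular expressions and the findings layout are this example's own assumptions, not an Oracle API.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the access-log excerpts shown on the slides.
SAMPLE_LOG = """\
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
[25/Nov/2016:13:50:37 +0200] DISCONNECT conn=1940 reason="Client Disconnect"
[27/Apr/2016:01:25:45 -0700] SEARCH REQ conn=381168 op=514 msgID=515 base="ou=people,dc=example,dc=com" scope=sub filter="(orclguid=1A2B3C4D5E6F)" attrs="dn"
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
[27/Apr/2016:01:25:46 -0700] BIND REQ conn=381169 op=0 msgID=1 type=SIMPLE dn="cn=user1,ou=people,dc=example,dc=com" version=3
[27/Apr/2016:01:25:46 -0700] BIND RES conn=381169 op=0 msgID=1 result=49 etime=2
"""

# "[timestamp] KIND [REQ|RES] key=value key="quoted value" ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+)(?: (?P<phase>REQ|RES))?(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FILTER_ATTR_RE = re.compile(r'\(([A-Za-z][\w.;-]*)[=~<>]')   # attribute names inside a filter
PRESENCE_RE = re.compile(r'^\([\w.;-]+=\*\)$')               # a single presence filter like (uid=*)


def parse_line(line):
    """One access-log line -> dict of its fields, or None if it is not an access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind"), "phase": m.group("phase")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec


def pair_operations(log_text):
    """Group REQ and RES records by (conn, op) so a result can be read together with its request."""
    ops = defaultdict(dict)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["phase"]:
            ops[(rec["conn"], rec["op"])][rec["phase"]] = rec
    return ops


def filter_attributes(ldap_filter):
    """Attribute names referenced by a filter: '(&(uid=x)(orclguid=y))' -> ['uid', 'orclguid']."""
    return FILTER_ATTR_RE.findall(ldap_filter)


def analyze(log_text):
    """Return the three findings this deck ran into; each one points at a concrete fix."""
    findings = {"unindexed": [], "empty_base": [], "failed_binds": {}}
    for pair in pair_operations(log_text).values():
        req, res = pair.get("REQ", {}), pair.get("RES")
        if res is None:
            continue
        if res["kind"] == "SEARCH" and res.get("result") == "50" and "unindexed" in res.get("message", ""):
            # OUD Issue #5: the identity in authzDN lacks the unindexed-search privilege,
            # or better, the attribute in the filter should get an index.
            findings["unindexed"].append({
                "authzDN": res.get("authzDN"),
                "base": req.get("base"),
                "attributes": filter_attributes(req.get("filter", "")),
            })
        elif (res["kind"] == "SEARCH" and res.get("result") == "0" and res.get("nentries") == "0"
              and req.get("scope") == "sub" and PRESENCE_RE.match(req.get("filter", ""))):
            # OAM Issue #1: a presence filter over a whole subtree found nothing, so the container is empty.
            findings["empty_base"].append(req.get("base"))
        elif res["kind"] == "BIND" and res.get("result") == "49":
            # result 49 = invalidCredentials; count per DN to spot password spraying or a broken PTA user.
            dn = req.get("dn", "<unknown>")
            findings["failed_binds"][dn] = findings["failed_binds"].get(dn, 0) + 1
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run it against a real file with `analyze(open(path).read())`; the findings dictionary is what you would turn into an alert (failed binds per DN above a threshold) or into a ticket (the attribute list under "unindexed" is the index to create).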
Virtual Attributes
• An attribute that is computed on the fly, more like a function than stored data.
• The best example: isMemberOf.
• Present on a user entry with the DN of every group the user is a member of.
• The most useful place to use it: LDAP filters.
• Example: OAM User Identity Store filter that lets only a specific group access your application.
• KEY_LDAP_FILTER:
(&(uid={KEY_USERNAME})(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))
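As an added example (not code from the slides or from OAM), the Python below renders the KEY_LDAP_FILTER above for a login name and evaluates it against a small in-memory directory, with isMemberOf derived from group membership the way the server does. It goes one step beyond the slide by showing why {KEY_USERNAME} must be escaped per RFC 4515 before substitution: the unsafe variant lets a username of "*" match every member of the group. The users, the group, the escaping helper and the tiny filter evaluator are all constructed for this example; whether OAM itself escapes the substituted value is not something this deck states.

```python
import re

KEY_LDAP_FILTER = ("(&(uid={KEY_USERNAME})"
                   "(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))")

# Constructed in-memory directory: two synced users and one group (attribute names lower-case).
GROUPS = {
    "cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com": ["cn=alice,ou=people,dc=example,dc=com"],
}
USERS = {
    "cn=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "cn": ["alice"]},
    "cn=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "cn": ["bob"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL inside an assertion value become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render_filter(template, username):
    """Safe substitution: escape the user-controlled value first, then splice it in."""
    return template.replace("{KEY_USERNAME}", escape_filter_value(username))


def render_filter_unsafe(template, username):
    """What naive substitution does: user input becomes filter syntax."""
    return template.replace("{KEY_USERNAME}", username)


_HEX_RE = re.compile(r"\\([0-9a-fA-F]{2})")


def unescape(value):
    return _HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the filter subset used here (&, |, !, equality, presence) into a tuple tree:
    ('&'|'|'|'!', [children]) or ('=', attr, value), with value None meaning presence."""
    def node(pos):
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                kid, pos = node(pos)
                kids.append(kid)
            if text[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            return (op, kids), pos + 1
        end = text.index(")", pos)  # safe: a ')' inside a value is always escaped as \29
        attr, _, raw = text[pos:end].partition("=")
        return ("=", attr.lower(), None if raw == "*" else unescape(raw)), end + 1
    tree, pos = node(0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict attr -> list of values), case-insensitively."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value is None else value.lower() in values


def with_virtual_attrs(dn, attrs):
    """Derive isMemberOf the way the server does: from the groups that list this DN as a member."""
    entry = dict(attrs)
    entry["ismemberof"] = [g for g, members in GROUPS.items()
                           if dn.lower() in [m.lower() for m in members]]
    return entry


def authorized_users(username, render=render_filter):
    """DNs the identity-store filter returns for a login name."""
    tree = parse_filter(render(KEY_LDAP_FILTER, username))
    return [dn for dn, attrs in USERS.items() if matches(tree, with_virtual_attrs(dn, attrs))]
```

With escaping, a username such as `x)(uid=*` stays one literal assertion value and matches nobody; without it, `*` turns the uid test into a presence test and the filter returns every member of the allowed group.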
Performance tuning considerations
Overview
• Performance is a feature.
• Overall, OUD performance is good.
• The more memory you configure, the more of the data ends up in the cache.
• Always try to apply the latest PSU / BP. Many performance-related bugs are resolved per the change log in every bundle.
• Real problems may only start when your data size exceeds hundreds of thousands of entries, e.g. 400 000 user accounts.
Indexes
• OUD does not index most of the common OID attributes by default.
• Example: the DIP ApplicationToOID profile does a root-DN subtree search for entries with the required orclGUID, to confirm the entry exists.
• With large directories this can spin the CPU a lot. The attribute can be indexed.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-local-db-index \
    --element-name userRoot --index-name orclguid --set index-type:equality
$ rebuild-index -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X \
    -b "dc=example,dc=com" -i orclguid
• If a DIP bootstrap has synchronized a huge number of new user accounts (e.g. from an external directory), a full index rebuild is highly recommended.
$ rebuild-index -b "dc=example,dc=com" --rebuildAll
• Indexing orclguid also removes the need for the unindexed-search privilege for this search (OUD Issue #5).
Root DN based search
• Same use case: DIP ApplicationToOID.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "" \
    "(orclguid=XXXXXXXXXXXXXXXXXXXXXX)" "*"
• With an empty base, OUD also searches "cn=changelog", because it treats it as a non-hidden naming context.
• This is how OUD works.
• Recommendation: evaluate the data size and give the instance enough memory to cache as much of it as possible.
• https://blogs.oracle.com/sduloutr/entry/oud_external_change_log_and
• OUD - Bad Performance of a Subtree Search on the Root DSE if the External Changelog is Enabled (Doc ID 1676998.1)
• With PTA, the external proxy workflow element is searched as well, so the round trip to the external directory is added to every such search.
Data cache tuning
• If your LDAP data is 1 GB in size, configure the OUD instance with 2 GB of heap and set the database cache to 50 %, so the whole data set fits in the cache.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -n set-workflow-element-prop \
    --element-name userRoot --set db-cache-percent:50
• Cache as much as possible!
• Keep some headroom: the JVM also needs memory for connections, replication and the entry cache, so do not push db-cache-percent towards 100.
Summary
• OUD is an interesting, lightweight product.
• Hard to say whether it is better or worse than OID; both have their own pros and cons.
• OUD is the replacement product. OID is going away soon (Dec 2018 / Dec 2021).
• Compared to 11gR1, where OUD was not usable at all for the main integration use cases, it is now more or less ready, with the nuances mentioned above.
• Simplified setup and configuration.
• It takes time to tune everything. Be patient; there is potential.
THANK YOU
Q & A

 

Semelhante a Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (OGH TECH 17 edition)

Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Bus...
Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Bus...Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Bus...
Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Bus...Andrejs Karpovs
 
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...Insight Technology, Inc.
 
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISPOptimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISPSecure-24
 
E business suite r12.2 changes for database administrators
E business suite r12.2 changes for database administratorsE business suite r12.2 changes for database administrators
E business suite r12.2 changes for database administratorsSrinivasa Pavan Marti
 
E business suite r12.2 changes for database administrators
E business suite r12.2 changes for database administratorsE business suite r12.2 changes for database administrators
E business suite r12.2 changes for database administratorsSrinivasa Pavan Marti
 
What’s New in Oracle E-Business Suite R12.2 for Database Administrators?
What’s New in Oracle E-Business Suite R12.2 for Database Administrators?What’s New in Oracle E-Business Suite R12.2 for Database Administrators?
What’s New in Oracle E-Business Suite R12.2 for Database Administrators?vasuballa
 
Staged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business SuiteStaged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business Suitevasuballa
 
Case Study: Plus Retail - Moving from the Old World to the New World
Case Study: Plus Retail - Moving from the Old World to the New WorldCase Study: Plus Retail - Moving from the Old World to the New World
Case Study: Plus Retail - Moving from the Old World to the New WorldForgeRock
 
Oracle WebLogic Multitenancy, Partitions and Resource Sharing... How it works?
Oracle WebLogic Multitenancy, Partitions and Resource Sharing... How it works?Oracle WebLogic Multitenancy, Partitions and Resource Sharing... How it works?
Oracle WebLogic Multitenancy, Partitions and Resource Sharing... How it works?M. Fevzi Korkutata
 
Java Web Apps and Services on Oracle Java Cloud Service
Java Web Apps and Services on Oracle Java Cloud ServiceJava Web Apps and Services on Oracle Java Cloud Service
Java Web Apps and Services on Oracle Java Cloud ServiceAndreas Koop
 
Java WebApps und Services on Oracle Java Cloud Service
Java WebApps und Services on Oracle Java Cloud ServiceJava WebApps und Services on Oracle Java Cloud Service
Java WebApps und Services on Oracle Java Cloud Serviceenpit GmbH & Co. KG
 
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle ClusterwareManaging Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle ClusterwareLeighton Nelson
 
Monitor Engineered Systems from a Single Pane of Glass: Oracle Enterprise Man...
Monitor Engineered Systems from a Single Pane of Glass: Oracle Enterprise Man...Monitor Engineered Systems from a Single Pane of Glass: Oracle Enterprise Man...
Monitor Engineered Systems from a Single Pane of Glass: Oracle Enterprise Man...Alfredo Krieg
 
Moving your APEX app to the Oracle Exadata Express Cloud
Moving your APEX app to the Oracle Exadata Express CloudMoving your APEX app to the Oracle Exadata Express Cloud
Moving your APEX app to the Oracle Exadata Express CloudDimitri Gielis
 
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories. Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories. Andrejs Vorobjovs
 
Manual Tecnico OGG Oracle to MySQL
Manual Tecnico OGG Oracle to MySQLManual Tecnico OGG Oracle to MySQL
Manual Tecnico OGG Oracle to MySQLErick Vidbaz
 
Migrating to Database 12c Multitenant - New Opportunities To Get It Right!
Migrating to Database 12c Multitenant - New Opportunities To Get It Right!Migrating to Database 12c Multitenant - New Opportunities To Get It Right!
Migrating to Database 12c Multitenant - New Opportunities To Get It Right!Performance Tuning Corporation
 
Running E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database ApplianceRunning E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database ApplianceMaris Elsins
 
Oracle Enterprise Manager 12c - OEM12c Presentation
Oracle Enterprise Manager 12c - OEM12c PresentationOracle Enterprise Manager 12c - OEM12c Presentation
Oracle Enterprise Manager 12c - OEM12c PresentationFrancisco Alvarez
 
0396 oracle-goldengate-12c-tutorial
0396 oracle-goldengate-12c-tutorial0396 oracle-goldengate-12c-tutorial
0396 oracle-goldengate-12c-tutorialKlausePaulino
 

Semelhante a Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (OGH TECH 17 edition) (20)

Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Bus...
Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Bus...Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Bus...
Lessons Learnt from Oracle Unified Directory implementation with Oracle E-Bus...
 
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
[db tech showcase Tokyo 2018] #dbts2018 #B31 『1,2,3 and Done! 3 easy ways to ...
 
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISPOptimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
 
E business suite r12.2 changes for database administrators
E business suite r12.2 changes for database administratorsE business suite r12.2 changes for database administrators
E business suite r12.2 changes for database administrators
 
E business suite r12.2 changes for database administrators
E business suite r12.2 changes for database administratorsE business suite r12.2 changes for database administrators
E business suite r12.2 changes for database administrators
 
What’s New in Oracle E-Business Suite R12.2 for Database Administrators?
What’s New in Oracle E-Business Suite R12.2 for Database Administrators?What’s New in Oracle E-Business Suite R12.2 for Database Administrators?
What’s New in Oracle E-Business Suite R12.2 for Database Administrators?
 
Staged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business SuiteStaged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business Suite
 
Case Study: Plus Retail - Moving from the Old World to the New World
Case Study: Plus Retail - Moving from the Old World to the New WorldCase Study: Plus Retail - Moving from the Old World to the New World
Case Study: Plus Retail - Moving from the Old World to the New World
 
Oracle WebLogic Multitenancy, Partitions and Resource Sharing... How it works?
Oracle WebLogic Multitenancy, Partitions and Resource Sharing... How it works?Oracle WebLogic Multitenancy, Partitions and Resource Sharing... How it works?
Oracle WebLogic Multitenancy, Partitions and Resource Sharing... How it works?
 
Java Web Apps and Services on Oracle Java Cloud Service
Java Web Apps and Services on Oracle Java Cloud ServiceJava Web Apps and Services on Oracle Java Cloud Service
Java Web Apps and Services on Oracle Java Cloud Service
 
Java WebApps und Services on Oracle Java Cloud Service
Java WebApps und Services on Oracle Java Cloud ServiceJava WebApps und Services on Oracle Java Cloud Service
Java WebApps und Services on Oracle Java Cloud Service
 
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle ClusterwareManaging Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
 
Monitor Engineered Systems from a Single Pane of Glass: Oracle Enterprise Man...
Monitor Engineered Systems from a Single Pane of Glass: Oracle Enterprise Man...Monitor Engineered Systems from a Single Pane of Glass: Oracle Enterprise Man...
Monitor Engineered Systems from a Single Pane of Glass: Oracle Enterprise Man...
 
Moving your APEX app to the Oracle Exadata Express Cloud
Moving your APEX app to the Oracle Exadata Express CloudMoving your APEX app to the Oracle Exadata Express Cloud
Moving your APEX app to the Oracle Exadata Express Cloud
 
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories. Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
 
Manual Tecnico OGG Oracle to MySQL
Manual Tecnico OGG Oracle to MySQLManual Tecnico OGG Oracle to MySQL
Manual Tecnico OGG Oracle to MySQL
 
Migrating to Database 12c Multitenant - New Opportunities To Get It Right!
Migrating to Database 12c Multitenant - New Opportunities To Get It Right!Migrating to Database 12c Multitenant - New Opportunities To Get It Right!
Migrating to Database 12c Multitenant - New Opportunities To Get It Right!
 
Running E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database ApplianceRunning E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database Appliance
 
Oracle Enterprise Manager 12c - OEM12c Presentation
Oracle Enterprise Manager 12c - OEM12c PresentationOracle Enterprise Manager 12c - OEM12c Presentation
Oracle Enterprise Manager 12c - OEM12c Presentation
 
0396 oracle-goldengate-12c-tutorial
0396 oracle-goldengate-12c-tutorial0396 oracle-goldengate-12c-tutorial
0396 oracle-goldengate-12c-tutorial
 

Mais de Andrejs Prokopjevs

Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Andrejs Prokopjevs
 
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Andrejs Prokopjevs
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
 
Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)
Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)
Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)Andrejs Prokopjevs
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Andrejs Prokopjevs
 
Running Oracle EBS in the cloud (DOAG TECH17 edition)
Running Oracle EBS in the cloud (DOAG TECH17 edition)Running Oracle EBS in the cloud (DOAG TECH17 edition)
Running Oracle EBS in the cloud (DOAG TECH17 edition)Andrejs Prokopjevs
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Andrejs Prokopjevs
 
Running Oracle EBS in the cloud (UKOUG APPS16 edition)
Running Oracle EBS in the cloud (UKOUG APPS16 edition)Running Oracle EBS in the cloud (UKOUG APPS16 edition)
Running Oracle EBS in the cloud (UKOUG APPS16 edition)Andrejs Prokopjevs
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Andrejs Prokopjevs
 

Mais de Andrejs Prokopjevs (9)

Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
 
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)
Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)
Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...
 
Running Oracle EBS in the cloud (DOAG TECH17 edition)
Running Oracle EBS in the cloud (DOAG TECH17 edition)Running Oracle EBS in the cloud (DOAG TECH17 edition)
Running Oracle EBS in the cloud (DOAG TECH17 edition)
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...
 
Running Oracle EBS in the cloud (UKOUG APPS16 edition)
Running Oracle EBS in the cloud (UKOUG APPS16 edition)Running Oracle EBS in the cloud (UKOUG APPS16 edition)
Running Oracle EBS in the cloud (UKOUG APPS16 edition)
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...
 

Último

Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfSkillCertProExams
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoKayode Fayemi
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Delhi Call girls
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIINhPhngng3
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCamilleBoulbin1
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatmentnswingard
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Baileyhlharris
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 

Último (20)

Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 

Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (OGH TECH 17 edition)

  • 8. What is Oracle Unified Directory?
    • LDAP v3 compliant directory. Formerly the Sun iPlanet Directory.
    • Completely runs on Java.
    • New generation of Oracle Directory Services since 11gR2.
    • Announced product replacement of Oracle Internet Directory.
    • Features:
      ▪ Storage
      ▪ Proxy and Load Balancing
      ▪ Virtualization
      ▪ Synchronization and Replication
    • Data is stored in JavaDB (Oracle Berkeley DB Java Edition).
    • Licensed under the Oracle Directory Services Plus license.
    • Supports known features like Enterprise User Security and TNS store.
    © 2016 Pythian 8
  • 9. What is Oracle Unified Directory?
    • Proxy: load balancing.
    • LDAP data can be shared and distributed.
    (diagram) OUD in Load Balancer (Proxy) mode: an LDAP client talks to the OUD proxy, which fronts OUD directory 1, OUD directory 2 and OUD directory 3.
    © 2016 Pythian 9
  • 10. What is Oracle Unified Directory?
    • Proxy: mapping of external directories, like Active Directory.
    (diagram) OUD Proxy mode with attribute virtualization: an LDAP client talks to the OUD proxy, which maps to MS Active Directory.
    © 2016 Pythian 10
  • 11. What is Oracle Unified Directory?
    • Replication and High Availability.
    • The same instance can combine multiple roles, e.g. Storage and replication server.
    (diagram) OUD Replication Server 1 and OUD Replication Server 2 serving OUD directory 1 to OUD directory 4, arranged in Replication group 1, Replication group 2 and Replication group 3.
    © 2016 Pythian 11
  • 12. Oracle Internet Directory comparison
    Aspect                  Oracle Unified Directory                              Oracle Internet Directory
    Runtime                 Java                                                  C
    Storage                 JavaDB, local disk storage                            Oracle Database as metadata repository
    Clustering concept      Multiple instances within a replication group         Multiple instances connected to one common Oracle database
    Proxy / Virtualization  Native support                                        Not supported; requires Oracle Virtual Directory
    Tools                   No ldapadd anymore; use "ldapmodify --defaultAdd"     Standard set of tools (ldapadd, ldapmodify, ldapdelete, etc.)
    Backups                 No PITR; full or incremental snapshots initiated      Full PITR supported by Oracle Database
                            by the backup utility
    © 2016 Pythian 12
  • 13. Oracle E-Business Suite integration overview © 2016 Pythian 13
  • 14. Software requirements
    • E-Business Suite R12.2.5+
    • FMW 11.1.1.9
    • R12.AD.C.7+
    • Patches 22098300, 21229697, and 24008856
    • Oracle Unified Directory 11.1.2.3
    • Being deployed into a separate Fusion Middleware Home.
    • Oracle Directory Services Manager (ODSM) 11.1.2.3
      ▪ Weblogic Server 10.3.6
      ▪ Oracle ADF 11.1.1.9
    • Repository Creation Utility 11.1.1.9
    • Oracle Directory Integration Platform 11.1.1.9
    • Oracle Access Manager 11.1.2.3
    © 2016 Pythian 14
  • 15. Documentation reference
    • Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11gR2 (Doc ID 2003483.1)
    • Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
    • Installation Guide for Oracle Identity Management
      ▪ https://docs.oracle.com/middleware/11119/core/INOIM/under_install.htm#INOIM1024
    © 2016 Pythian 15
• 16. Configure OUD
• Create the OUD instance.
$ echo "welcome1" > /tmp/oud_pwd
$ ./oud-setup --cli --hostName myoud.domain.com --ldapPort 1389 --ldapsPort 1636 --adminConnectorPort 4461 --rootUserDN "cn=directory manager" --rootUserPasswordFile /tmp/oud_pwd --generateSelfSignedCertificate --enableStartTLS --baseDN dc=example,dc=com --integration generic --serverTuning 512m --offlineToolsTuning 512m --no-prompt
• The "generic" integration option creates the naming context required for the EBS integration.
• 17. Configure Naming Context
• Modify the realm default user and group base DN references.
• Very important: if this is not executed, it will cause issues at later stages.
• Reference:
  ▪ https://docs.oracle.com/cd/E52734_01/oud/OUDAG/eus.htm#BABGJFEE
• Locate the LDIF template and edit it for the naming context you configured.
• Execute it after the correction.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
• 18. Configure DIP with OUD
• Enable the External Change Log
$ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 -b dc=example,dc=com --trustAll --no-prompt
$ dsreplication enable-changelog -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -r 8989 -b cn=oraclecontext --trustAll --no-prompt
• Enforce Unique UID Attribute
$ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" --set enabled:true
$ dsconfig -p 4461 -h localhost -D "cn=directory manager" -j /tmp/oud_pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" --set base-dn:ou=people,dc=example,dc=com
• Configure DIP for OUD
$ $ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost localhost -ldapport 1389 -ldapuser "cn=directory manager" -isldapssl false -ldapadminport 4461
• 19. Registration with Oracle EBS
• Start the EBS Online Patching Cycle (adop phase=prepare)
• Run all the actions against the patch file system
• Register OUD:
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes -ldapadminuser="cn=directory manager"
• Update EBS Profile Options
• Autoconfig
• Cutover
• Side note:
  • You can do all this in hot mode directly on the run file system.
  • Multi-node: this isn't required to be executed on all nodes as stated in the documentation.
• 20. Registration with Oracle EBS
• Start the EBS Online Patching Cycle (adop phase=prepare)
• Run all the actions against the patch file system
• Install WebGate
  ▪ Recommendation: apply the latest WebGate BP patch
• Deploy AccessGate
perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -deployApps=accessgate
• Register OAM
$FND_TOP/bin/txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
• Autoconfig
• Cutover
• 21. Registration with Oracle EBS
• Side note:
  • You can do all this in hot mode directly on the run file system.
  • But beware of Bug 19817016 !!!
    ▪ oaea_server1 (AccessGate) port conflict between run and patch during the fs_clone.
  • Solution:
    ▪ Stop oaea_server1.
    ▪ Run fs_clone.
    ▪ Restart oaea_server1.
    ▪ Subsequent fs_clone executions will not have this conflict anymore.
• 22. Issues faced while implementing OUD
• 23. Issue #1: Configure Naming Context
• $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
$ ls -l $ORACLE_INSTANCE/config/EUS/modifyRealm.ldif
ls: cannot access /u01/app/oracle/product/fmw11g_oud/instances/OUD_instance/config/EUS/modifyRealm.ldif: No such file or directory
$ ls -l $ORACLE_HOME/config/EUS/modifyRealm.ldif
-rw-r-----. 1 oracle oinstall 1608 Nov 15 2013 /u01/app/oracle/product/fmw11g_oud/Oracle_OUD1/config/EUS/modifyRealm.ldif
$
• Documentation bug.
• The file is deployed into the instance only with "--integration EUS", but it is still available under the Oracle Home.
• 24. Issue #1: Configure Naming Context
• What does it fix?
# cn=Common,cn=Products,cn=OracleContext
orclSubscriberSearchBase: dc=com
orclSubscriberNickNameAttribute: dc
orclDefaultSubscriber: dc=example,dc=com
# cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
orclCommonUserSearchBase: ou=people,dc=example,dc=com
orclCommonGroupSearchBase: ou=groups,dc=example,dc=com
• Side note: handled automatically since the 11.1.2.3.161018 BP.
• 25. Issue #2: No Subscriber found
• Let's query the naming context we created.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
dn: cn=OracleContext,dc=example,dc=com
$
• Where is my naming context base entry?
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s base "(objectclass=*)" "dn"
SEARCH operation failed
Result Code: 32 (No Such Entry)
Additional Information: The entry dc=example,dc=com specified as the search base does not exist in the Directory Server
$
• 26. Issue #2: No Subscriber found
• Fix: manually create the Naming Context base DN as subscriber.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: dc=example,dc=com
objectClass: top
objectClass: domain
objectclass: orclSubscriber
dc: example
orclversion: 90600
orclsubscriberfullname: example
aci: (targetattr != "userpassword || authpassword || aci") (version 3.0; acl "Anonymous read access to dc=example, dc=com"; allow (read,search,compare) userdn = "ldap:///anyone";)
• Optional: add a read-only ACI permission for non-super-user access (excluding the password attributes).
• 27. Issue #3: User and Group Base DNs
• Let's query the naming context again.
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "dc=example,dc=com" -s one "(objectclass=*)" "dn"
dn: cn=OracleContext,dc=example,dc=com
$
• Where are my user and group base DNs?
• 28. Issue #3: User and Group Base DNs
• Fix: manually create the base DN entries.
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
• 29. Issue #4: Write permissions for DIP profiles
• The documentation states that we need to apply these ACIs:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
• But the DIP runtime still fails on writes.
• 30. Issue #4: Write permissions for DIP profiles
• Fix: add a few more ACI permissions.
• DIP profiles actually run as members of the "odipgroup" App DN group.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odipgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
• 31. Issue #5: OUD restrictions on unindexed search
• OUD limits when a non-super-user is allowed to do unindexed searches.
• None of the OID-specific attributes are indexed by default.
• Example: search with an "orclguid" attribute filter.
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com' Operation 'SEARCH' failed in participant 'user' for entry 'ou=people,dc=example,dc=com'" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
• 32. Issue #5: OUD restrictions on unindexed search
• Fix: grant the privilege to the non-super-user that needs it.
• For DIP, this is required for each subscriber app DN.
• Example:
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd
dn: orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext
changetype: modify
add: ds-privilege-name
ds-privilege-name: unindexed-search
-
add: ds-privilege-name
ds-privilege-name: proxied-auth
• 33. Issue #6: cn=changelog data timeout
• By default, the replication purge delay in OUD is set to 1 day.
• Set it to 1 week, at least.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n get-replication-server-prop --provider-name "Multimaster Synchronization" --advanced --property replication-purge-delay
Property                : Value(s)
------------------------:---------
replication-purge-delay : 1 d
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -n set-replication-server-prop --provider-name "Multimaster Synchronization" --set replication-purge-delay:1w
• The historical replication data retention can also be tuned.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password -X -n set-replication-domain-prop --provider-name "Multimaster Synchronization" --domain-name dc=example,dc=com --set conflicts-historical-purge-delay:7200m
• 34. Issues faced while implementing OAM with OUD
• 35. Issue #1: EBS registration
• Test connection to the identity server is failing.
• But the network is fine, and the LDAP connection is working.
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD
...
Failed while doing policy configurations
• In the log file this will be the only actual information:
<class>oracle.apps.fnd.txk.oam.UserIdentityStoreConf</class>
<message>Test connection to identity server is failed. Please verify the settings and try again.</message>
<class>oracle.apps.fnd.txk.oam.RegisterOAM</class>
<message>Failed while updating the configurations in OAM console</message>
• 36. Issue #1: EBS registration
• Only the LDAP trace helped.
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP...
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2...
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP...
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
• 37. Issue #1: EBS registration
• Fix: the User Base DN and Group Base DN should each contain at least 1 user and 1 group.
• In OID, cn=orcladmin and cn=public are seeded by default.
dn: cn=testuser1,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: John
sn: Tester
cn: testuser1
uid: testuser1
userpassword: welcome1
mail: test@test.com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: testgroup
• 38. Issue #2: Configuration of the User Identity Store
• Not an issue, actually. More a recommendation.
• These parameters are not set by default:
  • User Filter Object Classes: person
  • Group Name Attribute: cn
  • Group Filter Classes: groupofnames
  • Inactivity Timeout (in seconds): 60
• 39. Features that deserve a note.
• 40. SSL
• RIP SSL no-auth mode.
• Only SSL server or client-server authentication.
• JSSE - Java Secure Socket Extension.
• And this is good!
• Default keystore: $ORACLE_INSTANCE/OUD/config/keystore
• 41. SSL - small comment about DIP
• By default, DIP is configured without SSL.
• SSL-only mode is required if passwords are provisioned from external directories.
• Requires a JKS keystore configuration with the OUD server certificate imported.
$ keytool -importcert -trustcacerts -alias OUD -file /tmp/oud_server_certificate_b64.txt -keystore $ORACLE_INSTANCE/config/DIP_JKS/dip.jks
$ wlst.sh
> connect('t3://localhost:7001')
> createCred(map="dip", key="jksKey", user="jksuser", password="changeit")
$ $ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute keystorelocation -val /u01/app/oracle/product/fmw11g/dip_inst1/config/DIP_JKS/dip.jks
$ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D weblogic
$ $ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D weblogic
• 42. External password plugins in OUD
• Use case: Active Directory, where passwords are not directly synced by DIP.
• OID has a cool feature: the external password plugin.
  • A Java-based module which forwards BIND requests to external LDAP directories for authentication.
• OUD does not have this kind of module, but there are alternatives:
  • Pass Through Authentication (OUD 11.1.2.2+)
  • On-Demand Password and Password Translate (OUD 11.1.2.3+)
  • OUD / DIP Synchronization with Active Directory (Doc ID 1534241.1)
• 43. Pass Through Authentication
• How it works: Proxy mode workflow.
• You have your Local Naming Context "dc=example,dc=com" with user entries synced by DIP (no userpassword / orclpassword attributes).
• A new Proxy Workflow is configured to mount the external LDAP Base DN.
• A Workflow Element merges both sources, using the local context as the user provider and the external proxy context as the authentication provider.
• 44. Pass Through Authentication
• Configure the OUD LDAP extension.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-extension --type ldap-server --extension-name proxy_extension_pta_ext_ldap --set remote-ldap-server-read-only:true --set remote-ldap-server-address:myad.example.com --set remote-ldap-server-port:389 --set remote-ldap-server-ssl-port:636 --set remote-ldap-server-ssl-policy:always --set ssl-trust-all:true --set ssl-trust-manager-provider:JKS --set enabled:true
• 45. Pass Through Authentication
• Configure the OUD Proxy Workflow elements.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element --set client-cred-mode:use-specific-identity --set enabled:true --set ldap-server-extension:proxy_extension_pta_ext_ldap --set remote-ldap-server-bind-dn:cn=system_user,ou=ad_system_accounts,dc=example,dc=com --set remote-ldap-server-bind-password:password --set remote-root-dn:cn=system_user,ou=system_accounts,dc=ad,dc=example,dc=com --set remote-root-password:password --type proxy-ldap --element-name wf_element_auth_pta_ext_ldap
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow-element --set auth-provider-workflow-element:wf_element_auth_pta_ext_ldap --set enabled:true --set user-provider-workflow-element:userRoot --set pta-suffix:ou=people,dc=example,dc=com --set pta-auth-suffix:ou=people,dc=example,dc=com --set pta-user-suffix:ou=people,dc=example,dc=com --type pass-through-authentication --element-name wf_element_pta_ext_ldap
• userRoot is our default naming context workflow element, created during setup.
• 46. Pass Through Authentication
• Configure the OUD Proxy Workflow.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-workflow --workflow-name pta_ext_ldap_wf --set base-dn:ou=people,dc=example,dc=com --set enabled:true --set workflow-element:wf_element_pta_ext_ldap
• Enable the new configuration.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n set-network-group-prop --group-name network-group --set enabled:true --add workflow:pta_ext_ldap_wf
• 47. Pass Through Authentication
• It works.
$ ldapsearch -h localhost -p 1389 -D "cn=user1,ou=people,dc=example,dc=com" -b "cn=user1,ou=people,dc=example,dc=com" -s base "(objectclass=*)" "orclSourceObjectDN"
Password for user 'cn=user1,ou=people,dc=example,dc=com':
dn: cn=user1,ou=people,dc=example,dc=com
orclSourceObjectDN: cn=user1,ou=People,dc=example,dc=com
$
• Some illustration.
[Figure: the Proxy Workflow virtually merges the LDAP user entry DN, taking the user and attributes from Local Storage and the BIND from MS AD.]
• 48. OUD Access Log
• OUD has access log tracing similar to Apache.
• It tracks everything and YOU SHOULD LOVE IT!
• $ORACLE_INSTANCE/OUD/logs/access
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
[25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] BIND REQ conn=1940 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:36 +0200] BIND RES conn=1940 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=domain,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=domain,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
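As an added example (not from the slides), a small Python parser for this access log format that pairs REQ and RES lines by conn/op and flags the two situations the earlier slides describe: the result=50 unindexed-search denial from Issue #5 and the zero-entry identity-store searches behind the OAM registration failure. The sample log is constructed from the lines shown on the slides; the SEARCH REQ preceding the result=50 line is an assumption.

```python
import re
from collections import Counter

# One OUD access log line: "[timestamp] OPERATION [REQ|RES] key=value key="quoted value" ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<kind>[A-Z]+)(?:\s+(?P<phase>REQ|RES))?\s*(?P<rest>.*)$")
# key=value pairs; quoted values may contain spaces (DNs, messages)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample, assembled from the lines shown on the slides; the SEARCH REQ
# that precedes the result=50 line is an assumption (the slide shows only the RES).
SAMPLE_LOG = """\
[25/Nov/2016:13:50:35 +0200] CONNECT conn=1939 from=10.10.10.187:13771 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:35 +0200] BIND REQ conn=1939 op=0 msgID=1 type=SIMPLE dn="cn=directory manager" version=3
[25/Nov/2016:13:50:35 +0200] BIND RES conn=1939 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[25/Nov/2016:13:50:35 +0200] UNBIND REQ conn=1939 op=1 msgID=2
[25/Nov/2016:13:50:35 +0200] DISCONNECT conn=1939 reason="Client Disconnect"
[25/Nov/2016:13:50:36 +0200] CONNECT conn=1940 from=10.10.10.160:63638 to=10.10.10.160:1389 protocol=LDAP
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=*)" attrs="ALL"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=1 msgID=2 result=0 nentries=0 etime=1
[25/Nov/2016:13:50:36 +0200] SEARCH REQ conn=1940 op=2 msgID=3 base="ou=groups,dc=example,dc=com" scope=sub filter="(cn=*)" attrs="cn"
[25/Nov/2016:13:50:36 +0200] SEARCH RES conn=1940 op=2 msgID=3 result=0 nentries=0 etime=0
[27/Apr/2016:01:25:45 -0700] SEARCH REQ conn=381168 op=514 msgID=515 base="ou=people,dc=example,dc=com" scope=sub filter="(orclguid=XXXX)" attrs="dn"
[27/Apr/2016:01:25:45 -0700] SEARCH RES conn=381168 op=514 msgID=515 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 authzDN="orclodipagentname=AD_DIP_PROFILE,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,cn=products,cn=OracleContext" etime=0
"""


def parse_line(line):
    """Return a dict of fields for one access log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind"), "phase": m.group("phase") or ""}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val[1:-1] if len(val) >= 2 and val[0] == '"' and val[-1] == '"' else val
    return rec


def analyze(lines):
    """Pair REQ/RES records by (conn, op) and return the findings worth a look."""
    pending, findings = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["phase"]:
            continue                      # CONNECT / DISCONNECT carry no result
        key = (rec.get("conn"), rec.get("op"))
        if rec["phase"] == "REQ":
            pending[key] = rec
            continue
        req = pending.pop(key, {})        # a RES without a REQ is still reported
        result = int(rec.get("result", "0"))
        finding = {"conn": rec.get("conn"), "kind": rec["kind"],
                   "base": req.get("base", "?"), "filter": req.get("filter", "?")}
        if result == 50 and "unindexed search" in rec.get("message", ""):
            # Issue #5: the bind identity lacks the unindexed-search privilege
            finding.update(rule="unindexed-search-denied",
                           who=rec.get("authzDN", rec.get("authDN", "?")))
        elif result != 0:
            finding.update(rule="ldap-error", result=result)
        elif rec["kind"] == "SEARCH" and rec.get("nentries") == "0":
            # OAM Issue #1: the identity-store check found no user or group under the base DN
            finding.update(rule="empty-search")
        else:
            continue
        findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per rule, handy for a quick daily review of the access log."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(summarize(found))
```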
• 49. Virtual Attributes
• An attribute which is more like a function.
• The best example: isMemberOf
  • Is true if a user is a member of a defined group.
• The most useful place to use it: LDAP filters.
• Example: OAM User Identity Store filter to allow only a specific group to access your application.
• KEY_LDAP_FILTER: (&(uid={KEY_USERNAME})(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))
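An added Python illustration (not part of the slides) of how isMemberOf behaves as a computed attribute and how the KEY_LDAP_FILTER above restricts logins: a constructed in-memory directory with two users and the ebs_sso_allowed_users group, a tiny evaluator for AND-of-equality filters, and RFC 4515 escaping of the substituted username. The directory contents, the simplified DN normalization and the evaluator are assumptions for the illustration, not OUD or OAM code.

```python
import re

# Constructed sample directory (not from the slides): two users under ou=people and the
# ebs_sso_allowed_users groupOfNames from the slide's filter, listing only user1 as member.
DIRECTORY = {
    "cn=user1,ou=people,dc=example,dc=com": {"objectclass": ["person"], "uid": ["user1"]},
    "cn=user2,ou=people,dc=example,dc=com": {"objectclass": ["person"], "uid": ["user2"]},
    "cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"],
        # member DNs are compared after normalization, so the different case here is fine
        "member": ["cn=user1,ou=People,dc=example,dc=com"],
    },
}

# The OAM User Identity Store filter from the slide; OAM substitutes {KEY_USERNAME} at login.
KEY_LDAP_FILTER = ("(&(uid={KEY_USERNAME})"
                   "(isMemberOf=cn=ebs_sso_allowed_users,ou=groups,dc=example,dc=com))")


def norm_dn(dn):
    """Simplified DN normalization (assumption): lowercase, no whitespace around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def is_member_of(dn):
    """Virtual attribute: every groupOfNames whose member list contains dn; nothing is stored."""
    target = norm_dn(dn)
    return [g for g, a in DIRECTORY.items()
            if "groupOfNames" in a.get("objectclass", [])
            and target in {norm_dn(m) for m in a.get("member", [])}]


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


# one "(attribute=value)" assertion; the value may contain RFC 4515 \xx escapes
ATOM_RE = re.compile(r"\(([A-Za-z][\w;-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def matches(dn, filt):
    """Evaluate an AND of equality assertions, e.g. (&(uid=x)(isMemberOf=dn)), against one entry."""
    attrs = {k.lower(): v for k, v in DIRECTORY[dn].items()}
    attrs["ismemberof"] = is_member_of(dn)      # computed on demand, like OUD does
    inner = filt[2:-1] if filt.startswith("(&") else filt
    atoms = ATOM_RE.findall(inner)
    if not atoms:
        return False
    for name, raw in atoms:
        wanted = unescape_filter_value(raw)
        values = attrs.get(name.lower(), [])
        if name.lower() == "ismemberof":
            ok = norm_dn(wanted) in {norm_dn(v) for v in values}
        else:
            ok = wanted.lower() in {v.lower() for v in values}
        if not ok:
            return False
    return True


def allowed_users(username, template=KEY_LDAP_FILTER):
    """Render the filter for a login name and return the DNs that satisfy it."""
    filt = template.replace("{KEY_USERNAME}", escape_filter_value(username))
    return [dn for dn in DIRECTORY if matches(dn, filt)]


if __name__ == "__main__":
    for name in ("user1", "user2", "*"):
        print(name, "->", allowed_users(name))
```

A literal "*" stays a literal after escaping, so it matches no uid instead of turning the first assertion into a presence test.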
• 51. Overview
• Performance is a feature.
• Overall, OUD performance is good.
• The more memory you configure, the more you get into the cache.
• Always try to apply the latest PSU BP. Many performance-related bugs are resolved in every bundle, per the change log.
• Real problems may only start when your data size exceeds hundreds of thousands of entries, e.g. 400 000 user accounts.
• 52. Indexes
• By default, OUD does not index most of the common OID attributes.
• Example: the DIP ApplicationToOID profile does a Root DN sub-search looking for entries with the required orclGUID, to confirm it exists.
• With large directories this can spin the CPU a lot. It can be indexed:
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -n create-local-db-index --element-name userRoot --index-name orclguid --set index-type:equality
$ rebuild-index -h localhost -p 4461 -D "cn=directory manager" -j /tmp/oud_pwd -X -b "dc=example,dc=com" -i orclguid
• If the DIP bootstrap has synchronized a huge number of new user accounts (e.g. from an external directory), a full index rebuild is highly recommended.
$ rebuild-index -b "dc=example,dc=com" --rebuildAll
• 53. Root DN based search
• Same use case: DIP ApplicationToOID
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd -b "" "(orclguid=XXXXXXXXXXXXXXXXXXXXXX)" "*"
• OUD will also look into "cn=changelog", as it treats it as a non-hidden naming context.
• This is how OUD works.
• Recommendation: evaluate the data size and allocate enough memory to cache as much of it as possible.
• https://blogs.oracle.com/sduloutr/entry/oud_external_change_log_and
• OUD - Bad Performance of a Subtree Search on the Root DSE if the External Changelog is Enabled (Doc ID 1676998.1)
• With PTA, add your external Proxy Workflow Element here as well.
• 54. Data cache tuning
• If your LDAP data is 1 GB in size, you can configure your OUD instance with 2 GB of memory and set the data cache to use 50 %.
$ dsconfig -h localhost -p 4461 -D "cn=directory manager" -w password set-workflow-element-prop --element-name userRoot --set db-cache-percent:50
• Cache as much as possible!!!
• 55. Summary
• OUD is an interesting lightweight product.
• Hard to say if it's better or worse than OID. Both OUD and OID have their own pros and cons.
• OUD is the replacement product. OID is going away soon (Dec 2018 / Dec 2021).
• Compared to 11gR1, where OUD was not usable at all for the main integration use cases, it is now more or less ready. Of course, with the nuances mentioned.
• Simplified setup and configuration.
• It takes time to tune everything. Let us be patient. There is potential.
• 56. THANK YOU
Q & A