Configuring Oracle Unified Directory (OUD) 11g as a Directory Server

I used Oracle Unified Directory (OUD) Version 11.1.1.5.0 during my test deployment locally here. I tried to collect as much information possible in this post for configuration.

Ideally, there are three possible configuration options for OUD:

• as a Directory Server
• as a Replication Server
• as a Proxy Server

Directory Server provides the main LDAP functionality in OUD. Proxy server can be used for proxying LDAP requests. And Replication Server is used for replication from one OUD to another OUD or even to another ODSEE (earlier Sun Java Directory) server. You can my previous posts on OUD here and here.

In this post, we will talk about configuring OUD after installation as a Directory Server. You can read about OUD installation in my previous post here.

Once installation is completed, you will find following files in $ORACLE_HOME Directory.

-rwxr-x---  1 oracle oracle 1152 May 17 11:16 oud-proxy-setup  -rwxr-x---  1 oracle oracle 1482 May 17 11:16 oud-proxy-setup.bat  -rwxr-x---  1 oracle oracle 1180 May 17 11:16 oud-replication-gateway-setup  -rwxr-x---  1 oracle oracle 1510 May 17 11:16 oud-replication-gateway-setup.bat  -rwxr-x---  1 oracle oracle 1141 Aug 10 16:50 oud-setup  -rwxr-x---  1 oracle oracle 1538 May 17 11:15 oud-setup.bat

In this listing, .bat files are used in windows. So, In Linux (that is what I am using), we will be using following files.

• oud-setup – To configure Directory Server
• oud-replication-gateway-setup – To configure Directory Replication Server
• oud-proxy-setup – To Setup Proxy Server

You can run the script shown below.

$ ./oud-setup OUD Instance location successfully created - /u01/oracle/Middleware/Oracle_OUD1/../asinst_2 Launching graphical setup...  The graphical setup launch failed.  Check file /tmp/oud-setup-8836874387532698932.log for more details.  Launching command line setup...  Oracle Unified Directory 11.1.1.5.0 Please wait while the setup program initializes...  What would you like to use as the initial root user DN for the Directory Server? [cn=Directory Manager]: Please provide the password to use for the initial root user: Please re-enter the password for confirmation:  On which port would you like the Directory Server to accept connections from LDAP clients? [1389]: 389  ERROR:  Unable to bind to port 389.  This port may already be in use, or you may not have permission to bind to it.  On UNIX-based operating systems, non-root users may not be allowed to bind to ports 1 through 1024 On which port would you like the Directory Server to accept connections from LDAP clients? [1389]:  On which port would you like the Administration Connector to accept connections? [4444]: Do you want to create base DNs in the server? (yes / no) [yes]:  Provide the base DN for the directory data: [dc=example,dc=com]: Options for populating the database:  1)  Only create the base entry 2)  Leave the database empty 3)  Import data from an LDIF file 4)  Load automatically-generated sample data  Enter choice [1]: 1  Do you want to enable SSL? (yes / no) [no]: yes On which port would you like the Directory Server to accept connections from LDAPS clients? [1636]:  Do you want to enable Start TLS? (yes / no) [no]: yes Certificate server options:  1)  Generate self-signed certificate (recommended for testing purposes only) 2)  Use an existing certificate located on a Java Key Store (JKS) 3)  Use an existing certificate located on a JCEKS key store 4)  Use an existing certificate located on a PKCS#12 key store 5)  Use an existing certificate on a PKCS#11 token  Enter choice [1]: Provide the fully-qualified host name or IP address that will be used to generate the self-signed certificate [ut1ef1]:  Do you want to start the server when the configuration is completed? (yes / no) [yes]:  Setup Summary ============= LDAP Listener Port:            1389 Administration Connector Port: 4444 LDAP Secure Access:            Enable StartTLS Enable SSL on LDAP Port 1636 Create a new Self-Signed Certificate Root User DN:                  cn=Directory Manager Directory Data:                Create New Base DN dc=example,dc=com. Base DN Data: Only Create Base Entry (dc=example,dc=com)  Start Server when the configuration is completed  What would you like to do?  1)  Set up the server with the parameters above 2)  Provide the setup parameters again 3)  Print equivalent non-interactive command-line 4)  Cancel and exit  Enter choice [1]: 3  Equivalent non-interactive command-line to setup server:  oud-setup \ --cli \ --baseDN dc=example,dc=com \ --addBaseEntry \ --ldapPort 1389 \ --adminConnectorPort 4444 \ --rootUserDN cn=Directory\ Manager \ --rootUserPassword ****** \ --enableStartTLS \ --ldapsPort 1636 \ --generateSelfSignedCertificate \ --hostName ut1ef1 \ --no-prompt \ --noPropertiesFile  What would you like to do?  1)  Set up the server with the parameters above 2)  Provide the setup parameters again 3)  Print equivalent non-interactive command-line 4)  Cancel and exit  Enter choice [1]: 4 No configuration performed. OUD Instance directory deleted. $

Then you need to run the oud-setup with the options provided for creating the directory server.

$ ./oud-setup           –cli           –baseDN dc=example,dc=com           –addBaseEntry           –ldapPort 1389           –adminConnectorPort 4444           –rootUserDN cn=Directory\ Manager           –rootUserPassword ******           –enableStartTLS           –ldapsPort 1636           –generateSelfSignedCertificate           –hostName ut1ef1           –no-prompt           –noPropertiesFile

OUD Instance location successfully created – /u01/oracle/Middleware/Oracle_OUD1/../asinst_2

An error occurred while parsing the command-line arguments:  An unexpected error occurred while attempting to initialize the command-line arguments:  Argument “bat” does not start with one or two dashes and unnamed trailing arguments are not allowed

Here, the issue is with the rootUserPassword value. Since I put * here, it replaced with all the files in the local directory, so it failed. Replace it with the required password for the “cn=Directory Manager” as shown below.

$ ./oud-setup           --cli           --baseDN dc=example,dc=com           --addBaseEntry           --ldapPort 1389           --adminConnectorPort 4444           --rootUserDN cn=Directory\ Manager           --rootUserPassword pass_t3st           --enableStartTLS           --ldapsPort 1636           --generateSelfSignedCertificate           --hostName ut1ef1           --no-prompt           --noPropertiesFile OUD Instance location successfully created - /u01/oracle/Middleware/Oracle_OUD1/../asinst_2  Oracle Unified Directory 11.1.1.5.0 Please wait while the setup program initializes...  See /tmp/oud-setup-5822533240188214866.log for a detailed log of this operation.  Configuring Directory Server ..... Done. Configuring Certificates ..... Done. Creating Base Entry dc=example,dc=com ..... Done. Starting Directory Server ......... Done.  To see basic server configuration status and configuration you can launch /u01/oracle/Middleware/asinst_2/OUD/bin/status $  cd bin $ ./status  >>>> Specify Oracle Unified Directory LDAP connection parameters  How do you want to trust the server certificate?  1)  Automatically trust 2)  Use a truststore 3)  Manually validate  Enter choice [3]: 1  Administrator user bind DN [cn=Directory Manager]:  Password for user 'cn=Directory Manager':  --- Server Status --- Server Run Status:        Started Open Connections:         1  --- Server Details --- Host Name:                ut1ef1 Administrative Users:     cn=Directory Manager Installation Path:        /u01/oracle/Middleware/Oracle_OUD1 Instance Path:            /u01/oracle/Middleware/asinst_2/OUD Version:                  Oracle Unified Directory 11.1.1.5.0 Java Version:             1.6.0_26 Administration Connector: Port 4444 (LDAPS)  --- Connection Handlers --- Address:Port : Protocol               : State -------------:------------------------:--------- --           : LDIF                   : Disabled 0.0.0.0:161  : SNMP                   : Disabled 0.0.0.0:1389 : LDAP (allows StartTLS) : Enabled 0.0.0.0:1636 : LDAPS                  : Enabled 0.0.0.0:1689 : JMX                    : Disabled  --- Data Sources --- Base DN:     dc=example,dc=com Backend ID:  userRoot Entries:     1 Replication: Disabled

$

Now, your newly created OUD Directory Server is running in the machine. You can check this with the ldapsearch command.

$ ldapsearch -h localhost -p 1389 -D “cn=Directory Manager” -w ebs_t3st -s sub -b “dc=example,dc=com” “(objectclass=*)” cn
dn: dc=example,dc=com

$

LDAP Search command will return one entry as shown above.

Here are some of my Observations:

• If you want to use the port 389/636 for your Directory Server, then you need to run the setup using root user. Then you need to use start-ds and stop-ds commands using root user only.
• There are six scripts to setup OUD components (three for unix/linux and three for windows environments)
• You can setup a new TLS based certificate as part of configuring a new Directory Server.

 

Okay, thats all for now. We will meet in another post. Until then

Advanced Replication Setup for High availability and Performance

In my personal opinion, Oracle leads the market in Directory Product offerings (LDAP Directories). Starting from Oracle Internet Directory (OID), to the latest Oracle Unified Directory (OUD), Oracle definitely provides variety of LDAP Directory related products for integration.

With increasing demand for mobile computing and cloud computing offering, there is a need to standardize LDAP Deployments for Identification, Authentication and (sometimes) Authorization (IAA) services. With a highly scalable, highly performing, highly available, highly stable and highly secure LDAP Directory, these IAA services will be easier to integrate with applications in the cloud or for the mobile applications.

Introduction

Oracle Unified Directory (OUD) is a latest LDAP Directory offering from Oracle Corp. As mentioned in my previous post, OUD comes with three main components. They are:

• Directory Server
• Proxy Server
• Replication Server

Here, Directory Server provides the main LDAP functionality (I assume you already know what an LDAP Directory Server means). Proxy server is used for to proxy LDAP requests (how?). AndReplication Server is used for replicating (copying) data from one OUD to another OUD or even to ODSEE server (we will talk more about replication in this post). You can read about my first post on OUD here. In this current article, I will write about replication server and advanced replication setup for Oracle Unified Directory.

Many people want a step by step guide (kind of cheat sheet) to setup something like OUD or OID for replication. Unfortunately I am not going to give you that here. In my personal opinion, that (cheat sheet) is not a right approach at all and will not be helpful in the long run for gaining concepts or knowledge. First of all, we need to give importance to the basic concepts behind how something works.

First of all, read OUD Documentation

Product Documentation must be read before you plan your deployment. You can find the OUD Documentation here. This link is for OUD Version 11.1.1. Make sure to refer the latest product manual. Documentation provides lot of details about the product and save lot of time with investigation later. For Replication, you need to start with “Architecture Reference” Guide.

When do you want to setup replication?

There should be a reason, right? If there is no reason, then there is no need for you to setup replication at all. Instead, you can have a beer and pass the time happily doing something else.

Ideally, you need replication setup for “High Availability” and “Performance”. Usually, there will be multiple instances of OUD Directory Server processes running in Production. Let’s say we need to have around four OUD Directory Servers (and four more for Business Continuity/Disaster Recovery).

Unfortunately, there is no single process to update all the eight OUD Directory Servers in our example. We need to find a mechanism to synchronize the directory entries across these servers.  For this, we need to use the OUD Replication Server Component.

Securing the Replication Traffic

We don’t want network sniffers taking away critical user information (even inside the internal network, it is possible). We need to encrypt the traffic between the replication servers. Do not consider setting up a Replication Server communication without encrypted traffic.

Since OUD provided identity data, all the network traffic is prone to sniffing attacks. Always use encrypted or secure connections to OUD or to any LDAP Directory.

Deciding a Replication Method to use

Next important thing is to decide what replication method you are going to use. This is mostly site specific and you need to know lot of details before deciding a replication method to use. I am planning to use the following sample architecture for this post. Let’s understand our sample OUD Architecture first.

 

Here are the quick components of the architecture:

• We have one master OUD Server called PROD-01. All the updates to the directory happens here. Most probably, HR System will update the directory. Also, Updates can happen using a custom developed application plug-in for LDAP Directory or using a Identity and Access Management System (IAM) system such as Oracle Identity Manager or Tivoli Identity Manager.
• PROD-02 will be used with PROD-01 for High Availability and Performance in this Production Deployment.
• In Disaster Recovery deployment, we have PROD-03 and PROD-04 servers. These servers need to synchronize the user data from the master server PROD-01.

One way to setup replication is by provisioning users into all the six OUD Directory Servers by an Identity and Access Management (IAM) System (such as Oracle Identity Manager or Tivoli Identity Manager). However this provisioning can be time consuming to complete because it will be treated as updating six different LDAP Directories. So a better way to achieve this is using a Replication Server.

We will continue setting up the Replication Server for this architecture. Lets meet in another post - Until then.