Saturday, February 2, 2013

OIM: Retrieve Access Policy Modified in Last x Days

Hi All,

This is an extension of the blog I wrote in Dec last year :

http://ajmerasunny.blogspot.com/2012/12/oim-11g-read-access-policy-data.html

The code below retrieves the Role attached to each Access Policy along with the Groups that are provisioned through it; it is written with reference to an Oracle Internet Directory target system. After writing the data to the flat file, the task also triggers the OIM OOTB "Evaluate User Policies" job to propagate the changes to the affected users.

package security.provisioning;
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.sql.Timestamp;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import oracle.iam.platform.Platform;
import oracle.iam.scheduler.api.SchedulerService;
import oracle.iam.scheduler.vo.JobHistory;
import oracle.iam.scheduler.vo.TaskSupport;
import com.thortech.util.logging.Logger;


public class DumpAccessPolicyDataByDays extends TaskSupport {
 // Role name -> set of target group names provisioned by the policies assigned to that role
 HashMap<String, HashSet<String>> mapping = new HashMap<String, HashSet<String>>();
 tcAccessPolicyOperationsIntf moAccesspolicyutility = null;
 private static final Logger logger = Logger.getLogger("CUSTOM.EVENTS");
 private static final String CLASS_NAME = "security.provisioning.DumpAccessPolicyDataByDays : ";

 @Override
 public void execute(HashMap arg0) throws Exception {

  final String METHOD_NAME = "execute :: ";
  logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - execute");

  // Output File Name
  String outputFileName = arg0.get("Output File Name").toString();
  logger.debug(CLASS_NAME + METHOD_NAME + " Output File Name "
    + outputFileName);

  // Delimiter for FTB Roles in the Input File
  String ROLE_DELIMITER = arg0.get("List Delimiter").toString();
  logger.debug(CLASS_NAME + METHOD_NAME + " List Delimiter "
    + ROLE_DELIMITER);

  // Delimiter for the Attributes in the Input File
  String FILE_DELIMITER = arg0.get("Field Delimiter").toString();
  logger.debug(CLASS_NAME + METHOD_NAME + " Field Delimiter "
    + FILE_DELIMITER);

  // Policies Updated in Last x Days
  String noOfDays = arg0.get("Modified in Last x Days").toString();
  if (noOfDays.isEmpty()) {
   noOfDays = "0";
  }

  logger.debug(CLASS_NAME + METHOD_NAME + " Modified in Last x Days "
    + noOfDays);

  // Creating FileStream for writing the mapping data
  FileWriter fstream = new FileWriter(outputFileName);
  BufferedWriter out = new BufferedWriter(fstream);

  Calendar cal = Calendar.getInstance();
  SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
  cal.add(Calendar.DATE, -Integer.parseInt(noOfDays));
  String searchDate = sdf.format(cal.getTime());

  // Output File Header
  out.write("#Role,Groups");
  out.write("\n");

  // Use the class-level utility reference rather than shadowing it with a local variable
  moAccesspolicyutility = Platform
    .getService(tcAccessPolicyOperationsIntf.class);
  HashMap<String, Object> searchPolicy = new HashMap<String, Object>();
  searchPolicy.put("Access Policies.Retrofit Flag", 1);
  tcResultSet result = moAccesspolicyutility.findAccessPolicies(searchPolicy);
    

  logger.debug(CLASS_NAME + METHOD_NAME
    + "Total Count of Access Policies Present in OIM is: "
    + result.getRowCount());

  String policyDate, policyName;
  int policyCount = 0;


  HashSet<String> groupList = new HashSet<String>();

  for (int i = 0; i < result.getTotalRowCount(); i++) {
 
   result.goToRow(i);
 
   long policyKey = result.getLongValue("Access Policies.Key");
   logger.debug(CLASS_NAME + METHOD_NAME + "Access Policy Key :" + policyKey);
 
   policyDate = result.getStringValue("Access Policies.Update Date");
   logger.debug(CLASS_NAME + METHOD_NAME + "Access Policies.Update Date:-> "+policyDate);
 
   policyName = result.getStringValue("Access Policies.Name");
   logger.debug(CLASS_NAME + METHOD_NAME + "Access Policy Name:"
     + policyName );

   if (searchDate.compareTo(policyDate) <= 0) {
    ++policyCount;
    logger.debug(CLASS_NAME + METHOD_NAME
      + "Searching for Access Policies Updated Since " + searchDate);
               
    tcResultSet policyresult = moAccesspolicyutility
      .getDataSpecifiedFor(policyKey);
  
    for (int f = 0; f < policyresult.getTotalRowCount(); f++) {
     policyresult.goToRow(f);
     long formKey = policyresult
       .getLongValue("Structure Utility.Key");
     long objectKey = policyresult.getLongValue("Objects.Key");
     tcResultSet groupResult = moAccesspolicyutility
       .getAssignedGroups(policyKey);
     for (int j = 0; j < groupResult.getTotalRowCount(); j++) {
      groupResult.goToRow(j);

      // Role
      String Role = groupResult
        .getStringValue("Groups.Group Name");
      logger.debug(CLASS_NAME + METHOD_NAME + " Role: "
        + Role);

      AccessPolicyResourceData policyData = moAccesspolicyutility
        .getDataSpecifiedForObject(policyKey,
          objectKey, formKey);
      HashMap pData = policyData
        .getChildTables();
      Set s = pData.keySet();
      Iterator it = s.iterator();
      logger.debug(CLASS_NAME + METHOD_NAME
        + "Below are the EDR Groups associated with FTB Role "
        + Role);
      while (it.hasNext()) {
       String tableKey = it.next().toString();

       PolicyChildTableRecord[] pChildTableData = policyData
         .getChildTableRecords(tableKey);
       for (int g = 0; g < pChildTableData.length; g++) {
        String GroupName = pChildTableData[g]
          .getValue("UD_OID_GRP_GROUP_NAME");
        String arrtemp1[] = GroupName.split(",");
        String arrtemp2[] = arrtemp1[0].split("=");
        logger.debug(CLASS_NAME + METHOD_NAME
          + " " + arrtemp2[1]);
        // Adding the Groups in a ArrayList
        groupList.add(arrtemp2[1]);
       }
      }

      // Adding the  Role as Key and Groups as  ArrayList in  HashMap
      mapping.put(Role, groupList);

      // Instantiating new ArrayList for storing Groups
      groupList = new HashSet<String>();
     }

    }
   }
  }

  logger.info(CLASS_NAME + METHOD_NAME
    + "Count of Access Policies matching Search Criteria is "
    + policyCount);


   
  // Writing the Mapping in FlatFile
  Set s = mapping.keySet();
  Iterator itr = s.iterator();
  while (itr.hasNext()) {
   String key = itr.next().toString();
   out.write(key);
   out.write(FILE_DELIMITER);
   Iterator listitr = mapping.get(key).iterator();
   int listSize = mapping.get(key).size();
   int i = 0;
   while (listitr.hasNext()) {
    out.write(listitr.next().toString());
    i++;
    if (i != listSize)
     out.write(ROLE_DELIMITER);
   }
   out.write("\n");
  }
  

  // Invoking Evaluate User Policies Schedule Task
  SchedulerService schService = Platform.getService(SchedulerService.class);
  schService.triggerNow("Evaluate User Policies");
  logger.info(CLASS_NAME + METHOD_NAME + " Evaluate User Policies is Executed");
  //Integer status = schService.getStatusOfJob("Evaluate User Policies");

  // Closing the File Stream
  out.close();
  fstream.close();
  logger.info(CLASS_NAME + METHOD_NAME + "Mapping written on " + outputFileName);
    


 }
 @Override
 public HashMap getAttributes() {
  return null;
 }

 @Override
 public void setAttributes() {
 }

}

Saturday, January 26, 2013

OIM11g PostProcess EventHandler on RoleMembership


Below is the PostProcess Event Handler that I wrote to update a custom UDF in OIM with the list of Roles assigned to the user (separated by the delimiter ','). This EventHandler is triggered every time a role is assigned to or revoked from the user. For entity-type='RoleUser', OIM actually calls the BulkEventResult execute() method, not the EventResult execute() method [Oracle Doc ID: 1461252.1].


package oracle.oim.extensions.postprocess;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.io.Serializable;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcLookupOperationsIntf;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.identity.usermgmt.vo.UserManagerResult;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;

public class RoleProcessor implements PostProcessHandler {

 private static final String LOOKUP_COLUMN_DECODE = "Lookup Definition.Lookup Code Information.Decode";

 public BulkEventResult execute(long processId, long eventId,
   BulkOrchestration orchestration) {
  // TODO Auto-generated method stub
  try {
   String userKey = null;
   String operation = orchestration.getOperation().trim().toString();
   System.out.println("<---------- BulkEventResult " + getClass().getName() + ": Operation[" + operation + "] Execute ---------->");
   HashMap[] bulkParameters = orchestration
     .getBulkParameters();
   for (int j = 0; j < bulkParameters.length; j++) {
    Set set = bulkParameters[j].keySet();
    Iterator itr = set.iterator();
    while (itr.hasNext()) {
     String key = itr.next().toString();
     if ("userKeys".equalsIgnoreCase(key)) {

     //Value of UserKey comes as [6088]. So below is the regex to replace special character from the Userkey.
      // Regular Expression to replace Special Character '[' & ']' from the UserKey
       userKey = bulkParameters[j].get(key).toString().replaceAll("[\\[\\]]", "");
       System.out.println("userKey ->" + userKey);
     }
    }
   }
  
   // Get List of  Roles to be Filtered
   HashSet<String> removeRoles = readLookup();

   // Find List of Roles assigned to the user in OIM
   StringBuffer stringBuffer = new StringBuffer();
   RoleManager rolemanager = Platform.getService(RoleManager.class);
   List<Role> groupList = rolemanager
     .getUserMemberships(userKey, true);
   HashSet<String> roleList = new HashSet<String>();
   for (Role role : groupList) {
    String roleName = role.getAttribute("Role Name").toString();
    System.out.println("RoleName :" + roleName);
    roleList.add(roleName);
   }


  
   // Remove roles like "ALL USERS" and other default roles that every user gets. The requirement was to store only business/functional/application-specific roles in the custom UDF.
   roleList.removeAll(removeRoles);
  
   Iterator iterator = roleList.iterator();
   String role = null;
   System.out.println("Role To Be Assigned Count is: " + roleList.size());
   int counter = 1;

   while (iterator.hasNext()) {
    role = iterator.next().toString();
    stringBuffer.append(role);
    if (counter != roleList.size()) {
     stringBuffer.append(",");
    }
    counter++;
   }
   String RoleList = stringBuffer.toString();
   System.out.println("Role List: " + RoleList );

   // Updating UDF (the attribute map is built inside executeEvent)
   executeEvent(bulkParameters, orchestration.getTarget().getType(),
     userKey, RoleList);

  } catch (Exception e) {
   e.printStackTrace();
  }
  return new BulkEventResult();
 }


 public HashSet<String> readLookup() {

  System.out.println("Reading Lookup");
  String lookupDecode = "Lookup.RoleProcessor.IgnoreRole";
  HashSet<String> filterRoles = new HashSet<String>();
  try {
  //Read Lookup to Find FilteredRoles
  tcLookupOperationsIntf lookupOps = Platform.getService(tcLookupOperationsIntf.class);
  tcResultSet lookupResultSet = lookupOps.getLookupValues(lookupDecode);
  for (int i = 0; i < lookupResultSet.getRowCount(); i++) {
   lookupResultSet.goToRow(i);
   String decode = lookupResultSet.getStringValue(
     LOOKUP_COLUMN_DECODE).trim();
   filterRoles.add(decode);
  }
  }catch(Exception e) {
   e.printStackTrace();
  }
  return filterRoles;
 }

 private void executeEvent(HashMap[] parameterHashMap, String targetType,
   String userKey, String RoleList) {
  try {
   System.out.println("Inside executeEvent () ");
   System.out.println("userKey " + userKey);
   System.out.println("Role List for UDF: " + RoleList);
   HashMap<String, Object> mapAttrs = new HashMap<String, Object>();
   mapAttrs.put("Role List", RoleList);


   // Finding User Login using usr_key, as UserManager modify() expects the User Login as one of the input parameters
   String username = null;
   UserManager userService = Platform.getService(UserManager.class);
   SearchCriteria criteria = new SearchCriteria("usr_key", userKey,
     SearchCriteria.Operator.EQUAL);
   Set<String> attrNames = new HashSet<String>();
   attrNames.add("User Login");
   HashMap<String, Object> parameters = null;
   HashMap<String, Object> attributes = null;
   System.out.println("Searching User_Login based on USR_KEY");
   List<User> users = userService.search(criteria, attrNames, parameters);
  
   if (users != null && !users.isEmpty()) {
    System.out.println("search results, quantity=" + users.size());
    for (User user : users) {
     attributes = user.getAttributes();
     //keys = attributes.keySet();
     username = attributes.get("User Login").toString();
     System.out.println("User Login " + username);
    }

   }
  
   // Without a User Login the modify() call below cannot address the user, so bail out
   if (username == null) {
    System.out.println("No user found for usr_key " + userKey + "; skipping UDF update");
    return;
   }
   System.out.println("Updating UDF using UserManager");
   User user = new User(username, mapAttrs);
   UserManagerResult result = userService.modify("User Login", username, user);
   System.out.println("Modification Status " + result.getStatus());
  
  } catch (Exception e) {
   System.out.println(e.getMessage());
   e.printStackTrace();
  }
 }
 @Override
 public void initialize(HashMap arg0) {
  // TODO Auto-generated method stub
  System.out
    .println("Initialize  RoleProcessor OIM PostProcess EventHandler");

 }
 @Override
 public boolean cancel(long arg0, long arg1,
   AbstractGenericOrchestration arg2) {
  System.out.println("Inside  cancel() method");
  // TODO Auto-generated method stub
  return false;
 }
 @Override
 public void compensate(long arg0, long arg1,
   AbstractGenericOrchestration arg2) {
  System.out.println("Inside  compensate() method");
  // TODO Auto-generated method stub
 }
 @Override
 public EventResult execute(long arg0, long arg1, Orchestration arg2) {
  // TODO Auto-generated method stub
  System.out.println("Inside EventResult execute ");
  return null;
 }
}
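The user-key and role-list handling of the handler above, as an added example that is not the post's code: it isolates the logic from the OIM kernel so it compiles and runs stand-alone, and it treats "userKeys" as a list because a bulk orchestration can carry several users in one event (the inputs in main() are constructed; the class and method names are mine, not OIM's).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Added example, not the post's code: the userKeys handling and role-list building
// of the RoleProcessor handler, isolated from the OIM kernel so it runs stand-alone.
// A bulk orchestration can carry several user keys in one event, so "userKeys" is
// turned into a list rather than stripping "[" and "]" from its toString(), which
// would hand "6088, 6089" to RoleManager for a two-user event.
public class RoleListBuilder {

    /** The raw "userKeys" bulk parameter may arrive as a Collection, an array or a single value. */
    public static List<String> extractUserKeys(Object userKeysParam) {
        List<String> keys = new ArrayList<>();
        if (userKeysParam == null) return keys;
        if (userKeysParam instanceof Collection) {
            for (Object o : (Collection<?>) userKeysParam) keys.add(String.valueOf(o).trim());
        } else if (userKeysParam instanceof Object[]) {
            for (Object o : (Object[]) userKeysParam) keys.add(String.valueOf(o).trim());
        } else {
            // Fallback for an already-stringified value such as "[6088, 6089]"
            for (String s : String.valueOf(userKeysParam).replaceAll("[\\[\\]]", "").split(",")) {
                if (!s.trim().isEmpty()) keys.add(s.trim());
            }
        }
        return keys;
    }

    /**
     * Comma-delimited value for the "Role List" UDF: drops the roles named in the
     * ignore lookup (exact match after trimming, as roleList.removeAll() does),
     * collapses duplicates and sorts so the UDF value is stable across runs.
     */
    public static String buildRoleList(Collection<String> memberships, Collection<String> ignoreRoles) {
        Set<String> ignore = new LinkedHashSet<>();
        for (String r : ignoreRoles) if (r != null) ignore.add(r.trim());
        Set<String> kept = new TreeSet<>();
        for (String role : memberships) {
            if (role == null || role.trim().isEmpty()) continue;
            if (!ignore.contains(role.trim())) kept.add(role.trim());
        }
        return String.join(",", kept);
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for getBulkParameters() and RoleManager results
        System.out.println(extractUserKeys(Arrays.asList("6088", "6089")));
        System.out.println(extractUserKeys("[6088]"));
        List<String> memberships = Arrays.asList("ALL USERS", "Finance Analyst",
                "SYSTEM ADMINISTRATORS", "Finance Analyst", " Payroll Approver ");
        List<String> ignore = Arrays.asList("ALL USERS", "SYSTEM ADMINISTRATORS");
        System.out.println(buildRoleList(memberships, ignore));
    }
}
```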

Note: This blog is just for my record keeping and contains my views/experience but if it helps someone, then I will be very glad.

Friday, December 21, 2012

OIM 11g: Read Access Policy Data

Hi,

Below is the sample code that I wrote to read the data of Access Policies that were modified today. The code gives you the assigned role and the Groups provisioned to the user by this access policy. In my case, the assigned resource was Oracle Internet Directory. The code uses the OIM 9.x APIs, as 11g doesn't provide any API to get the access policy data.

package sample;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormDefinitionOperationsIntf;
import oracle.iam.accesspolicy.vo.PolicyObjectDetails;
import oracle.iam.platform.OIMClient;
public class fetchAccessPolicyData {
 private static final String OIM_URL = "t3://oimhost:oimport";
 private static final String AUTH_CONF = "C:/designconsole/config/authwl.conf";
 private static final String OIM_USERNAME = "xelsysadm";
 private static final String OIM_PASSWORD = "password";
 private static OIMClient oimClient = null;
 Hashtable env = new Hashtable();
 public tcAccessPolicyOperationsIntf moAccesspolicyutility;

 public fetchAccessPolicyData() {
  try {
   env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
     "weblogic.jndi.WLInitialContextFactory");
   env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
   System.setProperty("java.security.auth.login.config", AUTH_CONF);
   System.setProperty("OIM.AppServerType", "wls");
   System.setProperty("APPSERVER_TYPE", "wls");
   oimClient = new OIMClient(env);
   oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
  } catch (Exception e) {
   e.printStackTrace();
  }
  return;
 }
 public void getData() {
  try {
  
   // Reuse the same credentials that were used for the OIMClient login above
   tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env,
     OIM_USERNAME, OIM_PASSWORD);
   moAccesspolicyutility = (tcAccessPolicyOperationsIntf) ioUtilityFactory
     .getUtility("Thor.API.Operations.tcAccessPolicyOperationsIntf");
   tcFormDefinitionOperationsIntf formOp = (tcFormDefinitionOperationsIntf) ioUtilityFactory
     .getUtility("Thor.API.Operations.tcFormDefinitionOperationsIntf");
   HashMap attributeList = new HashMap();
   attributeList.put("Access Policies.Retrofit Flag", 1);
   tcResultSet result = moAccesspolicyutility
     .findAccessPolicies(attributeList);
   // tcResultSet result =
   // moAccesspolicyutility.getAccessPolicyByResourceName("OID User");
   SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
   Date now = new Date();
   String strDate = sdf.format(now);
   System.out.println("Current Date: " + strDate);
   String policyDate;
   for (int i = 0; i < result.getTotalRowCount(); i++) {
    result.goToRow(i);
    policyDate = result.getStringValue("Access Policies.Update Date");
    if (strDate.compareTo(policyDate) == 0) {
     System.out.println("Access Policy Name :"
       + result.getStringValue("Access Policies.Name"));
     System.out.println("Access Policies.Update Date :"
         + result.getStringValue("Access Policies.Update Date"));
    long policyKey = result.getLongValue("Access Policies.Key");
    tcResultSet policyresult = moAccesspolicyutility
      .getDataSpecifiedFor(policyKey);
    for (int f = 0; f < policyresult.getTotalRowCount(); f++) {
     policyresult.goToRow(f);
     long formKey = policyresult
       .getLongValue("Structure Utility.Key");
     long objectKey = policyresult.getLongValue("Objects.Key");
     tcResultSet groupResult = moAccesspolicyutility
       .getAssignedGroups(policyKey);
     for (int j = 0; j < groupResult.getTotalRowCount(); j++) {
      groupResult.goToRow(j);
     
      // This gives you the Role for which the access policy will be triggered.
      System.out.println(groupResult
        .getStringValue("Groups.Group Name") + ",");

      AccessPolicyResourceData policyData = moAccesspolicyutility
        .getDataSpecifiedForObject(policyKey,
          objectKey, formKey);
      HashMap pData = policyData.getChildTables();
      Set s = pData.keySet();
      Iterator it = s.iterator();
      while (it.hasNext()) {
       String tableKey = it.next().toString();
       // System.out.println("tableKey " +tableKey);
       PolicyChildTableRecord[] pChildTableData = policyData
         .getChildTableRecords(tableKey);
       // System.out.println("pChildTableData.length " +
       // pChildTableData.length);
       for (int g = 0; g < pChildTableData.length; g++) {
        String EDRGroupName = pChildTableData[g]
          .getValue("UD_OID_GRP_GROUP_NAME");
        String arrtemp1[] = EDRGroupName.split(",");
        // System.out.println(arrtemp1[0]);
        String arrtemp2[] = arrtemp1[0].split("=");

        // This gives you the groups that will be assigned to the user account in OID / the applicable target resource.
        System.out.print(arrtemp2[1]);
        System.out.println(";");
       }
      }
     }
    }
   }
   }
  } catch (Exception e) {
   e.printStackTrace();
  }
 }
}
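The parsing and date-window logic shared by this post and the "Modified in Last x Days" extension above, as an added example that is not the blog's code: it runs without an OIM server (Java 8+), replaces the split(",")/split("=") chain on UD_OID_GRP_GROUP_NAME with RDN parsing that honours LDAP escaping, and replaces the String compareTo() on "Access Policies.Update Date", which is assumed (as in both posts) to start with yyyy-MM-dd. The sample DNs and role names in main() are constructed.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not the blog's code: the pure logic shared by the two access-policy
// dumps, isolated so it runs without an OIM server (Java 8+ for java.time/String.join).
// rdnValue() replaces the split(",")/split("=") chain on UD_OID_GRP_GROUP_NAME;
// modifiedWithinDays() replaces the String compareTo() on "Access Policies.Update Date".
public class AccessPolicyGroupMapping {
    /** Value of the first RDN, e.g. "cn=Sales\, EMEA,cn=Groups,..." -> "Sales, EMEA". */
    public static String rdnValue(String dn) {
        if (dn == null) return "";
        StringBuilder first = new StringBuilder();
        for (int i = 0; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (c == '\\' && i + 1 < dn.length()) {
                first.append(dn.charAt(++i));      // escaped character: keep it literally
            } else if (c == ',') {
                break;                              // unescaped comma ends the first RDN
            } else {
                first.append(c);
            }
        }
        int eq = first.indexOf("=");
        // No "=" means the value is not a DN; the posts' arrtemp2[1] would throw here
        return eq < 0 ? first.toString().trim() : first.substring(eq + 1).trim();
    }

    /** True when updateDate (assumed to start with yyyy-MM-dd) lies in the last 'days' days up to 'today'. */
    public static boolean modifiedWithinDays(String updateDate, int days, LocalDate today) {
        if (updateDate == null || updateDate.length() < 10 || days < 0) return false;
        try {
            LocalDate updated = LocalDate.parse(updateDate.substring(0, 10),
                    DateTimeFormatter.ISO_LOCAL_DATE);
            return !updated.isBefore(today.minusDays(days)) && !updated.isAfter(today);
        } catch (DateTimeParseException e) {
            return false;   // unparsable date: skip this policy instead of failing the whole task
        }
    }

    /** Role name -> target group CNs in first-seen order; duplicate child-table rows collapse. */
    public static Map<String, Set<String>> buildRoleGroupMapping(Map<String, List<String>> roleToGroupDns) {
        Map<String, Set<String>> mapping = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : roleToGroupDns.entrySet()) {
            Set<String> groups = new LinkedHashSet<>();
            for (String dn : e.getValue()) {
                String cn = rdnValue(dn);
                if (!cn.isEmpty()) groups.add(cn);
            }
            mapping.put(e.getKey(), groups);
        }
        return mapping;
    }

    /** One flat-file line per role: role<fieldDelim>group<listDelim>group... as the task writes it. */
    public static List<String> toFlatFileLines(Map<String, Set<String>> mapping,
                                               String fieldDelim, String listDelim) {
        List<String> lines = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : mapping.entrySet()) {
            lines.add(e.getKey() + fieldDelim + String.join(listDelim, e.getValue()));
        }
        return lines;
    }

    public static void main(String[] args) {
        // Constructed sample: what getChildTableRecords() would yield for two roles
        Map<String, List<String>> sample = new LinkedHashMap<>();
        sample.put("FTB Finance Analyst", Arrays.asList(
                "cn=FinanceRead,cn=Groups,dc=example,dc=com",
                "cn=Sales\\, EMEA,cn=Groups,dc=example,dc=com",   // escaped comma inside the CN
                "cn=FinanceRead,cn=Groups,dc=example,dc=com"));   // duplicate row
        sample.put("FTB Auditor", Arrays.asList("AuditViewers"));  // not a DN at all
        LocalDate today = LocalDate.of(2013, 2, 2);
        System.out.println(modifiedWithinDays("2013-01-30 09:15:00.0", 5, today));
        System.out.println(modifiedWithinDays("2013-01-20", 5, today));
        for (String line : toFlatFileLines(buildRoleGroupMapping(sample), ",", ";")) {
            System.out.println(line);
        }
    }
}
```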
References:
http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/Thor/API/Operations/tcAccessPolicyOperationsIntf.html
http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/com/thortech/xl/vo/AccessPolicyResourceData.html


Thanks

Creating Another OID Account With Superuser Privileges

Hi,

If you want to create a user with the same privileges as the superuser cn=orcladmin, then you need to assign the privileged groups below to the user account. You can query for those groups by searching for entries with "uniquemember=cn=orcladmin", or you can use the information provided below:

dn: cn=OracleDBCreators,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleNetAdmins,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleContextAdmins,cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDomainAdmins,cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDBAQUsers, cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=iASAdmins, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=authenticationServices, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=verifierServices, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=UserProxyPrivilege, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASAdminGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASUserPriv, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASConfiguration, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASGroupPriv, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASCreateUser, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASDeleteUser, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASEditUser, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASCreateGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASDeleteGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASEditGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=oraclemanageextendedpreferences, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleResourceAccessGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=ComputerAdmins, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=UMAdminsGroup,cn=UMContainer,cn=Products,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASServiceAdminGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASAccountAdminGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=ASPAdmins, cn=groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=IAS & User Mgmt Application Admins, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=Trusted Applications Admins, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=Common User Attributes, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=Common Group Attributes, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=PKIAdmins,cn=groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=CRLAdmins,cn=groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OCS_PORTAL_USERS, cn=groups,dc=ftb,dc=ca,dc=gov
changetype: modify
add: uniquemember
uniquemember: <>



Replace the <> with your user account's DN, save the above entries in an LDIF file and run the ldapmodify command to assign superuser-like privileges to the user.

Note: If you want the above user account to be able to modify the schema (object classes and attributes) and the security settings in Oracle Internet Directory, then add the following privilege group as well (this one uses the member attribute rather than uniquemember):

dn: cn=DirectoryAdminGroup,cn=oracle internet directory
changetype: modify
add: member
member: <>
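An offline audit of the memberships granted above, as an added example that is not part of the post: it parses an LDIF export of the privileged groups and lists every account holding them, so that any second orcladmin-equivalent account shows up in a review. The LDIF text and the account names are constructed; the group DNs are the ones listed above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not from the post: an offline audit of an LDIF export of the privileged
// groups listed above, reporting every account that holds these orcladmin-equivalent
// memberships. The LDIF below is constructed; the group DNs are taken from the post.
public class PrivilegedGroupAudit {

    /** Minimal LDIF reader: entries separated by blank lines, folded lines start with one space. */
    public static Map<String, List<String>> parseMembers(String ldif) {
        Map<String, List<String>> groupToMembers = new LinkedHashMap<>();
        String dn = null;
        List<String> attrs = new ArrayList<>();
        for (String raw : (ldif + "\n").split("\n", -1)) {   // -1 keeps the final empty line
            if (raw.startsWith(" ") && !attrs.isEmpty()) {   // folded line: append to previous attribute
                attrs.set(attrs.size() - 1, attrs.get(attrs.size() - 1) + raw.substring(1));
            } else if (raw.trim().isEmpty()) {                // blank line: end of entry
                if (dn != null) groupToMembers.put(dn, members(attrs));
                dn = null;
                attrs = new ArrayList<>();
            } else if (raw.toLowerCase().startsWith("dn:")) {
                dn = raw.substring(3).trim();
            } else if (!raw.startsWith("#")) {
                attrs.add(raw);
            }
        }
        return groupToMembers;
    }

    /** uniquemember/member values of one entry, in comparison form. */
    private static List<String> members(List<String> attrLines) {
        List<String> out = new ArrayList<>();
        for (String line : attrLines) {
            int colon = line.indexOf(':');
            if (colon < 0) continue;
            String name = line.substring(0, colon).trim().toLowerCase();
            if (name.equals("uniquemember") || name.equals("member")) out.add(normalize(line.substring(colon + 1)));
        }
        return out;
    }

    /** DN comparison form: lower-case with no whitespace after the RDN separators. */
    static String normalize(String dn) {
        return dn.trim().replaceAll(",\\s+", ",").toLowerCase();
    }

    /** Account DN -> privileged groups it belongs to; groups outside 'privilegedGroups' are ignored. */
    public static Map<String, Set<String>> membershipsByAccount(Map<String, List<String>> groupToMembers,
                                                               Set<String> privilegedGroups) {
        Map<String, Set<String>> byAccount = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : groupToMembers.entrySet()) {
            String group = normalize(e.getKey());
            if (!privilegedGroups.contains(group)) continue;
            for (String m : e.getValue()) {
                byAccount.computeIfAbsent(m, k -> new LinkedHashSet<>()).add(group);
            }
        }
        return byAccount;
    }

    public static void main(String[] args) {
        // Constructed export: two privileged groups from the post plus one ordinary group
        String ldif = "dn: cn=OracleContextAdmins,cn=Groups,cn=OracleContext\n"
                + "uniquemember: cn=orcladmin\n"
                + "uniquemember: cn=svc_backup,cn=Users,\n"
                + " dc=example,dc=com\n"                              // folded continuation line
                + "\n"
                + "dn: cn=OracleDASAdminGroup, cn=Groups,cn=OracleContext\n"
                + "uniquemember: cn=orcladmin\n"
                + "uniquemember: cn=svc_backup, cn=Users, dc=example, dc=com\n"
                + "\n"
                + "dn: cn=Staff,cn=Groups,dc=example,dc=com\n"
                + "uniquemember: cn=jdoe,cn=Users,dc=example,dc=com\n";
        Set<String> privileged = new LinkedHashSet<>(Arrays.asList(
                normalize("cn=OracleContextAdmins,cn=Groups,cn=OracleContext"),
                normalize("cn=OracleDASAdminGroup, cn=Groups,cn=OracleContext")));
        Map<String, Set<String>> byAccount = membershipsByAccount(parseMembers(ldif), privileged);
        for (Map.Entry<String, Set<String>> e : byAccount.entrySet()) {
            boolean full = e.getValue().size() == privileged.size();
            System.out.println(e.getKey() + " : " + e.getValue().size() + " privileged group(s)"
                    + (full ? "  <-- holds every privileged group in the export" : ""));
        }
    }
}
```

In a real review, feed it the output of an ldapsearch over the group DNs in this post instead of the constructed string; any account other than cn=orcladmin flagged as holding every group is an extra superuser to account for.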


References:

http://docs.oracle.com/cd/E12839_01/oid.1111/e10029/oid_susers.htm#CIHDCHHI

Thanks

Wednesday, October 3, 2012

Don't waste your time using DSCC


This isn't the first time I have felt frustrated using DSCC (Directory Service Control Center). I am not someone who prefers a GUI over the CLI, but sometimes you just want to use the GUI, either because you don't have time or because you feel lazy.

If you try deleting ACIs (Access Control Instructions) from DSCC, you will feel exactly like me: drained and frustrated, wondering why it doesn't work most of the time.

Not only this, if you have multi-master replication enabled in your environment, then you might have come across a GUI bug. Ideally, the number of entries in each server should be the same, but that is not what DSCC shows. You will see one of your directory server instances lagging behind the others in terms of record count even though there is no problem with the replication setup. In short, if you want to check the replication health/status, please don't use DSCC; use the insync utility instead.

So, my advice to all is: use the CLI instead of the GUI.

Anyway, I am going back to work; I have to resolve an OIM LDAP Synch issue.

 

Tuesday, October 2, 2012

ODSEE 11g: Struggle in Setting up Referral

While going through the ODSEE 11g administration guide, I came across the section "Setting Referrals". I do remember configuring referrals on the directory server when it was still a Sun product, I think in version 5.2.

Taking this as a perfect opportunity to refresh my memory and get my hands dirty, I created two new directory server instances, Instance 1 (-p 11389 -P 12389) and Instance 2 (-p 21389 & 22389), and populated a few records in Instance2. Then I configured the referral URL in Instance2 (so that every ldapsearch request on Instance2 would be referred to Instance1) using the command below:

./dsconf set-server-prop -h localhost -p 21389 ou=corporate,o=com referral-url:ldap://localhost:11389

but this gave me a syntax error saying that

ou=corporate,o=com is not a valid PROP:VAL.
The operation set-server-prop failed on Instance2 21389.


I tried a few more possible combinations, like:

./dsconf set-server-prop -h localhost -p 21389 referral-url:ldap://localhost:11389/ou=corporate,o=com

I also tried specifying the FQDN instead of localhost, but nothing worked.

As per the Oracle documentation, the syntax is:

./dsconf set-server-prop -h host -p port suffix-DN referral-url:referral-URL


I don't see anything wrong with my command as per the docs. Nevertheless, I posted my issue on the Oracle forums and searched support.oracle.com for clues, but found nothing on it. Also, I can't find any option in DSCC to configure referrals, although you can use it to remove referrals. What the heck!!

I hope to find some clues on this issue by tomorrow.

10/03: Tried setting smart referrals and referrals at the suffix level, but still no luck.


Have a good day!
Sunny


Thursday, July 12, 2012

OIM-OAM Integration (LDAP Synch): LDAP User Create and Update Reconciliation task Doesn't work

Issue: LDAP User Create and Update Reconciliation task doesn't create/update the user/role in Directory Server


Troubleshooting Notes:


Kevin Pinsky -

When you configure OVD and your Change Log Adapter, you have it configured to only record changes by users in the modifyDNFilter value. To record any changes not made by the admin account, use the value "!(modifiersname=cn=orcladmin)" in the plugin. Now, if you modify a user with an account other than cn=orcladmin, your scheduled task will pick up the latest changelog events and create recon events for them. I assume this would work with newly created users as well. You'll also notice your scheduled task will update the Last Change Number attribute to the last value reconciled.

Manish Gupta

1. Tactical solution we used was to unlock the users manually in OID (ODSM) or OIM (OIM Console), and run full/incremental reconciliation.

2. Permanent solution was provided by a patch to OIM 11.1.1.5.2, as a response to our SR

a. Upgrade the OIM to 11.1.1.5.2 (i.e. BP 02);
b. Apply one off patch # 12390753

The above happened in our case when OAM & OIM were integrated.