DevTech101

DevTech101
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 1.00 out of 5)
Loading...
Below is a continuation on how to migrate ODSEE, ISW To OUD and DIP. you can access Part 1 here. Since the migration is quite complex, I am splitting the configuration into separate parts. This is part 2, Configuring OUD, Install and configure OUD Gateway.

Creating an OUD instance and configuration

To install and configure and OUD instance, just run the below.
/oud/Oracle/Middleware/Oracle_Home/oud/oud-setup
Select: ldap and http for the new reset API interface. Select: Certificate key create in Part 1 (with key name ldap-cert if asked) On the first OUD instance configure replication user/port and create a replication password. Select: Check Enable DIP (not EUS) Set memory for your configuration. (I used 4Gb) Completed the configuration. Screen captures are below. If Joining an existing replication configuration Tip: On all additional OUD instance(s), select to join the existing replication, specify any other existing instance to join then accept the certificate. Note: Do not configure any additional OUD instances yet, we first need to configure the replication gateway as outlined below.

Configuring OUD instance

Set the below configuration, this might be required for your ODSEE instances. Run on all OUD instances (after installed). Note: This settings are not replicated and need to be set on each instance separately.
dsconfig set-global-configuration-prop --set single-structural-objectclass-behavior:accept -n -j /tmp/pw.txt --trustAll
dsconfig set-attribute-syntax-prop --syntax-name Directory\ String --set allow-zero-length-values:true -n -j /tmp/pw.txt --trustAll

# the below will allow invalid characters
dsconfig set-global-configuration-prop --set allow-attribute-name-exceptions:true -n -j /tmp/pw.txt --trustAll
Next, copy your costume schema files (if you have)
cp /var/tmp/schema/* asinst_1/OUD/config/schema/
Migrate all other roles/indexes (pre final stage) from ODSEE
$Oracle_Home/asinst_1/OUD/bin/ds2oud --migrateAll \
-D "cn=directory manager" -j /tmp/pw \
-h odsee_ldap1.domain.com \
-p 389 \
--oudBindDN "cn=directory manager" \
--oudBindPasswordFile /tmp/pw \
--oudHostname ldap1.domain.com \
--oudAdminPort 4444 \
--oudPort 1389
Below is a list of items you might need to change while running the above script
  1. Change global index-entry-limit value from 4000 > 8000
  2. Remove approximate from index matching rule 1.3.6.1.4.1.42.2.27.9.4.150 – (ds-cfg-attribute=objectclass,cn=Index,cn=userRoot,cn=Workflow elements,cn=config)
  3. Remove the two attributes below for this plugin to work Entry cn=Referential Integrity,cn=Plugins seeAlso: Equality owner: Equality

OUD replication gateway configuration

We are now ready to start configuring the OUD replication gateway, you do so by running the below.
/oud/Oracle/Middleware/Oracle_Home/oud/oud-replication-gateway-setup
Leave all the defaults. Select > ODSEE => OUD and OUD => ODSEE (if you like two way updates. Note: I had issues using/setting SSL from OUD => ODSEE as it wasn’t working with any certificates I tested. OUD Gateway setup screen captures are below. Next, get a one time export from your ODSEE instance.
dsadm export \
-f opends-export \
--exclude uid=PSWConnector,dc=domain,dc=com \
/odsee_ldap_path \
dc=domain,dc=com \
/tmp/dsee_export.ldif
Exclude the passwordObject objectclass (you might have other things to exclude) cat /oud/certs/dsee_export.ldif-org |egrep -v “passwordObject” >/oud/certs/dsee_export.ldif Also, exclude users:
  1. uid=PSWConnector
  2. cn=nsManagedDisabledRole
  3. cn=nsDisabledRole
Note: You OUD instance path’s are asinst_1/.. and asinst_2 is the OUD reapplication gateway instance. Run the pre-external-initialization configuration
/oud/Oracle/Middleware/Oracle_Home/asinst_2/OUD/bin/dsreplication pre-external-initialization \
--hostname ldap1.domain.com \
--port 4444 \
--adminUID admin \
--adminPasswordFile /oud/certs/pw.txt \
--baseDN dc=domain,dc=com \
--trustAll \
--no-prompt \
--noPropertiesFil
Next, we need a one time import of all data from ODSEE => OUD, you do so by running the below. Note: Use the odsee dsee_export.ldif export file from above.
#Stop the OUD instance
/oud/Oracle/Middleware/Oracle_Home/asinst_1/OUD/bin/stop-ds

/oud/Oracle/Middleware/Oracle_Home/asinst_1/OUD/bin/import-ldif -l /oud/certs/dsee_export.ldif \
-b dc=domain,dc=com \
--skipSchemaValidation \
--skipDNValidation  \
--overwrite \
--rejectFile rejected.ldif \
--skipFile skipped.ldif
/oud/Oracle/Middleware/Oracle_Home/asinst_2/OUD/bin/import-ldif \
--hostname ldap1.domain.com \
--port 4444 \
--bindDN cn=directory\ manager \
--bindPasswordFile /oud/certs/pw.txt \
--includeBranch dc=domain,dc=com \
--excludeAttribute nsAccountLock \
--excludeAttribute nsRoleDN \
--excludeAttribute nsTimeLimit \
--ldifFile /oud/certs/dsee_export.ldif \
--rejectFile rejected.ldif \
--skipFile skipped.ldif \
--skipSchemaValidation \
--clearBackend --trustAll \
--noPropertiesFile

Start the OUD instance
/oud/Oracle/Middleware/Oracle_Home/asinst_1/OUD/bin/start-ds
Next, run the post-external-initialization on the gateway.
/oud/Oracle/Middleware/Oracle_Home/asinst_2/OUD/bin/dsreplication post-external-initialization \
--hostname ldap1.domain.com \
--port 4444 \
--adminUID admin \
--adminPasswordFile /oud/certs/pw.txt \
--baseDN dc=domain,dc=com \
--trustAll \
--no-prompt \
--noPropertiesFile
Lastly, (optional)you might wont to rebuild index(s), do so by running the below.
/oud/Oracle/Middleware/Oracle_Home/asinst_1/OUD/bin/rebuild-index \
--hostname ldap.domain.com \
--port 4444 \
--bindDN cn=directory\ manager \
--bindPasswordFile /oud/certs/pw.txt \
-b dc=domain,dc=com --rebuildAll --trustAll

# If the above is not working, you can try the below (you will have to stop the instance to do so.
/oud/Oracle/Middleware/Oracle_Home/asinst_1/OUD/bin/rebuild-index --baseDN "dc=domain,dc=com" --rebuildAll
Additional OUD configuration changes. Enable un-index search’s with dsconfig. Run dsconfig
  1. General Configuration > Global Configuration > View and edit the Global
  2. Configuration > disabled-privilege
  3. Select > unindexed-search and proxy-authid.
To fix the error issue / below – make sure to edit ACI in OUDSM (or by commend line).
[24/May/2018:09:00:26 -0400] SEARCH RES conn=282 op=2613 msgID=2614 result=50 message="The request control with Object Identifier (OID) "1.3.6.1.4.1.42.2.27.9.5.8" cannot be used due to insufficient access rights" nentries=0 etime=0
Note: Fix the above error/issue by changing on each directory as ACI’s are not reduplicated.
  • Authenticated users control access > from userdn = “ldap:///all” to userdn = “ldap:///anyone”
  • And add to target control, the 1.3.6.1.4.1.42.2.27.9.5.8 control

Complete OUD Multi Master configuration

After the First OUD instance is working and populated with all ODSEE data, and OUD replication gateway is up and working. Next, complete the installation of all other OUD instances, by running the same steps outlined above for the OUD instance. Note: Only install/run the OUD instance and join the first instance with replication. there is no need to configure another replication gateway unless you would like to have another instance for HA. Also, on all other OUD instances you might need to create manually the VLV Index(s) and regular index’s, you can do so by running the below. Note: This is usually only needed if you have native LDAP (solaris/linux). Examples:
#Regular index
dsconfig --hostname localhost --port 4444 -X create-local-db-index --element-name userRoot --index-name membernisnetgroup \
--set index-type:presence \
--set index-type:equality \
--set index-type:substring \
--set index-entry-limit:8000 \
--bindDN cn=Directory\ Manager \
--bindPasswordFile /oud/certs/pw.txt \
--trustAll --no-prompt

#Regular vlv-index
dsconfig -h localhost -p 4444 \
-X create-local-db-vlv-index \
--element-name userRoot --index-name domain.com.getauduent \
--set sort-order:"cn uid" \
--set base-dn:ou=people,o=bhphoto.com,dc=domain,dc=com \
--set filter:"(objectClass=SolarisAuditUser)" \
--set scope:whole-subtree \
--bindDN cn=Directory\ Manager \
--bindPasswordFile /oud/certs/pw.txt \
--trustAll --no-prompt

# Rebuild index
rebuild-index --baseDN userRoot --index domain.com.getauduent
You can get the full index and VLV-index script from here. Tip: To uninstall an instance run the below.
asinst_1/OUD/uninstall -i -n -a
In the article we have completed the OUD configuration. In Part 3 I am going to show you – how to Install, Configure WLS, OID, OUD required for DIP Instance. To continue reading Part 3 click here. Like what you’re reading? please provide feedback, any feedback is appreciated.
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x
%d bloggers like this: