EUS and OUD proxy: configure the proxy to use a non-directory manager user

When OUD is used for EUS as a proxy server, it needs specific credentials to connect to the LDAP server that is actually storing the users and groups.

Those credentials are set in the configuration of the proxy-ldap-workflow-element, through the parameters remote-ldap-server-bind-dn and remote-root-dn. Usually, the credentials for the LDAP server administrator are used: cn=directory manager for ODSEE or OUD, cn=administrator,cn=users,<baseDN> for Active Directory.

Some customers do not want to use the LDAP administrator credentials. In this case, it is possible to use an alternate user identity, but this user must comply with specific requirements depending on the LDAP server flavour.

It is also possible to use two different users, one as remote-root-dn and another one as remote-ldap-server-bind-dn.

Reminder: the remote-ldap-server-bind-dn is the identity used to connect to the LDAP server for all the operations directly performed by the Database. The remote-root-dn is the identity used to perform internal operations triggered by the Database.

For instance, if the database connects to OUD proxy and performs a search for (uid=joe) with a control requesting the user account status, the search may have to be handled in multiple steps by OUD proxy, depending on the LDAP server flavour. A first step would be the actual search on the LDAP server, and a second step would translate the control into an internal extended operation requesting the user account status.

Follow the steps corresponding to your LDAP server.

Active Directory deployments

  • The remote-ldap-server-bind-dn must be able to read all the attributes on dc=example,dc=com.
  • The remote-root-dn must be able to read all the attributes on dc=example,dc=com.

ODSEE deployments

  • The remote-ldap-server-bind-dn must be able to read dc=example,dc=com. You can use the following command to define the required ACI on ODSEE (replace cn=eusproxy,dc=example,dc=com with the appropriate value):
$ ldapmodify -h odseehost -p odseeport -D odseeadmin -w odseepassword
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Read access to eus proxy user"; allow (read, search, compare) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)
  • The remote-root-dn must be able to read dc=example,dc=com (replace cn=eusroot,dc=example,dc=com with the appropriate value):
$ ldapmodify -h odseehost -p odseeport -D odseeadmin -w odseepassword
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "example"; allow (read,search,compare) userdn="ldap:///cn=eusroot,dc=example,dc=com";)
  • The remote-root-dn must be able to use the Password Policy Account Management extended operation:
$ ldapmodify -h odseehost -p odseeport -D odseeadmin -w odseepassword
dn: oid=1.3.6.1.4.1.42.2.27.9.6.25,cn=features,cn=config
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "Pwd Policy Acct Mgt for eus proxy user"; allow (read, search, compare) userdn="ldap:///cn=eusroot,dc=example,dc=com";)
  • The remote-root-dn must be able to use the Account Usable Control (already allowed by default).

OUD deployments

  • The remote-ldap-server-bind-dn must be able to use the control 2.16.840.1.113894.1.8.16. Define a global-aci using:
$ dsconfig -h oudhost -p oudadminport -D "cn=directory manager" -j pwd.txt -X -n set-access-control-handler-prop --add global-aci:\(targetcontrol=\"2.16.840.1.113894.1.8.16\"\)\(version\ 3.0\; acl\ \"Allow\ eusproxy\ user\ to\ use\ EUS\ control\"\; allow\(read\)\ userdn=\"ldap:///cn=eusproxy,dc=example,dc=com\"\;\)
  • The remote-ldap-server-bind-dn must be able to read dc=example,dc=com and to write the orclaccountstatusevent attribute on users below dc=example,dc=com. Use ldapmodify to create the following aci:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="orclaccountstatusevent")(version 3.0; acl "EUS write orclaccountstatusenabled"; allow (write) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "EUS reads users and groups"; allow (read,search,compare) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)
  • The remote-root-dn must be able to use the Password Policy State extended operation. Define a global-aci using:
$ dsconfig -h oudhost -p oudadminport -D "cn=directory manager" -j pwd.txt -X -n set-access-control-handler-prop --add global-aci:\(extop=\"1.3.6.1.4.1.26027.1.6.1\"\)\(version\ 3.0\; acl\ \"Allow\ eusroot\ user\ to\ use\ extop\"\; allow\(read\)\ userdn=\"ldap:///cn=eusroot,dc=example,dc=com\"\;\)
  • The remote-root-dn must have the password reset privilege. Use ldapmodify to add the privilege:
dn: cn=eusroot,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset
  • The remote-root-dn must have the rights to read the tree below the base DN. Use ldapmodify to define the following aci:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "EUS reads users and groups"; allow (read,search,compare) userdn="ldap:///cn=eusroot,dc=example,dc=com";)

Novell eDirectory deployments

Refer to Novell documentation to define the appropriate eDirectory rights:

  • The remote-ldap-server-bind-dn must have read access to all the attributes on dc=example,dc=com.
  • The remote-root-dn must be able to retrieve the Universal Password and to write on dc=example,dc=com.

Use an alternate identity for EUS configuration

During EUS setup, the administrator needs to provide a user DN and password to authenticate to the directory server (for instance during the dbca step, or while using eusm or Enterprise Manager).

In some companies, the database and the LDAP server are managed by different teams and the LDAP administrator credentials cannot be provided to the database administrator. In this case, it is possible to administer EUS using an alternate identity, i.e. not cn=directory manager. The requirements for this alternate identity are the following:

  • the user must be a member of the group cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<base DN>
  • the user must have the password-reset privilege

Here is an example of the configuration steps: create an input.ldif file with the following content:

$ cat input.ldif
dn: cn=eusadmin,cn=oraclecontext
changetype: add
objectclass: inetorgperson
cn: eusadmin
sn: eusadmin
uid: eusadmin
userpassword: password

dn: cn=eusadmin,cn=oraclecontext
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: cn=OracleContextAdmins,cn=groups,cn=OracleContext,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=eusadmin,cn=oraclecontext

Then apply it with:

$ $ORACLE_HOME/bin/ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w password -f input.ldif

Note 1: this EUS admin user can be stored in your preferred location inside the DIT, but NOT BELOW cn=oraclecontext,<base DN>. For instance, cn=eusadmin,ou=people,dc=example,dc=com is valid, but cn=eusadmin,cn=oraclecontext,dc=example,dc=com is NOT valid.

Note 2: the EUS admin user does not have to be named eususer.

Note 3: if OUD is installed as a proxy server, then the EUS admin user must be stored locally inside OUD proxy, and for instance cn=eususer,cn=oraclecontext would be a valid location.
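The placement rule from Note 1 is easy to get wrong by hand, so here is an added helper (not part of the original post or of any Oracle tool) that checks a candidate EUS admin DN against it and then emits the three LDIF records of the example above for that DN. The function names are my own; DN handling assumes no escaped commas in the DNs, which holds for the DNs used on this page.

```python
"""Generate the LDIF for an alternate EUS administrator (not cn=directory manager).

Assumptions (mine, not from the post): DNs contain no escaped commas, and the
group lives at cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<base DN>.
"""


def _rdns(dn: str) -> list:
    """Split a DN into normalised RDNs: lower-cased, surrounding whitespace removed."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_below(dn: str, ancestor: str) -> bool:
    """True if dn is strictly below ancestor in the DIT (case-insensitive RDN match)."""
    child, parent = _rdns(dn), _rdns(ancestor)
    return len(child) > len(parent) and child[-len(parent):] == parent


def validate_eus_admin_dn(user_dn: str, base_dn: str) -> bool:
    """Note 1: the EUS admin must NOT be stored below cn=OracleContext,<base DN>.

    A DN such as cn=eusadmin,cn=oraclecontext (no base DN, the proxy-local
    location of Note 3) is not below that entry and therefore passes.
    """
    return not is_below(user_dn, f"cn=OracleContext,{base_dn}")


def build_eus_admin_ldif(user_dn: str, base_dn: str, password: str) -> str:
    """Return the LDIF that creates the user, grants password-reset and adds it to the group."""
    if not validate_eus_admin_dn(user_dn, base_dn):
        raise ValueError(f"{user_dn} is below cn=OracleContext,{base_dn}; pick another location")
    cn = user_dn.split(",")[0].split("=", 1)[1].strip()
    group_dn = f"cn=OracleContextAdmins,cn=Groups,cn=OracleContext,{base_dn}"
    records = [
        f"dn: {user_dn}\nchangetype: add\nobjectclass: inetorgperson\n"
        f"cn: {cn}\nsn: {cn}\nuid: {cn}\nuserpassword: {password}\n",
        f"dn: {user_dn}\nchangetype: modify\nadd: ds-privilege-name\n"
        "ds-privilege-name: password-reset\n",
        f"dn: {group_dn}\nchangetype: modify\nadd: uniquemember\nuniquemember: {user_dn}\n",
    ]
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample values; feed the output to ldapmodify -f as in the post.
    print(build_eus_admin_ldif("cn=eusadmin,ou=people,dc=example,dc=com",
                               "dc=example,dc=com", "password"))
```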