One of the worst-documented areas in OAM: customizing pages with DCC.
One revelation: you must use login.pl when you want logout.pl to work, as login.pl seems to build the "Callback URL" list that logout.pl uses to destroy the session cookies.
Update Sept 2014: this blog entry of the ATeam looks promising; part two is on how to customize DCC login pages.
Monday, March 31, 2014
Wednesday, March 26, 2014
Access Management alternatives (Part 1: Directory Services)
Intro
At the governmental institute that hired me, I'm working hard to get the full Oracle Identity and Access Management (IAM) stack implemented. A colleague suggested OpenIAM, which, at closer look, turns out to be a fork of what I believe to be the origin of the Oracle stack, Sun's OpenSSO.
So, I started looking at this stack, which is available from ForgeRock. Let's start with the basis: directory services.
Directory Services
As Oracle moves away from Internet Directory (OID) and Virtual Directory (OVD) towards the Unified Directory server (OUD), I found that OUD actually is the Sun Directory Server. Just look at the installation logs of OUD; there are references to
org.opends.quicksetup.installer
And OpenDS was Sun's Directory Server (of which they carried an Enterprise Edition, too: ODSEE - OpenDirectoryServer EE, now dubbed Oracle Directory Server EE). OpenDS was donated to the open source community and picked up by ForgeRock to become OpenDJ. Here is more info on that.
Acquire and Install
According to the Installation Manual, OpenDJ 2.6.1 is out, but I did not see a link on the download page. I will go for 2.6.0, noting that Oracle's plans to add capabilities to OUD are similar to OpenDJ's plans: OpenDJ V4 should be capable of virtualisation, like OVD.
Compatibility with Oracle products
There are several articles to be found on how to integrate this open stack with Oracle products like Forms, Reports, OBIEE, etc. I have not found any on Enterprise User Security combined with TNS name resolving, so I will attempt to do that, as I have done for OUD as well.
Notable entries in the OUD setup log are:
$ORACLE_HOME/config/EUS/oracleContext.ldif
The installation should be simple:
- create "opensso" as install directory as well as user.
- download and install the software.
- configure OpenDJ.
Installation Details
As root:
[root@openiam ~]# useradd opensso
[root@openiam ~]# passwd opensso
Changing password for user opensso.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@openiam ~]# mkdir -p /opensso/mnt
[root@openiam ~]# chown -R opensso /opensso
[root@openiam ~]# mount -o soft,intr,rsize=32768,wsize=8192,nolock 192.168.4.199:/volume1/oracle /opensso/mnt
Now I need Java before installing OpenDJ (the "J" does signify Java...). I have the V8 rpm already downloaded, so let's see:
[root@openiam ~]# rpm -iv /opensso/mnt/Software/java/jre-8-linux-x64.rpm
Preparing packages for installation...
jre-1.8.0-fcs
Unpacking JAR files...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
jfxrt.jar...
[root@openiam ~]# rpm -qa|grep -i jre
jre-1.8.0-fcs.x86_64
[root@openiam ~]# rpm -iv /opensso/mnt/Software/Forgerock/opendj-2.6.0-1.noarch.rpm
Preparing packages for installation...
Pre Install - initial install
opendj-2.6.0-1
Post Install - initial install
That's it. For now, I used the rpm, simply because it is the easiest way.
Configure
As the installation here was done using rpm, which requires root privileges, the setup can be executed as root. That allows the program to run on privileged ports such as 389 (LDAP) and 636 (LDAPS); these are the standard LDAP ports. Whenever you do not want that, for whatever reason, do NOT run setup as a non-root user on top of the rpm install, but do use the zip file: extract it and run setup from whatever install directory as a non-privileged user.
The latter option allows none of the OpenDJ files and executables to be owned by root; the first will create an instance owned by root (and therefore able to open privileged ports).
The combo (install rpm as root, run setup as non-privileged user) does not work without additional fiddling (the installer cannot create directories for the configuration).
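A quick audit of which account owns the listening LDAP process, as an added example that is not code from the original post or from ForgeRock: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and flags a `java` listener on a port below 1024 that runs as root, which is exactly the trade-off described above. The sample lines are constructed, not captured from the author's host, and the ports 1389 and 4444 for the non-root instance are assumed values.

```shell
#!/bin/sh
# Added example (not code from the original post): check which account owns the
# process behind each LDAP listener, so a root-owned instance on 389/636 and a
# non-root instance on an unprivileged port can be told apart.
# Input format is that of `lsof -nP -iTCP -sTCP:LISTEN`; the lines below are
# constructed sample data, not output captured from the author's host.
SAMPLE_LSOF='COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java     2211    root   52u  IPv4  30012      0t0  TCP *:389 (LISTEN)
java     2211    root   53u  IPv4  30013      0t0  TCP *:636 (LISTEN)
java     2450 opensso   61u  IPv4  31990      0t0  TCP *:1389 (LISTEN)
java     2450 opensso   62u  IPv6  31991      0t0  TCP [::]:4444 (LISTEN)
sshd      801    root    3u  IPv4   2001      0t0  TCP *:22 (LISTEN)'

# listeners "<lsof output>" <command>
# Prints one line per listener of <command>: "<port> <user> privileged|unprivileged"
listeners() {
  printf '%s\n' "$1" | awk -v cmd="$2" '
    NR > 1 && $1 == cmd {
      n = split($9, a, ":")          # NAME column, e.g. *:389 or [::]:4444
      port = a[n] + 0                # last element after ":" is the port
      printf "%s %s %s\n", port, $3, (port < 1024 ? "privileged" : "unprivileged")
    }'
}

# root_on_privileged_port "<lsof output>" <command>
# Exit status 0 when <command> holds a port below 1024 as root, 1 otherwise
root_on_privileged_port() {
  listeners "$1" "$2" | awk '$2 == "root" && $3 == "privileged" { found = 1 }
                             END { if (found) exit 0; exit 1 }'
}

# Live run against the current host (requires lsof to be installed)
audit_live() {
  root_on_privileged_port "$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)" java
}

# Demonstration on the constructed sample: root owns 389 and 636, opensso owns 1389
listeners "$SAMPLE_LSOF" java
if root_on_privileged_port "$SAMPLE_LSOF" java; then
  echo "java listens on a privileged port as root (rpm/root setup)"
else
  echo "no root-owned java listener below 1024"
fi
```

Run `audit_live` on a host after setup: an exit status of 0 means the rpm/root variant is in effect, while the zip/non-root variant described above should return 1, because its instance cannot bind ports below 1024 at all.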
Java 8 not supported
Tried to run setup as root with Java 8. It fails to generate self-signed certificates.
It also fails to launch the Control Panel:
java.lang.Error: An unexpected error occurred launching the Control Panel.
at org.opends.quicksetup.ui.QuickSetup$3.processBackgroundTask(QuickSetup.java:444)
at org.opends.quicksetup.util.BackgroundTaskThread.run(BackgroundTaskThread.java:67)
An unexpected error occurred launching the Control Panel.
java.lang.Error: An unexpected error occurred launching the Control Panel.
at org.opends.quicksetup.ui.QuickSetup$3.processBackgroundTask(QuickSetup.java:444)
at org.opends.quicksetup.util.BackgroundTaskThread.run(BackgroundTaskThread.java:67)
An unexpected error occurred launching the Control Panel.
It will probably fail in other places too, and, as this is not on my todo list, I will simply revert to JRE 7u51:
[root@openiam ~]# rpm -e jre
error: Failed dependencies:
jre >= 1.6 is needed by (installed) opendj-2.6.0-1.noarch
[root@openiam ~]# rpm -e opendj jre
Pre Uninstall - uninstall
Server already stopped
Post Uninstall - uninstall
OpenDJ successfully removed.
[root@openiam ~]# rpm -iv /opensso/mnt/Software/java/jre-7u51-linux-x64.rpm
Preparing packages for installation...
jre-1.7.0_51-fcs
Unpacking JAR files...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
jfxrt.jar...
[root@openiam ~]# rpm -iv /opensso/mnt/Software/Forgerock/opendj-2.6.0-1.noarch.rpm
Preparing packages for installation...
Pre Install - initial install
opendj-2.6.0-1
Post Install - initial install
[root@openiam ~]# /opt/opendj/setup
Launching graphical setup...
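A pre-flight check of the JRE on PATH before running setup, as an added example and not code from the original post or from ForgeRock: it reads the version string from `java -version` and accepts Java 6 or 7 for opendj-2.6.0. That acceptance list is this example's own assumption, derived only from the `jre >= 1.6` rpm dependency and the Java 8 failures shown above, and the sample `java -version` output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of the JRE on
# PATH before running /opt/opendj/setup. Accepting 6 and 7 only is an
# assumption derived from the rpm dependency (jre >= 1.6) and the Java 8
# failures above; it is not a ForgeRock support statement.

# Constructed sample of `java -version` output (java prints it on stderr)
SAMPLE_JAVA8='java version "1.8.0"
Java(TM) SE Runtime Environment (build 1.8.0-b132)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b70, mixed mode)'

# Extract the quoted version, e.g. 1.7.0_51, from `java -version` text on stdin
java_version_string() {
  awk -F'"' '/ version "/ { print $2; exit }'
}

# Map a version string to its feature release: 1.7.0_51 -> 7, 11.0.2 -> 11
java_feature_release() {
  case "$1" in
    1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
    *)   printf '%s\n' "$1" | cut -d. -f1 ;;
  esac
}

# Exit status 0 when the release is one this post got working (6 or 7)
jre_ok_for_opendj26() {
  case "$(java_feature_release "$1")" in
    6|7) return 0 ;;
    *)   return 1 ;;
  esac
}

# Check the JRE actually on PATH; 2 = no java found, 1 = rejected, 0 = ok
check_path_jre() {
  v=$(java -version 2>&1 | java_version_string)
  if [ -z "$v" ]; then
    echo "no java found on PATH" >&2
    return 2
  fi
  if jre_ok_for_opendj26 "$v"; then
    echo "JRE $v acceptable for opendj-2.6.0"
  else
    echo "JRE $v rejected: revert to a 7u release before running setup" >&2
    return 1
  fi
}

# Demonstration on the constructed sample
v=$(printf '%s\n' "$SAMPLE_JAVA8" | java_version_string)
if jre_ok_for_opendj26 "$v"; then echo "$v accepted"; else echo "$v rejected"; fi
```

Call `check_path_jre` right before `/opt/opendj/setup`; it stops the run on Java 8 before the certificate generation and Control Panel errors above have a chance to appear.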
The screens are exactly what Oracle Unified Directory uses; Oracle did not yet brand this. Obviously Oracle did add TNS and EUS as options.
And there's a graphical control option, which doubles as an LDAP browser:
So far, so good.
Oracle specifics
Still on the ToDo list:
- extend the schema with Oracle specific Object Identifiers (OIDs).
- extend the schema with Oracle specific ObjectClasses and ObjectTypes.
- prove TNS resolving and EUS can be used with OpenDJ.
As more people have attempted to get TNS Names resolving to work with OpenLDAP, this should not be too daunting a task.