Tuesday, February 17, 2015

Creating Read-Only Users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.
Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having way more privileges than are needed for non-admin functions. We should create read-only LDAP users for the following use cases :
  • LDAP Monitoring at the F5/Load Balancer level (LDAP health check using ldapbind) 
  • Use for username/password for Authenticators in Weblogic Console (which are for only authentication purposes)
  • Providing ODSM login capability to non-admin users to view the LDAP Tree (based on allowed ACLs)
  • Any kind of query only LDAP APIs used in Java Code
  • Separate password policies can be created for read-only users which are different from superusers/realm-admins
Only three tabs are visible in ODSM for read-only users : Home, Data Browser, Schema.
Security and Advanced tabs are not visible.

One of the ways in which the read-only users can be created is : 

  1. Create a text file (e.g., readonly.ldif) with the following:
    dn: cn=readonly, cn=Users,< subscriber domain >
    userpassword: < password >
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    mail: readonly
    givenname: readonly
    uid: readonly
    description: account to have readonly access
    sn: readonly
    cn: readonly

 2. Load the above file with ldapadd command :
ldapadd -h <OID_host> -p <OID_port> -D cn=orcladmin -w <password> -v -f readonly.ldif

Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .
The key is to make sure the user is not a member of any groups.

3. Check Group Memberships:

To verify the user is NOT a member of any group, issue the following search:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=<full_user_DN>)" "dn"

4.Confirm that you are able to bind successfully as the newly created user
ldapbind -h <OID_host> -p <OID_port> -D "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

Reference : Doc ID 746612.1