Bulk authorizing Oracle Unified Directory (OUD) users by adding them to OUD groups from the Linux/Unix Command Line

When using Oracle Unified Directory (OUD) as an identity store, it is occasionally necessary to add OUD users to OUD groups by hand. When you have to grant privileges to one user, this is easily done through the Oracle Directory Services Manager (ODSM) interface. Doing so for more than one user and more than one group, however, quickly turns into a dreadful job. Luckily there are command line utilities that can do it for you. In this blog I'll guide you through the process as I have done it with a given list of user names (e.g. Steven King, Neena Kochhar etc.) and a given list of groups (e.g. cn=Marketing,cn=Groups,dc=oracle,dc=org etc.).

All utilities used in this blog can be found in the ORACLE_HOME/bin directory of OUD. In order to use them you have to set the ORACLE_HOME environment variable and change into that directory, since the commands below are invoked as ./ldapsearch and ./ldapadd:

export ORACLE_HOME=<your-systems-location>
cd $ORACLE_HOME/bin

Find user DNs
To begin with we have to find the distinguished names (DNs) of the user entries by their display names (displayname attribute); the group membership attribute uniquemember expects DNs, not plain user IDs. The search asks only for the uid attribute and sed keeps just the dn line of each matching entry, with the "dn: " prefix stripped. Note that -w puts the bind password into your shell history and into the process list; the OUD tools also accept -j <password-file> to read it from a file instead.

while read p; do
  ./ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -b <base-dn> "(displayname=$p)" uid | sed -n 's/^dn: //p'
done > users.ldif <<EOF
Steven King
Neena Kochhar
Lex De Haan
EOF

It will give you a file users.ldif like:

cn=SKING,cn=Users,dc=oracle,dc=com
cn=NKOCHHAR,cn=Users,dc=oracle,dc=com
cn=LDEHAAN,cn=Users,dc=oracle,dc=com

You should check the file carefully for the correct entries, since display names are not unique. You might end up with duplicates (more than one DN for the same display name), and every one of them would then be added to the groups. Another flaw is that you might be missing some users due to spelling differences or unclear conventions for the display name: you might see "firstname lastname" as well as "lastname, firstname" in one OUD instance. Compare the number of lines in users.ldif with the number of names you searched for before going on.

Add the found users to a given list of groups

First we have to create an LDIF file which can do that for us (using the users.ldif file created before). For every group DN one modify record is written that adds all users at once:

while read p; do
  echo "dn: $p"
  echo "changetype: modify"
  echo "add: uniquemember"
  while read u; do echo "uniquemember: $u"; done < users.ldif; echo
done > authorizations.ldif <<EOF
cn=Administration,cn=Groups,dc=oracle,dc=org
cn=Marketing,cn=Groups,dc=oracle,dc=org
EOF

This will create a file authorizations.ldif like:

dn: cn=Administration,cn=Groups,dc=oracle,dc=org
changetype: modify
add: uniquemember
uniquemember: cn=SKING,cn=Users,dc=oracle,dc=com
uniquemember: cn=NKOCHHAR,cn=Users,dc=oracle,dc=com
uniquemember: cn=LDEHAAN,cn=Users,dc=oracle,dc=com

dn: cn=Marketing,cn=Groups,dc=oracle,dc=org
changetype: modify
add: uniquemember
uniquemember: cn=SKING,cn=Users,dc=oracle,dc=com
uniquemember: cn=NKOCHHAR,cn=Users,dc=oracle,dc=com
uniquemember: cn=LDEHAAN,cn=Users,dc=oracle,dc=com

Then use it to add the authorizations to OUD. First run with the -n flag: the file is parsed and the operations are reported, but nothing is written to the directory, so LDIF syntax errors and wrong DNs are caught before anything changes:
./ldapadd -h <host> -p <port> -D cn=orcladmin -w <password> -n -f authorizations.ldif

Once you have added the users by running ldapadd without the -n option, verify that everything worked as intended. For this purpose the ldapsearch utility can be used, e.g. by reading back the uniquemember attribute of each group and checking that the new DNs are present. Keep in mind that a user who is already a member of a group makes the whole modify record for that group fail with an "attribute or value exists" error, so remove existing members from users.ldif or put them in a separate record.
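The whole procedure, as an added example that is not code from the original post: a bash script that resolves display names to DNs, reports names with zero or several matches instead of silently writing them to users.ldif, and generates the modify LDIF with the "-" separator RFC 2849 expects. The directory content is a constructed LDIF dump embedded in the script (the hypothetical SAMPLE_DIRECTORY variable) so that it runs offline; the real ldapsearch call it stands in for is shown in a comment, and the host, port, base DN and password-file names there are placeholders.

```bash
#!/bin/bash
# Added example, not code from the original post: the same three steps
# (resolve display names, check the result, write a modify LDIF) as functions
# that can be run offline against a constructed directory dump.
set -u

# Constructed stand-in for the OUD instance: what ldapsearch returns for the
# displayname lookups. "Lex De Haan" deliberately matches two entries.
SAMPLE_DIRECTORY='dn: cn=SKING,cn=Users,dc=oracle,dc=com
displayname: Steven King

dn: cn=NKOCHHAR,cn=Users,dc=oracle,dc=com
displayname: Neena Kochhar

dn: cn=LDEHAAN,cn=Users,dc=oracle,dc=com
displayname: Lex De Haan

dn: cn=LDEHAAN2,cn=Users,dc=oracle,dc=com
displayname: Lex De Haan'

# lookup_dns NAME: print the DN of every entry whose displayname equals NAME,
# one per line. Against a live OUD this would be (placeholders assumed):
#   ./ldapsearch -h "$OUD_HOST" -p "$OUD_PORT" -D cn=orcladmin -j pw.txt \
#       -b "$BASE_DN" "(displayname=$1)" 1.1 | sed -n 's/^dn: //p'
lookup_dns() {
    printf '%s\n' "$SAMPLE_DIRECTORY" | awk -v name="$1" '
        /^dn: /          { dn = substr($0, 5) }
        /^displayname: / { if (substr($0, 14) == name) print dn }'
}

# resolve_names: read one display name per line on stdin and print one
# tab-separated report line per name: OK|MISSING|AMBIGUOUS, the name, and the
# DN(s) found (several are joined with ";"). Nothing is silently dropped.
resolve_names() {
    local name dns count
    while IFS= read -r name; do
        if [ -z "$name" ]; then continue; fi
        dns=$(lookup_dns "$name")
        count=$(printf '%s\n' "$dns" | awk 'NF { n++ } END { print n + 0 }')
        if [ "$count" -eq 0 ]; then
            printf 'MISSING\t%s\t\n' "$name"
        elif [ "$count" -gt 1 ]; then
            printf 'AMBIGUOUS\t%s\t%s\n' "$name" "$(printf '%s' "$dns" | tr '\n' ';')"
        else
            printf 'OK\t%s\t%s\n' "$name" "$dns"
        fi
    done
}

# build_modify_ldif GROUPS_FILE DNS_FILE: for every group DN emit one RFC 2849
# modify record that adds every user DN as uniquemember, terminated by "-".
build_modify_ldif() {
    local groups_file="$1" dns_file="$2" group dn
    while IFS= read -r group; do
        if [ -z "$group" ]; then continue; fi
        printf 'dn: %s\nchangetype: modify\nadd: uniquemember\n' "$group"
        while IFS= read -r dn; do
            if [ -n "$dn" ]; then printf 'uniquemember: %s\n' "$dn"; fi
        done < "$dns_file"
        printf -- '-\n\n'
    done < "$groups_file"
}

# Driver: resolve the constructed name list, send anything that is not OK to
# stderr for manual review, and print the LDIF for the unambiguous users only.
run_example() {
    local workdir
    workdir=$(mktemp -d)
    printf '%s\n' 'Steven King' 'Neena Kochhar' 'Lex De Haan' 'Jane Nobody' > "$workdir/names.txt"
    printf '%s\n' 'cn=Administration,cn=Groups,dc=oracle,dc=org' \
                  'cn=Marketing,cn=Groups,dc=oracle,dc=org' > "$workdir/groups.txt"
    resolve_names < "$workdir/names.txt" > "$workdir/report.tsv"
    grep -v '^OK' "$workdir/report.tsv" >&2 || true
    awk -F'\t' '$1 == "OK" { print $3 }' "$workdir/report.tsv" > "$workdir/users.ldif"
    build_modify_ldif "$workdir/groups.txt" "$workdir/users.ldif"
    rm -rf "$workdir"
}

run_example
```

Running it prints the two modify records for SKING and NKOCHHAR on stdout, while the AMBIGUOUS line for Lex De Haan (two DNs) and the MISSING line for Jane Nobody go to stderr; those are exactly the cases the original one-liner would have passed straight into authorizations.ldif. With the ldapsearch call from the comment substituted into lookup_dns, the same script feeds ldapadd -n and then ldapadd as described above.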

This entry was posted in Security.