Server Chaining in OID

1. The server chaining feature was introduced in OID version 10.1.4.0.1.

2. Server chaining maps users, groups and other entries that live in a third-party LDAP directory (Active Directory, iPlanet) so that they can be accessed through OID. This avoids synchronizing identity data between OID and the third-party LDAP server.

3. Currently (as of version 10.1.4.0.1) only Microsoft Active Directory and Sun iPlanet are supported for OID server chaining (as shown in the figure above).

4. Currently only the bind, compare (for the userpassword attribute only), modify and search LDAP operations are supported.

5. You can configure server chaining either from the command line (ldap commands) or using OIDADMIN (the GUI tool for administering OID).

6. If an attribute has the same name in OID and in the third-party LDAP server (iPlanet, AD), no mapping is required (some attributes are mapped by default: orclguid, krbprincipalname).

7. Operational attributes, object classes and OID-specific attributes (those starting with orcl) cannot be mapped through the server chaining framework.
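Points 6 and 7 are easy to get wrong when an attribute map is typed by hand, so the following is an added pre-flight check (example code written for this page, not Oracle's tooling) that validates a proposed OID-to-external attribute map against those rules before it is applied. The set of operational attribute names, the sample map and the "oid:external" output format are assumptions for illustration; Oracle's own configuration syntax is not reproduced here.

```python
"""
Pre-flight check for an OID server-chaining attribute map.

Encodes the constraints from the list above:
  - an attribute whose name is identical in OID and the external directory
    needs no mapping entry;
  - objectclass, operational attributes and OID-specific attributes (orcl*)
    cannot be mapped;
  - a few attributes are mapped by default (orclguid, krbprincipalname) and
    must not be redefined.
The "oid:external" output format is an assumption for illustration only.
"""
from dataclasses import dataclass, field

# Representative operational attributes assumed for this example; not a list
# taken from Oracle documentation.
OPERATIONAL_ATTRS = frozenset({
    "createtimestamp", "modifytimestamp", "creatorsname", "modifiersname",
    "entrydn", "entryuuid", "subschemasubentry", "hassubordinates",
})
DEFAULT_MAPPED = frozenset({"orclguid", "krbprincipalname"})


@dataclass
class MappingResult:
    accepted: list = field(default_factory=list)  # (oid_attr, external_attr)
    skipped: list = field(default_factory=list)   # identical names, no entry needed
    rejected: list = field(default_factory=list)  # (oid_attr, reason)


def check_attribute_map(pairs):
    """Validate (oid_attr, external_attr) pairs and classify each one.

    LDAP attribute names are case-insensitive, so comparison is done on the
    lower-cased names; the external name is kept as typed in the output.
    """
    result = MappingResult()
    seen = set()
    for oid_attr, ext_attr in pairs:
        o, e = oid_attr.strip().lower(), ext_attr.strip().lower()
        if not o or not e:
            result.rejected.append((oid_attr, "empty attribute name"))
            continue
        if o in seen:
            result.rejected.append((oid_attr, "duplicate mapping for OID attribute"))
            continue
        seen.add(o)
        if o == "objectclass" or e == "objectclass":
            result.rejected.append((oid_attr, "object classes cannot be mapped"))
        elif o in OPERATIONAL_ATTRS or e in OPERATIONAL_ATTRS:
            result.rejected.append((oid_attr, "operational attributes cannot be mapped"))
        elif o in DEFAULT_MAPPED:
            result.rejected.append((oid_attr, "mapped by default; do not redefine"))
        elif o.startswith("orcl"):
            result.rejected.append((oid_attr, "OID-specific (orcl*) attributes cannot be mapped"))
        elif o == e:
            result.skipped.append(o)  # same name on both sides: no mapping needed
        else:
            result.accepted.append((o, ext_attr.strip()))
    return result


def render_mapping(result):
    """Render the accepted pairs as 'oid:external' lines (assumed format)."""
    return [f"{o}:{e}" for o, e in result.accepted]


# Constructed sample: an OID -> Active Directory map a deployer might propose.
SAMPLE_MAP = [
    ("uid", "sAMAccountName"),
    ("cn", "cn"),                              # identical: skipped
    ("displayName", "displayName"),            # identical (case-insensitive): skipped
    ("orclguid", "objectGUID"),                # mapped by default: rejected
    ("orclsamaccountname", "sAMAccountName"),  # orcl*: rejected
    ("objectclass", "objectClass"),            # object class: rejected
    ("modifytimestamp", "whenChanged"),        # operational: rejected
    ("uid", "userPrincipalName"),              # duplicate: rejected
    ("sn", "sn"),                              # identical: skipped
]

if __name__ == "__main__":
    r = check_attribute_map(SAMPLE_MAP)
    print("accepted:", render_mapping(r))
    print("skipped (no mapping needed):", r.skipped)
    for attr, why in r.rejected:
        print(f"rejected {attr}: {why}")
```

Run the script as-is to see the sample map classified; in practice, feed it the map you intend to configure and only apply the accepted lines, treating any rejected line as a configuration error rather than something to work around.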


Related Doc
OID Server Chaining guide from Oracle

About the Author Atul Kumar

Oracle ACE, author, speaker and founder of K21 Technologies & K21 Academy: an Oracle Gold Partner specialising in design, implementation and training.

10 comments
vamshi says August 20, 2008

hi Atul,
This topic is very minimal. Can you be much more detailed on how to sync different ADs to OID and how to check if OID is connected to AD and in sync?

thanks,
Vamshi D

ali-Salmiah says September 20, 2012

Hi Kumar,

We installed OID with EBS R12.3, but the OID in another domain, external to the main branch, is not working. Is it doable with Oracle OID to handle more than one different domain?

Thanks

ali-Salmiah says September 20, 2012

Hi Kumar,

I have a question on Oracle OID. Can you give me your mobile please?

Thanks

Sam says December 4, 2012

Hi Atul,

As a project requirement we have synchronized users from AD to OID (11.1.6.0) using DIP.
OID is configured as a User Identity Store for Oracle Access Manager. We have set up pass-through authentication (server chaining) for the users which are synchronized from AD to OID.

It is observed that the performance (auth/sec) is low through server chaining authentication.

Could you please suggest any performance tuning that needs to be done for server chaining?

Currently the tuning done on OID is:
1. orclmaxcc: 10
2. orclserverprocs: 2
3. orclskiprefinsql: 1

Thanks in Advance.

Regards,
Sam

    Atul Kumar says December 4, 2012

    @Sam,
    Please share which document you used for pass-through authentication. Is there any firewall between OID and AD?

Sam says December 4, 2012

Hi Atul,

Thanks for your reply.

I have referred: http://docs.oracle.com/cd/E21043_01/oid.1111/e10029/serverchain.htm

(36.2.1 Configuring Server Chaining by Using Oracle Directory Services Manager)

There is no firewall in between OID and AD.

We ran the performance benchmarking tool "SLAMD" to get the "Authentications Completed Avg/Second" against OID and AD with the following scenarios:
1. Local OID authentication
2. Active Directory authentication
3. OID authentication for the users synchronized from Active Directory (pass-through AuthN)

The test was executed with 25 threads for 10 min; below are the test results:

1. Local OID user (Authentications Completed Avg/Second): 3326.908
2. AD (Authentications Completed Avg/Second): 6458.750
3. OID users synced from AD (Authentications Completed Avg/Second): 102.350

CPU and memory utilization for this entire test were 0% and 1.5% respectively.

Regards,
Sam

Atul Kumar says December 4, 2012

@ Sam,
I would like to understand the requirement for server chaining if you are syncing AD users to OID via DIP. If users' passwords are only in AD and you wish to validate users' passwords via AD, then my view is that you don't need server chaining; what you need is the External Authentication Plug-In in OID, so that OID authenticates users against AD.

More on the OID Authentication Plug-in: http://docs.oracle.com/cd/E17904_01/oid.1111/e10029/authentication.htm#i1022418

Sam says December 4, 2012

@Atul,

The requirement to have DIP for user sync and server chaining for passwords is due to the fact that we are integrating EBS with OAM, with OID as the User Identity Store and AD as the source of trust.

Regards,
Sam

Atul Kumar says December 4, 2012

Sam, drop me a mail with your phone number and timezone and I'll share my phone number and we can chat. I don't see any requirement for server chaining here, as the user is already in OID.

My email Address atul [at] onlineAppsDBA.com

Sam says December 5, 2012

@Atul

I have configured the External Authentication plug-in in my environment and could see a rise in the auth rate: with server chaining it was ~102 AuthN/sec and with EAP it is ~360 AuthN/sec.

Appreciate your help.

Regards,
Sam
