How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

Migrating Oracle DSEE roles to DS

Last updated Jan 12, 2023

The purpose of this article is to provide information on migrating Oracle® Directory Server Enterprise Edition (ODSEE) roles to DS, including examples.

3 readers recommend this article


This is a proprietary feature of ODSEE which allows the administrator to associate entries with different roles; somewhat similar to groups but reversed: groups have DNs pointing at members, role members have DNs (nsRole attribute) pointing at each role entry.

In general, ODSEE roles are better implemented in DS using groups and virtual attributes such as isMemberOf or virtual attributes with the is-member-of type. See Best practice for managing groups in DS (All versions) for further information.

Roles are defined in an LDAP subentry. There are three kinds of roles:

  • Managed Role - Each entry has an nsRoleDN attribute pointing at each managed role the entry has.
  • Filtered Role - The role subentry contains a filter; each entry within the role’s scope and matching the filter is given the role.
  • Nested Role - The role subentry identifies a number of other roles (nsRoleDN) that belong to the role.

To determine “role” membership, retrieve the isMemberOf attribute on the user entry in DS. Do not read the group entries.

Managed role

ODSEE Example

Managed roles in ODSEE are defined using a role (nsManagedRoleDefinition) entry. Entries are assigned the role using a nsRoleDN with a value of the dn: equating to the role entry itself.

In the following example, uid (user.0) gets assigned to the cn=Managed Role by adding the nsRoleDN: cn=Managed Role,ou=People,dc=example,dc=com to its entry.

dn: cn=Managed Role,ou=People,dc=example,dc=com cn: Managed Role description: ODSEE Managed Role objectclass: top objectclass: LDAPsubentry objectclass: nsRoleDefinition objectclass: nsSimpleRoleDefinition objectclass: nsManagedRoleDefinition dn: uid=user.0,ou=People,dc=example,dc=com nsRoleDN: cn=Managed Role,ou=People,dc=example,dc=com dn: uid=user.1,ou=People,dc=example,dc=com nsRoleDN: cn=Managed Role,ou=People,dc=example,dc=com dn: uid=user.2,ou=People,dc=example,dc=com nsRoleDN: cn=Managed Role,ou=People,dc=example,dc=com

DS Example

This is the most straightforward mapping; the resultant group entry has a member/uniqueMember attribute for each member of the group/entry with the role.

dn: cn=Managed Role,ou=Groups,dc=example,dc=com cn: Managed Role description: Like nsManagedRoleDefinition objectClass: groupOfUniqueNames objectClass: top uniqueMember: uid=user.0,ou=People,dc=example,dc=com uniqueMember: uid=user.1,ou=People,dc=example,dc=com uniqueMember: uid=user.2,ou=People,dc=example,dc=com

Filtered role

ODSEE Example

A filtered role (nsFilteredRoleDefinition) uses a basic LDAP search filter to return its members. Unlike a managed role, the nsRoleDN is not added to the users' physical entry.


nsRole must be requested for the role to be returned.

dn: cn=Filtered Role,ou=People,dc=example,dc=com cn: Filtered Role description: ODSEE Filtered Role description: All Norwegian Employees objectclass: top objectclass: LDAPsubentry objectclass: nsRoleDefinition objectclass: nsComplexRoleDefinition objectclass: nsFilteredRoleDefinition nsRoleFilter: (c=NO) bash-4.2# ./ldapsearch -h localhost -p 10389 -D "cn=Directory Manager" -w ****** -s sub -b "dc=example,dc=com" "(uid=user.0)" nsRole version: 1 dn: uid=user.0, ou=People, dc=example,dc=com nsRole: cn=filtered role,dc=example,dc=com

DS Example

This is also straightforward. Take the filter from the role subentry and use it in a groupOfURLs dynamic group entry. Testing group membership must be done by inspecting isMemberOf.

dn: cn=Filtered Role,ou=Groups,dc=example,dc=com cn: Filtered Role description: Like nsFilteredRoleDefinition memberURL: ldap:///ou=People,dc=example,dc=com??sub?(c=NO) objectClass: top objectClass: groupOfURLs

Nested role

ODSEE Example

Combinations of managed and filtered roles can be used to create nested roles.

dn: cn=Nested Role,ou=People,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: nsRoleDefinition objectclass: nsComplexRoleDefinition objectclass: nsNestedRoleDefinition cn: Nested Role nsRoleDN: cn=Managed Role,ou=People,dc=example,dc=com nsRoleDN: cn=Filtered Role,ou=People,dc=example,dc=com nsRoleScopeDN: ou=People,dc=example,dc=com

DS Example

Only a limited range of nested roles can be converted, as DS’s group nesting is limited to members of a static group. In other words, you cannot nest a dynamic group inside a static group.

If you need dynamic groups containing other dynamic groups, you could create a new dynamic group which copies the memberURL attributes from the other “nested” dynamic groups.

dn: cn=Filtered Managed Role,ou=Groups,dc=example,dc=com cn: Filtered Managed Role description: A dynamic group mirroring nested groups memberURL: ldap:///ou=People,dc=example,dc=com??sub?(isMemberOf=cn=Managed Role,ou=Groups,dc=example,dc=com) memberURL: ldap:///ou=People,dc=example,dc=com??sub?(isMemberOf=cn=Filtered Role,ou=Groups,dc=example,dc=com) objectClass: top objectClass: groupOfURLs

See Also

What do I need to consider when planning a migration from Oracle DSEE to DS?

Migrating Oracle DSEE CoS to DS

FAQ: Moving from Oracle DSEE to DS



Oracle DSEE - Directory Server Roles

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.