Skip Headers
Oracle® Fusion Middleware Integration Overview for Oracle Identity Management Suite
11g Release 1 (11.1.1)

Part Number E15477-03
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

11 Configuring an Identity Store with Multiple Directories

This chapter explains how to prepare directories other than Oracle Internet Directory for use as an Identity Store.

This chapter contains the following topics:

11.1 Overview of Configuring Multiple Directories as an Identity Store

This chapter describes how to configure Oracle Virtual Directory for two multiple directory scenarios. In both scenarios, you have some user data in a third-party directory, such as Active Directory, and other user data in Oracle Internet Directory.

In both scenarios, you use Oracle Virtual Directory to present all the identity data in a single consolidated view that Oracle Identity Management components can interpret.

The scenarios are as follows:

In this chapter, Active Directory is chosen as the non-Oracle Internet Directory Enterprise Directory. The solution is applicable to all enterprises having one or more Active Directories as their enterprise Identity Store.

11.2 Using idmConfigTool configOVD to Configure Oracle Virtual Directory

To configure Oracle Virtual Directory adapters as described in this chapter, you must use the -configOVD option to the idmConfigTool command. Before attempting to use this option with Oracle Fusion Middleware 11gR1 (11.1.1.5), ensure that you have applied the latest patches for Oracle Identity Management.

The syntax and properties for this option are as follows:

Syntax

./idmConfigTool.sh -configOVD input_file=input_Properties

Properties

Table 11-1 lists the command properties (where n=1,2..).

Table 11-1 configOVD properties

Property Required?

OVD_HOST

YES

OVD_PORT

YES

OVD_BINDDN

YES

OVD_SSL

 

LDAPn_TYPE

 

LDAPn_HOST

YES

LDAPn_PORT

YES

LDAPn_BINDDN

YES

LDAPn_SSL

 

LDAPn_BASE

YES

LDAPn_OVD_BASE

YES

USECASE_TYPE

YES


11.3 Configuring Multiple Directories as an Identity Store: Split Profile

This section describes how to configure multiple directories as an Identity Store. In cases where the Active Directory schema cannot be extended, you use Oracle Internet Directory as a shadow directory to store these attributes. Oracle Virtual Directory links them together to present a single consolidated DIT view to clients. This is called a split profile or split directory configuration. In this configuration, all the Oracle specific attributes and Oracle specific entities are created in Oracle Internet Directory.

This section contains the following topics:

11.3.1 Prerequisites

The following assumptions and rules apply to this deployment topology:

  • Oracle Internet Directory houses the Fusion Identity Store. This means that Oracle Internet Directory is the store for all Fusion Application-specific artifacts. The artifacts include a set of enterprise roles used by Fusion Application and some user attributes required by Fusion Applications. All other stores are referred to as enterprise Identity Stores.

  • The enterprise contains more than one LDAP directory. Each directory contains a distinct set of users and roles.

  • The enterprise policy specifies that specific user attributes, such as Fusion Application-specific attributes, cannot be stored in the enterprise directory. All the extended attributes must be stored in a separate directory called the shadow directory. This shadow directory must be Oracle Internet Directory because Active Directory does not allow you to extend the schema.

  • User login IDs are unique across the directories. There is no overlap of the user login IDs between these directories.

  • Oracle Identity Manager has no fine-grained authorization. If Oracle Identity Manager's mapping rules allow it to use one specific subtree of a directory, then it can perform all CRUD (Create, Read, Update, Delete) operations in that subtree of the LDAP directory. There is no way to enable Oracle Identity Manager to read user data in a subtree but not enable it to create a user or delete a user in subtree.

  • Referential integrity must be turned off in Oracle Internet Directory so that an Oracle Internet Directory group can have members that are in one of the Active Directory directories. The users group memberships are not maintained across the directories with referential integrity.

11.3.2 Repository Descriptions

This section describes the artifacts in the Identity store and how they can be distributed between Active Directory and Oracle Internet Directory, based on different enterprise deployment requirements.

The Artifacts that are stored in the Identity Store are:

  • Application IDs: These are the identities that are required to authenticate applications to communicate with each other.

  • Seeded Enterprise Roles: These are the enterprise roles or LDAP group entries that are required for default functionality.

  • Enterprise roles provisioned by Oracle Identity Manager: These are runtime roles.

  • Enterprise Users: These are the actual users in the enterprise.

  • Enterprise Groups: These are the roles and groups that already exist in the enterprise.

In a split profile deployment, the Identity Store artifacts can be distributed among Active Directory and Oracle Internet Directory, as follows.

  • Oracle Internet Directory is a repository for enterprise roles. Specifically, Oracle Internet Directory contains the following:

    • Application IDs

    • Seeded enterprise roles

    • Enterprise roles provisioned by Oracle Identity Manager

  • Active Directory is the repository for:

    • Enterprise users

    • Enterprise groups (not visible to Oracle Identity Manager or Fusion Applications)

The following limitations apply:

  • The Active Directory users must be members of Oracle Internet Directory groups.

  • The groups in Active Directory are not exposed at all. Oracle applications only manage the Oracle-created enterprise roles. The groups in Active Directory are not visible to either Oracle Identity Manager or Fusion Applications.

11.3.3 Setting Up Oracle Internet Directory as a Shadow Directory

In cases where Oracle Internet Directory is used as the shadow directory to store certain attributes, such as all the Fusion Application-specific attributes, use a separate container in Oracle Internet Directory to store the shadow attributes.

  • The Shadow Entries container (cn=shadowentries) must be in a separate DIT from the parent of the users and groups container dc=mycompany,dc=com, as shown in Figure 11-1.

  • The same ACL configured for dc=mycompany,dc=com within Oracle Internet Directory must be configured for cn=shadowentries. To perform this configuration, use the ldapmodify command. The syntax is as follows:

    ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile 
    

    The following is a sample LDIF file to use with ldapmodify:

    dn: cn=shadowentries
    changetype: modify
    add: orclaci
    orclaci: access to entry by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=mycompany,dc=com" (browse,add,delete)
    orclaci: access to attr=(*) by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=mycompany,dc=com" (read, write, search, compare)
    orclaci: access to entry by group="cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com" (browse,add,delete)
    orclaci: access to attr = (*) by group="cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com" (search,read,compare,write)
    -
    changetype: modify
    add: orclentrylevelaci
    orclentrylevelaci: access to entry by * (browse,noadd,nodelete)
    orclentrylevelaci: access to attr=(*) by * (read,search,nowrite,nocompare)
    
  • If you have more than one directory for which Oracle Internet Directory is used as a Shadow directory, then you must create different shadow containers for each of the directories. The container name can be chosen to uniquely identify the specific directory for which this is a shadow entry.

11.3.4 Directory Structure Overview - Shadow Join

Figure 11-1 shows the directory structure in the primary and shadow directories. The containers cn=reservation, cn=appIDUsers, cn=FusionGroups, and cn=DataRoleGroups are speciric to Fusion Applications.

Figure 11-1 Directory Structure

Surrounding text describes Figure 11-1 .

Figure 11-2 shows how the DIT appears to a user or client application. The containers cn=appIDUsers, cn=FusionGroups, and cn=DataRoleGroups are speciric to Fusion Applications.

Figure 11-2 Client View of the DIT

Surrounding text describes Figure 11-2 .

Figure 11-3 summarizes the adapters and plug-ins. The containers cn=appIDUsers, and cn=FusionGroups are speciric to Fusion Applications.

Figure 11-3 Adapter and Plug-in Configuration

Surrounding text describes Figure 11-3 .

11.3.5 Configuring Oracle Virtual Directory Adapters for Split Profile

In order to produce the client side view of the data shown in Figure 11-2, you must configure multiple adapters in Oracle Virtual Directory following the steps in this section.

You can use idmConfigTool to create the adapters to facilitate this configuration.

See Also:

Section B.1, "Verifying Oracle Virtual Directory Adapters for Split Profile by Using ODSM" for instructions on viewing the adapters using Oracle Directory Services Manager.

To create the adapters using idmConfigTool, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

  2. Create a properties file for the adapter you are configuring called splitprofile.props, with the following content:

    ovd.host:ldaphost1.mycompany.com
    ovd.port:8899 
    ovd.binddn:cn=orcladmin 
    ovd.ssl:true 
    ldap1.type:AD 
    ldap1.host:adhost.mycompany.com 
    ldap1.port:636 
    ldap1.binddn:administrator@idmqa.com 
    ldap1.ssl:true 
    ldap1.base:dc=idmqa,dc=com 
    ldap1.ovd.base:dc=idmqa,dc=com
    usecase.type:split
    ldap2.type:OID 
    ldap2.host:ldaphost.mycompany.com
    ldap2.port:3060 
    ldap2.binddn:cn=oimLDAP,cn=users,dc=mycompany,dc=com 
    ldap2.ssl:false 
    ldap2.base:dc=mycompany,dc=com 
    ldap2.ovd.base:dc=mycompany,dc=com 
    
    

    The following list describes the parameters used in the properties file.

    • ovd.host is the host name of a server running Oracle Virtual Directory.

    • ovd.port is the https port used to access Oracle Virtual Directory.

    • ovd.binddn is the user DN you use to connect to Oracle Virtual Directory.

    • ovd.password is the password for the DN you use to connect to Oracle Virtual Directory.

    • ovd.oamenabled is set to true if you are using Oracle Access Management Access Manager, otherwise set to false.

      ovd.oamenabled is always true in Fusion Applications deployments.

    • ovd.ssl is set to true, as you are using an https port.

    • ldap1.type is set to OID for the Oracle Internet Directory back end directory or set to AD for the Active Directory back end directory.

    • ldap1.host is the Active Directory host. Use the load balancer name where the host is highly available.

    • ldap2.host: The Oracle Internet Directory host. Use the load balancer name where the host is highly available.

    • ldap1.port is the port used to communicate with the back end directory.

    • ldap1.binddn is the bind DN of the oimLDAP user.

    • ldap1.password is the password of the oimLDAP user

    • ldap1.ssl is set to true if you are using the back end's SSL connection, and otherwise set to false. This should always be set to true when an adapter is being created for AD.

    • ldap1.base is the base location in the directory tree.

    • ldap1.ovd.base is the mapped location in Oracle Virtual Directory.

    • usecase.type is set to Single when using a single directory type.

  3. Configure the adapter by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool -configOVD input_file=splitprofile.props
    

    During the running of the command you will be prompted for the passwords to each of the directories you will be accessing.

    The command must be run once for each Oracle Virtual Directory instance.

11.3.6 Configuring a Global Consolidated Changelog Plug-in

Deploy a global level consolidated changelog plug-in to handle changelog entries from all the Changelog Adapters.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to an Oracle Virtual Directory instance.

  3. On the Home page, click the Advanced tab. The Advanced navigation tree appears.

  4. Expand Global Plugins

  5. Click the Create Plug-In button. The Plug-In dialog box appears.

  6. Enter a name for the Plug-in in the Name field.

  7. Select the plug-in class ConsolidatedChglogPlugin from the list.

  8. Click OK.

  9. Click Apply.

11.3.7 Validating the Oracle Virtual Directory Changelog

Run the following command to validate that the changelog adapter is working:

$IDM_ORACLE_HOME/bin/ldapsearch -p 6501 -D cn=orcladmin -q -b 'cn=changelog' -s base 'objectclass=*' lastchangenumber

The command should return a changelog result, such as:

Please enter bind password:
cn=Changelog
lastChangeNumber=changelog_OID:190048;changelog_AD1:363878

If ldapsearch does not return a changelog result, double check the changelog adapter configuration.

11.4 Configuring Multiple Directories as an Identity Store: Distinct User and Group Populations in Multiple Directories

In this configuration, you store Oracle-specific entries in Oracle Internet Directory and enterprise-specific entries in Active Directory. If necessary, extend the Active Directory schema as described in "Configuring Active Directory for Use with Oracle Access Management Access Manager and Oracle Identity Manager" in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

Note:

The Oracle Internet Directory that is to be used is not necessarily the PolicyStore Oracle Internet Directory. Conceptually, a non-Active Directory directory can be used as the second directory. For convenience, this section refers to the Policy Store Oracle Internet Directory.

The following conditions are assumed:

This section contains the following topics:

11.4.1 Directory Structure Overview for Distinct User and Group Populations in Multiple Directories

Figure 11-4 shows the directory structure in the two directories, listed here as internal and external. The containers cn=appIDUsers, cn=FusionGroups, and cn=RGX_FusionGroups are Fusion Applications-specific.

Figure 11-4 Directory Structure

Surrounding text describes Figure 11-4 .

Oracle Virtual Directory makes multiple directories look like a single DIT to a user or client application, as shown in Figure 11-5. The containers cn=appIDUsers, cn=FusionGroups, and cn=RGX_FusionGroups are Fusion Applications-specific.

Figure 11-5 Client View of the DIT

Surrounding text describes Figure 11-5 .

Figure 11-6 provides an overview of the adapter configuration. The classes inetOrgPerson, orclIDXPerson, and orclIDXGroup and the containers cn=appIDusers and cn=fusionGroups are required only for Fusion Applications.

Figure 11-6 Configuration Overview

Surrounding text describes Figure 11-6 .

11.4.2 Configuring Oracle Virtual Directory Adapters for Distinct User and Group Populations in Multiple Directories

Create the user adapter on the Oracle Virtual Directory instances running on LDAPHOST1 and LDAPHOST2 individually, as described in the following sections

11.4.2.1 Create Enterprise Directory Adapters

Create Oracle Virtual Directory adapters for the Enterprise Directory. The type of adapter that is created will be dependent on whether or not the back end directory resides in Oracle Internet Directory or Active Directory.

You can use idmconfgTool to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory.

See Also:

Section B.2, "Verifying Adapters for Distinct User and Group Populations in Multiple Directories by Using ODSM" for instructions on viewing the adapters using Oracle Directory Services Manager.

Oracle Identity Manager requires adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.

To create the adapters using idmconfgTool, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

  2. Create a properties file for the adapter you are configuring called ovd1.props. The contents of this file depends on whether you are configuring the Oracle Internet Directory adapter or the Active Directory Adapter.

    • Oracle Internet Directory adapter properties file:

      ovd.host:ldaphost1.mycompany.com
      ovd.port:8899
      ovd.binddn:cn=orcladmin
      ovd.password:ovdpassword
      ovd.oamenabled:true
      ovd.ssl:true
      ldap1.type:OID
      ldap1.host:oididstore.us.oracle.com
      ldap1.port:3060
      ldap1.binddn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
      ldap1.password:oidpassword
      ldap1.ssl:false
      ldap1.base:dc=mycompany,dc=com
      ldap1.ovd.base:dc=mycompany,dc=com
      usecase.type: single
      
    • Active Directory adapter properties file:

      ovd.host:ldaphost1.mycompany.com
      ovd.port:8899
      ovd.binddn:cn=orcladmin
      ovd.password:ovdpassword
      ovd.oamenabled:true
      ovd.ssl:true
      ldap1.type:AD
      ldap1.host:adidstore.us.oracle.com
      ldap1.port:636
      ldap1.binddn:cn=adminuser
      ldap1.password:adpassword
      ldap1.ssl:true
      ldap1.base:dc=mycompany,dc=com
      ldap1.ovd.base:dc=mycompany,dc=com
      usecase.type: single
      

    The following list contains the parameters used in the properties file and their descriptions.

    • ovd.host is the host name of a server running Oracle Virtual Directory.

    • ovd.port is the https port used to access Oracle Virtual Directory.

    • ovd.binddn is the user DN you use to connect to Oracle Virtual Directory.

    • ovd.password is the password for the DN you use to connect to Oracle Virtual Directory.

    • ovd.oamenabled is set to true if you are using Oracle Access Management Access Manager, otherwise set to false.

      ovd.oamenabled is always true in Fusion Applications deployments.

    • ovd.ssl is set to true, as you are using an https port.

    • ldap1.type is set to OID for the Oracle Internet Directory back end directory or set to AD for the Active Directory back end directory.

    • ldap1.host Back end directory host.

    • ldap1.port is the port used to communicate with the back end directory.

    • ldap1.binddn is the bind DN of the oimLDAP user.

    • ldap1.password is the password of the oimLDAP user

    • ldap1.ssl is set to true if you are using the back end's SSL connection, and otherwise set to false. This should always be set to true when an adapter is being created for AD.

    • ldap1.base is the base location in the directory tree.

    • ldap1.ovd.base is the mapped location in Oracle Virtual Directory.

    • usecase.type is set to Single when using a single directory type.

  3. Configure the adapter by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
    

    The syntax on Windows is:

    idmConfigTool.bat -configOVD input_file=configfile [log_file=logfile]
    

    For example:

    idmConfigTool.sh -configOVD input_file=ovd1.props
    

    The command requires no input. The output looks like this:

    The tool has completed its operation. Details have been logged to logfile
    

Run this command on each Oracle Virtual Directory host in your topology, with the appropriate value for ovd.host in the property file.

11.4.2.2 Create Application Directory Adapters

Create Oracle Virtual Directory adapters for the Application Directory. The back end directory for the application directory is always Oracle Internet Directory.

You can use idmconfgTool to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.

To do this, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

  2. Create a properties file for the adapter you are configuring called ovd1.props. The contents of this file is as follows.

    Oracle Internet Directory adapter properties file:

    ovd.host:ldaphost1.mycompany.com
    ovd.port:8899
    ovd.binddn:cn=orcladmin
    ovd.password:ovdpassword
    ovd.oamenabled:true
    ovd.ssl:true
    ldap1.type:OID
    ldap1.host:oididstore.us.oracle.com
    ldap1.port:3060
    ldap1.binddn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
    ldap1.password:oidpassword
    ldap1.ssl:false
    ldap1.base:dc=mycompany,dc=com
    ldap1.ovd.base:dc=mycompany,dc=com
    usecase.type: single
    

    The following list describes the parameters used in the properties file.

    • ovd.host is the host name of a server running Oracle Virtual Directory.

    • ovd.port is the https port used to access Oracle Virtual Directory.

    • ovd.binddn is the user DN you use to connect to Oracle Virtual Directory.

    • ovd.password is the password for the DN you use to connect to Oracle Virtual Directory.

    • ovd.oamenabled is set to true if you are using Oracle Access Management Access Manager, otherwise set to false.

      ovd.oamenabled is always true in Fusion Applications deployments.

    • ovd.ssl is set to true, as you are using an https port.

    • ldap1.type is set to OID for the Oracle Internet Directory back end directory or set to AD for the Active Directory back end directory.

    • ldap1.host is the host on which back end directory is located. Use the load balancer name.

    • ldap1.port is the port used to communicate with the back end directory.

    • ldap1.binddn is the bind DN of the oimLDAP user.

    • ldap1.password is the password of the oimLDAP user

    • ldap1.ssl is set to true if you are using the back end's SSL connection, and otherwise set to false. This should always be set to true when an adapter is being created for AD.

    • ldap1.base is the base location in the directory tree.

    • ldap1.ovd.base is the mapped location in Oracle Virtual Directory.

    • usecase.type is set to Single when using a single directory type.

  3. Configure the adapter by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
    

    The syntax on Windows is:

    idmConfigTool.bat -configOVD input_file=configfile [log_file=logfile]
    

    For example:

    idmConfigTool.sh -configOVD input_file=ovd1.props
    

    The command requires no input. The output looks like this:

    The tool has completed its operation. Details have been logged to logfile
    

Run this command on each Oracle Virtual Directory host in your topology, with the appropriate value for ovd.host in the property file.

11.4.3 Creating a Global Plug-in

To create a Global Oracle Virtual Directory plug-in, proceed as follows:

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Create connections to each of the Oracle Virtual Directory instances running on LDAPHOST1 and LDAPHOST2, if they do not already exist.

  3. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  4. On the Home page, click the Advanced tab. The Advanced navigation tree appears.

  5. Click the + next to Global Plugins in the left pane.

  6. Click Create Plugin.

  7. Create the Global Consolidated Changelog Plug-in as follows:

    Enter the following values to create the Global Consolidated Plug-in:

    • Name: Global Consolidated Changelog

    • Class: Click Select then choose: ConsolidatedChangelog

    Click OK when finished.

The environment is now ready to be configured to work with Oracle Virtual Directory as the Identity Store.

11.5 Additional Configuration Tasks

If you have previously integrated Oracle Identity Manager with a single directory and you are now reintegrating it with multiple directories, you must reset the changelog number for each of the incremental jobs to zero. The changelog numbers are repopulated on the next run.