Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)

Part Number E14308-08
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

10 Enabling LDAP Synchronization

In earlier release of Oracle Identity Manager, LDAP synchronization can be enabled only at the time of installing Oracle Identity Manager, and postinstallation enablement of LDAP synchronization is not allowed. Oracle Identity Manager 11g Release 1 (11.1.1) supports postinstallation enablement of LDAP synchronization.

See Also:

"Integration Between LDAP Identity Store and Oracle Identity Manager" in Oracle Fusion Middleware User's Guide for Oracle Identity Manager for more information about LDAP synchronization

When Oracle identity Manager with Oracle Internet Directory (OID) or iplanet (ODSEE) or Active Directory (AD) is selected during installation, the virtualization functionality of Oracle Virtual Directory (OVD) is utilized. Oracle Identity Manager includes the Identity Virtualization Library (libOVD) instead of the stand-alone OVD server. Oracle Identity Manager deployment can be with or without Identity Virtualization Library (libOVD). With Identity Virtualization Library (libOVD) included in Oracle Identity Manager, the common library is used by Oracle Identity Manager without running its own instance of OVD. Without Identity Virtualization Library (libOVD), Oracle Identity Manager must use an instance of OVD separately.

When you select LDAP synchronization in the Oracle Identity Manager installer, you can select any one of the AD, iPlanet (ODSEE), OID, and OVD options. If you select any of AD, iPlanet (ODSEE), or OID, then Oracle Identity Manager is installed with Identity Virtualization Library (libOVD). If you select OVD, then LDAP synchronization is enabled, and no manual configuration steps for enabling LDAP synchronization is required. However, postinstall manual configuration to enable LDAP synchronization is required when LDAP synchronization has not been enabled at the time of installing Oracle Identity Manager.

This chapter describes the following configurations for postinstallation enablement of LDAP synchronization:

In addition, this chapter contains the following sections:

10.1 Enabling Postinstallation LDAP Synchronization

To enable LDAP synchronization after Oracle Identity Manager has been deployed:

Note:

In Oracle Identity Manager 11g Release 1 (11.1.1), the idmConfigTool must be run to preconfigure LDAP synchronization. Running the LDAPConfigPreSetup script to preconfigure LDAP synchronization generates errors. See "Preparing Third-Party Directories" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for information about using the idmConfigTool.

  1. Set the OIM_HOME environment variable to the directory on which Oracle Identity Manager is deployed.

  2. Copy the following files from the MDS to a temporary staging directory, such as /tmp:

    Note:

    It is mandatory to create a separate staging directory. The $OIM_ORACLE_HOME/server/metadata directory cannot be used as the staging directory because it contains some other files. If these files are imported inadvertently, then it might corrupt the Oracle Idenitity Manager instance.

    • The following metadata files used for configuring reconciliation profile and reconciliation horizontal table entity definition for LDAP user, role, role hierarchy, and role membership reconciliation:

      /db/LDAPUser

      /db/LDAPRole

      /db/LDAPRoleHierarchy

      /db/LDAPRoleMembership

      /db/RA_LDAPROLE.xml

      /db/RA_LDAPROLEHIERARCHY.xml

      /db/RA_LDAPROLEMEMBERSHIP.xml

      /db/RA_LDAPUSER.xml

      /db/RA_MLS_LDAPROLE.xml

      /db/RA_MLS_LDAPUSER.xml

      These files must be copied to a temporary location before importing, or you might corrupt your instance because oim-config.xml is also present in the same location.

    • The LDAP event handlers. The predefined event handlers are in the /db/ldapMetadata/EventHandlers.xml file.

    • The LDAPContainerRules.xml consisting of the container information for users and roles to be created.

      Note:

      The LdapContainerRules.xml file can contain rules by using only those attributes that are mapped to the directory. A rule cannot be written by using attributes from foreign objects or attributes that are not part of the entity. This is true for both user and role entities. For example, Role Email cannot be used for rules for roles, and user's Organization Name cannot be used for user entity.

  3. Edit the LDAPContainerRules.xml. To do so, open LDAPContainerRules.xml, and replace $DefaultUserContainer$ and $DefaultRoleContainer$ with appropriate user and role container values. For example, replace:

    • $DefaultUserContainer$ with a value, such as cn=ADRUsers,cn=Users,dc=us,dc=oracle,dc=com

    • $DefaultRoleContainer$ with a value, such as cn=ADRGroups,cn=Groups,dc=us,dc=oracle,dc=com

  4. Perform the import. To do so:

    1. Using the MDS utilities, such as weblogicImportMetadata.sh, available in the OIM_HOME/bin/ directory, import all the files listed in step 2.

      Note:

      • See "MDS Utilities and User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the MDS utilities.

      • Make sure that EventHandlers.xml is in the /db/ldapMetadata/ directory when imported into MDS.

      • MDS import utility imports everything in the staging directory, and therefore, only the files that are to be imported must be kept there. Otherwise, the Oracle Identity Manager instance can get corrupted.

    2. Navigate to the OIM_HOME/bin/ directory.

    3. In a text editor, open the weblogic.properties file. Provide values for the following properties:

      • wls_servername=oim_server1

        wls_servername is the name of the Oracle WebLogic Server on which Oracle Identity Manager is deployed.

      • application_name=oim

        If you are importing or exporting any default event handlers, the value is oim. For rest of the predefined metadata, value is OIMMetadata. If you are importing or exporting any custom data, then use application name as OIMMetadata.

      • metadata_from_loc=/tmp

        This is the directory location from which XML file is to be imported. For example, if you want to import User.xml and it is in the location /scratc/USER/temp/oim/file/User.xml, then you can specify location value as /scratc/USER/temp/oim. Make sure that no other files exist in this directory or in its subdirectories. Import utility tries to recursively import all the files from location directory. This property is only used by weblogicImportMetadata.sh.

        Note:

        Similarly, to export the files, such as EventHandlers.xml, the path /db/ldapMetadata/EventHandlers.xml must be used. The value of metadata_files in weblogic.properties must be:

        metadata_files=/db/ldapMetadata/EventHandlers.xml

        OIM_HOME/metadata contains two directories, db and ldapReconJobs. The metadata_from_loc location pointing to this directory results in import of both the directories into MDS.

    4. Run the following command to import the configuration files into MDS:

      sh ./weblogicImportMetadata.sh

      You are prompted for WebLogic login information. Provide the following information:

      Please enter your username [weblogic] :weblogic
      Please enter your password [weblogic] :PASSWORD
      Please enter your server URL [t3://localhost:7001] :t3://localhost:8003
      

      This imports the configuration files.

  5. Edit IT Resource configuration in Oracle Identity Manager. To do so:

    1. Login to the Oracle Identity Manager Administrative and User Console by using administrator credentials, and navigate to Advanced Administration.

    2. In the Welcome page of the Advanced Administration, under Configuration, click Manage IT Resource. Alternatively, click the Configuration tab, click Resource Management, and then select Manage IT Resource.

    3. Search for the Directory Server IT resource.

    4. Update the IT resource with Search base and Reservation container values.

      The suggested value for Search base is the root suffix or the BaseDN, for example, dc=us,dc=oracle,dc=com.

    5. If you want to configure Oracle Identity Manager with OVD server, then enter the values for ServerURL with the OVD server host and port details.

      If you want to configure Oracle Identity Manager with Identity Virtualization Library (libOVD), then do not enter the values for ServerURL. It must be empty.

    6. Enter the values for the bind credentials, as shown:

      bind dn: cn=oimadmin

      bind password: 1111111111

      Note:

      The Oracle Identity Manager proxy user DN is in the following format:

      PROXY_USER,cn=system,ROOT_SUFFIX

      For example: cn=oimadmin,cn=system, dc=us,dc=oracle,dc=com

    7. Make sure that the value for the Reservation Container is cn=reserve,VALUE_OF_THE_ROOT_SUFFIX. For example:

      Reservation Container: cn=reserve,dc=us,dc=oracle,dc=com

  6. For reconciliation jobs, seed the LDAP Reconciliation jobs or Load LDAP Recon jobs into Quartz tables, which are part of Oracle Identity Manager schema. to do so:

    1. Seed the LDAP Recon jobs by using the patch_weblogic.sh MDS utility available in OIM_HOME/bin/.

      Note:

      In a text editor, open the $OIM_ORACLE_HOME/server/bin/weblogic.profile file, and enter values for the properties before executing the patch_weblogic.sh script.

    2. Set ANT_HOME and JAVA_HOME accordingly.

    3. Create a backup of a $OIM_ORACLE_HOME/server/setup/deploy-files/setup.xml.

    4. In a text editor, open the $OIM_ORACLE_HOME/server/setup/deploy-files/setup.xml file.

    5. If the target for seeding Recon jobs is commented by default, then uncomment the following and have only that target in that file to seed the reconciliation jobs:

      <target name="patch" description="This contains the list of targets to be invoked post-patching">
                     <antcall target="explode-archived-apps"/>
                     <antcall target="seed-ootb-jobs"/>
                     <!--antcall target="seed-ldap-recon-jobs"/--> == Uncomment this line.
                     <antcall target="update-oes-ootb-policies"/>
                     <antcall target="seed-ootb-templates"/>
                     <antcall target="unzip-db-deliverables-archive"/>
                     <!--ant antfile="${appserver.type}/setup.xml" target="patch" inheritrefs="true" /-->
      </target>
      

      The required target to seed the Recon jobs is seed-ldap-recon-jobs.

    6. Run the patch_weblogic.sh script.

10.2 Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server

For SSL, you must export the server side certificates from the directory server and import into Identity Virtualization Library (libOVD), as described in the following sections:

10.2.1 Enabling SSL Between Identity Virtualization Library (libOVD) and Microsoft Active Directory

To export the server side certificates from Active Directory and import into Identity Virtualization Library (libOVD):

  1. Export the certificate from the Active Directory server by referring to the instructions in the following Microsoft TechNet Website URLs:

    http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx

    http://technet.microsoft.com/en-us/library/cc772898%28WS.10%29.aspx

  2. Retrieve the CA signing certificate and save it to a file. To do so:

    1. Login to the Active Directory domain server as a domain administrator.

    2. Click Start, Control Panel, Administrative Tools, Certificate Authority to open the CA Microsoft Management Console (MMC).

    3. Right-click the CA computer, and select CA Properties.

    4. From the General menu, select View Certificate.

    5. Select the Details view, and click Copy to File on the lower-right corner of the window.

    6. Use the Certificate Export wizard to save the CA certificate in a file by running the following command:

      certutil -ca.cert OutCACertFile
      

      Note:

      You can save the CA certificate in either DER Encoded Binary X-509 format or Based-64 Encoded X-509 format.

  3. Import the Active Directory server certificate created in step 3f to the Identity Virtualization Library (libOVD) keystore as a trusted entry by running the following command:

    $ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file OutCACertFile -noprompt
    

10.2.2 Enabling SSL Between Identity Virtualization Library (libOVD) and iPlanet

To export certificates from iPlanet (ODSEE) and import into Identity Virtualization Library (libOVD) for enabling SSL between Identity Virtualization Library (libOVD) and iPlanet (ODSEE):

  1. To export certificate from iPlanet (ODSEE), run the following command:

    dsadm export-cert -o OUTPUT_FILE INSTANCE_PATH CERT_ALIAS
    

    For example:

    ./dsadm export-cert -o /tmp/server-cert /scratch/aime1/iPlanet/dsInst/ defaultCert
    Choose the PKCS#12 file password:
    Confirm the PKCS#12 file password:
    
    ls -lrt /tmp
    -rw------- 1 aime1 svrtech 1684 Jan 20 00:39 server-cert
    
  2. To import the iPlanet (ODSEE) certificate created in step 1 to the Identity Virtualization Library (libOVD) keystore as a trusted entry, run the following command:

    ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file server-cert -noprompt
    

10.2.3 Enabling SSL Between Identity Virtualization Library (libOVD) and OID

To export the server side certificates from OID and import into Identity Virtualization Library (libOVD):

  1. Export the Oracle Internet Directory server certificate in Base64 format using the following command:

    orapki wallet export -wallet LOCATION_OF_OID_WALLET -dn DN_FOR_OID_SERVER_CERTIFICATE -cert ./b64certificate.txt
    

    Note:

    If you use a certificate alias in the orapki command, then an error is generated if the alias is not in all lower case letters.

  2. Import the Oracle Internet Directory server certificate created in step 2 to the Identity Virtualization Library (libOVD) keystore as a trusted entry using the following command:

    $ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file OutCACertFile -noprompt
    

10.3 Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP

If you create users and roles in Oracle Identity Manager deployment without LDAP synchronization, and later decide to enable LDAP synchronization, then the users and roles created before LDAP synchronization enablement must be synced with LDAP after enablement. The provisioning of users, roles, role memberships, and role hierarchy to LDAP is achieved by the following predefined scheduled jobs for LDAP:

For details about these scheduled jobs, see "Predefined Scheduled Tasks".

10.4 Disabling LDAP Synchronization

To disable LDAP synchronization in Oracle Identity Manager deployment:

  1. Remove the /db/ldapMetadata/EventHandlers.xml file from MDS by using MDS utilities. To delete the XML file, modify the following values in the weblogic.properties file and run the weblogicDeleteMetadata.sh or weblogicDeleteMetadata.bat script:

    • wls_servername=OIM_SERVER_NAME, for example oim_server1

    • application_name=oim

      If you are importing or exporting any predefined event handlers, then value is oim. For the rest of the default metadata, value is OIMMetadata. If you are importing or exporting any custom data, then always use application.

    • metadata_files=/metadata/user/custom/EventHandlers.xml

  2. Login to Oracle Identity Manager Administrative and User Console with administrator credentials.

  3. Disable all scheduled jobs mentioned in "Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP".

10.5 Managing Identity Virtualization Library (libOVD) Adapters

In an Oracle Identity Manager deployment with LDAP synchronization enabled and AD, iPlanet (ODSEE), or OID as a the directory server, you can manage the Identity Virtualization Library (libOVD) adapters by using the WLST command.

To manage the Identity Virtualization Library (libOVD):

  1. Start the WLST console. To do so, run oracle_common/common/bin/wlst.sh.

  2. In the WLST console, run the following command:

    connect()
    

    When prompted, provide the WLST username, password, and t3 URL.

  3. Run the following command to display a list of Identity Virtualization Library (libOVD) WLST commands:

    help('OracleLibOVDConfig')
    

    This lists the commands for creating, deleting, and modifying Identity Virtualization Library (libOVD), LDAP, and join adapters. The following commands act on the Identity Virtualization Library (libOVD) configuration assosicated with a particular OPSS context, which is passed in as a parameter:

    • addJoinRule: Adds a join rule to an existing Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • addLDAPHost: Adds a new remote host to an existing LDAP adapter

      Note:

      The following is an example of adding multiple remote hosts for High Availability (HA) scenario:

      addLDAPHost(adapterName='ldap1', host='myhost.example.domain.com', port=389, contextName='myContext') 
      

      See Oracle Fusion Middleware High Availability Guide for detailed information about HA.

    • addPlugin: Adds a plug-in to an existing adapter or at the global level

      See Also:

      "Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about developing plug-ins in Oracle Identity Manager

    • addPluginParam: Add new parameter values to the existing adapter level plug-in or global plug-in

    • createJoinAdapter: Creates a new Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • createLDAPAdapter: Creates a new LDAP adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • deleteAdapter: Deletes an existing adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • getAdapterDetails: Displays the details of an existing adapter that is configured for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • listAdapters: Lists the name and type of all adapters that are configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context

    • modifyLDAPAdapter: Modifies the existing LDAP adapter configuration

    • removeJoinRule: Removes a join rule from a Join adapter configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context

    • removeLDAPHost: Removes a remote host from an existing LDAP adapter configuration

    • removePlugin: Removes a plug-in from an existing adapter or at global level

    • removePluginParam: Removes an existing parameter from a configured adapter level plug-in or global plug-in

  4. Run help on the individual commands to get usage, such as:

    help('addPluginParam')
    

The following are examples for updating the AD User Management adapter for the oimLanguages attribute for Multi Language Support (MLS):

See Also:

"Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for detailed information about creating the OVD adapters for Oracle Identity Manager change log and user management

10.6 Configuring LDAP Authentication When LDAP Synchronization is Enabled

Use the following procedure to be able to use LDAP for authentication when LDAP synchronization is enabled.

Note:

This procedure does not enable the following functionality:

  • Forced password changes, including first login, administrator password reset, and expired passwords

  • Forced setting of challenge responses

  1. Add a dynamic group in Oracle Internet Directory (OID).

    1. Create an oimusers.ldif file that defines a dynamic group. The format of the LDIF file should be similar to the following:

      dn: cn=oimusers, <group search base>
      objectclass: orclDynamicGroup
      objectclass: groupOfUniqueNames
      labeleduri:ldap://LDAP_HOST:LDAP_PORT/<UserSearchBase>??sub?(objectclass=inetOrgPerson)
      

      For example:

      dn: cn=oimusers,cn=Groups,dc=us,dc=oracle,dc=com
      objectclass: orclDynamicGroup
      objectclass: groupOfUniqueNames
      labeleduri: ldap://LDAP_HOST:3060/cn=Users,dc=us,dc=oracle,dc=com??sub?(objectclass=inetOrgPerson)
      
    2. Use the ldapadd command to upload the oimusers.ldif file to OID. The command should have the following format:

      ldapadd -h LDAP_HOST -p LDAP_PORT -D <root dn> -w <password> -f oimusers.ldif
      

      For example:

      ldapadd -h LDAP_HOST -p 3060 -D cn=orcladmin -w welcome1 -f oimusers.ldif
      
    3. Use the ldapsearch command to validate group members. The command should have the following format:

      ldapsearch -h LDAP_HOST -p LDAP_PORT -D <root dn> -w <password> -b "cn=oimusers,<groupsearchbase>" -s base "objectclass=*"
      

      For example:

      ldapsearch  -h LDAP_HOST -p 3060 -Dcn=orcladmin -wwelcome1 -b "cn=oimusers,cn=Groups,dc=us,dc=oracle,dc=com" -s base "objectclass=*"
      
  2. Configure the LDAP Authenticator in WLS.

    1. Log in to WebLogic Administrative Console.

    2. Go to Security Realms, myrealm, Providers.

    3. Click New. Give a name and choose OracleInternetDirectoryAuthenticator as type.

    4. Set the Control Flag to SUFFICIENT.

    5. Click the Provider Specific settings and configure the OID connection details.

    6. In Dynamic groups section, enter the following values:

      Dynamic Group Name Attribute: cn

      Dynamic Group Object Class: orcldynamicgroup

      Dynamic Member URL Attribute: labeleduri

      User Dynamic Group DN Attribute: GroupOfUniqueNames

    7. Click the Providers tab and then click Reorder. Reorder the LDAP authenticator so this is placed before the OIM Authenticator.

  3. Restart all servers.

  4. Validate role memberships.

    1. Login to WebLogic Admin Console.

    2. Go to Security Realms, myrealm, User and Groups.

    3. Click users to display all the users in the LDAP user search base. If the LDAP users are not displayed, it means that there is an error with the LDAP connection, and the details are specified in OID Authenticator (provider specific settings).

    4. Click on any user and then to the corresponding group entry. "Oimusers" should be one of the listed entries. If this validation fails, please go through the LDAP authenticator's provider-specific details.