Skip Headers
Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management
11g Release 2 (11.1.2)

Part Number E27301-04
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

F Preconfiguring Oracle Internet Directory (OID)

Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section enables you to preconfigure Oracle Internet Directory (OID) for using Oracle Internet Directory (OID) as your LDAP Identity store.

Note:

If your LDAP Identity store (Oracle Internet Directory (OID)) has been configured for the containers and oimadminuser with the schema extension, you need not follow the below mentioned configuration steps.

You must complete the following steps to preconfigure the Identity Store:

  1. Create a new file OIDContainers.ldif. Add the following entries and save the file.

    dn:cn=oracleAccounts,dc=mycompany,dc=com
    cn:oracleAccounts
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Users
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Groups
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Reserve
    objectClass:top
    objectClass:orclContainer
    
  2. Import the containers into Oracle Internet Directory Server with ldapadd command. This will create the user, group and reserve containers.

    ldapadd -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -c -f ./OIDContainers.ldif
    
    For example:
    
    ldapadd -h localhost -p 3060 -D "cn=orcladmin" -w "welcome1" -c -f ./OIDContainers.ldif
    

    If the above gives authentication error, try the command with '-x' option with simple bind option.

    ldapadd -h localhost -p 3060 -x -D "cn=orcladmin" -w "welcome1" -c -f ./OIDContainers.ldif
    
  3. Configure OIM proxy users and acis to communicate with OID after installing OID. Create the OIM Admin User, Group and the ACIs.

    The root suffix is given as 'dc=mycompany,dc=com'. This can be replaced with the appropriate root suffix of the OID server.

    1. Open a new file oidadmin.ldif. Add the following LDAP entries and save the file oidadmin.ldif. Run the following command to load the ldif file, oidadmin.ldif.

      Note:

      Run the ldapmodify command in OID setup to add the OIM proxy User, OIM proxy Group and the relevant ACIs.

      ./ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -c-v-f oidadmin.ldif
      
      dn: cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: orclContainer
      objectclass: top
      cn: systemids
      
      dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetorgperson
      objectclass: orcluser
      objectclass: orcluserV2
      mail: oimAdminUser
      givenname: oimAdminUser
      sn: oimAdminUser
      cn: oimAdminUser
      uid: oimAdminUser
      userPassword: welcome1
      
      dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: groupOfUniqueNames
      objectclass: orclPrivilegeGroup
      objectclass: top
      cn: oimAdminGroup
      description: OIM administrator role
      uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      
      dn: cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: orclaci
      orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (add,browse,delete) by * (none)
      orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (read,search,write,compare) by * (none)
      
      dn: cn=changelog
      changetype: modify
      add: orclaci
      orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (browse) by * (none)
      orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (read,search,compare) by * (none)
      
    2. Use the following command to check if the ACI is added.

      ./ldapsearch -h <OID Server> -p <OID Port> -D "cn=orcladmin"
       -w <OID Admin password> -b "dc=mycompany,dc=com" -s one "objectclass=*" orclaci
      
    3. Use the following command to check if the proxy user is working against OID. Before running this command ensure that the changenumber is catalogued.

      ./ldapsearch -h <OID Server> -p <OID Port> -D
       "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com" -w <OID Admin password> -b
       "cn=changelog" -s sub "changenumber>=0"
      

      If the above command gives an error, try the following:

      ./ldapsearch -h <OID Server> -p <OID Port> -D
       "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com" -w <OID Admin password> -b
       "cn=changelog" -s one "changenumber>=0"