F Preconfiguring Oracle Internet Directory (OID)

Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section describes how to preconfigure Oracle Internet Directory (OID) for use as your LDAP Identity store.

Note:

If your LDAP Identity store (Oracle Internet Directory (OID)) has already been configured with the containers and oimadminuser with the schema extension, you need not follow the configuration steps below.

You must complete the following steps to preconfigure the Identity Store:

  1. Create a new file OIDContainers.ldif. Add the following entries and save the file.

    dn:cn=oracleAccounts,dc=mycompany,dc=com
    cn:oracleAccounts
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Users
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Groups
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Reserve
    objectClass:top
    objectClass:orclContainer
    
  2. Import the containers into Oracle Internet Directory Server with the ldapadd command. This creates the user, group and reserve containers.

    ldapadd -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -c -f ./OIDContainers.ldif
    
    For example:
    
    ldapadd -h localhost -p 3060 -D "cn=orcladmin" -w "welcome1" -c -f ./OIDContainers.ldif
    

    If the above command returns an authentication error, retry it with the '-x' option, which requests a simple bind.

    ldapadd -h localhost -p 3060 -x -D "cn=orcladmin" -w "welcome1" -c -f ./OIDContainers.ldif
    
  3. Configure the OIM proxy user and ACIs so that OIM can communicate with OID after OID is installed. Create the OIM Admin User, Group and the ACIs.

    The root suffix is given as 'dc=mycompany,dc=com'. This can be replaced with the appropriate root suffix of the OID server.

    1. Create a new file oidadmin.ldif. Add the following LDAP entries and save the file. Then run the following command to load oidadmin.ldif.

      Note:

      Run the ldapmodify command against the OID setup to add the OIM proxy User, OIM proxy Group and the relevant ACIs.

      ./ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -c -v -f oidadmin.ldif
      
      dn: cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: orclContainer
      objectclass: top
      cn: systemids
      
      dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetorgperson
      objectclass: orcluser
      objectclass: orcluserV2
      mail: oimAdminUser
      givenname: oimAdminUser
      sn: oimAdminUser
      cn: oimAdminUser
      uid: oimAdminUser
      userPassword: welcome1
      
      dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: groupOfUniqueNames
      objectclass: orclPrivilegeGroup
      objectclass: top
      cn: oimAdminGroup
      description: OIM administrator role
      uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      
      dn: cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: orclaci
      orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (add,browse,delete) by * (none)
      orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (read,search,write,compare) by * (none)
      
      dn: cn=changelog
      changetype: modify
      add: orclaci
      orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (browse) by * (none)
      orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (read,search,compare) by * (none)
      
    2. Use the following command to check that the ACIs were added.

      ./ldapsearch -h <OID Server> -p <OID Port> -D "cn=orcladmin" -w <OID Admin password> -b "dc=mycompany,dc=com" -s one "objectclass=*" orclaci
      
    3. Use the following command to check that the proxy user can work against OID. Before running this command, ensure that the changenumber attribute is catalogued.

      ./ldapsearch -h <OID Server> -p <OID Port> -D "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com" -w <OID Admin password> -b "cn=changelog" -s sub "changenumber>=0"
      

      If the above command gives an error, try the following:

      ./ldapsearch -h <OID Server> -p <OID Port> -D "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com" -w <OID Admin password> -b "cn=changelog" -s one "changenumber>=0"
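As an added pre-flight check (example code, not part of the Oracle documentation or product): before loading oidadmin.ldif with ldapmodify, this Python script confirms that the root-suffix substitution described in step 3 was applied consistently and that every uniquemember and orclaci group subject names an entry the file actually adds, so a half-edited file is caught before the ACIs land in OID. The embedded LDIF is a constructed, abridged copy of the entries above; parse_ldif and validate are hypothetical helper names.

```python
import re
# Constructed sample, abridged from the oidadmin.ldif entries on this page (default suffix).
SAMPLE_LDIF = """dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: inetorgperson
cn: oimAdminUser

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: groupOfUniqueNames
uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (add,browse,delete) by * (none)
"""

def parse_ldif(text):
    """Split LDIF into (dn, [(attr, value), ...]) records; attribute names are lowercased."""
    records, dn, attrs = [], None, []
    for line in text.splitlines() + ['']:  # trailing '' flushes the last record
        if not line.strip():
            if dn:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, value = line.partition(':')
        if name.strip().lower() == 'dn':
            dn = value.strip()
        else:
            attrs.append((name.strip().lower(), value.strip()))
    return records

def validate(text, suffix):
    """Return problems: DNs under a different dc= suffix (cn=changelog has none and is
    skipped), and uniquemember / orclaci group subjects that no 'add' record defines."""
    records = parse_ldif(text)
    added = {dn.lower() for dn, attrs in records if ('changetype', 'add') in attrs}
    problems = []
    for dn, attrs in records:
        if 'dc=' in dn.lower() and not dn.lower().endswith(suffix.lower()):
            problems.append(f'{dn}: not under root suffix {suffix}')
        for name, value in attrs:
            # uniquemember holds one DN; an orclaci may name several group="..." subjects
            refs = {'uniquemember': [value], 'orclaci': re.findall(r'group="([^"]+)"', value)}.get(name, [])
            for ref in refs:
                if ref.lower() not in added:
                    problems.append(f'{dn}: {name} refers to undefined entry {ref}')
    return problems
```

Run validate() on the real file with your own root suffix after a global substitution; an empty list means the group, its member and the ACI subjects all agree.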