Skip Headers
Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management
11g Release 2 (11.1.2)

Part Number E27301-04
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

E Preconfiguring Oracle Unified Directory (OUD)

Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section enables you to preconfigure Oracle Unified Directory (OUD) for using Oracle Unified Directory (OUD) as your LDAP Identity store.

Note:

If your LDAP Identity store (Oracle Unified Directory (OUD)) has been configured for the containers and oimadminuser with the schema extension, you need not follow the below mentioned configuration steps.

You must complete the following steps to preconfigure the Identity Store:

  1. Create a new file OUDContainers.ldif. Add the following entries and save the file.

    dn:cn=oracleAccounts,dc=mycompany,dc=com
    cn:oracleAccounts
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Users
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Groups
    objectClass:top
    objectClass:orclContainer
    
    dn:cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Reserve
    objectClass:top
    objectClass:orclContainer
    
  2. Import the containers into Oracle Unified Directory Server with ldapadd command. This will create the user, group and reserve containers.

    ldapadd -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -c -f ./OUDContainers.ldif
    
    For example:
    
    ldapadd -h localhost -p 3389 -D "cn=Directory Manager" -w "welcome1" -c -f ./OUDContainers.ldif
    

    If the above gives authentication error, try the command with '-x' option with simple bind option.

    ldapadd -h localhost -p 1389 -x -D "cn=Directory Manager" -w "welcome1" -c -f ./OUDContainers.ldif
    
  3. Configure OIM proxy users and acis to communicate with OUD after installing OUD. Create the OIM Admin User, Group and the ACIs.

    The root suffix is given as dc=mycompany,dc=com. This can be replaced with the appropriate root suffix of the OUD server.

    1. Open a new file oudadmin.ldif. Add the following LDAP entries and save the file oudadmin.ldif. Run the following command to load the ldif file, oudadmin.ldif.

      Note:

      Run the ldapmodify command in OUD setup to add the OIM proxy User, OIM proxy Group and the relevant ACIs.

      • The OIMAdmin proxy user must have the ACI allowing to write/reset the userPassword.

      • The OIMAdmin proxy user must have the password-reset privilege. The password-reset privilege is assigned with a ldapmodify on the user entry.

      cd <OUD instance>/bin
      
      ./ldapmodify -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -j <pwd.txt> -c-v-f oudadmin.ldif
      Note: In the above command pwd.txt is the text file containing the OUD Admin password.
      
      dn: cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: orclContainer
      objectclass: top
      cn: systemids
      
      dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetorgperson
      mail: oimAdminUser
      givenname: oimAdminUser
      sn: oimAdminUser
      cn: oimAdminUser
      uid: oimAdminUser
      userPassword: welcome1
      
      dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: groupOfUniqueNames
      objectclass: top
      cn: oimAdminGroup
      description: OIM administrator role
      uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      
      dn: cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
       "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to
       all attributes"; allow (add, read, search, compare,write, delete, import,export)
       (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
      
      dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      changetype: modify
      add: ds-privilege-name
      ds-privilege-name: password-reset
      
    2. Perform the following steps to configure the changelog on OUD server:

      Note:

      Perform these steps only if the replication has not been configured during the installation of OUD server.

      Create a replication server using dsconfig command:

      dsconfig -h <OUD host> -p <OUD Admin SSL Port> -D <OUD Admin id> -j
       <password file> -X -n create-replication-server --provider-name
       'Multimaster Synchronization' --set replication-port:8989 --set
       replication-server-id:1 --type generic
      

      Create a replication domain using dsconfig command:

      dsconfig -h <OUD host> -p <OUD Admin SSL port> -D <OUD Admin id> -j
       <password file> -X -n create-replication-domain --provider-name
       'Multimaster Synchronization' --set base-dn:<dc=myDomain,dc=com> --set 
      replication-server:<OUD host>:8989 --set server-id:1 --type generic 
      --domain-name <dc=myDomain,dc=com>
      
    3. Use the following command to check if the ACI is added.

      ./ldapsearch -h <OUD Server> -p <OUD Port> -D "cn=Directory Manager"
       -j <pwd.txt> -b "dc=mycompany,dc=com" -s base "objectclass=*" aci
      Note: In the above command pwd.txt is the text file containing the OUD Admin password.
      
    4. Use the following command to check if the proxy user is working against OUD.

      ./ldapsearch -h <OUD Server> -p <OUD Port> -D
       "cn=oimAdminUser,cn=systemids,dc=oracle,dc=com" -j <pwd.txt> -b
       "cn=changelog" -s sub "changenumber>=0"
      Note: In the above command pwd.txt is the text file containing the OUD Admin password.
      
  4. Add the global-aci to changelog node in OUD.

    Refer to the Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory 11g Release 1 (11.1.1) available at the following link:

    http://docs.oracle.com/cd/E22289_01/html/821-1279/dsconfig.html

    Follow the steps in the document mentioned above and add the global-aci to cn=changelog entry in OUD:

    (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com";)
    

    You must remove deny from this global-aci and allow the oim proxy user, otherwise deny will take priority.

    Note:

    If you are using OUD 11.1.1.5.0, use the following ACI:

    (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl
     "External changelog access";deny (all) groupdn!="ldap:///cn=oimAdminGroup,cn=systemids,dc=myDomain,dc=com";)
    

    Refer to the Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory 11g Release 1 (11.1.1) available at the following link:

    http://docs.oracle.com/cd/E22289_01/html/821-1279/dsconfig.html

    Follow the steps in the document mentioned above and delete the default deny global-aci from cn=changelog entry in OUD.

    (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)

  5. If you want to enable Oracle Identity Manager (OIM) to lock a user account, you must configure a password policy on OUD server.

    In the password policy, you must define the maximum number of failed logins the source LDAP directory server requires, to lock the account. This max number must have the same value as defined in the User Management plugin (pwdMaxFailure parameter) in Section 5.7.5.2.4, "Creating Adapters for Oracle Unified Directory (OUD)".

    Use the following command to configure OUD password policy (for instance 3 failures locks the account):

    dsconfig -h <OUD host> -p <OUD Admin SSL port> -D <OUD Admin id> -j <password file> -X -n set-password-policy-prop --policy-name 'Default Password Policy'
    --set lockout-failure-count:3