Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section describes how to preconfigure Oracle Unified Directory (OUD) so that it can be used as your LDAP Identity store.
Note:
If your LDAP Identity store (Oracle Unified Directory (OUD)) has already been configured with the containers, the oimadminuser and the schema extension, you do not need to follow the configuration steps in this section.
You must complete the following steps to preconfigure the Identity Store:
Create a new file OUDContainers.ldif. Add the following entries and save the file.

dn: cn=oracleAccounts,dc=mycompany,dc=com
cn: oracleAccounts
objectClass: top
objectClass: orclContainer

dn: cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
cn: Users
objectClass: top
objectClass: orclContainer

dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
cn: Reserve
objectClass: top
objectClass: orclContainer
Import the containers into the Oracle Unified Directory server with the ldapadd command. This creates the user, group and reserve containers.
ldapadd -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -c -f ./OUDContainers.ldif
For example (use the LDAP port of your own OUD instance):
ldapadd -h localhost -p 3389 -D "cn=Directory Manager" -w "welcome1" -c -f ./OUDContainers.ldif
If this command fails with an authentication error, retry it with the -x option to force a simple bind:
ldapadd -h localhost -p 1389 -x -D "cn=Directory Manager" -w "welcome1" -c -f ./OUDContainers.ldif
Note that -w places the administrator password on the command line, where it is visible in the process list and in the shell history. Prefer reading it from a file with -j, as the later commands in this section do, and restrict that file's permissions to its owner.
After installing OUD, configure the OIM proxy user and the ACIs that OIM uses to communicate with OUD. Create the OIM Admin user, the OIM Admin group and the ACIs as follows.
The root suffix is given as dc=mycompany,dc=com. Replace it with the root suffix of your OUD server.
Open a new file oudadmin.ldif. Add the LDAP entries shown below and save the file. Then run the ldapmodify command shown below to load oudadmin.ldif.
Note:
Run the ldapmodify command against the OUD instance to add the OIM proxy user, the OIM proxy group and the relevant ACIs.
The OIMAdmin proxy user must be covered by an ACI that allows it to write and reset userPassword.
The OIMAdmin proxy user must also hold the password-reset privilege. The privilege is assigned with an ldapmodify on the user entry (the ds-privilege-name attribute in the LDIF below).
cd <OUD instance>/bin
./ldapmodify -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -j <pwd.txt> -c -v -f oudadmin.ldif
Note: In the above command pwd.txt is the text file containing the OUD Admin password.
Contents of oudadmin.ldif:

dn: cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare, write, delete, import, export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

Replace the sample value welcome1 with a strong password of your own before loading the file. It is the credential of the proxy account, and through the ACI above that account can add, modify, delete and export every entry under cn=oracleAccounts.
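Before loading oudadmin.ldif, it is worth checking offline that the file actually satisfies the requirements listed in the note above (password-reset privilege on the proxy user, group membership, and an ACI that grants the group write access), and that the sample password and root suffix have been replaced consistently. The following script is an added example, not code from the Oracle documentation or from OUD; it parses the LDIF with the Python standard library only. The root suffix dc=mycompany,dc=com, the placeholder-password set and the abridged copy of the page's LDIF used as sample input are this example's own assumptions.

```python
"""Preflight checks for oudadmin.ldif before it is loaded with ldapmodify.

Added example; not code from the Oracle documentation. It parses the LDIF with
the standard library only and checks what the note above requires: the proxy
user holds the password-reset privilege, the group lists the proxy user as a
member, and the container ACI grants that group write access. It also flags
two copy-and-paste mistakes: leaving the documentation's sample password in
place and mixing root suffixes. The suffix, the placeholder-password set and
the abridged sample LDIF are this example's own assumptions.
"""
import re

SUFFIX = "dc=mycompany,dc=com"
PLACEHOLDER_PASSWORDS = {"welcome1"}          # sample value from the documentation
PERMS_RE = re.compile(r"allow\s*\(([^)]*)\)", re.IGNORECASE)
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)

# Constructed sample input: the page's oudadmin.ldif, abridged to the lines the checks use.
SAMPLE_LDIF = """\
dn: cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: orclContainer
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: inetorgperson
cn: oimAdminUser
sn: oimAdminUser
uid: oimAdminUser
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: groupOfUniqueNames
cn: oimAdminGroup
uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare, write, delete, import, export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}}, lower-casing DNs and attribute names.
    Handles 'attr: value' lines, '#' comments, folded lines (leading space) and
    blank-line separators; records with the same DN (add then modify) are merged."""
    lines, entries, record = [], {}, {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                       # unfold continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    for line in lines + [""]:                          # trailing "" flushes the last record
        if line.strip():
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            record.setdefault(attr.strip().lower(), []).append(value.strip())
        else:
            if "dn" in record:
                entry = entries.setdefault(record["dn"][0].lower(), {})
                for attr, values in record.items():
                    entry.setdefault(attr, []).extend(values)
            record = {}
    return entries


def preflight(ldif_text, suffix=SUFFIX):
    """Return a list of findings; an empty list means the LDIF passes."""
    entries, suffix = parse_ldif(ldif_text), suffix.lower()
    user_dn = "cn=oimadminuser,cn=systemids," + suffix
    group_dn = "cn=oimadmingroup,cn=systemids," + suffix
    container_dn = "cn=oracleaccounts," + suffix
    findings = ["entry %s is not under the root suffix %s" % (dn, suffix)
                for dn in entries if dn != suffix and not dn.endswith("," + suffix)]
    user = entries.get(user_dn)
    if user is None:
        findings.append("proxy user %s is not defined" % user_dn)
    else:
        if "password-reset" not in [p.lower() for p in user.get("ds-privilege-name", [])]:
            findings.append("proxy user lacks ds-privilege-name: password-reset")
        if any(p in PLACEHOLDER_PASSWORDS for p in user.get("userpassword", [])):
            findings.append("proxy user still has the documentation placeholder password")
    members = [m.lower() for m in entries.get(group_dn, {}).get("uniquemember", [])]
    if user_dn not in members:
        findings.append("group %s does not list the proxy user as uniquemember" % group_dn)
    # The container ACI must both grant 'write' and name the proxy group in its bind rule.
    for aci in entries.get(container_dn, {}).get("aci", []):
        perms = {p.strip().lower() for m in PERMS_RE.finditer(aci) for p in m.group(1).split(",")}
        if "write" in perms and group_dn in [g.lower() for g in GROUPDN_RE.findall(aci)]:
            break
    else:
        findings.append("no ACI on %s grants write to %s" % (container_dn, group_dn))
    return findings


if __name__ == "__main__":
    problems = preflight(SAMPLE_LDIF)
    print("\n".join(problems) if problems else "oudadmin.ldif passes preflight")
```

Run against the page's LDIF as shipped, the only finding is the placeholder password; once welcome1 is replaced the file passes. Pointing the group's uniquemember at a different suffix (the dc=oracle,dc=com slip that appears in a later ldapsearch example on this page) or dropping the ds-privilege-name line produces a finding before anything reaches the directory.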
Perform the following steps to configure the changelog on OUD server:
Note:
Perform these steps only if replication was not configured during the installation of the OUD server.
Create a replication server using the dsconfig command:
dsconfig -h <OUD host> -p <OUD Admin SSL Port> -D <OUD Admin id> -j <password file> -X -n create-replication-server --provider-name 'Multimaster Synchronization' --set replication-port:8989 --set replication-server-id:1 --type generic
Create a replication domain using the dsconfig command:
dsconfig -h <OUD host> -p <OUD Admin SSL port> -D <OUD Admin id> -j <password file> -X -n create-replication-domain --provider-name 'Multimaster Synchronization' --set base-dn:<dc=myDomain,dc=com> --set replication-server:<OUD host>:8989 --set server-id:1 --type generic --domain-name <dc=myDomain,dc=com>
Use the following command to check that the ACI has been added. The ACI was added to cn=oracleAccounts,dc=mycompany,dc=com, so search that entry with base scope:
./ldapsearch -h <OUD Server> -p <OUD Port> -D "cn=Directory Manager" -j <pwd.txt> -b "cn=oracleAccounts,dc=mycompany,dc=com" -s base "objectclass=*" aci
Note: In the above command pwd.txt is the text file containing the OUD Admin password. The output should contain the aci value that grants access to cn=oimAdminGroup.
Use the following command to check that the proxy user can bind to OUD and read the changelog:
./ldapsearch -h <OUD Server> -p <OUD Port> -D "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com" -j <pwd.txt> -b "cn=changelog" -s sub "changenumber>=0"
Note: In the above command pwd.txt is a text file containing the password of the oimAdminUser proxy user, not the OUD Admin password, because the bind is made as the proxy user. The search returns changelog entries only after the global ACI on cn=changelog described in the next step has been added; until then the default ACI on cn=changelog denies access.
Add the global-aci for the changelog node in OUD.
Refer to the Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory 11g Release 1 (11.1.1) available at the following link:
http://docs.oracle.com/cd/E22289_01/html/821-1279/dsconfig.html
Follow the steps in the document mentioned above and add the following global-aci for the cn=changelog entry in OUD:
(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com";)
In OUD a deny rule takes priority over an allow rule that matches the same bind. The default global-aci on cn=changelog denies all access to everyone, so you must delete that deny ACI as described below; otherwise the OIM proxy user is still denied even though it is a member of cn=oimAdminGroup and the allow ACI above is in place.
Note:
If you are using OUD 11.1.1.5.0, use the following ACI. It denies all changelog access to any bind that is not a member of the OIM admin group (replace dc=myDomain,dc=com with your root suffix):
(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access";deny (all) groupdn!="ldap:///cn=oimAdminGroup,cn=systemids,dc=myDomain,dc=com";)
Following the steps in the same guide, delete the default deny global-aci from the cn=changelog entry in OUD:
(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)
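The three changelog ACIs above (the allow rule for cn=oimAdminGroup, the OUD 11.1.1.5.0 deny rule for non-members, and the shipped deny-all rule) interact through the precedence rule the text relies on: a matching deny wins over any allow, and no matching rule at all means denied. The following script is an added example, not code from the Oracle documentation or from OUD; it is a small evaluator for just the allow/deny and userdn/groupdn bind-rule subset used in these ACIs, and it ignores target and targetattr because every ACI here applies to cn=changelog with targetattr "*". The ACI named HYPOTHETICAL_ALLOW_ANYONE is an assumption standing in for whatever default ACI grants changelog read access on an 11.1.1.5.0 instance; it is there only to show how the deny groupdn!= variant narrows that access to group members.

```python
"""Toy evaluator for the OUD ACI precedence rule the text above relies on.

Added example, not code from the Oracle documentation or from OUD. It parses
the allow/deny rules and bind rules (userdn, groupdn, groupdn!=) of the
changelog ACIs quoted above and evaluates them as the text describes: a
matching deny wins over any allow, and no matching rule means denied. Target
and targetattr are not evaluated; every ACI here applies to cn=changelog with
targetattr "*". HYPOTHETICAL_ALLOW_ANYONE is an assumption, not an OUD default.
"""
import re

GROUP = "cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com"
PROXY_USER = "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com"
HEADER = '(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; '

DEFAULT_DENY = HEADER + 'deny (all) userdn="ldap:///anyone";)'                 # shipped default, to be deleted
ALLOW_OIM_GROUP = HEADER + 'allow(read,search,compare,add,write,delete,export) groupdn="ldap:///%s";)' % GROUP
DENY_NON_MEMBERS = HEADER + 'deny (all) groupdn!="ldap:///%s";)' % GROUP       # 11.1.1.5.0 variant
HYPOTHETICAL_ALLOW_ANYONE = HEADER + 'allow (read,search,compare) userdn="ldap:///anyone";)'  # assumption

ALL_PERMS = {"read", "search", "compare", "add", "write", "delete", "selfwrite", "proxy", "import", "export"}
RULE_RE = re.compile(
    r'(allow|deny)\s*\(([^)]*)\)\s*'                   # allow|deny (perm, perm, ...)
    r'(userdn|groupdn)\s*(!=|=)\s*"ldap:///([^"]*)"',  # bind rule: subject [!]= "ldap:///..."
    re.IGNORECASE)


def parse_rules(aci):
    """Return [(kind, perms, subject, negated, target)] for each rule in an ACI string."""
    rules = []
    for kind, perms, subject, op, target in RULE_RE.findall(aci):
        perm_set = {p.strip().lower() for p in perms.split(",") if p.strip()}
        if "all" in perm_set:
            perm_set = set(ALL_PERMS)
        rules.append((kind.lower(), perm_set, subject.lower(), op == "!=", target))
    return rules


def bind_rule_matches(subject, negated, target, bind_dn, groups):
    """Evaluate a userdn or groupdn bind rule. bind_dn None means an anonymous bind."""
    if subject == "userdn":
        if target.lower() == "anyone":
            matched = True                            # anyone: authenticated or not
        elif target.lower() == "all":
            matched = bind_dn is not None             # all: any authenticated user
        else:
            matched = bind_dn is not None and bind_dn.lower() == target.lower()
    else:
        matched = target.lower() in {g.lower() for g in groups}
    return not matched if negated else matched


def access_allowed(acis, bind_dn, groups, permission):
    """Deny takes precedence over allow; no matching rule means denied."""
    allowed = False
    for aci in acis:
        for kind, perms, subject, negated, target in parse_rules(aci):
            if permission not in perms or not bind_rule_matches(subject, negated, target, bind_dn, groups):
                continue
            if kind == "deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    cases = [
        ("default deny left in place", [DEFAULT_DENY, ALLOW_OIM_GROUP], PROXY_USER, [GROUP]),
        ("default deny removed", [ALLOW_OIM_GROUP], PROXY_USER, [GROUP]),
        ("11.1.1.5.0 variant, group member", [HYPOTHETICAL_ALLOW_ANYONE, DENY_NON_MEMBERS], PROXY_USER, [GROUP]),
        ("11.1.1.5.0 variant, anonymous bind", [HYPOTHETICAL_ALLOW_ANYONE, DENY_NON_MEMBERS], None, []),
    ]
    for label, acis, dn, groups in cases:
        verdict = "allowed" if access_allowed(acis, dn, groups, "read") else "denied"
        print("%-38s read on cn=changelog: %s" % (label, verdict))
```

The first case is the situation the text warns about: with the shipped deny-all ACI still present, the proxy user is denied even though the allow ACI for its group has been added. The second case is the intended end state. The last two show why the 11.1.1.5.0 variant works as a restriction rather than a grant: it removes access from non-members, so members keep whatever access another ACI gives them, and anonymous binds get nothing.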
If you want Oracle Identity Manager (OIM) to lock a user account after repeated failed logins, you must configure a password policy on the OUD server.
In the password policy, define the maximum number of failed login attempts after which the LDAP directory server locks the account. This number must be the same as the value of the pwdMaxFailure parameter configured in the User Management plugin, described in Section 5.7.5.2.4, "Creating Adapters for Oracle Unified Directory (OUD)".
Use the following command to configure the OUD password policy (in this example, three failures lock the account):
dsconfig -h <OUD host> -p <OUD Admin SSL port> -D <OUD Admin id> -j <password file> -X -n set-password-policy-prop --policy-name 'Default Password Policy' --set lockout-failure-count:3
Because this modifies the Default Password Policy, it applies to every user entry that is not assigned a different password policy. The same policy also has a lockout-duration property that decides whether a locked account unlocks automatically after a period or stays locked until an administrator unlocks it; set it to match the behaviour you intend.