Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 7 (11.1.7)

Part Number E21032-21

A Adding Support for Active Directory

This appendix describes how to add support for Active Directory to your enterprise deployment.

This appendix contains the following sections:

A.1 Creating Adapters in Oracle Virtual Directory

Oracle Virtual Directory communicates with other directories through adapters.

The procedure is slightly different, depending on the directory you are connecting to. The following sections show how to create and validate adapters for supported directories:

A.1.1 Removing Existing Adapters

The provisioning process created Oracle Virtual Directory adapters to Oracle Internet Directory. When you switch the identity store to Active Directory, you must remove these adapters.

  1. Log in to ODSM at: http://admin.mycompany.com/odsm

  2. If you have not already done so, create connections to each of your Oracle Virtual Directory instances using the steps in Section 10.3, "Creating ODSM Connections to Oracle Virtual Directory."

  3. Select one of the Oracle Virtual Directory instances and connect to it.

  4. Click the Adapter tab.

  5. Click the adapter User ID.

  6. Click Delete Selected Adapter.

  7. Repeat for the adapter CHANGELOG_OID.

  8. Repeat Steps 1 through 7 for each Oracle Virtual Directory instance.

A.1.2 Creating an Oracle Virtual Directory Adapter for Active Directory

You can use idmConfigTool to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.

To do this, perform the following tasks on IDMHOST1:

  1. Set the environment variable ORACLE_HOME to IAM_ORACLE_HOME.

  2. Create a properties file for the Active Directory adapter called ovd1.props, with the following content:

    ovd.host:LDAPHOST1.mycompany.com
    ovd.port:8899
    ovd.binddn:cn=orcladmin
    ovd.password:ovdpassword
    ovd.oamenabled:true
    ovd.ssl:true
    ldap1.type:AD
    ldap1.host:ADIDSTORE.mycompany.com
    ldap1.port:636
    ldap1.binddn:cn=adminuser
    ldap1.password:adpassword
    ldap1.ssl:true
    ldap1.base:dc=mycompany,dc=com
    ldap1.ovd.base:dc=mycompany,dc=com
    usecase.type: single
    

    The following list describes the parameters used in the properties file.

    • ovd.host is the host name of a server running Oracle Virtual Directory.

    • ovd.port is the https port used to access Oracle Virtual Directory (OVD_ADMIN_PORT in Section 3.7, "Fixed Ports Used by the Provisioning Wizard").

    • ovd.binddn is the user DN you use to connect to Oracle Virtual Directory.

    • ovd.password is the password for the DN you use to connect to Oracle Virtual Directory.

    • ovd.oamenabled is always true in Fusion Applications deployments.

    • ovd.ssl is set to true, as you are using an https port.

    • ldap1.type is set to OID for the Oracle Internet Directory back end directory or set to AD for the Active Directory back end directory.

    • ldap1.host is the host on which the back end directory is located. Use the load balancer name.

    • ldap1.port is the port used to communicate with the back end directory (OID_LDAP_PORT in Section 6.1, "Assembling Information for Identity Management Provisioning").

    • ldap1.binddn is the bind DN of the oimLDAP user.

    • ldap1.password is the password of the oimLDAP user.

    • ldap1.ssl is set to true if you are using the back end's SSL connection, and otherwise set to false. This should always be set to true when an adapter is being created for AD.

    • ldap1.base is the base location in the directory tree.

    • ldap1.ovd.base is the mapped location in Oracle Virtual Directory.

    • usecase.type is set to single when using a single directory type.

  3. Configure the adapter by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command is:

    idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
    

    For example:

    idmConfigTool.sh -configOVD input_file=ovd1.props
    

    The command requires no input. The output looks like this:

    The tool has completed its operation. Details have been logged to logfile
    

Run this command for each Oracle Virtual Directory instance in your topology, with the appropriate value for ovd.host in the property file.

A.1.3 Validating the Oracle Virtual Directory Adapters

Perform the following tasks by using ODSM:

  1. Access ODSM through the load balancer at: http://ADMIN.mycompany.com/odsm

  2. Connect to Oracle Virtual Directory.

  3. Go to the Data Browser tab.

  4. Expand Client View so that you can see each of your user adapter root DNs listed.

  5. Expand the user adapter root DN. If there are objects already in the back end LDAP server, you should see those objects here.

  6. ODSM does not support changelog queries, so you cannot expand the cn=changelog subtree.

    Perform the following tasks by using the command line:

    • Validate the user adapters by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q  -b <user_search_base> -s sub "objectclass=inetorgperson" dn
      

      For example:

      ldapsearch -h LDAPHOST1.mycompany.com -p 6501 -D "cn=orcladmin" -q -b "cn=Users,dc=mycompany,dc=com" -s sub "objectclass=inetorgperson" dn
      

      Supply the password when prompted.

      You should see the user entries that already exist in the back end LDAP server.

    • Validate changelog adapters by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q  -b "cn=changelog" -s one "changenumber>=0"
      

      For example:

      ldapsearch -h LDAPHOST1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s one "changenumber>=0"
      

      The command returns change log entries, such as the creation of all the users. It returns without error if the changelog adapters are valid.

    • Validate lastchangenumber query by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q -b "cn=changelog" -s base 'objectclass=*' lastchangenumber
      

      For example:

      ldapsearch -h LDAPHOST1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s base 'objectclass=*' lastchangenumber
      

      The command returns the latest change number generated in the back end LDAP server.

A.2 Preparing Active Directory

Prepare Active Directory as described in the following sections:

A.2.1 Configuring Active Directory for Use with Oracle Access Manager and Oracle Identity Manager

This section describes how to configure Active Directory. Extend the schema in Active Directory as follows.

Note:

The order in which you perform the steps is critical!

  1. Locate the following files:

    IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/ADUserSchema.ldif

    IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/AD_oam_pwd_schema_add.ldif

  2. In both these files, replace the domain-dn with the appropriate domain-dn value.

  3. Use ldapadd from the command line to load the two LDIF files, as follows.

    ldapadd -h activedirectoryhostname -p activedirectoryportnumber -D AD_administrator -q -c -f file
    

    where AD_administrator is a user that has schema extension privileges to the directory.

    For example:

    ldapadd -h "ACTIVEDIRECTORYHOST.mycompany.com" -p 389 -D adminuser -q -c -f ADUserSchema.ldif
    ldapadd -h "ACTIVEDIRECTORYHOST.mycompany.com" -p 389 -D adminuser -q -c -f AD_oam_pwd_schema_add.ldif
    

    Note:

    After the -D you can specify either a DN or user@domain.com.

  4. Then go to:

    IAM_MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates

    Run the following command to extend Active Directory schema:

    sh extendadschema.sh -h AD_host -p AD_port -D 'administrator@mydomain.com' -AD "dc=mydomain,dc=com" -OAM true
    

A.2.2 Creating Users and Groups

Create users and groups as described in the following sections.

A.2.2.1 Creating Users and Groups by Using the idmConfigTool

Configure the Identity Store by using the command idmConfigTool, which is located at:

IAM_ORACLE_HOME/idmtools/bin

Note:

When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory in which the idmConfigTool is run. To ensure that the same file is appended to every time you run the tool, always run the idmConfigTool from the directory:

IAM_ORACLE_HOME/idmtools/bin

The syntax of the command on Linux is:

idmConfigTool.sh -prepareIDStore mode=all input_file=configfile 

For example:

idmConfigTool.sh -prepareIDStore mode=all input_file=idstore.props

When the command runs, it prompts you to enter the password of the account you are connecting to and passwords for the accounts that are being created.

Note:

The password must conform to the following rules:

  • Six characters or more

  • One or more numeric character

  • Two or more alphabetic characters

  • Start with alphabetic character

  • One or more lowercase character

Note:

This invocation of idmConfigTool creates the group orclFAOAMUserWritePrivilegeGroup.
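idmConfigTool prompts for the new account passwords interactively and rejects any that do not meet the rules listed in the note above, so it is useful to check a generated password before the prompt rather than discovering a rejection mid-run. The function below is an added example, not Oracle code: it encodes the five listed rules and returns the ones a candidate password violates. "Alphabetic" is assumed to mean ASCII letters.

```python
"""Pre-check a candidate password against the idmConfigTool rules.

Added example, not part of the Oracle guide.  Implements the five rules
quoted in the note: six or more characters, at least one digit, at least
two letters, a letter first, and at least one lowercase letter.
"""
import string
from typing import List


def password_rule_violations(password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    letters = [c for c in password if c in string.ascii_letters]  # assumption: ASCII letters
    violations: List[str] = []
    if len(password) < 6:
        violations.append("fewer than six characters")
    if not any(c in string.digits for c in password):
        violations.append("no numeric character")
    if len(letters) < 2:
        violations.append("fewer than two alphabetic characters")
    if not password or password[0] not in string.ascii_letters:
        violations.append("does not start with an alphabetic character")
    if not any(c in string.ascii_lowercase for c in password):
        violations.append("no lowercase character")
    return violations


def password_is_acceptable(password: str) -> bool:
    """True when the password satisfies every listed rule."""
    return not password_rule_violations(password)


if __name__ == "__main__":
    # Constructed samples: one acceptable, the others each breaking one rule.
    for candidate in ("Welcome1", "1Welcome", "WELCOME1", "a12345", "Ab1"):
        print(candidate, password_rule_violations(candidate) or "OK")
```

These are only the minimum rules the tool enforces; the passwords for accounts such as oimLDAP and the read-only and read/write users are long-lived service credentials (the next section notes that they must not expire), so generate them considerably longer than six characters and store them in your secrets management system.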

A.2.2.2 Creating the Configuration File

Create a property file, idstore.props, to use when preparing the Identity Store. The file will have the following structure:

# Common
IDSTORE_HOST: LDAPHOST1.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# Required due to bug
IDSTORE_OAAMADMINUSER: oaamadmin
# Fusion Applications
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_SUPERUSER: weblogic_fa
# Weblogic
IDSTORE_WLSADMINUSER: weblogic_idm

Where:

  • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

  • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

  • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. Specify the back end directory here, rather than Oracle Virtual Directory.

    Active Directory: LDAPHOST1 and 389

  • IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.

  • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Manager Administrator.

  • IDSTORE_OAMSOFTWAREUSER is a user that gets created in LDAP that is used when Oracle Access Manager is running to connect to the LDAP server.

  • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

  • IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity store.

  • IDSTORE_READONLYUSER is the name of a user you want to create which has Read Only permissions on your Identity Store.

  • IDSTORE_READWRITEUSER is the name of a user you want to create which has Read/Write permissions on your Identity Store.

  • IDSTORE_SUPERUSER is the name of the administration user you want to use to log in to the WebLogic Administration Console in the Oracle Fusion Applications domain.

  • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

  • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

  • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

  • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.

  • POLICYSTORE_SHARES_IDSTORE is set to true for IDM 11g.

  • IDSTORE_OAAMADMINUSER is required because of a bug in idmConfigTool.

A.2.3 Creating Access Control Lists in Non-Oracle Internet Directory Directories

In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is hosted in a non-Oracle Internet Directory directory, such as Microsoft Active Directory, you must set up the access control lists (ACLs) to provide appropriate privileges to the entities you created. This section lists the artifacts created and the privileges required for the artifacts.

  • Users and groups. ACLs to the users and groups container are provided in Oracle Internet Directory. Set them manually for other directories. The Oracle Identity Manager/Oracle Access Manager integration and Fusion Applications require the following artifacts to be created in the Identity store.

    • Group with read privileges to the users container (orclFAUserReadPrivilegeGroup). Configure the local directory ACLs so that this group has privileges to read all the attributes of the users in the Identity Store.

    • Group with read/write privileges to the users container (orclFAUserWritePrivilegeGroup)

    • Group with read privileges to the groups container (orclFAGroupReadPrivilegeGroup)

    • Group with read/write privileges to the groups container (orclFAGroupWritePrivilegeGroup)

    • Group with write privileges to a partial set of attributes (orclFAUserWritePrefsPrivilegeGroup)

  • The user specified by the IDSTORE_READONLYUSER parameter. When you run the prepareIDStore command, this user is assigned to the groups orclFAUserReadPrivilegeGroup, orclFAUserWritePrefsPrivilegeGroup, and orclFAGroupReadPrivilegeGroup. The user also needs compare privileges to the userpassword attribute of the user entry.

  • The user specified by the IDSTORE_READWRITEUSER parameter. It is assigned to the groups orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup.

  • Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.

  • Oracle Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Manager Console. No LDAP schema level privileges are required, since this is just an application user.

  • Oracle Access Manager Software User. This user is added to the groups where the user gets read privileges to the container. This is also provided with schema admin privileges.

  • Oracle Identity Manager user oimLDAP under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.

  • Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.

  • WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.

  • WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.

  • Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.
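Because the memberships listed above are what the ACLs in Active Directory are keyed on, it is worth verifying them from an LDAP export before moving on. The script below is an added example, not part of the Oracle guide or idmConfigTool: it parses the LDIF that an ldapsearch over the groups container returns (for instance `ldapsearch -b "cn=Groups,dc=mycompany,dc=com" -s sub "objectclass=group" member`), handles folded and base64-encoded lines, and reports which of the expected groups each service user is missing from. The expected memberships and group names are taken from the list above, the user names are the defaults from idstore.props, and the LDIF is constructed; it deliberately leaves IDROUser out of one group so the check has something to report.

```python
"""Verify service-user group memberships from an ldapsearch LDIF export.

Added example, not Oracle code.  Expected memberships follow the list in
the guide; the LDIF sample is constructed.
"""
import base64
from typing import Dict, List, Optional, Set, Tuple

EXPECTED_MEMBERSHIP: Dict[str, Set[str]] = {
    "IDROUser": {"orclFAUserReadPrivilegeGroup",
                 "orclFAUserWritePrefsPrivilegeGroup",
                 "orclFAGroupReadPrivilegeGroup"},
    "IDRWUser": {"orclFAUserWritePrivilegeGroup",
                 "orclFAGroupWritePrivilegeGroup"},
    "oimLDAP": {"OIMAdministrators"},
}


def _unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _rdn_value(dn: str) -> str:
    """First RDN value of a DN ('cn=IDROUser,cn=Users,...' -> 'IDROUser').
    Assumes the RDN contains no escaped commas."""
    return dn.split(",", 1)[0].partition("=")[2].strip()


def _attr_value(line: str) -> Tuple[str, str]:
    """Split 'attr: value' or 'attr:: base64value' into (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # '::' marks a base64-encoded value
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return attr.strip().lower(), value


def parse_ldif_groups(ldif: str) -> Dict[str, Set[str]]:
    """Map each group's cn (lower-cased) to the lower-cased cn of its members."""
    groups: Dict[str, Set[str]] = {}
    record: List[str] = []
    for line in _unfold(ldif) + [""]:  # sentinel blank line flushes the last record
        if line.strip():
            if not line.startswith("#"):
                record.append(line)
            continue
        dn: Optional[str] = None
        members: Set[str] = set()
        for entry in record:
            attr, value = _attr_value(entry)
            if attr == "dn":
                dn = value
            elif attr == "member":
                members.add(_rdn_value(value).lower())
        if dn is not None:
            groups[_rdn_value(dn).lower()] = members
        record = []
    return groups


def missing_memberships(ldif: str, expected=EXPECTED_MEMBERSHIP) -> Dict[str, Set[str]]:
    """Return {user: groups the user should belong to but does not}."""
    groups = parse_ldif_groups(ldif)
    missing: Dict[str, Set[str]] = {}
    for user, wanted in expected.items():
        gone = {g for g in wanted if user.lower() not in groups.get(g.lower(), set())}
        if gone:
            missing[user] = gone
    return missing


# Constructed sample export; IDROUser is absent from orclFAUserWritePrefsPrivilegeGroup.
SAMPLE_GROUP_LDIF = """\
dn: cn=orclFAUserReadPrivilegeGroup,cn=Groups,dc=mycompany,dc=com
objectClass: group
member: cn=IDROUser,cn=Users,dc=mycompany,dc=com
member: cn=oamLDAP,cn=Users,dc=mycompany,dc=com

dn: cn=orclFAUserWritePrefsPrivilegeGroup,cn=Groups,dc=mycompany,dc=com
objectClass: group

dn: cn=orclFAGroupReadPrivilegeGroup,cn=Groups,dc=mycompany,dc=com
member: cn=IDROUser,cn=Users,dc=mycompany,dc=com

dn: cn=orclFAUserWritePrivilegeGroup,cn=Groups,dc=mycompany,dc=com
member: cn=IDRWUser,cn=Users,dc=mycompany,dc=com

dn: cn=orclFAGroupWritePrivilegeGroup,cn=Groups,dc=mycompany,dc=com
member: cn=IDRWUser,cn=Users,
 dc=mycompany,dc=com

dn: cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com
member: cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
"""

if __name__ == "__main__":
    for user, gone in missing_memberships(SAMPLE_GROUP_LDIF).items():
        print(f"{user} is missing from: {', '.join(sorted(gone))}")
```

Group membership is only half of the picture: the compare right on userpassword for the read-only user and the attribute-level ACLs on the users and groups containers are not visible in a membership export and still have to be confirmed against the directory's own permission settings.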

A.3 Modifying Oracle Identity Manager to Support Active Directory

When first installed, Oracle Identity Manager has a set of default system properties for its operation.

If your Identity Store is in Active Directory, you must change the System property XL.DefaultUserNamePolicyImpl to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD or oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicyForAD.

To learn how to do this, see the Administering System Properties chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

A.4 Updating the Username Generation Policy for Active Directory

If your back end directory is Active Directory, you must update Oracle Identity Manager so that it only allows user names with a maximum of 20 characters. This is a limitation of Active Directory. Update the username generation policy from DefaultComboPolicy to FirstNameLastNamePolicyForAD as follows.

  1. Log in to the OIM Console at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. Click Advanced on the top of the right pane.

  3. Click Search System properties.

  4. On the navigation bar in the left pane, search on Username Generation.

  5. Click Default Policy for Username Generation.

  6. In the Value field, update the entry from oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD.

  7. Click Save.