3 Enabling LDAP Synchronization in Oracle Identity Manager

This chapter explains how to manually configure LDAP synchronization of Oracle Identity Manager with the LDAP identity store post-installation. However, the procedures for postinstallation enablement of LDAP synchronization, as described in this chapter, are not required if LDAP synchronization has already been enabled by Oracle Identity Manager Configuration Wizard at the time of installation.

In earlier releases of Oracle Identity Manager, LDAP synchronization could be enabled only at the time of installing Oracle Identity Manager, and postinstallation enablement of LDAP synchronization was not supported. From Oracle Identity Manager 11g Release 1 (11.1.1.5.0) onwards, postinstallation enablement of LDAP synchronization is supported. Oracle Identity Manager 11g Release 2 (11.1.2.1.0) also supports postinstallation enablement of LDAP synchronization.

See Also:

"Integration Between LDAP Identity Store and Oracle Identity Manager" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about LDAP synchronization

When Oracle Identity Manager with Oracle Internet Directory (OID), iPlanet (ODSEE), Active Directory (AD), or Oracle Unified Directory (OUD) is selected during installation, the virtualization functionality of Oracle Virtual Directory (OVD) is used. Oracle Identity Manager includes the Identity Virtualization Library (libOVD) instead of the stand-alone OVD server. An Oracle Identity Manager deployment can be with or without Identity Virtualization Library (libOVD). With Identity Virtualization Library (libOVD) included in Oracle Identity Manager, the common library is used by Oracle Identity Manager without running its own instance of OVD. Without Identity Virtualization Library (libOVD), Oracle Identity Manager must use a separate instance of OVD.

Note:

The common library is the definition for Identity Virtualization Library (libOVD) that resides in the same Java Virtual Machine (JVM) as Oracle Identity Manager. It is a library in Oracle Identity Manager and not a separate server.

When you select LDAP synchronization in the Oracle Identity Manager installer, you can select any one of the AD, iPlanet (ODSEE), OID, OVD, and OUD options. If you select any of AD, iPlanet (ODSEE), OID, or OUD, then Oracle Identity Manager is installed with Identity Virtualization Library (libOVD). If you select OVD, then LDAP synchronization is enabled, and no manual configuration steps for enabling LDAP synchronization are required. However, postinstallation manual configuration to enable LDAP synchronization is required when LDAP synchronization has not been enabled at the time of installing Oracle Identity Manager.


3.1 Enabling Postinstallation LDAP Synchronization

To enable LDAP synchronization after Oracle Identity Manager has been deployed:

Note:

In Oracle Identity Manager 11g Release 2 (11.1.2.1.0), the idmConfigTool utility must be run to preconfigure LDAP synchronization. Running the LDAPConfigPreSetup script to preconfigure LDAP synchronization generates errors. See "Using the idmConfigTool Command" for information about using the idmConfigTool utility.

The idmConfigTool is run in the Enterprise Deployment environment. See Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for details. This is another way of setting up the prerequisites for LDAP synchronization.

In a stand-alone Oracle Identity Manager deployment, for the steps to set up the prerequisites for LDAP synchronization, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

If idmConfigTool is not used to set up the prerequisites, then the database schema must be extended and other steps must be performed, as described in "Completing the Prerequisites for Enabling LDAP Synchronization" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  1. Set the OIM_HOME environment variable to the directory in which Oracle Identity Manager is deployed.

  2. Copy the following files from the MDS to a temporary staging directory, such as /tmp:

    Note:

    It is mandatory to create a separate staging directory. The $OIM_ORACLE_HOME/server/metadata directory cannot be used as the staging directory because it contains some other files. If these files are imported inadvertently, then it might corrupt the Oracle Identity Manager instance.

    • The following metadata files used for configuring reconciliation profile and reconciliation horizontal table entity definition for LDAP user, role, role hierarchy, and role membership reconciliation:

      /db/LDAPUser

      /db/LDAPRole

      /db/LDAPRoleHierarchy

      /db/LDAPRoleMembership

      /db/RA_LDAPROLE.xml

      /db/RA_LDAPROLEHIERARCHY.xml

      /db/RA_LDAPROLEMEMBERSHIP.xml

      /db/RA_LDAPUSER.xml

      /db/RA_MLS_LDAPROLE.xml

      /db/RA_MLS_LDAPUSER.xml

      These files must be copied to a temporary location before importing, or you might corrupt your instance because oim-config.xml is also present in the same location.

    • The LDAP event handlers. The predefined event handlers are in the /db/ldapMetadata/EventHandlers.xml file.

    • The LDAPContainerRules.xml file, which contains the container information for the users and roles to be created.

      Note:

      The LDAPContainerRules.xml file can contain rules that use only those attributes that are mapped to the directory. A rule cannot be written by using attributes from foreign objects or attributes that are not part of the entity. This is true for both user and role entities. For example, Role Email cannot be used in rules for roles, and a user's Organization Name cannot be used in rules for the user entity.

  3. Edit the LDAPContainerRules.xml. To do so, open LDAPContainerRules.xml, and replace $DefaultUserContainer$ and $DefaultRoleContainer$ with appropriate user and role container values. For example, replace:

    • $DefaultUserContainer$ with a value, such as cn=ADRUsers,cn=Users,dc=us,dc=oracle,dc=com

    • $DefaultRoleContainer$ with a value, such as cn=ADRGroups,cn=Groups,dc=us,dc=oracle,dc=com

  4. Perform the import by using Oracle Enterprise Manager. For information about importing metadata files from MDS, see "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

    Note:

    Make sure that EventHandlers.xml is in the /db/ldapMetadata/ directory when imported into MDS.

  5. Edit IT Resource configuration in Oracle Identity Manager. To do so:

    1. Log in to the Oracle Identity System Administration as the System Administrator.

    2. In the left navigation pane, under Configuration, click IT Resource. The Manage IT Resource page is displayed.

    3. Search for the Directory Server IT resource.

    4. Update the IT resource with Search base and Reservation container values.

      The suggested value for Search base is the root suffix or the BaseDN, for example, dc=us,dc=oracle,dc=com.

    5. If you want to configure Oracle Identity Manager with OVD server, then enter the values for ServerURL with the OVD server host and port details.

      If you want to configure Oracle Identity Manager with Identity Virtualization Library (libOVD), then do not enter the values for ServerURL. It must be empty.

    6. Enter the values for the bind credentials, as shown:

      Admin Login: cn=oimadmin

      Admin Password: 1111111111

      Note:

      The Oracle Identity Manager proxy user DN is in the following format:

      PROXY_USER,cn=system,ROOT_SUFFIX

      For example: cn=oimadmin,cn=system,dc=us,dc=oracle,dc=com

    7. Make sure that the value for the Reservation Container is cn=reserve,VALUE_OF_THE_ROOT_SUFFIX. For example:

      Reservation Container: cn=reserve,dc=us,dc=oracle,dc=com

  6. For reconciliation jobs, seed the LDAP reconciliation scheduled jobs into the Quartz tables, which are part of the Oracle Identity Manager schema. As a prerequisite, set the OIM_ORACLE_HOME environment variable. For example:

    For Microsoft Windows, set the OIM_ORACLE_HOME environment variable to the C:\Oracle\Middleware\Oracle_IDM1 directory by running the following command:

    set OIM_ORACLE_HOME=C:\Oracle\Middleware\Oracle_IDM
    

    For UNIX, run the following command:

    setenv OIM_ORACLE_HOME /u01/mwhome/Oracle_IDM
    

    Seeding the LDAP reconciliation scheduled jobs can be performed in any one of the following ways:

    Seeding LDAP reconciliation scheduled jobs with parameters:

    1. Go to the $OIM_ORACLE_HOME/server/setup/deploy-files directory.

    2. Set ANT_HOME. The following are sample commands to set ANT_HOME:

      For UNIX:

      setenv ANT_HOME /u01/mwhome/modules/org.apache.ant_1.7.1
      

      For Microsoft Windows:

      set ANT_HOME=C:\Oracle\Middleware\modules\org.apache.ant_1.7.1
      

      Note:

      If ANT is not installed, then download and install ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL:

      http://www.oracle.com/technetwork/index.html

      Install ANT and set ANT_HOME. Make sure that the ant executable exists as $ANT_HOME/bin/ant.

    3. Run the following ant command with parameters:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=SCHEMA_OWNER_USERNAME -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=SCHEMA_HOST_ADDRESS -DoperationsDB.port=SCHEMA_PORT_NUMBER -DoperationsDB.serviceName=SCHEMA_SERVICE_NAME -Dssi.provisioning=ON -Dweblogic.server.dir=WEBLOGIC_SERVER_LOCATION -Dojdbc.location=OJDBC_LOCATION -Dwork.dir=seed_logs
      

      For example:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver  -DoperationsDB.user=schemaowner1_OIM -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=myhost.mycompany.com -DoperationsDB.port=1234 -DoperationsDB.serviceName=oimdb.regress.rdbms.mycompany.com -Dssi.provisioning=ON -Dweblogic.server.dir=MW_HOME/wlserver_10.3 -Dojdbc.location=MW_HOME/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar -Dwork.dir=seed_logs
      

    Seeding LDAP reconciliation scheduled jobs with the profile file:

    1. Set the following environment variables:

      • Set OIM_ORACLE_HOME to the OIM_HOME directory.

      • Set ANT_HOME to the directory in which ANT is installed.

        Note:

        If ANT is not installed, then download and install ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL:

        http://www.oracle.com/technetwork/index.html

        Install ANT and set ANT_HOME. Make sure that the ant executable exists as $ANT_HOME/bin/ant.

    2. Go to the $OIM_ORACLE_HOME/server/bin/ directory.

    3. Create a property file with the properties listed in Table 3-1.

      Note:

      You can also use the appserver.profile file instead of creating a new property file. Make sure that the properties listed in this step are present in it with appropriate values.

      Table 3-1 Parameters of the Property File

      Parameter                  Description
      operationsDB.user          Oracle Identity Manager database schema owner.
      operationsDB.driver        Constant value oracle.jdbc.OracleDriver.
      operationsDB.host          Oracle Identity Manager database schema host address.
      OIM.DBPassword             Oracle Identity Manager database schema owner's password.
      operationsDB.serviceName   Oracle Identity Manager database schema service name, for example, oimdb.regress.rdbms.mycompany.com.
      operationsDB.port          Oracle Identity Manager database schema port number.
      ssi.provisioning           Value must be ON.
      weblogic.server.dir        Directory in which Oracle WebLogic Server is installed, for example, MW_HOME/wlserver_10.3.
      ojdbc.location             Path of the JDBC driver JAR file, for example, MW_HOME/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar.
      work.dir                   Any preferred directory in which the log files are created.

      After the target completes successfully, you can check the logs in the $WORK_DIR/seed_logs/ldap/SeedSchedulerData.log file.


    4. Go to the $OIM_ORACLE_HOME/server/setup/deploy-files/ directory.

    5. Run the following command:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -propertyfile $OIM_ORACLE_HOME/server/bin/PROPERTY_FILE_NAME 
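
The staging and placeholder-substitution work of steps 2 and 3, as an added shell example that is not part of the Oracle documentation or product. It assumes the exported MDS files are under a directory with the /db layout listed in step 2, that LDAPContainerRules.xml is in that same db directory, and that the placeholders are exactly those named in step 3; the rules file it builds for the demonstration is a constructed stand-in.

```shell
#!/bin/sh
# Added example; not part of the Oracle documentation or product. It stages
# the LDAP synchronization metadata files from step 2 into a separate staging
# directory and fills in the container placeholders from step 3.
# Assumptions: the exported MDS tree sits under SRC_DIR/db (for example
# $OIM_ORACLE_HOME/server/metadata/db), LDAPContainerRules.xml is in that same
# db directory, and the placeholders are exactly those named in step 3.

# The /db files that belong to LDAP synchronization (step 2).
LDAP_SYNC_DB_FILES="LDAPUser LDAPRole LDAPRoleHierarchy LDAPRoleMembership \
RA_LDAPROLE.xml RA_LDAPROLEHIERARCHY.xml RA_LDAPROLEMEMBERSHIP.xml \
RA_LDAPUSER.xml RA_MLS_LDAPROLE.xml RA_MLS_LDAPUSER.xml \
ldapMetadata/EventHandlers.xml LDAPContainerRules.xml"

# stage_ldap_metadata SRC_DIR STAGING_DIR
# Copies only the listed files into STAGING_DIR/db, keeping the
# /db/ldapMetadata/EventHandlers.xml path that the import note requires.
# Refuses to use the metadata directory itself as the staging area and
# fails if an oim-config.xml would be imported along with the staged files.
stage_ldap_metadata() {
  src="$1"; staging="$2"
  src_abs=$(cd "$src" && pwd) || return 1
  mkdir -p "$staging/db/ldapMetadata" || return 1
  staging_abs=$(cd "$staging" && pwd) || return 1
  if [ "$src_abs" = "$staging_abs" ]; then
    echo "refusing to stage into the metadata directory itself: $src_abs" >&2
    return 1
  fi
  for f in $LDAP_SYNC_DB_FILES; do
    [ -e "$src/db/$f" ] || { echo "missing metadata file: /db/$f" >&2; return 1; }
    cp -R "$src/db/$f" "$staging/db/$f" || return 1
  done
  if find "$staging" -name oim-config.xml | grep -q .; then
    echo "staging directory contains oim-config.xml; do not import it" >&2
    return 1
  fi
  return 0
}

# is_valid_dn DN: accepts "attr=value" components separated by commas and
# rejects characters that would break the sed replacement below.
is_valid_dn() {
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,=/&]+(,[A-Za-z][A-Za-z0-9-]*=[^,=/&]+)*$'
}

# set_container_rules FILE USER_CONTAINER_DN ROLE_CONTAINER_DN
# Replaces $DefaultUserContainer$ and $DefaultRoleContainer$ in FILE and
# verifies that no placeholder survives.
set_container_rules() {
  file="$1"; user_dn="$2"; role_dn="$3"
  is_valid_dn "$user_dn" || { echo "invalid user container DN: $user_dn" >&2; return 1; }
  is_valid_dn "$role_dn" || { echo "invalid role container DN: $role_dn" >&2; return 1; }
  # The placeholders contain '$', which sed treats as an anchor, so escape it.
  sed -e "s/\\\$DefaultUserContainer\\\$/$user_dn/g" \
      -e "s/\\\$DefaultRoleContainer\\\$/$role_dn/g" "$file" > "$file.tmp" || return 1
  mv "$file.tmp" "$file" || return 1
  if grep -Eq 'DefaultUserContainer|DefaultRoleContainer' "$file"; then
    echo "placeholders still present in $file" >&2
    return 1
  fi
  return 0
}

# Demonstration on a constructed metadata tree (stand-in files, not real
# Oracle Identity Manager metadata).
demo=$(mktemp -d)
mkdir -p "$demo/metadata/db/ldapMetadata"
for f in $LDAP_SYNC_DB_FILES; do
  printf '<!-- constructed stand-in for /db/%s -->\n' "$f" > "$demo/metadata/db/$f"
done
printf '<!-- must never be imported -->\n' > "$demo/metadata/db/oim-config.xml"
# Constructed LDAPContainerRules.xml stand-in carrying the two placeholders.
cat > "$demo/metadata/db/LDAPContainerRules.xml" <<'EOF'
<container-rules>
  <user-container>$DefaultUserContainer$</user-container>
  <role-container>$DefaultRoleContainer$</role-container>
</container-rules>
EOF
stage_ldap_metadata "$demo/metadata" "$demo/staging"
set_container_rules "$demo/staging/db/LDAPContainerRules.xml" \
  "cn=ADRUsers,cn=Users,dc=us,dc=oracle,dc=com" \
  "cn=ADRGroups,cn=Groups,dc=us,dc=oracle,dc=com"
echo "staged files:"; (cd "$demo/staging" && find db -type f | sort)
cat "$demo/staging/db/LDAPContainerRules.xml"
```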
      

3.2 Customizing User Creation Through Oracle Identity Manager With Different Custom Object Classes

You can add custom object classes and custom attributes while creating a new user by adding the custom attributes as user-defined fields (UDFs) in Oracle Identity Manager as well as to the LDAPUser.xml in MDS. As a prerequisite, the custom object class with one or more attributes must be created and loaded into OID.

To add custom attributes as UDFs in Oracle Identity Manager and LDAPUser.xml in MDS:

  1. Add the custom attributes to the user attributes in Oracle Identity Manager, as described in "Creating a Custom Attribute" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  2. Export the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file from the repository, as described in "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  3. Update the LDAPUser.xml file to add the custom attribute and the custom object class. In the examples in the following steps, the custom attribute is custom attribute1 and the custom object class is customObjectClass.

  4. To add additional object classes on 'create', edit LDAPUser.xml and add additional <value> entries to the <parameter name="objectclass"> node. For example:

    <parameter name="objectclass">
      <value>orclIDXPerson</value>
      <value>customObjectClass</value>
    </parameter>
    
  5. Add your custom attributes to the three sections of the LDAPUser.xml file. To do so:

    1. Add the attribute entry to the end of the <entity-attributes> tag, for example:

      <entity-attributes>
      ...................
      ...................
        <attribute name="custom attribute1">
          <type>string</type>
          <required>false</required>
          <attribute-group>Basic</attribute-group>
          <searchable>true</searchable>
        </attribute>
      </entity-attributes>
      
    2. Add the attribute entry to the end of the <target-fields> tag, for example:

      <target-fields>
      ...................
      ...................
        <field name="customattr1">
          <type>string</type>
          <required>false</required>
        </field>
      </target-fields>
      
    3. Add the attribute entry to the end of the <attribute-maps> tag, for example:

      <attribute-maps>
      ...................
      ...................
        <attribute-map>
          <entity-attribute>custom attribute1</entity-attribute>
          <target-field>customattr1</target-field>
        </attribute-map>
      </attribute-maps>
      
    4. Save and close the LDAPUser.xml file.

  6. Import the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file into the repository, as described in "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  7. (Optional) If you want to change the RDN attribute from 'cn' to another attribute, then update the <parameter name="rdnattribute"> tag to the new directory attribute name, and then reimport the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file into the repository. For example:

    <parameter name="rdnattribute">
      <value>companyid</value>
    </parameter>
    
  8. Test the configuration by creating the new user through Oracle Identity Manager.
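
A consistency check for the hand-edited LDAPUser.xml, as an added shell example that is not part of the Oracle documentation or product. It assumes the element names shown in the step 4 and step 5 excerpts, and it runs on a constructed excerpt modelled on them; the check catches the usual hand-edit mistake, a name that differs between the <entity-attributes>, <target-fields>, and <attribute-maps> sections.

```shell
#!/bin/sh
# Added example; not part of the Oracle documentation or product. After the
# three sections of LDAPUser.xml have been edited by hand (step 5), this
# check confirms that every <attribute-map> refers to an entity attribute
# declared under <entity-attributes> and a target field declared under
# <target-fields>, and that the object class from step 4 is listed.
# Assumes the element names shown in the step 4 and step 5 excerpts.

# check_ldapuser_mappings FILE
# Prints one line per dangling reference; returns 0 when consistent, else 1.
check_ldapuser_mappings() {
  file="$1"
  entity_attrs=$(sed -n 's/.*<attribute name="\([^"]*\)">.*/\1/p' "$file")
  target_fields=$(sed -n 's/.*<field name="\([^"]*\)">.*/\1/p' "$file")
  problems=$(
    sed -n 's/.*<entity-attribute>\([^<]*\)<\/entity-attribute>.*/\1/p' "$file" |
      while IFS= read -r name; do
        printf '%s\n' "$entity_attrs" | grep -Fxq -- "$name" ||
          echo "entity-attribute '$name' is not declared under <entity-attributes>"
      done
    sed -n 's/.*<target-field>\([^<]*\)<\/target-field>.*/\1/p' "$file" |
      while IFS= read -r name; do
        printf '%s\n' "$target_fields" | grep -Fxq -- "$name" ||
          echo "target-field '$name' is not declared under <target-fields>"
      done
  )
  [ -n "$problems" ] || return 0
  printf '%s\n' "$problems"
  return 1
}

# has_objectclass FILE CLASS
# True when CLASS appears as a <value> under <parameter name="objectclass">.
has_objectclass() {
  sed -n '/<parameter name="objectclass">/,/<\/parameter>/p' "$1" |
    sed 's/^[[:space:]]*//' | grep -Fxq -- "<value>$2</value>"
}

# Constructed LDAPUser.xml excerpt modelled on the step 4 and step 5 examples.
good=$(mktemp)
cat > "$good" <<'EOF'
<parameter name="objectclass">
  <value>orclIDXPerson</value>
  <value>customObjectClass</value>
</parameter>
<entity-attributes>
  <attribute name="custom attribute1">
    <type>string</type>
    <required>false</required>
    <attribute-group>Basic</attribute-group>
    <searchable>true</searchable>
  </attribute>
</entity-attributes>
<target-fields>
  <field name="customattr1">
    <type>string</type>
    <required>false</required>
  </field>
</target-fields>
<attribute-maps>
  <attribute-map>
    <entity-attribute>custom attribute1</entity-attribute>
    <target-field>customattr1</target-field>
  </attribute-map>
</attribute-maps>
EOF
# The same excerpt with a typo in the mapped target-field name.
bad=$(mktemp)
sed 's/<target-field>customattr1</<target-field>customattr01</' "$good" > "$bad"

check_ldapuser_mappings "$good" && echo "consistent: $good"
check_ldapuser_mappings "$bad" || echo "inconsistent: $bad"
has_objectclass "$good" customObjectClass && echo "customObjectClass is listed"
```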

3.3 Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager

You can configure Identity Virtualization Library (libOVD) adapters by using script and template files related to libOVD. Table 3-2 lists the files used for Identity Virtualization Library (libOVD) adapter configuration.

Table 3-2 Identity Virtualization Library (libOVD) Adapter Configuration Files

File: Files in the $MIDDLEWARE_HOME/oracle_common/modules/oracle.ovd_11.1.1/ directory
Description: Files related to Identity Virtualization Library (libOVD)

File: Files in the $MIDDLEWARE_HOME/oracle_common/bin/ directory:
  libovdadapterconfig.sh
  libovdconfig.sh
  libovdadapterconfig.bat
  libovdconfig.bat
Description: Script files to configure Identity Virtualization Library (libOVD)

File: Files in the $MIDDLEWARE_HOME/Oracle_IDM/libovd/ directory:
  adapter_template_oim_ldap.xml
  adapter_template_oim.xml
Description: Template files to configure Identity Virtualization Library (libOVD)

File: Files in the $MIDDLEWARE_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/ovd/ADAPTER_NAME/ directory:
  adapters.os_xml
  (By default, the value of ADAPTER_NAME is oim.)
Description: Configuration file created after Identity Virtualization Library (libOVD) has been configured


To configure Identity Virtualization Library (libOVD) adapters and integrate with Oracle Identity Manager:

  1. Before running the scripts to configure Identity Virtualization Library (libOVD), set the following environment variables:

    • set MIDDLEWARE_HOME to the appropriate Middleware home directory

    • set ORACLE_HOME to $MIDDLEWARE_HOME/oracle_common

    • set WL_HOME to $MIDDLEWARE_HOME/wlserver_10.3

    • set JAVA_HOME to the appropriate JDK 6 path, for example ../jdk6

  2. To configure Identity Virtualization Library (libOVD):

    Note:

    Substitute the appropriate information of your host computer and directory path in the commands to run the scripts for configuring Identity Virtualization Library (libOVD).

    1. To create the libOVD configuration files and lay out the directory structure, run the following command:

      sh $MW_HOME/oracle_common/bin/libovdconfig.sh -domainPath FULL_PATH_OF_DOMAIN -contextName oim -host ADMINSERVER_HOST -port ADMINSERVER_PORT -userName ADMINSERVER_USERNAME
      

      For example:

      sh $MW_HOME/oracle_common/bin/libovdconfig.sh -domainPath $MIDDLEWARE_HOME/user_projects/domains/base_domain -contextName oim -host myhost.mycompany.com -port 7001 -userName weblogic
      

      This command creates the directory structure containing the OVD configuration files for Oracle Identity Manager and copies the configuration file templates. In the example, the contextName is assumed to be oim, and therefore, the OVD configuration files are created in the DOMAIN_HOME/config/fmwconfig/ovd/oim/ directory. Here, DOMAIN_HOME is the directory that you are using as the home directory for your domain.

      Note:

      Because Identity Virtualization Library (libOVD) is included in Oracle Identity Manager, both are deployed on the same web container. Therefore, the Admin Server host and Admin Server port must be of the same computer on which Oracle Identity Manager is installed, and not of the computer on which OID is installed.

      Running the command displays the following. Enter the password when prompted.

      Enter AdminServer Password: 
      Successfully created OVD config files 
      CSF Credential creation successful 
      Permission Grant successful 
      Successfully configured OVD MBeans
      
    2. To create user and changelog adapters, run the following command:

      sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath FULL_PATH_OF_DOMAIN -contextName oim -host ADMINSERVER_HOST -port ADMINSERVER_PORT -userName ADMINSERVER_USERNAME -adapterName ADAPTER_NAME -adapterTemplate adapter_template_oim.xml -bindDN LDAP_BIND_DN -createChangelogAdapter -dataStore LDAP_DIRECTORY_TYPE -ldapHost LDAP_HOST -ldapPort LDAP_PORT -remoteBase REMOTE_BASE -root VIRTUAL_BASE
      

      Here, the template is the Oracle Identity Manager template, adapter_template_oim.xml. This creates the adapters with the information that you provide when running the script, based on the Oracle Identity Manager template. In the command examples shown in this step, contextName is assumed to be oim.

      Note:

      • Because Identity Virtualization Library (libOVD) is included in Oracle Identity Manager, both are deployed on the same web container. Therefore, the Admin Server host and Admin Server port must be of the same computer on which Oracle Identity Manager is installed, and not of the computer on which OID is installed.

      • In the parameters that you pass while running the tool, value for the -dataStore argument must be the backend directory type. Valid values for this parameter, when using the adapter_template_oim.xml, are OID, ACTIVE_DIRECTORY, IPLANET, and OUD.

      If the backend LDAP server port is configured over SSL, then you must use keytool to import the trusted certificate from the LDAP server into the Identity Virtualization Library (libOVD) keystore. To do so, refer to "Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server".

      Example with non-SSL LDAP server port:

      sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myadminserver.mycompany.com -port 7001 -userName weblogic -adapterName LDAP1 -adapterTemplate adapter_template_oim.xml -bindDN "cn=orcladmin" -createChangelogAdapter -dataStore OID -ldapHost myldaphost.mycompany.com -ldapPort 3060 -remoteBase "dc=us,dc=oracle,dc=com" -root "dc=us,dc=oracle,dc=com"
       
      Enter AdminServer Password: 
       
      Enter LDAP Server Password:
      

      Example with LDAP server port configured over SSL:

      Note:

      If you are using SSL port for the LDAP port, then provide the -enableSSL parameter in the libovdadapterconfig.sh or libovdadapterconfig.bat command.

      sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myadminserver.mycompany.com -port 7001 -userName weblogic -adapterName LDAP1 -adapterTemplate adapter_template_oim.xml -bindDN "cn=orcladmin" -createChangelogAdapter -dataStore OID -ldapHost myldaphost.mycompany.com -ldapPort 3161 -enableSSL -remoteBase "dc=us,dc=oracle,dc=com" -root "dc=us,dc=oracle,dc=com" 
       
      Enter AdminServer Password: 
       
      Enter LDAP Server Password:
      
  3. Restart the web container and Oracle Identity Manager by running the following commands:

    cd $MIDDLEWARE_HOME/user_projects/domains/DOMAIN_NAME/bin/ 
     
    ./stopManagedWebLogic.sh oim_server1 
     
    ./stopWebLogic.sh 
     
    ./startWebLogic.sh 
     
    ./startManagedWebLogic.sh oim_server1
    
  4. To integrate Oracle Identity Manager with Identity Virtualization Library (libOVD):

    1. Log in to Oracle Identity System Administration.

    2. Under Configuration on the left pane, click IT Resource. The Manage IT Resource page is displayed in a separate window.

    3. From the IT Resource Type list, select Directory Server, and then click Search.

    4. For the Directory Server IT resource, click Edit. The Edit IT Resource Details and Parameters page is displayed.

    5. In the Search Base field, enter a value, for example, dc=oracle,dc=com.

    6. In the User Reservation Container field, enter a value, for example, cn=reserve,dc=us,dc=oracle,dc=com.

    7. Restart the WebLogic server on which Oracle Identity Manager is deployed.

    8. Try accessing the server and manage users and roles through the Oracle Identity System Administration.

    9. To verify that the data is managed in the LDAP server configured with the -dataStore option, connect to the LDAP server directly through the ldapclient tool.

3.4 Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server

For SSL, you must export the server side certificates from the directory server and import into Identity Virtualization Library (libOVD), as described in the following sections:

3.4.1 Enabling SSL Between Identity Virtualization Library (libOVD) and Microsoft Active Directory

To export the server side certificates from Active Directory and import into Identity Virtualization Library (libOVD):

  1. Export the certificate from the Active Directory server by referring to the instructions in the following Microsoft TechNet web site URLs:

    http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx

    http://technet.microsoft.com/en-us/library/cc772898%28WS.10%29.aspx

  2. Retrieve the CA signing certificate and save it to a file. To do so:

    1. Log in to the Active Directory domain server as a domain administrator.

    2. Click Start, Control Panel, Administrative Tools, Certificate Authority to open the CA Microsoft Management Console (MMC).

    3. Right-click the CA computer, and select CA Properties.

    4. From the General menu, select View Certificate.

    5. Select the Details view, and click Copy to File on the lower-right corner of the window.

    6. Use the Certificate Export Wizard to save the CA certificate to a file. Alternatively, save it from a command prompt by running the following command:

      certutil -ca.cert OutCACertFile
      

      Note:

      You can save the CA certificate in either DER Encoded Binary X.509 format or Base-64 Encoded X.509 format.

  3. Import the Active Directory CA certificate file saved in step 2f (OutCACertFile) into the Identity Virtualization Library (libOVD) keystore as a trusted entry by running the following command:

    $ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file OutCACertFile -noprompt
    

3.4.2 Enabling SSL Between Identity Virtualization Library (libOVD) and iPlanet

To export certificates from iPlanet (ODSEE) and import into Identity Virtualization Library (libOVD) for enabling SSL between Identity Virtualization Library (libOVD) and iPlanet (ODSEE):

  1. To export certificate from iPlanet (ODSEE), run the following command:

    dsadm export-cert -o OUTPUT_FILE INSTANCE_PATH CERT_ALIAS
    

    For example:

    ./dsadm export-cert -o /tmp/server-cert /scratch/aime1/iPlanet/dsInst/ defaultCert
    Choose the PKCS#12 file password:
    Confirm the PKCS#12 file password:
    
    ls -lrt /tmp
    -rw------- 1 aime1 svrtech 1684 Jan 20 00:39 server-cert
    
  2. To import the iPlanet (ODSEE) certificate created in step 1 to the Identity Virtualization Library (libOVD) keystore as a trusted entry, run the following command:

    $ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass PASSWORD -alias ALIAS_VALUE_USED_FOR_EXPORT -file SERVER-CERT_FILENAME -noprompt
    

    Note:

    Provide the same certificate alias name, which you provided for exporting the certificate, for the '-alias' parameter while importing the certificate. For example:

    $ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias defaultCert -file server-cert -noprompt
    

    In addition, export/import certificates as instructed in the ODSEE documentation in the following URL:

    http://docs.oracle.com/cd/E19656-01/821-1504/gcvhu/index.html

3.4.3 Enabling SSL Between Identity Virtualization Library (libOVD) and OID

To export the server side certificates from OID and import into Identity Virtualization Library (libOVD):

  1. Export the Oracle Internet Directory server certificate in Base64 format using the following command:

    orapki wallet export -wallet LOCATION_OF_OID_WALLET -dn DN_FOR_OID_SERVER_CERTIFICATE -cert ./b64certificate.txt
    

    Note:

    If you use a certificate alias in the orapki command, then an error is generated if the alias is not in all lower case letters.

  2. Import the Oracle Internet Directory server certificate exported in step 1 into the Identity Virtualization Library (libOVD) keystore as a trusted entry using the following command:

    $ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file ./b64certificate.txt -noprompt
    

3.5 Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP

If you create users and roles in an Oracle Identity Manager deployment without LDAP synchronization, and later decide to enable LDAP synchronization, then the users and roles created before LDAP synchronization was enabled must be synchronized with LDAP after enablement. The provisioning of users, roles, role memberships, and role hierarchy to LDAP is achieved by the following predefined scheduled jobs for LDAP:

  • LDAPSync Post Enable Provision Users to LDAP

  • LDAPSync Post Enable Provision Roles to LDAP

  • LDAPSync Post Enable Provision Role Memberships to LDAP

  • LDAPSync Post Enable Provision Role Hierarchy to LDAP

For details about these scheduled jobs, see "Predefined Scheduled Tasks" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

3.6 Disabling LDAP Synchronization

To disable LDAP synchronization in an Oracle Identity Manager deployment:

  1. Remove the /db/ldapMetadata/EventHandlers.xml file from MDS by using Oracle Enterprise Manager. See "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about deleting metadata files from MDS.

  2. Log in to Oracle Identity System Administration as the System Administrator.

  3. Disable all scheduled jobs mentioned in "Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP".

3.7 Creating OVD Adapters

When you select OID or ODSEE or AD during Oracle Identity Manager installation, and if LDAP synchronization is enabled at that time, then Identity Virtualization Library (libOVD) adapters are generated in the backend.

If you do not enable LDAP synchronization during Oracle Identity Manager installation, and want to enable LDAP synchronization after installing Oracle Identity Manager, then you must create and configure libOVD adapters. See "Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager" and "Managing Identity Virtualization Library (libOVD) Adapters" for details.

If you have OVD server configured and want to enable LDAP synchronization after installing Oracle Identity Manager, then the IT Resource page for the Directory Server IT resource type must be configured with the OVD server details. See step 5 in "Enabling Postinstallation LDAP Synchronization".

If OVD server is not configured for the adapters, then you must create the OVD adapters for various default LDAP servers. For details, see "Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

See Also:

"Configuring Oracle Virtual Directory for Integration with Oracle Identity Manager" for information about configuring OVD for integration with Oracle Identity Manager

3.8 Managing Identity Virtualization Library (libOVD) Adapters

In an Oracle Identity Manager deployment with LDAP synchronization enabled and AD, iPlanet (ODSEE), or OID as the directory server, you can manage the Identity Virtualization Library (libOVD) adapters by using WLST commands.

See Also:

Library Oracle Virtual Directory (LibOVD) Commands in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information about the WLST commands to manage Library Oracle Virtual Directory (LibOVD) adapters

To manage the Identity Virtualization Library (libOVD):

  1. Start the WLST console. To do so, run $FMW_ROOT/Oracle_IDM1/common/bin/wlst.sh. This path can be referenced as $OIM_ORACLE_HOME/common/bin/wlst.sh.

    Here, $FMW_ROOT refers to your $MW_HOME directory, for example, /u01/apps/mwhome/.

    $OIM_ORACLE_HOME refers to the directory in which Oracle Identity Manager is deployed, for example, /u01/apps/mwhome/Oracle_IDM1/.

  2. In the WLST console, run the following command:

    connect()
    

    When prompted, provide the WLST username, password, and t3 URL.

  3. Run the following command to display a list of Identity Virtualization Library (libOVD) WLST commands:

    help('OracleLibOVDConfig')
    

    This lists the commands for creating, deleting, and modifying Identity Virtualization Library (libOVD), LDAP, and join adapters. The following commands act on the Identity Virtualization Library (libOVD) configuration associated with a particular OPSS context, which is passed in as a parameter:

    • addJoinRule: Adds a join rule to an existing Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • addLDAPHost: Adds a new remote host to an existing LDAP adapter

      Note:

      The following is an example of adding a remote host, which you repeat for each host in a High Availability (HA) scenario:

      addLDAPHost(adapterName='ldap1', host='myhost.example.domain.com', port=389, contextName='myContext')
      

      See Oracle Fusion Middleware High Availability Guide for detailed information about HA.

    • addPlugin: Adds a plug-in to an existing adapter or at the global level

      See Also:

      "Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about developing plug-ins in Oracle Identity Manager

    • addPluginParam: Adds new parameter values to an existing adapter-level plug-in or global plug-in

    • createJoinAdapter: Creates a new Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • createLDAPAdapter: Creates a new LDAP adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • deleteAdapter: Deletes an existing adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • getAdapterDetails: Displays the details of an existing adapter that is configured for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • listAdapters: Lists the name and type of all adapters that are configured for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • modifyLDAPAdapter: Modifies the existing LDAP adapter configuration

    • removeJoinRule: Removes a join rule from a Join adapter configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context

    • removeLDAPHost: Removes a remote host from an existing LDAP adapter configuration

    • removePlugin: Removes a plug-in from an existing adapter or at the global level

    • removePluginParam: Removes an existing parameter from a configured adapter level plug-in or global plug-in

  4. Run help on the individual commands to get usage, such as:

    help('addPluginParam')
    

The following are examples of updating the AD User Management adapter's oimLanguages attribute for Multi Language Support (MLS), and of removing a parameter from the Changelog plug-in:

  • addPluginParam:

    Use this command to add the oimLanguages parameter to the UserManagement plug-in in the AD user adapter, as shown:

    addPluginParam(adapterName='ldap1', pluginName='UserManagement', paramKeys='oimLanguages', paramValues='fr,zh-CN', contextName='oim')

  • removePluginParam:

    Use this command to remove the oimLanguages parameter from the UserManagement plug-in in the AD user adapter, as shown:

    removePluginParam(adapterName='ldap1', pluginName='UserManagement', paramKey='oimLanguages', contextName='oim')

  • removePluginParam:

    Use this command to remove the modifierDNFilter parameter from the Changelog plug-in, as shown:

    removePluginParam(adapterName='CHANGELOG_ldap1', pluginName='Changelog', paramKey='modifierDNFilter', contextName='oim')

See Also:

"Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for detailed information about creating the OVD adapters for Oracle Identity Manager change log and user management

3.9 Enabling Access Logging for Identity Virtualization Library (libOVD)

Enabling access logging for Identity Virtualization Library (libOVD) allows you to capture all requests and responses flowing through Identity Virtualization Library (libOVD), which can be very useful if you are trying to triage performance issues.

To enable access logging for Identity Virtualization Library (libOVD):

  1. Remove any Identity Virtualization Library (libOVD) loggers that were previously configured in Debug mode. You must remove these loggers to see real performance numbers.

  2. Create a WLS logger named oracle.ods.virtualization.accesslog in WLS with NOTIFICATION level.

  3. Create a WLS loghandler, specifying a file name similar to ovd-access.log and associate that log handler to the logger you created in step 2.

    This loghandler logs all Oracle Virtual Directory access log messages into a separate file.

  4. Create a backup of the DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml file, and then add the following XML fragment (if it is not already present):

    <providers ..>
       ...
       <auditLogPublisher>
          <provider name="FMWAuditLogPublisher">
             ...
          </provider>
          <provider name="AccessLogPublisher">
             <configClass>oracle.ods.virtualization.config.AccessLogPublisherConfig</configClass>
             <properties>
                <property name="enabled" value="true"/>
             </properties>
          </provider>
       </auditLogPublisher>
       ...
    </providers>
  5. Restart the WLS Admin and Managed servers.

Oracle Virtual Directory can now generate the access log in the ovd-access.log file.
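Step 4 is easy to get wrong by hand (a duplicate provider element, or an existing AccessLogPublisher left with enabled="false"). The following added example (not Oracle's code) performs that step idempotently: it backs up provider.os_xml beside itself, adds the AccessLogPublisher provider only if it is absent, flips the enabled property to true if the provider exists but is disabled, and leaves an already-correct file untouched. It matches elements by local name so it works whether or not the file carries a default XML namespace; the sample document embedded in it is constructed for illustration and is not a real provider.os_xml.

```python
# Added example, not Oracle's code. Usage:
#   python enable_ovd_access_log.py $DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml
import shutil
import sys
import time
import xml.etree.ElementTree as ET

ACCESS_LOG_CLASS = 'oracle.ods.virtualization.config.AccessLogPublisherConfig'

# Constructed sample of a provider.os_xml that does not yet contain the publisher.
SAMPLE_PROVIDER_XML = '''<providers>
  <auditLogPublisher>
    <provider name="FMWAuditLogPublisher">
      <!-- constructed sample: the real provider has its own configClass and properties -->
    </provider>
  </auditLogPublisher>
</providers>'''


def _local(tag):
    """Element name without any '{namespace}' prefix."""
    return tag.split('}', 1)[1] if tag.startswith('{') else tag


def _children(parent, name):
    return [el for el in parent if _local(el.tag) == name]


def _find_publisher(root):
    """Return (auditLogPublisher element or None, AccessLogPublisher provider or None)."""
    audits = _children(root, 'auditLogPublisher')
    audit = audits[0] if audits else None
    publisher = None
    if audit is not None:
        for prov in _children(audit, 'provider'):
            if prov.get('name') == 'AccessLogPublisher':
                publisher = prov
    return audit, publisher


def is_access_log_enabled(root):
    _, publisher = _find_publisher(root)
    if publisher is None:
        return False
    for props in _children(publisher, 'properties'):
        for prop in _children(props, 'property'):
            if prop.get('name') == 'enabled':
                return prop.get('value') == 'true'
    return False


def enable_access_log_publisher(root):
    """Ensure the tree has an enabled AccessLogPublisher. Returns True if it was modified."""
    ns = root.tag[1:].split('}', 1)[0] if root.tag.startswith('{') else ''
    q = lambda name: ('{%s}%s' % (ns, name)) if ns else name   # qualify new elements like the root
    if is_access_log_enabled(root):
        return False
    audit, publisher = _find_publisher(root)
    if audit is None:
        audit = ET.SubElement(root, q('auditLogPublisher'))
    if publisher is None:
        publisher = ET.SubElement(audit, q('provider'), name='AccessLogPublisher')
        ET.SubElement(publisher, q('configClass')).text = ACCESS_LOG_CLASS
    props = _children(publisher, 'properties')
    props = props[0] if props else ET.SubElement(publisher, q('properties'))
    for prop in _children(props, 'property'):
        if prop.get('name') == 'enabled':
            prop.set('value', 'true')      # provider present but disabled: switch it on
            return True
    ET.SubElement(props, q('property'), name='enabled', value='true')
    return True


def patch_provider_file(path):
    """Back up provider.os_xml next to itself, then enable the publisher in place."""
    tree = ET.parse(path)
    root = tree.getroot()
    if root.tag.startswith('{'):
        ET.register_namespace('', root.tag[1:].split('}', 1)[0])   # keep the default xmlns on write
    backup = '%s.%s.bak' % (path, time.strftime('%Y%m%d%H%M%S'))
    shutil.copy2(path, backup)
    changed = enable_access_log_publisher(root)
    if changed:
        tree.write(path, encoding='utf-8', xml_declaration=True)
    return changed, backup


def demo():
    """Apply the change twice to the constructed sample: (changed first time, changed second time, enabled)."""
    root = ET.fromstring(SAMPLE_PROVIDER_XML)
    first = enable_access_log_publisher(root)
    second = enable_access_log_publisher(root)
    return first, second, is_access_log_enabled(root)


if __name__ == '__main__':
    changed, backup = patch_provider_file(sys.argv[1] if len(sys.argv) > 1 else 'provider.os_xml')
    print('backup written to %s; file modified: %s' % (backup, changed))
```

Run it before restarting the servers (step 5); the logger and log handler from steps 2 and 3 still need to exist for the published access records to land in ovd-access.log. The backup file name carries a timestamp so repeated runs never overwrite an earlier backup.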

3.10 Configuring LDAP Authentication When LDAP Synchronization is Enabled

Use the following procedure to use LDAP for authentication when LDAP synchronization is enabled.

Note:

This procedure does not enable the following functionality:

  • Forced password changes, including first login, administrator password reset, and expired passwords

  • Forced setting of challenge responses

  1. Configure the LDAP Authenticator in WLS. To do so:

    1. Log in to WebLogic Administrative Console.

    2. Go to Security Realms, myrealm, Providers.

    3. Click New. Enter a name and select OracleInternetDirectoryAuthenticator as the type.

    4. Set the Control Flag to SUFFICIENT.

    5. Click the Provider Specific settings and configure the OID connection details.

    6. In the Dynamic Groups section, enter the following values:

      Dynamic Group Name Attribute: cn

      Dynamic Group Object Class: orcldynamicgroup

      Dynamic Member URL Attribute: labeleduri

      User Dynamic Group DN Attribute: GroupOfUniqueNames

    7. Click the Providers tab. Remove OIM Authenticator from the list of security providers. This ensures that the user is not locked in the Oracle Identity Manager database.

    8. Configure the OIMSignatureAuthenticator security provider in the realm. To do so:

      i) Log in to the WebLogic Administrative Console.

      ii) Navigate to Security Realms, myrealm, Providers, Authentication, New.

      iii) Select OIMSignatureAuthenticator from the drop-down list, and enter OIMSignatureAuthenticator as the provider name.

      iv) Save the changes.

    9. Click Reorder. Reorder the security providers as listed in the following table:

      Authentication Provider        Control Flag
      -----------------------------  ------------
      Default Authenticator          SUFFICIENT
      OIM Signature Authenticator    SUFFICIENT
      LDAP Authenticator             SUFFICIENT
      Default Identity Asserter      No value


  2. Restart all servers.

  3. Validate role memberships.

    1. Log in to the WebLogic Admin Console.

    2. Go to Security Realms, myrealm, User and Groups.

    3. Click Users to display all the users in the LDAP user search base. If the LDAP users are not displayed, there is an error in the LDAP connection details specified in the OID Authenticator's provider-specific settings.

    4. Click any user and then open its group entry. "Oimusers" should be one of the listed entries. If this validation fails, review the LDAP authenticator's provider-specific details.
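The console steps in step 1 can also be applied from WLST, which makes the resulting provider chain reviewable and repeatable across environments. The following is an added example (not Oracle's code) that creates the OID authenticator with the control flag and dynamic-group attributes listed above, removes the OIM Authenticator, and reorders the realm's providers as in the table. It assumes the realm is named myrealm, that the OIM Authenticator appears in the realm under the placeholder name OIMAuthenticationProvider (check the name shown in your own Providers list), that the OIMSignatureAuthenticator and the default WebLogic providers already exist, and that the LDAPAuthenticatorMBean setter names correspond to the console fields. Connection details and the bind password come from environment variables, and the WLST login uses a userConfigFile/userKeyFile pair, so no secret is written into the script.

```python
# Added example, not Oracle's code. Run with:
#   $OIM_ORACLE_HOME/common/bin/wlst.sh configure_ldap_authn.py
import os

try:
    from jarray import array
    from weblogic.management.security.authentication import AuthenticationProviderMBean
except ImportError:        # not inside wlst.sh (for example when unit-testing the helper below)
    array = AuthenticationProviderMBean = None

REALM = 'myrealm'
LDAP_NAME = 'OIDAuthenticator'    # name given to the new provider (assumption)
LDAP_TYPE = 'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator'
OIM_AUTHENTICATOR = 'OIMAuthenticationProvider'   # placeholder: use the name your realm shows
# Order from the table above. The OIMSignatureAuthenticator is assumed to exist already.
DESIRED_ORDER = ['DefaultAuthenticator', 'OIMSignatureAuthenticator', LDAP_NAME, 'DefaultIdentityAsserter']


def ordered_provider_names(existing, desired=DESIRED_ORDER, remove=(OIM_AUTHENTICATOR,)):
    """Provider order to apply: the documented providers first, in the documented order,
    any other provider the realm has after them, the OIM Authenticator dropped.
    Raises if a documented provider is absent so a half-built chain is never activated."""
    missing = [n for n in desired if n not in existing]
    if missing:
        raise ValueError('providers not found in realm %s: %s' % (REALM, ', '.join(missing)))
    extra = [n for n in existing if n not in desired and n not in remove]
    return list(desired) + extra


def configure(oid_host, oid_port, bind_dn, bind_password, user_base_dn, group_base_dn):
    edit()
    startEdit()
    try:
        realm = getMBean('/SecurityConfiguration/%s/Realms/%s' % (domainName, REALM))

        # Steps 1.3 to 1.6: OID authenticator, SUFFICIENT, connection and dynamic-group settings.
        if realm.lookupAuthenticationProvider(LDAP_NAME) is None:
            realm.createAuthenticationProvider(LDAP_NAME, LDAP_TYPE)
        ldap = realm.lookupAuthenticationProvider(LDAP_NAME)
        ldap.setControlFlag('SUFFICIENT')
        ldap.setHost(oid_host)
        ldap.setPort(oid_port)
        ldap.setSSLEnabled(True)          # LDAPS, so bind credentials do not cross the wire in clear
        ldap.setPrincipal(bind_dn)
        ldap.setCredential(bind_password)
        ldap.setUserBaseDN(user_base_dn)
        ldap.setGroupBaseDN(group_base_dn)
        ldap.setDynamicGroupNameAttribute('cn')
        ldap.setDynamicGroupObjectClass('orcldynamicgroup')
        ldap.setDynamicMemberURLAttribute('labeleduri')
        ldap.setUserDynamicGroupDNAttribute('GroupOfUniqueNames')

        # Step 1.7: remove the OIM Authenticator so users are not locked in the OIM database.
        oim = realm.lookupAuthenticationProvider(OIM_AUTHENTICATOR)
        if oim is not None:
            realm.destroyAuthenticationProvider(oim)

        # Step 1.9: reorder the chain; ordered_provider_names() fails before activate()
        # if any documented provider is missing.
        names = [p.getName() for p in realm.getAuthenticationProviders()]
        order = ordered_provider_names(names)
        realm.setAuthenticationProviders(
            array([realm.lookupAuthenticationProvider(n) for n in order], AuthenticationProviderMBean))
        save()
        activate()
        return order
    except:
        cancelEdit('y')       # leave the domain unchanged on any failure
        raise


if __name__ == 'main':   # WLST sets __name__ to 'main' for scripts passed to wlst.sh
    connect(userConfigFile=os.environ['WLST_USER_CONFIG'],   # files created with storeUserConfig()
            userKeyFile=os.environ['WLST_USER_KEY'],
            url=os.environ.get('WLST_URL', 't3://localhost:7001'))
    print(configure(os.environ['OID_HOST'], int(os.environ['OID_PORT']),
                    os.environ['OID_BIND_DN'], os.environ['OID_BIND_PASSWORD'],
                    os.environ['OID_USER_BASE_DN'], os.environ['OID_GROUP_BASE_DN']))
    disconnect()
```

After activate(), restart all servers (step 2) and run the step 3 validation: if Users shows no LDAP entries or a user's groups do not include Oimusers, the provider-specific connection details set in configure() are the first thing to check.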