Before you can use your LDAP directory as an Identity Store, you must preconfigure it. The procedure in this section describes how to preconfigure Microsoft Active Directory for use as your LDAP Identity Store.
Complete the following steps to preconfigure the Identity Store:
Note:
The data used in the examples below is sample data. Follow the examples, but replace the values with the appropriate data for your LDAP server configuration.
1. Create the Reserve container, for example:

   dn: cn=Reserve,dc=extranetdev,dc=lan
   objectClass: top
   # top is an abstract class; Active Directory needs a structural class such as container to create the entry
   objectClass: container
   cn: Reserve

2. Create a user for OIM (uid: oimadmin, pw: welcome11gR2) in the Directory Server, outside the search base used for OIM reconciliation.
3. Create a user (uid: xelsysadm, pw: welcome11gR2).
4. Create a group OIM Administrators and assign the users oimadmin and xelsysadm to the group.
5. If you want to enable OAM-OIM integration, create a user for OAM (uid: oamadmin, pw: welcome11gR2).
6. If you want to enable OAM-OIM integration, create a group OAM Administrators and assign the oamadmin user to the group.
7. If you want to enable OAM-OIM integration, create a user for WebLogic Administration (uid: WLAdmin, pw: welcome11gR2).
8. If you want to enable OAM-OIM integration, create a group WLSAdmins and assign the oamadmin user to the group.
9. Add the ACLs that need to be set up:
   OIM Administrators group: complete read/write privileges to all the user and group entities in the directory. This group also needs read/write privileges for the Reserve container.
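The container, user and group steps above can be rendered as LDIF from a single base DN, and the one requirement that is easy to get wrong (the oimadmin account sitting outside the OIM reconciliation search base) can be checked before anything is loaded. The following shell script is an added example and is not from the Oracle documentation; the base DN dc=extranetdev,dc=lan is the page's sample, while the ou=People search base, the ou=ServiceAccounts container and the description values are constructed for this example. Passwords (welcome11gR2 in the page's sample) are deliberately not written into the file: Active Directory only accepts a unicodePwd set over an encrypted (LDAPS) connection, so set them in a separate step.

```shell
# Added example, not from the Oracle documentation: render the bootstrap LDIF
# for the Reserve container, the OIM accounts and the OIM Administrators
# group from a base DN, and check that oimadmin is placed outside the OIM
# reconciliation search base before anything is loaded.
# DOMAIN_DN is the page's sample; SEARCH_BASE and ADMIN_CONTAINER are
# constructed values for this example.

DOMAIN_DN="dc=extranetdev,dc=lan"
SEARCH_BASE="ou=People,${DOMAIN_DN}"              # subtree that OIM reconciles
ADMIN_CONTAINER="ou=ServiceAccounts,${DOMAIN_DN}"  # deliberately outside it

# dn_under BASE DN: succeeds when DN is BASE or lies beneath it
# (case-insensitive; spaces are stripped from both sides before comparing)
dn_under() {
  base=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')
  dn=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')
  case "$dn" in
    "$base"|*",$base") return 0 ;;
    *) return 1 ;;
  esac
}

# user_ldif DN NAME DESCRIPTION: one AD user entry. No password here: AD
# only accepts unicodePwd over an encrypted connection, so set it later
# over LDAPS rather than embedding it in a file.
user_ldif() {
  printf 'dn: %s\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: %s\nsAMAccountName: %s\ndescription: %s\n\n' "$1" "$2" "$2" "$3"
}

# group_ldif DN NAME MEMBER_DN...: a global security group with its members
# (groupType -2147483646 = 0x80000002, global + security-enabled)
group_ldif() {
  gdn=$1; gname=$2; shift 2
  printf 'dn: %s\nobjectClass: top\nobjectClass: group\ncn: %s\nsAMAccountName: %s\ngroupType: -2147483646\n' "$gdn" "$gname" "$gname"
  for m in "$@"; do printf 'member: %s\n' "$m"; done
  printf '\n'
}

# bootstrap_ldif: the LDIF for the Reserve container, users and group, or a
# non-zero exit if the oimadmin DN would fall inside the search base
bootstrap_ldif() {
  oim_dn="cn=oimadmin,${ADMIN_CONTAINER}"
  xel_dn="cn=xelsysadm,${SEARCH_BASE}"
  if dn_under "$SEARCH_BASE" "$oim_dn"; then
    echo "oimadmin must live outside the reconciliation search base ${SEARCH_BASE}" >&2
    return 1
  fi
  printf 'dn: cn=Reserve,%s\nobjectClass: top\nobjectClass: container\ncn: Reserve\n\n' "$DOMAIN_DN"
  user_ldif "$oim_dn" oimadmin "OIM service account"
  user_ldif "$xel_dn" xelsysadm "OIM system administrator"
  group_ldif "cn=OIM Administrators,${ADMIN_CONTAINER}" "OIM Administrators" "$oim_dn" "$xel_dn"
}

bootstrap_ldif   # print the LDIF for review; save it and load it with ldapadd -f
```

The DN suffix check is the part worth keeping: if oimadmin ends up under the search base, OIM will reconcile its own service account as an ordinary user, which is exactly what step 2 tells you to avoid.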
10. Extend the OIM Schema for Active Directory.
    The OIM Schema for Active Directory is located at:
    MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
    The following LDIF files are located in the IAM_HOME/oam/server/oim-intg/ldif/ad/schema directory:
    adOAMDisable.ldif
    adOAMEnable.ldif
    adOIMLanguageSubtype.ldif
    adOIMSchema.ldif
    Run the following command to extend the Active Directory schema.
    On Windows:
    extendadschema.bat -h AD_host -p AD_port -D <administrator@mydomain.com> -AD <dc=mydomain,dc=com> -OAM <true/false>
    On UNIX:
    extendadschema.sh -h AD_host -p AD_port -D <administrator@mydomain.com> -AD <dc=mydomain,dc=com> -OAM <true/false>
    Specify the value of the -OAM parameter as true if you want to enable OAM-OIM integration, or as false if you do not.
    Note:
    The extendadschema script is certified only on Active Directory 2003, 2008 and 2008R2.
11. If you want to enable OAM-OIM integration, extend the OAM schema as follows:
    a. Navigate to the IAM_HOME/oam/server/oim-intg/ldif/ad/schema directory and locate the following files:
       ADUserSchema.ldif
       AD_oam_pwd_schema_add.ldif
    b. In the above LDIF files, replace domain-dn with the appropriate domain-dn value.
    c. Use ldapadd from the command line to load the two LDIF files, as follows:
       Navigate to the following directory:
       cd IAM_HOME/oam/server/oim-intg/ldif/ad/schema/
       Run the ldapadd command once for each file:
       ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f ADUserSchema.ldif
       ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f AD_oam_pwd_schema_add.ldif
       where AD_administrator is the user with schema extension privileges to the directory.
       For example:
       ldapadd -h activedirectoryhost.mycompany.com -p 389 -D adminuser -q -c -f ADUserSchema.ldif
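Step b (replace domain-dn) is a manual edit, and a file in which the placeholder survived will either fail at ldapadd or, with -c (continue on error), silently skip entries. The shell script below is an added example, not part of the Oracle documentation: it performs the substitution, counts any leftover placeholders, and only hands the file to the documented ldapadd command when none remain. TEMPLATE is a constructed stand-in for the real ADUserSchema.ldif / AD_oam_pwd_schema_add.ldif contents (the attribute name exampleAttr is invented), and the host, port and bind DN are whatever you would pass on the command line.

```shell
# Added example, not from the Oracle documentation: substitute the domain-dn
# placeholder in a schema LDIF and refuse to hand a file to ldapadd while
# the placeholder is still present. TEMPLATE is a constructed stand-in for
# the real schema files; exampleAttr is an invented attribute name.

TEMPLATE='dn: CN=exampleAttr,CN=Schema,CN=Configuration,domain-dn
changetype: add
objectClass: attributeSchema
cn: exampleAttr
'

# render_schema_ldif DOMAIN_DN: reads a template on stdin, writes the
# rendered LDIF on stdout. DNs contain '=' and ',' but no '/', so sed's
# default delimiter is safe here.
render_schema_ldif() {
  sed "s/domain-dn/$1/g"
}

# unresolved_placeholders FILE: number of lines still carrying domain-dn
# (grep -c prints 0 and exits 1 on no match, hence the || true)
unresolved_placeholders() {
  grep -c 'domain-dn' "$1" || true
}

# load_schema HOST PORT BIND_DN FILE: the documented ldapadd invocation,
# run only once the file has no placeholder left. As in the documented
# command, the bind password is not passed on the command line (-q prompts
# for it in Oracle's ldapadd), so it never shows in the process list.
load_schema() {
  n=$(unresolved_placeholders "$4")
  if [ "$n" -ne 0 ]; then
    echo "refusing to load $4: $n line(s) still contain domain-dn" >&2
    return 2
  fi
  ldapadd -h "$1" -p "$2" -D "$3" -q -c -f "$4"
}

# usage: render the template for the sample domain and report leftovers
RENDERED=$(mktemp)
printf '%s' "$TEMPLATE" | render_schema_ldif "dc=extranetdev,dc=lan" > "$RENDERED"
echo "unresolved placeholders in $RENDERED: $(unresolved_placeholders "$RENDERED")"
```

Run the render step once per schema file, inspect the rendered copy, and then call load_schema with your Active Directory host, port and the DN of the account that holds schema extension rights; the function exits with status 2 rather than touching the directory if the check fails.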