The Identity Password Framework (IPF) password policy plugin handles the password related flows during login. Configuring the IPF password policy plugin is the most critical step in making sure that OAM and OIM LDAP applications can work in tandem.
Using the IPF password plugin in OAM makes sure that password features act across both OAM and OIM in similar ways. This section contains the following information:
The IPF password service can be enabled in a newly installed (not upgraded) environment by manually editing oam-config.xml.
Edit oam-config.xml and add the following line:
<Setting Name="pswdServiceDataVersion" Type="xsd:string">3</Setting>
This procedure assumes:
The WebLogic Server, Oracle Internet Directory, Oracle HTTP Server and a database are installed.
Oracle Access Management is installed in DB mode and configured to use OID as a user store.
WebGate 11g is installed and configured against the policy server.
The exact mechanism of extending LDAP directory for each directory type.
As a verification step, check <DOMAIN_HOME>/config/fmwconfig/oam-config.xml on each of the OAM Managed Server nodes to ensure that the updated version has propagated correctly.
Note that the password policy in OAM should be in sync with that of OAM LDAP to work consistently between both products.
See Accessing Password Policy Configuration Page for details. It is up to the administrator to ensure that the policies are indeed the same and consistent.
Depending on the type of the directory, add the required objectclass schema definitions so that the LDAP directory can use these to extend the user objectclass. The appropriate schema files are located in $IDM_HOME/modules/oracle.idm.ipf_11.1.2/scripts/ldap.
Table 24-9 documents the LDIF file to use with supported LDAP directories.
Table 24-9 Included LDIF Schema Files
| LDAP Directory | LDIF Schema File |
|---|---|
|
OID |
OID_OblixSchema.ldif, OID_OracleSchema.ldif |
|
AD |
AD_OblixSchema.ldif, AD_OracleSchema.ldif |
|
OUD |
OUD_OblixSchema.ldif, OUD_OracleSchema.ldif |
|
ODSEE |
IPLANET_OblixSchema.ldif, IPLANET_OracleSchema.ldif |
|
OPENLDAP |
OLDAP_OblixSchema.schema, OLDAP_OracleSchema.schema |
|
OVD |
OVD_OblixSchema.ldif, OVD_OracleSchema.ldif |
|
Tivoli |
TIVOLI_OblixSchema.ldif, TIVOLI_OracleSchema.ldif |
|
EDIR |
EDIR_OblixSchema.ldif, EDIR_OracleSchema.ldif |
The Password Policy Validation Authentication Module needs to be configured to use the required identity store, as well as some of the operations configuration as per installation requirements.
There are no credential collector dependencies when defining the Password Policy Validation Module for authentication. The User Password Status Step is the unique step that relies on the IPFUserPasswordPolicyPlugin. See "Password Policy Validation Authentication Module" and Configuring the PasswordPolicyValidationScheme
If the forgot password feature needs to be enabled in OAM, the IPFForgotPasswordModule is used. The forgot password authentication enables OAM users to change their password by authenticating them using previously collected challenges.
The administrator can setup forgot password URL by following the procedure documented in Administering the Forgot Password URL.