This appendix explains how to manually configure LDAP synchronization of Oracle Identity Manager with the LDAP identity store post-installation.
Note:
LDAP synchronization is required only if you are using Oracle Identity Manager in database mode and Oracle Identity Manager is integrated with Access Manager (OAM). If your installation does not require OAM, then LDAP synchronization is not required and you can skip this appendix. If you plan to use LDAP synchronization, there are prerequisite steps that must be taken to configure the LDAP directories. These prerequisites are described in subsequent sections in this document.
For an overview of the integration between LDAP identity store and Oracle Identity Manager, see Section 1.1.3, "About LDAP Synchronization in Oracle Identity Manager".
This appendix contains the following topics:
Perform the following steps to configure LDAP synchronization:
Ensure that all prerequisites are performed in the identity store. See Section E.1.1, "Completing the Prerequisites for Enabling LDAP Synchronization" for more information.
Create the OVD adapters.
In LDAP synchronization, Oracle Identity Manager uses the virtualization functionality of OVD. This can be used in any one of the following ways:
Install a standalone instance of OVD: When you use a standalone instance of OVD, you must create OVD adapters.
Use Identity Virtualization Library (libOVD): With libOVD, a runtime library is used by Oracle Identity Manager as part of its own process, which simplifies installation and maintenance.
For detailed information, see Section E.1.3, "Creating OVD Adapters".
Enable LDAP synchronization. See Section E.1.4, "Enabling LDAP Synchronization" for information.
Perform post-configuration steps of LDAP synchronization. See Section E.2.1, "Running the LDAP Post-Configuration Utility" for information.
Verify LDAP synchronization. See Section E.2.2, "Verifying the LDAP Synchronization" for details.
LDAP directory servers must be configured with default containers (including changelog), administrators, and Access Control Lists (ACIs). The exact procedure is determined by the choice of LDAP server.
Preconfiguring OID, OUD, and standalone OVD: Preconfigure OID, OUD, and OVD by running the idmConfigTool utility. This adds user, group, and reserve containers and the appropriate ACIs. The required preconfiguration step is performed by the following command:
idmConfigTool -preConfigIDStore
The idmConfigTool is in the IAM_ORACLE_HOME/idmtools/bin/ directory. The preConfigIDStore option extends the schema in OUD or OID, adding object classes required by the integration. It also creates a number of users and groups. Based on the information you provide in the configuration file, this command acts on the appropriate identity store. For example:
./idmConfigTool.sh -preConfigIDStore input_file=/scratch/fwadmin/ldap_scripts/prepareIDStore.properties
Note:
On a replicated OUD instance, cn=changelog is available by default, provided that the instance contains both the directory server and the replication server components (which is the default). The changelog has no additional cost because replication is already running.
On a non-replicated OUD instance, cn=changelog is not available by default, because it costs disk and CPU that should not be paid if the changelog is not needed. It can be enabled with the following command:
$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b dc=example,dc=com -X -n
In an Oracle Identity Manager deployment that is integrated with Access Manager, it is a requirement that the changelog is enabled for Oracle Identity Manager LDAP synchronization with OUD to work.
See Section E.1.2, "Configuring Changelog in OUD" for more information about enabling the external change log.
Here, prepareIDStore.properties is the configuration file, with the following input parameters and sample values:
IDSTORE_HOST: HOST_NAME
IDSTORE_PORT: PORT
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=us,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=us,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=us,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=Systemids,dc=us,dc=example,dc=com
If you are using OUD as the identity store, then the additional properties are:
IDSTORE_ADMIN_PORT : 4444
IDSTORE_KEYSTORE_FILE : /u01/config/instances/oud1/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD : Abcd1234
The value of the IDSTORE_KEYSTORE_PASSWORD parameter is the content of the /u01/config/instances/oud1/OUD/config/admin-keystore.pin file.
The idmConfigTool can then be run with the following command:
idmConfigTool.sh -prepareIDStore mode=OIM input_file=configfile
For OID and OUD, to perform additional schema extensions and create additional users and groups, the following is a sample property file:
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP: OIMAdministrators
If you are using OUD as the identity store, then the additional properties are:
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: /u01/config/instances/oud1/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Abcd1234
See Appendix D, "Using the idmConfigTool Command" for more information about using the idmConfigTool utility.
Note:
For information about errors that might occur when synchronizing with OUD and workaround steps, see Section E.2.14, "Fixing Permission Errors with OUD ACIs".
Preconfiguring ODSEE and AD: If Oracle Directory Server Enterprise Edition (ODSEE) or Active Directory (AD) is used, then do not use the idmConfigTool utility. Instead, follow the manual steps described in subsequent sections in this document.
The following sections describe how to preconfigure the Identity Store for Active Directory and ODSEE:
Before you can use your LDAP directory as an identity store, you must preconfigure it. The procedure in this section enables you to preconfigure Microsoft Active Directory for using it as your LDAP identity store.
Note:
The data used in the examples provided below is sample data. Follow the examples and replace the sample values with appropriate data according to your LDAP server configuration.
To preconfigure the identity store:
Create User, Group, and Reserve Container, as shown:
dn: cn=Reserve,dc=example,dc=com
cn: Reserve
objectclass: top

dn: cn=Groups,dc=example,dc=com
cn: Groups
objectclass: top

dn: cn=Users,dc=example,dc=com
cn: Users
objectclass: top
In Active Directory, create a container outside the search base to be used for Oracle Identity Manager reconciliation. This will avoid administrative users being reconciled into Oracle Identity Manager. For example:
dn: cn=systemids,dc=example,dc=com
cn: systemids
objectClass: top
Create the administrative user for Oracle Identity Manager inside this container:
dn: cn=oimadmin,cn=systemids,dc=example,dc=com
cn: oimadmin
objectclass: user
In the Users container created in step 1, create the system administrator user, with uid: SYSTEM_ADMINISTRATOR and an appropriate password.
In the Groups container created in step 1, create a group Oim Administrators, and then assign the users oimadmin and SYSTEM_ADMINISTRATOR to this group.
In the container created in step 2, create a user oamadmin with a password, such as welcome11gR2.
In the Groups container created in step 1, create a group OAM Administrators and assign the oamadmin user to the group.
In the Users container created in step 1, create a user for WebLogic administration with ID WLAdmin and password welcome11gR2.
In the Groups container created in step 1, create a group WLSAdmins, and assign the WLAdmin user to that group.
Add the ACLs that need to be set up:
Oim Administrators group: complete read/write privileges to all the user and group entities in the directory. This group also needs read/write privileges for the Reserve container.
Extend the OAM schema, as follows:
Navigate to the IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema directory, and locate the following files:
ADUserSchema.ldif
AD_oam_pwd_schema_add.ldif
In the above LDIF files, replace the domain-dn with the appropriate domain-dn value.
Use ldapadd from the command line to load the two LDIF files, as follows:
Navigate to the following directory:
cd IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/
Run the ldapadd command:
ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f ADUserSchema.ldif
ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f AD_oam_pwd_schema_add.ldif
Here, AD_administrator is the user with schema extension privileges to the directory. For example:
ldapadd -h activedirectoryhost.mycompany.com -p 389 -D adminuser -q -c -f ADUserSchema.ldif
Extend the OIM Schema for Active Directory by using the extendadschema script.
The extendadschema script and the OIM Schema for Active Directory are located at:
MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
This directory contains the following files used by extendadschema for extending Active Directory:
adOAMDisable.ldif
adOAMEnable.ldif
adOIMLanguageSubtype.ldif
adOIMSchema.ldif
Run the following command to extend Active Directory schema:
On Windows:
extendadschema.bat -h AD_host -p AD_port -D <administrator@mydomain.com> -AD <dc=mydomain,dc=com> -OAM <true/false>
On UNIX:
extendadschema.sh -h AD_host -p AD_port -D <administrator@mydomain.com> -AD <dc=mydomain,dc=com> -OAM <true/false>
Specify the value of the -OAM parameter as true.
Note:
The extendadschema script is certified only on Active Directory 2003, 2008, 2008R2, and 2012.
Set the Active Directory password policy. To do so:
Verify that the value of the pwdMaxFailure configuration parameter for the libOVD adapter in the DOMAIN_HOME/config/fmwconfig/ovd/oim/adapters.os_xml file is set to 10.
Set the lockoutThreshold
value to 10
in Active Directory. For information about lockoutThreshold, refer to the following URL:
https://technet.microsoft.com/en-us/library/cc775412%28v=ws.10%29.aspx
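The following is an added example, not part of the Oracle documentation, that wraps the Active Directory preconfiguration steps above into checkable form. It generates the container and proxy-account LDIF for a domain DN, verifies that the systemids container really sits outside the user search base (the reason step 2 places it there), and checks that the libOVD pwdMaxFailure in adapters.os_xml equals the AD lockoutThreshold the page requires (10). The objectClass: container added to the container entries is my addition (Active Directory needs a structural class in addition to top); the adapters.os_xml fragment is constructed and far smaller than the real file.

```shell
#!/bin/sh
# Added example (not Oracle's code): build the AD preconfiguration LDIF and
# run two consistency checks the page asks for.
set -eu

# Emit the Reserve, Groups, Users and systemids containers plus the oimadmin
# proxy account for the given domain DN. Assumption: objectClass container is
# the structural class used for the cn= containers (the page lists only top).
gen_ad_preconfig_ldif() {
  domain_dn=$1
  for c in Reserve Groups Users systemids; do
    printf 'dn: cn=%s,%s\ncn: %s\nobjectClass: top\nobjectClass: container\n\n' "$c" "$domain_dn" "$c"
  done
  printf 'dn: cn=oimadmin,cn=systemids,%s\ncn: oimadmin\nobjectClass: user\n' "$domain_dn"
}

# Return 0 if DN ($1) lies under BASE ($2): case-insensitive suffix match on
# an RDN boundary, tolerating spaces after the commas.
dn_is_under() {
  dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
  base=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
  case $dn in
    *",$base") return 0 ;;
  esac
  return 1
}

# Return 0 only if the proxy account's container ($1) is outside the user
# search base ($2); otherwise OIM would reconcile the administrative users.
proxy_container_outside_search_base() {
  if dn_is_under "$1" "$2"; then
    echo "WARNING: $1 is inside the search base $2" >&2
    return 1
  fi
}

# Print the pwdMaxFailure value found in adapters.os_xml content passed as $1.
pwd_max_failure_from_xml() {
  printf '%s\n' "$1" | sed -n 's/.*name="pwdMaxFailure"[^>]*value="\([0-9]*\)".*/\1/p' | head -n 1
}

# Return 0 if the libOVD pwdMaxFailure equals the AD lockoutThreshold ($2).
lockout_policy_consistent() {
  v=$(pwd_max_failure_from_xml "$1")
  [ -n "$v" ] && [ "$v" -eq "$2" ]
}

# Constructed fragment of adapters.os_xml; only the param line matters here.
SAMPLE_ADAPTERS_OS_XML='<adapters>
  <ldap id="oim_ad_user">
    <param name="pwdMaxFailure" value="10"/>
  </ldap>
</adapters>'

if [ "${1:-}" = "demo" ]; then
  gen_ad_preconfig_ldif "dc=example,dc=com"
  proxy_container_outside_search_base "cn=systemids,dc=example,dc=com" "cn=Users,dc=example,dc=com" \
    && echo "systemids is outside the user search base"
  lockout_policy_consistent "$SAMPLE_ADAPTERS_OS_XML" 10 \
    && echo "pwdMaxFailure matches lockoutThreshold"
fi
```

Run it as `sh preconfig_ad.sh demo` to print the LDIF and the two check results; in a real deployment pass the IDSTORE_USERSEARCHBASE and the actual adapters.os_xml content (`"$(cat DOMAIN_HOME/config/fmwconfig/ovd/oim/adapters.os_xml)"`) to the check functions, and read the AD side of the comparison from the domain password policy.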
Before you can use your LDAP directory as an identity store, you must preconfigure it. The procedure in this section preconfigures Oracle Directory Server Enterprise Edition (ODSEE) as your LDAP identity store when you are integrating with OAM and therefore configuring LDAP synchronization.
Note:
If your LDAP identity store has already been configured with the containers and the oimadminuser, and the schema extension has been applied, then you need not follow the configuration steps described in this section.
cn=oracleAccounts is sample data suggesting a name for a directory container meant to hold the information to be synchronized with OIM. It is not mandatory to use this name; follow the examples and replace the sample data according to your LDAP server configuration.
To preconfigure the identity store:
Create a new file iPlanetContainers.ldif. Add the following entries and save the file.
dn: cn=oracleAccounts,dc=mycompany,dc=com
cn: oracleAccounts
objectClass: nsContainer

dn: cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
cn: Users
objectClass: nsContainer

dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
cn: Groups
objectClass: nsContainer

dn: cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
cn: Reserve
objectClass: nsContainer
Import the containers into iPlanet Directory Server with ldapadd command. This will create the user, group and reserve containers.
ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -c -f ./iPlanetContainers.ldif
For example:
ldapadd -h localhost -p 1389 -D "cn=Directory Manager" -w "welcome1" -c -f ./iPlanetContainers.ldif
If the above command gives an authentication error, retry it with the -x option (simple bind):
ldapadd -h localhost -p 1389 -x -D "cn=Directory Manager" -w "welcome1" -c -f ./iPlanetContainers.ldif
Enable the moddn property so that entries can be renamed (moved) between nodes.
..dsee7/bin/dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> moddn-enabled:on
For example:
..dsee7/bin/dsconf set-server-prop -h localhost -p 1389 moddn-enabled:on
Enable changelog.
..dsee7/bin/dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> retro-cl-enabled:on
For example:
..dsee7/bin/dsconf set-server-prop -h localhost -p 1389 retro-cl-enabled:on
Check the status, as shown:
..dsee7/bin/dsccsetup status
Stop and Start the ODSEE server instance.
..dsee7/bin/dsadm stop <ODSEE instance>
..dsee7/bin/dsadm start <ODSEE instance>
For example:
..dsee7/bin/dsadm stop /scratch/<userid>/iPlanet/dsinst1/
..dsee7/bin/dsadm start /scratch/<userid>/iPlanet/dsinst1/
Extend the Sun schema to include OIM-specific Object Classes and Attribute Types.
cd to $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
Run the following command to load the LDIF file sunOneSchema.ldif:
ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f sunOneSchema.ldif
For example:
./ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w welcome1 -c -f sunOneSchema.ldif
If you want to enable OAM-OIM integration, then extend the OAM schema as well.
For ODSEE/iPlanet, to extend the OAM schema, locate the following files:
Note:
If you are not sure which index-root you should use, then instead of iPlanet7_user_index_add.ldif use the iPlanet7_user_index_generic.ldif file, which also has step-by-step instructions on finding the index-root.
Use ldapadd and ldapmodify from the command line to load the four LDIF files:
cd $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/
ldapadd -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet7_user_index_add.ldif
Or:
ldapadd -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet7_user_index_generic.ldif
ldapmodify -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet_oam_pwd_schema_add.ldif
ldapmodify -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet_user_schema_add.ldif
ldapadd -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet_user_index_add.ldif
Enable Referential Integrity for OIM's Common Name Generation feature.
Whenever the DN or RDN of an entry is modified, referential integrity needs to be enabled both in OIM and in the directory server (OID, Active Directory, or ODSEE).
If referential integrity is enabled in the directory server, then you must set the OIM system property XL.IsReferentialIntegrityEnabledInLDAP to TRUE; by default it is FALSE. To do so, log in to OIM and go to Advanced, System Management, System Configuration. Search for the system property XL.IsReferentialIntegrityEnabledInLDAP, and set its value to TRUE.
Use the following command to see the value of the referential integrity property.
..dsee7/bin/dsconf get-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled
Enter "cn=Directory Manager" password:
ref-integrity-enabled : off
Use the following commands to enable the referential integrity property.
./dsconf set-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled:on
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect. Restart ODSEE/iPlanet Server after enabling referential integrity property.
..dsee7/bin/dsadm stop <ODSEE instance>
..dsee7/bin/dsadm start <ODSEE instance>
For example:
..dsee7/bin/dsadm stop /scratch/<userid>/iPlanet/dsinst1/
..dsee7/bin/dsadm start /scratch/<userid>/iPlanet/dsinst1/
Now query to see if the value has been set correctly.
..dsee7/bin/dsconf get-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled
Enter "cn=Directory Manager" password:
ref-integrity-enabled : on
Create the OIM admin user, group, and the ACIs. Open a new file oimadminuser.ldif. This oimAdminUser is used as a proxy user for OIM.
The root suffix is given as dc=mycompany,dc=com. Replace it with the appropriate root suffix of the ODSEE server.
Add the following LDAP entries and save the file oimadminuser.ldif:
dn: cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: nsContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=users,cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=users,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare, write, delete, import) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access"; allow (read, search, compare, add, write, delete) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access"; allow (read, search, compare, add, write, delete, export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=changelog
changetype: modify
add: aci
aci: (target = "ldap:///cn=changelog")(targetattr = "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access"; allow (read, search, compare, add, write, delete, export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
Run the following command to load the file oimadminuser.ldif:
ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f oimadminuser.ldif
Use the following commands to check for the entries and ACIs in the LDAP directory:
ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=changelog" -s sub "objectclass=*" aci
ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=users,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci
ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=groups,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci
ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci
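The following is an added example, not part of the Oracle documentation, for the ODSEE proxy-user step above. It generates oimadminuser.ldif from a root suffix, a container base and a password supplied at run time (so the password is not committed in a file), and then audits every aci line in the result: each grant must bind to the oimAdminGroup groupdn and none may use userdn "anyone" or "all". One deliberate deviation from the page is labelled in the code: the cn=changelog ACI grants only read, search and compare, because OIM only reads the retro changelog during reconciliation. The audit is useful on its own against the aci output of the ldapsearch commands above.

```shell
#!/bin/sh
# Added example (not Oracle's code): generate oimadminuser.ldif and audit
# its ACIs for least privilege.
set -eu

# Print the proxy user, its group and the ACIs as LDIF for ldapmodify.
# $1 root suffix, $2 base holding Users/Groups/Reserve, $3 proxy password.
gen_oimadmin_ldif() {
  root=$1; accounts=$2; pw=$3
  group="cn=oimAdminGroup,cn=systemids,$root"
  cat <<EOF
dn: cn=systemids,$root
changetype: add
objectclass: nsContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,$root
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: $pw

dn: $group
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,$root

EOF
  # import/export on all three containers: a moddn between containers needs
  # export at the source and import at the destination.
  for c in Users Groups Reserve; do
    target="cn=$c,$accounts"
    cat <<EOF
dn: $target
changetype: modify
add: aci
aci: (target = "ldap:///$target")(targetattr = "*")(version 3.0; acl "Allow oimAdminGroup read and write on $c"; allow (read, search, compare, add, write, delete, import, export) (groupdn = "ldap:///$group");)

EOF
  done
  # Deviation from the page: read-only on the changelog; OIM never writes it.
  cat <<EOF
dn: cn=changelog
changetype: modify
add: aci
aci: (target = "ldap:///cn=changelog")(targetattr = "*")(version 3.0; acl "Allow oimAdminGroup to read the changelog"; allow (read, search, compare) (groupdn = "ldap:///$group");)
EOF
}

# Read LDIF (or ldapsearch aci output) on stdin; return 1 if any aci grants
# to anyone/all or is not bound to the expected group DN ($1).
audit_acis() {
  group=$1
  bad=0
  while IFS= read -r line; do
    case $line in
      aci:*) ;;
      *) continue ;;
    esac
    case $line in
      *'userdn = "ldap:///anyone"'*|*'userdn="ldap:///anyone"'*|*'ldap:///all"'*)
        echo "overly broad ACI: $line" >&2; bad=1 ;;
    esac
    case $line in
      *"groupdn = \"ldap:///$group\""*) ;;
      *) echo "ACI not bound to $group: $line" >&2; bad=1 ;;
    esac
  done
  return $bad
}

if [ "${1:-}" = "demo" ]; then
  ROOT='dc=mycompany,dc=com'
  gen_oimadmin_ldif "$ROOT" "cn=oracleAccounts,$ROOT" "${OIM_PROXY_PW:-changeme}" \
    | tee oimadminuser.ldif \
    | audit_acis "cn=oimAdminGroup,cn=systemids,$ROOT" && echo "ACIs bound to oimAdminGroup only"
fi
```

Run `OIM_PROXY_PW='...' sh oimadminuser.sh demo` to write oimadminuser.ldif and audit it before loading it with the ldapmodify command above; the same `audit_acis` can be fed the aci attribute lines returned by the ldapsearch checks to confirm nothing broader was granted on the live directory.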
LDAP synchronization requires the creation in LDAP of a proxy user and group, distinct from the LDAP administrative user. This permits Oracle Identity Manager to update the LDAP directory store without those updates being reconciled back into Oracle Identity Manager: the changes are made as the proxy user, and changes made by the proxy user are filtered out by Oracle Identity Manager during reconciliation.
Using LDAP synchronization with OUD has some additional requirements. OUD's External Changelog (ECL) must be enabled, and the proxy user must be given permissions to query it. To do so:
Note:
The examples in this section assume an OUD instance on localhost, and a simple bind password stored in a secure file (PASSWORD_FILE). Modify the commands as required for your local environment.
After OUD has been installed, modify its configuration file to change the global ACIs for the proxy user and group for changelog access. To do so, in the MIDDLEWARE_HOME/Oracle_OUD1/asinst_1/OUD/config/config.ldif file, replace the default:
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)
With the following:
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn!="ldap:///cn=oimAdminUser,cn=systemids,dc=us,dc=mydomain,dc=com";)
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow (read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=us,dc=mydomain,dc=com";)
Note:
The proxy user and group do not have to be created at this point.
OUD must be restarted for these changes to take effect. Use the stop-ds and start-ds commands in the OUD bin directory.
From the OUD bin directory, create the proxy user and group by using the oudadmin.ldif file:
./ldapmodify -h localhost -p PORT -D cn=orcladmin -j PASSWORD_FILE -c -f FILE_LOCATION/oudadmin.ldif
Create the replication server and domain. Set the replication port number and the base-dn (for example, dc=com) appropriately for your installation, as shown:
./dsconfig -h localhost -p ADMIN_PORT -D cn=orcladmin -j PASSWORD_FILE -X -n create-replication-server --provider-name 'Multimaster Synchronization' --set replication-port:PORT --set replication-server-id:1 --type generic
./dsconfig -h localhost -p ADMIN_PORT -D cn=orcladmin -j PASSWORD_FILE -X -n create-replication-domain --provider-name 'Multimaster Synchronization' --set base-dn:dc=com --set replication-server:localhost:PORT --set server-id:1 --type generic --domain-name dc=com
Provide access to the ECL control, as shown:
./dsconfig -h localhost -p ADMIN_PORT -D cn=orcladmin -X -j PASSWORD_FILE -n set-access-control-handler-prop --add global-aci:\(targetcontrol=\"1.3.6.1.4.1.26027.2.3.4\"\)\(version\ 3.0\;\ acl\ \"Authenticated\ users\ control\ access\"\;\ allow\(read\)\ userdn=\"ldap:///all\"\;\)
Confirm that the proxy user has access to the changelog, both at the command line and by a manual test within Oracle Identity Manager, as follows:
Command line test: Ensure that the results of the following commands are identical:
ldapsearch -h localhost -p PORT -D OIM_PROXY_USER -j PASSWORD_FILE -b "cn=changelog" -s one
ldapsearch -h localhost -p PORT -D OUD_ADMIN_USER -j PASSWORD_FILE -b "cn=changelog" -s one
Here, OIM_PROXY_USER is the proxy user created previously (for example, cn=oimAdminUser,cn=systemids,...), and OUD_ADMIN_USER is the administrator created when installing OUD (for example, cn=orcladmin).
OIM test: It is necessary to obtain the last changelog number from OUD in order to run incremental reconciliation. To do so:
Create a user and/or role in Oracle Identity Manager.
Verify that the user and/or role has been successfully synced to LDAP.
Modify a harmless attribute, such as the display name, for the user and/or role in LDAP.
Making sure that the last changelog is correctly initialized in the incremental recon scheduled task UI, run incremental user (or role) create/modify, and verify that the entity changes are reflected in Oracle Identity Manager.
The global ACIs can be investigated directly from OUD by the following:
./dsconfig -h localhost -p ADMIN_PORT -D cn=orcladmin -X -j PASSWORD_FILE -n get-access-control-handler-prop --property global-aci
Get the last changelog from OUD.
OUD uses the external changelog (ECL) cookie as its changelog position. This is not a plain number; it is a string beginning with the base DN. The command to get the cookie is:
ldapsearch -h localhost -p PORT -D "cn=orclAdmin" -j PASSWORD_FILE -b "" -s base "objectclass=*" lastExternalChangelogCookie
An example command and sample ECL cookie follow. Copy your changelog string beginning with the base name. The terminal usually wraps the string with a space or carriage return before the end. Be sure to copy the entire string, eliminating the space and the carriage return.
ldapsearch -h localhost -p PORT -D "cn=orclAdmin" -j PASSWORD_FILE -b "" -s base "objectclass=*" lastExternalChangelogCookie
dn:
lastExternalChangelogCookie: dc=com:00000154c04613df00010000001b;
To use this value in Oracle Identity Manager, remove the carriage return or space, if present, and the trailing semicolon, so that it reads:
dc=com:00000154c04613df00010000001b
For test purposes, you may need to set the changelog back a few entries to get changes made before obtaining the ECL:
dc=us,dc=mydomain,dc=com:00000154c04613df000100000010
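The following is an added example, not part of the Oracle documentation, covering two checks from the OUD steps above: normalizing a lastExternalChangelogCookie as pasted from wrapped terminal output (whitespace, CR/LF and the trailing semicolon removed, then validated as base-dn:hex), and auditing the `get-access-control-handler-prop --property global-aci` listing for the three conditions the proxy user needs: the default deny-all on cn=changelog is gone, an allow ACI for the proxy group exists, and the ECL control ACI (1.3.6.1.4.1.26027.2.3.4) is present. The two listings in the code are constructed from the ACIs shown on the page, not captured from a server.

```shell
#!/bin/sh
# Added example (not Oracle's code): ECL cookie normalization and a
# global-aci readiness check for the OIM proxy user.
set -eu

# Strip line wrap (spaces, tabs, CR/LF) and the trailing ';' from a cookie
# pasted from ldapsearch output; fail unless the result is <base-dn>:<hex>.
normalize_ecl_cookie() {
  c=$(printf '%s' "$1" | tr -d ' \t\r\n' | sed 's/;$//')
  printf '%s\n' "$c" | grep -Eq '^[^:]+:[0-9a-fA-F]+$' || {
    echo "not an ECL cookie: $c" >&2
    return 1
  }
  printf '%s\n' "$c"
}

# $1: global-aci listing as printed by dsconfig, $2: proxy group DN.
# Returns 0 only if the changelog is readable by the proxy group.
changelog_acis_ready() {
  acis=$1; group=$2
  cl=$(printf '%s\n' "$acis" | grep -F 'cn=changelog' || true)
  if printf '%s\n' "$cl" | grep -Fq 'deny (all) userdn="ldap:///anyone"'; then
    echo "default deny-all on cn=changelog still present" >&2; return 1
  fi
  printf '%s\n' "$cl" | grep -F 'allow (' | grep -Fq "groupdn=\"ldap:///$group\"" || {
    echo "no allow ACI for $group on cn=changelog" >&2; return 1; }
  printf '%s\n' "$acis" | grep -Fq 'targetcontrol="1.3.6.1.4.1.26027.2.3.4"' || {
    echo "ECL control ACI (1.3.6.1.4.1.26027.2.3.4) missing" >&2; return 1; }
}

PROXY_GROUP='cn=oimAdminGroup,cn=systemids,dc=us,dc=mydomain,dc=com'

# Constructed listing matching the shipped default (changelog denied to all).
DEFAULT_ACIS='global-aci : (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)'

# Constructed listing after the two replacement ACIs and the control ACI.
CONFIGURED_ACIS='global-aci : (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn!="ldap:///cn=oimAdminUser,cn=systemids,dc=us,dc=mydomain,dc=com";)
global-aci : (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow (read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=us,dc=mydomain,dc=com";)
global-aci : (targetcontrol="1.3.6.1.4.1.26027.2.3.4")(version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)'

if [ "${1:-}" = "demo" ]; then
  normalize_ecl_cookie 'dc=com:00000154c04613df0001000000
1b;'
  changelog_acis_ready "$DEFAULT_ACIS" "$PROXY_GROUP" || echo "default listing: proxy cannot read changelog"
  changelog_acis_ready "$CONFIGURED_ACIS" "$PROXY_GROUP" && echo "configured listing: proxy can read changelog"
fi
```

In practice, feed `changelog_acis_ready` the output of the dsconfig get-access-control-handler-prop command shown above, and pass the pasted lastExternalChangelogCookie value to `normalize_ecl_cookie` before entering it in the incremental reconciliation scheduled task; a cookie that fails the format check is the usual sign that part of the wrapped string was missed.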
Enabling LDAP synchronization at install time also configures the libOVD or OVD adapters required for integration. If LDAP synchronization is enabled after the initial Oracle Identity Manager installation, you must manually configure the libOVD or OVD adapters.
To enable LDAP synchronization with libOVD, see Section E.1.3.2, "Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager" and Section E.2.10, "Managing Identity Virtualization Library (libOVD) Adapters".
Alternately, if you have configured a standalone OVD server, then the IT Resource page for the Directory Server IT resource type must be configured with the OVD server details. See Section E.1.4.2, "Modifying the IT Resource". In addition, you must create the OVD adapters for various LDAP servers. For details, see "Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
If you are configuring OVD for integration with Oracle Identity Manager, then refer to the following topics:
You can use the UserManagement plug-in to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.
To do this, perform the following tasks:
Ensure you have set all of the necessary environment variables as described in Section D.2, "Set Up Environment Variables".
Create a properties file for the Oracle Internet Directory adapter called ovd1.props
as follows:
Note:
The usecase.type:single parameter is not supported for Active Directory via the configOVD option.
ovd.host:ovdhost1.mycompany.com
ovd.port:8899
ovd.binddn:cn=orcladmin
ovd.password:ovdpassword
ovd.oamenabled:true
ovd.ssl:true
ldap1.type:OID
ldap1.host:oididstore.myhost.mycompany.com
ldap1.port:3060
ldap1.binddn:cn=orcladmin,cn=systemids,dc=mycompany,dc=com
ldap1.password:oidpassword
ldap1.ssl:false
ldap1.base:dc=mycompany,dc=com
ldap1.ovd.base:dc=mycompany,dc=com
usecase.type:single
The following table describes the parameters used in the properties file.
Parameter | Description
---|---
ovd.host | Host name of a server running Oracle Virtual Directory.
ovd.port | The https port used to access Oracle Virtual Directory.
ovd.binddn | User DN used to connect to Oracle Virtual Directory.
ovd.password | Password for the DN used to connect to Oracle Virtual Directory.
ovd.oamenabled | Always true in
ovd.ssl | Set to true, as you are using an https port.
ldap1.type | Set to OID for an Oracle Internet Directory back end directory, or to AD for an Active Directory back end directory.
ldap1.host | Host on which the back end directory is located. Use the load balancer name.
ldap1.port | Port used to communicate with the back end directory.
ldap1.binddn | Bind DN of the oimLDAP user.
ldap1.password | Password of the oimLDAP user.
ldap1.ssl | Set to true if you are using the back end's SSL connection, otherwise false. Always set this parameter to true when creating an adapter for AD.
ldap1.base | Base location in the directory tree.
ldap1.ovd.base | Mapped location in Oracle Virtual Directory.
usecase.type | Set to single when using a single directory type.
Configure the adapter by using the idmConfigTool command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the directory that the idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
The syntax on Windows is:
idmConfigTool.bat -configOVD input_file=configfile [log_file=logfile]
For example:
idmConfigTool.sh -configOVD input_file=ovd1.props
The command requires no input. The output looks like this:
The tool has completed its operation. Details have been logged to logfile
Run this command for each Oracle Virtual Directory instance in your topology, with the appropriate value for ovd.host
in the property file.
You can configure Identity Virtualization Library (libOVD) adapters by using script and template files related to libOVD. Table E-1 lists the files used for Identity Virtualization Library (libOVD) adapter configuration.
Table E-1 Identity Virtualization Library (libOVD) Adapter Configuration Files
File | Description
---|---
Files in the $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/ directory | Files related to Identity Virtualization Library (libOVD)
Files in the $MW_HOME/oracle_common/bin/ directory: libovdadapterconfig.sh, libovdconfig.sh, libovdadapterconfig.bat, libovdconfig.bat | Script files to configure Identity Virtualization Library (libOVD)
Files in the $MW_HOME/Oracle_IDM/libovd/ directory: adapter_template_oim_ldap.xml, adapter_template_oim.xml | Template files to configure Identity Virtualization Library (libOVD)
adapters.os_xml in the $MW_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/ovd/ADAPTER_NAME/ directory (by default, ADAPTER_NAME is oim) | Configuration file after Identity Virtualization Library (libOVD) has been configured
To configure Identity Virtualization Library (libOVD) adapters and integrate with Oracle Identity Manager:
Before running the scripts to configure Identity Virtualization Library (libOVD), set the following environment variables:
set MW_HOME to the appropriate Middleware home directory
set ORACLE_HOME to $MW_HOME/oracle_common
set WL_HOME to $MW_HOME/wlserver_10.3
set JAVA_HOME to the appropriate jdk path
To configure Identity Virtualization Library (libOVD):
Note:
Substitute the appropriate information for your host computer and directory path in the commands that run the scripts for configuring Identity Virtualization Library (libOVD).
To create the libOVD configuration files and lay out the directory structure, run the following command:
sh $MW_HOME/oracle_common/bin/libovdconfig.sh -domainPath FULL_PATH_OF_DOMAIN -contextName oim -host ADMINSERVER_HOST -port ADMINSERVER_PORT -userName ADMINSERVER_USERNAME
For example:
sh $MW_HOME/oracle_common/bin/libovdconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myhost.mycompany.com -port 7001 -userName weblogic
This command creates the directory structure containing the OVD configuration files for Oracle Identity Manager and copies the configuration file templates. In the example, the contextName is assumed to be oim, and therefore, the OVD configuration files are created in the DOMAIN_HOME/config/fmwconfig/ovd/oim/ directory. Here, DOMAIN_HOME is the directory that you are using as the home directory for your domain.
Note:
Because Identity Virtualization Library (libOVD) is included in Oracle Identity Manager, both are deployed on the same web container. Therefore, the Admin Server host and Admin Server port must be those of the computer on which Oracle Identity Manager is installed, and not of the computer on which LDAP is installed.
Running the command displays the following. Enter the password when prompted.
Enter AdminServer Password:
Successfully created OVD config files
CSF Credential creation successful
Permission Grant successful
Successfully configured OVD MBeans
To create user and changelog adapters, run the following command:
sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath FULL_PATH_OF_DOMAIN -contextName oim -host ADMINSERVER_HOST -port ADMINSERVER_PORT -userName ADMINSERVER_USERNAME -adapterName ADAPTER_NAME -adapterTemplate $MW_HOME/Oracle_IDM1/libovd/adapter_template_oim.xml -bindDN LDAP_BIND_DN -createChangelogAdapter -dataStore LDAP_DIRECTORY_TYPE -ldapHost LDAP_HOST -ldapPort LDAP_PORT -remoteBase REMOTE_BASE -root VIRTUAL_BASE
Here, the template is the Oracle Identity Manager (oim) template. The command creates the adapters from the information you provide when running the script, based on that template. In the command examples shown in this step, contextName is assumed to be oim. In addition, the bindDN parameter must contain the same DN as the Oracle Identity Manager administrator account created during the LDAP preconfiguration step. In other words, if the cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com account was created during LDAP preconfiguration, then bindDN must be set to cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com.
Note:
Because Identity Virtualization Library (libOVD) is included in Oracle Identity Manager, both are deployed on the same web container. Therefore, the Admin Server host and Admin Server port must be those of the computer on which Oracle Identity Manager is installed, and not of the computer on which the LDAP server is installed.
In the parameters that you pass while running the tool, the value of the -dataStore argument must be the backend directory type. Valid values for this parameter, when using adapter_template_oim.xml, are OID, ACTIVE_DIRECTORY, IPLANET, and OUD.
If the backend LDAP server port is configured over SSL, then the Oracle Identity Manager user must use keytool to import the trusted certificate from the LDAP server into the Identity Virtualization Library (libOVD) keystore. To do so, refer to "Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server".
Example with non-SSL LDAP server port:
sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myadminserver.mycompany.com -port 7001 -userName weblogic -adapterName LDAP1 -adapterTemplate adapter_template_oim.xml -bindDN "cn=orcladmin" -createChangelogAdapter -dataStore OID -ldapHost myldaphost.mycompany.com -ldapPort 3060 -remoteBase "dc=us,dc=oracle,dc=com" -root "dc=us,dc=oracle,dc=com"
Enter AdminServer Password:
Enter LDAP Server Password:
Example with LDAP server port configured over SSL:
Note:
If you are using an SSL port as the LDAP port, then provide the -enableSSL parameter in the libovdadapterconfig.sh or libovdadapterconfig.bat command.
sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myadminserver.mycompany.com -port 7001 -userName weblogic -adapterName LDAP1 -adapterTemplate adapter_template_oim.xml -bindDN "cn=orcladmin" -createChangelogAdapter -dataStore OID -ldapHost myldaphost.mycompany.com -ldapPort 3161 -enableSSL -remoteBase "dc=us,dc=oracle,dc=com" -root "dc=us,dc=oracle,dc=com"
Enter AdminServer Password:
Enter LDAP Server Password:
Restart the web container and Oracle Identity Manager by running the following commands:
cd $MW_HOME/user_projects/domains/DOMAIN_NAME/bin/
./stopManagedWebLogic.sh oim_server1
./stopWebLogic.sh
./startWebLogic.sh
./startManagedWebLogic.sh oim_server1
To integrate Oracle Identity Manager with Identity Virtualization Library (libOVD):
Log in to Oracle Identity System Administration.
Under Configuration on the left pane, click IT Resource. The Manage IT Resource page is displayed in a separate window.
From the IT Resource Type list, select Directory Server, and then click Search.
For the Directory Server IT resource, click Edit. The Edit IT Resource Details and Parameters page is displayed.
In the Search Base field, enter a value, for example, dc=oracle,dc=com.
In the User Reservation Container field, enter a value, for example, cn=reserve,dc=us,dc=oracle,dc=com.
Restart the WebLogic server on which Oracle Identity Manager is deployed.
Access the server and manage users and roles through Oracle Identity System Administration.
Connect directly to the LDAP server by using the ldapclient tool to verify that the data is managed in the LDAP server you chose with the -dataStore option of the libovdadapterconfig.sh command.
Enabling LDAP synchronization involves the following:
By default, MDS does not contain the files required for enabling LDAP synchronization. Therefore, several configuration files must be imported into MDS. Initially, the files are not present in MDS, but template versions can be found in the Oracle Identity Manager distribution. In some cases, these files need to be edited before import to reflect your own customizations.
The template versions of these files can be found in $IAM_ORACLE_HOME/server/metadata/ directory.
The User, Role, Role Hierarchy, and Role Membership files must be imported into MDS. If you are modifying these entities and relationships, for example, by adding UDFs, then you must create a backup of the original files before modification and import.
In most new installations, you can import the event handlers to MDS without modifying them. Occasionally, you might modify the event handlers to customize OIM response to lifecycle events.
The LDAPContainerRules must always be edited to allow synchronization in your environment.
After customizations have been applied in your environment, you must first export the files from MDS in order to obtain the active versions, as the original template versions on the file system might be outdated.
To modify and import MDS files:
Set the OIM_ORACLE_HOME environment variable to the directory on which Oracle Identity Manager is deployed. The exact location depends on your installation. An example of this can be /u01/Oracle/Middleware/IAM.
Copy the following files from the MDS to a temporary staging directory, such as /tmp:
Note:
The files must not be copied to the root directory (/tmp). Instead, maintain the structure listed in this step, for example, /tmp/db/LDAPUser. If the files are copied to the /tmp directory and imported to MDS, then Oracle Identity Manager will fail to run the reconciliation scheduled jobs.
It is mandatory to create a separate staging directory. The $OIM_ORACLE_HOME/server/metadata directory cannot be used as the staging directory because it contains some other files. If these files are imported inadvertently, then it might corrupt the Oracle Identity Manager instance.
Here, OIM_ORACLE_HOME represents an environment variable that identifies the directory on which Oracle Identity Manager is installed. This variable is used for various Oracle Identity Manager scripts.
The following metadata files are used for configuring the reconciliation profile and the reconciliation horizontal table entity definition for LDAP user, role, role hierarchy, and role membership reconciliation:
/db/LDAPUser
/db/LDAPRole
/db/LDAPRoleHierarchy
/db/LDAPRoleMembership
/db/LDAPContainerRules.xml
/db/RA_LDAPROLE.xml
/db/RA_LDAPROLEHIERARCHY.xml
/db/RA_LDAPROLEMEMBERSHIP.xml
/db/RA_LDAPUSER.xml
/db/RA_MLS_LDAPROLE.xml
/db/RA_MLS_LDAPUSER.xml
These files must be copied to a temporary location before importing, or you might corrupt your instance because oim-config.xml is also present in the same location.
The LDAP event handlers. The predefined event handlers are in the /db/ldapMetadata/EventHandlers.xml file.
The LDAPContainerRules.xml consisting of the container information for users and roles to be created.
Note:
The LDAPContainerRules.xml file can contain rules that use only those attributes that are mapped to the directory. A rule cannot be written by using attributes from foreign objects or attributes that are not part of the entity. This is true for both user and role entities. For example, Role Email cannot be used in rules for roles, and the user's Organization Name cannot be used for the user entity.
Edit the LDAPContainerRules.xml file. To do so, open LDAPContainerRules.xml, and replace $DefaultUserContainer$ and $DefaultRoleContainer$ with appropriate user and role container values. For example, replace:
$DefaultUserContainer$ with a value reflecting your desired container structure, such as cn=Users,dc=us,dc=sample,dc=com
$DefaultRoleContainer$ with a value reflecting your desired container structure, such as cn=SomeSubContainer,cn=Groups,dc=us,dc=sample,dc=com
Perform the import by using Oracle Enterprise Manager. For information about importing metadata files from MDS, see "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Note:
Ensure that EventHandlers.xml is in the $STAGING_DIR/db/ldapMetadata/ directory when importing into MDS.
After performing your customizations and imports, it is recommended to export the files from MDS to confirm that the files are in the correct MDS location with the desired changes. The MDS documentation provides instructions for MDS export.
Edit IT Resource configuration in Oracle Identity Manager. To do so:
Log in to Oracle Identity System Administration as the system administrator by navigating to the following URL:
http://HOST_NAME:PORT/sysadmin
In the left navigation pane, under Configuration, click IT Resource. The Manage IT Resource page is displayed.
Search for the Directory Server IT resource.
Update the IT resource with Search base and Reservation container values.
The suggested value for Search base is the root suffix or the BaseDN, for example, dc=us,dc=example,dc=com.
If you want to configure Oracle Identity Manager with OVD server, then enter the values for ServerURL with the OVD server host and port details.
If you want to configure Oracle Identity Manager with Identity Virtualization Library (libOVD), then do not enter the values for ServerURL. It must be empty.
Enter the values for the bind credentials used for the LDAP server. This is the same as the IDSTORE_BINDDN used in the idmConfigTool.
Admin Login: cn=oimadmin
Admin Password: 1111111111
Make sure that the value for the Reservation Container is cn=reserve,VALUE_OF_THE_ROOT_SUFFIX. For example:
Reservation Container: cn=reserve,dc=us,dc=example,dc=com
For reconciliation jobs, seed the LDAP reconciliation scheduled jobs into Quartz tables, which are part of Oracle Identity Manager schema. As a prerequisite to do so, set the OIM_ORACLE_HOME environment variable. For example:
For Microsoft Windows, set the OIM_ORACLE_HOME environment variable to the C:\Oracle\Middleware\Oracle_IDM1 directory by running the following command:
set OIM_ORACLE_HOME=C:\Oracle\Middleware\Oracle_IDM
For UNIX, run the following command:
setenv OIM_ORACLE_HOME /u01/mwhome/Oracle_IDM
Seeding the LDAP reconciliation scheduled jobs can be performed in any one of the following ways:
Seeding LDAP reconciliation scheduled jobs with parameters:
Go to the $OIM_ORACLE_HOME/server/setup/deploy-files directory.
Set ant home. The following are sample commands to set ant home:
For UNIX:
setenv ANT_HOME /u01/mwhome/modules/org.apache.ant_1.7.1
For Microsoft Windows:
set ANT_HOME=/u01/mwhome/modules/org.apache.ant_1.7.1
Note:
If ANT is not installed, then download ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL: http://www.oracle.com/technetwork/index.html
Install ANT and set ANT_HOME. Make sure that the ant executable file exists in the $ANT_HOME/bin/ant/ directory.
Run the following ant command with parameters:
$ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=SCHEMA_OWNER_USERNAME -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=SCHEMA_HOST_ADDRESS -DoperationsDB.port=SCHEMA_PORT_NUMBER -DoperationsDB.serviceName=SCHEMA_SERVICE_NAME -Dssi.provisioning=ON -Dweblogic.server.dir=WEBLOGIC_SERVER_LOCATION -Dojdbc.location=OJDBC_LOCATION -Dwork.dir=seed_logs
For example:
$ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=schemaowner1_OIM -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=myhost.mycompany.com -DoperationsDB.port=1521 -DoperationsDB.serviceName=oimdb.regress.rdbms.mycompany.com -Dssi.provisioning=ON -Dweblogic.server.dir=$MW_HOME/wlserver_10.3 -Dojdbc.location=$MW_HOME/wlserver_10.3/server/lib/ojdbc6.jar -Dwork.dir=seed_logs
Seeding LDAP reconciliation scheduled jobs with the profile file:
Set the ANT_HOME environment variable to the directory on which ANT is installed.
Note:
If ANT is not installed, then download ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL: http://www.oracle.com/technetwork/index.html
Install ANT and set ANT_HOME. Make sure that the ant executable file exists in the $ANT_HOME/bin/ant/ directory.
Go to the $OIM_ORACLE_HOME/server/bin/ directory.
Create a property file with the properties listed in Table E-2.
Note:
You can also use the appserver.profile file instead of creating a new property file. Make sure that the properties listed in this step are present with their values.
Table E-2 Parameters of the Property File
Parameter | Description |
---|---|
operationsDB.user | Oracle Identity Manager database schema owner. |
operationsDB.driver | Constant value of |
operationsDB.host | Oracle Identity Manager database schema host address. |
OIM.DBPassword | Oracle Identity Manager database schema owner's password. |
operationsDB.serviceName | Oracle Identity Manager database schema service name, for example, |
operationsDB.port | Oracle Identity Manager database schema port number. |
ssi.provisioning | Value must be |
weblogic.server.dir | Directory on which Oracle WebLogic Server is installed, for example, |
ojdbc.location | Directory on which JDBC is installed, for example, |
work.dir | Any preferred directory on which log files will be created. After successful completion of the target, you can check the logs in the $WORK_DIR/seed_logs/ldap/SeedSchedulerData.log file. |
appserver.type | Application server; the value is |
appserver.dir | Absolute path to the WebLogic Server directory. |
Go to the $OIM_ORACLE_HOME/server/setup/deploy-files/ directory.
Run the following command:
$ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -propertyfile $OIM_ORACLE_HOME/server/bin/PROPERTY_FILE_NAME
Either OVD or libOVD can be the front end to all supported directory servers. However, it is recommended that libOVD, and not stand-alone OVD, is used as the front end to OUD. If you already have an OVD-OUD-OIM topology and want to convert it to libOVD-OUD-OIM, then perform the following steps:
Disable the incremental role and user reconciliation scheduled jobs.
Record the last changelog entry of the directory server by running the following command:
ldapsearch -h HOST -p PORT -D "cn=orcladmin" -w PASSWORD -b "" -s base "objectclass=*" lastchangenumber
Before re-enabling the scheduled reconciliation jobs, ensure that this changelog number is placed in the IT Resource for the directory server.
Create the libOVD adapters. See Section E.1.3.2, "Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager" for details.
Edit Oracle Identity Manager IT resource. See Section E.1.4.2, "Modifying the IT Resource" for details.
Re-enable the incremental role and user reconciliation jobs disabled in step 1.
Managing LDAP synchronization is described in the following sections:
Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server
Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP
Enabling Access Logging for Identity Virtualization Library (libOVD)
Configuring LDAP Authentication When LDAP Synchronization is Enabled
Verifying the Value of pwdLockout in the Directory Password Policy
Disabling the LDAPAddMissingObjectClasses for Users and Roles
Setting Up LDAP Synchronization With HA Multi-Master Replication (MMR)
Note:
Before enabling incremental reconciliation through post configuration, as described in this section, always run LDAP full reconciliation first if there is a pre-existing population of users and roles on the directory server. Make sure that incremental reconciliation is disabled until full reconciliation completes. This approach is discussed in "Approach Used for Reconciliation" in Administering Oracle Identity Manager.
Oracle recommends using the LDAP Consolidated Full Reconciliation scheduled job, as discussed in "Managing the Scheduler" at the following URL:
http://docs.oracle.com/cd/E37115_01/admin.1112/e27149/scheduler.htm#OMADM2773
When using AD as the LDAP directory, disable the LDAPAddMissingObjectClasses handler before running full reconciliation, as described in Section E.2.15, "Disabling the LDAPAddMissingObjectClasses for Users and Roles".
The LDAP configuration post-setup script enables all the LDAP synchronization incremental reconciliation scheduler jobs, which are disabled by default. In addition, it retrieves the last change number from the Directory Server and updates all the LDAP synchronization incremental reconciliation jobs with that change number.
Note:
This procedure is applicable to all the Directory Server options.
The LDAP post-setup script and the properties files are located in the server/LDAP_CONFIG_UTIL directory under your IAM_HOME, which is the Oracle Identity and Access Management home directory for Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.
The wlfullclient.jar file is required to run LDAP configuration post-setup. Generate this file as described in "Post-Configuration Steps" in Installation Guide for Oracle Identity and Access Management. In this section, the step to copy the wlfullclient.jar file to the IAM_HOME\designconsole\ext\ directory on the machine where Design Console is configured is required only if the Design Console is required for some other purpose than enabling LDAP synchronization. Configuring the Design Console is not required for the purpose of LDAP synchronization.
To run the LDAP post-configuration utility:
Before you run the LDAP post-configuration utility, ensure that the following environment variables are set:
APP_SERVER is set to the application server on which Oracle Identity Manager is running. Set APP_SERVER to weblogic.
JAVA_HOME is set to the directory on which JDK is installed on your machine.
MW_HOME is set to the Middleware home path provided during Oracle Identity Manager installation.
OIM_ORACLE_HOME is set to the directory on which Oracle Identity Manager is deployed. For example:
On UNIX, it is the MW_HOME/IAM_HOME directory.
On Windows, it is the MW_HOME\IAM_HOME directory.
WL_HOME is set to the wlserver_10.3 directory under your Middleware home directory. For example:
On UNIX, it is the MW_HOME/wlserver_10.3 directory.
On Windows, it is the MW_HOME\wlserver_10.3 directory.
DOMAIN_HOME is set to the domain of the WebLogic Server. For example:
On UNIX, it is the MW_HOME/user_projects/domains/base_domain directory.
On Windows, it is the MW_HOME\user_projects\domains\base_domain directory.
Open the ldapconfig.props file in a text editor. This file is located in the server/ldap_config_util directory under IAM_HOME for Oracle Identity and Access Management.
In the ldapconfig.props file, set values for the parameters listed in Table E-3.
Table E-3 Parameters of the ldapconfig.props File
Parameter | Description |
---|---|
OIMServerType | Specify the application server on which Oracle Identity Manager is deployed. For example: OIMServerType=WLS |
OIMProviderURL | Specify the URL for the Oracle Identity Manager provider. If the OIMServerType is WLS, then specify the URL in the following format: OIMProviderURL=t3://localhost:MANAGED_SERVER_PORT |
LDAPURL | Specify the URL for the OVD instance. If OVD server is selected during Oracle Identity Manager installation, then provide a value for LDAPURL; otherwise, leave the value of LDAPURL blank. Specify the URL in the following format: LDAPURL=ldap://OVD_SERVER:OVD_PORT For example: LDAPURL=ldap://OVDserver.examplehost.exampledomain.com:6501 Note: If you have selected Active Directory, OID, ODSEE, or OUD as the directory server, then do not specify a value for the LDAPURL parameter. If you are using OVD as the directory server, then enter the OVD server host and port number as the value. |
LDAPAdminUsername | Specify the user name for the OVD Administrator. If OVD server is selected during Oracle Identity Manager installation, then provide the Admin user name used to connect to the LDAP/OVD server. For example: LDAPAdminUsername=cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com Note: LDAPAdminUsername is the name of the user used to connect to the Identity Store, for example, This LDAPAdminUsername must not be located in the user container where the customer's user accounts exist. For example, do not use Note: If you have selected Active Directory, OID, ODSEE, or OUD as the directory, then do not specify a value for the LDAPAdminUsername parameter after enabling LDAP synchronization. Enter the OVD admin user name as the value only if you are using OVD as the directory server. |
LIBOVD_PATH_PARAM | Specify the configuration directory path of libOVD. Provide the following value for this parameter: LIBOVD_PATH_PARAM=MW_HOME/user_projects/domains/base_domain/config/fmwconfig/ovd/oim Note: If you specify the value for the LIBOVD_PATH_PARAM parameter on Microsoft Windows, then the value must start with the forward slash (/) character. In addition, use the forward slash as the path separator, for example: LIBOVD_PATH_PARAM=/C:/MW_HOME/user_projects/domains/base_domain/config/fmwconfig/ovd/oim Note: If you have selected Active Directory, ODSEE, or OUD as the directory server, then specify the value of this property similar to the example given above. Note: If you have selected OVD server as the directory server, then do not specify a value for this parameter. |
ChangeLogNumber | Leave the value of this parameter blank. |
Ensure that the required environment variables are set, as described in step 1.
Start the Oracle Identity Manager Managed Server. See "Starting the Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
On the command line, run the LDAP configuration post-setup script as follows:
On UNIX, run:
LDAPConfigPostSetup.sh LOCATION_OF_THE_DIRECTORY_CONTAINING_THE_ldapconfig.props_FILE
For example:
LDAPConfigPostSetup.sh MW_HOME/IAM_HOME/server/ldap_config_util
The scripts run against the IPv4 stack by default. If the LDAP server is set up on a host configured only with IPv6, then ipv6 must be passed explicitly as the final argument to the LDAPConfigPostSetup.sh script, as shown:
LDAPConfigPostSetup.sh LOCATION_OF_THE_DIRECTORY_CONTAINING_THE_ldapconfig.props_FILE ipv6
On Windows, run:
LDAPConfigPostSetup.bat LOCATION_OF_THE_DIRECTORY_CONTAINING_THE_ldapconfig.props_FILE
For example:
LDAPConfigPostSetup.bat c:\Oracle\Middleware\IAM_HOME\server\ldap_config_util
When prompted, enter the Oracle Identity Manager system administrator password and the LDAP administrator password as applicable.
If you are using Active Directory or ODSEE or OUD as the Directory Server, then you are prompted only for the Oracle Identity Manager system administrator password.
If you are using OVD as the Directory Server, then you are prompted for both Oracle Identity Manager system administrator password and LDAP Administrator password.
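Before running LDAPConfigPostSetup, it helps to check ldapconfig.props against the rules in Table E-3, because a wrong mix of LDAPURL, LDAPAdminUsername and LIBOVD_PATH_PARAM is only discovered when the script runs. The following Python pre-flight check is an added example, not part of the Oracle utility; the sample properties, the managed-server port 14000 and the user-container DN are constructed placeholders.

```python
"""Pre-flight check of ldapconfig.props before running LDAPConfigPostSetup.

Added example, not part of the Oracle utility. It encodes the rules of
Table E-3: standalone OVD front end -> LDAPURL and LDAPAdminUsername set,
LIBOVD_PATH_PARAM empty; libOVD front end (Active Directory, OID, ODSEE,
OUD) -> LDAPURL and LDAPAdminUsername empty, LIBOVD_PATH_PARAM set (on
Windows starting with "/" and using "/" separators); ChangeLogNumber blank.
The user-container check is the table's advice that the LDAP admin account
must not live in the container that holds customer user accounts.
"""
from typing import Dict, List, Optional

# Constructed sample for a libOVD (OUD) deployment on Windows; the managed
# server port 14000 is a placeholder, not a value from the documentation.
SAMPLE_LIBOVD_PROPS = """\
# ldapconfig.props (constructed sample)
OIMServerType=WLS
OIMProviderURL=t3://localhost:14000
LDAPURL=
LDAPAdminUsername=
LIBOVD_PATH_PARAM=/C:/MW_HOME/user_projects/domains/base_domain/config/fmwconfig/ovd/oim
ChangeLogNumber=
"""


def parse_props(text: str) -> Dict[str, str]:
    """Parse a Java-style properties file (key=value lines, # or ! comments)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_ldapconfig(props: Dict[str, str], windows: bool = False,
                     user_container: Optional[str] = None) -> List[str]:
    """Return the list of rule violations; an empty list means the file is consistent."""
    problems: List[str] = []

    def get(key: str) -> str:
        return props.get(key, "")

    if get("OIMServerType") != "WLS":
        problems.append("OIMServerType must be WLS")
    if not get("OIMProviderURL").startswith("t3://"):
        problems.append("OIMProviderURL must have the form t3://localhost:MANAGED_SERVER_PORT")
    ldap_url = get("LDAPURL")
    admin = get("LDAPAdminUsername")
    libovd = get("LIBOVD_PATH_PARAM")
    if ldap_url:
        # Standalone OVD is the front end.
        if not ldap_url.startswith("ldap://"):
            problems.append("LDAPURL must have the form ldap://OVD_SERVER:OVD_PORT")
        if not admin:
            problems.append("LDAPAdminUsername is required when LDAPURL is set")
        if libovd:
            problems.append("LIBOVD_PATH_PARAM must be empty when OVD server is used")
        if admin and user_container and admin.lower().endswith("," + user_container.lower()):
            problems.append("LDAPAdminUsername must not be located in the user container")
    else:
        # libOVD is the front end (Active Directory, OID, ODSEE, OUD).
        if admin:
            problems.append("LDAPAdminUsername must be empty when libOVD is used")
        if not libovd:
            problems.append("LIBOVD_PATH_PARAM is required when libOVD is used")
        elif windows and (not libovd.startswith("/") or "\\" in libovd):
            problems.append("On Windows LIBOVD_PATH_PARAM must start with / and use / separators")
    if get("ChangeLogNumber"):
        problems.append("ChangeLogNumber must be left blank")
    return problems


if __name__ == "__main__":
    findings = check_ldapconfig(parse_props(SAMPLE_LIBOVD_PROPS), windows=True)
    for problem in findings:
        print("ldapconfig.props:", problem)
    if not findings:
        print("ldapconfig.props is consistent with Table E-3")
```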
To verify the configuration of LDAP with Oracle Identity Manager:
Ensure that the WebLogic Administration Server and Oracle Identity Manager Managed Server are running.
Log in to Oracle Identity System Administration.
Under Provisioning Configuration, click IT Resource. The Manage IT Resource page is displayed. Click Search.
Verify the parameter values of Search Base, Reservation Container, URL, and bind DN.
See "Managing IT Resources" in Administering Oracle Identity Manager.
Log in to Oracle Identity Self Service, and create a user.
Verify that the same user is created in the chosen LDAP store or OVD by using any LDAP client.
Note:
Ensure that the chosen Directory Server or OVD and Oracle Identity Manager are running.
Customizing and filtering user creation can be done in the following ways:
Customizing User Creation Through Oracle Identity Manager With Different Custom Object Classes
Creating Users in Oracle Identity Manager and Not in LDAP When LDAP Synchronization is Enabled
You can add custom object classes and custom attributes while creating a new user by adding the custom attributes as user-defined fields (UDFs) in Oracle Identity Manager as well as to the LDAPUser.xml in MDS. As a prerequisite, the custom object class with one or more attributes must be created and loaded into OID.
To add custom attributes as UDFs in Oracle Identity Manager and LDAPUser.xml in MDS:
Add the custom attributes to the user attributes in Oracle Identity Manager, as described in "Creating a Custom Attribute" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Export the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file from the repository, as described in "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Update the LDAPUser.xml file to add the custom attribute1 custom attribute and the customObjectClass custom object class.
To add additional object classes on 'create', edit LDAPUser.xml and add additional <value> entries to the <parameter name="objectclass"> node. For example:
<parameter name="objectclass">
    <value>orclIDXPerson</value>
    <value>customObjectClass</value>
</parameter>
Add your custom attributes to the three sections of the LDAPUser.xml file. To do so:
Add the attribute entry to the end of the <entity-attributes> tag, for example:
<entity-attributes>
    ...................
    ...................
    <attribute name="custom attribute1">
        <type>string</type>
        <required>false</required>
        <attribute-group>Basic</attribute-group>
        <searchable>true</searchable>
    </attribute>
</entity-attributes>
Note:
If you are using an OUD LDAP directory, then the custom attribute name must not contain a space. OUD does not allow creating a custom attribute with a space in the attribute name.
Add the attribute entry to the end of the <target-fields> tag, for example:
<target-fields>
    ...................
    ...................
    <field name="customattr1">
        <type>string</type>
        <required>false</required>
    </field>
</target-fields>
Add the attribute entry to the end of the <attribute-maps> tag, for example:
<attribute-maps>
    ...................
    ...................
    <attribute-map>
        <entity-attribute>custom attribute1</entity-attribute>
        <target-field>customattr1</target-field>
    </attribute-map>
</attribute-maps>
Save and close the LDAPUser.xml file.
Import the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file into the repository, as described in "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
(Optional) If you want to change the RDN attribute from 'cn' to another attribute, then update the <parameter name="rdnattribute"> tag to the new directory attribute name, and then reimport the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file into the repository. For example:
<parameter name="rdnattribute">
    <value>companyid</value>
</parameter>
Test the configuration by creating the new user through Oracle Identity Manager.
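The three edits above are easy to get out of step by hand (an attribute added to <entity-attributes> but not to <attribute-maps> silently never reaches the directory). The following Python script, an added example that is not Oracle's code, applies all of them at once to an exported LDAPUser.xml and enforces the OUD no-space rule; the minimal skeleton it runs on is constructed from the fragments shown in this procedure, and the real exported file carries more content under the same element names.

```python
"""Add a custom object class and attribute to LDAPUser.xml.

Added example, not Oracle's code. It applies the edits described in the
procedure above (an extra objectclass <value>, plus entries in
<entity-attributes>, <target-fields> and <attribute-maps>, and optionally
a new rdnattribute) to a constructed minimal LDAPUser.xml that mirrors the
fragments shown on this page.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed minimal skeleton; element names follow the page's fragments.
SAMPLE_LDAPUSER_XML = """<entity-definition name="User">
  <parameter name="objectclass"><value>orclIDXPerson</value></parameter>
  <parameter name="rdnattribute"><value>cn</value></parameter>
  <entity-attributes>
    <attribute name="First Name"><type>string</type><required>false</required>
      <attribute-group>Basic</attribute-group><searchable>true</searchable></attribute>
  </entity-attributes>
  <target-fields>
    <field name="givenname"><type>string</type><required>false</required></field>
  </target-fields>
  <attribute-maps>
    <attribute-map><entity-attribute>First Name</entity-attribute>
      <target-field>givenname</target-field></attribute-map>
  </attribute-maps>
</entity-definition>
"""


def _child(parent: ET.Element, tag: str, text: Optional[str] = None) -> ET.Element:
    el = ET.SubElement(parent, tag)
    el.text = text
    return el


def _param_values(root: ET.Element, name: str) -> List[str]:
    return [v.text for v in root.findall("./parameter[@name='%s']/value" % name)]


def add_custom_attribute(xml_text: str, entity_attr: str, target_field: str,
                         object_class: str, directory: str = "OID") -> str:
    """Return LDAPUser.xml with the custom attribute mapped in all three sections."""
    # OUD rejects attribute names containing a space (see the note above).
    if directory.upper() == "OUD" and " " in entity_attr:
        raise ValueError("OUD does not allow spaces in custom attribute names")
    root = ET.fromstring(xml_text)
    for section in ("entity-attributes", "target-fields", "attribute-maps"):
        if root.find(section) is None:
            raise ValueError("LDAPUser.xml has no <%s> section" % section)
    oc = root.find("./parameter[@name='objectclass']")
    if oc is None:
        raise ValueError("objectclass parameter not found")
    if object_class not in _param_values(root, "objectclass"):
        _child(oc, "value", object_class)  # extra object class applied on create
    attr = _child(root.find("entity-attributes"), "attribute")
    attr.set("name", entity_attr)
    _child(attr, "type", "string")
    _child(attr, "required", "false")
    _child(attr, "attribute-group", "Basic")
    _child(attr, "searchable", "true")
    field = _child(root.find("target-fields"), "field")
    field.set("name", target_field)
    _child(field, "type", "string")
    _child(field, "required", "false")
    amap = _child(root.find("attribute-maps"), "attribute-map")
    _child(amap, "entity-attribute", entity_attr)
    _child(amap, "target-field", target_field)
    return ET.tostring(root, encoding="unicode")


def set_rdn_attribute(xml_text: str, attribute: str) -> str:
    """Replace the rdnattribute value (the optional step above), e.g. cn -> companyid."""
    root = ET.fromstring(xml_text)
    value = root.find("./parameter[@name='rdnattribute']/value")
    if value is None:
        raise ValueError("rdnattribute parameter not found")
    value.text = attribute
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text: str) -> Tuple[List[str], Optional[str], Dict[str, str]]:
    """Return (object classes, rdn attribute, {entity attribute: target field})."""
    root = ET.fromstring(xml_text)
    maps = {m.findtext("entity-attribute"): m.findtext("target-field")
            for m in root.findall("./attribute-maps/attribute-map")}
    rdn = root.findtext("./parameter[@name='rdnattribute']/value")
    return _param_values(root, "objectclass"), rdn, maps


if __name__ == "__main__":
    updated = add_custom_attribute(SAMPLE_LDAPUSER_XML, "custom attribute1",
                                   "customattr1", "customObjectClass")
    print(summarize(updated))
```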
When LDAP synchronization is enabled, you can configure the 'excludeEntityFilter' parameter in the LDAPUser.xml file to filter out user entries that are not to be created in LDAP and instead reside only in Oracle Identity Manager. Based on any Oracle Identity Manager attribute and its value, users can be created in Oracle Identity Manager without being pushed to the LDAP server, even though LDAP synchronization is enabled.
Note:
This feature is supported only for the user entity.
For example, if you want Oracle Identity Manager accounts with act_key=2 not to be created in LDAP, then perform the following steps:
Import the LDAPUser.xml file from MDS.
Add the following filter to LDAPUser.xml:
<parameter name="excludeEntityFilter">
    <value>act_key=2</value>
</parameter>
<parameter name="excludeEntityActions">
    <value>ALL</value>
</parameter>
Export the LDAPUser.xml file to MDS.
Create a user in Oracle Identity Manager in an organization whose act_key is 2. The same user will not be created in LDAP. Note that users created in Oracle Identity Manager that are assigned to an organization with an act_key other than 2 are successfully created in LDAP.
Another example is to create users only in Oracle Identity Manager, and not in the LDAP server, while LDAP synchronization is enabled, if the user's role matches 'Full-Time'. To do so, use the filter parameter as shown:
<parameter name="excludeEntityFilter">
    <value>Role=Full-Time</value>
</parameter>
<parameter name="excludeEntityActions">
    <value>ALL</value>
</parameter>
In the examples, certain Oracle Identity Manager users are not allowed in LDAP based on the filter and actions. By default, ALL is set for disabling the operations, and no CRUD operation is possible on these users. This is as shown:
<parameter name="excludeEntityActions">
    <value>ALL</value>
</parameter>
The filter that you provide in the LDAPUser.xml file is evaluated and a boolean value is returned to determine whether or not to proceed to LDAP synchronization handlers.
A schema file for these parameters is shipped with the product. If you want to customize the filter, then the configuration has to be done in the LDAPUser.xml file, which must then be exported back to MDS.
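To see the boolean decision described above in action for the two filters on this page (act_key=2 and Role=Full-Time), here is an added Python example that is not Oracle's implementation: it reads the excludeEntityFilter and excludeEntityActions parameters from a constructed LDAPUser.xml fragment and decides, for a user represented as a dict standing in for the OIM user entity, whether the LDAP synchronization handlers should run. Single ATTR=VALUE filters and a comma-separated action list are assumptions of the example.

```python
"""Evaluate an excludeEntityFilter from LDAPUser.xml against an OIM user.

Added example, not Oracle's implementation. It reproduces the documented
behaviour for the filters shown on this page: the filter is reduced to a
boolean that decides whether the LDAP synchronization handlers run for the
user. The user is a constructed dict standing in for the OIM user entity;
ATTR=VALUE filters and a comma-separated action list are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set, Tuple

# Constructed fragment: the two parameters shown on the page for act_key=2.
SAMPLE_FILTER_XML = """<entity-definition name="User">
  <parameter name="excludeEntityFilter"><value>act_key=2</value></parameter>
  <parameter name="excludeEntityActions"><value>ALL</value></parameter>
</entity-definition>
"""


def load_exclusion(xml_text: str) -> Tuple[Optional[str], Set[str]]:
    """Return (filter string or None, set of excluded actions; ALL by default)."""
    root = ET.fromstring(xml_text)
    flt = root.findtext("./parameter[@name='excludeEntityFilter']/value")
    actions = root.findtext("./parameter[@name='excludeEntityActions']/value") or "ALL"
    return (flt.strip() if flt else None,
            {a.strip().upper() for a in actions.split(",") if a.strip()})


def matches_filter(user: Dict[str, object], flt: Optional[str]) -> bool:
    """True when the user's attribute equals the filter value (ATTR=VALUE form)."""
    if not flt:
        return False
    attr, sep, expected = flt.partition("=")
    if not sep:
        raise ValueError("excludeEntityFilter must be ATTR=VALUE: %r" % flt)
    actual = user.get(attr.strip())
    return actual is not None and str(actual) == expected.strip()


def should_sync_to_ldap(user: Dict[str, object], flt: Optional[str],
                        actions: Set[str], action: str = "CREATE") -> bool:
    """False -> the user stays OIM-only; True -> proceed to the LDAP sync handlers."""
    if not matches_filter(user, flt):
        return True
    # ALL is the documented default and blocks every CRUD operation for the user.
    return not ("ALL" in actions or action.upper() in actions)


if __name__ == "__main__":
    flt, actions = load_exclusion(SAMPLE_FILTER_XML)
    # Constructed users: one in an organization with act_key 2, one with act_key 5.
    for user in ({"Login": "jdoe", "act_key": 2}, {"Login": "asmith", "act_key": 5}):
        target = "LDAP" if should_sync_to_ldap(user, flt, actions) else "OIM only"
        print(user["Login"], "->", target)
```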
For an integration scenario with a standalone instance of OVD, LDAP synchronization is configured by using plug-ins:
Note:
This section applies only to integration with a standalone instance of Oracle Virtual Directory.
This topic describes the plug-ins designed for use when Oracle Virtual Directory is a connector target for Oracle Identity Manager integrations.
The UserManagement plug-in provides data mapping for Oracle Identity Manager attributes to LDAP directory servers.
The UserManagement plug-in has the following configuration parameters:
Comma-separated list of objectclasses that need to be removed on an add/modify request.
Comma-separated list of attributes that will be virtually removed from entries before they are returned to the client.
Defines the exclusion of a specific attribute mapping on a specific objectclass. For example, specifying a parameter with the value inetorgperson,uid=samaccountname excludes mapping uid to samaccountname on entries of objectclass inetorgperson. Using multiple instances of this option allows for multiple exclusions on mappings.
Comma-separated list of language codes to be used in attribute language subtypes. This parameter is functional only when the directoryType parameter is set to ActiveDirectory.
True or False: Indicates whether Oracle Access Management Access Manager (Access Manager) is deployed with Oracle Identity Manager. By default, Access Manager is not deployed, therefore the default setting for this parameter is false.
Note:
The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.
Note:
The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
The ssladapter parameter, which is operational only when the directoryType parameter is set to ActiveDirectory, identifies the name of the adapter to which the UserManagement plug-in routes requests when userPassword or unicodePwd is contained in requests. If unicodePwd is contained in the request, the request must also contain the useraccountControl attribute with a proper value.
The adapter identified by the ssladapter parameter must have:
The same local base as the adapter the UserManagement plug-in is configured on
Its Routing Visibility set to Internal
If no value is set for ssladapter, the current adapter is used by default.
Defines the attribute translation in the form of OVD-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.
True or False. When the directoryType configuration parameter is set to ActiveDirectory, the mapPassword parameter controls whether to convert the user password to the unicodePwd attribute. The default value is false.
Defines the RDN attribute translation in the form of OVD-RDNattribute=OIM-RDNattribute, for example: uid=cn.
Identifies the maximum number of failed logins the source LDAP directory server requires to lock an account (as defined by the password policy effective on the user entries being exposed through the adapter on which this plug-in is deployed).
Note:
Parameter values for XL.MaxLoginAttempts, pwdMaxFailure, and lockout count must be the same in LDAP-enabled setups; otherwise lock/unlock does not work consistently. For example, in an LDAP-enabled environment with libOVD and OUD, the value of the XL.MaxLoginAttempts system property is set to 10, and pwdMaxFailure in adapters.os_xml is set to 10. However, the OUD lockout-failure-count is set to 25. For lock/unlock to work consistently, the attribute values in OUD and adapters.os_xml must be the same.
Defines the objectclass value translation in the form of OVD-objectclass=OIM-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.
Note:
The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
In the form of attribute=value pairs, this parameter identifies attributes to be added before returning the get operation result. You can prefix the attribute name with objectclass, to add the attribute and value to a specific objectclass. You can also surround a value with % to reference other attributes. For example, specifying the value user,samaccountname=%cn% assigns the value of cn to samaccountname when the entry objectclass=user. Specifying the value samaccountname=jdoe adds attribute samaccountname with value jdoe to all the entries.
Note:
Prior to release 11.1.1.4.0, Oracle Virtual Directory had three changelog plug-ins:
oidchangelog for use with Oracle Internet Directory
sunonechangelog for use with Oracle Directory Server Enterprise Edition
adchangelog for use with Microsoft Active Directory
These three plug-ins were deprecated in release 11.1.1.4.0 and a new, single Changelog plug-in is now available. You can use this plug-in with Oracle Internet Directory, Oracle Directory Server Enterprise Edition, and Microsoft Active Directory.
When deploying the single Changelog plug-in, you must:
Set the adapter's Remote Base to an empty value; that is, blank, nothing.
Set the adapter's Mapped Namespace to: cn=changelog
If the back-end is Oracle Directory Server Enterprise Edition, be sure to enable change logging on Oracle Directory Server Enterprise Edition.
If you are using a version of Oracle Virtual Directory that was released prior to 11.1.1.4.0, you must use the following changelog plug-ins to standardize changelog information from source directories into a suitable format for Oracle Identity Manager.
Note:
These plug-ins will not work with Oracle Virtual Directory release 11.1.1.4.0.
For Oracle Internet Directory
Use the oidchangelog plug-in with Oracle Internet Directory.
When deploying the oidchangelog plug-in, you must set the adapter's Remote Base to an empty value; that is, blank, nothing.
For Oracle Directory Server Enterprise Edition
Use the sunonechangelog plug-in with Oracle Directory Server Enterprise Edition.
When deploying the sunonechangelog plug-in, you must:
Set the adapter's Remote Base to an empty value; that is, blank, nothing.
Ensure change logging is enabled on the Oracle Directory Server Enterprise Edition.
Set the adapter's Mapped Namespace to: cn=changelog
For Microsoft Active Directory
Use the adchangelog plug-in with Microsoft Active Directory.
When deploying the adchangelog plug-in, you must:
Set the adapter's Remote Base to an empty value; that is, blank, nothing.
Set the adapter's Mapped Namespace to: cn=changelog
Each of the changelog plug-ins has the following configuration parameters:
Comma-separated list of attributes that are virtually removed from entries before they are returned to the client.
Comma-separated list of languages to be used in attribute language subtypes.
True or False. If set to false and the plug-in encounters a corrupted changelog entry, the plug-in throws a DirectoryException and stops further processing changelog entries. If set to true, the plug-in logs an error without throwing an exception, skips this changelog, and continues processing the next changelogs. The default value is false.
True or False: Indicates whether Access Manager is deployed with Oracle Identity Manager. By default, Access Manager is not deployed, therefore the default setting for this parameter is false.
Note:
The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.
Note:
The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
Defines the objectclass value translation in the form of OIM-objectclass=Source-Directory-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.
In the Oracle Identity Manager use case, the following parameters are configured out-of-the-box:
For Active Directory: inetorgperson=user, orclidxperson=user, and groupOfUniqueNames=group
For Oracle Directory Server Enterprise Edition: container=nsContainer and changelog=changelogentry
For Oracle Internet Directory: container=orclContainer
Note:
The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
Identifies the maximum number of changelog entries to be returned.
A zero (0) or a negative value means no size restriction.
If the incoming search request specifies a size constraint, then the smaller value is used. For example, if you specify the plug-in's sizeLimit as 100, and the search request's count limit is 200, then the actual size limit of the request is reset to 100.
Defines the attribute translation in the form of Source-Directory-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.
Identifies the container to retrieve changes from. This parameter can be set multiple times to identify multiple containers to retrieve changes from. If set multiple times, the targetDN filter should look similar to the following example, and this targetDN filter is "ANDed" to the incoming filter:
"(|(targetDN=*cn=users,dc=mycom1)(targetDN=*,cn=groups,dc=mycom2))"
Sample values include:
*,cn=xxx,dc=yyy
*cn=xxx,dc=yyy
cn=xxx,dc=yyy (must be a descendant of the local base of the adapter specified in virtualDITAdapterName)
All of these samples have the same meaning.
Comma-separated list of attributes to always be retrieved from the source LDAP directory server, regardless of the return attributes list specified for changelog queries to Oracle Virtual Directory.
Comma-separated list of attributes to be added to the normalized changelog entry. For example, orclContainerOC=1, changelogSupported=1, where =1 indicates that the changes retrieved from the source directory support changelog.
True or False. This parameter enables or disables the mapping of the directory specific account attributes to Oracle Virtual Directory virtual account attributes.
Single-valued configuration parameter that defines an LDAP filter on modifiersName. This parameter is "ANDed" to the incoming filter. An example value can be "(modifiersName=cn=myadmin,cn=users,dc=mycom)".
Note:
This configuration does not take effect if directoryType=ActiveDirectory.
Identifies the corresponding user profile adapter name.
For example, in a single-directory deployment, you can set this parameter value to "A1," which is the user adapter name. In a split-user profile scenario, you can set this parameter to "J1;A2," where "J1" is the JoinView adapter name, and "A2" is the corresponding user adapter in the "J1".
This parameter can be multi-valued, which means there are multiple base entry adapters configured for the same back-end directory server as this changelog adapter.
If you set this parameter to "A1," the plug-in fetches the mapAttribute and mapObjectclass configuration in the UserManagementPlugin of adapter A1, so you do not have to duplicate those configurations.
This topic describes how to enable debugging in Oracle Virtual Directory, which can be useful if you need to troubleshoot your Oracle Identity Manager and Oracle Virtual Directory integration.
To enable debugging, perform the following steps:
Open a command window and go to the following location:
OVD ORACLE_INSTANCE/config/OVD/ovd1
Save a copy of the ovd-logging.xml file.
Edit the ovd-logging.xml file as follows:
Change line #25 from:
<logger name='com.octetstring.vde' level='NOTIFICATION:1' useParentHandlers='false'>
to
<logger name='com.octetstring.vde' level='TRACE:32' useParentHandlers='false'>
Change line #28 from:
<logger name='com.octetstring.accesslog' level='ERROR:1' useParentHandlers='false'>
to
<logger name='com.octetstring.accesslog' level='NOTIFICATION:1' useParentHandlers='false'>
Restart Oracle Virtual Directory by typing the following:
cd OVD_INSTANCE/bin
./opmnctl stopall
./opmnctl startall
A changelog query returns incremental changes to user and role accounts or entries in the LDAP server to the Oracle Identity Manager database during changelog reconciliation, when the LDAP synchronization incremental reconciliation jobs are run. However, you can choose not to return changes for some LDAP entries, based on a rule or filter, during that reconciliation. To do so, use the includeEntriesFilter filter tag or filter parameter in the LDAPUser.xml file to filter out the unwanted entries and bring in only the required entries based on the rule before the data is sent to the reconciliation engine, so that the excluded entries never reach the Oracle Identity Manager database. In other words, attribute-level filtering is supported.
The following example shows how you can specify the attribute-level filtering in the LDAPUser.xml file:
<parameter name="includeEntriesFilter"> <value>employeeNumber=123456</value> </parameter>
Here, the <value> tag contains the employeeNumber LDAP attribute and the corresponding value. This selects all the changelog entries or user entries from the LDAP server that match the criteria "employeeNumber=123456" and sends them to the reconciliation engine, so that those users are reconciled into the Oracle Identity Manager database. Changelog entries that do not match this filter are stopped from being sent to the reconciliation engine and are not reconciled into the Oracle Identity Manager database.
The following is a sample of the includeEntriesFilter filter parameter:
(!(LDAP_attribute=val1)(LDAP_attribute=val2)(LDAP_attribute=val3)...)
If the values are variables, then the filter must be "ObjectClass=*". You must specify a variable value for LDAP_attribute as different users have different attribute values.
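The includeEntriesFilter values above, and the targetDN filter that the changelog plug-in ANDs to the incoming filter (described earlier under the changelog plug-in parameters), are both ordinary RFC 4515 LDAP filters. The following evaluator is an added example and is not Oracle code or part of the plug-in; it parses such a filter and applies it to constructed changelog entries, so you can check what a given filter would let through before putting it in LDAPUser.xml. It follows RFC 4515 strictly, so NOT (`!`) wraps exactly one sub-filter and an exclusion list is written `(!(|(a=v1)(a=v2)))`; the entry data and the helper names are the example's own.

```python
"""Evaluate RFC 4515 LDAP filters (as used by includeEntriesFilter and the
changelog plug-in's targetDN filter) against in-memory entries.

Added example, not Oracle code. Entries are dicts attr -> list of values;
attribute names and values match case-insensitively, '*' alone is a presence
test and '*' inside a value is a substring wildcard. Escaped values are not handled.
"""
import re


def _parse(s, i):
    """Recursive-descent parse of the filter starting at s[i]; returns (node, next_i)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":                      # AND / OR over one or more sub-filters
        i += 1
        kids = []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    if op == "!":                       # NOT wraps exactly one sub-filter (RFC 4515)
        i += 1
        node, i = _parse(s, i)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", [node]), i + 1
    j = s.index(")", i)                 # simple item: attr=value, attr=*, attr=*sub*
    attr, eq, value = s[i:j].partition("=")
    if eq != "=" or not attr.strip():
        raise ValueError("bad filter item %r" % s[i:j])
    return ("=", attr.strip(), value), j + 1


def parse_filter(text):
    text = text.strip()
    if not text.startswith("("):        # includeEntriesFilter values may omit the parentheses
        text = "(" + text + ")"
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced filter: %r" % text)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node


def _value_matches(pattern, value):
    if pattern == "*":                  # presence test, e.g. (objectClass=*)
        return True
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(node, entry):
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(_value_matches(pattern, v) for v in values)


def matches(filter_text, entry):
    return evaluate(parse_filter(filter_text), entry)


def apply_include_filter(filter_text, entries):
    """Keep only entries satisfying includeEntriesFilter; the rest never reach reconciliation."""
    return [e for e in entries if matches(filter_text, e)]


def changelog_query_filter(target_dn_filter, incoming_filter):
    """The changelog plug-in ANDs its configured targetDN filter to the incoming filter."""
    return "(&" + target_dn_filter + incoming_filter + ")"


def change_numbers(entries):
    return [e["changeNumber"][0] for e in entries]


# Constructed sample changelog entries (not real directory data).
SAMPLE_CHANGELOG = [
    {"changeNumber": ["101"], "objectClass": ["changeLogEntry"],
     "targetDN": ["cn=jdoe,cn=users,dc=mycom1"], "employeeNumber": ["123456"]},
    {"changeNumber": ["102"], "objectClass": ["changeLogEntry"],
     "targetDN": ["cn=asmith,cn=users,dc=mycom1"], "employeeNumber": ["654321"]},
    {"changeNumber": ["103"], "objectClass": ["changeLogEntry"],
     "targetDN": ["cn=admins,cn=groups,dc=mycom2"]},
    {"changeNumber": ["104"], "objectClass": ["changeLogEntry"],
     "targetDN": ["cn=svc1,cn=services,dc=mycom1"], "employeeNumber": ["123456"]},
]

# The targetDN sample from the changelog plug-in parameter description.
TARGET_DN_FILTER = "(|(targetDN=*cn=users,dc=mycom1)(targetDN=*,cn=groups,dc=mycom2))"

if __name__ == "__main__":
    print(change_numbers(apply_include_filter("employeeNumber=123456", SAMPLE_CHANGELOG)))
    query = changelog_query_filter(TARGET_DN_FILTER, "(employeeNumber=123456)")
    print(query, change_numbers(apply_include_filter(query, SAMPLE_CHANGELOG)))
    print(change_numbers(apply_include_filter(
        "(!(|(employeeNumber=123456)(employeeNumber=654321)))", SAMPLE_CHANGELOG)))
```

Running the block shows that the page's `employeeNumber=123456` filter passes entries 101 and 104, that ANDing the targetDN filter to it narrows the result to 101 (entry 104 sits under cn=services, which neither targetDN pattern covers), and that the presence filter `(objectClass=*)` passes everything, which is why it is the only usable filter when attribute values vary per user.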
For SSL, you must export the server side certificates from the directory server and import into Identity Virtualization Library (libOVD), as described in the following sections:
Enabling SSL Between Identity Virtualization Library (libOVD) and Microsoft Active Directory
Enabling SSL Between Identity Virtualization Library (libOVD) and iPlanet
Enabling SSL Between Identity Virtualization Library (libOVD) and OID
To export the server side certificates from Active Directory and import into Identity Virtualization Library (libOVD):
Export the certificate from the Active Directory server by referring to the instructions in the following Microsoft TechNet documents:
http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc772898%28WS.10%29.aspx
Retrieve the CA signing certificate and save it to a file. To do so:
Login to the Active Directory domain server as a domain administrator.
Click Start, Control Panel, Administrative Tools, Certificate Authority to open the CA Microsoft Management Console (MMC).
Right-click the CA computer, and select CA Properties.
From the General menu, select View Certificate.
Select the Details view, and click Copy to File on the lower-right corner of the window.
Use the Certificate Export wizard to save the CA certificate in a file by running the following command:
certutil -ca.cert OutCACertFile
Note:
You can save the CA certificate in either DER Encoded Binary X-509 format or Base-64 Encoded X-509 format.
Import the Active Directory server certificate created in step 3f to the Identity Virtualization Library (libOVD) keystore as a trusted entry by running the following command:
$ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file OutCACertFile -noprompt
To export certificates from iPlanet (ODSEE) and import into Identity Virtualization Library (libOVD) for enabling SSL between Identity Virtualization Library (libOVD) and iPlanet (ODSEE):
To export certificate from iPlanet (ODSEE), run the following command:
dsadm export-cert -o OUTPUT_FILE INSTANCE_PATH CERT_ALIAS
For example:
./dsadm export-cert -o /tmp/server-cert /scratch/aime1/iPlanet/dsInst/ defaultCert
Choose the PKCS#12 file password:
Confirm the PKCS#12 file password:
ls -lrt /tmp
-rw------- 1 aime1 svrtech 1684 Jan 20 00:39 server-cert
To import the iPlanet (ODSEE) certificate created in step 1 to the Identity Virtualization Library (libOVD) keystore as a trusted entry, run the following command:
ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass PASSWORD -alias ALIAS_VALUE_USED_FOR_EXPORT -file SERVER-CERT_FILENAME -noprompt
Note:
Provide the same certificate alias name, which you provided for exporting the certificate, for the '-alias' parameter while importing the certificate. For example:
ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias defaultCert -file server-cert -noprompt
In addition, export/import certificates as instructed in the ODSEE documentation in the following URL:
http://docs.oracle.com/cd/E19656-01/821-1504/gcvhu/index.html
To export the server side certificates from OID and import into Identity Virtualization Library (libOVD):
Export the Oracle Internet Directory server certificate in Base64 format using the following command:
orapki wallet export -wallet LOCATION_OF_OID_WALLET -dn DN_FOR_OID_SERVER_CERTIFICATE -cert ./b64certificate.txt
Note:
If you use a certificate alias in the orapki command, then an error is generated if the alias is not in all lower case letters.
Import the Oracle Internet Directory server certificate created in step 2 to the Identity Virtualization Library (libOVD) keystore as a trusted entry using the following command:
$ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file OutCACertFile -noprompt
If you create users and roles in Oracle Identity Manager deployment without LDAP synchronization, and later decide to enable LDAP synchronization, then the users and roles created before LDAP synchronization enablement must be synced with LDAP after enablement. The provisioning of users, roles, role memberships, and role hierarchy to LDAP is achieved by the following predefined scheduled jobs for LDAP:
LDAPSync Post Enable Provision Users to LDAP
LDAPSync Post Enable Provision Roles to LDAP
LDAPSync Post Enable Provision Role Memberships to LDAP
LDAPSync Post Enable Provision Role Hierarchy to LDAP
For details about these scheduled jobs, see "Predefined Scheduled Tasks" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
To disable LDAP synchronization in Oracle Identity Manager deployment:
Remove the /db/ldapMetadata/EventHandlers.xml file from MDS by using Oracle Enterprise Manager. See "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about deleting metadata files from MDS.
Login to Oracle Identity System Administration as the System Administrator.
Disable all scheduled jobs for LDAP sync reconciliation. These jobs are:
LDAP User Create and Update Reconciliation
LDAP Role Create and Update Reconciliation
LDAP Role Membership Reconciliation
LDAP Role Hierarchy Reconciliation
This list can also include LDAP User Delete Reconciliation and LDAP Role Delete Reconciliation scheduled jobs. For information about these scheduled jobs, go to the following URL:
http://docs.oracle.com/cd/E37115_01/admin.1112/e27149/scheduler.htm#OMADM2773
In an Oracle Identity Manager deployment with LDAP synchronization enabled and AD, iPlanet (ODSEE), or OID as the directory server, you can manage the Identity Virtualization Library (libOVD) adapters by using WLST commands.
See Also:
Library Oracle Virtual Directory (LibOVD) Commands in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information about the WLST commands to manage Library Oracle Virtual Directory (LibOVD) adapters
To manage the Identity Virtualization Library (libOVD):
Start the WLST console. To do so, run $FMW_ROOT/Oracle_IDM1/common/bin/wlst.sh. This path can be referenced as $OIM_ORACLE_HOME/common/bin/wlst.sh.
Here, $FMW_ROOT refers to your $MW_HOME directory. For example, for this binary location, it can be the /u01/apps/mwhome/ directory.
$OIM_ORACLE_HOME refers to the directory in which Oracle Identity Manager is deployed. For example, /u01/apps/mwhome/Oracle_IDM1/ must point to OIM_ORACLE_HOME.
In the WLST console, run the following command:
connect()
When prompted, provide the WLST username, password, and t3 URL.
Run the following command to display a list of Identity Virtualization Library (libOVD) WLST commands:
help('OracleLibOVDConfig')
This lists the commands for creating, deleting, and modifying Identity Virtualization Library (libOVD), LDAP, and join adapters. The following commands act on the Identity Virtualization Library (libOVD) configuration associated with a particular OPSS context, which is passed in as a parameter:
addJoinRule: Adds a join rule to an existing Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context
addLDAPHost: Adds a new remote host to an existing LDAP adapter
Note:
The following is an example of adding multiple remote hosts for a High Availability (HA) scenario:
addLDAPHost(adapterName='ldap1', host='myhost.example.domain.com', port=389, contextName='myContext')
See Oracle Fusion Middleware High Availability Guide for detailed information about HA.
addPlugin: Adds a plug-in to an existing adapter or at the global level
See Also:
"Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about developing plug-ins in Oracle Identity ManageraddPluginParam: Add new parameter values to the existing adapter level plug-in or global plug-in
createJoinAdapter: Creates a new Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context
createLDAPAdapter: Creates a new LDAP adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context
deleteAdapter: Deletes an existing adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context
getAdapterDetails: Displays the details of an existing adapter that is configured for the Identity Virtualization Library (libOVD) associated with the given OPSS context
listAdapters: Lists the name and type of all adapters that are configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context
modifyLDAPAdapter: Modifies the existing LDAP adapter configuration
removeJoinRule: Removes a join rule from a Join adapter configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context
removeLDAPHost: Removes a remote host from an existing LDAP adapter configuration
removePlugin: Removes a plug-in from an existing adapter or at global level
removePluginParam: Removes an existing parameter from a configured adapter level plug-in or global plug-in
Run help on the individual commands to get usage, such as:
help('addPluginParam')
The following are examples for updating the AD User Management adapter for the oimLanguages attribute for Multi Language Support (MLS):
addPluginParam:
You can use this command to add oimLanguage param to UserManagement plug-in in AD user adapter, as shown:
addPluginParam(adapterName='ldap1', pluginName='UserManagement', paramKeys='oimLanguages', paramValues='fr,zh-CN', contextName='oim')
removePluginParam:
You can use this command to remove oimLanguage param from UserManagement plug-in in AD user adapter, as shown:
removePluginParam(adapterName='ldap1', pluginName='UserManagement', paramKey='oimLanguages', contextName='oim')
removePluginParam:
You can use this command to remove modifierDNFilter param from Changelog plug-in, as shown:
removePluginParam(adapterName='CHANGELOG_ldap1', pluginName='Changelog', paramKey='modifierDNFilter', contextName='oim')
See Also:
"Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for detailed information about creating the OVD adapters for Oracle Identity Manager change log and user managementEnabling access logging for Identity Virtualization Library (libOVD) allows you to capture all requests and responses flowing through Identity Virtualization Library (libOVD), which can be very useful if you are trying to triage performance issues.
To enable access logging for Identity Virtualization Library (libOVD):
Remove any Identity Virtualization Library (libOVD) loggers that were previously configured in Debug mode. You must remove these loggers to see real performance numbers. See "Troubleshooting and Debugging OVD" for information about how to enable debugging in OVD.
Create a WLS logger named oracle.ods.virtualization.accesslog in WLS with NOTIFICATION level.
Create a WLS loghandler, specifying a file name similar to ovd-access.log and associate that log handler to the logger you created in step 2.
This loghandler logs all Oracle Virtual Directory access log messages into a separate file.
Create a backup of the DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml file, and then add the following XML fragment (if it is not already present):
<providers ..>
  ...
  <auditLogPublisher>
    <provider name="FMWAuditLogPublisher">
      ...
    </provider>
    <provider name="AccessLogPublisher">
      <configClass>oracle.ods.virtualization.config.AccessLogPublisherConfig</configClass>
      <properties>
        <property name="enabled" value="true"/>
      </properties>
    </provider>
  </auditLogPublisher>
  ...
</providers>
Restart the WLS Admin and Managed servers.
Oracle Virtual Directory can now generate the access log in the ovd-access.log file.
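Because step 4 says to add the fragment only "if it is not already present", the edit is best done idempotently. The script below is an added example, not Oracle code: it parses provider.os_xml, adds the AccessLogPublisher provider under auditLogPublisher when it is missing, switches an existing one to enabled=true, and leaves everything else untouched. It assumes the file is plain XML with a providers root and the element names shown in the fragment above; the sample document, the ".bak" backup naming and the function names are the example's own.

```python
"""Enable the libOVD AccessLogPublisher in provider.os_xml idempotently.

Added example, not Oracle code. It assumes the file is plain XML (no namespace)
with a <providers> root and an <auditLogPublisher> section holding <provider>
elements, as in the fragment shown in the procedure. The sample below is constructed.
"""
import shutil
import xml.etree.ElementTree as ET

ACCESS_LOG_CONFIG_CLASS = "oracle.ods.virtualization.config.AccessLogPublisherConfig"

# Constructed sample of the relevant part of provider.os_xml before the change.
SAMPLE_PROVIDER_OS_XML = """<providers>
  <auditLogPublisher>
    <provider name="FMWAuditLogPublisher">
      <!-- existing settings elided in this constructed sample -->
    </provider>
  </auditLogPublisher>
</providers>
"""


def _find_provider(audit, name):
    for provider in audit.findall("provider"):
        if provider.get("name") == name:
            return provider
    return None


def ensure_access_log_publisher(xml_text):
    """Return (new_xml_text, changed). Adds the AccessLogPublisher provider when it is
    missing and forces its 'enabled' property to true when it is present but off."""
    root = ET.fromstring(xml_text)
    audit = root.find("auditLogPublisher")
    changed = False
    if audit is None:
        audit = ET.SubElement(root, "auditLogPublisher")
        changed = True
    provider = _find_provider(audit, "AccessLogPublisher")
    if provider is None:
        provider = ET.SubElement(audit, "provider", name="AccessLogPublisher")
        ET.SubElement(provider, "configClass").text = ACCESS_LOG_CONFIG_CLASS
        props = ET.SubElement(provider, "properties")
        ET.SubElement(props, "property", name="enabled", value="true")
        changed = True
    else:
        props = provider.find("properties")
        if props is None:
            props = ET.SubElement(provider, "properties")
        enabled = next((p for p in props.findall("property") if p.get("name") == "enabled"), None)
        if enabled is None:
            ET.SubElement(props, "property", name="enabled", value="true")
            changed = True
        elif enabled.get("value") != "true":
            enabled.set("value", "true")
            changed = True
    if hasattr(ET, "indent"):           # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode"), changed


def access_log_enabled(xml_text):
    """True when an AccessLogPublisher provider with enabled=true is present."""
    root = ET.fromstring(xml_text)
    for provider in root.iter("provider"):
        if provider.get("name") == "AccessLogPublisher":
            return any(p.get("name") == "enabled" and p.get("value") == "true"
                       for p in provider.iter("property"))
    return False


def update_provider_file(path):
    """Back up provider.os_xml next to itself, then rewrite it only if a change is needed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, changed = ensure_access_log_publisher(original)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed
```

Run `update_provider_file` against a copy of DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml first and diff the result; the backup is written only when the file actually changes, and a second run reports no change, which is the property that makes the step safe to repeat.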
Use the following procedure to be able to use LDAP for authentication when LDAP synchronization is enabled.
Note:
This procedure does not enable the following functionality:
Forced password changes, including first login, administrator password reset, and expired passwords
Forced setting of challenge responses
Configure the LDAP Authenticator in WLS. To do so:
Log in to WebLogic Administrative Console.
Go to Security Realms, myrealm, Providers.
Click New. Give a name and choose OracleInternetDirectoryAuthenticator as type.
Set the Control Flag to SUFFICIENT.
Click the Provider Specific settings and configure the OID connection details.
In Dynamic groups section, enter the following values:
Dynamic Group Name Attribute: cn
Dynamic Group Object Class: orcldynamicgroup
Dynamic Member URL Attribute: labeleduri
User Dynamic Group DN Attribute: GroupOfUniqueNames
Click the Providers tab. Remove OIM Authenticator from the list of security providers. This is to ensure that the user is not locked in Oracle Identity Manager database.
Configure the OIMSignatureAuthenticator security provider in the realm. To do so:
i) Login to the WebLogic Administrative Console.
ii) Navigate to Security realm, myrealm, Security providers, Authentication, New.
iii) Select OIMSignatureAuthenticator from the drop-down, and select provider name as OIMSignatureAuthenticator.
iv) Save the changes.
Click Reorder. Reorder the security providers and set their Control Flags as listed in the following table:
| Authentication Provider | Control Flag |
|---|---|
| Default Authenticator | SUFFICIENT |
| OIM Signature Authenticator | SUFFICIENT |
| LDAP Authenticator | SUFFICIENT |
| Default Identity Asserter | Not applicable |
Restart all servers.
Validate role memberships.
Login to WebLogic Admin Console.
Go to Security Realms, myrealm, User and Groups.
Click users to display all the users in the LDAP user search base. If the LDAP users are not displayed, it means that there is an error with the LDAP connection, and the details are specified in OID Authenticator (provider specific settings).
Click on any user and then to the corresponding group entry. "Oimusers" should be one of the listed entries. If this validation fails, please go through the LDAP authenticator's provider-specific details.
Correct notification is sent when a user is locked by an administrator if the pwdLockout attribute is set to TRUE by the password policy in the directory server.
A user locked by the administrator cannot be unlocked by the forgot password flow, but the notification sent to the user is misleading if the value of pwdLockout is set to FALSE.
Therefore, validate the password policy for the LDAP server and check the attributes of the entry "cn=Password Policy,cn=config". Ensure that pwdLockout is set to TRUE.
If the following type of errors occur when synchronizing with OUD, then it is necessary to update the ACIs for OUD:
<Jan 27, 2014 9:36:12 AM PST> <Warning> <oracle.ods.virtualization.engine.backend.jndi.CHANGELOG_oud1> <LIBOVD-40066> <Remote Server Failure:example.com:1234. javax.naming.NoPermissionException: [LDAP: error code 50 - The request control with Object Identifier (OID) "1.3.6.1.4.1.26027.1.5.4" cannot be used due to insufficient access rights]; remaining name 'cn=Changelog'.
Note that the list of OIDs with insufficient access rights includes, but is not limited to:
1.3.6.1.4.1.26027.1.5.4
1.3.6.1.4.1.26027.2.3.4
1.2.840.113556.1.4.319
To remedy this problem:
Verify that the ObjectIdentifier is defined in the Global ACI in the OUD configuration file OUD_INSTANCE/config/config.ldif.
If a particular ObjectIdentifier is not defined, then add the missing OID to OUD by using the dsconfig tool, as described in "Managing Global ACIs With dsconfig" in the Oracle Fusion Middleware Administrator's Guide for Oracle Unified Directory.
If the particular control is not defined, or if it is defined but granted to a groupdn, then the following command defines it and assigns it to a userdn (the ACI value is single-quoted so that the shell passes its parentheses, semicolons and double quotes through unchanged):
$ dsconfig -h {Hostname} -p {Port} -D cn="Directory Manager" -j pwd-file -n \
set-access-control-handler-prop \
--add 'global-aci:(targetcontrol="1.3.6.1.4.1.26027.1.5.4")(version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)'
Double-check the configuration file and ensure that there are no duplicate lines.
Save the configuration file.
Restart OUD and Oracle Identity Manager servers.
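Steps 1 to 4 amount to reading the global ACIs out of config.ldif and checking, for each control OID, whether a read grant exists, whether it is bound to a userdn or only to a groupdn, and whether any line is duplicated. The script below is an added example (not Oracle code or part of OUD) that automates that check over a constructed config.ldif excerpt. It assumes global ACIs are stored as ds-cfg-global-aci attribute values in standard LDIF folding; the required-OID list is the one given above, the sample ACIs and their DNs are constructed, and the function names are the example's own.

```python
"""Audit OUD global ACIs for the request-control OIDs that libOVD changelog
reconciliation needs, using the ds-cfg-global-aci values from config.ldif.

Added example, not Oracle code. It assumes config.ldif stores global ACIs as
'ds-cfg-global-aci:' attribute values in standard LDIF (continuation lines start
with a space); the sample LDIF below is constructed.
"""
import re
from collections import Counter

# OIDs the page lists as failing with insufficient access rights (not exhaustive).
REQUIRED_CONTROL_OIDS = [
    "1.3.6.1.4.1.26027.1.5.4",
    "1.3.6.1.4.1.26027.2.3.4",
    "1.2.840.113556.1.4.319",
]

# Constructed config.ldif excerpt: one OID granted to all users twice (a duplicate),
# one granted only to a group, and the third not granted at all.
SAMPLE_CONFIG_LDIF = """dn: cn=Access Control Handler,cn=config
objectClass: top
objectClass: ds-cfg-access-control-handler
ds-cfg-global-aci: (targetcontrol="1.3.6.1.4.1.26027.1.5.4")(version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
ds-cfg-global-aci: (targetcontrol="1.3.6.1.4.1.26027.2.3.4")(version 3.0; acl "Cookie control for
  admins only"; allow(read) groupdn="ldap:///cn=Directory Administrators,cn=groups,dc=example,dc=com";)
ds-cfg-global-aci: (targetcontrol="1.3.6.1.4.1.26027.1.5.4")(version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def global_acis(ldif_text):
    """Return the raw global ACI strings in file order (duplicates preserved)."""
    return [line.split(":", 1)[1].strip()
            for line in unfold_ldif(ldif_text)
            if line.lower().startswith("ds-cfg-global-aci:")]


def parse_aci(aci):
    """Extract the targetcontrol OIDs, the bind-rule subject kind and whether read is allowed."""
    target = re.search(r'targetcontrol\s*=\s*"([^"]*)"', aci, re.IGNORECASE)
    oids = [o.strip() for o in target.group(1).split("||")] if target else []
    subject = re.search(r"\b(userdn|groupdn)\s*=", aci, re.IGNORECASE)
    allows_read = re.search(r"allow\s*\([^)]*\bread\b[^)]*\)", aci, re.IGNORECASE) is not None
    return {"oids": oids,
            "subject": subject.group(1).lower() if subject else None,
            "allows_read": allows_read}


def audit_control_access(ldif_text, required=REQUIRED_CONTROL_OIDS):
    """Report required OIDs with no grant, OIDs granted only via groupdn, and duplicate ACI lines."""
    acis = global_acis(ldif_text)
    by_userdn, by_groupdn = set(), set()
    for parsed in map(parse_aci, acis):
        if not parsed["allows_read"]:
            continue
        bucket = {"userdn": by_userdn, "groupdn": by_groupdn}.get(parsed["subject"])
        if bucket is not None:
            bucket.update(parsed["oids"])
    return {
        "missing": [o for o in required if o not in by_userdn and o not in by_groupdn],
        "groupdn_only": [o for o in required if o in by_groupdn and o not in by_userdn],
        "duplicates": [a for a, n in Counter(acis).items() if n > 1],
    }


def aci_for_oid(oid):
    """The ACI value from the dsconfig command above, for one OID, as a plain string."""
    return ('(targetcontrol="%s")(version 3.0; acl "Authenticated users control access"; '
            'allow(read) userdn="ldap:///all";)' % oid)


if __name__ == "__main__":
    report = audit_control_access(SAMPLE_CONFIG_LDIF)
    for oid in report["missing"] + report["groupdn_only"]:
        print("needs userdn grant:", aci_for_oid(oid))
    for dup in report["duplicates"]:
        print("duplicate ACI line:", dup)
```

Run it against a copy of OUD_INSTANCE/config/config.ldif from every OUD instance, not just the one idmConfigTool targeted; an OID that shows up under "groupdn_only" is the case the dsconfig command above is meant to fix, and any "duplicates" entry is the kind of repeated line step 5 tells you to remove.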
The LDAPConfigPostConfig script normally fetches the LDAP lastchangenumber and updates the incremental reconciliation jobs. For OUD, situations can arise where the Oracle Identity Manager administrator cannot access the lastExternalChangeLogCookie, so the lastchangenumber cannot be updated, leading to incorrect results. This happens because the ACIs were not granted successfully. To test whether this is the issue, run:
ldapsearch -x -h OUD_HOST -p OUD_PORT -D OIM_ADMIN -w PASSWORD -s base -b "" "objectclass=*" lastExternalChangelogCookie
This must return results. If not, then the problem can be fixed by performing the following steps:
Remove the ACI that denies access to cn=changelog.
Add an ACI allowing your user or group access to cn=changelog.
For reading in cookie mode only, add an ACI allowing usage of the OUD cookie control to your user or group.
For reading in cookie mode only, add an ACI allowing your user or group to read the lastExternalChangelogCookie from the root entry (-s base -b "").
Note:
For detailed instructions on granting OUD change log access, see "Granting Oracle Unified Directory Change Log Access" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.
All steps must be verified on the OUD instance targeted by the idmConfigTool and all other OUD instances.
In some instances, reconciliation with OUD might fail with the following error:
Caused By: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 53 : [LDAP: error code 53 - Full resync required. Reason: The provided cookie is older than the start of historical in the server for the replicated domain : dc=hsgbu,dc=oracle,dc=com]
This error occurs when, for a long time, Oracle Identity Manager finds no changes in LDAP that match its search filters.
Eventually, the changelog-based query fails because OUD purges its changelogs, and Oracle Identity Manager searches for changelogs older than OUD history. As a result, OUD returns an error.
To troubleshoot this issue, ensure that OUD 11.1.2.2 has been patched with the fix for 18495042, which provides new request control to allow continuing with purged cookie. You can download the patch by navigating to the My Oracle Support web site at:
The libOVD Changelog plug-in code must be modified to use this new request control, and must set the supportCookieExceptions boolean to FALSE to avoid error code 53 UNWILLING TO PERFORM.
In an AD environment, some default AD groups do not have the orclIDXGroup objectclass. Because Oracle Identity Manager requires this objectclass on groups, whenever a full reconciliation is run, Oracle Identity Manager tries to update the LDAP group with the objectclass. The AD schema does not allow objectclass modification, so part of the reconciliation fails and none of the post handlers are executed. Even if only one group lacks the orclIDXGroup objectclass, the post handlers fail for every role in the batch, because the batch is a bulk orchestration that rolls back on failure. This prevents the handler that publishes the role to the Top organization from executing, so none of the roles are published, resulting in authorization failures for users who have these roles.
As a solution to this problem, disable the Oracle Identity Manager event handler named LDAPAddMissingObjectClasses, which tries to add objectclasses for both users and roles. This must be done right after AD is configured for LDAP synchronization and before any full reconciliation is run.
To disable the event handler:
Export the /db/ldapMetadata/EventHandlers.xml file from MDS, as described in "Migrating User Modifiable Metadata Files" in Developing and Customizing Applications for Oracle Identity Manager.
Comment out the following lines in the EventHandlers.xml file:
<action-handler class="oracle.iam.ldapsync.impl.eventhandlers.LDAPAddMissingObjectClasses" entity-type="User" operation="CREATE" name="LDAPAddMissingObjectClasses" stage="postprocess" sync="TRUE" order="1140"/>
<action-handler class="oracle.iam.ldapsync.impl.eventhandlers.LDAPAddMissingObjectClasses" entity-type="Role" operation="CREATE" name="LDAPAddMissingObjectClasses" stage="postprocess" sync="TRUE" order="1040"/>
Import the EventHandlers.xml file back to MDS. Make sure that no other file (such as a backup) exists in the import directory while importing the updated file.
Restart Oracle Identity Manager Managed Server.
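As an added example for the "comment out" step of this procedure (this is not Oracle's code), the script below wraps the two LDAPAddMissingObjectClasses action-handlers in the exported EventHandlers.xml in XML comments while leaving the rest of the file byte-for-byte intact, then re-parses the result so a malformed edit is caught before the file is imported back into MDS. The <eventhandlers> wrapper, the XML declaration, the third unrelated handler and the usage line are constructed assumptions; only the two action-handler lines come from the procedure above.

```python
import re
import sys
import xml.etree.ElementTree as ET

HANDLER_NAME = "LDAPAddMissingObjectClasses"
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
WRAP = r"<!-- \g<0> -->"  # replacement template: whole match wrapped in an XML comment

# Constructed sample: the two handler lines quoted in the procedure inside a made-up
# <eventhandlers> root, plus one unrelated handler that must survive untouched.
SAMPLE_EVENTHANDLERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<eventhandlers>
  <action-handler class="oracle.iam.ldapsync.impl.eventhandlers.LDAPAddMissingObjectClasses" entity-type="User" operation="CREATE" name="LDAPAddMissingObjectClasses" stage="postprocess" sync="TRUE" order="1140"/>
  <action-handler class="oracle.iam.ldapsync.impl.eventhandlers.LDAPAddMissingObjectClasses" entity-type="Role" operation="CREATE" name="LDAPAddMissingObjectClasses" stage="postprocess" sync="TRUE" order="1040"/>
  <action-handler class="example.OtherHandler" entity-type="User" operation="CREATE" name="OtherHandler" stage="postprocess" sync="TRUE" order="1200"/>
</eventhandlers>
"""

def disable_handler(xml_text, handler_name=HANDLER_NAME):
    """Wrap every self-closing <action-handler ... name="handler_name" .../> in an XML
    comment. Edits the raw text so the declaration, namespaces, attribute order and
    whitespace of the export are preserved for the MDS import.
    Returns (new_text, number_of_elements_commented_out)."""
    element_re = re.compile(
        r'<action-handler\b[^>]*\bname="' + re.escape(handler_name) + r'"[^>]*/>')
    out, total, pos = [], 0, 0
    # Substitute only outside existing comments, so running the script twice is a no-op.
    for comment in COMMENT_RE.finditer(xml_text):
        chunk, n = element_re.subn(WRAP, xml_text[pos:comment.start()])
        out += [chunk, comment.group(0)]
        total, pos = total + n, comment.end()
    chunk, n = element_re.subn(WRAP, xml_text[pos:])
    out.append(chunk)
    return "".join(out), total + n

def active_handlers(xml_text):
    """Re-parse the edited text and list the handlers still active. A parse error
    here means the file is malformed and must not be imported back into MDS."""
    root = ET.fromstring(xml_text)  # the default parser discards comments
    return [e.get("name") for e in root.iter()
            if isinstance(e.tag, str) and e.tag.rsplit("}", 1)[-1] == "action-handler"]

if __name__ == "__main__":
    path = sys.argv[1]  # path to the exported EventHandlers.xml (constructed usage)
    with open(path, encoding="utf-8") as f:
        new_text, count = disable_handler(f.read())
    print(f"commented out {count} handler(s); still active: {active_handlers(new_text)}")
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
```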
When setting up LDAP synchronization, ensure that it is configured to connect with an OID node in the Multi-Master Replication (MMR) and not via Load Balancer (LBR). This is because of the limitation in OID that changenumber is local to the replica and is not global.
If LDAP synchronization needs to point to an alternate replica, then perform the following steps:
Stop the incremental reconciliation scheduled jobs.
Capture the current changenumber from the new replica.
Run full reconciliation from the new replica. Update the Directory Server IT resource to point to the new replica.
In addition, point libOVD to the new replica by referring to "Managing Identity Virtualization Library (libOVD) Adapters". You are required to run the removeLDAPHost() and then the addLDAPHost() WLST commands in order to point to the new replica.
Update the incremental reconciliation scheduled jobs with the change number captured in step 2.
Enable the incremental reconciliation scheduled jobs.