E Enabling LDAP Synchronization in Oracle Identity Manager

This appendix explains how to manually configure LDAP synchronization of Oracle Identity Manager with the LDAP identity store post-installation.

Note:

LDAP synchronization is required only if you are using Oracle Identity Manager in database mode, and Oracle Identity Manager is integrated with Access Manager (OAM). If your installation does not require OAM, then LDAP synchronization is not required and you can skip this appendix.

If you plan to use LDAP synchronization, there are prerequisite steps that must be taken to configure the LDAP directories. These prerequisites are described in subsequent sections in this document.

For an overview of the integration between LDAP identity store and Oracle Identity Manager, see Section 1.1.3, "About LDAP Synchronization in Oracle Identity Manager".

This appendix contains the following topics:

E.1 Configuring LDAP Synchronization

Perform the following steps to configure LDAP synchronization:

  1. Ensure that all prerequisites are performed in the identity store. See Section E.1.1, "Completing the Prerequisites for Enabling LDAP Synchronization" for more information.

  2. Create the OVD adapters.

    In LDAP synchronization, Oracle Identity Manager uses the virtualization functionality of OVD. This can be used in any one of the following ways:

    • Install a standalone instance of OVD: When you use a standalone instance of OVD, you must create OVD adapters.

    • Use Identity Virtualization Library (libOVD): With libOVD, a runtime library is used by Oracle Identity Manager as part of its own process, which simplifies installation and maintenance.

    For detailed information, see Section E.1.3, "Creating OVD Adapters".

  3. Enable LDAP synchronization. See Section E.1.4, "Enabling LDAP Synchronization" for information.

  4. Perform post-configuration steps of LDAP synchronization. See Section E.2.1, "Running the LDAP Post-Configuration Utility" for information.

  5. Verify LDAP synchronization. See Section E.2.2, "Verifying the LDAP Synchronization" for details.

E.1.1 Completing the Prerequisites for Enabling LDAP Synchronization

LDAP directory servers must be configured with default containers (including changelog), administrators, and Access Control Lists (ACIs). The exact procedure is determined by the choice of LDAP server.

  • Preconfiguring OID, OUD, and standalone OVD: Preconfigure OID, OUD, and OVD by running the idmConfigTool utility. This adds user, group, and reserve containers and the appropriate ACIs. The required preconfiguration step is performed by the following command:

    idmConfigTool -preConfigIDStore
    

    The idmConfigTool is in the IAM_ORACLE_HOME/idmtools/bin/ directory. The preConfigIDStore option extends the schema in OUD or OID, adding object classes required by the integration. It also creates a number of users and groups. Based on the information you provide in the configuration file, this command will act on the appropriate identity store. For example:

    ./idmConfigTool.sh -preConfigIDStore input_file=/scratch/fwadmin/ldap_scripts/prepareIDStore.properties
    

    Note:

    On a replicated OUD instance, cn=changelog is available by default, provided that the instance contains both the directory server and the replication server components (which is the default). The changelog adds no cost in that case because replication is already running.

    On a non-replicated OUD instance, cn=changelog is not enabled by default, because it has a disk and CPU cost that should not be paid when it is not needed. Enable it with the following command:

     $ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" \
          -j pwd-file -r 8989 -b dc=example,dc=com -X -n
    

    In an Oracle Identity Manager deployment that is integrated with Access Manager, it is a requirement that the changelog is enabled for Oracle Identity Manager LDAP synchronization with OUD to work.

    See Section E.1.2, "Configuring Changelog in OUD" for more information about enabling the external change log.

    Here, prepareIDStore.properties is the configuration file. It contains the following input parameters, shown with sample values:

    • IDSTORE_HOST: HOST_NAME

    • IDSTORE_PORT: PORT

    • IDSTORE_BINDDN: cn=oudadmin

    • IDSTORE_USERNAMEATTRIBUTE: cn

    • IDSTORE_LOGINATTRIBUTE: uid

    • IDSTORE_USERSEARCHBASE: cn=Users,dc=us,dc=example,dc=com

    • IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=us,dc=example,dc=com

    • IDSTORE_SEARCHBASE: dc=us,dc=example,dc=com

    • IDSTORE_SYSTEMIDBASE: cn=Systemids,dc=us,dc=example,dc=com

    If you are using OUD as the identity store, then the additional properties are:

    • IDSTORE_ADMIN_PORT : 4444

    • IDSTORE_KEYSTORE_FILE : /u01/config/instances/oud1/OUD/config/admin-keystore

    • IDSTORE_KEYSTORE_PASSWORD : Abcd1234

      The value of the IDSTORE_KEYSTORE_PASSWORD parameter is the content of the /u01/config/instances/oud1/OUD/config/admin-keystore.pin file.

    The idmConfigTool can then be run with the following command:

    idmConfigTool.sh -prepareIDStore mode=OIM input_file=configfile
    

    For OID and OUD, to perform additional schema extensions and create additional users and groups, the following is a sample property file:

    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_OIMADMINUSER: oimadmin
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    

    If you are using OUD as the identity store, then the additional properties are:

    IDSTORE_ADMIN_PORT : 4444
    IDSTORE_KEYSTORE_FILE : /u01/config/instances/oud1/OUD/config/admin-keystore
    IDSTORE_KEYSTORE_PASSWORD : Abcd1234
    

    See Appendix D, "Using the idmConfigTool Command" for more information about using the idmConfigTool utility.

    Note:

    For information about errors that might occur when synchronizing with OUD and workaround steps, see Section E.2.14, "Fixing Permission Errors with OUD ACIs".
  • Preconfiguring ODSEE and AD: If Oracle Directory Server Enterprise Edition (ODSEE) or Active Directory (AD) is used, do not use the idmConfigTool utility. Instead, follow the manual steps described in the subsequent sections of this document.

The following sections describe how to preconfigure the Identity Store for Active Directory and ODSEE:

E.1.1.1 Preconfiguring Active Directory

Before you can use your LDAP directory as an identity store, you must preconfigure it. The procedure in this section preconfigures Microsoft Active Directory for use as your LDAP identity store.

Note:

The data used in the examples provided below is sample data. Follow the examples and replace them with appropriate data according to your LDAP server configuration.

To preconfigure the identity store:

  1. Create the User, Group, and Reserve containers, as shown. Active Directory requires a structural object class on every entry, so each container is created with objectclass container in addition to top:

    dn: cn=Reserve,dc=example,dc=com
    cn: Reserve
    objectclass: top
    objectclass: container
     
    dn: cn=Groups,dc=example,dc=com
    cn: Groups
    objectclass: top
    objectclass: container
     
    dn: cn=Users,dc=example,dc=com
    cn: Users
    objectclass: top
    objectclass: container
    
  2. In Active Directory, create a container outside the user search base, to hold the account used for Oracle Identity Manager reconciliation. Keeping this account outside the user search base prevents administrative users from being reconciled into Oracle Identity Manager as ordinary identities. For example:

    dn: cn=systemids,dc=example,dc=com
    cn: systemids
    objectClass: top
    objectClass: container
    
  3. Create the administrative user for Oracle Identity Manager inside this container:

    dn: cn=oimadmin,cn=systemids,dc=example,dc=com
    cn: oimadmin
    objectclass: user
    
  4. In the Users container created in step 1, create the system administrator user, with uid: SYSTEM_ADMINISTRATOR and an appropriate password.

  5. In the Groups container created in step 1, create a group Oim Administrators, and then assign the users oimadmin and SYSTEM_ADMINISTRATOR to this group.

  6. In the container created in step 2, create a user oamadmin with a password, such as welcome11gR2.

  7. In the Groups container created in step 1, create a group OAM Administrators and assign the oamadmin user to the group.

  8. In the Users container created in step 1, create a user for WebLogic administration with ID as WLAdmin and password as welcome11gR2.

  9. In the Groups container created in step 1, create a group WLSAdmins, and assign the WLAdmin user to that group.

  10. Add the required ACLs:

    OIM Administrators group: full read/write privileges on all user and group entries in the directory. This group also needs read/write privileges on the Reserve container.

  11. Extend the OAM schema, as follows:

    Navigate to the IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema directory, and locate the following files:

    • ADUserSchema.ldif

    • AD_oam_pwd_schema_add.ldif

    In the above LDIF files, replace the domain-dn with the appropriate domain-dn value.

    Use ldapadd from the command line to load the two LDIF files, as follows:

    1. Navigate to the following directory:

      cd IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/
      
    2. Run the ldapadd command.

      ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f ADUserSchema.ldif
       
      ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f AD_oam_pwd_schema_add.ldif
      

      Here, AD_administrator is the user with schema extension privileges to the directory. For example:

      ldapadd -h activedirectoryhost.mycompany.com -p 389 -D adminuser -q -c -f ADUserSchema.ldif
      
  12. Extend the OIM Schema for Active Directory by using the extendadschema script.

    The extendadschema script and the OIM Schema for Active Directory is located at:

    MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
    

    This directory contains the following files used by extendadschema for extending Active Directory:

    • adOAMDisable.ldif

    • adOAMEnable.ldif

    • adOIMLanguageSubtype.ldif

    • adOIMSchema.ldif

    Run the following command to extend Active Directory schema:

    On Windows:

    extendadschema.bat -h AD_host -p AD_port -D <administrator@mydomain.com> -AD <dc=mydomain,dc=com> -OAM <true/false>
    

    On UNIX:

    extendadschema.sh -h AD_host -p AD_port -D <administrator@mydomain.com> -AD <dc=mydomain,dc=com> -OAM <true/false>
    

    Specify the value of -OAM parameter as true.

    Note:

    The extendadschema script is certified only on Active Directory 2003, 2008, 2008R2, and 2012.
  13. Set Active Directory password policy. To do so:

    1. Verify that the value of the pwdMaxFailure configuration parameter for the libOVD adapter in the DOMAIN_HOME/config/fmwconfig/ovd/oim/adapters.os_xml file is set to 10.

    2. Set the lockoutThreshold value to 10 in Active Directory, so that the two lockout thresholds match and Oracle Identity Manager's view of a locked account agrees with Active Directory's. For information about lockoutThreshold, refer to the following URL:

      https://technet.microsoft.com/en-us/library/cc775412%28v=ws.10%29.aspx

E.1.1.2 Preconfiguring ODSEE

Before you can use your LDAP directory as an identity store, you must preconfigure it. The procedure in this section preconfigures Oracle Directory Server Enterprise Edition (ODSEE) for use as your LDAP identity store when you are integrating with OAM and therefore configuring LDAP synchronization.

Note:

  • If your LDAP identity store has already been configured with the containers, the oimadminuser, and the schema extension, then you need not follow the configuration steps described in this section.

  • cn=oracleAccounts is sample data: a suggested name for the directory container that holds the information to be synchronized with OIM. It is not mandatory to use this name. Follow the examples, replacing the sample values with data appropriate to your LDAP server configuration.

To preconfigure the identity store:

  1. Create a new file iPlanetContainers.ldif. Add the following entries and save the file.

    dn:cn=oracleAccounts,dc=mycompany,dc=com
    cn:oracleAccounts
    objectClass:nsContainer
     
    dn:cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Users
    objectClass:nsContainer
     
    dn:cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Groups
    objectClass:nsContainer
     
    dn:cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
    cn:Reserve
    objectClass:nsContainer
    
  2. Import the containers into the iPlanet Directory Server with the ldapadd command. This creates the user, group, and reserve containers.

    ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -c -f ./iPlanetContainers.ldif
    

    For example:

    ldapadd -h localhost -p 1389 -D "cn=Directory Manager" -w "welcome1" -c -f ./iPlanetContainers.ldif
    

    A password given with -w is visible in the process list and is recorded in shell history. Where your ldap tools support it, read the password from a protected file instead (for example with -j, as the OUD commands later in this appendix do).

    If the above command returns an authentication error, retry it with the -x option, which forces a simple bind:

    ldapadd -h localhost -p 1389 -x -D "cn=Directory Manager" -w "welcome1" -c -f ./iPlanetContainers.ldif
    
  3. Enable the moddn property, so that entries can be renamed (moved) between nodes of the tree.

    ..dsee7/bin/dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> moddn-enabled:on
    

    For example:

    ..dsee7/bin/dsconf set-server-prop -h localhost -p 1389 moddn-enabled:on
    
  4. Enable changelog.

    ..dsee7/bin/dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> retro-cl-enabled:on
    

    For example:

    ..dsee7/bin/dsconf set-server-prop -h localhost -p 1389 retro-cl-enabled:on
    
  5. Check the status, as shown:

    ..dsee7/bin/dsccsetup status
    
  6. Stop and Start the ODSEE server instance.

    ..dsee7/bin/dsadm stop <ODSEE instance>
    ..dsee7/bin/dsadm start <ODSEE instance>
    

    For example:

    ..dsee7/bin/dsadm stop /scratch/<userid>/iPlanet/dsinst1/
    ..dsee7/bin/dsadm start /scratch/<userid>/iPlanet/dsinst1/
    
  7. Extend the Sun schema to include OIM-specific Object Classes and Attribute Types.

    cd to $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
    

    Run the following command to load the ldif file, sunOneSchema.ldif.

    ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f sunOneSchema.ldif
    

    For example:

    ./ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w welcome1 -c -f sunOneSchema.ldif
    
  8. If you want to enable OAM-OIM integration, then extend the OAM schema as follows.

    For ODSEE/iPlanet, the OAM schema files are in the IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/ directory:

    • iPlanet7_user_index_add.ldif (or iPlanet7_user_index_generic.ldif)

    • iPlanet_oam_pwd_schema_add.ldif

    • iPlanet_user_schema_add.ldif

    • iPlanet_user_index_add.ldif

    Note:

    If you are not sure which index-root you should use, use the iPlanet7_user_index_generic.ldif file instead of iPlanet7_user_index_add.ldif; it also contains step-by-step instructions for finding the index-root.

    Use ldapadd and ldapmodify from the command line to load the four LDIF files:

    cd $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/
    ldapadd -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet7_user_index_add.ldif
    

    Or:

    ldapadd -h <ODSEE Server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet7_user_index_generic.ldif
    ldapmodify -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet_oam_pwd_schema_add.ldif
    ldapmodify -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet_user_schema_add.ldif
    ldapadd -h <ODSEE_server> -p <ODSEE_port> -D <ODSEE_admin_ID> -w <ODSEE_admin_password> -f iPlanet_user_index_add.ldif
    
  9. Enable Referential Integrity for OIM's Common Name Generation feature.

    Whenever the DN or RDN of an entry is modified, referential integrity must be enabled both in OIM and in the directory server (OID, Active Directory, or ODSEE).

    If referential integrity is enabled in the directory server, then you must set the OIM system property XL.IsReferentialIntegrityEnabledInLDAP to TRUE (the default is FALSE). To do so, log in to OIM and go to Advanced, System Management, System Configuration. Search for the system property XL.IsReferentialIntegrityEnabledInLDAP and set its value to TRUE.

    1. Use the following command to see the value of the referential integrity property.

      ..dsee7/bin/dsconf get-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled
      Enter "cn=Directory Manager" password:
      ref-integrity-enabled : off
      
    2. Use the following commands to enable the referential integrity property.

      ./dsconf set-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled:on
      Enter "cn=Directory Manager" password:
      

      Directory Server must be restarted for changes to take effect. Restart ODSEE/iPlanet Server after enabling referential integrity property.

      ..dsee7/bin/dsadm stop <ODSEE instance>
      ..dsee7/bin/dsadm start <ODSEE instance>
      

      For example:

      ..dsee7/bin/dsadm stop /scratch/<userid>/iPlanet/dsinst1/
      ..dsee7/bin/dsadm start /scratch/<userid>/iPlanet/dsinst1/
      
    3. Now query to see if the value has been set correctly.

      ..dsee7/bin/dsconf get-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled
      Enter "cn=Directory Manager" password:
      ref-integrity-enabled : on
      
  10. Create the OIM admin user, the group, and the ACIs. Open a new file oimadminuser.ldif. This oimAdminUser is used as the proxy user for OIM, and the ACIs below give its group write access to every user and group entry, so replace the sample password welcome1 with a strong password before loading the file.

    The root suffix is given as dc=mycompany,dc=com. Replace it with the appropriate root suffix of the ODSEE server.

    1. Add the following LDAP entries and save the file as oimadminuser.ldif. Load it with the following command:

      ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f oimadminuser.ldif
       
      dn: cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: nsContainer
      objectclass: top
      cn: systemids
       
      dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetorgperson
      mail: oimAdminUser
      givenname: oimAdminUser
      sn: oimAdminUser
      cn: oimAdminUser
      uid: oimAdminUser
      userPassword: welcome1
       
      dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: groupOfUniqueNames
      objectclass: top
      cn: oimAdminGroup
      description: OIM administrator role
      uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
       
      dn: cn=users,cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=users,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
       "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to
       all attributes"; allow (add, read, search, compare,write, delete, import)
       (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
       
      dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
       "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access";
       allow (read, search, compare, add, write,delete) (groupdn =
       "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
       
      dn: cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
       "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access";
       allow (read, search, compare, add, write,delete,export) (groupdn =
       "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
       
      dn: cn=changelog
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=changelog")(targetattr = "*")(version 3.0; acl
       "Allow OIM AdminGroup to read and write access"; allow (read, search,
       compare, add, write,delete,export) (groupdn =
       "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
      
    2. Use the following commands to check for the entries and ACI in the LDAP:

      ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager"
       -w <ODSEE Admin Password> -b "cn=changelog" -s sub "objectclass=*" aci
       
      ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager"
       -w <ODSEE Admin Password> -b "cn=users,cn=oracleAccounts,dc=mycompany,dc=com" -s sub
       "objectclass=*" aci
       
      ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager"
       -w <ODSEE Admin Password> -b "cn=groups,cn=oracleAccounts,dc=mycompany,dc=com" -s sub
       "objectclass=*" aci
      ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager"
       -w <ODSEE Admin Password> -b "cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com" -s sub
       "objectclass=*" aci
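
As an added example (not part of the original page, and not an Oracle tool), the following Python script checks the output of the four ldapsearch commands above. It unfolds the LDIF, parses each aci value, reports every container on which cn=oimAdminGroup lacks a right that the step 10.1 LDIF grants, and flags any allow rule that opens cn=changelog to ldap:///anyone or ldap:///all, since the changelog carries every attribute change made in the directory. It handles only the ACI subset used in this appendix (one target, one allow or deny clause, one userdn or groupdn bind rule); the sample ldapsearch output is constructed, and the rights it requires on cn=changelog are the read-only ones reconciliation needs, which is my assumption (the page's own ACI grants more).

```python
import re

# Constructed sample: the concatenated output of the four ldapsearch checks in step 10,
# with ldapsearch's LDIF folding (a continuation line starts with one space). In this
# sample the Reserve container never received its ACI, and someone has added an
# over-broad ACI on cn=changelog.
SAMPLE_ACI_SEARCH_OUTPUT = """\
dn: cn=changelog
aci: (target = "ldap:///cn=changelog")(targetattr = "*")(version 3.0; acl
 "Allow OIM AdminGroup to read and write access"; allow (read, search,
 compare, add, write,delete,export) (groupdn =
 "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
aci: (target = "ldap:///cn=changelog")(targetattr = "*")(version 3.0; acl
 "Troubleshooting"; allow (read, search, compare) (userdn = "ldap:///anyone");)

dn: cn=users,cn=oracleAccounts,dc=mycompany,dc=com
aci: (target = "ldap:///cn=users,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
 "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to
 all attributes"; allow (add, read, search, compare,write, delete, import)
 (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=groups,cn=oracleAccounts,dc=mycompany,dc=com
aci: (target = "ldap:///cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
 "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access";
 allow (read, search, compare, add, write,delete) (groupdn =
 "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com
"""

# The ACI v3 subset used in this appendix: one target, one allow/deny clause,
# one userdn or groupdn bind rule (optionally negated with !=).
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\)'
    r'.*?\b(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*\(?\s*(?P<kind>userdn|groupdn)\s*(?P<op>!?=)\s*"ldap:///(?P<subject>[^"]+)"',
    re.IGNORECASE | re.DOTALL,
)


def parse_acis(ldapsearch_output):
    """Unfold the LDIF and parse every 'aci:' value into a dict of its parts."""
    # LDIF folding: a line beginning with a space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", ldapsearch_output)
    acis = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("aci:"):
            continue
        m = ACI_RE.search(line)
        if m is None:
            raise ValueError("unrecognised ACI syntax: " + line)
        acis.append({
            "target": m["target"].lower(),
            "effect": m["effect"].lower(),
            "rights": {r.strip().lower() for r in m["rights"].split(",") if r.strip()},
            "kind": m["kind"].lower(),
            "negated": m["op"] == "!=",
            "subject": m["subject"].lower(),
        })
    return acis


def required_rights(root_suffix, container="cn=oracleAccounts"):
    """Rights the step 10.1 LDIF grants the proxy group on each container. For cn=changelog
    only read access is required here (assumption: reconciliation reads it, the server writes it)."""
    rw = {"read", "search", "compare", "add", "write", "delete"}
    base = f"{container},{root_suffix}".lower()
    return {
        f"cn=users,{base}": rw | {"import"},    # moddn destination for Common Name Generation
        f"cn=groups,{base}": set(rw),
        f"cn=reserve,{base}": rw | {"export"},  # moddn source
        "cn=changelog": {"read", "search", "compare"},
    }


def check_acis(ldapsearch_output, group_dn, root_suffix):
    """Return a list of findings; an empty list means every container grants the proxy group
    what it needs and cn=changelog is not open to anyone/all."""
    acis = parse_acis(ldapsearch_output)
    group_dn = group_dn.lower()
    findings = []
    for target, needed in required_rights(root_suffix).items():
        granted = set()
        for a in acis:
            if (a["effect"] == "allow" and a["target"] == target and a["kind"] == "groupdn"
                    and not a["negated"] and a["subject"] == group_dn):
                granted |= a["rights"]
        missing = needed - granted
        if missing and "all" not in granted:
            findings.append(f"{target}: {group_dn} is missing {sorted(missing)}")
    for a in acis:
        if (a["effect"] == "allow" and a["target"] == "cn=changelog"
                and a["kind"] == "userdn" and a["subject"] in ("anyone", "all")):
            who = "anyone, including anonymous binds" if a["subject"] == "anyone" else "all authenticated users"
            findings.append(f"cn=changelog: allow rule for ldap:///{a['subject']} exposes every directory change to {who}")
    return findings


if __name__ == "__main__":
    for finding in check_acis(SAMPLE_ACI_SEARCH_OUTPUT,
                              "cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com",
                              "dc=mycompany,dc=com"):
        print("FINDING:", finding)
```

Feed the real output of the four searches to check_acis in place of the constructed sample (the ACI target, not the dn line, is what is compared); an empty list means the proxy group holds what step 10.1 grants and the changelog is not readable by arbitrary binds.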
      

E.1.2 Configuring Changelog in OUD

LDAP synchronization requires a proxy user and group in LDAP, distinct from the LDAP administrative user. Oracle Identity Manager makes its updates to the directory as this proxy user, and during reconciliation it filters out changes made by the proxy user, so that its own updates are not reconciled back into Oracle Identity Manager.

Using LDAP synchronization with OUD has some additional requirements. OUD's External Changelog (ECL) must be enabled, and the proxy user must be given permissions to query it. To do so:

Note:

The examples in this section assume an OUD instance on localhost, and a simple bind password stored in a secure file (PASSWORD_FILE). Modify the commands as required for your local environment.
  1. After OUD has been installed, modify its configuration file to change the global ACIs for the proxy user and group for changelog access. To do so, in the MIDDLEWARE_HOME/Oracle_OUD1/asinst_1/OUD/config/config.ldif file, replace the default:

    ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)
    

    With the following:

    ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn!="ldap:///cn=oimAdminUser,cn=systemids,dc=us,dc=mydomain,dc=com";)
     
    ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow (read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=us,dc=mydomain,dc=com";)
    

    Note:

    • The proxy user and group do not have to be created at this point.

    • OUD must be restarted for these changes to take effect. Use the stop-ds and start-ds commands in the OUD bin directory.

    • In ACI evaluation a matching deny takes precedence over any allow, so the first rule still denies every bind DN other than cn=oimAdminUser. The allow for cn=oimAdminGroup therefore takes effect only for members not caught by that deny, which in practice is the proxy user itself. Any other account that needs changelog access must also be excluded from the deny rule.

  2. From the OUD bin directory, create the proxy user and group by using the oudadmin.ldif file, an LDIF file that creates the cn=oimAdminUser and cn=oimAdminGroup entries referenced by the ACIs above:

    ./ldapmodify -h localhost -p PORT -D cn=orcladmin -j PASSWORD_FILE -c  -f FILE_LOCATION/oudadmin.ldif
    
  3. Create the replication server and domain. Set the replication port number and the base-dn (for example, dc=com) appropriately for your installation, as shown:

    ./dsconfig -h localhost -p ADMIN_PORT -D cn=orcladmin -j PASSWORD_FILE -X -n create-replication-server --provider-name 'Multimaster Synchronization' --set replication-port:PORT --set replication-server-id:1 --type generic
     
    ./dsconfig -h localhost -p ADMIN_PORT -D cn=orcladmin -j PASSWORD_FILE -X -n create-replication-domain --provider-name 'Multimaster Synchronization' --set base-dn:dc=com --set replication-server:localhost:PORT --set server-id:1 --type generic --domain-name dc=com
    
  4. Provide access to the ECL control, as shown:

    ./dsconfig -h localhost -p ADMIN_PORT -D cn=orcladmin -X -j PASSWORD_FILE -n set-access-control-handler-prop --add global-aci:\(targetcontrol=\"1.3.6.1.4.1.26027.2.3.4\"\)\(version\ 3.0\;\ acl\ \"Authenticated\ users\ control\ access\"\;\ allow\(read\)\ userdn=\"ldap:///all\"\;\)
    
  5. Confirm that the proxy user has access to the changelog, both at the command line and by a manual test within Oracle Identity Manager, as follows:

    • Command line test: Ensure that the results of the following commands are identical:

      ldapsearch -h localhost -p PORT -D OIM_PROXY_USER -j PASSWORD_FILE -b "cn=changelog" -s one
       
      ldapsearch -h localhost -p PORT -D OUD_ADMIN_USER -j PASSWORD_FILE -b "cn=changelog" -s one
      

      Here, OIM_PROXY_USER is the proxy user created previously (for example, cn=oimAdminUser,cn=systemids,...), and OUD_ADMIN_USER is the administrator created when installing OUD (for example, cn=orcladmin).

    • OIM test: It is necessary to obtain the last changelog number from OUD in order to run incremental reconciliation. To do so:

      1. Create a user and/or role in Oracle Identity Manager.

      2. Verify that the user and/or role has been successfully synced to LDAP.

      3. Modify a harmless attribute, such as the display name, for the user and/or role in LDAP.

      4. After confirming that the last changelog value is correctly initialized in the incremental reconciliation scheduled task UI, run the incremental user (or role) create/modify reconciliation and verify that the changes are reflected in Oracle Identity Manager.

    You can inspect the global ACIs directly in OUD with the following command:

    ./dsconfig -h localhost -p ADMIN_PORT -D cn=orcladmin -X -j PASSWORD_FILE -n get-access-control-handler-prop --property global-aci
    
  6. Get the last changelog from OUD.

    OUD uses the external changelog (ECL) for its changelog numbers. The value is not a plain number; it is a cookie that begins with the replicated base DN, followed by a colon and the change sequence number (CSN). The command to get the cookie is:

    ldapsearch -h localhost -p PORT -D "cn=orclAdmin" -j PASSWORD_FILE -b "" -s base "objectclass=*" lastExternalChangelogCookie
    

    An example command and sample cookie follow. Copy the whole cookie value, beginning with the base DN. Because ldapsearch folds long values, the output usually contains a line break followed by a space before the end of the value; be sure to copy the entire string, without that space and line break.

    ldapsearch -h localhost -p PORT -D "cn=orclAdmin" -j PASSWORD_FILE -b "" -s base "objectclass=*" lastExternalChangelogCookie
     
    dn:
    lastExternalChangelogCookie: dc=com:00000154c04613df0001000000
     1b;
    

    In order to use this in Oracle Identity Manager, remove the <CR>/space, if it exists, such as:

    dc=com:00000154c04613df00010000001b
    

    For test purposes, you may need to rewind the cookie by a few entries, by lowering its final sequence number, so that changes made before you obtained the cookie are also picked up. For example:

    dc=us,dc=mydomain,dc=com:00000154c04613df000100000010
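
As an added example, not from the original page or from Oracle's tooling, the following Python script does the copy-and-clean step mechanically: it unfolds the ldapsearch output, extracts lastExternalChangelogCookie in the form shown above, and rewinds it by a given number of entries by lowering the sequence number, as the test example above does. It assumes the cookie covers a single replicated base DN and that the CSN part is 28 hex digits (16 of millisecond timestamp, 4 of replica id, 8 of sequence number), which is the layout the sample values above fit, and it drops the trailing ';' as the page's cleaned example does. The sample ldapsearch output is constructed.

```python
import re

# Constructed sample: the folded ldapsearch output shown in the text. ldapsearch wraps
# long LDIF values, and a continuation line begins with a single space.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn:
lastExternalChangelogCookie: dc=com:00000154c04613df0001000000
 1b;
"""

# Assumed OUD change sequence number (CSN) layout, as 28 hex digits:
# 16 digits of millisecond timestamp, 4 of replica (server) id, 8 of sequence number.
COOKIE_RE = re.compile(
    r"^(?P<base_dn>[^:]+):(?P<ts>[0-9a-f]{16})(?P<replica>[0-9a-f]{4})(?P<seq>[0-9a-f]{8})$",
    re.IGNORECASE,
)


def extract_cookie(ldapsearch_output):
    """Return the lastExternalChangelogCookie value in the form the text tells you to paste
    into Oracle Identity Manager: continuation lines joined, surrounding whitespace removed,
    and the trailing ';' dropped as in the page's cleaned example."""
    unfolded = re.sub(r"\r?\n ", "", ldapsearch_output)  # undo LDIF line folding
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "lastexternalchangelogcookie":
            cookie = value.strip().rstrip(";")
            if not COOKIE_RE.match(cookie):
                raise ValueError(f"unexpected cookie format: {cookie!r}")
            return cookie
    raise ValueError("lastExternalChangelogCookie not present in output")


def parse_cookie(cookie):
    """Split a single-domain cookie into its base DN and CSN fields."""
    m = COOKIE_RE.match(cookie)
    if m is None:
        raise ValueError(f"unexpected cookie format: {cookie!r}")
    return {
        "base_dn": m["base_dn"],
        "timestamp_ms": int(m["ts"], 16),
        "replica_id": int(m["replica"], 16),
        "seq": int(m["seq"], 16),
    }


def rewind_cookie(cookie, entries):
    """Move the cookie back by `entries` changes by lowering the CSN sequence number, which is
    what the text's 'set the changelog back a few entries' example does. Timestamp and replica
    id are left unchanged, so this is a test convenience, not an exact changelog position."""
    fields = parse_cookie(cookie)
    if entries < 0 or entries > fields["seq"]:
        raise ValueError("cannot rewind past the first change of this replica")
    return "{}:{:016x}{:04x}{:08x}".format(
        fields["base_dn"], fields["timestamp_ms"], fields["replica_id"], fields["seq"] - entries)


if __name__ == "__main__":
    cookie = extract_cookie(SAMPLE_LDAPSEARCH_OUTPUT)
    print("cookie for OIM :", cookie)
    print("fields         :", parse_cookie(cookie))
    print("rewound by 11  :", rewind_cookie(cookie, 11))
```

Run the ldapsearch from step 6 and pass its output to extract_cookie; the value it returns is what goes into the incremental reconciliation task, and rewind_cookie gives the rewound form used for testing.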
    

E.1.3 Creating OVD Adapters

Enabling LDAP synchronization at install time also configures the libOVD or OVD adapters required for the integration. If LDAP synchronization is enabled after the initial Oracle Identity Manager installation, you must configure the libOVD or OVD adapters manually.

To enable LDAP synchronization with libOVD, see Section E.1.3.2, "Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager" and Section E.2.10, "Managing Identity Virtualization Library (libOVD) Adapters".

Alternately, if you have configured a standalone OVD server, then the IT Resource page for the Directory Server IT resource type must be configured with the OVD server details. See Section E.1.4.2, "Modifying the IT Resource". In addition, you must create the OVD adapters for various LDAP servers. For details, see "Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

If you are configuring OVD for integration with Oracle Identity Manager, then refer to the following topics:

E.1.3.1 Creating Oracle Virtual Directory Adapters for Oracle Internet Directory and Active Directory

You can use the UserManagement plug-in to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires both adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.

To do this, perform the following tasks:

  1. Ensure you have set all of the necessary environment variables as described in Section D.2, "Set Up Environment Variables".

  2. Create a properties file for the Oracle Internet Directory adapter called ovd1.props as follows:

    Note:

    The usecase.type:single parameter is not supported for Active Directory via the configOVD option.

    ovd.host:ovdhost1.mycompany.com
    ovd.port:8899
    ovd.binddn:cn=orcladmin
    ovd.password:ovdpassword
    ovd.oamenabled:true
    ovd.ssl:true
    ldap1.type:OID
    ldap1.host:oididstore.myhost.mycompany.com
    ldap1.port:3060
    ldap1.binddn:cn=orcladmin,cn=systemids,dc=mycompany,dc=com
    ldap1.password:oidpassword
    ldap1.ssl:false
    ldap1.base:dc=mycompany,dc=com
    ldap1.ovd.base:dc=mycompany,dc=com
    usecase.type: single
    

    The following list describes the parameters used in the properties file.

    • ovd.host: Host name of a server running Oracle Virtual Directory.

    • ovd.port: The https port used to access Oracle Virtual Directory.

    • ovd.binddn: User DN used to connect to Oracle Virtual Directory.

    • ovd.password: Password for the DN used to connect to Oracle Virtual Directory.

    • ovd.oamenabled: Always true in Fusion Applications deployments and in deployments that involve integration between Oracle Identity Manager and Oracle Access Manager (for example, when the underlying directory server is also used by Oracle Access Manager for authentication).

    • ovd.ssl: Set to true, as you are using an https port.

    • ldap1.type: Set to OID for an Oracle Internet Directory back end directory or to AD for an Active Directory back end directory.

    • ldap1.host: Host on which the back end directory is located. Use the load balancer name.

    • ldap1.port: Port used to communicate with the back end directory.

    • ldap1.binddn: Bind DN of the oimLDAP user.

    • ldap1.password: Password of the oimLDAP user.

    • ldap1.ssl: Set to true if you are using the back end's SSL connection, and otherwise to false. Always set this parameter to true when creating an adapter for AD.

    • ldap1.base: Base location in the directory tree.

    • ldap1.ovd.base: Mapped location in Oracle Virtual Directory.

    • usecase.type: Set to single when using a single directory type.

  3. Configure the adapter by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
    

    The syntax on Windows is:

    idmConfigTool.bat -configOVD input_file=configfile [log_file=logfile]
    

    For example:

    idmConfigTool.sh -configOVD input_file=ovd1.props
    

    The command requires no input. The output looks like this:

    The tool has completed its operation. Details have been logged to logfile
    

Run this command for each Oracle Virtual Directory instance in your topology, with the appropriate value for ovd.host in the property file.

E.1.3.2 Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager

You can configure Identity Virtualization Library (libOVD) adapters by using script and template files related to libOVD. Table E-1 lists the files used for Identity Virtualization Library (libOVD) adapter configuration.

Table E-1 Identity Virtualization Library (libOVD) Adapter Configuration Files

File: Files in the $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/ directory
Description: Files related to Identity Virtualization Library (libOVD)

File: Files in the $MW_HOME/oracle_common/bin/ directory:
  libovdadapterconfig.sh
  libovdconfig.sh
  libovdadapterconfig.bat
  libovdconfig.bat
Description: Script files to configure Identity Virtualization Library (libOVD)

File: Files in the $MW_HOME/Oracle_IDM/libovd/ directory:
  adapter_template_oim_ldap.xml
  adapter_template_oim.xml
Description: Template files to configure Identity Virtualization Library (libOVD)

File: Files in the $MW_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/ovd/ADAPTER_NAME/ directory:
  adapters.os_xml
  By default, the value of ADAPTER_NAME is oim.
Description: Configuration file after Identity Virtualization Library (libOVD) has been configured


To configure Identity Virtualization Library (libOVD) adapters and integrate with Oracle Identity Manager:

  1. Before running the scripts to configure Identity Virtualization Library (libOVD), set the following environment variables:

    • set MW_HOME to the appropriate Middleware home directory

    • set ORACLE_HOME to $MW_HOME/oracle_common

    • set WL_HOME to $MW_HOME/wlserver_10.3

    • set JAVA_HOME to the appropriate JDK path

  2. To configure Identity Virtualization Library (libOVD):

    Note:

    Substitute the appropriate information of your host computer and directory path in the commands to run the scripts for configuring Identity Virtualization Library (libOVD).

    1. To create libOVD configuration files and lay out the directory structure, run the following command:

      sh $MW_HOME/oracle_common/bin/libovdconfig.sh -domainPath FULL_PATH_OF_DOMAIN -contextName oim -host ADMINSERVER_HOST -port ADMINSERVER_PORT -userName ADMINSERVER_USERNAME
      

      For example:

      sh $MW_HOME/oracle_common/bin/libovdconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myhost.mycompany.com -port 7001 -userName weblogic
      

      This command creates the directory structure containing the OVD configuration files for Oracle Identity Manager and copies the configuration file templates. In the example, the contextName is assumed to be oim, and therefore, the OVD configuration files are created in the DOMAIN_HOME/config/fmwconfig/ovd/oim/ directory. Here, DOMAIN_HOME is the directory that you are using as the home directory for your domain.

      Note:

      Because Identity Virtualization Library (libOVD) is included in Oracle Identity Manager, both are deployed on the same web container. Therefore, the Admin Server host and Admin Server port must be of the same computer on which Oracle Identity Manager is installed, and not of the computer on which LDAP is installed.

      Running the command displays the following. Enter the password when prompted.

      Enter AdminServer Password: 
      Successfully created OVD config files 
      CSF Credential creation successful 
      Permission Grant successful 
      Successfully configured OVD MBeans
      
    2. To create user and changelog adapters, run the following command:

      sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath FULL_PATH_OF_DOMAIN -contextName oim -host ADMINSERVER_HOST -port ADMINSERVER_PORT -userName ADMINSERVER_USERNAME -adapterName ADAPTER_NAME -adapterTemplate $MW_HOME/Oracle_IDM1/libovd/adapter_template_oim.xml -bindDN LDAP_BIND_DN -createChangelogAdapter -dataStore LDAP_DIRECTORY_TYPE -ldapHost LDAP_HOST -ldapPort LDAP_PORT -remoteBase REMOTE_BASE -root VIRTUAL_BASE
      

      Here, the template is the Oracle Identity Manager template (adapter_template_oim.xml). This creates the adapters, based on that template, with the information you provide when running the script. In the command examples shown in this step, contextName is assumed to be oim. In addition, the bindDN parameter must be the same DN as that of the Oracle Identity Manager administrator account created during the LDAP preconfiguration step. In other words, if the cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com account was created during LDAP preconfiguration, then the bindDN must be set to cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com.

      Note:

      • Because Identity Virtualization Library (libOVD) is included in Oracle Identity Manager, both are deployed on the same web container. Therefore, the Admin Server host and Admin Server port must be those of the computer on which Oracle Identity Manager is installed, and not of the computer on which the LDAP server is installed.

      • In the parameters that you pass while running the tool, the value of the -dataStore argument must be the back-end directory type. Valid values for this parameter, when using adapter_template_oim.xml, are OID, ACTIVE_DIRECTORY, IPLANET, and OUD.

      If the back-end LDAP server port is configured over SSL, then you must use keytool to import the trusted certificate from the LDAP server into the Identity Virtualization Library (libOVD) keystore. To do so, refer to "Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server".

      Example with non-SSL LDAP server port:

      sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myadminserver.mycompany.com -port 7001 -userName weblogic -adapterName LDAP1 -adapterTemplate adapter_template_oim.xml -bindDN "cn=orcladmin" -createChangelogAdapter -dataStore OID -ldapHost myldaphost.mycompany.com -ldapPort 3060 -remoteBase "dc=us,dc=oracle,dc=com" -root "dc=us,dc=oracle,dc=com"
       
      Enter AdminServer Password: 
       
      Enter LDAP Server Password:
      

      Example with LDAP server port configured over SSL:

      Note:

      If you are using SSL port for the LDAP port, then provide the -enableSSL parameter in the libovdadapterconfig.sh or libovdadapterconfig.bat command.

      sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myadminserver.mycompany.com -port 7001 -userName weblogic -adapterName LDAP1 -adapterTemplate adapter_template_oim.xml -bindDN "cn=orcladmin" -createChangelogAdapter -dataStore OID -ldapHost myldaphost.mycompany.com -ldapPort 3161 -enableSSL -remoteBase "dc=us,dc=oracle,dc=com" -root "dc=us,dc=oracle,dc=com"
       
      Enter AdminServer Password: 
       
      Enter LDAP Server Password:
      
  3. Restart the web container and Oracle Identity Manager by running the following commands:

    cd $MW_HOME/user_projects/domains/DOMAIN_NAME/bin/ 
     
    ./stopManagedWebLogic.sh oim_server1 
     
    ./stopWebLogic.sh 
     
    ./startWebLogic.sh 
     
    ./startManagedWebLogic.sh oim_server1
    
  4. To integrate Oracle Identity Manager with Identity Virtualization Library (libOVD):

    1. Log in to Oracle Identity System Administration.

    2. Under Configuration on the left pane, click IT Resource. The Manage IT Resource page is displayed in a separate window.

    3. From the IT Resource Type list, select Directory Server, and then click Search.

    4. For the Directory Server IT resource, click Edit. The Edit IT Resource Details and Parameters page is displayed.

    5. In the Search Base field, enter a value, for example, dc=oracle,dc=com.

    6. In the User Reservation Container field, enter a value, for example, cn=reserve,dc=us,dc=oracle,dc=com.

    7. Restart the WebLogic server on which Oracle Identity Manager is deployed.

    8. Access the server and manage users and roles through Oracle Identity System Administration to confirm that the integration works.

    9. Connect directly to the LDAP server by using the ldapclient tool to verify that the data is managed in the LDAP server you chose with the -dataStore option to the libovdadapterconfig.sh command.

E.1.4 Enabling LDAP Synchronization

Enabling LDAP synchronization involves the following:

E.1.4.1 Modifying the MDS

By default, MDS does not contain the files required for enabling LDAP synchronization. Therefore, several configuration files must be imported into MDS. Initially, the files are not present in MDS, but template versions can be found in the Oracle Identity Manager distribution. In some cases, these files need to be edited before import to reflect your own customizations.

  • The template versions of these files can be found in $IAM_ORACLE_HOME/server/metadata/ directory.

  • The User, Role, Role Hierarchy, and Role Membership files must be imported into MDS. If you are modifying these entities and relationships, for example, by adding UDFs, then you must create a backup of the original files before modification and import.

  • In most new installations, you can import the event handlers to MDS without modifying them. Occasionally, you might modify the event handlers to customize OIM response to lifecycle events.

  • The LDAPContainerRules.xml file must always be edited to allow synchronization in your environment.

  • After customizations have been applied in your environment, you must first export the files from MDS in order to obtain the active versions, as the original template versions on the file system might be outdated.

To modify and import MDS files:

  1. Set the OIM_ORACLE_HOME environment variable to the directory on which Oracle Identity Manager is deployed. The exact location depends on your installation, for example, /u01/Oracle/Middleware/IAM.

  2. Copy the following files from the MDS to a temporary staging directory, such as /tmp:

    Note:

    • The files must not be copied directly into the root of the staging directory (for example, straight into /tmp). Instead, maintain the structure listed in this step, for example, /tmp/db/LDAPUser. If the files are copied flat into the /tmp directory and imported into MDS, then Oracle Identity Manager fails to run the reconciliation scheduled jobs.

    • It is mandatory to create a separate staging directory. The $OIM_ORACLE_HOME/server/metadata directory cannot be used as the staging directory because it contains some other files. If these files are imported inadvertently, then it might corrupt the Oracle Identity Manager instance.

      Here, OIM_ORACLE_HOME represents an environment variable that identifies the directory on which Oracle Identity Manager is installed. This variable is used for various Oracle Identity Manager scripts.

    • The following metadata files, which are used for configuring the reconciliation profile and the reconciliation horizontal table entity definition for LDAP user, role, role hierarchy, and role membership reconciliation:

      /db/LDAPUser

      /db/LDAPRole

      /db/LDAPRoleHierarchy

      /db/LDAPRoleMembership

      /db/LDAPContainerRules.xml

      /db/RA_LDAPROLE.xml

      /db/RA_LDAPROLEHIERARCHY.xml

      /db/RA_LDAPROLEMEMBERSHIP.xml

      /db/RA_LDAPUSER.xml

      /db/RA_MLS_LDAPROLE.xml

      /db/RA_MLS_LDAPUSER.xml

      These files must be copied to a temporary location before importing, or you might corrupt your instance because oim-config.xml is also present in the same location.

    • The LDAP event handlers. The predefined event handlers are in the /db/ldapMetadata/EventHandlers.xml file.

    • The LDAPContainerRules.xml file, which contains the container information for the users and roles to be created.

      Note:

      The LDAPContainerRules.xml file can contain rules that use only those attributes that are mapped to the directory. A rule cannot be written by using attributes from foreign objects or attributes that are not part of the entity. This is true for both the user and the role entity. For example, Role Email cannot be used in rules for roles, and the user's Organization Name cannot be used for the user entity.

  3. Edit LDAPContainerRules.xml. To do so, open LDAPContainerRules.xml, and replace $DefaultUserContainer$ and $DefaultRoleContainer$ with the appropriate user and role container values. For example, replace:

    • $DefaultUserContainer$ with a value reflecting your desired container structure, such as cn=Users,dc=us,dc=sample,dc=com

    • $DefaultRoleContainer$ with a value reflecting your desired container structure, such as cn=SomeSubContainer,cn=Groups,dc=us,dc=sample,dc=com

  4. Perform the import by using Oracle Enterprise Manager. For information about importing metadata files into MDS, see "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

    Note:

    Ensure that EventHandlers.xml is in the $STAGING_DIR/db/ldapMetadata/ directory when importing into MDS.

    After performing your customizations and imports, it is recommended to export the files from MDS to confirm the files are in the correct MDS location with the desired changes. The MDS documentation provides instructions for MDS export.
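The staging and placeholder-substitution steps above (steps 2 and 3), as an added example that is not part of the Oracle documentation or of any Oracle tool. It assumes that the files exported from MDS sit in a source directory laid out as /db/... (the page does not name the export location), it uses a constructed stand-in for the content of LDAPContainerRules.xml because the page shows only the two placeholders, and it turns the two notes in step 2 (keep the db/ layout, never stage inside $OIM_ORACLE_HOME/server/metadata, never pick up oim-config.xml) into hard checks:

```python
"""Stage the LDAP synchronization metadata files and fill in the container
placeholders of LDAPContainerRules.xml (steps 2 and 3 above).
Added example, not Oracle's own tooling."""
import os
import re
import shutil
import tempfile

# Directories and files from step 2, relative to the staging root. The db/
# prefix is kept so that /tmp/db/LDAPUser, never /tmp/LDAPUser, is produced.
LDAP_METADATA_DIRS = ["db/LDAPUser", "db/LDAPRole",
                      "db/LDAPRoleHierarchy", "db/LDAPRoleMembership"]
LDAP_METADATA_FILES = [
    "db/LDAPContainerRules.xml", "db/RA_LDAPROLE.xml",
    "db/RA_LDAPROLEHIERARCHY.xml", "db/RA_LDAPROLEMEMBERSHIP.xml",
    "db/RA_LDAPUSER.xml", "db/RA_MLS_LDAPROLE.xml", "db/RA_MLS_LDAPUSER.xml",
    "db/ldapMetadata/EventHandlers.xml",
]

# Constructed stand-in for the template: the page shows only the two
# placeholders, not the elements around them.
RULES_TEMPLATE = """<container-rules>
  <user-container>$DefaultUserContainer$</user-container>
  <role-container>$DefaultRoleContainer$</role-container>
</container-rules>
"""

_RDN = re.compile(r"^[A-Za-z][\w.-]*=[^,]+$")


def is_dn(value):
    """Cheap syntax check: one or more attr=value RDNs joined by commas."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", value)]
    return all(_RDN.match(r) for r in rdns)


def fill_container_rules(template, user_container, role_container):
    """Step 3: replace both placeholders after validating the DNs."""
    for dn in (user_container, role_container):
        if not is_dn(dn):
            raise ValueError("not a DN: %r" % dn)
    text = (template.replace("$DefaultUserContainer$", user_container)
                    .replace("$DefaultRoleContainer$", role_container))
    if "$Default" in text:
        raise ValueError("unreplaced placeholder left in LDAPContainerRules.xml")
    return text


def stage_ldap_metadata(source_dir, staging_dir, oim_oracle_home=None):
    """Step 2: copy only the listed paths from source_dir (the MDS export in
    the same db/ layout; hypothetical location) into staging_dir. Anything
    else in source_dir, oim-config.xml in particular, is never staged."""
    staging = os.path.realpath(staging_dir)
    home = oim_oracle_home or os.environ.get("OIM_ORACLE_HOME")
    if home and staging == os.path.realpath(os.path.join(home, "server", "metadata")):
        raise ValueError("$OIM_ORACLE_HOME/server/metadata cannot be the staging directory")
    wanted = LDAP_METADATA_DIRS + LDAP_METADATA_FILES
    missing = [p for p in wanted if not os.path.exists(os.path.join(source_dir, p))]
    if missing:
        raise FileNotFoundError("missing from export: " + ", ".join(missing))
    for rel in wanted:
        src, dst = os.path.join(source_dir, rel), os.path.join(staging, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        if os.path.isdir(src):
            shutil.copytree(src, dst, dirs_exist_ok=True)
        else:
            shutil.copy2(src, dst)
    return wanted


def _write(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)


def demo(user_container="cn=Users,dc=us,dc=sample,dc=com",
         role_container="cn=SomeSubContainer,cn=Groups,dc=us,dc=sample,dc=com"):
    """Build a constructed export tree in a temp dir, stage it, fill the rules."""
    root = tempfile.mkdtemp(prefix="ldapsync-")
    export, staging = os.path.join(root, "export"), os.path.join(root, "staging")
    for rel in LDAP_METADATA_DIRS:
        _write(os.path.join(export, rel, "placeholder.xml"), "<x/>\n")
    for rel in LDAP_METADATA_FILES:
        body = RULES_TEMPLATE if rel.endswith("LDAPContainerRules.xml") else "<x/>\n"
        _write(os.path.join(export, rel), body)
    _write(os.path.join(export, "db", "oim-config.xml"), "<x/>\n")  # must stay behind
    staged = stage_ldap_metadata(export, staging)
    rules_path = os.path.join(staging, "db", "LDAPContainerRules.xml")
    with open(rules_path) as fh:
        rules = fill_container_rules(fh.read(), user_container, role_container)
    _write(rules_path, rules)
    return {"staged": staged, "rules": rules,
            "oim_config_staged": os.path.exists(os.path.join(staging, "db", "oim-config.xml"))}


if __name__ == "__main__":
    print(demo())
```

The DN check is deliberately syntactic only; whether the container actually exists in the directory is verified later, when the first user is created (Section E.2.2).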

E.1.4.2 Modifying the IT Resource

Edit IT Resource configuration in Oracle Identity Manager. To do so:

  1. Log in to Oracle Identity System Administration as the system administrator by navigating to the following URL:

    http://HOST_NAME:PORT/sysadmin

  2. In the left navigation pane, under Configuration, click IT Resource. The Manage IT Resource page is displayed.

  3. Search for the Directory Server IT resource.

  4. Update the IT resource with Search base and Reservation container values.

    The suggested value for Search base is the root suffix or the BaseDN, for example, dc=us,dc=example,dc=com.

  5. If you want to configure Oracle Identity Manager with an OVD server, then enter the value for ServerURL with the OVD server host and port details.

    If you want to configure Oracle Identity Manager with Identity Virtualization Library (libOVD), then do not enter the values for ServerURL. It must be empty.

  6. Enter the values for the bind credentials used for the LDAP server. This is the same DN that was used as IDSTORE_BINDDN in idmConfigTool.

    Admin Login: cn=oimadmin

    Admin Password: 1111111111

  7. Make sure that the value for the Reservation Container is cn=reserve,VALUE_OF_THE_ROOT_SUFFIX. For example:

    Reservation Container: cn=reserve,dc=us,dc=example,dc=com

E.1.4.3 Seeding Reconciliation Jobs

For reconciliation jobs, seed the LDAP reconciliation scheduled jobs into Quartz tables, which are part of Oracle Identity Manager schema. As a prerequisite to do so, set the OIM_ORACLE_HOME environment variable. For example:

For Microsoft Windows, set the OIM_ORACLE_HOME environment variable to the C:\Oracle\Middleware\Oracle_IDM1 directory by running the following command:

set OIM_ORACLE_HOME=C:\Oracle\Middleware\Oracle_IDM

For UNIX, run the following command:

setenv OIM_ORACLE_HOME /u01/mwhome/Oracle_IDM

Seeding the LDAP reconciliation scheduled jobs can be performed in any one of the following ways:

  • Seeding LDAP reconciliation scheduled jobs with parameters:

    1. Go to the $OIM_ORACLE_HOME/server/setup/deploy-files directory.

    2. Set ant home. The following are sample commands to set ant home:

      For UNIX:

      setenv ANT_HOME /u01/mwhome/modules/org.apache.ant_1.7.1
      

      For Microsoft Windows:

      set ANT_HOME=/u01/mwhome/modules/org.apache.ant_1.7.1
      

      Note:

      If ANT is not installed, then download ANT from Oracle Technology Network (OTN) web site by navigating to the following URL:

      http://www.oracle.com/technetwork/index.html

      Install ANT and set ANT_HOME. Make sure that the ant executable file exists in the $ANT_HOME/bin/ant/ directory.

    3. Run the following ant command with parameters:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=SCHEMA_OWNER_USERNAME -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=SCHEMA_HOST_ADDRESS -DoperationsDB.port=SCHEMA_PORT_NUMBER -DoperationsDB.serviceName=SCHEMA_SERVICE_NAME -Dssi.provisioning=ON -Dweblogic.server.dir=WEBLOGIC_SERVER_LOCATION -Dojdbc.location=OJDBC_LOCATION -Dwork.dir=seed_logs
      

      For example:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver  -DoperationsDB.user=schemaowner1_OIM -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=myhost.mycompany.com -DoperationsDB.port=1521 -DoperationsDB.serviceName=oimdb.regress.rdbms.mycompany.com -Dssi.provisioning=ON -Dweblogic.server.dir=$MW_HOME/wlserver_10.3 -Dojdbc.location=$MW_HOME/wlserver_10.3/server/lib/ojdbc6.jar -Dwork.dir=seed_logs
      
  • Seeding LDAP reconciliation scheduled jobs with the profile file:

    1. Set the ANT_HOME environment variable to the directory on which ANT is installed.

      Note:

      If ANT is not installed, then download ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL:

      http://www.oracle.com/technetwork/index.html

      Install ANT and set ANT_HOME. Make sure that the ant executable file exists in the $ANT_HOME/bin/ant/ directory.

    2. Go to the $OIM_ORACLE_HOME/server/bin/ directory.

    3. Create a property file with the properties listed in Table E-2.

      Note:

      You can also use the appserver.profile file instead of creating a new property file. Make sure that the properties listed in this step are present in it with appropriate values.

      Table E-2 Parameters of the Property File

      operationsDB.user: Oracle Identity Manager database schema owner.

      operationsDB.driver: Constant value of oracle.jdbc.OracleDriver.

      operationsDB.host: Oracle Identity Manager database schema host address.

      OIM.DBPassword: Oracle Identity Manager database schema owner's password.

      operationsDB.serviceName: Oracle Identity Manager database schema service name, for example, oimdb.regress.rdbms.mycompany.com.

      operationsDB.port: Oracle Identity Manager database schema port number.

      ssi.provisioning: Value must be ON.

      weblogic.server.dir: Directory on which Oracle WebLogic Server is installed, for example, MW_HOME/wlserver_10.3.

      ojdbc.location: Path of the JDBC driver JAR file, for example, MW_HOME/wlserver_10.3/server/lib/ojdbc6.jar.

      work.dir: Any preferred directory in which the log files are created. After successful completion of the target, you can check the logs in the $WORK_DIR/seed_logs/ldap/SeedSchedulerData.log file.

      appserver.type: Application server; the value is wls for WebLogic.

      appserver.dir: Absolute path to the WebLogic Server directory.


    4. Go to the $OIM_ORACLE_HOME/server/setup/deploy-files/ directory.

    5. Run the following command:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -propertyfile $OIM_ORACLE_HOME/server/bin/PROPERTY_FILE_NAME 
      

E.1.4.4 Reverting from OVD to libOVD in LDAPSync

Either OVD or libOVD can be the front end to all supported directory servers. However, it is recommended that libOVD, and not stand-alone OVD, is used as the front end to OUD. If you already have an OVD-OUD-OIM topology and wish to convert it to libOVD-OUD-OIM, then perform the following steps:

  1. Disable the incremental role and user reconciliation scheduled jobs.

  2. Record the last changelog entry of the directory server by running the following command:

    ldapsearch -h HOST -p PORT -D "cn=orcladmin" -w PASSWORD -b "" -s base "objectclass=*" lastchangenumber
    

    Before re-enabling the scheduled reconciliation jobs, ensure that this changelog number is placed in the IT Resource for the directory server.

  3. Create the libOVD adapters. See Section E.1.3.2, "Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager" for details.

  4. Edit Oracle Identity Manager IT resource. See Section E.1.4.2, "Modifying the IT Resource" for details.

  5. Re-enable the incremental role and user reconciliation jobs disabled in step 1.

E.2 Managing LDAP Synchronization

Managing LDAP synchronization is described in the following sections:

E.2.1 Running the LDAP Post-Configuration Utility

The LDAP configuration post-setup script enables all the LDAP synchronization-related incremental reconciliation scheduler jobs, which are disabled by default. In addition, it retrieves the last change number from the Directory Server and updates all the LDAP synchronization incremental reconciliation jobs with that change number.

Note:

  • This procedure is applicable to all the Directory Server options.

  • The LDAP post-setup script and the properties files are located in the server/LDAP_CONFIG_UTIL directory under your IAM_HOME, which is the Oracle Identity and Access Management home directory for Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.

  • The wlfullclient.jar file is required to run LDAP configuration post-setup. Generate this file as described in "Post-Configuration Steps" in Installation Guide for Oracle Identity and Access Management. In this section, the step to copy the wlfullclient.jar file to the IAM_HOME\designconsole\ext\ directory on the machine where Design Console is configured is required only if the Design Console is required for some other purpose than enabling LDAP synchronization. Configuring the Design Console is not required for the purpose of LDAP synchronization.

To run the LDAP post-configuration utility:

  1. Before you run the LDAP post-configuration utility, ensure that the following environment variables are set:

    • APP_SERVER is set to the application server on which Oracle Identity Manager is running. Set APP_SERVER to weblogic.

    • JAVA_HOME is set to the directory on which JDK is installed on your machine.

    • MW_HOME is set to the Middleware home path provided during Oracle Identity Manager installation.

    • OIM_ORACLE_HOME is set to the directory on which Oracle Identity Manager is deployed. For example:

      On UNIX, it is the MW_HOME/IAM_HOME directory.

      On Windows, it is the MW_HOME\IAM_HOME directory.

    • WL_HOME is set to the wlserver_10.3 directory under your Middleware home directory. For example:

      On UNIX, it is the MW_HOME/wlserver_10.3 directory.

      On Windows, it is the MW_HOME\wlserver_10.3 directory.

    • DOMAIN_HOME is set to the domain of the WebLogic Server. For example:

      On UNIX, it is the MW_HOME/user_projects/domains/base_domain directory.

      On Windows, it is the MW_HOME\user_projects\domains\base_domain directory.

  2. Open the ldapconfig.props file in a text editor. This file is located in the server/ldap_config_util directory under IAM_HOME for Oracle Identity and Access Management.

  3. In the ldapconfig.props file, set values for the parameters listed in Table E-3.

    Table E-3 Parameters of the ldapconfig.props File

    Parameter Description

    OIMServerType

    Specify the application server on which Oracle Identity Manager is deployed. For example:

    OIMServerType=WLS
    

    OIMProviderURL

    Specify the URL for the Oracle Identity Manager provider. If the OIMServerType is WLS, then specify the URL in the following format:

    OIMProviderURL=t3://localhost:MANAGED_SERVER_PORT
    

    LDAPURL

    Specify the URL for the OVD instance.

    If OVD server is selected during Oracle Identity Manager installation, then provide a value for LDAPURL. If OVD server is not selected during Oracle Identity Manager installation, then leave the value of LDAPURL blank.

    Specify the URL in the following format:

    LDAPURL=ldap://OVD_SERVER:OVD_PORT

    For example:

    LDAPURL=ldap://OVDserver.examplehost.exampledomain.com:6501
    

    Note: If you have selected Active Directory, OID, ODSEE, or OUD as the directory server, then do not specify a value for the LDAPURL parameter. If you are using OVD as the directory server, then specify the URL built from the OVD server host and OVD port number as the value.

    LDAPAdminUsername

    Specify the user name for the OVD Administrator.

    If OVD server is selected during Oracle Identity Manager installation, then provide the Admin user name to connect to LDAP/OVD Server. For example:

    LDAPAdminUsername=cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
    

    Note: LDAPAdminUsername is the name of the user used to connect to the Identity Store, for example, cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com.

    This LDAPAdminUsername must not be located in the user container where customer's user accounts exist. For example, do not use cn=Users,cn=mycompanyAccounts,dc=mycompany,dc=com. This user must be outside the search scope to avoid reconciliation of this user into Oracle Identity Manager.

    Note: If you have selected Active Directory, OID, ODSEE, or OUD as the directory, then do not specify a value for the LDAPAdminUsername parameter after enabling LDAP synchronization. Enter the OVD admin user name as the value only if you are using OVD as the directory server.

    LIBOVD_PATH_PARAM

    Specify the configuration directory path of libOVD. Provide the following value for this parameter:

    LIBOVD_PATH_PARAM=MW_HOME/user_projects/domains/base_domain/config/fmwconfig/ovd/oim
    

    Note: If you specify the value for the LIBOVD_PATH_PARAM parameter on Microsoft Windows, then the value must start with the forward slash (/) character. In addition, use forward slash as the path separator, for example:

    LIBOVD_PATH_PARAM=/C:/MW_HOME/user_projects/domains/base_domain/config/fmwconfig/ovd/oim
    

    Note: If you have selected Active Directory, ODSEE, or OUD as the directory server, then specify the value of this parameter in the same form as the example given above.

    Note: If you have selected OVD server as the directory server, then do not specify a value of this parameter.

    ChangeLogNumber

    Leave the value of this parameter as blank.


  4. Ensure that the required environment variables are set, as described in step 1.

  5. Start the Oracle Identity Manager Managed Server. See "Starting the Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  6. On the command line, run the LDAP configuration post-setup script as follows:

    On UNIX, run:

    LDAPConfigPostSetup.sh LOCATION_OF_THE_DIRECTORY_CONTAINING_THE_ldapconfig.props_FILE
    

    For example:

    LDAPConfigPostSetup.sh MW_HOME/IAM_HOME/server/ldap_config_util
    

    The script runs against the IPv4 stack by default. If the LDAP server is set up on a host configured only with IPv6, then ipv6 must be passed explicitly as the final argument to the LDAPConfigPostSetup.sh script, as shown:

    LDAPConfigPostSetup.sh LOCATION_OF_THE_DIRECTORY_CONTAINING_THE_ldapconfig.props_FILE ipv6
    

    On Windows, run:

    LDAPConfigPostSetup.bat LOCATION_OF_THE_DIRECTORY_CONTAINING_THE_ldapconfig.props_FILE
    

    For example:

    LDAPConfigPostSetup.bat c:\Oracle\Middleware\IAM_HOME\server\ldap_config_util
    
  7. When prompted, enter the Oracle Identity Manager system administrator password and the LDAP administrator password as applicable.

    If you are using Active Directory or ODSEE or OUD as the Directory Server, then you are prompted only for the Oracle Identity Manager system administrator password.

    If you are using OVD as the Directory Server, then you are prompted for both Oracle Identity Manager system administrator password and LDAP Administrator password.

E.2.2 Verifying the LDAP Synchronization

To verify the configuration of LDAP with Oracle Identity Manager:

  1. Ensure that the WebLogic Administration Server and Oracle Identity Manager Managed Server are running.

  2. Log in to Oracle Identity System Administration.

  3. Under Provisioning Configuration, click IT Resource. The Manage IT Resource page is displayed. Click Search.

    Verify the parameter values of Search Base, Reservation Container, URL, and bind DN.

    See "Managing IT Resources" in Administering Oracle Identity Manager.

  4. Log in to Oracle Identity Self Service, and create a user.

  5. Verify that the same user is created in the chosen LDAP store or OVD by using any LDAP client.

    Note:

    Ensure that the chosen Directory Server or OVD and Oracle Identity Manager are running.

E.2.3 Customizing and Filtering Users

Customizing and filtering user creation can be done in the following ways:

E.2.3.1 Customizing User Creation Through Oracle Identity Manager With Different Custom Object Classes

You can add custom object classes and custom attributes while creating a new user by adding the custom attributes as user-defined fields (UDFs) in Oracle Identity Manager as well as to the LDAPUser.xml in MDS. As a prerequisite, the custom object class with one or more attributes must be created and loaded into OID.

To add custom attributes as UDFs in Oracle Identity Manager and LDAPUser.xml in MDS:

  1. Add the custom attributes to the user attributes in Oracle Identity Manager, as described in "Creating a Custom Attribute" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  2. Export the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file from the repository, as described in "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  3. Update the LDAPUser.xml file to add the custom attribute (custom attribute1 in this example) and the custom object class (customObjectClass).

  4. To add additional object classes on 'create', edit LDAPUser.xml and add additional <value> entries to the <parameter name="objectclass"> node. For example:

    <parameter name="objectclass">
    <value>orclIDXPerson</value>
    <value>customObjectClass</value>
    </parameter>
    
  5. Add your custom attributes to the three sections of the LDAPUser.xml file. To do so:

    1. Add the attribute entry to the end of the <entity-attributes> tag, for example:

      <entity-attributes>
      ...................
      ...................
      <attribute name="custom attribute1">
      <type>string</type>
      <required>false</required>
      <attribute-group>Basic</attribute-group>
      <searchable>true</searchable>
      </attribute>
      </entity-attributes>
      

      Note:

      If you are using an OUD LDAP directory, then the custom attribute name must not contain a space. OUD does not allow creating a custom attribute with a space in the attribute name.

    2. Add the attribute entry to the end of the <target-fields> tag, for example:

      <target-fields>
      ...................
      ...................
      <field name="customattr1">
      <type>string</type>
      <required>false</required>
      </field>
      </target-fields>
      
    3. Add the attribute entry to the end of the <attribute-maps> tag, for example:

      <attribute-maps>
      ...................
      ...................
      <attribute-map>
      <entity-attribute>custom attribute1</entity-attribute>
      <target-field>customattr1</target-field>
      </attribute-map>
      </attribute-maps>
      
    4. Save and close the LDAPUser.xml file.

  6. Import the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file into the repository, as described in "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  7. (Optional) If you want to change the RDN attribute from 'cn' to another attribute, then update the <parameter name="rdnattribute"> tag to the new directory attribute name, and then reimport the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file into the repository. For example:

    <parameter name="rdnattribute">
    <value>companyid</value>
    </parameter>
    
  8. Test the configuration by creating the new user through Oracle Identity Manager.
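
The following Python script is an added example, not part of the Oracle documentation or product. It applies steps 3 to 7 above to an LDAPUser.xml file and checks that the <entity-attributes>, <target-fields> and <attribute-maps> sections agree before the file is imported back into MDS, which is the mistake that most often breaks user creation after this customization. The root element name <ldap-user-config> and the sample document embedded in the script are constructed for the example; a real LDAPUser.xml contains more than the fragments shown on this page.

```python
"""Added example, not Oracle's code: edit LDAPUser.xml as in steps 3 to 7 above and
check that its three attribute sections agree before importing it back into MDS.
Assumption: the root element <ldap-user-config> and the sample document below are
constructed; a real LDAPUser.xml contains more than the fragments on this page."""
import xml.etree.ElementTree as ET

# Constructed sample, not a real LDAPUser.xml export.
SAMPLE_LDAPUSER_XML = """<ldap-user-config>
  <parameter name="objectclass"><value>orclIDXPerson</value></parameter>
  <parameter name="rdnattribute"><value>cn</value></parameter>
  <entity-attributes>
    <attribute name="User Login"><type>string</type><required>true</required>
      <attribute-group>Basic</attribute-group><searchable>true</searchable></attribute>
  </entity-attributes>
  <target-fields>
    <field name="cn"><type>string</type><required>true</required></field>
  </target-fields>
  <attribute-maps>
    <attribute-map><entity-attribute>User Login</entity-attribute><target-field>cn</target-field></attribute-map>
  </attribute-maps>
</ldap-user-config>"""

def load(xml_text):
    """Parse LDAPUser.xml text (as exported from MDS) into an element tree root."""
    return ET.fromstring(xml_text)

def _sub(parent, tag, text):
    el = ET.SubElement(parent, tag)
    el.text = text
    return el

def object_classes(root):
    """Object classes assigned on create: the <parameter name="objectclass"> values."""
    param = root.find("./parameter[@name='objectclass']")
    return [] if param is None else [v.text for v in param.findall("value")]

def add_object_class(root, name):
    """Step 4. Idempotent, so running the script twice does not duplicate the value."""
    param = root.find("./parameter[@name='objectclass']")
    if param is None:
        raise ValueError('LDAPUser.xml has no <parameter name="objectclass">')
    if name not in object_classes(root):
        _sub(param, "value", name)

def add_map(root, entity_name, target_name):
    # Step 5c: one <attribute-map> linking an OIM attribute to a directory field.
    m = ET.SubElement(root.find("attribute-maps"), "attribute-map")
    _sub(m, "entity-attribute", entity_name)
    _sub(m, "target-field", target_name)

def add_custom_attribute(root, entity_name, target_name, directory_type="OID",
                         required=False, group="Basic", searchable=True):
    """Step 5: add the attribute to all three sections at once so they cannot drift apart."""
    if directory_type.upper() == "OUD" and " " in entity_name:
        raise ValueError(f"OUD does not allow a space in an attribute name: {entity_name!r}")
    flag = "true" if required else "false"
    attr = ET.SubElement(root.find("entity-attributes"), "attribute", name=entity_name)
    _sub(attr, "type", "string")
    _sub(attr, "required", flag)
    _sub(attr, "attribute-group", group)
    _sub(attr, "searchable", "true" if searchable else "false")
    field = ET.SubElement(root.find("target-fields"), "field", name=target_name)
    _sub(field, "type", "string")
    _sub(field, "required", flag)
    add_map(root, entity_name, target_name)

def set_rdn_attribute(root, directory_attribute):
    """Step 7: switch the RDN attribute from cn to another directory attribute."""
    root.find("./parameter[@name='rdnattribute']/value").text = directory_attribute

def validate(root):
    """Return a list of inconsistencies; an empty list means the sections agree."""
    problems = []
    entity = [a.get("name") for a in root.findall("./entity-attributes/attribute")]
    target = [f.get("name") for f in root.findall("./target-fields/field")]
    for label, names in (("entity attribute", entity), ("target field", target)):
        problems += [f"duplicate {label} {d!r}" for d in sorted({n for n in names if names.count(n) > 1})]
    mapped_entity, mapped_target = set(), set()
    for m in root.findall("./attribute-maps/attribute-map"):
        e = (m.findtext("entity-attribute") or "").strip()
        t = (m.findtext("target-field") or "").strip()
        if e not in entity:
            problems.append(f"attribute-map refers to undefined entity attribute {e!r}")
        if t not in target:
            problems.append(f"attribute-map refers to undefined target field {t!r}")
        mapped_entity.add(e)
        mapped_target.add(t)
    problems += [f"entity attribute {e!r} has no attribute-map" for e in entity if e not in mapped_entity]
    problems += [f"target field {t!r} has no attribute-map" for t in target if t not in mapped_target]
    # Checker's own rule (assumption): the RDN attribute from step 7 is a directory attribute,
    # so it should be one of the target fields that OIM populates on create.
    rdn = (root.findtext("./parameter[@name='rdnattribute']/value") or "").strip()
    if rdn and rdn not in target:
        problems.append(f"rdnattribute {rdn!r} is not a defined target field")
    return problems

if __name__ == "__main__":
    doc = load(SAMPLE_LDAPUSER_XML)
    add_object_class(doc, "customObjectClass")
    add_custom_attribute(doc, "custom attribute1", "customattr1")
    print(validate(doc) or "LDAPUser.xml sections are consistent")
```

Run validate() on the exported file before and after the edit; a non-empty list names the section that is out of step, which is easier to act on than the failure you would otherwise see only when the next user is created.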

E.2.3.2 Creating Users in Oracle Identity Manager and Not in LDAP When LDAP Synchronization is Enabled

When LDAP synchronization is enabled, you can set the 'excludeEntityFilter' parameter in the LDAPUser.xml file to keep selected users out of LDAP: users that match the filter are created in Oracle Identity Manager only and are not pushed to the LDAP server, even though LDAP synchronization is enabled. The filter can be based on any Oracle Identity Manager user attribute and its value.

Note:

This feature is supported only for the user entity.

For example, to prevent users in the organization with act_key=2 from being created in LDAP, perform the following steps:

  1. Export the LDAPUser.xml file from MDS.

  2. Add the following filter to LDAPUser.xml:

    <parameter name="excludeEntityFilter">
    <value>act_key=2</value>
    </parameter>
    <parameter name="excludeEntityActions">
    <value>ALL</value>
    </parameter>
    
  3. Import the updated LDAPUser.xml file into MDS.

  4. Create a user in Oracle Identity Manager in an organization whose act_key is 2. This user is not created in LDAP. Users assigned to organizations with an act_key other than 2 are still created in LDAP.

Another example is to keep users whose Role attribute is 'Full-Time' in Oracle Identity Manager only, and not create them in the LDAP server, while LDAP synchronization is enabled. To do so, use the filter parameter as shown:

<parameter name="excludeEntityFilter">
<value>Role=Full-Time</value>
</parameter>
<parameter name="excludeEntityActions">
<value>ALL</value>
</parameter> 

In both examples, the matching Oracle Identity Manager users are kept out of LDAP based on the filter and the actions. The default value of excludeEntityActions is ALL, which means that no create, update, or delete operation for the matching users is propagated to LDAP:

<parameter name="excludeEntityActions">
<value>ALL</value>
</parameter>

The filter that you provide in the LDAPUser.xml file is evaluated for each user operation, and the resulting boolean value determines whether the LDAP synchronization event handlers run for that user.

A schema for these parameters is shipped with the product. To customize the behavior, edit the LDAPUser.xml file and import it back into MDS.

E.2.4 Configuring LDAP Sync Using Plug-ins

This section describes how to configure LDAP synchronization using plug-ins when Oracle Identity Manager is integrated with a standalone instance of OVD.

Note:

This section only applies to integration with a standalone instance of Oracle Virtual Directory.

E.2.4.1 Using the UserManagement Plug-In

This topic describes the plug-ins designed for use when Oracle Virtual Directory is a connector target for Oracle Identity Manager integrations.

The UserManagement plug-in provides data mapping for Oracle Identity Manager attributes to LDAP directory servers.

E.2.4.1.1 Configuration Parameters

The UserManagement plug-in has the following configuration parameters:

filterObjectclass

Comma-separated list of objectclasses that need to be removed on an add/modify request.

removeAttribute

Comma-separated list of attributes that will be virtually removed from entries before they are returned to the client.

exclusionMapping

Defines the exclusion of a specific attribute mapping on a specific objectclass. For example, specifying a parameter with the value inetorgperson,uid=samaccountname excludes mapping a uid to samaccountname on entries of objectclass inetorgperson. Using multiple instances of this option allows for multiple exclusions on mappings.

oimLanguages

Comma-separated list of language codes to be used in attribute language subtypes. This parameter is functional only when the directoryType parameter is set to ActiveDirectory.

oamEnabled

True or False: Indicates whether Oracle Access Management Access Manager (Access Manager) is deployed with Oracle Identity Manager. By default, Access Manager is not deployed, therefore the default setting for this parameter is false.

Note:

The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

directoryType

Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.

Note:

The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

ssladapter

The ssladapter parameter, which is operational only when the directoryType parameter is set to ActiveDirectory, identifies the name of the adapter to which the UserManagement plug-in routes requests that contain userPassword or unicodePwd. Active Directory accepts password writes only over an SSL/TLS-protected connection, which is why these requests are routed to a separate, SSL-enabled adapter. If unicodePwd is contained in the request, the request must also contain the userAccountControl attribute with a proper value.

The adapter identified by the ssladapter parameter must have:

  • The same local base as the adapter the UserManagement plug-in is configured on

  • Its Routing Visibility set to Internal

If no value is set for ssladapter, the current adapter is used by default.

mapAttribute

Defines the attribute translation in the form of OVD-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.

mapPassword

True or False. When the directoryType configuration parameter is set to ActiveDirectory, the mapPassword parameter controls whether to convert the user password to the unicodePwd attribute. The default value is false.

mapRDNAttribute

Defines the RDN attribute translation in the form of OVD-RDNattribute=OIM-RDNattribute, for example: uid=cn.

pwdMaxFailure

Identifies the maximum number of failed logins the source LDAP directory server requires to lock an account (as defined by the password policy effective on the user entries being exposed through the adapter on which this plug-in is deployed).

Note:

In LDAP-enabled setups, the value of the XL.MaxLoginAttempts system property, the pwdMaxFailure plug-in parameter, and the directory's lockout count must all be the same; otherwise lock and unlock do not behave consistently. For example, in an LDAP-enabled environment with libOVD and OUD, XL.MaxLoginAttempts is set to 10 and pwdMaxFailure in adapters.os_xml is set to 10, but the OUD lockout-failure-count is set to 25. For lock/unlock to work consistently, the OUD value and the adapters.os_xml value must be made equal.

mapObjectclass

Defines the objectclass value translation in the form of OVD-objectclass=OIM-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.

Note:

The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

addAttribute

In the form of attribute=value pairs, this parameter identifies attributes to be added before returning the get operation result. You can prefix the attribute name with objectclass, to add the attribute and value to a specific objectclass. You can also surround a value with % to reference other attributes. For example, specifying the value user,samaccountname=%cn% assigns the value of cn to samaccountname when the entry objectclass=user. Specifying the value samaccountname=jdoe adds attribute samaccountname with value jdoe to all the entries.

E.2.4.2 Using the Changelog Plug-In

Note:

Prior to release 11.1.1.4.0, Oracle Virtual Directory had three changelog plug-ins:
  • oidchangelog for use with Oracle Internet Directory

  • sunonechangelog for use with Oracle Directory Server Enterprise Edition

  • adchangelog for use with Microsoft Active Directory

These three plug-ins were deprecated in release 11.1.1.4.0 and a new, single Changelog plug-in is now available. You can use this plug-in with Oracle Internet Directory, Oracle Directory Server Enterprise Edition, and Microsoft Active Directory.

E.2.4.2.1 Deploying the Release 11.1.1.4.0 Changelog Plug-In

When deploying the single Changelog plug-in, you must:

  • Set the adapter's Remote Base to an empty value (leave the field blank).

  • Set the adapter's Mapped Namespace to: cn=changelog.

  • If the back-end is Oracle Directory Server Enterprise Edition, be sure to enable change logging on Oracle Directory Server Enterprise Edition.

E.2.4.2.2 Deploying Changelog Plug-Ins from Prior Releases

If you are using a version of Oracle Virtual Directory that was released prior to 11.1.1.4.0, you must use the following changelog plug-ins to standardize changelog information from source directories into a suitable format for Oracle Identity Manager.

Note:

These plug-ins will not work with Oracle Virtual Directory release 11.1.1.4.0.

For Oracle Internet Directory

Use the oidchangelog plug-in with Oracle Internet Directory.

When deploying the oidchangelog plug-in, you must set the adapter's Remote Base to an empty value (leave the field blank).

For Oracle Directory Server Enterprise Edition

Use the sunonechangelog plug-in with Oracle Directory Server Enterprise Edition.

When deploying the sunonechangelog plug-in, you must:

  • Set the adapter's Remote Base to an empty value (leave the field blank).

  • Ensure change logging is enabled on the Oracle Directory Server Enterprise Edition.

  • Set the adapter's Mapped Namespace to: cn=changelog

For Microsoft Active Directory

Use the adchangelog plug-in with Microsoft Active Directory.

When deploying the adchangelog plug-in, you must:

  • Set the adapter's Remote Base to an empty value (leave the field blank).

  • Set the adapter's Mapped Namespace to: cn=changelog

E.2.4.2.3 Configuration Parameters

Each of the changelog plug-ins has the following configuration parameters:

removeAttribute

Comma-separated list of attributes that are virtually removed from entries before they are returned to the client.

oimLanguages

Comma-separated list of languages to be used in attribute language subtypes.

skipErrorChangelog

True or False. If set to false and the plug-in encounters a corrupted changelog entry, the plug-in throws a DirectoryException and stops further processing changelog entries. If set to true, the plug-in logs an error without throwing an exception, skips this changelog, and continues processing the next changelogs. The default value is false.

oamEnabled

True or False: Indicates whether Access Manager is deployed with Oracle Identity Manager. By default, Access Manager is not deployed, therefore the default setting for this parameter is false.

Note:

The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

directoryType

Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.

Note:

The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

mapObjectclass

Defines the objectclass value translation in the form of OIM-objectclass=Source-Directory-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.

In the Oracle Identity Manager use case, the following parameters are configured out-of-the-box:

  • For Active Directory: inetorgperson=user, orclidxperson=user, and groupOfUniqueNames=group

  • For Oracle Directory Server Enterprise Edition: container=nsContainer and changelog=changelogentry

  • For Oracle Internet Directory: container=orclContainer

Note:

The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

sizeLimit

Identifies the maximum number of changelog entries to be returned.

A zero (0) or a negative value means no size restriction.

If the incoming search request specifies a size constraint, then the smaller value is used. For example, if you specify the plug-in's sizeLimit as 100, and the search request's count limit is 200, then the actual size limit of the request is reset to 100.

mapAttribute

Defines the attribute translation in the form of Source-Directory-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.

targetDNFilter

Identifies the container to retrieve changes from. This parameter can be set multiple times to identify multiple containers to retrieve changes from. If set multiple times, the targetDN filter should look similar to the following example, and this targetDN filter is "ANDed" to the incoming filter:

"(|(targetDN=*cn=users,dc=mycom1)(targetDN=*,cn=groups,dc=mycom2))"

Sample values include:

  • *,cn=xxx,dc=yyy

  • *cn=xxx,dc=yyy

  • cn=xxx,dc=yyy (must be a descendant of the local base of the adapter specified in virtualDITAdapterName)

All of these samples have the same meaning.

requiredAttribute

Comma-separated list of attributes to always be retrieved from the source LDAP directory server, regardless of the return attributes list specified for changelog queries to Oracle Virtual Directory.

addAttribute

Comma-separated list of attribute=value pairs to be added to the normalized changelog entry, for example orclContainerOC=1, changelogSupported=1, where the value 1 indicates that the changes retrieved from the source directory support the changelog.

mapUserState

True or False. This parameter enables or disables the mapping of the directory specific account attributes to Oracle Virtual Directory virtual account attributes.

modifierDNFilter

Single-valued configuration parameter that defines an LDAP filter on modifiersName. This parameter is "ANDed" to the incoming filter. An example value can be "(modifiersName=cn=myadmin,cn=users,dc=mycom)".

Note:

This configuration does not take effect if directoryType=ActiveDirectory.

virtualDITAdapterName

Identifies the corresponding user profile adapter name.

For example, in a single-directory deployment, you can set this parameter value to "A1," which is the user adapter name. In a split-user profile scenario, you can set this parameter to "J1;A2," where "J1" is the JoinView adapter name, and "A2" is the corresponding user adapter in the "J1".

This parameter can be multi-valued, which covers the case in which multiple base entry adapters are configured for the same back-end directory server as this changelog adapter.

If you set this parameter to "A1," the plug-in fetches the mapAttribute and mapObjectclass configuration in the UserManagementPlugin of adapter A1, so you do not have to duplicate those configurations.

E.2.5 Troubleshooting and Debugging OVD

This topic describes how to enable debugging in Oracle Virtual Directory, which can be useful if you need to troubleshoot your Oracle Identity Manager and Oracle Virtual Directory integration.

To enable debugging, perform the following steps:

  1. Open a command window and go to the following location, where ORACLE_INSTANCE is the Oracle Virtual Directory instance directory:

    ORACLE_INSTANCE/config/OVD/ovd1
    
  2. Save a copy of the ovd-logging.xml file.

  3. Edit the ovd-logging.xml file as follows:

    • Change line #25 from:

      <logger name='com.octetstring.vde' level='NOTIFICATION:1' useParentHandlers='false'>
      

      to

      <logger name='com.octetstring.vde' level='TRACE:32' useParentHandlers='false'>
      
    • Change line #28 from:

      <logger name='com.octetstring.accesslog' level='ERROR:1' useParentHandlers='false'>
      

      to

      <logger name='com.octetstring.accesslog' level='NOTIFICATION:1' useParentHandlers='false'>
      
  4. Restart Oracle Virtual Directory by typing the following:

    cd ORACLE_INSTANCE/bin
    ./opmnctl stopall
    ./opmnctl startall

    When you have finished troubleshooting, restore the copy of ovd-logging.xml that you saved in step 2 and restart Oracle Virtual Directory again. TRACE:32 logging is verbose and records the details of every request, so do not leave it enabled in production.
    

E.2.6 Filtering Data in Incremental Reconciliation

During changelog reconciliation, that is, when the LDAP synchronization incremental reconciliation jobs run, the changelog query returns the incremental changes to user and role entries in the LDAP server to the Oracle Identity Manager database. You can choose not to return changes for some LDAP entries, based on a rule or filter, by using the includeEntriesFilter parameter in the LDAPUser.xml file. The filter is applied before the data is sent to the reconciliation engine, so that only the entries that match the rule are reconciled and the unwanted entries never reach the Oracle Identity Manager database. In other words, attribute-level filtering is supported.

The following example shows how you can specify the attribute-level filtering in the LDAPUser.xml file:

<parameter name="includeEntriesFilter">
   <value>employeeNumber=123456</value>
</parameter>

Here, the <value> tag contains the employeeNumber LDAP attribute and the required value. Only the changelog (user) entries from the LDAP server that match the criteria "employeeNumber=123456" are sent to the reconciliation engine and reconciled into the Oracle Identity Manager database. Changelog entries that do not match the filter are not sent to the reconciliation engine.

The following is a sample of the includeEntriesFilter filter parameter that excludes entries carrying any of several values of one attribute. In RFC 4515 syntax the NOT operator (!) takes exactly one operand, so the alternatives must be grouped with an OR (|) inside it:

(!(|(LDAP_attribute=val1)(LDAP_attribute=val2)(LDAP_attribute=val3)...))

The values in a filter are literals. If the attribute value differs from user to user and therefore cannot be enumerated, then use the presence filter "ObjectClass=*" instead, which matches every entry.
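
The following Python script is an added example, not Oracle code, that models the two filter parameters on this page: excludeEntityFilter from Section E.2.3.2, where a match keeps the user out of LDAP, and includeEntriesFilter from this section, where a match lets the changelog entry into the reconciliation engine. Oracle's own evaluator is not published here; this one accepts the bare attr=value spelling used on the page as well as parenthesised RFC 4515 filters with &, |, !, presence and substring items, compares values case-insensitively, and rejects the invalid form (!(a=v1)(a=v2)). The user and changelog records are constructed.

```python
"""Added example, not Oracle's code: an RFC 4515 filter parser/evaluator that models
excludeEntityFilter (E.2.3.2: a match keeps the OIM user OUT of LDAP) and
includeEntriesFilter (E.2.6: a match lets the changelog entry INTO reconciliation).
Assumptions: bare 'attr=value' as written on the page is accepted; &, |, !, presence
and substring items are supported; values compare case-insensitively; records are constructed."""
import re


class FilterError(ValueError):
    """A filter that is not valid RFC 4515 syntax."""


def _unescape(value):
    # RFC 4515 hex escapes, e.g. \2a for '*' and \29 for ')'.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter string into a tuple tree; bare 'attr=value' is wrapped in parentheses."""
    s = text.strip()
    if not s.startswith("("):
        s = f"({s})"
    node, end = _parse(s, 0)
    if end != len(s):
        raise FilterError(f"unexpected text after filter: {s[end:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise FilterError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            # (!(a=v1)(a=v2)...) is not valid: NOT takes exactly one operand.
            # Spell it (!(|(a=v1)(a=v2)...)) instead.
            raise FilterError("'!' takes exactly one operand; wrap alternatives in (|...)")
        if not children:
            raise FilterError(f"'{op}' needs at least one operand")
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise FilterError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    attr = attr.strip()
    if not sep or not attr:
        raise FilterError(f"bad filter item {s[i:end]!r}")
    if value == "*":
        return ("present", attr), end + 1
    if "*" in value:
        return ("substring", attr, tuple(_unescape(p) for p in value.split("*"))), end + 1
    return ("equal", attr, _unescape(value)), end + 1


def _values(entry, attr):
    """Values of an attribute, matched case-insensitively and always as a list of strings."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return [str(x) for x in (v if isinstance(v, (list, tuple)) else [v])]
    return []


def evaluate(node, entry):
    """Evaluate a parsed filter against a record (dict of attribute -> value or list)."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    vals = _values(entry, node[1])
    if kind == "present":
        return bool(vals)
    if kind == "equal":
        return any(v.lower() == node[2].lower() for v in vals)
    pattern = "^" + ".*".join(re.escape(p) for p in node[2]) + "$"   # substring
    return any(re.match(pattern, v, re.IGNORECASE) for v in vals)


def pushed_to_ldap(exclude_filter, oim_user):
    """excludeEntityFilter: True when the OIM user is propagated to LDAP."""
    return exclude_filter is None or not evaluate(parse_filter(exclude_filter), oim_user)


def reconciled_into_oim(include_filter, changelog_entry):
    """includeEntriesFilter: True when the changelog entry reaches the reconciliation engine."""
    return include_filter is None or evaluate(parse_filter(include_filter), changelog_entry)


if __name__ == "__main__":
    # Constructed records, not real data.
    for u in ({"User Login": "jdoe", "act_key": 2}, {"User Login": "asmith", "act_key": 5}):
        print(u["User Login"], "-> LDAP" if pushed_to_ldap("act_key=2", u) else "-> OIM only")
    for c in ({"cn": "John Doe", "employeeNumber": "123456"}, {"cn": "Ann Smith", "employeeNumber": "654321"}):
        print(c["cn"], "reconciled" if reconciled_into_oim("employeeNumber=123456", c) else "dropped")
```

The two wrapper functions make the opposite polarity of the parameters explicit: for excludeEntityFilter a match means "do not push", for includeEntriesFilter a match means "do reconcile", and a filter that does not parse fails loudly rather than silently matching nothing.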

E.2.7 Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server

For SSL, you must export the server-side certificate (or, for Active Directory, the CA certificate) from the directory server and import it into the Identity Virtualization Library (libOVD) keystore as a trusted entry, as described in the following sections. The keytool commands use -noprompt, which suppresses the fingerprint confirmation, so verify the certificate's fingerprint against the directory server out of band before importing it.

E.2.7.1 Enabling SSL Between Identity Virtualization Library (libOVD) and Microsoft Active Directory

To export the server side certificates from Active Directory and import into Identity Virtualization Library (libOVD):

  1. Export the certificate from the Active Directory server by referring to the instructions in the following Microsoft TechNet documents:

    http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx
     
    http://technet.microsoft.com/en-us/library/cc772898%28WS.10%29.aspx
    
  2. Retrieve the CA signing certificate and save it to a file. To do so:

    1. Login to the Active Directory domain server as a domain administrator.

    2. Click Start, Control Panel, Administrative Tools, Certificate Authority to open the CA Microsoft Management Console (MMC).

    3. Right-click the CA computer, and select CA Properties.

    4. From the General menu, select View Certificate.

    5. Select the Details view, and click Copy to File on the lower-right corner of the window.

    6. Use the Certificate Export wizard to save the CA certificate to a file. Alternatively, run the following command from a command prompt:

      certutil -ca.cert OutCACertFile
      

      Note:

      You can save the CA certificate in either DER Encoded Binary X.509 format or Base-64 Encoded X.509 format.

  3. Import the CA certificate file saved in step 2 (OutCACertFile) into the Identity Virtualization Library (libOVD) keystore as a trusted entry by running the following command:

    $ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file OutCACertFile -noprompt
    

E.2.7.2 Enabling SSL Between Identity Virtualization Library (libOVD) and iPlanet

To enable SSL between Identity Virtualization Library (libOVD) and iPlanet (ODSEE), export the certificate from iPlanet (ODSEE) and import it into Identity Virtualization Library (libOVD):

  1. To export certificate from iPlanet (ODSEE), run the following command:

    dsadm export-cert -o OUTPUT_FILE INSTANCE_PATH CERT_ALIAS
    

    For example:

    ./dsadm export-cert -o /tmp/server-cert /scratch/aime1/iPlanet/dsInst/ defaultCert
    Choose the PKCS#12 file password:
    Confirm the PKCS#12 file password:
    
    ls -lrt /tmp
    -rw------- 1 aime1 svrtech 1684 Jan 20 00:39 server-cert
    
  2. Import the certificate exported in step 1 into the Identity Virtualization Library (libOVD) keystore as a trusted entry by running the following command. Note that dsadm prompts for a PKCS#12 password because the exported file is a PKCS#12 bundle that also contains the server's private key, which is why it is created with mode 0600; protect the file accordingly and delete it after the import.

    ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass PASSWORD -alias ALIAS_VALUE_USED_FOR_EXPORT -file SERVER-CERT_FILENAME -noprompt
    

    Note:

    For the '-alias' parameter, provide the same certificate alias name that you used when exporting the certificate. For example:

    ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias defaultCert -file server-cert -noprompt
    

    In addition, export/import certificates as instructed in the ODSEE documentation in the following URL:

    http://docs.oracle.com/cd/E19656-01/821-1504/gcvhu/index.html

E.2.7.3 Enabling SSL Between Identity Virtualization Library (libOVD) and OID

To export the server side certificates from OID and import into Identity Virtualization Library (libOVD):

  1. Export the Oracle Internet Directory server certificate in Base64 format using the following command:

    orapki wallet export -wallet LOCATION_OF_OID_WALLET -dn DN_FOR_OID_SERVER_CERTIFICATE -cert ./b64certificate.txt
    

    Note:

    If you use a certificate alias in the orapki command, then an error is generated if the alias is not in all lower case letters.

  2. Import the Oracle Internet Directory server certificate exported in step 1 (b64certificate.txt) into the Identity Virtualization Library (libOVD) keystore as a trusted entry using the following command:

    $ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file ./b64certificate.txt -noprompt
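
The following Python script is an added example, not Oracle code, that covers a check practitioners want before any of the keytool imports in Sections E.2.7.1 to E.2.7.3: it normalises the exported certificate to DER whichever of the two encodings (DER binary or Base-64) was chosen, verifies that the file is one complete DER SEQUENCE rather than a truncated or padded export, and computes the SHA-256 fingerprint to compare against the directory server, since -noprompt suppresses keytool's own fingerprint confirmation. The sample bytes are a constructed DER SEQUENCE, not a real certificate.

```python
"""Added example, not Oracle's code: normalise an exported directory certificate to DER
whichever of the two encodings the AD note allows (DER binary or Base-64), check that it
is one complete DER SEQUENCE, and compute the SHA-256 fingerprint to compare with the
directory server before importing it with keytool -noprompt.
Assumption: SAMPLE_DER is a constructed DER SEQUENCE, not a real X.509 certificate."""
import base64
import hashlib
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def _der_length(der):
    """Total length of the outer DER SEQUENCE (tag + length bytes + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; an X.509 certificate starts with 0x30")
    first = der[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n further bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_der(data):
    """Accept PEM (Base-64 between BEGIN/END CERTIFICATE markers) or raw DER; return DER."""
    der = ssl.PEM_cert_to_DER_cert(data.decode("ascii")) if PEM_HEADER in data else bytes(data)
    if _der_length(der) != len(der):
        raise ValueError("DER length does not match file size (truncated or trailing data)")
    return der


def fingerprint(data):
    """SHA-256 fingerprint in the colon-separated form that keytool -list -v prints."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(a, b):
    """True when two files, in either encoding, carry the same certificate."""
    return fingerprint(a) == fingerprint(b)


# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "hello" }; not a real certificate.
SAMPLE_DER = bytes.fromhex("300a020105040568656c6c6f")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("fingerprint:", fingerprint(SAMPLE_PEM))
    print("same certificate as the DER export:", same_certificate(SAMPLE_PEM, SAMPLE_DER))
```

Compare the printed fingerprint with the one the directory administrator reads off the server (for example from the directory's own certificate tooling) before running keytool; if they differ, the file is not the certificate you think it is, and -noprompt would import it anyway.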
    

E.2.8 Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP

If you create users and roles in an Oracle Identity Manager deployment without LDAP synchronization and later decide to enable LDAP synchronization, then the users and roles created before enablement must be synchronized with LDAP after enablement. The provisioning of users, roles, role memberships, and role hierarchy to LDAP is performed by the following predefined scheduled jobs for LDAP:

  • LDAPSync Post Enable Provision Users to LDAP

  • LDAPSync Post Enable Provision Roles to LDAP

  • LDAPSync Post Enable Provision Role Memberships to LDAP

  • LDAPSync Post Enable Provision Role Hierarchy to LDAP

For details about these scheduled jobs, see "Predefined Scheduled Tasks" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

E.2.9 Disabling LDAP Synchronization

To disable LDAP synchronization in an Oracle Identity Manager deployment:

  1. Remove the /db/ldapMetadata/EventHandlers.xml file from MDS by using Oracle Enterprise Manager. See "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about deleting metadata files from MDS.

  2. Login to Oracle Identity System Administration as the System Administrator.

  3. Disable all scheduled jobs for LDAP sync reconciliation. These jobs are:

    • LDAP User Create and Update Reconciliation

    • LDAP Role Create and Update Reconciliation

    • LDAP Role Membership Reconciliation

    • LDAP Role Hierarchy Reconciliation

    This list can also include LDAP User Delete Reconciliation and LDAP Role Delete Reconciliation scheduled jobs. For information about these scheduled jobs, go to the following URL:

    http://docs.oracle.com/cd/E37115_01/admin.1112/e27149/scheduler.htm#OMADM2773

E.2.10 Managing Identity Virtualization Library (libOVD) Adapters

In an Oracle Identity Manager deployment with LDAP synchronization enabled and AD, iPlanet (ODSEE), or OID as the directory server, you can manage the Identity Virtualization Library (libOVD) adapters by using WLST commands.

See Also:

Library Oracle Virtual Directory (LibOVD) Commands in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information about the WLST commands to manage Library Oracle Virtual Directory (LibOVD) adapters

To manage the Identity Virtualization Library (libOVD):

  1. Start the WLST console by running $OIM_ORACLE_HOME/common/bin/wlst.sh, for example $FMW_ROOT/Oracle_IDM1/common/bin/wlst.sh.

    Here, $FMW_ROOT refers to your $MW_HOME directory, for example /u01/apps/mwhome/, and $OIM_ORACLE_HOME refers to the directory in which Oracle Identity Manager is installed, for example /u01/apps/mwhome/Oracle_IDM1/.

  2. In the WLST console, run the following command:

    connect()
    

    When prompted, provide the WLST username, password, and t3 URL.

  3. Run the following command to display a list of Identity Virtualization Library (libOVD) WLST commands:

    help('OracleLibOVDConfig')
    

    This lists the commands for creating, deleting, and modifying Identity Virtualization Library (libOVD), LDAP, and join adapters. The following commands act on the Identity Virtualization Library (libOVD) configuration associated with a particular OPSS context, which is passed in as a parameter:

    • addJoinRule: Adds a join rule to an existing Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • addLDAPHost: Adds a new remote host to an existing LDAP adapter

      Note:

      The following example adds a remote host to an adapter; repeat it for each additional host in a High Availability (HA) scenario:
      addLDAPHost(adapterName='ldap1', host='myhost.example.domain.com', port=389, contextName='myContext') 
      

      See Oracle Fusion Middleware High Availability Guide for detailed information about HA.

    • addPlugin: Adds a plug-in to an existing adapter or at the global level

      See Also:

      "Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about developing plug-ins in Oracle Identity Manager

    • addPluginParam: Adds new parameter values to an existing adapter-level plug-in or global plug-in

    • createJoinAdapter: Creates a new Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • createLDAPAdapter: Creates a new LDAP adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • deleteAdapter: Deletes an existing adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • getAdapterDetails: Displays the details of an existing adapter that is configured for the Identity Virtualization Library (libOVD) associated with the given OPSS context

    • listAdapters: Lists the name and type of all adapters that are configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context

    • modifyLDAPAdapter: Modifies the existing LDAP adapter configuration

    • removeJoinRule: Removes a join rule from a Join adapter configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context

    • removeLDAPHost: Removes a remote host from an existing LDAP adapter configuration

    • removePlugin: Removes a plug-in from an existing adapter or at global level

    • removePluginParam: Removes an existing parameter from a configured adapter level plug-in or global plug-in

  4. Run help on the individual commands to get usage, such as:

    help('addPluginParam')
    

The following are examples of updating the oimLanguages parameter of the AD User Management adapter for Multi Language Support (MLS):

  • addPluginParam:

    You can use this command to add the oimLanguages parameter to the UserManagement plug-in of the AD user adapter, as shown:

    addPluginParam(adapterName='ldap1', pluginName='UserManagement', paramKeys='oimLanguages', paramValues='fr,zh-CN', contextName='oim')
    
  • removePluginParam:

    You can use this command to remove the oimLanguages parameter from the UserManagement plug-in of the AD user adapter, as shown:

    removePluginParam(adapterName='ldap1', pluginName='UserManagement', paramKey='oimLanguages', contextName='oim')
    
  • removePluginParam:

    You can use this command to remove modifierDNFilter param from Changelog plug-in, as shown:

    removePluginParam(adapterName='CHANGELOG_ldap1', pluginName='Changelog', paramKey='modifierDNFilter', contextName='oim')
    

See Also:

"Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for detailed information about creating the OVD adapters for Oracle Identity Manager change log and user management

E.2.11 Enabling Access Logging for Identity Virtualization Library (libOVD)

Enabling access logging for Identity Virtualization Library (libOVD) allows you to capture all requests and responses flowing through Identity Virtualization Library (libOVD), which can be very useful if you are trying to triage performance issues.

To enable access logging for Identity Virtualization Library (libOVD):

  1. Remove any Identity Virtualization Library (libOVD) loggers that were previously configured in Debug mode. You must remove these loggers to see real performance numbers. See "Troubleshooting and Debugging OVD" for information about how to enable debugging in OVD.

  2. Create a WLS logger named oracle.ods.virtualization.accesslog with the NOTIFICATION level.

  3. Create a WLS loghandler, specifying a file name similar to ovd-access.log and associate that log handler to the logger you created in step 2.

    This loghandler logs all Oracle Virtual Directory access log messages into a separate file.

  4. Create a backup of the DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml file, and then add the following XML fragment (if it is not already present):

    <providers ..>
       ...
       <auditLogPublisher>
          <provider name="FMWAuditLogPublisher">
             ...
          </provider>
          <provider name="AccessLogPublisher">
             <configClass>oracle.ods.virtualization.config.AccessLogPublisherConfig</configClass>
             <properties>
                <property name="enabled" value="true"/>
             </properties>
          </provider>
       </auditLogPublisher>
       ...
    </providers>
    
  5. Restart the WLS Admin and Managed servers.

Oracle Virtual Directory can now generate the access log in the ovd-access.log file.

E.2.12 Configuring LDAP Authentication When LDAP Synchronization is Enabled

Use the following procedure to authenticate against LDAP when LDAP synchronization is enabled.

Note:

This procedure does not enable the following functionality:
  • Forced password changes, including first login, administrator password reset, and expired passwords

  • Forced setting of challenge responses

  1. Configure the LDAP Authenticator in WLS. To do so:

    1. Log in to WebLogic Administrative Console.

    2. Go to Security Realms, myrealm, Providers.

    3. Click New. Enter a name and choose OracleInternetDirectoryAuthenticator as the type.

    4. Set the Control Flag to SUFFICIENT.

    5. Click the Provider Specific settings and configure the OID connection details.

    6. In Dynamic groups section, enter the following values:

      Dynamic Group Name Attribute: cn

      Dynamic Group Object Class: orcldynamicgroup

      Dynamic Member URL Attribute: labeleduri

      User Dynamic Group DN Attribute: GroupOfUniqueNames

    7. Click the Providers tab. Remove OIM Authenticator from the list of security providers. This ensures that the user is not locked in the Oracle Identity Manager database.

    8. Configure the OIMSignatureAuthenticator security provider in the realm. To do so:

      i) Log in to the WebLogic Administrative Console.

      ii) Navigate to Security realm, myrealm, Security providers, Authentication, New.

      iii) Select OIMSignatureAuthenticator from the drop-down list, and enter OIMSignatureAuthenticator as the provider name.

      iv) Save the changes.

    9. Click Reorder. Reorder the security providers and set their Control Flags as listed in the following table:

      Authentication Provider        Control Flag
      Default Authenticator          SUFFICIENT
      OIM Signature Authenticator    SUFFICIENT
      LDAP Authenticator             SUFFICIENT
      Default Identity Asserter      Not applicable

  2. Restart all servers.

  3. Validate role memberships.

    1. Log in to the WebLogic Admin Console.

    2. Go to Security Realms, myrealm, User and Groups.

    3. Click Users to display all the users in the LDAP user search base. If the LDAP users are not displayed, there is an error in the LDAP connection details specified in the OID Authenticator's provider-specific settings.

    4. Click any user and then open its corresponding group entries. "Oimusers" should be one of the listed entries. If this validation fails, review the LDAP authenticator's provider-specific details.

E.2.13 Verifying the Value of pwdLockout in the Directory Password Policy

The correct notification is sent when a user is locked by an administrator only if the pwdLockout attribute is set to TRUE by the password policy in the directory server.

A user locked by the administrator cannot be unlocked by the forgot password flow, but the notification sent to the user is misleading if the value of pwdLockout is set to FALSE.

Therefore, validate the password policy for the LDAP server and check the attributes of the entry "cn=Password Policy,cn=config". Ensure that pwdLockout is set to TRUE.

E.2.14 Fixing Permission Errors with OUD ACIs

If errors of the following type occur when synchronizing with OUD, you must update the ACIs for OUD:

<Jan 27, 2014 9:36:12 AM PST> <Warning>
<oracle.ods.virtualization.engine.backend.jndi.CHANGELOG_oud1> <LIBOVD-40066>
<Remote Server Failure:example.com:1234.
javax.naming.NoPermissionException: [LDAP: error code 50 - The request control with Object Identifier (OID) "1.3.6.1.4.1.26027.1.5.4" cannot be used due to insufficient access rights]; remaining name 'cn=Changelog'.

Note that the list of OIDs with insufficient access rights includes, but is not limited to:

1.3.6.1.4.1.26027.1.5.4
1.3.6.1.4.1.26027.2.3.4
1.2.840.113556.1.4.319

To remedy this problem:

  1. Verify that the ObjectIdentifier is defined in the Global ACI in the OUD configuration file OUD_INSTANCE/config/config.ldif.

  2. If a particular ObjectIdentifier is not defined, then add the missing OID to OUD by using the dsconfig tool, as described in "Managing Global ACIs With dsconfig" in the Oracle Fusion Middleware Administrator's Guide for Oracle Unified Directory.

    If the particular control is not defined, or if it is defined but granted to a groupdn, then the following command defines it and assigns it to a userdn:

    $ dsconfig -h {Hostname} -p {Port} -D cn="Directory Manager" -j pwd-file -n \
      set-access-control-handler-prop \
      --add 'global-aci:(targetcontrol="1.3.6.1.4.1.26027.1.5.4")(version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)'
    
  3. Double-check the configuration file and ensure that there are no duplicate lines.

  4. Save the configuration file.

  5. Restart OUD and Oracle Identity Manager servers.

E.2.14.1 Checking and Fixing ACIs With lastExternalChangelogCookie for OUD

The LDAPConfigPostConfig script normally fetches the LDAP lastchangenumber and updates the incremental reconciliation jobs. For OUD, situations can arise where the Oracle Identity Manager administrator cannot access the lastExternalChangeLogCookie, so the lastchangenumber cannot be updated, leading to incorrect results. This happens because the ACIs were not granted successfully. To test whether this is the issue, run:

ldapsearch -x -h OUD_HOST -p OUD_PORT -D OIM_ADMIN -w PASSWORD -s base -b "" "objectclass=*" lastExternalChangelogCookie

This command must return a result. If it does not, the problem can be fixed by performing the following steps:

  1. Remove the ACI that denies access to cn=changelog.

  2. Add an ACI allowing your user or group access to cn=changelog.

  3. For reading in cookie mode only, add an ACI allowing usage of the OUD cookie control to your user or group.

  4. For reading in cookie mode only, add an ACI allowing your user or group to read the lastExternalChangelogCookie from the root entry (-s base -b "").

Note:

For detailed instructions on granting OUD change log access, see "Granting Oracle Unified Directory Change Log Access" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

All steps must be verified on the OUD instance targeted by the idmConfigTool and all other OUD instances.
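The three checks in Sections E.2.13, E.2.14 and E.2.14.1 all amount to reading LDIF (either ldapsearch output or config.ldif) and inspecting particular attribute values. The following Python is an added example, not Oracle code: it parses LDIF offline, handling the folded continuation lines that config.ldif uses for long ACIs and base64 (`::`) values, then reports the control OIDs that have no global ACI, those granted only to a groupdn rather than a userdn, duplicated ACI lines, the pwdLockout value of the password policy entry, and whether the root DSE result contains lastExternalChangelogCookie. It assumes (not stated on the page) that global ACIs are stored in the ds-cfg-global-aci attribute of the access control handler entry; all sample LDIF is constructed.

```python
"""Offline checks for the OUD conditions in E.2.13, E.2.14 and E.2.14.1,
run over LDIF text (ldapsearch output or OUD_INSTANCE/config/config.ldif).
Added example, not Oracle code.  Assumed, not taken from the page: global
ACIs live in the ds-cfg-global-aci attribute, and ACI bodies follow the
(targetcontrol="OID")(version 3.0; acl "..."; allow(read) userdn|groupdn=...;)
shape shown in step 2 of E.2.14.  All sample LDIF below is constructed."""
import base64
import re

REQUIRED_CONTROL_OIDS = {"1.3.6.1.4.1.26027.1.5.4",  # OIDs from the E.2.14 warning
                         "1.3.6.1.4.1.26027.2.3.4", "1.2.840.113556.1.4.319"}
GLOBAL_ACI_ATTR = "ds-cfg-global-aci"  # assumed config.ldif attribute name
TARGETCONTROL_RE = re.compile(r'\(targetcontrol\s*=\s*"([^"]+)"\)', re.I)
BIND_RULE_RE = re.compile(r"\b(userdn|groupdn)\s*=", re.I)

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})], unfolding continuation
    lines (leading space) and decoding '::' base64 values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:  # sentinel flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def control_grants(entries):
    """Map each targetcontrol OID to the bind-rule keywords (userdn/groupdn)
    that grant it; 'a||b' names several OIDs in one ACI."""
    grants = {}
    for _, attrs in entries:
        for aci in attrs.get(GLOBAL_ACI_ATTR, []):
            match = TARGETCONTROL_RE.search(aci)
            if not match:
                continue
            kinds = {k.lower() for k in BIND_RULE_RE.findall(aci)}
            for oid in match.group(1).split("||"):
                grants.setdefault(oid.strip(), set()).update(kinds)
    return grants

def check_control_acis(entries, required=REQUIRED_CONTROL_OIDS):
    """E.2.14 steps 1-3: (OIDs with no ACI, OIDs granted only to a groupdn,
    duplicated ACI values)."""
    grants = control_grants(entries)
    missing = sorted(oid for oid in required if oid not in grants)
    group_only = sorted(oid for oid in required
                        if oid in grants and "userdn" not in grants[oid])
    seen, duplicates = set(), set()
    for _, attrs in entries:
        for aci in attrs.get(GLOBAL_ACI_ATTR, []):
            if aci in seen:
                duplicates.add(aci)
            seen.add(aci)
    return missing, group_only, sorted(duplicates)

def pwd_lockout_enabled(entries, policy_dn="cn=Password Policy,cn=config"):
    """E.2.13: True/False from the policy entry, None if it is not in the LDIF."""
    for dn, attrs in entries:
        if dn.lower() == policy_dn.lower():
            return any(v.upper() == "TRUE" for v in attrs.get("pwdlockout", []))
    return None

def last_changelog_cookie(entries):
    """E.2.14.1: the cookie from the root DSE (empty dn), None if unreadable."""
    for dn, attrs in entries:
        if dn == "":
            values = attrs.get("lastexternalchangelogcookie", [])
            return values[0] if values else None
    return None

# Constructed config.ldif excerpt: ...1.5.4 granted to a userdn, the paged
# results control only to a groupdn (and that ACI duplicated), ...2.3.4 absent.
SAMPLE_CONFIG_LDIF = """\
dn: cn=Access Control Handler,cn=config
ds-cfg-global-aci: (targetcontrol="1.3.6.1.4.1.26027.1.5.4")(version 3.0; acl "Aut
 henticated users control access"; allow(read) userdn="ldap:///all";)
ds-cfg-global-aci: (targetcontrol="1.2.840.113556.1.4.319")(version 3.0; acl "Pag
 ed results"; allow(read) groupdn="ldap:///cn=Admins,cn=groups,dc=example,dc=com";)
ds-cfg-global-aci: (targetcontrol="1.2.840.113556.1.4.319")(version 3.0; acl "Paged results"; allow(read) groupdn="ldap:///cn=Admins,cn=groups,dc=example,dc=com";)

dn: cn=Password Policy,cn=config
pwdLockout: TRUE
"""
# Constructed output of: ldapsearch ... -s base -b "" "objectclass=*" lastExternalChangelogCookie
SAMPLE_ROOT_DSE_LDIF = """\
dn:
lastExternalChangelogCookie:: ZGM9ZXhhbXBsZSxkYz1jb206MDAwMDAwMDE=
"""
```

The duplicate check deliberately runs after unfolding, so a folded and an unfolded copy of the same ACI are still reported as a duplicate; the same unfolding is what lets the targetcontrol regex match ACIs that config.ldif has wrapped across lines.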

E.2.14.2 Fixing External Changelog Cookie Expiration Issue When Performing Reconciliation with OUD

In some instances, reconciliation with OUD might fail with the following error:

Caused By: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 53 : [LDAP: error code 53 - Full resync required. Reason: The provided cookie is older than the start of historical in the server for the replicated domain : dc=hsgbu,dc=oracle,dc=com]

This error occurs when Oracle Identity Manager has not found any LDAP changes matching its search filters for a long time.

Eventually, the changelog-based query fails because OUD purges its changelog and Oracle Identity Manager searches for changelog entries older than the OUD history. As a result, OUD returns an error.

To troubleshoot this issue, ensure that OUD 11.1.2.2 has been patched with the fix for 18495042, which provides a new request control that allows the search to continue with a purged cookie. You can download the patch from the My Oracle Support web site at:

https://support.oracle.com

The libOVD Changelog Plugin code must be modified to use this new request control, and must set the supportCookieExceptions boolean to FALSE to avoid error code 53 (UNWILLING TO PERFORM).

E.2.15 Disabling the LDAPAddMissingObjectClasses for Users and Roles

In an AD environment, some default AD groups do not have the orclIDXGroup objectclass. Because Oracle Identity Manager requires this objectclass in groups, whenever a full reconciliation is run, Oracle Identity Manager tries to add the objectclass to the LDAP group. The AD schema does not allow objectclass modification, so that part of the reconciliation fails and none of the post handlers are executed. Even if only one group lacks the orclIDXGroup objectclass, the post handlers fail for every role in the batch, because it is a bulk orchestration that rolls back on failure. This prevents the handler that publishes the role to the Top organization from executing; therefore, none of the roles are published, resulting in authorization failures for users who have these roles.

As a solution to this problem, disable the Oracle Identity Manager event handler named LDAPAddMissingObjectClasses, which tries to add objectclasses for both users and roles. This must be done right after AD is configured for LDAP synchronization and before any full reconciliation is run.

To disable the event handler:

  1. Export the /db/ldapMetadata/EventHandlers.xml file from MDS, as described in "Migrating User Modifiable Metadata Files" in Developing and Customizing Applications for Oracle Identity Manager.

  2. Comment out the following lines in the EventHandlers.xml file:

    <action-handler class="oracle.iam.ldapsync.impl.eventhandlers.LDAPAddMissingObjectClasses" entity-type="User" operation="CREATE" name="LDAPAddMissingObjectClasses" stage="postprocess" sync="TRUE" order="1140"/>
    
    <action-handler class="oracle.iam.ldapsync.impl.eventhandlers.LDAPAddMissingObjectClasses" entity-type="Role" operation="CREATE" name="LDAPAddMissingObjectClasses" stage="postprocess" sync="TRUE" order="1040"/>
    
  3. Import the EventHandlers.xml file back to MDS. Make sure that no other file (such as a backup) exists in the import directory while importing the updated file.

  4. Restart Oracle Identity Manager Managed Server.
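Step 2 can be done by script so that both handler definitions are disabled in one pass and no active copy is left behind. The following Python is an added example, not part of Oracle Identity Manager: it replaces each matching action-handler element in the exported EventHandlers.xml with an XML comment containing the original line (so the change is visible and reversible) and reports how many remain active. The sample file is constructed from the two lines quoted in step 2 plus one unrelated placeholder handler; the real file's root element and namespace may differ (an assumption), which the code tolerates by matching on the local tag name.

```python
"""Comment out the LDAPAddMissingObjectClasses handlers in EventHandlers.xml
(step 2 above) and confirm none remain active.  Added example, not Oracle
code.  The sample is constructed from the two lines in step 2 plus a
placeholder handler; the real root element/namespace is assumed to differ,
so elements are matched on their local tag name."""
import xml.etree.ElementTree as ET

HANDLER_NAME = "LDAPAddMissingObjectClasses"

SAMPLE_EVENT_HANDLERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<eventhandlers>
  <action-handler class="oracle.iam.ldapsync.impl.eventhandlers.LDAPAddMissingObjectClasses" entity-type="User" operation="CREATE" name="LDAPAddMissingObjectClasses" stage="postprocess" sync="TRUE" order="1140"/>
  <action-handler class="oracle.iam.ldapsync.impl.eventhandlers.LDAPAddMissingObjectClasses" entity-type="Role" operation="CREATE" name="LDAPAddMissingObjectClasses" stage="postprocess" sync="TRUE" order="1040"/>
  <action-handler class="example.PlaceholderHandler" entity-type="User" operation="CREATE" name="PlaceholderHandler" stage="postprocess" sync="TRUE" order="2000"/>
</eventhandlers>
"""


def _local(tag):
    """Strip a '{namespace}' prefix; comments have a non-string tag."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def active_handlers(root, name=HANDLER_NAME):
    """action-handler elements still live (comments are not matched)."""
    return [el for el in root.iter()
            if _local(el.tag) == "action-handler" and el.get("name") == name]


def disable_handlers(root, name=HANDLER_NAME):
    """Replace each matching action-handler with an XML comment holding its
    original text.  Returns the number of handlers disabled."""
    disabled = 0
    for parent in list(root.iter()):
        for index, child in enumerate(list(parent)):
            if _local(child.tag) != "action-handler" or child.get("name") != name:
                continue
            text = ET.tostring(child, encoding="unicode").strip()
            comment = ET.Comment(" disabled: " + text.replace("--", "- -") + " ")
            comment.tail = child.tail  # keep the file's line breaks intact
            parent.remove(child)
            parent.insert(index, comment)
            disabled += 1
    return disabled


def disable_handlers_text(xml_text, name=HANDLER_NAME):
    """In-memory variant: returns (disabled_count, still_active_count, new_xml)."""
    root = ET.fromstring(xml_text)
    count = disable_handlers(root, name)
    return count, len(active_handlers(root, name)), ET.tostring(root, encoding="unicode")
```

After running this over the exported file, a second run should report zero handlers disabled and zero still active; only then import the file back to MDS as described in step 3.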

E.2.16 Setting Up LDAP Synchronization With HA Multi-Master Replication (MMR)

When setting up LDAP synchronization, ensure that it is configured to connect to an OID node in the Multi-Master Replication (MMR) topology and not through the Load Balancer (LBR). This is because of an OID limitation: the changenumber is local to each replica and is not global.

If LDAP synchronization needs to point to an alternate replica, then perform the following steps:

  1. Stop the incremental reconciliation scheduled jobs.

  2. Capture the current changenumber from the new replica.

  3. Run full reconciliation from the new replica. Update the Directory Server IT resource to point to the new replica.

    In addition, point libOVD to the new replica by referring to "Managing Identity Virtualization Library (libOVD) Adapters". You must run the removeLDAPHost() and then the addLDAPHost() WLST commands to point to the new replica.

  4. Update the incremental reconciliation scheduled jobs with the change number captured in step 2.

  5. Enable the incremental reconciliation scheduled jobs.