Oracle® Access Manager Identity and Common Administration Guide
10g (10.1.4.2.0)

Part Number B32419-01

C Configuring for Active Directory with LDAP

This chapter summarizes procedures to set up Oracle Access Manager with Active Directory forests using LDAP as the communication protocol.

This appendix contains the following topics:

For additional information and procedures, see the Oracle Access Manager Installation Guide.

Note:

The instructions here apply only if you are using LDAP as the protocol between the Access System and Active Directory. If your environment differs, skip this discussion.

C.1 Overview

The Access System supports Active Directory forests with some modifications.

Note:

The Microsoft Global Catalog is no longer required for the Access System.

The steps in this section are based on the following example, in which the Identity System was configured using the two domains shown in Figure C-1.

Figure C-1 Active Directory Forest with Two Domains

Components pointing to one domain in a multi-domain forest.

Complete the following procedures to set up the Access System for multiple domains using LDAP between the Access System and Active Directory:

Note:

In the following discussions, install_dir refers to the installation directory you specified for the named component. For example, PolicyManager_install_dir is the directory where you installed the Policy Manager.

C.2 Setting Up the Policy Manager for LDAP

The Oracle Access Manager-related configuration information is located in the \PolicyManager_install_dir\access\oblix\config\ldap directory and must be accessed directly. The following are relevant files:

Suppose the Identity System was set up as shown earlier with the configuration data in the dc=iceman,dc=oblix,dc=com domain.

In this case, the Policy Manager must also be set up for this domain. To accomplish this, you must specify the same configuration DN for the Policy Manager and the Identity Server.

For more information about the configuration DN, see the Oracle Access Manager Installation Guide.

To set up the Policy Manager for Active Directory

  1. Navigate to the Policy Manager setup page:

    http://hostname:port/access/oblix

  2. Set up the Policy Manager with the same configuration DN as the Identity Server.

    For example, against the machine containing the domain: dc=iceman,dc=oblix,dc=com

  3. Before starting the Web server, change the port to 3268 (open LDAP) to ensure that users and groups are accessible from both domains.

  4. See the appendix "Deploying with Active Directory" for information about configuring the credential_mapping plug-in required in your authentication schemes and setting up SSO.

C.3 Setting Up the Access Server for LDAP

This section only applies if you are using LDAP as the protocol between the Access Server and Active Directory.

To set up the Access Server for Active Directory

  1. Configure the Access Server using the same configuration DN as the Identity Server.

    For example, against the machine containing the domain: dc=iceman,dc=oblix,dc=com

  2. Make sure the Active Directory timeout is handled correctly, as described under "Setting Active Directory Timeouts for LDAP".

  3. Create a copy of ConfigDBfailover.xml located in \AccessServer_install_dir\access\oblix\apps\config and name it AppDBfailover.xml.

    Both files should reside in the same directory.

C.4 Setting Active Directory Timeouts for LDAP

If you are using LDAP, you need to configure timeouts for the Access Server when it is installed against Active Directory.

The Access Server, which runs as a service, opens connections to Active Directory. Active Directory closes idle connections after a period of inactivity, so a later Access Server request on a connection that Active Directory has already closed fails.

To avoid this problem, you need to establish new connections before the Active Directory Idle Session Time is reached. The failover information can be specified when:

To specify Access Server failover after installation

  1. Locate the configureAAAServer application.

    AccessServer_install_dir\access\oblix\tools\configureAAAServer
  2. Launch the configureAAAServer application using the following command.

    configureAAAServer install AS_install_dir
  3. Answer No, when asked if you want to reconfigure Access Server.

  4. Answer Yes, when asked if you want to specify failover information.

  5. When asked where different types of data are stored, respond appropriately for your environment.

    For example:

    • Separate Directory Servers, Choose Option 8: If policy and Configuration DN are separate from user data, choose option 8 (Modify Common Parameters) and specify values appropriate for your system.

    • Same Directory Server, Choose Option 4: If policy, Configuration DN, and user information are on the same directory server, choose option 4 (Modify Common Parameters) and enter values appropriate for your system. For example:

      Maximum Connections: 1
      Sleep For (seconds): 60
      Failover Threshold: 1
      Maximum Session Time (seconds): 120

      After every Maximum Session Time, a new connection is created to Active Directory, and the old connection is dropped, whether the Access Server was idle or not.

      Note:

      Make sure the Maximum Session Time (in seconds) is less than the Active Directory Idle Timeout (typically less than 600 seconds).

  6. Choose the option to quit.

  7. When asked if you want to commit the changes, answer Yes.

For more information about failover, see the Oracle Access Manager Deployment Guide.
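The following Python model is added here to illustrate the timing constraint above; it is not part of the Oracle documentation or product. It simulates one Access Server connection to Active Directory: the connection is recycled after Maximum Session Time whether or not it was idle, and a request on a connection that Active Directory has already closed fails. The 600-second idle timeout and the request times are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class DirectoryConnection:
    opened_at: float   # when the Access Server opened the connection
    last_used: float   # when Active Directory last saw traffic on it


class AccessServerPool:
    """Single-connection model of the 'Maximum Session Time' behaviour.

    Assumed for illustration: Active Directory silently closes a connection
    that has been idle longer than ad_idle_timeout seconds.
    """

    def __init__(self, max_session_time, ad_idle_timeout):
        self.max_session_time = max_session_time
        self.ad_idle_timeout = ad_idle_timeout
        self.conn = None
        self.reconnects = 0

    def _reconnect(self, now):
        self.conn = DirectoryConnection(opened_at=now, last_used=now)
        self.reconnects += 1

    def query(self, now):
        """Attempt a directory lookup at time `now`; return True on success."""
        if self.conn is None or now - self.conn.opened_at >= self.max_session_time:
            # Session time reached: open a fresh connection, idle or not.
            self._reconnect(now)
        elif now - self.conn.last_used > self.ad_idle_timeout:
            # AD already dropped the socket server-side; this request fails
            # and the Access Server must reconnect on the next attempt.
            self.conn = None
            return False
        self.conn.last_used = now
        return True


def simulate(max_session_time, ad_idle_timeout=600, request_times=(0, 30, 700, 720)):
    """Run constructed request times through the pool; returns per-request success."""
    pool = AccessServerPool(max_session_time, ad_idle_timeout)
    return [pool.query(t) for t in request_times]


if __name__ == "__main__":
    print("session time 120 <  idle 600:", simulate(120))   # all succeed
    print("session time 3600 > idle 600:", simulate(3600))  # third request fails
```

With a Maximum Session Time of 120 seconds the 670-second idle gap never reaches Active Directory because the connection is recycled first; with 3600 seconds the request after the gap fails.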

C.5 Enabling LDAP Authentication with ADSI

ADSI authentication may be slower than LDAP. For that reason, you may wish to use LDAP for authentication while other operations such as authorization and auditing are handled by ADSI.

To enable LDAP authentication for the Access Server

  1. Open globalparams.xml with a text editor.

    AccessServer_install_dir\access\oblix\apps\common\bin\globalparams.xml
  2. Change the value of useLDAPBind to true.

  3. Save globalparams.xml.

  4. Create a copy of ConfigDBfailover.xml located in:

    AccessServer_install_dir\access\oblix\config\ldap\ConfigDBfailover.xml
  5. Name it AppDBfailover.xml.

    Both files should reside in the same directory.

  6. Save.