Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.1.5.0) Part Number E21032-01
This chapter explains how to prepare directories other than Oracle Internet Directory for Oracle Access Manager and Oracle Identity Manager. This requires the directory schema to be extended for supporting Oracle Access Manager-specific schema elements.
Deployments that allow schema extensions in the back-end directory use the approach explained in Section 10.1, "Preparing a Directory for Fusion Applications, Oracle Access Manager, and Oracle Identity Manager."
In deployments where the back-end schema extension is not allowed in the enterprise Identity Store, use Oracle Internet Directory as a shadow directory and use Oracle Virtual Directory to merge the entities from the directories. The configuration requirements for such deployments are described in Section 10.2, "Configuring Multiple Directories as an Identity Store: Split Profile with Oracle Virtual Directory."
Some deployments might have both internal and external entities. The configuration requirements for such deployments are described in Section 10.3, "Configuring Multiple Directories as an Identity Store: Distinct User and Group Populations in Multiple Directories."
This chapter contains the following topics:
This section explains how to configure Active Directory.
It contains the following topics:
This section describes how to configure Active Directory. Extend the schema in Active Directory as follows.
Locate the following files:
IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/ADUserSchema.ldif
IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/AD_oam_pwd_schema_add.ldif
In both files, replace domain-dn with the appropriate domain-dn value.
Use ldapadd from the command line to load the two LDIF files, as follows:
ldapadd -h activedirectoryhostname -p activedirectoryportnumber -D AD_administrator -q -c -f file
where AD_administrator is a user that has schema extension privileges on the directory.
For example:
ldapadd -h "activedirectoryhost.mycompany.com" -p 389 -D adminuser -q -c -f ADUserSchema.ldif
ldapadd -h "activedirectoryhost.mycompany.com" -p 389 -D adminuser -q -c -f AD_oam_pwd_schema_add.ldif
Then go to:
MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
Run the following command to extend the Active Directory schema:
sh extendadschema.sh -h AD_host -p AD_port -D 'administrator@mydomain.com' -AD "dc=mydomain,dc=com" -OAM true
On Windows, the command is extendadschema.bat.
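The schema-extension procedure above, scripted end to end as an added example that is not part of the Oracle guide: it copies the two LDIF files with domain-dn substituted, refuses to load a copy in which the placeholder survives, runs the two ldapadd commands from the guide, and then runs the extendadschema.sh step. It assumes the files mark the domain DN with the literal token <domain-dn> (the PLACEHOLDER variable; check your copy of the files and adjust it), that IDM_ORACLE_HOME and MW_HOME are exported, and that the ldapadd on PATH is the Oracle one used by the guide, whose -q prompts for the bind password. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): render the two Active Directory
# schema LDIF files with the deployment's domain DN, refuse to load a file that
# still contains the placeholder, load them with ldapadd, then run the
# extendadschema.sh step. Assumptions not stated on the page: the files mark the
# domain DN with the literal token "<domain-dn>" (adjust PLACEHOLDER if your copy
# differs), IDM_ORACLE_HOME and MW_HOME are exported, and ldapadd is the Oracle
# one, whose -q prompts for the bind password.

PLACEHOLDER='<domain-dn>'   # assumed placeholder token used in the LDIF files

# render_ldif SRC DEST DOMAIN_DN: copy SRC to DEST, replacing every placeholder with DOMAIN_DN.
render_ldif() {
    src=$1; dest=$2; domain_dn=$3
    # Escape characters that are special in a sed replacement string (& | \).
    escaped=$(printf '%s' "$domain_dn" | sed 's/[&|\\]/\\&/g')
    sed "s|$PLACEHOLDER|$escaped|g" "$src" > "$dest"
}

# placeholders_remaining FILE: print how many lines still contain the placeholder (0 when clean).
placeholders_remaining() {
    grep -c -F "$PLACEHOLDER" "$1" || true
}

# load_schema HOST PORT BIND_DN FILE: the ldapadd call from the guide. -q prompts for
# the password so it never appears on the command line, in shell history or in the
# process list; -c continues past entries that already exist, so a rerun is harmless.
load_schema() {
    ldapadd -h "$1" -p "$2" -D "$3" -q -c -f "$4"
}

# extend_ad_schema HOST PORT ADMIN_UPN DOMAIN_DN: the extendadschema.sh step from the guide,
# run from the directory the guide names (subshell so the caller's cwd is untouched).
extend_ad_schema() {
    ( cd "$MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates" &&
      sh extendadschema.sh -h "$1" -p "$2" -D "$3" -AD "$4" -OAM true )
}

# prepare_ad_schema HOST PORT BIND_DN ADMIN_UPN DOMAIN_DN: run the whole procedure.
prepare_ad_schema() {
    host=$1; port=$2; bind_dn=$3; admin_upn=$4; domain_dn=$5
    srcdir="$IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema"
    outdir=$(mktemp -d)
    for f in ADUserSchema.ldif AD_oam_pwd_schema_add.ldif; do
        render_ldif "$srcdir/$f" "$outdir/$f" "$domain_dn"
        if [ "$(placeholders_remaining "$outdir/$f")" -ne 0 ]; then
            echo "refusing to load $f: placeholder still present after substitution" >&2
            return 1
        fi
        load_schema "$host" "$port" "$bind_dn" "$outdir/$f"
    done
    extend_ad_schema "$host" "$port" "$admin_upn" "$domain_dn"
}

# Usage (arguments are the guide's placeholders, not real values):
#   sh prepare_ad_schema.sh AD_host AD_port AD_administrator 'administrator@mydomain.com' 'dc=mydomain,dc=com'
if [ $# -eq 5 ]; then
    prepare_ad_schema "$@"
fi
```

The rendered copies are written to a temporary directory rather than edited in place, so the originals under IDM_ORACLE_HOME stay pristine for a later re-run against another domain; the placeholder check catches a misspelled token before anything reaches the directory.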
If you are using Active Directory as your directory store, you must disable the Access Control Flag in OVD. To do this, perform the following steps:
This section describes how to configure two parallel directories. Oracle Virtual Directory links them together to present a single DIT view to clients. It contains the following topics:
Figure 10-1 shows the directory structure in the primary store and application store.
Figure 10-2 shows how the DIT appears to a user or client application.
Figure 10-3 provides an overview of the configuration.
Create the user adapter on the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager:
Start the Administration Server and the WLS_ODSM Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
In a web browser, go to Oracle Directory Services Manager (ODSM) at:
http://admin.mycompany.com/odsm
Create connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.
Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.
Create new adapters using the New Adapter Wizard, with the parameters shown in the following tables.
Table 10-1 User/Role Adapter A1
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Use SSL/TLS | Select this value if you connect to your LDAP directory using SSL or if you are using Active Directory. |
Connection | SSL Authentication Mode | If you connect to your LDAP directory using SSL, choose the authentication mode. If using Active Directory select |
Connection | Server Proxy Bind DN | A bind DN that has administrative rights on the directory server. For example: |
Connection | Proxy Password | Password for Server Proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
Table 10-2 User/Role Adapter A2
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Use SSL/TLS | Select this value if you connect to your LDAP directory using SSL or if you are using Active Directory. |
Connection | SSL Authentication Mode | If you connect to your LDAP directory using SSL, choose the authentication mode. |
Connection | Server Proxy Bind DN | A bind DN that has administrative rights on the directory server. For example: |
Connection | Proxy Password | Password for Server Proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
Table 10-3 User/Role Adapter A3
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Use SSL/TLS | Select this value if you connect to your LDAP directory using SSL or if you are using Active Directory. |
Connection | SSL Authentication Mode | If you connect to your LDAP directory using SSL, choose the authentication mode. If using Active Directory select |
Connection | Server Proxy Bind DN | A bind DN that has administrative rights on the directory server. For example: |
Connection | Proxy Password | Password for Server Proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
Table 10-4 User/Role Adapter J1 (JoinView Adapter)
Screen | Field | Value |
---|---|---|
Type | Adapter Type | Join |
Type | Name | Join_Adapter_J1 |
Type | Adapter Template | Default |
Settings | Adapter | |
Settings | Primary Adapter | User_Adapter_A1 |
Settings | Bind Adapters | User_Adapter_A1 |
After creating the JoinView adapter, perform the following steps:
Click Join_Adapter_J1 from the Adapters list and click the Edit button.
In the Join Rules box click Add new Join Rule.
Enter the following information:
Joined Adapter: User_Adapter_A2
Type: com.octetstring.vde.join.shadowJoiner
Condition: cn
Click OK to save the condition.
Click Apply.
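The join rule above merges each entry from User_Adapter_A1 with the entry in User_Adapter_A2 that has the same cn. Before applying it, a practitioner would want to confirm that cn is actually usable as the join key: a cn that occurs twice in the primary directory makes the join ambiguous, and a primary entry with no shadow counterpart comes through the JoinView without any shadow attributes. The following POSIX shell script is an added example, not part of the Oracle guide: it reads an LDIF export of each directory and reports both conditions, comparing cn case-insensitively as LDAP does. The sample exports are constructed; the script assumes one plain `cn:` attribute per entry (base64 `cn::` values and folded continuation lines are not handled), and all function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): sanity-check cn as the join key
# for the shadowJoiner rule before applying it. Input is one LDIF export per
# directory. Assumptions: each entry carries one plain "cn:" attribute; base64
# "cn::" values and folded continuation lines are not handled.

# cn_values FILE: print the cn of every entry, lower-cased because LDAP compares
# cn case-insensitively and the join key must be compared the same way.
cn_values() {
    awk 'tolower($1) == "cn:" { sub(/^[^:]*:[ \t]*/, ""); print tolower($0) }' "$1"
}

# duplicate_cns FILE: cn values that occur more than once in FILE. A duplicate in
# the primary directory makes the join ambiguous (two primary entries, one shadow entry).
duplicate_cns() {
    cn_values "$1" | sort | uniq -d
}

# unmatched_cns PRIMARY SHADOW: cn values present in PRIMARY with no entry in SHADOW.
# Those entries come through the JoinView with primary attributes only.
unmatched_cns() {
    p=$(mktemp); s=$(mktemp)
    cn_values "$1" | sort -u > "$p"
    cn_values "$2" | sort -u > "$s"
    comm -23 "$p" "$s"
    rm -f "$p" "$s"
}

# check_join_key PRIMARY SHADOW: print every finding; return 1 if there was any.
check_join_key() {
    status=0
    dups=$(duplicate_cns "$1")
    if [ -n "$dups" ]; then
        echo "cn values duplicated in the primary directory (join is ambiguous):"
        echo "$dups"
        status=1
    fi
    missing=$(unmatched_cns "$1" "$2")
    if [ -n "$missing" ]; then
        echo "primary entries with no shadow entry (no shadow attributes will be merged):"
        echo "$missing"
        status=1
    fi
    return $status
}

# Constructed sample exports (not real data): "JDoe" under a second OU collides
# with "jdoe" case-insensitively, and "asmith" has no shadow entry yet.
demo_primary() {
    cat <<'EOF'
dn: cn=jdoe,cn=Users,dc=mycompany,dc=com
cn: jdoe
sn: Doe

dn: cn=asmith,cn=Users,dc=mycompany,dc=com
cn: asmith
sn: Smith

dn: cn=JDoe,ou=Contractors,dc=mycompany,dc=com
cn: JDoe
sn: Doe
EOF
}
demo_shadow() {
    cat <<'EOF'
dn: cn=jdoe,cn=Users,dc=mycompany,dc=com
cn: jdoe
description: constructed shadow entry holding application-specific attributes
EOF
}

# Usage: sh check_join_key.sh primary.ldif shadow.ldif
# With no arguments the constructed sample is checked and both findings are printed.
if [ $# -eq 2 ]; then
    check_join_key "$1" "$2"
else
    P=$(mktemp); S=$(mktemp)
    demo_primary > "$P"; demo_shadow > "$S"
    check_join_key "$P" "$S" || true
    rm -f "$P" "$S"
fi
```

Run it once per Oracle Virtual Directory backend pair before the join rule goes live, and again whenever a new OU is brought under the adapter's Remote Base, since that is when duplicate cn values tend to appear.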
Table 10-5 Changelog Adapter C1
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Proxy Password | Password for Server Proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
To edit the Change Log Adapter C1, follow these steps:
Select Changelog_Adapter_C1.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, update the parameter values. Edit the Change Log Adapter to add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.
Table 10-6 Values in Parameters Table
Parameter | Value | Comments |
---|---|---|
modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format: For example: | Create |
sizeLimit | 1000 | Create |
targetDNFilter | | Create |
mapUserState | true | Update |
oamEnabled | true | Update |
virtualDITAdapterName | Join_Adapter_J1;User_Adapter_A1 | Create |
Table 10-7 Changelog Adapter C2
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Proxy Password | Password for server proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
To edit the Change Log Adapter C2, follow these steps:
Select Changelog_Adapter_C2.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, update the parameter values. Edit the Change Log Adapter to add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.
Table 10-8 Values in Parameters Table
Parameter | Value | Comments |
---|---|---|
modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format: For example: | Create |
sizeLimit | 1000 | Create |
targetDNFilter | | Create |
mapUserState | true | Update |
oamEnabled | true | Update |
virtualDITAdapterName | Join_Adapter_J1;User_Adapter_A2 | Create |
virtualDITAdapterName | User_Adapter_A3 | Create |
To create a Global Oracle Virtual Directory plug-in
In a web browser, go to Oracle Directory Services Manager (ODSM) at:
http://admin.mycompany.com/odsm
Create connections to each of the Oracle Virtual Directory instances running on OVDHOST1
and OVDHOST2
, if they do not already exist.
Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Click the + next to Global Plugins in the left pane.
Click Create Plugin.
Create the Global Consolidated Changelog Plug-in and the Global FAUserRole Plugin as follows:
Global Consolidated Changelog Plug-in
Enter the following values to create the Global Consolidated Plug-in:
Name: Global Consolidated Changelog
Class: Click Select then choose: ConsolidatedChangelog
Click OK when finished.
Global FAUserRole Plugin
Enter the following values to create the Global FAUserRole Plugin:
Name: FA User Role Plugin
Class: Click Select then choose: FAUserRolePlugIn
Click Create Parameter.
Create the following parameters:
Table 10-9 Parameters for FAUserRole Plugin
Name | Value |
---|---|
objectWrite | |
objectWrite | |
objectWrite | |
objectWrite | |
Click OK when finished.
In this configuration, all the Oracle specific attributes and Oracle specific entities are created in the Policy Store (OID) directory. Enterprise Identity Store is an LDAP directory.
Note:
The Oracle Internet Directory that is to be used is not necessarily the Policy Store Oracle Internet Directory. Conceptually, a non-AD directory can be used as the second directory. For convenience, it is referred to here as the Policy Store Oracle Internet Directory.
The following conditions are assumed:
Enterprise Directory Identity data is in one or more directories. Application-specific attributes on the user / group are stored in the Enterprise Directory.
Application-specific entries are in Application Directory. (AppIDs and Enterprise Roles are stored in Application Directory)
This section contains the following topics:
Figure 10-5 shows the directory structure in the internal and external directories.
Figure 10-6 shows how the DIT appears to a user or client application.
Figure 10-7 provides an overview of the configuration.
Create the user adapter on the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager:
If they are not already running, start the Administration Server and the WLS_ODSM Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
In a web browser, go to Oracle Directory Services Manager (ODSM) at:
http://admin.mycompany.com/odsm
Create connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.
Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.
Create new adapters using the New Adapter Wizard, with the parameters shown in the following tables.
Table 10-10 User/Role Adapter A1
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Use SSL/TLS | Select this value if you connect to your LDAP directory using SSL or if you are using Active Directory. |
Connection | SSL Authentication Mode | If you connect to your LDAP directory using SSL, choose the authentication mode. If using Active Directory select |
Connection | Server Proxy Bind DN | The DN of a user that Oracle Virtual Directory can use to connect to AD and perform any operations. A user called |
Connection | Proxy Password | Password for Server Proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
Table 10-11 User/Role Adapter A2
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Use SSL/TLS | Select this value if you connect to your LDAP directory using SSL or if you are using Active Directory. |
Connection | SSL Authentication Mode | If you connect to your LDAP directory using SSL, choose the authentication mode. If you are using Active Directory, choose Server Only Authentication/Mutual Authentication. |
Connection | Server Proxy Bind DN | The DN of a user that Oracle Virtual Directory can use to connect to AD and perform all operations. The user |
Connection | Proxy Password | Password for server proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
Table 10-12 Changelog Adapter C1
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Proxy Password | Password for server proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
To edit the Change Log Adapter C1, follow these steps:
Select the OIM change log adapter Changelog_Adapter_C1.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, update the parameter values. Edit the Change Log Adapter to add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.
Table 10-13 Values in Parameters Table
Parameter | Value | Comments |
---|---|---|
modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format: For example: | Create |
sizeLimit | 1000 | Create |
targetDNFilter | | Create |
mapUserState | true | Update |
oamEnabled | true | Update |
virtualDITAdapterName | The adapter name of User/Role Adapter A1: | Create |
Table 10-14 Changelog Adapter C2
Screen | Field | Value |
---|---|---|
Type | Adapter Type | |
Type | Name | |
Type | Adapter Template | Choose the correct template for the LDAP directory you are connecting to. |
Connection | Use DNS for Auto Discovery | No |
Connection | Host | Enter the host or virtual name of the directory host, for example: |
Connection | Port | Enter the port to connect to the LDAP directory on. |
Connection | Proxy Password | Password for server proxy account |
Connection | Connection Test | Validate that the test succeeds |
Namespace | Remote Base | |
Namespace | Mapped Namespace (Footnote 1) | |
Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.
To edit the Change Log Adapter C2, follow these steps:
Select the OIM change log adapter Changelog_Adapter_C2.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, update the parameter values. Edit the Change Log Adapter to add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.
Table 10-15 Values in Parameters Table
Parameter | Value | Comments |
---|---|---|
modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format: For example: | Create |
sizeLimit | 1000 | Create |
targetDNFilter | | Create |
mapUserState | true | Update |
oamEnabled | true | Update |
virtualDITAdapterName | The adapter name of User/Role Adapter A2: | Create |
To create a Global Oracle Virtual Directory plug-in
In a web browser, go to Oracle Directory Services Manager (ODSM) at:
http://admin.mycompany.com/odsm
Create connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.
Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Click the + next to Global Plugins in the left pane.
Click Create Plugin.
Create the Global Consolidated Changelog Plug-in and the Global FAUserRole Plugin as follows:
Global Consolidated Changelog Plug-in
Enter the following values to create the Global Consolidated Plug-in:
Name: Global Consolidated Changelog
Class: Click Select then choose: ConsolidatedChangelog
Click OK when finished.
Global FAUserRole Plugin
Enter the following values to create the Global FAUserRole Plugin:
Name: FA User Role Plugin
Class: Click Select then choose: FAUserRolePlugIn
Click Create Parameter.
Create the following parameters:
Table 10-16 Parameters for FAUserRole Plugin
Name | Value |
---|---|
objectWrite | |
objectWrite | |
objectWrite | |
objectWrite | |
Click OK when finished.