Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 1 (11.1.2)

Part Number E21032-03

10 Preparing Directories Other than Oracle Internet Directory

This chapter explains how to prepare directories other than Oracle Internet Directory for use as an Identity Store for Fusion Applications deployments. The schema of the back-end directory must be extended to support Oracle Access Manager-specific schema elements and other Fusion Applications-specific attributes. Because enterprise deployment policies often restrict schema extensions in the back-end directory, Oracle has chosen not to extend the back-end directory schema for Fusion Applications deployments by default.

Deployments that allow schema extensions in the back-end directory use the approach explained in

In deployments where schema extension of the enterprise Identity Store is not allowed, use Oracle Internet Directory as a shadow directory and use Oracle Virtual Directory to merge the entries from the two directories. The configuration requirements for such deployments are described in Section 10.1, "Configuring Multiple Directories as an Identity Store: Split Profile with Oracle Virtual Directory."

Some deployments have users and groups divided into two distinct sets, internal and external. Configuration requirements for such deployments are described in Section 10.2, "Configuring Multiple Directories as an Identity Store: Distinct User and Group Populations in Multiple Directories."

In this chapter, Active Directory is used as the example of a non-Oracle Internet Directory enterprise directory. The solution applies to any enterprise that has one or more Active Directory instances as its enterprise Identity Store.

This chapter contains the following topics:

  • Section 10.1, "Configuring Multiple Directories as an Identity Store: Split Profile with Oracle Virtual Directory"

  • Section 10.2, "Configuring Multiple Directories as an Identity Store: Distinct User and Group Populations in Multiple Directories"

10.1 Configuring Multiple Directories as an Identity Store: Split Profile with Oracle Virtual Directory

This section describes how to configure multiple directories as an Identity Store. In cases where the enterprise directory schema is not extended for Fusion Applications, Oracle Internet Directory is used as a shadow directory to store the Fusion Applications-specific attributes. Oracle Virtual Directory links the two together to present a single consolidated DIT view to clients. This is called a split directory configuration, as described in Section 1.5.1, "Understanding the Directory Tier."

You can configure Oracle Virtual Directory adapters either before or after Fusion Application provisioning. For ease of use, Oracle recommends that you perform this step after Fusion Applications provisioning.

In this configuration, all the Oracle-specific attributes and Oracle-specific entries are created in the Policy Store (Oracle Internet Directory).

This section contains the following topics:

  • Section 10.1.1, "Prerequisites"

  • Section 10.1.2, "Repository Descriptions"

  • Section 10.1.3, "Setting Up Oracle Internet Directory as a Shadow Directory"

  • Section 10.1.4, "Directory Structure Overview - Shadow Join"

  • Section 10.1.5, "Configuring Adapters and Plug-ins"

10.1.1 Prerequisites

The following assumptions and rules apply to this deployment topology:

  • Oracle Internet Directory houses the Fusion Identity Store. This means that Oracle Internet Directory is the store for all Fusion Applications-specific artifacts. The artifacts include a set of enterprise roles used by Fusion Applications and some user attributes required by Fusion Applications. All other stores are referred to as enterprise Identity Stores.

  • The enterprise contains more than one LDAP directory. Each directory contains a distinct set of users and roles.

  • The enterprise policy specifies that Fusion Application-specific attributes cannot be stored in the enterprise directory. All the extended attributes must be stored in a separate directory called the shadow directory. This shadow directory must be Oracle Internet Directory because Active Directory does not support extended attributes.

  • User login IDs are unique across the directories. There is no overlap of the user login IDs between these directories.

  • Oracle Identity Manager has no fine-grained authorization. If Oracle Identity Manager's mapping rules allow it to use one specific subtree of a directory, then it can perform all CRUD (Create, Read, Update, Delete) operations in that subtree of the LDAP directory. There is no way to allow Oracle Identity Manager to read user data in a subtree while preventing it from creating or deleting users in that subtree.

  • Referential integrity must be turned off in Oracle Internet Directory so that an Oracle Internet Directory group can have members that are in one of the Active Directory directories. The users' group memberships are not maintained across the directories with referential integrity.

10.1.2 Repository Descriptions

This section describes all the Oracle Fusion Applications-specific artifacts in the Identity store and how they can be distributed between Active Directory and Oracle Internet Directory, based on different enterprise deployment requirements.

The artifacts that are stored in the Identity Store for Fusion Applications consumption are:

  • Application IDs: These are the identities that are required to authenticate applications to communicate with each other.

  • Seeded Enterprise Roles: These are the enterprise roles or LDAP group entries that are required for default functionality of Fusion Applications.

  • Enterprise roles provisioned by Oracle Identity Manager: These are runtime roles created by Fusion Applications.

  • Enterprise Users: These are the actual users in the enterprise where Fusion Applications are deployed.

  • Enterprise Groups: These are the roles and groups that already exist in the enterprise where Fusion Applications are deployed.

In a split profile deployment, the Identity Store artifacts related to Fusion applications can be distributed among Active Directory and Oracle Internet Directory, as follows.

  • Oracle Internet Directory is a repository for enterprise roles. Specifically, Oracle Internet Directory contains the following:

    • Application IDs

    • Seeded enterprise roles

    • Enterprise roles provisioned by Oracle Identity Manager

  • Active Directory is the repository for:

    • Enterprise users

    • Enterprise groups (not visible to Oracle Identity Manager or HCM)

The following limitations apply:

  • For Fusion Applications, the Active Directory users are members of Oracle Internet Directory. That is, if a Fusion Application user is a member of Active Directory, that user must also be a member of Oracle Internet Directory.

  • The groups in Active Directory are not exposed at all. Oracle applications only manage the Oracle-created enterprise roles. The groups in Active Directory are not visible to either Oracle Identity Manager or Fusion Applications.

10.1.3 Setting Up Oracle Internet Directory as a Shadow Directory

In cases where Oracle Internet Directory is used as the shadow directory to store all the Fusion Application-specific attributes, use a separate container in Oracle Internet Directory to store the shadow attributes.

  • The Shadow Entries container (cn=shadowentries) must be in a separate DIT from the parent of the users and groups container dc=mycompany,dc=com, as shown in Figure 10-1.

  • The same ACL configured for dc=mycompany,dc=com within Oracle Internet Directory must be configured for cn=shadowentries. To perform this configuration, use the ldapmodify command. The syntax is as follows:

    ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile 
    

    The following is a sample LDIF file to use with ldapmodify:

    dn: cn=shadowentries
    changetype: modify
    add: orclaci
    orclaci: access to entry by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=mycompany,dc=com" (browse,add,delete)
    orclaci: access to attr=(*) by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=mycompany,dc=com" (read, write, search, compare)
    orclaci: access to entry by group="cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com" (browse,add,delete)
    orclaci: access to attr=(*) by group="cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com" (search,read,compare,write)
    -
    add: orclentrylevelaci
    orclentrylevelaci: access to entry by * (browse,noadd,nodelete)
    orclentrylevelaci: access to attr=(*) by * (read,search,nowrite,nocompare)
    
  • If you have more than one directory for which Oracle Internet Directory is used as a Shadow directory, then you must create different shadow containers for each of the directories. The container name can be chosen to uniquely identify the specific directory for which this is a shadow entry.
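The ACL above is what keeps the shadow container from becoming a write-anywhere attribute store: only the two administrator groups may add, delete or write, and every other identity is limited to browse, read and search. The following script is an added example (not part of the Oracle guide) that parses the orclaci and orclentrylevelaci values from the LDIF and computes the effective rights per subject, so the ACL can be checked before ldapmodify applies it to every shadow container. It assumes only the ACI forms that appear on this page (entry and attr=(*) targets, * and group="<dn>" subjects) and uses a simplified precedence model: an ACI naming a group the identity belongs to takes precedence over the "*" ACIs, and a "noXXX" keyword removes that right.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the LDIF from this section as it would be passed to
# ldapmodify -f. The orclaci values apply to the whole subtree under
# cn=shadowentries; the orclentrylevelaci values apply to that entry only.
SHADOW_ACL_LDIF = """\
dn: cn=shadowentries
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=mycompany,dc=com" (browse,add,delete)
orclaci: access to attr=(*) by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=mycompany,dc=com" (read, write, search, compare)
orclaci: access to entry by group="cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com" (browse,add,delete)
orclaci: access to attr = (*) by group="cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com" (search,read,compare,write)
-
add: orclentrylevelaci
orclentrylevelaci: access to entry by * (browse,noadd,nodelete)
orclentrylevelaci: access to attr=(*) by * (read,search,nowrite,nocompare)
"""

# Grammar of the subset of OID ACI syntax used on this page (assumption: only
# "entry" and "attr=(*)" targets, only "*" and group="<dn>" subjects).
ACI_RE = re.compile(
    r'access\s+to\s+(?P<target>entry|attr\s*=\s*\(\s*\*\s*\))\s+by\s+'
    r'(?P<subject>\*|group="(?P<group>[^"]+)")\s*\((?P<perms>[^)]*)\)',
    re.IGNORECASE,
)

@dataclass
class Aci:
    scope: str                    # "orclaci" (subtree) or "orclentrylevelaci" (entry only)
    target: str                   # "entry" or "attr"
    subject: str                  # "*" or a group DN
    grants: set = field(default_factory=set)
    denies: set = field(default_factory=set)   # rights named with a "no" prefix

def parse_acis(ldif: str) -> list:
    """Pull every orclaci / orclentrylevelaci value out of an LDIF modify record."""
    acis = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() not in ("orclaci", "orclentrylevelaci"):
            continue                          # dn:, changetype:, add:, "-" separator
        m = ACI_RE.search(value)
        if not m:
            raise ValueError(f"unrecognised ACI: {value.strip()!r}")
        target = "entry" if m.group("target").lower() == "entry" else "attr"
        subject = "*" if m.group("subject") == "*" else m.group("group")
        aci = Aci(attr.strip().lower(), target, subject)
        for perm in m.group("perms").split(","):
            perm = perm.strip().lower()
            if perm.startswith("no"):
                aci.denies.add(perm[2:])
            elif perm:
                aci.grants.add(perm)
        acis.append(aci)
    return acis

def effective_rights(acis: list, member_of: set, target: str) -> set:
    """Rights an identity that belongs to the groups in `member_of` gets on
    `target` ("entry" or "attr"). Simplified model (assumption): group-specific
    ACIs take precedence over the "*" ACIs; a "noXXX" keyword removes the right."""
    matching = [a for a in acis if a.target == target and a.subject in member_of]
    if not matching:
        matching = [a for a in acis if a.target == target and a.subject == "*"]
    rights = set().union(*(a.grants for a in matching))
    for a in matching:
        rights -= a.denies
    return rights

def audit_shadow_acl(ldif: str) -> dict:
    """Per-subject summary of what the ACL allows on the shadow container, plus a
    flag confirming that identities outside the admin groups cannot modify it."""
    acis = parse_acis(ldif)
    groups = sorted({a.subject for a in acis if a.subject != "*"})
    report = {g: effective_rights(acis, {g}, "entry") | effective_rights(acis, {g}, "attr")
              for g in groups}
    report["*"] = effective_rights(acis, set(), "entry") | effective_rights(acis, set(), "attr")
    report["anonymous_read_only"] = not (report["*"] & {"add", "delete", "write"})
    return report

if __name__ == "__main__":
    for subject, rights in audit_shadow_acl(SHADOW_ACL_LDIF).items():
        print(f"{subject}: {sorted(rights) if isinstance(rights, set) else rights}")
```

When several shadow containers are created (one per directory, as the last bullet describes), run the audit over each container's LDIF so that a container copied by hand does not silently lose the entry-level nowrite/nodelete restriction.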

10.1.4 Directory Structure Overview - Shadow Join

Figure 10-1 shows the directory structure in the primary store (Active Directory) and in the Fusion Applications Identity Store (Oracle Internet Directory).

Figure 10-1 Directory Structure


Figure 10-2 shows how the DIT appears to a user or client application.

Figure 10-2 Client View of the DIT


10.1.5 Configuring Adapters and Plug-ins

In order to produce the client side view of the data shown in Figure 10-2, you must configure multiple adapters in Oracle Virtual Directory following the steps in this section.

This section contains the following topics:

  • Section 10.1.5.1, "Creating User Adapter for Active Directory Server"

  • Section 10.1.5.2, "Creating ShadowJoiner User Adapter"

  • Section 10.1.5.3, "Creating JoinView Adapter"

  • Section 10.1.5.4, "Creating User/Role Adapter for Oracle Internet Directory"

  • Section 10.1.5.5, "Creating Changelog adapter for Active Directory Server"

  • Section 10.1.5.6, "Creating Changelog Adapter for Oracle Internet Directory"

  • Section 10.1.5.7, "Validate Oracle Virtual Directory Changelog"

  • Section 10.1.5.8, "Configuring a Global Consolidated Changelog Plug-in"

You use Oracle Directory Services Manager to configure adapters and plug-ins in Oracle Virtual Directory. Figure 10-3 summarizes them.

Figure 10-3 Adapter and Plug-in Configuration


The following sections describe how to configure the adapters and plug-ins.

10.1.5.1 Creating User Adapter for Active Directory Server

Create the following adapter and plug-ins for Active Directory:

Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM). The URL is of the form: http://admin.mycompany.com/odsm.

  2. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry. You must be logged in as a user with write privilege to Active Directory.

  3. On the Home page, click the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                        Value/Step
    Type              Adapter Type                 LDAP
                      Adapter Name                 user_AD1
                      Adapter Template             FAPrimary_User_ActiveDirectory
    Connection        Use DNS for Auto Discovery   No
                      Host                         Active Directory host/virtual name
                      Port                         Active Directory SSL port
                      Server Proxy Bind DN         The bind DN of the orcladmin user.
                      Proxy Password               Password for the orcladmin user.
                      Use SSL/TLS                  Selected
                      SSL Authentication Mode      Server Only Authentication
    Connection Test                                Validate that the test succeeds.
    Namespace         Remote Base                  cn=users,dc=idm,dc=ad,dc=com
                      Mapped Namespace             dc=idm,dc=ad


    Verify that the summary is correct and then click Finish.

  6. Verify that the User Adapter routing is configured correctly:

    1. Visibility must be set to internal.

    2. Bind Support must be set to enable.

  7. Edit the User Adapter User Management Plug-in as follows:

    1. Select the User Adapter.

    2. Click the Plug-ins tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Parameter           Value                                                        Default
      directoryType       activedirectory                                              Yes
      exclusionMapping    orclappiduser,uid=samaccountname
      mapAttribute        orclguid=objectGuid
      mapAttribute        uniquemember=member
      addAttribute        user,samaccountname=%uid%,%orclshortuid%
      mapAttribute        mail=userPrincipalName
      mapAttribute        ntgrouptype=grouptype
      mapObjectclass      groupofUniqueNames=group
      mapObjectclass      orclidxperson=user
      pwdMaxFailure       10                                                           Yes
      oamEnabled          False                                                        Yes
      mapObjectClass      inetorgperson=user                                           Yes
      mapPassword         True                                                         Yes
      filterObjectclass   oblixOrgPerson,oblixPersonPwdPolicy,OIMPersonPwdPolicy
      removeAttribute     orclAccountLocked,orclAccountEnabled,orclPwdChangeRequired

      Note:

      For language support, you must edit the User Management plug-in to add a new configuration parameter oimLanguages.

      For example, if Managed Localization for DisplayName is set to French when the user is created in Oracle Identity Manager, the value of oimLanguages in the User Management plug-in should be en,fr. If other languages must be supported as well, say Japanese, the value should be en,fr,ja.

      The User Management plug-in has the following configuration parameter:

      oimLanguages: a comma-delimited list of language codes to be used in attribute language subtypes.

      This parameter is functional only when the directoryType parameter is set to activedirectory.

    5. Click OK.

    6. Click Apply.
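The parameter table above is easier to reason about when the translation it describes is written out. The following is an added example, not code from Oracle Virtual Directory or from this guide: a simplified model of what the User Management plug-in does with the mapAttribute, mapObjectclass, filterObjectclass, removeAttribute and addAttribute parameters, in both directions (client-side entry to Active Directory on a write, Active Directory entry to the client view on a search). The sample entries are constructed; exclusionMapping, mapPassword and the password/lockout parameters are not modelled, and the reverse mapping of a back-end object class that several virtual classes map to (user) is an assumption.

```python
# Constructed parameter set, transcribed from the User Management plug-in table
# in 10.1.5.1. Repeated parameters (mapAttribute, mapObjectclass) become lists.
PLUGIN_PARAMS = {
    "directoryType": "activedirectory",
    "mapAttribute": ["orclguid=objectGuid", "uniquemember=member",
                     "mail=userPrincipalName", "ntgrouptype=grouptype"],
    "mapObjectclass": ["groupofUniqueNames=group", "orclidxperson=user",
                       "inetorgperson=user"],
    "addAttribute": ["user,samaccountname=%uid%,%orclshortuid%"],
    "filterObjectclass": ["oblixOrgPerson,oblixPersonPwdPolicy,OIMPersonPwdPolicy"],
    "removeAttribute": ["orclAccountLocked,orclAccountEnabled,orclPwdChangeRequired"],
}

# Constructed sample entries. VIRTUAL_USER is what a client (Oracle Identity
# Manager) sends through Oracle Virtual Directory; AD_USER is what Active
# Directory returns on a search.
VIRTUAL_USER = {
    "objectclass": ["top", "person", "inetorgperson", "orclidxperson",
                    "oblixOrgPerson", "OIMPersonPwdPolicy"],
    "cn": ["jdoe"], "uid": ["jdoe"], "sn": ["Doe"],
    "mail": ["jdoe@idm.ad.com"],
    "orclAccountEnabled": ["true"],
}
AD_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["jdoe"], "sAMAccountName": ["jdoe"],
    "userPrincipalName": ["jdoe@idm.ad.com"],
    "objectGUID": ["constructed-guid-0001"],
}

def _pairs(values):
    """'virtual=backend' strings -> list of (virtual, backend) tuples."""
    return [tuple(s.strip() for s in v.partition("=")[::2]) for v in values]

def _csv_set(values):
    return {x.strip().lower() for v in values for x in v.split(",")}

def to_backend(entry, params):
    """Translate a virtual (client-side) entry into what is sent to the back-end
    directory. Simplified model of the plug-in (assumption)."""
    attr_map = {v.lower(): b for v, b in _pairs(params.get("mapAttribute", []))}
    oc_map = {v.lower(): b for v, b in _pairs(params.get("mapObjectclass", []))}
    drop_oc = _csv_set(params.get("filterObjectclass", []))
    drop_attr = _csv_set(params.get("removeAttribute", []))
    src = {k.lower(): list(v) for k, v in entry.items()}

    out = {}
    for name, vals in entry.items():
        key = name.lower()
        if key == "objectclass" or key in drop_attr:
            continue                  # removeAttribute: the back end has no such attribute
        out[attr_map.get(key, name)] = list(vals)
    # filterObjectclass strips OID-only classes; mapObjectclass renames the rest.
    ocs = [oc_map.get(o.lower(), o) for o in src.get("objectclass", [])
           if o.lower() not in drop_oc]
    out["objectClass"] = list(dict.fromkeys(ocs))        # de-duplicate, keep order

    # addAttribute "<objectclass>,<attr>=%a%,%b%": for entries of that class, fill
    # <attr> from the first template attribute that has a value.
    present = {o.lower() for o in out["objectClass"]}
    for rule in params.get("addAttribute", []):
        oc, _, spec = rule.partition(",")
        attr, _, template = spec.partition("=")
        if oc.strip().lower() not in present:
            continue
        for token in template.split(","):
            source = src.get(token.strip().strip("%").lower())
            if source:
                out[attr.strip()] = list(source)
                break
    return out

def to_virtual(entry, params):
    """Reverse direction: rename back-end attributes and object classes into the
    names clients expect (assumption: a back-end class that several virtual
    classes map to is reported under all of them)."""
    attr_map = {b.lower(): v for v, b in _pairs(params.get("mapAttribute", []))}
    oc_map = {}
    for v, b in _pairs(params.get("mapObjectclass", [])):
        oc_map.setdefault(b.lower(), []).append(v)
    out = {}
    for name, vals in entry.items():
        key = name.lower()
        if key == "objectclass":
            out["objectClass"] = [x for o in vals for x in oc_map.get(o.lower(), [o])]
        else:
            out[attr_map.get(key, name)] = list(vals)
    return out
```

Running to_backend on VIRTUAL_USER shows why removeAttribute and filterObjectclass matter in the split profile: orclAccountEnabled and the oblix/OIM password-policy classes never reach Active Directory, which is exactly the data the shadow container in Oracle Internet Directory has to hold instead.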

10.1.5.2 Creating ShadowJoiner User Adapter

Follow these steps to create the ShadowJoiner Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to Oracle Virtual Directory.

  3. On the Home page, click the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                        Value/Step
    Type              Adapter Type                 LDAP
                      Adapter Name                 Shadow4AD1
                      Adapter Template             FAjoiner_User_OID
    Connection        Use DNS for Auto Discovery   No
                      Host                         Oracle Internet Directory host/virtual name
                      Port                         Oracle Internet Directory port
                      Server Proxy Bind DN         The bind DN of the orcladmin user.
                      Proxy Password               Password for the orcladmin user.
                      Use SSL/TLS
                      SSL Authentication Mode
    Connection Test                                Validate that the test succeeds.
    Namespace         Remote Base                  cn=shadowentries
                      Mapped Namespace             dc=shadows


    Verify that the summary is correct and then click Finish.

  6. Ensure that the User Adapter routing is configured correctly:

    1. Visibility must be set to internal.

    2. Bind Support must be set to enable.

  7. Edit the User Adapter as follows:

    1. Select the User Adapter.

    2. Click the Plug-ins tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Parameter        Value                     Default
      directoryType    oid                       Yes
      mapObjectclass   container=orclContainer
      pwdMaxFailure    10                        Yes
      oamEnabled       True
      oimDateFormat    yyyyMMddHHmmss'z'

      Note:

      For language support, you must edit the User Management plug-in to add a new configuration parameter oimLanguages.

      For example, if Managed Localization for DisplayName is set to French when the user is created in Oracle Identity Manager, the value of oimLanguages in the User Management plug-in should be en,fr. If other languages must be supported as well, say Japanese, the value should be en,fr,ja.

      The User Management plug-in has the following configuration parameter:

      oimLanguages: a comma-delimited list of language codes to be used in attribute language subtypes.

    5. Click OK.

    6. Click Apply.

10.1.5.3 Creating JoinView Adapter

Follow these steps to create the JoinView Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to the Oracle Directory Services Manager (ODSM) page.

  2. Connect to Oracle Virtual Directory.

  3. On the Home page, click the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen                    Field                       Value/Step
    Type                      Adapter Type                Join
                              Adapter Name                user_J1
                              Adapter Template            Default
    New Join Adapter Wizard   Adapter Suffix/Namespace    cn=users,dc=idm,dc=mycompany,dc=com
                              Primary Adapter             user_AD1
                              Bind Adapter                user_AD1


    Verify that the summary is correct and then click Finish.

  6. Edit the Adapter as follows:

    1. Click the adapter name in the adapter tree.

    2. Click the General tab.

    3. Under Join Relationship, click Create.

    4. Select Joined Adapter and enter the value Shadow4AD1.

    5. Select the join relationship type ShadowJoiner.

    6. In the Condition field, enter cn.

    7. Click OK.

    8. Click Apply.
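The three adapters created so far (user_AD1 as primary and bind adapter, Shadow4AD1 as the joined adapter, user_J1 joining them on cn) form the split profile. The following added example, which is not Oracle Virtual Directory code and not part of this guide, models the ShadowJoiner behaviour so that the routing consequences are visible: reads merge the Active Directory entry with the shadow entry that shares the same cn, a write is routed to the shadow adapter whenever the primary's schema cannot hold the attribute (creating the shadow entry on first use), and binds are answered by the bind adapter only. The primary's attribute list, the entry data and the plain-text password comparison are all constructed for the example.

```python
# Constructed stand-ins for the adapters created in 10.1.5.1 to 10.1.5.3.
# Entries are keyed by the value of the join condition attribute (cn).
PRIMARY_SCHEMA = {"objectclass", "cn", "sn", "givenname", "mail",
                  "samaccountname", "userpassword"}   # constructed AD-side attribute list

class Adapter:
    """Minimal model of an OVD LDAP adapter: a name, a mapped namespace and a
    table of entries. `schema` is the set of attributes the back end accepts;
    None means it accepts anything (the OID shadow container)."""
    def __init__(self, name, namespace, schema=None):
        self.name, self.namespace, self.schema = name, namespace, schema
        self.entries = {}
    def accepts(self, attr):
        return self.schema is None or attr.lower() in self.schema

class ShadowJoin:
    """Model of the user_J1 Join adapter with a ShadowJoiner relationship."""
    def __init__(self, primary, shadow, namespace, condition="cn", bind_adapter=None):
        self.primary, self.shadow = primary, shadow
        self.namespace, self.condition = namespace, condition
        self.bind_adapter = bind_adapter or primary          # Bind Adapter = user_AD1

    def search(self, key):
        """Client view: primary entry plus shadow attributes, under the join namespace."""
        base = self.primary.entries.get(key)
        if base is None:
            return None                 # no primary entry: a shadow alone is never exposed
        merged = {self.condition: [key], **{k: list(v) for k, v in base.items()}}
        for k, v in self.shadow.entries.get(key, {}).items():
            merged.setdefault(k, list(v))                     # primary wins on overlap
        merged.pop("userpassword", None)                      # never surfaced through the join
        merged["dn"] = f"{self.condition}={key},{self.namespace}"
        return merged

    def modify(self, key, changes):
        """Route each changed attribute to the adapter that can store it."""
        if key not in self.primary.entries:
            raise KeyError(f"{key}: no entry in primary adapter {self.primary.name}")
        routed = {}
        for attr, vals in changes.items():
            target = self.primary if self.primary.accepts(attr) else self.shadow
            target.entries.setdefault(key, {})[attr] = list(vals)   # shadow entry created on demand
            routed[attr] = target.name
        return routed

    def bind(self, key, password):
        """Authentication is delegated to the bind adapter only (constructed
        plain-text comparison standing in for the real LDAP bind)."""
        entry = self.bind_adapter.entries.get(key, {})
        return entry.get("userpassword", [None])[0] == password

def build_demo():
    """Constructed deployment: one AD user, an empty shadow container."""
    ad = Adapter("user_AD1", "dc=idm,dc=ad", schema=PRIMARY_SCHEMA)
    ad.entries["jdoe"] = {"sn": ["Doe"], "mail": ["jdoe@idm.ad.com"],
                          "samaccountname": ["jdoe"], "userpassword": ["constructed-secret"]}
    shadow = Adapter("Shadow4AD1", "dc=shadows")       # OID cn=shadowentries, no schema limit
    return ShadowJoin(ad, shadow, "cn=users,dc=idm,dc=mycompany,dc=com", condition="cn")

if __name__ == "__main__":
    join = build_demo()
    print(join.modify("jdoe", {"orclAccountEnabled": ["true"], "sn": ["Doe-Smith"]}))
    print(join.search("jdoe"))
```

The model also makes the prerequisite in Section 10.1.1 concrete: because the shadow entry is keyed by cn and created on demand, a user login ID that exists in two joined directories would collide on the same shadow entry, which is why the IDs must be unique across directories.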

10.1.5.4 Creating User/Role Adapter for Oracle Internet Directory

Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to Oracle Virtual Directory.

  3. On the Home page, click the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                        Value/Step
    Type              Adapter Type                 LDAP
                      Adapter Name                 User Adapter
                      Adapter Template             User_OID
    Connection        Use DNS for Auto Discovery   No
                      Host                         oidstore.mycompany.com
                      Port                         OID port number
                      Server Proxy Bind DN         The bind DN of the oimLDAP user.
                      Proxy Password               The password of the oimLDAP user.
    Connection Test                                Validate that the test succeeds.
    Namespace         Remote Base                  dc=mycompany,dc=com
                      Mapped Namespace             dc=mycompany,dc=com


    Verify that the summary is correct and then click Finish.

  6. Edit the User Adapter as follows:

    1. Select the User Adapter.

    2. Click the Plug-ins tab.

    3. Click the User Management Plug-in in the plug-ins table, then click Edit. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Parameter        Value                     Default
      directoryType    oid                       Yes
      pwdMaxFailure    10                        Yes
      oamEnabled       true
      mapObjectclass   container=orclContainer   Yes
      oimDateFormat    yyyyMMddHHmmss'z'

    5. Click OK.

    6. Click Apply.

10.1.5.5 Creating Changelog adapter for Active Directory Server

The Changelog adapter is only required if you are implementing Oracle Identity Manager.

Follow these steps to create the Changelog Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to Oracle Virtual Directory.

  3. On the Home page, click the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                        Value/Step
    Type              Adapter Type                 LDAP
                      Adapter Name                 changelog_AD1
                      Adapter Template             Changelog_ActiveDirectory
    Connection        Use DNS for Auto Discovery   No
                      Host                         Active Directory host/virtual name
                      Port                         389
                      Server Proxy Bind DN         The bind DN of the oimLDAP user.
                      Proxy Password               Password for the oimLDAP user.
    Connection Test                                Validate that the test succeeds.
    Namespace         Remote Base                  (Do not assign.)
                      Mapped Namespace             cn=changelog
    Summary                                        Verify that the summary is correct, then click Finish.


  6. To edit the Changelog Adapter follow these steps.

    1. Select the Changelog Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

      Edit the Changelog Adapter to add or modify the properties so that they match the values shown in the following table. You must add the sizeLimit and targetDNFilter properties to the adapter.

      Parameter               Value                          Comments
      directoryType           activedirectory                Default
      mapAttribute            targetGUID=objectGUID          Default
      requiredAttribute       samaccountname                 Default
      sizeLimit               1000                           Create
      targetDNFilter          cn=users,dc=idm,dc=ad,dc=com   Create (the users container in Active Directory)
      mapUserState            true                           Update
      oamEnabled              true
      virtualDITAdapterName   user_J1;user_AD1               Create


      Note:

      virtualDITAdapterName identifies the corresponding user profile adapter name. For example, in a single-directory deployment, you can set this parameter to User Adapter, which is the user adapter name. In a split-user profile scenario, you can set this parameter to J1;A2, where J1 is the Join View adapter name and A2 is the corresponding user adapter in J1.

    5. Click OK.

    6. Click Apply.

10.1.5.6 Creating Changelog Adapter for Oracle Internet Directory

To use the changelog adapter, you must first enable changelog on the connected directory. To test whether the directory is changelog enabled, type:

ldapsearch -h directory_host -p ldap_port -D bind_dn -q -b '' -s base 'objectclass=*' lastchangenumber

for example:

ldapsearch -h oidhost1 -p 389 -D "cn=orcladmin" -q -b '' -s base 'objectclass=*' lastchangenumber

If you see lastchangenumber with a value, it is enabled. If it is not enabled, enable it as described in the Enabling and Disabling Changelog Generation by Using the Command Line section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Follow these steps to create the Changelog Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to an Oracle Virtual Directory instance.

  3. On the Home page, click the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                        Value/Step
    Type              Adapter Type                 LDAP
                      Adapter Name                 Changelog Adapter
                      Adapter Template             Changelog_OID
    Connection        Use DNS for Auto Discovery   No
                      Host                         oididstore.mycompany.com
                      Port                         OID port
                      Server Proxy Bind DN         The bind DN of the oimLDAP user.
                      Proxy Password               The password of the oimLDAP user.
    Connection Test                                Validate that the test succeeds.
    Namespace         Remote Base                  (Do not assign.)
                      Mapped Namespace             cn=changelog
    Summary                                        Verify that the summary is correct, then click Finish.


  6. To edit the Changelog Adapter, follow these steps.

    1. Select the Changelog Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

      Edit the Changelog Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

      Parameter               Value                                         Comments
      directoryType           oid                                           Default
      mapAttribute            targetGUID=orclguid                           Default
      requiredAttribute       orclGUID                                      Default
      modifierDNFilter        cn=orcladmin                                  Create
      sizeLimit               1000                                          Create
      targetDNFilter          dc=mycompany,dc=com                           Create
      targetDNFilter          cn=shadowentries                              Create
      mapUserState            true                                          Update
      oamEnabled              true                                          Update
      virtualDITAdapterName   user_J1;shadow4AD1                            Create
      virtualDITAdapterName   User Adapter (the name of the User adapter)   Create


    5. Click OK.

    6. Click Apply.

10.1.5.7 Validate Oracle Virtual Directory Changelog

Run the following command to validate that the changelog adapter is working:

$IDM_ORACLE_HOME/bin/ldapsearch -p 6501 -D cn=orcladmin -q -b 'cn=changelog' -s base 'objectclass=*' lastchangenumber

The command should return a changelog result, such as:

Please enter bind password:
cn=Changelog
lastChangeNumber=changelog_OID:190048;changelog_AD1:363878

If ldapsearch does not return a changelog result, double check the changelog adapter configuration.
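Both checks in this part of the procedure, the per-directory lastchangenumber test in Section 10.1.5.6 and the consolidated Oracle Virtual Directory result above, come back as an attribute line that an operator reads by eye. The following added example (not from the Oracle guide) parses that line so the checks can be scripted: it returns one number for a plain directory and one number per changelog adapter for the consolidated value, and reports any configured changelog adapter that is absent from the result, which is the case that "double check the changelog adapter configuration" refers to. The sample outputs are constructed; the consolidated one reproduces the result shown above, and the shape of the plain directory output is an assumption.

```python
import re

# Constructed sample outputs. CONSOLIDATED is the OVD result shown in 10.1.5.7;
# OID_ENABLED / OID_DISABLED model the directory-level check from 10.1.5.6
# (assumed output shape: one "attribute=value" line per returned attribute).
CONSOLIDATED = """\
Please enter bind password:
cn=Changelog
lastChangeNumber=changelog_OID:190048;changelog_AD1:363878
"""
OID_ENABLED = "Please enter bind password:\n\nlastchangenumber=190048\n"
OID_DISABLED = "Please enter bind password:\n\n"

LCN_RE = re.compile(r"^\s*lastchangenumber\s*[=:]\s*(?P<value>.+?)\s*$",
                    re.IGNORECASE | re.MULTILINE)

def parse_lastchangenumber(output: str) -> dict:
    """Return {adapter_name: last_change_number}. A plain directory answers with
    a single number, returned under the key "*"; OVD's consolidated plug-in
    answers with "<adapter>:<number>;<adapter>:<number>..."."""
    m = LCN_RE.search(output)
    if not m:
        return {}
    result = {}
    for part in m.group("value").split(";"):
        name, sep, num = part.rpartition(":")
        if not sep:                      # no adapter prefix: single-directory form
            name, num = "*", part
        if not num.strip().isdigit():
            raise ValueError(f"malformed lastchangenumber fragment: {part!r}")
        result[name.strip()] = int(num)
    return result

def changelog_enabled(output: str) -> bool:
    """The 10.1.5.6 test: the directory is changelog-enabled if lastchangenumber
    comes back with a value."""
    return bool(parse_lastchangenumber(output))

def missing_changelog_adapters(output: str, expected: set) -> set:
    """The 10.1.5.7 check made strict: every changelog adapter configured in OVD
    must appear in the consolidated value, otherwise changes from that directory
    are not being picked up."""
    return set(expected) - set(parse_lastchangenumber(output))

if __name__ == "__main__":
    print(parse_lastchangenumber(CONSOLIDATED))
    print(missing_changelog_adapters(CONSOLIDATED, {"changelog_OID", "changelog_AD1"}))
```

To use it against a live deployment, feed the stdout of the ldapsearch command shown above into parse_lastchangenumber and pass the set of changelog adapter names you created to missing_changelog_adapters; a non-empty result points at an adapter whose plug-in or connection needs a second look.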

10.1.5.8 Configuring a Global Consolidated Changelog Plug-in

Deploy a global level consolidated changelog plug-in to handle changelog entries from all the Changelog Adapters.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to an Oracle Virtual Directory instance.

  3. On the Home page, click the Advanced tab. The Advanced navigation tree appears.

  4. Expand Global Plugins.

  5. Click the Create Plug-In button. The Plug-In dialog box appears.

  6. Enter a name for the Plug-in in the Name field.

  7. Select the plug-in class ConsolidatedChglogPlugin from the list.

  8. Click OK.

  9. Click Apply.

10.2 Configuring Multiple Directories as an Identity Store: Distinct User and Group Populations in Multiple Directories

In this configuration, Oracle-specific entries are stored in Oracle Internet Directory. Enterprise-specific entries that might have Fusion Applications-specific attributes are in Active Directory.

Note:

The Oracle Internet Directory used here is not necessarily the Policy Store Oracle Internet Directory. Conceptually, any non-Active Directory directory can be used as the second directory. For convenience, this section refers to it as the Policy Store Oracle Internet Directory.

The following conditions are assumed:

This section contains the following topics:

10.2.1 Directory Structure Overview (Internal - External)

Figure 10-4 shows the directory structure in the internal and external directories.

Figure 10-4 Directory Structure


Oracle Virtual Directory makes multiple directories look like a single DIT to a user or client application, as shown in Figure 10-5.

Figure 10-5 Client View of the DIT


10.2.2 Configuring Oracle Virtual Directory Adapters and Plug-ins

Figure 10-6 provides an overview of the configuration.

Figure 10-6 Configuration Overview


Create the user adapter on the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager:

  1. If they are not already running, start the Administration Server and the WLS_ODSM Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  2. In a web browser, go to Oracle Directory Services Manager (ODSM) at:

    http://admin.mycompany.com/odsm

  3. Create connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.

  4. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  5. On the Home page, click the Adapter tab.

  6. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  7. Create new adapters using the New Adapter Wizard, with the parameters shown in the following tables.

10.2.2.1 User/Role Adapter A1

Table 10-1 User/Role Adapter A1

Screen            Field                           Value
Type              Adapter Type                    LDAP
                  Name                            User_Adapter_A1
                  Adapter Template                User_OID or User_ActiveDirectory. Choose the correct template for the LDAP directory you are connecting to.
Connection        Use DNS for Auto Discovery      No
                  Host                            Enter the host or virtual name of the directory host, for example: ad.mycompany.com
                  Port                            Enter the port to connect to the LDAP directory on.
                  Use SSL/TLS                     Select this value if you connect to your LDAP directory using SSL or if you are using Active Directory.
                  SSL Authentication Mode         If you connect to your LDAP directory using SSL, choose the authentication mode. If you are using Active Directory, select Server Only Authentication (Mutual Authentication).
                  Server Proxy Bind DN            The DN of a user that Oracle Virtual Directory can use to connect to Active Directory and perform any operations. A user called oimLDAP, created in Section 11.4, "Preparing the Identity Store," can be used for this purpose.
                  Proxy Password                  Password for Server Proxy account
Connection Test                                   Validate that the test succeeds
Namespace         Remote Base                     dc=us,dc=mycompany,dc=com
                  Mapped Namespace (footnote 1)   dc=us,dc=mycompany,dc=com

Footnote 1 Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.

To edit the User/Role Adapter A1, follow these steps:

  1. Select the OIM User Adapter.

  2. Click the Plug-ins tab.

  3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

  4. In the Parameters table, update the parameter values as follows:

    Parameter           Value                                                     Default
    directoryType       activedirectory                                           Yes
    exclusionMapping    orclappiduser,uid=samaccountname
    mapAttribute        orclguid=objectGuid
    mapAttribute        uniquemember=member
    addAttribute        user,samaccountname=%uid%,%orclshortuid%
    mapAttribute        mail=userPrincipalName
    mapAttribute        ntgrouptype=grouptype
    mapObjectclass      groupofUniqueNames=group
    mapObjectclass      orclidxperson=user
    pwdMaxFailure       10                                                        Yes
    oamEnabled          True (footnote 1)
    mapObjectClass      inetorgperson=user                                        Yes
    mapPassword         True                                                      Yes
    oimLanguages        Comma-separated list of language codes, such as en,fr,ja

    Footnote 1 Set oamEnabled to true only if you are using Oracle Access Manager.

    Note:

    For language support, you must edit the User Management plug-in to add a new configuration parameter oimLanguages.

    For example, if Managed Localization for DisplayName is set to French when the user is created in Oracle Identity Manager, the value of oimLanguages in the User Management plug-in should be en,fr. If other languages must be supported as well, say Japanese, the value should be en,fr,ja.

    The User Management plug-in has the following configuration parameter:

    oimLanguages: a comma-delimited list of language codes to be used in attribute language subtypes.

    This parameter is functional only when the directoryType parameter is set to activedirectory.

  5. Click OK.

  6. Click Apply.
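As an added illustration (not code from this guide or from Oracle Virtual Directory), the following Python models how the mapAttribute, mapObjectclass and addAttribute rows configured above translate an entry between the virtual, OID-style view and the Active Directory back end. Lower-casing of names, presenting both virtual classes that map to user, and leaving exclusionMapping unmodelled are this example's own simplifications.

```python
# Added example (not Oracle Virtual Directory code): a simplified model of how
# the User Management plug-in parameters on User_Adapter_A1 translate an entry
# between the virtual view and Active Directory (names lower-cased throughout;
# exclusionMapping is not modelled).

# mapAttribute rows: virtual attribute -> Active Directory attribute.
MAP_ATTRIBUTE = {"orclguid": "objectguid", "uniquemember": "member",
                 "mail": "userprincipalname", "ntgrouptype": "grouptype"}
# mapObjectclass rows: virtual object class -> Active Directory object class.
MAP_OBJECTCLASS = {"groupofuniquenames": "group", "orclidxperson": "user",
                   "inetorgperson": "user"}
# addAttribute user,samaccountname=%uid%,%orclshortuid%: when a 'user' entry is
# added, fill samaccountname from uid, falling back to orclshortuid.
ADD_ATTRIBUTE = ("user", "samaccountname", ("uid", "orclshortuid"))

def to_backend(entry):
    """Outbound direction: entry written through the virtual view -> AD form."""
    out = {}
    for attr, values in entry.items():
        attr = attr.lower()
        if attr == "objectclass":
            values = sorted({MAP_OBJECTCLASS.get(v.lower(), v.lower())
                             for v in values})
        out[MAP_ATTRIBUTE.get(attr, attr)] = list(values)
    oc, name, sources = ADD_ATTRIBUTE
    if oc in out.get("objectclass", []) and name not in out:
        for source in sources:
            if out.get(source):
                out[name] = [out[source][0]]
                break
    return out

def to_virtual(entry):
    """Inbound direction: entry read from AD -> virtual view (maps reversed).
    Modelling choice: a back-end class that several virtual classes map to
    (here 'user') is presented as all of them."""
    rev_attr = {ad: virt for virt, ad in MAP_ATTRIBUTE.items()}
    rev_oc = {}
    for virt, ad in MAP_OBJECTCLASS.items():
        rev_oc.setdefault(ad, []).append(virt)
    out = {}
    for attr, values in entry.items():
        attr = attr.lower()
        if attr == "objectclass":
            expanded = []
            for v in values:
                expanded.extend(rev_oc.get(v.lower(), [v.lower()]))
            values = sorted(set(expanded))
        out[rev_attr.get(attr, attr)] = list(values)
    return out
```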

10.2.2.2 User/Role Adapter A2

Table 10-2 User/Role Adapter A2

Screen | Field | Value
Type | Adapter Type | LDAP
Type | Name | User_Adapter_A2
Type | Adapter Template | User_OID. Choose the correct template for the LDAP directory you are connecting to.
Connection | Use DNS for Auto Discovery | No
Connection | Host | Enter the host or virtual name of the directory host, for example: ldap.mycompany.com
Connection | Port | Enter the port to connect to the LDAP directory on.
Connection | Use SSL/TLS | Select this value if you connect to your LDAP directory using SSL or if you are using Active Directory.
Connection | SSL Authentication Mode | If you connect to your LDAP directory using SSL, choose the authentication mode. If you are using Active Directory, choose Server Only Authentication/Mutual Authentication.
Connection | Server Proxy Bind DN | The DN of a user that Oracle Virtual Directory can use to connect to Active Directory and perform all operations. The user oimLDAP, which is created in Section 11.4, "Preparing the Identity Store," can be used for this purpose.
Connection | Proxy Password | Password for server proxy account
Connection Test | | Validate that the test succeeds
Namespace | Remote Base | dc=uk,dc=mycompany,dc=com
Namespace | Mapped Namespace (Footnote 1) | dc=uk,dc=mycompany,dc=com

Footnote 1: Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.

To edit the User/Role Adapter A2, follow these steps:

  1. Select the User Adapter.

  2. Click the Plug-ins tab.

  3. Click the User Management Plug-in in the plug-ins table, then click Edit. The plug-in editing window appears.

  4. In the Parameters table, update the parameter values as follows:

    Parameter | Value | Default
    directoryType | oid | Yes
    pwdMaxFailure | 10 | Yes
    oamEnabled | true (Footnote 1) |
    mapObjectclass | container=orclContainer | Yes

    Footnote 1: Set oamEnabled to true only if you are using Oracle Access Manager.

  5. Click OK.

  6. Click Apply.

10.2.2.3 Changelog Adapter C1

Table 10-3 Changelog Adapter C1

Screen | Field | Value
Type | Adapter Type | LDAP
Type | Name | Changelog_Adapter_C1
Type | Adapter Template | Changelog_OID or Changelog_ActiveDirectory. Choose the correct template for the LDAP directory you are connecting to.
Connection | Use DNS for Auto Discovery | No
Connection | Host | Enter the host or virtual name of the directory host, for example: ad.mycompany.com
Connection | Port | Enter the port to connect to the LDAP directory on.
Connection | Proxy Password | Password for server proxy account
Connection Test | | Validate that the test succeeds
Namespace | Remote Base |
Namespace | Mapped Namespace (Footnote 1) | cn=changelog

Footnote 1: Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.

To edit the Changelog Adapter C1, follow these steps:

  1. Select the OIM changelog adapter Changelog_Adapter_C1.

  2. Click the Plug-ins tab.

  3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

  4. In the Parameters table, update the parameter values. Edit the Changelog Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

    If Active Directory is selected, the corresponding values are already documented in Section 9.8.2.2, "Changelog Adapter for Active Directory."

    Table 10-4 Values in Parameters Table

    Parameter | Value | Comments
    modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format "!(modifiersname=cn=BindDN)". For example: "!(modifiersname=cn=orcladmin,cn=systemids,dc=mycompany,dc=com)" | Create
    sizeLimit | 1000 | Create
    targetDNFilter | dc=us,dc=mycompany,dc=com | Create
    mapUserState | true | Update
    oamEnabled | true | Update
    virtualDITAdapterName | The adapter name of User/Role Adapter A1: User_Adapter_A1 | Create


10.2.2.4 Changelog Adapter C2

Table 10-5 Changelog Adapter C2

Screen | Field | Value
Type | Adapter Type | LDAP
Type | Name | Changelog_Adapter_C2
Type | Adapter Template | Changelog_OID. Choose the correct template for the LDAP directory you are connecting to.
Connection | Use DNS for Auto Discovery | No
Connection | Host | Enter the host or virtual name of the directory host, for example: ad.mycompany.com
Connection | Port | Enter the port to connect to the LDAP directory on.
Connection | Proxy Password | Password for server proxy account
Connection Test | | Validate that the test succeeds
Namespace | Remote Base |
Namespace | Mapped Namespace (Footnote 1) | cn=changelog

Footnote 1: Mapped namespace is the location in the target directory. This example assumes that the target directory has the same structure that appears in Oracle Virtual Directory. If this is not the case, then modify accordingly.

To edit the Changelog Adapter C2, follow these steps:

  1. Select the OIM changelog adapter Changelog_Adapter_C2.

  2. Click the Plug-ins tab.

  3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

  4. In the Parameters table, update the parameter values. Edit the Changelog Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

    Table 10-6 Values in Parameters Table

    Parameter | Value | Comments
    modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format "!(modifiersname=cn=BindDN)". For example: "!(modifiersname=cn=orcladmin,dc=mycompany,dc=com)" (Footnote 1) | Create
    sizeLimit | 1000 | Create
    targetDNFilter | dc=uk,dc=mycompany,dc=com | Create
    mapUserState | true | Update
    oamEnabled | true | Update
    virtualDITAdapterName | The adapter name of User/Role Adapter A2: User_Adapter_A2 | Create

    Footnote 1: This will be changed in Section 11.4.8, "Creating Access Control Lists in Non-Oracle Internet Directory Directories."
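As an added illustration (not code from this guide or from Oracle Virtual Directory), the following Python applies the modifierDNFilter, targetDNFilter and sizeLimit parameters of Tables 10-4 and 10-6 to a constructed changelog, showing which changes an adapter scoped to dc=uk would pass on and which it drops. The sample entries and DNs are constructed, and the assumption that sizeLimit caps the batch read from the back end before the filters apply is the example's own.

```python
# Added example (not Oracle Virtual Directory code): a simplified model of the
# modifierDNFilter, targetDNFilter and sizeLimit parameters from the changelog
# adapter tables above, run over constructed changelog entries. Assumption:
# sizeLimit caps the batch read from the back end before the filters apply.
import re

def parse_modifier_dn_filter(value):
    """'"!(modifiersname=cn=BindDN)"' -> the DN whose changes are skipped."""
    match = re.fullmatch(r'"?!\(modifiersname=(.+)\)"?', value.strip(), re.I)
    if not match:
        raise ValueError("unexpected modifierDNFilter: %r" % value)
    return match.group(1)

def norm_dn(dn):
    # Case- and whitespace-insensitive comparison form for a DN.
    return ",".join(part.strip().lower() for part in dn.split(","))

def select_changes(changelog, modifier_dn_filter, target_dn_filter, size_limit):
    """Return the change numbers this adapter would pass on, in order."""
    skip_dn = norm_dn(parse_modifier_dn_filter(modifier_dn_filter))
    base = norm_dn(target_dn_filter)
    selected = []
    for change in changelog[:size_limit]:
        # Changes written by the excluded bind DN are not replayed, so a write
        # made through that account does not come straight back as a change.
        if norm_dn(change["modifiersname"]) == skip_dn:
            continue
        # Only entries at or under the targetDNFilter subtree are in scope.
        target = norm_dn(change["targetdn"])
        if target != base and not target.endswith("," + base):
            continue
        selected.append(change["changenumber"])
    return selected

# Constructed sample changelog (not real data), ordered by changenumber.
SAMPLE_CHANGELOG = [
    {"changenumber": 101, "targetdn": "cn=jdoe,cn=users,dc=uk,dc=mycompany,dc=com",
     "modifiersname": "cn=oimLDAP,cn=systemids,dc=mycompany,dc=com"},
    {"changenumber": 102, "targetdn": "cn=asmith,cn=users,dc=uk,dc=mycompany,dc=com",
     "modifiersname": "cn=orcladmin,dc=mycompany,dc=com"},
    {"changenumber": 103, "targetdn": "cn=bjones,cn=users,dc=us,dc=mycompany,dc=com",
     "modifiersname": "cn=oimLDAP,cn=systemids,dc=mycompany,dc=com"},
    {"changenumber": 104, "targetdn": "cn=UK Admins,cn=groups,dc=uk,dc=mycompany,dc=com",
     "modifiersname": "CN=oimLDAP,CN=systemids,DC=mycompany,DC=com"},
]
```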

10.2.2.5 Creating Oracle Virtual Directory Global Plug-in

To create a Global Oracle Virtual Directory plug-in:

  1. In a web browser, go to Oracle Directory Services Manager (ODSM) at:

    http://admin.mycompany.com/odsm

  2. Create connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.

  3. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  4. On the Home page, click the Adapter tab.

  5. Click the + next to Global Plugins in the left pane.

  6. Click Create Plugin.

  7. Create the Global Consolidated Changelog Plug-in as follows:

    Enter the following values to create the Global Consolidated Plug-in:

    • Name: Global Consolidated Changelog

    • Class: Click Select then choose: ConsolidatedChangelog

    Click OK when finished.

The environment is now ready to be configured to work with Oracle Virtual Directory as the Identity Store.