Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.3) Part Number E21032-07
After you have configured your Oracle Virtual Directory adapters as described in Chapter 13, "Configuring an Identity Store with Multiple Directories," you can use ODSM to view the adapters for troubleshooting purposes. This chapter explains how.
This appendix contains the following sections:
This section describes how to validate the adapters created in Section 13.2.5, "Configuring Oracle Virtual Directory Adapters for Split Profile."
This section contains the following topics:
Section A.1.1, "Verifying User Adapter for Active Directory Server"
Section A.1.4, "Verifying User/Role Adapter for Oracle Internet Directory"
Section A.1.5, "Verifying Changelog adapter for Active Directory Server"
Section A.1.6, "Verifying Changelog Adapter for Oracle Internet Directory"
Section A.1.7, "Configuring a Global Consolidated Changelog Plug-in"
Section A.1.8, "Validate Oracle Virtual Directory Changelog"
Verify the following adapter and plug-ins for Active Directory:
Follow these steps to verify the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.
In a web browser, go to Oracle Directory Services Manager (ODSM). The URL is of the form: http://admin.mycompany.com/odsm.
Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Click user_AD1 adapter.
Verify that the User Adapter routing is configured correctly:
Visibility must be set to internal.
Bind Support must be set to enable.
Verify the User Adapter User Management Plug-in as follows:
Select the User Adapter.
Click the Plug-ins tab.
Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
Verify that the plug-in parameters are as follows:
Parameter | Value | Default |
---|---|---|
directoryType | | |
exclusionMapping | | |
mapAttribute | | |
mapAttribute | | |
addAttribute | | |
mapAttribute | | |
mapAttribute | | |
mapObjectclass | | |
mapObjectclass | | |
pwdMaxFailure | 10 | |
oamEnabled | | |
mapObjectClass | | |
mapPassword | | |
oimLanguages | Comma separated list of language codes, such as | |
Footnote 1 Set oamEnabled to true only if you are using Oracle Access Manager.
Follow these steps to verify the ShadowJoiner Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.
In a web browser, go to Oracle Directory Services Manager (ODSM).
Connect to Oracle Virtual Directory.
On the Home page, click the Adapter tab.
Click the Shadow4AD1 Adapter.
Ensure that the User Adapter routing is configured correctly:
Visibility must be set to internal.
Bind Support must be set to enable.
Verify the User Adapter as follows:
Select the User Adapter.
Click the Plug-ins tab.
Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
Verify that the parameters are as follows:
Parameter | Value | Default |
---|---|---|
directoryType | | |
pwdMaxFailure | | |
oamEnabled | | |
mapObjectclass | | |
oimDateFormat | yyyyMMddHHmmss'z' | |
Follow these steps to verify the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.
In a web browser, go to the Oracle Directory Services Manager (ODSM) page.
Connect to Oracle Virtual Directory.
On the Home page, click the Adapter tab.
Click the JoinView adapter.
Verify the adapter as follows:
Click Joined Adapter in the adapter tree. It should exist.
Click OK.
Follow these steps to verify the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.
In a web browser, go to Oracle Directory Services Manager (ODSM).
Connect to Oracle Virtual Directory.
On the Home page, click the Adapter tab.
Click User Adapter.
Verify the plug-in as follows:
Select the User Adapter.
Click the Plug-ins tab.
Click the User Management Plug-in in the plug-ins table, then click Edit. The plug-in editing window appears.
Verify that the parameters are as follows:
Parameter | Value | Default |
---|---|---|
directoryType | | |
pwdMaxFailure | | |
oamEnabled | | |
mapObjectclass | | |
oimDateFormat | yyyyMMddHHmmss'z' | |
Click OK.
Follow these steps to verify the Changelog Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.
In a web browser, go to Oracle Directory Services Manager (ODSM).
Connect to Oracle Virtual Directory.
On the Home page, click the Adapter tab.
Click the changelog_AD1 adapter.
Verify the plug-in as follows:
Select the Changelog Adapter.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
Verify that the parameter values are as follows:
Parameter | Value |
---|---|
directoryType | |
mapAttribute | |
requiredAttribute | |
sizeLimit | |
targetDNFilter | The users container in Active Directory |
mapUserState | |
oamEnabled | |
virtualDITAdapterName | user_J1;user_AD1 |
To use the changelog adapter, you must first enable changelog on the connected directory. To test whether the directory is changelog enabled, type:
ldapsearch -h directory_host -p ldap_port -D bind_dn -q -b '' -s base 'objectclass=*' lastchangenumber
for example:
ldapsearch -h oidhost1 -p 389 -D "cn=orcladmin" -q -b '' -s base 'objectclass=*' lastchangenumber
If you see lastchangenumber with a value, it is enabled. If it is not enabled, enable it as described in the Enabling and Disabling Changelog Generation by Using the Command Line section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Follow these steps to verify the Changelog Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.
In a web browser, go to Oracle Directory Services Manager (ODSM).
Connect to an Oracle Virtual Directory instance.
On the Home page, click the Adapter tab.
Click the Changelog Adapter.
Verify the plug-in as follows:
Select the Changelog Adapter.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
Verify that the parameter values are as follows:
Parameter | Value |
---|---|
directoryType | |
mapAttribute | |
requiredAttribute | |
modifierDNFilter | |
sizeLimit | |
targetDNFilter | |
targetDNFilter | cn=shadowentries |
mapUserState | |
oamEnabled | |
virtualDITAdapterName | user_J1;shadow4AD1 |
virtualDITAdapterName | User Adapter (the name of the User adapter) |
Verify the global-level consolidated changelog plug-in as follows:
In a web browser, go to Oracle Directory Services Manager (ODSM).
Connect to an Oracle Virtual Directory instance.
On the Home page, click the Advanced tab. The Advanced navigation tree appears.
Expand Global Plugins.
Click the ConsolidatedChglogPlugin. The plug-in editing window appears.
Run the following command to validate that the changelog adapter is working:
$IDM_ORACLE_HOME/bin/ldapsearch -p 6501 -D cn=orcladmin -q -b 'cn=changelog' -s base 'objectclass=*' lastchangenumber
The command should return a changelog result, such as:
Please enter bind password:
cn=Changelog
lastChangeNumber=changelog_OID:190048;changelog_AD1:363878
If ldapsearch does not return a changelog result, double check the changelog adapter configuration.
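The two lastchangenumber checks above (on the connected directory and on the Oracle Virtual Directory changelog) can be scripted so that a missing adapter is reported by name. The following is an added example, not part of Oracle's guide: the function names last_change_number and check_consolidated are hypothetical, and the sample output is constructed from the example result shown above, laid out one attribute per line.

```shell
#!/bin/sh
# Added example (not Oracle's code): validate the consolidated changelog value.

# Constructed sample, copied from the example result shown above.
sample_output() {
cat <<'EOF'
Please enter bind password:
cn=Changelog
lastChangeNumber=changelog_OID:190048;changelog_AD1:363878
EOF
}

# Read ldapsearch output on stdin and print the lastChangeNumber value.
# Accepts "name=value" and LDIF-style "name: value", in any letter case.
last_change_number() {
    grep -io 'lastchangenumber[=:][[:space:]]*[^[:space:]]*' |
        head -n 1 |
        sed 's/^[^=:]*[=:][[:space:]]*//'
}

# check_consolidated VALUE ADAPTER...
# Print one status line per expected changelog adapter and return non-zero
# if any adapter is absent from VALUE or has a non-numeric change number.
check_consolidated() {
    value=$1
    shift
    rc=0
    for adapter in "$@"; do
        num=$(printf '%s\n' "$value" | tr ';' '\n' |
            awk -F: -v a="$adapter" '$1 == a { print $2; exit }')
        case $num in
            '' | *[!0-9]*) echo "FAIL $adapter: no numeric change number"; rc=1 ;;
            *) echo "OK   $adapter: $num" ;;
        esac
    done
    return "$rc"
}

# Offline run against the sample; on a live system pipe the ldapsearch
# command shown above into last_change_number instead.
check_consolidated "$(sample_output | last_change_number)" changelog_OID changelog_AD1
```

An adapter that is configured but missing from the consolidated value is the case to investigate first, because changes from that directory would not reach reconciliation.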
This section describes how to view the adapters created in Section 13.3.2, "Configuring Oracle Virtual Directory Adapters for Distinct User and Group Populations in Multiple Directories."
Verify the user adapter on the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to verify the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager:
If they are not already running, start the Administration Server and the WLS_ODSM Managed Servers as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
In a web browser, go to Oracle Directory Services Manager (ODSM) at:
http://admin.mycompany.com/odsm
Verify connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.
Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Click the name of each adapter. Verify that it has the parameters shown in the following tables.
This section contains the following topics:
Section A.2.6, "Verifying Oracle Virtual Directory Global Plug-in"
Section A.2.7, "Configuring a Global Consolidated Changelog Plug-in"
Verify the plug-in of the User/Role Adapter A1, as follows:
Select the OIM User Adapter.
Click the Plug-ins tab.
Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
Verify that the parameter values are as follows:
Parameter | Value | Default |
---|---|---|
directoryType | | |
exclusionMapping | | |
mapAttribute | | |
mapAttribute | | |
addAttribute | | |
mapAttribute | | |
mapAttribute | | |
mapObjectclass | | |
mapObjectclass | | |
pwdMaxFailure | 10 | |
oamEnabled | | |
mapObjectClass | | |
mapPassword | | |
oimLanguages | Comma separated list of language codes, such as | |
Footnote 1 Set oamEnabled to true only if you are using Oracle Access Manager.
Verify the plug-in of the User/Role Adapter A2 as follows:
Select the User Adapter.
Click the Plug-ins tab.
Click the User Management Plug-in in the plug-ins table, then click Edit. The plug-in editing window appears.
Verify that the parameter values are as follows:
Parameter | Value | Default |
---|---|---|
directoryType | | |
pwdMaxFailure | | |
oamEnabled | | |
mapObjectclass | | |
Footnote 1 Set oamEnabled to true only if you are using Oracle Access Manager.
To verify the Changelog Adapter C1 plug-in, follow these steps:
Select the OIM changelog adapter Changelog_Adapter_C1.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, verify that the values are as shown.
Table A-1 Values in Parameters Table
Parameter | Value | Comments |
---|---|---|
modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format: For example: | Create |
sizeLimit | 1000 | Create |
targetDNFilter | | Create |
mapUserState | true | Update |
oamEnabled | true | Update |
virtualDITAdapterName | The adapter name of User/Role Adapter A1: | Create |
Verify the plug-in as follows:
Select the OIM Changelog Adapter.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, verify that the parameters are as follows:
Parameter | Value |
---|---|
directoryType | |
mapAttribute | |
requiredAttribute | |
sizeLimit | |
targetDNFilter | Search base from which reconciliation must happen. This value must be the same as the LDAP SearchDN that is specified during Oracle Identity Manager installation. |
mapUserState | |
oamEnabled | |
virtualDITAdapterName | The name of the User adapter |
Footnote 1 Set oamEnabled to true only if you are using Oracle Access Manager.
Note:
virtualDITAdapterName identifies the corresponding user profile adapter name. For example, in a single-directory deployment, you can set this parameter value to User Adapter, which is the user adapter name. In a split-user profile scenario, you can set this parameter to J1;A2, where J1 is the JoinView adapter name, and A2 is the corresponding user adapter in J1.
Verify the plug-in as follows:
Select the OIM changelog adapter Changelog_Adapter_C2.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, verify that the parameters are as follows:
Table A-2 Values in Parameters Table
Parameter | Value | Comments |
---|---|---|
modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format: For example: | Create |
sizeLimit | 1000 | Create |
targetDNFilter | | Create |
mapUserState | true | Update |
oamEnabled | true | Update |
virtualDITAdapterName | The adapter name of User/Role adapter A2: | Create |
Footnote 1 This will be changed in Section 11.5.5, "Creating Access Control Lists in Non-Oracle Internet Directory Directories."
To verify the Global Oracle Virtual Directory plug-in, proceed as follows:
In a web browser, go to Oracle Directory Services Manager (ODSM) at:
http://admin.mycompany.com/odsm
Verify connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.
Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Click the Plug-ins tab.
Verify that the Global Consolidated Changelog Plug-in exists.
Click OK when finished.
Verify the global-level consolidated changelog plug-in as follows:
In a web browser, go to Oracle Directory Services Manager (ODSM).
Connect to an Oracle Virtual Directory instance.
On the Home page, click the Advanced tab. The Advanced navigation tree appears.
Expand Global Plugins.
Click the ConsolidatedChglogPlugin. The plug-in editing window appears.