Oracle Identity Analytics System Integrator's Guide 11g Release 1 |
To Configure the LDAP URL and BASE_DN
The ldap.properties file is located in the $RBACX_HOME/conf folder.
The LDAP URL specifies how to connect to and search the LDAP server. The URL takes one of the following forms:
ldap://hostname:portnumber/
ldaps://hostname:portnumber/ (for SSL/TLS)
where:
hostname is the name (or IP address in dotted format) of the LDAP server.
portnumber is the port number of the LDAP server (for example, 49153). The standard LDAP port is 389; the standard port for ldaps:// is 636. Prefer ldaps:// wherever the directory supports it, because the simple-bind credentials described later on this page cross the network in clear text over ldap://.
The LDAP URL is set in the ldapAuthentication.url field in the ldap.properties file. Multiple URLs can be specified by using a semicolon (;) as the delimiter.
For example: ldap://vaau1123:389/;ldap://vaau1398:389/
The Base_DN is set in the ldapAuthentication.rootContext field in the ldap.properties file. If multiple URLs are used, a corresponding Base_DN must be defined for each URL, in the same order, again using a semicolon (;) as the delimiter.
For example: DC=vaau,DC=corp,DC=net;DC=vaau,DC=corp,DC=net
If Active Directory (AD) is used as the LDAP server, the full Windows name of an AD object takes the form NetBIOSDomain\sAMAccountName.
For example: Vaau\rbacxadmin
The domain name can be configured so that users do not need to type the domainName\ prefix in front of their sAMAccountName. To do this, uncomment the ldapAuthentication.userContextPrefix field in ldap.properties and set it to the domain name followed by a double slash (//). The double slash at the end of the domain name is mandatory. This field is distinct from ldapAuthentication.userContext, which holds the user search filter described under User Context Search below and is set to {0} for AD.
For example:
If users log in with Vaau as the domain, so that the full login is Vaau\rbacxadmin, set: ldapAuthentication.userContextPrefix=Vaau//
If multiple URLs are used, a prefix must be specified for each URL, separated by a semicolon (;): ldapAuthentication.userContextPrefix=Vaau//;Vaau//
Note 1 - For AD
By default, users authenticated through AD are created in the Oracle Identity Analytics database in the format domain/username. To create the user as just username, uncomment the ldapAuthentication.keepContextPrefix field in ldap.properties and set it to false.
The settings above are specific to AD. For all other LDAP directories, only the following need to be configured correctly.
Note 2 - For Non-AD
Uncomment the ldapAuthentication.keepContextPrefix field in ldap.properties and set it to false.
Uncomment the ldapAuthentication.isAD field in ldap.properties and set it to false.
If the LDAP server does not allow anonymous binds, uncomment the following parameters and set them to the service-account values supplied by the LDAP administrator:
ldapAuthentication.securityPrincipal=CN=User,DC=vaau,DC=corp,DC=net
ldapAuthentication.securityCredential=password
If multiple URLs are used, both parameters must be specified for each URL, separated by a semicolon (;).
The credential is written into ldap.properties as a plain value, so restrict read access to $RBACX_HOME/conf/ldap.properties to the account that runs Oracle Identity Analytics, give the service account only the read and search rights it needs on the user subtree, and use an ldaps:// URL so the bind does not send the password over the network in clear text.
To Configure User Context Search
The ldapAuthentication.userContext field is the search filter used to locate authorized users.
When AD is the directory server, ldapAuthentication.userContext is set to {0}, the placeholder that is replaced with the login name at authentication time. If multiple AD URLs are used, a filter must be specified for each URL, separated by a semicolon (;).
For example:
ldapAuthentication.url=ldap://vaau1123:389/DC=vaau,DC=corp,DC=net;ldap://vaau1398:389/DC=vaau,DC=corp,DC=net
Then set ldapAuthentication.userContext={0};{0}.
To Configure the User Account Search Key
The ldapAuthentication.userAccountSearchKey field specifies the user account search key, the attribute used to retrieve the user name. Its default value is sAMAccountName.
If sAMAccountName is not used (that is, the directory is not AD), set ldapAuthentication.userAccountSearchKey to the naming attribute of the user object, usually cn (sometimes uid).
ldapAuthentication.firstNameSearchKey specifies the first name search key and is set to givenName by default.
ldapAuthentication.lastNameSearchKey specifies the last name search key and is set to sn by default.
Note:
If multiple URLs are used, each of the above parameters must be specified for each URL, separated by a semicolon (;).
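The one-value-per-URL rule, the AD-specific requirements (a prefix ending in // and a userContext of {0}) and the service-account credential settings are easy to get out of step once several URLs are configured. The following script is an added example written for this page; it is not Oracle's code and not part of Oracle Identity Analytics. It reads an ldap.properties file, applies the rules stated above, and additionally flags a securityCredential that would be sent over a plain ldap:// URL. The two embedded sample files are constructed for illustration, the host names follow the page's vaau examples, the service account CN=svc-oia is hypothetical, and treating an unset ldapAuthentication.isAD as Active Directory is an assumption.

```python
"""Consistency check for an Oracle Identity Analytics ldap.properties file.

Added example, not Oracle's code. Rules encoded: ';' delimits multi-valued
fields and each must carry one value per ldapAuthentication.url entry; for AD
the userContextPrefix values end in '//' and userContext is '{0}'; a
securityCredential over plain ldap:// is reported as a clear-text bind.
"""
import re
from urllib.parse import urlsplit

PER_URL_FIELDS = (  # fields the page says need one value per URL
    "ldapAuthentication.rootContext",
    "ldapAuthentication.userContextPrefix",
    "ldapAuthentication.userContext",
    "ldapAuthentication.securityPrincipal",
    "ldapAuthentication.securityCredential",
    "ldapAuthentication.userAccountSearchKey",
    "ldapAuthentication.firstNameSearchKey",
    "ldapAuthentication.lastNameSearchKey",
)

# Constructed sample: two AD domain controllers over ldaps, consistent file.
SAMPLE_AD = """\
# constructed sample, not a real deployment
ldapAuthentication.url=ldaps://vaau1123:636/;ldaps://vaau1398:636/
ldapAuthentication.rootContext=DC=vaau,DC=corp,DC=net;DC=vaau,DC=corp,DC=net
ldapAuthentication.userContextPrefix=Vaau//;Vaau//
ldapAuthentication.userContext={0};{0}
ldapAuthentication.keepContextPrefix=false
ldapAuthentication.isAD=true
ldapAuthentication.securityPrincipal=CN=svc-oia,OU=Service,DC=vaau,DC=corp,DC=net;CN=svc-oia,OU=Service,DC=vaau,DC=corp,DC=net
ldapAuthentication.securityCredential=changeit;changeit
ldapAuthentication.userAccountSearchKey=sAMAccountName;sAMAccountName
"""

# Constructed sample with three mistakes: one rootContext for two URLs,
# a prefix without the trailing '//', and a password over plain ldap://.
SAMPLE_BAD = """\
ldapAuthentication.url=ldap://vaau1123:389/;ldap://vaau1398:389/
ldapAuthentication.rootContext=DC=vaau,DC=corp,DC=net
ldapAuthentication.userContextPrefix=Vaau//;Vaau
ldapAuthentication.securityPrincipal=CN=User,DC=vaau,DC=corp,DC=net;CN=User,DC=vaau,DC=corp,DC=net
ldapAuthentication.securityCredential=password;password
"""


def parse_properties(text):
    """Minimal Java .properties reader. '#'/'!' lines are skipped, so a field
    that is still commented out in the shipped file stays unset."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_multi(value):
    """';' is the delimiter for every multi-valued ldapAuthentication.* field."""
    return [v.strip() for v in value.split(";")]


def check_ldap_properties(props):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    url_value = props.get("ldapAuthentication.url", "")
    urls = split_multi(url_value) if url_value else []
    if not urls:
        return ["ldapAuthentication.url is not set"]
    for u in urls:
        parts = urlsplit(u)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{u}: URL must start with ldap:// or ldaps://")
        elif not parts.hostname:
            findings.append(f"{u}: URL has no hostname")
    for field in PER_URL_FIELDS:  # one value per URL, in URL order
        if field in props:
            n = len(split_multi(props[field]))
            if n != len(urls):
                findings.append(f"{field}: {n} value(s) for {len(urls)} URL(s)")
    # Assumption: the page only tells non-AD sites to set isAD=false, so an
    # unset isAD is treated as Active Directory here.
    is_ad = props.get("ldapAuthentication.isAD", "true").lower() == "true"
    if is_ad:
        for v in split_multi(props.get("ldapAuthentication.userContextPrefix", "")):
            if v and not v.endswith("//"):
                findings.append(f"ldapAuthentication.userContextPrefix: '{v}' must end with '//'")
        for v in split_multi(props.get("ldapAuthentication.userContext", "")):
            if v and v != "{0}":
                findings.append(f"ldapAuthentication.userContext: '{v}' should be '{{0}}' for AD")
    if props.get("ldapAuthentication.securityPrincipal") and not props.get("ldapAuthentication.securityCredential"):
        findings.append("ldapAuthentication.securityPrincipal is set without securityCredential")
    if props.get("ldapAuthentication.securityCredential"):
        for u in urls:
            if urlsplit(u).scheme == "ldap":  # simple bind password in clear text
                findings.append(f"warning: {u}: service-account password is sent in clear text; use ldaps://")
    return findings


def findings_for(text):
    """Parse a properties file body and return its findings."""
    return check_ldap_properties(parse_properties(text))


if __name__ == "__main__":
    for name, sample in (("AD sample", SAMPLE_AD), ("broken sample", SAMPLE_BAD)):
        print(name, findings_for(sample) or "OK")
```

Run it against the real file with `findings_for(open("/path/to/ldap.properties").read())` after editing; the per-URL count check is the one that most often catches a forgotten entry when a second directory server is added later.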