This chapter describes how to prepare the Identity Store in an Oracle Identity Management enterprise deployment.
It contains the following sections:
Preparing the Identity Store involves extending the schema of the directory to support Oracle Access Management Access Manager and Oracle Identity Manager, then seeding the Identity Store with system users that will be used when building the Identity Management topology.
The procedures described in this chapter change the configuration of the LDAP directories that host the Identity Store. Before performing any of these tasks, back up your LDAP directories, as described in Section 17.6.3, "Performing Backups During Installation and Configuration."
Before proceeding, ensure that the following statements are true:
A High Availability LDAP directory, such as Oracle Unified Directory, is available.
Other directories, such as Active Directory, are installed and available (if required).
This section describes how to prepare the Identity Store. It contains the following topics:
Section 9.4.3, "Preparing a Directory for Access Manager and Oracle Identity Manager"
Section 9.4.5, "Add Missing Oracle Internet Directory Object Class"
Section 9.4.6, "Add Missing Oracle Unified Directory Permission"
Section 9.4.7, "Granting Oracle Unified Directory Change Log Access"
Before you can use a directory to support Access Manager, you must extend the directory to include Object classes required by Access Manager in the LDAP directory you are using.
In addition to extending the directory schema, you must create a number of users. These users are used later on in the guide for such things as:
Accessing the directory using a dedicated user.
Accessing Access Manager, the directory, and WebLogic after these products have off loaded authentication to an external directory.
Create a property file, idstore.props, on IDMHOST1 to use when preparing the Identity Store. The file has the following structure:
Oracle Unified Directory Example
# Common
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_ORACLE_INSTANCE/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_NEW_SETUP: true
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER: weblogic_idm
IDSTORE_WLSADMINGROUP: WLSAdmins
Oracle Internet Directory Example
# Common
IDSTORE_HOST: OIDHOST1.mycompany.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_NEW_SETUP: true
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER: weblogic_idm
IDSTORE_WLSADMINGROUP: WLSAdmins
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. Specify the back end directory here, rather than OVD. In the case of OID and OUD, specify, respectively, one of the Oracle Internet Directory or Oracle Unified Directory instances, for example:
OID: OIDHOST1 and 3060
OUD: IDMHOST1 and 1389
IDSTORE_ADMIN_PORT (LDAP_DIR_ADMIN_PORT) is the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.
IDSTORE_KEYSTORE_FILE is the location of the Oracle Unified Directory keystore file. It is used to enable communication with Oracle Unified Directory over the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on; the command uses it to authenticate itself to OUD.
IDSTORE_KEYSTORE_PASSWORD is the password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. Because the value gives access to the OUD administration port, treat both that file and idstore.props as secrets and restrict their permissions to the user running idmConfigTool. If you are not using Oracle Unified Directory, you can leave out this parameter.
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_USERNAMEATTRIBUTE is the name of the directory attribute containing the user's name. Note that this is different from the login name.
IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_NEW_SETUP is always set to true for Oracle Unified Directory. If you are not using OUD, you do not need to specify this attribute.
POLICYSTORE_SHARES_IDSTORE is set to true for IDM 11g.
IDSTORE_OAMADMINUSER is the name of the user you want to create as your Access Manager administrator.
IDSTORE_OAMSOFTWAREUSER is a user that is created in LDAP and that Access Manager uses at run time to connect to the LDAP server.
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group that is used to allow access to the OAM console.
IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This is rare, but one example is the Oracle Identity Manager reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.
IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.
IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity Store.
IDSTORE_WLSADMINUSER is the user name used to log in to the WebLogic domain once it is enabled for SSO.
IDSTORE_WLSADMINGROUP is the name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong.
Use OIM entries only if your topology includes Oracle Identity Manager. Use OAM entries only if your topology includes Access Manager.
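A missing OUD-only key or a container that is not under IDSTORE_SEARCHBASE tends to surface only as a failure part way through schema extension, so it is worth checking the property file mechanically before running idmConfigTool. The script below is an added example, not part of Oracle's tooling. It embeds a constructed idstore.props modelled on the OUD example in this chapter, and its notion of "under the search base" is a suffix comparison on normalized DNs (an assumption; it does not query the directory).

```python
"""Sanity-check an idstore.props file before handing it to idmConfigTool.

Added example; not Oracle code. It reads "KEY: value" lines (either
"KEY:value" or "KEY : value" spacing) and checks what this chapter says
the file must contain: the common keys, the keys each -prepareIDStore
mode (WLS, OAM, OIM) needs, the OUD-only keys, the two flags that must be
true, and that the user, group and systemids containers lie under
IDSTORE_SEARCHBASE. Assumed: "under the search base" is a suffix test on
normalized DNs (lower-cased, no blanks after commas); nothing is queried.
"""
import re
import sys

COMMON_KEYS = {"IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
               "IDSTORE_SEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
               "IDSTORE_USERSEARCHBASE", "IDSTORE_USERNAMEATTRIBUTE",
               "IDSTORE_LOGINATTRIBUTE", "POLICYSTORE_SHARES_IDSTORE"}
MODE_KEYS = {  # per -prepareIDStore mode; WLS is always run first
    "WLS": {"IDSTORE_WLSADMINUSER", "IDSTORE_WLSADMINGROUP"},
    "OAM": {"IDSTORE_OAMADMINUSER", "IDSTORE_OAMSOFTWAREUSER",
            "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "IDSTORE_SYSTEMIDBASE"},
    "OIM": {"IDSTORE_OIMADMINGROUP", "IDSTORE_OIMADMINUSER",
            "IDSTORE_SYSTEMIDBASE"}}
OUD_KEYS = {"IDSTORE_ADMIN_PORT", "IDSTORE_KEYSTORE_FILE",
            "IDSTORE_KEYSTORE_PASSWORD", "IDSTORE_NEW_SETUP"}
_PROP = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")

# Constructed sample modelled on the OUD example in this chapter (mixed
# spacing included) so that the script runs offline.
SAMPLE_OUD_PROPS = """\
# Common
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_ORACLE_INSTANCE/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com
IDSTORE_NEW_SETUP: true
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_OAMSOFTWAREUSER:oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_WLSADMINUSER : weblogic_idm
IDSTORE_WLSADMINGROUP : WLSAdmins
"""


def parse_props(text):
    """Return {KEY: value}; '#' comment lines and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PROP.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        props[m.group(1)] = m.group(2)
    return props


def dn_is_under(child, base):
    """Suffix test on normalized DNs: lower-cased, no blanks after commas."""
    c, b = (",".join(p.strip() for p in d.lower().split(",")) for d in (child, base))
    return c == b or c.endswith("," + b)


def validate(props, modes=("WLS",), directory="OUD"):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    required = set(COMMON_KEYS).union(*(MODE_KEYS[m] for m in modes))
    if directory == "OUD":
        required |= OUD_KEYS
    problems += ["missing %s" % k for k in sorted(required - set(props))]
    if directory == "OUD" and props.get("IDSTORE_NEW_SETUP", "").lower() != "true":
        problems.append("IDSTORE_NEW_SETUP must be true for OUD")
    if props.get("POLICYSTORE_SHARES_IDSTORE", "").lower() != "true":
        problems.append("POLICYSTORE_SHARES_IDSTORE must be true for IDM 11g")
    base = props.get("IDSTORE_SEARCHBASE", "")
    for key in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
                "IDSTORE_SYSTEMIDBASE"):
        if base and key in props and not dn_is_under(props[key], base):
            problems.append("%s is not under IDSTORE_SEARCHBASE" % key)
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUD_PROPS
    issues = validate(parse_props(text), modes=("WLS", "OAM", "OIM"))
    print("\n".join(issues) or "idstore.props looks complete")
    sys.exit(1 if issues else 0)
```

Pass the path to your own idstore.props as the first argument; with no argument the embedded sample is checked. Run it with the modes you actually intend to seed (WLS only, or WLS plus OAM and OIM) and with directory="OID" for an Oracle Internet Directory store, where the OUD-only keys are not required.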
This section explains how to deploy Identity Management components to support Oracle Unified Directory, Oracle Internet Directory, or Active Directory as the identity store.
It contains the following topics:
Pre-configuring the Identity Store extends the schema in Oracle Unified Directory or Oracle Internet Directory.
Note:
You do not need to preconfigure the Identity Store unless you are using Access Manager or Oracle Identity Manager.
To do this, perform the following tasks on IDMHOST1:
Set MW_HOME to IAM_MW_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Set JAVA_HOME to JAVA_HOME.
Configure the Identity Store by using the command idmConfigTool, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -preConfigIDStore input_file=configfile
For example:
idmConfigTool.sh -preConfigIDStore input_file=idstore.props
When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. This command might take some time to complete.
Sample command output:
Enter ID Store Bind DN password :
Dec 4, 2012 11:39:19 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_schema_extn.ldif
Dec 4, 2012 11:39:20 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif
Dec 4, 2012 11:39:20 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_schema_add.ldif
Dec 4, 2012 11:39:20 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/add_oraclecontext_container.ldif
Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_indexes_extn.ldif
Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/idm_idstore_groups_template.ldif
Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/idm_idstore_groups_acl_template.ldif
Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/systemid_pwdpolicy.ldif
Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/fa_pwdpolicy.ldif
The tool has completed its operation. Details have been logged to automation.log
Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.
Note:
In addition to creating users, idmConfigTool
creates the following groups:
orclFAUserReadPrivilegeGroup
orclFAUserWritePrivilegeGroup
orclFAUserWritePrefsPrivilegeGroup
orclFAGroupReadPrivilegeGroup
orclFAGroupWritePrivilegeGroup
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
This section describes how to configure Active Directory. Extend the schema in Active Directory as follows.
Note:
The order in which you perform the steps is critical!
Locate the following files:
IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/ADUserSchema.ldif
IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/AD_oam_pwd_schema_add.ldif
In both of these files, replace domain-dn with the appropriate domain-dn value.
Use ldapadd from the command line to load the two LDIF files, as follows:
ldapadd -h activedirectoryhostname -p activedirectoryportnumber -D AD_administrator -q -c -f file
where AD_administrator is a user that has schema extension privileges in the directory. In Active Directory this means membership of Schema Admins, so use a dedicated account for this step and, where your environment allows it, an SSL-protected port rather than 389 so that the credentials are not sent in the clear.
For example:
ldapadd -h "ACTIVEDIRECTORYHOST.mycompany.com" -p 389 -D adminuser -q -c -f ADUserSchema.ldif
ldapadd -h "ACTIVEDIRECTORYHOST.mycompany.com" -p 389 -D adminuser -q -c -f AD_oam_pwd_schema_add.ldif
Note:
After the -D you can specify either a DN or user@domain.com.
Then go to:
IAM_MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
Run the following command to extend the Active Directory schema:
sh extendadschema.sh -h AD_host -p AD_port -D 'administrator@mydomain.com' -AD "dc=mydomain,dc=com" -OAM true
On Windows, the command is extendadschema.bat.
You must seed the Identity Store with users and groups that are required by the Identity Management components.
To seed the Identity Store, perform the following tasks on IDMHOST1:
Set MW_HOME to IAM_MW_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Set JAVA_HOME to JAVA_HOME.
Configure the Identity Store by using the command idmConfigTool, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -prepareIDStore mode=MODE input_file=configfile
The value selected for MODE determines the type of users to be created. Possible values for MODE are OAM, OIM, and WLS.
Run the command once for each of the components that is in your topology.
In all topologies, when you enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Administration Console and Oracle Enterprise Manager Fusion Middleware Control. Type:
idmConfigTool.sh -prepareIDStore mode=WLS input_file=idstore.props
Run this command first.
If your topology includes Access Manager, you must seed the Identity Store with users that are required by Access Manager. Type:
idmConfigTool.sh -prepareIDStore mode=OAM input_file=idstore.props
If your topology includes Oracle Identity Manager, you must seed the Identity Store with the xelsysadm user and assign it to an Oracle Identity Manager administrative group. You must also create a user outside of the standard cn=Users location to be able to perform reconciliation. This user is also the user that should be used as the bind DN when connecting to directories with Oracle Virtual Directory. Type:
idmConfigTool.sh -prepareIDStore mode=OIM input_file=idstore.props
Note:
This command also creates a container in your Identity Store for reservations.
The password assigned to the xelsysadm user must conform to the following rules:
Six characters or more
One or more numeric character
Two or more alphabetic characters
Start with alphabetic character
One or more lowercase character
When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.
After running each command, check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
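Both the -preConfigIDStore run and each -prepareIDStore run end with the same instruction: read automation.log for errors or warnings before going on. The script below is an added example, not part of idmConfigTool. It parses the two-line java.util.logging record format that the sample output above uses and reports every WARNING and SEVERE record together with the LDIF file that was being loaded at the time, which is the first thing you need when a schema extension fails part way through. The INFO lines in the embedded sample follow the page's output; the WARNING and SEVERE records and the stack-trace line are constructed for the demonstration.

```python
"""Scan idmConfigTool's automation.log for WARNING and SEVERE records.

Added example; not Oracle code. The tool logs through java.util.logging,
whose default format is a two-line record: "<date> <time> <logger>
<method>" followed by "<LEVEL>: <message>". Each problem record is
returned with its timestamp and with the LDIF file that was being loaded
at the time. Assumed: only SEVERE and WARNING are worth stopping for, and
indented lines or "Caused by:" lines after a record are stack-trace
continuation belonging to that record.
"""
import re
import sys

_HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
_RECORD = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): ?(.*)$")
_LOADING = re.compile(r"-> LOADING: (\S+)")

# Constructed sample: INFO lines shaped like the page's output; the
# WARNING, SEVERE and stack-frame lines are invented for the test.
SAMPLE_LOG = """\
Dec 4, 2012 11:39:19 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_schema_extn.ldif
Dec 4, 2012 11:39:20 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif
Dec 4, 2012 11:39:20 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
WARNING: entry already exists, skipping: cn=systemids,dc=mycompany,dc=com
Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_indexes_extn.ldif
Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
SEVERE: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]
\tat oracle.ldap.util.LDIFLoader.loadOneLdifFile(Unknown Source)
The tool has completed its operation. Details have been logged to automation.log
"""


def parse_records(text):
    """Return a list of JUL records as dicts, tracking the LDIF being loaded."""
    records, header, ldif = [], None, None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            header = m.groups()          # remembered for the LEVEL line that follows
            continue
        m = _RECORD.match(line)
        if m:
            level, message = m.groups()
            hit = _LOADING.search(message)
            if hit:
                ldif = hit.group(1)      # context for every later record
            time, logger, method = header or (None, None, None)
            records.append({"level": level, "time": time, "logger": logger,
                            "method": method, "message": message,
                            "ldif": ldif, "detail": []})
            header = None
        elif records and (line[:1].isspace() or line.startswith("Caused by:")):
            records[-1]["detail"].append(line.strip())   # stack-trace continuation
    return records


def find_problems(text, levels=("SEVERE", "WARNING")):
    """The records you must act on before moving to the next step."""
    return [r for r in parse_records(text) if r["level"] in levels]


if __name__ == "__main__":
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    problems = find_problems(log)
    for p in problems:
        print("%s %s while loading %s: %s" % (p["time"], p["level"], p["ldif"], p["message"]))
    sys.exit(1 if problems else 0)
```

Run it from IAM_ORACLE_HOME/idmtools/bin with automation.log as the argument (the script's own file name is arbitrary); the non-zero exit status when anything is found lets a deployment script stop before the next -prepareIDStore mode is seeded on top of a partial result.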
Bug 14341069 is caused by a missing object class in Oracle Internet Directory. The workaround is to add this object class manually.
Create a file called update_oid.ldif with the following contents:
dn: cn=subschemasubentry
changetype: modify
delete: objectclasses
objectclasses: ( 2.16.840.1.113894.200.2.1 NAME 'orclIDXPerson' SUP inetorgperson AUXILIARY MAY ( middleName $ orclActiveStartDate $ orclActiveEndDate $ orclIsEnabled $ orclTimeZone $ c $ orclGenerationQualifier $ orclHireDate $ orclAccessibilityMode $ orclColorContrast $ orclFontSize $ orclnumberFormat $ orclcurrency $ orcldateFormat $ orcltimeFormat $ orclembeddedHelp $ orclFALanguage $ orclFATerritory $ orclDisplayNameLanguagePreference $ orclImpersonationGranter $ orclImpersonationGrantee $ orclMTTenantGUID $ orclMTTenantUName $ orclMTUid $ orclFAUserID $ orclFAPersonID $ orclFAPartyID ))

dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.200.1.7 NAME 'orclPwdExpirationDate' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE USAGE userApplications )

dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 2.16.840.1.113894.200.2.1 NAME 'orclIDXPerson' SUP inetorgperson AUXILIARY MAY ( middleName $ orclActiveStartDate $ orclActiveEndDate $ orclIsEnabled $ orclTimeZone $ c $ orclGenerationQualifier $ orclHireDate $ orclAccessibilityMode $ orclColorContrast $ orclFontSize $ orclnumberFormat $ orclcurrency $ orcldateFormat $ orcltimeFormat $ orclembeddedHelp $ orclFALanguage $ orclFATerritory $ orclDisplayNameLanguagePreference $ orclImpersonationGranter $ orclImpersonationGrantee $ orclMTTenantGUID $ orclMTTenantUName $ orclMTUid $ orclFAUserID $ orclFAPersonID $ orclFAPartyID $ orclPwdExpirationDate ) )
The three changes must stay in this order: the existing orclIDXPerson definition is deleted, the orclPwdExpirationDate attribute type is added, and orclIDXPerson is re-added with orclPwdExpirationDate at the end of its MAY list. Every attribute in a MAY list must be separated by $; a missing separator makes the whole objectclasses value invalid.
Update Oracle Internet Directory using the command:
ldapmodify -D cn=orcladmin -h OIDHOST1.mycompany.com -p 3060 -f update_oid.ldif
This section describes a workaround for a missing permission in Oracle Unified Directory.
Create a file called add_password_reset.ldif with the following contents:
dn: cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: cn=Reserve,dc=mycompany,dc=com
changetype: modify
delete: aci
aci: (version 3.0; acl "oim reserve group container acl"; allow (read,add,delete) groupdn="ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com"; deny (all) userdn="ldap:///anyone";)

dn: cn=Reserve,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=Reserve,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdministrators Group add, read and write access to all attributes"; allow (add, read, search, compare,write, delete, import,export) (groupdn = "ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com");)
The first change grants the oimLDAP user the password-reset privilege; the second and third replace the ACI on the Reserve container. The value in the delete must match the existing ACI exactly, so copy it verbatim from the container rather than retyping it.
Update Oracle Unified Directory using the command:
ldapmodify -D cn=oudadmin -h IDMHOST1.mycompany.com -p 1389 -f add_password_reset.ldif
If you are using Oracle Unified Directory and Oracle Identity Manager, you must now grant access to the changelog. Global ACIs are part of each instance's configuration, which is not replicated, so perform the following steps on all OUD hosts, that is, on IDMHOST1 and IDMHOST2:
On the host where OUD is running (for example, IDMHOST1), create a file called mypasswordfile that contains the password you use to connect to OUD. The file holds the cn=oudadmin password in clear text, so make it readable only by its owner (for example, chmod 600 mypasswordfile) and delete it when you have finished. The --trustAll option in the commands below accepts whatever certificate the administration port presents; that is acceptable during installation, but if the administration port is reachable from other hosts, use --trustStorePath with the instance's admin truststore instead.
Remove the existing change log permission by issuing the following command:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
--hostname OUD_HOST \
--port OUD_ADMIN_PORT \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile passwordfile \
--no-prompt
For example:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
--hostname IDMHOST1.mycompany.com \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile mypasswordfile \
--no-prompt
Then add the following new ACI:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname OUD_HOST \
--port OUD_ADMIN_PORT \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile passwordfile \
--no-prompt
For example:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname IDMHOST1.mycompany.com \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile mypasswordfile \
--no-prompt
Then add the following new ACI:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname OUD_HOST \
--port OUD_ADMIN_PORT \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile passwordfile \
--no-prompt
The groupdn must name the group created from IDSTORE_OIMADMINGROUP (OIMAdministrators in this guide); an ACI that names a group that does not exist grants nothing. Keep the \" escaping around the control OID exactly as shown so that the shell passes the quotes through to dsconfig.
For example:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")(version 3.0; acl \"OIMAdminist
rators control access\"; allow(read) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname IDMHOST1.mycompany.com \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile mypasswordfile \
--no-prompt
Then add the following ACI:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname OUD_HOST \
--port OUD_ADMIN_PORT \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile passwordfile \
--no-prompt
For example:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname IDMHOST1.mycompany.com \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile mypasswordfile \
--no-prompt
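The order of the dsconfig commands above is not cosmetic. OUD evaluates access control with deny precedence: if any applicable ACI denies a right, no allow ACI can grant it. Leaving the shipped deny (all) userdn="ldap:///anyone" ACI in place and merely adding the allow for OIMAdministrators would still lock the group out of cn=changelog, and because both ACIs carry the name External changelog access, the --remove must match the full ACI string rather than the name. What follows is an added example, not Oracle code and not OUD's access-control engine: it parses the subset of ACI syntax used in this section and evaluates the effective rights of an OIMAdministrators member and of an anonymous client before and after the deny is removed. Group membership is supplied by the caller rather than resolved in the directory, and "all" is taken to mean every right except proxy (both assumptions).

```python
"""Model the cn=changelog ACIs above with OUD's deny-over-allow rule.

Added example: not Oracle code and not OUD's access-control engine. It
parses only the ACI syntax used in this section and assumes: bind rules
are userdn="ldap:///anyone" or groupdn="ldap:///<dn>"; "all" means every
right except proxy; DN comparison is case-insensitive; group membership
is passed in by the caller instead of being looked up in the directory.
"""
import re

ALL_RIGHTS = {"read", "search", "compare", "write", "add", "delete",
              "selfwrite", "import", "export"}

# The ACIs from the dsconfig commands above, without the shell escaping.
DENY_ANYONE = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; '
               'acl "External changelog access"; deny (all) userdn="ldap:///anyone";)')
ALLOW_OIM = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; '
             'acl "External changelog access"; allow (read,search,compare,add,'
             'write,delete,export) groupdn="ldap:///cn=OIMAdministrators,'
             'cn=groups,dc=mycompany,dc=com";)')
ALLOW_CONTROL = ('(targetcontrol="1.3.6.1.4.1.26027.1.5.4")(version 3.0; '
                 'acl "OIMAdministrators control access"; allow(read) groupdn='
                 '"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com";)')
ALLOW_COOKIE = ('(target="ldap:///")(targetscope="base")(targetattr='
                '"lastExternalChangelogCookie")(version 3.0; acl "User-Visible '
                'lastExternalChangelog"; allow (read,search,compare) groupdn='
                '"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com";)')
OIM_ADMINS = "cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com"

_ACI = re.compile(r'^(?P<targets>(?:\(\s*target\w*\s*=\s*"[^"]*"\s*\)\s*)*)'
                  r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;'
                  r'(?P<rules>.*)\)\s*$', re.S)
_TARGET = re.compile(r'\(\s*(target\w*)\s*=\s*"([^"]*)"\s*\)')
_RULE = re.compile(r'(allow|deny)\s*\(\s*([^)]*)\)\s*(userdn|groupdn)'
                   r'\s*=\s*"ldap:///([^"]*)"\s*;')


def norm_dn(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_aci(text):
    """-> {'name', 'targets': {keyword: value}, 'rules': [(effect, rights, kind, who)]}"""
    m = _ACI.match(text.strip())
    if not m:
        raise ValueError("ACI syntax not handled by this example: " + text)
    rules = []
    for effect, rights, kind, who in _RULE.findall(m.group("rules")):
        rights = {r.strip().lower() for r in rights.split(",")}
        rules.append((effect, set(ALL_RIGHTS) if "all" in rights else rights,
                      kind, norm_dn(who)))
    return {"name": m.group("name"), "rules": rules,
            "targets": dict(_TARGET.findall(m.group("targets")))}


def aci_applies(aci, entry_dn, attr=None, control=None):
    """Does the ACI cover this entry/attribute, or this request control?"""
    t = aci["targets"]
    if "targetcontrol" in t:          # a control ACI covers only that control
        return control == t["targetcontrol"]
    if control is not None:
        return False
    entry = norm_dn(entry_dn)
    if "target" in t:
        base = norm_dn(t["target"][len("ldap:///"):])
        if t.get("targetscope") == "base":
            if entry != base:
                return False
        elif base and entry != base and not entry.endswith("," + base):
            return False
    if attr is not None:
        wanted = t.get("targetattr", "*")
        if wanted != "*" and attr.lower() not in {a.strip().lower()
                                                   for a in wanted.split("||")}:
            return False
    return True


def effective_rights(acis, entry_dn, member_of, attr=None, control=None):
    """Rights left after every matching ACI is applied; a deny always wins."""
    groups = {norm_dn(g) for g in member_of}
    allowed, denied = set(), set()
    for aci in acis:
        if not aci_applies(aci, entry_dn, attr, control):
            continue
        for effect, rights, kind, who in aci["rules"]:
            if (kind == "userdn" and who == "anyone") or \
               (kind == "groupdn" and who in groups):
                (allowed if effect == "allow" else denied).update(rights)
    return allowed - denied


if __name__ == "__main__":
    only_added = [parse_aci(DENY_ANYONE), parse_aci(ALLOW_OIM)]
    fixed = [parse_aci(a) for a in (ALLOW_OIM, ALLOW_CONTROL, ALLOW_COOKIE)]
    print("deny left in place:", sorted(effective_rights(only_added, "cn=changelog", [OIM_ADMINS])))
    print("deny removed:      ", sorted(effective_rights(fixed, "cn=changelog", [OIM_ADMINS])))
    print("anonymous client:  ", sorted(effective_rights(fixed, "cn=changelog", [])))
```

The first line of output is empty: with the deny still present, OIMAdministrators has no rights on cn=changelog despite the allow. After the removal the group has the seven rights granted, the control ACI covers only requests that carry the public changelog control, the cookie ACI covers only lastExternalChangelogCookie on the root DSE, and a client outside the group still gets nothing.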
When you run the idmConfigTool
to prepare an Oracle Unified Directory identity store, it creates indexes for the data on the instance against which it is run. You must manually create these indexes on each of the remaining Oracle Unified Directory instances in the configuration.
To do this, on IDMHOST2, issue the following commands:
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h IDMHOST2.mycompany.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypasswordfile -c -f IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h IDMHOST2.mycompany.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypasswordfile -c -f IAM_ORACLE_HOME/idmtools/templates/oud/oud_indexes_extn.ldif
Once the indexes have been created on every IDMHOST, rebuild the indexes as follows:
Shut down Oracle Unified Directory by issuing the command:
OUD_ORACLE_INSTANCE/OUD/bin/stop-ds
Execute the command:
OUD_ORACLE_INSTANCE/OUD/bin/rebuild-index --rebuildAll -b "dc=mycompany,dc=com"
Restart Oracle Unified Directory by issuing the command:
OUD_ORACLE_INSTANCE/OUD/bin/start-ds
Repeat Steps 1-3 to rebuild the indexes on every IDMHOST, including the host that idmConfigTool was run against. To maintain availability, stop only the directory whose indexes you are rebuilding, and move on to the next host only after the previous one has been restarted.
In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is hosted in a directory other than Oracle Internet Directory or Oracle Unified Directory, such as Microsoft Active Directory, you must set up the access control lists (ACLs) to provide appropriate privileges to the entities you created. This section lists the artifacts created and the privileges required for the artifacts.
Systemids. The System ID container is created for storing all the system identifiers. If the system users are to be created in a different container, that container is specified as part of the administrative configuration (IDSTORE_SYSTEMIDBASE).
Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Management Console. No LDAP schema level privileges are required, since this is just an application user.
Access Manager Software User. This user is added to the groups that give it read privileges on the container. It is also given schema administration privileges.
Oracle Identity Manager user oimLDAP under the System ID container. Password policies are set accordingly on the container. The passwords for the users in the System ID container must be set up so that they do not expire.
Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.
WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.
WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.
Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.
If you access your LDAP directory through Oracle Virtual Directory, you must link Oracle Virtual Directory to the back end LDAP directory by creating adapters. This section describes how.
The procedure is slightly different, depending on the directory you are connecting to. The following sections show how to create and validate adapters for supported directories:
Section 9.5.1, "Ensuring the Change Log Generation is Enabled in Oracle Internet Directory"
Section 9.5.3, "Validating the Oracle Virtual Directory Adapters"
Before you create a change log adapter in Oracle Virtual Directory, you must ensure that the back end Oracle Internet Directory servers have changelog generation enabled.
To test whether a directory server has changelog generation enabled, type:
ldapsearch -h directory_host -p ldap_port -D bind_dn -q -b '' -s base 'objectclass=*' lastchangenumber
For example:
ldapsearch -h OIDHOST1 -p 3060 -D "cn=orcladmin" -q -b '' -s base 'objectclass=*' lastchangenumber
If the command output includes lastchangenumber with a value, changelog generation is enabled. If changelog generation is not enabled, enable it as described in the "Enabling and Disabling Changelog Generation by Using the Command Line" section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
You can use idmConfigTool to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires these adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.
To do this, perform the following tasks on IDMHOST1:
Set MW_HOME to IAM_MW_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Set JAVA_HOME to JAVA_HOME.
Create a properties file for the adapter you are configuring called ovd1.props. The contents of this file depend on whether you are configuring the Oracle Internet Directory adapter or the Active Directory adapter. The file holds the Oracle Virtual Directory and back end bind passwords in clear text, so restrict its permissions to the user running idmConfigTool and delete it once the adapters have been created.
Oracle Internet Directory adapter properties file:
ovd.host:OVDHOST1.mycompany.com
ovd.port:8899
ovd.binddn:cn=orcladmin
ovd.password:ovdpassword
ovd.oamenabled:true
ovd.ssl:true
ldap1.type:OID
ldap1.host:OIDIDSTORE.mycompany.com
ldap1.port:3060
ldap1.binddn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
ldap1.password:oidpassword
ldap1.ssl:false
ldap1.base:dc=mycompany,dc=com
ldap1.ovd.base:dc=mycompany,dc=com
usecase.type:single
Active Directory adapter properties file:
ovd.host:OVDHOST1.mycompany.com
ovd.port:8899
ovd.binddn:cn=orcladmin
ovd.password:ovdpassword
ovd.oamenabled:true
ovd.ssl:true
ldap1.type:AD
ldap1.host:ADIDSTORE.mycompany.com
ldap1.port:636
ldap1.binddn:cn=adminuser
ldap1.password:adpassword
ldap1.ssl:true
ldap1.base:dc=mycompany,dc=com
ldap1.ovd.base:dc=mycompany,dc=com
usecase.type:single
The following list describes the parameters used in the properties file.
ovd.host is the host name of a server running Oracle Virtual Directory.
ovd.port is the https port used to access Oracle Virtual Directory.
ovd.binddn is the user DN you use to connect to Oracle Virtual Directory.
ovd.password is the password for the DN you use to connect to Oracle Virtual Directory.
ovd.oamenabled is always true in Fusion Applications deployments.
ovd.ssl is set to true, as you are using an https port.
ldap1.type is set to OID for an Oracle Internet Directory back end directory or to AD for an Active Directory back end directory.
ldap1.host is the host on which the back end directory is located. Use the load balancer name.
ldap1.port is the port used to communicate with the back end directory.
ldap1.binddn is the bind DN of the oimLDAP user.
ldap1.password is the password of the oimLDAP user.
ldap1.ssl is set to true if you are using the back end's SSL connection, and otherwise set to false. This should always be set to true when an adapter is being created for AD.
ldap1.base is the base location in the directory tree.
ldap1.ovd.base is the mapped location in Oracle Virtual Directory.
usecase.type is set to single when using a single directory type.
Configure the adapter by using the idmConfigTool command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
For example:
idmConfigTool.sh -configOVD input_file=ovd1.props
The command requires no input. The output looks like this:
The tool has completed its operation. Details have been logged to logfile
Run this command for each Oracle Virtual Directory instance in your topology, with the appropriate value for ovd.host
in the property file.
Perform the following tasks by using ODSM:
Access ODSM at:
http://HOSTNAME.mycompany.com:port/odsm
Connect to Oracle Virtual Directory.
Go the Data Browser tab.
Expand Client View so that you can see each of your user adapter root DN's listed.
Expand the user adapter root DN, if there are objects already in the back end LDAP server, you should see those objects here.
ODSM doesn't support changelog query, so you cannot expand the cn=changelog subtree.
Perform the following tasks by using the command-line:
Validate the user adapters by typing:
ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q -b <user_search_base> -s sub "objectclass=inetorgperson" dn
For example:
ldapsearch -h OVDHOST1.mycompany.com -p 6501 -D "cn=orcladmin" -q -b "cn=Users,dc=mycompany,dc=com" -s sub "objectclass=inetorgperson" dn
Supply the password when prompted.
You should see the user entries that already exist in the back end LDAP server.
Validate changelog adapters by typing:
ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q -b "cn=changelog" -s one "changenumber>=0"
For example:
ldapsearch -h OVDHOST1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s one "changenumber>=0"
The command returns logs of data, such as creation of all the users. It returns without error if the changelog adapters are valid.
Validate lastchangenumber query by typing:
ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q -b "cn=changelog" -s base 'objectclass=*' lastchangenumber
For example:
ldapsearch -h OVDHOST1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s base 'objectclass=*' lastchangenumber
The command returns the latest change number generated in the back end LDAP server.
Back up your LDAP directories, as described in Section 17.6.3, "Performing Backups During Installation and Configuration."