A Verifying Adapters for Multiple Directory Identity Stores by Using ODSM

After you have configured your Oracle Virtual Directory adapters as described in Chapter 12, "Configuring an Identity Store with Multiple Directories," you can use ODSM to view the adapters for troubleshooting purposes. This appendix explains how.

A.1 Verifying Oracle Virtual Directory Adapters for Split Profile by Using ODSM

This section describes how to validate the adapters created in Chapter 12, "Configuring Oracle Virtual Directory Adapters for Split Profile."

A.1.1 Verifying User Adapter for Active Directory Server

Verify the following adapter and plug-ins for Active Directory:

Follow these steps to verify the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM). The URL is of the form: http://admin.mycompany.com/odsm.

  2. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  3. On the Home page, click the Adapter tab.

  4. Click user_AD1 adapter.

  5. Verify that the User Adapter routing is configured correctly:

    1. Visibility must be set to internal.

    2. Bind Support must be set to enable.

  6. Verify the User Adapter User Management Plug-in as follows:

    1. Select the User Adapter.

    2. Click the Plug-ins tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. Verify that the plug-in parameters are as follows:

      | Parameter | Value | Default |
      |---|---|---|
      | directoryType | activedirectory | Yes |
      | exclusionMapping | orclappiduser,uid=samaccountname | |
      | mapAttribute | orclguid=objectGuid | |
      | mapAttribute | uniquemember=member | |
      | addAttribute | user,samaccountname=%uid%,%orclshortuid% | |
      | mapAttribute | mail=userPrincipalName | |
      | mapAttribute | ntgrouptype=grouptype | |
      | mapObjectclass | groupofUniqueNames=group | |
      | mapObjectclass | orclidxperson=user | |
      | pwdMaxFailure | 10 | Yes |
      | oamEnabled | True (see Footnote 1) | |
      | mapObjectClass | inetorgperson=user | Yes |
      | mapPassword | True | Yes |
      | oimLanguages | Comma separated list of language codes, such as en,fr,ja | |

      Footnote 1: Set oamEnabled to true only if you are using Oracle Access Management Access Manager.

A.1.2 Verifying ShadowJoiner User Adapter

Follow these steps to verify the ShadowJoiner Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to Oracle Virtual Directory.

  3. On the Home page, click the Adapter tab.

  4. Click the Shadow4AD1 Adapter.

  5. Ensure that User Adapter routing is configured correctly:

    1. Visibility must be set to internal.

    2. Bind Support must be set to enable.

  6. Verify the User Adapter as follows:

    1. Select the User Adapter.

    2. Click the Plug-ins tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. Verify that the parameters are as follows:

      | Parameter | Value | Default |
      |---|---|---|
      | directoryType | oid | Yes |
      | pwdMaxFailure | 10 | Yes |
      | oamEnabled | true | |
      | mapObjectclass | container=orclContainer | Yes |
      | oimDateFormat | yyyyMMddHHmmss'z' | |

A.1.3 Verifying JoinView Adapter

Follow these steps to verify the JoinView Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to the Oracle Directory Services Manager (ODSM) page.

  2. Connect to Oracle Virtual Directory.

  3. On the Home page, click the Adapter tab.

  4. Click the JoinView adapter.

  5. Verify the adapter as follows:

    1. Click Joined Adapter in the adapter tree. It should exist.

    2. Click OK.

A.1.4 Verifying User/Role Adapter for Oracle Internet Directory

Follow these steps to verify the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to Oracle Virtual Directory.

  3. On the Home page, click the Adapter tab.

  4. Click User Adapter.

  5. Verify the plug-in as follows:

    1. Select the User Adapter.

    2. Click the Plug-ins tab.

    3. Click the User Management Plug-in in the plug-ins table, then click Edit. The plug-in editing window appears.

    4. Verify that the parameters are as follows:

      | Parameter | Value | Default |
      |---|---|---|
      | directoryType | oid | Yes |
      | pwdMaxFailure | 10 | Yes |
      | oamEnabled | true | |
      | mapObjectclass | container=orclContainer | Yes |
      | oimDateFormat | yyyyMMddHHmmss'z' | |

    5. Click OK.

A.1.5 Verifying Changelog Adapter for Active Directory Server

Follow these steps to verify the Changelog Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to Oracle Virtual Directory.

  3. On the Home page, click the Adapter tab.

  4. Click the changelog_AD1 adapter.

  5. Verify the plug-in as follows.

    1. Select the Changelog Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. Verify that the parameter values are as follows:

      | Parameter | Value |
      |---|---|
      | directoryType | activedirectory |
      | mapAttribute | targetGUID=objectGUID |
      | requiredAttribute | samaccountname |
      | sizeLimit | 1000 |
      | targetDNFilter | cn=users,dc=idm,dc=ad,dc=com (The users container in Active Directory) |
      | mapUserState | true |
      | oamEnabled | true |
      | virtualDITAdapterName | user_J1;user_AD1 |


A.1.6 Verifying Changelog Adapter for Oracle Internet Directory

To use the changelog adapter, you must first enable changelog on the connected directory. To test whether the directory is changelog enabled, type:

ldapsearch -h directory_host -p ldap_port -D bind_dn -q -b '' -s base 'objectclass=*' lastchangenumber

For example:

ldapsearch -h ldaphost1 -p 389 -D "cn=orcladmin" -q -b '' -s base 'objectclass=*' lastchangenumber

If you see lastchangenumber with a value, it is enabled. If it is not enabled, enable it as described in the Enabling and Disabling Changelog Generation by Using the Command Line section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Follow these steps to verify the Changelog Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to an Oracle Virtual Directory instance.

  3. On the Home page, click the Adapter tab.

  4. Click the Changelog Adapter.

  5. Verify the plug-in as follows:

    1. Select the Changelog Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. Verify that the parameter values are as follows:

      | Parameter | Value |
      |---|---|
      | directoryType | oid |
      | mapAttribute | targetGUID=orclguid |
      | requiredAttribute | orclGUID |
      | modifierDNFilter | cn=orcladmin |
      | sizeLimit | 1000 |
      | targetDNFilter | dc=mycompany,dc=com |
      | targetDNFilter | cn=shadowentries |
      | mapUserState | true |
      | oamEnabled | true |
      | virtualDITAdapterName | user_J1;shadow4AD1 |
      | virtualDITAdapterName | User Adapter (the name of the User adapter) |


A.1.7 Configuring a Global Consolidated Changelog Plug-in

Verify the global-level consolidated changelog plug-in as follows:

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to an Oracle Virtual Directory instance.

  3. On the Home page, click the Advanced tab. The Advanced navigation tree appears.

  4. Expand Global Plugins.

  5. Click the ConsolidatedChglogPlugin. The plug-in editing window appears.

A.1.8 Validate Oracle Virtual Directory Changelog

Run the following command to validate that the changelog adapter is working:

$IDM_ORACLE_HOME/bin/ldapsearch -p 6501 -D cn=orcladmin -q -b 'cn=changelog' -s base 'objectclass=*' lastchangenumber

The command should return a changelog result, such as:

Please enter bind password:
cn=Changelog
lastChangeNumber=changelog_OID:190048;changelog_AD1:363878

If ldapsearch does not return a changelog result, double check the changelog adapter configuration.
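
The check above can be scripted. The following is an added example, not part of the original Oracle documentation: it parses the consolidated lastChangeNumber value and reports any changelog adapter that is missing from it or has a non-numeric change number. The helper name check_changelog is hypothetical, and the sample input is the example result shown above.

```shell
#!/bin/sh
# Added example: check the consolidated lastChangeNumber returned by OVD.
# check_changelog is a hypothetical helper name, not an Oracle tool.
# Usage: check_changelog "<ldapsearch output>" adapter [adapter ...]
# Returns 0 only if every named changelog adapter reports a numeric value,
# 1 if an adapter is missing or malformed, 2 if the attribute is absent.
check_changelog() {
    output=$1
    shift
    # Accept both "name=value" (as shown on this page) and LDIF "name: value".
    value=$(printf '%s\n' "$output" |
        sed -n 's/^[Ll]ast[Cc]hange[Nn]umber[=:] *//p' | head -n 1)
    if [ -z "$value" ]; then
        echo "FAIL: no lastChangeNumber attribute returned"
        return 2
    fi
    rc=0
    for adapter in "$@"; do
        # The value is a ';'-separated list of adapter:number pairs.
        num=$(printf '%s\n' "$value" | tr ';' '\n' |
            awk -F: -v a="$adapter" '$1 == a { print $2; exit }')
        case $num in
            '')       echo "FAIL: $adapter missing from lastChangeNumber"; rc=1 ;;
            *[!0-9]*) echo "FAIL: $adapter has non-numeric value '$num'"; rc=1 ;;
            *)        echo "OK: $adapter at change number $num" ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the example result shown above.
SAMPLE='Please enter bind password:
cn=Changelog
lastChangeNumber=changelog_OID:190048;changelog_AD1:363878'

check_changelog "$SAMPLE" changelog_OID changelog_AD1

# Against a live instance (command from this section):
# check_changelog "$("$IDM_ORACLE_HOME"/bin/ldapsearch -p 6501 -D cn=orcladmin \
#     -q -b 'cn=changelog' -s base 'objectclass=*' lastchangenumber)" \
#     changelog_OID changelog_AD1
```

A non-zero return for an adapter that should be present points back to that adapter's changelog plug-in parameters in the sections above.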

A.2 Verifying Adapters for Distinct User and Group Populations in Multiple Directories by Using ODSM

This section describes how to view the adapters created in Section 12.3.2, "Configuring Oracle Virtual Directory Adapters for Distinct User and Group Populations in Multiple Directories."

Verify the user adapter on the Oracle Virtual Directory instances running on LDAPHOST1 and LDAPHOST2 individually. Follow these steps to verify the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager:

  1. If they are not already running, start the Administration Server and the WLS_ODSM Managed Servers.

  2. In a web browser, go to Oracle Directory Services Manager (ODSM) at:

    http://admin.mycompany.com/odsm

  3. Verify connections to each of the Oracle Virtual Directory instances running on LDAPHOST1 and LDAPHOST2, if they do not already exist.

  4. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  5. On the Home page, click the Adapter tab.

  6. Click the name of each adapter. Verify that it has the parameters shown in the following tables.

A.2.1 User/Role Adapter A1

Verify the plug-in of the User/Role Adapter A1, as follows:

  1. Select the OIM User Adapter.

  2. Click the Plug-ins tab.

  3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

  4. Verify that the parameter values are as follows:

    | Parameter | Value | Default |
    |---|---|---|
    | directoryType | activedirectory | Yes |
    | exclusionMapping | orclappiduser,uid=samaccountname | |
    | mapAttribute | orclguid=objectGuid | |
    | mapAttribute | uniquemember=member | |
    | addAttribute | user,samaccountname=%uid%,%orclshortuid% | |
    | mapAttribute | mail=userPrincipalName | |
    | mapAttribute | ntgrouptype=grouptype | |
    | mapObjectclass | groupofUniqueNames=group | |
    | mapObjectclass | orclidxperson=user | |
    | pwdMaxFailure | 10 | Yes |
    | oamEnabled | True (see Footnote 1) | |
    | mapObjectClass | inetorgperson=user | Yes |
    | mapPassword | True | Yes |
    | oimLanguages | Comma separated list of language codes, such as en,fr,ja | |

    Footnote 1: Set oamEnabled to true only if you are using Oracle Access Management Access Manager.

A.2.2 User/Role Adapter A2

Verify the plug-in of the User/Role Adapter A2 as follows:

  1. Select the User Adapter.

  2. Click the Plug-ins tab.

  3. Click the User Management Plug-in in the plug-ins table, then click Edit. The plug-in editing window appears.

  4. Verify that the parameter values are as follows:

    | Parameter | Value | Default |
    |---|---|---|
    | directoryType | oid | Yes |
    | pwdMaxFailure | 10 | Yes |
    | oamEnabled | true (see Footnote 1) | |
    | mapObjectclass | container=orclContainer | Yes |

    Footnote 1: Set oamEnabled to true only if you are using Oracle Access Management Access Manager.

A.2.3 Changelog Adapter C1

To verify the Changelog Adapter C1 plug-in, follow these steps:

  1. Select the OIM changelog adapter Changelog_Adapter_C1.

  2. Click the Plug-ins tab.

  3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

  4. In the Parameters table, verify that the values are as shown.

    Table A-1 Values in Parameters Table

    | Parameter | Value | Comments |
    |---|---|---|
    | modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format: "!(modifiersname=cn=BindDN)". For example: "!(modifiersname=cn=orcladmin,cn=systemids,dc=mycompany,dc=com)" | Create |
    | sizeLimit | 1000 | Create |
    | targetDNFilter | dc=us,dc=mycompany,dc=com | Create |
    | mapUserState | true | Update |
    | oamEnabled | true | Update |
    | virtualDITAdapterName | The adapter name of User/Role Adapter A1: User_Adapter_A1 | Create |


A.2.4 Changelog Adapter for Active Directory

Verify the plug-in as follows.

  1. Select the OIM Changelog Adapter.

  2. Click the Plug-ins tab.

  3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

  4. In the Parameters table, verify that the parameters are as follows:

    | Parameter | Value |
    |---|---|
    | directoryType | activedirectory |
    | mapAttribute | targetGUID=objectGUID |
    | requiredAttribute | samaccountname |
    | sizeLimit | 1000 |
    | targetDNFilter | dc=mycompany,dc=com (Search base from which reconciliation must happen. This value must be the same as the LDAP SearchDN that is specified during Oracle Identity Manager installation.) |
    | mapUserState | true |
    | oamEnabled | true (see Footnote 1) |
    | virtualDITAdapterName | The name of the User adapter |

    Footnote 1: Set oamEnabled to true only if you are using Oracle Access Management Access Manager.

    Note:

    virtualDITAdapterName identifies the corresponding user profile adapter name. For example, in a single-directory deployment, you can set this parameter value to User Adapter, which is the user adapter name. In a split-user profile scenario, you can set this parameter to J1;A2, where J1 is the JoinView adapter name, and A2 is the corresponding user adapter in the J1.

A.2.5 Changelog Adapter C2

Verify the plug-in as follows:

  1. Select the OIM changelog adapter Changelog_Adapter_C2.

  2. Click the Plug-ins tab.

  3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

  4. In the Parameters table, verify that the parameters are as follows:

    Table A-2 Values in Parameters Table

    | Parameter | Value | Comments |
    |---|---|---|
    | modifierDNFilter | A bind DN that has administrative rights on the directory server, in the format: "!(modifiersname=cn=BindDN)". For example: "!(modifiersname=cn=orcladmin,dc=mycompany,dc=com)" | Create |
    | sizeLimit | 1000 | Create |
    | targetDNFilter | dc=uk,dc=mycompany,dc=com | Create |
    | mapUserState | true | Update |
    | oamEnabled | true | Update |
    | virtualDITAdapterName | The adapter name of User/Role adapter A2: User_Adapter_A2 | Create |


A.2.6 Verifying Oracle Virtual Directory Global Plug-in

To verify the Global Oracle Virtual Directory plug-in, proceed as follows:

  1. In a web browser, go to Oracle Directory Services Manager (ODSM) at:

    http://admin.mycompany.com/odsm

  2. Verify connections to each of the Oracle Virtual Directory instances running on LDAPHOST1 and LDAPHOST2, if they do not already exist.

  3. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  4. On the Home page, click the Adapter tab.

  5. Click the Plug-ins tab.

  6. Verify that the Global Consolidated Changelog Plug-in exists.

    Click OK when finished.

A.2.7 Configuring a Global Consolidated Changelog Plug-in

Verify the global-level consolidated changelog plug-in as follows:

  1. In a web browser, go to Oracle Directory Services Manager (ODSM).

  2. Connect to an Oracle Virtual Directory instance.

  3. On the Home page, click the Advanced tab. The Advanced navigation tree appears.

  4. Expand Global Plugins.

  5. Click the ConsolidatedChglogPlugin. The plug-in editing window appears.