4 Configuring Oracle Virtual Directory for Integration with Oracle Identity Manager

This chapter explains how to configure Oracle Virtual Directory for integration with Oracle Identity Manager (OIM).

4.1 Creating Oracle Virtual Directory Adapters for Oracle Internet Directory and Active Directory

You can use idmConfigTool to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires these adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.

To do this, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

  2. Create a properties file called ovd1.props for the adapter you are configuring. The contents of this file depend on whether you are configuring the Oracle Internet Directory adapter or the Active Directory adapter.

    • Oracle Internet Directory adapter properties file:

      ovd.host:ovdhost1.mycompany.com
      ovd.port:8899
      ovd.binddn:cn=orcladmin
      ovd.password:ovdpassword
      ovd.oamenabled:true
      ovd.ssl:true
      ldap1.type:OID
      ldap1.host:oididstore.myhost.mycompany.com
      ldap1.port:3060
      ldap1.binddn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
      ldap1.password:oidpassword
      ldap1.ssl:false
      ldap1.base:dc=mycompany,dc=com
      ldap1.ovd.base:dc=mycompany,dc=com
      usecase.type: single
      
    • Active Directory adapter properties file:

      ovd.host:ovdhost1.mycompany.com
      ovd.port:8899
      ovd.binddn:cn=orcladmin
      ovd.password:ovdpassword
      ovd.oamenabled:true
      ovd.ssl:true
      ldap1.type:AD
      ldap1.host:adidstore.myhost.mycompany.com
      ldap1.port:636
      ldap1.binddn:cn=adminuser
      ldap1.password:adpassword
      ldap1.ssl:true
      ldap1.base:dc=mycompany,dc=com
      ldap1.ovd.base:dc=mycompany,dc=com
      usecase.type: single
      

    The following list describes the parameters used in the properties file.

    • ovd.host is the host name of a server running Oracle Virtual Directory.

    • ovd.port is the https port used to access Oracle Virtual Directory.

    • ovd.binddn is the user DN you use to connect to Oracle Virtual Directory.

    • ovd.password is the password for the DN you use to connect to Oracle Virtual Directory.

    • ovd.oamenabled is always true in Fusion Applications deployments.

    • ovd.ssl is set to true, as you are using an https port.

    • ldap1.type is set to OID for an Oracle Internet Directory back-end directory or to AD for an Active Directory back-end directory.

    • ldap1.host is the host on which the back-end directory is located. Use the load balancer name.

    • ldap1.port is the port used to communicate with the back-end directory.

    • ldap1.binddn is the bind DN of the oimLDAP user.

    • ldap1.password is the password of the oimLDAP user.

    • ldap1.ssl is set to true if you are using the back-end's SSL connection, and otherwise set to false. This parameter should always be set to true when an adapter is being created for AD.

    • ldap1.base is the base location in the directory tree.

    • ldap1.ovd.base is the mapped location in Oracle Virtual Directory.

    • usecase.type is set to Single when using a single directory type.

  3. Configure the adapter by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the directory that idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
    

    The syntax on Windows is:

    idmConfigTool.bat -configOVD input_file=configfile [log_file=logfile]
    

    For example:

    idmConfigTool.sh -configOVD input_file=ovd1.props
    

    The command requires no input. The output looks like this:

    The tool has completed its operation. Details have been logged to logfile
    

Run this command for each Oracle Virtual Directory instance in your topology, with the appropriate value for ovd.host in the property file.
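The rules in the parameter list can be checked before idmConfigTool is invoked. The following script is an added example and is not part of idmConfigTool or of Oracle's documentation: it parses the key:value format of ovd1.props, verifies the rules stated above (ovd.ssl true, ldap1.ssl true for an AD adapter, numeric ports, usecase.type single) and reports whether the file, which carries the OVD and back-end bind passwords in clear text, is readable only by its owner. The required-key list and SAMPLE_AD_PROPS are assumptions taken from the two sample files above, with ldap1.ssl deliberately set wrong so the checker has something to report.

```python
"""Pre-flight check for an idmConfigTool -configOVD properties file.

Added example, not part of Oracle's tooling. The sample file and the
required-key list are assumptions taken from the two sample files.
"""
import os
import stat
import sys

# Constructed sample: the Active Directory file with ldap1.ssl set wrong.
SAMPLE_AD_PROPS = """\
ovd.host:ovdhost1.mycompany.com
ovd.port:8899
ovd.binddn:cn=orcladmin
ovd.password:ovdpassword
ovd.oamenabled:true
ovd.ssl:true
ldap1.type:AD
ldap1.host:adidstore.myhost.mycompany.com
ldap1.port:636
ldap1.binddn:cn=adminuser
ldap1.password:adpassword
ldap1.ssl:false
ldap1.base:dc=mycompany,dc=com
ldap1.ovd.base:dc=mycompany,dc=com
usecase.type: single
"""

REQUIRED = ("ovd.host", "ovd.port", "ovd.binddn", "ovd.password",
            "ovd.oamenabled", "ovd.ssl", "ldap1.type", "ldap1.host",
            "ldap1.port", "ldap1.binddn", "ldap1.password", "ldap1.ssl",
            "ldap1.base", "ldap1.ovd.base", "usecase.type")


def parse_props(text):
    """Parse 'key:value' lines; a value may follow a space (usecase.type: single)."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("line %d has no ':' separator: %r" % (lineno, raw))
        key, value = line.split(":", 1)
        props[key.strip()] = value.strip()
    return props


def check_props(props):
    """Return the list of problems found; an empty list means the file passes."""
    problems = ["missing required key %s" % k for k in REQUIRED if k not in props]
    for key in ("ovd.port", "ldap1.port"):
        if key in props and not props[key].isdigit():
            problems.append("%s must be numeric, got %r" % (key, props[key]))
    # ovd.port is the https port, so ovd.ssl has to be true.
    if props.get("ovd.ssl", "").lower() != "true":
        problems.append("ovd.ssl must be true because ovd.port is the https port")
    ldap_type = props.get("ldap1.type", "")
    if ldap_type not in ("OID", "AD"):
        problems.append("ldap1.type must be OID or AD, got %r" % ldap_type)
    # The parameter list requires SSL whenever the adapter is created for AD.
    if ldap_type == "AD" and props.get("ldap1.ssl", "").lower() != "true":
        problems.append("ldap1.ssl must be true when ldap1.type is AD")
    if props.get("usecase.type", "").lower() != "single":
        problems.append("usecase.type should be single for a single directory type")
    return problems


def mode_is_private(st_mode):
    """True when no group or world permission bits are set on the file.

    The file holds bind passwords in clear text, so anything wider than
    owner-only access is worth fixing before the tool is run.
    """
    return stat.S_IMODE(st_mode) & 0o077 == 0


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_AD_PROPS
    problems = check_props(parse_props(text))
    if path and not mode_is_private(os.stat(path).st_mode):
        problems.append("file is readable by group or others; use chmod 600")
    for problem in problems:
        print("%s: %s" % (path or "sample", problem))
    sys.exit(1 if problems else 0)
```

Run it as python check_ovd_props.py ovd1.props from IAM_ORACLE_HOME/idmtools/bin before idmConfigTool.sh -configOVD; without an argument it checks the embedded sample and reports the deliberate ldap1.ssl mistake.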

4.2 Using the UserManagement Plug-In

This topic describes the plug-ins designed for use when Oracle Virtual Directory is a connector target for Oracle Identity Manager integrations.

The UserManagement plug-in provides data mapping for Oracle Identity Manager attributes to LDAP directory servers.

4.2.1 Configuration Parameters

The UserManagement plug-in has the following configuration parameters:

filterObjectclass

Comma-separated list of objectclasses that need to be removed on an add/modify request.

removeAttribute

Comma-separated list of attributes that will be virtually removed from entries before they are returned to the client.

exclusionMapping

Defines the exclusion of a specific attribute mapping on a specific objectclass. For example, specifying a parameter with the value inetorgperson,uid=samaccountname excludes mapping a uid to samaccountname on entries of objectclass inetorgperson. Using multiple instances of this option allows for multiple exclusions on mappings.

oimLanguages

Comma-separated list of language codes to be used in attribute language subtypes. This parameter is functional only when the directoryType parameter is set to ActiveDirectory.

oamEnabled

True or False: Indicates whether Oracle Access Management Access Manager (Access Manager) is deployed with Oracle Identity Manager. By default, Access Manager is not deployed, therefore the default setting for this parameter is false.

Note:

The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

directoryType

Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.

Note:

The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

ssladapter

The ssladapter parameter, which is operational only when the directoryType parameter is set to ActiveDirectory, identifies the name of the adapter to which the UserManagement plug-in routes requests when userPassword or unicodePwd is contained in requests. If unicodePwd is contained in the request, the request must also contain the useraccountControl attribute with a proper value.

The adapter identified by the ssladapter parameter must have:

  • The same local base as the adapter the UserManagement plug-in is configured on

  • Its Routing Visibility set to Internal

If no value is set for ssladapter, the current adapter is used by default.

mapAttribute

Defines the attribute translation in the form of OVD-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.

mapPassword

True or False. When the directoryType configuration parameter is set to ActiveDirectory, the mapPassword parameter controls whether to convert the user password to the unicodePwd attribute. The default value is false.

mapRDNAttribute

Defines the RDN attribute translation in the form of OVD-RDNattribute=OIM-RDNattribute, for example: uid=cn.

pwdMaxFailure

Identifies the maximum number of failed logins the source LDAP directory server requires to lock an account (as defined by the password policy effective on the user entries being exposed through the adapter on which this plug-in is deployed).

mapObjectclass

Defines the objectclass value translation in the form of OVD-objectclass=OIM-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.

Note:

The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

addAttribute

In the form of attribute=value pairs, this parameter identifies attributes to be added before returning the get operation result. You can prefix the attribute name with objectclass, to add the attribute and value to a specific objectclass. You can also surround a value with % to reference other attributes. For example, specifying the value user,samaccountname=%cn% assigns the value of cn to samaccountname when the entry objectclass=user. Specifying the value samaccountname=jdoe adds attribute samaccountname with value jdoe to all the entries.
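The mapping parameters above interact (a mapAttribute rule can be suppressed by exclusionMapping, addAttribute's objectclass prefix refers to the objectclass the client sees, and %attr% references resolve against the entry). The following model is an added example and not Oracle's plug-in code: it applies mapAttribute, mapObjectclass, exclusionMapping, mapRDNAttribute, addAttribute and removeAttribute to one entry in the way the descriptions explain them, and filterObjectclass to an inbound add/modify. The order in which the real plug-in applies these, the CONFIG values and SAMPLE_ENTRY are assumptions made for this example.

```python
"""Model of the UserManagement plug-in's attribute and objectclass mapping.

Added example, not Oracle's plug-in code. The order of application, the
configuration and the sample entry are assumptions made here.
"""
import re

# Constructed configuration that reuses the examples from the parameter list.
CONFIG = {
    "mapAttribute": ["orclGUID=objectGuid", "uid=samaccountname"],
    "mapObjectclass": ["inetorgperson=user"],
    "mapRDNAttribute": ["uid=cn"],
    "exclusionMapping": ["inetorgperson,uid=samaccountname"],
    "addAttribute": ["user,samaccountname=%cn%", "description=managed-by-oim"],
    "removeAttribute": ["userPassword", "orclPassword"],
    "filterObjectclass": ["orclidxperson"],
}

# Constructed entry as read from the back-end directory (lower-cased names, list values).
SAMPLE_ENTRY = {
    "dn": "uid=jdoe,cn=users,dc=mycompany,dc=com",
    "objectclass": ["top", "person", "inetorgperson"],
    "cn": ["jdoe"],
    "uid": ["jdoe"],
    "orclguid": ["6F9619FF8B86D011B42D00C04FC964FF"],
    "userpassword": ["{SSHA}constructed-hash"],
}


def _pairs(values):
    """'left=right' config values -> [(left, right), ...]."""
    return [tuple(v.split("=", 1)) for v in values]


def _scoped(value):
    """'objectclass,attr=val' -> (objectclass, 'attr=val'); no prefix -> (None, value)."""
    head, sep, rest = value.partition(",")
    if sep and "=" not in head:
        return head.lower(), rest
    return None, value


def map_rdn(dn, config):
    """Apply mapRDNAttribute (uid=cn) to the leading RDN of a DN."""
    rdn, sep, parent = dn.partition(",")
    attr, eq, value = rdn.partition("=")
    for src, dst in _pairs(config.get("mapRDNAttribute", [])):
        if attr.lower() == src.lower():
            attr = dst
    return attr + eq + value + sep + parent


def map_entry(entry, config):
    """Return the entry as the client sees it after the plug-in's mappings."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    # exclusionMapping: source attributes whose mapAttribute rule must not
    # fire because the entry carries the named objectclass.
    excluded = set()
    for oc, rule in (_scoped(v) for v in config.get("exclusionMapping", [])):
        if oc in classes:
            excluded.add(rule.split("=", 1)[0].lower())
    rename = {s.lower(): d.lower() for s, d in _pairs(config.get("mapAttribute", []))}

    out = {"dn": map_rdn(entry["dn"], config)}
    for name, values in entry.items():
        if name == "dn":
            continue
        key = name.lower()
        if key in rename and key not in excluded:
            key = rename[key]
        out.setdefault(key, []).extend(values)

    # mapObjectclass rewrites the values; addAttribute's objectclass prefix is
    # matched against the mapped classes (assumption: "user" in the example).
    oc_map = {s.lower(): d for s, d in _pairs(config.get("mapObjectclass", []))}
    out["objectclass"] = [oc_map.get(c.lower(), c) for c in out.get("objectclass", [])]
    classes = {c.lower() for c in out["objectclass"]}

    for oc, rule in (_scoped(v) for v in config.get("addAttribute", [])):
        if oc is not None and oc not in classes:
            continue
        attr, value = rule.split("=", 1)
        # %name% is replaced by the first value of that attribute, if present.
        value = re.sub(r"%([^%]+)%",
                       lambda m: out.get(m.group(1).lower(), [""])[0], value)
        out.setdefault(attr.lower(), []).append(value)

    for attr in config.get("removeAttribute", []):
        out.pop(attr.lower(), None)
    return out


def filter_request_objectclasses(objectclasses, config):
    """filterObjectclass: drop the listed classes from an add/modify request."""
    drop = {c.lower() for c in config.get("filterObjectclass", [])}
    return [c for c in objectclasses if c.lower() not in drop]


if __name__ == "__main__":
    for attr, values in sorted(map_entry(SAMPLE_ENTRY, CONFIG).items()):
        print("%s: %s" % (attr, values))
```

With the configuration above the sample entry comes back as cn=jdoe,... with objectclass user, objectGuid in place of orclGUID, samaccountname filled from cn, uid left unmapped because of the exclusion, and userPassword removed. Dropping the exclusionMapping entry makes uid itself rename to samaccountname, which then carries two values; that double mapping is the situation exclusionMapping exists to prevent.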

4.3 Using the Changelog Plug-In

Note:

Prior to release 11.1.1.4.0, Oracle Virtual Directory had three changelog plug-ins:

  • oidchangelog for use with Oracle Internet Directory

  • sunonechangelog for use with Oracle Directory Server Enterprise Edition

  • adchangelog for use with Microsoft Active Directory

These three plug-ins were deprecated in release 11.1.1.4.0 and a new, single Changelog plug-in is now available. You can use this plug-in with Oracle Internet Directory, Oracle Directory Server Enterprise Edition, and Microsoft Active Directory.

4.3.1 Deploying the Release 11.1.1.4.0 Changelog Plug-In

When deploying the single Changelog plug-in, you must:

  • Set the adapter's Remote Base to an empty value; that is, blank (nothing).

  • Set the adapter's Mapped Namespace to: cn=changelog.

  • If the back-end is Oracle Directory Server Enterprise Edition, be sure to enable change logging on Oracle Directory Server Enterprise Edition.

4.3.2 Deploying Changelog Plug-Ins from Prior Releases

If you are using a version of Oracle Virtual Directory that was released prior to 11.1.1.4.0, you must use the following changelog plug-ins to standardize changelog information from source directories into a suitable format for Oracle Identity Manager.

Note:

These plug-ins will not work with Oracle Virtual Directory release 11.1.1.4.0.

For Oracle Internet Directory

Use the oidchangelog plug-in with Oracle Internet Directory.

When deploying the oidchangelog plug-in, you must set the adapter's Remote Base to an empty value; that is, blank (nothing).

For Oracle Directory Server Enterprise Edition

Use the sunonechangelog plug-in with Oracle Directory Server Enterprise Edition.

When deploying the sunonechangelog plug-in, you must:

  • Set the adapter's Remote Base to an empty value; that is, blank (nothing).

  • Ensure change logging is enabled on the Oracle Directory Server Enterprise Edition.

  • Set the adapter's Mapped Namespace to: cn=changelog

For Microsoft Active Directory

Use the adchangelog plug-in with Microsoft Active Directory.

When deploying the adchangelog plug-in, you must:

  • Set the adapter's Remote Base to an empty value; that is, blank (nothing).

  • Set the adapter's Mapped Namespace to: cn=changelog

4.3.3 Configuration Parameters

Each of the changelog plug-ins has the following configuration parameters:

removeAttribute

Comma-separated list of attributes that are virtually removed from entries before they are returned to the client.

oimLanguages

Comma-separated list of languages to be used in attribute language subtypes.

skipErrorChangelog

True or False. If set to false and the plug-in encounters a corrupted changelog entry, the plug-in throws a DirectoryException and stops processing further changelog entries. If set to true, the plug-in logs an error without throwing an exception, skips that changelog entry, and continues processing the next changelog entries. The default value is false.

oamEnabled

True or False: Indicates whether Access Manager is deployed with Oracle Identity Manager. By default, Access Manager is not deployed, therefore the default setting for this parameter is false.

Note:

The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

directoryType

Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.

Note:

The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

mapObjectclass

Defines the objectclass value translation in the form of OIM-objectclass=Source-Directory-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.

In the Oracle Identity Manager use case, the following parameters are configured out-of-the-box:

  • For Active Directory: inetorgperson=user, orclidxperson=user, and groupOfUniqueNames=group

  • For Oracle Directory Server Enterprise Edition: container=nsContainer and changelog=changelogentry

  • For Oracle Internet Directory: container=orclContainer

Note:

The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

sizeLimit

Identifies the maximum number of changelog entries to be returned.

A zero (0) or a negative value means no size restriction.

If the incoming search request specifies a size constraint, then the smaller value is used. For example, if you specify the plug-in's sizeLimit as 100, and the search request's count limit is 200, then the actual size limit of the request is reset to 100.

mapAttribute

Defines the attribute translation in the form of Source-Directory-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.

targetDNFilter

Identifies the container to retrieve changes from. This parameter can be set multiple times to identify multiple containers to retrieve changes from. If set multiple times, the targetDN filter should look similar to the following example, and this targetDN filter is "ANDed" to the incoming filter:

"(|(targetDN=*cn=users,dc=mycom1)(targetDN=*,cn=groups,dc=mycom2))"

Sample values include:

  • *,cn=xxx,dc=yyy

  • *cn=xxx,dc=yyy

  • cn=xxx,dc=yyy (must be a descendant of the local base of the adapter specified in virtualDITAdapterName)

All of these samples have the same meaning.

requiredAttribute

Comma-separated list of attributes to always be retrieved from the source LDAP directory server, regardless of the return attributes list specified for changelog queries to Oracle Virtual Directory.

addAttribute

Comma-separated list of attributes to be added to the normalized changelog entry. For example, orclContainerOC=1, changelogSupported=1, where =1 indicates that the changes retrieved from the source directory support changelog.

mapUserState

True or False. This parameter enables or disables the mapping of the directory specific account attributes to Oracle Virtual Directory virtual account attributes.

modifierDNFilter

Single-valued configuration parameter that defines an LDAP filter on modifiersName. This parameter is "ANDed" to the incoming filter. An example value can be "(modifiersName=cn=myadmin,cn=users,dc=mycom)".

Note:

This configuration does not take effect if directoryType=ActiveDirectory.

virtualDITAdapterName

Identifies the corresponding user profile adapter name.

For example, in a single-directory deployment, you can set this parameter value to "A1," which is the user adapter name. In a split-user profile scenario, you can set this parameter to "J1;A2," where "J1" is the JoinView adapter name, and "A2" is the corresponding user adapter in the "J1".

This parameter can be multi-valued, which means that multiple base entry adapters are configured for the same back-end directory server as this changelog adapter.

If you set this parameter to "A1," the plug-in fetches the mapAttribute and mapObjectclass configuration in the UserManagementPlugin of adapter A1, so you do not have to duplicate those configurations.
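Several of the changelog parameters above (sizeLimit, targetDNFilter, modifierDNFilter, skipErrorChangelog) describe how the plug-in narrows a changelog search and what it does with a corrupt entry. The following model is an added example, not Oracle's plug-in code: the smaller of the plug-in and request size limits wins, targetDNFilter and modifierDNFilter are ANDed to the incoming filter (modifierDNFilter is ignored when directoryType is ActiveDirectory), the three sample targetDNFilter spellings are matched alike, and skipErrorChangelog decides between raising and skipping. The DirectoryException stand-in, the filter strings and SAMPLE_CHANGELOG are constructed here.

```python
"""Model of the Changelog plug-in's search narrowing and error handling.

Added example, not Oracle's plug-in code; the exception class, filter
strings and sample changelog entries are constructed here.
"""
import logging

log = logging.getLogger("changelog-plugin-model")


class DirectoryException(Exception):
    """Stand-in for the exception the plug-in throws on a corrupt entry."""


def effective_size_limit(plugin_limit, request_limit):
    """Smaller of the two limits; 0 or a negative value means no limit."""
    limits = [n for n in (plugin_limit, request_limit) if n > 0]
    return min(limits) if limits else 0


def target_matches(target_dn, container):
    """True when target_dn is the container or lies under it.

    The three spellings from the text (*,cn=x,dc=y / *cn=x,dc=y / cn=x,dc=y)
    are treated alike, as the text says they have the same meaning.
    """
    suffix = container.lstrip("*").lstrip(",").lower()
    dn = target_dn.lower()
    return dn == suffix or dn.endswith("," + suffix)


def effective_filter(incoming, config):
    """AND the incoming filter with targetDNFilter and modifierDNFilter."""
    parts = [incoming]
    targets = config.get("targetDNFilter", [])
    if len(targets) == 1:
        parts.append("(targetDN=%s)" % targets[0])
    elif targets:
        parts.append("(|%s)" % "".join("(targetDN=%s)" % t for t in targets))
    modifier = config.get("modifierDNFilter")
    # modifierDNFilter has no effect when directoryType=ActiveDirectory.
    if modifier and config.get("directoryType", "OID") != "ActiveDirectory":
        parts.append(modifier)
    return parts[0] if len(parts) == 1 else "(&%s)" % "".join(parts)


# Constructed changelog entries; 102 lacks the attributes a changelog entry
# must carry and stands in for a corrupt entry.
SAMPLE_CHANGELOG = [
    {"changenumber": 101, "targetdn": "uid=jdoe,cn=users,dc=mycom1", "changetype": "modify"},
    {"changenumber": 102},
    {"changenumber": 103, "targetdn": "cn=admins,cn=groups,dc=mycom2", "changetype": "add"},
]


def normalize(entry):
    """Build the normalized entry OIM consumes; raise on a corrupt one."""
    try:
        return {"changeNumber": entry["changenumber"],
                "targetDN": entry["targetdn"], "changeType": entry["changetype"]}
    except KeyError as missing:
        raise DirectoryException("changelog %s lacks %s" % (entry.get("changenumber"), missing))


def process_changelog(entries, config, request_limit=0):
    """Return normalized entries, honouring sizeLimit and skipErrorChangelog."""
    skip = str(config.get("skipErrorChangelog", "false")).lower() == "true"
    limit = effective_size_limit(int(config.get("sizeLimit", 0)), request_limit)
    out = []
    for entry in entries:
        if limit and len(out) >= limit:
            break
        try:
            out.append(normalize(entry))
        except DirectoryException as exc:
            if not skip:
                raise  # skipErrorChangelog=false: stop at the first corrupt entry
            log.error("skipping corrupt changelog entry: %s", exc)
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    cfg = {"skipErrorChangelog": "true", "sizeLimit": 100,
           "targetDNFilter": ["*,cn=users,dc=mycom1", "*,cn=groups,dc=mycom2"]}
    print(effective_filter("(changeNumber>=100)", cfg))
    for e in process_changelog(SAMPLE_CHANGELOG, cfg, request_limit=200):
        print(e)
```

Setting skipErrorChangelog to true keeps reconciliation moving past a bad entry, but the logged errors are then the only trace that a change was dropped, so they belong in whatever log review covers the OIM reconciliation run.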

4.4 Troubleshooting Tips

This section describes how to enable debugging in Oracle Virtual Directory, which can be useful if you need to troubleshoot your Oracle Identity Manager and Oracle Virtual Directory integration.

To enable debugging, perform the following steps:

  1. Open a command window and go to the following location:

    OVD ORACLE_INSTANCE/config/OVD/ovd1
    
  2. Save a copy of the ovd-logging.xml file.

  3. Edit the ovd-logging.xml file as follows:

    • Change line #25 from:

      <logger name='com.octetstring.vde' level='NOTIFICATION:1' useParentHandlers='false'>
      

      to

      <logger name='com.octetstring.vde' level='TRACE:32' useParentHandlers='false'>
      
    • Change line #28 from:

      <logger name='com.octetstring.accesslog' level='ERROR:1' useParentHandlers='false'>
      

      to

      <logger name='com.octetstring.accesslog' level='NOTIFICATION:1' useParentHandlers='false'>
      
  4. Restart Oracle Virtual Directory by typing the following:

    cd ORACLE_INSTANCE/bin
    ./opmnctl stopproc ias-component=ovd1
    ./opmnctl startproc ias-component=ovd1
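The two logger changes above are easy to apply by hand but just as easy to forget to undo. The following script is an added example, not Oracle's tooling: it takes the backup copy step 2 calls for, rewrites the level attribute of the two loggers named in step 3 with the standard library's XML parser, and restores the original levels with --restore. SAMPLE_XML is a constructed skeleton used only when no file is given; the element names around the logger elements are assumptions, and only the two logger names and the four level strings come from the steps above.

```python
"""Switch the two OVD loggers from the troubleshooting steps between their
normal and debug levels, and back again.

Added example, not Oracle's tooling. SAMPLE_XML is a constructed skeleton;
only the logger names and level strings come from the steps above.
"""
import os
import shutil
import sys
import xml.etree.ElementTree as ET

DEBUG_LEVELS = {
    "com.octetstring.vde": "TRACE:32",
    "com.octetstring.accesslog": "NOTIFICATION:1",
}
DEFAULT_LEVELS = {
    "com.octetstring.vde": "NOTIFICATION:1",
    "com.octetstring.accesslog": "ERROR:1",
}

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<logging_configuration>
  <loggers>
    <logger name='com.octetstring.vde' level='NOTIFICATION:1' useParentHandlers='false'>
      <handler name='odl-handler'/>
    </logger>
    <logger name='com.octetstring.accesslog' level='ERROR:1' useParentHandlers='false'>
      <handler name='access-handler'/>
    </logger>
  </loggers>
</logging_configuration>
"""


def logger_levels(xml_text):
    """Map every <logger name=...> in the file to its current level."""
    return {lg.get("name"): lg.get("level")
            for lg in ET.fromstring(xml_text).iter("logger")}


def set_logger_levels(xml_text, levels):
    """Return (new_xml_text, applied): the rewritten file and the levels set."""
    root = ET.fromstring(xml_text)
    applied = {}
    for lg in root.iter("logger"):
        name = lg.get("name")
        if name in levels:
            lg.set("level", levels[name])
            applied[name] = levels[name]
    text = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
    return text, applied


def toggle_file(path, debug):
    """Keep a one-time copy at path + '.orig', then rewrite the levels in place."""
    backup = path + ".orig"
    if not os.path.exists(backup):
        shutil.copyfile(path, backup)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, applied = set_logger_levels(text, DEBUG_LEVELS if debug else DEFAULT_LEVELS)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return applied


if __name__ == "__main__":
    # usage: python ovd_debug.py ORACLE_INSTANCE/config/OVD/ovd1/ovd-logging.xml [--restore]
    if len(sys.argv) < 2:
        print(logger_levels(SAMPLE_XML))
        sys.exit(0)
    applied = toggle_file(sys.argv[1], debug="--restore" not in sys.argv)
    for name, level in applied.items():
        print("%s -> %s" % (name, level))
    print("now restart the instance: opmnctl stopproc/startproc ias-component=ovd1")
```

The rewrite normalises attribute quoting and whitespace, which is why the untouched copy is kept at ovd-logging.xml.orig. TRACE:32 on com.octetstring.vde records the content of requests passing through the server, so once the problem is captured run the script again with --restore and restart the instance, rather than leaving the directory at trace level.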