D Preconfiguring Oracle Directory Server Enterprise Edition (ODSEE)

Before you can use your LDAP directory as an Identity store, you must preconfigure it. This section describes how to preconfigure Oracle Directory Server Enterprise Edition (ODSEE) for use as your LDAP Identity store.

Notes:

  • If your LDAP Identity store (Oracle Directory Server Enterprise Edition (ODSEE) or iPlanet) has already been configured with the containers, the oimadminuser and the schema extension, you do not need to follow the configuration steps below.

  • The data used in the examples below is sample data. Follow the examples, replacing the sample values with the appropriate data for your LDAP server configuration.

  • cn=oracleAccounts is sample data. You are not required to use this value when you preconfigure the Identity Store.

You must complete the following steps to preconfigure the Identity Store:

  1. Create a new file iPlanetContainers.ldif. Add the following entries and save the file.

    dn: cn=oracleAccounts,dc=mycompany,dc=com
    cn: oracleAccounts
    objectClass: nsContainer
    
    dn: cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
    cn: Users
    objectClass: nsContainer
    
    dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
    cn: Groups
    objectClass: nsContainer
    
    dn: cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
    cn: Reserve
    objectClass: nsContainer
    
  2. Import the containers into the iPlanet Directory Server with the ldapadd command. This creates the user, group and reserve containers.

    ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -c -f ./iPlanetContainers.ldif
    

    For example:

    ldapadd -h localhost -p 1389 -D "cn=Directory Manager" -w "welcome1" -c -f ./iPlanetContainers.ldif
    

    If the above command returns an authentication error, retry it with the '-x' option, which requests a simple bind.

    ldapadd -h localhost -p 1389 -x -D "cn=Directory Manager" -w "welcome1" -c -f ./iPlanetContainers.ldif
    
  3. Enable the moddn property so that entries can be renamed (moved) between nodes.

    ..dsee7/bin/dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> moddn-enabled:on
    

    For example:

    ..dsee7/bin/dsconf set-server-prop -h localhost -p 1389 moddn-enabled:on
    
  4. Enable the retro changelog.

    ..dsee7/bin/dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> retro-cl-enabled:on
    

    For example:

    ..dsee7/bin/dsconf set-server-prop -h localhost -p 1389 retro-cl-enabled:on
    
  5. Check the status.

    ..dsee7/bin/dsccsetup status
    
  6. Stop and start the ODSEE server instance.

    ..dsee7/bin/dsadm stop <ODSEE instance>
    ..dsee7/bin/dsadm start <ODSEE instance>
    

    For example:

    ..dsee7/bin/dsadm stop /scratch/<userid>/iPlanet/dsinst1/
    ..dsee7/bin/dsadm start /scratch/<userid>/iPlanet/dsinst1/
    
  7. Extend the Sun schema to include OIM-specific Object Classes and Attribute Types.

    cd to $MIDDLEWARE_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
    

    Run the following command to load the ldif file, sunOneSchema.ldif.

    ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f sunOneSchema.ldif
    

    For example:

    ./ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w welcome1 -c -f sunOneSchema.ldif
    
  8. Enable Referential Integrity for OIM's Common Name Generation feature.

    Whenever a DN or RDN is modified, Referential Integrity must be enabled both in OIM and in the Directory Server (OID, Active Directory or ODSEE).

    If Referential Integrity is enabled in the Directory Server, you must also set the OIM property XL.IsReferentialIntegrityEnabledInLDAP to TRUE; by default it is set to FALSE. To set it, log into OIM and go to Advanced > System Management > System Configuration. Search for System Properties (XL.IsReferentialIntegrityEnabled), and set the property value to TRUE.

    1. Use the following command to see the value of the referential integrity property.

      ..dsee7/bin/dsconf get-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled
      Enter "cn=Directory Manager" password:
      ref-integrity-enabled : off
      
    2. Use the following commands to enable the referential integrity property.

      ./dsconf set-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled:on
      Enter "cn=Directory Manager" password:
      

      The Directory Server must be restarted for the change to take effect. Restart the ODSEE/iPlanet server after enabling the referential integrity property.

      ..dsee7/bin/dsadm stop <ODSEE instance>
      ..dsee7/bin/dsadm start <ODSEE instance>
      

      For example:

      ..dsee7/bin/dsadm stop /scratch/<userid>/iPlanet/dsinst1/
      ..dsee7/bin/dsadm start /scratch/<userid>/iPlanet/dsinst1/
      
    3. Query the property again to confirm that the value has been set correctly.

      ..dsee7/bin/dsconf get-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled
      Enter "cn=Directory Manager" password:
      ref-integrity-enabled : on
      
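Steps 3, 4 and 8 each switch on one server property and the instance is restarted in between; the three values are best checked together afterwards, because a property that is still off only shows up later as failed renames or missing change records. The following shell script is an added example, not part of the Oracle documentation or of the ODSEE tools: it reads the dsconf get-server-prop output from those steps, saved to a file, and reports every required property that does not read "on". The file names and the sample dsconf output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): confirm that the server
# properties enabled in steps 3, 4 and 8 all report "on".
# Real usage: save the dsconf get-server-prop output from those steps to one
# file, then run:  props_not_on props.txt
# The sample file below is constructed, not captured from a server.

REQUIRED_PROPS="moddn-enabled retro-cl-enabled ref-integrity-enabled"

# Print the value dsconf reported for property $2 in file $1 (empty if absent).
# dsconf prints "name : value", so split on the colon and surrounding spaces.
prop_value() {
    awk -F' *: *' -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# Print, space separated, every required property whose value is not "on".
# Exit status 0 when all of them are on, 1 otherwise.
props_not_on() {
    missing=""
    for p in $REQUIRED_PROPS; do
        v=$(prop_value "$1" "$p")
        [ "$v" = "on" ] || missing="$missing $p"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample: what the page shows after step 3 but before steps 4 and 8.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Enter "cn=Directory Manager" password:
moddn-enabled : on
retro-cl-enabled : off
ref-integrity-enabled : off
EOF

# Constructed sample of a fully prepared server: every property is on.
ALL_ON=$(mktemp)
printf '%s : on\n' $REQUIRED_PROPS > "$ALL_ON"

if props_not_on "$SAMPLE" >/dev/null; then
    echo "all required properties are on"
else
    echo "properties still off: $(props_not_on "$SAMPLE" || true)"
fi
```

The check is deliberately strict about the literal value "on": an absent property (for example a typo in the dsconf invocation) is reported exactly like one that is off, so the script cannot pass on incomplete output.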
  9. Create the OIM Admin User, Group and the ACIs. Open a new file oimadminuser.ldif. OIM uses this oimadminuser as its proxy user.

    The root suffix is given as dc=mycompany,dc=com. Replace it with the root suffix of your ODSEE server.

    1. Add the following LDAP entries to oimadminuser.ldif and save the file.

      dn: cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: nsContainer
      objectclass: top
      cn: systemids
      
      dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetorgperson
      mail: oimAdminUser
      givenname: oimAdminUser
      sn: oimAdminUser
      cn: oimAdminUser
      uid: oimAdminUser
      userPassword: welcome1
      
      dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: groupOfUniqueNames
      objectclass: top
      cn: oimAdminGroup
      description: OIM administrator role
      uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      
      dn: cn=users,cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=users,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
       "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to
       all attributes"; allow (add, read, search, compare,write, delete, import)
       (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
      
      dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
       "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access";
       allow (read, search, compare, add, write,delete) (groupdn =
       "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
      
      dn: cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
       "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access";
       allow (read, search, compare, add, write,delete,export) (groupdn =
       "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
      
      dn: cn=changelog
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=changelog")(targetattr = "*")(version 3.0; acl
       "Allow OIM AdminGroup to read and write access"; allow (read, search,
       compare, add, write,delete,export) (groupdn =
       "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
      
      Run the following command to load the ldif file oimadminuser.ldif:

      ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f oimadminuser.ldif
      
    2. Use the following commands to check for the entries and ACIs in the LDAP directory:

      ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=changelog" -s sub "objectclass=*" aci
      
      ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=users,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci
      
      ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=groups,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci
      
      ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci
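The ldapsearch commands above return the aci attribute of each container, but reading folded ACI text by eye is error-prone, and an ACI that names the wrong group or omits a right fails silently until OIM tries to use it. The following shell script is an added example, not part of the Oracle documentation or of ODSEE: it unfolds saved ldapsearch output and reports whether a given container carries an ACI that grants a given right to the oimAdminGroup DN from step 9. The ldapsearch output in the sample is constructed from the ACIs on this page rather than captured from a server, and the file name aci.ldif is an assumption.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): verify the step 9 ACIs
# offline from ldapsearch output saved with the step 9.2 commands, e.g.
#   ldapsearch ... -b "cn=users,cn=oracleAccounts,dc=mycompany,dc=com" \
#       -s sub "objectclass=*" aci > aci.ldif      # file name is an assumption
# then:  aci_grants aci.ldif cn=users,cn=oracleAccounts,dc=mycompany,dc=com write

# DN of the group the ACIs must grant rights to (as created in step 9).
OIM_GROUP_DN='cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com'

# Join LDIF continuation lines (those starting with one space) onto the
# attribute line they belong to, so each aci value becomes a single line.
unfold_ldif() {
    awk '
        /^ / { line = line substr($0, 2); next }
        { if (NR > 1) print line; line = $0 }
        END { print line }
    ' "$1"
}

# Print 1 if entry $2 in LDIF file $1 has an aci granting right $3 to
# $OIM_GROUP_DN, else 0. An aci counts only when its groupdn names the OIM
# admin group AND the right appears inside its allow (...) list; DN
# comparison is case-insensitive, as in the directory.
aci_grants() {
    unfold_ldif "$1" | awk -v dn="dn: $2" -v grp="$OIM_GROUP_DN" -v right="$3" '
        tolower($0) == tolower(dn) { in_entry = 1; next }
        /^dn: / { in_entry = 0 }
        in_entry && /^aci: / && index($0, grp) {
            if (match($0, /allow \([^)]*\)/)) {
                n = split(substr($0, RSTART + 7, RLENGTH - 8), rights, /[ ,]+/)
                for (i = 1; i <= n; i++) if (rights[i] == right) found = 1
            }
        }
        END { print found ? 1 : 0 }'
}

# Constructed sample output: the users and reserve ACIs from this page, plus
# a Groups container whose ACI was (deliberately) written for another group.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
version: 1
dn: cn=users,cn=oracleAccounts,dc=mycompany,dc=com
aci: (target = "ldap:///cn=users,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
 "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to
 all attributes"; allow (add, read, search, compare,write, delete, import)
 (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com
aci: (target = "ldap:///cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
 "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access";
 allow (read, search, compare, add, write,delete,export) (groupdn =
 "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
aci: (target = "ldap:///cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
 "*")(version 3.0; acl "Wrong group"; allow (read, search, compare, add, write,delete)
 (groupdn = "ldap:///cn=someOtherGroup,cn=systemids,dc=mycompany,dc=com");)
EOF

for base in cn=users,cn=oracleAccounts,dc=mycompany,dc=com \
            cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com; do
    echo "$base write granted to OIM group: $(aci_grants "$SAMPLE" "$base" write)"
done
```

Because the check requires both the group DN and the right, it distinguishes the three ways step 9 commonly goes wrong: the ACI is missing, it was applied with the wrong group DN, or it lacks a right (for example import on the users container, which the page's ACI grants, versus export on the reserve container).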