E Preconfiguring Oracle Unified Directory (OUD)

Before you can use your LDAP directory as an Identity store, you must preconfigure it. This section describes how to preconfigure Oracle Unified Directory (OUD) for use as your LDAP Identity store.

Notes:

  • If your LDAP Identity store (Oracle Unified Directory (OUD)) has already been configured with the containers, the oimadminuser, and the schema extension, you do not need to follow the configuration steps below.

  • The data used in the examples below is sample data. Follow the examples, but replace the sample values with the appropriate data for your LDAP server configuration.

  • cn=oracleAccounts is sample data. You are not required to use this value when you preconfigure the Identity Store.

You must complete the following steps to preconfigure the Identity Store:

  1. Create a new file named OUDContainers.ldif, add the following entries, and save the file.

    dn: cn=oracleAccounts,dc=mycompany,dc=com
    cn: oracleAccounts
    objectClass: top
    objectClass: orclContainer
    
    dn: cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
    cn: Users
    objectClass: top
    objectClass: orclContainer
    
    dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
    cn: Groups
    objectClass: top
    objectClass: orclContainer
    
    dn: cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
    cn: Reserve
    objectClass: top
    objectClass: orclContainer
    
  2. Import the containers into the Oracle Unified Directory server with the ldapadd command. This creates the user, group, and reserve containers.

    ldapadd -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -c -f ./OUDContainers.ldif
    
    For example:
    
    ldapadd -h localhost -p 3389 -D "cn=Directory Manager" -w "welcome1" -c -f ./OUDContainers.ldif
    

    If the above command returns an authentication error, retry it with the -x option, which requests a simple bind.

    ldapadd -h localhost -p 1389 -x -D "cn=Directory Manager" -w "welcome1" -c -f ./OUDContainers.ldif
    
  3. After installing OUD, configure the OIM proxy user and the ACIs that OIM uses to communicate with OUD: create the OIM Admin User, the OIM Admin Group, and the ACIs.

    The root suffix is given as dc=mycompany,dc=com. Replace it with the appropriate root suffix of your OUD server.

    1. Create a new file named oudadmin.ldif, add the following LDAP entries, and save the file. Then run the following command to load oudadmin.ldif.

      Note:

      Run the ldapmodify command in the OUD setup to add the OIM proxy user, the OIM proxy group, and the relevant ACIs.

      • The OIMAdmin proxy user must have an ACI that allows it to write and reset userPassword.

      • The OIMAdmin proxy user must have the password-reset privilege. This privilege is assigned with an ldapmodify on the user entry.

      cd <OUD instance>/bin
      
      ./ldapmodify -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -j <pwd.txt> -c -v -f oudadmin.ldif
      Note: In the above command, pwd.txt is the text file containing the OUD Admin password.
      
      dn: cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: orclContainer
      objectclass: top
      cn: systemids
      
      dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetorgperson
      mail: oimAdminUser
      givenname: oimAdminUser
      sn: oimAdminUser
      cn: oimAdminUser
      uid: oimAdminUser
      userPassword: welcome1
      
      dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
      changetype: add
      objectclass: groupOfUniqueNames
      objectclass: top
      cn: oimAdminGroup
      description: OIM administrator role
      uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      
      dn: cn=oracleAccounts,dc=mycompany,dc=com
      changetype: modify
      add: aci
      aci: (target = "ldap:///cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
       "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to
       all attributes"; allow (add, read, search, compare,write, delete, import,export)
       (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
      
      dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
      changetype: modify
      add: ds-privilege-name
      ds-privilege-name: password-reset
      
    2. Perform the following steps to configure the changelog on OUD server:

      Note:

      Perform these steps only if replication was not configured during the installation of the OUD server.

      Create a replication server using dsconfig command:

      dsconfig -h <OUD host> -p <OUD Admin SSL Port> -D <OUD Admin id> -j
       <password file> -X -n create-replication-server --provider-name
       'Multimaster Synchronization' --set replication-port:8989 --set
       replication-server-id:1 --type generic
      

      Create a replication domain using dsconfig command:

      dsconfig -h <OUD host> -p <OUD Admin SSL port> -D <OUD Admin id> -j
       <password file> -X -n create-replication-domain --provider-name
       'Multimaster Synchronization' --set base-dn:<dc=myDomain,dc=com> --set
       replication-server:<OUD host>:8989 --set server-id:1 --type generic
       --domain-name <dc=myDomain,dc=com>
      
    3. Use the following command to check whether the ACI has been added.

      ./ldapsearch -h <OUD Server> -p <OUD Port> -D "cn=Directory Manager"
       -j <pwd.txt> -b "dc=mycompany,dc=com" -s base "objectclass=*" aci
      Note: In the above command, pwd.txt is the text file containing the OUD Admin password.
      
    4. Use the following command to check whether the proxy user works against OUD.

      ./ldapsearch -h <OUD Server> -p <OUD Port> -D
       "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com" -j <pwd.txt> -b
       "cn=changelog" -s sub "changenumber>=0"
      Note: In the above command, pwd.txt is the text file containing the password of the oimAdminUser proxy user, because that is the bind DN (-D) used here.
      
  4. Complete the following steps to set up the access controls (ACIs) in OUD:

    Add a global-aci to the changelog node in OUD.

    Refer to the "Using dsconfig in Interactive Mode" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Unified Directory 11g Release 2 (11.1.2) available at the following link:

    http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/server_config.htm#solUSING-DSCONFIG-IN-INTERACTIVE-MODE

    Follow the steps in the document mentioned above and add the global-aci to cn=changelog entry in OUD:

    (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com";)
    
    dn: cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr="*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare,write, delete, import,export)(groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)
    

    You must remove the deny from this global-aci and allow the OIM proxy user; otherwise the deny takes priority over the allow.

    Note:

    If you are using OUD 11.1.1.5.0, use the following ACI:

    (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl
     "External changelog access";deny (all) groupdn!="ldap:///cn=oimAdminGroup,cn=systemids,dc=myDomain,dc=com";)
    

    Refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Unified Directory 11g Release 2 (11.1.2) available at the following link:

    http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/server_config.htm#solUSING-DSCONFIG-IN-INTERACTIVE-MODE

    Follow the steps in the document mentioned above and delete the default deny global-aci from the cn=changelog entry in OUD:

    (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)
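    As an added example, not part of the Oracle documentation, the following Python models how the changelog ACIs above are resolved: a matching deny refuses the right even when an allow grants it, so the default deny for userdn="ldap:///anyone" blocks the oimAdminGroup until it is deleted, while the OUD 11.1.1.5.0 form (deny groupdn!=) refuses everyone except group members. The ACI strings are constructed from the samples on this page using the dc=mycompany,dc=com suffix; the parser handles only the single-bind-rule ACIs shown here.

```python
import re

ACI_RE = re.compile(r'acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*\(?\s*'
                    r'(userdn|groupdn)\s*(!?=)\s*"ldap:///([^"]+)"')

def parse_aci(aci):
    """Extract the parts an access decision needs from one single-bind-rule ACI."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError(f"unsupported ACI syntax: {aci}")
    name, effect, rights, kind, op, subject = m.groups()
    return {"name": name, "effect": effect, "kind": kind, "negated": op == "!=",
            "subject": subject.lower(), "rights": {r.strip() for r in rights.split(",")}}

def bind_rule_matches(rule, bind_dn, groups):
    """userdn matches the bound DN (or 'anyone'); groupdn matches a group membership."""
    if rule["kind"] == "userdn":
        hit = rule["subject"] == "anyone" or rule["subject"] == bind_dn.lower()
    else:
        hit = rule["subject"] in {g.lower() for g in groups}
    return hit != rule["negated"]  # '!=' inverts the match

def decide(acis, bind_dn, groups, right):
    """Deny wins over allow; with no matching allow the default is deny."""
    rules = [parse_aci(a) for a in acis]
    def applies(r):
        return bind_rule_matches(r, bind_dn, groups) and ("all" in r["rights"] or right in r["rights"])
    if any(r["effect"] == "deny" and applies(r) for r in rules):
        return "denied"
    return "allowed" if any(r["effect"] == "allow" and applies(r) for r in rules) else "denied"

# ACIs from this procedure (constructed with the dc=mycompany,dc=com sample suffix).
OIM_ALLOW = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; '
             'allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com";)')
DEFAULT_DENY = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; '
                'deny (all) userdn="ldap:///anyone";)')
OLD_STYLE_DENY = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; '
                  'deny (all) groupdn!="ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com";)')
PROXY = "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com"
PROXY_GROUPS = ["cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com"]

if __name__ == "__main__":
    print(decide([OIM_ALLOW, DEFAULT_DENY], PROXY, PROXY_GROUPS, "read"))    # denied
    print(decide([OIM_ALLOW], PROXY, PROXY_GROUPS, "read"))                  # allowed
    print(decide([OIM_ALLOW, OLD_STYLE_DENY], PROXY, PROXY_GROUPS, "read"))  # allowed
```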

  5. If you want to enable Oracle Identity Manager (OIM) to lock a user account, you must configure a password policy on the OUD server.

    In the password policy, you must define the maximum number of failed logins after which the source LDAP directory server locks the account. This maximum must have the same value as the pwdMaxFailure parameter defined in the User Management plugin in Section 5.9.5.2.4, "Creating Adapters for Oracle Unified Directory (OUD)".

    Use the following command to configure the OUD password policy (in this instance, 3 failures lock the account):

    dsconfig -h <OUD host> -p <OUD Admin SSL port> -D <OUD Admin id> -j <password file> -X -n set-password-policy-prop --policy-name 'Default Password Policy'
     --set lockout-failure-count:3