This appendix explains how to manually configure LDAP synchronization of Oracle Identity Manager with the LDAP identity store post-installation.
Note:
If you have enabled LDAP synchronization in the Oracle Identity Manager Configuration Wizard at the time of installation, then post-installation enablement of LDAP synchronization is not required, and therefore, you can skip this appendix.
In earlier releases of Oracle Identity Manager, LDAP synchronization can be enabled only at the time of installing Oracle Identity Manager, and postinstallation enablement of LDAP synchronization is not allowed. From Oracle Identity Manager 11g Release 1 (11.1.1.5.0) onwards, postinstallation enablement of LDAP synchronization is supported. Oracle Identity Manager 11g Release 2 (11.1.2.2.0) also supports postinstallation enablement of LDAP synchronization.
See Also:
"Integration Between LDAP Identity Store and Oracle Identity Manager" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about LDAP synchronization
When Oracle Identity Manager with Oracle Internet Directory (OID), iPlanet (ODSEE), Active Directory (AD), or Oracle Unified Directory (OUD) is selected during installation, the virtualization functionality of Oracle Virtual Directory (OVD) is used. Oracle Identity Manager includes the Identity Virtualization Library (libOVD) instead of the stand-alone OVD server. An Oracle Identity Manager deployment can be with or without Identity Virtualization Library (libOVD). With Identity Virtualization Library (libOVD) included in Oracle Identity Manager, the common library is used by Oracle Identity Manager without running its own instance of OVD. Without Identity Virtualization Library (libOVD), Oracle Identity Manager must use a separate instance of OVD.
Note:
The common library is the definition for Identity Virtualization Library (libOVD) that resides in the same Java Virtual Machine (JVM) as Oracle Identity Manager. It is a library in Oracle Identity Manager and not a separate server.
When you select LDAP synchronization in the Oracle Identity Manager installer, you can select any one of the AD, iPlanet (ODSEE), OID, OVD, and OUD options. If you select any of AD, iPlanet (ODSEE), OID, or OUD, then Oracle Identity Manager is installed with Identity Virtualization Library (libOVD). If you select OVD, then LDAP synchronization is enabled, and no manual configuration steps for enabling LDAP synchronization are required. However, postinstallation manual configuration to enable LDAP synchronization is required when LDAP synchronization was not enabled at the time of installing Oracle Identity Manager.
This appendix describes the following configurations for postinstallation enablement of LDAP synchronization:
Customizing User Creation Through Oracle Identity Manager With Different Custom Object Classes
Creating Users in Oracle Identity Manager and Not in LDAP When LDAP Synchronization is Enabled
Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server
In addition, this appendix contains the following sections:
Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP
Enabling Access Logging for Identity Virtualization Library (libOVD)
Configuring LDAP Authentication When LDAP Synchronization is Enabled
To enable LDAP synchronization after Oracle Identity Manager has been deployed:
Note:
In Oracle Identity Manager 11g Release 2 (11.1.2.2.0), the idmConfigTool utility must be run to preconfigure LDAP synchronization. Preconfiguring LDAP means making the LDAP directory ready to have default containers, administrators, and Access Control Lists (ACIs) for Oracle Identity Manager to perform correctly. The procedure to do so is described in "Preconfiguring the Identity Store" in the Oracle Fusion Middleware Installation Guide for Identity and Access Management.
See Appendix D, "Using the idmConfigTool Command" for information about using the idmConfigTool utility.
The idmConfigTool is run in the Enterprise Deployment environment. See Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for details. This is another way of setting up the prerequisites for LDAP synchronization.
In a stand-alone Oracle Identity Manager deployment, for the steps to set up the prerequisites for LDAP synchronization, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
If idmConfigTool is not used to set up the prerequisites, then the database schema must be extended and other steps must be performed, as described in "Completing the Prerequisites for Enabling LDAP Synchronization" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Set the OIM_HOME environment variable to the directory on which Oracle Identity Manager is deployed.
Copy the following files from the MDS to a temporary staging directory, such as /tmp:
Note:
It is mandatory to create a separate staging directory. The $OIM_ORACLE_HOME/server/metadata directory cannot be used as the staging directory because it contains some other files. If these files are imported inadvertently, then it might corrupt the Oracle Identity Manager instance.
The following metadata files, which configure the reconciliation profile and the reconciliation horizontal table entity definition for LDAP user, role, role hierarchy, and role membership reconciliation:
/db/LDAPUser
/db/LDAPRole
/db/LDAPRoleHierarchy
/db/LDAPRoleMembership
/db/RA_LDAPROLE.xml
/db/RA_LDAPROLEHIERARCHY.xml
/db/RA_LDAPROLEMEMBERSHIP.xml
/db/RA_LDAPUSER.xml
/db/RA_MLS_LDAPROLE.xml
/db/RA_MLS_LDAPUSER.xml
These files must be copied to a temporary location before importing, or you might corrupt your instance because oim-config.xml is also present in the same location.
The LDAP event handlers. The predefined event handlers are in the /db/ldapMetadata/EventHandlers.xml file.
The LDAPContainerRules.xml file, consisting of the container information for the users and roles to be created.
Note:
The LDAPContainerRules.xml file can contain rules that use only those attributes that are mapped to the directory. A rule cannot be written by using attributes from foreign objects or attributes that are not part of the entity. This is true for both user and role entities. For example, Role Email cannot be used in rules for roles, and the user's Organization Name cannot be used for the user entity.
Edit the LDAPContainerRules.xml. To do so, open LDAPContainerRules.xml, and replace $DefaultUserContainer$ and $DefaultRoleContainer$ with appropriate user and role container values. For example, replace:
$DefaultUserContainer$ with a value, such as cn=ADRUsers,cn=Users,dc=us,dc=oracle,dc=com
$DefaultRoleContainer$ with a value, such as cn=ADRGroups,cn=Groups,dc=us,dc=oracle,dc=com
Perform the import by using Oracle Enterprise Manager. For information about importing metadata files from MDS, see "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Note:
Make sure that EventHandlers.xml is in the /db/ldapMetadata/ directory when imported into MDS.
Edit IT Resource configuration in Oracle Identity Manager. To do so:
Login to the Oracle Identity System Administration as the System Administrator.
In the left navigation pane, under Configuration, click IT Resource. The Manage IT Resource page is displayed.
Search for the Directory Server IT resource.
Update the IT resource with Search base and Reservation container values.
The suggested value for Search base is the root suffix or the BaseDN, for example, dc=us,dc=oracle,dc=com.
If you want to configure Oracle Identity Manager with OVD server, then enter the values for ServerURL with the OVD server host and port details.
If you want to configure Oracle Identity Manager with Identity Virtualization Library (libOVD), then do not enter the values for ServerURL. It must be empty.
Enter the values for the bind credentials, as shown:
Admin Login: cn=oimadmin
Admin Password: 1111111111
Note:
The Oracle Identity Manager proxy user DN is in the following format:
PROXY_USER,cn=system,ROOT_SUFFIX
For example: cn=oimadmin,cn=system, dc=us,dc=oracle,dc=com
Make sure that the value for the Reservation Container is cn=reserve,VALUE_OF_THE_ROOT_SUFFIX. For example:
Reservation Container: cn=reserve,dc=us,dc=oracle,dc=com
For reconciliation jobs, seed the LDAP reconciliation scheduled jobs into Quartz tables, which are part of Oracle Identity Manager schema. As a prerequisite to do so, set the OIM_ORACLE_HOME environment variable. For example:
For Microsoft Windows, set the OIM_ORACLE_HOME environment variable to the C:\Oracle\Middleware\Oracle_IDM1 directory by running the following command:
set OIM_ORACLE_HOME=C:\Oracle\Middleware\Oracle_IDM
For UNIX, run the following command:
setenv OIM_ORACLE_HOME /u01/mwhome/Oracle_IDM
Seeding the LDAP reconciliation scheduled jobs can be performed in any one of the following ways:
Seeding LDAP reconciliation scheduled jobs with parameters:
Go to the $OIM_ORACLE_HOME/server/setup/deploy-files directory.
Set ant home. The following are sample commands to set ant home:
For UNIX:
setenv ANT_HOME /u01/mwhome/modules/org.apache.ant_1.7.1
For Microsoft Windows:
set ANT_HOME=/u01/mwhome/modules/org.apache.ant_1.7.1
Note:
If ANT is not installed, then download ANT from Oracle Technology Network (OTN) web site by navigating to the following URL:
http://www.oracle.com/technetwork/index.html
Install ANT and set the ANT_HOME. Make sure that the ant executable file exists in the $ANT_HOME/bin/ant/ directory.
Run the following ant command with parameters:
$ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=SCHEMA_OWNER_USERNAME -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=SCHEMA_HOST_ADDRESS -DoperationsDB.port=SCHEMA_PORT_NUMBER -DoperationsDB.serviceName=SCHEMA_SERVICE_NAME -Dssi.provisioning=ON -Dweblogic.server.dir=WEBLOGIC_SERVER_LOCATION -Dojdbc.location=OJDBC_LOCATION -Dwork.dir=seed_logs
For example:
$ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=schemaowner1_OIM -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=myhost.mycompany.com -DoperationsDB.port=1234 -DoperationsDB.serviceName=oimdb.regress.rdbms.mycompany.com -Dssi.provisioning=ON -Dweblogic.server.dir=MW_HOME/wlserver_10.3 -Dojdbc.location=MW_HOME/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar -Dwork.dir=seed_logs
Seeding LDAP reconciliation scheduled jobs with the profile file:
Set the following environment variables:
Set OIM_ORACLE_HOME to the OIM_HOME directory.
Set ANT_HOME to the directory on which ANT is installed.
Note:
If ANT is not installed, then download ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL:
http://www.oracle.com/technetwork/index.html
Install ANT and set the ANT_HOME. Make sure that the ant executable file exists in the $ANT_HOME/bin/ant/ directory.
Go to the $OIM_ORACLE_HOME/server/bin/ directory.
Create a property file with the properties listed in Table E-1.
Note:
You can also use the appserver.profile file instead of creating a new property file. Make sure that the properties listed in this step are present with the values.
Table E-1 Parameters of the Property File
Parameter | Description |
---|---|
operationsDB.user | Oracle Identity Manager database schema owner. |
operationsDB.driver | Constant value of oracle.jdbc.OracleDriver. |
operationsDB.host | Oracle Identity Manager database schema host address. |
OIM.DBPassword | Oracle Identity Manager database schema owner's password. |
operationsDB.serviceName | Oracle Identity Manager database schema service name, for example, oimdb.regress.rdbms.mycompany.com. |
operationsDB.port | Oracle Identity Manager database schema port number. |
ssi.provisioning | Value must be ON. |
weblogic.server.dir | Directory on which Oracle WebLogic Server is installed, for example, MW_HOME/wlserver_10.3. |
ojdbc.location | Directory on which JDBC is installed, for example, MW_HOME/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar. |
work.dir | Any preferred directory on which log files will be created. After successful completion of the target, you can check the logs in the $WORK_DIR/seed_logs/ldap/SeedSchedulerData.log file. |
Go to the $OIM_ORACLE_HOME/server/setup/deploy-files/ directory.
Run the following command:
$ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -propertyfile $OIM_ORACLE_HOME/server/bin/PROPERTY_FILE_NAME
You can add custom object classes and custom attributes while creating a new user by adding the custom attributes as user-defined fields (UDFs) in Oracle Identity Manager as well as to the LDAPUser.xml in MDS. As a prerequisite, the custom object class with one or more attributes must be created and loaded into OID.
To add custom attributes as UDFs in Oracle Identity Manager and LDAPUser.xml in MDS:
Add the custom attributes to the user attributes in Oracle Identity Manager, as described in "Creating a Custom Attribute" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Export the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file from the repository, as described in "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Update the LDAPUser.xml file to add the custom attribute1 custom attribute and the customObjectClass custom object class.
To add additional object classes on 'create', edit LDAPUser.xml and add additional <value> entries to the <parameter name="objectclass"> node. For example:
<parameter name="objectclass">
  <value>orclIDXPerson</value>
  <value>customObjectClass</value>
</parameter>
Add your custom attributes to the three sections of the LDAPUser.xml file. To do so:
Add the attribute entry to the end of the <entity-attributes> tag, for example:
<entity-attributes>
  ...
  ...
  <attribute name="custom attribute1">
    <type>string</type>
    <required>false</required>
    <attribute-group>Basic</attribute-group>
    <searchable>true</searchable>
  </attribute>
</entity-attributes>
Note:
If you are using an OUD LDAP directory, then the custom attribute name must not contain a space. OUD does not allow creating a custom attribute with space in the attribute name.
Add the attribute entry to the end of the <target-fields> tag, for example:
<target-fields>
  ...
  ...
  <field name="customattr1">
    <type>string</type>
    <required>false</required>
  </field>
</target-fields>
Add the attribute entry to the end of the <attribute-maps> tag, for example:
<attribute-maps>
  ...
  ...
  <attribute-map>
    <entity-attribute>custom attribute1</entity-attribute>
    <target-field>customattr1</target-field>
  </attribute-map>
</attribute-maps>
Save and close the LDAPUser.xml file.
Import the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file into the repository, as described in "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
(Optional) If you want to change the RDN attribute from 'cn' to another attribute, then update the <parameter name="rdnattribute"> tag to the new directory attribute name, and then reimport the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file into the repository. For example:
<parameter name="rdnattribute">
  <value>companyid</value>
</parameter>
Test the configuration by creating the new user through Oracle Identity Manager.
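The three-section edit above is easy to get inconsistent by hand: an attribute-map that names a target field that was never added, duplicate entries after a second round of edits, or a directory attribute name containing a space, which the note above says OUD rejects. The following Python script, an added example and not Oracle's code, performs the edit on a constructed and much-simplified LDAPUser.xml skeleton and then validates the result; the skeleton, its root element name and the problem messages are assumptions of this example.

```python
"""Wire a custom attribute into an LDAPUser.xml-style mapping and validate it.
Added example, not Oracle's code. SAMPLE_LDAPUSER_XML is a constructed,
simplified skeleton of the sections this appendix discusses."""
import xml.etree.ElementTree as ET

SAMPLE_LDAPUSER_XML = """<ldap-user-config>
  <parameter name="objectclass">
    <value>orclIDXPerson</value>
  </parameter>
  <entity-attributes>
    <attribute name="User Login">
      <type>string</type>
      <required>true</required>
      <attribute-group>Basic</attribute-group>
      <searchable>true</searchable>
    </attribute>
  </entity-attributes>
  <target-fields>
    <field name="uid">
      <type>string</type>
      <required>true</required>
    </field>
  </target-fields>
  <attribute-maps>
    <attribute-map>
      <entity-attribute>User Login</entity-attribute>
      <target-field>uid</target-field>
    </attribute-map>
  </attribute-maps>
</ldap-user-config>
"""


def _section(root, tag):
    node = root.find(tag)
    if node is None:
        raise ValueError("LDAPUser.xml is missing <%s>" % tag)
    return node


def _objectclass_param(root):
    return next(p for p in root.iter("parameter") if p.get("name") == "objectclass")


def object_classes(xml_text):
    """Object classes applied on 'create', in file order."""
    root = ET.fromstring(xml_text)
    return [v.text.strip() for v in _objectclass_param(root).findall("value")]


def add_custom_attribute(xml_text, entity_attr, target_field, object_class=None):
    """Return new XML with entity_attr (the OIM UDF) mapped to target_field (the
    directory attribute) in all three sections, plus object_class on create."""
    root = ET.fromstring(xml_text)
    if object_class and object_class not in object_classes(xml_text):
        ET.SubElement(_objectclass_param(root), "value").text = object_class
    attr = ET.SubElement(_section(root, "entity-attributes"), "attribute", name=entity_attr)
    for tag, text in (("type", "string"), ("required", "false"),
                      ("attribute-group", "Basic"), ("searchable", "true")):
        ET.SubElement(attr, tag).text = text
    field = ET.SubElement(_section(root, "target-fields"), "field", name=target_field)
    ET.SubElement(field, "type").text = "string"
    ET.SubElement(field, "required").text = "false"
    amap = ET.SubElement(_section(root, "attribute-maps"), "attribute-map")
    ET.SubElement(amap, "entity-attribute").text = entity_attr
    ET.SubElement(amap, "target-field").text = target_field
    if hasattr(ET, "indent"):  # Python 3.9+: keep the file readable after the edit
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def validate_mappings(xml_text, directory_type="OID"):
    """List problems: duplicate names, attribute-maps pointing at an entity
    attribute or target field that does not exist, and, for OUD, a directory
    attribute name containing a space, which the appendix says OUD rejects."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_names = [a.get("name") for a in _section(root, "entity-attributes").findall("attribute")]
    field_names = [f.get("name") for f in _section(root, "target-fields").findall("field")]
    for names, kind in ((entity_names, "entity attribute"), (field_names, "target field")):
        for dup in sorted({n for n in names if names.count(n) > 1}):
            problems.append("duplicate %s '%s'" % (kind, dup))
    for amap in _section(root, "attribute-maps").findall("attribute-map"):
        ea = (amap.findtext("entity-attribute") or "").strip()
        tf = (amap.findtext("target-field") or "").strip()
        if ea not in entity_names:
            problems.append("attribute-map refers to unknown entity attribute '%s'" % ea)
        if tf not in field_names:
            problems.append("attribute-map refers to unknown target field '%s'" % tf)
    if directory_type.upper() == "OUD":
        for name in field_names:
            if " " in name:
                problems.append("target field '%s' contains a space, which OUD does not allow" % name)
    return problems


if __name__ == "__main__":
    updated = add_custom_attribute(SAMPLE_LDAPUSER_XML, "custom attribute1",
                                   "customattr1", "customObjectClass")
    print(updated, "\nproblems:", validate_mappings(updated), validate_mappings(updated, "OUD"))
```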
The changelog query returns incremental changes to user and role entries in the LDAP server to the Oracle Identity Manager database during changelog reconciliation, when the LDAP synchronization incremental reconciliation jobs are run. However, you can choose not to return changes for some LDAP entries, based on a rule or filter, during this changelog reconciliation. To do so, use the includeEntriesFilter filter parameter in the LDAPUser.xml file to filter out the unwanted entries and bring in only the required entries before the data is sent to the reconciliation engine, so that the excluded entries never reach the Oracle Identity Manager database. In other words, attribute-level filtering is supported.
The following example shows how you can specify the attribute-level filtering in the LDAPUser.xml file:
<parameter name="includeEntriesFilter">
  <value>employeeNumber=123456</value>
</parameter>
Here, the <value> tag contains the employeeNumber LDAP attribute and the corresponding value. Only the changelog or user entries from the LDAP server that match the criteria "employeeNumber=123456" are sent to the reconciliation engine, so that those users are reconciled into the Oracle Identity Manager database. Changelog entries that do not match this filter are not sent to the reconciliation engine and are not reconciled into the Oracle Identity Manager database.
The following is a sample of the includeEntriesFilter filter parameter:
(!(LDAP_attribute=val1)(LDAP_attribute=val2)(LDAP_attribute=val3)...)
If the values are variables, then the filter must be "ObjectClass=*". You must specify a variable value for LDAP_attribute as different users have different attribute values.
When LDAP synchronization is enabled, you can configure the 'excludeEntityFilter' parameter in the LDAPUser.xml file to keep selected user entries from being created in LDAP, so that they reside only in Oracle Identity Manager. Based on any Oracle Identity Manager attribute and its value, such users are created in Oracle Identity Manager without being pushed to the LDAP server, even though LDAP synchronization is enabled.
Note:
This feature is supported only for the user entity.
For example, if you want Oracle Identity Manager accounts with act_key=2 not to be created in LDAP, then perform the following steps:
Import the LDAPUser.xml file from MDS.
Add the following filter to LDAPUser.xml:
<parameter name="excludeEntityFilter">
  <value>act_key=2</value>
</parameter>
<parameter name="excludeEntityActions">
  <value>ALL</value>
</parameter>
Export the LDAPUser.xml file to MDS.
Create a user in Oracle Identity Manager with organization act_key as 2. The same user will not be created in LDAP. Note that users created in Oracle Identity Manager that are assigned to organization with act_key other than 2 are successfully created in LDAP.
Another example is to create users only in Oracle Identity Manager but not in LDAP server in LDAP synchronization enabled mode if the user's role matches 'Full-Time'. To do so, use the filter parameter as shown:
<parameter name="excludeEntityFilter">
  <value>Role=Full-Time</value>
</parameter>
<parameter name="excludeEntityActions">
  <value>ALL</value>
</parameter>
In the examples, certain Oracle Identity Manager users are not allowed in LDAP based on the filter and actions. By default, ALL is set for disabling the operations, and no CRUD operation is possible on these users. This is as shown:
<parameter name="excludeEntityActions">
  <value>ALL</value>
</parameter>
The filter that you provide in the LDAPUser.xml file is evaluated and a boolean value is returned to determine whether or not to proceed to LDAP synchronization handlers.
A schema file for these parameters is available in the product. If you want to customize it, then the configuration has to be done in the LDAPUser.xml file, which must be exported back to MDS.
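As an added example, not Oracle's code, the following Python script reads the includeEntriesFilter, excludeEntityFilter and excludeEntityActions parameters from a constructed LDAPUser.xml fragment and applies them to constructed changelog entries and users, showing which entries reach the reconciliation engine and which users stay out of LDAP. The filter grammar it accepts (attr=value, attr=* for presence, and (&..), (|..), (!..) groups, with several children under ! meaning none may match, as in the sample filter above), the case-insensitive matching, and the handling of excludeEntityActions values other than ALL are assumptions of this example.

```python
"""Evaluate the LDAPUser.xml filter parameters described in this appendix.
Added example, not Oracle's code; the XML fragment and changelog entries
below are constructed sample data."""
import xml.etree.ElementTree as ET

SAMPLE_PARAMS_XML = """<ldap-user-config>
  <parameter name="includeEntriesFilter">
    <value>employeeNumber=123456</value>
  </parameter>
  <parameter name="excludeEntityFilter">
    <value>act_key=2</value>
  </parameter>
  <parameter name="excludeEntityActions">
    <value>ALL</value>
  </parameter>
</ldap-user-config>
"""
# Constructed changelog entries, as a changelog adapter would hand them over.
CHANGELOG = [
    {"cn": "jdoe", "employeeNumber": "123456", "objectClass": ["top", "person"]},
    {"cn": "asmith", "employeeNumber": "999999", "objectClass": ["top", "person"]},
    {"cn": "svc-backup", "objectClass": ["top", "person"]},  # no employeeNumber
]


def sync_parameters(xml_text):
    """Map each <parameter name=...> to the list of its <value> texts."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): [v.text.strip() for v in p.findall("value") if v.text]
            for p in root.iter("parameter")}


def _parse(text, i):
    """Parse one component at text[i]: attr=value, attr=*, (&..), (|..), (!..)."""
    while text[i].isspace():
        i += 1
    if text[i] != "(":  # bare attr=value, the form the appendix uses
        end = min(k for k in (text.find("(", i), text.find(")", i), len(text)) if k != -1)
        attr, _, value = text[i:end].partition("=")
        return ("eq", attr.strip(), value.strip()), end
    i += 1
    if text[i] in "&|!":
        op, i, children = text[i], i + 1, []
        while True:
            while text[i].isspace():
                i += 1
            if text[i] == ")":
                return (op, children), i + 1
            child, i = _parse(text, i)
            children.append(child)
    node, i = _parse(text, i)
    if text[i] != ")":
        raise ValueError("expected ')' in filter %r" % text)
    return node, i + 1


def parse_filter(text):
    node, end = _parse(text, 0)
    if text[end:].strip():
        raise ValueError("trailing text in filter %r" % text)
    return node


def filter_matches(node, entry):
    """Evaluate a parsed filter against an entry (attribute -> value or list).
    Names and values compare case-insensitively (assumed case-ignore matching)."""
    if node[0] == "eq":
        _, attr, wanted = node
        values = []
        for key, val in entry.items():
            if key.lower() == attr.lower():
                values.extend(val if isinstance(val, (list, tuple)) else [val])
        if wanted == "*":  # presence test, e.g. ObjectClass=*
            return bool(values)
        return any(str(v).lower() == wanted.lower() for v in values)
    op, results = node[0], [filter_matches(c, entry) for c in node[1]]
    if op == "&":
        return all(results)
    if op == "|":
        return any(results)
    return not any(results)  # "!" over several children: none may match


def entries_for_reconciliation(changelog, params):
    """includeEntriesFilter: only matching entries reach the reconciliation engine."""
    values = params.get("includeEntriesFilter")
    if not values:
        return list(changelog)
    node = parse_filter(values[0])
    return [entry for entry in changelog if filter_matches(node, entry)]


def push_to_ldap(user, action, params):
    """excludeEntityFilter: False when the user stays OIM-only for this action.
    ALL is the documented value; other action names are an assumption here."""
    values = params.get("excludeEntityFilter")
    actions = [a.upper() for a in params.get("excludeEntityActions", ["ALL"])]
    if not values or ("ALL" not in actions and action.upper() not in actions):
        return True
    return not filter_matches(parse_filter(values[0]), user)
```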
You can configure Identity Virtualization Library (libOVD) adapters by using script and template files related to libOVD. Table E-2 lists the files used for Identity Virtualization Library (libOVD) adapter configuration.
Table E-2 Identity Virtualization Library (libOVD) Adapter Configuration Files
File | Description |
---|---|
Files in the $MIDDLEWARE_HOME/oracle_common/modules/oracle.ovd_11.1.1/ directory | Files related to Identity Virtualization Library (libOVD) |
Files in the $MIDDLEWARE_HOME/oracle_common/bin/ directory: libovdadapterconfig.sh, libovdconfig.sh, libovdadapterconfig.bat, libovdconfig.bat | Script files to configure Identity Virtualization Library (libOVD) |
Files in the $MIDDLEWARE_HOME/Oracle_IDM/libovd/ directory: adapter_template_oim_ldap.xml, adapter_template_oim.xml | Template files to configure Identity Virtualization Library (libOVD) |
adapters.os_xml in the $MIDDLEWARE_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/ovd/ADAPTER_NAME/ directory (by default, the value of ADAPTER_NAME is oim) | Configuration file after Identity Virtualization Library (libOVD) has been configured |
To configure Identity Virtualization Library (libOVD) adapters and integrate with Oracle Identity Manager:
Before running the scripts to configure Identity Virtualization Library (libOVD), set the following environment variables:
set MIDDLEWARE_HOME to the appropriate Middleware home directory
set ORACLE_HOME to $MIDDLEWARE_HOME/oracle_common
set WL_HOME to $MIDDLEWARE_HOME/wlserver_10.3
set JAVA_HOME to appropriate jdk6 path ../jdk6
To configure Identity Virtualization Library (libOVD):
Note:
Substitute the appropriate information of your host computer and directory path in the commands to run the scripts for configuring Identity Virtualization Library (libOVD).
To create libOVD configuration files and layout the directory structure, run the following command:
sh $MW_HOME/oracle_common/bin/libovdconfig.sh -domainPath FULL_PATH_OF_DOMAIN -contextName oim -host ADMINSERVER_HOST -port ADMINSERVER_PORT -userName ADMINSERVER_USERNAME
For example:
sh $MW_HOME/oracle_common/bin/libovdconfig.sh -domainPath $MIDDLEWARE_HOME/user_projects/domains/base_domain -contextName oim -host myhost.mycompany.com -port 7001 -userName weblogic
This command creates the directory structure containing the OVD configuration files for Oracle Identity Manager and copies the configuration file templates. In the example, the contextName is assumed to be oim, and therefore, the OVD configuration files are created in the DOMAIN_HOME/config/fmwconfig/ovd/oim/ directory. Here, DOMAIN_HOME is the directory that you are using as the home directory for your domain.
Note:
Because Identity Virtualization Library (libOVD) is included in Oracle Identity Manager, both are deployed on the same web container. Therefore, the Admin Server host and Admin Server port must be of the same computer on which Oracle Identity Manager is installed, and not of the computer on which OID is installed.
Running the command displays the following. Enter the password when prompted.
Enter AdminServer Password:
Successfully created OVD config files
CSF Credential creation successful
Permission Grant successful
Successfully configured OVD MBeans
To create user and changelog adapters, run the following command:
sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath FULL_PATH_OF_DOMAIN -contextName oim -host ADMINSERVER_HOST -port ADMINSERVER_PORT -userName ADMINSERVER_USERNAME -adapterName ADAPTER_NAME -adapterTemplate adapter_template_oim.xml -bindDN LDAP_BIND_DN -createChangelogAdapter -dataStore LDAP_DIRECTORY_TYPE -ldapHost LDAP_HOST -ldapPort LDAP_PORT -remoteBase REMOTE_BASE -root VIRTUAL_BASE
Here, template is oim template. This creates the adapters with the information you provide when running this script, based on the Oracle Identity Manager template. In the command examples shown in this step, contextName is assumed to be oim.
Note:
Because Identity Virtualization Library (libOVD) is included in Oracle Identity Manager, both are deployed on the same web container. Therefore, the Admin Server host and Admin Server port must be of the same computer on which Oracle Identity Manager is installed, and not of the computer on which OID is installed.
In the parameters that you pass while running the tool, value for the -dataStore argument must be the backend directory type. Valid values for this parameter, when using the adapter_template_oim.xml, are OID, ACTIVE_DIRECTORY, IPLANET, and OUD.
If the backend LDAP server port is configured over SSL, then Oracle Identity Manager user must use keytool to import the trusted certificate from the LDAP server into Identity Virtualization Library (libOVD) keystore. To do so, refer to "Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server".
Example with non-SSL LDAP server port:
sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myadminserver.mycompany.com -port 7001 -userName weblogic -adapterName LDAP1 -adapterTemplate adapter_template_oim.xml -bindDN "cn=orcladmin" -createChangelogAdapter -dataStore OID -ldapHost myldaphost.mycompany.com -ldapPort 3060 -remoteBase "dc=us,dc=oracle,dc=com" -root "dc=us,dc=oracle,dc=com"
Enter AdminServer Password:
Enter LDAP Server Password:
Example with LDAP server port configured over SSL:
Note:
If you are using SSL port for the LDAP port, then provide the -enableSSL parameter in the libovdadapterconfig.sh or libovdadapterconfig.bat command.
sh $MW_HOME/oracle_common/bin/libovdadapterconfig.sh -domainPath $MW_HOME/user_projects/domains/base_domain -contextName oim -host myadminserver.mycompany.com -port 7001 -userName weblogic -adapterName LDAP1 -adapterTemplate adapter_template_oim.xml -bindDN "cn=orcladmin" -createChangelogAdapter -dataStore OID -ldapHost myldaphost.mycompany.com -ldapPort 3161 -enableSSL -remoteBase "dc=us,dc=oracle,dc=com" -root "dc=us,dc=oracle,dc=com"
Enter AdminServer Password:
Enter LDAP Server Password:
Restart the web container and Oracle Identity Manager by running the following commands:
cd $MIDDLEWARE_HOME/user_projects/domains/DOMAIN_NAME/bin/
./stopManagedWebLogic.sh oim_server1
./stopWebLogic.sh
./startWebLogic.sh
./startManagedWebLogic.sh oim_server1
To integrate Oracle Identity Manager to Oracle Identity Virtualization (libOVD):
Login to Oracle Identity System Administration.
Under Configuration on the left pane, click IT Resource. The Manage IT Resource page is displayed in a separate window.
From the IT Resource Type list, select Directory Server, and then click Search.
For the Directory Server IT resource, click Edit. The Edit IT Resource Details and Parameters page is displayed.
In the Search Base field, enter a value, for example, dc=oracle,dc=com.
In the User Reservation Container field, enter a value, for example, cn=reserve,dc=us,dc=oracle,dc=com.
Restart the WebLogic server on which Oracle Identity Manager is deployed.
Try accessing the server and manage users and roles through the Oracle Identity System Administration.
To verify that the data is managed in the LDAP server configured with the -dataStore option, connect to the LDAP server directly through the ldapclient tool.
For SSL, you must export the server side certificates from the directory server and import into Identity Virtualization Library (libOVD), as described in the following sections:
Enabling SSL Between Identity Virtualization Library (libOVD) and Microsoft Active Directory
Enabling SSL Between Identity Virtualization Library (libOVD) and iPlanet
Enabling SSL Between Identity Virtualization Library (libOVD) and OID
To export the server side certificates from Active Directory and import into Identity Virtualization Library (libOVD):
Export the certificate from the Active Directory server by referring to the instructions in the following Microsoft TechNet documents:
http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc772898%28WS.10%29.aspx
Retrieve the CA signing certificate and save it to a file. To do so:
Login to the Active Directory domain server as a domain administrator.
Click Start, Control Panel, Administrative Tools, Certificate Authority to open the CA Microsoft Management Console (MMC).
Right-click the CA computer, and select CA Properties.
From the General menu, select View Certificate.
Select the Details view, and click Copy to File on the lower-right corner of the window.
Use the Certificate Export wizard to save the CA certificate in a file by running the following command:
certutil -ca.cert OutCACertFile
Note:
You can save the CA certificate in either DER encoded binary X.509 format or Base-64 encoded X.509 format.
Import the Active Directory server certificate created in step 3f to the Identity Virtualization Library (libOVD) keystore as a trusted entry by running the following command:
$ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file OutCACertFile -noprompt
To export certificates from iPlanet (ODSEE) and import into Identity Virtualization Library (libOVD) for enabling SSL between Identity Virtualization Library (libOVD) and iPlanet (ODSEE):
To export certificate from iPlanet (ODSEE), run the following command:
dsadm export-cert -o OUTPUT_FILE INSTANCE_PATH CERT_ALIAS
For example:
./dsadm export-cert -o /tmp/server-cert /scratch/aime1/iPlanet/dsInst/ defaultCert
Choose the PKCS#12 file password:
Confirm the PKCS#12 file password:
ls -lrt /tmp
-rw------- 1 aime1 svrtech 1684 Jan 20 00:39 server-cert
To import the iPlanet (ODSEE) certificate created in step 1 to the Identity Virtualization Library (libOVD) keystore as a trusted entry, run the following command:
$ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass PASSWORD -alias ALIAS_VALUE_USED_FOR_EXPORT -file SERVER-CERT_FILENAME -noprompt
Note:
Provide the same certificate alias name, which you provided for exporting the certificate, for the '-alias' parameter while importing the certificate. For example:
$ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias defaultCert -file server-cert -noprompt
In addition, export/import certificates as instructed in the ODSEE documentation in the following URL:
http://docs.oracle.com/cd/E19656-01/821-1504/gcvhu/index.html
To export the server side certificates from OID and import into Identity Virtualization Library (libOVD):
Export the Oracle Internet Directory server certificate in Base64 format using the following command:
orapki wallet export -wallet LOCATION_OF_OID_WALLET -dn DN_FOR_OID_SERVER_CERTIFICATE -cert ./b64certificate.txt
Note:
If you use a certificate alias in the orapki command, then an error is generated if the alias is not in all lower case letters.
Import the Oracle Internet Directory server certificate created in step 2 to the Identity Virtualization Library (libOVD) keystore as a trusted entry using the following command:
$ORACLE_HOME/jdk/jre/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/keystores/adapters.jks -storepass password -alias alias -file OutCACertFile -noprompt
If you create users and roles in Oracle Identity Manager deployment without LDAP synchronization, and later decide to enable LDAP synchronization, then the users and roles created before LDAP synchronization enablement must be synced with LDAP after enablement. The provisioning of users, roles, role memberships, and role hierarchy to LDAP is achieved by the following predefined scheduled jobs for LDAP:
LDAPSync Post Enable Provision Users to LDAP
LDAPSync Post Enable Provision Roles to LDAP
LDAPSync Post Enable Provision Role Memberships to LDAP
LDAPSync Post Enable Provision Role Hierarchy to LDAP
For details about these scheduled jobs, see "Predefined Scheduled Tasks" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
To disable LDAP synchronization in Oracle Identity Manager deployment:
Remove the /db/ldapMetadata/EventHandlers.xml file from MDS by using Oracle Enterprise Manager. See "Migrating User Modifiable Metadata Files" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about deleting metadata files from MDS.
Log in to Oracle Identity System Administration as the System Administrator.
Disable all scheduled jobs mentioned in "Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP".
When you select OID or ODSEE or AD during Oracle Identity Manager installation, and if LDAP synchronization is enabled at that time, then Identity Virtualization Library (libOVD) adapters are generated in the back-end.
If you do not enable LDAP synchronization during Oracle Identity Manager installation, and want to enable LDAP synchronization after installing Oracle Identity Manager, then you must create and configure libOVD adapters. See "Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager" and "Managing Identity Virtualization Library (libOVD) Adapters" for details.
If you have OVD server configured and want to enable LDAP synchronization after installing Oracle Identity Manager, then the IT Resource page for the Directory Server IT resource type must be configured with the OVD server details. See step 5 in "Enabling Postinstallation LDAP Synchronization".
If OVD server is not configured for the adapters, then you must create the OVD adapters for various default LDAP servers. For details, see "Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
If you are configuring OVD for integration with Oracle Identity Manager, then refer to the following topics for information about creating OVD adapters for OID and AD:
You can use the UserManagement plug-in to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.
To do this, perform the following tasks on IDMHOST1:
Ensure you have set all of the necessary environment variables as described in Section D.2, "Set Up Environment Variables".
Create a properties file for the Oracle Internet Directory adapter called ovd1.props as follows:
Note:
The usecase.type:single parameter is not supported for Active Directory via the configOVD option.
ovd.host:ovdhost1.mycompany.com
ovd.port:8899
ovd.binddn:cn=orcladmin
ovd.password:ovdpassword
ovd.oamenabled:true
ovd.ssl:true
ldap1.type:OID
ldap1.host:oididstore.myhost.mycompany.com
ldap1.port:3060
ldap1.binddn:cn=orcladmin,cn=systemids,dc=mycompany,dc=com
ldap1.password:oidpassword
ldap1.ssl:false
ldap1.base:dc=mycompany,dc=com
ldap1.ovd.base:dc=mycompany,dc=com
usecase.type: single
The following table describes the parameters used in the properties file.
Parameter | Description |
---|---|
ovd.host | Host name of a server running Oracle Virtual Directory. |
ovd.port | The https port used to access Oracle Virtual Directory. |
ovd.binddn | User DN used to connect to Oracle Virtual Directory. |
ovd.password | Password for the DN used to connect to Oracle Virtual Directory. |
ovd.oamenabled | Always true in |
ovd.ssl | Set to true, as you are using an https port. |
ldap1.type | Set to OID for the Oracle Internet Directory back end directory or set to AD for the Active Directory back end directory. |
ldap1.host | Host on which the back end directory is located. Use the load balancer name. |
ldap1.port | Port used to communicate with the back end directory. |
ldap1.binddn | Bind DN of the oimLDAP user. |
ldap1.password | Password of the oimLDAP user. |
ldap1.ssl | Set to true if you are using the back end's SSL connection, and otherwise set to false. Always set this parameter to true when creating an adapter for AD. |
ldap1.base | Base location in the directory tree. |
ldap1.ovd.base | Mapped location in Oracle Virtual Directory. |
usecase.type | Set to single when using a single directory type. |
Configure the adapter by using the idmConfigTool command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
The syntax on Windows is:
idmConfigTool.bat -configOVD input_file=configfile [log_file=logfile]
For example:
idmConfigTool.sh -configOVD input_file=ovd1.props
The command requires no input. The output looks like this:
The tool has completed its operation. Details have been logged to logfile
Run this command for each Oracle Virtual Directory instance in your topology, with the appropriate value for ovd.host in the property file.
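The following Python script is an added example, not part of this guide or of idmConfigTool, that checks an ovd1.props file before the tool is run. It assumes the key names of the sample above and encodes the constraints stated in this topic (ldap1.ssl must be true for AD, usecase.type:single is not supported for AD via configOVD, and ovd.ssl is true because ovd.port is the https port). The AD variant it checks is constructed for the example by switching the sample's ldap1.type to AD.

```python
import re

# Keys of the ovd1.props sample above, in the order the parameter table lists them.
REQUIRED_KEYS = (
    "ovd.host", "ovd.port", "ovd.binddn", "ovd.password", "ovd.oamenabled",
    "ovd.ssl", "ldap1.type", "ldap1.host", "ldap1.port", "ldap1.binddn",
    "ldap1.password", "ldap1.ssl", "ldap1.base", "ldap1.ovd.base", "usecase.type",
)
BOOLEAN_KEYS = ("ovd.oamenabled", "ovd.ssl", "ldap1.ssl")
PORT_KEYS = ("ovd.port", "ldap1.port")
DN_KEYS = ("ovd.binddn", "ldap1.binddn", "ldap1.base", "ldap1.ovd.base")

# Java-properties style "key:value" or "key=value"; the first separator ends the key,
# so DN values containing "=" are kept intact.
_LINE = re.compile(r"^\s*([^\s:=]+)\s*[:=]\s*(.*?)\s*$")
# Loose DN shape: attr=value components separated by commas.
_DN = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")

# The OID sample from the text, one property per line (the passwords are sample values).
SAMPLE_PROPS = """\
ovd.host:ovdhost1.mycompany.com
ovd.port:8899
ovd.binddn:cn=orcladmin
ovd.password:ovdpassword
ovd.oamenabled:true
ovd.ssl:true
ldap1.type:OID
ldap1.host:oididstore.myhost.mycompany.com
ldap1.port:3060
ldap1.binddn:cn=orcladmin,cn=systemids,dc=mycompany,dc=com
ldap1.password:oidpassword
ldap1.ssl:false
ldap1.base:dc=mycompany,dc=com
ldap1.ovd.base:dc=mycompany,dc=com
usecase.type: single
"""

# Constructed AD variant that keeps the settings the text says are wrong for AD.
AD_PROPS = SAMPLE_PROPS.replace("ldap1.type:OID", "ldap1.type:AD")


def parse_props(text):
    """Parse the properties file into a dict; blank lines and # comments are skipped."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = _LINE.match(raw)
        if not match:
            raise ValueError(f"line {lineno}: not a key:value pair: {raw!r}")
        props[match.group(1)] = match.group(2)
    return props


def validate_props(props):
    """Return a list of findings; an empty list means the file passes every check."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"{key}: missing or empty")
    for key in BOOLEAN_KEYS:
        if key in props and props[key].lower() not in ("true", "false"):
            findings.append(f"{key}: must be true or false")
    for key in PORT_KEYS:
        if key in props and not (props[key].isdigit() and 1 <= int(props[key]) <= 65535):
            findings.append(f"{key}: must be a TCP port number")
    for key in DN_KEYS:
        if key in props and not _DN.match(props[key]):
            findings.append(f"{key}: does not look like a DN")
    ldap_type = props.get("ldap1.type")
    if ldap_type is not None and ldap_type not in ("OID", "AD"):
        findings.append("ldap1.type: must be OID or AD")
    if ldap_type == "AD":
        # Both constraints come from the text: ldap1.ssl is always true for AD, and
        # usecase.type:single is not supported for AD via configOVD.
        if props.get("ldap1.ssl", "").lower() != "true":
            findings.append("ldap1.ssl: must be true when ldap1.type is AD")
        if props.get("usecase.type", "").lower() == "single":
            findings.append("usecase.type: single is not supported for AD via configOVD")
    if props.get("ovd.ssl", "").lower() != "true":
        findings.append("ovd.ssl: should be true because ovd.port is the https port")
    return findings


if __name__ == "__main__":
    for label, text in (("OID sample", SAMPLE_PROPS), ("AD variant", AD_PROPS)):
        print(label, validate_props(parse_props(text)) or "OK")
```

Run it against the real file before calling idmConfigTool.sh -configOVD; the OID sample passes cleanly, while the AD variant is reported for both ldap1.ssl and usecase.type. Because the file carries bind passwords, keep it readable only by the account that runs the tool.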
This topic describes the plug-ins designed for use when Oracle Virtual Directory is a connector target for Oracle Identity Manager integrations.
The UserManagement plug-in provides data mapping for Oracle Identity Manager attributes to LDAP directory servers.
The UserManagement plug-in has the following configuration parameters:
removeObjectclass: Comma-separated list of objectclasses that need to be removed on an add/modify request.
removeAttribute: Comma-separated list of attributes that will be virtually removed from entries before they are returned to the client.
exclusionMapping: Defines the exclusion of a specific attribute mapping on a specific objectclass. For example, specifying a parameter with the value inetorgperson,uid=samaccountname excludes mapping a uid to samaccountname on entries of objectclass inetorgperson. Using multiple instances of this option allows for multiple exclusions on mappings.
oimLanguages: Comma-separated list of language codes to be used in attribute language subtypes. This parameter is functional only when the directoryType parameter is set to ActiveDirectory.
oamEnabled: True or False: Indicates whether Oracle Access Management Access Manager (Access Manager) is deployed with Oracle Identity Manager. By default, Access Manager is not deployed; therefore the default setting for this parameter is false.
Note:
The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
directoryType: Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.
Note:
The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
ssladapter: The ssladapter parameter, which is operational only when the directoryType parameter is set to ActiveDirectory, identifies the name of the adapter to which the UserManagement plug-in routes requests when userPassword or unicodePwd is contained in requests. If unicodePwd is contained in the request, the request must also contain the userAccountControl attribute with a proper value.
The adapter identified by the ssladapter parameter must have:
The same local base as the adapter the UserManagement plug-in is configured on
Its Routing Visibility set to Internal
If no value is set for ssladapter, the current adapter is used by default.
mapAttribute: Defines the attribute translation in the form of OVD-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.
mapPassword: True or False. When the directoryType configuration parameter is set to ActiveDirectory, the mapPassword parameter controls whether to convert the user password to the unicodePwd attribute. The default value is false.
mapRDNAttribute: Defines the RDN attribute translation in the form of OVD-RDNattribute=OIM-RDNattribute, for example: uid=cn.
pwdMaxFailure: Identifies the maximum number of failed logins the source LDAP directory server requires to lock an account (as defined by the password policy effective on the user entries being exposed through the adapter on which this plug-in is deployed).
Note:
Parameter values for XL.MaxLoginAttempts, pwdMaxFailure, and lockout count must be the same in LDAP-enabled setups. In LDAP-enabled environments, the values specified for these attributes must be consistent for lock/unlock to work consistently. For example, in LDAP-enabled environment with libOVD and OUD, the value of the XL.MaxLoginAttempts system property is set to 10, and pwdMaxFailure in adapters.os_xml is set to 10. However, the OUD lockout-failure-count is set to 25. For lock/unlock to work consistently, the attribute values in OUD and adapters.os_xml must be the same.
mapObjectclass: Defines the objectclass value translation in the form of OVD-objectclass=OIM-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.
Note:
The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
addAttribute: In the form of attribute=value pairs, this parameter identifies attributes to be added before returning the get operation result. You can prefix the attribute name with objectclass, to add the attribute and value to a specific objectclass. You can also surround a value with % to reference other attributes. For example, specifying the value user,samaccountname=%cn% assigns the value of cn to samaccountname when the entry has objectclass=user. Specifying the value samaccountname=jdoe adds the attribute samaccountname with value jdoe to all entries.
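The following Python script is an added example, not part of this guide or of Oracle Virtual Directory, that reads pwdMaxFailure from an adapters.os_xml excerpt and compares it with the XL.MaxLoginAttempts and directory lockout values that the note above says must agree. The XML layout of the excerpt and the element names it walks are assumed, not taken from this guide, so adapt the paths to the real file; the two other thresholds are passed in as numbers because they live in the Oracle Identity Manager system properties and in the directory's password policy, not in this file.

```python
import xml.etree.ElementTree as ET

# Constructed adapters.os_xml excerpt. The element names below are an ASSUMED layout
# for a plug-in's parameters, not taken from the guide; check them against the real file.
ADAPTERS_OS_XML = """<adapters>
  <ldap id="ldap1">
    <pluginChains>
      <plugins>
        <plugin>
          <name>UserManagement</name>
          <initParams>
            <param name="directoryType" value="OID"/>
            <param name="pwdMaxFailure" value="10"/>
          </initParams>
        </plugin>
      </plugins>
    </pluginChains>
  </ldap>
</adapters>"""


def read_plugin_param(xml_text, adapter_id, plugin_name, param_name):
    """Return the value of one plug-in parameter on one adapter, or None if absent."""
    root = ET.fromstring(xml_text)
    for adapter in root:
        if adapter.get("id") != adapter_id:
            continue
        for plugin in adapter.iter("plugin"):
            if plugin.findtext("name") != plugin_name:
                continue
            for param in plugin.iter("param"):
                if param.get("name") == param_name:
                    return param.get("value")
    return None


def check_lockout_consistency(xl_max_login_attempts, pwd_max_failure, directory_lockout_count):
    """Compare the three failed-login thresholds the note says must be identical.

    Returns [] when they agree; otherwise one finding that names every value, so
    the administrator can see which setting diverged. A None value means a
    threshold could not be read and is reported rather than silently ignored.
    """
    values = {
        "XL.MaxLoginAttempts (OIM system property)": xl_max_login_attempts,
        "pwdMaxFailure (UserManagement plug-in, adapters.os_xml)": pwd_max_failure,
        "lockout failure count (directory password policy)": directory_lockout_count,
    }
    listing = ", ".join(f"{name}={value}" for name, value in values.items())
    if None in values.values():
        return ["a threshold could not be read: " + listing]
    if len(set(values.values())) == 1:
        return []
    return ["lockout thresholds differ: " + listing]


def check_from_config(xml_text, xl_max_login_attempts, directory_lockout_count, adapter_id="ldap1"):
    """Read pwdMaxFailure for the adapter from the config text and run the check."""
    raw = read_plugin_param(xml_text, adapter_id, "UserManagement", "pwdMaxFailure")
    pwd_max_failure = int(raw) if raw is not None and raw.isdigit() else None
    return check_lockout_consistency(xl_max_login_attempts, pwd_max_failure, directory_lockout_count)


if __name__ == "__main__":
    # The mismatch described in the note: OIM and the plug-in at 10, the directory at 25.
    print(check_from_config(ADAPTERS_OS_XML, 10, 25) or "consistent")
```

With the values from the note (10, 10 and 25) the check reports a single finding; with the directory set to 10 as well it reports nothing. When the thresholds disagree, Oracle Identity Manager and the directory lock the account at different points, so the same user can appear locked in one place and not the other.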
Note:
Prior to release 11.1.1.4.0, Oracle Virtual Directory had three changelog plug-ins:
oidchangelog for use with Oracle Internet Directory
sunonechangelog for use with Oracle Directory Server Enterprise Edition
adchangelog for use with Microsoft Active Directory
These three plug-ins were deprecated in release 11.1.1.4.0 and a new, single Changelog plug-in is now available. You can use this plug-in with Oracle Internet Directory, Oracle Directory Server Enterprise Edition, and Microsoft Active Directory.
When deploying the single Changelog plug-in, you must:
Set the adapter's Remote Base to an empty value; that is, blank, nothing.
Set the adapter's Mapped Namespace to: cn=changelog
If the back-end is Oracle Directory Server Enterprise Edition, be sure to enable change logging on Oracle Directory Server Enterprise Edition.
If you are using a version of Oracle Virtual Directory that was released prior to 11.1.1.4.0, you must use the following changelog plug-ins to standardize changelog information from source directories into a suitable format for Oracle Identity Manager.
Note:
These plug-ins will not work with Oracle Virtual Directory release 11.1.1.4.0.
For Oracle Internet Directory
Use the oidchangelog plug-in with Oracle Internet Directory.
When deploying the oidchangelog plug-in, you must set the adapter's Remote Base to an empty value; that is, blank, nothing.
For Oracle Directory Server Enterprise Edition
Use the sunonechangelog plug-in with Oracle Directory Server Enterprise Edition.
When deploying the sunonechangelog plug-in, you must:
Set the adapter's Remote Base to an empty value; that is, blank, nothing.
Ensure change logging is enabled on the Oracle Directory Server Enterprise Edition.
Set the adapter's Mapped Namespace to: cn=changelog
For Microsoft Active Directory
Use the adchangelog plug-in with Microsoft Active Directory.
When deploying the adchangelog plug-in, you must:
Set the adapter's Remote Base to an empty value; that is, blank, nothing.
Set the adapter's Mapped Namespace to: cn=changelog
Each of the changelog plug-ins has the following configuration parameters:
removeAttribute: Comma-separated list of attributes that are virtually removed from entries before they are returned to the client.
oimLanguages: Comma-separated list of languages to be used in attribute language subtypes.
skipErrors: True or False. If set to false and the plug-in encounters a corrupted changelog entry, the plug-in throws a DirectoryException and stops processing further changelog entries. If set to true, the plug-in logs an error without throwing an exception, skips this changelog entry, and continues processing the next changelog entries. The default value is false.
oamEnabled: True or False: Indicates whether Access Manager is deployed with Oracle Identity Manager. By default, Access Manager is not deployed; therefore the default setting for this parameter is false.
Note:
The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
directoryType: Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.
Note:
The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
mapObjectclass: Defines the objectclass value translation in the form of OIM-objectclass=Source-Directory-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses.
In the Oracle Identity Manager use case, the following parameters are configured out-of-the-box:
For Active Directory: inetorgperson=user, orclidxperson=user, and groupOfUniqueNames=group
For Oracle Directory Server Enterprise Edition: container=nsContainer and changelog=changelogentry
For Oracle Internet Directory: container=orclContainer
Note:
The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.
sizeLimit: Identifies the maximum number of changelog entries to be returned. A zero (0) or a negative value means no size restriction.
If the incoming search request specifies a size constraint, then the smaller value is used. For example, if you specify the plug-in's sizeLimit as 100, and the search request's count limit is 200, then the actual size limit of the request is reset to 100.
mapAttribute: Defines the attribute translation in the form of Source-Directory-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.
targetDN: Identifies the container to retrieve changes from. This parameter can be set multiple times to identify multiple containers to retrieve changes from. If set multiple times, the targetDN filter looks similar to the following example, and this targetDN filter is "ANDed" to the incoming filter:
"(|(targetDN=*cn=users,dc=mycom1)(targetDN=*,cn=groups,dc=mycom2))"
Sample values include:
*,cn=xxx,dc=yyy
*cn=xxx,dc=yyy
cn=xxx,dc=yyy (must be a descendant of the local base of the adapter specified in virtualDITAdapterName)
All of these samples have the same meaning.
requiredAttribute: Comma-separated list of attributes to always be retrieved from the source LDAP directory server, regardless of the return attributes list specified for changelog queries to Oracle Virtual Directory.
addAttribute: Comma-separated list of attributes to be added to the normalized changelog entry. For example, orclContainerOC=1, changelogSupported=1, where =1 indicates that the changes retrieved from the source directory support changelog.
mapUserState: True or False. This parameter enables or disables the mapping of the directory-specific account attributes to Oracle Virtual Directory virtual account attributes.
modifierDNFilter: Single-valued configuration parameter that defines an LDAP filter on modifiersName. This parameter is "ANDed" to the incoming filter. An example value is "(modifiersName=cn=myadmin,cn=users,dc=mycom)".
Note:
This configuration does not take effect if directoryType=ActiveDirectory.
virtualDITAdapterName: Identifies the corresponding user profile adapter name.
For example, in a single-directory deployment, you can set this parameter value to "A1", which is the user adapter name. In a split-user profile scenario, you can set this parameter to "J1;A2", where "J1" is the JoinView adapter name, and "A2" is the corresponding user adapter in "J1".
This parameter can be multi-valued, which means there are multiple base entry adapters configured for the same back-end directory server as this changelog adapter.
If you set this parameter to "A1", the plug-in fetches the mapAttribute and mapObjectclass configuration from the UserManagement plug-in of adapter A1, so you do not have to duplicate those configurations.
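The following Python functions are an added example, not part of this guide or of the Changelog plug-in, that show how the targetDN, modifierDNFilter, virtualDITAdapterName and sizeLimit parameters described above combine: the three targetDN spellings are normalized to one container, each container is checked to be a descendant of the adapter's local base, and the resulting terms are ANDed to the incoming filter. The filter strings follow the examples in this topic; the local base and incoming filter values used in the test are constructed.

```python
def normalize_target_container(value):
    """Map the three equivalent targetDN spellings from the text to one container DN.

    "*,cn=xxx,dc=yyy", "*cn=xxx,dc=yyy" and "cn=xxx,dc=yyy" all mean
    "entries under cn=xxx,dc=yyy".
    """
    dn = value.strip()
    if dn.startswith("*"):
        dn = dn[1:].lstrip(",")
    return dn.strip()


def is_descendant_of(dn, base):
    """True when dn lies strictly below base (component-wise, case-insensitive)."""
    d = [c.strip().lower() for c in dn.split(",")]
    b = [c.strip().lower() for c in base.split(",")]
    return len(d) > len(b) and d[-len(b):] == b


def target_dn_filter(containers, local_base):
    """Build the ORed targetDN filter for the configured containers.

    Raises ValueError for a container that is not under the adapter's local base,
    which is the constraint the text attaches to virtualDITAdapterName.
    """
    clauses = []
    for container in containers:
        dn = normalize_target_container(container)
        if not is_descendant_of(dn, local_base):
            raise ValueError(f"{dn} is not a descendant of local base {local_base}")
        clauses.append(f"(targetDN=*,{dn})")
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def effective_filter(incoming, containers, local_base, modifier_dn_filter=None,
                     directory_type="OID"):
    """AND the incoming changelog filter with the plug-in's targetDN and modifierDNFilter terms."""
    parts = [incoming]
    if containers:
        parts.append(target_dn_filter(containers, local_base))
    # The text states that modifierDNFilter has no effect when directoryType=ActiveDirectory.
    if modifier_dn_filter and directory_type != "ActiveDirectory":
        parts.append(modifier_dn_filter)
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def effective_size_limit(plugin_size_limit, request_size_limit):
    """Zero or negative means unlimited; otherwise the smaller of the two limits wins."""
    limits = [n for n in (plugin_size_limit, request_size_limit) if n > 0]
    return min(limits) if limits else 0
```

The descendant check is the part worth keeping in a pre-deployment script: a targetDN outside the local base of the adapter named in virtualDITAdapterName is accepted as a string but never matches any change, so synchronization silently stops for that container.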
This topic describes how to enable debugging in Oracle Virtual Directory, which can be useful if you need to troubleshoot your Oracle Identity Manager and Oracle Virtual Directory integration.
To enable debugging, perform the following steps:
Open a command window and go to the following location, where ORACLE_INSTANCE is the Oracle Virtual Directory instance directory:
ORACLE_INSTANCE/config/OVD/ovd1
Save a copy of the ovd-logging.xml file.
Edit the ovd-logging.xml file as follows:
Change line #25 from:
<logger name='com.octetstring.vde' level='NOTIFICATION:1' useParentHandlers='false'>
to
<logger name='com.octetstring.vde' level='TRACE:32' useParentHandlers='false'>
Change line #28 from:
<logger name='com.octetstring.accesslog' level='ERROR:1' useParentHandlers='false'>
to
<logger name='com.octetstring.accesslog' level='NOTIFICATION:1' useParentHandlers='false'>
Restart Oracle Virtual Directory by typing the following:
cd ORACLE_INSTANCE/bin
./opmnctl stopproc ias-component=ovd1
./opmnctl startproc ias-component=ovd1
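The following Python script is an added example, not part of this guide or of Oracle Virtual Directory. It makes the two ovd-logging.xml changes above by logger name rather than by line number, so it does not depend on the file's layout, and it reports what it changed and which requested loggers it could not find. The excerpt it edits is constructed: the two logger elements are the ones quoted above, while the surrounding logging_configuration and handler elements are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed ovd-logging.xml excerpt. The two <logger> elements are the ones quoted
# in the steps above; the <logging_configuration> wrapper and the handler are assumed.
OVD_LOGGING_XML = """<logging_configuration>
  <log_handlers>
    <log_handler name='ovd-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'/>
  </log_handlers>
  <loggers>
    <logger name='com.octetstring.vde' level='NOTIFICATION:1' useParentHandlers='false'>
      <handler name='ovd-handler'/>
    </logger>
    <logger name='com.octetstring.accesslog' level='ERROR:1' useParentHandlers='false'>
      <handler name='ovd-handler'/>
    </logger>
  </loggers>
</logging_configuration>"""

# The levels the troubleshooting steps above set, keyed by logger name.
DEBUG_LEVELS = {
    "com.octetstring.vde": "TRACE:32",
    "com.octetstring.accesslog": "NOTIFICATION:1",
}


def logger_levels(xml_text):
    """Map every logger name in the file to its current level."""
    return {lg.get("name"): lg.get("level") for lg in ET.fromstring(xml_text).iter("logger")}


def set_logger_levels(xml_text, levels):
    """Set logger levels by name. Returns (new_xml, changed, missing).

    changed maps each logger that was updated to (old_level, new_level); missing lists
    requested logger names not present in the file, so a typo in a name is reported
    instead of silently doing nothing.
    """
    root = ET.fromstring(xml_text)
    changed = {}
    seen = set()
    for logger in root.iter("logger"):
        name = logger.get("name")
        seen.add(name)
        if name in levels and logger.get("level") != levels[name]:
            changed[name] = (logger.get("level"), levels[name])
            logger.set("level", levels[name])
    missing = sorted(set(levels) - seen)
    return ET.tostring(root, encoding="unicode"), changed, missing


def restore_logger_levels(xml_text, original_levels):
    """Put the levels from the saved copy back once troubleshooting is finished."""
    return set_logger_levels(xml_text, original_levels)[0]


if __name__ == "__main__":
    new_xml, changed, missing = set_logger_levels(OVD_LOGGING_XML, DEBUG_LEVELS)
    print("changed:", changed, "missing:", missing)
```

ElementTree rewrites attribute quotes and drops XML comments and the declaration, so compare its output with the saved copy before replacing the file. TRACE:32 records request and entry details in the log, so use the saved copy (or restore_logger_levels with the levels read from it) to put the original levels back when the investigation is over.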
In an Oracle Identity Manager deployment with LDAP synchronization enabled and AD, iPlanet (ODSEE), or OID as the directory server, you can manage the Identity Virtualization Library (libOVD) adapters by using WLST commands.
See Also:
Library Oracle Virtual Directory (LibOVD) Commands in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information about the WLST commands to manage Library Oracle Virtual Directory (LibOVD) adapters
To manage the Identity Virtualization Library (libOVD):
Start the WLST console. To do so, run $FMW_ROOT/Oracle_IDM1/common/bin/wlst.sh. This path can be referenced as $OIM_ORACLE_HOME/common/bin/wlst.sh.
Here, $FMW_ROOT refers to your $MW_HOME directory. For example, for this binary location, it can be the /u01/apps/mwhome/ directory.
$OIM_ORACLE_HOME refers to the directory in which Oracle Identity Manager is deployed. For example, /u01/apps/mwhome/Oracle_IDM1/ must point to OIM_ORACLE_HOME.
In the WLST console, run the following command:
connect()
When prompted, provide the WLST username, password, and t3 URL.
Run the following command to display a list of Identity Virtualization Library (libOVD) WLST commands:
help('OracleLibOVDConfig')
This lists the commands for creating, deleting, and modifying Identity Virtualization Library (libOVD), LDAP, and join adapters. The following commands act on the Identity Virtualization Library (libOVD) configuration associated with a particular OPSS context, which is passed in as a parameter:
addJoinRule: Adds a join rule to an existing Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context
addLDAPHost: Adds a new remote host to an existing LDAP adapter
Note:
The following is an example of adding multiple remote hosts for High Availability (HA) scenario:
addLDAPHost(adapterName='ldap1', host='myhost.example.domain.com', port=389, contextName='myContext')
See Oracle Fusion Middleware High Availability Guide for detailed information about HA.
addPlugin: Adds a plug-in to an existing adapter or at the global level
See Also:
"Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about developing plug-ins in Oracle Identity Manager
addPluginParam: Add new parameter values to the existing adapter level plug-in or global plug-in
createJoinAdapter: Creates a new Join adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context
createLDAPAdapter: Creates a new LDAP adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context
deleteAdapter: Deletes an existing adapter for the Identity Virtualization Library (libOVD) associated with the given OPSS context
getAdapterDetails: Displays the details of an existing adapter that is configured for the Identity Virtualization Library (libOVD) associated with the given OPSS context
listAdapters: Lists the name and type of all adapters that are configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context
modifyLDAPAdapter: Modifies the existing LDAP adapter configuration
removeJoinRule: Removes a join rule from a Join adapter configured for this Identity Virtualization Library (libOVD) associated with the given OPSS Context
removeLDAPHost: Removes a remote host from an existing LDAP adapter configuration
removePlugin: Removes a plug-in from an existing adapter or at global level
removePluginParam: Removes an existing parameter from a configured adapter level plug-in or global plug-in
Run help on the individual commands to get usage, such as:
help('addPluginParam')
The following are examples of updating the AD User Management adapter for the oimLanguages attribute for Multi Language Support (MLS):
addPluginParam:
You can use this command to add the oimLanguages parameter to the UserManagement plug-in in the AD user adapter, as shown:
addPluginParam(adapterName='ldap1', pluginName='UserManagement', paramKeys='oimLanguages', paramValues='fr,zh-CN', contextName='oim')
removePluginParam:
You can use this command to remove the oimLanguages parameter from the UserManagement plug-in in the AD user adapter, as shown:
removePluginParam(adapterName='ldap1', pluginName='UserManagement', paramKey='oimLanguages', contextName='oim')
removePluginParam:
You can use this command to remove the modifierDNFilter parameter from the Changelog plug-in, as shown:
removePluginParam(adapterName='CHANGELOG_ldap1', pluginName='Changelog', paramKey='modifierDNFilter', contextName='oim')
See Also:
"Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for detailed information about creating the OVD adapters for Oracle Identity Manager change log and user management
Enabling access logging for Identity Virtualization Library (libOVD) allows you to capture all requests and responses flowing through Identity Virtualization Library (libOVD), which can be very useful if you are trying to triage performance issues.
To enable access logging for Identity Virtualization Library (libOVD):
Remove any Identity Virtualization Library (libOVD) loggers that were previously configured in Debug mode. You must remove these loggers to see real performance numbers.
Create a WLS logger named oracle.ods.virtualization.accesslog in WLS with NOTIFICATION level.
Create a WLS loghandler, specifying a file name similar to ovd-access.log and associate that log handler to the logger you created in step 2.
This loghandler logs all Oracle Virtual Directory access log messages into a separate file.
Create a backup of the DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml file, and then add the following XML fragment (if it is not already present):
<providers ..>
  ...
  <auditLogPublisher>
    <provider name="FMWAuditLogPublisher">
      ...
    </provider>
    <provider name="AccessLogPublisher">
      <configClass>oracle.ods.virtualization.config.AccessLogPublisherConfig</configClass>
      <properties>
        <property name="enabled" value="true"/>
      </properties>
    </provider>
  </auditLogPublisher>
  ...
</providers>
Restart the WLS Admin and Managed servers.
Oracle Virtual Directory can now generate the access log in the ovd-access.log file.
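The following Python script is an added example, not part of this guide or of Identity Virtualization Library (libOVD), that adds the AccessLogPublisher provider to a provider.os_xml excerpt only when it is not already present, which is the condition the step above attaches to the fragment, and backs the file up first. The excerpt is constructed from the fragment in the text; the contents of the FMWAuditLogPublisher provider, elided in the text, are left as an XML comment. It assumes the file's elements are not in an XML namespace; if the real root carries an xmlns, the tag names in the find calls need that namespace prefix.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed provider.os_xml excerpt matching the fragment in the text. The contents of
# FMWAuditLogPublisher are elided in the text and are not reproduced here.
PROVIDER_OS_XML = """<providers>
  <auditLogPublisher>
    <provider name="FMWAuditLogPublisher">
      <!-- existing configuration, elided in the text -->
    </provider>
  </auditLogPublisher>
</providers>"""

ACCESS_LOG_CONFIG_CLASS = "oracle.ods.virtualization.config.AccessLogPublisherConfig"


def _child(parent, tag, **attrs):
    """Find the first child with the given tag and attribute values, or None."""
    for element in parent.findall(tag):
        if all(element.get(key) == value for key, value in attrs.items()):
            return element
    return None


def enable_access_log_publisher(xml_text):
    """Return (new_xml, created): the config with AccessLogPublisher present and enabled.

    Idempotent: running it on its own output changes nothing and reports created=False,
    so a second run never produces a duplicate provider element.
    """
    root = ET.fromstring(xml_text)
    audit = root.find("auditLogPublisher")
    if audit is None:
        audit = ET.SubElement(root, "auditLogPublisher")
    provider = _child(audit, "provider", name="AccessLogPublisher")
    created = provider is None
    if created:
        provider = ET.SubElement(audit, "provider", name="AccessLogPublisher")
        ET.SubElement(provider, "configClass").text = ACCESS_LOG_CONFIG_CLASS
    props = provider.find("properties")
    if props is None:
        props = ET.SubElement(provider, "properties")
    enabled = _child(props, "property", name="enabled")
    if enabled is None:
        ET.SubElement(props, "property", name="enabled", value="true")
    else:
        enabled.set("value", "true")
    return ET.tostring(root, encoding="unicode"), created


def access_log_enabled(xml_text):
    """True when an AccessLogPublisher provider exists with property enabled=true."""
    audit = ET.fromstring(xml_text).find("auditLogPublisher")
    provider = _child(audit, "provider", name="AccessLogPublisher") if audit is not None else None
    if provider is None or provider.find("properties") is None:
        return False
    enabled = _child(provider.find("properties"), "property", name="enabled")
    return enabled is not None and enabled.get("value") == "true"


def enable_in_file(path):
    """Back the file up to path + '.bak' first, as the step instructs, then rewrite it."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        new_xml, created = enable_access_log_publisher(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    return created


if __name__ == "__main__":
    new_xml, created = enable_access_log_publisher(PROVIDER_OS_XML)
    print("created:", created, "enabled:", access_log_enabled(new_xml))
```

Because the access log records every request and response passing through Identity Virtualization Library (libOVD), including DNs and attribute values, restrict read access to the ovd-access.log file to the WebLogic service account and disable the publisher again once the performance investigation is complete.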
Use the following procedure to be able to use LDAP for authentication when LDAP synchronization is enabled.
Note:
This procedure does not enable the following functionality:
Forced password changes, including first login, administrator password reset, and expired passwords
Forced setting of challenge responses
Configure the LDAP Authenticator in WLS. To do so:
Log in to WebLogic Administrative Console.
Go to Security Realms, myrealm, Providers.
Click New. Give a name and choose OracleInternetDirectoryAuthenticator as type.
Set the Control Flag to SUFFICIENT.
Click the Provider Specific settings and configure the OID connection details.
In Dynamic groups section, enter the following values:
Dynamic Group Name Attribute: cn
Dynamic Group Object Class: orcldynamicgroup
Dynamic Member URL Attribute: labeleduri
User Dynamic Group DN Attribute: GroupOfUniqueNames
Click the Providers tab. Remove OIM Authenticator from the list of security providers. This ensures that the user is not locked in the Oracle Identity Manager database.
Configure the OIMSignatureAuthenticator security provider in the realm. To do so:
i) Log in to the WebLogic Administrative Console.
ii) Navigate to Security realm, myrealm, Security providers, Authentication, New.
iii) Select OIMSignatureAuthenticator from the drop-down, and select provider name as OIMSignatureAuthenticator.
iv) Save the changes.
Click Reorder. Reorder the security providers and set their Control Flags as listed in the following table:
Authentication Provider | Control Flag |
---|---|
Default Authenticator | SUFFICIENT |
OIM Signature Authenticator | SUFFICIENT |
LDAP Authenticator | SUFFICIENT |
Default Identity Asserter | Not applicable |
Restart all servers.
Validate role memberships.
Log in to the WebLogic Admin Console.
Go to Security Realms, myrealm, User and Groups.
Click Users to display all the users in the LDAP user search base. If the LDAP users are not displayed, there is an error in the LDAP connection details specified in the OID Authenticator's provider-specific settings.
Click any user and then go to the corresponding group entry. "Oimusers" should be one of the listed entries. If this validation fails, review the LDAP authenticator's provider-specific details.