If you are creating a new Oracle LDAP directory, either Oracle Unified Directory (OUD) or Oracle Internet Directory (OID), you must create the directories. The instructions for this differ depending on whether you are configuring OUD or OID.
This chapter includes the following topics:
Oracle Unified Directory is an optional component in an Identity Management Enterprise Deployment. You can use it as the Identity Store, that is, for storing information about users and groups.
In this section, you configure two instances of Oracle Unified Directory by using the Oracle Unified Directory configuration assistant.
Section 12.1.1, "Prerequisites for Configuring Oracle Unified Directory Instances"
Section 12.1.2, "Configuring the Oracle Unified Directory Instances"
Section 12.1.3, "Creating Access Control Lists in Non-Oracle Directories"
Section 12.1.4, "Backing Up the Oracle Unified Directory installation"
Before configuring the Oracle Unified Directory instances on LDAPHOST1 and LDAPHOST2, ensure that the following tasks have been performed:
Synchronize the time on the individual LDAPHOST nodes using Greenwich Mean Time so that their clocks differ by no more than 250 seconds.
Install and upgrade the software on LDAPHOST1 and LDAPHOST2 as described in Section 31.1, "Starting and Stopping Enterprise Deployment Components."
Ensure that the load balancer is configured.
Follow these steps to configure Oracle Unified Directory components in the directory tier on LDAPHOST1 and LDAPHOST2. During the configuration you will also configure Oracle Unified Directory replication servers.
This section contains the following topics:
Section 12.1.2.1, "Configuring Oracle Unified Directory on LDAPHOST1"
Section 12.1.2.2, "Validating Oracle Unified Directory on LDAPHOST1"
Section 12.1.2.3, "Configuring Oracle Unified Directory Instance on LDAPHOST2"
Section 12.1.2.4, "Validating Oracle Unified Directory on LDAPHOST2"
Section 12.1.2.5, "Validating Oracle Unified Directory Through the Load Balancer"
Section 12.1.2.6, "Relaxing Oracle Unified Directory Object Creation Restrictions"
Section 12.1.2.7, "Configuring a Password Policy on Oracle Unified Directory"
Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer by issuing the following command for each port on the operating system you are using. If a port is not in use, no output is returned from the command.
netstat -an | grep "1389"
If a port is in use (that is, if the command returns output identifying it), you must free the port. Remove the entries for ports 1389, 1636, 4444, and 8989 in the /etc/services file and restart the services or restart the computer.
Set the environment variable JAVA_HOME.
Set the environment variable INSTANCE_NAME to ../../admin/oud1. For example:
export INSTANCE_NAME=../../../../u02/private/oracle/config/instances/oud1
Note that the tool creates the instance home relative to the OUD_ORACLE_HOME, so you must include the parent directories to get the instance created in LOCAL_CONFIG_DIR/instances.
Change directory to OUD_ORACLE_HOME.
Start the Oracle Unified Directory configuration assistant by executing the command:
./oud-setup
To configure Oracle Unified Directory:
On the Welcome screen, click Next.
On the Server Settings screen, enter:
Host Name: The name of the host where Oracle Unified Directory is running, for example: LDAPHOST1.example.com
LDAP Listener Port: 1389 (LDAP_PORT)
Administration Connector Port: 4444 (LDAP_ADMIN_PORT)
LDAP Secure Access: Click Configure
In the Security Options page, enter:
SSL Access: Selected.
Enable SSL on Port: 1636 (LDAP_SSL_PORT)
Certificate: Generate Self Signed Certificate OR provide details of your own certificate.
Click OK
Root User DN: Enter an administrative user. For example, cn=oudadmin.
Password: Enter the password you wish to assign to the oudadmin user.
Password (Confirm): Repeat the password.
Click Next.
On the Topology Options screen:
Select: This server will be part of a replication topology.
Enter: Replication Port: 8989 (OUD_REPLICATION_PORT)
Select: Configure As Secure, if you wish replication traffic to be encrypted.
There is already a server in the topology: Leave unselected.
Click Next.
On the Directory Data screen, enter:
Directory Base DN: dc=example, dc=com
Directory Data: Only create base entry
Click Next.
On the Oracle Components Integration screen, click Next.
On the Runtime Options screen, click Next.
On the Review screen, verify that the information displayed is correct and click Finish.
On the Finished screen, click Close.
After configuration, you can validate that Oracle Unified Directory is working by performing a simple search using the following command:
OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST1.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
If Oracle Unified Directory is working correctly, you will see a list of supportedControl entries returned.
Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer by issuing the following command for each port on the operating system you are using. If a port is not in use, no output is returned from the command.
netstat -an | grep "1389"
If a port is in use (that is, if the command returns output identifying it), you must free the port. Remove the entries for ports 1389, 1636, 4444, and 8989 in the /etc/services file and restart the services or restart the computer.
Set the environment variable JAVA_HOME to the JAVA_HOME directory.
Set the environment variable INSTANCE_NAME to ../../admin/oud2. For example:
export INSTANCE_NAME=../../../../u02/private/oracle/config/instances/oud2
Note that the tool creates the instance home relative to the OUD_ORACLE_HOME, so you must include the parent directories to get the instance created in LOCAL_CONFIG_DIR/instances.
Change directory to OUD_ORACLE_HOME.
Start the Oracle Unified Directory configuration assistant by executing the command:
./oud-setup
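The command-line preparation steps above (port check, JAVA_HOME, an INSTANCE_NAME expressed relative to OUD_ORACLE_HOME) are the same for LDAPHOST1 (Section 12.1.2.1) and LDAPHOST2 (this section). The following script is an added example, not part of the Oracle guide. It assumes OUD_ORACLE_HOME=/u01/oracle/product/fmw/oud and LOCAL_CONFIG_DIR=/u02/private/oracle/config (override them in the environment), and it checks a constructed netstat -an sample rather than the live host. The port list is a parameter, so the same check serves the OID ports 3060 and 3061 in Section 12.2.

```shell
#!/bin/sh
# Added example, not Oracle's code: pre-oud-setup checks for one OUD instance.
# Assumed paths (override in the environment): OUD_ORACLE_HOME, LOCAL_CONFIG_DIR.

# busy_ports NETSTAT_OUTPUT PORT...
# Prints the ports that have a socket in LISTEN state bound to them.
# Matching the local-address column exactly avoids the false hits that a
# bare `grep "1389"` gives on port 11389, on a client's ephemeral port, or
# on the remote side of an established connection.
busy_ports() {
  out=$1
  shift
  busy=""
  for p in "$@"; do
    if printf '%s\n' "$out" | awk -v port="$p" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'; then
      busy="$busy $p"
    fi
  done
  printf '%s\n' "${busy# }"
}

# relative_instance_path OUD_ORACLE_HOME TARGET_DIR
# oud-setup creates the instance home relative to OUD_ORACLE_HOME, so derive
# the "../.." prefix from the depth of the Oracle home instead of counting by hand.
relative_instance_path() {
  rest=${1#/}
  rest=${rest%/}
  rel=""
  while [ -n "$rest" ]; do
    rel="../$rel"
    case $rest in
      */*) rest=${rest#*/} ;;
      *)   rest="" ;;
    esac
  done
  printf '%s%s\n' "$rel" "${2#/}"
}

# Constructed `netstat -an` sample (not captured from a real host): port 1636 is
# taken; 11389 and a client connection to a remote 4444 are decoys that a
# substring grep would report as conflicts.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11389           0.0.0.0:*               LISTEN
tcp6       0      0 :::1636                 :::*                    LISTEN
tcp        0      0 10.0.0.5:51389          10.0.0.9:4444           ESTABLISHED'

OUD_PORTS="1389 1636 4444 8989"
OUD_ORACLE_HOME=${OUD_ORACLE_HOME:-/u01/oracle/product/fmw/oud}   # assumed
LOCAL_CONFIG_DIR=${LOCAL_CONFIG_DIR:-/u02/private/oracle/config}  # assumed
INSTANCE=${INSTANCE:-oud1}          # oud1 on LDAPHOST1, oud2 on LDAPHOST2

# On a real host replace "$SAMPLE_NETSTAT" with "$(netstat -an)".
taken=$(busy_ports "$SAMPLE_NETSTAT" $OUD_PORTS)
if [ -n "$taken" ]; then
  echo "ports already in use: $taken (free them before running ./oud-setup)"
else
  echo "all OUD ports are free"
fi
echo "export JAVA_HOME=${JAVA_HOME:-/path/to/jdk}"    # placeholder JDK path
echo "export INSTANCE_NAME=$(relative_instance_path "$OUD_ORACLE_HOME" "$LOCAL_CONFIG_DIR/instances/$INSTANCE")"
echo "cd $OUD_ORACLE_HOME && ./oud-setup"
```

Run it as `INSTANCE=oud2 sh precheck.sh` on LDAPHOST2; with the sample above it reports port 1636 as taken and ignores the 11389 and 4444 decoys that the plain grep in the step above would flag.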
On the Welcome screen, click Next.
On the Server Settings screen, enter the following:
Host Name: The name of the host where Oracle Unified Directory is running, for example: LDAPHOST2
LDAP Listener Port: 1389 (LDAP_PORT)
Administration Connector Port: 4444 (LDAP_ADMIN_PORT)
LDAP Secure Access: Click Configure
Select SSL Access
Enable SSL on Port: 1636 (LDAP_SSL_PORT)
Certificate: Generate Self Signed Certificate OR provide details of your own certificate.
Click OK
Root User DN: Enter an administrative user, for example cn=oudadmin
Password: Enter the password you wish to assign to the oudadmin user.
Password (Confirm): Repeat the password.
Click Next.
On the Topology Options screen, enter:
This server will be part of a replication topology: Selected.
Replication Port: 8989 (LDAP_REPLICATION_PORT)
Select Configure As Secure, if you wish replication traffic to be encrypted.
There is already a server in the topology: Selected.
Enter the following:
Host Name: The name of an existing Oracle Unified Directory server host, for example: LDAPHOST1.example.com
Administrator Connector Port: 4444 (LDAP_ADMIN_PORT)
Admin User: Name of the Oracle Unified Directory admin user on LDAPHOST1, for example: cn=oudadmin
Admin Password: Administrator password.
Click Next.
If you see a Certificate Not Trusted dialog, it is because you are using self-signed certificates. Click Accept Permanently.
Click Next.
On the Create Global Administrator screen, enter:
Global Administrator ID: The name of an account you want to use for managing Oracle Unified Directory replication, for example: oudmanager
Global Administrator Password / Confirmation: Enter a password for this account.
Click Next.
On the Data Replication screen, select dc=example,dc=com and click Next.
On the Oracle Components Integration screen, click Next.
On the Runtime Options screen, click Next.
On the Review screen, check that the information displayed is correct and click Finish.
On the Finished screen, click Close.
After configuration, you can validate that Oracle Unified Directory is working by performing a simple search. To do this, issue the following command:
OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST2.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
If Oracle Unified Directory is working correctly, you see a list of supportedControl entries returned.
To check that Oracle Unified Directory replication is enabled, issue the command:
OUD_ORACLE_INSTANCE/OUD/bin/status
You are prompted for the Administrator bind DN (cn=oudadmin) and its password.
You then see output similar to the following example, in which Replication is shown as Enabled.
--- Server Status ---
Server Run Status: Started
Open Connections: 2

--- Server Details ---
Host Name: slc01fnv
Administrative Users: cn=oudadmin
Installation Path: /u01/oracle/product/fmw/oud
Instance Path: /u01/oracle/admin/oud1/OUD
Version: Oracle Unified Directory 11.1.2.0.0
Java Version: 1.6.0_29
Administration Connector: Port 4444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol : State
-------------:-------------:-----------
 : LDIF : Disabled
8989 : Replication : Enabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:1389 : LDAP : Enabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled

--- Data Sources ---
Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 1
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>
Status
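Reading the status output by eye works once; a check that can be repeated after each instance comes up, and later from monitoring, is more useful. The script below is an added example and not part of the Oracle guide. It parses the sections of the status output shown above: the Connection Handlers table for the state of a given port, and the Data Sources section for replication state and backlog. The status text embedded in it is constructed to mirror the example above (host name and paths assumed); on a real host save the output of OUD_ORACLE_INSTANCE/OUD/bin/status to a file and pass its contents instead.

```shell
#!/bin/sh
# Added example, not Oracle's code: health checks over the text printed by
# OUD_ORACLE_INSTANCE/OUD/bin/status.

# handler_state STATUS_OUTPUT PORT
# Prints the State column (Enabled/Disabled) of the connection handler bound to
# PORT, or nothing when no handler row lists that port.
handler_state() {
  printf '%s\n' "$1" | awk -F ' : ' -v port="$2" '
    /^--- Connection Handlers ---/ { ch = 1; next }
    /^--- /                        { ch = 0 }
    ch && NF == 3 {
      sub(/^[ \t]+/, "", $1); sub(/[ \t]+$/, "", $3)
      n = split($1, a, ":")
      if (a[n] == port) { print $3; exit }
    }'
}

# replication_healthy STATUS_OUTPUT [BASE_DN]
# Succeeds only when the Data Sources section lists BASE_DN with
# "Replication: Enabled" and "Missing Changes: 0". A non-zero backlog means
# this server has not yet applied changes that exist on its replication peer.
replication_healthy() {
  printf '%s\n' "$1" | awk -v dn="${2:-dc=example,dc=com}" '
    /^--- Data Sources ---/ { ds = 1; next }
    /^--- /                 { ds = 0 }
    ds && /^Base DN:/ {
      cur = $0; sub(/^Base DN:[ \t]*/, "", cur); gsub(/[ \t]/, "", cur)
      hit = (cur == dn)
    }
    ds && hit && /^Replication:/     { enabled = ($2 == "Enabled") }
    ds && hit && /^Missing Changes:/ { missing = $3 + 0; seen = 1 }
    END { exit (enabled && seen && missing == 0) ? 0 : 1 }'
}

# Constructed status output modelled on the guide's example (host name and
# paths are assumptions, not captured from a real system).
SAMPLE_STATUS='--- Server Status ---
Server Run Status: Started
Open Connections: 2

--- Server Details ---
Host Name: ldaphost1
Administrative Users: cn=oudadmin
Installation Path: /u01/oracle/product/fmw/oud
Instance Path: /u01/oracle/admin/oud1/OUD
Version: Oracle Unified Directory 11.1.2.0.0
Java Version: 1.6.0_29
Administration Connector: Port 4444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol : State
-------------:-------------:-----------
-- : LDIF : Disabled
8989 : Replication : Enabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:1389 : LDAP : Enabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled

--- Data Sources ---
Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 1
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>'

# The same server with a replication backlog, to show the negative case.
DEGRADED_STATUS=$(printf '%s\n' "$SAMPLE_STATUS" | sed 's/^Missing Changes: 0/Missing Changes: 42/')

if replication_healthy "$SAMPLE_STATUS" "dc=example,dc=com" \
   && [ "$(handler_state "$SAMPLE_STATUS" 1389)" = Enabled ] \
   && [ "$(handler_state "$SAMPLE_STATUS" 8989)" = Enabled ]; then
  echo "instance ready: LDAP and replication handlers enabled, no replication backlog"
else
  echo "instance NOT ready; inspect the status output"
fi
```

The administration connector (port 4444) is not a connection handler and so is reported separately in the Server Details section; handler_state returns nothing for it, which is expected.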
In addition, validate that you can access Oracle Unified Directory through the load balancer by issuing the command:
OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAP_LBR_HOST -p LDAP_LBR_PORT -D OUD_Administrator -b "" -s base "(objectclass=*)" supportedControl
For example:
OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h IDSTORE.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
Oracle Identity Management requires that a number of object classes be created in Oracle Unified Directory. You must perform the following step so that Oracle Unified Directory allows creation of the needed object classes.
Execute the following command against each Oracle Unified Directory instance, substituting each instance's host name (for example, LDAPHOST2.example.com) for the -h value:
OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h LDAPHOST1.example.com -p 4444 -D "cn=oudadmin" -j ./password_file -n \
set-global-configuration-prop \
--set single-structural-objectclass-behavior:warn \
--trustAll
If you want to enable Oracle Identity Manager (OIM) to lock a user account, you must configure a password policy on the OUD server.
In the password policy, you define the maximum number of failed logins after which the LDAP directory server locks the account.
Use the following command to configure the OUD password policy:
OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h LDAPHOST1.example.com -p <OUD Admin SSL port> -D <OUD Admin id> -j ./password_file -n \
set-password-policy-prop --policy-name "Default Password Policy" \
--set "lockout-failure-count:10"
Repeat the command for each Oracle Unified Directory instance, for example: LDAPHOST2.
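The two dsconfig changes above (the object-class relaxation in Section 12.1.2.6 and the lockout threshold in this section) both read the administrator password from ./password_file and both must be repeated on every instance. The following script is an added example, not Oracle's code, that wraps that pattern: it creates the password file with mode 0600, refuses to run if the file is readable by anyone else, and applies the change to every host in OUD_HOSTS. OUD_ORACLE_INSTANCE, OUD_HOSTS, the admin DN and port are assumed placeholders to override in the environment; with DRY_RUN=1 (the default here) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not Oracle's code: apply one dsconfig change to every OUD
# instance, reading the administrator password from a file that only the
# invoking user can read. All values below are assumed placeholders.
OUD_ORACLE_INSTANCE=${OUD_ORACLE_INSTANCE:-/u01/oracle/admin/oud1}   # assumed
OUD_HOSTS=${OUD_HOSTS:-"LDAPHOST1.example.com LDAPHOST2.example.com"}
OUD_ADMIN_PORT=${OUD_ADMIN_PORT:-4444}
OUD_ADMIN_DN=${OUD_ADMIN_DN:-cn=oudadmin}
DRY_RUN=${DRY_RUN:-1}

# password_file_ok FILE: succeeds when FILE is a regular file with mode 0600,
# so the -j password file is neither group- nor world-readable on the host.
password_file_ok() {
  [ -f "$1" ] || return 1
  case $(ls -ld "$1") in
    -rw-------*) return 0 ;;
    *)           return 1 ;;
  esac
}

# write_password_file FILE: create FILE with mode 0600 from $OUD_ADMIN_PASSWORD.
# umask 077 in a subshell means the file is never readable by others, even briefly.
write_password_file() {
  (umask 077 && printf '%s\n' "$OUD_ADMIN_PASSWORD" > "$1") || return 1
  password_file_ok "$1"
}

# dsconfig_on HOST PASSWORD_FILE SUBCOMMAND [OPTIONS...]: one change on one host.
dsconfig_on() {
  host=$1
  pwfile=$2
  shift 2
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s ' "$OUD_ORACLE_INSTANCE/OUD/bin/dsconfig" -h "$host" -p "$OUD_ADMIN_PORT" \
      -D "$OUD_ADMIN_DN" -j "$pwfile" -n "$@"
    printf '\n'
  else
    "$OUD_ORACLE_INSTANCE/OUD/bin/dsconfig" -h "$host" -p "$OUD_ADMIN_PORT" \
      -D "$OUD_ADMIN_DN" -j "$pwfile" -n "$@"
  fi
}

# dsconfig_all PASSWORD_FILE SUBCOMMAND [OPTIONS...]: the change on every host,
# refusing to start at all if the password file is readable by others.
dsconfig_all() {
  pwfile=$1
  shift
  if ! password_file_ok "$pwfile"; then
    echo "refusing to use $pwfile: it must be a regular file with mode 0600" >&2
    return 1
  fi
  for host in $OUD_HOSTS; do
    dsconfig_on "$host" "$pwfile" "$@" || return 1
  done
}

# Demo: the object-class relaxation (Section 12.1.2.6) and the lockout
# threshold (Section 12.1.2.7) on every instance. --trustAll is what the guide
# uses while the servers run self-signed certificates; once a trust store with
# the server certificates exists, drop it.
OUD_ADMIN_PASSWORD=${OUD_ADMIN_PASSWORD:-PLACEHOLDER-change-me}   # placeholder
pwfile=$(mktemp)
write_password_file "$pwfile"
dsconfig_all "$pwfile" set-global-configuration-prop \
  --set single-structural-objectclass-behavior:warn --trustAll
dsconfig_all "$pwfile" set-password-policy-prop \
  --policy-name "Default Password Policy" --set lockout-failure-count:10 --trustAll
rm -f "$pwfile"
```

Run it with `DRY_RUN=0 OUD_ADMIN_PASSWORD=... sh oud-config-all.sh` on a host that has the OUD instance installed; the password file is removed again as soon as the changes have been applied.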
In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is not Oracle Internet Directory or Oracle Unified Directory (for example, Microsoft Active Directory or Oracle Directory Server Enterprise Edition), you must set up the access control lists (ACLs) to provide appropriate privileges to the entities you created; this is true even if Oracle Virtual Directory is in front of them. This section lists the artifacts created and the privileges required for each.
Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that container is specified as part of the admin.
Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Management Console. No LDAP schema level privileges are required, since this is just an application user.
Access Manager Software User. This user is added to the groups where the user gets read privileges to the container. This is also provided with schema admin privileges.
Oracle Identity Manager user oimLDAP under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.
Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.
WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.
WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.
Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.
After you complete the installation and configuration of each tier and verify that the install is successful, or at some other logical point, create a backup. This is a quick backup that enables you to perform an immediate restoration if you encounter problems in later steps. The backup destination is the local disk. You can discard this backup after the enterprise deployment setup is complete. At that point, you can start using the regular deployment-specific Backup and Recovery process. For more information, see Oracle Fusion Middleware Administrator's Guide.
For information about Oracle Unified Directory database backups, see "Backing up Data" in Oracle Unified Directory Administrator's Guide.
To back up the installation to this point, follow these steps:
Back up the Oracle Unified Directory instances in the directory tier:
Shut down the instance using the commands in Section 31.1.3, "Starting and Stopping Directory Services."
Create a backup of the Middleware home on the directory tier. On Linux, as the root user, type:
tar -cvpf BACKUP_LOCATION/dirtier.tar MW_HOME
Create a backup of the Instance home on the directory tier as the root user. Type:
tar -cvpf BACKUP_LOCATION/instance_backup.tar ORACLE_INSTANCE
Start up the instance using the commands in Section 31.1.3, "Starting and Stopping Directory Services."
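The two tar steps above, as an added script that is not from the Oracle guide and that also verifies each archive before you rely on it: it lists the archive back through tar and records a SHA-256 checksum beside it, so a later step can confirm the backup is intact before restoring from it. BACKUP_LOCATION, MW_HOME and ORACLE_INSTANCE are assumed placeholders; on the directory tier run it as root between the stop and start commands, as the steps above describe.

```shell
#!/bin/sh
# Added example, not Oracle's code: tar backups of the Middleware home and the
# instance home with an integrity check. Paths below are assumed placeholders.

# checksum_cmd FILE: sha256sum where available (Linux), shasum otherwise (macOS).
checksum_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# backup_tree SRC_DIR ARCHIVE: archive SRC_DIR (permissions preserved with -p,
# as in the guide's tar -cvpf), confirm tar can read the archive back, and
# record a SHA-256 checksum next to it.
backup_tree() {
  src=$1
  archive=$2
  [ -d "$src" ] || { echo "backup_tree: no such directory: $src" >&2; return 1; }
  tar -cpf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
  tar -tf "$archive" >/dev/null || return 1
  checksum_cmd "$archive" > "$archive.sha256"
}

# verify_backup ARCHIVE: succeeds only if the archive still matches the recorded
# checksum and tar can list it. Run this before restoring from the backup.
verify_backup() {
  [ -f "$1" ] && [ -f "$1.sha256" ] || return 1
  recorded=$(cut -d ' ' -f 1 "$1.sha256")
  actual=$(checksum_cmd "$1" | cut -d ' ' -f 1)
  [ "$recorded" = "$actual" ] || return 1
  tar -tf "$1" >/dev/null
}

BACKUP_LOCATION=${BACKUP_LOCATION:-/u01/oracle/backups}      # assumed
MW_HOME=${MW_HOME:-/u01/oracle/product/fmw}                  # assumed
ORACLE_INSTANCE=${ORACLE_INSTANCE:-/u01/oracle/admin/oud1}   # assumed

# The same two archives the guide names; skipped on hosts where the paths do
# not exist so the script can be read and run anywhere.
for pair in "$MW_HOME:$BACKUP_LOCATION/dirtier.tar" \
            "$ORACLE_INSTANCE:$BACKUP_LOCATION/instance_backup.tar"; do
  src=${pair%%:*}
  archive=${pair#*:}
  if [ -d "$src" ] && [ -d "$BACKUP_LOCATION" ]; then
    backup_tree "$src" "$archive" && verify_backup "$archive" \
      && echo "backed up $src -> $archive (checksum in $archive.sha256)"
  else
    echo "skipping $src: directory or $BACKUP_LOCATION missing on this host"
  fi
done
```

The checksum file is what makes the later restore decision safe: a backup that no longer matches it has been truncated or altered since it was taken and should not be used.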
This section describes how to create highly available Oracle Internet Directory (OID) in the enterprise deployment.
If you are using Oracle Unified Directory as your LDAP directory, you do not need Oracle Internet Directory.
This section includes the following topics:
Section 12.2.1, "Overview of Creating an Internet Directory"
Section 12.2.2, "Using Oracle Internet Directory in an Enterprise Deployment"
In this chapter, you perform the following tasks:
Configure two instances of Oracle Internet Directory by using the Oracle Identity Management 11g Configuration Wizard
Validate the instances
Tune Oracle Internet Directory
You use the Identity Store for storing information about users and groups. These instances can coexist on the same nodes or can exist on separate nodes. The data, however, must be stored in two separate databases. If policy information must reside in Oracle Internet Directory, you can place identity information into a different directory, such as Active Directory.
You must point idstore.example.com at one of the instances and policystore.example.com at the other.
This section describes how to install Oracle Internet Directory in a highly available manner. This procedure is not necessary if you are using Oracle Unified Directory as your LDAP directory.
This section contains the following topics:
Section 12.2.3.1, "Configuring the First Oracle Internet Directory"
Section 12.2.3.2, "Validating the OID installation on LDAPHOST1"
Section 12.2.3.3, "Configuring Oracle Internet Directory on LDAPHOST2"
Section 12.2.3.4, "Validating the Installation of OID on LDAPHOST2"
Before starting the configuration disable the Oracle Internet Directory (OID) monitoring on the load balancer if it is configured. If you do not do so, then the OID administrator account becomes locked during configuration and the configuration fails.
Ensure that ports 3060 and 3061 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.
netstat -an | grep "3060"
netstat -an | grep "3061"
If the ports are in use (that is, if the command returns output identifying either port), you must free the port.
Copy the staticports.ini file from REPOS_HOME/installers/idm/Disk1/stage/Response/staticports.ini to a temporary directory on the installation media.
Edit the staticports.ini file that you copied to the temporary directory to assign ports 3060 and 3061: uncomment the entries in the file corresponding to the entries below and set the values accordingly.
Start the Oracle Identity Management 11g Configuration Assistant by running the config.sh file in the following directory:
DIR_MW_HOME/oid/bin/config.sh
On the Welcome screen, click Next.
On the Select Domain screen, select Configure without a Domain.
Click Next.
On the Specify Installation Location screen, specify the following values:
Oracle Instance Location: LOCAL_CONFIG_DIR/instances/oid1
Oracle Instance Name: oid1
Click Next.
On the Specify Security Updates screen, choose whether to receive security updates from Oracle support and click Next.
On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and click Next.
On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini
file that you edited in the temporary directory, and click Next.
On the Specify Schema Database screen, select Use Existing Schema and specify the following values:
Connect String: igddb-scan.example.com:1521:igddb1^igddb-scan.example.com:1521:igdb2@oidedg.example.com
User Name: ODS
Password: Enter the password for the OID schema created by RCU.
Click Next.
On the Configure Oracle Internet Directory screen, specify the following:
Realm: The realm where you want your company information stored, for example: dc=example,dc=com
Administrator Password: Password for cn=orcladmin
Confirm Password: Confirm administrator password.
Click Next.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.
If a dialog box appears prompting you to run the oracleRoot.sh script, run the oracleRoot.sh script as the root user. When the following prompt appears:
Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)
Enter yes.
On the Configuration Progress screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish. When it does, click Next.
On the Installation Complete screen, click Finish to confirm your choice to exit.
To validate the installation of the Oracle Internet Directory instance on LDAPHOST1, issue these commands:
export ORACLE_HOME=OID_ORACLE_HOME
ORACLE_HOME/bin/ldapbind -h ldaphost1.example.com -p 3060 -D "cn=orcladmin" -q
ORACLE_HOME/bin/ldapbind -h ldaphost1.example.com -p 3061 -D "cn=orcladmin" -q -U 1
You are prompted for your administrator password.
Note:
It is important to invoke ldapbind from the OID Oracle Home. Many Linux systems come with an OpenLDAP version of ldapbind which is incompatible with OID. The schema database must be running before you perform this task.
Note:
Before starting the configuration, disable the OID monitoring on the load balancer if it is configured. If you do not do so, the OID administrator account becomes locked during configuration and the configuration fails.
To install Oracle Internet Directory on LDAPHOST2:
Ensure that ports 3060 and 3061 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.
netstat -an | grep "3060"
netstat -an | grep "3061"
If the ports are in use (that is, if the command returns output identifying either port), you must free the port or choose a different port.
Make the temporary staticports.ini file created in Section 12.2.3.1 available on LDAPHOST2.
Start the Oracle Identity Management 11g Configuration Wizard by running the following command:
DIR_MW_HOME/oid/bin/config.sh
On the Welcome screen, click Next.
On the Select Domain screen, select Configure without a Domain.
Click Next.
On the Specify Installation Location screen, specify the following values:
Oracle Instance Location: LOCAL_CONFIG_DIR/instances/oid2
Oracle Instance Name: oid2
Click Next.
On the Specify Security Updates screen, choose whether to receive security updates from Oracle support.
Click Next.
On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and click Next.
On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini
file that you edited in the temporary directory, and click Next.
On the Specify Schema Database screen, select Use Existing Schema and specify the following values:
Connect String: igddb-scan.example.com:1521:igddb1^igddb-scan.example.com:1521:igdb2@oidedg.example.com
User Name: ODS
Password: Enter the password for the OID schema created by RCU.
Click Next.
The ODS Schema in use message appears. The ODS schema chosen is already being used by the existing Oracle Internet Directory instance. Therefore, the new Oracle Internet Directory instance being configured reuses the same schema.
Click Yes to continue.
A popup window with this message appears:
Please ensure that the system time on this Identity Management Node is in sync with the time on other Identity management Nodes that are part of the Oracle Application Server Cluster (Identity Management) configuration. Failure to ensure this may result in unwanted instance failovers, inconsistent operational attributes in directory entries and potential inconsistent behavior of password state policies.
Ensure that the system time between LDAPHOST1 and LDAPHOST2 is synchronized.
Click OK to continue.
On the Specify OID Admin Password screen, specify the Oracle Internet Directory administration password that you specified when creating the first OID instance.
Click Next.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.
If a dialog box appears prompting you to run the oracleRoot.sh script, run the oracleRoot.sh script as the root user. When prompted:
Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)
Enter yes.
On the Configuration Progress screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.
On the Installation Complete screen, click Finish to confirm your choice to exit.
To validate the installation of the Oracle Internet Directory instance on LDAPHOST2, issue these commands:
export ORACLE_HOME=OID_ORACLE_HOME
ORACLE_HOME/bin/ldapbind -h ldaphost2.example.com -p 3060 -D "cn=orcladmin" -q
ORACLE_HOME/bin/ldapbind -h ldaphost2.example.com -p 3061 -D "cn=orcladmin" -q -U 1
Re-enable the OID virtual host on the load balancer and check that you can access OID through the load balancer:
ORACLE_HOME/bin/ldapbind -h idstore.example.com -p 3060 -D "cn=orcladmin" -q
ORACLE_HOME/bin/ldapbind -h idstore.example.com -p 3061 -D "cn=orcladmin" -q -U 1
You are prompted for your administrator password.
Note:
It is important to invoke ldapbind from the OID Oracle Home. Many Linux systems come with an OpenLDAP version of ldapbind, which is incompatible with OID.