12 Configuring Oracle LDAP for an Identity and Access Manager Enterprise Deployment

If you are creating a new Oracle LDAP directory, either Oracle Unified Directory (OUD) or Oracle Internet Directory (OID), you must create the directories. The instructions for this differ depending on whether you are configuring OUD or OID.


12.1 Configuring Oracle Unified Directory

Oracle Unified Directory is an optional component in an Identity Management Enterprise Deployment. You can use it as the Identity Store, that is, for storing information about users and groups.

In this section, you configure two instances of Oracle Unified Directory by using the Oracle Unified Directory configuration assistant.

12.1.1 Prerequisites for Configuring Oracle Unified Directory Instances

Before configuring the Oracle Unified Directory instances on LDAPHOST1 and LDAPHOST2, ensure that the following tasks have been performed:

12.1.2 Configuring the Oracle Unified Directory Instances

Follow these steps to configure Oracle Unified Directory components in the directory tier on LDAPHOST1 and LDAPHOST2. During the configuration you will also configure Oracle Unified Directory replication servers.


12.1.2.1 Configuring Oracle Unified Directory on LDAPHOST1

Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer by issuing this command for the operating system you are using. If none of the ports is in use, the command returns no output.

netstat -an | grep -E "1389|1636|4444|8989"

If any of the ports is in use (that is, if the command returns output identifying the port), you must free the port.

Remove the entries for ports 1389, 1636, 4444, and 8989 from the /etc/services file and restart the services or restart the computer.

Set the environment variable JAVA_HOME.

Set the environment variable INSTANCE_NAME to ../../admin/oud1. For example:

export INSTANCE_NAME=../../../../u02/private/oracle/config/instances/oud1

Note the tool creates the instance home relative to the OUD_ORACLE_HOME, so you must include previous directories to get the instance created in LOCAL_CONFIG_DIR/instances.

Change directory to OUD_ORACLE_HOME.

Start the Oracle Unified Directory configuration assistant by executing the command:

./oud-setup

To configure Oracle Unified Directory:

  1. On the Welcome screen, click Next.

  2. On the Server Settings screen, enter:

    • Host Name: The name of the host where Oracle Unified Directory is running, for example: LDAPHOST1.example.com

    • LDAP Listener Port: 1389 (LDAP_PORT)

    • Administration Connector Port: 4444 (LDAP_ADMIN_PORT)

    • LDAP Secure Access: Click Configure

    • In the Security Options page, enter:

      • SSL Access: Selected.

      • Enable SSL on Port: 1636 (LDAP_SSL_PORT)

      • Certificate: Generate Self Signed Certificate OR provide details of your own certificate.

      • Click OK

    • Root User DN: Enter an administrative user. For example, cn=oudadmin.

    • Password: Enter the password you wish to assign to the oudadmin user.

    • Password (Confirm): Repeat the password.

    • Click Next.

  3. On the Topology Options screen:

    • Select: This server will be part of a replication topology

    • Enter: Replication Port: 8989 (OUD_REPLICATION_PORT)

    • Select: Configure As Secure, if you wish replication traffic to be encrypted.

    • There is already a server in the topology. Leave it unselected.

    Click Next.

  4. On the Directory Data screen, enter:

    • Directory Base DN: dc=example, dc=com

    • Directory Data: Only create base entry

    Click Next.

  5. On the Oracle Components Integration screen, click Next.

  6. On the Runtime Options screen, click Next.

  7. On the Review screen, verify that the information displayed is correct and click Finish.

  8. On the Finished screen, click Close.

12.1.2.2 Validating Oracle Unified Directory on LDAPHOST1

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search using the following command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST1.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you will see a list of supportedControl entries returned.

12.1.2.3 Configuring Oracle Unified Directory Instance on LDAPHOST2

Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer by issuing this command for the operating system you are using. If none of the ports is in use, the command returns no output.

netstat -an | grep -E "1389|1636|4444|8989"

If any of the ports is in use (that is, if the command returns output identifying the port), you must free the port.

Remove the entries for ports 1389, 1636, 4444, and 8989 from the /etc/services file and restart the services or restart the computer.
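As an added check that is not part of the Oracle guide, the following script tests all four OUD ports (on LDAPHOST1 or LDAPHOST2) in a single pass against netstat output, so that a conflict on 1636, 4444 or 8989 is not overlooked when only one port is grepped by hand. It assumes the Linux netstat -an column layout and uses a constructed sample in place of live output.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): report every OUD port that
# already has a listener. Reads "netstat -an" style text on stdin; assumes
# the Linux layout where the local address is the fourth column.

OUD_PORTS="1389 1636 4444 8989"   # LDAP, LDAPS, admin connector, replication

# ports_in_use PORT... < netstat_output
# Prints each port that appears as a listening local endpoint.
# Returns 0 when all ports are free, 1 when at least one is taken.
ports_in_use() {
    found=0
    input=$(cat)
    for port in "$@"; do
        # Match ":PORT" at the end of the local-address column on LISTEN
        # lines (covers 0.0.0.0:1389, :::1389 and 10.0.0.5:1389).
        if printf '%s\n' "$input" | awk -v p="$port" '
            $0 ~ /LISTEN/ && $4 ~ (":" p "$") { hit = 1 }
            END { exit hit ? 0 : 1 }'; then
            echo "port $port is already in use"
            found=1
        fi
    done
    return $found
}

# Constructed sample of netstat output in which 1636 is taken by another
# service. For a live check run: netstat -an | ports_in_use $OUD_PORTS
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1636            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:51389          10.0.0.7:1389           ESTABLISHED
tcp6       0      0 :::8080                 :::*                    LISTEN'

if printf '%s\n' "$SAMPLE_NETSTAT" | ports_in_use $OUD_PORTS; then
    echo "all OUD ports are free"
fi
```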

Set the environment variable JAVA_HOME.

Set the environment variable INSTANCE_NAME to ../../admin/oud2.

For example:

export INSTANCE_NAME=../../../../u02/private/oracle/config/instances/oud2

Note the tool creates the instance home relative to the OUD_ORACLE_HOME, so you must include previous directories to get the instance created in LOCAL_CONFIG_DIR/instances.

Change directory to OUD_ORACLE_HOME.

Start the Oracle Unified Directory configuration assistant by executing the command:

./oud-setup

To configure Oracle Unified Directory:

  1. On the Welcome screen, click Next.

  2. On the Server Settings screen, enter the following:

    • Host Name: The name of the host where Oracle Unified Directory is running, for example: LDAPHOST2

    • LDAP Listener Port: 1389 (LDAP_PORT)

    • Administration Connector Port: 4444 (LDAP_ADMIN_PORT)

    • LDAP Secure Access

      • Click Configure

      • Select SSL Access

      • Enable SSL on Port: 1636 (LDAP_SSL_PORT)

      • Certificate: Generate Self Signed Certificate OR provide details of your own certificate.

      • Click OK

    • Root User DN: Enter an administrative user, for example: cn=oudadmin

    • Password: Enter the password you wish to assign to the oudadmin user.

    • Password (Confirm): Repeat the password.

    • Click Next.

  3. On the Topology Options screen, enter:

    • This server will be part of a replication topology

    • Replication Port: 8989 (LDAP_REPLICATION_PORT)

    • Select Configure As Secure, if you wish replication traffic to be encrypted.

    • There is already a server in the topology: Selected.

      Enter the following:

      • Host Name: The name of an existing Oracle Unified Directory server host, for example: LDAPHOST1.example.com

      • Administrator Connector Port: 4444 (LDAP_ADMIN_PORT)

      • Admin User: Name of the Oracle Unified Directory admin user on LDAPHOST1, for example: cn=oudadmin

      • Admin Password: Administrator password.

      Click Next.

      If you see a Certificate Not Trusted dialog, it is because you are using self-signed certificates. Click Accept Permanently.

    Click Next.

  4. On the Create Global Administrator screen, enter:

    • Global Administrator ID: The name of an account you want to use for managing Oracle Unified Directory replication, for example: oudmanager

    • Global Administrator Password / Confirmation: Enter a password for this account.

    Click Next.

  5. On the Data Replication screen, select dc=example,dc=com and click Next.

  6. On the Oracle Components Integration screen, click Next.

  7. On the Runtime Options Screen, click Next.

  8. On the Review Screen, check that the information displayed is correct and click Finish.

  9. On the Finished screen, click Close.

12.1.2.4 Validating Oracle Unified Directory on LDAPHOST2

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search. To do this, issue the following command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST2.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you see a list of supportedControl entries returned.

To check that Oracle Unified Directory replication is enabled, issue the command:

OUD_ORACLE_INSTANCE/OUD/bin/status

You are prompted for the Administrator bind DN (cn=oudadmin) and its password.

You then see output similar to the following example. Replication is shown as Enabled.

--- Server Status ---
Server Run Status: Started
Open Connections: 2
 
--- Server Details ---
Host Name: slc01fnv
Administrative Users: cn=oudadmin
Installation Path: /u01/oracle/product/fmw/oud
Instance Path: /u01/oracle/admin/oud1/OUD
Version: Oracle Unified Directory 11.1.2.0.0
Java Version: 1.6.0_29
Administration Connector: Port 4444 (LDAPS)
 
--- Connection Handlers ---
Address:Port : Protocol : State
-------------:-------------:----------- : 
LDIF : Disabled
8989 : Replication : Enabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:1389 : LDAP : Enabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled
 
--- Data Sources ---
Base DN: dc=example ,dc=com
Backend ID: userRoot
Entries: 1
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>
Status  

12.1.2.5 Validating Oracle Unified Directory Through the Load Balancer

In addition, validate that you can access Oracle Unified Directory through the load balancer by issuing the command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAP_LBR_HOST -p LDAP_LBR_PORT -D OUD_Administrator -b "" -s base "(objectclass=*)" supportedControl

For example:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h IDSTORE.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

12.1.2.6 Relaxing Oracle Unified Directory Object Creation Restrictions

Oracle Identity Management requires that a number of object classes be created in Oracle Unified Directory. You must perform the following step so that Oracle Unified Directory allows creation of the needed object classes.

Execute the following command against each Oracle Unified Directory instance. The example targets LDAPHOST1.example.com; repeat it for LDAPHOST2.example.com.

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h LDAPHOST1.example.com -p 4444 -D "cn=oudadmin" -j ./password_file -n \
         set-global-configuration-prop \
         --set single-structural-objectclass-behavior:warn \
         --trustAll

12.1.2.7 Configuring a Password Policy on Oracle Unified Directory

If you want to enable Oracle Identity Manager (OIM) to lock a user account, you must configure a password policy on the OUD server.

In the password policy, you must define the maximum number of failed logins after which the LDAP directory server locks the account.

Use the following command to configure the OUD password policy:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h LDAPHOST1.example.com -p <OUD Admin SSL port> -D <OUD Admin id> -j ./password_file -n \
         set-password-policy-prop \
         --policy-name "Default Password Policy" \
         --set "lockout-failure-count:10"

Repeat the command for each Oracle Unified Directory instance, for example: LDAPHOST2.

12.1.3 Creating Access Control Lists in Non-Oracle Directories

In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is not Oracle Internet Directory or Oracle Unified Directory, for example Microsoft Active Directory or Oracle Directory Server Enterprise Edition, you must set up the access control lists (ACLs) to provide appropriate privileges to the entities you created. This is true even if you are using Oracle Virtual Directory in front of them. This section lists the artifacts created and the privileges required for the artifacts.

  • Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.

  • Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Management Console. No LDAP schema level privileges are required, since this is just an application user.

  • Access Manager Software User. This user is added to the groups where the user gets read privileges to the container. This is also provided with schema admin privileges.

  • Oracle Identity Manager user oimLDAP under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.

  • Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.

  • WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.

  • WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.

  • Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.

12.1.4 Backing Up the Oracle Unified Directory installation

After you complete the installation and configuration of each tier and verify that the install is successful, or at some other logical point, create a backup. This is a quick backup that enables you to perform an immediate restoration if you encounter problems in later steps. The backup destination is the local disk. You can discard this backup after the enterprise deployment setup is complete. At that point, you can start using the regular deployment-specific Backup and Recovery process. For more information, see Oracle Fusion Middleware Administrator's Guide.

For information about Oracle Unified Directory database backups, see "Backing up Data" in Oracle Unified Directory Administrator's Guide.

To back up the installation to this point, follow these steps:

Back up the Oracle Unified Directory instances in the directory tier:

  1. Shut down the instance using the commands in Section 31.1.3, "Starting and Stopping Directory Services."

  2. Create a backup of the Middleware home on the directory tier. On Linux, as the root user, type:

    tar -cvpf BACKUP_LOCATION/dirtier.tar MW_HOME
    
  3. Create a backup of the Instance home on the directory tier as the root user. Type:

    tar -cvpf BACKUP_LOCATION/instance_backup.tar ORACLE_INSTANCE
    
  4. Start up the instance using the commands in Section 31.1.3, "Starting and Stopping Directory Services."

12.2 Configuring Oracle Internet Directory

This section describes how to create highly available Oracle Internet Directory (OID) in the enterprise deployment.

If you are using Oracle Unified Directory as your LDAP directory, you do not need Oracle Internet Directory.


12.2.1 Overview of Creating an Internet Directory

In this chapter, you perform the following tasks:

  • Configure two instances of Oracle Internet Directory by using the Oracle Identity Management 11g Configuration Wizard

  • Validate the instances

  • Tune Oracle Internet Directory

12.2.2 Using Oracle Internet Directory in an Enterprise Deployment

You use the Identity Store for storing information about users and groups, and the Policy Store for storing policy information. These instances can coexist on the same nodes or can exist on separate nodes. The data, however, must be stored in two separate databases. If policy information must reside in Oracle Internet Directory, you can place identity information into a different directory, such as Active Directory.

You must point idstore.example.com at one of the instances and policystore.example.com at the other.

12.2.3 Configuring the Oracle Internet Directory

This section describes how to install Oracle Internet Directory in a highly available manner. This procedure is not necessary if you are using Oracle Unified Directory as your LDAP directory.


12.2.3.1 Configuring the First Oracle Internet Directory

Before starting the configuration disable the Oracle Internet Directory (OID) monitoring on the load balancer if it is configured. If you do not do so, then the OID administrator account becomes locked during configuration and the configuration fails.

  1. Ensure that ports 3060 and 3061 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    netstat -an | grep "3060"
    netstat -an | grep "3061"

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port.

  2. Copy the staticports.ini file from REPOS_HOME/installers/idm/Disk1/stage/Response/staticports.ini to a temporary directory.

  3. Edit the staticports.ini file that you copied to the temporary directory to assign ports 3060 and 3061. Uncomment the entries in the file corresponding to the entries in Table 12-1 and set the values accordingly.

    Table 12-1 OID Ports Information

    Entry                                      Value
    Oracle Internet Directory Port No.         3060
    Oracle Internet Directory (SSL) Port No.   3061


  4. Start the Oracle Identity Management 11g Configuration Assistant by running the config.sh file in the following directory:

    DIR_MW_HOME/oid/bin/config.sh
    
  5. On the Welcome screen, click Next.

  6. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  7. On the Specify Installation Location screen, specify the following values:

    • Oracle Instance Location: LOCAL_CONFIG_DIR/instances/oid1

    • Oracle Instance Name: oid1

    Click Next.

  8. On the Specify Security Updates screen, choose whether to receive security updates from Oracle support and click Next.

  9. On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and click Next.

  10. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory, and click Next.

  11. On the Specify Schema Database screen, select Use Existing Schema and specify the following values:

    • Connect String: igddb-scan.example.com:1521:igddb1^igddb-scan.example.com:1521:igdb2@oidedg.example.com

    • User Name: ODS

    • Password: Enter the password for the OID schema created by RCU.

    • Click Next.

  12. On the Configure Oracle Internet Directory screen, specify the following:

    • Realm: The realm where you want your company information stored, for example: dc=example,dc=com

    • Administrator Password: Password for cn=orcladmin

    • Confirm Password: Confirm administrator password.

    Click Next.

  13. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  14. If a dialog box appears prompting you to run the oracleRoot.sh script, run the oracleRoot.sh script as the root user. When the following prompt appears:

    Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)
    

    Enter yes.

  15. On the Configuration Progress screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish. When it does, click Next.

  16. On the Installation Complete screen, click Finish to confirm your choice to exit.

12.2.3.2 Validating the OID installation on LDAPHOST1

To validate the installation of the Oracle Internet Directory instance on LDAPHOST1, issue these commands:

export ORACLE_HOME=OID_ORACLE_HOME
 
ORACLE_HOME/bin/ldapbind -h ldaphost1.example.com -p 3060 -D "cn=orcladmin" -q
ORACLE_HOME/bin/ldapbind -h ldaphost1.example.com -p 3061 -D "cn=orcladmin" -q -U 1

You are prompted for your administrator password.

Note:

It is important to invoke ldapbind from the OID Oracle Home. Many Linux systems come with an OpenLDAP version of ldapbind, which is incompatible with OID.

12.2.3.3 Configuring Oracle Internet Directory on LDAPHOST2

The schema database must be running before you perform this task.

Note:

Before starting the configuration, disable the OID monitoring on the load balancer if it is configured. If you do not do so, the OID administrator account becomes locked during configuration and the configuration fails.

To install Oracle Internet Directory on LDAPHOST2:

  1. Ensure that ports 3060 and 3061 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    netstat -an | grep "3060"
    netstat -an | grep "3061"

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port or choose a different port.

  2. Make the temporary staticports.ini file created in Section 12.2.3.1 available on LDAPHOST2.

  3. Start the Oracle Identity Management 11g Configuration Wizard by running the following command:

    DIR_MW_HOME/oid/bin/config.sh
    
  4. On the Welcome screen, click Next.

  5. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  6. On the Specify Installation Location screen, specify the following values:

    Oracle Instance Location: LOCAL_CONFIG_DIR/instances/oid2

    Oracle Instance Name: oid2

    Click Next.

  7. On the Specify Security Updates screen, choose whether to receive security updates from Oracle support.

    Click Next.

  8. On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and click Next.

  9. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory, and click Next.

  10. On the Specify Schema Database screen, select Use Existing Schema and specify the following values:

    • Connect String: igddb-scan.example.com:1521:igddb1^igddb-scan.example.com:1521:igdb2@oidedg.example.com

    • User Name: ODS

    • Password: Enter the password for the OID schema created by RCU.

    Click Next.

    The ODS Schema in use message appears. The ODS schema chosen is already being used by the existing Oracle Internet Directory instance. Therefore, the new Oracle Internet Directory instance being configured reuses the same schema.

    Click Yes to continue.

    A popup window with this message appears:

    Please ensure that the system time on this Identity Management Node is in sync with the time on other Identity management Nodes that are part of the Oracle Application Server Cluster (Identity Management) configuration. Failure to ensure this may result in unwanted instance failovers, inconsistent operational attributes in directory entries and potential inconsistent behavior of password state policies.
    

    Ensure that the system time between LDAPHOST1 and LDAPHOST2 is synchronized.

    Click OK to continue.

  11. On the Specify OID Admin Password screen, specify the Oracle Internet Directory administration password that you specified when creating the first OID instance.

    Click Next.

  12. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  13. If a dialog box appears prompting you to run the oracleRoot.sh script, run the oracleRoot.sh script as the root user. When prompted:

    Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)
    

    Enter yes.

  14. On the Configuration Progress screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

  15. On the Installation Complete screen, click Finish to confirm your choice to exit.

12.2.3.4 Validating the Installation of OID on LDAPHOST2

To validate the installation of the Oracle Internet Directory instance on LDAPHOST2, issue these commands:

export ORACLE_HOME=OID_ORACLE_HOME
 
ORACLE_HOME/bin/ldapbind -h ldaphost2.example.com -p 3060 -D "cn=orcladmin" -q
ORACLE_HOME/bin/ldapbind -h ldaphost2.example.com -p 3061 -D "cn=orcladmin" -q -U 1

Re-enable the OID virtual host on the load balancer and check that you can access OID via the load balancer.

ORACLE_HOME/bin/ldapbind -h idstore.example.com -p 3060 -D "cn=orcladmin" -q
ORACLE_HOME/bin/ldapbind -h idstore.example.com -p 3061 -D "cn=orcladmin" -q -U 1

You are prompted for your administrator password.

Note:

It is important to invoke ldapbind from the OID Oracle Home. Many Linux systems come with an OpenLDAP version of ldapbind, which is incompatible with OID.