Generic LDAPv3

Before You Begin

Introduction

Configure Oracle Identity Cloud Service to perform Authoritative Synchronization and Provisioning for Generic LDAPv3 Directory.

About Generic LDAPv3 Compliant Directory

A Generic LDAPv3 compliant directory provides a central repository for storing and managing identity profiles, access privileges, application and network resource information.

After integrating a Generic LDAPv3 compliant directory with Oracle Identity Cloud Service:

  • Admins can synchronize users, groups and user-group memberships into Oracle Identity Cloud Service.
  • Admins can assign and revoke user access to Generic LDAP using the Oracle Identity Cloud Service administration console.
  • Admins can manage user group membership through Oracle Identity Cloud Service.

What Do You Need?

Ensure you have the following prerequisites before you get started.

  • A fully installed and running provisioning bridge for the Generic LDAP Directory. To confirm this, make sure that the app shows an Active status in Oracle Identity Cloud Service. See Manage Provisioning Bridges for Oracle Identity Cloud Service.
  • An Oracle Identity Cloud Service Identity Domain Administrator or Application Administrator account so that you can manage apps and user accounts.
  • Generic LDAP server connectivity details such as administrator credentials, host name and the port number.

Enable SSL between Generic LDAPv3 Compliant Directory Server and Provisioning Bridge

These steps are optional, but they must be performed if you want to enable SSL between Generic LDAP and the provisioning bridge.

  1. On Generic LDAP Server, ensure that SSL is enabled and a port is specified to accept connections from LDAP clients.
  2. Generate a self-signed certificate and import it into the Generic LDAP Server instance. Note: For more information on the above two steps, refer to the Generic LDAP Server documentation.
  3. Import the certificate into the Java keystore of the machine on which the provisioning bridge is installed by following the steps mentioned in Certificate as a Trusted Certificate.
  4. Restart the provisioning bridge.

For detailed information on performing these steps, refer to Generic LDAP target documentation.

Register and Activate Generic LDAPv3 Directory Server

Register and activate Generic LDAP Server, and configure Authoritative Synchronization for Generic LDAP Server so that you can then perform user, group and user-group synchronization from Generic LDAP Server.

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
  2. Click App Catalog.
  3. Search for Generic LDAPv3 Provisioning, click Add, and then click Next.
  4. In the Name field, enter Generic LDAPv3 Provisioning, and add a valid description in the Description field.
  5. In the Provisioning Bridge drop-down, from the list of all active and inactive provisioning bridges, select the bridge that you installed as a part of the What Do You Need? section.
  6. Click Next to enable provisioning and synchronization for Generic LDAPv3. See Enable SSL between Generic LDAP Directory Server and Provisioning Bridge.
  7. Click Finish. Oracle Identity Cloud Service displays a confirmation message.
  8. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning and Synchronization for Generic LDAPv3 Server

Learn how to synchronize user accounts from Generic LDAP Server to Oracle Identity Cloud Service.

Enable Provisioning for Generic LDAPv3 Directory Server

  1. On the Provisioning page, select Enable Provisioning.
  2. In the Grant Consent dialog box, click Continue.
  3. Use this table to configure connectivity for establishing a connection with Oracle Cloud through Oracle Identity Cloud Service. Note that this table lists the parameters that Oracle Identity Cloud Service requires to connect to Generic LDAPv3.

    Host Name: Enter the host name of the server that hosts Oracle Directory Server Enterprise Edition. For example, host name value: app.cpdmqa01.com. Note: The host name value is dynamic and changes for each instance of LDAPv3 Server.
    Port Number: Enter the port number on which LDAPv3 Server is listening. For example, port number value: 1389
    Administrator Username: Enter the LDAPv3 Server service account user name.
    Administrator Password: Enter the LDAPv3 Server service account password.
    SSL Enabled: Select this checkbox if SSL communication is enabled between LDAPv3 Server and the provisioning bridge, as explained in the section “Enable SSL between Generic LDAPv3 Compliant Directory Server and Provisioning Bridge”.
    Base Contexts: Enter the root DN values from which all users and groups are synchronized. For example, base context value: dc=example,dc=com. One or more base context values can be specified, separated by a carriage return. For example, base context values: dc=example, dc=com and dc=example2, dc=com. Note: The base contexts value is dynamic and changes for each instance of LDAPv3 Server.
    Change Log Block Size: Enter the block size to be used for an incremental synchronization operation. By default, the value is 100.
    Block Size: Enter the block size to be used for a full synchronization operation. By default, the value is 100.
    Use Page Result Control: Specifies whether a simple paged search should be used for a full synchronization operation.
    Account User Name Attribute: Specifies the user name attribute.
    UID Attribute Name: Provide the UID attribute name that uniquely identifies the entry in the DIT.
    Use Standard Change Log: Enable this option to use the standard changelog mechanism for synchronization.
    Changelog BaseDN: Provide the distinguished name of the entry that contains the set of entries comprising this server's changelog.
    ChangelogUidAttribute: Provide the UID attribute name that uniquely identifies a changelog entry.
    Change Number Attribute: Provide the attribute name for the change number that uniquely identifies a change made to a directory entry.
    Use Modify Timestamps: Enable this option to use modify-timestamp-based synchronization if the standard changelog is not supported.
    Create Timestamp Attribute: Provide the attribute name that gives the creation timestamp of an entry.
    Modify Timestamp Attribute: Provide the attribute name that gives the modification timestamp of an entry.
  4. Click Test Connectivity to verify the connection with Generic LDAPv3. Oracle Identity Cloud Service displays a confirmation message. Note: To test the connectivity, the associated bridge must be in Active status and must be started on the client network.
  5. Use this table to configure a User Object required to synchronize users from Generic LDAPv3 to Oracle Identity Cloud Service. This table lists the parameters that Oracle Identity Cloud Service requires to configure users to Generic LDAPv3.

    User Object Class: Enter a list of object classes required for a User Object.
    User Enabled Attribute: Enter the attribute name that signifies whether a user is enabled or disabled in LDAPv3 Server. By default, the value selected is ENABLED.
    User Enabled Value: Enter the value present in Account Enabled Attribute when a user is active in LDAPv3 Server. By default, the value selected is DISABLED.
    User Disabled Value: Enter the value present in Account Enabled Attribute when a user is inactive in LDAPv3 Server.
  6. Use this table to configure a Group Object required to synchronize users from Generic LDAPv3 to Oracle Identity Cloud Service. This table lists the parameters that Oracle Identity Cloud Service requires to configure groups to Generic LDAPv3.

    Group Object Class: Enter a list of object classes required for a Group Object.
    Group Member Attribute: Enter the attribute name that signifies a user’s membership of the group in LDAPv3 Server.
    Group UID Attribute: Enter the unique identifier attribute of the group.
  7. The Configure Attributes section defines predefined attribute mappings between the user account fields defined in Generic LDAPv3 and the corresponding fields defined in Oracle Identity Cloud Service.

    a. To view and subsequently add Generic LDAPv3 user attributes: Click Add to view the available list of Generic LDAPv3 user attributes. In the Add Attribute dialog box, click Refresh to get the latest list of user attributes from Generic LDAPv3. Select the attribute that you wish to add, and click OK.

    b. To view the predefined attribute mappings between the user account fields defined in Generic LDAPv3 and the corresponding fields defined in LDAPv3 Server, click Attribute Mapping, and click OK. Note: To add a new attribute, click Add Row, specify attributes in the User and Generic LDAPv3 columns, and then click OK.

  8. Specify the provisioning operations that you want to enable for Generic LDAPv3.

    • Authoritative Sync: Configures Generic LDAPv3 as an authoritative source for Oracle Identity Cloud Service. In the authoritative sync configuration, users, roles, and user role memberships are created or modified on Generic LDAPv3 and the information is synchronized into Oracle Identity Cloud Service. Note: By default, the Authoritative Sync check box is selected and all other check boxes are disabled.

Note: User lifecycle management is supported for this application.

Enable Synchronization for Generic LDAPv3 Server

  1. On the Provisioning page, select Enable Synchronization.
  2. From the User Identifier drop-down list, define a matching rule that links a record fetched from Generic LDAPv3 with an existing record in Oracle Identity Cloud Service. Note: By default, User Name is selected. It is recommended that you keep this default attribute for accurate synchronization of user records.
  3. From the Application Identifier drop-down list, define a matching rule that links a record fetched from Generic LDAPv3 with an existing record in Oracle Identity Cloud Service. Note: By default, UserUid is selected. This value represents the Uid attribute of a user in Generic LDAPv3. It is recommended that you keep this default attribute for accurate synchronization of user records.
  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    • Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined user identifier.
    • Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined user identifier. You need to manually confirm the linked accounts.
  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.
  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be removed during the synchronization run.
  7. From the Synchronization schedule drop-down list, select the interval at which you want the synchronization operation to be performed. Note: By default, Never is selected. It is recommended that you change this value according to your requirements.

After enabling provisioning and synchronization for Generic LDAPv3, you can synchronize the existing account details from Generic LDAPv3 and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see Import User Accounts from a Software as a Service Application.
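The synchronization settings above (User Identifier, Application Identifier, the two link actions, and the Max. number of creates/deletes caps) decide what one run does to your Oracle Identity Cloud Service users. The simulation below is an added example, not Oracle's implementation: it plans a run over constructed accounts and shows the caps acting as a safety valve, for instance when a wrong base context returns no accounts and every linked user would otherwise be removed. It assumes that exceeding a cap stops the run; the page only states that the caps limit the counts.

```python
"""Simulated synchronization run: matching rule, link action and the
Max. number of creates/deletes caps (constructed data, not Oracle's code)."""

# Constructed Oracle Identity Cloud Service users keyed by the User Identifier
# (User Name); linkedUid holds the Application Identifier (UserUid) once linked.
IDCS_USERS = {
    "alice": {"linkedUid": "u-1001", "confirmed": True},
    "bob":   {"linkedUid": None,     "confirmed": False},
    "zed":   {"linkedUid": "u-1099", "confirmed": True},
}
# Constructed accounts as read from Generic LDAPv3: the UID attribute and the
# value of the Account User Name Attribute.
LDAP_ACCOUNTS = [
    {"uid": "u-1001", "userName": "alice"},
    {"uid": "u-1002", "userName": "bob"},
    {"uid": "u-1003", "userName": "dave"},
]

def plan_sync(ldap_accounts, idcs_users, match_action="link_and_confirm",
              max_creates=10, max_deletes=10):
    """Return the actions one run would take, or a 'blocked' plan when a cap
    is exceeded (assumption: exceeding a cap stops the whole run)."""
    if max_creates < 10 or max_deletes < 10:
        raise ValueError("Max. number of creates/deletes must be >= 10")
    linked = {u["linkedUid"]: name for name, u in idcs_users.items() if u["linkedUid"]}
    actions = []
    for acct in ldap_accounts:
        if acct["uid"] in linked:                        # Application Identifier match
            actions.append(("update", linked[acct["uid"]]))
        elif acct["userName"] in idcs_users:             # User Identifier match
            state = "confirmed" if match_action == "link_and_confirm" else "pending"
            actions.append(("link", acct["userName"], state))
        else:                                            # no match: new user
            actions.append(("create", acct["userName"]))
    seen = {a["uid"] for a in ldap_accounts}
    actions += [("delete", name) for uid, name in linked.items() if uid not in seen]
    creates = sum(a[0] == "create" for a in actions)
    deletes = sum(a[0] == "delete" for a in actions)
    if creates > max_creates or deletes > max_deletes:
        return {"status": "blocked", "creates": creates, "deletes": deletes, "actions": []}
    return {"status": "ok", "creates": creates, "deletes": deletes, "actions": actions}
```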

Discover the Schema for Generic LDAPv3

  1. On the Provisioning Setting tab, under Configuration Attributes, click Add Attribute.
  2. Click Refresh to display the unmapped attributes from Generic LDAPv3, whether they are out of the box or custom.

Troubleshooting

For any issues, contact Oracle Support:

  1. Go to https://support.oracle.com.
  2. Select Cloud Support, and then sign in with your support credentials.
  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.
  4. Select Oracle Identity Cloud Service as the service type. Complete your service request.