13 Configuring Oracle LDAP for an Enterprise Deployment

Follow these instructions if you are creating a new Oracle LDAP directory (Oracle Unified Directory (OUD)).

This chapter includes the following topics:

Configuring Oracle Unified Directory for an Enterprise Deployment

Install and configure Oracle Unified Directory (OUD).

In an enterprise deployment, each OUD instance is configured on a separate host. OUD is not installed into a domain.

Variables Used When Configuring Oracle Unified Directory

The procedures for installing and configuring Oracle Unified Directory use a series of variables that you can replace with the actual values used in your environment.

The following directory location variables are used in these procedures:

  • DIR_ORACLE_HOME

  • OUD_ORACLE_INSTANCE

  • OUD_REPLICATION_PORT

  • OUD_ADMIN_PORT

  • LDAP_PORT

  • LDAP_SSL_PORT

  • LDAP_ADMIN_PORT

  • JAVA_HOME

  • INSTANCE_NAME

  • PRIVATE_CONFIG_DIR

  • WEB_DOMAIN_HOME

  • OHS_DOMAIN_HOME

  • IDSTORE_HOST

  • IDSTORE_PORT

  • IDSTORE_DIRECTORYTYPE

  • IDSTORE_BINDDN

  • IDSTORE_SEARCHBASE

  • IDSTORE_LOGINATTRIBUTE

  • IDSTORE_USERSEARCHBASE

  • IDSTORE_GROUPSEARCHBASE

  • IDSTORE_SYSTEMIDBASE

  • IDSTORE_USERNAMEATTRIBUTE

  • IDSTORE_LOGIN_ATTRIBUTE

  • IDSTORE_ADMIN_PORT

  • IDSTORE_KEYSTORE_FILE

  • IDSTORE_KEYSTORE_PASSWORD

  • IDSTORE_NEW_SETUP

  • IDSTORE_OAMADMINUSER

  • IDSTORE_OAMSOFTWAREUSER

  • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN

  • OAM11G_SERVER_LOGIN_ATTRIBUTE

  • IDSTORE_WLSADMINUSER

  • IDSTORE_WLSADMINGROUP

  • IAD_ORACLE_HOME

  • IGD_ORACLE_HOME

  • ORACLE_HOME

Installing a Supported JDK

Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.

Locating and Downloading the JDK Software

To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:

http://www.oracle.com/technetwork/java/index.html

Be sure to navigate to the download for the Java SE JDK.

Installing the JDK Software

Oracle Fusion Middleware requires you to install a certified Java Development Kit (JDK) on your system.

You must install the JDK in the following locations:

  • On the shared storage device, install the JDK in the /u01/oracle/products/jdk directory. The JDK will be accessible from each of the application tier host computers.

  • On the local storage device for each of the Web tier host computers. The Web tier host computers, which reside in the DMZ, do not necessarily have access to the shared storage on the application tier.

  • On the local storage device for each of the directory tier host computers, in case the directory hosts do not use the shared storage.

For more information about the recommended location for the JDK software, see Understanding the Recommended Directory Structure for an Enterprise Deployment.

To install JDK 1.8.0_131:
  1. Change directory to the location where you downloaded the JDK archive file.
    cd download_dir
  2. Unpack the archive into the JDK home directory, and then run the following commands:
    tar -xzvf jdk-8u131-linux-x64.tar.gz
    Note that the JDK version listed here was accurate at the time this document was published. For the latest supported JDK, see the Oracle Fusion Middleware System Requirements and Specifications for the current Oracle Fusion Middleware release.
  3. Move the JDK directory to the recommended location in the directory structure.
    For example:
    mv ./jdk1.8.0_131 /u01/oracle/products/jdk
  4. Define the JAVA_HOME and PATH environment variables for running Java on the host computer.
    For example:
    export JAVA_HOME=/u01/oracle/products/jdk
    export PATH=$JAVA_HOME/bin:$PATH
  5. Run the following command to verify that the appropriate java executable is in the path and your environment variables are set correctly:
    java -version
    The Java version in the output should be displayed as “1.8.0_131”.

Installing Oracle Unified Directory

You can install Oracle Unified Directory by using an interactive graphical wizard provided by the Oracle Universal Installer.

Starting the Oracle Unified Directory Installer

To start the installation program:

  1. Log in to LDAPHOST1.
  2. Go to the directory in which you downloaded the installer.
  3. Run the following Java command to launch the installation wizard:
    • On Linux

      JAVA_HOME/bin/java -d64 -jar fmw_12.2.1.3.0_oud_generic.jar

    Replace the JDK location in the above command with the actual JDK location on your system. For information about downloading the software and locating the actual installer file name for your product, see Identifying and Obtaining Software Distributions for an Enterprise Deployment.

Navigating the Oracle Unified Directory Installation Screens

The following table describes how to use the installer screens to install Oracle Unified Directory.

If you need additional help with any of the installation screens, click the screen name.

Screen Description

Welcome

This screen introduces you to the product installer.

Click Next.

Auto Updates

Select whether or not you want to receive automatic updates for this product.

Installation Location

For the purposes of this enterprise deployment, enter the value of the DIR_ORACLE_HOME variable listed in Table 9-2.

Note that run-time processes cannot write to this directory.

Installation Type

Use this screen to select the type of installation and as a consequence, the products and feature sets you want to install.

If you plan to manage OUD through WebLogic server or OUDSM, select Collocated Oracle Unified Directory Server (Managed through WebLogic server).

Note:

If you select Collocated mode, you must also install Oracle Fusion Middleware Infrastructure.

See Installing the Oracle Fusion Middleware Infrastructure.

If you plan to manage OUD independently of WebLogic server, select Standalone Oracle Unified Directory Server (Managed independently of WebLogic server).

Click Next.

Prerequisite Checks

The installer analyzes the host computer to ensure that the prerequisites are fulfilled. The results of the prerequisite checks are displayed on this screen.

If a prerequisite check fails, an error or warning message is displayed.
  • Fix the error and click Rerun. For example, if any of the required packages listed in Prerequisites for Installing Oracle Traffic Director are not available in the system, install them.

  • To ignore the error or warning and continue with the installation, click Skip.

  • To stop the prerequisite checking process, click Stop.

Click Next to continue.

Installation Summary

This screen displays the Oracle home directory that you specified earlier. It also indicates the amount of disk space that will be used for the installation and the free space available.

Review information on this screen.

To save the settings specified so far in the installation wizard in a text file (called a response file), click Save. If necessary, you can use the response file to perform the same installation from the command line.

Click Install to begin the installation.

For more information about silent or command line installation, see "Using the Oracle Universal Installer in Silent Mode" in Installing Software with the Oracle Universal Installer.

Installation Progress

This screen shows the progress and status of the installation process.

If you want to cancel the installation, click Cancel. The files that were copied to your system before you canceled the installation will remain on the system; you should remove them manually.

Click Next to continue.

Installation Complete

Click Finish.

Installing the Software on Other Host Computers

If you have configured a separate shared storage volume or partition for LDAPHOST2, then you must also install the software on LDAPHOST2. For more information, see Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

Note that the location where you install the Oracle home (which contains the software binaries) varies, depending upon the host. To identify the proper location for your Oracle home directories, refer to the guidelines in File System and Directory Variables Used in This Guide.

Verifying the Installation

After you complete the installation, you can verify it by successfully completing the following tasks.

Reviewing the Installation Log Files

Review the contents of the installation log files to make sure that no problems were encountered. For a description of the log files and where to find them, see Understanding Installation Log Files in Installing Software with the Oracle Universal Installer.

Checking the Directory Structure

After you install the Oracle Unified Directory and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options you selected during the installation.

To check the directory structure:

  1. Change to the DIR_ORACLE_HOME directory where you installed the Oracle Unified Directory.
  2. Enter the following command:
    ls --format=single-column
    If you installed using the colocated method, the directory structure on your system must match the structure shown in the following example:
    addons
    bat
    bin
    common
    config
    lib
    libForUpgrade
    oud-proxy-setup
    oud-proxy-setup.bat
    oud-replication-gateway-setup
    oud-replication-gateway-setup.bat
    oud-setup
    oud-setup.bat
    plugins
    snmp
    winlib
    If you installed using the standalone method, then the directory structure should match the structure shown below:
    cfgtoollogs
    inventory
    OPatch
    oracle_common
    oraInst.loc
    oud
    oui
    wlserver
    See What are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Viewing the Contents of Your Oracle Home

You can also view the contents of your Oracle home by using the viewInventory script. See Viewing the contents of an Oracle home in Installing Software with the Oracle Universal Installer.

Configuring the Oracle Unified Directory Instances

Follow these steps to configure Oracle Unified Directory (OUD) components in the directory tier on LDAPHOST1 and LDAPHOST2. During the configuration you will also configure Oracle Unified Directory replication servers.

The following are the two options available when you install Oracle Unified Directory:

  • Standalone mode: Choose this option if you wish to manage OUD via command line tools.

  • Co-located mode: Choose this option to associate Oracle Unified Directory with a domain. If you choose to associate it with a domain, you have the option to manage OUD using Oracle Unified Directory Service Manager (OUDSM). If you wish to use OUDSM, you must install Oracle Unified Directory in co-located mode.

This section contains the following topics:

Configuring Oracle Unified Directory on LDAPHOST1

Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer by issuing the following command for each port (shown here for port 1389). If a port is not in use, the command returns no output.

netstat -an | grep "1389"

If any of the ports is in use (that is, if the command returns output identifying the port), you must free the port.

Remove the entries for ports 1389, 1636, 4444, and 8989 in the /etc/services file and restart the services or restart the computer.
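As an added example that is not part of the Oracle guide, the following POSIX shell script performs the port check above for all four ports at once. A plain grep "1389" also matches unrelated ports such as 11389 or 13890, so the script anchors the port number to the end of the local-address column instead. The netstat sample embedded in it is constructed, not captured from a real host, and the function names (ports_in_use, check_oud_ports) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): check whether any of the OUD
# ports 1389, 1636, 4444 and 8989 already has a listener or connection on
# this host, with the port anchored so "1389" does not also match "11389".

# Constructed sample of "netstat -an" output; not captured from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11389           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8989          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1636           10.0.0.9:51234          ESTABLISHED'

# ports_in_use PORT... : reads "netstat -an" style lines on stdin and prints
# every listed port that appears as the port of a local address (column 4).
# Returns 0 when all listed ports are free and 1 when any is in use.
ports_in_use() {
    found=0
    input=$(cat)
    for port in "$@"; do
        # Match ":PORT" only at the end of the local-address column.
        if printf '%s\n' "$input" | awk -v p="$port" \
            '$4 ~ (":" p "$") { hit = 1 } END { if (hit) exit 0; exit 1 }'; then
            echo "port $port is in use"
            found=1
        fi
    done
    return $found
}

# check_oud_ports : live check on this host for the four OUD ports.
check_oud_ports() {
    netstat -an 2>/dev/null | ports_in_use 1389 1636 4444 8989
}
```

Run check_oud_ports before ./oud-setup; a non-zero return means at least one port must be freed first. Against the constructed sample, the function reports 1636 and 8989 as in use while 1389 stays free even though a listener on 11389 is present.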

Set the environment variable JAVA_HOME to the value of JAVA_HOME in the variables table.

Change Directory to DIR_ORACLE_HOME/oud.

Set the environment variable INSTANCE_NAME to ../../admin/oud1. For example:

export INSTANCE_NAME=../../../../u02/private/oracle/config/instances/oud1

Note that the tool creates the instance home relative to DIR_ORACLE_HOME, so you must include the parent directories to get the instance created in PRIVATE_CONFIG_DIR/instances.

Start the Oracle Unified Directory configuration assistant by executing the command:

./oud-setup

The following table describes how to use the configuration assistant screens to configure Oracle Unified Directory.

Screen Description

Welcome

This screen introduces you to the product configuration assistant.

Click Next.

Server Administration Settings

Enter the following details of the server:

  • Instance Path: Enter the location of the OUD configuration files (OUD_INSTANCE_HOME).

  • Host Name: Enter the name of the host where Oracle Unified Directory is running. For example: LDAPHOST1.example.com

    For Exalogic, this is the host attached to the network you wish to use.

  • Administration Port(s): The value of this field determines how you are going to administer OUD. The following are the possible values:
    • Enable Administration only by LDAP: Enter the LDAP port that will be used for administration traffic.

      The default LDAP administration port is 4444.

    • Enable Administration by LDAP and HTTP: Enter the LDAP and HTTP ports that will be used for administration traffic.

      The default administration ports are 4444 for LDAP and 8444 for HTTP.

    • Enable Administration by HTTP: Enter the HTTP port that will be used for administration traffic.

      The default HTTP administration port is 8444.

  • LDAP Port: Enter the port that you wish to use for administering OUD via LDAP.

  • HTTP Port: Enter the port that you wish to use for administering OUD via HTTP. For example, 8444 (OUD_ADMIN_PORT).

  • Root User DN: Enter an administrative user. For example, cn=oudadmin.

  • Password: Enter the password you wish to assign to the oudadmin user.

  • Password (Confirm): Repeat the password.

Click Next.

Ports

Enter the following details:

LDAP

  • Enable: Select if you wish to enable non-SSL communications with OUD.

  • on Port: Select the Port you wish to use (LDAP_PORT).

  • Enable Start TLS for LDAP: Select Enable StartTLS for LDAP to specify that the LDAP connection handler should allow clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure connection.

LDAPS

  • Enable: Select if you wish to enable SSL communications with OUD.

  • on Port: Select the Port you wish to use (LDAP_SSL_PORT).

    If you select this option, you must provide the SSL certificate information below.

Certificate

You can use an existing certificate or generate a self-signed certificate. Self-signed certificates are not recommended for production deployments.

  • Generate self-signed certificate: Select this if you wish OUD to generate its own certificate.

  • Use an existing certificate: Select this if you are using an existing certificate.

    Select the type of certificate, the location of the Keystore, and the Keystore pin.

Topology Options

Enter the following details:

  • This server will be part of a replication topology: Select this.

  • Replication Port: Enter the replication port. For example: 8989 (OUD_REPLICATION_PORT)

  • Configure As Secure: Select this if you wish the replication traffic to be encrypted.

  • There is already a server in the topology. Leave it unselected.

Click Next.

Directory Data

Enter the following details:

  • Directory Base DN: dc=example,dc=com

  • Directory Data: Only create base entry.

Click Next.

Oracle Components Integration

If you are planning to use the directory for integrating with other directories, select Enable for DIP.

If you are planning on using the directory for E-Business Suite or for Oracle database name resolution, select Enable for EBS (E-Business Suite), Database Net Services and DIP.

If you are planning to use the directory for Enterprise User Security, select Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP.

Click Next.

Server Tuning

You have the option of allocating specific resources to the OUD instance. You can choose to accept the default or change the resource allocations based on your deployment. If this server is used only for OUD, as in a distributed deployment, then be sure to check the box Dedicated Machine for OUD.

Click Next.

Review

Verify that the information displayed is correct. If you wish the OUD server to be started after configuration, ensure that you select the option Start the server.

Finished

Click Close.

Validating Oracle Unified Directory on LDAPHOST1

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search using the following command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST1.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you will see a list of supportedControl entries returned.

If you have enabled SSL on the directory, you can test it using the command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST1.example.com -p 1636 --useSSL -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

Configuring Oracle Unified Directory Instance on LDAPHOST2

Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer by issuing the following command for each port (shown here for port 1389). If a port is not in use, the command returns no output.

netstat -an | grep "1389"

If any of the ports is in use (that is, if the command returns output identifying the port), you must free the port.

Remove the entries for ports 1389, 1636, 4444, and 8989 in the /etc/services file and restart the services or restart the computer.

Set the environment variable JAVA_HOME to the value of JAVA_HOME in the variables table.

Change Directory to DIR_ORACLE_HOME/oud

Set the environment variable INSTANCE_NAME to ../../admin/oud2.

For example:

export INSTANCE_NAME=../../../../u02/private/oracle/config/instances/oud2

Note that the tool creates the instance home relative to DIR_ORACLE_HOME, so you must include the parent directories to get the instance created in PRIVATE_CONFIG_DIR/instances.

Start the Oracle Unified Directory configuration assistant by executing the command:

./oud-setup

The following table describes how to use the configuration assistant screens to configure Oracle Unified Directory.

Screen Description

Welcome

This screen introduces you to the product configuration assistant.

Click Next.

Server Administration Settings

Enter the following details of the server:

  • Instance Path: Enter the location of the OUD configuration files (OUD_INSTANCE_HOME).

  • Host Name: Enter the name of the host where Oracle Unified Directory is running. For example: LDAPHOST2.example.com

    For Exalogic, this is the host attached to the network you wish to use.

  • Administration Port(s): The value of this field determines how you are going to administer OUD. The following are the possible values:
    • Enable Administration only by LDAP: Enter the LDAP port that will be used for administration traffic.

    • Enable Administration by LDAP and HTTP: Enter the LDAP and HTTP ports that will be used for administration traffic.

    • Enable Administration by HTTP: Enter the HTTP port that will be used for administration traffic.

  • LDAP Port: Enter the port that you wish to use for administering OUD via LDAP.

  • HTTP Port: Enter the port that you wish to use for administering OUD via HTTP. For example, 8444 (OUD_ADMIN_PORT).

  • Root User DN: Enter an administrative user. For example, cn=oudadmin.

  • Password: Enter the password you wish to assign to the oudadmin user.

  • Password (Confirm): Repeat the password.

Click Next.

Ports

Enter the following details:

LDAP

  • Enable: Select if you wish to enable non-SSL communications with OUD.

  • on Port: Select the Port you wish to use (LDAP_PORT).

  • Enable Start TLS for LDAP: Select Enable StartTLS for LDAP to specify that the LDAP connection handler should allow clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure connection.

LDAPS

  • Enable: Select if you wish to enable SSL communications with OUD.

  • on Port: Select the Port you wish to use (LDAP_SSL_PORT).

    If you select this option, you must provide the SSL certificate information below.

Certificate

You can use an existing certificate or generate a self-signed certificate. Self-signed certificates are not recommended for production deployments.

  • Generate self-signed certificate: Select this if you wish OUD to generate its own certificate.

  • Use an existing certificate: Select this if you are using an existing certificate.

    Select the type of certificate, the location of the Keystore, and the Keystore pin.

Topology Options

Enter the following details:

  • This server will be part of a replication topology: Select this.

  • Replication Port: Enter the replication port. For example: 8989 (OUD_REPLICATION_PORT)

  • Configure As Secure: Select this if you wish the replication traffic to be encrypted.

  • There is already a server in the topology: Select this and enter the following:

    • Host Name: Name of the existing Oracle Unified Directory server host. For example, LDAPHOST1.example.com

    • Administrator Connector Port: 4444 (LDAP_ADMIN_PORT)

    • Admin User: Name of the Oracle Unified Directory admin user on LDAPHOST1. For example, cn=oudadmin

    • Admin Password: Administrator password

Click Next.

If you see a Certificate Not Trusted dialog, it is because you are using self-signed certificates. Click Accept Permanently.

For more information, refer to Setting Up Replication During Installation.

Create Global Administrator

Enter the following details:

  • Global Administrator ID: Enter the name of an account you want to use for managing Oracle Unified Directory replication. For example: oudmanager

  • Global Administrator Password / Confirmation: Enter a password for this account.

Click Next.

Data Replication

Select dc=example,dc=com.

Click Next.

Oracle Components Integration

If you selected any products to integrate with, when you configured LDAPHOST1, then select the same option here.

Click Next.

Server Tuning

You have the option of allocating specific resources to the OUD instance. You can choose to accept the default or change the resource allocations based on your deployment. If this server is used only for OUD, as in a distributed deployment, then be sure to check the box Dedicated Machine for OUD.

Click Next.

Review

Verify that the information displayed is correct. If you wish the OUD server to be started after configuration, ensure that you select the option Start the server.

Finished

Click Close.

Validating Oracle Unified Directory on LDAPHOST2

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search. To do this, issue the following command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST2.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you see a list of supportedControl entries returned.

If you have enabled SSL on the directory, you can test it using the command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST2.example.com -p 1636 --useSSL -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

To check that Oracle Unified Directory replication is enabled, issue the command:

OUD_ORACLE_INSTANCE/OUD/bin/status

You are prompted for the Administrator bind DN (cn=oudadmin) and its password.

You then see output similar to the following example. Replication is shown as Enabled.

--- Server Status ---
Server Run Status: Started
Open Connections: 2

--- Server Details ---
Host Name: slc01fnv
Administrative Users: cn=oudadmin
Installation Path: /u01/oracle/products/dir/oud
Instance Path: /u02/private/oracle/config/instances/oud1/OUD
Version: Oracle Unified Directory 12.2.1.3.0
Java Version: 1.8.0_102
Administration Connector: Port 4444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol : State
-------------:-------------:----------- :
LDIF : Disabled
8989 : Replication : Enabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:1389 : LDAP : Enabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled

--- Data Sources ---
Base DN: dc=example ,dc=com
Backend ID: userRoot
Entries: 1
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>
Status
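The validation steps for LDAPHOST1 and LDAPHOST2 above end with reading the status output by eye. As an added example that is not part of the Oracle guide, the following POSIX shell script turns that reading into a repeatable check: it parses status output in the format shown above and fails unless the server is started, the LDAP, LDAPS and replication connection handlers are enabled, and the base DN reports replication enabled with no missing changes. The status text embedded in it is constructed to match the format above, not captured from a real instance, and the function names (field, handler_state, check_oud_status) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): a health check over the output of
# OUD_ORACLE_INSTANCE/OUD/bin/status, so replication state is verified by a
# script rather than by reading the report.

# Constructed sample in the format the status tool prints; not a real capture.
SAMPLE_STATUS='--- Server Status ---
Server Run Status: Started
Open Connections: 2

--- Server Details ---
Host Name: ldaphost2
Administrative Users: cn=oudadmin
Administration Connector: Port 4444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol : State
-------------:-------------:----------- :
LDIF : Disabled
8989 : Replication : Enabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:1389 : LDAP : Enabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled

--- Data Sources ---
Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 1
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>'

# field NAME : print the value of the first "NAME: value" line on stdin.
field() {
    sed -n "s/^$1: *//p" | head -n 1
}

# handler_state PROTOCOL : print the State column of the connection handler
# row whose Protocol column equals PROTOCOL (columns separated by " : ").
handler_state() {
    awk -F' : ' -v proto="$1" '$2 == proto { print $3 }' | head -n 1
}

# check_oud_status : reads status output on stdin, prints each failed
# expectation, and returns 1 if any failed (0 when the instance is healthy).
check_oud_status() {
    text=$(cat)
    rc=0
    [ "$(printf '%s\n' "$text" | field 'Server Run Status')" = "Started" ] \
        || { echo "server not started"; rc=1; }
    [ "$(printf '%s\n' "$text" | handler_state LDAP)" = "Enabled" ] \
        || { echo "LDAP handler not enabled"; rc=1; }
    [ "$(printf '%s\n' "$text" | handler_state LDAPS)" = "Enabled" ] \
        || { echo "LDAPS handler not enabled"; rc=1; }
    [ "$(printf '%s\n' "$text" | handler_state Replication)" = "Enabled" ] \
        || { echo "replication handler not enabled"; rc=1; }
    [ "$(printf '%s\n' "$text" | field 'Replication')" = "Enabled" ] \
        || { echo "replication not enabled for base DN"; rc=1; }
    [ "$(printf '%s\n' "$text" | field 'Missing Changes')" = "0" ] \
        || { echo "missing changes pending"; rc=1; }
    return $rc
}
```

To use it against a live instance, run OUD_ORACLE_INSTANCE/OUD/bin/status, answer the bind DN and password prompts, save the report to a file, and run check_oud_status with that file on standard input; a non-zero return with the printed reasons is what a monitoring job or a post-install gate would act on.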

Installing and Configuring Oracle Unified Directory Service Manager

Oracle Unified Directory Service Manager (OUDSM) is a Graphical User Interface (GUI) tool used to manage Oracle Unified Directory.

It is not mandatory in production environments; however, OUDSM makes managing Oracle Unified Directory easier.

If you are installing OUDSM, it is recommended that you create it in its own lightweight domain.

The following topics describe how to do it:

Creating a Domain for Oracle Unified Directory Service Manager

You can create a domain for Oracle Unified Directory Service Manager (OUDSM) without depending on the Oracle Database or the Repository Creation Utility (RCU) using the WebLogic Scripting Tool (WLST) command.

Note:

This is the Oracle preferred approach to set up a domain for OUDSM. It is recommended not to extend this domain with any other products or components. In this approach, you do not have to run config.sh.

To set up the OUDSM domain using the WLST, do the following:

  1. Launch the WLST by running the following command:
    On UNIX:
    DIR_ORACLE_HOME/oracle_common/common/bin/wlst.sh
  2. Run the following command to create a compact domain for Oracle Unified Directory Services Manager:
    createOUDSMDomain(domainLocation=path_to_domain_home,weblogicPort=wls_port,weblogicSSLPort=ssl_port,weblogicUserName=wls_user,weblogicUserPassword=wls_password)
    In the above command, specify the values for the following parameters:
    • domainLocation: This is the absolute path to the domain home. For example, PRIVATE_CONFIG_DIR/domains/OUDSMDomain.

    • weblogicPort: This is the WebLogic port. This value must be unique to the server.

    • weblogicSSLPort: This is the WebLogic SSL port. This parameter is optional and is not enabled if not passed.

    • weblogicUserName: This is the WebLogic user name. This parameter is optional. If not specified, the default value weblogic is passed.

    • weblogicUserPassword: This is the WebLogic Administration Server user password.

    For example:

    createOUDSMDomain(domainLocation="/u02/private/oracle/config/domains/OUDSMDomain",weblogicPort=7001,weblogicSSLPort=7002,weblogicUserPassword='<password>')

  3. Enter exit() to exit WLST.

Starting the Oracle Unified Directory Service Manager Domain

After configuring the Oracle Unified Directory Service Manager domain, start the Administration Server to manage the domain.

To do this, complete the following steps:
  1. Start the Administration Server using the following command:
    PRIVATE_CONFIG_DIR/domains/OUDSMDomain/bin/startWebLogic.sh
  2. Verify that the Administration Server is up and running by accessing the Oracle Unified Directory Services Manager at the following URL:
    http://hostname:port/oudsm
    In the above URL, hostname is the name of the server on which WebLogic Server is installed, and port is the administrative port for the WebLogic Administration Server. The default port value is 7001.

Configuring Oracle HTTP Server for Oracle Unified Directory Services Manager

If you want to access the Oracle Unified Directory Services Manager (OUDSM) console through Oracle Web Servers, then you must add the necessary entry to one of your administrative virtual hosts.

Once you have configured your Oracle HTTP server as described in Configuring Oracle HTTP Server for an Enterprise Deployment, then you can configure the Oracle HTTP Server to route requests to the Oracle Unified Directory Services Manager. To do this:
  1. Add the following entries to the iadadmin_vh.conf or igd_admin_vh.conf files located at WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf/:
    <Location /oudsm>
        WebLogicHost LDAPHOST1.example.com
        WebLogicPort 7001
    </Location>

    Note:

    There are separate directories for configuration and runtime instance files. The runtime files under the .../OHS/instances/ohsn/* folder should not be edited directly. Edit only the .../OHS/ohsn/* configuration files.
  2. Copy the igdadmin_vh.conf or iadadmin_vh.conf file to the following configuration directory of the second Oracle HTTP Server instance (ohs2):
    OHS_DOMAIN_HOME/config/fmwconfig/components/ohs2/moduleconf/
  3. Restart the Oracle HTTP server instances on WEBHOST1 and WEBHOST2.

Preparing an Existing LDAP Directory

Before you can use an LDAP directory with Oracle Identity and Access Management, it must be extended with object classes required by Oracle Access Manager.

In addition, certain users and groups need to be seeded into the directory. These users and groups will be used by the various Oracle Identity and Access Management products as described later.

Note:

This procedure involves running a utility provided as part of the Oracle Identity and Access Management suite. You must have installed the software for either Oracle Access Manager (Installing the Oracle Fusion Middleware Infrastructure) or Oracle Identity Manager (Installing the Oracle Fusion Middleware Infrastructure on OIMHOST1) to continue.

This section includes the following topics:

About the Enterprise Deployment Users and Groups

The following topics provide important information on the purpose and characteristics of the enterprise deployment administration users and groups.

About Using Unique Administration Users for Each Domain

When you use a central LDAP user store, you can provision users and groups for use with multiple Oracle WebLogic Server domains. As a result, there is a possibility that one WebLogic administration user can have access to all the domains within an enterprise.

It is a best practice to create and assign a unique distinguished name (DN) within the directory tree for the users and groups that you provision for the administration of your Oracle Fusion Middleware domains.

For example, create two users called oamLDAP and oimLDAP, which are used to connect the WebLogic domain to LDAP. This allows the domain to see the users and groups which exist in the directory. You can create a different user for each domain or use a single user for multiple domains. Under no circumstances should the default LDAP administration user be used for this purpose. You must create these users in the systemids container. This container is used for system users that are not normally visible to users. Placing the user into the systemids container ensures that customers who have Oracle Identity Governance do not reconcile this user.

Using a different user for Oracle Access Management (OAM) and Oracle Identity Manager (OIM) LDAP connections ensures that the user that OAM uses to connect to LDAP has a restricted privilege set.

Create a user called weblogic_iam and an administration group called WLSAdministrators. Users in the WLSAdministrators group will be allowed to access the following:

  • Oracle Fusion Middleware Control

  • Oracle WebLogic Administration Console

Create a user called oamadmin and an administration group called OAMAdministrators. Users in the OAMAdministrators group are allowed to access the following:

  • Oracle Access Policy Manager

  • Oracle Access Manager Console

Creating a Configuration File

Create a property file iam.props, to use when preparing the Identity Store and as a basis for later integration and configuration processes. The file will have the structure described in this section. When creating the file do not include any blank lines.

The property files in this section are complete examples. Some of the parameters specified in the file will not be used until later configuration steps in the guide. It is only necessary to include the properties for the products you are going to use.

Oracle Unified Directory Example

The following is an example configuration file for Oracle Unified Directory:

# Common
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_INSTANCE_HOME/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators

Explanation of Property Values

This section explains the configuration file property values.

LDAP Properties
  • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. When preparing the Identity Store these should point to one of the LDAP instances. When configuring components such as OAM or OIM they should point to the load balancer entry point.

    For Exalogic setup, you must specify the OTD fail-over group name for this host.

  • IDSTORE_DIRECTORYTYPE is the type of directory you are using. The only valid value is OUD.

  • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

  • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

  • IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.

  • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

  • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

  • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where system users can be placed when you do not want them in the main user container.

  • IDSTORE_USERNAMEATTRIBUTE is the name of the LDAP attribute that stores a user's name.

  • IDSTORE_LOGIN_ATTRIBUTE is the name of the LDAP attribute where user IDs are stored.

OUD Properties
  • IDSTORE_ADMIN_PORT is the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • IDSTORE_KEYSTORE_FILE is the location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_INSTANCE_HOME/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • IDSTORE_KEYSTORE_PASSWORD is the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_INSTANCE_HOME/OUD/config/admin-keystore.pin.

  • IDSTORE_NEW_SETUP is used when preparing a directory for the first time.

OAM Properties
  • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. When preparing the Identity Store these should point to one of the LDAP instances. When configuring components such as OAM or OIM they should point to the load balancer entry point.

    If you are using an OTD Failover group for accessing the identity store, then you should specify this value here.

  • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Access Manager administrator.

  • IDSTORE_OAMSOFTWAREUSER is the user, created in LDAP, that Access Manager uses at run time to connect to the LDAP server.

  • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group that is used to allow access to the OAM console. Only users assigned to this group are able to access the OAM Console.

  • OAM11G_SERVER_LOGIN_ATTRIBUTE is the name of the LDAP attribute where user IDs are stored. It should be the same as the IDSTORE_LOGIN_ATTRIBUTE.

Note:

You can create different administrator accounts and groups for each of the products or use a single administration user. The example above uses a single Administration User and Group.

The OAMSOFTWAREUSER is the user that OAM uses to connect to LDAP. The OIMADMINUSER is the user that OIM uses to connect to LDAP. You can create separate users for each product or just use the same user.

OIM Properties
  • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Governance administrative users.

  • IDSTORE_OIMADMINUSER is the user that Oracle Identity Governance uses to connect to the Identity store.

Note:

The OAMSOFTWAREUSER is the user that OAM uses to connect to LDAP. The OIMADMINUSER is the user that OIG uses to connect to LDAP. You can create separate users for each product or just use the same user.

WebLogic Properties
  • IDSTORE_WLSADMINUSER is the user name to be created for logging in to the WebLogic domain once single sign-on is enabled for it.

  • IDSTORE_WLSADMINGROUP is the name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong.
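
A pre-flight check of iam.props, written as an added example for this guide (it is not Oracle code): it enforces the rules stated above, that is, no blank lines, one KEY: value per line, the required properties for each prepareIDStore mode, search bases under IDSTORE_SEARCHBASE, the OAM and OIM connection users not reusing the IDSTORE_BINDDN administrator, and OAM11G_SERVER_LOGIN_ATTRIBUTE matching the login attribute. The REQUIRED table and the sample file are assumptions derived from the example file above.

```python
import re
REQUIRED = {  # properties iam.props needs per prepareIDStore mode; "common" applies to every run
    "common": ["IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_SEARCHBASE", "IDSTORE_USERSEARCHBASE",
               "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE", "IDSTORE_LOGINATTRIBUTE"],
    "OAM": ["IDSTORE_OAMADMINUSER", "IDSTORE_OAMSOFTWAREUSER",
            "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "OAM11G_SERVER_LOGIN_ATTRIBUTE"],
    "OIM": ["IDSTORE_OIMADMINGROUP", "IDSTORE_OIMADMINUSER"],
    "WLS": ["IDSTORE_WLSADMINUSER", "IDSTORE_WLSADMINGROUP"],
}
LINE_RE = re.compile(r"^([A-Z0-9_]+)\s*:\s*(.*?)\s*$")

def parse_props(text):
    """Parse 'KEY: value' lines into a dict; blank or malformed lines are returned as problems."""
    props, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue  # comment lines are fine; the guide's own example uses them
        m = LINE_RE.match(line)
        if not m:
            why = "blank line (the guide says to include none)" if not line.strip() else "not 'KEY: value'"
            problems.append(f"line {n}: {why}")
            continue
        props[m.group(1)] = m.group(2)
    return props, problems

def _rdn_value(dn):
    """'cn=oudadmin,dc=example,dc=com' -> 'oudadmin'; a bare user name comes back unchanged."""
    return dn.split(",", 1)[0].split("=", 1)[-1].strip().lower()

def check_props(text, modes=("OAM", "OIM", "WLS")):
    """Return a list of findings; an empty list means the file passed every check."""
    props, findings = parse_props(text)
    for mode in ("common",) + tuple(modes):
        findings += [f"{k} missing (needed for {mode})" for k in REQUIRED[mode] if k not in props]
    base = props.get("IDSTORE_SEARCHBASE", "").lower()
    for key in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE"):
        if key in props and base and not props[key].lower().endswith("," + base):
            findings.append(f"{key} is not under IDSTORE_SEARCHBASE")
    # The guide: never use the default directory administrator as the domain's connection user.
    admin = _rdn_value(props.get("IDSTORE_BINDDN", ""))
    for key in ("IDSTORE_OAMSOFTWAREUSER", "IDSTORE_OIMADMINUSER"):
        if key in props and _rdn_value(props[key]) == admin:
            findings.append(f"{key} reuses the IDSTORE_BINDDN administrative account")
    # The guide: OAM11G_SERVER_LOGIN_ATTRIBUTE must equal the login attribute.
    login = props.get("IDSTORE_LOGIN_ATTRIBUTE", props.get("IDSTORE_LOGINATTRIBUTE", ""))
    if login.lower() != props.get("OAM11G_SERVER_LOGIN_ATTRIBUTE", login).lower():
        findings.append("OAM11G_SERVER_LOGIN_ATTRIBUTE differs from the login attribute")
    return findings

# Constructed sample mirroring the guide's OUD example above (values are illustrative only).
SAMPLE = """\
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators
"""
```

Run check_props on the real file before each idmConfigTool invocation and pass only the modes you are about to seed; any finding is a reason not to continue.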

Preparing OUD as the Identity Store

Before an Oracle LDAP directory can be used with Oracle Identity and Access Management, the directory needs to be pre-configured.

This process involves the creation of additional object classes within the directory and the seeding of users that the Oracle Identity and Access Management suite will use to connect to the directory. There are two phases to the configuration process:

  • Pre-configure: This adds the required object classes.

  • Seeding of Users.

To do this, perform the following tasks on LDAPHOST1 if you are extending Oracle Unified Directory:

Directory Pre-Configuration

Note:

The preparation of LDAP is performed using a tool called idmConfigTool. This tool comes bundled with the Oracle Identity and Access Management software. Before you perform the steps in this section, you must install Oracle Identity and Access Management. See Installing the Oracle Fusion Middleware Infrastructure. The steps in this section can be run from either OAMHOST1 or OIMHOST1.

If your directory is on a different host from the IAD_ORACLE_HOME, the idmConfigTool.sh tool must be run from that host. If there is a firewall between the IAD_ORACLE_HOME and your directory server, you must open the LDAP ports in that firewall for the duration of this step.

If you are installing OIM only and wish to configure your directory, use IGD_ORACLE_HOME instead of IAD_ORACLE_HOME. The idmConfigTool is the same in both locations.

  1. Set the environment variables:
    • MW_HOME: Set it to either IAD_ORACLE_HOME or IGD_ORACLE_HOME
    • JAVA_HOME: Set it to Java Home.
    • ORACLE_HOME: Set it to MW_HOME/idm
  2. Configure the Identity Store using the command idmConfigTool from the location ORACLE_HOME/idmtools/bin.

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory IAD_ORACLE_HOME/idmtools/bin.

    The syntax of the command on Linux is:

    idmConfigTool.sh -preConfigIDStore input_file=configfile

    For example:

    idmConfigTool.sh -preConfigIDStore input_file=iam.props

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. This command might take some time to complete.

    Check the log file for any errors or warnings, and correct them. A file named automation.log is created in the directory from which you run the tool.

Seeding Users and Groups

You must seed the Identity Store with users and groups that are required by the Identity Management components.

To seed the Identity Store, perform the following tasks on OAMHOST1 or OIMHOST1:

  1. Set the environment variables:
    • MW_HOME: Set it to either IAD_ORACLE_HOME or IGD_ORACLE_HOME
    • JAVA_HOME: Set it to Java Home.
    • ORACLE_HOME: Set it to MW_HOME/idm

    Note:

    Replace IAM_ORACLE_HOME with either IGD_ORACLE_HOME or IAD_ORACLE_HOME depending on whether the idmConfigTool is being run on OIMHOST1 or OAMHOST1.

  2. Configure the Identity Store using the command idmConfigTool, at the following location:
    ORACLE_HOME/idmtools/bin
    

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the directory from which idmConfigTool is run. To ensure that each time you run the tool, it appends the same file, always run the idmConfigTool from the following directory:

    ORACLE_HOME/idmtools/bin
    

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=MODE input_file=configfile pwd_file=passwordfile


    The value selected for MODE determines the type of users to be created. Possible values for MODE are: OAM, OIM, and WLS.

    • In all topologies, when you enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Administration Console and Oracle Enterprise Manager Fusion Middleware Control. Type:

      idmConfigTool.sh -prepareIDStore mode=WLS input_file=iam.props
      
    • If your topology includes Access Manager, you must seed the Identity Store with users that are required by Access Manager. Type:

      idmConfigTool.sh -prepareIDStore mode=OAM input_file=iam.props
      
    • If your topology includes Oracle Identity Governance, you must seed the Identity Store with the xelsysadm user and assign it to an Oracle Identity Governance administrative group. You must also create a user outside of the standard cn=Users location to be able to perform reconciliation. This user is also the user that should be used as the bind DN when connecting to directories with Oracle Virtual Directory. Type:

      idmConfigTool.sh -prepareIDStore mode=OIM input_file=iam.props
      

Note:

This command also creates a container in your Identity Store for reservations.

Note:

When entering a password for xelsysadm, ensure that it satisfies the OIM password policy: it must be at least 8 characters long and contain an uppercase character and a number.

When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

After running each command, check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory from which you run the tool.

Granting OUD Changelog Access

If you are using Oracle Unified Directory, you must grant access to the changelog, by performing the following steps on LDAPHOST1 and LDAPHOST2:

  1. Create a file called passwordfile which contains the password you use to connect to OUD.
  2. Remove the existing change log by issuing the command:
    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
    --remove \
    global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
    --hostname OUD_HOST \
    --port OUD_ADMIN_PORT \
    --trustAll \
    --bindDN cn=oudadmin \
    --bindPasswordFile passwordfile \
    --no-prompt

    For example:

    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
    --remove \
    global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
    --hostname LDAPHOST1.example.com \
    --port 4444 \
    --trustAll \
    --bindDN cn=oudadmin \
    --bindPasswordFile passwordfile \
    --no-prompt
  3. Add the new ACI:
    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
    --add \
    global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
    --hostname OUD_HOST \
    --port OUD_ADMIN_PORT \
    --trustAll \
    --bindDN cn=oudadmin \
    --bindPasswordFile passwordfile \
    --no-prompt

    For example:

    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
    --add \
    global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
    --hostname LDAPHOST1.example.com \
    --port 4444 \
    --trustAll \
    --bindDN cn=oudadmin \
    --bindPasswordFile passwordfile \
    --no-prompt
    
  4. Then, add the following ACI:
    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")(version 3.0;acl \"OIMAdministrators control access\"; allow(read) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
    --hostname OUD_HOST \
    --port OUD_ADMIN_PORT \
    --trustAll \
    --bindDN cn=oudadmin \
    --bindPasswordFile passwordfile \
    --no-prompt

    For example:

    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")(version 3.0;acl \"OIMAdministrators control access\"; allow(read) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
    --hostname LDAPHOST1.example.com \
    --port 4444 \
    --trustAll \
    --bindDN cn=oudadmin \
    --bindPasswordFile passwordfile \
    --no-prompt
  5. Next, add the following ACI:
    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
    --hostname OUD_HOST \
    --port OUD_ADMIN_PORT \
    --trustAll \
    --bindDN cn=oudadmin \
    --bindPasswordFile passwordfile \
    --no-prompt

    For example:

    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
    --hostname LDAPHOST1.example.com \
    --port 4444 \
    --trustAll \
    --bindDN cn=oudadmin \
    --bindPasswordFile passwordfile \
    --no-prompt
    
Updating Oracle Unified Directory ACIs

The following is a workaround for an Oracle Unified Directory operations failure when OIG integration is enabled.

Update OUD_ORACLE_INSTANCE/OUD/config/config.ldif on all OUD instances with the following changes:

Note:

Save a copy of the original file before editing.

  1. Look for the following line:
    ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
    

    Remove the Object Identifier 1.2.840.113556.1.4.319 from the above ACI and add it to the following ACI, as shown:

    ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
    
  2. Add Object Identifiers 1.3.6.1.4.1.26027.1.5.4 and 1.3.6.1.4.1.26027.2.3.4 to the following aci as shown:
    ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
    
  3. Restart the Oracle Unified Directory server on both LDAPHOSTs.
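
The config.ldif edit in steps 1 and 2, as an added example (not Oracle tooling) that performs the OID move programmatically so it can be applied identically on every OUD instance and re-run without duplicating OIDs; the ACIs are located by their acl name, and the sample fragment is constructed from the lines shown above. 1.2.840.113556.1.4.319 is the Simple Paged Results control; the two 1.3.6.1.4.1.26027 OIDs are used exactly as the guide lists them.

```python
import re

# Constructed config.ldif fragment: the two ds-cfg-global-aci lines the guide edits, as printed
# above, plus one unrelated ACI that must pass through untouched.
SAMPLE_CONFIG = """\
dn: cn=Access Control Handler,cn=config
ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)
"""
TARGETCONTROL_RE = re.compile(r'\(targetcontrol="([^"]*)"\)')
ACL_NAME_RE = re.compile(r'acl "([^"]*)"')

def _unwrap(text):
    """Join LDIF continuation lines (leading space) so each attribute value is one line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def control_oids(aci):
    """OIDs in the ACI's targetcontrol clause, in order; [] if it has no such clause."""
    m = TARGETCONTROL_RE.search(aci)
    return [o.strip() for o in m.group(1).split("||")] if m else []

def edit_controls(config_text, remove, add):
    """Delete and append targetcontrol OIDs on the global ACIs named in `remove` and `add`
    ({acl name: [oid, ...]}). Every other line passes through untouched. Raises if a named
    ACI is absent, so a misspelt name cannot silently leave the directory unchanged."""
    out, seen = [], set()
    for line in _unwrap(config_text):
        name = ACL_NAME_RE.search(line)
        if line.startswith("ds-cfg-global-aci:") and name and TARGETCONTROL_RE.search(line):
            name = name.group(1)
            seen.add(name)
            oids = [o for o in control_oids(line) if o not in remove.get(name, [])]
            oids += [o for o in add.get(name, []) if o not in oids]  # no duplicates on re-run
            line = TARGETCONTROL_RE.sub('(targetcontrol="%s")' % " || ".join(oids), line, count=1)
        out.append(line)
    missing = (set(remove) | set(add)) - seen
    if missing:
        raise ValueError("targetcontrol ACI not found: " + ", ".join(sorted(missing)))
    return "\n".join(out) + "\n"

PAGED_RESULTS = "1.2.840.113556.1.4.319"  # Simple Paged Results control (RFC 2696)
OUD_CONTROLS = ["1.3.6.1.4.1.26027.1.5.4", "1.3.6.1.4.1.26027.2.3.4"]  # OIDs listed in step 2
AUTHENTICATED, ANONYMOUS = "Authenticated users control access", "Anonymous control access"

def apply_guide_edit(config_text):
    """Steps 1 and 2 of the guide: move Paged Results to the anonymous ACI, add the OUD OIDs."""
    return edit_controls(config_text,
                         remove={AUTHENTICATED: [PAGED_RESULTS]},
                         add={ANONYMOUS: [PAGED_RESULTS], AUTHENTICATED: OUD_CONTROLS})
```

Apply it to the saved copy of config.ldif, diff the result against the original so that only the two ACI lines changed, then put the file in place and restart as in step 3.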

Creating OUD Indexes

When you run the idmConfigTool to prepare an OUD identity store, it creates indexes for the data only on the instance against which it is run. You must create these indexes manually on each of the other OUD instances, such as the instance on LDAPHOST2.

To do this, run the following commands on LDAPHOST2:

OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c -f IAD_ORACLE_HOME/idm/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c -f IAD_ORACLE_HOME/idm/idmtools/templates/oud/oud_indexes_extn.ldif

Rebuild the Indexes

Once the indexes have been created on all of the LDAP hosts, rebuild them with the following commands:

  1. Shutdown OUD by issuing the command:
    OUD_ORACLE_INSTANCE/OUD/bin/stop-ds
    
  2. Execute the command:
    OUD_ORACLE_INSTANCE/OUD/bin/rebuild-index --rebuildAll -b "dc=example,dc=com"
    
  3. Restart OUD by issuing the command:
    OUD_ORACLE_INSTANCE/OUD/bin/start-ds
    
  4. Repeat for every LDAPHOST, including the host against which the idmConfigTool was run. To maintain availability, stop only the directory whose indexes you are rebuilding.

Creating Access Control Lists in Non-Oracle Directories

In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is not Oracle Unified Directory or Oracle Directory Server Enterprise Edition, you must set up the access control lists (ACLs) that give the entities you created the appropriate privileges. This is true even if you are using Oracle Virtual Directory in front of those directories. This section lists the artifacts created and the privileges required for them.

  • Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.

  • Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Management Console. No LDAP schema level privileges are required, since this is just an application user.

  • Access Manager Software User. This user is added to the groups where the user gets read privileges to the container. This is also provided with schema admin privileges.

  • Oracle Identity Governance user oigLDAP under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.

  • Oracle Identity Governance administration group. The Oracle Identity Governance user is added as its member. The Oracle Identity Governance admin group is given complete read/write privileges to all the user and group entities in the directory.

  • WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.

  • WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.

  • Reserve container. Permissions are provided to the Oracle Identity Governance admin group to perform read/write operations.