13 Configuring Oracle LDAP for an Enterprise Deployment
Follow these instructions if you are creating a new Oracle LDAP directory (Oracle Unified Directory (OUD)).
This chapter includes the following topics:
- Configuring Oracle Unified Directory for an Enterprise Deployment: install and configure Oracle Unified Directory (OUD).
- Configuring Oracle HTTP Server for Oracle Unified Directory Services Manager: if you want to access the Oracle Unified Directory Services Manager (OUDSM) console through Oracle Web Servers, you must add the necessary entry to one of your administrative virtual hosts.
- Preparing an Existing LDAP Directory: before you can use an LDAP directory with Oracle Identity and Access Management, it must be extended with the object classes required by Oracle Access Manager.
Configuring Oracle Unified Directory for an Enterprise Deployment
Install and configure Oracle Unified Directory (OUD).
In an enterprise deployment, each OUD instance is configured on a separate host. OUD is not installed into a domain.
- Variables Used When Configuring Oracle Unified Directory: the procedures for installing and configuring Oracle Unified Directory use a series of variables that you replace with the actual values for your environment.
- Installing a Supported JDK
- Installing Oracle Unified Directory: you can install Oracle Unified Directory by using the interactive graphical wizard provided by the Oracle Universal Installer.
- Configuring the Oracle Unified Directory Instances
- Installing and Configuring Oracle Unified Directory Service Manager: Oracle Unified Directory Service Manager (OUDSM) is a graphical user interface (GUI) tool used to manage Oracle Unified Directory.
Variables Used When Configuring Oracle Unified Directory
The procedures for installing and configuring Oracle Unified Directory use a series of variables that you replace with the actual values for your environment.
The following variables are used in these procedures:
- DIR_ORACLE_HOME
- OUD_ORACLE_INSTANCE
- OUD_REPLICATION_PORT
- OUD_ADMIN_PORT
- LDAP_PORT
- LDAP_SSL_PORT
- LDAP_ADMIN_PORT
- JAVA_HOME
- INSTANCE_NAME
- PRIVATE_CONFIG_DIR
- WEB_DOMAIN_HOME
- OHS_DOMAIN_HOME
- IDSTORE_HOST
- IDSTORE_PORT
- IDSTORE_DIRECTORYTYPE
- IDSTORE_BINDDN
- IDSTORE_SEARCHBASE
- IDSTORE_LOGINATTRIBUTE
- IDSTORE_USERSEARCHBASE
- IDSTORE_GROUPSEARCHBASE
- IDSTORE_SYSTEMIDBASE
- IDSTORE_USERNAMEATTRIBUTE
- IDSTORE_LOGIN_ATTRIBUTE
- IDSTORE_ADMIN_PORT
- IDSTORE_KEYSTORE_FILE
- IDSTORE_KEYSTORE_PASSWORD
- IDSTORE_NEW_SETUP
- IDSTORE_OAMADMINUSER
- IDSTORE_OAMSOFTWAREUSER
- OAM11G_IDSTORE_ROLE_SECURITY_ADMIN
- OAM11G_SERVER_LOGIN_ATTRIBUTE
- IDSTORE_WLSADMINUSER
- IDSTORE_WLSADMINGROUP
- IAD_ORACLE_HOME
- IGD_ORACLE_HOME
- ORACLE_HOME
Installing a Supported JDK
Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.
- Locating and Downloading the JDK Software
- Installing the JDK Software: Oracle Fusion Middleware requires you to install a certified Java Development Kit (JDK) on your system.
Locating and Downloading the JDK Software
To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.
After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:
http://www.oracle.com/technetwork/java/index.html
Be sure to navigate to the download for the Java SE JDK.
Installing the JDK Software
Oracle Fusion Middleware requires you to install a certified Java Development Kit (JDK) on your system.
You must install the JDK in the following locations:
- On the shared storage device, in the /u01/oracle/products/jdk directory. The JDK will then be accessible from each of the application tier host computers.
- On the local storage device of each Web tier host computer. The Web tier host computers, which reside in the DMZ, do not necessarily have access to the shared storage on the application tier.
- On the local storage device of each directory tier host computer, if the directory hosts do not use the shared storage.
For more information about the recommended location for the JDK software, see Understanding the Recommended Directory Structure for an Enterprise Deployment.
Installing Oracle Unified Directory
You can install Oracle Unified Directory by using an interactive graphical wizard provided by the Oracle Universal Installer.
Starting the Oracle Unified Directory Installer
To start the installation program:
Navigating the Oracle Unified Directory Installation Screens
The following describes how to use the installer screens, in order, to install Oracle Unified Directory.
If you need additional help with any of the installation screens, click the screen name.
- This screen introduces you to the product installer. Click Next.
- Select whether or not you want to receive automatic updates for this product.
- For the purposes of this enterprise deployment, enter the value of the DIR_ORACLE_HOME variable listed in Table 9-2. Note that run-time processes cannot write to this directory.
- Use this screen to select the type of installation and, as a consequence, the products and feature sets you want to install. If you plan to manage OUD through WebLogic Server or OUDSM, select Collocated Oracle Unified Directory Server (Managed through WebLogic server). Note: if you select Collocated mode, you must also install Oracle Fusion Middleware Infrastructure; see Installing the Oracle Fusion Middleware Infrastructure. If you plan to manage OUD independently of WebLogic Server, select Standalone Oracle Unified Directory Server (Managed independently of WebLogic server). Click Next.
- The installer analyzes the host computer to ensure that the prerequisites are fulfilled. The results of the prerequisite checks are displayed on this screen. If a prerequisite check fails, an error or warning message is displayed. Click Next to continue.
- This screen displays the Oracle home directory that you specified earlier. It also indicates the amount of disk space that will be used for the installation and the free space available. Review the information on this screen. To save the settings specified so far in the installation wizard in a text file (called a response file), click Save. If necessary, you can use the response file to perform the same installation from the command line. Click Install to begin the installation. For more information about silent or command-line installation, see "Using the Oracle Universal Installer in Silent Mode" in Installing Software with the Oracle Universal Installer.
- This screen shows the progress and status of the installation process. If you want to cancel the installation, click Cancel. The files that were copied to your system before you canceled the installation will remain on the system; you should remove them manually. Click Next to continue.
- Click Finish.
Installing the Software on Other Host Computers
If you have configured a separate shared storage volume or partition for LDAPHOST2, then you must also install the software on LDAPHOST2. For more information, see Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.
Note that the location where you install the Oracle home (which contains the software binaries) varies, depending upon the host. To identify the proper location for your Oracle home directories, refer to the guidelines in File System and Directory Variables Used in This Guide.
Verifying the Installation
After you complete the installation, you can verify it by successfully completing the following tasks.
- Reviewing the Installation Log Files
- Checking the Directory Structure: after you install Oracle Unified Directory and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options you selected during the installation.
- Viewing the Contents of Your Oracle Home
Reviewing the Installation Log Files
Review the contents of the installation log files to make sure that no problems were encountered. For a description of the log files and where to find them, see Understanding Installation Log Files in Installing Software with the Oracle Universal Installer.
Checking the Directory Structure
After you install the Oracle Unified Directory and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options you selected during the installation.
To check the directory structure:
Viewing the Contents of Your Oracle Home
You can also view the contents of your Oracle home by using the viewInventory script. See Viewing the Contents of an Oracle Home in Installing Software with the Oracle Universal Installer.
Configuring the Oracle Unified Directory Instances
Follow these steps to configure Oracle Unified Directory (OUD) components in the directory tier on LDAPHOST1 and LDAPHOST2. During the configuration you will also configure Oracle Unified Directory replication servers.
The following are the two options available when you install Oracle Unified Directory:
- Standalone mode: choose this option if you wish to manage OUD using command-line tools.
- Collocated mode: choose this option to associate Oracle Unified Directory with a domain. If you associate it with a domain, you have the option to manage OUD using Oracle Unified Directory Service Manager. If you wish to use OUDSM, you must install Oracle Unified Directory in collocated mode.
This section contains the following topics:
Configuring Oracle Unified Directory on LDAPHOST1
Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer. For each port, issue the command appropriate to your operating system, for example:
netstat -an | grep "1389"
If a port is not in use, the command returns no output. If any of the ports is in use (that is, the command returns output identifying that port), you must free it: remove the entries for ports 1389, 1636, 4444, and 8989 from the /etc/services file and restart the services or restart the computer.
Set the environment variable JAVA_HOME to the JDK location (JAVA_HOME).
Change directory to DIR_ORACLE_HOME/oud.
Set the environment variable INSTANCE_NAME. Rather than ../../admin/oud1, use a relative path that resolves to PRIVATE_CONFIG_DIR/instances/oud1. For example, with DIR_ORACLE_HOME set to /u01/oracle/products/dir and PRIVATE_CONFIG_DIR set to /u02/private/oracle/config:
export INSTANCE_NAME=../../../../u02/private/oracle/config/instances/oud1
The tool creates the instance home relative to DIR_ORACLE_HOME, so you must include the parent directories to get the instance created in PRIVATE_CONFIG_DIR/instances.
Start the Oracle Unified Directory configuration assistant by executing the command:
./oud-setup
The following table describes how to use the configuration assistant screens to configure Oracle Unified Directory.
Screen | Description
---|---
Welcome | This screen introduces you to the product configuration assistant. Click Next.
Server Administration Settings | Enter the details of the server, including the administration connector port (4444 in this deployment) and the root user DN (cn=oudadmin) with its password. Click Next.
Ports | Enter the LDAP port (1389) and the LDAPS port (1636). For the certificate, you can use an existing certificate or generate a self-signed certificate. Self-signed certificates are not recommended for production deployments.
Topology Options | Configure this server as part of a replication topology, using replication port 8989. Click Next.
Directory Data | Enter the directory base DN, dc=example,dc=com. Click Next.
Oracle Components Integration | If you are planning to use the directory for integrating with other directories, select Enable for DIP. If you are planning to use the directory for E-Business Suite or for Oracle database name resolution, select Enable for EBS (E-Business Suite), Database Net Services and DIP. If you are planning to use the directory for Enterprise User Security, select Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP. Click Next.
Server Tuning | You have the option of allocating specific resources to the OUD instance. You can accept the default or change the resource allocations based on your deployment. If this server is used only for OUD, as in a distributed deployment, be sure to check the box Dedicated Machine for OUD. Click Next.
Review | Verify that the information displayed is correct. If you want the OUD server to be started after configuration, ensure that you select the option Start the server.
Finished | Click Close.
Validating Oracle Unified Directory on LDAPHOST1
After configuration, validate that Oracle Unified Directory is working by performing a simple search:
OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST1.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
If Oracle Unified Directory is working correctly, a list of supportedControl entries is returned.
If you have enabled SSL on the directory, test it using:
OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST1.example.com -p 1636 --useSSL -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
If the server uses a self-signed certificate, the client will not trust it by default. Import the server certificate into a client trust store rather than disabling certificate checking (--trustAll, -X) anywhere other than a test environment.
Configuring Oracle Unified Directory Instance on LDAPHOST2
Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer. For each port, issue the command appropriate to your operating system, for example:
netstat -an | grep "1389"
If a port is not in use, the command returns no output. If any of the ports is in use (that is, the command returns output identifying that port), you must free it: remove the entries for ports 1389, 1636, 4444, and 8989 from the /etc/services file and restart the services or restart the computer.
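The port check above, for both LDAPHOST1 and LDAPHOST2, as an added script that is not part of the Oracle guide. The guide's grep "1389" is unanchored, so a listener on 11389, or a peer address ending in 51389, also produces output and looks like a conflict; this version matches only the local-address column of netstat -an (or ss -tan) and reports exactly which of the four OUD ports are bound. The function names, the OUD_PORTS list and the embedded netstat listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: report which OUD ports are
# already bound before running oud-setup on LDAPHOST1 or LDAPHOST2.

# Ports the OUD instances use in this deployment (from the guide).
OUD_PORTS="1389 1636 4444 8989"

# ports_in_use LISTING PORT...
# LISTING is the text of `netstat -an` (Linux/Solaris) or `ss -tan`; in both
# formats the local endpoint is column 4. Prints each PORT that is the local
# port of some socket in LISTING, one per line; prints nothing if all are free.
ports_in_use() {
    listing=$1
    shift
    for port in "$@"; do
        # "<addr>:<port>" (Linux) or "<addr>.<port>" (Solaris/BSD), anchored
        # at the end of column 4 so 11389 or 51389 do not match 1389.
        if printf '%s\n' "$listing" | awk -v p="$port" '
            NF >= 4 && $4 ~ ("[:.]" p "$") { found = 1; exit }
            END { exit (found ? 0 : 1) }'
        then
            printf '%s\n' "$port"
        fi
    done
    return 0
}

# oud_ports_free: run the check on the live host. Returns 1 and names the
# busy ports on stderr if any of OUD_PORTS is bound; returns 0 otherwise.
oud_ports_free() {
    if command -v ss >/dev/null 2>&1; then
        listing=$(ss -tan)
    else
        listing=$(netstat -an)
    fi
    busy=$(ports_in_use "$listing" $OUD_PORTS)   # unquoted: one arg per port
    if [ -n "$busy" ]; then
        printf 'OUD ports already in use: %s\n' "$(printf '%s' "$busy" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample of netstat -an output (not captured from a real host):
# 1636 and 8989 are bound; 1389 is free although 11389 and 51389 appear;
# 4444 appears only as a remote peer address, so it is free too.
SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11389           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1636           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:51389          10.0.0.9:4444           ESTABLISHED
tcp6       0      0 :::8989                 :::*                    LISTEN
EOF
)

# Usage on a directory host, before oud-setup:
#   oud_ports_free || exit 1
```

On the sample listing, ports_in_use reports 1636 and 8989 only, whereas the guide's grep "1389" would match two lines and wrongly suggest that 1389 is taken. Run oud_ports_free on each directory host before starting the configuration assistant.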
Set the environment variable JAVA_HOME to the JDK location (JAVA_HOME).
Change directory to DIR_ORACLE_HOME/oud.
Set the environment variable INSTANCE_NAME. Rather than ../../admin/oud2, use a relative path that resolves to PRIVATE_CONFIG_DIR/instances/oud2. For example, with DIR_ORACLE_HOME set to /u01/oracle/products/dir and PRIVATE_CONFIG_DIR set to /u02/private/oracle/config:
export INSTANCE_NAME=../../../../u02/private/oracle/config/instances/oud2
The tool creates the instance home relative to DIR_ORACLE_HOME, so you must include the parent directories to get the instance created in PRIVATE_CONFIG_DIR/instances.
Start the Oracle Unified Directory configuration assistant by executing the command:
./oud-setup
The following table describes how to use the configuration assistant screens to configure Oracle Unified Directory.
Screen | Description
---|---
Welcome | This screen introduces you to the product configuration assistant. Click Next.
Server Administration Settings | Enter the details of the server, including the administration connector port (4444 in this deployment) and the root user DN (cn=oudadmin) with its password. Click Next.
Ports | Enter the LDAP port (1389) and the LDAPS port (1636). For the certificate, you can use an existing certificate or generate a self-signed certificate. Self-signed certificates are not recommended for production deployments.
Topology Options | Configure this server as part of the existing replication topology (replication port 8989), pointing to the LDAPHOST1 server and its administration port. Click Next. If you see a Certificate Not Trusted dialog, it is because you are using self-signed certificates. Click Accept Permanently. For more information, see Setting Up Replication During Installation.
Create Global Administrator | Enter the global administrator ID and password. Click Next.
Data Replication | Select dc=example,dc=com. Click Next.
Oracle Components Integration | If you selected any products to integrate with when you configured LDAPHOST1, select the same option here. Click Next.
Server Tuning | You have the option of allocating specific resources to the OUD instance. You can accept the default or change the resource allocations based on your deployment. If this server is used only for OUD, as in a distributed deployment, be sure to check the box Dedicated Machine for OUD. Click Next.
Review | Verify that the information displayed is correct. If you want the OUD server to be started after configuration, ensure that you select the option Start the server.
Finished | Click Close.
Validating Oracle Unified Directory on LDAPHOST2
After configuration, validate that Oracle Unified Directory is working by performing a simple search:
OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST2.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
If Oracle Unified Directory is working correctly, a list of supportedControl entries is returned.
If you have enabled SSL on the directory, test it using:
OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAPHOST2.example.com -p 1636 --useSSL -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
To check that Oracle Unified Directory replication is enabled, issue the command:
OUD_ORACLE_INSTANCE/OUD/bin/status
You are prompted for the administrator bind DN (cn=oudadmin) and its password.
You then see output similar to the following example. The replication connection handler on port 8989 is Enabled, and the dc=example,dc=com data source shows Replication: Enabled with no missing changes:
--- Server Status ---
Server Run Status: Started
Open Connections: 2

--- Server Details ---
Host Name: slc01fnv
Administrative Users: cn=oudadmin
Installation Path: /u01/oracle/products/dir/oud
Instance Path: /u02/private/oracle/config/instances/oud1/OUD
Version: Oracle Unified Directory 12.2.1.3.0
Java Version: 1.8.0_102
Administration Connector: Port 4444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol : State
-------------:-------------:-----------
             : LDIF        : Disabled
8989         : Replication : Enabled
0.0.0.0:161  : SNMP        : Disabled
0.0.0.0:1389 : LDAP        : Enabled
0.0.0.0:1636 : LDAPS       : Enabled
0.0.0.0:1689 : JMX         : Disabled

--- Data Sources ---
Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 1
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>
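The replication check above can be scripted instead of read by eye. The following is an added example, not part of the Oracle guide: it parses status output, confirms that the replication handler is enabled and that the base DN is replicated with no missing changes, and wraps the live status command. The embedded status text is a constructed sample modelled on the output shown above; the function names are invented for this example, and the live wrapper assumes OUD_ORACLE_INSTANCE is set and that status accepts the same -D and -j bind options as ldapsearch and ldapmodify in this guide plus -n to suppress prompts (an assumption, not taken from the page).

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: check OUD replication state
# from the text printed by OUD_ORACLE_INSTANCE/OUD/bin/status.

# replication_state STATUS_TEXT BASE_DN
# Prints three words: the state of the Replication connection handler, the
# "Replication:" value of the data source for BASE_DN, and its "Missing
# Changes" count. A field that cannot be found is printed as "unknown".
replication_state() {
    printf '%s\n' "$1" | awk -v dn="$2" '
        # connection handler row, e.g. "8989 : Replication : Enabled"
        $2 == ":" && $3 == "Replication" && $4 == ":" { handler = $5 }
        # a data source block starts with its Base DN; strip blanks so that
        # "dc=example ,dc=com" and "dc=example,dc=com" compare equal
        /^Base DN:/ { cur = substr($0, 9); gsub(/[ \t]/, "", cur) }
        cur == dn && /^Replication:/     { repl = $2 }
        cur == dn && /^Missing Changes:/ { missing = $3 }
        END {
            printf "%s %s %s\n", (handler == "" ? "unknown" : handler),
                                 (repl == "" ? "unknown" : repl),
                                 (missing == "" ? "unknown" : missing)
        }'
}

# replication_ok STATUS_TEXT BASE_DN
# Succeeds only when the handler is Enabled, BASE_DN replication is Enabled,
# and no changes are missing.
replication_ok() {
    [ "$(replication_state "$1" "$2")" = "Enabled Enabled 0" ]
}

# check_live_replication BASE_DN PASSWORD_FILE
# Runs the instance's status tool without prompting and evaluates it.
# Assumes OUD_ORACLE_INSTANCE is set and that status accepts -D/-j/-n
# (assumed here, not stated in the guide). Returns 2 if status itself fails.
check_live_replication() {
    out=$("$OUD_ORACLE_INSTANCE/OUD/bin/status" -D cn=oudadmin -j "$2" -n) || return 2
    replication_ok "$out" "$1"
}

# Constructed sample, modelled on the status output in the guide.
SAMPLE_STATUS=$(cat <<'EOF'
--- Server Status ---
Server Run Status: Started
Open Connections: 2

--- Connection Handlers ---
Address:Port : Protocol : State
-------------:-------------:-----------
             : LDIF        : Disabled
8989         : Replication : Enabled
0.0.0.0:1389 : LDAP        : Enabled
0.0.0.0:1636 : LDAPS       : Enabled

--- Data Sources ---
Base DN: dc=example ,dc=com
Backend ID: userRoot
Entries: 1
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>
EOF
)

# Usage on LDAPHOST2, with the cn=oudadmin password in passwordfile:
#   check_live_replication dc=example,dc=com passwordfile || echo "replication not healthy"
```

The Base DN comparison ignores embedded spaces because the status tool's output wraps DNs loosely; the handler row is matched on its second and fourth fields being ":" so that the "Address:Port" header line is skipped.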
Installing and Configuring Oracle Unified Directory Service Manager
Oracle Unified Directory Service Manager (OUDSM) is a Graphical User Interface (GUI) tool used to manage Oracle Unified Directory.
If you install OUDSM, it is recommended that you create it in its own lightweight domain.
The following topics describe how to do this:
- Creating a Domain for Oracle Unified Directory Service Manager: you can create a domain for Oracle Unified Directory Service Manager (OUDSM) without depending on the Oracle Database or the Repository Creation Utility (RCU), using a WebLogic Scripting Tool (WLST) command.
- Starting the Oracle Unified Directory Service Manager Domain: after configuring the Oracle Unified Directory Service Manager domain, start the Administration Server to manage the domain.
Creating a Domain for Oracle Unified Directory Service Manager
You can create a domain for Oracle Unified Directory Service Manager (OUDSM) without depending on the Oracle Database or the Repository Creation Utility (RCU) using the WebLogic Scripting Tool (WLST) command.
Note:
This is the Oracle preferred approach to set up a domain for OUDSM. It is recommended not to extend this domain with any other products or components. In this approach, you do not have to run config.sh.
To set up the OUDSM domain using the WLST, do the following:
Configuring Oracle HTTP Server for Oracle Unified Directory Services Manager
If you want to access the Oracle Unified Directory Services Manager (OUDSM) console through Oracle Web Servers, then you must add the necessary entry to one of your administrative virtual hosts.
Preparing an Existing LDAP Directory
Before you can use an LDAP directory with Oracle Identity and Access Management, it must be extended with object classes required by Oracle Access Manager.
Note:
This procedure involves running a utility provided as part of the Oracle Identity and Access Management suite. You must have installed the software for either Oracle Access Manager (Installing the Oracle Fusion Middleware Infrastructure) or Oracle Identity Manager (Installing the Oracle Fusion Middleware Infrastructure on OIMHOST1) to continue.
This section includes the following topics:
- About the Enterprise Deployment Users and Groups
- Creating a Configuration File
- Preparing OUD as the Identity Store
- Creating Access Control Lists in Non-Oracle Directories
About the Enterprise Deployment Users and Groups
The following topics provide important information on the purpose and characteristics of the enterprise deployment administration users and groups.
About Using Unique Administration Users for Each Domain
When you use a central LDAP user store, you can provision users and groups for use with multiple Oracle WebLogic Server domains. As a result, there is a possibility that one WebLogic administration user can have access to all the domains within an enterprise.
It is a best practice to create and assign a unique distinguished name (DN) within the directory tree for the users and groups that you provision for the administration of your Oracle Fusion Middleware domains.
For example, create two users called oamLDAP and oimLDAP, which are used to connect the WebLogic domain to LDAP. This allows the domain to see the users and groups that exist in the directory. You can create a different user for each domain or use a single user for multiple domains. Under no circumstances should the default LDAP administration user be used for this purpose. You must create these users in the systemids container. This container is used for system users that are not normally visible to users. Placing the user in the systemids container ensures that customers who have Oracle Identity Governance do not reconcile this user.
Using a different user for Oracle Access Management (OAM) and Oracle Identity Manager (OIM) LDAP connections ensures that the user that OAM uses to connect to LDAP has a restricted privilege set.
Create a user called weblogic_iam and an administration group called WLSAdministrators. Users in the WLSAdministrators group are allowed to access the following:
- Oracle Fusion Middleware Control
- Oracle WebLogic Administration Console
Create a user called oamadmin and an administration group called OAMAdministrators. Users in the OAMAdministrators group are allowed to access the following:
- Oracle Access Policy Manager
- Oracle Access Manager Console
Creating a Configuration File
Create a property file iam.props
, to use when preparing the Identity Store and as a basis for later integration and configuration processes. The file will have the structure described in this section. When creating the file do not include any blank lines.
The property files in this section are complete examples. Some of the parameters specified in the file will not be used until later configuration steps in the guide. It is only necessary to include the properties for the products you are going to use.
This section includes the following topics:
Oracle Unified Directory Example
The following is an example configuration file for Oracle Unified Directory:
# Common
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_INSTANCE_HOME/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_iam
IDSTORE_WLSADMINGROUP : WLSAdministrators
Explanation of Property Values
This section explains the configuration file property values.
LDAP Properties
- IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. When preparing the Identity Store these should point to one of the LDAP instances. When configuring components such as OAM or OIM they should point to the load balancer entry point. For an Exalogic setup, you must specify the OTD failover group name for this host.
- IDSTORE_DIRECTORYTYPE is the type of directory you are using. The valid value is OUD.
- IDSTORE_BINDDN is an administrative user in the Identity Store directory.
- IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
- IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.
- IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
- IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
- IDSTORE_SYSTEMIDBASE is the location of a container in the directory where system users can be placed when you do not want them in the main user container.
- IDSTORE_USERNAMEATTRIBUTE is the name of the LDAP attribute that stores a user's name.
- IDSTORE_LOGIN_ATTRIBUTE is the name of the LDAP attribute where user IDs are stored.
OUD Properties
- IDSTORE_ADMIN_PORT is the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.
- IDSTORE_KEYSTORE_FILE is the location of the Oracle Unified Directory keystore file. It is used to enable communication with Oracle Unified Directory over the administration port. It is called admin-keystore and is located in OUD_INSTANCE_HOME/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter.
- IDSTORE_KEYSTORE_PASSWORD is the password of the Oracle Unified Directory keystore. This value can be found in the file OUD_INSTANCE_HOME/OUD/config/admin-keystore.pin. Because iam.props then contains this keystore PIN, keep the file readable only by the account that runs idmConfigTool and remove it once the integration steps are complete.
- IDSTORE_NEW_SETUP is used when preparing a directory for the first time.
OAM Properties
- IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. When preparing the Identity Store these should point to one of the LDAP instances. When configuring components such as OAM or OIM they should point to the load balancer entry point. If you are using an OTD failover group for accessing the identity store, specify that value here.
- IDSTORE_OAMADMINUSER is the name of the user you want to create as your Access Manager administrator.
- IDSTORE_OAMSOFTWAREUSER is a user that gets created in LDAP and that Access Manager uses at run time to connect to the LDAP server.
- OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group that is used to allow access to the OAM console. Only users assigned to this group will be able to access the OAM Console.
- OAM11G_SERVER_LOGIN_ATTRIBUTE is the name of the LDAP attribute where user IDs are stored; it must be the same as IDSTORE_LOGINATTRIBUTE.
Note:
You can create different administrator accounts and groups for each of the products or use a single administration user. The example above uses a single administration user and group.
The OAMSOFTWAREUSER is the user that OAM uses to connect to LDAP. The OIMADMINUSER is the user that OIM uses to connect to LDAP. You can create separate users for each product or just use the same user.
OIM Properties
- IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Governance administrative users.
- IDSTORE_OIMADMINUSER is the user that Oracle Identity Governance uses to connect to the Identity Store.
WebLogic Properties
- IDSTORE_WLSADMINUSER is the user name to be created for logging in to the WebLogic domain once it is enabled for single sign-on.
- IDSTORE_WLSADMINGROUP is the name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong.
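The constraints spread across the property descriptions above (no blank lines, KEY: value syntax, the mandatory LDAP properties, IDSTORE_DIRECTORYTYPE set to OUD, OAM11G_SERVER_LOGIN_ATTRIBUTE equal to IDSTORE_LOGINATTRIBUTE, and the OAM/OIM connection users never being the directory administrator) are easy to get wrong by hand and idmConfigTool reports them only at run time. The following is an added checker that is not part of the Oracle guide or of idmConfigTool; the function name is invented for this example, and the embedded property set is the guide's Oracle Unified Directory example reproduced as constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: validate an iam.props file
# before handing it to idmConfigTool.

# check_iam_props < iam.props
# Prints one line per problem and exits 1; prints nothing and exits 0 when
# the file passes every check.
check_iam_props() {
    awk '
        function bad(msg) { print msg; problems++ }
        # the guide requires a file with no blank lines
        NF == 0 { bad("line " NR ": blank line (the file must not contain blank lines)"); next }
        /^#/    { next }
        {
            i = index($0, ":")
            if (i == 0) { bad("line " NR ": expected KEY: value"); next }
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            kv[k] = v
        }
        END {
            required = "IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN IDSTORE_DIRECTORYTYPE IDSTORE_SEARCHBASE IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE IDSTORE_SYSTEMIDBASE IDSTORE_LOGINATTRIBUTE IDSTORE_USERNAMEATTRIBUTE"
            n = split(required, req, " ")
            for (j = 1; j <= n; j++)
                if (!(req[j] in kv)) bad("missing required property " req[j])
            if (("IDSTORE_DIRECTORYTYPE" in kv) && kv["IDSTORE_DIRECTORYTYPE"] != "OUD")
                bad("IDSTORE_DIRECTORYTYPE must be OUD, found " kv["IDSTORE_DIRECTORYTYPE"])
            if (("OAM11G_SERVER_LOGIN_ATTRIBUTE" in kv) && kv["OAM11G_SERVER_LOGIN_ATTRIBUTE"] != kv["IDSTORE_LOGINATTRIBUTE"])
                bad("OAM11G_SERVER_LOGIN_ATTRIBUTE (" kv["OAM11G_SERVER_LOGIN_ATTRIBUTE"] ") must equal IDSTORE_LOGINATTRIBUTE (" kv["IDSTORE_LOGINATTRIBUTE"] ")")
            # RDN value of the bind DN, e.g. "oudadmin" from "cn=oudadmin":
            # the software/connection users must never be the directory administrator
            admin = kv["IDSTORE_BINDDN"]; sub(/^[^=]*=/, "", admin); sub(/,.*$/, "", admin)
            split("IDSTORE_OAMSOFTWAREUSER IDSTORE_OIMADMINUSER", users, " ")
            for (j = 1; j <= 2; j++)
                if ((users[j] in kv) && kv[users[j]] == admin)
                    bad(users[j] " must not be the directory administrator " admin)
            exit (problems ? 1 : 0)
        }'
}

# Constructed sample input: the Oracle Unified Directory example from the guide.
SAMPLE_IAM_PROPS=$(cat <<'EOF'
# Common
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_INSTANCE_HOME/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_iam
IDSTORE_WLSADMINGROUP : WLSAdministrators
EOF
)

# Usage before running idmConfigTool:
#   check_iam_props < iam.props || exit 1
```

Values are split on the first colon only, so DNs and paths are preserved intact, and surrounding whitespace is trimmed so that "IDSTORE_WLSADMINUSER : weblogic_iam" and "IDSTORE_WLSADMINUSER: weblogic_iam" are treated alike.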
Preparing OUD as the Identity Store
Before an Oracle LDAP directory can be used with Oracle Identity and Access Management, the directory needs to be pre-configured.
This process involves the creation of additional object classes within the directory and the seeding of users that the Oracle Identity and Access Management suite will use to connect to the directory. There are two phases to the configuration process:
- Pre-configure: this adds the required object classes.
- Seeding of users.
To do this, perform the following tasks on LDAPHOST1 if you are extending Oracle Unified Directory:
- Directory Pre-Configuration
- Seeding Users and Groups
- Granting OUD changelog Access
- Updating Oracle Unified Directory ACIs
- Creating OUD Indexes
Directory Pre-Configuration
To do this, perform the following tasks on LDAPHOST1 if you are extending Oracle Unified Directory:
Note:
The preparation of LDAP is performed using a tool called idmConfigTool. This tool comes bundled with the Oracle Identity and Access Management software. Before you perform the steps in this section, you must install the Oracle Identity and Access Management software. See Installing the Oracle Fusion Middleware Infrastructure. The steps in this section can be run from either OAMHOST1 or OIMHOST1.
If your directory is on a different host from the IAD_ORACLE_HOME, then the idmconfigTool.sh tool needs to be run from that host. If you have a firewall between the IAD_ORACLE_HOME and your directory server, you must open the LDAP ports in that firewall for the duration of this step.
If you are installing OIM only and wish to configure your directory, use IGD_ORACLE_HOME instead of IAD_ORACLE_HOME. The tool is the same in both locations.
Seeding Users and Groups
You must seed the Identity Store with users and groups that are required by the Identity Management components.
To seed the Identity Store, perform the following tasks on OAMHOST1 or OIMHOST1:
Note:
This command also creates a container in your Identity Store for reservations.
Note:
When entering a password for xelsysadm, ensure that it satisfies the OIM password policy: it must be at least 8 characters long and contain an uppercase character and a number.
When the command runs, you are prompted to enter the password of the account with which you connect to the Identity Store.
After running each command, check the log file for any errors or warnings and correct them. The file, named automation.log, is created in the directory from which you run the tool.
Granting OUD changelog Access
If you are using Oracle Unified Directory, you must grant access to the changelog by performing the following steps on LDAPHOST1 and LDAPHOST2:
Updating Oracle Unified Directory ACIs
The following is a workaround for an Oracle Unified Directory operations failure that occurs when OIG integration is enabled.
Update OUD_ORACLE_INSTANCE/OUD/config/config.ldif on all OUD instances with the following changes:
Note:
Save a copy of the original file before editing.
Creating OUD Indexes
When you run idmConfigTool to prepare an OUD identity store, it creates indexes for the data only on the instance against which it is run. You must create these indexes manually on each of the other OUD instances, that is, on LDAPHOST2.
To do this, run the following commands on LDAPHOST2. Here passwordfile contains the cn=oudadmin password, -Z connects over SSL to the administration port, and -X accepts the server certificate without checking it, so outside of a test environment use a trust store instead of -X:
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c -f IAD_ORACLE_HOME/idm/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c -f IAD_ORACLE_HOME/idm/idmtools/templates/oud/oud_indexes_extn.ldif
Rebuild the Indexes
Once the indexes have been created on all of the LDAP hosts, rebuild them using the commands:
Creating Access Control Lists in Non-Oracle Directories
In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is neither Oracle Unified Directory nor Oracle Directory Server Enterprise Edition, you must set up the access control lists (ACLs) to provide appropriate privileges to the entities you created; this is true even if you are using Oracle Virtual Directory in front of them. This section lists the artifacts created and the privileges required for the artifacts.
- Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.
- Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Management Console. No LDAP schema-level privileges are required, since this is just an application user.
- Access Manager Software User. This user is added to the groups where the user gets read privileges to the container. This user is also given schema admin privileges.
- Oracle Identity Governance user oigLDAP under the System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.
- Oracle Identity Governance administration group. The Oracle Identity Governance user is added as its member. The Oracle Identity Governance admin group is given complete read/write privileges to all the user and group entities in the directory.
- WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.
- WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.
- Reserve container. Permissions are provided to the Oracle Identity Governance admin group to perform read/write operations.