12 Configuring Oracle LDAP for an Enterprise Deployment

Install and configure Oracle Unified Directory (OUD) for use with Oracle Identity and Access Management.

This chapter includes the following topics:

Configuring Oracle Unified Directory

Install and configure Oracle Unified Directory (OUD). In an enterprise deployment, each OUD instance is configured on a separate host. OUD is not installed into a domain.

Variables Used When Configuring Oracle Unified Directory

The procedures for installing and configuring Oracle Unified Directory (OUD) reference a series of variables that you can replace with the actual values used in your environment.

The following table outlines the OUD variables used:

Table 12-1 Variables Used in This Chapter

Variable Sample Value Description
DIR_ORACLE_HOME /u02/oracle/products/oud Oracle Home for the Oracle Unified Directory.
OUD_ORACLE_INSTANCE /u02/oracle/config/instances/oud1 The path to the OUD instance home.
OUD_REPLICATION_PORT 8989 The replication port you wish to use.
LDAP_PORT 1389 The LDAP port you wish to use.
LDAP_SSL_PORT 1636 The LDAP port you wish to use for SSL.
LDAP_ADMIN_PORT 4444 The LDAP port you wish to use for the administration port.
JAVA_HOME /u02/oracle/products/jdk The JDK home directory.
INSTANCE_NAME ../../../../u02/oracle/config/instances/oud1 The path to the instance home. Note: the tool creates the instance home relative to the DIR_ORACLE_HOME, so you must include the previous directories to get the instance created in LOCAL_CONFIG_DIR/instances.
LOCAL_CONFIG_DIR /u02/oracle/config The local or NFS-mounted configuration directory unique to a given host, containing the machine-specific domain directory (MSERVER_HOME).
OHS_DOMAIN_HOME /u02/oracle/config/domains/domain_name The domain home for the standalone Oracle HTTP Server domain, which is created when you install Oracle HTTP Server on the local disk of each web tier host.
IDSTORE_HOST idstore.example.com The host of your Identity Store directory. When preparing the Identity Store, this should point to one of the LDAP instances. When configuring components such as OAM or OIG, it should point to the load balancer entry point.
IDSTORE_PORT 1636 The port of your Identity Store directory. When preparing the Identity Store, this should point to one of the LDAP instances. When configuring components such as OAM or OIG, it should point to the load balancer entry point.
IDSTORE_DIRECTORYTYPE OUD The type of directory you are using. The valid value is OUD.
IDSTORE_BINDDN cn=oudadmin An administrative user in the Identity Store directory.
IDSTORE_SEARCHBASE dc=example,dc=com The location in the directory where users and groups are stored.
IDSTORE_LOGINATTRIBUTE uid The LDAP attribute that contains the user's login name.
IDSTORE_USERSEARCHBASE cn=Users,dc=example,dc=com The location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE cn=Groups,dc=example,dc=com The location in the directory where groups are stored.
IDSTORE_SYSTEMIDBASE cn=SystemIDs,dc=example,dc=com The location of a container in the directory where system users can be placed when you do not want them in the main user container.
IDSTORE_USERNAMEATTRIBUTE cn The name of the LDAP attribute that stores a user's name.
IDSTORE_ADMIN_PORT 4444 The administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.
IDSTORE_KEYSTORE_FILE /u02/oracle/config/instances/oud1/config/admin-keystore The location of the LDAP truststore for LDAP connections.
IDSTORE_KEYSTORE_PASSWORD password The password of the IDSTORE_KEYSTORE_FILE.
IDSTORE_NEW_SETUP true This parameter is used when preparing a directory for the first time.
IDSTORE_OAMADMINUSER oamadmin The name of the user you want to administer OAM.
IDSTORE_OAMSOFTWAREUSER oamLDAP The name of the user that gets created in LDAP and that OAM uses at runtime to connect to the LDAP server.
OAM_IDSTORE_ROLE_SECURITY_ADMIN OAMAdministrators The name of the group that is used to allow access to the OAM Console. Only users assigned to this group will be able to access the OAM Console.
OAM_SERVER_LOGIN_ATTRIBUTE uid The name of the LDAP attribute where user IDs are stored. This should be the same as IDSTORE_LOGINATTRIBUTE.
IDSTORE_WLSADMINUSER weblogic_iam The username to be created for logging in to the WebLogic domain once it is enabled for Single Sign-On.
IDSTORE_WLSADMINGROUP WLSAdministrators The name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong.
ORACLE_HOME (as instructed) The Oracle Home value to set when instructed below.

Setting Environment Variables

To help you navigate this guide and copy the sample commands without modification, set the following environment variables, replacing the values with those appropriate to your environment.

export DIR_ORACLE_HOME=/u02/oracle/products/oud
export ORACLE_HOME=/u02/oracle/products/oud
export ORACLE_COMMON_HOME=$ORACLE_HOME/oracle_common
export JAVA_HOME=/u02/oracle/products/jdk
export PATH=$JAVA_HOME/bin:$PATH
export LDAPCONFIG=$ORACLE_HOME/idmtools
export OUD_ORACLE_INSTANCE=/u02/oracle/config/instances/oud1
export LDAP_BASE_DN=dc=example,dc=com
export LDAPHOST1=ldaphost1.example.com
export LDAPHOST2=ldaphost2.example.com
export LOCAL_CONFIG_DIR=/u02/oracle/config

Installing a Supported JDK

Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.

Locating and Downloading the JDK Software

To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:

https://www.oracle.com/java/technologies/downloads/

Be sure to navigate to the download for the Java SE JDK.

Installing the JDK Software

Oracle Fusion Middleware requires you to install a certified Java Development Kit (JDK) on your system.

For more information about the recommended location for the JDK software, see Understanding the Recommended Directory Structure for an Enterprise Deployment.

To install JDK 21.0:
  1. Change directory to the location where you downloaded the JDK archive file.
    cd download_dir
  2. Unpack the archive into the JDK home directory, and then run the following commands:
    tar -xzvf jdk-21.0.4+8_linux-x64_bin.tar.gz
    Note that the JDK version listed here was accurate at the time this document was published. For the latest supported JDK, see the Oracle Fusion Middleware System Requirements and Specifications for the current Oracle Fusion Middleware release.
  3. Move the JDK directory to the recommended location in the directory structure.
    For example:
    ln -s jdk-21.0.4 /u02/oracle/products/jdk
  4. Run the following command to verify that the appropriate java executable is in the path and your environment variables are set correctly:
    java -version
    The Java version in the output should be displayed as “21.0.4”.

Installing Oracle Unified Directory

You can install Oracle Unified Directory by using an interactive graphical wizard provided by the Oracle Universal Installer.

Starting the Oracle Unified Directory Installer

To start the installation program:

  1. Log in to LDAPHOST1.
  2. Go to the directory in which you downloaded the installer.
  3. Run the following Java command to launch the installation wizard:
    $JAVA_HOME/bin/java -jar fmw_14.1.2.1.0_oud.jar
    Replace the JDK location in the above command with the actual JDK location on your system. For information about downloading the software and locating the actual installer file name for your product, see Identifying and Obtaining Software Distributions for an Enterprise Deployment.

Navigating the Oracle Unified Directory Installation Screens

The following table describes how to use the installer screens to install Oracle Unified Directory.

Screen Description

Welcome

This screen introduces you to the product installer.

Click Next.

Auto Updates

Select whether or not you want to receive automatic updates for this product.

Installation Location

For the purposes of this enterprise deployment, enter the value of the DIR_ORACLE_HOME variable listed in Table 8-2.

Note that run-time processes cannot write to this directory.

Installation Type

Use this screen to select the type of installation and as a consequence, the products and feature sets you want to install.

If you plan to manage OUD through WebLogic server or OUDSM, select Collocated Oracle Unified Directory Server (Managed through WebLogic server).

Note:

If you select Collocated mode, you must also install Oracle Fusion Middleware Infrastructure.

See Installing the Oracle Fusion Middleware Infrastructure.

If you plan to manage OUD independently of WebLogic server, select Standalone Oracle Unified Directory Server (Managed independently of WebLogic server).

Click Next.

Prerequisite Checks

The installer analyzes the host computer to ensure that the prerequisites are fulfilled. The results of the prerequisite checks are displayed on this screen.

If a prerequisite check fails, an error or warning message is displayed.
  • Fix the error and click Rerun.

  • To ignore the error or warning and continue with the installation, click Skip.

  • To stop the prerequisite checking process, click Stop.

Click Next to continue.

Installation Summary

This screen displays the Oracle home directory that you specified earlier. It also indicates the amount of disk space that will be used for the installation and the free space available.

Review information on this screen.

To save the settings specified so far in the installation wizard in a text file (called a response file), click Save. If necessary, you can use the response file to perform the same installation from the command line.

Click Install to begin the installation.

For more information about silent or command line installation, see "Using the Oracle Universal Installer in Silent Mode" in Installing Software with the Oracle Universal Installer.

Installation Progress

This screen shows the progress and status of the installation process.

If you want to cancel the installation, click Cancel. The files that were copied to your system before you canceled the installation will remain on the system; you should remove them manually.

Click Next to continue.

Installation Complete

Click Finish.

Installing the Stack Bundle Patch

After installing the software binaries you must download and apply the July 2025 Stack Bundle Patch or later. For more details, see Identifying and Obtaining Software Distributions for an Enterprise Deployment.

To apply the patch run the following commands:
  1. After downloading the patch, unzip it to your preferred location. For example:
    unzip p38184742_141210_Linux-x86-64.zip

    This location will be known as $PATCH_DIR.

  2. Navigate to the $PATCH_DIR:
    cd $PATCH_DIR/tools/spbat/generic/SPBAT/
  3. Apply the patch using the command:
    ./spbat.sh -type oud -phase downtime -mw_home $DIR_ORACLE_HOME -spb_download_dir $PATCH_DIR

Installing the Software on Other Host Computers

If you have configured a separate shared storage volume or partition for LDAPHOST2, then you must also install the software on LDAPHOST2. For more information, see Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

Note that the location where you install the Oracle home (which contains the software binaries) varies, depending upon the host. To identify the proper location for your Oracle home directories, refer to the guidelines in File System and Directory Variables Used in This Guide.

You must install the Stack Bundle Patch and any other mandatory patches outlined in Identifying and Obtaining Software Distributions for an Enterprise Deployment.

Verifying the Installation

After you complete the installation, you must verify it.

Perform the following tasks:

Reviewing the Installation Log Files

Review the contents of the installation log files to make sure that no problems were encountered. For a description of the log files and where to find them, see Understanding Installation Log Files in Installing Software with the Oracle Universal Installer.

Checking the Directory Structure

After you install the Oracle Unified Directory and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options you selected during the installation.

To check the directory structure:

  1. Navigate to the $DIR_ORACLE_HOME:
    cd $DIR_ORACLE_HOME
  2. Enter the following command:
    ls --format=single-column
    If you installed using the collocated method, the directory structure on your system must match the structure shown in the following example:
    addons
    bat
    bin
    common
    config
    lib
    libForUpgrade
    oud-proxy-setup
    oud-proxy-setup.bat
    oud-replication-gateway-setup
    oud-replication-gateway-setup.bat
    oud-setup
    oud-setup.bat
    plugins
    snmp
    winlib
    If you installed using the standalone method, then the directory structure should match the structure shown below:
    cfgtoollogs
    inventory
    OPatch
    oracle_common
    oraInst.loc
    oud
    oui
    wlserver
    See What are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Viewing the Contents of Your Oracle Home

You can also view the contents of your Oracle home by using the viewInventory script. See Viewing the contents of an Oracle home in Installing Software with the Oracle Universal Installer.

Configuring the Oracle Unified Directory Instances

Follow these steps to configure Oracle Unified Directory (OUD) components in the directory tier on LDAPHOST1 and LDAPHOST2. During the configuration you will also configure Oracle Unified Directory replication servers.

The following two options are available when you install Oracle Unified Directory:

  • Standalone mode: Choose this option if you wish to manage OUD via command line tools.

  • Co-located mode: Choose this option to associate Oracle Unified directory with a domain. If you choose to associate it with a domain, you have the option to manage OUD using Oracle Unified Directory Service Manager. If you wish to use OUDSM in the same domain as OUD, then you must select co-located mode.

This section contains the following topics:

Configuring Oracle Unified Directory on LDAPHOST1

Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer by issuing the following command for each port. If a port is not in use, no output is returned from the command.

netstat -an | grep "1389"

If a port is in use (that is, if the command returns output identifying it), you must free the port.

Remove the entries for ports 1389, 1636, 4444, and 8989 in the /etc/services file and restart the services or restart the computer.
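The grep above (and the identical check for LDAPHOST2 later in this chapter) matches any line containing the digits, so a listener on 11389 or the remote end of an outbound connection to port 1389 also counts as a hit. The following script, added here as an example and not part of the original guide, parses the netstat output and reports only the OUD ports that are actually bound on the local host; the netstat listing it carries is constructed, not captured.

```python
"""Check that the ports an OUD instance needs are free by parsing `netstat -an`.
The page's `netstat -an | grep "1389"` matches any line containing the digits,
so 11389, 13890 and the remote end of an outbound connection all count as hits;
this version compares the local port column exactly and reports only ports that
are actually bound on this host."""
import re
import subprocess

# LDAP_PORT, LDAP_SSL_PORT, LDAP_ADMIN_PORT, OUD_REPLICATION_PORT from Table 12-1
OUD_PORTS = (1389, 1636, 4444, 8989)

# tcp/udp rows of `netstat -an`: proto, recv-q, send-q, local, foreign, [state]
_ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def local_port(line):
    """Local port of one netstat row, or None for headers and unix sockets."""
    m = _ROW.match(line)
    if not m:
        return None
    _host, sep, port = m.group(2).rpartition(":")   # handles "0.0.0.0:4444" and ":::4444"
    return int(port) if sep and port.isdigit() else None

def ports_in_use(listing, ports=OUD_PORTS):
    """Sorted subset of `ports` that appear as a local port in the listing."""
    wanted = set(ports)
    return sorted({p for p in map(local_port, listing.splitlines()) if p in wanted})

def naive_grep_hits(listing, port):
    """What the page's grep would return: every line containing the digits."""
    return [line for line in listing.splitlines() if str(port) in line]

def check_live(ports=OUD_PORTS):
    """Run netstat on this Linux host and return the OUD ports already bound."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    return ports_in_use(out, ports)

# Constructed sample, not captured from a real host: only 22, 161 and 4444 are bound.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11389           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:52100          10.0.0.9:1389           ESTABLISHED
tcp6       0      0 :::4444                 :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

if __name__ == "__main__":
    print("naive grep hits for 1389:", len(naive_grep_hits(SAMPLE, 1389)))  # 2, both false positives
    print("OUD ports bound locally:", ports_in_use(SAMPLE))                  # [4444]
```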

Change directory to the following:

cd $DIR_ORACLE_HOME/oud

Configuring OUD Using the GUI

Set the environment variable INSTANCE_NAME as follows:

export INSTANCE_NAME=../../../../u02/oracle/config/instances/oud1

Note:

The tool creates the instance home relative to the $DIR_ORACLE_HOME, so you must include previous directories to get the instance created in $LOCAL_CONFIG_DIR/instances.

Start the Oracle Unified Directory configuration assistant by executing the command:

./oud-setup

The following table describes how to use the configuration assistant screens to configure Oracle Unified Directory.

Screen Description

Welcome

This screen introduces you to the product configuration assistant.

Click Next.

Server Administration Settings

Enter the following details of the server:

  • Instance Path: Enter the location of the OUD configuration files ($OUD_INSTANCE_HOME).

  • Host Name: Enter the name of the host where Oracle Unified Directory is running. For example: ldaphost1.example.com.

  • Administration Port(s): The value of this field determines how you are going to administer OUD. The options are:
    • Enable Administration only by LDAP: Enter the LDAP port that will be used for administration traffic.

      The default LDAP administration port is 4444.

    • Enable Administration by LDAP and HTTP: Enter the LDAP and HTTP ports that will be used for administration traffic.

      The default administration ports are 4444 for LDAP and 8444 for HTTP.

    • Enable Administration by HTTP: Enter the HTTP port that will be used for administration traffic.

      The default HTTP administration port is 8444.

  • LDAP Port: Enter the port that you wish to use for administering OUD via LDAP.

  • HTTP Port: Enter the port that you wish to use for administering OUD via HTTP. For example, 8444 (OUD_ADMIN_PORT).

  • Root User DN: Enter an administrative user. For example, cn=oudadmin.

  • Password: Enter the password you wish to assign to the oudadmin user.

  • Password (Confirm): Repeat the password.

Click Next.

Ports

Enter the following details:

LDAP

  • Enable: Select if you wish to enable non-SSL communications with OUD.

  • on Port: Select the Port you wish to use (LDAP_PORT).

  • Enable Start TLS for LDAP: Select Enable StartTLS for LDAP to specify that the LDAP connection handler should allow clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure connection.

LDAPS

  • Enable: Select if you wish to enable SSL communications with OUD.

  • on Port: Select the Port you wish to use (LDAP_SSL_PORT).

    If you select this option, you must provide the SSL certificate information below.

Certificate

You can use an existing certificate or generate a self-signed certificate. Self-signed certificates are not recommended for production deployments.

  • Generate self-signed certificate: Select this if you wish OUD to generate its own certificate.

  • Use an existing certificate: Select this if you are using an existing certificate.

    Select the type of certificate, the location of the Keystore, and the Keystore pin.

Topology Options

Enter the following details:

  • This server will be part of a replication topology: Select this.

  • Replication Port: Enter the replication port. For example: 8989 (OUD_REPLICATION_PORT).

  • Configure As Secure: Select this if you wish the replication traffic to be encrypted.

  • There is already a server in the topology: Leave this unselected.

Click Next.

Directory Data

Enter the following details:

  • Directory Base DN: dc=example,dc=com

  • Directory Data: Only create base entry.

Click Next.

Oracle Components Integration

If you are planning to use the directory for integrating with other directories, select Enable for DIP.

If you are planning on using the directory for E-Business Suite or for Oracle database name resolution, select Enable for EBS (E-Business Suite), Database Net Services and DIP.

If you are planning to use the directory for Enterprise User Security, select Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP.

Click Next.

Server Tuning

You have the option of allocating specific resources to the OUD instance. You can choose to accept the default or change the resource allocations based on your deployment. If this server is used only for OUD, as in a distributed deployment, then be sure to check the box Dedicated Machine for OUD.

Click Next.

Review

Verify that the information displayed is correct. If you wish the OUD server to be started after configuration, ensure that you select the option Start the server.

Finished

Click Close.

Configuring OUD Using the CLI

You can also configure Oracle Unified Directory using the CLI. To do so, run the following commands:

export INSTANCE=/u02/oracle/config/instances
$ORACLE_HOME/oud/oud-setup \
        --cli \
        --no-prompt \
        --noPropertiesFile \
        -I /u02/oracle/config/instances/oud1 \
        -h $LDAPHOST1 \
        -D cn=oudadmin \
        -j /home/oracle/oud.pwd \
        --usePkcs12keyStore /u02/oracle/config/keystores/idmcerts.p12 \
        --keyStorePasswordFile /u02/oracle/config/keystores/oud.pin \
        --keyPasswordFile /u02/oracle/config/keystores/oud.pin \
        --certNickname idmcerts \
        --ldapPort disabled \
        --adminConnectorPort 4444 \
        --ldapsPort 1636 \
        --baseDN $LDAP_BASE_DN \
        --addBaseEntry \
        --serverTuning systemMemory:75% \
        --offlineToolsTuning jvm-default \
        --doNotStart
/u02/oracle/config/instances/oud1/bin/start-ds
dsconfig -D "cn=oudadmin" -j /u02/oracle/config/keystores/oud.pin -X -n set-trust-manager-provider-prop --provider-name=pkcs12 --set trust-store-file:/u02/oracle/config/keystores/idmTrustStore.p12 --set trust-store-pin:Manager1 --set enabled:true
dsconfig -D "cn=oudadmin" -j /u02/oracle/config/keystores/oud.pin -X -n set-trust-manager-provider-prop --provider-name=jks --set enabled:false
XX=$(/u02/oracle/config/instances/oud1/bin/dsconfig -h ldaphost1 -p 4444 -D cn=oudadmin -j ~/oud.pwd -X -n get-key-manager-provider-prop --provider-name Administration --property key-store-pin --showKeystorePassword | grep "store-pin" | cut -f2 -d:)

Validating Oracle Unified Directory on LDAPHOST1

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search using the following command:

cd $OUD_ORACLE_INSTANCE/bin
./ldapsearch -h LDAPHOST1.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you will see a list of supportedControl entries returned.

If you have enabled SSL on the directory, you can test it using the command:

cd $OUD_ORACLE_INSTANCE/bin
./ldapsearch -h LDAPHOST1.example.com -p 1636 --useSSL -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

Configuring Oracle Unified Directory Instance on LDAPHOST2

Ensure that ports 1389, 1636, 4444, and 8989 are not in use by any service on the computer by issuing the following command for each port. If a port is not in use, no output is returned from the command.

netstat -an | grep "1389"

If a port is in use (that is, if the command returns output identifying it), you must free the port.

Remove the entries for ports 1389, 1636, 4444, and 8989 in the /etc/services file and restart the services or restart the computer.

Navigate to the $DIR_ORACLE_HOME/oud directory:
cd $DIR_ORACLE_HOME/oud

Set the environment variable INSTANCE_NAME to the path of the oud2 instance home. For example:

export INSTANCE_NAME=../../../../u02/oracle/config/instances/oud2

Note the tool creates the instance home relative to the $DIR_ORACLE_HOME, so you must include previous directories to get the instance created in $LOCAL_CONFIG_DIR/instances.

Start the Oracle Unified Directory configuration assistant by executing the command:

./oud-setup

The following table describes how to use the configuration assistant screens to configure Oracle Unified Directory.

Screen Description

Welcome

This screen introduces you to the product configuration assistant.

Click Next.

Server Administration Settings

Enter the following details of the server:

  • Instance Path: Enter the location of the OUD configuration files ($OUD_INSTANCE_HOME).

  • Host Name: Enter the name of the host where Oracle Unified Directory is running. For example: ldaphost2.example.com.

  • Administration Port(s): The value of this field determines how you are going to administer OUD. The options are:
    • Enable Administration only by LDAP: Enter the LDAP port that will be used for administration traffic.

    • Enable Administration by LDAP and HTTP: Enter the LDAP and HTTP ports that will be used for administration traffic.

    • Enable Administration by HTTP: Enter the HTTP port that will be used for administration traffic.

  • LDAP Port: Enter the port that you wish to use for administering OUD via LDAP.

  • HTTP Port: Enter the port that you wish to use for administering OUD via HTTP. For example, 8444 (LDAP_ADMIN_PORT).

  • Root User DN: Enter an administrative user. For example, cn=oudadmin.

  • Password: Enter the password you wish to assign to the oudadmin user.

  • Password (Confirm): Repeat the password.

Click Next.

Ports

Enter the following details:

LDAP

  • Enable: Select if you wish to enable non-SSL communications with OUD.

  • on Port: Select the Port you wish to use (LDAP_PORT).

  • Enable Start TLS for LDAP: Select Enable StartTLS for LDAP to specify that the LDAP connection handler should allow clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure connection.

LDAPS

  • Enable: Select if you wish to enable SSL communications with OUD.

  • on Port: Select the Port you wish to use (LDAP_SSL_PORT).

    If you select this option, you must provide the SSL certificate information below.

Certificate

You can use an existing certificate or generate a self-signed certificate. Self-signed certificates are not recommended for production deployments.

  • Generate self-signed certificate: Select this if you wish OUD to generate its own certificate.

  • Use an existing certificate: Select this if you are using an existing certificate.

    Select the type of certificate, the location of the Keystore, and the Keystore pin.

Topology Options

Enter the following details:

  • This server will be part of a replication topology: Select this.

  • Replication Port: Enter the replication port. For example: 8989 (OUD_REPLICATION_PORT).

  • Configure As Secure: Select this if you wish the replication traffic to be encrypted.

  • There is already a server in the topology: Select this and enter the following:

    • Host Name: Name of the existing Oracle Unified Directory server host. For example, ldaphost1.example.com.

    • Administrator Connector Port: 4444 (LDAP_ADMIN_PORT).

    • Admin User: Name of the Oracle Unified Directory admin user on ldaphost1.example.com. For example, cn=oudadmin.

    • Admin Password: Administrator password.

Click Next.

If you see a Certificate Not Trusted dialog, it is because you are using self-signed certificates. Click Accept Permanently.

For more information, see Setting Up Replication During Installation.

Create Global Administrator

Enter the following details:

  • Global Administrator ID: Enter the name of an account you want to use for managing Oracle Unified Directory replication. For example: oudmanager.

  • Global Administrator Password / Confirmation: Enter a password for this account.

Click Next.

Data Replication

Select dc=example,dc=com.

Click Next.

Oracle Components Integration

If you selected any products to integrate with, when you configured LDAPHOST1, then select the same option here.

Click Next.

Server Tuning

You have the option of allocating specific resources to the OUD instance. You can choose to accept the default or change the resource allocations based on your deployment. If this server is used only for OUD, as in a distributed deployment, then be sure to check the box Dedicated Machine for OUD.

Click Next.

Review

Verify that the information displayed is correct. If you wish the OUD server to be started after configuration, ensure that you select the option Start the server.

Finished

Click Close.

Validating Oracle Unified Directory on LDAPHOST2

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search. To do this, issue the following commands:

export OUD_ORACLE_INSTANCE=/u02/oracle/config/instances/oud2
cd $OUD_ORACLE_INSTANCE/bin
./ldapsearch -h ldaphost2.example.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you see a list of supportedControl entries returned.

If you have enabled SSL on the directory, you can test it using the command:

export OUD_ORACLE_INSTANCE=/u02/oracle/config/instances/oud2
cd $OUD_ORACLE_INSTANCE/bin
./ldapsearch -h ldaphost2.example.com -p 1636 --useSSL -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

To check that Oracle Unified Directory replication is enabled, issue the command:

cd $OUD_ORACLE_INSTANCE/bin
./status

You are prompted for the Administrator bind DN (cn=oudadmin) and its password.

You then see output similar to the following example. Replication is shown as Enabled for the user base DN.

--- Server Status ---
Server Run Status: Started
Open Connections: 2
--- Server Details ---
Host Name: ldaphost1
Administrative Users: cn=oudadmin
Installation Path: /u02/oracle/products/oud/oud
Instance Path: /u02/oracle/config/instances/oud1
Version: Oracle Unified Directory 14.1.2.1.241204
Java Version: 21.0.4
Administration Connector: Port 4444 (LDAPS)
--- Connection Handlers ---
Address:Port : Protocol : State
-------------:----------------------:---------
-- : LDIF : Disabled
8989 : Replication (secure) : Enabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:389 : LDAP : Disabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled
--- Data Sources ---
Base DN: cn=virtual acis
Backend ID: virtualAcis
Entries: 0
Replication: Disabled
Base DN: dc=edg,dc=com
Backend ID: userRoot
Entries: 37
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>
Subject:
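A small health check, added here as an example and not part of the original guide, that parses this status output and flags the points a hardened, replicated instance should meet: started, plain LDAP disabled, LDAPS enabled, replication on the secure handler, and no missing changes for the user base DN. The checks are this example's own; the embedded output is a constructed copy of the example above.

```python
"""Parse the output of the OUD `status` command shown above and check what a
replicated deployment needs: server started, plain LDAP disabled, LDAPS enabled,
replication on the secure handler, and the user base DN replicating with no
missing changes. SAMPLE is a constructed copy of the page's example output."""
import re

_SECTION = re.compile(r"^--- (.+) ---$")

def parse_status(text):
    """Return {'server': {key: value}, 'handlers': [...], 'sources': [...]}."""
    server, handlers, sources, section, current = {}, [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Connection Handlers":
            # Rows look like "0.0.0.0:1636 : LDAPS : Enabled"; header and rule lines do not.
            parts = [p.strip() for p in line.split(" : ")]
            if len(parts) == 3 and parts[2] in ("Enabled", "Disabled"):
                handlers.append({"address": parts[0], "protocol": parts[1], "state": parts[2]})
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if section == "Data Sources":
            if key == "Base DN":            # each "Base DN" line opens a new backend block
                current = {"base_dn": val}
                sources.append(current)
            elif current is not None:
                current[key] = val
        else:
            server[key] = val
    return {"server": server, "handlers": handlers, "sources": sources}

def replication_findings(status, base_dn):
    """Human-readable findings; an empty list means healthy and hardened."""
    findings = []
    if status["server"].get("Server Run Status") != "Started":
        findings.append("server is not started")
    state = {h["protocol"]: h["state"] for h in status["handlers"]}
    if state.get("LDAP") == "Enabled":
        findings.append("plain LDAP handler is enabled (cleartext binds possible)")
    if state.get("LDAPS") != "Enabled":
        findings.append("LDAPS handler is not enabled")
    if state.get("Replication (secure)") != "Enabled":
        findings.append("secure replication handler is not enabled")
    src = next((s for s in status["sources"] if s["base_dn"].lower() == base_dn.lower()), None)
    if src is None:
        findings.append(f"base DN {base_dn} not found in data sources")
    else:
        if src.get("Replication") != "Enabled":
            findings.append(f"replication is not enabled for {base_dn}")
        if src.get("Missing Changes", "0") != "0":
            findings.append(f"{src['Missing Changes']} missing changes pending for {base_dn}")
    return findings

SAMPLE = """\
--- Server Status ---
Server Run Status: Started
Open Connections: 2
--- Server Details ---
Host Name: ldaphost1
Administrative Users: cn=oudadmin
Installation Path: /u02/oracle/products/oud/oud
Instance Path: /u02/oracle/config/instances/oud1
Version: Oracle Unified Directory 14.1.2.1.241204
Java Version: 21.0.4
Administration Connector: Port 4444 (LDAPS)
--- Connection Handlers ---
Address:Port : Protocol : State
-------------:----------------------:---------
-- : LDIF : Disabled
8989 : Replication (secure) : Enabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:389 : LDAP : Disabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled
--- Data Sources ---
Base DN: cn=virtual acis
Backend ID: virtualAcis
Entries: 0
Replication: Disabled
Base DN: dc=edg,dc=com
Backend ID: userRoot
Entries: 37
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>
"""
```

To run it against a live instance, pipe the output of $OUD_ORACLE_INSTANCE/bin/status into parse_status and call replication_findings with your base DN.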

Preparing an Existing LDAP Directory

Before you can use an LDAP directory with Oracle Identity and Access Management, it must be extended with object classes required by Oracle Access Manager.

In addition, certain users and groups need to be seeded into the directory. These users and groups will be used by the various Oracle Identity and Access Management products as described later.

The preparation of LDAP is performed using a tool called ldapConfigTool, which is included in Patch 38047590. See Identifying and Obtaining Software Distributions for an Enterprise Deployment.

This section includes the following topics:

About the Enterprise Deployment Users and Groups

The following topics provide important information on the purpose and characteristics of the enterprise deployment administration users and groups.

About Using Unique Administration Users for Each Domain

When you use a central LDAP user store, you can provision users and groups for use with multiple Oracle WebLogic Server domains. As a result, there is a possibility that one WebLogic administration user can have access to all the domains within an enterprise.

It is a best practice to create and assign a unique distinguished name (DN) within the directory tree for the users and groups that you provision for the administration of your Oracle Fusion Middleware domains.

For example, create two users called oamLDAP and oimLDAP, which are used to connect the WebLogic domain to LDAP. This allows the domain to see the users and groups which exist in the directory. You can create a different user for each domain or use a single user for multiple domains. Under no circumstances should the default LDAP administration user be used for this purpose. You must create these users in the systemids container. This container is used for system users that are not normally visible to users. Placing the user into the systemids container ensures that customers who have Oracle Identity Governance do not reconcile this user.

Using a different user for Oracle Access Management (OAM) and Oracle Identity Governance (OIG) LDAP connections ensures that the user that OAM uses to connect to LDAP has a restricted privilege set.

Create a user called weblogic_iam and an administration group called WLSAdministrators. Users in the WLSAdministrators group will be allowed to access Oracle Fusion Middleware Control and the WebLogic Remote Console.

Create a user called oamadmin and an administration group called OAMAdministrators. Users in the OAMAdministrators group are allowed to access the Oracle Access Policy Manager and Oracle Access Manager Console.

Creating a Configuration File

Create a property file, iam.props, to use when preparing the Identity Store and as a basis for later integration and configuration processes. The file has the structure described in this section. When creating the file, do not include any blank lines.

The property files in this section are complete examples. Some of the parameters specified in the file will not be used until later configuration steps in the guide. It is only necessary to include the properties for the products you are going to use.

This section includes the following topics:

Oracle Unified Directory Example
The following is an example configuration file for Oracle Unified Directory. For an explanation of the parameters, see Explanation of Property Values:
# Common
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1636
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: /u02/oracle/config/keystores/idmcerts.p12
IDSTORE_ADMIN_KEYSTORE_FILE: /u02/oracle/config/instances/oud1/config/admin-keystore
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIG
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
# OIG
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators
LOG_LEVEL: ALL

Note:

You can also specify the passwords directly in the file, if required. If you do not specify the passwords, you will be prompted for them at runtime. The parameters are:
  • IDSTORE_KEYSTORE_PASSWORD
  • IDSTORE_ADMIN_KEYSTORE_PASSWORD
  • IDSTORE_PASSWD
  • IDSTORE_OAMADMINUSER_PWD
  • IDSTORE_OAMSOFTWAREUSER_PWD
  • WLSPASSWD
  • OAM_IDM_DOMAIN_WEBGATE_PASSWD

Explanation of Property Values

The following table explains the configuration file property values required in this section.

LDAP Properties

Table 12-2 LDAP Variables Used in This Chapter

Variable Sample Value Description
IDSTORE_HOST idstore.example.com The host of your Identity Store directory. When preparing the Identity Store, this should point to one of the LDAP instances. When configuring components such as OAM or OIG, it should point to the load balancer entry point.
IDSTORE_PORT 1636 The port of your Identity Store directory. When preparing the Identity Store, this should point to one of the LDAP instances. When configuring components such as OAM or OIG, it should point to the load balancer entry point.
IDSTORE_DIRECTORYTYPE OUD The type of directory you are using. The only valid value is OUD.
IDSTORE_BINDDN cn=oudadmin An administrative user in the Identity Store directory.
IDSTORE_PASSWD password The password of IDSTORE_BINDDN. You will be prompted for the value if it is not supplied.
IDSTORE_SEARCHBASE dc=example,dc=com The location in the directory where users and groups are stored.
IDSTORE_LOGINATTRIBUTE uid The LDAP attribute that contains the user's login name.
IDSTORE_USERSEARCHBASE cn=Users,dc=example,dc=com The location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE cn=Groups,dc=example,dc=com The location in the directory where groups are stored.
IDSTORE_SYSTEMIDBASE cn=SystemIDs,dc=example,dc=com The location of a container in the directory where system users can be placed when you do not want them in the main user container.
IDSTORE_USERNAMEATTRIBUTE cn The name of the LDAP attribute that stores a user's name.
IDSTORE_KEYSTORE_FILE /u02/oracle/config/keystores/idmcerts.p12 The location of the LDAP truststore for LDAP connections.
IDSTORE_KEYSTORE_PASSWORD password The password of the IDSTORE_KEYSTORE_FILE.

OUD Properties

Table 12-3 OUD Variables Used in This Chapter

Variable Sample Value Description
IDSTORE_ADMIN_PORT 4444 The administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.
IDSTORE_ADMIN_KEYSTORE_FILE /u02/oracle/config/instances/oud1/config/admin-keystore The location of the Oracle Unified Directory keystore file. It is used to enable communication with Oracle Unified Directory over the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_INSTANCE_HOME/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter.
IDSTORE_ADMIN_KEYSTORE_PASSWORD password The encrypted password of the Oracle Unified Directory keystore. To obtain the password of the administration truststore, issue the command:

$OUD_INSTANCE_HOME/oud1/bin/dsconfig -h ldaphost1.example.com -p 4444 -D cn=oudadmin -j ~/oud.pwd -X -n get-key-manager-provider-prop --provider-name Administration --property key-store-pin --showKeystorePassword

Where oud.pwd is a file that contains your administrator password.

IDSTORE_NEW_SETUP true This parameter is used when preparing a directory for the first time.

OAM Properties

Table 12-4 OAM Variables Used in This Chapter

Variable Sample Value Description
IDSTORE_OAMSOFTWAREUSER oamLDAP A user that is created in LDAP and is used by Access Manager, while it is running, to connect to the LDAP server.
IDSTORE_PWD_OAMSOFTWAREUSER password The password you want to assign to the IDSTORE_OAMSOFTWAREUSER. If not supplied, you will be prompted for it.
OAM_IDSTORE_ROLE_SECURITY_ADMIN OAMAdministrators The name of the group that is used to allow access to the OAM Console. Only users assigned to this group will be able to access the OAM Console.
OAM_SERVER_LOGIN_ATTRIBUTE uid The name of the LDAP attribute where user IDs are stored. This should be the same as IDSTORE_LOGINATTRIBUTE.
OAM_IDM_DOMAIN_WEBGATE_PASSWD password The password you want to assign to the WebGate.

OIG Properties

Table 12-5 OIG Variables Used in This Chapter

Variable Sample Value Description
IDSTORE_OIMADMINGROUP OIMAdministrators The name of the group you want to create to hold your Oracle Identity Governance administrative users.
IDSTORE_OIMADMINUSER oimLDAP The user that Oracle Identity Governance uses to connect to the Identity Store.
IDSTORE_PWD_OIMADMINUSER password The password of IDSTORE_OIMADMINUSER. If there is no value, you will be prompted for it.

WebLogic Properties

Table 12-6 WebLogic Variables Used in This Chapter

Variable Sample Value Description
IDSTORE_WLSADMINUSER weblogic_iam The user name to be created for logging in to the WebLogic domain once single sign-on is enabled for it.
WLSPASSWD password The password you want to assign to the IDSTORE_WLSADMINUSER. If not supplied, you will be prompted for this value.
IDSTORE_WLSADMINGROUP WLSAdministrators The name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Remote Console and EM, belong.
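The following shell script is an added example, not part of the Oracle tooling or of this guide. It checks an iam.props file for the mistakes this section warns about (blank lines, properties missing for the mode you intend to run, a directory type other than OUD) and, because the note above allows passwords to be stored in the file, it insists on owner-only file permissions whenever any password key carries a value. The required-key lists per mode are an assumption taken from the comment groups of the sample file; write_sample_props writes a trimmed, constructed copy of that sample so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not Oracle code: sanity-check iam.props before ldapConfigTool
# runs. The required-key lists are an assumption taken from the "# Common",
# "# WebLogic", "# OAM" and "# OIG" groups of the sample file in this section.
COMMON_KEYS="IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN IDSTORE_SEARCHBASE
IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE IDSTORE_LOGINATTRIBUTE
IDSTORE_USERNAMEATTRIBUTE IDSTORE_KEYSTORE_FILE IDSTORE_DIRECTORYTYPE"
WLS_KEYS="IDSTORE_WLSADMINUSER IDSTORE_WLSADMINGROUP"
OAM_KEYS="IDSTORE_OAMADMINUSER IDSTORE_OAMSOFTWAREUSER
OAM_IDSTORE_ROLE_SECURITY_ADMIN OAM_SERVER_LOGIN_ATTRIBUTE IDSTORE_SYSTEMIDBASE"
OIM_KEYS="IDSTORE_OIMADMINGROUP IDSTORE_OIMADMINUSER IDSTORE_SYSTEMIDBASE"

# prop_get FILE KEY: value of KEY (text after the first colon, leading blanks
# dropped); accepts "KEY : value" as well as "KEY: value".
prop_get() {
    awk -v k="$2" -F: '$1 ~ ("^[ \t]*" k "[ \t]*$") {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# has_blank_lines FILE: true if FILE has a blank line (the page forbids them)
has_blank_lines() { grep -q '^[[:space:]]*$' "$1"; }

# missing_keys FILE MODE: print keys required for MODE (WLS, OAM, OIM) with no value
missing_keys() {
    case "$2" in
        WLS) keys="$COMMON_KEYS $WLS_KEYS" ;;
        OAM) keys="$COMMON_KEYS $OAM_KEYS" ;;
        OIM) keys="$COMMON_KEYS $OIM_KEYS" ;;
        *)   echo "unknown mode: $2" >&2; return 2 ;;
    esac
    for k in $keys; do
        [ -n "$(prop_get "$1" "$k")" ] || echo "$k"
    done
}

# stored_passwords FILE: password keys that carry a value inside the file
stored_passwords() {
    awk -F: '$1 ~ /(PASSWD|PASSWORD|PWD)/ && $2 !~ /^[ \t]*$/ {
        gsub(/[ \t]/, "", $1); print $1 }' "$1"
}

# meets_oig_policy VALUE: the xelsysadm rule from the seeding section
# (8+ characters, an uppercase letter and a digit), reused here as a hygiene check
meets_oig_policy() {
    [ "${#1}" -ge 8 ] || return 1
    case "$1" in *[[:upper:]]*) ;; *) return 1 ;; esac
    case "$1" in *[[:digit:]]*) ;; *) return 1 ;; esac
}

# validate_props FILE MODE: report every problem; returns 0 only if none found
validate_props() {
    file=$1; mode=$2; rc=0
    if has_blank_lines "$file"; then echo "ERROR: $file contains blank lines"; rc=1; fi
    missing=$(missing_keys "$file" "$mode") || return 2
    [ -z "$missing" ] || { echo "ERROR: missing for mode $mode:" $missing; rc=1; }
    [ "$(prop_get "$file" IDSTORE_DIRECTORYTYPE)" = OUD ] ||
        { echo "ERROR: IDSTORE_DIRECTORYTYPE must be OUD"; rc=1; }
    stored=$(stored_passwords "$file")
    if [ -n "$stored" ]; then
        # Secrets on disk: insist on owner-only permissions (GNU stat, then BSD stat)
        perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
        case "$perms" in
            600|400) ;;
            *) echo "ERROR: $file stores passwords but has mode $perms; chmod 600 it"; rc=1 ;;
        esac
        for k in $stored; do
            meets_oig_policy "$(prop_get "$file" "$k")" ||
                echo "WARNING: $k does not meet the 8-char/uppercase/digit rule"
        done
    fi
    return $rc
}

# write_sample_props FILE: a trimmed copy of the page's sample (constructed test input)
write_sample_props() {
    cat > "$1" <<'EOF'
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1636
IDSTORE_KEYSTORE_FILE: /u02/oracle/config/keystores/idmcerts.p12
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_WLSADMINUSER : weblogic_iam
IDSTORE_WLSADMINGROUP : WLSAdministrators
EOF
}
```

Run validate_props iam.props OAM (or WLS, or OIM) before each ldapConfigTool invocation; a non-zero exit means the file needs attention. The permission check is the security-relevant part: a props file that holds IDSTORE_PASSWD is equivalent to the directory administrator credential and must not be group- or world-readable, which is why prompting at runtime, as the note above describes, is the safer default.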

Preparing OUD as the Identity Store

Before an Oracle LDAP directory can be used with Oracle Identity and Access Management, the directory needs to be pre-configured.

This process involves the creation of additional object classes within the directory and the seeding of users that the Oracle Identity and Access Management suite will use to connect to the directory. There are two phases to the configuration process:

  • Pre-configure: This adds the required object classes.

  • Seeding of Users.

To do this, perform the following tasks on LDAPHOST1 if you are extending Oracle Unified Directory:

Setting Environment Variables

So that the sample commands in this section can be copied without modification, set the following environment variables, replacing the values with values appropriate to your environment.

export DIR_HOME=/u02/oracle/products/oud
export ORACLE_HOME=/u02/oracle/products/oud
export JAVA_HOME=/u02/oracle/products/jdk
export PATH=$JAVA_HOME/bin:$PATH
export LDAPCONFIG=$ORACLE_HOME/idmtools

Directory Pre-Configuration

To perform the pre-configuration task, perform the following on LDAPHOST1 if you are extending Oracle Unified Directory:

  1. Configure the Identity Store using the following ldapConfigTool command.
    cd $LDAPCONFIG/bin
    ./ldapConfigTool.sh -preConfigIDStore input_file=configfile

    For example:

    ./ldapConfigTool.sh -preConfigIDStore input_file=iam.props

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. This command might take some time to complete.

    Check the log file for any errors or warnings, and correct them. The file with the name automation.log is created in the directory from where you run the tool.

Seeding Users and Groups

You must seed the Identity Store with users and groups that are required by the Identity Management components.

To seed the Identity Store, perform the following tasks on LDAPHOST1:

  1. Seed the users and groups in the Identity Store using the following ldapConfigTool command.
    cd $LDAPCONFIG/bin
    ./ldapConfigTool.sh -prepareIDStore mode=MODE input_file=configfile pwd_file=passwordfile

    The value selected for MODE determines the type of users to be created. Possible values for MODE are: OAM, OIM, and WLS.

    • In all topologies, when you enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Remote Console and Oracle Enterprise Manager Fusion Middleware Control. Type:

      ./ldapConfigTool.sh -prepareIDStore mode=WLS input_file=iam.props
      
    • If your topology includes Oracle Access Management, you must seed the Identity Store with users that are required by Oracle Access Management. Type:

      ./ldapConfigTool.sh -prepareIDStore mode=OAM input_file=iam.props
      
    • If your topology includes Oracle Identity Governance, you must seed the Identity Store with the xelsysadm user and assign it to an Oracle Identity Governance administrative group. You must also create a user outside of the standard cn=Users location to be able to perform reconciliation. This user is also the user that should be used as the bind DN when connecting to directories with Oracle Virtual Directory. Type:

      ./ldapConfigTool.sh -prepareIDStore mode=OIM input_file=iam.props
      

Note:

This command also creates a container in your Identity Store for reservations.

Note:

When entering a password for xelsysadm, ensure that it complies with the OIG password policy: it must be at least 8 characters long and contain an uppercase character and a number.

When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

After running each command, check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.
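To run the seeding modes in the order given above and stop as soon as a run's log reports a problem, the following wrapper is an added example, not Oracle's ldapConfigTool or code from this guide. It assumes LDAPCONFIG is set as in Setting Environment Variables, that automation.log is written to the directory the tool is run from (as stated above), and that the log uses java.util.logging level names, so errors appear as SEVERE records and warnings as WARNING records; the PRODUCTS argument (a comma-separated subset of oam,oig) is a convention of this script only.

```shell
#!/bin/sh
# Added example, not Oracle code: run the prepareIDStore modes in the order the
# guide lists them and fail fast on the first log that reports a problem.
# Assumptions: $LDAPCONFIG points at the idmtools directory; ldapConfigTool
# writes automation.log into $LDAPCONFIG/bin (the directory it is run from);
# log records carry java.util.logging level names (SEVERE, WARNING, INFO, ...).

# log_problems LOGFILE: print SEVERE/WARNING records; true if any were found
log_problems() {
    grep -E '(^|[[:space:]])(SEVERE|WARNING)([[:space:]:]|$)' "$1"
}

# modes_for PRODUCTS: modes to run for a topology, in the guide's order.
# PRODUCTS is a comma-separated subset of "oam,oig"; WLS is always required.
modes_for() {
    products=",$1,"
    modes="WLS"
    case "$products" in *,oam,*) modes="$modes OAM" ;; esac
    case "$products" in *,oig,*) modes="$modes OIM" ;; esac
    echo "$modes"
}

# seed_idstore PROPS PRODUCTS: run ldapConfigTool once per mode, keep each run's
# log as automation-MODE.log beside PROPS, and stop at the first problem so a
# later mode is never run on top of a half-seeded directory.
seed_idstore() {
    # the tool is started from $LDAPCONFIG/bin, so pass an absolute props path
    case "$1" in /*) props=$1 ;; *) props=$PWD/$1 ;; esac
    logdir=$(dirname "$props")
    for mode in $(modes_for "$2"); do
        ( cd "$LDAPCONFIG/bin" &&
          ./ldapConfigTool.sh -prepareIDStore mode="$mode" input_file="$props" ) ||
            { echo "ldapConfigTool exited non-zero for mode $mode" >&2; return 1; }
        cp "$LDAPCONFIG/bin/automation.log" "$logdir/automation-$mode.log"
        if log_problems "$logdir/automation-$mode.log"; then
            echo "mode $mode reported problems; fix them before continuing" >&2
            return 1
        fi
    done
}
```

Invoke it as seed_idstore iam.props oam,oig from the directory that holds iam.props; each run still prompts for the passwords that are not in the file. Keeping a per-mode copy of automation.log matters because every run writes the same file name, so without the copy the OAM run's warnings would be overwritten by the OIM run.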

Granting OUD changelog Access

If you are using Oracle Unified Directory and wish to integrate with Oracle Identity Governance, you must grant access to the changelog by performing the following steps on each OUD instance.

  1. Create a property file called oudacl.props with the following contents:
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_HOST: ldaphost1.example.com
    IDSTORE_ADMIN_PORT: 4444
    IDSTORE_ADMIN_KEYSTORE_FILE: /u02/oracle/config/instances/oud1/config/admin-keystore
    IDSTORE_ADMIN_KEYSTORE_PASSWORD: password
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_PASSWD: password

    For more information on these properties, see Explanation of Property Values.

  2. Run the ldapConfigTool to create the ACLs in the directory schema:
    cd $LDAPCONFIG/bin
    ./ldapConfigTool.sh -setupOUDacl input_file=oudacl.props log_level=FINEST

  3. Repeat the above steps for each OUD instance.

Creating Access Control Lists in Non-Oracle Directories

In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is not Oracle Unified Directory or Oracle Directory Server Enterprise Edition, you must set up the access control lists (ACLs) to provide appropriate privileges to the entities you created; this is true even if you are using Oracle Virtual Directory in front of them. This section lists the artifacts created and the privileges required for the artifacts.

  • Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.

  • Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Management Console. No LDAP schema level privileges are required, since this is just an application user.

  • Access Manager Software User. This user is added to the groups that grant read privileges on the container. It is also granted schema administration privileges.

  • Oracle Identity Governance user oigLDAP under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.

  • Oracle Identity Governance administration group. The Oracle Identity Governance user is added as its member. The Oracle Identity Governance admin group is given complete read/write privileges to all the user and group entities in the directory.

  • WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.

  • WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.

  • Reserve container. Permissions are provided to the Oracle Identity Governance admin group to perform read/write operations.