I Configuring Adapters for Identity Virtualization

This appendix describes how to configure, implement, and log messages for adapters used in identity virtualization.

This appendix includes the following sections:

  About Split Profiles
  Configuring Split Profiles
  Implementing Split Profiles
  Logging Identity Virtualization Library

About Split Profiles

A split profile is an identity whose attributes are stored in two or more sources. Identity virtualization supports split profiles and can query multiple LDAP directories in a single query, so when an application must obtain attributes for an identity from more than one source directory, it uses identity virtualization with split profiles. The adapter configuration is stored in the adapters.os_xml file, but the connection parameters, such as host, port, and credentials, are obtained from the OPSS configuration.

When configuring the LDAP connection parameters, the user.create.bases and group.create.bases properties must correspond to the primary adapter's namespace.

Configuring Split Profiles

To configure split profiles:

  1. Set the virtualize property to true to enable queries against multiple LDAP directories. For information about configuring the identity store, see Configuring the Identity Store.
  2. Use the createJoinAdapter WLST command to create a join adapter in the primary identity store:
    createJoinAdapter(adapterName="Join Adapter Name", root="Namespace", primaryAdapter="Primary adapter Name")
  3. Use the addJoinRule WLST command to add the join rule to each secondary store:
    addJoinRule(adapterName="Join Adapter Name", secondary="Secondary Adapter Name", condition="Join Condition")
  4. Use the modifyLDAPAdapter WLST command to modify adapters in all stores:
    modifyLDAPAdapter(adapterName="AuthenticatorName", attribute="Visible", value="Internal")

See also:

WebLogic Scripting Tool Command Reference for Identity and Access Management:

Implementing Split Profiles

Assume that Microsoft Active Directory is the primary authentication provider with the cn=users,dc=acme,dc=com user base, and Oracle Internet Directory is the secondary provider with the cn=users,dc=oid,dc=com user base.

To implement split profile with these two adapters:

  1. Create a join adapter on the primary authentication provider:
    createJoinAdapter(adapterName="JoinAdapter1", root="dc=acme,dc=com", primaryAdapter="AD")
  2. Add the created join adapter to the secondary authentication provider:
    addJoinRule(adapterName="JoinAdapter1", secondary="OID", condition="uid=cn")

    where uid=cn indicates that, for a given user, if the uid value in Oracle Internet Directory matches the cn value in Microsoft Active Directory, then the attributes from both directories are combined into one profile.

    The attribute on the left side of the equal sign is the attribute in the secondary adapter and the attribute on the right side is the attribute in the primary adapter.

  3. Change the visibility of all adapters:
    modifyLDAPAdapter(adapterName="OID", attribute="Visible", value="Internal")
    modifyLDAPAdapter(adapterName="AD", attribute="Visible", value="Internal")
  4. Restart Oracle WebLogic Server.
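The following Python simulation is an added illustration, not Oracle's libOVD code, of what the join rule created above does at query time: the attribute on the left of the join condition (uid) is looked up in the secondary adapter (OID) and the attribute on the right (cn) in the primary adapter (AD), and the matching entries are merged. The directory contents are constructed sample data. The page does not say how libOVD handles a join key that matches more than one secondary entry; the simulation reports such keys instead of merging them, on the assumption that attaching a second person's attributes to a profile is the failure mode an administrator most wants to notice.

```python
"""Simulation of a split-profile join between a primary and a secondary adapter.

Added example, not Oracle's libOVD implementation. Models the page's rule
addJoinRule(adapterName="JoinAdapter1", secondary="OID", condition="uid=cn").
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed sample entries for the primary adapter (Microsoft Active Directory).
PRIMARY_AD = [
    {"dn": "cn=jdoe,cn=users,dc=acme,dc=com", "cn": "jdoe", "mail": "jdoe@acme.example"},
    {"dn": "cn=asmith,cn=users,dc=acme,dc=com", "cn": "asmith", "mail": "asmith@acme.example"},
    {"dn": "cn=bwong,cn=users,dc=acme,dc=com", "cn": "bwong"},
]

# Constructed sample entries for the secondary adapter (Oracle Internet Directory).
# The two "asmith" entries deliberately share a join key to exercise the ambiguity check.
SECONDARY_OID = [
    {"dn": "cn=jdoe,cn=users,dc=oid,dc=com", "uid": "jdoe", "employeeNumber": "1001", "title": "Engineer"},
    {"dn": "cn=asmith,cn=users,dc=oid,dc=com", "uid": "asmith", "employeeNumber": "1002"},
    {"dn": "cn=asmith2,cn=users,dc=oid,dc=com", "uid": "asmith", "employeeNumber": "1003"},
]


def parse_join_condition(condition: str) -> Tuple[str, str]:
    """Split 'secondaryAttr=primaryAttr' into (secondary attribute, primary attribute)."""
    left, sep, right = condition.partition("=")
    if not sep or not left.strip() or not right.strip():
        raise ValueError(f"malformed join condition: {condition!r}")
    return left.strip(), right.strip()


def join_profiles(primary: List[dict], secondary: List[dict], condition: str) -> Tuple[List[dict], List[str]]:
    """Return (merged entries, ambiguous join keys).

    Every primary entry is returned, because the primary adapter defines the namespace
    (root="dc=acme,dc=com" in the page's example). Secondary attributes are added only when
    exactly one secondary entry matches; on an attribute name collision the primary value
    is kept, so the authentication source stays authoritative for its own attributes.
    Keys matched by several secondary entries are reported rather than merged (assumption,
    see the lead-in).
    """
    sec_attr, pri_attr = parse_join_condition(condition)

    # Index the secondary directory once by the join attribute.
    index: Dict[str, List[dict]] = {}
    for entry in secondary:
        key = entry.get(sec_attr)
        if key is not None:
            index.setdefault(key, []).append(entry)

    merged: List[dict] = []
    ambiguous: List[str] = []
    for entry in primary:
        key = entry.get(pri_attr)
        matches = index.get(key, []) if key is not None else []
        result = dict(entry)  # the virtual entry keeps the primary DN
        if len(matches) == 1:
            for attr, value in matches[0].items():
                if attr != "dn":
                    result.setdefault(attr, value)
        elif len(matches) > 1:
            ambiguous.append(key)
        merged.append(result)
    return merged, ambiguous


if __name__ == "__main__":
    entries, dupes = join_profiles(PRIMARY_AD, SECONDARY_OID, "uid=cn")
    for e in entries:
        print(e)
    print("ambiguous join keys:", dupes)
```

Running the block shows jdoe with the OID employeeNumber and title attached under the AD DN, bwong unchanged because OID has no matching uid, and asmith left unmerged with the key reported, which is the case to check for before enabling the join in production: the join attribute must be unique in the secondary store or users can end up with someone else's attributes.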

See also:

WebLogic Scripting Tool Command Reference for Identity and Access Management:

Logging Identity Virtualization Library

To enable identity virtualization library logging:

  1. Remove any previously configured identity virtualization library loggers.
  2. Create the new logger named oracle.ods.virtualization.accesslog with the NOTIFICATION level.
  3. Create a handler that specifies the file to which the logger writes all of its messages.
  4. Add auditLogPublisher to the DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml file:
          <provider name="FMWAuditLogPublisher"></provider>
          <provider name="AccessLogPublisher">
                <property name="enabled" value="true"/>
          </provider>
  5. Restart WebLogic Server.