4.2.4 Creating Users and Groups in the LDAP Store
Oracle Advanced Authentication (OAA) requires two groups to be configured
in the LDAP store used by Oracle Access Management (OAM):
- OAA-Admin-Role, which is used to authenticate administrator users who are permitted to access the Administration Console.
- OAA-App-User, which contains the list of users who are permitted to access the Self-Service Portal.
Note:
- If you are installing Oracle Universal Authenticator (OUA), each user must have the following LDAP attribute set for persistent login:
obpsftid: true
Creating Users and Groups
The following section gives an example of creating the OAA-Admin-Role group and the OAA-App-User group in an OAM enabled LDAP directory. It also creates an OAA Administration user (oaaadmin) and adds it to the OAA-Admin-Role group.
To create the users and groups:
- Create an LDIF file oaa_admin.ldif with the following contents. Each entry is separated from the next by a blank line, as LDIF requires. Replace <Password> with the administrator's password; because the file then holds that password in clear text, restrict its permissions and delete it once it has been loaded:
dn: cn=oaaadmin,cn=Users,dc=example,dc=com
changetype: add
objectClass: orclUserV2
objectClass: oblixorgperson
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: oblixPersonPwdPolicy
objectClass: orclAppIDUser
objectClass: orclUser
objectClass: orclIDXPerson
objectClass: top
objectClass: OIMPersonPwdPolicy
givenName: oaaadmin
uid: oaaadmin
orclIsEnabled: ENABLED
sn: oaaadmin
userPassword: <Password>
mail: oaaadmin@example.com
orclSAMAccountName: oaaadmin
cn: oaaadmin
obpasswordchangeflag: false
ds-pwp-password-policy-dn: cn=FAPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com

dn: cn=OAA-Admin-Role,cn=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupofuniquenames
uniqueMember: cn=oaaadmin,cn=Users,dc=example,dc=com

dn: cn=OAA-App-User,cn=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupofuniquenames
- Load the LDIF file into the directory. The following example assumes you are using Oracle Unified Directory as the LDAP store:
$ cd INSTANCE_DIR/OUD/bin
$ ./ldapmodify -h <OUD_HOSTNAME> -p 1389 -D "cn=Directory Manager" -w <password> -f oaa_admin.ldif
Passing the Directory Manager password with -w exposes it in the process list and in shell history; the OUD LDAP tools also accept -j <file> to read the bind password from a file with restricted permissions.
Adding Existing Users to the OAA User Group
The following example shows how to add existing users to the OAA-App-User group created above:
- Run the following commands in the LDAP instance. These commands create an LDIF file that adds all your existing users to the OAA-App-User group:
echo "dn: cn=OAA-App-User,cn=Groups,dc=example,dc=com" > update_group.ldif
echo "changetype: modify" >> update_group.ldif
echo "add: uniqueMember" >> update_group.ldif
ldapsearch -h <OUD_HOSTNAME> -p <OUD_PORT> -D "cn=Directory Manager" -w <password> -b cn=Users,dc=example,dc=com "cn=*" dn | grep "^dn: " | grep -v oaaadmin | grep -v "^dn: cn=Users,dc=example,dc=com$" | sed 's/^dn: /uniqueMember: /' >> update_group.ldif
The search binds as cn=Directory Manager with -D and returns only the DN of each entry under cn=Users. The sed substitution rewrites each dn line into a uniqueMember line while keeping the whole DN intact, which matters for any user whose cn contains a space (for example cn=John Doe); printing only the second whitespace-separated field would truncate such a DN.
- Edit update_group.ldif and remove any users you don't want to add to the group. The search above returns every entry under cn=Users, so check it for administrative or service accounts that live in that container and should not become OAA users.
- Load the LDIF file into the directory:
ldapmodify -h oud.example.com -p 1389 -D "cn=Directory Manager" -w <password> -f update_group.ldif
Setting LDAP Attribute obpsftid for Existing OAA Users
To enable persistent login for users in the OAA-App-User user group, each LDAP user needs to have the LDAP attribute obpsftid set to true:
- Create a modify_oaa_user.ldif which has the following contents:
dn: cn=<username>,<LDAP_USER_SEARCHBASE>
changetype: modify
replace: obpsftid
obpsftid: true
For example:
dn: cn=oaauser,cn=Users,dc=example,dc=com
changetype: modify
replace: obpsftid
obpsftid: true
- Load the LDIF file into the directory:
ldapmodify -h <OUD_HOSTNAME> -p 1389 -D "cn=Directory Manager" -w <password> -f modify_oaa_user.ldif
- This needs to be performed for each user in the OAA-App-User group. You do not need a separate file and ldapmodify run per user: LDIF allows several modify records in one file, each with the same four lines and separated from the next by a blank line, so one load can update every member. To obtain a list of members in the OAA-App-User group you can issue the following LDAP command from your LDAP instance:
ldapsearch -h "<OUD_HOSTNAME>" -p "<OUD_PORT>" -D "cn=Directory Manager" -w "<password>" -b "cn=<OAA_USER_GROUP>,<LDAP_GROUP_SEARCHBASE>" "cn=*" uniqueMember
For example:
ldapsearch -h "oud.example.com" -p 1389 -D "cn=Directory Manager" -w <password> -b "cn=OAA-App-User,cn=Groups,dc=example,dc=com" "cn=*" uniqueMember
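The following script is an added example, not part of the Oracle documentation or the OUD tooling. It serves both procedures above: building update_group.ldif from the DN listing of cn=Users, and building a single modify_oaa_user.ldif that sets obpsftid on every member of OAA-App-User. It assumes the example.com suffix, group and search base used on this page, and it works entirely off-line on SAMPLE_USER_DNS and SAMPLE_GROUP_MEMBERS, which are constructed stand-ins for real ldapsearch output (in practice, pipe the ldapsearch commands shown above into the same functions). The sample deliberately includes the base entry, the oaaadmin account, a cn containing a space and a service account, because those are the cases that trip up a naive grep/awk pipeline.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): generate the two LDIF files
# described above from ldapsearch output, without modifying the directory.
# Assumed names: cn=OAA-App-User,cn=Groups,dc=example,dc=com and cn=Users,dc=example,dc=com.

# Constructed stand-in for the output of:
#   ldapsearch -h <OUD_HOSTNAME> -p <OUD_PORT> -D "cn=Directory Manager" -w <password> \
#     -b cn=Users,dc=example,dc=com "cn=*" dn
SAMPLE_USER_DNS='dn: cn=Users,dc=example,dc=com

dn: cn=oaaadmin,cn=Users,dc=example,dc=com

dn: cn=oaauser,cn=Users,dc=example,dc=com

dn: cn=John Doe,cn=Users,dc=example,dc=com

dn: cn=weblogic_iam,cn=Users,dc=example,dc=com
'

# Constructed stand-in for the output of the group-member search:
#   ldapsearch ... -b "cn=OAA-App-User,cn=Groups,dc=example,dc=com" "cn=*" uniqueMember
SAMPLE_GROUP_MEMBERS='dn: cn=OAA-App-User,cn=Groups,dc=example,dc=com
uniqueMember: cn=oaauser,cn=Users,dc=example,dc=com
uniqueMember: cn=John Doe,cn=Users,dc=example,dc=com
'

# group_add_ldif GROUP_DN BASE_DN [EXCLUDE_REGEX]  < ldapsearch-dn-output
# Emits one LDIF modify record adding every returned entry as a uniqueMember of
# GROUP_DN, skipping the search base entry itself and any DN matching EXCLUDE_REGEX.
# sed keeps the complete DN on each line, so "cn=John Doe" survives intact.
group_add_ldif() {
  group_dn=$1
  base_dn=$2
  exclude_re=$3
  [ -n "$exclude_re" ] || exclude_re='^$'   # matches nothing on non-empty lines
  printf 'dn: %s\nchangetype: modify\nadd: uniqueMember\n' "$group_dn"
  grep '^dn: ' \
    | grep -v -x -F "dn: $base_dn" \
    | grep -v -E "$exclude_re" \
    | sed 's/^dn: /uniqueMember: /'
}

# obpsftid_ldif  < ldapsearch-uniqueMember-output
# Emits one modify record per group member, separated by blank lines, so a single
# "ldapmodify -f modify_oaa_user.ldif" sets obpsftid: true on every member.
obpsftid_ldif() {
  grep '^uniqueMember: ' \
    | sed 's/^uniqueMember: //' \
    | while IFS= read -r member_dn; do
        printf 'dn: %s\nchangetype: modify\nreplace: obpsftid\nobpsftid: true\n\n' "$member_dn"
      done
}

# member_count  < ldif
# Number of uniqueMember values in an LDIF stream: a sanity check before loading.
member_count() {
  grep -c '^uniqueMember: '
}

# Stand-alone run: print both files to stdout. Redirect each call to a file
# (e.g. "> update_group.ldif") and review it before running ldapmodify against it.
main() {
  echo '--- update_group.ldif ---'
  printf '%s' "$SAMPLE_USER_DNS" \
    | group_add_ldif 'cn=OAA-App-User,cn=Groups,dc=example,dc=com' \
                     'cn=Users,dc=example,dc=com' 'oaaadmin|weblogic_iam'
  echo
  echo '--- modify_oaa_user.ldif ---'
  printf '%s' "$SAMPLE_GROUP_MEMBERS" | obpsftid_ldif
}
main "$@"
```

The exclusion pattern is where the review step of the documented procedure happens: pass the cn values of administrative and service accounts (oaaadmin is one; others depend on your environment) so they never enter update_group.ldif in the first place, and still read the generated file before loading it. If your ldapsearch wraps long values onto continuation lines (a line beginning with a single space, as LDIF allows), join those lines before piping the output into these functions, or the wrapped part of a DN will be lost.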