4.2.4 Creating Users and Groups in the LDAP Store

Oracle Advanced Authentication (OAA) requires two groups to be configured in the LDAP store used by Oracle Access Management (OAM):
  • OAA-Admin-Role, which is used to authenticate administrator users who are permitted to access the Administration Console.
  • OAA-App-User, which contains the list of users who are permitted to access the Self-Service Portal.

Note:

  • If you are installing Oracle Universal Authenticator (OUA), each user must have the LDAP attribute obpsftid set to true to enable persistent login (see Setting LDAP Attribute obpsftid for Existing OAA Users below).

Creating Users and Groups

The following section gives an example of creating the OAA-Admin-Role group and OAA-App-User group in an OAM-enabled LDAP directory. It also creates an OAA administration user (oaaadmin) and adds it to the OAA-Admin-Role group.

To create the users and groups:
  1. Create an LDIF file oaa_admin.ldif with the following contents:
    dn: cn=oaaadmin,cn=Users,dc=example,dc=com
    changetype: add
    objectClass: orclUserV2
    objectClass: oblixorgperson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: oblixPersonPwdPolicy
    objectClass: orclAppIDUser
    objectClass: orclUser
    objectClass: orclIDXPerson
    objectClass: top
    objectClass: OIMPersonPwdPolicy
    givenName: oaaadmin
    uid: oaaadmin
    orclIsEnabled: ENABLED
    sn: oaaadmin
    userPassword: <Password>
    mail: oaaadmin@example.com
    orclSAMAccountName: oaaadmin
    cn: oaaadmin
    obpasswordchangeflag: false
    ds-pwp-password-policy-dn: cn=FAPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
    
    dn: cn=OAA-Admin-Role,cn=Groups,dc=example,dc=com
    changetype: add
    objectClass: top
    objectClass: groupofuniquenames
    uniqueMember: cn=oaaadmin,cn=Users,dc=example,dc=com
    
    dn: cn=OAA-App-User,cn=Groups,dc=example,dc=com
    changetype: add
    objectClass: top
    objectClass: groupofuniquenames
  2. Replace <Password> with the password for the oaaadmin user, then load the LDIF file into the directory. The following example assumes you are using Oracle Unified Directory (OUD) as the LDAP store and binds as the directory administrator:
    $ cd INSTANCE_DIR/OUD/bin
    $ ./ldapmodify -h <OUD_HOSTNAME> -p 1389 -D "cn=Directory Manager" -w <password> -f oaa_admin.ldif
    The LDIF file contains the administrator password in clear text (the directory hashes it on storage, the file does not), so restrict its permissions and remove it once the entries are loaded. Passing the bind password with -w also exposes it in the process list and shell history; OUD's command-line tools accept a bind password file (-j) instead.

Adding Existing Users to the OAA User Group

The following example shows how to add existing users to the OAA-App-User group created above:
  1. Run the following commands on the LDAP instance. They create an LDIF file that adds all your existing users under cn=Users to the OAA-App-User group. The ldapsearch returns only the dn of each entry; the grep -v filters drop the oaaadmin user created above and the cn=Users container itself, which a subtree search also returns:
    echo "dn: cn=OAA-App-User,cn=Groups,dc=example,dc=com" > update_group.ldif
    echo "changetype: modify" >> update_group.ldif
    echo "add: uniqueMember" >> update_group.ldif
    ldapsearch -h <OUD_HOSTNAME> -p <OUD_PORT> -D "cn=Directory Manager" -w <password> -b cn=Users,dc=example,dc=com "cn=*" dn | grep -v oaaadmin | grep -v "dn: cn=Users,dc=example,dc=com" | grep cn | awk ' { print "uniqueMember: "$2 } ' >> update_group.ldif
    Note that awk prints only the second whitespace-separated field, so a DN that contains a space (for example cn=Jane Doe,cn=Users,dc=example,dc=com) is truncated; check the generated uniqueMember lines before loading the file.
  2. Edit the update_group.ldif and remove any users you don't want to add to the group.
  3. Load the LDIF file into the directory:
    ldapmodify -h oud.example.com -p 1389 -D "cn=Directory Manager" -w <password> -f update_group.ldif

Setting LDAP Attribute obpsftid for Existing OAA Users

To enable persistent login for users in the OAA-App-User group, each LDAP user needs to have the LDAP attribute obpsftid set to true:
  1. Create a modify_oaa_user.ldif which has the following contents:
    dn: cn=<username>,<LDAP_USER_SEARCHBASE>
    changetype: modify
    replace: obpsftid
    obpsftid: true
    For example:
    dn: cn=oaauser,cn=Users,dc=example,dc=com
    changetype: modify
    replace: obpsftid
    obpsftid: true
  2. Load the LDIF file into the directory:
    ldapmodify -h <OUD_HOSTNAME> -p 1389 -D "cn=Directory Manager" -w <password> -f modify_oaa_user.ldif
  3. Repeat this for each user in the OAA-App-User group. The modify records for several users can be placed in one LDIF file, separated by a blank line, and loaded with a single ldapmodify run. To obtain the list of members of the OAA-App-User group, issue the following LDAP command from your LDAP instance:
    ldapsearch -h "<OUD_HOSTNAME>" -p "<OUD_PORT>" -D "cn=Directory Manager" -w "<password>" -b "cn=<OAA_USER_GROUP>,<LDAP_GROUP_SEARCHBASE>" "cn=*" uniqueMember
    
    For example:
    ldapsearch -h "oud.example.com" -p 1389 -D "cn=Directory Manager" -w <password> -b "cn=OAA-App-User,cn=Groups,dc=example,dc=com" "cn=*" uniqueMember
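
The two LDIF-generation steps above (populating OAA-App-User from a user search, and setting obpsftid on every member of the group) both parse ldapsearch output, and the awk '{print $2}' pipeline truncates any DN that contains a space and cannot handle values the directory folds across lines. The following script is an added example, not Oracle's code and not part of the original page: it builds both LDIFs from ldapsearch output with a small LDIF unfolder, so DNs with spaces and folded lines survive, and emits one obpsftid modify record per member so that one ldapmodify run updates every user. The ldapsearch samples are constructed here so that the script runs offline; the hostnames, DNs and the cn=Jane Doe user are illustrative.

```shell
#!/bin/sh
# Added example (not Oracle's code): build the two modify LDIFs from
# ldapsearch output without the fragile "awk '{print $2}'" step, which
# truncates any DN containing a space (cn=Jane Doe) and misses values the
# directory has folded across lines.
set -u

# Constructed samples of ldapsearch output, so the script runs offline.
# In production, pipe the real ldapsearch output into the functions instead.
SAMPLE_USER_SEARCH='dn: cn=Users,dc=example,dc=com

dn: cn=oaaadmin,cn=Users,dc=example,dc=com

dn: cn=oaauser,cn=Users,dc=example,dc=com

dn: cn=Jane Doe,cn=Users,dc=example,dc=com
'
SAMPLE_GROUP_SEARCH='dn: cn=OAA-App-User,cn=Groups,dc=example,dc=com
uniqueMember: cn=oaauser,cn=Users,dc=example,dc=com
uniqueMember: cn=Jane Doe,cn=Users,dc=example,dc=com
uniqueMember: cn=a-very-long-common-name-that-the-directory-folds-over-two-lines,cn=Users,
 dc=example,dc=com
'

# unfold_ldif: join LDIF continuation lines (a line beginning with a single
# space continues the previous line, RFC 2849) and drop blank record separators.
unfold_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END { if (buf != "") print buf }
  '
}

# group_add_ldif GROUP_DN USER_BASE ADMIN_DN
# stdin: output of  ldapsearch ... -b USER_BASE "(cn=*)" dn
# Emits one "add: uniqueMember" record listing every user DN except the
# search base itself (a subtree search returns it too) and the OAA admin.
group_add_ldif() {
  group="$1"; base="$2"; admin="$3"
  printf 'dn: %s\nchangetype: modify\nadd: uniqueMember\n' "$group"
  unfold_ldif | sed -n 's/^dn: //p' | while IFS= read -r dn; do
    if [ "$dn" = "$base" ] || [ "$dn" = "$admin" ]; then continue; fi
    printf 'uniqueMember: %s\n' "$dn"
  done
}

# obpsftid_ldif
# stdin: output of  ldapsearch ... -b GROUP_DN "(cn=*)" uniqueMember
# Emits one "replace: obpsftid" record per member, records separated by a
# blank line, so a single ldapmodify run updates every user in the group.
obpsftid_ldif() {
  unfold_ldif | sed -n 's/^uniqueMember: //p' | while IFS= read -r dn; do
    printf 'dn: %s\nchangetype: modify\nreplace: obpsftid\nobpsftid: true\n\n' "$dn"
  done
}

# Stand-alone demonstration on the constructed samples. Against a live OUD,
# replace each printf with the corresponding ldapsearch, e.g.
#   ldapsearch -h "$OUD_HOSTNAME" -p "$OUD_PORT" -D "cn=Directory Manager" -j pwfile \
#     -b "cn=OAA-App-User,cn=Groups,dc=example,dc=com" "cn=*" uniqueMember
printf '%s' "$SAMPLE_USER_SEARCH" | group_add_ldif \
  'cn=OAA-App-User,cn=Groups,dc=example,dc=com' \
  'cn=Users,dc=example,dc=com' \
  'cn=oaaadmin,cn=Users,dc=example,dc=com'
printf '%s' "$SAMPLE_GROUP_SEARCH" | obpsftid_ldif
```

Redirect the output of each function to update_group.ldif or modify_oaa_user.ldif, review the file, and load it with ldapmodify as in the steps above. Matching the admin by its full DN rather than by the substring oaaadmin avoids accidentally dropping unrelated users whose names happen to contain that string.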