D Configuring LDAP Connector Manually
Configure LDAP Connector manually.
This section contains the following topics:
D.1 Copying OAM-OIG Integration Connector Template XML to the Connector Bundle
Replace the default template XML files in the Connector Bundle with OAM-OIG Integration Connector Template XML files.
D.2 Creating Target Application Instance
In OIG-OAM integration, a target account corresponding to the target application instance is granted to all users by default. The target account in Oracle Identity Governance corresponds to the user record in the directory.
- Log in to the OIG Self Service UI.
- Under Manage workspace, select Applications.
- On the Applications page, select Create.
- On the Create Target Application page, perform the following:
D.3 Creating Authoritative Application Instance
In OIG-OAM integration, an authoritative application instance is required for reconciling users from the directory into Oracle Identity Governance. To create an authoritative application instance, perform the following steps:
- Log in to the OIG Self Service UI.
- Under Manage workspace, select Applications.
- On the Applications page, select Create.
- On the Create Authoritative Application page, perform the following:
D.4 Updating IT Resource Instance Details for Directories
Three IT Resource instances are created for OIG-OAM integration operations:
- An IT Resource instance with the name of the target application. The property values for this instance are auto-populated during target application creation.
- An IT Resource instance with the name of the authoritative application. The property values for this instance are auto-populated during authoritative application creation.
- An IT Resource instance with the fixed name SSO Server. This instance is defined in the pre-config.xml file corresponding to the directory type. You must manually update the property values of this IT Resource with values matching the directory server type and its access details.
Note:
In the case of the Active Directory type, an additional IT Resource with the fixed name SSO Connector Server must be created. You must manually update the property values of this IT Resource as well.
Table D-2 Directory types and IT Resource values
Directory Type | IT Resource Field | Value |
---|---|---|
OID | Configuration Lookup | Lookup.SSO.Configuration. This value is fixed and should not be changed. |
OID | Connector Server Name | (Leave it blank) |
OID | baseContexts | For example, dc=us,dc=oracle,dc=com |
OID | credentials | Password of the administrative user that you provide as principal |
OID | failover | N/A |
OID | host | Host name of the target OID directory |
OID | port | Non-SSL port: default 389 or 3060. SSL port: default 636 or 3131. The port must match the ssl setting. |
OID | principal | For example, cn=orcladmin |
OID | ssl | true or false; the default is true. With false, the principal's password crosses the network in cleartext during the bind. |
OUD | Configuration Lookup | Lookup.OUD.Configuration. This value is fixed and should not be changed. |
OUD | Connector Server Name | (Leave it blank) |
OUD | baseContexts | For example, dc=us,dc=oracle,dc=com |
OUD | credentials | Password of the administrative user that you provide as principal |
OUD | failover | N/A |
OUD | host | Host name of the target OUD directory |
OUD | port | Non-SSL port: default 389 (if OUD runs as the superuser) or 1389. SSL port: default 636 (if OUD runs as the superuser) or 1636. The port must match the ssl setting. |
OUD | principal | For example, cn=oudadmin |
OUD | ssl | true or false; the default is true. With false, the principal's password crosses the network in cleartext during the bind. |
AD | DirectoryAdminName | The AD administrator, for example, exampledomain\Administrator |
AD | DirectoryAdminPassword | Password of the AD administrator |
AD | Container | For example, dc=interop55,dc=us,dc=oracle,dc=com |
AD | LDAPHostName | Host name of the target AD directory |
AD | DomainName | For example, interop55.us.oracle.com |
AD | IsADLDS | Default: no |
AD | UseSSL | Default: no |
AD | ADLDSPort | (Leave it blank) |
AD | SyncDomainController | (Leave it blank) |
AD | SyncGlobalCatalogServer | (Leave it blank) |
AD | Configuration Lookup | Lookup.Configuration.SSO. This value is fixed and should not be changed. |
AD | Connector Server Name | SSO Connector Server. This value is fixed and should not be changed. |
AD | BDCHostNames | (Leave it blank) |
SSO Connector Server (only when AD is used) | Host | For example, ssoserver.us.com |
SSO Connector Server (only when AD is used) | Key | The plaintext (not encrypted) key value you set when installing the AD connector server |
SSO Connector Server (only when AD is used) | Port | 8759 |
SSO Connector Server (only when AD is used) | Timeout | 0 |
SSO Connector Server (only when AD is used) | UseSSL | false. The channel to the connector server is then unencrypted, so restrict network access to the connector server port accordingly. |
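Because the SSO Server IT Resource is filled in by hand, a typo in a DN or a port that does not match the ssl flag only surfaces later as a failed reconciliation. The following Python script is an added example, not Oracle's code and not part of the product: it checks a set of OID or OUD values against Table D-2 before you type them into the IT Resource. The field names are those of the table; the consistency rules (the ssl/port pairing, the DN syntax check on baseContexts and principal, and the warning about cleartext binds) and the sample values are this example's own assumptions.

```python
"""Pre-flight check of OID/OUD values for the SSO Server IT Resource (Table D-2).
Added example, not part of Oracle Identity Governance. Field names follow the
table; the consistency rules below are this example's own assumptions."""
import re

# Default ports per directory type from Table D-2: (non-SSL ports, SSL ports)
DEFAULT_PORTS = {
    "OID": ({389, 3060}, {636, 3131}),
    "OUD": ({389, 1389}, {636, 1636}),
}
# Fixed Configuration Lookup value per directory type from Table D-2
CONFIG_LOOKUP = {"OID": "Lookup.SSO.Configuration", "OUD": "Lookup.OUD.Configuration"}

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=.+$")


def split_dn(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def is_dn(value):
    """True when every comma-separated component looks like attr=value."""
    return all(_RDN.match(p) for p in split_dn(value or ""))


def check_it_resource(dir_type, res):
    """Return the list of problems found; an empty list means the values are consistent."""
    if dir_type not in DEFAULT_PORTS:
        return [f"unsupported directory type {dir_type!r}"]
    plain_ports, ssl_ports = DEFAULT_PORTS[dir_type]
    problems = []
    if res.get("Configuration Lookup") != CONFIG_LOOKUP[dir_type]:
        problems.append(f"Configuration Lookup must be {CONFIG_LOOKUP[dir_type]}")
    if res.get("Connector Server Name"):
        problems.append("Connector Server Name must be blank for OID/OUD")
    for field in ("host", "credentials"):
        if not res.get(field):
            problems.append(f"{field} is empty")
    for field in ("baseContexts", "principal"):
        if not is_dn(res.get(field)):
            problems.append(f"{field} is not a DN")
    ssl = str(res.get("ssl", "")).lower()
    if ssl not in ("true", "false"):
        problems.append("ssl must be true or false")
    try:
        port = int(str(res.get("port", "")))
    except ValueError:
        port = None
        problems.append("port is not a number")
    if port is not None:
        # The port has to agree with the ssl flag, otherwise the TLS handshake
        # (or the plain LDAP bind) simply fails against the wrong listener.
        if ssl == "true" and port in plain_ports:
            problems.append(f"ssl=true but {port} is a default non-SSL port")
        if ssl == "false" and port in ssl_ports:
            problems.append(f"ssl=false but {port} is a default SSL port")
    if ssl == "false":
        # A simple bind without TLS sends the principal's password in cleartext.
        problems.append("ssl=false sends the principal's password in cleartext")
    return problems


if __name__ == "__main__":
    # Constructed sample values (hypothetical host and password).
    sample = {
        "Configuration Lookup": "Lookup.OUD.Configuration",
        "Connector Server Name": "",
        "baseContexts": "dc=us,dc=oracle,dc=com",
        "credentials": "s3cret",
        "host": "oud.example.com",
        "port": "1389",
        "principal": "cn=oudadmin",
        "ssl": "true",
    }
    for problem in check_it_resource("OUD", sample) or ["values look consistent"]:
        print(problem)
```

The check deliberately flags ssl=false even when the port is consistent with it: the table lists both values, but a non-TLS simple bind exposes the directory administrator's password to anyone on the path between OIG and the directory.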
D.6 Importing Metadata for LDAP Container Rules
The container rules are stored in the /db/LDAPContainerRules.xml file. A user or role whose attributes match a rule is created in the container of that rule; all others are created in the container for which the expression is Default. The following is a sample LDAPContainerRules.xml file:

```xml
<container-rules>
  <user>
    <rule>
      <expression>Country=US, Locality Name=AMER</expression>
      <container>l=amer,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Country=IN, Locality Name=APAC</expression>
      <container>l=apac,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>l=users,dc=oracle,dc=com</container>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Role Description=AMER</expression>
      <description>AMER</description>
      <container>l=amer,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Role Description=APAC</expression>
      <description>APAC</description>
      <container>l=apac,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <description>Default</description>
      <container>l=roles,dc=oracle,dc=com</container>
    </rule>
  </role>
</container-rules>
```

The LDAPContainerRules.xml file contains the following sections:
- Expression: Specifies the rule that is used to find the namespace and the OU for LDAP. The <expression> tag must be defined based on user or role attributes. Only the equal to (=) operator is supported in the <expression> tag. The expression can be based on multiple attributes, as shown in the example, and the LDAP container is determined by an AND of all the defined attributes. If none of the rules match, the user or role is placed in the container for which the expression is Default.
- Description: The namespace that is used for the Role Namespace attribute. The description (namespace) associated with the Default expression is always Default. By default, roles do not have many attributes with which to build meaningful expressions, so you may need to add a User-Defined Field (UDF) attribute, for example a Role Location attribute. In the sample LDAP container rules, the Role Description attribute is used to define the rule.
- Container: The OU that is used to determine where to create the user or role in LDAP. For example, a user with the attributes Country=US and Locality Name=AMER is created in the container l=amer,dc=oracle,dc=com. A user with Country=France and Locality Name=FR is created in the container l=users,dc=oracle,dc=com, because no expression matches these two attributes and therefore the default container is selected.
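The rule semantics above (every attribute in an expression must match, only = is allowed, Default is the fallback) are easy to get wrong when writing a new rules file, and a rule that silently never matches drops every user into the default container. The following Python script is an added example, not the OIG implementation: it parses the sample LDAPContainerRules.xml shown above and resolves the container for a given user or role the way this section describes. It assumes that rules are evaluated in document order and that the first matching rule wins; the function names and the sample attribute sets are this example's own.

```python
"""Added example: resolve LDAP containers from LDAPContainerRules.xml as this
section describes. Not the OIG implementation; assumes rules are tried in
document order and the first match wins."""
import re
import xml.etree.ElementTree as ET

# The sample rules file shown on this page, reformatted.
SAMPLE_RULES = """<container-rules>
  <user>
    <rule><expression>Country=US, Locality Name=AMER</expression>
          <container>l=amer,dc=oracle,dc=com</container></rule>
    <rule><expression>Country=IN, Locality Name=APAC</expression>
          <container>l=apac,dc=oracle,dc=com</container></rule>
    <rule><expression>Default</expression>
          <container>l=users,dc=oracle,dc=com</container></rule>
  </user>
  <role>
    <rule><expression>Role Description=AMER</expression><description>AMER</description>
          <container>l=amer,ou=role,dc=oracle,dc=com</container></rule>
    <rule><expression>Role Description=APAC</expression><description>APAC</description>
          <container>l=apac,ou=role,dc=oracle,dc=com</container></rule>
    <rule><expression>Default</expression><description>Default</description>
          <container>l=roles,dc=oracle,dc=com</container></rule>
  </role>
</container-rules>"""

# Attribute names may contain spaces (e.g. "Locality Name") but no operator characters.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9 _-]*$")


def parse_expression(expr):
    """'Country=US, Locality Name=AMER' -> {'Country': 'US', 'Locality Name': 'AMER'}.
    Returns None for the Default rule. Only the = operator is supported; anything
    else (!=, >=, ...) raises ValueError instead of silently never matching."""
    if expr.strip() == "Default":
        return None
    conditions = {}
    for clause in expr.split(","):
        name, sep, value = clause.partition("=")
        name = name.strip()
        if not sep or not _ATTR_NAME.match(name):
            raise ValueError(f"unsupported clause (only '=' is allowed): {clause.strip()!r}")
        conditions[name] = value.strip()
    return conditions


def load_rules(xml_text):
    """Return {'user': (rules, default), 'role': (rules, default)}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for section in ("user", "role"):
        entries, default = [], None
        for rule in root.find(section).findall("rule"):
            entry = {
                "conditions": parse_expression(rule.findtext("expression")),
                "container": rule.findtext("container").strip(),
                "description": (rule.findtext("description") or "").strip() or None,
            }
            if entry["conditions"] is None:
                default = entry
            else:
                entries.append(entry)
        if default is None:
            raise ValueError(f"<{section}> section has no Default rule")
        rules[section] = (entries, default)
    return rules


def resolve(rules, kind, attributes):
    """Return (container, description) for a 'user' or 'role' with these attributes."""
    entries, default = rules[kind]
    for entry in entries:
        # AND over every attribute named in the expression; a missing attribute fails the rule.
        if all(attributes.get(k) == v for k, v in entry["conditions"].items()):
            return entry["container"], entry["description"]
    return default["container"], default["description"]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    # Constructed sample subjects, including the two users discussed in the text.
    print(resolve(rules, "user", {"Country": "US", "Locality Name": "AMER"}))
    print(resolve(rules, "user", {"Country": "France", "Locality Name": "FR"}))
    print(resolve(rules, "role", {"Role Description": "APAC"}))
```

Running it against the sample file places the US/AMER user in l=amer,dc=oracle,dc=com and the France/FR user in l=users,dc=oracle,dc=com, as the text states; a user with only Country=US also falls to the default container because the AMER rule requires both attributes.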