D Configuring LDAP Connector Manually

Configure LDAP Connector manually.

This section contains the following topics:

D.1 Copying OAM-OIG Integration Connector Template XML to the Connector Bundle

Replace the default template XML files in the Connector Bundle with OAM-OIG Integration Connector Template XML files.

  1. Download the Connector Bundle from OTN. See Download Connector Bundle.

    Note:

    The Connector bundle contains default template XML files.
  2. Replace the default XML files with OIG-OAM integration-specific XML files as shown in the following table.

    Table D-1 Replacing default XML files in the Connector bundle with integration-specific XML files

    Oracle Internet Directory
      Default XML files (to be removed from the bundle):
      • CONNECTORINSTALLDIR/xml/OID-auth-template.xml
      • CONNECTORINSTALLDIR/xml/OID-pre-config.xml
      • I
      Integration-specific XML files (to be copied into the bundle):
      • ORACLE_HOME/idm/server/ssointg/connector/oid/connector/OID-auth-template.xml to $CONNECTORINSTALLDIR/xml/
      • ORACLE_HOME/idm/server/ssointg/connector/oid/connector/OID-OAM-Target-Template.xml to $CONNECTORINSTALLDIR/xml/
      • ORACLE_HOME/idm/server/ssointg/connector/oid/connector/OID-OAM-pre-config.xml to $CONNECTORINSTALLDIR/xml/

    Oracle Unified Directory
      Default XML files (to be removed from the bundle): N/A
      Integration-specific XML files (to be copied into the bundle):
      • ORACLE_HOME/idm/server/ssointg/connector/oud/connector/OUD-auth-template.xml to $CONNECTORINSTALLDIR/xml/
      • ORACLE_HOME/idm/server/ssointg/connector/oud/connector/OUD-OAM-Target-Template.xml to $CONNECTORINSTALLDIR/xml/
      • ORACLE_HOME/idm/server/ssointg/connector/oud/connector/OUD-OAM-pre-config.xml to $CONNECTORINSTALLDIR/xml/

    Microsoft Active Directory
      Default XML files (to be removed from the bundle):
      • CONNECTORINSTALLDIR/xml/ad-auth-template.xml
      • CONNECTORINSTALLDIR/xml/ad-target-template.xml
      • CONNECTORINSTALLDIR/xml/ad-pre-config.xml
      Integration-specific XML files (to be copied into the bundle):
      • ORACLE_HOME/idm/server/ssointg/connector/AD/connector/ad-auth-template.xml to $CONNECTORINSTALLDIR/xml/
      • ORACLE_HOME/idm/server/ldif/prepareidstore/AD/connector/AD-OAM-target-template.xml to $CONNECTORINSTALLDIR/xml/
      • ORACLE_HOME/idm/server/ssointg/connector/AD/connector/AD-OAM-pre-config.xml to $CONNECTORINSTALLDIR/xml/
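The file replacement in Table D-1 is easy to get half right (a default template left behind, or the AD target template fetched from the wrong tree), so the following script, an added example that is not part of the Oracle documentation, performs the removals and copies for one directory type and then verifies the bundle contents. It assumes ORACLE_HOME and CONNECTORINSTALLDIR are exported; for OID it removes the two default files the table names.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: stage the OIG-OAM
# integration template XML files listed in Table D-1 into the Connector
# Bundle, then verify the result. Assumes ORACLE_HOME and
# CONNECTORINSTALLDIR are exported; argument is OID, OUD or AD.

stage_templates() {
    dirtype="$1"
    src="$ORACLE_HOME/idm/server/ssointg/connector"
    dst="$CONNECTORINSTALLDIR/xml"
    [ -d "$dst" ] || { echo "no $dst directory" >&2; return 1; }
    case "$dirtype" in
        OID)
            rm -f "$dst/OID-auth-template.xml" "$dst/OID-pre-config.xml"
            cp "$src/oid/connector/OID-auth-template.xml" \
               "$src/oid/connector/OID-OAM-Target-Template.xml" \
               "$src/oid/connector/OID-OAM-pre-config.xml" "$dst/"
            ;;
        OUD)
            # Table D-1 lists no default files to remove for OUD.
            cp "$src/oud/connector/OUD-auth-template.xml" \
               "$src/oud/connector/OUD-OAM-Target-Template.xml" \
               "$src/oud/connector/OUD-OAM-pre-config.xml" "$dst/"
            ;;
        AD)
            rm -f "$dst/ad-auth-template.xml" "$dst/ad-target-template.xml" \
                  "$dst/ad-pre-config.xml"
            # The AD target template comes from the ldif/prepareidstore tree.
            cp "$src/AD/connector/ad-auth-template.xml" \
               "$ORACLE_HOME/idm/server/ldif/prepareidstore/AD/connector/AD-OAM-target-template.xml" \
               "$src/AD/connector/AD-OAM-pre-config.xml" "$dst/"
            ;;
        *)
            echo "unknown directory type: $dirtype" >&2
            return 2
            ;;
    esac
}

# Verify that the bundle holds the integration-specific templates and none
# of the default files that Table D-1 says to remove.
check_templates() {
    dirtype="$1"
    dst="$CONNECTORINSTALLDIR/xml"
    case "$dirtype" in
        OID) want="OID-auth-template.xml OID-OAM-Target-Template.xml OID-OAM-pre-config.xml"
             stale="OID-pre-config.xml" ;;
        OUD) want="OUD-auth-template.xml OUD-OAM-Target-Template.xml OUD-OAM-pre-config.xml"
             stale="" ;;
        AD)  want="ad-auth-template.xml AD-OAM-target-template.xml AD-OAM-pre-config.xml"
             stale="ad-target-template.xml ad-pre-config.xml" ;;
        *)   return 2 ;;
    esac
    for f in $want; do
        [ -f "$dst/$f" ] || { echo "missing: $dst/$f" >&2; return 1; }
    done
    for f in $stale; do
        [ ! -e "$dst/$f" ] || { echo "default file still present: $dst/$f" >&2; return 1; }
    done
    echo "$dirtype templates staged in $dst"
}
```

Run it as `stage_templates AD && check_templates AD` (or OID / OUD) after step 1; a non-zero exit from check_templates means the bundle still carries a default template or lacks an integration-specific one.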

D.2 Creating Target Application Instance

In OIG-OAM integration, a target account corresponding to the target application instance is granted to all users by default. The target account in Oracle Identity Governance corresponds to the user record in the directory.

  1. Log in to the OIG Self-service UI.
  2. Under Manage workspace, select Applications.
  3. On the Applications page, select Create.
  4. On the Create Target Application page, perform the following:
    1. Select the connector bundle to be used for the target application, such as SSOTarget.
    2. If the Connector bundle used for OIG-OAM integration is located at a path different from the default location, $ORACLE_HOME/idm/server/ConnectorDefaultDirectory, specify the appropriate connector path in Alternate Connector Directory and click Refresh.
    3. Select the Connector bundle from Select Bundle drop-down options.
    4. Enter Application Name.

      Note:

      Unlike authoritative application name, you need not follow any conventions for the target application name.
    5. Enter Display Name.

      Note:

      Display name can be identical to the application name.
    6. Enter basic configuration details and click Next.
    7. On the Schema page, verify Schema.

      Note:

      • If needed, a new schema mapping can be added between a user-defined field and a directory attribute.

      • Do not modify the existing schema mappings.

    8. Click Next.
    9. On the Settings page, leave the default values intact.
    10. Click Next.
    11. Click Finish to create target application instance.

D.3 Creating Authoritative Application Instance

In OIG-OAM integration, an authoritative application instance is required for reconciling users from the directory to Oracle Identity Governance. To create an authoritative application instance, perform the following steps:

  1. Log in to the OIG Self-service UI.
  2. Under Manage workspace, select Applications.
  3. On the Applications page, select Create.
  4. On the Create Authoritative Application page, perform the following:
    1. Select the connector bundle to be used for the authoritative application, such as SSOTrusted.
    2. If the Connector bundle used for OIG-OAM integration is located at a path different from the default location, $ORACLE_HOME/idm/server/ConnectorDefaultDirectory, specify the appropriate connector path in Alternate Connector Directory and click Refresh.
    3. Select the Connector bundle from Select Bundle drop-down options.
    4. Enter Application Name.

      Important:

      Application Name value must contain SSOTrusted substring. It is case-sensitive.

      The OIG-OAM integration has a strong dependency on the name of the Authoritative Application Instance. Ensure that the name contains SSOTrusted. For example, SSOTrusted-for-SSOTarget, SSOTrustedAD, and adSSOTrusted.

    5. Enter Display Name.

      Note:

      Display name can be identical to the application name.
    6. Enter basic configuration details and click Next.
    7. On the Schema page, verify Schema.

      Note:

      • If needed, a new schema mapping can be added between a user-defined field and a directory attribute.

      • Do not modify the existing schema mappings.

    8. Click Next.
    9. On the Settings page, leave the default values intact.
    10. Click Next.
    11. Click Finish to create authoritative application instance.

D.4 Updating IT Resource Instance Details for Directories

There are three IT Resource Instances created for OIG-OAM integration operations.

The three IT Resource Instances are:
  1. An IT Resource Instance with the name of the target application. The property values for this instance are auto-populated during the target application creation.

  2. An IT Resource Instance with the name of the authoritative application. The property values for this instance are auto-populated during the authoritative application creation.

  3. An IT Resource Instance with the fixed name SSO Server. This instance is defined in the pre-config.xml file corresponding to the directory type. You must manually update the property values of this IT Resource with values matching the directory server type and its access details.

Note:

In the case of the Active Directory type, an additional IT Resource with the fixed name SSO Connector Server must be created. You must manually update the property values of this IT Resource.

Table D-2 Directory types and IT Resource values

Directory type: OID
  Configuration Lookup: Lookup.SSO.Configuration (this value is fixed and should not be changed)
  Connector Server Name: (leave it blank)
  baseContexts: for example, dc=us,dc=oracle,dc=com
  credentials: credentials for the administrative user that you provide as principal
  failover: N/A
  host: the host of the target OID directory
  port: OID port, default values are 389 or 3060; SSL port, default value is 636 / 3131
  principal: for example, cn=orcladmin
  ssl: true or false; the default value is true

Directory type: OUD
  Configuration Lookup: Lookup.OUD.Configuration (this value is fixed and should not be changed)
  Connector Server Name: (leave it blank)
  baseContexts: for example, dc=us,dc=oracle,dc=com
  credentials: credentials for the administrative user that you provide as principal
  failover: N/A
  host: the host of the target OUD directory
  port: OUD port, default values are 389 (if run as superuser) or 1389; SSL port, default is 636 (if set up as superuser) / 1636
  principal: for example, cn=oudadmin
  ssl: true or false; the default value is true

Directory type: AD
  DirectoryAdminName: the AD administrator, for example, exampledomain\Administrator
  DirectoryAdminPassword: password for the AD administrator
  Container: for example, dc=interop55,dc=us,dc=oracle,dc=com
  LDAPHostName: host of the target AD directory
  DomainName: for example, interop55.us.oracle.com
  IsADLDS: default: no
  UseSSL: default: no
  ADLDSPort: (leave it blank)
  SyncDomainController: (leave it blank)
  SyncGlobalCatalogServer: (leave it blank)
  Configuration Lookup: Lookup.Configuration.SSO (this value is fixed and should not be changed)
  Connector Server Name: SSO Connector Server (this value is fixed and should not be changed)
  BDCHostNames: (leave it blank)

IT Resource: SSO Connector Server (only when AD is used)
  Host: for example, ssoserver.us.com
  Key: the plaintext (not encrypted) value you set when installing the AD connector server
  Port: 8759
  Timeout: 0
  UseSSL: false
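Because the SSO Server IT Resource is filled in by hand, a short pre-flight check of the values against Table D-2 catches the common slips (a changed Configuration Lookup, a missing SSO Connector Server for AD, an ssl flag that disagrees with the port) before they reach OIG. The following is an added example and not part of the Oracle documentation: the field names, fixed values and default ports are those listed in the table; the sample values in the script body are constructed and the host names are placeholders.

```python
"""Pre-flight check for the IT Resource values of Table D-2.

Added example, not part of the Oracle documentation. A finding is
("error", msg) for a value the table fixes or requires and ("warn", msg)
for a setting worth a second look, such as an unencrypted bind.
"""

FIXED_VALUES = {
    "OID": {"Configuration Lookup": "Lookup.SSO.Configuration", "Connector Server Name": ""},
    "OUD": {"Configuration Lookup": "Lookup.OUD.Configuration", "Connector Server Name": ""},
    "AD": {"Configuration Lookup": "Lookup.Configuration.SSO",
           "Connector Server Name": "SSO Connector Server"},
}
REQUIRED = {
    "OID": ("baseContexts", "credentials", "host", "port", "principal", "ssl"),
    "OUD": ("baseContexts", "credentials", "host", "port", "principal", "ssl"),
    "AD": ("DirectoryAdminName", "DirectoryAdminPassword", "Container",
           "LDAPHostName", "DomainName"),
}
# Default ports from the table, used to spot an ssl flag that disagrees with the port.
NON_SSL_PORTS = {"OID": {389, 3060}, "OUD": {389, 1389}}
SSL_PORTS = {"OID": {636, 3131}, "OUD": {636, 1636}}
CONNECTOR_SERVER_FIELDS = ("Host", "Key", "Port", "Timeout", "UseSSL")


def check_sso_server(dirtype, values, connector_server=None):
    """Return a list of (level, message) findings; an empty list means no problems."""
    findings = []
    if dirtype not in FIXED_VALUES:
        return [("error", f"unknown directory type {dirtype!r}; expected OID, OUD or AD")]

    for field, fixed in FIXED_VALUES[dirtype].items():
        if str(values.get(field, "")).strip() != fixed:
            findings.append(("error", f"{field} must be {fixed or '(blank)'} for {dirtype}"))
    for field in REQUIRED[dirtype]:
        if not str(values.get(field, "")).strip():
            findings.append(("error", f"{field} is required for {dirtype}"))

    if dirtype in ("OID", "OUD"):
        ssl = str(values.get("ssl", "")).strip().lower()
        if ssl not in ("true", "false"):
            findings.append(("error", "ssl must be true or false"))
        try:
            port = int(str(values.get("port", "")).strip())
        except ValueError:
            findings.append(("error", "port must be a number"))
            port = None
        if port is not None and ssl == "true" and port in NON_SSL_PORTS[dirtype]:
            findings.append(("warn", f"ssl=true but {port} is a default non-SSL port for {dirtype}"))
        if port is not None and ssl == "false" and port in SSL_PORTS[dirtype]:
            findings.append(("warn", f"ssl=false but {port} is a default SSL port for {dirtype}"))
        if ssl == "false":
            findings.append(("warn", "ssl=false: the principal's credentials cross the network unencrypted"))
    else:
        # AD: the directory IT Resource plus the second, fixed-name IT Resource.
        if str(values.get("UseSSL", "no")).strip().lower() in ("no", "false"):
            findings.append(("warn", "UseSSL=no: the AD bind is unencrypted"))
        if connector_server is None:
            findings.append(("error", "AD requires the SSO Connector Server IT Resource"))
        else:
            for field in CONNECTOR_SERVER_FIELDS:
                if not str(connector_server.get(field, "")).strip():
                    findings.append(("error", f"SSO Connector Server {field} is required"))
            if str(connector_server.get("UseSSL", "")).strip().lower() == "false":
                findings.append(("warn", "SSO Connector Server UseSSL=false: connector traffic is unencrypted"))
    return findings


if __name__ == "__main__":
    # Constructed sample with placeholder host names, not a real deployment.
    oud = {"Configuration Lookup": "Lookup.OUD.Configuration", "Connector Server Name": "",
           "baseContexts": "dc=us,dc=oracle,dc=com", "credentials": "***", "failover": "",
           "host": "oud.example.test", "port": "1636", "principal": "cn=oudadmin", "ssl": "true"}
    for level, msg in check_sso_server("OUD", oud) or [("ok", "OUD values are consistent")]:
        print(f"[{level}] {msg}")
```

Feed it the values exactly as you intend to type them into the IT Resource form; errors mean a fixed or required value is wrong, warnings flag an unencrypted bind or a port that does not match the ssl flag.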

D.5 Updating MBean

  1. Log in to the Enterprise Manager UI.
  2. Select System MBean Properties to access SSOIntegrationMXBean.
  3. Set the MBean values as follows:

    Table D-3 MBean attributes and values

    DirectoryType
      Description: Directory type used for the group resource in OIG-OAM integration mode. Acceptable values are OID, OUD, and AD.
      Value: one of the following:
      • OID - if the directory used is Oracle Internet Directory.
      • OUD - if the directory used is Oracle Unified Directory.
      • AD - if the directory used is Microsoft Active Directory.

    IntegrationMode
      Description: OIG-OAM Integration Mode type.
      Value: CQR. This is a fixed value for OIG-OAM integration.

    RDNAttribute
      Description: RDN attribute to be used for the user in LDAP for the OIG-OAM integration setup.
      Value: for example,
      • cn - if cn is the RDN attribute used in the directory.
      • uid - if uid is the RDN attribute used in the directory.

    SSOEnabled
      Description: SSO configuration flag that indicates whether SSO is enabled or not.
      Value: select true from the drop-down to enable OIG-OAM integration.

    TargetAppInstanceName
      Description: Target application instance name used in OIG-OAM integration mode.
      Value: for example, SSOTarget.

    TargetITResourceNameForGroup
      Description: Target IT Resource name used for the group resource in OIG-OAM integration mode.
      Value: SSO Server. This is a fixed value.

    oamServerPort
      Description: Port of the OAM managed server.
      Value: 14100

    oamAdminUser
      Description: Admin user for OAM.
      Value: oamAdmin

D.6 Importing Metadata for LDAP Container Rules

Oracle Identity Governance provides a default plug-in to determine the LDAP container for a user or role. The container is determined from the attributes of the users or roles that are synchronized to LDAP. The default plug-in reads the rules from an XML file to determine the LDAP container. The XML file must be deployed to MDS as /db/LDAPContainerRules.xml. Users or roles that match none of the rules in /db/LDAPContainerRules.xml are placed in the containers for which the expression is Default.
The following is an example of LDAP container rules:
<container-rules>
  <user>
    <rule>
      <expression>Country=US, Locality Name=AMER</expression>
      <container>l=amer,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Country=IN, Locality Name=APAC</expression>
      <container>l=apac,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>l=users,dc=oracle,dc=com</container>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Role Description=AMER</expression>
      <description>AMER</description>
      <container>l=amer,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Role Description=APAC</expression>
      <description>APAC</description>
      <container>l=apac,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <description>Default</description>
      <container>l=roles,dc=oracle,dc=com</container>
    </rule>
  </role>
</container-rules>
Each rule in the LDAPContainerRules.xml file contains the following sections:
  • Expression: It specifies the actual rule used to find the namespace and the OU in LDAP. The <expression> tag must be defined in terms of user or role attributes. Only the equal to (=) operator is supported in the <expression> tag. The expression can be based on multiple attributes, as shown in the example, and the LDAP container is determined by an AND of all the defined attributes. If no rule is satisfied, the user or role is placed in the container whose expression is Default.

  • Description: It is the namespace used for the Role Namespace attribute. The description (namespace) associated with the Default expression is always Default. By default, roles do not have many attributes from which to build meaningful expressions, so you may need to add a new User-Defined Field (UDF) attribute, for example a Role Location attribute. The sample LDAP container rules use the Role Description attribute to define the rule.

  • Container: It is the OU that determines where the user or role is created in LDAP.

    For example, a user with the attributes Country=US and Locality Name=AMER is created in the container l=amer,dc=oracle,dc=com. If a user is to be created with Country=France and Locality Name=FR, it is created in the container l=users,dc=oracle,dc=com because no expression matches these two attributes, and therefore the default container is selected.
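To make the rule semantics concrete (the = operator only, all attributes in an expression ANDed together, Default as the fallback, and the description doubling as the role namespace), the following is an added example that evaluates a container-rules file the way the text describes. It is not the plug-in's own code; the XML is the sample from this section, and the evaluation order (the first matching non-Default rule in document order wins) is an assumption.

```python
"""Evaluate LDAPContainerRules.xml as described in section D.6.

Added example, not part of Oracle Identity Governance. Assumes that the
first matching non-Default rule in document order wins; the XML below is
the sample rules file from the section.
"""
import xml.etree.ElementTree as ET

# The sample rules file from this section (users and roles).
SAMPLE_RULES = """<container-rules>
  <user>
    <rule><expression>Country=US, Locality Name=AMER</expression>
          <container>l=amer,dc=oracle,dc=com</container></rule>
    <rule><expression>Country=IN, Locality Name=APAC</expression>
          <container>l=apac,dc=oracle,dc=com</container></rule>
    <rule><expression>Default</expression>
          <container>l=users,dc=oracle,dc=com</container></rule>
  </user>
  <role>
    <rule><expression>Role Description=AMER</expression><description>AMER</description>
          <container>l=amer,ou=role,dc=oracle,dc=com</container></rule>
    <rule><expression>Role Description=APAC</expression><description>APAC</description>
          <container>l=apac,ou=role,dc=oracle,dc=com</container></rule>
    <rule><expression>Default</expression><description>Default</description>
          <container>l=roles,dc=oracle,dc=com</container></rule>
  </role>
</container-rules>"""


def parse_expression(text):
    """Turn 'Country=US, Locality Name=AMER' into {'Country': 'US', 'Locality Name': 'AMER'}.

    Returns None for the literal Default expression. Only '=' is supported,
    so any clause without it is rejected rather than silently ignored.
    """
    text = text.strip()
    if text == "Default":
        return None
    conditions = {}
    for clause in text.split(","):
        if "=" not in clause:
            raise ValueError(f"unsupported clause (only '=' is allowed): {clause.strip()!r}")
        attribute, _, value = clause.partition("=")
        conditions[attribute.strip()] = value.strip()
    return conditions


def load_rules(xml_text):
    """Parse the rules file into {'user': [rule, ...], 'role': [rule, ...]}."""
    root = ET.fromstring(xml_text)
    rules = {"user": [], "role": []}
    for kind in rules:
        section = root.find(kind)
        if section is None:
            continue
        for rule in section.findall("rule"):
            description = rule.findtext("description")
            rules[kind].append({
                "conditions": parse_expression(rule.findtext("expression", "")),
                "container": rule.findtext("container", "").strip(),
                "description": description.strip() if description is not None else None,
            })
    return rules


def resolve(rules, kind, attributes):
    """Return the rule that places a user or role with the given attributes.

    A rule matches only if every attribute in its expression equals the
    entity's value (an AND); otherwise the Default rule applies.
    """
    default = None
    for rule in rules[kind]:
        if rule["conditions"] is None:
            default = rule
            continue
        if all(attributes.get(name) == value for name, value in rule["conditions"].items()):
            return rule
    if default is None:
        raise LookupError(f"no Default rule defined for {kind}")
    return default


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for attrs in ({"Country": "US", "Locality Name": "AMER"},
                  {"Country": "France", "Locality Name": "FR"}):
        print(attrs, "->", resolve(rules, "user", attrs)["container"])
    role = resolve(rules, "role", {"Role Description": "APAC"})
    print("role APAC ->", role["container"], "namespace", role["description"])
```

Note that a user carrying only Country=US falls through to the Default container: because the attributes of an expression are ANDed, a partial match is no match.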