2 Preparing LDAP IDStore

Preparing the ID Store consists of two different operations.
  1. Extending the Directory Schema with object classes required by Oracle Access Manager.
  2. Seeding the Directory with users to perform administrative tasks.

To use an LDAP directory with Oracle Access Management and Oracle Identity Governance, the directory must include the object classes required by these products. These object classes enable Oracle Access Manager to lock accounts and allow Oracle Identity Governance to terminate sessions.

The directory must also be pre-configured with several system users required by Oracle Access Management (OAM) and Oracle Identity Governance (OIG). For instance, if you are securing a WebLogic administration page, a user in the LDAP directory is needed to facilitate login. Additionally, you need to create non-system users for WebLogic domains to access and read the LDAP directory.

Creating a Property file

This section describes creating a property file for both the pre-configure and user population steps.

  1. Create a file called prepareLDAP.props with the following contents.

    Example prepareLDAP.props file for Oracle Unified Directory

    IDSTORE_PORT: 1636
    IDSTORE_SSL_ENABLED: true
    IDSTORE_ADMIN_PORT: 4444
    
    IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmcerts.p12
    IDSTORE_KEYSTORE_PASSWORD: mytruststorepassword
    IDSTORE_ADMIN_KEYSTORE_FILE: /u01/oracle/config/instances/oud1/config/admin-keystore
    IDSTORE_ADMIN_KEYSTORE_PASSWORD:  myadmintruststorepassword
    
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_NEW_SETUP: true
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_OAMADMINUSER: oamadmin
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    IDSTORE_OIMADMINUSER: oimLDAP
    # WebLogic
    IDSTORE_WLSADMINUSER : weblogic_iam
    IDSTORE_WLSADMINGROUP : WLSAdministrators

    The following table describes the parameters that you can set in the prepareLDAP.props file.

    Table 2-1 Parameters in prepareLDAP.props File

    Property Description Sample Value

    IDSTORE_DIRECTORYTYPE

    Enter the identity store directory type. Valid options are OID, OUD, and AD.

    OUD or OID

    IDSTORE_HOST

    Enter the identity store host name.

    idstore.example.com

    IDSTORE_PORT

    Enter the identity store port.

    1389

    IDSTORE_ADMIN_PORT

    In OUD installations, administration functions are performed on a dedicated administration port.

    4444

    IDSTORE_SSL_ENABLED

    If you connect to your LDAP directory using SSL, set this parameter to true. IDSTORE_PORT must then be the SSL port of your directory.

    true

    IDSTORE_KEYSTORE_FILE

    If your directory is SSL enabled, the tool must have access to a valid trust store that includes the CA of the directory. Set this to the location of that trust store.

    IDSTORE_KEYSTORE_PASSWORD

    The password of the IDSTORE_KEYSTORE_FILE; if not supplied, the script prompts for it.

    password

    IDSTORE_ADMIN_KEYSTORE_FILE

    If you are using OUD, provide the location of the OUD administration trust store file.

    OUD_INSTANCE//config/admin-keystore
    IDSTORE_ADMIN_KEYSTORE_PASSWORD

    The password of the IDSTORE_ADMIN_KEYSTORE_FILE, if not supplied the script will prompt for it.

    To obtain this password you can issue the command:
    dsconfig -h ldaphost1 -p 4444 -D cn=oudadmin -j ~/oud.pwd -X -n
    get-key-manager-provider-prop --provider-name Administration --property key-store-pin --showKeystorePassword

    If you are not using Oracle Unified Directory, you can ignore this parameter. This file must be located on the same host that the OIGOAMIntegration.sh command is running on. The command uses this file to authenticate itself with OUD.

    password

    IDSTORE_BINDDN

    An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory.

    • OID: cn=orcladmin
    • OUD: cn=oudadmin
    • AD: CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com

    IDSTORE_BINDDN_PWD

    Enter the Password for administrative user in Oracle Internet Directory, Oracle Unified Directory or Microsoft Active Directory.

    password

    IDSTORE_USERNAMEATTRIBUTE

    Enter the username attribute used to set and search for users in the identity store.

    cn

    IDSTORE_LOGINATTRIBUTE

    Enter the login attribute of the identity store that contains the user's login name.

    uid

    IDSTORE_SEARCHBASE

    Enter the location in the directory where users and groups are stored.

    dc=example,dc=com

    IDSTORE_USERSEARCHBASE

    Enter the Container under which Access Manager searches for the users.

    cn=users,dc=example,dc=com

    IDSTORE_GROUPSEARCHBASE

    Enter the location in the directory where groups are stored.

    cn=groups,dc=example,dc=com

    IDSTORE_SYSTEMIDBASE

    Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container.

    For example, the Oracle Identity Governance reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

    cn=systemids,dc=example,dc=com

    IDSTORE_READONLYUSER

    Enter the user with read-only permissions to the identity store.

    This parameter is optional.

    IDROUser

    IDSTORE_READWRITEUSER

    Enter the user with read-write permissions to the identity store.

    This parameter is optional.

    IDRWUser

    IDSTORE_SUPERUSER

    Enter the Oracle Fusion Applications superuser in the identity store.

    This parameter is optional.

    weblogic_fa

    IDSTORE_OAMSOFTWAREUSER

    Enter the LDAP user that OAM uses to interact with LDAP.

    oamLDAP

    IDSTORE_OAMADMINUSER

    Enter the user you use to access your Oracle Access Management Console.

    oamadmin

    IDSTORE_OAMADMINUSER_PWD

    Enter the password for the user you use to access your Oracle Access Management Console.

    Note:

    All password fields are optional. If you do not enter them in the file (for security reasons), you are prompted for them when the script runs.

    password

    IDSTORE_OIMADMINUSER

    Enter the user that Oracle Identity Governance uses to connect to the identity store.

    oimLDAP

    IDSTORE_OIMADMINUSER_PWD

    Enter the Password for the user that Oracle Identity Governance uses to connect to the identity store.

    password

    IDSTORE_OIMADMINGROUP

    Enter the group you want to create to hold your Oracle Identity Governance administrative users.

    OIMAdministrators

    IDSTORE_WLSADMINUSER

    Enter the identity store administrator for Oracle WebLogic Server.

    weblogic_idm

    Note:

    This is the LDAP user that will be used to perform WebLogic Administrative operations. The equivalent of the internal weblogic user.

    IDSTORE_WLSADMINUSER_PWD

    Enter the password for Identity store administrator for Oracle WebLogic Server.

    password

    IDSTORE_WLSADMINGROUP

    Enter the identity store administrator group for Oracle WebLogic Server.

    wlsadmingroup

    IDSTORE_OAAMADMINUSER

    Enter the user you want to create as your Oracle Access Management Administrator. This user is created by the tool.

    oaamAdminUser

    IDSTORE_XELSYSADMINUSER_PWD

    Enter the password of the System Administrator for Oracle Identity Governance. It must match the value configured in Oracle Identity Governance.

    password

    POLICYSTORE_SHARES_IDSTORE

    Set it to true if your policy and identity stores are in the same directory; otherwise set it to false.

    TRUE

    IDSTORE_KEYSTORE_FILE

    Enter the location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config.

    If you are not using Oracle Unified Directory, you can ignore this parameter. This file must be located on the same host that the OIGOAMIntegration.sh command is running on. The command uses this file to authenticate itself with OUD.

    /u01/config/instances/oud1/OUD/config/admin-keystore

    IDSTORE_KEYSTORE_PASSWORD

    Enter the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can ignore this parameter.

    password

    SSL_DEBUG_ENABLE

    Can be set to assist with debugging SSL connections.

    false

  2. Run the idmConfigTool to extend the directory schema.
    export JAVA_HOME=/u01/oracle/products/jdk
    export PATH=$JAVA_HOME/bin:$PATH
    export MW_HOME=/u01/oracle/products/idm
    export ORACLE_HOME=$MW_HOME/idm
    
    $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -preConfigIDStore input_file=prepareLDAP.props log_level=FINEST

    On success, the tool reports:
    You have successfully executed the automated script for preparing the IDStore.

  3. Run the idmConfigTool to populate the directory with administration users.
    export JAVA_HOME=/u01/oracle/products/jdk
    export PATH=$JAVA_HOME/bin:$PATH
    export MW_HOME=/u01/oracle/products/idm
    export ORACLE_HOME=$MW_HOME/idm
    $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -prepareIDStore input_file=prepareLDAP.props log_level=FINEST mode=all

Verifying the Identity Store and Policy Store Configuration

Verify the following in your LDAP directory:

  • The search bases for users and groups that you specified in the prepareLDAP.props file exist in the LDAP directory.

  • The user container, group container, and the System ID container exist in the LDAP directory.

  • The systemids container includes the IDROUser, IDRWUser, oamSoftwareUser, and oimadminuser users. These are sample values provided in prepareLDAP.props. You can provide and use your own values.

  • The user container includes the oamadminuser, weblogic_idm, and xelsysadm users. These are sample values provided in prepareLDAP.props. You can provide and use your own values.

  • The group container includes the OAMAdministrators, OIMAdministrators, BIReportAdministrator, Session REST API, wlsadmingroup, and orclFAGroup groups.

  • Access is granted to the OUD change log, as described in the next section.
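As an added example (not Oracle's idmConfigTool or any Oracle-supplied script), the following Python parses a prepareLDAP.props file in the "KEY: value" layout shown above, lints it for the mistakes that most often break this step (missing keys, a directory type outside OID/OUD/AD, SSL without a trust store, containers outside the search base, and passwords left in the file, which the note above advises against), and then derives the DNs that the verification list above expects to exist, emitting one OpenLDAP ldapsearch lookup per entry. The set of required keys, the lint rules, and the constructed sample file are my assumptions; xelsysadm is taken from the verification list rather than from a property.

```python
"""Added example (not Oracle's tool): parse, lint and derive checks for prepareLDAP.props."""
from typing import Dict, List

# Constructed sample that mirrors the prepareLDAP.props layout above. IDSTORE_HOST is
# deliberately left out and two keystore passwords left in, so the linter has work to do.
SAMPLE_PROPS = """\
IDSTORE_PORT: 1636
IDSTORE_SSL_ENABLED: true
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmcerts.p12
IDSTORE_KEYSTORE_PASSWORD: mytruststorepassword
IDSTORE_ADMIN_KEYSTORE_FILE: /u01/oracle/config/instances/oud1/config/admin-keystore
IDSTORE_ADMIN_KEYSTORE_PASSWORD:  myadmintruststorepassword
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_iam
IDSTORE_WLSADMINGROUP : WLSAdministrators
"""

# Keys assumed mandatory for the prepare step (my reading of Table 2-1, not a published list).
REQUIRED = ("IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_DIRECTORYTYPE",
            "IDSTORE_SEARCHBASE", "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
            "IDSTORE_SYSTEMIDBASE")
CONTAINERS = ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE")


def parse_props(text: str) -> Dict[str, str]:
    """Accept both 'KEY: value' and 'KEY : value'; skip blank lines and # comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def lint_props(props: Dict[str, str]) -> List[str]:
    """Return ERROR/WARN findings; an empty list means the file passed every check."""
    findings = [f"ERROR: {k} is missing" for k in REQUIRED if k not in props]
    dirtype = props.get("IDSTORE_DIRECTORYTYPE")
    if dirtype is not None and dirtype not in ("OID", "OUD", "AD"):
        findings.append(f"ERROR: IDSTORE_DIRECTORYTYPE must be OID, OUD or AD, not {dirtype!r}")
    ssl = props.get("IDSTORE_SSL_ENABLED", "false").lower() == "true"
    if ssl and "IDSTORE_KEYSTORE_FILE" not in props:
        findings.append("ERROR: IDSTORE_SSL_ENABLED is true but no IDSTORE_KEYSTORE_FILE trust store is set")
    if not ssl:
        findings.append("WARN: IDSTORE_SSL_ENABLED is false; bind and seeded user passwords cross the network in clear")
    if dirtype == "OUD":
        findings += [f"ERROR: {k} is required for OUD" for k in
                     ("IDSTORE_ADMIN_PORT", "IDSTORE_ADMIN_KEYSTORE_FILE") if k not in props]
    base = props.get("IDSTORE_SEARCHBASE", "").lower()
    for k in CONTAINERS:
        container = props.get(k, "").lower()
        if container and base and container != base and not container.endswith("," + base):
            findings.append(f"ERROR: {k} is not under IDSTORE_SEARCHBASE")
    for k in sorted(k for k in props if k.endswith(("_PWD", "_PASSWD", "_PASSWORD"))):
        findings.append(f"WARN: {k} is stored in the file; omit it to be prompted at run time")
    return findings


def expected_entries(props: Dict[str, str]) -> Dict[str, List[str]]:
    """DNs the prepare step should have created, keyed by container. xelsysadm comes from
    the verification list, not from a property; optional users appear only when set."""
    def pick(*keys: str) -> List[str]:
        return [props[k] for k in keys if k in props]
    uattr = props.get("IDSTORE_USERNAMEATTRIBUTE", "cn")
    users = pick("IDSTORE_OAMADMINUSER", "IDSTORE_WLSADMINUSER") + ["xelsysadm"]
    system = pick("IDSTORE_OAMSOFTWAREUSER", "IDSTORE_OIMADMINUSER",
                  "IDSTORE_READONLYUSER", "IDSTORE_READWRITEUSER")
    groups = pick("OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "IDSTORE_OIMADMINGROUP", "IDSTORE_WLSADMINGROUP")
    ubase, gbase, sbase = (props[k] for k in CONTAINERS)
    return {ubase: [f"{uattr}={u},{ubase}" for u in users],
            sbase: [f"{uattr}={u},{sbase}" for u in system],
            gbase: [f"cn={g},{gbase}" for g in groups]}


def ldapsearch_commands(props: Dict[str, str], host: str) -> List[str]:
    """One OpenLDAP ldapsearch base-scope lookup per expected DN; -W prompts for the bind password."""
    scheme = "ldaps" if props.get("IDSTORE_SSL_ENABLED", "false").lower() == "true" else "ldap"
    url = f"{scheme}://{host}:{props['IDSTORE_PORT']}"
    return [f"ldapsearch -H {url} -D '{props['IDSTORE_BINDDN']}' -W -b '{dn}' -s base '(objectClass=*)' dn"
            for dns in expected_entries(props).values() for dn in dns]


if __name__ == "__main__":
    found = parse_props(SAMPLE_PROPS)
    print("\n".join(lint_props(found)))
    print("\n".join(ldapsearch_commands(found, found.get("IDSTORE_HOST", "ldaphost1.example.com"))))
```

Run it against your own file by replacing SAMPLE_PROPS with the file's contents; each emitted ldapsearch returns exactly one dn line when the entry exists and "No such object" otherwise, so a missing container or user shows up before you start the OAM or OIG configuration that depends on it.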

Grant Access to OUD Change Log for Oracle Identity Governance
If you are using Oracle Unified Directory and wish to integrate with Oracle Identity Governance, you must grant access to the change log by performing the following steps on the single-node LDAP host, or on LDAPHOST1 and LDAPHOST2 when you have multiple LDAP instances:
  1. Create a property file called oudacl.props with the following contents:
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_HOST: ldaphost1.example.com
    IDSTORE_ADMIN_PORT: 4444
    IDSTORE_ADMIN_KEYSTORE_FILE: /u01/oracle/config/instances/oud1/config/admin-keystore
    IDSTORE_ADMIN_KEYSTORE_PASSWORD:  myadmintruststorepassword
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_PASSWD: password

    The following table describes the parameters that you can set in oudacl.props.

    Table 2-2 Parameters in oudacl.props file

    Property Description Sample Value

    IDSTORE_SEARCHBASE

    Enter the location in the directory where users and groups are stored.

    dc=example,dc=com

    IDSTORE_HOST

    Enter the identity store host name.

    ldaphost1.example.com

    IDSTORE_ADMIN_PORT

    The admin port for an Oracle Unified Directory (OUD) identity store.

    4444

    IDSTORE_ADMIN_KEYSTORE_FILE

    If you are using OUD then you need to provide the OUD administration trust store file location.

    /u01/oracle/config/instances/oud1/config/admin-keystore

    IDSTORE_ADMIN_KEYSTORE_PASSWORD

    The password of the IDSTORE_ADMIN_KEYSTORE_FILE, if not supplied the script will prompt for it.

    myadmintruststorepassword

    IDSTORE_BINDDN

    An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory.

    cn=oudadmin

    IDSTORE_PASSWD

    Password of the IDSTORE_BINDDN administrative user; if not supplied, the script prompts for it.

    password

  2. Run the idmConfigTool to create the ACLs in the directory.
    export JAVA_HOME=/u01/oracle/products/jdk
    export PATH=$JAVA_HOME/bin:$PATH
    export MW_HOME=/u01/oracle/products/idm
    export ORACLE_HOME=$MW_HOME/idm
    
    $ORACLE_HOME/idmtools/bin/idmConfigTool.sh  -setupOUDacl input_file=oudacl.props log_level=FINEST
  3. Repeat for each OUD instance in your topology.