This appendix describes how to configure and implement the adapters used in identity virtualization, and how to log their messages.
This appendix includes the following sections:
A split profile is an identity whose attributes are stored in two (or more) sources. Identity virtualization supports split profiles and querying multiple LDAP directories in a single query. When an application must obtain attributes for an identity from more than one source directory, it uses identity virtualization with split profiles. The adapter configuration is stored in the adapters.os_xml file, but connection parameters, such as host, port, and credentials, are obtained from the OPSS configuration.
When configuring the LDAP connection parameters, the user.create.bases and group.create.bases properties must correspond to the primary adapter's namespace.
See also:
Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory
To configure split profiles:

1. Set the virtualize property to true to enable queries against multiple LDAPs. For information about configuring the identity store, see Configuring the Identity Store.

2. Use the createJoinAdapter WLST command to create a join adapter in the primary identity store:

   createJoinAdapter(adapterName="Join Adapter Name", root="Namespace", primaryAdapter="Primary adapter Name")

3. Use the addJoinRule WLST command to add the join rule to each secondary store:

   addJoinRule(adapterName="Join Adapter Name", secondary="Secondary Adapter Name", condition="Join Condition")

4. Use the modifyLDAPAdapter WLST command to modify the adapters in all stores:

   modifyLDAPAdapter(adapterName="AuthenticatorName", attribute="Visible", value="Internal")
See also:
WLST Command Reference for Infrastructure Security
Assume that Microsoft Active Directory is the primary authentication provider with the cn=users,dc=acme,dc=com user base, and Oracle Internet Directory is the secondary provider with the cn=users,dc=oid,dc=com user base.
To implement a split profile with these two adapters:

1. Create a join adapter on the primary authentication provider:

   createJoinAdapter(adapterName="JoinAdapter1", root="dc=acme,dc=com", primaryAdapter="AD")

2. Add the created join adapter to the secondary authentication provider:

   addJoinRule(adapterName="JoinAdapter1", secondary="OID", condition="uid=cn")

   where uid=cn indicates that if, for a user, the uid value matches the cn value in Microsoft Active Directory, then the attributes are combined. The attribute on the left side of the equal sign is the attribute in the secondary adapter, and the attribute on the right side is the attribute in the primary adapter.

3. Change the visibility of all adapters:

   modifyLDAPAdapter(adapterName="OID", attribute="Visible", value="Internal")
   modifyLDAPAdapter(adapterName="AD", attribute="Visible", value="Internal")

4. Restart Oracle WebLogic Server.
See also:
WLST Command Reference for Infrastructure Security
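The join semantics described above, as an added Python example that is not part of the Oracle documentation: it models how a join adapter combines a primary Microsoft Active Directory entry with its matching Oracle Internet Directory entry under the condition uid=cn. The sample entries, the case-insensitive match, and the rule that the primary adapter's value wins on a shared attribute are assumptions of this model, not behaviour stated on the page.

```python
from typing import Dict, List, Tuple

# Added example, not Oracle's code: a model of a join adapter combining a
# split profile. Sample data and the merge policy below are assumptions.
Entry = Dict[str, str]

def parse_join_condition(condition: str) -> Tuple[str, str]:
    """Split 'secondaryAttr=primaryAttr' (e.g. 'uid=cn'): the left side is
    the attribute in the secondary adapter, the right side the primary's."""
    parts = [p.strip() for p in condition.split("=")]
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"join condition must be 'secondary=primary': {condition!r}")
    return parts[0], parts[1]

def join_profiles(primary: List[Entry], secondary: List[Entry],
                  condition: str) -> List[Entry]:
    """Return one combined entry per primary entry.
    Assumptions of this model: values match case-insensitively (as LDAP
    usually does); on a shared attribute the primary adapter's value is
    kept; an unmatched primary entry is returned unchanged; entries that
    exist only in the secondary store are never exposed."""
    sec_attr, pri_attr = parse_join_condition(condition)
    index: Dict[str, Entry] = {}
    for entry in secondary:
        key = entry.get(sec_attr)
        if key is not None:
            index.setdefault(key.lower(), entry)
    merged = []
    for entry in primary:
        key = entry.get(pri_attr)
        match = index.get(key.lower(), {}) if key is not None else {}
        combined = dict(match)
        combined.update(entry)  # primary wins on collisions
        merged.append(combined)
    return merged

# Constructed sample data: AD is primary (keyed by cn), OID secondary (by uid).
AD_USERS = [
    {"cn": "jdoe", "sn": "Doe", "mail": "jdoe@acme.com"},
    {"cn": "asmith", "sn": "Smith"},
]
OID_USERS = [
    {"uid": "JDOE", "title": "Analyst", "employeeNumber": "1001"},
    {"uid": "ghost", "title": "Orphaned"},
]

if __name__ == "__main__":
    for e in join_profiles(AD_USERS, OID_USERS, "uid=cn"):
        print(e)
```

Running the block prints the two combined AD entries; the OID-only "ghost" entry never appears, and "asmith" keeps only its AD attributes because no OID entry carries a matching uid.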
To enable identity virtualization library logging:

1. Remove any previously configured identity virtualization library loggers.

2. Create the new logger named oracle.ods.virtualization.accesslog with the NOTIFICATION level.

3. Create a handler to specify the file associated with the logger, where all messages are logged.

4. Add auditLogPublisher to the DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml file:

   <providers>
     ...
     <auditLogPublisher>
       <provider name="FMWAuditLogPublisher"></provider>
       <provider name="AccessLogPublisher">
         <configClass>oracle.ods.virtualization.config.AccessLogPublisherConfig</configClass>
         <properties>
           <property name="enabled" value="true"/>
         </properties>
       </provider>
     </auditLogPublisher>
     ...
   </providers>

5. Restart WebLogic Server.