This chapter explains how to configure and use the identity store, and how to query it programmatically.
This chapter includes the following sections:
See also:
Overview of the Identity Directory API in Developing Applications with Identity Governance Framework
The identity store stores users and groups, and the service lets you query that data. By default, it supports querying a single LDAP identity store. You can configure the service to use a virtualized identity store that lets you query multiple LDAP identity repositories instead of just one. For information about identity virtualization, see Configuring the Identity Store.
Depending on the configuration, the service uses a file or (one or more) LDAP servers as the repository of identities. When the service is configured for LDAP, by default, it queries a single LDAP, but you can configure the service to query multiple LDAPs.
The service is available in Java SE environments. For information about virtualization in Java SE applications, see Configuring Virtualization in Java SE Applications.
Before using the identity store, you must configure the identity store provider. OPSS supports both file and LDAP identity store providers, as the following configuration example illustrates:
```xml
<serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"
                 class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
  <description>LDAP IdentityStore Provider</description>
</serviceProvider>
<serviceProvider type="IDENTITY_STORE" name="idstore.xml.provider"
                 class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider">
  <description>XML-based IdentityStore Provider</description>
</serviceProvider>
```
If you set Active Directory as the identity store provider, then set the USERNAME_ATTR and USER_LOGIN_ATTR properties to sAMAccountName in jps-config.xml (or jps-config-jse.xml) if you want to override the default value (cn). For example:
```xml
<property value="sAMAccountName" name="username.attr"/>
<property value="sAMAccountName" name="user.login.attr"/>
```
Note: If you set virtualize to true, then do not set the user.login.attr and username.attr properties.

The following sections explain how to configure the identity store:
See also:
The following sections explain the use of the identity store configuration parameters:
Use the following parameters to configure queries to multiple LDAPs:
The virtualize property - This property can be either true (multiple LDAPs lookup) or false (single LDAP lookup). If unspecified, it defaults to false.
Global Connection Parameters (when the virtualize
property is enabled) - The calling application uses these parameters to specify global LDAP configuration such as the search base, create base, and so on. If any of these parameters is unspecified, then OPSS uses a default value.
Back-end Connection Parameters - These parameters are specific to each LDAP store. One set of back-end parameters is specified for each LDAP. You do not need to set these parameters unless you want to overwrite default values.
Table 8-1 shows the global parameters. For a list of connection pool parameters, see Configuration Parameters for IDS in Developing Applications with Identity Governance Framework.
Table 8-1 Global LDAP Identity Store Parameters

| Parameter | Default Value |
|---|---|
| group.create.bases | Same as user.create.bases |
| group.filter.object.classes | groupofuniquenames |
| group.mandatory.attrs | No default value |
| group.member.attrs | uniquemember |
| group.object.classes | groupofuniquenames |
| group.search.bases | No default value |
| group.selected.create.base | No default value |
| group.selected.search.base | No default value |
| groupname.attr | cn |
| max.search.filter.length | No default value |
| search.type | No default value |
| user.create.bases | If there is only one authentication provider, then it uses the create base value. If there are multiple ones, then no default value is set. |
| user.filter.object.classes | inetorgperson |
| user.login.attr | uid |
| user.mandatory.attrs | No default value |
| user.object.classes | inetorgperson |
| user.search.bases | Same as group.search.bases |
| username.attr | cn |
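The following Python block is an added illustration, not OPSS source code: it models how three of the user.* parameters in Table 8-1 (user.login.attr, user.filter.object.classes, user.search.bases) shape the LDAP search that a login name triggers, and why the login value must be RFC 4515-escaped before it is placed in the filter. The DEFAULTS dictionary carries Table 8-1's values; the ACTIVE_DIRECTORY override is the sAMAccountName setting this chapter prescribes; the function names and the exact filter layout are this example's own assumptions about how such a lookup is composed.

```python
# Added illustration, not OPSS source code: a model of how the user.* parameters in
# Table 8-1 shape the LDAP lookup for a login name, with RFC 4515 value escaping.

# Table 8-1 defaults for the parameters this model uses.
DEFAULTS = {
    "user.login.attr": "uid",
    "user.filter.object.classes": "inetorgperson",
    "user.search.bases": [],   # "No default value" in Table 8-1
}

# Overrides this chapter requires for Active Directory (username.attr is set the
# same way in jps-config.xml but is not used by this lookup model).
ACTIVE_DIRECTORY = {"user.login.attr": "sAMAccountName"}

# RFC 4515 escaping for attribute values embedded in a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter around it."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(login, params=None):
    """Build the login-name lookup filter from the (possibly overridden) parameters.

    user.filter.object.classes may list several classes separated by commas; more
    than one class becomes an OR term, a single class a plain equality term.
    """
    p = {**DEFAULTS, **(params or {})}
    classes = [c.strip() for c in p["user.filter.object.classes"].split(",") if c.strip()]
    class_terms = "".join(f"(objectclass={c})" for c in classes)
    class_part = class_terms if len(classes) == 1 else f"(|{class_terms})"
    return f"(&{class_part}({p['user.login.attr']}={escape_filter_value(login)}))"


def login_searches(login, params=None):
    """One (search base, filter) pair per configured user search base."""
    p = {**DEFAULTS, **(params or {})}
    filt = login_filter(login, p)
    return [(base, filt) for base in p["user.search.bases"]]


if __name__ == "__main__":
    print(login_filter("jdoe"))
    print(login_filter("jdoe", ACTIVE_DIRECTORY))
    # A login value containing filter metacharacters is neutralised by escaping.
    bases = {"user.search.bases": ["cn=users,dc=example,dc=com"]}
    for base, filt in login_searches("*)(uid=*", bases):
        print(base, filt)
```

Run stand-alone, the block prints the generic-directory filter, the Active Directory variant, and an escaped filter for a value that would otherwise rewrite the query; with an empty user.search.bases list no search is issued at all, which is the practical effect of leaving that parameter at its Table 8-1 default in a multi-provider setup.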
See also:
These parameters are specific to your particular LDAP store.
LDAP authentication providers are configured with Oracle WebLogic Server Administration Console or WebLogic Scripting Tool (WLST). At runtime, the server passes the configuration details to OPSS.
In WebLogic Server domains, you can configure multiple authentication providers in a given context. By default, the first authentication provider in the list is used to initialize the identity store. For information about authentication providers, see Support for Multiple Authentication Providers.
Querying multiple LDAPs requires setting the virtualize property.
The following sections explain several configurations:
Configuring the Service for Multiple LDAPs without Virtualization
Configuring the Service for Multiple LDAPs with Fusion Middleware Control
The following example illustrates the configuration of a single LDAP service instance:
```xml
<!-- JPS WLS LDAP Identity Store Service Instance -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider"
            value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS"
            value="oracle.security.idm.providers.stdldap.JNDIPool"/>
</serviceInstance>
```
In cases when the virtualize property cannot be set, configure the service to query more than one LDAP and override the configuration in WebLogic Server. To specify multiple LDAPs, use a comma-separated list of LDAP URLs:

```xml
<property name="ldap.url" value="ldap://host1:port1,ldap://host2:port2"/>
```
To configure the service for multiple LDAPs with Fusion Middleware Control:
Choose the domain in the navigation pane on the left.
Go to Security, then Security Provider Configuration.
Expand the Identity Store Provider section of the page.
Click Configure.
The Identity Store Configuration page appears.
Under Custom Properties, click Add.
Add the new property:
Property Name=virtualize Value=true
Be sure to also add this property to the service instance in the default context of the OPSS configuration file.
Click OK.
To configure and use virtualization using WLST:
Create a script file to connect to the Administration Server in the domain of interest. You must specify the userName, userPass, localHost, and portNumber attributes for this operation. For information about configuring services with scripts, see Configuring Services with Scripts.
Go to $ORACLE_HOME/common/bin.
Run wlst.sh.
For example, if the domain configuration file contains the idstore.ldap authentication provider, then the following command configures the provider for multiple LDAPs lookup:

```shell
wlst.sh /tmp/updateServiceInstanceProperty.py -si idstore.ldap -key "virtualize" -value "true"
```
To set adapter timeout using WLST:
Run the listAdapters command to obtain the list of adapters.
Run the modifyLDAPAdapter command to set the timeout for each adapter to, for example, 120 seconds:
modifyLDAPAdapter('<ADAPTER NAME>', 'OperationTimeout', 120000)
Restart WebLogic Server.
See also:
modifyLDAPAdapter in WLST Command Reference for Infrastructure Security
Optionally, update the configuration in the jps-config.xml
file to set query parameters listed in Identity Store Parameters. These parameters are optional and have default values.
After configuring queries to multiple LDAPs, restart WebLogic Administration Server and Managed Servers.
The following example illustrates the configuration of a single LDAP:
```xml
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider"
            value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS"
            value="oracle.security.idm.providers.stdldap.JNDIPool"/>
</serviceInstance>
```
The following example illustrates the configuration of multiple LDAPs:

```xml
<jpsConfig>
  <serviceProviders>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"
                     class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
      <description>LDAP IdentityStore Provider</description>
    </serviceProvider>
  </serviceProviders>

  <serviceInstances>
    <!-- IDstore instance connecting to multiple ldap -->
    <serviceInstance name="idstore.virtualize" provider="idstore.ldap.provider">
      <!-- indicates using WLS ldap authentication providers -->
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <!-- enable virtualization -->
      <property name="virtualize" value="true"/>
      <!-- ldap properties (if not supplied, then it uses default values) -->
      <extendedProperty>
        <name>user.create.bases</name>
        <values>
          <value>cn=users_front,dc=us,dc=example,dc=com</value>
        </values>
      </extendedProperty>
      <extendedProperty>
        <name>group.create.bases</name>
        <values>
          <value>cn=groups_front,dc=us,dc=example,dc=com</value>
        </values>
      </extendedProperty>
    </serviceInstance>
  </serviceInstances>

  <jpsContexts default="default">
    <!-- the identity store uses multiple ldaps -->
    <jpsContext name="default">
      <!-- use multiple ldap -->
      <serviceInstanceRef ref="idstore.virtualize"/>
      <!-- .....other services -->
    </jpsContext>
  </jpsContexts>
</jpsConfig>
```
Note that:
The virtualize property of the service instance is true, and this allows queries to multiple LDAP directories.
The extendedProperty element allows you to set front-end parameters to override default values.
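The following Python block is an added example, not Oracle's code: a small linter for serviceInstance elements in a jps-config.xml file that checks the constraints this chapter states, namely that user.login.attr and username.attr are not set when virtualize is true, that an Active Directory store (idstore.type of ACTIVE_DIRECTORY) overrides both attributes to sAMAccountName, and that a comma-separated ldap.url list contains only ldap:// or ldaps:// URLs. The embedded configuration is a constructed sample written to trip those checks; the function names are this example's own.

```python
# Added example, not Oracle's code: lint jps-config.xml identity store instances
# against the constraints stated in this chapter.
import xml.etree.ElementTree as ET

# Constructed sample (not from the chapter); it deliberately contains the
# misconfigurations the chapter warns about, plus one correct instance.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="idstore.virtualize" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="virtualize" value="true"/>
      <property name="username.attr" value="cn"/>
      <extendedProperty>
        <name>user.create.bases</name>
        <values><value>cn=users_front,dc=us,dc=example,dc=com</value></values>
      </extendedProperty>
    </serviceInstance>
    <serviceInstance name="idstore.ad" provider="idstore.ldap.provider">
      <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
      <property name="ldap.url" value="ldap://host1:389, ldaps://host2:636,host3"/>
    </serviceInstance>
    <serviceInstance name="idstore.ok" provider="idstore.ldap.provider">
      <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
      <property name="username.attr" value="sAMAccountName"/>
      <property name="user.login.attr" value="sAMAccountName"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so namespaced files also parse."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def instance_properties(inst):
    """Return {name: value} for the <property> and <extendedProperty> children of a serviceInstance."""
    props = {p.get("name"): p.get("value") for p in _children(inst, "property")}
    for ext in _children(inst, "extendedProperty"):
        names, values = _children(ext, "name"), _children(ext, "values")
        if names and values:
            props[names[0].text.strip()] = [v.text.strip() for v in _children(values[0], "value")]
    return props


def parse_ldap_urls(value):
    """Split the comma-separated ldap.url list used for multiple LDAPs without virtualization."""
    return [u.strip() for u in value.split(",") if u.strip()]


def lint_instance(inst):
    """Findings for one serviceInstance; an empty list means no rule was violated."""
    name, props, findings = inst.get("name"), instance_properties(inst), []
    virtualized = str(props.get("virtualize", "false")).lower() == "true"
    if virtualized:
        # Chapter note: with virtualize=true these two properties must not be set.
        for attr in ("user.login.attr", "username.attr"):
            if attr in props:
                findings.append(f"{name}: {attr} must not be set when virtualize=true")
    elif props.get("idstore.type") == "ACTIVE_DIRECTORY":
        # Active Directory needs sAMAccountName; the default (cn) is wrong for it.
        for attr in ("username.attr", "user.login.attr"):
            if props.get(attr) != "sAMAccountName":
                findings.append(f"{name}: {attr} should be sAMAccountName for Active Directory (default is cn)")
    if "ldap.url" in props:
        for url in parse_ldap_urls(props["ldap.url"]):
            if not url.startswith(("ldap://", "ldaps://")):
                findings.append(f"{name}: ldap.url entry {url!r} is not an ldap:// or ldaps:// URL")
    return findings


def lint_config(xml_text):
    """Map every serviceInstance name in the file to its list of findings."""
    root = ET.fromstring(xml_text)
    return {inst.get("name"): lint_instance(inst)
            for inst in root.iter() if _local(inst.tag) == "serviceInstance"}


if __name__ == "__main__":
    for inst_name, findings in lint_config(SAMPLE_JPS_CONFIG).items():
        print(inst_name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The Active Directory check is deliberately skipped for a virtualized instance, because the chapter's note forbids setting username.attr and user.login.attr there; otherwise the two rules would contradict each other on the same instance. Point lint_config at the text of a real jps-config.xml or jps-config-jse.xml to run the same checks before restarting the servers.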
See also:
Identity virtualization supports split profiles, which lets applications access identity attributes when they are stored in more than one LDAP repository.
This feature requires additional configuration explained in Adapter Configuration for Identity Virtualization.
OPSS supports WebLogic Authentication providers to access identities. If the available providers are not suitable to your particular LDAP server, then, typically, you customize one. This section explains how to configure and use a custom authentication provider.
When using a custom LDAP authentication provider, the following configuration illustrates how to specify the LDAP type so that the provider can find the proper LDAP plug-in by overriding idstore.type in jps-config.xml:

```xml
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider"
            value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS"
            value="oracle.security.idm.providers.stdldap.JNDIPool"/>
  <property value="true" name="virtualize"/>
  <serviceInstanceRef ref="myGenericLDAPName"/>
</serviceInstance>
<serviceInstance name="myGenericLDAPName" provider="idstore.ldap.provider">
  <!-- overrides the 'idstore.type' property -->
  <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
</serviceInstance>
```
To override additional LDAP provider instances, insert similar entries. For information about provider configuration, see Configuring Security Providers with Fusion Middleware Control.
For Java SE applications, you set all configurations in the jps-config-jse.xml
file. According to your needs, edit this file to:
Define a new service instance.
Add the new service instance to the context and replace any previously defined instances.
Enable virtualize.
To programmatically query the identity store, use OPSS APIs to obtain a context. This context acts as a bridge to obtain the store instance. Subsequently, you use the User and Role API to query the store instance:

```java
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.service.idstore.IdentityStoreService;
import oracle.security.jps.service.idstore.LdapIdentityStore;

try {
    // find the JPS context
    JpsContextFactory ctxFactory = JpsContextFactory.getContextFactory();
    JpsContext ctx = ctxFactory.getContext();

    // find the JPS IdentityStore service instance
    // (assuming the back-end is LDAP type)
    LdapIdentityStore idstoreService =
        (LdapIdentityStore) ctx.getServiceInstance(IdentityStoreService.class);

    // get the User/Role API's IdentityStore instance
    oracle.security.idm.IdentityStore idmIdentityStore = idstoreService.getIdmStore();

    // use the User/Role API to query the ID store
    //
    // alternatively, instead of using IdentityStore, use the
    // IdentityDirectory to access LDAP
    oracle.igf.ids.IdentityDirectory ids = idstoreService.getIdentityStore();
} catch (Exception e) {
    e.printStackTrace();
}
```
See also:
You can use Secure Sockets Layer (SSL) connections between the identity store and the LDAP server(s). Both the Identity Directory API and the User and Role API can operate with multiple LDAPs.
When the connection to the identity store originates at a client in WebLogic Server, then the SSL configuration is handled by the server.
See also:
Administering Oracle Fusion Middleware: