Oracle® Fusion Middleware Installation Guide for Oracle Identity Management
11g Release 1 (11.1.1)

Part Number E12002-05

16.14 Setting Up LDAP Synchronization

This section discusses the following topics:

  1. Prerequisites

  2. Task 1: Running the LDAP Preconfiguration Utility

  3. Task 2: Configuring OVD and OID for OIM

  4. Task 3: Running the LDAP Post-Configuration Utility

  5. After Setting Up LDAP Synchronization

  6. Verifying the LDAP Synchronization

16.14.1 Prerequisites

You must complete the following prerequisites for setting up LDAP synchronization:

  1. Install a supported version of Oracle Database, as described in Installing Oracle Database.

  2. Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  3. Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.4.0).

  4. Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) with or without a WebLogic administration domain. For more information, see Configuring Oracle Internet Directory and Configuring Oracle Virtual Directory.

  5. Install Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).

16.14.2 Task 1: Running the LDAP Preconfiguration Utility

After completing the prerequisites, you must run the LDAP preconfiguration utility as follows:

  1. Open the ldapconfig.props file in a text editor. This file is located in the server/ldap_config_util directory under the Oracle Home for Oracle Identity Manager and Oracle Access Manager.

  2. In the ldapconfig.props file, set values for the following parameters:

    • OIMProviderURL - Specify the URL for the OIM provider in the format: t3://localhost:port. For example:

      t3://myhost.mycompany.com:8003
      
    • OIDURL - Specify the URL for the OID instance.

    • OIDAdminUsername - Specify the OID Administrator's user name, such as cn=orcladmin.

    • OIDSearchBase - Specify the OID search base, such as ou=people,dc=com.

    • UserContainerName - Specify the name of the user container, which is used as a default container of users in the LDAP directory.

    • RoleContainerName - Specify the name of the role container, which is used as a default container of roles in the LDAP directory.

    • ReservationContainerName - Specify the name of the user reservation container, which is used to reserve users while waiting for user creation approvals in Oracle Identity Manager. When the user creation is approved, users are moved from the reservation container to the actual user container.

  3. Ensure that the WL_HOME environment variable is set to the wlserver_10.3 directory under your Middleware Home. On UNIX, it is the <MW_HOME>/wlserver_10.3 directory. On Windows, it is the <MW_HOME>\wlserver_10.3 directory. In addition, set the JAVA_HOME environment variable to the directory where the JDK is installed on your machine.

  4. On the command line, run the LDAP configuration pre-setup script (LDAPConfigPreSetup.bat on Windows, and LDAPConfigPreSetup.sh on UNIX). The files are located in the same server/ldap_config_util directory under your IDM_Home for Oracle Identity Manager and Oracle Access Manager.

  5. When prompted, enter the OID administrator's password and the OIM administrator's password.

16.14.3 Task 2: Configuring OVD and OID for OIM

After running the LDAP preconfiguration utility, as described in Task 1: Running the LDAP Preconfiguration Utility, you must create and configure two Oracle Virtual Directory (OVD) adapters: a User adapter and a Changelog adapter.

To configure the adapters, complete the following steps:

  1. Create a User adapter as follows:

    1. Choose the User_OID template.

    2. Specify Proxy DN as follows: cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext

    3. Specify Proxy Password as the value that is specified for the oimadmin user.

    4. For namespace, select Remote Base and map it to Mapped Namespace in Oracle Virtual Directory.

  2. Create a Changelog adapter as follows:

    1. Choose the Changelog_OID template.

    2. For namespace, set both Remote Base and Mapped Namespace to cn=changelog.

  3. Verify that the plug-in parameter values for the user adapter match with the values listed in Table 16-2.

    1. Select the user adapter to modify, and click the Plug-ins tab.

    2. Click the plug-in, and click Edit.

    3. In the Parameters table, update the parameters, if necessary, to match the following values:

      Table 16-2 User Adapter Parameter Values

      Parameter       Value
      directoryType   oid
      pwdMaxFailure   10
      oamEnabled      true or false. Note that this parameter should be set to true if you are setting up integration between Oracle Identity Manager and Oracle Access Manager.


    4. Click OK.

    5. Click Apply.

  4. Verify that the plug-in parameter values for the changelog adapter match with the values listed in Table 16-3.

    1. Select the changelog adapter to modify, and click the Plug-ins tab.

    2. Click the plug-in, and click Edit.

    3. In the Parameters table, update the parameters, if necessary, to match the following values:

      Table 16-3 Changelog Adapter Parameter Values

      Parameter           Value
      directoryType       oid
      mapAttribute        targetGUID=orclGUID
      mapObjectclass      changelog=changelogentry
      requiredAttribute   orclGUID
      addAttribute        orclContainerOC,changelogSupported=1
      modifierDNFilter    cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext
      sizeLimit           1000
      targetDNFilter      The search base from which reconciliation needs to happen. This value must be the same as the LDAP SearchDN that is specified during OIM installation.
      mapUserState        true
      oamEnabled          true or false


    4. Click OK.

    5. Click Apply.

    Note:

    For more information about these plug-in parameters, refer to the "Understanding the Oracle Virtual Directory Plug-ins" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).
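Task 1 and Task 2 together leave several values that must agree with one another: every parameter in ldapconfig.props must be set, OIMProviderURL must use the t3://host:port form, the changelog adapter's modifierDNFilter must be the same DN as the User adapter's Proxy DN (the guide writes that DN with different letter case in the two places, so the comparison has to be case-insensitive), and targetDNFilter must equal the LDAP search DN. The following preflight script, added here as an example and not part of the Oracle guide, checks those relationships before LDAPConfigPreSetup.sh is run. It assumes ldapconfig.props is a plain key=value properties file and that the OVD plug-in parameters have been copied out of ODSM into a dictionary by hand; it also assumes, for the sample run, that the OIDSearchBase property is the same value as the LDAP SearchDN entered during OIM installation. All hostnames, DNs and container names in the sample data are constructed.

```python
"""Preflight checks for the OIM LDAP synchronization settings (added example, not Oracle's code).
Assumptions: ldapconfig.props is a key=value properties file; OVD adapter plug-in
parameters are supplied as dicts copied from ODSM; the guide describes neither format."""
import re
from typing import Dict, List

REQUIRED_PROPS = ("OIMProviderURL", "OIDURL", "OIDAdminUsername", "OIDSearchBase",
                  "UserContainerName", "RoleContainerName", "ReservationContainerName")

# Fixed values from Table 16-2 and Table 16-3; oamEnabled and targetDNFilter are site-specific.
USER_FIXED = {"directoryType": "oid", "pwdMaxFailure": "10"}
CHANGELOG_FIXED = {
    "directoryType": "oid",
    "mapAttribute": "targetGUID=orclGUID",
    "mapObjectclass": "changelog=changelogentry",
    "requiredAttribute": "orclGUID",
    "addAttribute": "orclContainerOC,changelogSupported=1",
    "sizeLimit": "1000",
    "mapUserState": "true",
}


def parse_props(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' or '!' starts a comment, as in Java properties files."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def normalize_dn(dn: str) -> str:
    """Case-fold and trim each RDN so DNs differing only in case or spacing compare equal
    (the guide gives the oimadmin DN as cn=oim,... in Task 2 and cn=OIM,... in Table 16-3)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def check_props(props: Dict[str, str]) -> List[str]:
    """Check the ldapconfig.props parameters listed in Task 1 and Task 3."""
    problems = [f"missing or empty property: {k}" for k in REQUIRED_PROPS if not props.get(k)]
    url = props.get("OIMProviderURL", "")
    if url and not re.fullmatch(r"t3://[A-Za-z0-9.\-]+:\d{1,5}", url):
        problems.append(f"OIMProviderURL must use the form t3://host:port, got {url!r}")
    base = props.get("OIDSearchBase", "")
    if base and "=" not in base:
        problems.append(f"OIDSearchBase does not look like a DN: {base!r}")
    return problems


def check_adapters(user: Dict[str, str], changelog: Dict[str, str],
                   proxy_dn: str, search_dn: str) -> List[str]:
    """Compare OVD plug-in parameters with Tables 16-2 and 16-3, then with the two values
    they must agree with: the User adapter Proxy DN and the LDAP search DN."""
    problems: List[str] = []
    for name, params, table in (("user", user, USER_FIXED), ("changelog", changelog, CHANGELOG_FIXED)):
        for key, expected in table.items():
            if params.get(key) != expected:
                problems.append(f"{name} adapter: {key} should be {expected!r}, got {params.get(key)!r}")
        if params.get("oamEnabled") not in ("true", "false"):
            problems.append(f"{name} adapter: oamEnabled must be 'true' or 'false'")
    if user.get("oamEnabled") != changelog.get("oamEnabled"):
        problems.append("oamEnabled differs between the user and changelog adapters")
    if normalize_dn(changelog.get("modifierDNFilter", "")) != normalize_dn(proxy_dn):
        problems.append("changelog adapter: modifierDNFilter does not match the User adapter Proxy DN")
    if normalize_dn(changelog.get("targetDNFilter", "")) != normalize_dn(search_dn):
        problems.append("changelog adapter: targetDNFilter does not match the LDAP search DN")
    return problems


def preflight(props_text: str, user: Dict[str, str], changelog: Dict[str, str], proxy_dn: str) -> List[str]:
    """Run all checks; assumes OIDSearchBase is the LDAP SearchDN given during OIM installation."""
    props = parse_props(props_text)
    return check_props(props) + check_adapters(user, changelog, proxy_dn, props.get("OIDSearchBase", ""))


# Constructed sample inputs (hostnames, DNs and container names are invented).
SAMPLE_PROPS = """\
# ldapconfig.props (constructed sample)
OIMProviderURL=t3://oimhost.example.com:8003
OIDURL=ldap://oidhost.example.com:3060
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=example,dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Groups
ReservationContainerName=cn=Reserve
"""
PROXY_DN = "cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext"
SAMPLE_USER_ADAPTER = {"directoryType": "oid", "pwdMaxFailure": "10", "oamEnabled": "false"}
SAMPLE_CHANGELOG_ADAPTER = dict(CHANGELOG_FIXED, oamEnabled="false",
                                modifierDNFilter="cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext",
                                targetDNFilter="dc=example,dc=com")

if __name__ == "__main__":
    findings = preflight(SAMPLE_PROPS, SAMPLE_USER_ADAPTER, SAMPLE_CHANGELOG_ADAPTER, PROXY_DN)
    for line in findings or ["all checks passed"]:
        print(line)
```

Run it against a copy of the real ldapconfig.props and the adapter parameters as they appear in ODSM before invoking the pre-setup script; an empty result means the values the two tasks share are consistent, and each reported line names the parameter and adapter to correct.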

16.14.4 Task 3: Running the LDAP Post-Configuration Utility

After configuring OID and OVD for OIM, as described in Task 2: Configuring OVD and OID for OIM, you must run the LDAP post-configuration utility as follows:

  1. In the ldapconfig.props file, set values for the following parameters:

    • OIMProviderURL - Specify the URL for the OIM provider in the format t3://localhost:port, for example t3://localhost:8003.

    • OIDURL - Specify the URL for the OID instance.

    • OIDAdminUsername - Specify the OID Administrator's user name, such as cn=orcladmin.

    • OIDSearchBase - Specify the OID search base, such as ou=people,dc=com.

    • UserContainerName - Specify the name of the user container, which is used as a default container of users in the LDAP directory.

    • RoleContainerName - Specify the name of the role container, which is used as a default container of roles in the LDAP directory.

    • ReservationContainerName - Specify the name of the user reservation container, which is used to reserve users while waiting for user creation approvals in Oracle Identity Manager. When the user creation is approved, users are moved from the reservation container to the actual user container.

  2. Ensure that the WL_HOME environment variable is set to the wlserver_10.3 directory under your Middleware Home. On UNIX, it is the <MW_HOME>/wlserver_10.3 directory. On Windows, it is the <MW_HOME>\wlserver_10.3 directory. In addition, set the JAVA_HOME environment variable to the directory where the JDK is installed on your machine.

  3. Start the OIM Managed Server. For more information, see Starting the Servers.

  4. On the command line, run the LDAP configuration post-setup script (LDAPConfigPostSetup.bat on Windows, and LDAPConfigPostSetup.sh on UNIX). The files are located in the server/ldap_config_util directory under your IDM_Home for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator.

  5. When prompted, enter the OIM administrator's password and the xelsysadm password.

16.14.5 After Setting Up LDAP Synchronization

After setting up LDAP synchronization, you can enable LDAP Sync for Oracle Identity Manager by selecting the Enable LDAP Sync option on the BI Publisher and OAM screen in the Oracle Identity Management 11g Configuration Wizard while configuring Oracle Identity Manager (OIM) Server. For more information, see Configuring OIM Server.

Note that LDAP Sync is enabled automatically if you choose to enable identity administration integration with Oracle Access Manager on the BI Publisher and OAM screen.

16.14.6 Verifying the LDAP Synchronization

To verify the configuration of LDAP with Oracle Identity Manager, complete the following steps:

  1. Ensure that the WebLogic Administration Server is up and running.

  2. Invoke the Oracle Identity Manager Administration Console (http://<host>:<port>/oim), which is deployed on the Administration Server.

  3. In this console, click Search under Configurations -> Manage IT Resource. If the LDAP information is correct, the resource information is displayed.

  4. Create a normal user using the same console.

  5. If a user is created, verify the LDAP store by using the Oracle Data Services Manager URL, such as http://<host>:<odsm_port>/odsm/faces/odsm.jspx.

Note:

Ensure that the Oracle Internet Directory being used has an Oracle Virtual Directory configured in front of it. Both must be up and running, because Oracle Identity Manager communicates with the LDAP data store through the Oracle Virtual Directory component.