Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) Part Number E12002-05 |
This section discusses the following topics:
You must complete the following prerequisites for setting up LDAP synchronization:
Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.4.0).
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) with or without a WebLogic administration domain. For more information, see Configuring Oracle Internet Directory and Configuring Oracle Virtual Directory.
Install Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
After completing the prerequisites, you must run the LDAP preconfiguration utility as follows:
Open the ldapconfig.props file in a text editor. This file is located in the server/ldap_config_util directory under the Oracle Home for Oracle Identity Manager and Oracle Access Manager.
In the ldapconfig.props file, set values for the following parameters:
OIMProviderURL - Specify the URL for the OIM provider in the format t3://localhost:port, for example: t3://myhost.mycompany.com:8003
OIDURL - Specify the URL for the OID instance.
OIDAdminUsername - Specify the OID Administrator's user name, such as cn=orcladmin.
OIDSearchBase - Specify the OID search base, such as ou=people,dc=com.
UserContainerName - Specify the name of the user container, which is used as a default container of users in the LDAP directory.
RoleContainerName - Specify the name of the role container, which is used as a default container of roles in the LDAP directory.
ReservationContainerName - Specify the name of the user reservation container, which is used to reserve users while waiting for user creation approvals in Oracle Identity Manager. When the user creation is approved, users are moved from the reservation container to the actual user container.
Ensure that the WL_HOME environment variable is set to the wlserver_10.3 directory under your Middleware Home. On UNIX, it is the <MW_HOME>/wlserver_10.3 directory. On Windows, it is the <MW_HOME>\wlserver_10.3 directory. In addition, set the JAVA_HOME environment variable to the directory where the JDK is installed on your machine.
On the command line, run the LDAP configuration pre-setup script (LDAPConfigPreSetup.bat on Windows, and LDAPConfigPreSetup.sh on UNIX). The files are located in the same server/ldap_config_util directory under your IDM_Home for Oracle Identity Manager and Oracle Access Manager.
When prompted, enter the OID administrator's password and the OIM administrator's password.
After running the LDAP preconfiguration utility, as described in Task 1: Running the LDAP Preconfiguration Utility, you must create and configure two Oracle Virtual Directory (OVD) adapters: a User adapter and a Changelog adapter.
To configure the adapters, complete the following steps:
Create a User adapter as follows:
Choose the User_OID template.
Specify Proxy DN as follows: cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext
Specify Proxy Password as the value that is specified for the oimadmin user.
For namespace, select Remote Base and map it to Mapped Namespace in Oracle Virtual Directory.
Create a Changelog adapter as follows:
Choose the Changelog_OID template.
For namespace, set both Remote Base and Mapped Namespace to cn=changelog.
Verify that the plug-in parameter values for the user adapter match with the values listed in Table 16-2.
Select the user adapter to modify, and click the Plug-ins tab.
Click the plug-in, and click Edit.
In the Parameters table, update the parameters, if necessary, to match the following values:
Click OK.
Click Apply.
Verify that the plug-in parameter values for the changelog adapter match with the values listed in Table 16-3.
Select the changelog adapter to modify, and click the Plug-ins tab.
Click the plug-in, and click Edit.
In the Parameters table, update the parameters, if necessary, to match the following values:
Table 16-3 Changelog Adapter Parameter Values

Parameter | Value
---|---
 | orclGUID
 | orclContainerOC,changelogSupported=1
 | cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext
 | 1000
 | The search base from which reconciliation is to happen. This value must be the same as the LDAP SearchDN that is specified during OIM installation.
Click OK.
Click Apply.
Note:
For more information about these plug-in parameters, refer to the "Understanding the Oracle Virtual Directory Plug-ins" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

After configuring OID and OVD for OIM, as described in Task 2: Configuring OVD and OID for OIM, you must run the LDAP post-configuration utility as follows:
In the ldapconfig.props file, set values for the following parameters:
OIMProviderURL - Specify the URL for the OIM provider in the format t3://localhost:port, for example: t3://localhost:8003
OIDURL - Specify the URL for the OID instance.
OIDAdminUsername - Specify the OID Administrator's user name, such as cn=orcladmin.
OIDSearchBase - Specify the OID search base, such as ou=people,dc=com.
UserContainerName - Specify the name of the user container, which is used as a default container of users in the LDAP directory.
RoleContainerName - Specify the name of the role container, which is used as a default container of roles in the LDAP directory.
ReservationContainerName - Specify the name of the user reservation container, which is used to reserve users while waiting for user creation approvals in Oracle Identity Manager. When the user creation is approved, users are moved from the reservation container to the actual user container.
Ensure that the WL_HOME environment variable is set to the wlserver_10.3 directory under your Middleware Home. On UNIX, it is the <MW_HOME>/wlserver_10.3 directory. On Windows, it is the <MW_HOME>\wlserver_10.3 directory. In addition, set the JAVA_HOME environment variable to the directory where the JDK is installed on your machine.
Start the OIM Managed Server. For more information, see Starting the Servers.
On the command line, run the LDAP configuration post-setup script (LDAPConfigPostSetup.bat on Windows, and LDAPConfigPostSetup.sh on UNIX). The files are located in the server/ldap_config_util directory under your IDM_Home for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator.
When prompted, enter the OIM administrator's password and the xelsysadm password.
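Both the pre-setup step in Task 1 and the post-setup step above read the same ldapconfig.props keys and need the same WL_HOME and JAVA_HOME settings, and both scripts stop for password prompts before they do anything useful, so a missing key or a wrong URL form is only discovered partway through. The following shell script is an added example, not part of the Oracle guide or of the utility: it validates the properties file and the environment first and only then runs the script the guide names. The key names are the ones listed in the steps; the sample ldapconfig.props written by write_sample_props is constructed, and its hostnames, ports and container names are placeholders rather than values from a real installation.

```shell
#!/bin/sh
# Added example (not Oracle code): pre-flight checks for ldapconfig.props and
# the environment before LDAPConfigPreSetup.sh / LDAPConfigPostSetup.sh run.

# Keys the guide says must be set in ldapconfig.props.
REQUIRED_KEYS="OIMProviderURL OIDURL OIDAdminUsername OIDSearchBase UserContainerName RoleContainerName ReservationContainerName"

# prop_get FILE KEY: print the value of KEY (first non-comment match), or nothing.
prop_get() {
    sed -e 's/\r$//' "$1" | grep -v '^[[:space:]]*#' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# has_stored_password FILE: succeed if any non-comment key name contains
# "password". The setup scripts prompt for the OID and OIM passwords, so
# nothing of the kind belongs in this file.
has_stored_password() {
    sed -e 's/\r$//' "$1" | grep -v '^[[:space:]]*#' |
        grep -iq '^[[:space:]]*[^=]*password[^=]*='
}

# check_props FILE: succeed only if every required key has a non-empty value,
# OIMProviderURL has the t3://host:port form and OIDAdminUsername is a DN.
check_props() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    for k in $REQUIRED_KEYS; do
        [ -n "$(prop_get "$f" "$k")" ] || { echo "missing or empty: $k" >&2; rc=1; }
    done
    url=$(prop_get "$f" OIMProviderURL)
    case "$url" in
        t3://*:[0-9]*) ;;
        *) echo "OIMProviderURL must look like t3://host:port, got '$url'" >&2; rc=1 ;;
    esac
    case "$(prop_get "$f" OIDAdminUsername)" in
        *=*) ;;
        *) echo "OIDAdminUsername should be a DN such as cn=orcladmin" >&2; rc=1 ;;
    esac
    if has_stored_password "$f"; then
        echo "warning: a password is stored in $f; the scripts prompt for it" >&2
    fi
    return $rc
}

# check_env: succeed only if WL_HOME is an existing directory and JAVA_HOME
# contains bin/java, as the guide requires before running the scripts.
check_env() {
    rc=0
    [ -n "$WL_HOME" ] && [ -d "$WL_HOME" ] ||
        { echo "WL_HOME must point to <MW_HOME>/wlserver_10.3" >&2; rc=1; }
    [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] ||
        { echo "JAVA_HOME must point to a JDK" >&2; rc=1; }
    return $rc
}

# run_ldap_setup pre|post IDM_HOME: run the matching script from
# IDM_HOME/server/ldap_config_util once the checks pass. The script itself
# prompts for the passwords.
run_ldap_setup() {
    dir="$2/server/ldap_config_util"
    case "$1" in
        pre)  script=LDAPConfigPreSetup.sh ;;
        post) script=LDAPConfigPostSetup.sh ;;
        *)    echo "usage: run_ldap_setup pre|post IDM_HOME" >&2; return 2 ;;
    esac
    check_props "$dir/ldapconfig.props" || return $?
    check_env || return $?
    (cd "$dir" && sh "./$script")
}

# write_sample_props FILE: a constructed ldapconfig.props (hostnames, ports and
# container names are placeholders, not values from a real installation).
write_sample_props() {
    cat > "$1" <<'EOF'
# constructed sample; see the guide for the meaning of each key
OIMProviderURL=t3://myhost.mycompany.com:8003
OIDURL=ldap://oidhost.mycompany.com:3060
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=mycompany,dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Groups
ReservationContainerName=cn=Reserve
EOF
}
```

Source the file and call `check_props "$IDM_HOME/server/ldap_config_util/ldapconfig.props"` to validate a real file, or `run_ldap_setup pre "$IDM_HOME"` (and later `run_ldap_setup post "$IDM_HOME"`) to run the guide's scripts behind the checks. The password check is a warning rather than a failure because the guide lists no password key for this file; if one has been added locally, it should be removed and the value entered at the prompt instead.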
After setting up LDAP synchronization, you can enable LDAP Sync for Oracle Identity Manager by selecting the Enable LDAP Sync option on the BI Publisher and OAM screen in the Oracle Identity Management 11g Configuration Wizard while configuring Oracle Identity Manager (OIM) Server. For more information, see Configuring OIM Server.
Note that LDAP Sync is enabled automatically if you choose to enable identity administration integration with Oracle Access Manager on the BI Publisher and OAM screen.
To verify the configuration of LDAP with Oracle Identity Manager, complete the following steps:
Ensure that the WebLogic Administration Server is up and running.
Invoke the Oracle Identity Manager Administration Console (http://<host>:<port>/oim), which is deployed on the Administration Server.
In this console, click Search under Configurations -> Manage IT Resource. If the LDAP information is correct, the resource information is displayed.
Create a normal user using the same console.
If a user is created, verify the LDAP store by using the Oracle Data Services Manager URL, such as http://<host>:<odsm_port>/odsm/faces/odsm.jspx.
Note:
Ensure that the Oracle Internet Directory being used has an Oracle Virtual Directory configured in front of it. Both must be up and running, because Oracle Identity Manager communicates with the LDAP data store through the Oracle Virtual Directory component.
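Checking the new user in ODSM confirms the entry exists, but it does not confirm that OIM sees it the way reconciliation will: through the OVD user adapter, under the container named in ldapconfig.props, with the orclGUID value that appears among the changelog adapter parameter values above. The following shell script is an added example, not part of the Oracle guide: it searches OVD for the user the way a script would and checks the LDIF result for exactly those properties. It assumes an OpenLDAP-style ldapsearch client (the -x, -H, -D, -W and -b options); the OVD URL, bind DN and container DN are placeholders the caller supplies, and the LDIF written by write_sample_ldif is constructed, not captured from a real directory.

```shell
#!/bin/sh
# Added example (not Oracle code): confirm, through OVD, that a user created in
# the OIM console sits in the user container and carries an orclGUID.

# ldif_unfold FILE: join LDIF continuation lines (a leading space) onto the
# line they belong to; blank entry separators are kept.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (started) print buf; buf = $0; started = 1 }
         END { if (started) print buf }' "$1"
}

# ldif_entry_count FILE: number of entries (dn: lines) in the result.
ldif_entry_count() {
    ldif_unfold "$1" | grep -ci '^dn:' || true
}

# ldif_user_ok FILE CONTAINER_DN LOGIN: succeed if FILE holds an entry whose DN
# is <rdn>=LOGIN directly under CONTAINER_DN and which has an orclGUID.
# DN and attribute-name comparison is case-insensitive and ignores spaces
# after commas; base64-encoded DNs (dn::) are not decoded.
ldif_user_ok() {
    ldif_unfold "$1" | awk -v wc="$2" -v wu="$3" '
        function check(   n, rdn, rest) {
            if (dn == "") return
            n = index(dn, ",")
            if (n > 0) {
                rdn = substr(dn, 1, n - 1); rest = substr(dn, n + 1)
                if (rest == wc && substr(rdn, index(rdn, "=") + 1) == wu && guid)
                    ok = 1
            }
            dn = ""
        }
        BEGIN { wc = tolower(wc); gsub(/, */, ",", wc); wu = tolower(wu); ok = 0 }
        tolower($0) ~ /^dn:/ { dn = tolower(substr($0, 4)); sub(/^ +/, "", dn)
                               gsub(/, */, ",", dn); guid = 0; next }
        tolower($0) ~ /^orclguid:/ { guid = 1 }
        /^$/ { check() }
        END { check(); exit (ok ? 0 : 1) }'
}

# ovd_verify_user OVD_URL BIND_DN CONTAINER_DN LOGIN: search OVD for the user
# (OpenLDAP ldapsearch syntax; prompts for the bind password) and check the
# result with ldif_user_ok. Returns 2 if the search itself fails.
ovd_verify_user() {
    out=$(mktemp)
    ldapsearch -x -LLL -H "$1" -D "$2" -W -b "$3" -s sub \
        "(|(uid=$4)(cn=$4))" cn uid orclGUID > "$out" || { rm -f "$out"; return 2; }
    ldif_user_ok "$out" "$3" "$4"; rc=$?
    rm -f "$out"
    return $rc
}

# write_sample_ldif FILE: constructed search result (not from a real directory)
# with one user in the user container and one still in the reservation
# container awaiting approval.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=jdoe,cn=Users,dc=mycompany,dc=com
objectClass: inetOrgPerson
cn: jdoe
uid: jdoe
orclGUID: 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D
description: constructed entry with a folded LDIF line for the
  unfold test

dn: cn=asmith,cn=Reserve,dc=mycompany,dc=com
objectClass: inetOrgPerson
cn: asmith
uid: asmith
orclGUID: 0F1E2D3C4B5A69788796A5B4C3D2E1F0
EOF
}
```

A typical call is `ovd_verify_user ldap://ovdhost:6501 "cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext" "cn=Users,dc=mycompany,dc=com" jdoe` (the host, port and DNs are placeholders); a non-zero result for a user that is visible in ODSM points at the user adapter's namespace mapping or at a user that is still in the reservation container rather than at OIM itself.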