Oracle® Fusion Middleware System Administrator's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14308-05 |
Use the following procedure to enable LDAP authentication when LDAP synchronization is enabled.
Note:
This procedure does not enable the following functionality:
Forced password changes, including first login, administrator password reset, and expired passwords
Forced setting of challenge responses
Add a dynamic group in Oracle Internet Directory (OID).
Create an oimusers.ldif file that defines a dynamic group. The format of the LDIF file should be similar to the following:
dn: cn=oimusers,<group search base>
objectclass: orclDynamicGroup
objectclass: groupOfUniqueNames
labeleduri: ldap://<LdapHost>:<LdapPort>/<UserSearchBase>??sub?(objectclass=inetOrgPerson)
For example:
dn: cn=oimusers,cn=Groups,dc=us,dc=oracle,dc=com
objectclass: orclDynamicGroup
objectclass: groupOfUniqueNames
labeleduri: ldap://dadvmc0225:3060/cn=Users,dc=us,dc=oracle,dc=com??sub?(objectclass=inetOrgPerson)
Use the ldapadd command to upload the oimusers.ldif file to OID. The command should have the following format:
ldapadd -h <ldaphost> -p <ldapport> -D <root dn> -w <password> -f oimusers.ldif
For example:
ldapadd -h dadvmc0225 -p 3060 -D cn=orcladmin -w welcome1 -f oimusers.ldif
Use the ldapsearch command to validate that the group entry was created. The command should have the following format:
ldapsearch -h <ldaphost> -p <ldapport> -D <root dn> -w <password> -b "cn=oimusers,<groupsearchbase>" -s base "objectclass=*"
For example:
ldapsearch -h dadvmc0225 -p 3060 -D cn=orcladmin -w welcome1 -b "cn=oimusers,cn=Groups,dc=us,dc=oracle,dc=com" -s base "objectclass=*"
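The dynamic group only resolves members if its labeleduri carries the right search base, the sub scope and the inetOrgPerson filter, so it is worth checking the LDIF before running ldapadd. The following is an added example, not part of the Oracle documentation: it parses an oimusers.ldif entry, splits the labeleduri as an RFC 4516 LDAP URL, and reports anything that deviates from the format shown above. The host, port and DNs in the sample are constructed placeholders.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the oimusers.ldif above; host, port and DNs are placeholders.
SAMPLE_LDIF = """dn: cn=oimusers,cn=Groups,dc=example,dc=com
objectclass: orclDynamicGroup
objectclass: groupOfUniqueNames
labeleduri: ldap://ldap.example.com:3060/cn=Users,dc=example,dc=com??sub?(objectclass=inetOrgPerson)
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]} (no line folding or base64)."""
    attrs = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")  # first colon only; the URL keeps its own colons
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL of the form ldap://host:port/base?attrs?scope?filter."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError(f"not an ldap:// URL: {url!r}")
    # urlsplit puts everything after the first '?' in query, so query starts with the attrs field
    attrs, scope, filt = (unquote(f) for f in (parts.query.split("?") + ["", "", ""])[:3])
    return {"host": parts.hostname, "port": parts.port, "base": unquote(parts.path.lstrip("/")),
            "attrs": attrs, "scope": scope.lower() or "base", "filter": filt or "(objectclass=*)"}

def check_oimusers_ldif(ldif_text, group_search_base, user_search_base):
    """Return a list of problems; an empty list means the entry matches the documented format."""
    entry, problems = parse_ldif_entry(ldif_text), []
    dn = entry.get("dn", [""])[0]
    if dn.lower() != f"cn=oimusers,{group_search_base}".lower():
        problems.append(f"dn should be cn=oimusers,{group_search_base}, got {dn!r}")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for required in ("orcldynamicgroup", "groupofuniquenames"):
        if required not in classes:
            problems.append(f"missing objectclass {required}")
    uris = entry.get("labeleduri", [])
    if len(uris) != 1:
        return problems + ["expected exactly one labeleduri attribute"]
    url = parse_ldap_url(uris[0])
    if url["base"].lower() != user_search_base.lower():
        problems.append(f"labeleduri base should be {user_search_base}, got {url['base']!r}")
    if url["scope"] != "sub":
        problems.append(f"labeleduri scope should be sub, got {url['scope']!r}")
    if url["filter"].lower() != "(objectclass=inetorgperson)":
        problems.append(f"labeleduri filter should be (objectclass=inetOrgPerson), got {url['filter']!r}")
    return problems
```

Call check_oimusers_ldif with the file contents, your group search base and your user search base; an empty list means the entry is ready for ldapadd.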
Configure the LDAP Authenticator in WLS.
Log in to the WebLogic Administration Console.
Go to Security Realms, myrealm, Providers.
Click New. Enter a name and select OracleInternetDirectoryAuthenticator as the type.
Set the Control Flag to SUFFICIENT.
Click the Provider Specific tab and configure the OID connection details.
In the Dynamic Groups section, enter the following values:
Dynamic Group Name Attribute: cn
Dynamic Group Object Class: orcldynamicgroup
Dynamic Member URL Attribute: labeleduri
User Dynamic Group DN Attribute: GroupOfUniqueNames
Click the Providers tab and then click Reorder. Move the LDAP authenticator so that it is placed before the OIM Authenticator.
Restart all servers.
Validate role memberships.
Log in to the WebLogic Administration Console.
Go to Security Realms, myrealm, Users and Groups.
Click Users to display all the users in the LDAP user search base. If the LDAP users are not displayed, there is an error in the LDAP connection, whose details are specified in the OID Authenticator's provider-specific settings.
Click any user and then view its group entries. "Oimusers" should be one of the listed entries. If this validation fails, review the LDAP authenticator's provider-specific details.