OAM and OIM Config changes for Split Profile (Split Profile Configuration - Part 2)

Introduction

In my previous post I discussed the split profile set-up scenario with AD and OID in a Fusion Applications IDM environment, and how to create adapters in OVD for consolidating the two directory servers, AD and OID. However, configuring adapters alone is not sufficient for split profile to function: the rest of the IDM components in the integration need configuration updates to communicate with the directory layer. In this post I will highlight the configuration changes needed in the rest of the IDM components involved in the Fusion Applications integration.

Please refer to the first picture in split profile part 1, which shows the consolidated view of the directory tree, to set context for the configurations in this post. As always, take a backup of the existing IDM environment before making any changes. The backup should include the IDM Middleware, the IDM database and the enterprise directory.

Let us review for which components the configuration will change:

  1. WLS: During the initial set up without split profile, the OVD Authenticator provider referred to OID via OVD alone, or the OID Authenticator referred to OID directly; now the OVD Authenticator should refer to both OID and AD.
  2. OAM: Similar case as WLS; the user and group base need to be set to the consolidated base for authenticating users from both OID and AD.
  3. OIM: The user base needs to be the new consolidated base, and the rules for the target user base and target group base during user creation etc. need to be modified.

Main Article

Here are the detailed changes by component for this scenario:

WLS

1. Log in to the oim-domain WLS console, User=<oim_admin_user>, Password=<Password>

2. Go to Security Realms –> myrealm –> Providers

3. Remove OIDAuthenticator and save [You will see OIDAuthenticator if the IDM environment was configured with OID, not OVD, as the ID store]

4. Create [if step 3 applied] / edit OVDAuthenticator and make sure control flag = “SUFFICIENT”


5. Make sure the providers list has the correct order; if not, reorder them

6. Click on OVDAuthenticator –> Provider Specific

7. host=<ovd host>, port=<ovd port>, principal=<cn=oamLDAP,cn=users,dc=us,dc=oididm,dc=com>; in my environment I have used ‘cn=orcladmin’ for quick set up.

8. User Base DN: dc=oididm,dc=com [Again, this is based on the example configuration I have used; please see Split-profile-part1]

9. All Users Filter: (&(uid=*)(objectclass=person))

10. User Name Attribute = uid

11. Group Base DN: dc=oididm,dc=com

12. Static Group Object Class: groupofuniquenames


13. Save the changes, then shut down the WLS admin server and restart it

14. Check that the OVDAuthenticator is working by accessing the WLS console: Security Realms –> myrealm –> Users and Groups. You will see users from both OID and AD.


OAM

  1. Log in to the OAM 11g console.
  2. Go to System Configuration –> Common Configuration –> Data Sources
  3. Open the ‘OIMIDStore instance’ –> change the “Store Type” to “OVD: Oracle Virtual Directory” from “OID: Oracle Internet Directory” (only if OID was set as the ID store originally)
  4. Change the “Location” to <ovdhost>:<ovdport>
  5. Change the Bind DN to a user from OVD who has the appropriate ACIs (I used orcladmin for quick setup, but this can be oimLDAP or oamLDAP if ACIs are granted)
  6. Provide the password of the user used above
  7. Change the User search base to the base of the OVD, dc=oididm,dc=com [same as we set in the OVDAuthenticator in WLS earlier]
  8. Change the Group search base to the base of the OVD, dc=oididm,dc=com
  9. Make sure to Test Connect and Apply
  10. For a quick check I also added a user from AD, ‘ad_user1’, as access system administrator, confirming my config was fine and able to retrieve users
  11. I also tried a login to oamconsole with ‘ad_user1’ and ‘oamadmin’ to confirm that authentication of users from both AD and OID is successful

OIM

1. Change the Search Base

1.1. Log on to OIM at http://<oimhost>:<oim_port>/oim as xelsysadm

1.2. Click on “Advanced” on the top right side of your screen

1.3. Click on the “Manage IT Resource” link under the “Configuration” section

1.4. In the query screen, in the IT Resource Type field, choose “Directory Server” from the drop down and search

1.5. In the results, click on the Edit button for the directory server

1.6. In the Search Base field, update the search base [the same OVD base as in the previous steps for WLS and OAM] to “dc=oididm,dc=com”

1.7. Also update the Reserve Container base to an absolute value.


1.8. Click Update. Close window.

2. Update Container Rules in MDS for Split profile

2.1. Create LDAPContainerRules.xml with the new rules that you want to import. This file contains the rules for user creation and role creation and the corresponding containers in LDAP where they should be created. For the current split profile scenario, I have set only the default rules, as below:

<?xml version='1.0' encoding='UTF-8'?>
<container-rules>
  <user>
    <rule>
      <expression>Default</expression>
      <container>cn=Users,dc=us,dc=oididm,dc=com</container>
      <description>UserContainer</description>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=Groups,dc=us,dc=oididm,dc=com</container>
      <description>RoleContainer</description>
    </rule>
  </role>
</container-rules>

2.2. Modify the <OIM_ORACLE_HOME>/bin/weblogic.properties file so that it imports the above LDAPContainerRules.xml file, setting wls_servername=<oim server name>, for example wls_oim1

2.3. Set OIM_ORACLE_HOME environment variable.

2.4. Run weblogicImportMetadata.sh from <OIM_ORACLE_HOME>/bin to import the configuration file into MDS

2.5. Input the WebLogic login credentials when prompted:
Please enter your username [weblogic] : <weblogic_user>
Please enter your password [weblogic] : <password>
Please enter your server URL [t3://localhost:7001] : t3://oimadmin.mycompany.com:7001

2.6. Restart OIM Server for new rules to take effect
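A malformed rules file or a container outside the branch OIM is meant to provision into is cheaper to catch before step 2.4 than after a restart. The following Python check is an added example, not part of the original post or of OIM itself; it assumes that dc=us,dc=oididm,dc=com is the OID-backed branch of the consolidated OVD tree, as in the configuration above, and it also catches the typographic quotes that a copy-pasted XML declaration often carries.

```python
import xml.etree.ElementTree as ET
# Branch OIM provisions into; assumed to be the OID-backed branch of the OVD tree.
PROVISION_BRANCH = "dc=us,dc=oididm,dc=com"
# Constructed sample: the rules file from step 2.1, with straight quotes.
SAMPLE_RULES = """<?xml version='1.0' encoding='UTF-8'?>
<container-rules>
  <user>
    <rule>
      <expression>Default</expression>
      <container>cn=Users,dc=us,dc=oididm,dc=com</container>
      <description>UserContainer</description>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=Groups,dc=us,dc=oididm,dc=com</container>
      <description>RoleContainer</description>
    </rule>
  </role>
</container-rules>
"""

def is_under(dn, base):
    # RDN-wise suffix match, so a plain string suffix cannot fake a child entry.
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b

def validate_rules(xml_text, branch=PROVISION_BRANCH):
    """Return a list of problems; an empty list means the file is safe to import."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typographic quotes in the XML declaration are a frequent cause here.
        return ["not well-formed XML: %s" % exc]
    problems = []
    for section in ("user", "role"):
        node = root.find(section)
        if node is None:
            problems.append("missing <%s> section" % section)
            continue
        rules = node.findall("rule")
        if not any(r.findtext("expression") == "Default" for r in rules):
            problems.append("<%s> has no Default rule" % section)
        for rule in rules:
            container = rule.findtext("container", "")
            if not is_under(container, branch):
                problems.append("%s container %r is outside %s" % (section, container, branch))
    return problems
```

Run validate_rules() on the contents of your own LDAPContainerRules.xml; anything it returns should be fixed before weblogicImportMetadata.sh is run.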

3. Update Username generation policy to accommodate AD

This change is due to an AD limitation only: AD has a username limitation of 20 characters for Windows 2000 and earlier. Hence the username generation policy in OIM has to be updated to accommodate this AD limitation.

3.1. Log on to OIM at http://<oimhost>:<oim_port>/oim

3.2. Click on “Advanced” on the top right side of your screen

3.3. Click on “Search System properties”

3.4. On the left navigation bar, search on “Username Generation”

3.5. Click on “Default policy for username generation”

3.6. In the Value field, update the entry from “oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy” to “oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD”

3.7. Click “Save”


That completes the needed configuration changes for WLS, OAM and OIM in the IDM environment. As a last step, for each Fusion Applications domain, change the OIDAuthenticator to an OVDAuthenticator in those domains where the identity store was OID previously.

Comments

  1. Thanks for the post. I have the following questions (we will be using 11rG2PS3):
    1) Can we use OUD instead of OID as shadow directory?
    2) We have AD and OUD where we would like to present both as Identity Stores for OAM and OIM, but provision users created in OIM to OUD only. In this case, should we use OUD user/role containers in LDAPUser.xml? We also need to make sure AD users are NOT copied to OUD.

    Thank you very much,
    Hari

  2. Aishao Li says:

    After following the steps described here, we accessed oim ../identity by logging in as one of the AD users. Authentication with the AD user is fine, but when doing a user search, an error occurred. If logged in as xelsysadm, searching users displays those users from OID, but not from AD. From the weblogic domain realm, we can see all users, both from OID and AD.

    Please advise..
