In my previous post I discussed the split profile setup scenario with AD and OID in a Fusion Applications IDM environment and how to create adapters in OVD to consolidate the two directory servers, AD and OID. However, configuring the adapters alone is not sufficient for the split profile to function: the rest of the IDM components in the integration must be reconfigured to communicate with the directory layer. In this post I will highlight the configuration changes needed in the remaining IDM components involved in the Fusion Applications integration.
Please refer to the first picture in split profile part 1, which shows the consolidated view of the directory tree, to set the context for the configurations in this post. As always, take a backup of the existing IDM environment before making any changes. The backup should include the IDM middleware, the IDM database and the enterprise directory.
Let us review for which components the configuration will change:
Here are the detailed changes by component for this scenario:
1. Log in to the oim-domain WLS console, User=<oim_admin_user>, Password=<Password>
2. Go to Security Realms --> myrealm --> Providers
3. Remove OIDAuthenticator and save [you will see OIDAuthenticator if the IDM environment was configured with the ID store as OID and not OVD]
4. Create [if step 3 applied] or edit OVDAuthenticator and make sure the control flag is "SUFFICIENT"
5. Make sure the providers list is in the correct order; if it is not, reorder the providers
6. Click OVDAuthenticator --> Provider Specific
7. Host = <ovd host>, Port = <ovd port>, Principal = <cn=oamLDAP,cn=users,dc=us,dc=oididm,dc=com>; in my environment I have used 'cn=orcladmin' for a quick setup.
8. User Base DN: dc=oididm,dc=com [again, this is based on the example configuration I have used; please see split profile part 1]
9. All Users Filter: (&(uid=*)(objectclass=person))
10. User Name Attribute = uid
11. Group Base DN: dc=oididm,dc=com
12. Static Group Object Class: groupofuniquenames
13. Save the changes, then shut down and restart the WLS Admin Server
14. Check that the OVDAuthenticator is working by accessing the WLS console: Security Realms --> myrealm --> Users and Groups
1. Change the Search Base
1.1. Log on to OIM at http://<oimhost>:<oim_port>/oim as xelsysadm
1.2. Click "Advanced" at the top right of your screen
1.3. Click the "Manage IT Resource" link under the "Configuration" section
1.4. In the query screen, choose "Directory Server" from the IT Resource Type drop-down and search
1.5. In the results, click the Edit button for the directory server
1.6. In the Search Base field, update the search base [the same OVD base as in the previous steps for WLS and OAM] to "dc=oididm,dc=com"
1.7. Also update the reserve container base to an absolute value.
1.8. Click Update and close the window.
2. Update Container Rules in MDS for Split Profile
2.1. Create LDAPContainerRules.xml with the new rules that you want to import. This file contains the rules for user creation and role creation and the corresponding containers in LDAP where they should be created. For the current split profile scenario, I have set only the default rules, as below:
2.2. Modify the <OIM_ORACLE_HOME>/bin/weblogic.properties file so that it imports the above LDAPContainerRules.xml file, setting wls_servername=<oim server name>, for example wls_oim1
2.3. Set the OIM_ORACLE_HOME environment variable.
2.4. Run weblogicImportMetadata.sh from <OIM_ORACLE_HOME>/bin to import the configuration file into MDS
2.5. Enter the WebLogic login credentials when prompted:
    Please enter your username [weblogic] : <weblogic_user>
    Please enter your password [weblogic] : <password>
    Please enter your server URL [t3://localhost:7001] : t3://oimadmin.mycompany.com:7001
2.6. Restart the OIM server for the new rules to take effect
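An illustrative LDAPContainerRules.xml containing only default rules, added here as an example rather than the author's actual file: it assumes the consolidated OVD base dc=oididm,dc=com from part 1 and hypothetical cn=Users and cn=Groups containers under it, and follows the container-rules format of OIM 11g as I know it from the product documentation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: default-only container rules for the split profile scenario.
     Container DNs are assumptions; replace them with the branches used in your OVD tree. -->
<container-rules>
  <user>
    <rule>
      <!-- "Default" is the catch-all rule applied when no other user rule matches -->
      <expression>Default</expression>
      <container>cn=Users,dc=oididm,dc=com</container>
      <description>Default container for users created by OIM</description>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=Groups,dc=oididm,dc=com</container>
      <description>Default container for roles created by OIM</description>
    </rule>
  </role>
</container-rules>
```

Keep a Default rule for both users and roles so that an entity matching no other rule still has a target container, and make sure the default user container is a branch that OVD routes to the directory OIM is allowed to write to (OID in this scenario), not to the AD adapter.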
3. Update Username Generation Policy to Accommodate AD
This change is due to an AD limitation only: AD has a username limit of 20 characters for Windows 2000 and earlier. Hence the username generation policy in OIM has to be updated to accommodate this AD limitation.
3.1. Log on to OIM at http://<oimhost>:<oim_port>/oim
3.2. Click "Advanced" at the top right of your screen
3.3. Click "Search System Properties"
3.4. In the left navigation bar, search for "Username Generation"
3.5. Click "Default policy for username generation"
3.6. In the Value field, change the entry from "oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy" to "oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD"
3.7. Click "Save"
That completes the configuration changes needed for WLS, OAM and OIM in the IDM environment. As a last step, for each Fusion Applications domain, change the OIDAuthenticator to an OVDAuthenticator in those domains where the identity store was previously OID.