Tuesday, August 26, 2014

New OID configuration steps to create default containers, administrators, and Access Control Lists (ACIs) in 11g Release 2 (11.1.2.2.0)


Preconfiguring LDAP means preparing the LDAP directory with the default containers, administrators, and Access Control Lists (ACIs) that Oracle Identity Manager needs in order to work correctly.

If OID is not already configured in your environment, you must first follow the steps to configure OID for 11g Release 2 (11.1.2.2.0).

You must complete the following steps to preconfigure the Identity Store:

Create a new file named OIDContainers.ldif, add the following entries, and save the file.
Modify the dn values to match your environment. Each entry is separated from the next by a blank line, and the file must end with a newline after the last entry (after pasting these values, make sure the cursor sits on a new line before saving).

dn:cn=oracleAccounts,dc=orasystemsusa,dc=com
cn:oracleAccounts
objectClass:top
objectClass:orclContainer

dn:cn=Users,cn=oracleAccounts,dc=orasystemsusa,dc=com
cn:Users
objectClass:top
objectClass:orclContainer

dn:cn=Groups,cn=oracleAccounts,dc=orasystemsusa,dc=com
cn:Groups
objectClass:top
objectClass:orclContainer

dn:cn=Reserve,cn=oracleAccounts,dc=orasystemsusa,dc=com
cn:Reserve
objectClass:top
objectClass:orclContainer

Import the containers into Oracle Internet Directory with the ldapadd command. This creates the Users, Groups, and Reserve containers.


ldapadd -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -c -f ./OIDContainers.ldif

For example:
ldapadd -h localhost -p 389 -D "cn=orcladmin" -w "welcome1" -c -f ./OIDContainers.ldif

If the above gives an authentication error, try the command with the '-x' option, which selects a simple bind.

ldapadd -h localhost -p 389 -x -D "cn=orcladmin" -w "welcome1" -c -f ./OIDContainers.ldif


After installing OID, configure the OIM proxy user and the ACIs that let OIM communicate with OID: create the OIM Admin user, the OIM Admin group, and the ACIs.

The root suffix is given as 'dc=orasystemsusa,dc=com'. Replace it with the root suffix of your OID server.

Create a new file oidadmin.ldif, add the following LDAP entries, and save it. Then run the following command to load oidadmin.ldif.


Note:
Run the ldapmodify command in OID setup to add the OIM proxy User, OIM proxy Group and the relevant ACIs.

./ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -c -v -f oidadmin.ldif

dn: cn=systemids,dc=orasystemsusa,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=orasystemsusa,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=orasystemsusa,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: orclPrivilegeGroup
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=orasystemsusa,dc=com

dn: cn=oracleAccounts,dc=orasystemsusa,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=orasystemsusa,dc=com" (add,browse,delete) by * (none)
orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=orasystemsusa,dc=com" (read,search,write,compare) by * (none)

dn: cn=changelog
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=orasystemsusa,dc=com" (browse) by * (none)
orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=orasystemsusa,dc=com" (read,search,compare) by * (none)
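
Before loading either file, it is worth validating the LDIF the way the warnings above imply (a blank line between entries, a newline after the last one) and confirming that every orclaci names only oimAdminGroup and ends in 'by * (none)', so nothing is granted to anonymous or other users by mistake. The following Python validator is an added example, not part of the original post or of Oracle's tooling; the group DN and the embedded sample LDIF are constructed from the entries above.

```python
import re

# Expected grantee in every orclaci (the group created in oidadmin.ldif)
ADMIN_GROUP = "cn=oimAdminGroup,cn=systemids,dc=orasystemsusa,dc=com"

def split_records(ldif_text):
    """Split LDIF into records on blank lines, folding continuation lines."""
    records, current = [], []
    for line in ldif_text.split("\n"):
        if line.strip() == "":                   # blank line ends a record
            if current:
                records.append(current)
                current = []
        elif line.startswith(" ") and current:   # leading space = continuation
            current[-1] += line[1:]
        elif not line.startswith("#"):           # skip LDIF comments
            current.append(line)
    if current:
        records.append(current)
    return records

def check_ldif(ldif_text, admin_group=ADMIN_GROUP):
    """Return a list of problems; an empty list means the file is safe to load."""
    problems = [] if ldif_text.endswith("\n") else ["file does not end with a newline"]
    for idx, rec in enumerate(split_records(ldif_text), 1):
        if not rec[0].lower().startswith("dn:"):
            problems.append(f"record {idx} does not start with dn:")
            continue
        dn = rec[0][3:].strip()
        extra = [ln for ln in rec[1:] if ln.lower().startswith("dn:")]
        if extra:  # a second dn: inside one record means a missing blank line
            problems.append(f"{dn}: missing blank line before '{extra[0]}'")
        for ln in rec:
            if not ln.lower().startswith("orclaci:"):
                continue
            aci = ln.split(":", 1)[1].strip()
            if not aci.endswith("by * (none)"):   # everyone else must be denied
                problems.append(f"{dn}: ACI does not deny everyone else: {aci}")
            for grp in re.findall(r'group="([^"]+)"', aci):
                if grp.lower() != admin_group.lower():
                    problems.append(f"{dn}: ACI grants unexpected group {grp}")
    return problems

# Constructed sample: the two ACI entries with the blank line before "dn: cn=changelog" missing and one ACI leaving read open
BAD_LDIF = (
    "dn: cn=oracleAccounts,dc=orasystemsusa,dc=com\nchangetype: modify\nadd: orclaci\n"
    f'orclaci: access to entry by group="{ADMIN_GROUP}" (add,browse,delete) by * (none)\n'
    "dn: cn=changelog\nchangetype: modify\nadd: orclaci\n"
    f'orclaci: access to attr=(*) by group="{ADMIN_GROUP}" (read) by * (read)'
)
```

Running check_ldif(BAD_LDIF) reports the missing newline, the missing blank line, and the permissive ACI; fix the file until the list is empty before running ldapmodify.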

Use the following command to check if the ACI is added.

./ldapsearch -h <OID Server> -p <OID Port> -D "cn=orcladmin" -w <OID Admin password> -b "dc=orasystemsusa,dc=com" -s one "objectclass=*" orclaci

Use the following command to check that the proxy user can bind to OID and read the changelog. Before running it, ensure that the changenumber attribute is catalogued.

./ldapsearch -h <OID Server> -p <OID Port> -D "cn=oimAdminUser,cn=systemids,dc=orasystemsusa,dc=com" -w <oimAdminUser password> -b "cn=changelog" -s sub "changenumber>=0"

If the above command gives an error, try the following:

./ldapsearch -h <OID Server> -p <OID Port> -D "cn=oimAdminUser,cn=systemids,dc=orasystemsusa,dc=com" -w <oimAdminUser password> -b "cn=changelog" -s one "changenumber>=0"
