In my previous post I discussed the split profile setup scenario with AD and OID in a Fusion Applications IDM environment, and how to create adapters in OVD to consolidate the two directory servers, AD and OID.
Adapter configuration alone is not enough, so in this post I will highlight the configuration changes needed in the rest of the IDM components involved in the Fusion Applications integration.
Please refer to the first picture in split profile part 1, which shows the consolidated view of the directory tree; it sets the context for the configurations in this post.
My recommendation is to take a backup of the IDM environment before the split profile is configured. This includes AD too.
So, which components need configuration changes, and why?
- WLS : In the initial setup without split profile, the OVD Authenticator provider pointed at OID alone through OVD (or at OID directly through an OID Authenticator); now the OVD Authenticator must refer to both OID and AD.
- OAM : Similar to WLS, the user and group search bases need to be set to the consolidated base so that users from both OID and AD can be authenticated.
- OIM : The user base needs to be the new consolidated base, and the container rules need to be modified for the target user base and target group base used during user and role creation.
Here are the detailed changes by component for this scenario.
WLS
1. Log in to the oim-domain WLS console, User=<oim_admin_user>, Password=<Password>
2. Go to Security Realms --> myrealm --> Providers
3. Remove OIDAuthenticator and save [you will see an OIDAuthenticator if the IDM environment was configured with OID, rather than OVD, as the ID store]
4. Create (if step 3 applied) or edit OVDAuthenticator and make sure Control Flag = "SUFFICIENT". Leave DefaultAuthenticator at SUFFICIENT as well: with both providers SUFFICIENT, a user found in either store can log in, and the weblogic administrator held in the embedded LDAP keeps working. Do not set DefaultAuthenticator to REQUIRED, or every OVD user would also have to exist in the embedded LDAP.

5. Make sure the providers list is in the correct order (the external OVDAuthenticator first, DefaultAuthenticator after it); if it is not, reorder the providers
6. Click on OVDAuthenticator -----> Provider Specific
7. Host = <ovd host>, Port = <ovd port>, Principal = cn=oamLDAP,cn=users,dc=us,dc=oididm,dc=com. In my environment I used 'cn=orcladmin' for a quick setup; outside a lab, bind with a dedicated account such as oamLDAP that holds only the read ACIs the authenticator needs, since orcladmin is the directory superuser.
8. User Base DN: dc=oididm,dc=com [again, this is based on the example configuration I used, please see split profile part 1]
9. All Users Filter: (&(uid=*)(objectclass=person))
10. User Name Attribute = uid. Both the filter and this attribute rely on uid, so the OVD adapter for AD must present sAMAccountName as uid; otherwise AD users will never match.
11. Group Base DN: dc=oididm,dc=com
12. Static Group Object Class: groupofuniquenames
13. Save the changes, then restart the Admin Server and the managed servers; security provider changes are picked up only on restart
14. Check that the OVDAuthenticator is working from the WLS console:
Security Realms ---> myrealm ---> Users and Groups ------> you should see users from both OID and AD
OAM
1. Log in to the OAM 11g console.
2. Go to System Configuration --> Common Configuration --> Data Sources
3. Open the 'OIMIDStore' instance --> change the "Store Type" from "OID: Oracle Internet Directory" to "OVD: Oracle Virtual Directory" (only if OID was set as the ID store originally)
4. Change the "Location" to <ovdhost>:<ovdport>
5. Change the Bind DN to a user from OVD who has the appropriate ACIs (I used orcladmin for a quick setup, but this can be oimLDAP or oamLDAP once the ACIs are granted, which is what you want outside a lab)
6. Provide the password of the user used above
7. Change the User Search Base to the base of the OVD, dc=oididm,dc=com [the same value we set in the OVDAuthenticator in WLS earlier]
8. Change the Group Search Base to the base of the OVD, dc=oididm,dc=com
9. Make sure to Test Connection and Apply
10. For a quick check I added a user from AD, 'ad_user1', as an Access System Administrator, confirming my config was fine and users could be retrieved
11. I also tried logging in to oamconsole with 'ad_user1' and 'oamadmin' to confirm that authentication of users from both AD and OID is successful
OIM
1. Change the Search Base
1.1. Log on to OIM at http://<oimhost>:<oim_port>/oim as xelsysadm
1.2. Click on "Advanced" at the top right of your screen
1.3. Click on the "Manage IT Resource" link under the "Configuration" section
1.4. In the query screen, in the IT Resource Type field, choose "Directory Server" from the drop-down and search
1.5. In the results, click the Edit button for the Directory Server IT resource
1.6. In the Search Base field, update the search base to "dc=oididm,dc=com" [the same OVD base as in the previous steps for WLS and OAM]
1.7. Also update the Reserve Container parameter to an absolute DN rather than a value relative to the search base
1.8. Click Update. Close the window.
2. Update Container Rules in MDS for split profile
2.1 Create LDAPContainerRules.xml with the new rules you want to import. This file holds the rules for user creation and role creation and the corresponding LDAP containers in which they should be created. Note that these containers point at the OID branch of the consolidated tree (cn=Users and cn=Groups under dc=us,dc=oididm,dc=com), not at the consolidated base itself, because that is where OIM creates new entries through OVD. For the current split profile scenario I set only the default rules, as below:
<?xml version='1.0' encoding='UTF-8'?>
<container-rules>
  <user>
    <rule>
      <expression>Default</expression>
      <container>cn=Users,dc=us,dc=oididm,dc=com</container>
      <description>UserContainer</description>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=Groups,dc=us,dc=oididm,dc=com</container>
      <description>RoleContainer</description>
    </rule>
  </role>
</container-rules>
2.2. Modify the <OIM_ORACLE_HOME>/bin/weblogic.properties file so that the above LDAPContainerRules.xml file is imported, setting the following:
wls_servername=<oim server name>, for example wls_oim1
application_name=oim
metadata_from_loc=<directory containing the file>, with LDAPContainerRules.xml placed in the db subdirectory of that directory so that it lands at /db/LDAPContainerRules.xml in MDS
2.3. Set the OIM_ORACLE_HOME environment variable.
2.4. Run weblogicImportMetadata.sh from <OIM_ORACLE_HOME>/bin to import the configuration file into MDS
2.5. Enter the WebLogic login credentials when prompted:
Please enter your username [weblogic] : <weblogic_user>
Please enter your password [weblogic] : <password>
Please enter your server URL [t3://localhost:7001] : t3://oimadmin.mycompany.com:7001
2.6. Restart the OIM server for the new rules to take effect
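Before importing the rules into MDS it is worth checking the file offline. The following Python script is an added example for this post (it is not OIM code and not from the original article): it parses LDAPContainerRules.xml, normalizes each container DN the way LDAP compares names (attribute types and values case-insensitive, no whitespace around the comma separator) and reports any rule whose container is outside the consolidated OVD base, any section without exactly one Default rule, and any DN whose raw string carries whitespace after a comma, which tools that compare DNs as plain strings would not match. The two embedded XML samples are constructed: the first is the rule set used above, the second deliberately contains a stray space and a user container under a different suffix. The base dc=oididm,dc=com is the one used throughout this post; the script name is my choice.

```python
"""Sanity-check an OIM LDAPContainerRules.xml before importing it into MDS.

Added example for this post (not OIM code, not from the original article).
It normalizes container DNs RFC 4514 style (types and values compared
case-insensitively, no whitespace around the separator) and reports rules
that would land outside the consolidated OVD base. Standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_dn(dn: str) -> str:
    """Canonical form: whitespace stripped, attribute types and values lowercased."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError(f'malformed RDN {rdn!r} in {dn!r}')
        rdns.append(f'{attr.strip().lower()}={value.strip().lower()}')
    return ','.join(rdns)


def dn_under(dn: str, base: str) -> bool:
    """True if dn equals base or is a descendant of it (checked on an RDN boundary)."""
    n_dn, n_base = normalize_dn(dn), normalize_dn(base)
    return n_dn == n_base or n_dn.endswith(',' + n_base)


def parse_container_rules(xml_text: str) -> dict:
    """Return {'user': [...], 'role': [...]} of (expression, container, description)."""
    root = ET.fromstring(xml_text)
    if root.tag != 'container-rules':
        raise ValueError(f'unexpected root element {root.tag!r}')
    rules = {}
    for kind in ('user', 'role'):
        section = root.find(kind)
        rules[kind] = [
            ((rule.findtext('expression') or '').strip(),
             (rule.findtext('container') or '').strip(),
             (rule.findtext('description') or '').strip())
            for rule in ([] if section is None else section.findall('rule'))
        ]
    return rules


def validate_container_rules(xml_text: str, consolidated_base: str) -> list:
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    rules = parse_container_rules(xml_text)
    for kind in ('user', 'role'):
        defaults = [r for r in rules[kind] if r[0].lower() == 'default']
        if len(defaults) != 1:
            findings.append(f'{kind}: expected exactly one Default rule, found {len(defaults)}')
        for expression, container, _desc in rules[kind]:
            if not container:
                findings.append(f'{kind}/{expression}: empty container')
                continue
            try:
                if not dn_under(container, consolidated_base):
                    findings.append(f'{kind}/{expression}: {container!r} is outside {consolidated_base!r}')
            except ValueError as exc:
                findings.append(f'{kind}/{expression}: {exc}')
                continue
            # A consumer comparing DNs as plain strings will not match
            # 'cn=Groups, dc=us' against 'cn=Groups,dc=us', so flag the raw form too.
            if container != ','.join(p.strip() for p in _RDN_SPLIT.split(container)):
                findings.append(f'{kind}/{expression}: {container!r} has whitespace around a comma')
    return findings


# Constructed sample: the rules used in this post.
GOOD_RULES = """<?xml version='1.0' encoding='UTF-8'?>
<container-rules>
  <user><rule><expression>Default</expression>
    <container>cn=Users,dc=us,dc=oididm,dc=com</container>
    <description>UserContainer</description></rule></user>
  <role><rule><expression>Default</expression>
    <container>cn=Groups,dc=us,dc=oididm,dc=com</container>
    <description>RoleContainer</description></rule></role>
</container-rules>"""

# Constructed sample with two defects: a stray space in the role container and a
# user container that is not under the consolidated OVD base.
BAD_RULES = (GOOD_RULES
             .replace('cn=Groups,dc=us', 'cn=Groups, dc=us')
             .replace('cn=Users,dc=us,dc=oididm,dc=com', 'cn=Users,dc=example,dc=com'))

if __name__ == '__main__':
    for name, text in (('good', GOOD_RULES), ('bad', BAD_RULES)):
        problems = validate_container_rules(text, 'dc=oididm,dc=com')
        print(name, 'OK' if not problems else '\n  ' + '\n  '.join(problems))
```

An empty result for the real file means the default containers sit under the base that the OVDAuthenticator and the OAM ID store were pointed at in the earlier sections. Normalization and the literal whitespace check are kept separate on purpose: the first tells you whether the DN is really under the base, the second whether a strict string comparison elsewhere will agree with you.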
3. Update the username generation policy to accommodate AD
This change is needed only because of an AD limitation: the sAMAccountName (the pre-Windows 2000 logon name) is limited to 20 characters. Hence the username generation policy in OIM has to be updated to stay within that limit, otherwise longer generated names cannot be created in AD.
3.1. Log on to OIM at http://<oimhost>:<oim_port>/oim
3.2. Click on "Advanced" at the top right of your screen
3.3. Click on "Search System Properties"
3.4. In the left navigation bar, search for "Username Generation"
3.5. Click on "Default policy for username generation"
3.6. In the Value field, change the entry from "oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy"
to
"oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD"
3.7. Click "Save"
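To make the AD constraint concrete, here is an illustrative username policy in Python, added for this post; it is not Oracle's FirstNameLastNamePolicyForAD and not code from the original article. It builds first.last style names, folds accented and disallowed characters out of the parts so the result is a valid sAMAccountName, truncates to 20 characters and appends a counter on collision so the name stays both unique and within the limit. The `existing` argument and the names in the demo are constructed stand-ins for the repository lookup the real OIM plug-in performs through its own API.

```python
"""Illustrative AD-safe username policy.

Added example for this post; not Oracle's FirstNameLastNamePolicyForAD and
not code from the original article. It demonstrates the constraint the post
describes: sAMAccountName is limited to 20 characters, so a first.last name
must be truncated and still kept unique. `existing` is a constructed stand-in
for the repository lookup the real OIM plug-in does through its own API.
"""
import re
import unicodedata

SAM_MAX_LEN = 20
# Characters that are invalid in a sAMAccountName, plus space.
_SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<> ]')


def _ascii_token(value: str) -> str:
    """Fold accents to ASCII, drop forbidden characters, lowercase."""
    folded = unicodedata.normalize('NFKD', value).encode('ascii', 'ignore').decode()
    return _SAM_FORBIDDEN.sub('', folded).strip('.').lower()


def generate_username(first: str, last: str, existing, max_len: int = SAM_MAX_LEN) -> str:
    """Return first.last truncated to max_len, with a numeric suffix on collision.

    `existing` is any container of names already taken; comparison is
    case-insensitive, as AD treats sAMAccountName. Raises ValueError when the
    name parts leave nothing usable or no unique candidate fits the limit.
    """
    first_t, last_t = _ascii_token(first), _ascii_token(last)
    if not first_t or not last_t:
        raise ValueError('first and last name must each leave at least one valid character')
    taken = {name.lower() for name in existing}
    base = f'{first_t}.{last_t}'
    counter = 0
    while True:
        # Candidate 0 is the plain name; later candidates append a counter.
        # The counter is added after truncation so the result never exceeds max_len.
        suffix = '' if counter == 0 else str(counter)
        keep = max_len - len(suffix)
        if keep < 1:
            raise ValueError('cannot fit a unique name into the length limit')
        candidate = base[:keep].rstrip('.') + suffix
        if candidate.lower() not in taken:
            return candidate
        counter += 1


if __name__ == '__main__':
    # Constructed demo: the second Christopher collides with the first and gets a suffix.
    taken = set()
    for first, last in (('Ada', 'Lovelace'), ('Christopher', 'Montgomery-Smith'),
                        ('Christopher', 'Montgomery-Smith'), ('José', 'Ñandú')):
        name = generate_username(first, last, taken)
        taken.add(name)
        print(f'{first} {last:18} -> {name} ({len(name)} chars)')
```

The point to take from the collision handling is that truncation alone is not enough: two long surnames that differ only after the 20th character would produce the same sAMAccountName, so the policy has to reserve room for a disambiguator rather than cut the name and hope.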
That's all for the configuration changes needed in WLS, OAM and OIM for the IDM environment. For the Fusion Applications domains, change the OIDAuthenticator to an OVDAuthenticator in each domain if OID was used as the ID store previously.
Hey Uday, thank you so much for posting the valuable information. I have not tried this implementation yet but I will preserve it for future need.
thanks
Jyothi
Hi Jyothi,
Thank you. Let me know; we are glad to help you as much as possible with your implementation.
-Uday
Hi
Thanks for the nice article!
We followed split-profile part 1 in this blog and created OVD adapters. Later we created an OVD Authenticator and logged in to the WLS console to verify whether users are getting picked up from AD and OID, but we are able to see users only from AD and not from OID. It looks like the JOIN adapter is not picking up users from OID. What could be the reason? Also, we didn't configure LDAP Sync in our environment. Do we need to configure LDAP Sync before configuring split profile?
Thanks
Yuva
Hello Yuva, did you get an answer on LDAP Sync? I have a similar requirement. I have set up the OVD adapters, but am stuck on LDAP Sync. Not sure which container in OID is to be configured for LDAP Sync. Thanks.
Hi Uday,
While doing the Fusion provisioning, I am facing an error during the pre-check phase.
Error log:
1. OVD_ROLE_CONTAINER : Inconsistency in Default Role Container. Expected : cn=Users,dc=unix,dc=morrisons,dc=net Configured : cn=Groups, dc=unix,dc=morrisons,dc=net
2. OAM_Validation : Cannot perform OAM Validation as Error in receiving hashed server challenge ObAAAStatus: Major code: 52(Challenge_Failed) Minor code: 2(NoCode)
3. OVD_USER_CONTAINER : Inconsistency in Default User Container. Expected : cn=Users,dc=unix,dc=morrisons,dc=net Configured : cn=Users, dc=unix,dc=morrisons,dc=net
Regards
Karunakar