This is part VIII of the step-by-step installation of Oracle Identity Management (OAM, OIM, OAAM, OAPM & OIN); it covers configuring LDAP Sync with OIM 11g.

LDAP Sync with OIM 11g : OIM will sync users to LDAP (OID in this case). OIM LDAP Synchronization uses OVD/OID to synchronize users from OIM to OID. LDAP Sync is mandatory for integrating Oracle Identity Manager (OIM) with Oracle Access Manager (OAM).

  • For Part I Download Software and create Schema click here
  • For Part II Install WebLogic Server 10.3.3  click here
  • For Part III Install SOA Server and Upgrade to 11.1.1.3 click here
  • For Part IV Install IDAM 11.1.1.3 click here
  • For Part V Create Domain for OIM, OAM, OAAM, OAPM & OIN click here
  • For Part VI Configure Identity Manager click here
  • For Part VII Configure OIM Design Console click here

Requirement : OIM (11g R1) LDAP Sync requires Oracle Virtual Directory (OVD) and Oracle Internet Directory (OID). (In this release of OIM, LDAP Sync is limited to the OID server.)

What happens when you configure LDAP Sync in OIM 11g ? – The configuration process creates the schema (objectclasses) in OID for OIM & OAM. It also creates an IT Resource in OIM which automatically synchronizes the user to OID when you create/modify/delete a user in OIM.


High Level steps for LDAP Sync configuration with OIM

1. Run LDAP Pre Configuration Setup (on OIM Server)
2. Create two adapters in OVD (on OVD via ODSM)
3. Run LDAP Post Configuration Setup (on OIM Server)


OIM LDAP Sync configuration

1. Run LDAP Preconfiguration Utility

1.1 Edit $OIM_ORACLE_HOME/server/ldap_config_util/ldapconfig.props and add OIMProviderURL, OIDURL, OIDAdminUsername, OIDSearchBase, UserContainerName, RoleContainerName and ReservationContainerName.

ReservationContainerName - This is the container in OID where users stay while they have been created but not yet approved in OIM (once they are approved they are moved to the container named by UserContainerName).
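As an added illustration (not the shipped ldapconfig.props and not from the original post), this is the shape those entries take. The host names, ports and container names are assumptions for a realm of dc=com and must be replaced with your own values; note that no password goes in this file, the pre-setup script prompts for the orcladmin password when it runs:

```properties
# Added example, not the shipped ldapconfig.props: every value below is assumed.
# OIM managed server (t3 URL of oim_server1)
OIMProviderURL=t3://oimhost.example.com:14000
# OID server and the bind account the utility uses (password is prompted for, never stored here)
OIDURL=ldap://oidhost.example.com:3060
OIDAdminUsername=cn=orcladmin
# Realm under which OIM manages users and roles
OIDSearchBase=dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Groups
# Holding container for users created in OIM but not yet approved
ReservationContainerName=cn=Reserve
```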
1.2 Set WL_HOME & JAVA_HOME

1.3 Run $ORACLE_HOME/server/ldap_config_util/LDAPConfigPreSetup.sh (when prompted, enter the password of orcladmin)

The above command will:
a) Extend the OID schema (more on the OID schema here) using
i) oimadminuser.ldif and oimcontainers.ldif from $ORACLE_HOME/server/ldap_config_util
ii) OID_oblix_schema_add.ldif, OID_oblix_schema_index_add.ldif and OID_oblix_pwd_schema_add.ldif from $ORACLE_HOME/oam/server/oim-intg/schema/ (the Oblix schema extension is required for OIM integration with OAM)

b) Create the user oimadmin under cn=oim,cn=products,cn=oracleContext
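Before letting the pre-setup script extend a production directory's schema, it is worth listing what the LDIF files will add. The script below is an added example for this post (not Oracle's code); the LDIF it carries is constructed in the shape OID schema extensions use (modify operations against cn=subschemasubentry) and is not the content of oimadminuser.ldif or the Oblix files. Point review_ldif() at the real files to get the same summary for them:

```python
"""Summarise what an OID schema-extension LDIF will add before applying it.

Added example (not Oracle's code). SAMPLE_LDIF is constructed for
illustration; it is NOT the content of oimadminuser.ldif, oimcontainers.ldif
or the OID_oblix_*.ldif files shipped with OIM/OAM.
"""
import re
from collections import defaultdict

# Constructed sample in the shape OID schema extensions use: the schema lives
# under cn=subschemasubentry and is extended with "changetype: modify" plus
# "add: attributetypes" / "add: objectclasses". OIDs/names are made up.
SAMPLE_LDIF = """\
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleSyncFlag'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleSyncUser'
  SUP top AUXILIARY MAY ( exampleSyncFlag ) )

dn: cn=example,cn=Users,dc=com
changetype: add
objectclass: top
objectclass: person
cn: example
sn: example
"""

NAME_RE = re.compile(r"NAME\s+'([^']+)'")


def parse_ldif(text):
    """Return one record (list of (attr, value) pairs) per blank-line-separated
    block. A line starting with a single space is an LDIF continuation and is
    joined onto the previous value. Base64 ("::") values are not decoded here."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            attr, value = current[-1]
            current[-1] = (attr, value + raw[1:])
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        elif raw.startswith("#"):
            continue
        else:
            attr, _, value = raw.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        records.append(current)
    return records


def review_ldif(text):
    """Map 'attributetypes' / 'objectclasses' to the schema element names being
    added under cn=subschemasubentry, 'entries' to the DNs of new entries, and
    'other' to anything else (e.g. modifies of ordinary entries) for manual review."""
    summary = defaultdict(list)
    for record in parse_ldif(text):
        fields = dict(record)
        dn = fields.get("dn", "")
        changetype = fields.get("changetype", "add")  # LDIF default is add
        if changetype == "modify" and dn.lower() == "cn=subschemasubentry":
            for attr, value in record:
                if attr in ("attributetypes", "objectclasses"):
                    match = NAME_RE.search(value)
                    summary[attr].append(match.group(1) if match else value)
        elif changetype == "add":
            summary["entries"].append(dn)
        else:
            summary["other"].append(f"{changetype} {dn}")
    return dict(summary)


if __name__ == "__main__":
    for kind, names in review_ldif(SAMPLE_LDIF).items():
        print(f"{kind}: {', '.join(names)}")
```

Running it against the sample prints one attribute type, one object class and one new entry; anything that lands in "other" is a non-schema change that deserves a closer look before the script is run against OID.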

____________

2. Create two LDAP adapters in OVD

To know more about adapters in OVD click here

2.1 Create adapter of type user_OID

2.1.1 Log in to ODSM and connect to OVD (if you installed OVD with default settings, use SSL port 8899 for OVD). More on ODSM here
2.1.2 Select the Adapter tab in ODSM
2.1.3 Click the Create Adapter button
2.1.4 In the New Adapter wizard select
Adapter Type : LDAP
Adapter Name : userOID
Adapter Template : user_OID
Add the OID details under Connection Details (3060 is the OID port and 192.168.1.75 is the OID server IP)

Naming Space : dc=com (the realm name, aka OID domain, is com in my case; change this as per your OID settings)
2.2 Create adapter of type changelog_OID
2.2.1 Select the Adapter tab in ODSM
2.2.2 Click the Create Adapter button

2.3 Change plug-in value (oamEnabled) of userOID adapter from false to true

2.3.1 From ODSM, log in to OVD -> select Adapter -> select userOID -> select the Plug-ins tab -> select UserManagement -> select Edit Plug-in/Mapping -> change the value of oamEnabled from false to true -> click OK -> click Apply

2.4 Add/Modify plug-in parameter for changelogOID adapter

2.4.1 From ODSM, log in to OVD -> select Adapter -> select changelogOID -> select the Plug-ins tab -> select UserManagement -> select Edit Plug-in/Mapping -> change/add the parameter values as shown below -> click OK -> click Apply

directoryType – oid
mapAttribute – targetGUID=orclGUID
requiredAttribute – orclGUID
addAttribute – orclContainerOC,changelogSupported=1
modifierDNFilter – cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext
sizeLimit – 1000
targetDNFilter – dc=com (change this value as per your OID realm/domain)
mapUserState – true
oamEnabled – true
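To make the changelog plug-in parameters above less opaque, here is an added example (not OVD's code and not from the original post) that models how three of them gate which OID changelog entries OIM's changelog-based reconciliation job consumes. The semantics used are my reading of the parameters: targetDNFilter is the subtree a change must fall under, modifierDNFilter names the account whose own writes are dropped (the oimadmin user, so that changes OIM itself pushed into OID are not synced back again), and sizeLimit caps the entries fetched per run. The changelog entries are constructed, and the "last change number" mirrors the number the post-setup utility reports when it seeds the scheduled jobs:

```python
"""Model of the changelogOID plug-in parameters as filters over OID changelog
entries. Added example: the filter semantics are the author's reading of
targetDNFilter / modifierDNFilter / sizeLimit, not OVD's implementation,
and SAMPLE_CHANGELOG is constructed, not real OID output."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangelogEntry:
    changenumber: int
    targetdn: str
    changetype: str       # add / modify / delete
    modifiersname: str    # DN of the account that made the change


# Parameter values from the post (OIM admin user DN, realm dc=com).
PLUGIN_PARAMS = {
    "targetDNFilter": "dc=com",
    "modifierDNFilter": "cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext",
    "sizeLimit": 1000,
}


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison key for a DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn, base):
    """True if dn equals base or lies anywhere in the subtree below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def select_changes(entries, params, last_change_number):
    """Return the entries OIM should consume, in change-number order: newer than
    the last processed change number, inside targetDNFilter, not written by the
    modifierDNFilter account, and capped at sizeLimit."""
    own_writer = normalize_dn(params["modifierDNFilter"])
    selected = []
    for entry in sorted(entries, key=lambda e: e.changenumber):
        if entry.changenumber <= last_change_number:
            continue                      # already processed in an earlier run
        if not dn_under(entry.targetdn, params["targetDNFilter"]):
            continue                      # outside the realm OIM manages
        if normalize_dn(entry.modifiersname) == own_writer:
            continue                      # OIM's own write to OID: do not echo it back
        selected.append(entry)
        if len(selected) >= params["sizeLimit"]:
            break
    return selected


# Constructed changelog: one change made by oimadmin (OIM's own write), one
# outside the realm, one older than the last processed number.
OIMADMIN_DN = PLUGIN_PARAMS["modifierDNFilter"]
SAMPLE_CHANGELOG = [
    ChangelogEntry(101, "cn=jsmith,cn=Users,dc=com", "add", "cn=orcladmin"),
    ChangelogEntry(102, "cn=jsmith,cn=Users,dc=com", "modify", OIMADMIN_DN),
    ChangelogEntry(103, "cn=test,cn=Users,dc=example", "add", "cn=orcladmin"),
    ChangelogEntry(104, "cn=jdoe,cn=Users,dc=com", "delete", "cn=orcladmin"),
    ChangelogEntry(100, "cn=old,cn=Users,dc=com", "add", "cn=orcladmin"),
]

if __name__ == "__main__":
    for entry in select_changes(SAMPLE_CHANGELOG, PLUGIN_PARAMS, last_change_number=100):
        print(entry.changenumber, entry.changetype, entry.targetdn)
```

With the sample data only changes 101 and 104 survive: 100 was already processed, 102 was OIM's own write, and 103 lies outside dc=com. Getting modifierDNFilter wrong (a typo in the oimadmin DN, or a different account used by the OIM IT Resource) is what turns a one-way sync into a feedback loop, which is why it is worth checking that value against the user created by the pre-setup script.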

___________
3. Configure OIM for LDAP Sync
3.1 Run $ORACLE_HOME/bin/config.sh
3.2 Select OIM Server and follow the post here, with the exception of step 6 of 9


6501 is OVD's non-SSL LDAP port.


The realm/domain for OID in my case is dc=com (change this value as per your OID realm).
_________________

4. Run LDAP Post-Configuration Utility

4.1 Set WL_HOME & JAVA_HOME
4.2 Run $ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh (when prompted, enter the passwords of orcladmin and of the OIM administrator, i.e. XELSYSADM; the OIM managed server oim_server1 must be running)

You should see a message like “Succesfully Update Changelog based schedule jobs with change number : XXXX”
________________

5. Test the LDAP Sync configuration
5.1 Log in to the OIM Administration Console (http://oimserver:14000/oim) and create a user
5.2 Log in to OID via ODSM and check that this user has been synchronized to OID

I encountered two issues while running LDAPConfigPostSetup.sh

Error 1 :

____________
javax.security.auth.login.LoginException: unable to find LoginModule class: weblogic.security.auth.login.UsernamePasswordLoginModule
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext.run(LoginContext.java:683)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java
_____________

Fix 1 : Create wlfullclient.jar. More information here

Error 2:
__________
java.lang.NullPointerException
        at oracle.iam.platformservice.utils.LDAPConfigPostSetup.updateLDAPSyncScheduleJobs(LDAPConfigPostSetup.java:168)
        at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:95)
__________

Fix 2 : Make sure that OIM has been configured with the LDAP Sync option (follow step 3) before running LDAPConfigPostSetup.sh

