Integrate Oracle ECM/UCM (Content Management) 11g with Oracle Internet Directory (LDAP Server) : Things you must know

This post covers things you must know when integrating Oracle Enterprise Content Management 11g with Oracle Internet Directory (OID). OID is an LDAP version 3 compliant directory server from Oracle. The latest release of OID (as of 5 April 2011) is 11gR1 PS3 11.1.1.4. For steps on how to install OID 11g click here.

If you are new to Oracle Enterprise Content Management, then check my previous post on the ECM components:

ECM – Enterprise Content Management
UCM – Universal Content Management
IPM – Image & Process Management
IRM – Information Rights Management

Why should you integrate Oracle ECM/UCM with Oracle Internet Directory (OID) ?
Oracle Enterprise Content Management (ECM) 11g or Universal Content Management (UCM) 11g by default uses WebLogic’s embedded LDAP server to store ECM/UCM users. Though WebLogic’s embedded LDAP server is good enough for development purposes, for performance, security and maintenance reasons it is recommended to integrate ECM/UCM with an enterprise-level LDAP server (OID). Apart from acting as the user repository, the external LDAP server (OID) can also be used to store policy (as the Policy Store) for the WebLogic domain on which ECM runs. More on managing the Policy Store in Fusion Middleware here. By default a WebLogic domain uses an XML file (on the file system) as its Policy Store.


Things good to know before integrating ECM with OID

1. For Oracle Image and Process Management (IPM – component of ECM), the user who logs in first to an Oracle I/PM Managed Server is provisioned with full security throughout the server.

2. The first user who logs in to the Information Rights Management (IRM – component of ECM) console is made the IRM Domain Administrator for the Oracle IRM instance. Note: the IRM Console is different from the WebLogic Console, and the IRM Domain is different from the WebLogic Domain.

3. If a user logs into the IRM console after installation but before integrating with LDAP (OID), then run setIRMExportFolder (WebLogic script), re-associate the WebLogic domain to use the external LDAP (OID), and then run setIRMImportFolder (WebLogic script).

4. The setIRMExportFolder command dumps XML files containing users/groups into the folder given to the setIRMExportFolder command.

5. The setIRMImportFolder command reads the XML files containing users/groups from the folder given to the setIRMImportFolder command, and updates the global user ID (GUID) values in the Oracle IRM system to reflect the values in the external identity/LDAP server (OID).

6. setIRMImportFolder is unable to handle a user and a group with the same name. If you have user 123 and group 123, then setIRMImportFolder will migrate data for either user 123 or group 123 (not both). Manually reconcile users/groups with the same name.

7. IPM caches the GUID (attribute set of a user) from the LDAP server in IPM’s local tables. If there is a mismatch in GUID between the external LDAP server (OID) and IPM’s local table, then use refreshIPMSecurity (LDAP script) to refresh the GUID in IPM’s local table (with the GUID value from the LDAP provider). You can also use Fusion Middleware Control (/em) via the application-defined MBean oracle.imaging.

8. IPM’s local tables caching users’ GUIDs are SYSTEM_SECURITY, DEFINITION_SECURITY and DOCUMENT_SECURITY.

9. Use the WebLogic Console to add OID as an Authentication provider (OracleInternetDirectoryAuthenticator) and set the JAAS control flag to SUFFICIENT for both the default authenticator and the OID authenticator. For steps on how to integrate a WebLogic domain with OID click here.
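The same change as item 9, scripted with WLST instead of the Console, as an added example that is not part of the original post. Host names, ports, base DNs and the bind DN are placeholders to replace with your own; the admin and OID bind passwords are taken from the command line (java weblogic.WLST add_oid.py <adminpw> <oidpw>) rather than hard-coded.

```jython
# Added example (not from the original post): WLST script that adds OID as an
# authentication provider and sets both authenticators to SUFFICIENT (item 9).
# All host names, ports, DNs and names below are placeholders.
import sys
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL  = 't3://adminhost.example.com:7001'   # placeholder Admin Server URL
OID_HOST   = 'oidhost.example.com'               # placeholder OID host
OID_PORT   = 3060                                # OID non-SSL LDAP port (placeholder)
USER_BASE  = 'cn=Users,dc=example,dc=com'        # placeholder user search base
GROUP_BASE = 'cn=Groups,dc=example,dc=com'       # placeholder group search base

connect('weblogic', sys.argv[1], ADMIN_URL)      # admin password from argv, not in the file
edit()
startEdit()

realm = cmo.getSecurityConfiguration().getDefaultRealm()

# Create the OID authenticator: same provider type the WebLogic Console offers.
oid = realm.createAuthenticationProvider('OIDAuthenticator',
        'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator')
oid.setHost(OID_HOST)
oid.setPort(OID_PORT)
oid.setPrincipal('cn=orcladmin')                 # placeholder bind DN
oid.setCredential(sys.argv[2])                   # bind password from argv
oid.setUserBaseDN(USER_BASE)
oid.setGroupBaseDN(GROUP_BASE)
oid.setControlFlag('SUFFICIENT')

# The embedded-LDAP DefaultAuthenticator must also be SUFFICIENT, otherwise a
# user that exists in only one of the two stores cannot log in.
default_auth = realm.lookupAuthenticationProvider('DefaultAuthenticator')
default_auth.setControlFlag('SUFFICIENT')

# Order the providers so OID is consulted before the embedded LDAP.
realm.setAuthenticationProviders(
    jarray.array([oid, default_auth], AuthenticationProviderMBean))

save()
activate()
disconnect()
```

Authentication provider changes are not dynamic: restart the Administration Server and the ECM managed servers after activate() before testing an OID login.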

10. In order for attributes to be searchable in OID, the following attributes must be indexed in OID – orclrolescope, orclassignedroles, orclApplicationCommonName, orclAppFullName, orclCSFAlias, orclCSFKey, orclCSFName, orclCSFDBUrl, orclCSFDBPort, orclCSFCredentialType, orclCSFExpiryTime, modifytimestamp, createtimestamp, orcljpsassignee.


About the Author Masroof Ahmad
