This is part VIII of step by step installation of Oracle Identity Management (OAM, OIM, OAAM, OAPM & OIN) which covers configuring LDAP Sync with OIM 11g.
LDAP Sync with OIM 11g: OIM will sync users to LDAP (OID in this case). OIM LDAP Synchronization uses OVD/OID to synchronize users from OIM to OID. LDAP Sync is mandatory for integration of Oracle Identity Manager (OIM) with Oracle Access Manager (OAM).
Requirement: OIM (11g R1) LDAP Sync requires Oracle Virtual Directory (OVD) and Oracle Internet Directory (OID). (In this release of OIM, LDAP sync is limited to the OID server.)
What happens when you configure LDAP Sync in OIM 11g? The configuration process creates the schema (object classes) in OID for OIM & OAM. It also creates an IT Resource in OIM which automatically synchronizes the user to OID when you create/modify/delete a user in OIM.
High Level steps for LDAP Sync configuration with OIM
1. Run LDAP Pre Configuration Setup (on OIM Server)
2. Create two adapters in OVD (on OVD via ODSM)
3. Run LDAP Post Configuration Setup (on OIM Server)
OIM LDAP Sync configuration
1. Run LDAP Preconfiguration Utility
1.1 Edit $OIM_ORACLE_HOME/server/ldap_config_util/ldapconfig.props and add OIMProviderURL, OIDURL, OIDAdminUsername, OIDSearchBase, UserContainerName, RoleContainerName, ReservationContainerName
ReservationContainerName – This is the name of the container in OID in which users stay who have been created but not yet approved in OIM (once they are approved they are moved to the container represented by UserContainerName)
1.2 Set WL_HOME & JAVA_HOME
1.3 Run $ORACLE_HOME/server/ldap_config_util/LDAPConfigPreSetup.sh (when prompted enter the password of orcladmin)
The above command will:
a) Extend the OID schema using (More on OID Schema here)
i) oimadminuser.ldif, oimcontainers.ldif from $ORACLE_HOME/server/ldap_config_util
ii) OID_oblix_schema_add.ldif, OID_oblix_schema_index_add.ldif, OID_oblix_pwd_schema_add.ldif from $ORACLE_HOME/oam/server/oim-intg/schema/ (the Oblix schema extension is required for OIM integration with OAM)
b) Create user oimadmin under cn=oim,cn=products,cn=oracleContext
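Before running LDAPConfigPreSetup.sh it is worth checking that ldapconfig.props actually carries every property step 1.1 asks for, because the pre-setup script connects to OID with these values. The script below is an added example, not part of this post or of OIM itself: it parses the Java-style properties file, checks the seven property names from step 1.1, checks that OIDURL is an ldap(s)://host:port URL, and checks that the three container names are DNs under OIDSearchBase (that last rule is my assumption about how the containers are used). The sample file, host, port and container DNs are constructed values.

```python
"""Pre-flight check of an OIM 11g ldapconfig.props file (hypothetical helper).

Not an OIM tool. Parses the properties file, verifies the keys named in
step 1.1 are present, that OIDURL is ldap(s)://host:port, and that the
user/role/reservation containers are DNs under OIDSearchBase (assumed rule).
"""
import re
from urllib.parse import urlparse

# Property names exactly as listed in step 1.1 of the post
REQUIRED_KEYS = (
    "OIMProviderURL", "OIDURL", "OIDAdminUsername", "OIDSearchBase",
    "UserContainerName", "RoleContainerName", "ReservationContainerName",
)

# Constructed sample file; hosts, ports and container DNs are assumptions
SAMPLE_PROPS = """\
# OIM LDAP sync properties (constructed example)
OIMProviderURL=t3://oimserver:14000
OIDURL=ldap://192.168.1.75:3060
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=com
UserContainerName=cn=Users,dc=com
RoleContainerName=cn=Groups,dc=com
ReservationContainerName=cn=reserve,dc=com
"""

# Java properties: key, then the first '=' or ':' (or whitespace), then the value
PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse key/value lines of a Java properties file; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def dn_components(dn):
    """Split a DN into lowercase RDNs: 'cn=Users,dc=com' -> ['cn=users', 'dc=com']."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_under(child, base):
    """True when the child DN equals the base DN or sits below it."""
    c, b = dn_components(child), dn_components(base)
    return len(c) >= len(b) and c[-len(b):] == b


def check_ldap_config(text):
    """Return a list of problems found in the properties text (empty list = looks fine)."""
    props = parse_properties(text)
    problems = [f"missing or empty property: {key}"
                for key in REQUIRED_KEYS if not props.get(key)]
    if problems:
        return problems
    url = urlparse(props["OIDURL"])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname or not url.port:
        problems.append("OIDURL must be ldap(s)://host:port")
    base = props["OIDSearchBase"]
    for key in ("UserContainerName", "RoleContainerName", "ReservationContainerName"):
        if not dn_under(props[key], base):
            problems.append(f"{key} ({props[key]}) is not under OIDSearchBase ({base})")
    if dn_components(props["UserContainerName"]) == dn_components(props["ReservationContainerName"]):
        problems.append("UserContainerName and ReservationContainerName must differ")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPS
    for problem in check_ldap_config(text) or ["ldapconfig.props looks complete"]:
        print(problem)
```

Run it as `python check_props.py $OIM_ORACLE_HOME/server/ldap_config_util/ldapconfig.props` (file name assumed); with no argument it checks the constructed sample.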
____________
2. Create two LDAP adapters in OVD
To know more about adapters in OVD click here
2.2 Create adapter of type user_OID
2.2.1 Login to ODSM to connect to OVD (If you have installed OVD with default settings then use SSL port 8899 for OVD). More on ODSM here
2.2.2 Select Adapter tab in ODSM
2.2.3 Click Create Adapter button
2.2.4 In new Adapter Wizard select
Adapter Type : LDAP
Adapter Name : userOID
Adapter Template : user_OID
Add the OID details under Connection Details (3060 is the OID port and 192.168.1.75 is the OID server IP in my case)
Naming Space : dc=com (Realm Name aka OID domain in my case is com – Change this as per your OID settings)
2.3 Create Adapter of type changelog_OID
2.3.1 Select Adapter tab in ODSM
2.3.2 Click Create Adapter button
2.4 Change plug-in value (oamEnabled) of userOID adapter from false to true
2.4.1 From ODSM login to OVD -> Select Adapter -> select userOID -> Select tab Plug-ins -> Select UserManagement -> Select Edit Plug-in/Mapping -> Change value of oamEnabled from false to true -> click OK -> Click Apply
2.5 Add/Modify plug-in parameters for changelogOID adapter
2.5.1 From ODSM login to OVD -> Select Adapter -> select changelogOID -> Select tab Plug-ins -> Select UserManagement -> Select Edit Plug-in/Mapping -> Change/Add the parameter values as shown below -> click OK -> Click Apply
directoryType – oid
mapAttribute – targetGUID=orclGUID
requiredAttribute – orclGUID
addAttribute – orclContainerOC,changelogSupported=1
modifierDNFilter – cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext
sizeLimit – 1000
targetDNFilter – dc=com (Change this value as per your OID realm/domain)
mapUserState – true
oamEnabled – true
___________
3. Configure OIM for LDAP Sync
3.1 Run $ORACLE_HOME/bin/config.sh
3.2 Select OIM Server and follow the post here, with the exception of step 6 of 9
6501 is OVD's non-SSL LDAP port.
Realm/domain for OID in my case is dc=com (change this value as per your OID realm)
_________________
4. Run LDAP Post-Configuration Utility
4.1 Set WL_HOME & JAVA_HOME
4.2 Run $ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh (when prompted enter the password of orcladmin & of the OIM Administrator, i.e. XELSYSADM; the OIM Managed Server oim_server1 should be running)
You should see a message like “Succesfully Update Changelog based schedule jobs with change number : XXXX”
________________
5. Test LDAP Sync configuration
5.1 Log in to the OIM Administration Console (http://oimserver:14000/oim) and create a user
5.2 Log in to OID via ODSM and check whether this user has been synchronized to OID
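Checking in ODSM works for one user; for repeated checks it is handier to search the directory and read the result programmatically. The script below is an added example, not part of this post or of OIM/OVD: it parses LDIF as printed by an ldapsearch against OVD (for example, with the OpenLDAP client, `ldapsearch -x -H ldap://ovdhost:6501 -b "dc=com" "(uid=jdoe)"`, host name assumed), finds the entry for a given uid and reports whether it sits in the user container, in the reservation container from step 1.1 (created but not yet approved), somewhere else, or is missing. The LDIF sample and the container DNs (cn=Users,dc=com and cn=reserve,dc=com) are constructed values.

```python
"""Report where an OIM user landed in OID from ldapsearch LDIF output (hypothetical helper).

Not an OIM or OVD tool. Pipe the LDIF that ldapsearch prints into this script
or call sync_state() with it; the container DNs default to constructed values.
"""
import base64
import re
import sys

# Constructed LDIF standing in for real ldapsearch output; DNs are assumptions
SAMPLE_LDIF = """\
# search result for (uid=*), constructed sample
version: 1

dn: cn=jdoe,cn=Users,dc=com
objectClass: inetOrgPerson
cn: jdoe
sn: Doe
uid: jdoe

dn: cn=asmith,cn=reserve,dc=com
objectClass: inetOrgPerson
cn: asmith
sn: Smith
uid: asmith
description:: QXdhaXRpbmcgYXBwcm92YWw=
"""

# attribute name, then ':' (plain) or '::' (base64), optional space, value
LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry maps a lowercase attribute name to its values."""
    entries, entry = [], {}
    for line in unfold(text):
        if not line.strip():            # blank line ends an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":                 # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def dn_components(dn):
    """Split a DN into lowercase RDNs for comparison."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_under(child, base):
    """True when the child DN equals the base DN or sits below it."""
    c, b = dn_components(child), dn_components(base)
    return len(c) >= len(b) and c[-len(b):] == b


def sync_state(ldif_text, uid, user_container="cn=Users,dc=com",
               reservation_container="cn=reserve,dc=com"):
    """Return (state, dn) where state is 'active', 'reserved', 'elsewhere' or 'missing'."""
    for entry in parse_ldif(ldif_text):
        if uid.lower() in (v.lower() for v in entry.get("uid", [])):
            dn = entry["dn"][0]
            if dn_under(dn, reservation_container):
                return "reserved", dn   # created in OIM, not yet approved
            if dn_under(dn, user_container):
                return "active", dn     # approved user, synced to the user container
            return "elsewhere", dn
    return "missing", None


if __name__ == "__main__":
    # usage: ldapsearch ... | python sync_state.py jdoe  (file name assumed)
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for uid in sys.argv[1:] or ["jdoe", "asmith", "nobody"]:
        print(uid, *sync_state(ldif, uid))
```

A user that stays "missing" after the LDAP sync scheduled jobs have run is the case to investigate: with LDAP sync enabled, creating the user in OIM should produce the OID entry without any further action.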
I encountered two issues while running LDAPConfigPostSetup.sh
Error 1 :
____________
javax.security.auth.login.LoginException: unable to find LoginModule class: weblogic.security.auth.login.UsernamePasswordLoginModule
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java
_____________
Fix 1: Create wlfullclient.jar. More information here
Error 2:
__________
java.lang.NullPointerException
    at oracle.iam.platformservice.utils.LDAPConfigPostSetup.updateLDAPSyncScheduleJobs(LDAPConfigPostSetup.java:168)
    at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:95)
__________
Fix 2: Make sure that OIM is configured with the LDAP Sync option (follow step 3) before running LDAPConfigPostSetup.sh