How to identify which LDAP (OID/AD/OVD) server OAM 11g connects to and as what user ?
.
.
OAM 11g identity store is covered in my book and this post covers steps to find what identity store (OID, OVD, AD or other LDAP Server) configured with OAM and what user OAM uses to connect to User Store (LDAP Server).
When you try to login to OAM server using username/password, OAM collects this username/password and validates them against User Identity Store configured with OAM. This configuration is stored in OAM configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml
By default OAM 11g is configured with WebLogic’s embedded LDAP server
<Setting Name=”UserIdentityStore” Type=”htf:map”>
<Setting Name=”Name” Type=”xsd:string”>UserIdentityStore1</Setting>
<Setting Name=”Type” Type=”xsd:string”>LDAP</Setting>
<Setting Name=”LDAP_URL” Type=”xsd:string”>ldap://ldap-host:7001</Setting>
<Setting Name=”SECURITY_PRINCIPAL” Type=”xsd:string”>cn=Admin</Setting>
<Setting Name=”SECURITY_CREDENTIAL” Type=”xsd:string”>{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
<Setting Name=”USER_SEARCH_BASE” Type=”xsd:string”>ou=people,ou=myrealm,dc=base_domain</Setting>
<Setting Name=”GROUP_SEARCH_BASE” Type=”xsd:string”>ou=groups,ou=myrealm,dc=base_domain</Setting>
<Setting Name=”USER_NAME_ATTRIBUTE” Type=”xsd:string”>uid</Setting>
<Setting Name=”LDAP_PROVIDER” Type=”xsd:string”>EMBEDDED_LDAP</Setting>
<Setting Name=”UserIdentityProviderType” Type=”xsd:string”>OracleUserRoleAPI</Setting>
<Setting Name=”IsPrimary” Type=”xsd:boolean”>false</Setting>
<Setting Name=”IsSystem” Type=”xsd:boolean”>false</Setting>
<Setting Name=”RoleMappings” Type=”htf:map”>
<Setting Name=”Role Security Admin” Type=”htf:map”>
<Setting Name=”Groups” Type=”xsd:string”>Administrators</Setting>
<Setting Name=”Users” Type=”xsd:string”>weblogic</Setting>
</Setting>
<Setting Name=”Role System Monitor” Type=”xsd:string”>Monitors</Setting>
<Setting Name=”Role Application Administrator” Type=”xsd:string”>Operators</Setting>
<Setting Name=”Role System Manager” Type=”xsd:string”>Deployers</Setting>
</Setting>
You can integrate OAM to external LDAP store like OID/OVD/AD using step for 11.1.1.3 click here and for 11.1.1.5 click here . You can also integrate OAM with LDAP store using idmConfigTool.sh -configOAM more here and here
When you integrate OAM with external Identity store then you see entry in oam-config.xml like
<Setting Name=”5412E65C1172336B91″ Type=”htf:map”>
<Setting Name=”SECURITY_PRINCIPAL” Type=”xsd:string”>cn=oamLDAP, cn=Users,dc=onlineAppsDBA,dc=com</Setting>
<Setting Name=”GROUP_SEARCH_BASE” Type=”xsd:string”>cn=Groups,dc=onlineAppsDBA,dc=com</Setting>
<Setting Name=”USER_NAME_ATTRIBUTE” Type=”xsd:string”>uid</Setting>
<Setting Name=”IsSystem” Type=”xsd:boolean”>true</Setting>
<Setting Name=”GroupCacheEnabled” Type=”xsd:boolean”>false</Setting>
<Setting Name=”IsPrimary” Type=”xsd:boolean”>true</Setting>
<Setting Name=”Name” Type=”xsd:string”>OIMIDStore</Setting>
<Setting Name=”SECURITY_CREDENTIAL” Type=”xsd:string”>{AES}469BF6D04A46BA1699D174439725D3D8</Setting>
<Setting Name=”SearchTimeLimit” Type=”xsd:integer”>0</Setting>
<Setting Name=”RoleMappings” Type=”htf:map”>
<Setting Name=”Role Security Admin” Type=”htf:map”>
<Setting Name=”Groups” Type=”xsd:string”>OAMAdministrators</Setting>
<Setting Name=”Users” Type=”xsd:string”>oamadmin</Setting>
</Setting>
</Setting>
<Setting Name=”LDAP_PROVIDER” Type=”xsd:string”>OID</Setting>
<Setting Name=”GROUP_NAME_ATTR” Type=”xsd:string”></Setting>
<Setting Name=”ENABLE_PASSWORD_POLICY” Type=”xsd:boolean”>true</Setting>
<Setting Name=”USER_SEARCH_BASE” Type=”xsd:string”>cn=Users,dc=onlineAppsDBA,dc=com</Setting>
<Setting Name=”LDAP_URL” Type=”xsd:string”>ldap://innowave21:3065</Setting>
<Setting Name=”GroupCacheTTL” Type=”xsd:integer”>0</Setting>
<Setting Name=”UserIdentityProviderType” Type=”xsd:string”>OracleUserRoleAPI</Setting>
</Setting>
Here
a) <Setting Name=”IsSystem” Type=”xsd:boolean”>true</Setting> means this ID store is System Identity Store
b) <Setting Name=”IsPrimary” Type=”xsd:boolean”>true</Setting> means this ID store is Primary Identity Store
c) <Setting Name=”SECURITY_PRINCIPAL” Type=”xsd:string”>cn=oamLDAP, cn=Users,dc=onlineAppsDBA,dc=com</Setting> means this user will connect to OID and validates user password (LDAPCOMPARE)
d) <Setting Name=”Role Security Admin” Type=”htf:map”>
<Setting Name=”Groups” Type=”xsd:string”>OAMAdministrators</Setting>
<Setting Name=”Users” Type=”xsd:string”>oamadmin</Setting>
Means that user in group OAMAdministrators and user oamadmin in system Identity Store (IsSystem=true)
e) <Setting Name=”LDAP_URL” Type=”xsd:string”>ldap://innowave21:3065</Setting> means OAM is integrated with LDAP server running on host innowave21 and listening on port 3065
There are two type of Identity Store in OAM
a) System Identity Store : Used for administrative login like /oamconsole
b) User Identity Store : User are authenticated using this this identity store
Note :
1. From OAM 11.1.1.5 onwards you can configure multiple User Identity Store. In OAM 11.1.1.3 only single identity store is supported
2. System Identity Store and User Identity Store “both can” points to same LDAP store or to different LDAP Stores
When you try to login as OAM Administrator (/oamconsole ), this user must be available in System Identity Store and must be defined under setting Role Security Admin (Groups/Users)
About the Author Atul Kumar
Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.