Sunday, May 18, 2014

LDAP Sync in OIM 11g

Steps to Setup LDAP Sync After Install in OIM 11g:

Note: For simplicity, we use the following hosts and ports as example values for the various components involved in setting up LDAP sync.

Host and port details for OID and OVD: 

OID/OVD host name: oidovd.oracle.com
OID non-SSL port (LDAP): 3060
OID SSL port (LDAPS): 3131
OVD non-SSL port (LDAP): 6501
OID/OVD managed server port: 7005 (used to access ODSM)
OID search base: dc=oracle,dc=com
DN of user container: cn=oimusers,dc=oracle,dc=com
DN of role container: cn=oimroles,dc=oracle,dc=com
DN of reserve container: cn=oimreserve,dc=oracle,dc=com

Host and port details for OIM: 

OIM host name: oim.oracle.com 
OIM managed server port: 8003 

Details for Database:

OIM schema owner and password: OIMUSER/******
Database host: dbhost.oracle.com
Listener port: 1521

The following environment variables are referred to later in this article. They are not necessarily set in a deployment; they are used only to clarify the location of the various files mentioned in this article:

$MW_HOME - This refers to the directory in which Weblogic is installed, for example
/home/oracle/wlsinstallhome

$OIM_HOME - This refers to the directory in which OIM is installed, for example 
/home/oracle/wlsinstallhome/Oracle_IDM1

1. Run the LDAP pre-configuration utility (Task 1) as per the documentation. This tool performs the following tasks:

1.1 Creates a user in OID and assigns the appropriate permissions to the base container and the changelog, using the file
$OIM_HOME/server/ldap_config_util/oimadminuser.ldif

1.2 Creates the user, role and user reservation containers under the search base, using the file
$OIM_HOME/server/ldap_config_util/oimcontainers.ldif

1.3 Creates the schema objects required for OAM, using the following files in $OIM_HOME/oam/server/oim-intg/schema:
OID_oblix_pwd_schema_add.ldif
OID_oblix_schema_add.ldif
OID_oblix_schema_index_add.ldif
OID_oim_pwd_schema_add.ldif

As we can see, all of these steps are LDAP operations; LDAPConfigPreSetup.bat/sh does not perform any configuration in OIM or OVD. The documentation advises modifying the values in the file $OIM_HOME/server/ldap_config_util/ldapconfig.props.

Note that the LDAP details provided here are for OID, not for OVD. Also, the values for UserContainerName, RoleContainerName and ReservationContainerName must be relative distinguished names (a single RDN), not full DNs. Using the example values listed above, our ldapconfig.props would be:

OIDURL=ldap://oidovd.oracle.com:3060
OIMProviderURL=t3://oim.oracle.com:8003
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=oracle,dc=com
UserContainerName=cn=oimusers
RoleContainerName=cn=oimroles
ReservationContainerName=cn=oimreserve

In step 1.2, the following entries will then be created:

cn=oimusers,dc=oracle,dc=com
cn=oimroles,dc=oracle,dc=com
cn=oimreserve,dc=oracle,dc=com
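The two points above (container names are RDNs, and the tool creates them under OIDSearchBase) are easy to get wrong when editing ldapconfig.props by hand. The following Python script is an added example, not part of OIM or its ldap_config_util tooling: it parses a ldapconfig.props body, checks that the URLs and container names have the expected shape, and derives the full DNs that step 1.2 will create. The sample file content is constructed from the values used in this article.

```python
from urllib.parse import urlsplit

# Constructed sample: the ldapconfig.props values used in this article.
SAMPLE_PROPS = """\
OIDURL=ldap://oidovd.oracle.com:3060
OIMProviderURL=t3://oim.oracle.com:8003
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=oracle,dc=com
UserContainerName=cn=oimusers
RoleContainerName=cn=oimroles
ReservationContainerName=cn=oimreserve
"""

CONTAINER_KEYS = ("UserContainerName", "RoleContainerName", "ReservationContainerName")
REQUIRED_KEYS = ("OIDURL", "OIMProviderURL", "OIDAdminUsername", "OIDSearchBase") + CONTAINER_KEYS


def parse_props(text):
    """Minimal Java-properties reader: key=value lines, '#' comments, blank lines.
    Splitting on the first '=' keeps values such as cn=orcladmin intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_ldapconfig(text):
    """Return (problems, derived_dns) for the body of a ldapconfig.props file.

    derived_dns maps each container key to the full DN that step 1.2 creates:
    the RDN from the file appended to OIDSearchBase, as the entries listed in
    the article show."""
    props = parse_props(text)
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"{key} is missing or empty")

    url = urlsplit(props.get("OIDURL", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname or url.port is None:
        problems.append("OIDURL must be ldap://host:port or ldaps://host:port, pointing at OID (not OVD)")
    if urlsplit(props.get("OIMProviderURL", "")).scheme != "t3":
        problems.append("OIMProviderURL must use the t3:// scheme of the OIM managed server")

    derived = {}
    base = props.get("OIDSearchBase", "")
    for key in CONTAINER_KEYS:
        rdn = props.get(key, "")
        # The article requires a relative DN here: one attr=value pair, no comma.
        if "," in rdn or "=" not in rdn:
            problems.append(f"{key} must be a single RDN such as cn=oimusers, got {rdn!r}")
        elif base:
            derived[key] = f"{rdn},{base}"
    return problems, derived


if __name__ == "__main__":
    found, dns = check_ldapconfig(SAMPLE_PROPS)
    for p in found:
        print("PROBLEM:", p)
    for key, dn in dns.items():
        print(f"{key}: step 1.2 will create {dn}")
```

Run it against the real file with `check_ldapconfig(open("ldapconfig.props").read())` before executing LDAPConfigPreSetup.sh; the derived DNs are the ones to expect in OID afterwards and the ones you will need again, in OVD form, in steps 3 and 4.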

LDAPConfigPreSetup.bat/sh can be re-executed if errors occur. During a subsequent execution, errors such as "object already exists" can be ignored.

2. Configure the OVD adapters as per the documentation (Task 2).

There are a couple of things to note when configuring the OVD adapters:

2.1 For the changelog adapter, the value of the "Remote Base" field must be cn=changelog. The value of "Root" can be anything, but it is easiest to use the same value as in "Remote Base".

2.2 For the user adapter, the value of "Remote Base" should be the same as the value used for OIDSearchBase in ldapconfig.props (dc=oracle,dc=com in our case).

This is the value OVD uses when it performs LDAP operations against OID. The value of "Root" is what OIM uses when it performs LDAP operations against OVD. It can be any valid LDAP DN (distinguished name), and it will be used later to configure OIM for LDAP sync.

2.3 The value of the changelog plugin attribute targetDNFilter should be the same as the value of OIDSearchBase. If it is set to a lower level, for example to cn=oimusers,dc=oracle,dc=com, then role reconciliation will not work.

2.4 The value of the changelog plugin attribute modifierDNFilter must be cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext (this OID user was created in step 1.1). This value is used during the reconciliation process to avoid reconciling entries that were modified by LDAP sync itself.

3. Modify the IT Resource "Directory Server" using the OIM admin console.

3.1 The Server URL and admin credentials are for OVD, not for OID. The Admin DN needs to be a full DN, for example cn=oimusers,dc=oracle,dc=com.

3.2 Changelog Container must be the same as the value of "Root" defined in step 2.1.

3.3 User Reservation Container needs to be a full DN, for example cn=oimreserve,dc=oracle,dc=com. It needs to be somewhere under the "Root" defined in step 2.2.

3.4 Search Base needs to be a full DN, for example dc=oracle,dc=com. It needs to be the same as, or somewhere under, the "Root" defined in step 2.2.
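The rules in 3.1 to 3.4 are all relationships between DNs as OVD presents them, and the same entry can be written with different case or with spaces after the commas (a point the metadata step below returns to). The following Python script is an added example, not part of OIM: it normalises DNs into RDN sequences and applies the step 3 rules to a constructed copy of the IT Resource values. It assumes the adapter Root values from steps 2.1 and 2.2 are cn=changelog and dc=oracle,dc=com (that is, equal to Remote Base) and that OVD listens on the article's port 6501.

```python
from urllib.parse import urlsplit

# Assumed adapter settings from steps 2.1 and 2.2 (Root taken equal to Remote Base).
CHANGELOG_ROOT = "cn=changelog"
USER_ROOT = "dc=oracle,dc=com"
OVD_URL = "ldap://oidovd.oracle.com:6501"   # the OVD LDAP port, not OID's 3060

# Constructed sample of the "Directory Server" IT Resource, using the article's values.
SAMPLE_IT_RESOURCE = {
    "Server URL": "ldap://oidovd.oracle.com:6501",
    "Admin DN": "cn=oimusers,dc=oracle,dc=com",
    "Changelog Container": "cn=changelog",
    "User Reservation Container": "cn=oimreserve, dc=oracle,dc=com",
    "Search Base": "dc=oracle,dc=com",
}


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def normalize_dn(dn):
    """Return the DN as (attr, value) tuples, lower-cased and stripped of the
    optional whitespace around commas, so spelling differences do not matter."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def same_or_under(dn, root):
    """True if dn is root itself or lies somewhere beneath it."""
    d, r = normalize_dn(dn), normalize_dn(root)
    return len(d) >= len(r) and d[len(d) - len(r):] == r


def strictly_under(dn, root):
    """True if dn is beneath root but not root itself."""
    return same_or_under(dn, root) and len(normalize_dn(dn)) > len(normalize_dn(root))


def check_it_resource(res, changelog_root=CHANGELOG_ROOT, user_root=USER_ROOT, ovd_url=OVD_URL):
    """Apply the step 3 rules to an IT Resource dict; return a list of problems."""
    problems = []
    got, want = urlsplit(res["Server URL"]), urlsplit(ovd_url)
    if (got.scheme, got.hostname, got.port) != (want.scheme, want.hostname, want.port):
        problems.append(f"Server URL must point at OVD ({ovd_url}), not at OID")
    for key in ("User Reservation Container", "Search Base"):
        if len(normalize_dn(res[key])) < 2:
            problems.append(f"{key} must be a full DN, not a bare RDN")
    if normalize_dn(res["Changelog Container"]) != normalize_dn(changelog_root):
        problems.append("Changelog Container must equal the Root of the changelog adapter (step 2.1)")
    if not strictly_under(res["User Reservation Container"], user_root):
        problems.append("User Reservation Container must lie under the Root of the user adapter (step 2.2)")
    if not same_or_under(res["Search Base"], user_root):
        problems.append("Search Base must be the same as or under the Root of the user adapter (step 2.2)")
    return problems


if __name__ == "__main__":
    for p in check_it_resource(SAMPLE_IT_RESOURCE) or ["IT Resource values are consistent"]:
        print(p)
```

If you chose a different Root for the user adapter in step 2.2, pass it as `user_root`; the containment checks then tell you whether the OVD-side DNs you are about to enter really sit under that Root.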

4. Import the metadata required for LDAP sync into MDS.

4.1 Copy the complete directory $OIM_HOME/server/metadata/db to a new directory, for example /tmp/metadata/db. Note that the user executing the following operations needs full access to this new directory structure.

4.2 Remove the file oim-config.xml from /tmp/metadata/db.

4.3 Update /tmp/metadata/db/LDAPContainerRules.xml and replace:

$DefaultUserContainer$ with the full DN of the user container, for example
cn=oimusers,dc=oracle,dc=com
$DefaultRoleContainer$ with the full DN of the role container, for example
cn=oimroles,dc=oracle,dc=com

These values are DNs as OVD shows them; depending on the settings made in steps 2.1 and 2.2, that might not be the same as the OID representation of the DN of the same entry.

Our sample LDAPContainerRules.xml is:

<?xml version="1.0"?>
<container-rules>
  <user>
    <rule>
      <expression>Default</expression>
      <container>cn=oimusers,dc=oracle,dc=com</container>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=oimroles,dc=oracle,dc=com</container>
    </rule>
  </role>
</container-rules>

4.4 Import the metadata into the MDS repository, using /tmp/metadata as the from-location. Essentially, in MDS these files should end up under the location /db.

4.4.1 Modify $OIM_HOME/server/bin/weblogic.properties, following the instructions in that file itself. For our import operation, the relevant sample values are:

metadata_from_loc=/home/oracle/tmp/metadata
wls_servername=oim_server1
application_name=OIMMetadata

4.4.2 Execute weblogicImportMetadata.bat/sh as described here:
Note that this script asks for the WebLogic server details. The information provided must be for the managed server. Example:

./weblogicImportMetadata.sh 
Starting import metadata script .... 
Please enter your username [weblogic] : 
Please enter your password [welcome1] : 
Please enter your server URL [t3://localhost:7001] :t3://oim.oracle.com:8003

5. Seed the LDAP reconciliation scheduled jobs into the OIM database.

5.1 Create the file oim.profile in any directory with the following properties, replacing all values surrounded by <> with the proper values.

operationsDB.user=<OIM DB User Name>
operationsDB.password=<OIM DB User Password>
operationsDB.driver=oracle.jdbc.xa.client.OracleXADataSource
operationsDB.host=<DB Host>
operationsDB.port=<DB listener port>
operationsDB.SID=<DB SID>
OIM.DBPassword=<OIM DB User Password>

oim.profile with our sample values: 

operationsDB.user=OIMUSER
operationsDB.password=welcome1
operationsDB.driver=oracle.jdbc.xa.client.OracleXADataSource
operationsDB.host=dbhost.oracle.com
operationsDB.port=1521
operationsDB.SID=IAM
OIM.DBPassword=welcome1

Note: Remove all trailing spaces from each line.
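The note about trailing spaces matters because Java-style property readers keep trailing whitespace as part of the value, so "welcome1 " is a different password from "welcome1" and the seeding step fails with a confusing database error. The following Python script is an added example, not part of OIM or its seed_data tooling: it lints an oim.profile body for trailing whitespace, unreplaced <placeholder> values, missing keys, the expected XA driver class, a numeric port, and agreement between the two password properties. The sample content is constructed from the values used in this article.

```python
import re

# Constructed sample: the oim.profile values used in this article.
SAMPLE_PROFILE = """\
operationsDB.user=OIMUSER
operationsDB.password=welcome1
operationsDB.driver=oracle.jdbc.xa.client.OracleXADataSource
operationsDB.host=dbhost.oracle.com
operationsDB.port=1521
operationsDB.SID=IAM
OIM.DBPassword=welcome1
"""

REQUIRED = ("operationsDB.user", "operationsDB.password", "operationsDB.driver",
            "operationsDB.host", "operationsDB.port", "operationsDB.SID", "OIM.DBPassword")
XA_DRIVER = "oracle.jdbc.xa.client.OracleXADataSource"
PLACEHOLDER = re.compile(r"<[^>]*>")   # a template value such as <DB Host> left unreplaced


def lint_oim_profile(text):
    """Return a list of problems with the file body; an empty list means it is ready."""
    problems, props = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not a key=value line")
            continue
        key = key.strip()
        # The value is deliberately not stripped: a property reader would keep
        # the trailing blank, so the comparison below sees exactly what it sees.
        if value != value.rstrip():
            problems.append(f"line {lineno}: trailing whitespace in the value of {key}")
        if PLACEHOLDER.search(value):
            problems.append(f"line {lineno}: {key} still holds a <placeholder> from the template")
        props[key] = value
    for key in REQUIRED:
        if key not in props:
            problems.append(f"{key} is missing")
    if props.get("operationsDB.driver", XA_DRIVER) != XA_DRIVER:
        problems.append(f"operationsDB.driver must be {XA_DRIVER}")
    if not props.get("operationsDB.port", "0").isdigit():
        problems.append("operationsDB.port must be a numeric listener port")
    if props.get("operationsDB.password") != props.get("OIM.DBPassword"):
        problems.append("operationsDB.password and OIM.DBPassword must both hold the OIM schema password")
    return problems


if __name__ == "__main__":
    for p in lint_oim_profile(SAMPLE_PROFILE) or ["oim.profile looks ready"]:
        print(p)
```

Because the file holds the OIM schema password in clear text, keep it readable only by the account running ant (for example `chmod 600 oim.profile`) and remove it once the jobs have been seeded.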

5.2 Set the environment variable $ANT_HOME to $MW_HOME/modules/org.apache.ant_1.7.1 and $JAVA_HOME to $MW_HOME/jdk160_18.

5.3 Go to the directory $OIM_HOME/server/seed_data/ and run the ant script that loads the LDAP reconciliation scheduled jobs:

ant -v -propertyfile <full path/filename of the oim.profile created in step 5.1> \
    -Dserver.dir=<$OIM_HOME/server> \
    -Dweblogic.server.dir=<Weblogic_SERVER_LOCATION> \
    -Dwork.dir=. -f seed-rcu-data.xml seed-ldap-recon-jobs

For example:

ant -v -propertyfile ./oim.profile \
    -Dserver.dir=/scratch/shiphome/beahome/Oracle_IDM1/server \
    -Dweblogic.server.dir=/scratch/shiphome/beahome/wlserver_10.3 \
    -Dwork.dir=. \
    -f seed-rcu-data.xml seed-ldap-recon-jobs

This step might produce the following error, which can be ignored:

[java] Dec 1, 2010 3:48:12 AM oracle.jdbc.driver.OracleDriver registerMBeans
[java] SEVERE: Error while registering Oracle JDBC Diagnosability MBean.
[java] java.security.AccessControlException: access denied (javax.management.MBeanTrustPermission register)

In case of other errors, check the log at ${work.dir}/ldap/SeedSchedulerData.log.

After completing these steps, test user and role creation in OIM to see that they are copied as user and group entries into the appropriate OID containers. Test user and role reconciliation as well. If the OIM user is created but there is no corresponding user in OID, the common cause is incorrect MDS data; in that case, use the MDS tools to check and correct the content of MDS.
