Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
This section lists the steps in configuring a sample deployment scenario.
Note: "Step 4: Decide Whether to Create a New Identity Management Realm" through "Step 6: Select the Login Identifiers" involve configuring a new identity management realm and setting its parameters. This can affect the behavior of Oracle Application Server Single Sign-On and any other middle-tier application already installed in the environment. Consequently, make careful decisions at each step and verify the behavior of the applications.
See Also: The chapter on deploying identity management realms in Oracle Internet Directory Administrator's Guide for more details on identity management realms and their role in Oracle Application Server.
This section contains these topics:
Step 1: Identify the Default Identity Management Realm in Oracle Internet Directory
Step 2: Identify the User and Group Search Bases in Oracle Internet Directory
Step 3: Identify the Naming Context on the Remote Directory
Step 4: Decide Whether to Create a New Identity Management Realm
Step 5: Select the User Search Base and Group Search Base
Step 6: Select the Login Identifiers
Step 7: Modify the Mapping File to Reflect the Changes You Have Made
Step 8: Create or Modify the Synchronization Profile with the New Set of Mapping Rules
Step 9: Configure Access Control
Step 10: Bootstrap the Directory by Using the Directory Integration and Provisioning Assistant
Step 11: Update the Last Change Number for Synchronization
Step 12: Enable the Profile by Using Either the Oracle Directory Integration and Provisioning Server Administration Tool or the Directory Integration and Provisioning Assistant
Step 13 (Optional): Enable the External Authentication Plug-in for Password Synchronization
Step 14: Start the Oracle Directory Integration and Provisioning Server
Step 1: Identify the Default Identity Management Realm in Oracle Internet Directory
To identify the default identity management realm in Oracle Internet Directory:
ldapsearch -p port -h host -D distinguished_name -w password -b "cn=common,cn=products,cn=oraclecontext" -s base "objectclass=*" orcldefaultsubscriber
In this sample deployment, the default identity management realm in Oracle Internet Directory is dc=us,dc=mycompany,dc=com.
Step 2: Identify the User and Group Search Bases in Oracle Internet Directory
To identify the user and group search contexts in Oracle Internet Directory:
ldapsearch -p port -h host -D distinguished_name -w password -b "cn=common,cn=products,cn=oraclecontext,identity_management_realm" -s base "objectclass=*"
Note down the values for the orclcommonusersearchbase and orclcommongroupsearchbase attributes. These are the values shown in the Oracle Internet Directory Self-Service Console as User Search Context and Group Search Context.
In this sample deployment, the user and group search contexts in Oracle Internet Directory are:
orclcommonusersearchbase is: cn=users,dc=us,dc=mycompany,dc=com
orclcommongroupsearchbase is: cn=groups,dc=us,dc=mycompany,dc=com
Step 3: Identify the Naming Context on the Remote Directory
The default naming context is the root of the naming context under which the users are stored. Each directory has its own way of creating a default naming context.
If you are using Microsoft Active Directory, then you identify the default naming context by performing the following ldapsearch against that directory:
ldapsearch -p port -h host -D distinguished_name -w password -b "" -s base "objectclass=*" defaultnamingcontext
Typically the DNs of users in Microsoft Active Directory are of the form cn=user name,cn=users,defaultnamingcontext.
Note that users can also bind with names of the form username@domain.
For example, if the domain name is newcompany.com, then the default naming context is dc=newcompany,dc=com. The typical login identifier of a user is user@newcompany.com.
If you are using SunONE Directory Server, then you identify the naming contexts in that directory by performing the following ldapsearch against it:
ldapsearch -p port -h host -D distinguished_name -w password -b "" -s base "objectclass=*" namingcontexts
Different sets of user entries reside in different subtrees. Choose the naming context that contains the objects to be synchronized.
Step 4: Decide Whether to Create a New Identity Management Realm
If the DITs on Oracle Internet Directory and the third-party directory are different, then it is better to create a new identity management realm and make it the default realm. Do this by using either the Oracle Internet Directory Self-Service Console or the Oracle Internet Directory Configuration Assistant. On the other hand, if the third-party directory is Microsoft Active Directory and its default naming context is mycompany.com, then you may not have to create a new identity management realm.
Step 5: Select the User Search Base and Group Search Base
How you do this depends on whether you created a new identity management realm as discussed in the previous step.
If a new identity management realm has been created, then:
Select the user search base and the user creation context. Do this by using the Oracle Internet Directory Self-Service Console. Set the user search context to reflect the container under which users are stored in the third-party directory. This is described in the Oracle Identity Management Guide to Delegated Administration.
Follow the same approach to set the user creation context.
Select the group search base and the group creation context. Do this by using the Oracle Internet Directory Self-Service Console. Set the group search context to reflect the container under which groups are stored in the third-party directory. This is described in the Oracle Identity Management Guide to Delegated Administration.
Follow the same approach to set the group creation context.
If a new identity management realm has not been created, then, to enable user and group entries to be accessed by all Oracle components, you must modify the default parameters in the Oracle Internet Directory Self-Service Console. To do this:
In the User Search Context, enter the DN of the users container in the third-party directory, or enter the subtree of the containers specified in the search context. For example, enter either of the following:
cn=users,dc=myCompany,dc=com
dc=myCompany,dc=com
In the Group Search Context, either enter the DN of the groups container in the third-party directory, or enter the subtree of the containers specified in the search context. For example, enter either of the following:
cn=groups,dc=myCompany,dc=com
dc=myCompany,dc=com
Step 6: Select the Login Identifiers
The attribute used for login is orclcommonnicknameattribute. In the Oracle Internet Directory Self-Service Console, the field is named Attribute for Login Name. The default value is UID. Oracle Corporation recommends that you keep the default value. If this attribute is modified (for example, changed to mail), then be sure that all entries under the container that you are working with have the mail attribute value populated. Otherwise, the user cannot log in through Oracle Application Server Single Sign-On.
Step 7: Modify the Mapping File to Reflect the Changes You Have Made
The attributes you have just modified can require a change in the default mapping files. Look carefully at the various mapping rules and modify them according to the requirements. If the users and groups are under different containers, you may need to specify multiple sets of domain rules in the same mapping file.
Default mapping rules for integration with SunONE Directory Server and Microsoft Active Directory are in the directory $ORACLE_HOME/ldap/odi/conf.
The important parameters to be modified are:
Mapping rule for the loginid attribute
In the default profile for Microsoft Active Directory, the default mapping rule for the loginid attribute in the sample mapping file is:
Userprincipalname: : :user: uid: : :inetorgperson
In the default profile for SunONE Directory Server, the UID is directly mapped to the UID attribute.
This can be modified depending on which attribute is used for login. For example, to use employeenumber as the loginid, modify the mapping rule as follows:
Employeenumber: : :user: uid: : :inetorgperson
Mapping rule for the Kerberos login. To support Windows native authentication, Oracle Application Server Single Sign-On uses Kerberos login for the Windows environment. In such cases, a mapping rule is required for the Windows login. The attribute for the Kerberos login is orclcommonkrbprincipalattribute in the entry cn=common,cn=public,cn=oraclecontext,identity_management_realm. By default, it is set to krbPrincipalName.
For integration with Microsoft Active Directory, the default mapping rule is:
Userprincipalname: : :user: krbPrincipalName: : :orclUserV2
This rule maps the user principal name in Microsoft Active Directory to the Kerberos principal name. To support another value for Kerberos login, modify this rule.
See Also: Oracle Application Server Single Sign-On Administrator's Guide for information about support for Windows native authentication in Oracle Application Server Single Sign-On.
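A pre-flight check for Steps 6 and 7, added here as an example that is not part of the Oracle guide: it reads attribute rules written in the mapping-file syntax shown above to find which source attribute feeds the login attribute (uid, or krbPrincipalName), then scans a constructed LDIF export of the source users container for entries that lack that attribute or share a value with another entry, which is the condition Step 6 warns about. The rule field layout, the LDIF sample and the DNs are assumptions.

```python
import re
from collections import defaultdict

# Constructed attribute rules in the mapping-file syntax shown in Step 7:
# srcattr:reqseq:srctype:srcobjectclass:dstattr:reqseq:dsttype:dstobjectclass
MAPPING_RULES = """\
AttributeRules
Userprincipalname: : :user: uid: : :inetorgperson
Userprincipalname: : :user: krbPrincipalName: : :orclUserV2
"""

# Constructed LDIF export of the Active Directory users container;
# bob has no userPrincipalName and carol's collides with alice's.
SAMPLE_LDIF = """\
dn: cn=alice,cn=users,dc=newcompany,dc=com
userPrincipalName: alice@newcompany.com

dn: cn=bob,cn=users,dc=newcompany,dc=com

dn: cn=carol,cn=users,dc=newcompany,dc=com
userPrincipalName: alice@newcompany.com
"""

def source_attr_for(rules, dst_attr):
    """Source attribute whose rule populates dst_attr (field 5) in OID."""
    for line in rules.splitlines():
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 8 and fields[4].lower() == dst_attr.lower():
            return fields[0].lower()
    return None

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or continuation lines): list of dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry[name.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries

def check_login_attribute(rules, ldif_text, dst_attr="uid"):
    """Return (DNs missing the login source attribute, {value: [DNs]} duplicates)."""
    src = source_attr_for(rules, dst_attr)
    missing, seen = [], defaultdict(list)
    for e in parse_ldif(ldif_text):
        for v in e.get(src, []):
            seen[v.lower()].append(e["dn"][0])
        if src not in e:
            missing.append(e["dn"][0])
    return missing, {v: dns for v, dns in seen.items() if len(dns) > 1}
```

Run the check against a real export of the container named in the domain rules before enabling the profile; any DN it reports will be unable to log in through Single Sign-On once the attribute is switched.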
Step 8: Create or Modify the Synchronization Profile with the New Set of Mapping Rules
To do this, use the Directory Integration and Provisioning Assistant.
dipassistant mp -profile profile_name odip.profile.mapfile=relative_path_name_of_mapping_file
Step 9: Configure Access Control
Configure access control to various containers in either of the following:
The profile orclodipagentname=profile_name,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
The group cn=odipgroup,cn=odi,cn=oracle internet directory
A sample ACI is available in $ORACLE_HOME/ldap/odi/samples/commonaci.ldif. This sample contains the following attributes, all of which have the same values:
UserSearchBase
GroupSearchBase
UserCreateBase
GroupCreateBase
You can use Oracle Directory Manager to set ACIs to these containers.
Step 10: Bootstrap the Directory by Using the Directory Integration and Provisioning Assistant
To bootstrap the directory, use the bootstrap command in the Directory Integration and Provisioning Assistant.
Step 11: Update the Last Change Number for Synchronization
To do this, enter:
dipassistant mp -profile profile_name -updlcn
The Directory Integration and Provisioning Assistant determines the connected directory by reading the directory integration profile.
Step 12: Enable the Profile by Using Either the Oracle Directory Integration and Provisioning Server Administration Tool or the Directory Integration and Provisioning Assistant
You can do this by using either the Oracle Directory Integration and Provisioning Server Administration tool or the Directory Integration and Provisioning Assistant.
Step 13 (Optional): Enable the External Authentication Plug-in for Password Synchronization
If you need to synchronize password changes from Oracle Internet Directory to the third-party directory, then enable the external authentication plug-in by doing the following:
Enable the password policy in the identity management realm. You can do this by using either the Oracle Internet Directory Self-Service Console or Oracle Directory Manager.
Enable reversible password encryption by setting the orclpwdencryptionenable attribute to TRUE.
When passwords are synchronized to directories that do not support the hashing technique used by Oracle Internet Directory, synchronization can be done only by using SSL mode 2 (sslmode=2).
Step 14: Start the Oracle Directory Integration and Provisioning Server
Do this by following the instructions in "Starting, Stopping, and Restarting the Oracle Directory Integration and Provisioning Server".
Note: To synchronize passwords, start Directory Integration and Provisioning with sslmode=2, that is, server-only authentication.