Configuring Oracle Unified Directory as an Identity Store for Access Manager 11gR2 (11.1.2)

Hi all, Mike here. Today I’m writing about configuring and using OUD as a data source for OAM to store our identities.
 
First, we need to configure the directory instance to prepare it for OAM. We need to create user, group, and reserve containers. After updating it for your directory, insert the following into a file called OUDContainers.ldif:

dn:cn=oracleAccounts,dc=uberether,dc=com
cn:oracleAccounts
objectClass:top
objectClass:orclContainer

dn:cn=Users,cn=oracleAccounts,dc=uberether,dc=com
cn:Users
objectClass:top
objectClass:orclContainer

dn:cn=Groups,cn=oracleAccounts,dc=uberether,dc=com
cn:Groups
objectClass:top
objectClass:orclContainer

dn:cn=Reserve,cn=oracleAccounts,dc=uberether,dc=com
cn:Reserve
objectClass:top
objectClass:orclContainer

 

In your terminal, cd on over to /asinst_1/OUD/bin and execute these commands:
./stop-ds
./import-ldif --backendID userRoot --append --ldifFile /OUDContainers.ldif
./start-ds

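Now we need to add a few OIMAdmin users to the mix. Create a file called oudadmin.ldif, then update the following for your directory and insert it. The base DN (dc=mycompany,dc=com in this sample) has to match the one used for the containers above, and the sample userPassword value should be replaced with your own: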

dn: cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=mycompany,dc=com")(targetattr =
 "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to
  all attributes"; allow (add, read, search, compare,write, delete, import,export)
 (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

 

Now execute this command:
./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
--bindPassword --defaultAdd --filename /location/of/oudadmin.ldif

Time to create a replication server. Make sure you have a file containing your directory manager’s password, then execute:
./dsconfig --hostname localhost --port 4444 --bindDN "cn=Directory Manager" -j -X -n \
create-replication-server --provider-name 'Multimaster Synchronization' --set replication-port:8989 --set replication-server-id:1 --type generic

At this point I used iptables to open port 8989. Next we must use dsconfig in interactive mode.
./dsconfig
Upon login, select the “Access Control Handler” option for viewing and editing. Add this value to the list:

(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=uberether,dc=com";)

Choose to use values as they are, then back out so dsconfig can save. Go back in to the Access Control Handler and look for the other value of “cn=changelog”. This one should have a deny policy. Delete it, save everything, and exit dsconfig.
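A pre-flight check for the LDIF files and ACI values used in this walkthrough, as an added example that is not part of the original post: the samples mix dc=uberether,dc=com and dc=mycompany,dc=com, so it flags entries outside your base DN, group DNs named by uniquemember or an ACI groupdn that the LDIF never creates, and userPassword values left in the clear. The function names, finding codes and the constructed sample are assumptions for illustration; base64 (`::`) values are not decoded.

```python
import re

def norm(dn):
    """Lower-case a DN and drop whitespace around ',' and '=' for comparison."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def parse_ldif(text):
    """Unfold continuation lines, then return records as (attr, value) lists."""
    records = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        pairs = [l.partition(":") for l in block.splitlines() if not l.startswith("#")]
        records.append([(a.strip().lower(), v.strip()) for a, _, v in pairs])
    return [r for r in records if r and r[0][0] == "dn"]

def lint(text, base_dn):
    """Return (code, detail) findings for LDIF meant to live under base_dn."""
    records, base, findings = parse_ldif(text), norm(base_dn), []
    # Entries the LDIF creates: every record except changetype: modify.
    created = {norm(r[0][1]) for r in records if ("changetype", "modify") not in r}
    for rec in records:
        dn = rec[0][1]
        if norm(dn) != base and not norm(dn).endswith("," + base):
            findings.append(("suffix-mismatch", dn))
        for attr, value in rec[1:]:
            refs = [value] if attr == "uniquemember" else []
            if attr == "aci":  # group DNs named in ACI bind rules
                refs = re.findall(r'groupdn\s*=\s*"ldap:///([^"]+)"', value)
            if attr == "userpassword" and not value.startswith("{"):
                findings.append(("cleartext-password", dn))
            findings += [("dangling-reference", r) for r in refs if norm(r) not in created]
    return findings

# Constructed sample (not the page's files): condensed entries with mixed suffixes.
SAMPLE = """\
dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: add
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
changetype: add
uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=oracleAccounts,dc=uberether,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "OIM admin"; allow (read,search)
 (groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=uberether,dc=com");)
"""
```

Calling lint(SAMPLE, "dc=uberether,dc=com") reports two suffix mismatches, the cleartext password, and the ACI's group DN that no entry defines; run it over the concatenated contents of OUDContainers.ldif and oudadmin.ldif before importing.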

We can now connect the database to OAM. Open the Access Manager webconsole and choose to create a new User Identity Store.

Create New Store

Fill info in

That should cover it. Let me know if you have any questions!
