Hi all, Mike here. Today I’m writing about configuring and using OUD as a data source for OAM to store our identities.
First, we need to configure the directory instance to prepare it for OAM. We need to create user, group, and reserve containers. After updating it for your directory, insert the following into a file called OUDContainers.ldif:
dn:cn=oracleAccounts,dc=uberether,dc=com cn:oracleAccounts objectClass:top objectClass:orclContainer dn:cn=Users,cn=oracleAccounts,dc=uberether,dc=com cn:Users objectClass:top objectClass:orclContainer dn:cn=Groups,cn=oracleAccounts,dc=uberether,dc=com cn:Groups objectClass:top objectClass:orclContainer dn:cn=Reserve,cn=oracleAccounts,dc=uberether,dc=com cn:Reserve objectClass:top objectClass:orclContainer
In your terminal, cd on over to /asinst_1/OUD/bin and execute these commands:
./stop-ds
./import-ldif --backendID userRoot --append --ldifFile /OUDContainers.ldif
./start-ds
Now we need to add a few OIMAdmin users to the mix, create a file called oudadmin.ldif. Update and insert the following:
dn: cn=systemids,dc=mycompany,dc=com changetype: add objectclass: orclContainer objectclass: top cn: systemids dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com changetype: add objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetorgperson mail: oimAdminUser givenname: oimAdminUser sn: oimAdminUser cn: oimAdminUser uid: oimAdminUser userPassword: welcome1 dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com changetype: add objectclass: groupOfUniqueNames objectclass: top cn: oimAdminGroup description: OIM administrator role uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com dn: cn=oracleAccounts,dc=mycompany,dc=com changetype: modify add: aci aci: (target = "ldap:///cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare,write, delete, import,export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");) dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: password-reset
Now execute this command:
./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
--bindPassword --defaultAdd --filename /location/of/oudadmin.ldif
Time to create a replication server. Make sure you have a file containing your directory manager’s password. Execute
./dsconfig --hostname localhost --port 4444 --bindDN "cn=Directory Manager" -j -X -n \
create-replication-server --provider-name 'Multimaster Synchronization' --set replication-port:8989 --set replication-server-id:1 --type generic
At this point I used iptables to open port 8989. Next we must use dsconfig in interactive mode.
./dsconfig
Upon login, select the “Access Control Handler” option for viewing and editing. Add this value to the list:
(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=uberether,dc=com";)
Choose to use values as they are, then back out so dsconfig can save. Go back in to the Access Control Handler and look for the other value of “cn=changelog”. This one should have a deny policy. Delete it, save everything, and exit dsconfig.
We can now connect the database to OAM. Open the Access Manager webconsole and choose to create a new User Identity Store.
That should cover it. Let me know if you have any questions!