5.1.7 Creating Users and Groups in the LDAP Store
Oracle Advanced Authentication (OAA) requires two groups to be configured
in the LDAP store used by Oracle Access Management (OAM):
- OAA-Admin-Role, which is used to authenticate administrator users who are permitted to access the Administration Console.
- OAA-App-User, which contains the list of users who are permitted to access the Self-Service Portal.
These groups, along with the OAA Administration user oaaadmin, are created in your LDAP store during the OAA installation (unless they already exist).
Note:
As described in Supported Architectures, the LDAP store used by OAM must be extended with OAM Object classes. For more information, see Using Password Policy.
The installation can optionally add all your existing LDAP users (in the defined user search base) to the OAA-App-User group, and add the obpsftid: true attribute for each user.
Note:
The obpsftid: true attribute is a requirement for persistent login and Oracle Universal Authenticator (OUA).
If you do not want every user in your defined LDAP user search base added to the OAA-App-User group, then you must add the permitted users manually after the OAA installation. Similarly, if using OUA you must also add the LDAP attribute obpsftid: true to each user manually.
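The manual post-installation step above is usually done by feeding an LDIF file to ldapmodify. The following is an added example that generates that LDIF; it is not code from the Oracle documentation or the OAA installer. It assumes (none of this is stated on the page) that OAA-App-User is a groupOfUniqueNames whose members are listed in uniqueMember, that user RDNs are uid-based under the user search base, and that each user entry already carries the OAM auxiliary object class from the schema extension so obpsftid can be set. The DNs use the checkpoint table's sample values; the uids are constructed.

```python
"""Generate LDIF for adding users to OAA-App-User and setting obpsftid: true.

Added example, not Oracle's code. Assumed (not on the page): group type
groupOfUniqueNames / uniqueMember, uid-based user RDNs, and that the OAM
schema extension is already applied so obpsftid is a valid attribute.
"""
from typing import Iterable, List, Optional, Set

# Sample values from the configuration checkpoint table.
USER_SEARCHBASE = "cn=Users,dc=example,dc=com"
GROUP_SEARCHBASE = "cn=Groups,dc=example,dc=com"
APP_USER_GROUP_DN = f"cn=OAA-App-User,{GROUP_SEARCHBASE}"

# Characters that would alter the DN structure if embedded unescaped in an RDN.
_RDN_UNSAFE = set(',+"\\<>;=\r\n')


def user_dn(uid: str) -> str:
    """Build the user DN (assumed uid-based RDN) and refuse DN-breaking input."""
    if not uid.strip() or any(c in _RDN_UNSAFE for c in uid):
        raise ValueError(f"uid not safe for use in an RDN: {uid!r}")
    return f"uid={uid},{USER_SEARCHBASE}"


def group_membership_ldif(uids: Iterable[str],
                          existing_members: Optional[Set[str]] = None) -> str:
    """One 'changetype: modify' entry adding each user to OAA-App-User.

    DNs already present in the group are skipped, because 'add:' of an
    existing value is rejected by the server. Returns '' if nothing to add,
    so an empty (invalid) modify block is never emitted.
    """
    existing = existing_members or set()
    new_dns = [user_dn(u) for u in uids if user_dn(u) not in existing]
    if not new_dns:
        return ""
    lines: List[str] = [f"dn: {APP_USER_GROUP_DN}", "changetype: modify",
                        "add: uniqueMember"]
    lines += [f"uniqueMember: {dn}" for dn in new_dns]
    return "\n".join(lines) + "\n"


def persistent_login_ldif(uids: Iterable[str]) -> str:
    """One modify entry per user setting obpsftid: true (needed for OUA).

    'replace' rather than 'add' keeps the change idempotent when re-run.
    """
    entries = []
    for u in uids:
        entries.append("\n".join([f"dn: {user_dn(u)}", "changetype: modify",
                                  "replace: obpsftid", "obpsftid: true"]) + "\n")
    return "\n".join(entries)


def build_post_install_ldif(uids: Iterable[str],
                            existing_members: Optional[Set[str]] = None) -> str:
    """Combine both changes into one LDIF document (entries separated by a blank line)."""
    uids = list(uids)
    parts = [p for p in (group_membership_ldif(uids, existing_members),
                         persistent_login_ldif(uids)) if p]
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed sample: bob is already a member of OAA-App-User.
    already = {user_dn("bob")}
    print(build_post_install_ldif(["alice", "bob"], existing_members=already))
```

Apply the output with ldapmodify against <LDAP_SERVER> as <LDAP_ADMIN_USER>, after confirming with an ldapsearch on the group that the current member list matches what you pass as existing_members; the existing_members check only covers the DNs you tell it about.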
5.1.7.1 Configuration Checkpoint
- Before proceeding make sure you have the following information:

Variable                 Your Value   Sample Value                    Description
<LDAP_HOST>                           oud.example.com                 The fully qualified hostname of the LDAP server.
<LDAP_SERVER>                         ldap://oud.example.com:1389     The LDAP server protocol, hostname and port.
<LDAP_ADMIN_USER>                     cn=oudadmin                     The user name of the directory administrator.
<LDAP_ADMIN_PWD>                      password                        The password of the directory administrator.
<LDAP_USER_SEARCHBASE>                cn=Users,dc=example,dc=com      The location in the directory where names of users are stored.
<LDAP_GROUP_SEARCHBASE>               cn=Groups,dc=example,dc=com     The location in the directory where groups/roles are stored.