5.1.7 Creating Users and Groups in the LDAP Store

Oracle Advanced Authentication (OAA) requires two groups to exist in the LDAP store used by Oracle Access Management (OAM):
  • OAA-Admin-Role, whose members are the administrator users permitted to access the Administration Console.
  • OAA-App-User, whose members are the users permitted to access the Self-Service Portal.
These groups, along with the OAA Administration user oaaadmin, are created in your LDAP store during the OAA installation (unless they already exist).

Note:

As described in Supported Architectures, the LDAP store used by OAM must be extended with the OAM object classes. For more information, see Using Password Policy.
The installation can optionally add all of your existing LDAP users (those under the defined user search base) to the OAA-App-User group, and set the attribute obpsftid to true on each of those users.

Note:

The attribute obpsftid set to true is required on each user for persistent login and for Oracle Universal Authenticator (OUA).

If you do not want every user under your defined LDAP user search base added to the OAA-App-User group, then you must add the intended users to the group manually after the OAA installation. Similarly, if you are using OUA you must also set the LDAP attribute obpsftid to true on each of those users manually.
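The post-installation step above, as an added example that is not part of the original page or of the OAA product: a POSIX shell script that generates the LDIF needed to add a chosen set of users to OAA-App-User and to set obpsftid: true on each of them, using the sample values from the Configuration Checkpoint table. It assumes (not stated on this page) that OAA-App-User is a static group whose members are listed in the uniqueMember attribute, as with an OUD groupOfUniqueNames, and that the user entries already carry the OAM object class that defines obpsftid; the ldapmodify invocation is shown as a comment because its exact flags depend on your directory's tooling.

```shell
#!/bin/sh
# Added example (not from the OAA documentation): generate an LDIF that
#   1. adds each listed user to the OAA-App-User group, and
#   2. sets obpsftid: true on each listed user,
# then apply it with ldapmodify as the directory administrator.
# Assumptions (not stated on the page): static group with uniqueMember
# membership (OUD groupOfUniqueNames); user entries are uid=<uid> under the
# user search base and already have the OAM object class defining obpsftid.

# Defaults are the sample values from the Configuration Checkpoint table.
LDAP_HOST="${LDAP_HOST:-oud.example.com}"
LDAP_PORT="${LDAP_PORT:-1389}"
LDAP_ADMIN_USER="${LDAP_ADMIN_USER:-cn=oudadmin}"
LDAP_USER_SEARCHBASE="${LDAP_USER_SEARCHBASE:-cn=Users,dc=example,dc=com}"
LDAP_GROUP_SEARCHBASE="${LDAP_GROUP_SEARCHBASE:-cn=Groups,dc=example,dc=com}"
OAA_APP_GROUP_DN="cn=OAA-App-User,${LDAP_GROUP_SEARCHBASE}"

# Emit two LDIF change records for one uid: a group-membership add and an
# obpsftid replace. "replace" is used for obpsftid so the record is idempotent
# (it works whether or not the attribute is already present); "add" is used
# for uniqueMember because a replace would wipe the existing members.
oaa_user_ldif() {
  uid="$1"
  user_dn="uid=${uid},${LDAP_USER_SEARCHBASE}"
  printf 'dn: %s\nchangetype: modify\nadd: uniqueMember\nuniqueMember: %s\n\n' \
    "$OAA_APP_GROUP_DN" "$user_dn"
  printf 'dn: %s\nchangetype: modify\nreplace: obpsftid\nobpsftid: true\n\n' \
    "$user_dn"
}

# Emit the LDIF for every uid given as an argument.
oaa_users_ldif() {
  for u in "$@"; do
    oaa_user_ldif "$u"
  done
}

# Count the users a generated LDIF file would add to OAA-App-User, as a
# sanity check before applying it.
ldif_member_count() {
  grep -c '^uniqueMember: ' "$1"
}

# Demonstration with constructed sample uids: write the LDIF to a temp file
# and print the ldapmodify command to run. The command is not executed here.
demo_ldif_file="$(mktemp "${TMPDIR:-/tmp}/oaa-users.XXXXXX")"
oaa_users_ldif alice bob > "$demo_ldif_file"
echo "LDIF written to $demo_ldif_file ($(ldif_member_count "$demo_ldif_file") group additions)."
echo "Apply it with the directory's ldapmodify, e.g. (OUD-style flags, assumed):"
echo "  ldapmodify -h $LDAP_HOST -p $LDAP_PORT -D \"$LDAP_ADMIN_USER\" -w <LDAP_ADMIN_PWD> -f $demo_ldif_file"
```

Because the membership change uses add, re-running the LDIF against a user who is already in OAA-App-User makes the directory reject that record as an existing attribute value; if you rerun after a partial failure, either regenerate the LDIF for only the remaining users or use your ldapmodify's continue-on-error option. Verify the result afterwards with an ldapsearch for uniqueMember on the group DN and for obpsftid on a sample user.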

5.1.7.1 Configuration Checkpoint

  1. Before proceeding make sure you have the following information:

     Variable                  Your Value   Sample Value                     Description
     <LDAP_HOST>                            oud.example.com                  The fully qualified hostname of the LDAP server.
     <LDAP_SERVER>                          ldap://oud.example.com:1389      The LDAP server protocol, hostname and port.
     <LDAP_ADMIN_USER>                      cn=oudadmin                      The user name of the directory administrator.
     <LDAP_ADMIN_PWD>                       password                         The password of the directory administrator.
     <LDAP_USER_SEARCHBASE>                 cn=Users,dc=example,dc=com       The location in the directory where user entries are stored.
     <LDAP_GROUP_SEARCHBASE>                cn=Groups,dc=example,dc=com      The location in the directory where groups/roles are stored.