3 Integrating Oracle Access Manager and LDAP

Integrating Oracle Access Manager with LDAP involves preparing the LDAP directory, adding the missing object classes, and configuring OAM using an automated script.

3.1 Configuring OAM Using Automated Script

Configure Oracle Access Manager using the idmConfig.sh automated script.

  1. Create a file called oam.props with the following values:
    #LDAP Properties
    
    IDSTORE_HOST: ldaphost.example.com
    IDSTORE_PORT: 1636
    IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmTrustStore.p12
    IDSTORE_KEYSTORE_PASSWORD: password
    IDSTORE_SSL_ENABLED: true
    IDSTORE_NEW_SETUP: true
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=edg,dc=com
    IDSTORE_SEARCHBASE: dc=edg,dc=com
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    OAM_SERVER_LOGIN_ATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=edg,dc=com
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_OAMADMINUSER: oamadmin
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    OAM_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    IDSTORE_OIMADMINUSER: oimLDAP
    IDSTORE_WLSADMINUSER: weblogic_iam
    IDSTORE_WLSADMINGROUP: WLSAdministrators
    OAM_IDSTORE_NAME: OAMIDSTORE
    
    #OAM Properties
    PRIMARY_OAM_SERVERS: oamhost1.example.com:5575
    WEBGATE_TYPE: ohsWebgate12c
    ACCESS_GATE_ID: Webgate_IDM
    COOKIE_DOMAIN: .example.com
    COOKIE_EXPIRY_INTERVAL: 120
    OAM_WG_DENY_ON_NOT_PROTECTED: true
    OAM_IDM_DOMAIN_OHS_HOST: login.example.com
    OAM_IDM_DOMAIN_OHS_PORT: 443
    OAM_IDM_DOMAIN_OHS_PROTOCOL: https
    OAM_SERVER_LBR_HOST: login.example.com
    OAM_SERVER_LBR_PORT: 443
    OAM_SERVER_LBR_PROTOCOL: https
    OAM_OAM_SERVER_TRANSFER_MODE: open
    OAM_OAM_SSLENABLED: true
    OAM_TRANSFER_MODE: open
    OAM_SSO_ONLY_FLAG: false
    OAM_IMPERSONATION_FLAG: false
    OAM_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
    OAM_OIM_INTEGRATION_REQ: yes
    OAM_OIM_OHS_URL: https://oim.example.com:443/
    
    # WebLogic Properties
    WLSHOST: oamhost1.example.com
    WLSPORT: 9002
    WLSADMIN: weblogic
    
    WLS_IS_SSLENABLED: true
    
    # Passwords
    IDSTORE_PWD_OAMSOFTWAREUSER: password
    IDSTORE_PWD_OAMADMINUSER: password
    IDSTORE_PASSWD: password
    OAM_IDM_DOMAIN_WEBGATE_PASSWD: password
    OAM_OIM_WEBGATE_PASSWD: password
    WLSPASSWD: password
    # Logger Properties
    LOG_FILE: /home/oracle/automation_integ.log
    LOG_LEVEL: ALL
    SSL_DEBUG_ENABLE: FALSE

    The following table describes the parameters used to configure OAM in the configOAM.config properties file example.

    Table 3-1 Parameters in configOAM.config file

    Each entry lists the property, its description, and a sample value.

    ACCESS_GATE_ID
      Name to be assigned to the WebGate. This is the value specified during OAM configuration.
      Sample value: Webgate_IDM

    COOKIE_DOMAIN
      Enter the domain in which the WebGate functions.
      Sample value: .example.com

    COOKIE_EXPIRY_INTERVAL
      Enter the cookie expiration period.
      Sample value: 120

    IDSTORE_BINDDN
      An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory.
      Sample values:
      • OID: cn=orcladmin
      • OUD: cn=oudadmin
      • Active Directory: cn=Administrator,cn=Users,dc=example.com,dc=example,dc=com

    IDSTORE_GROUPSEARCHBASE
      Enter the location in the directory where groups are stored.
      Sample value: cn=Groups,dc=edg,dc=com

    IDSTORE_HOST
      Enter the identity store host name.
      Sample value: ldaphost.example.com

    IDSTORE_LOGINATTRIBUTE
      Enter the login attribute of the identity store that contains the user's login name.
      Sample value: uid

    IDSTORE_OAMADMINUSER
      Enter the user you use to access your Oracle Access Management Console.
      Sample value: oamadmin

    IDSTORE_OAMSOFTWAREUSER
      Enter the user you use to interact with the LDAP server.
      Sample value: oamLDAP

    IDSTORE_PORT
      Enter the identity store port.
      Sample value: 1636

    IDSTORE_SEARCHBASE
      Enter the location in the directory where users and groups are stored.
      Sample value: dc=edg,dc=com

    IDSTORE_SYSTEMIDBASE
      Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.
      Sample value: cn=SystemIDs,dc=example,dc=com

    IDSTORE_USERNAMEATTRIBUTE
      Enter the username attribute used to set and search for users in the identity store.
      Sample value: cn

    IDSTORE_USERSEARCHBASE
      Enter the container under which Access Manager searches for users.
      Sample value: cn=Users,dc=edg,dc=com

    OAM_TRANSFER_MODE
      Enter the security mode in which the access servers function. The supported value is OPEN.
      Sample value: Open

    OAM11G_IDM_DOMAIN_LOGOUT_URLS
      Set to the various logout URLs.
      Sample value: /console/jsp/common/logout.jsp, /em/targetauth/emaslogout.jsp

    OAM11G_IDM_DOMAIN_OHS_HOST
      Enter the load balancer that is in front of Oracle HTTP Server (OHS) in a high-availability configuration.
      Sample value: sso.example.com

    OAM11G_IDM_DOMAIN_OHS_PORT
      Enter the load balancer port.
      Sample value: 443

    OAM11G_IDM_DOMAIN_OHS_PROTOCOL
      Enter the protocol to use when directing requests to the load balancer.
      Sample value: https

    OAM11G_IDSTORE_NAME
      Enter the name of the identity store configured in OAM. This is set as the default/System ID Store in OAM.
      Sample value: OAMIDSTORE

    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN
      Account used to administer role security in the identity store.
      Sample value: OAMAdministrators

    OAM11G_IMPERSONATION_FLAG
      Enables or disables the impersonation feature in the OAM Server.
      Sample value: true

    OAM11G_OAM_SERVER_TRANSFER_MODE
      Enter the security mode in which the access servers function. The supported value is OPEN.
      Sample value: Open

    OAM11G_OIM_INTEGRATION_REQ
      Specifies whether to integrate with Oracle Identity Governance or to configure Access Manager in stand-alone mode. Set to true for integration.
      Sample value: true

    OAM11G_OIM_OHS_URL
      Enter the URL of the load balancer or Oracle HTTP Server (OHS) fronting the OIM server.
      Sample value: https://sso.example.com:443/

    OAM11G_SERVER_LBR_HOST
      Enter the OAM Server fronting your site.
      Sample value: sso.example.com

    OAM11G_SERVER_LBR_PORT
      Enter the port that the load balancer is listening on (HTTP_SSL_PORT).
      Sample value: 443

    OAM11G_SERVER_LBR_PROTOCOL
      Enter the protocol to use when directing requests to the load balancer.
      Sample value: https

    OAM11G_SERVER_LOGIN_ATTRIBUTE
      Setting this to uid ensures that the username is validated against the uid attribute in LDAP when the user logs in.
      Sample value: uid

    OAM11G_SSO_ONLY_FLAG
      Set this to configure Access Manager 11g in authentication-only mode or in normal mode, which supports both authentication and authorization. The default value is true.
      Sample value: true

    OAM11G_WG_DENY_ON_NOT_PROTECTED
      Sets the deny-on-not-protected flag for a 10g WebGate. Valid values are true and false.
      Sample value: false

    PRIMARY_OAM_SERVERS
      Enter a comma-separated list of your Access Manager servers and the proxy ports they use.
      Sample value: oamhost1.example.com:5575

    SPLIT_DOMAIN
      Setting this to true is required to suppress the double authentication of the Oracle Access Management Console.
      Sample value: true

    WEBGATE_TYPE
      Enter the WebGate agent type you want to create. 10g and 11g are no longer supported in 14c.
      Sample value: ohsWebgate14c

    WLSADMIN
      Enter the WebLogic Server administrative user account you use to log in to the WebLogic Server Administration Console in the OAM domain.
      Sample value: weblogic

    WLSHOST
      Enter the Administration Server host name in the OAM domain.
      Sample value: oamhost1.example.com

    WLSPORT
      Enter the Administration Server port in the OAM domain.
      Note: If your domain is using the WebLogic Administration port, then enter that port here.
      Sample value: 9002

  2. Stop the policy server. See Starting and Stopping Managed WebLogic Servers and Access Manager Servers.

  3. Shut down the policy manager servers.
  4. Run the idmConfigTool to configure OAM and integrate it with LDAP.
    export JAVA_HOME=/u01/oracle/products/jdk
    export PATH=$JAVA_HOME/bin:$PATH
    export MW_HOME=/u01/oracle/products/idm
    export ORACLE_HOME=$MW_HOME/idm
    export WLST_PROPERTIES="-Djavax.net.ssl.trustStore=/u01/oracle/config/keystores/idmTrustStore.p12 -Djavax.net.ssl.trustStorePassword=password -Dweblogic.security.SSL.ignoreHostnameVerification=true"
    
    $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOAM input_file=oam.props log_level=FINEST mode=all
    You have successfully executed the automated script for configuring Oracle Access Manager.

    Note:

    Set WLST_PROPERTIES only if WebLogic Domain is SSL Enabled. The trust store specified is the absolute location of the WebLogic Domain trust store.
  5. Restart the OAM domain servers along with the policy manager servers. See Starting and Stopping Managed WebLogic Servers and Access Manager Servers.
  6. Verify the configuration.
    1. Log in to the Oracle Access Management Console:

      http://oamhost.example.com:7001/oamconsole

      or

      https://oamhost.example.com:7002/oamconsole

      Note:

      Log in by using the user you specified in IDSTORE_OAMADMINUSER.
    2. In the Application Security page, click Agents.

      The Search SSO Agents page is displayed.

    3. In the Search field, enter the WebGate name.

      Note:

      This is the value you specified for ACCESS_GATE_ID in the configOAM.config properties file.
    4. In the Search Result Table, you can see the agent.
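    A pre-flight check for the oam.props file written in step 1, added here as example code (it is not part of the page and not part of idmConfigTool): it parses the KEY: value lines and reports duplicate keys, search bases that lie outside IDSTORE_SEARCHBASE, an SSL flag paired with a cleartext LDAP port, and secrets still set to the placeholder value. The list of required keys is an assumption for the check, not idmConfigTool's own list.

```python
import re
from collections import Counter

# Constructed sample in the oam.props layout from step 1; it keeps the duplicated key and the out-of-tree system-ID base found in the page's listing.
SAMPLE_PROPS = """\
IDSTORE_HOST: ldaphost.example.com
IDSTORE_PORT: 1636
IDSTORE_NEW_SETUP: true
IDSTORE_SEARCHBASE: dc=edg,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=edg,dc=com
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_PASSWD:password
"""

# Keys this check treats as mandatory: a chosen subset, not idmConfigTool's own list.
REQUIRED = ("IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_SEARCHBASE",
            "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "PRIMARY_OAM_SERVERS")

def parse_props(text):
    """Parse 'KEY: value' lines ('KEY:value' and 'KEY : value' too); return map and key counts."""
    props, counts = {}, Counter()
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"^(\w+)\s*:\s*(.*)$", line):
            props[m.group(1)] = m.group(2).strip()
            counts[m.group(1)] += 1
    return props, counts

def dn_is_under(child, base):
    """True when DN `child` equals or lies below DN `base` (case- and space-insensitive)."""
    c, b = (",".join(p.strip().lower() for p in dn.split(",")) for dn in (child, base))
    return c == b or c.endswith("," + b)

def check_props(text):
    """Return the findings to fix before running idmConfigTool -configOAM."""
    props, counts = parse_props(text)
    findings = [f"missing required key {k}" for k in REQUIRED if k not in props]
    findings += [f"duplicate key {k}" for k, n in counts.items() if n > 1]
    base = props.get("IDSTORE_SEARCHBASE")
    for k in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE"):
        if base and k in props and not dn_is_under(props[k], base):
            findings.append(f"{k} is not under IDSTORE_SEARCHBASE")
    # 389 and 1389 are common non-TLS LDAP ports; a TLS bind to them cannot succeed.
    if props.get("IDSTORE_SSL_ENABLED", "").lower() == "true" and props.get("IDSTORE_PORT") in ("389", "1389"):
        findings.append("IDSTORE_SSL_ENABLED is true but IDSTORE_PORT is a cleartext LDAP port")
    findings += [f"{k} still holds the placeholder value" for k, v in props.items()
                 if ("PASSWD" in k or "PASSWORD" in k) and v == "password"]
    return findings
```

    Run check_props on the real file's contents and clear every finding before step 4; an empty list means the structural checks passed, not that the values are right for your directory.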

3.2 Preparing the LDAP Directory for Use by Oracle Identity and Access Management

To use an LDAP directory with Oracle Access Management and Oracle Identity Governance, the directory must include the object classes required by these products. These object classes enable Oracle Access Manager to lock accounts and allow Oracle Identity Governance to terminate sessions.

The directory must also be pre-configured with several system users required by Oracle Access Management (OAM) and Oracle Identity Governance (OIG). For instance, if you are securing a WebLogic administration page, a user in the LDAP directory is needed to facilitate login. Additionally, you need to create non-system users for WebLogic domains to access and read the LDAP directory.

3.3 Adding Missing Object Classes Using Automated Script

Add the missing object classes using the automated script for OIG-OAM integration, OIGOAMIntegration.sh. The script adds any missing object classes to the existing users in the directory.

  1. Update the addMissingObjectClasses.config file (located at ORACLE_HOME/idm/server/ssointg/config) with values for IDSTORE_HOST, IDSTORE_PORT, IDSTORE_BINDDN, IDSTORE_BINDDN_PWD, and IDSTORE_USERSEARCHBASE.

    Example addMissingObjectClasses.config File

    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 1389
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_BINDDN_PWD: <password>
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
  2. Run the automated script for OIG-OAM integration to enable OAM notifications.
    OIGOAMIntegration.sh -addMissingObjectClasses
    You have successfully executed the automated script to add object classes for existing users in the LDAP directory.

Note:

The time this step takes depends on the number of users in the LDAP directory. It is estimated to take 10 minutes per 10000 users in the LDAP directory.