Preparing LDAP IDStore

2 Preparing LDAP IDStore

Prepare IDStore using the OIGOAMIntegration.sh automated script for OIG-OAM integration.

Configure the identity store and policy store by creating the groups and setting ACIs to the various containers. Add necessary users and associating users with groups to the identity store. This step is similar to running the commands idmConfigTool.sh -prepareIDStore and idmConfigTool.sh -prepareIDStore -mode=ALL. See prepareIDStore Command.

Create a file called prepareLDAP.props with the following contents.

Example prepareLDAP.props file for Oracle Internet Directory

IDSTORE_PORT: 1636
IDSTORE_SSL_ENABLED: true
IDSTORE_ADMIN_PORT: 4444

IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmcerts.p12
IDSTORE_KEYSTORE_PASSWORD: mytruststorepassword
IDSTORE_ADMIN_KEYSTORE_FILE: /u01/oracle/config/instances/oud1/config/admin-keystore
IDSTORE_ADMIN_KEYSTORE_PASSWORD:  myadmintruststorepassword

IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_iam
IDSTORE_WLSADMINGROUP : WLSAdministrators

The following table describes the parameters that you can set in the prepareLDAP.props file.

Table 2-1 Parameters in prepareLDAP.props File

Property	Description	Sample Value
`IDSTORE_DIRECTORYTYPE`	Enter the identity store directory type. Valid options are OID, OUD, and AD.	`OUD or OID`
`IDSTORE_HOST`	Enter the identity store host name.	`idstore.example.com`
`IDSTORE_PORT`	Enter the identity store port.	`1389`
`IDSTORE_ADMIN_PORT`	In OUD Installations Administration functions are performed on a dedicated administration port.	`4444`
`IDSTORE_SSL_ENABLED`	If you connect to your LDAP directory using SSL then set this parameter to true. The `IDSTORE_PORT` above must be the SSL port of your directory.	`true`
`IDSTORE_KEYSTORE_FILE`	If your directory is SSL enabled the tool must have access to a valid trust store with the CA of the directory included. Set this to the location of that trust store.
`IDSTORE_KEYSTORE_PASSWORD`	The password of the ID_KEYSTORE_FILE, if not supplied the script will prompt for it.	`password`
`IDSTORE_ADMIN_KEYSTORE_FILE`	If you are using OUD then you need to provide the OUD administration trust store file location.	`OUD_INSTANCE//config/admin-keystore`
`IDSTORE_ADMIN_KEYSTORE_PASSWORD`	The password of the `IDSTORE_ADMIN_KEYSTORE_FILE`, if not supplied the script will prompt for it. To obtain this password you can issue the command: `dsconfig -h ldaphost1 -p 4444 -D cn=oudadmin -j ~/oud.pwd -X -n` `get-key-manager-provider-prop --provider-name Administration --property key-store-pin --showKeystorePassword` If you are not using Oracle Unified Directory, you can ignore this parameter. This file must be located on the same host that the OIGOAMIntegration.sh command is running on. The command uses this file to authenticate itself with OUD.	`password`
`IDSTORE_BINDDN`	An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory.	OID: `cn=orcladmin` OUD: `cn=oudadmin` AD: `CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com`
`IDSTORE_BINDDN_PWD`	Enter the Password for administrative user in Oracle Internet Directory, Oracle Unified Directory or Microsoft Active Directory.	`password`
`IDSTORE_USERNAMEATTRIBUTE`	Enter the username attribute used to set and search for users in the identity store.	`cn`
`IDSTORE_LOGINATTRIBUTE`	Enter the login attribute of the identity store that contains the user's login name.	`uid`
`IDSTORE_SEARCHBASE`	Enter the location in the directory where users and groups are stored.	`dc=example,dc=com`
`IDSTORE_USERSEARCHBASE`	Enter the Container under which Access Manager searches for the users.	`cn=users,dc=example,dc=com`
`IDSTORE_GROUPSEARCHBASE`	Enter the location in the directory where groups are stored.	`cn=groups,dc=example,dc=com`
`IDSTORE_SYSTEMIDBASE`	Enter the location of a container in the directory where system-operations users are stored. There are only a few system operations users and are kept separate from enterprise users stored in the main user container. For example, the Oracle Identity Governance reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.	`cn=systemids,dc=example,dc=com`
`IDSTORE_READONLYUSER`	Enter the user with read-only permissions to the identity store. This parameter is optional.	`IDROUser`
`IDSTORE_READWRITEUSER`	Enter the user with read-write permissions to the identity store. This parameter is optional.	`IDRWUser`
`IDSTORE_SUPERUSER`	Enter the Oracle Fusion Applications superuser in the identity store. This parameter is optional.	`weblogic_fa`
`IDSTORE_OAMSOFTWAREUSER`	Enter the LDAP user that OAM uses to interact with LDAP.	`oamLDAP`
`IDSTORE_OAMADMINUSER`	Enter the user you use to access your Oracle Access Management Console.	`oamadmin`
`IDSTORE_OAMADMINUSER_PWD`	Enter the password for the user you use to access your Oracle Access Management Console. Note: All password fields are optional. If you do not enter them in the file (security issues), then you are prompted to enter them when the script runs.	`password`
`IDSTORE_OIMADMINUSER`	Enter the user that Oracle Identity Governance uses to connect to the identity store.	`oimLDAP`
`IDSTORE_OIMADMINUSER_PWD`	Enter the Password for the user that Oracle Identity Governance uses to connect to the identity store.	`password`
`IDSTORE_OIMADMINGROUP`	Enter the group you want to create to hold your Oracle Identity Governance administrative users.	`OIMAdministrators`
`IDSTORE_WLSADMINUSER`	Enter the identity store administrator for Oracle WebLogic Server.	`weblogic_idm` Note: This is the LDAP user that will be used to perform WebLogic Administrative operations. The equivalent of the internal weblogic user.
`IDSTORE_WLSADMINUSER_PWD`	Enter the password for Identity store administrator for Oracle WebLogic Server.	`password`
`IDSTORE_WLSADMINGROUP`	Enter the identity store administrator group for Oracle WebLogic Server.	`wlsadmingroup`
`IDSTORE_OAAMADMINUSER`	Enter the user you want to create as your Oracle Access Management Administrator. This user is created by the tool.	`oaamAdminUser`
`IDSTORE_XELSYSADMINUSER_PWD`	Enter the password of System administrator for Oracle Identity Goverance. Must match the value in Oracle Identity Governance	`password`
`POLICYSTORE_SHARES_IDSTORE`	Set it to `true` if your policy and identity stores are in the same directory. If not, it is set to `false`.	`TRUE`
`IDSTORE_KEYSTORE_FILE`	Enter the location of the Oracle Unified Directory `Keystore` file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called `admin-keystore` and is located in `OUD_ORACLE_INSTANCE/OUD/config`. If you are not using Oracle Unified Directory, you can ignore this parameter. This file must be located on the same host that the `OIGOAMIntegration.sh` command is running on. The command uses this file to authenticate itself with OUD.	`/u01/config/instances/oud1/OUD/config/admin-keystore`
`IDSTORE_KEYSTORE_PASSWORD`	Enter the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`. If you are not using Oracle Unified Directory, you can ignore this parameter.	`password`
`SSL_DEBUG_ENABLE`	Can be set to assist with the debugging of SSL connections	`false`

Run the idmConfigTool to extend the directory schema.

export JAVA_HOME=/u01/oracle/products/jdk
export PATH=$JAVA_HOME/jdk/bin:$PATH
export MW_HOME=/u01/oracle/products/idm
export ORACLE_HOME=$MW_HOME/idm

$ORACLE_HOME/idmtools/bin/idmConfigTool.sh -preConfigIDStore input_file=prepareLDAP.props log_level=FINEST

You have successfully executed the automated script for preparing the IDStore.

Run the idmConfigTool to populate the directory with administration users.

export JAVA_HOME=/u01/oracle/products/jdk
export PATH=$JAVA_HOME/jdk/bin:$PATH
export MW_HOME=/u01/oracle/products/idm
export ORACLE_HOME=$MW_HOME/idm
$ORACLE_HOME/idmtools/bin/idmConfigTool.sh -prepareIDStore input_file=ldapPrepare.props log_level=FINEST mode=all

Verifying the Identity Store and Policy Store Configuration

Do the following in your LDAP directory:

Search base for users and groups you specified in the prepareLDAP.props file exist in the LDAP directory.
The user container, group container, and the System ID container exist in the LDAP directory.
The systemids container includes the IDROuser, IDRWUser, oamSoftwareUser, and oimadminuser users. These are sample values provided in prepareLDAP.props. You can provide and use your own values.
The user container includes the oamadminuser, weblogic_idm, and xelsysadm users. These are sample values provided in prepareLDAP.props. You can provide and use your own values.
The group container includes the OAMadministreatrs, OIMadminsitrators, BIReportAdminnistrator, Session REST API, and wlsadmingroup, orclFAGroup.

Access is granted to the changelog for OUD:

If you are using Oracle Unified Directory, you must grant access to the changelog by performing the following steps on the single node LDAP host or on LDAPHOST1 and LDAPHOST2 for multinode LDAP instances:

Create a file called passwordfile that contains the password you use to connect to OUD.

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --remove \
global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"  \
				--hostname OUD Host \
				--port OUD Admin Port \
				--trustAll \
				--bindDN cn=oudadmin \
                           --bindPasswordFile passwordfile \
				--no-prompt

For example:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --remove \
global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
				--hostname LDAPHOST1.example.com \
			       --port 4444 \
				--trustAll \
				--bindDN cn=oudadmin \
				--bindPasswordFile passwordfile \
				--no-prompt

Add the new act:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --add \

global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
				--hostname OUD Host \
				--port OUD Admin Port \
				--trustAll \
				--bindDN cn=oudadmin \
				--bindPasswordFile passwordfile \
				--no-prompt

For example:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --add \
global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
                      --hostname LDAPHOST1.example.com \
			  --port 4444 \
			  --trustAll \
			  --bindDN cn=oudadmin \
			  --bindPasswordFile passwordfile \
			  --no-prompt

Additional OUD grants are created:

Update OUD_ORACLE_INSTANCE/OUD/config/config.ldif on all OUD instances with below changes:

Look at the following line:

ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)

Remove the Object Identifier 1.2.840.113556.1.4.319 from the above aci and add it to following aci as shown:

ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)

Add Object Identifiers 1.3.6.1.4.1.26027.1.5.4 and 1.3.6.1.4.1.26027.2.3.4 to the following aci as shown:

ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)

Restart the Oracle Unified Directory server on both LDAPHOSTs.

Additional OUD indexes are created:

When you ran the idmConfigTool.sh script to prepare an OUD identity store, it creates indexes for the data on the instance against which it is run. These indexes must be manually created on each of the OUD instances in LDAPHOST2. To do this, run the following commands on LDAPHOST2:
```
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c \-f IAD_ORACLE_HOME/idm/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
```
```
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j  passwordfile -c \-f IAD_ORACLE_HOME/idm/idmtools/templates/oud/oud_indexes_extn.ldif
```

Granting ACLs Manually for Active Directory

For Active Directory, after running idmConfigTool, perform the following on the AD server machine:

Add ACLs.

dsacls /G cn=orclFAUserReadPrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GR
dsacls /G cn=orclFAUserWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
dsacls /G cn=orclFAGroupReadPrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GR
dsacls /G cn=orclFAGroupWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
dsacls /G cn=orclFAOAMUserWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW

Reset User Password.

dsmod user "CN=weblogic_idm,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=xelsysadm,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=oamadmin,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=OblixAnonymous,DC=interop,DC=example,DC=com" -pwd <password> -mustchpwd no
dsmod user "CN=oamLDAP,<IDSTORE_SYSTEMIDBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=oimLDAP,<IDSTORE_SYSTEMIDBASE>" -pwd <password> -mustchpwd no

Enable user accounts.

dsmod user "CN=weblogic_idm,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=xelsysadm,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=oamadmin,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=OblixAnonymous,DC=interop,DC=example,DC=com" -disabled no
dsmod user "CN=oamLDAP,<IDSTORE_SYSTEMIDBASE>" -disabled no
dsmod user "CN=oimLDAP,<IDSTORE_SYSTEMIDBASE>" -disabled no