OID Connector
The OID (Oracle Internet Directory) connector is an Oracle Identity Manager connector used to integrate OIM (Oracle Identity Manager) with external directories such as OID, ODSEE, OUD and Novell eDirectory.
For OIM 11.1.1 or later (e.g. 11.1.2), use the 11.1.1.x version of this connector; the version currently available for download is 11.1.1.6, from the OID Connector Download page: http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html
The following post explains all the steps for configuring OID connector 11.1.1.6 with OIM: Configure OID connector with OIM (http://www.pythian.com/blog/configuring-oid-11-1-1-6-connector-in-oim-11-1-2)
Note: LDAP sync only deals with Users and Roles. Other OIM entities such as Organizations will not be synced into OID. If you just need users and roles synced from OIM to OID/OUD, LDAP sync will suffice. It works well, and you can use the OIM approval workflow features to have user accounts provisioned into the appropriate roles via request-level approval workflow.
However, if your requirements include integrating OIM with OAM, including password management, then LDAP sync is required. The LDAP sync feature is available out of the box when you install OIM; it is one of the optional configuration steps. You may enable LDAP sync after OIM has been configured, but that requires several manual steps, so it is better to enable LDAP sync during the OIM install/configuration step.
To create the admin user, group, and ACIs for connector operations:
You need to create an OID target system user account. This account is used for the various connector operations. Use the oidadmin.ldif file given below in this page to create the required admin user and group in OID. Run the following command to load it:
./ldapmodify -h OID-Server -p OID-Port -D OID-Admin-ID -w OID-Admin-password -c -v -f oidadmin.ldif
Run the following command to check if the ACI is added:
./ldapsearch -h OID-Server -p OID-Port -D "cn=orcladmin" -w OID-Admin-password -b "dc=example,dc=com" -s one "objectclass=*" orclaci
Run the following command to check that the proxy user works against OID. Before running this command, ensure that the changenumber attribute is catalogued.
./ldapsearch -h OID-Server -p OID-Port -D "cn=oimAdminUser,cn=systemids,dc=example,dc=com" -w OID-Admin-password -b "cn=changelog" -s sub "changenumber>=0"
If the above command returns an error, run the following command instead:
./ldapsearch -h OID-Server -p OID-Port -D "cn=oimAdminUser,cn=systemids,dc=example,dc=com" -w OID-Admin-password -b "cn=changelog" -s one "changenumber>=0"
------------------------------------------------------------------------------------
Create a new file named oidadmin.ldif with the contents below (assuming your domain is example.com). Replace the sample password welcome1 with a password of your own before loading the file.
dn: cn=systemids,dc=example,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=example,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=example,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: orclPrivilegeGroup
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=example,dc=com

dn: cn=oracleAccounts,dc=example,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=example,dc=com" (add,browse,delete) by * (none)
orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=example,dc=com" (read,search,write,compare) by * (none)

dn: cn=changelog
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=example,dc=com" (browse) by * (none)
orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=example,dc=com" (read,search,compare) by * (none)
---------------------------
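The script below is an added example, not part of the original page or of Oracle's connector; it generates the oidadmin.ldif above for any base DN instead of hand-editing the example.com version, checks the LDIF framing (blank line between records, a dn and a changetype per record, no unfolded continuation lines, which is exactly what trips ldapmodify when the file is pasted from a web page), and wraps the page's ldapmodify call. The ACIs it emits are the ones on this page, so the connector group gets only add/browse/delete on entries under cn=oracleAccounts, read/search/write/compare on attributes there, and read-only access to the changelog. Assumptions: the base DN and password are passed in as arguments, the OID admin password for loading is taken from an environment variable named OID_ADMIN_PW, and awk and ldapmodify are on PATH.

```shell
#!/bin/sh
# Added example (not from the page): build oidadmin.ldif for a given base DN,
# validate its LDIF framing, and load it with the page's ldapmodify call.

# gen_oidadmin_ldif BASE_DN PASSWORD -> prints the LDIF to stdout.
# Container, user and group names match the page; only the base DN and
# the password are parameterised.
gen_oidadmin_ldif() {
  base_dn="$1"
  pw="$2"
  sysids="cn=systemids,$base_dn"
  admin_user="cn=oimAdminUser,$sysids"
  admin_group="cn=oimAdminGroup,$sysids"
  cat <<EOF
dn: $sysids
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: $admin_user
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: $pw

dn: $admin_group
changetype: add
objectclass: groupOfUniqueNames
objectclass: orclPrivilegeGroup
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: $admin_user

dn: cn=oracleAccounts,$base_dn
changetype: modify
add: orclaci
orclaci: access to entry by group="$admin_group" (add,browse,delete) by * (none)
orclaci: access to attr=(*) by group="$admin_group" (read,search,write,compare) by * (none)

dn: cn=changelog
changetype: modify
add: orclaci
orclaci: access to entry by group="$admin_group" (browse) by * (none)
orclaci: access to attr=(*) by group="$admin_group" (read,search,compare) by * (none)
EOF
}

# ldif_check FILE -> prints the record count and exits 0 when every record
# starts with "dn: ", carries a changetype, is separated from the next record
# by a blank line, and every non-folded line looks like "attr: value".
ldif_check() {
  awk '
    /^$/ { if (started && !ct) bad++; started = 0; ct = 0; next }
    !started { if ($0 !~ /^dn: /) bad++; started = 1; rec++; next }
    /^dn: / { bad++; next }                     # second dn with no blank line before it
    /^changetype: / { ct = 1; next }
    /^ / { next }                               # folded continuation line is fine
    $0 !~ /^[A-Za-z][A-Za-z0-9;.-]*:/ { bad++ } # e.g. an unfolded "group=..." fragment
    END { if (started && !ct) bad++; print rec + 0; exit (bad > 0) }
  ' "$1"
}

# load_oidadmin_ldif HOST PORT ADMIN_DN LDIF_FILE
# Same flags as the page; the password comes from $OID_ADMIN_PW (assumed
# variable) so it is not typed into shell history, though like the page's
# form it is still visible in the process list while ldapmodify runs.
load_oidadmin_ldif() {
  [ -n "$OID_ADMIN_PW" ] || { echo "OID_ADMIN_PW is not set" >&2; return 2; }
  ldapmodify -h "$1" -p "$2" -D "$3" -w "$OID_ADMIN_PW" -c -v -f "$4"
}

# Typical use (constructed values):
#   gen_oidadmin_ldif "dc=example,dc=com" "$NEW_CONNECTOR_PW" > oidadmin.ldif
#   ldif_check oidadmin.ldif && OID_ADMIN_PW=... load_oidadmin_ldif oid.example.com 3060 cn=orcladmin oidadmin.ldif
```

Run ldif_check before every load: the page's LDIF as extracted (records run together, orclaci values split over unfolded lines) fails it, while the properly framed file passes with a count of five records.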