OIM and OUD integration

Integration of Oracle Unified Directory (OUD) with Oracle Identity Manager (OIM)

Roles defined in Oracle Identity Manager (OIM) can be mapped to groups defined in Oracle Unified Directory (OUD). The example below shows a role in OIM (screenshots from OIM are provided) and how it can be mapped to a group in OUD (with an example screenshot).
The example below is taken from an Oracle discussion forum; the original link is here. It was written for OIM 11gR2 PS2 but should also be valid for the 12c versions of OIM and OUD.


srivkind-Oracle Posts:27

 edited September 2016

In OIM I create organizations, to reflect the actual company's structure. User is created in OIM and belongs to an Organization.

When I browse data in the integrated OUD, the same User has no Organization.


Best Answer

  • Sandeep Kumar sk Posts:482 Bronze Badge

     edited September 2016 Accepted Answer

    You define "Groups" in OUD or your LDAP server. These groups map directly to "Roles" in OIM (if you have OIM in your setup).

    Assuming you have already defined OUD (or your LDAP server) as the directory configured for OAM (Oracle Access Manager), then, using the group membership in OUD, access can be granted to applications. Hope this step is clear.

    Next, you need to define the Directory Information Tree, or DIT. The DIT is nothing but how your entries are arranged in hierarchical form and how you store the various objects in an LDAP server. For example, in your case the entry for user Sonia Rivkind is the following:

    cn=Sonia RivKind,cn=Users,cn=us,cn=oracle,cn=com

    The above is called a DN, or Distinguished Name, for user Sonia. It is unique in the whole directory.

    See this picture: ouPath1.JPG

    This is your DIT structure, where your users are defined in the container cn=Users,cn=us,cn=oracle,cn=com (this is your user store location defined in terms of the DIT).

    Similarly, you will define your DIT structure for groups; see the picture below:

    ouPath2.JPG

    You will define new groups under groups (as shown in the picture above).

    You create a new group called, say, Testgroup1 under cn=groups. (You should be able to click on cn=groups and from the right pane create a new group and edit its name and other attributes.)

    Once your group is created (say Testgroup1), you will have the following entry for your new group in the DIT:

    cn=Testgroup1,cn=groups,cn=us,cn=oracle,cn=com

    (See the picture on the right: group_info1.JPG)

    Example: You asked what a group looks like in LDAP. See the picture below of how groups appear in LDAP. In the picture you can see two groups, OCS Portal Users and OESAdmin. In the right pane you can edit the attributes of the group.

    group_pic.JPG

    Next, you provide group membership to your new groups. So in your case you may add Sonia as a new member of this Testgroup1.

    With group membership you allow access to applications based on groups defined in OUD. This way all users who are part of group Testgroup1 will be allowed access to your applicationX. For applicationY you could define another group called, say, Testgroup2 and add members there.

    Hope it is clear how you define and manage groups in OUD and how objects are stored in OUD or LDAP.

    If you want to control the group membership from OIM, then you define Roles in OIM. Roles in OIM are equivalent to Groups defined in the OID/OUD/LDAP server. But in order to do this you need to ensure two things: 1) OIM and your LDAP server are integrated via ldapsync; 2) you define roles in OIM only. Due to the ldapsync defined in 1), the roles are automatically created in the OUD/OID/LDAP server. (Actually, both users and groups are defined in OIM only and via ldapsync are copied over to OUD.)

    Hope this was helpful and answered your question.


Answers

  • Philipp Grigoryev Posts:1,017 Gold Badge
     
     edited September 2016

    So what is your expected outcome for that? How would you like OUD to reflect a user belonging to a specific org?

  • srivkind-Oracle Posts:27
     
     edited September 2016

    This is OIM's record:

    pastedImage_0.png

    When I browse user data in OUD, I see the attribute "Organization", but it is empty.

    pastedImage_1.png

  • handat Posts:4,688
     
     edited September 2016

    This is not how LDAP works. The Organization field in LDAP is basically part of your DIT.

    If you wanted those fields in LDAP to be populated, then your DN would need to look something like this:

    cn=Sonia Rivkind,cn=Users,ou=OrgUnit,o=Custom Root,dc=oracle,dc=com,c=us

    With the above, OrgUnit would be in Organization Unit, and Custom Root would be in Organization.

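As an added illustration (not part of the forum thread or any Oracle code) covering both the DNs and Testgroup1 entry in the accepted answer and the organisation-based DN handat shows above: a small Python helper that parses a DN, reads the o/ou parts it sits under, renders the Testgroup1 group as LDIF and checks group membership on normalised DNs rather than raw strings. The groupOfUniqueNames object class and the contents of the TESTGROUP1 entry are assumptions; the DNs are the ones quoted in the thread.

```python
import re

# DNs quoted in the thread (user entry in the flat and the org-based DIT,
# group under cn=groups); the Testgroup1 entry itself is constructed here.
USER_DN = "cn=Sonia RivKind,cn=Users,cn=us,cn=oracle,cn=com"
USER_DN_WITH_ORG = "cn=Sonia Rivkind,cn=Users,ou=OrgUnit,o=Custom Root,dc=oracle,dc=com,c=us"
GROUP_DN = "cn=Testgroup1,cn=groups,cn=us,cn=oracle,cn=com"
TESTGROUP1 = {"dn": GROUP_DN, "cn": ["Testgroup1"],
              "objectClass": ["top", "groupOfUniqueNames"],
              "uniqueMember": [USER_DN]}


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf RDN first.
    A comma escaped as '\\,' inside a value stays part of that value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def org_parts(dn):
    """(o, ou) the entry sits under: in the org-based DIT handat describes,
    the Organization / Organization Unit fields come from the DN itself."""
    found = {}
    for attr, value in parse_dn(dn):
        if attr in ("o", "ou"):
            found.setdefault(attr, value)  # innermost o/ou wins
    return found.get("o"), found.get("ou")


def normalize_dn(dn):
    """Canonical form for comparing DNs. OUD matches cn with caseIgnoreMatch, so
    'cn=Sonia RivKind' and 'CN=sonia  rivkind' must compare equal."""
    return ",".join(f"{a}={' '.join(v.split()).lower()}" for a, v in parse_dn(dn))


def group_ldif(group_dn, member_dns):
    """LDIF for a static group (groupOfUniqueNames) such as Testgroup1."""
    cn = parse_dn(group_dn)[0][1]
    lines = [f"dn: {group_dn}", "objectClass: top",
             "objectClass: groupOfUniqueNames", f"cn: {cn}"]
    lines += [f"uniqueMember: {m}" for m in member_dns]
    return "\n".join(lines) + "\n"


def is_member(group_entry, user_dn):
    """The check an access policy makes: is user_dn a uniqueMember of the group?
    Compared on normalized DNs; a raw string compare would deny valid users."""
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in group_entry.get("uniqueMember", []))
```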
  • srivkind-Oracle Posts:27
     
     edited September 2016

    I see. Where/how do I make this happen? I assume it should be somewhere in the integration between OIM and OUD?

    And also, can I then build an authorization policy in OAM (that is connected to this same OUD) that will take into account the o=Custom Root part of the DN?

    Thanks!

  • handat Posts:4,688
     
     edited September 2016

    You will first need to design your DIT, then update your LDAP sync configuration to have a different mapping for each organisation, etc.

    In OAM, you can define multiple user repositories (user stores), but each user store will have one base search location so you will need to make it right at the top of the base suffix. This however, isn't such a good design from a directory perspective. A better approach would be to create LDAP roles or groups which map to the OIM roles/groups and forget about the organizations (or just make 'organisation' as a LDAP role). OAM authorization policies are mainly based on LDAP groups or role attributes.

  • srivkind-Oracle Posts:27
     
     edited September 2016

    Could you please clarify: how could I manage groups in OIM?

    I see Users, Roles and Organizations. I can't find a way to define group.

    And also, what will the group look like in LDAP?

  • handat Posts:4,688
     
     edited September 2016

    If I were you, I would worry less about the LDAP organisation and other mappings to OIM, ie ignore the incomplete mapping in ODSM as that is not that important (unless that is a requirement for you in which case you will need to redesign your current implementation). What you should be concentrating on is to map your OIM Roles into OUD Groups and create OUD dynamic groups or OUD Roles out of OIM organisations so you can easily group users in OAM when enforcing access.

  • srivkind-Oracle Posts:27
     
     edited September 2016

    Thanks a lot!

    I wish I could mark all the answers as correct ones.

