OIM and OUD integration
Integration of Oracle Unified Directory (OUD) with Oracle Identity Manager (OIM)
Roles defined in Oracle Identity Manager (OIM) can be mapped to Groups defined in Oracle Unified Directory (OUD). See the example below of a Role in OIM (screenshots from OIM provided) and how it can be mapped to a Group in OUD (screenshot with example included).
In OIM I create organizations, to reflect the actual company's structure. A User is created in OIM and belongs to an Organization.
When I browse data in the integrated OUD, the same User has no Organization.
Best Answer
- Sandeep Kumar
You define "Groups" in OUD or your LDAP server. These groups map directly to "Roles" in OIM (if you have OIM in your setup).
Assuming you have already defined OUD (or LDAP server) as the directory configured for OAM, Oracle Access Manager, then using the group membership in OUD access can be granted to applications. Hope this step is clear.
Next, you need to define the Directory Information Tree or DIT. DIT is nothing but how your entries are arranged in a hierarchical form and how you store the various objects in an LDAP server. For example, in your case the entry for user Sonia Rivkind is the following:
cn=Sonia Rivkind,cn=Users,cn=us,cn=oracle,cn=com
The above is called the DN or Distinguished Name for user Sonia. This is unique in the whole directory.
See this picture
This is your DIT structure, where your users are defined in the container cn=Users,cn=us,cn=oracle,cn=com (this is your user store location defined in terms of DIT).
Similarly you will define your DIT structure for Groups, see below picture
You will define new groups under cn=groups (as shown in the picture above).
You create a new group called, say, Testgroup1 under cn=groups. (You should be able to click on cn=groups and from the right pane create a new group and edit its name and other attributes.)
Once your group is created (say Testgroup1), you will have the following entry for your new group in the DIT:
cn=Testgroup1,cn=groups,cn=us,cn=oracle,cn=com
(See picture on right.)
Example: You asked what a group looks like in LDAP. See the picture below of how groups are in LDAP. In the picture below you can see 2 groups, OCS Portal Users and the OESAdmin group. On the right pane you can edit the attributes of the group.
Next, you provide group membership to your new groups. So in your case you may add Sonia as a new member to this Testgroup1.
With group membership you allow access to applications based on groups defined in OUD. This way all users who are part of group Testgroup1 will be allowed access to your applicationX. For applicationY you could define another group called Testgroup2 and add members there.
Hope it is clear how you define and manage groups in OUD and how objects are stored in OUD or LDAP.
If you want to control the group membership from OIM, then you define Roles in OIM. Roles in OIM are equivalent to Groups defined in the OID/OUD/LDAP server. But in order to do this you need to ensure two things: 1) OIM and your LDAP server are integrated via ldapsync; 2) you define roles in OIM only. Due to the ldapsync defined in 1), the roles are automatically created in the OUD/OID/LDAP server. (Actually both users and groups are defined in OIM only and via ldapsync are copied over to OUD.)
Hope this was helpful and answered your question.
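The group entry and membership the answer describes, written out as LDIF for the DIT it uses (an added example, not from the thread; the description text and the second user "Jane Doe" are constructed placeholders):

```ldif
# Added example: static group in the DIT from the answer above.
# Entry 1: create Testgroup1 under cn=groups with Sonia as its first member.
dn: cn=Testgroup1,cn=groups,cn=us,cn=oracle,cn=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: Testgroup1
description: Users allowed to reach applicationX (constructed description)
uniqueMember: cn=Sonia Rivkind,cn=Users,cn=us,cn=oracle,cn=com

# Entry 2: grant applicationX to one more user by adding a second member.
# "Jane Doe" is a constructed placeholder; the DN should name an existing
# entry under cn=Users, since OUD does not check the reference for you.
dn: cn=Testgroup1,cn=groups,cn=us,cn=oracle,cn=com
changetype: modify
add: uniqueMember
uniqueMember: cn=Jane Doe,cn=Users,cn=us,cn=oracle,cn=com
```

Load it with ldapmodify; an ldapsearch on Sonia's entry that requests OUD's isMemberOf virtual attribute then returns the group DN, which is what an OAM authorization policy's group condition matches. With ldapsync in place, OIM creates an entry of this shape for each Role, so this is also what to look for when checking that the sync worked.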
Answers
So what is your expected outcome for that? How would you like OUD to reflect a user belonging to a specific org?
This is OIM's record:
When I browse user data in OUD, I see the attribute "Organization" but it is empty.
This is not how LDAP works. The Organization field in LDAP is basically part of your DIT.
If you wanted those fields in LDAP to be populated, then your DN would need to look something like this:
cn=Sonia Rivkind,cn=Users,ou=OrgUnit,o=Custom Root,dc=oracle,dc=com,c=us
With the above, OrgUnit would be the Organization Unit, and Custom Root would be the Organization.
I see. Where/how I make this happen? I assume it should be somewhere in the integration between OIM and OUD?
And also, can I then build an authorization policy in OAM (that is connected to this same OUD) that will take into account the o=Custom Root part of the DN?
Thanks!
You will first need to design your DIT, then update your LDAP sync configuration to have a different mapping for each organisation, etc.
In OAM, you can define multiple user repositories (user stores), but each user store will have one base search location so you will need to make it right at the top of the base suffix. This however, isn't such a good design from a directory perspective. A better approach would be to create LDAP roles or groups which map to the OIM roles/groups and forget about the organizations (or just make 'organisation' as a LDAP role). OAM authorization policies are mainly based on LDAP groups or role attributes.
Could you please clarify: how could I manage groups in OIM?
I see Users, Roles and Organizations. I can't find a way to define group.
And also, what will the group look like in LDAP?
If I were you, I would worry less about the LDAP organisation and other mappings to OIM, ie ignore the incomplete mapping in ODSM as that is not that important (unless that is a requirement for you in which case you will need to redesign your current implementation). What you should be concentrating on is to map your OIM Roles into OUD Groups and create OUD dynamic groups or OUD Roles out of OIM organisations so you can easily group users in OAM when enforcing access.
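One way to build the dynamic group this reply suggests, as an added example (not from the thread): an OUD groupOfURLs entry whose members are every user under cn=Users whose organisation attribute matches. Assumptions: ldapsync copies the OIM organisation name into the user's o attribute, and cn=CustomRootUsers is a made-up group name.

```ldif
# Added example: dynamic OUD group that tracks an OIM organisation.
# Assumption: ldapsync populates "o" on each user entry with the OIM
# organisation name (here "Custom Root", taken from the thread); use the
# attribute your sync mapping actually writes.
dn: cn=CustomRootUsers,cn=groups,cn=us,cn=oracle,cn=com
changetype: add
objectClass: top
objectClass: groupOfURLs
cn: CustomRootUsers
description: All users of OIM organisation "Custom Root" (constructed)
# Membership is computed from this LDAP URL: base, attribute list (empty),
# scope sub, filter. Nobody is added by hand; moving a user to another
# organisation in OIM changes "o" via ldapsync and drops them from here.
memberURL: ldap:///cn=Users,cn=us,cn=oracle,cn=com??sub?(o=Custom Root)
```

Point an OAM authorization policy's group condition at cn=CustomRootUsers,cn=groups,cn=us,cn=oracle,cn=com; OUD's isMemberOf virtual attribute also lists dynamic groups, so the same ldapsearch check used for static groups verifies this one.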
Thanks a lot!
I wish I could mark all the answers as correct ones.