Configuring LDAP Authentication in OIM 11g

Configuring LDAP Authentication in OIM 11g : 

  1. Add a dynamic group in Oracle Internet Directory (OID).
    1. Create an oimusers.ldif file that defines a dynamic group. The format of the LDIF file should be similar to the following:
      dn: cn=oimusers, <group search base>
      objectclass: orclDynamicGroup
      objectclass: groupOfUniqueNames
      labeleduri:ldap://LDAP_HOST:LDAP_PORT/<UserSearchBase>??sub?(objectclass=inetOrgPerson)

      For example:

      dn: cn=oimusers,cn=Groups,dc=us,dc=oracle,dc=com
      objectclass: orclDynamicGroup
      objectclass: groupOfUniqueNames
      labeleduri: ldap://LDAP_HOST:3060/cn=Users,dc=us,dc=oracle,dc=com??sub?(objectclass=inetOrgPerson)
    2. Use the ldapadd command to upload the oimusers.ldif file to OID. The command should have the following format:
      ldapadd -h LDAP_HOST -p LDAP_PORT -D <root dn> -w <password> -f oimusers.ldif

      For example:

      ldapadd -h LDAP_HOST -p 3060 -D cn=orcladmin -w welcome1 -f oimusers.ldif
    3. Use the ldapsearch command to validate group members. The command should have the following format:
      ldapsearch -h LDAP_HOST -p LDAP_PORT -D <root dn> -w <password> -b "cn=oimusers,<groupsearchbase>" -s base "objectclass=*"

      For example:

      ldapsearch  -h LDAP_HOST -p 3060 -Dcn=orcladmin -wwelcome1 -b "cn=oimusers,cn=Groups,dc=us,dc=oracle,dc=com" -s base "objectclass=*"
  2. Configure the LDAP Authenticator in WLS.
    1. Log in to WebLogic Administrative Console.
    2. Go to Security Realms, myrealm, Providers.
    3. Click New. Give a name and choose OracleInternetDirectoryAuthenticator as type.
    4. Set the Control Flag to SUFFICIENT.
    5. Click the Provider Specific settings and configure the OID connection details.
    6. In Dynamic groups section, enter the following values:

      Dynamic Group Name Attribute: cn

      Dynamic Group Object Class: orcldynamicgroup

      Dynamic Member URL Attribute: labeleduri

      User Dynamic Group DN Attribute: GroupOfUniqueNames

    7. Click the Providers tab and then click Reorder. Reorder the LDAP authenticator so this is placed before the OIM Authenticator.
  3. Restart all servers.
  4. Validate role memberships.
    1. Login to WebLogic Admin Console.
    2. Go to Security Realms, myrealm, User and Groups.
    3. Click users to display all the users in the LDAP user search base. If the LDAP users are not displayed, it means that there is an error with the LDAP connection, and the details are specified in OID Authenticator (provider specific settings).
    4. Click on any user and then to the corresponding group entry. “Oimusers” should be one of the listed entries. If this validation fails, please go through the LDAP authenticator’s provider-specific details.

This procedure does not enable the following functionality:

  • Forced password changes, including first login, administrator password reset, and expired passwords
  • Forced setting of challenge responses

Leave a Reply

Your email address will not be published. Required fields are marked *