OID documentation

I am just starting out in the application server world. I was just hired on to a company that has an aggressive portal project underway. They are trying to sync Active Directory with OID. I am having a helluva time finding a concepts guide on OID. They are on 10.1.2.1 (that may just be the portal release). Can anyone point me in the right direction?
Thanks

Hi,
The first few topics in the Oracle Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) outline the basics of OID very well. You can find the Guide here :-
http://download-east.oracle.com/docs/cd/B14099_19/idmanage.1012/b14082/toc.htm
You can also get Oracle's Collection of Identity Management Documentation here :-
http://download-east.oracle.com/docs/cd/B14099_19/idmanage.htm
You can also get excellent information about the LDAP Protocol at this website :-
http://ldapguru.com
The Sample Code Gallery at LDAPGuru.com is very helpful, if you are starting off in developing LDAP Solutions.
And, for everything else, there's Google :)
Regards,
Sandeep

Similar Messages

  • Migrating OID groups to OIM

    We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    Part of our existing system uses OID (Oracle Internet Directory). All users have an entry in OID. Some of our systems use OID for authentication.
    We also use OID to hold users' entitlements/privileges that control access to our applications. We use OID groups (represented by entries based on groupOfUniqueNames and orclGroup objects) to do this. For example we might have an application called 'Finance' with three levels of access represented by OID groups e.g. 'finance_enquiry', 'finance_updater', 'finance_superuser'. Those groups would all belong to a parent group called 'finance_application'. To access the application the user needs to be a member of 'finance_application' group or one of its child groups. Access to features of the application is controlled by membership of the 3 child groups. We have an application that maintains groups, group membership, and user entitlements in OID.
    As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    I've looked at the OIM Connector for OID documentation but it doesn't describe typical scenarios. It assumes that you know what you are doing.
    We also want to give users the ability to request entitlements, and to provide an approval process. So we could have a user who approves/rejects entitlement requests to access the applications they control. But that's another topic.
    Cheers,
    Eric

    PeachEye wrote:
    > We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    > As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    You're about to find out otherwise.
    > My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    You'll need a custom connector and lots of OIM tweaks. Your groups will stay in OID; OIM will replace the current application you use to maintain them. That's one way of doing it: no impact to the OID schema is the benefit of this way. There are other ways.

  • Documentation organization needs WORK!

    Hi all,
    I've been frequenting the docs off OTN for quite some time now. I am currently looking for developer documentation for the latest flavor of Oracle Internet Directory. I have spent the last 20 minutes searching, looking, clicking, scratching my head, etc. I have YET to find what I need! Logically, I would expect to look at "Products" -> OID.. then to "Docs".. then the 'latest version',.. then 'developer docs'.. but no! I have yet to find the rules regarding LDAP filter expressions and OID quirks. Please reorg the docs!!!! This isn't the first time I've spent an unruly amount of time digging for something so simple. At best, I can somehow use the 'search' feature to find a doc, but I don't know if it's the latest, or what other info is available using the search method. Oracle, please do something!!
    -s-

    > Hi all,
    >
    > I've been frequenting the docs off OTN for quite some
    > time now. I am currently looking for developer
    > documentation for the latest flavor of Oracle
    > Internet Directory. I have spent the last 20 minutes
    > searching, looking, clicking, scratching my head,
    > etc. I have YET to find what I need! Logically, I
    > would expect to look at "Products" -> OID.. then to
    > "Docs".. then the 'latest version',.. then 'developer
    > docs'.. but no! I have yet to find the rules
    I'm not sure whether you are having difficulty finding the OID documentation or the OID doc does not address your issue. If it's the former, please read on. Otherwise, please post your documentation feedback in the doc feedback forum available at Documentation.
    I was able to find the developer guide following a similar clickthrough to the one you mentioned: OTN Home Page -> Products (click on the product menu in the left hand nav) -> OID (listed under both db and apps) -> documentation (available in the left hand navigation menu of the OID product section under the Oracle Internet Directory header). You would see the OID application developer's guide 9.2, 9.0.2, 3.0.1 and 2.1.1 all listed in the OID documentation page (url: http://otn.oracle.com/docs/products/oid/content.html). Oddly enough, I could not use the same clickthrough trail from the documentation menu available on the OTN home page. If you find the product page (http://otn.oracle.com/products/) organization useful, please let us know. We will try to reorg the docs page (http://otn.oracle.com/docs/) along the same line.
    --OTN
    > regarding LDAP filter expressions and OID quirks.
    > Please reorg the docs!!!! This isn't the first time
    > I've spent an unruling amount of time digging for
    > something so simple. At best, I can somehow use the
    > 'search' feature to find a doc, but I don't know if
    > it's the latest, or what other info is available
    > using the search method. Oracle, please do
    > something!!
    >
    > -s-

  • How to add a root entry?

    I used Oracle Unified Directory with Directory Services Manager. I tried to create a new root entry. Following http://docs.oracle.com/cd/E17904_01/oid.1111/e10029/oid_dir_entries.htm#i43505, I left the Parent Entry field blank. But it prompts "A value is required".

    You are trying to use the OID documentation for OUD. The ODSM interface and functionality between these two products are a bit different. Try the ODSM documentation for OUD here: http://docs.oracle.com/cd/E22289_01/html/821-1273/managing-ojd-with-odsm.html#scrolltoc

  • How catch messages from LDAP

    Hi all,
    i found this on the OID documentation (9.2 Oracle Identity Management Attribute Reference):
    9.2.467 pwdExpireWarning
    Description
    The number of seconds before a password expires that a warning should be sent to the user. The user will see the warning when they attempt to log on during the warning period. If the user does not modify the password before it expires, the user is locked out until the password is changed by the administrator. The default value is 0, which means no warnings are sent.
    For this feature to work, the client application must support it.
    The last sentence (marked in bold by me) is clear but doesn't specify WHERE it is possible to get information on HOW the client application does it. I can't find anything.
    Can anyone help me? Where can I find the documentation to catch this type of LDAP event?
    Thanks a lot.
    Alessandro

    Please, do you have any suggestions?
    Do you know if "client application" means also for "web application"?
    Alessandro
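What "the client application must support it" amounts to in code, as an added example that is not part of this thread or of Oracle's documentation: the warning reaches the client as an LDAP control on the bind response, so whatever performs the bind (a web application's login code included) has to request that control and decode it. This assumes the directory returns the draft-behera-ldap-password-policy response control (control OID 1.3.6.1.4.1.42.2.27.8.5.1); check the OID administrator's guide for the release in use before relying on that. The sample control values are hand-encoded BER constructed for this example, and the decoder is a minimal parser rather than a real LDAP library.

```python
# Added example: decoding the password-policy response control so a client can
# surface the pwdExpireWarning period. Assumption: the server implements the
# draft-behera-ldap-password-policy control; the value bytes below are constructed.

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Error codes from the draft's PasswordPolicyResponseValue.error enumeration.
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def _read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length

def decode_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED OPTIONAL }
    Tags are implicit, so [0] constructed is 0xA0 and the inner choices are
    0x80 / 0x81; the error field is 0x81 at the outer level."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    result = {"time_before_expiration": None,
              "grace_authns_remaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # [0] warning, constructed
            wtag, wval, _ = _read_tlv(inner, 0)
            number = int.from_bytes(wval, "big")
            if wtag == 0x80:
                result["time_before_expiration"] = number   # seconds
            elif wtag == 0x81:
                result["grace_authns_remaining"] = number
            else:
                raise ValueError("unknown warning choice")
        elif tag == 0x81:                  # [1] error, primitive ENUMERATED
            code = int.from_bytes(inner, "big")
            result["error"] = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return result

def user_message(decoded):
    """Turn the decoded control into what the application should tell the user."""
    if decoded["error"] == "passwordExpired":
        return "Password expired: contact an administrator to reset it."
    if decoded["error"]:
        return f"Login refused: {decoded['error']}."
    if decoded["time_before_expiration"] is not None:
        days, rem = divmod(decoded["time_before_expiration"], 86400)
        return f"Your password expires in {days} day(s) {rem // 3600} hour(s); change it now."
    if decoded["grace_authns_remaining"] is not None:
        return f"Password expired; {decoded['grace_authns_remaining']} grace login(s) left."
    return None

# Constructed sample control values (hand-encoded BER, not captured from a server).
WARNING_259200S = bytes.fromhex("3007a005800303f480")    # timeBeforeExpiration = 259200 s
EXPIRED = bytes.fromhex("3003810100")                    # error = passwordExpired
GRACE_2_EXPIRED = bytes.fromhex("3008a003810102810100")  # 2 grace logins left + passwordExpired

if __name__ == "__main__":
    for sample in (WARNING_259200S, EXPIRED, GRACE_2_EXPIRED):
        print(user_message(decode_ppolicy_response(sample)))
```

In a real client the request control (same OID, no value) is attached to the bind, and the response control is looked up by `PPOLICY_CONTROL_OID` in the bind response before its value is handed to `decode_ppolicy_response`; a client that never sends the request control is the usual reason the warning in the attribute reference "does not work".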

  • OIM Beginner here !

    Hi,
    I am working in ADF 11g, OIM Self Service Control.
    Can anyone provide me some material on OIM, as in how to create Groups and provision Users to Groups.
    Also, can anyone help me in understanding the relation between OIM, OAM, OID.
    Early response is appreciated.
    Thanks
    Edited by: user617801 on Mar 16, 2009 8:46 AM

    Hi,
    You need to go to the documentation section of Oracle and get the OIM/OAM/OID documentation. On this forum one could not give a lot of info; this forum is a platform to discuss any issue or any conceptual questions.
    Just go through the documentation and if you are a beginner then you must attend some Oracle training or start with small development and understand the bits and pieces of Identity Management systems.
    Regards
    Nitesh

  • How can we get ADFSecurity work when used in OC4J, OID and OAM?

    I am getting error in http server log "mod_oc4j: Response status=499 and reason=Oracle SSO, but failed to get mod_osso global context."
    But I am not using Oracle SSO and my client doesn't want to use it either, I am using OAM SSO(CoreIDSSO) in my configuration. Please read the details below.
    I am using ADFSecurity in an app that is protected by OAM. To migrate ADFSecurity permissions from
    system-jazn-data.xml to OID, I used JAZNMigrationTool to populate OID with Grantees and Permissions. OAM gives login page, and authentication works fine.
    But ADFSecurity is not working. The ADFComponent Delete button is enabled even for roles that don't have permissions for the iterator delete.
    - The app works fine when I use without OAM. ADF Security permissions work fine.
    - The app works fine when used with OAM, but with ADFSecurity disabled (enforce=false).
    - When I enforce ADFSecurity along with OAM, ADFSecurity is not working.
    In the doc "Oracle Containers for J2EE Security Guide b28957", there is a mention of use of CoreIDPrincipal for permissions. Our OID Permissions entries show
    LDAPRealmRole for attribute orcljaznprincipal. I am not sure if this could be the reason.
    We have configured AccessServerSDK for the SOA instance and have policy for the urls in the policy manager. We have entries in orion-application.xml, orion-web.xml and system-jazn-data.xml as per the documentations.
    How can we get ADFSecurity work when used with OID and OAM?

    Have you been able to successfully integrate OAS with OAM & OID? We have a similar requirement and so far we have not been able to get it working.
    We have application specific roles which we map to OID roles using orion-application.xml.
    Any pointers to achieve this would be greatly appreciated.
    thanks,
    Dipal

  • Sychronisation AD - OID: Is it possible to read the user password from AD?

    Hi.
    We are using the Oracle Internet Directory shipped with the Oracle 9i Database Rel. 2 (9.2.0.1).
    I try to synchronise the user accounts from AD to OID using Java JNDI. I'm able to read all necessary user information except the user password (MD5 value). Even if I connect to the AD using SSL, it's not possible to read the attribute userPassword.
    Is anybody out there who got this to work or knows a way (may also be by the use of another programming language or tool) to get the user password out of AD? Is this possible? How do the Oracle Integration Agents accomplish this?
    Thanks in advance.
    Hermann S.

    Hermann,
    I am working with this as well, though from AS10g, not RDBMS. According to the OID Administrator Guide chapter 43, page 43-52:
    <snip>
    Synchronizing passwords from Microsoft Active Directory to Oracle Internet Directory is not possible in the Oracle Application Server 10g release because passwords in Microsoft Active Directory are not accessible by LDAP clients. However, if a deployment requires passwords to be available in Oracle Internet Directory, then the following two methods are recommended:
    Build a custom plug-in for Microsoft Active Directory that captures a password change and synchronizes it with Oracle Internet Directory
    Manage Active Directory passwords from the Oracle environment. This enables passwords to be available in both Oracle Internet Directory and Microsoft Active Directory because the Active Directory connector can synchronize passwords from Oracle Internet Directory to Microsoft Active Directory.
    </snip>
    AS10g can however look up the password in AD using the "Active Directory External Authentication Plug-In". This is documented in the same chapter.
    Hope this helps,
    Jens

  • Synchronization from OID to AD failed by using ActiveExport profile

    Hi All
    Synchronization from OID to AD failed by using ActiveExport profile
    and I use a copy of activeexp.map.master that contains:
    DomainRules
    cn=Users,dc=software,dc=raya,dc=corp:CN=Users,DC=twa,DC=com:
    AttributeRules
    # Organizational Unit Mapping
    ou: : :organizationalunit:ou: : organizationalunit
    # Container mapping
    cn: : :orclcontainer: cn: :Container
    #Domain cannot be exported
    #name: : :domain: dc: :domain
    cn:1: :inetorgperson:cn: :User
    cn:1: :inetorgperson:SAMAccountName: :User
    # attribute rule for mapping Active Directory LOGIN id
    #mail: : :person:sn: :User:
    mail: : :person:UserPrincipalName: :User:
    # attribute rule for mapping entry and to create orclUserV2
    # There should be a mapping rule with orcluserv2 objectclass
    # without which the PORTAL may not function properly
    cn: : :inetorgperson:givenname: :person
    givenName: : :person:displayName: :person
    # mail needs to be assigned valid value for default settings ing DAS
    mail: : :inetorgperson:mail: :person
    # The next mapping rule is for synchronizing password from OID to AD.
    # Additional configuration is required. Please refer to DIP documentation
    # for details.
    # NOTE - To synchronize password from OID to AD, uncomment the next rule.
    # userpassword: : :person:unicodepwd: :person:
    # Setting useraccountcontrol to "544" (0x220) means
    # 1) regular account 2) password not required 3) user account is enabled
    cn: : :person:useraccountcontrol: :person:"544"
    mobile: : :inetorgperson:mobile: :organizationalperson:
    # GROUP ENTRY MAPPING RULES
    cn: : :orclgroup:cn: :group:
    # This will work successfully only when cn doesn't have any
    # special characters associated with it.
    cn: : :orclgroup:SAMAccountName: :group:
    uniquemember: : :groupofuniquenames:member: :group:
    When I check the log file I found:
    Trace Log Started at Mon Jul 24 07:54:58 EEST 2006
    tampro.Twa.com:389
    rdn value is missing in change record when performing insert operation. Please ensure that required mapping rule is specified in the profile.
    java.lang.NullPointerException
    at oracle.ldap.odip.gsi.ActiveWriter.insert(ActiveWriter.java:286)
    at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:272)
    at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:581)
    at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
    at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:200)
    null
    ActiveExport:Error in Mapping Enginejava.lang.NullPointerException
    java.lang.NullPointerException
    at java.io.Writer.write(Writer.java:126)
    at java.io.PrintStream.write(PrintStream.java:303)
    at java.io.PrintStream.print(PrintStream.java:462)
    at java.io.PrintStream.println(PrintStream.java:599)
    at java.lang.Throwable.printStackTrace(Throwable.java:461)
    at oracle.ldap.odip.engine.ODIException.printStackTrace(ODIException.java:296)
    at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:740)
    at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
    at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:200)
    Updated Attributes
    orclodipLastExecutionTime: 20060724075501
    orclLastAppliedChangeNumber: 3833
    orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
    orclOdipSynchronizationErrors: Unknown Error Encountered
    Sleeping for 1 secs
    Can anyone tell me what I can do?
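A way to narrow down the "rdn value is missing in change record" message, as an added example for this thread rather than Oracle's mapping engine: the checker below parses a trimmed copy of the mapping file posted above (attribute rules in the DIP layout srcAttr:reqAttrSeq:srcType:srcObjectClass:dstAttr:dstType:dstObjectClass:mappingRule), replays a change record through the rules, and reports any AD destination class for which no rule produced the naming attribute. The per-class naming attributes, the simplified rule semantics (a rule fires when the record carries the source object class and either the source attribute or a quoted literal) and the two change records are assumptions constructed for the example.

```python
# Added example: simplified model of DIP attribute rules, used to show one
# condition that yields "rdn value is missing in change record": no rule emits
# the destination class's naming attribute for the record being exported.

# Trimmed copy of the thread's activeexp.map.master (comments dropped).
MAP_FILE = """\
DomainRules
cn=Users,dc=software,dc=raya,dc=corp:CN=Users,DC=twa,DC=com:
AttributeRules
ou: : :organizationalunit:ou: : organizationalunit
cn: : :orclcontainer: cn: :Container
cn:1: :inetorgperson:cn: :User
cn:1: :inetorgperson:SAMAccountName: :User
mail: : :person:UserPrincipalName: :User:
cn: : :inetorgperson:givenname: :person
mail: : :inetorgperson:mail: :person
cn: : :person:useraccountcontrol: :person:"544"
cn: : :orclgroup:cn: :group:
uniquemember: : :groupofuniquenames:member: :group:
"""

# Naming attribute each AD destination class is created under (assumption made
# for this check: users, groups and containers are named by cn, OUs by ou).
RDN_ATTR = {"user": "cn", "group": "cn", "container": "cn",
            "organizationalunit": "ou"}

def parse_map(text):
    """Split a mapping file into (domain_rules, attribute_rules)."""
    section, domain_rules, attr_rules = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "DomainRules":
            section = "domain"
            continue
        if line == "AttributeRules":
            section = "attr"
            continue
        if section == "domain":
            src, dst = [p.strip() for p in line.split(":")][:2]
            domain_rules.append((src, dst))
        elif section == "attr":
            f = [p.strip() for p in line.split(":", 7)]   # mapping rule may contain ':'
            f += [""] * (8 - len(f))                     # pad rules written with 7 fields
            attr_rules.append({
                "src_attr": f[0].lower(), "required": f[1] == "1",
                "src_oc": f[3].lower(), "dst_attr": f[4].lower(),
                "dst_oc": f[6].lower(), "mapping": f[7],
            })
    return domain_rules, attr_rules

def apply_rules(record, attr_rules):
    """Return the AD attributes one OID change record would produce, grouped by
    destination object class. A rule fires only when the record carries the
    rule's source object class and (unless the rule supplies a quoted literal)
    the source attribute."""
    ocs = {oc.lower() for oc in record.get("objectclass", [])}
    attrs = {k.lower(): v for k, v in record.items()}
    out = {}
    for r in attr_rules:
        if r["src_oc"] not in ocs:
            continue
        m = r["mapping"]
        if len(m) >= 2 and m[0] == m[-1] == '"':
            values = [m[1:-1]]                      # literal such as "544"
        else:
            values = attrs.get(r["src_attr"])
            if not values:
                continue
        out.setdefault(r["dst_oc"], {})[r["dst_attr"]] = values
    return out

def missing_rdn(mapped):
    """Destination classes whose naming attribute the rules did not produce."""
    return sorted(oc for oc, a in mapped.items()
                  if oc in RDN_ATTR and RDN_ATTR[oc] not in a)

# Constructed change records (not real directory data).
GOOD_USER = {"objectclass": ["top", "person", "inetorgperson", "orcluserv2"],
             "cn": ["jsmith"], "mail": ["jsmith@twa.com"]}
# Same user without inetorgperson: no rule emits cn for the AD User, so the
# export would have no RDN value for it.
BAD_USER = {"objectclass": ["top", "person", "orcluserv2"],
            "cn": ["jdoe"], "mail": ["jdoe@twa.com"]}

def diagnose(map_text, record):
    _, rules = parse_map(map_text)
    return missing_rdn(apply_rules(record, rules))

if __name__ == "__main__":
    print("good:", diagnose(MAP_FILE, GOOD_USER))   # []
    print("bad: ", diagnose(MAP_FILE, BAD_USER))    # ['user']
```

Running `diagnose` over the entries the changelog hands to the profile (the full map file in place of the trimmed copy) shows which object classes the cn rules do not cover; the mapping file ties the User cn rules to inetorgperson only, so any exported entry lacking that object class is a candidate for this message.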

    If it's a very rare failure, then as you mentioned, you can skip it..

  • OID 11.1.1.5.0 Connector Issue With Logging in OIM 11.1.1.5.0

    I am using OpenLDAP as my target system for the OID connector. I am following the OID 11.1.1.5.0 documentation section "2.1.6.1 Enabling Logging on Oracle Identity Manager". I placed the first part inside the <log_handlers> tag and the second part inside the <loggers> tag.
    <log_handler name='OIMCP.LDAP' level='TRACE:32'
    class='oracle.core.ojdl.logging.ODLHandlerFactory'>
    <property name='logreader:' value='off'/>
    <property name='path'
    value='${domain.home}/servers/${weblogic.Name}/logs/oid_connector.log'/>
    <property name='format' value='ODL-Text'/>
    <property name='useThreadName' value='true'/>
    <property name='locale' value='en'/>
    <property name='maxFileSize' value='5242880'/>
    <property name='maxLogSize' value='52428800'/>
    <property name='encoding' value='UTF-8'/>
    </log_handler>
    <logger name="ORG.IDENTITYCONNECTORS.LDAP" level="TRACE:32"
    useParentHandlers="false">
    <handler name="OIMCP.LDAP"/>
    <handler name="console-handler"/>
    </logger>
    The "oid_connector.log" was created for me, but no logs are being printed out whenever I do anything related with LDAP in the OIM console.
    Any insights on how to fix this issue?

    Any updates? I am facing the same problem.
    thanks in advance

  • Bulk Load from OIM to OID

    hi,
    I am trying to figure out how to move existing users from OIM to OID in bulk.
    Is there any way by which we can move all the existing users in OIM simultaneously rather than one by one through resource profile provisioning?
    Regards
    Pegasus

    I don't know if I understood the question, ignore me if I'm wrong.
    If you want to provision all your users in a Resource you can do the following:
    1) Create an "Access Policy" through the Admin. Console, which provisions your OID Resource (ensure you check the "Retrofit Access Policy" checkbox!)
    2) When creating the Policy you'll be asked to select the User Groups that will be affected by the policy. As all OIM users belong to the "ALL USERS" group, you can assign your Access Policy to this group. By the way, I would consider creating a new User Group if there is any chance that you add a user to OIM who you won't need to be provisioned in OID.
    You can have a look at chapters 10 and 11 in the Admin. Console Documentation:
    link
    Shout at me if I misunderstood you ;)
    Regards,

  • Invalid Naming Error while creating user in OIM and provisioning to OID

    Hi,
    I am trying to create users in OIM. As per the access policy, the users will be directly provisioned to OID. When I am creating users in OIM, it's showing provisioning for the OID user resource. The create user task is rejected with the error
    "Response: Invalid Naming Error
    Response Description: Naming exception encountered"
    If anybody is getting this error, then please suggest a solution.
    Thanks.

    logs ???
    Are you provisioning any custom attributes of different object classes? Make sure you include those object classes as well; go to the connector documentation for adding the object classes. Maybe some configuration lookup, I guess.
    Thanks
    Suren
    Edited by: Suren on Jul 6, 2010 7:41 PM

  • OIM - OID Connector 9.0.4 - Incremental User Recon?

    I can't see how incremental user recon is implemented in this connector. Can anyone tell me if incremental user recon is possible with this connector and if so how to configure it to perform incremental user recon? There is no documented or default scheduled task property that seems to enable / disable this. The IT Resource has a Last Recon TimeStamp that is updated on each recon, but ALL users are reconciled each time the task is run even though there are no changes to the objects. I have also looked at the "Object Initial Reconciliation Date" field in RO and setting this date to a date in the past doesn't seem to have any impact.
    My OID install is 10.1.4.2 and my OIM install is 9.1.

    Although the documentation does not make any mention of it AT ALL, you need to add modifytimestamp to the ldapTargetResourceTimeStampField in the recon lookup attribute map. The modifytimestamp attribute in OID then needs to be indexed so that it can be used in the LDAP search the connector makes.
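The search the reply describes, as an added example that is not the connector's own code: once modifytimestamp is mapped into the recon attribute map, each run only asks OID for entries whose modifyTimestamp is at or after the last recon timestamp, which is why the attribute has to be indexed. The example builds that filter, then simulates two runs over constructed entries to show the one edge case such a loop has to handle: the comparison is inclusive, so entries sitting exactly on the high-water mark come back again on the next run and must be recognised as already reconciled. The GeneralizedTime format, the base filter and the sample entries are assumptions made for this example.

```python
# Added example: incremental reconciliation driven by modifyTimestamp.
# Assumptions: OID returns modifyTimestamp as GeneralizedTime "YYYYMMDDHHMMSSZ",
# the attribute is indexed so ">=" searches are allowed, and the entries below
# are constructed stand-ins for search results.
from datetime import datetime, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

def to_generalized_time(ts):
    return ts.astimezone(timezone.utc).strftime(GENERALIZED_TIME)

def from_generalized_time(text):
    return datetime.strptime(text, GENERALIZED_TIME).replace(tzinfo=timezone.utc)

def incremental_filter(last_recon, base_filter="(objectclass=inetOrgPerson)"):
    """LDAP filter that returns only entries touched since the last recon run."""
    return f"(&{base_filter}(modifyTimestamp>={to_generalized_time(last_recon)}))"

def incremental_recon(entries, last_recon, seen_at_boundary):
    """Simulate one recon run over `entries` (stand-ins for OID search results).

    ">=" is inclusive, so an entry whose modifyTimestamp equals last_recon is
    returned again on the next run; `seen_at_boundary` (DNs already reconciled
    at exactly that timestamp) suppresses the duplicate. Returns the DNs to
    reconcile, the new high-water mark, and the DNs sitting on that mark.
    """
    changed, high_water = [], last_recon
    for entry in entries:
        mts = from_generalized_time(entry["modifyTimestamp"])
        if mts < last_recon:                       # server would not return it
            continue
        if mts == last_recon and entry["dn"] in seen_at_boundary:
            continue                               # boundary duplicate from last run
        changed.append(entry["dn"])
        high_water = max(high_water, mts)
    boundary = {e["dn"] for e in entries
                if from_generalized_time(e["modifyTimestamp"]) == high_water}
    return changed, high_water, boundary

# Constructed sample entries (not real directory data).
ENTRIES = [
    {"dn": "cn=asmith,cn=Users,dc=example,dc=com", "modifyTimestamp": "20100701120000Z"},
    {"dn": "cn=bjones,cn=Users,dc=example,dc=com", "modifyTimestamp": "20100706090000Z"},
    {"dn": "cn=clee,cn=Users,dc=example,dc=com",   "modifyTimestamp": "20100706093000Z"},
    {"dn": "cn=dkim,cn=Users,dc=example,dc=com",   "modifyTimestamp": "20100706093000Z"},
]

def demo():
    """Two consecutive runs: the second must reconcile nothing new."""
    last = from_generalized_time("20100706090000Z")
    first_run = incremental_recon(ENTRIES, last, seen_at_boundary=set())
    _, high_water, boundary = first_run
    second_run = incremental_recon(ENTRIES, high_water, seen_at_boundary=boundary)
    return first_run, second_run

if __name__ == "__main__":
    first, second = demo()
    print(incremental_filter(from_generalized_time("20100706090000Z")))
    print("first run :", first[0])    # bjones, clee, dkim
    print("second run:", second[0])   # []
```

Persisting both the high-water mark and the DNs on it (the Last Recon TimeStamp alone is not enough) is what keeps a run that ends at a busy second from re-reconciling the same entries forever.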

  • Third Party Integration and OID Accounts

    I'm planning on using OID with a sync with another LDAP such as AD or Novell. I am also going to integrate SSO with a third party SSO engine.
    How do I log into Oracle SSO with a user neither defined in AD or my third party SSO engine? I am basically worried about accounts like PORTAL and ORCLADMIN. Is it possible to bypass the third party integration for these accounts or am I forced to create these accounts in AD and my third party SSO engine?

    Jon,
    you can either authenticate locally, e.g. cn=orcladmin, or externally.
    You have various options (depending on the OID version) and how you organize the user base in OID. On a high level the authentication is based on objectclasses for an entry.
    E.g. users being synchronized from AD to OID (using the Directory Integration Platform) contain an objectclass "aduser" to distinguish them as external AD users within OID. So the external authentication plugin will "know" who is an AD user and try to authenticate this user externally with AD, not OID. You can also configure the external authentication plugin to filter users who should not be externally authenticated.
    If you store all external users in a dedicated subtree, e.g. cn=AD_USERS or cn=EDIR_USER, you can configure the external authentication plugin to authenticate those users to the respective external directories.
    With OID 10.1.4.0.1 you could also make use of the server chaining authentication.
    So there are a couple of options you have. See the documentation
    Oracle Identity Management Integration Guide
    http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/toc.htm
    Oracle Internet Directory Administrator's Guide
    http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15991/toc.htm
    regards,
    --Olaf

  • Using OID for authentication in APEX and PL/SQL apps

    Hi,
    One of my colleagues (much more skilled in APEX than me) has written a PL/SQL package that makes it easy to use Oracle Internet Directory (OID) groups to control access to pages and items in APEX. It assumes that you are already using Oracle Single Sign-On (which he also set up for us).
    Being a package, it's easy to use in any PL/SQL application.
    He's given me permission to add his work to my web page but prefers to remain anonymous. You can see how to do it here:
    http://www.patrickhaston.co.uk/plsql/oid_authorisation.html
    The source code is available for download.
    Hope this is useful.
    Patrick.

    Nothing new - all documented with APEX.
