Ovd question

Similar Messages

• OVD question -- Hiding selected nodes

  Hi,
  This is what my OVD DIT looks like:
  Join View Adapter:
  Primary Adapter: OID
  Join Adapter: AD
  The resulting DIT looks like this:
  dc=company,dc=com
  - cn=OracleContext
  - cn=Calendar Server
  - cn=Users
  - cn=Groups
  - ou=Oblix
  I would like to expose only cn=Users and cn=Groups in my OVD. How do I hide the remaining nodes? I tried DN Matching, but it blocks all the children nodes.
  The other option is to create a Local Store Adapter for dc=company,dc=com and then create two nodes:
  - Join View Adapter for ou=Users
  - Join View Adapter for ou=Groups
  Is it safe to use a Local Store Adapter in a production environment, if it contains no data? I basically need this for an OAM deployment.
  Thanks.

  hello,
  i think, from OVD view you want to allow only the users node & groups node and not the OracleContext,Calender, oblix nodes. if i am correct, then you might done your adapter configuration in this approach:
  1. create the local store adapter as:
  cn=users,dc=company,dc=com (if u want ou instead of cn, just define ou mapping for the users node)
  cn=groups,dc=company,dc=com
  2. create 2 adapters with the following parameters:
  a) remote is: cn=users,dc=company,dc=com
  root Base: cn=users,dc=company,dc=com
  b) remote is: cn=groups,dc=company,dc=com
  root base: cn=groups,dc=company,dc=com
  in this approach you definately get the users, group nodes and its children nodes. ofcourse, if you want to do object mappings on any specific entity like user node you can extend in the adapter configuration.
  Also, it won't be any issue by using the local store adapter in production also. you will be using this local store adapter only for mapping puprose and for storing the data i believe, you might do any operation onthe user nodes under user/group node but not on user/group node right!

• OVD Adapter Question using template "OAM/ADAM Adapter with Mapper"

  I am creating adapter to ADAM using template "OAM/ADAM Adapter with Mapper" in OVD 11.1.1.7.0 using ODSM.
  obpasswordhistory, obpasswordexpirydate, obLoginTrycount and obLockouttime fields are not displayed in OVD. They are present in ADAM instance.
  Any thoughts on how to add these missing fields in OVD?

  You would need to extend OVD schema as well. You can refer to production documentation
  http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/shared.htm#CFFEJEEE

• OVD - OIM Query

  Hi all,
  There is OID 11g, AD, OVD 11g in our environment. OID has external users, AD has internal users. OVD 11g is used for Virtualization - nothing new so far.
  This implementation is almost completed and we are heading to next phase i.e., OIM 11g implementation. Here, we can think of two trusted sources - AD, OID. Nothing complex until now.
  Now the question is: Can OIM talk to OVD for provisioning and reconciliation? If so, do we need to develop custom connector (as OOTB connector is not available) and what is the trusted source to be used here? Is this recommended approach?
  I have seen LDAP Sync feature in OIM 11g which makes OVD-OID in synch with OIM. So, is it recommended to design OIM with OVD using LDAP Synch which automatically sync users from OID, AD.
  Can someone throw light on this?
  Thanks,
  Mahendra.

  Hi Mahendra,
  OVD acts like another LDAP which is having the same capabilities as any other Standard LDAP service. Because this OVD & OID are Oracle products so, Both's products base ldap schemas will be almost same. OIM connector point of view you can use the OID connector for OVD. We have used the same approach in OIM 10g version and we did not see any issues even for provisioning operations too since we have single source ldap connected to the OVD.
  But in Ideal approach OVD is not recommended for ldap modifications in the sense Provisioning operations in terms of OIM world. OVD product architecuture is more robust for Read operations since this product has a capacity of consolidate different data structures into single ldap view that make more complexity and if we use this product for modify operations then many other factors we need to consider manually like performance, ACLs and, customization etc.
  Hope this info helps yo to get an idea for your decision point.
  OIM synchronization with LDAP i dont have any insight on this..
  Cheers,
  Srini

• Preparing OVD for use with OAM

  Hi,
  I am trying to configure OVD for use with OAM. I am trying to present two directories, one from AD and the other from Sun LDAP, with OVD.
  In case of AD, I am using the "OAM/AD Adapter with Mapper" template, and it does appear to be massaging Active Directory into a more inetOrgPerson schema... however the relative distinguished name (rdn) of the objects are still cn=username.
  This is in conflict with the users that are coming in from Sun, who have an rdn of uid=username. I'm concerned that this is going to create difficulties for OAM, and it just feels wrong (especially since we are migrating many of these users to AD at which point their DNs will change).
  My questions are:
  1. Is there a best practice for what the RDN should be for OAM? It seems like the product has historically used uid as the RDN, and so that feels safest.
  2. Should I, and if so, how can I get OVD to translate the RDNs? Why don't the templates do this automatically?
  - Jim

  OAM is not concerned with the RDN of a user in AD or Sun. It can be anything.
  So in OVD you can have dn like uid=usrid,dc=example,dc=com for Sun and cn=commonname,dc=example,dc=com for AD.
  Only thing to take care is you have configured OVD with the same objectclass for AD and Sun.
  For example "OAM/AD Adapter with Mapper" maps AD's user object class into inteorgperson and same goes for Sun. So in OAM you have to configure user objectclass as "inetorgperson"
  OAM searches are based on the login id, so in this case it will always be uid="user login" which OVD will translate into samaccountname for AD and uid for Sun.
  There is no restriction in OAM on what the RDN should be for a user entry.

• OVD Install Getting OutOfMemoryError: PermGen space

  During an install of OIM 10.3.2 I have to create a new domain. Everything works fine until in Step 12 the installer attempts to restart the domain. At that point I get the OutOfMemoryError: PermGen space in my install log and the installer pretty much locks up and dies. I see some comments about using the JAVA_HOME environment variable to increase these amounts but they all in postings for other products that talk about making changes to .sh files in the install paths so I'm not sure where I should be making this change, if I should even be making this change. Any direction would be greatly appreciated.
  WebLogic Server 10.3.2
  JRockit JDK 1.6.0_26
  Thanks
  Edited by: user8798451 on Jul 20, 2011 4:41 PM

  Pardon me for my ignorance but I'm new to the Oracle products so where exactly would I need to make these setting changes? I have seen posts online about making similar changes in the WLS admin console in an "Arguments" text box but so far those changes have not successfully resolved the issue. I have seen other posts about editing an .sh file but I'm not sure which is correct.
  Plus, once I've made the changes I still need to continue installing and configuring my OVD instance so I would just like to confirm that after making the changes I should be able to restart the OVD installer and instead of telling it to create a new domain just select extend existing and point it to the domain in question, right? From there it should do what it needs to do???
  Thanks again for the response and thanks in advance for any additional help you can provide.

• OVD plugin returning "Virtual" entry when entry not yet available in OID

  Hi,
  We've been working on a solution in which a new user has to get immediate access to a website and we, because the provisioning is taking some time, we have implemented a plugin for OVD which basically looks in the OID and if the user exists in OID it will return that entry and otherwise will create an virtual entry (it is not stored in OID) and return this entry to the requestor.
  Now this al looks like it is working fine but the requester, OAM in this case, reacts different on a "virtual" entry then a non virtual entry. When it is a "virtual" entry not al headers are filled by OAM. So my question is if there is someone out there who has done something simliar and/or knows why this is happening, because we tried everything and still face this problem. Any help would be appreciated!
  Br,
  Sarris

  Hi Flanjman,
  Additional this article may give you more tips.
  https://connect.microsoft.com/SQLServer/feedback/details/674454/name-resolution-not-yet-available
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• OVD:  RESTful interfaces

  Hello
  I see references by Mark Wilcox about a RESTful interface to OVD, and how it's possible.  References:  here and here
  Question:  Is this a published configuration?  I see how to use the HTTP Gateway, and get content via DSML, however, I don't see a RESTful / JSON way of doing this.
  Have I missed a function in OVD?
  Thank you.

  Hi Sushant
  Check the question 11.I am getting org.apache.axis.ConfiguraitonException: adapter is null in this note 1039369 - FAQ XI Axis Adapter
  (you will find all the answers in the attachment section)
  Regards.

• Why we are use OVD?

  Hi ,
  I am new to OIM and OAM.Currently in my project they are using OID and OVD .
  The diff bet ween OID and OVD is in OVD there is no Database Repository .
  what my question is already OID is there whay we are using OVD?
  Could any one please explain.
  Thanks in advance.
  Regards,
  Ravi.

  You don't need to use OVD if you don't need it. OVD allows you to present multiple LDAP resources as if they were one. For example, you could configure OIM/OAM to look at OVD which presents a virtual view of your OID and WebLogic embedded LDAP, so no matter whether the user is in OID or WebLogic, they can authenticate. Similarly, if you have other LDAP repositories like ODSEE or AD, you could do something similar.

• Base IDM product should consist of  OIM, OID, OVD, OAM and OIF ?

  Hi Experts,
  I want to understand what should be the very base IDM 11g Product should satisfy majority of client requirement. What is best Practices of Product combination one should have ?
  1) OIM, OID, OVD, OAM and OIF 11g
  2) OIM, OID, OVD, OAM 11g
  3)OIM, OID, OVD and OIA 11g
  Considering 11g & best pratices.
  I would like to understand what Pack is must for what kind of requirement ?
  There are so many product combination so confused what is best base Security Prodcut combination can be ?
  Help Appreciated.
  Thanks In Advance.
  Edited by: 937775 on 31/05/2012 06:01

  Thanks Gyanprakash for valuable Suggestion.
  I have one more question,
  Now to do the OIM,OID,OVD,OAM Security Stack Installaton,
  can I use two VM 1) all security product (OIM,OID,OVD,OAM) 2) DB VM (I heard we do have database VM)
  Could you mind sharing Info 1) what number of VM do I use for security Product Installation 2) Can I use DB VM or Database should be installed physically not on VM ?
  Thoughts ?

• OAM language question

  Hello,
  Customer has OAM installed on Windows 2003 where the OS language is in Japanese. Just wanted to check the feasibility of having the parameter, log files etc in English so that basic administration and support activities can be done in English.
  Any help on this will be highly appreciated.
  Thanks,
  Sudipto

  user13476138 wrote:
  Hi All,
  I have doubt with OAM related stuff. My question is
  If OAM uses MS Active Directory as its identity store (AD domain with user and password details), and will be integrated with OIM for password self service capabilities. The standard out of box capabilities is expected to be supported:
  1. Force change password on first
  2. Force change password on being reset by help desk
  3. Forgot password journey – answer security questions and retrieve your password
  To support the above,
  a) Can OAM 11g support the typical AAA requirements, and the password change functionalities above, when connected with MS Active Directory and OIM 11g? Instead of OID 11g proxied by OVD 11g.Obviously your typical is not the same as everyone else's typical
  b) If it’s possible, this implies the IDAM implementation will not require OIM to be provisioning to OID via OVD (the auto-synch process). Instead OIM will be provisioning identities into MS AD via the AD connector.Or to OVD although it's probably simpler to provision to AD directly
  Do we have any technical limitations of the IDAM 11g solution that will fail to meet either access management or self-service requirements?Everything is possible with customization and development. Out of the box OAM 11g does not support 1, 2 or 3.

• Secret question for password resets

  Is there a way, without customization, to allow users of R11i to reset their password after first authenticating through a "secret question" (e.g. "what was your first pet's name" and the like) ? This is to bypass the email mechanism in the standard "forgot password" link as not all our users here have access to email (e.g. some are causual workers with external gmail/yahoo accounts which are blocked by the intranet and personal wireless access is unreliable).
  Thanks for any comments. If not possible in R11i, would it be possible in R12 e.g. integrated with OID/OAM/OVD Fusion Middleware?

  user1083814 wrote:
  Is there a way, without customization, to allow users of R11i to reset their password after first authenticating through a "secret question" (e.g. "what was your first pet's name" and the like) ? This is to bypass the email mechanism in the standard "forgot password" link as not all our users here have access to email (e.g. some are causual workers with external gmail/yahoo accounts which are blocked by the intranet and personal wireless access is unreliable).
  Thanks for any comments. If not possible in R11i, would it be possible in R12 e.g. integrated with OID/OAM/OVD Fusion Middleware?AFAIK, this is not available as a standard functionality and you will have to customize it. You may log a SR to confirm this with Oracle support.
  Thanks,
  Hussein

• OAM-OIM 11g User Lockout Question

  All,
  We have a OAM and OIM 11.1.1.3 installation and i am testing the invalid login attempt scenarios and came across teh following situation. I was wondering if you could give me steps or some pointers for resolving this:
  1. created an account [email protected] as xelsysadm and reset the password on first login
  2. Have the following OIM default parameters (these are the only configs that i could find are possibly related to this)
  XL.UnlockAfter - 0
  XL.MaxLoginAttempts - 10
  3. Entered incorrect password and for the initial 4 times i got the OAM login screen back with an error message "An incorrect Username or Password was specified"
  4. After 5th attempt i just got the error message "Error
  An incorrect Username or Password was specified"
  5. I go back the http://oimservername:oimport/oim i get the login screen again and enter [email protected] with an incorrect password next 4 times (total 9 now) I get login screen back with "An incorrect Username or Password was specified"
  6. after the 10th attempt with incorrect password i get a different error message with no login screen "Error
  The user account is locked. Please contact Administrator."
  7. I logged into OIM as xelsysadm -> administration -> search user [email protected] and it doesn't show that the account is locked. I lock it anyways explicitly by clicking the button the user screen and click unlock immediately and now enter [email protected] and correct password everything works.
  Few questions that i have are:
  1. how do i get the OAM/OIM system to behave consistently, (give an incorrect username or password message until the first 9 attempts with a login screen back to the end user and give them an error message at the end that the accoutn is locked". I am okay with out of the box message text
  2. How will our operations team understand that the user is really locked becuase they have nowhere to go find this information
  3. what are all the places where i will look for this information in the above scneario when the user account is locked by himself. (OVD/OID, USR table in OIM_DEV schema etc)
  4. Are there any other best practices that i should follow in setting up the system.
  Thanks in advance for reviewing this.
  Prasad.

  It appears to be all happening in OAM. After researching some more, I found this piece at http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15740/idmint.htm#CACBBIDI.
  But never the less it doesn't explain how to unlock the user other than the workaround that i found. Did anyone else had to deal with this.
  x---------------------------------------------------------------x
  2.8.4.4 Account Lock and Unlock
  Oracle Access Manager keeps track of the login attempts and locks the account when the count exceeds the established limit.
  When an account is locked, Oracle Access Manager displays the Help Desk contact information.
  When contacted by the end user, the Help Desk unlocks the account using the Oracle Identity Manager administrative console. Oracle Identity Manager notifies Oracle Access Manager about the changes.
  Account Lock and Unlock Flow
  When the number of unsuccessful user login attempts exceeds the value specified in the password policy, the user account is locked. Any login attempt after the user account has been locked displays a page that provides information about the account unlocking process, which will need to be customized to reflect the process (Help Desk information or similar) that is followed by your organization.
  Note:
  Oracle Identity Manager does not support automatic locking of a user account after a specific period has elapsed.
  The following describes the account locking/unlocking flow:
  Using a browser, a user tries to access an application URL that is protected by Oracle Access Manager.
  Oracle Access Manager Webgate (SSO Agent) intercepts the request and redirects the user to the Oracle Access Manager login page.
  The user submits credentials that fail Oracle Access Manager validation. Oracle Access Manager renders the login page and asks the user to resubmit credentials.
  The user's unsuccessful login attempts exceed the limit specified by the policy. Oracle Access Manager locks the user account and redirects the user to the Oracle Access Manager Account Lockout URL, which displays Help Desk contact information.
  The user contacts the Help Desk over the telephone and asks an administrator to unlock the account.
  Oracle Identity Manager notifies Oracle Access Manager of the account unlock event.
  The user attempts to access an application URL and this event triggers the normal Oracle Access Manager single sign-on flow.

• OVD Roles

  Hello folks,
  I have some questions regarding OVD roles:
  It is possible to defer defined groupings of users to an attached data source?
  It is possible to defer defined groupings of users through a PAAM module?
  Product administrative roles can have a clear delineation from general client access control?
  I know are generic questions but any help can be appreciated.
  Thanks

  user8846155 wrote:
  This method seems a little inefficient compared to the first. I think you can deal with that. Pre-fetch and caching come to mind.
  When you say the database is the slave, are you suggesting we keep our user tables for query join purpose? Use some method of synchronization?Yes, exactly. Not just for join purpose but also to avoid changing the app. Avoiding data sunch from LDAP tp your database is a goal that may be less important than having your app work fast and avoid change..this depends on your priorities of course.
  If we were to use OVD instead of SQL, we would need some method of representing our role/context associations in OVD.
  User-> Role-> One or more context values for user association to role.
  As a user, I may be an agent for two customers, with 1 having further restriction on contracts.
  Role      Context
  Agent Customer X
  Agent Customer Y, Contract Z
  I apologize if I am not being very clear.Your question is basically how to translate database schema to directory schema. There's many ways to do that. One way:
  Object class Role
  - attribute customerID
  - attribute contractID
  Object class User
  - multi-valued attribute 'role' of type Role
  User entry for Agent / Customer X
  - objectclass User with 'role' set to Agent.
  - objectlcass Role with 'customerID' set to CustomerX
  User entry for Agent / Customer Y
  - objectlcass User with 'role' set to Agent.
  - objectclass Role with 'customerID' set to CustomerY and 'contractID' set to Contract Z.
  Then it's very easy to construct an LDAP query to pull out your users depending on their role and context (customer and contract).

• OID Question

  Hallo,
  i want to read the red marked Info via SNMP,
  is there a OID available,
  because in LMS i could not find a report to get this info
  thanks
  Alex
  s069aula01#show interfaces fa9/47 switchport
  Name: Fa9/47
  Switchport: Enabled
  Administrative Mode: trunk
  Operational Mode: trunk
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: dot1q
  Negotiation of Trunking: On
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 350
  Administrative Native VLAN tagging: enabled
  Operational Native VLAN tagging: disabled
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Operational private-vlan: none
  Trunking VLANs Enabled: 350,360
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
  Unknown unicast blocked: disabled
  Unknown multicast blocked: disabled

  user7985255 wrote:
  Hello everyone,
  Question 1: Does anyone have practical experience (do's and dont's) with Oracle Virtual Directory used in combination with Oracle database Enterprise User Security and the limitations when
  using OVD for EUS (things like lockout etc.)Dos: Just Do It! or ask more specific question
  One limitation is that if your users are in AD you will need Oracle DLL on the domain controller (this is an EUS requirement, nothing to do with OVD) which brings me to your 2nd question
  >
  Question 2: Is an user able to change the password for his "enterprise user" account stored in OID (account used for Oracle database EUS) and if so, with what tool or application can he/she do this?So it looks like you've got users in OID (or synced from AD), no AD directly in the mix. OID ships with a simple web UI for managing users and passwords (DAS - Delegated Administration Services) and you can manage your own data and password too. Or there are many other open source and commercial tools that work with LDAP.