Integrating Oracle Identity Manager with Microsoft Active Directory: Performing User Management and Provisioning
This OBE tutorial describes and shows you how to install and configure the Active Directory adapter. The process uses the Active Directory connector to connect the Oracle Identity Manager Server with an Active Directory instance.
Time to complete: approximately 1½ hours.
This OBE tutorial covers the following topics:
All components that are used by Oracle Identity Manager to
communicate with a particular resource, for the purposes of performing provisioning
with that resource, are placed into a container. This container is known as
an Oracle Identity Manager Connector. Provisioning occurs as a result of the
components of this connector working with one another. Each provisioning workflow
is stored within a separate Oracle Identity Manager Connector. Out-of-the-box
connectors are installed and configured to connect the Oracle Identity Manager
Server to various other instances. You can install and configure an out-of-the-box
Active Directory connector to connect the Oracle Identity Manager Server with an
Active Directory instance. To connect Oracle Identity Manager to Active
Directory, you need to set up an IT resource for the users or the groups that
need to be provisioned in the Active Directory instance.
Linda works as a network administrator for Mydo Main Corporation. In Mydo Main, Linda is responsible for managing the access privileges of various user groups to various resources within the organization. In addition, to perform provisioning tasks, she needs to install and configure various connectors for integrating the Oracle Identity Manager Server with multiple other instances. One of these is an Active Directory instance that needs to be connected to the Oracle Identity Manager Server to perform user provisioning. This enables Linda to manage provisioning tasks across the enterprise setup of Mydo Main.
The Oracle Identity Manager Connector
Pack contains adapter libraries and configuration information related to specific
targets. These targets are the various instances that can be connected to an
Oracle Identity Manager Server. The configuration information for a connector
resides in XML files that need to be imported before using the connector. You use
the OIM Deployment Manager functions of the Oracle Identity Manager administrative
console to import the connector definitions to the Oracle Identity Manager Server.
To import the XML definition files, perform the following steps:
1. Open a browser window and enter the URL to access the Oracle Identity Manager Admin Console in the following format:
http://<hostname>.<domainname>:<port>/xlWebApp
Note: Ensure that the Oracle database and the JBoss application server are already running.
2. Log in with the user ID xelsysadm and password abcd1234.
Note: You can use your own Oracle Identity Manager account from your environment for logging in to the Admin Console.
3. The Deployment Manager is used to import the XML configuration files for the Active Directory (AD) connector. In the left pane, click Deployment Management and then click Import.
4. Click Yes to accept the security certificate.
Note: This screen can change depending on the version of the browser used.
Note: Before you perform the next step, you need to download the XML configuration files from here. Extract the contents of xml_AD.zip to the E:\OIM_Installs\OIM_CP_900\Directory Servers\Microsoft Active Directory\Microsoft Active Directory Rev 4.4.0\xml directory.
5. Navigate to E:\OIM_Installs\OIM_CP_900\Directory Servers\Microsoft Active Directory\Microsoft Active Directory Rev 4.4.0\xml and click the xliADOrganizationObject_DM.xml file. Then, click Open.
6. By using the Deployment Manager, you can take a previously created .xml data file and use it to load information into Oracle Identity Manager. Import files are generated by other Oracle Identity Manager environments. They can contain either new information to be added to Oracle Identity Manager or updates to information that already exists in Oracle Identity Manager (for example, a record insert or a record update). The Deployment Manager provides a sequence of steps to confirm the substitutions and the IT resource data. In the File Preview section, click Add File.
7. In the Substitutions section, click Next.
8. In the Confirmation section, click Next.
9. Click Skip. The IT Resource for the AD Server will be created later.
10. In the Confirmation section, click View Selections.
11. The summary lists the data imported from the xliADOrganizationObject_DM.xml file, and the Current Selections section outlines the details of the objects that are being imported. Next, click Import.
12. In the Confirmation dialog box, click Import. This step imports the configuration file to the Oracle Identity Manager Server.
13. Notice the message for a successful import. Then, click OK.
Note: Repeat steps 5 through 13 to import the remaining XML files in the following order:
- AD Groups Object (xliADGroupObject_DM.xml)
- AD User Object (xliADUserObject_DM.xml)
- AD Reconciliation Task (xliActiveDirectoryScheduleTask_DM.xml)
By transferring Oracle Identity Manager Connectors between
environments, you can ensure a faster and optimal process for provisioning.
It requires fewer resources to transport an Oracle Identity Manager Connector
between environments than it does to reconstruct the connector manually within
the target environment. Such transfers also ensure error reduction in the process
of using connectors. After importing the objects for the AD connector in the
Oracle Identity Manager Server, you need to copy the connector libraries to appropriate
locations. To copy these files, perform the following steps:
1. Open the command prompt window and enter the following command:
copy E:\OIM_Installs\OIM_CP_900\"Directory Servers"\"Microsoft Active Directory"\"Microsoft Active Directory Rev 4.4.0"\lib\xliActiveDirectory.jar E:\oracle\oim_server\xellerate\JavaTasks
Press the Enter key to confirm the copying of the file.
Note: Any external *.jar files used for provisioning need to be copied to the JavaTasks folder for Oracle Identity Manager to work with other resources.
2. In the same command prompt window, enter the following command:
copy E:\OIM_Installs\OIM_CP_900\"Directory Servers"\"Microsoft Active Directory"\"Microsoft Active Directory Rev 4.4.0"\lib\xliADRecon.jar E:\oracle\oim_server\xellerate\JavaTasks
Press the Enter key to confirm the copying of the file.
3. To copy the external library file used by the AD connector to the Oracle Identity Manager Server, enter the following command:
copy E:\OIM_Installs\OIM_CP_900\"Directory Servers"\"Microsoft Active Directory"\"Microsoft Active Directory Rev 4.4.0"\ext\ldapsdk-4.1.jar E:\oracle\oim_server\xellerate\ext
Press the Enter key to confirm the copying of the file.
Note: Non-resource-specific *.jar files need to be copied into the ext folder.
After deploying the adapter libraries, you need to back up
the Oracle Identity Manager Server database. Regular backups for the database
can help you roll back to any stable state of Oracle Identity Manager in case
of a failure. To run this backup, perform the following step:
1. At the command prompt, enter the following command:
exp system/abcd1234 file=E:\OimDB_backups\Lab09_1_AD_AdapterAdded.dmp owner=oimuser
Press the Enter key to confirm the database backup.
By importing an Oracle Identity Manager connector, you are
transferring any IT Resource Types for that connector into the Active Directory
environment. However, the IT Resource contains the administrative credentials
that Oracle Identity Manager needs to provision a user to an AD instance. As
a result, after backing up the Oracle Identity Manager Server database, you
need to create the IT Resource for connecting to the Active Directory instance.
To establish this connection, perform the following steps:
1. Navigate to E:\oracle\oim_designConsole\xlclient and double-click the xlclient.cmd file. This launches the Oracle Identity Manager Design Console.
Note: The Oracle database and the JBoss application server should be running for this task.
2. Log in with the user ID xelsysadm and password abcd1234.
3. In the Oracle Identity Manager Design Console window, navigate to Resource Management and then double-click IT Resources.
4. In the IT Resources Information section, enter AD Server as Name and then double-click in the Type field to view the resource types.
5. The Lookup window lists the target instances for which an IT Resource can be set up. In this Lookup window, select AD Server and then click OK.
6. Click the Save icon from the toolbar to store the new resource.
Note: You can view the default configuration parameters for the IT Resource.
7. For configuring the resource parameter information, provide the following values:
Parameter          Value
Admin FQDN         cn=Administrator,cn=Users,dc=mydomain,dc=com
Admin Login        Administrator
Admin Password     abcd1234
Root Context       dc=mydomain,dc=com
SSL Port Number    636
Server Address     ten.mydomain.com
Use SSL            true
Click the Save icon from the toolbar to save the new values.
Note: You need to use SSL for this configuration, and the security certificate information needs to be up to date for this task.
8. Close the IT Resource form.
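Before saving the IT Resource, a pre-flight check of the parameter values catches mistakes that would otherwise surface only as a failed provisioning or as a bind over plain LDAP. The following script is an added example, not part of the tutorial or of the connector; it uses the parameter names from the table above, and the rules it applies (Admin FQDN under Root Context, Admin Login matching the cn of the Admin FQDN, Use SSL set to true, a valid LDAPS port, no training-default password) are the editor's own assumptions about a sensible configuration.

```python
# Added example: pre-flight check for the 'AD Server' IT Resource values.
# The rules are assumptions about a sensible configuration, not connector behaviour.

# Constructed input: the values the tutorial enters for the IT Resource.
TUTORIAL_PARAMS = {
    "Admin FQDN": "cn=Administrator,cn=Users,dc=mydomain,dc=com",
    "Admin Login": "Administrator",
    "Admin Password": "abcd1234",
    "Root Context": "dc=mydomain,dc=com",
    "SSL Port Number": "636",
    "Server Address": "ten.mydomain.com",
    "Use SSL": "true",
}

# Constructed weaker variant: plain LDAP on port 389, to show what the check flags.
PLAINTEXT_PARAMS = dict(TUTORIAL_PARAMS, **{"Use SSL": "false", "SSL Port Number": "389"})

DEFAULT_PASSWORDS = {"abcd1234", "password", ""}  # training defaults that must not reach production


def dn_components(dn):
    """Split an LDAP DN into lower-cased RDN strings, e.g. ['cn=users', 'dc=mydomain', 'dc=com']."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def check_it_resource(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    admin = dn_components(params["Admin FQDN"])
    root = dn_components(params["Root Context"])
    # The bind DN must live inside the naming context the connector will search.
    if admin[-len(root):] != root:
        findings.append("Admin FQDN is not under Root Context")
    # Admin Login should be the cn value of the leading RDN of the Admin FQDN.
    rdn_type, _, rdn_value = admin[0].partition("=")
    if rdn_type != "cn" or rdn_value != params["Admin Login"].strip().lower():
        findings.append("Admin Login does not match the cn in Admin FQDN")
    # Without SSL the bind password and every provisioned password cross the wire in clear.
    if params["Use SSL"].strip().lower() != "true":
        findings.append("Use SSL is not true; credentials would be sent in cleartext")
    port = params["SSL Port Number"].strip()
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append("SSL Port Number is not a valid TCP port")
    elif port == "389":
        findings.append("SSL Port Number 389 is the plain LDAP port; LDAPS is normally 636")
    if params["Admin Password"] in DEFAULT_PASSWORDS:
        findings.append("Admin Password is a well-known default")
    return findings
```

Run against the tutorial values the only finding is the training password abcd1234, which is expected in a lab and must be changed for any real deployment.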
After configuring the resource parameters, you need to back
up the Oracle Identity Manager Server database. To run this backup, perform the
following step:
1. At the command prompt, enter the following command:
exp system/abcd1234 file=E:\OimDB_backups\Lab09_2_AD_AdapterAdded.dmp owner=oimuser
Press the Enter key to confirm the database backup.
Note: You can view the database export progress. This backup may take a few minutes to run. Note the completion of the database export.
A connector is used to provision a user to an AD instance.
For this, you need to recompile the adapters that get imported, along with the
other components of your Oracle Identity Manager Connector. This recompilation
places the code for the adapter within the application server that is associated
with your Oracle Identity Manager environment. In addition, any later changes to the adapters, tasks, or processes require recompiling the adapters used in the workflow processes. To execute this recompilation, perform the following tasks:
1. In the Oracle Identity Manager Design Console window, navigate to Development Tools and then double-click Adapter Manager.
2. You can select specific adapters to be recompiled. If you want a complete recompilation, click the Compile All option and then click Start. This recompiles all the adapters.
3. Click X on the toolbar to close the Adapter Manager form.
After recompiling the adapters, you can assign the AD resource to an Oracle Identity Manager user and verify that the record is created in Active Directory. To provision the user to Active Directory, perform the following steps:
1. In the Oracle Identity Manager Admin Console, click Users and then click Manage.
Note: Ensure that the user JANE.FULLTIME is already created for this activity.
2. Enter Jane as the First Name and click Search User.
Note: You can provision any user from the Oracle Identity Manager Server. Consider the user JANE for this example.
3. In the Results section, click the JANE.FULLTIME user to view the user details.
4. In the User Detail section, select Resource Profile from the additional detail drop-down menu.
5. In the Resource Profile section, click Provision New Resource.
6. Select the AD User resource and click Continue.
7. To verify the resource selection, click Continue.
8. In the Provide Process Data step, click the magnifying glass icon to select the AD Server. Then, select the AD Server option and click Select.
9. After the AD Server is selected, click Continue.
Note: Ensure that the password for the user JANE.FULLTIME is set as abcd1234.
10. In the AD User Group Details section, click Continue.
11. To finally verify the process data, click Continue.
12. Notice that the provisioning is successfully initiated. Click Back to User Resource Profile to view the status.
13. To verify that the user has been successfully provisioned to Active Directory, from the Start menu, select Administrative Tools, and then select Active Directory Users and Computers.
14. Notice the newly provisioned JANE.FULLTIME user in the Users section.
In this lesson, you learned how to:
- Import Active Directory XML definitions by using the Deployment Manager
- Deploy the adapter libraries
- Back up the Oracle Identity Manager Server database
- Define the IT Resource for the Active Directory Server
- Back up the Oracle Identity Manager Server database
- Compile the adapters
- Provision the user to the Active Directory Server