Configure Oracle Identity Manager AD/LDAP Authentication

Requirements (on AD side)

  • An LDAP connection (bind) user with the rights in AD to perform subtree searches on your users container and your groups container, i.e. the scopes configured below
  • For LDAP authentication in OIM to work, you need an AD group named "oimusers"; every user who should be able to log in to OIM must be a member of it. The group must be named exactly "oimusers".

Step 1: Log in to the WebLogic Administration Console

Step 2: Create New Provider

Authentication Provider

  • Name: ADAuthenticationProvider
  • Type: ActiveDirectoryAuthenticator
  • Control Flag: SUFFICIENT

User scope configuration

  • User Base DN: Container where your users are found
  • Rest of the parameters stay default

Group scope configuration

  • Group Base DN: Container where your groups are found
  • Your "oimusers" group must be found in this container or in the subtree
  • Rest of the parameters stay default

Step 3: Restart the Admin Server

Step 4: Check the oimusers group

Step 5: Reorder the providers

Step 6: Restart the Admin Server
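The same configuration as a WLST script, added here as an example and not part of the original tutorial: it performs Step 2 (create the ActiveDirectoryAuthenticator with the settings above) and Step 5 (reorder the providers) non-interactively. The domain name, host names, DNs, environment variable names and the provider order are assumptions; adjust them to your domain.

```jython
# Added example (not from the original post): WLST script for Steps 2 and 5.
# Domain name, hosts, DNs, env variable names and provider order are assumptions.
import os
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

DOMAIN    = 'base_domain'                                            # assumption
REALM     = 'myrealm'
PROV      = 'ADAuthenticationProvider'
AD_HOST   = 'ad.example.com'                                         # assumption
BIND_DN   = 'CN=svc-oim-ldap,OU=Service Accounts,DC=example,DC=com'  # connection user (assumption)
USERS_DN  = 'OU=Users,DC=example,DC=com'                             # User Base DN (assumption)
GROUPS_DN = 'OU=Groups,DC=example,DC=com'                            # Group Base DN, holds "oimusers" (assumption)

# Credentials are read from the environment so they are not stored in the script.
connect(os.environ['WLS_USER'], os.environ['WLS_PASSWORD'], 't3://localhost:7001')
edit()
startEdit()

realm = getMBean('/SecurityConfiguration/%s/Realms/%s' % (DOMAIN, REALM))

# Step 2: create the provider with control flag SUFFICIENT, as in the console walkthrough.
ad = realm.createAuthenticationProvider(
    PROV, 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator')
ad.setControlFlag('SUFFICIENT')
ad.setHost(AD_HOST)
ad.setPort(636)
ad.setSSLEnabled(true)          # LDAPS, so the bind password and directory data are not sent in clear
ad.setPrincipal(BIND_DN)
ad.setCredential(os.environ['AD_BIND_PASSWORD'])
ad.setUserBaseDN(USERS_DN)      # remaining user-scope settings keep their defaults
ad.setGroupBaseDN(GROUPS_DN)    # remaining group-scope settings keep their defaults

# Step 5: reorder the providers. Here the AD authenticator is moved to the front and the
# existing providers keep their relative order (assumed ordering; adjust if your domain differs).
others = [p for p in realm.getAuthenticationProviders() if p.getName() != PROV]
realm.setAuthenticationProviders(jarray.array([ad] + others, AuthenticationProviderMBean))

save()
activate(block='true')
disconnect()
# Steps 3 and 6: restart the Admin Server afterwards for the new provider to take effect.
```

Run it with `wlst.sh create_ad_provider.py` on the Admin Server host after exporting the three environment variables.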

Comments:

Hi,

Thank you for this tutorial. Works fine!

When adding more than 1000 users to the oimusers group, we get this error message in the admin server log:

------------ logfile start ------------
<BEA-240003> <Console encountered the following error java.lang.RuntimeException: netscape.ldap.LDAPException: error result (4); Sizelimit exceeded at weblogic.security.providers.authentication.LDAPAtnNameList.handleUnexpectedLDAPException(LDAPAtnNameList.java:179)
------------ logfile end ------------

I think our AD configuration (MaxPageSize=1000) is the problem, but it is not possible to increase that page size. Do you know a workaround for this problem?

BR,
Max

Posted by Michael on December 03, 2013 at 03:11 PM EET #

Hi Max,

You can use AD groups recursively, meaning that any AD group can contain another AD group.

So you can add groups as a member of "oimusers".

Thanks,
Arda

Posted by Arda Eralp on December 03, 2013 at 04:41 PM EET #

ok

Posted by guest on February 07, 2014 at 07:42 AM EET #

About


I am a member of the Fusion Middleware Applications Consultancy team.

I focus on tips and tricks for FMW applications consultancy but also have a strong interest in ADF Development & Architecture, Oracle BPM, Oracle Identity Manager and Oracle SOA Suite.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

