Here are the steps required to allow OID users can authenticate into OPAM in order for them to view their privileged accounts.
In order to do this, the LDAP connector is available OOTB. The DB and Unix is also available... Though that's all!
These connectors are actually from the OIM installation though because they comply with the ICF schema, they can be used for OPAM also.
The 3 connectors that can be used with OPAM are as follows:
- org.identityconnectors.dbum-1.0.1116.jar
- org.identityconnectors.genericunix-1.0.0.jar
- org.identityconnectors.ldap-1.0.6380.jar
Assuming you correctly configured the opam-config.xml file during installation, the 3 connectors are already configured for use. The blog post, HOW TO: install OPAM which is a video on how to execute the ANT command in preparation to the OPAM installation.
Lets Begin!
Startup Weblogic and log into the weblogic domain. On the left hand side, click Security Realms. Unless you've changed it in the past, click on the realm called myrealms
Click Lock & Edit located on the top-left area to make changes. Now click on the Providers tab, then select the Authentication tab, then click New to create a new Authentication Provider.
Click New to launch the Create a New Authentication Provider page and complete the fields as follows:
- Name: MyOIDDirectory
- Type: OracleInternetDirectoryAuthenticator
Then click OK
Now click on the MYOIDDirectory and select the configuration tab, then the Common tab. and select SUFFICIENT as the control flag. click Save, and return to the previous page (Do the same thing for the DefaultAuthenticator)
Now click on Reorder
Now make sure the Authentication Provider that you created is at the top.
Now click on the configuration tab then click on Provider Specific tab and enter in the following information:
- host:
- port: 3061
- principial: cn=orcladmin
- Credential: Password1
- Confirm Credential: Password1
- User base DN: cn=Users, dc=localdomain
- Group Base DN cn=Groups, dc=localdomain
Click, Save, then Activate Changes, then restart the WLS server. (Restarting is important!)
Common issues
ldap://localhost.localdomain:389, the error cause is: Connection refused.
The LDAP authentication provider named "MyOIDDirectory" failed to make connection to ldap server at ldap://localhost.localdomain:389, the error cause is: Connection refused.
I was experiencing this error when I incorrectly entered in the provider Specific information within WLS and restarted the domain server. Double check that you've entered in the correct LDAP authentication credentials. (In this scenario, I should of been using 3061 (OID Port) not 389 (LDAP Port)
[Security:090294]could not get connection
Caused by: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User rbacxadmin weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:251)
I was receiving this error when then I discovered the principal was incorrect.
Authentication Failed: User {0} java.lang.NullPointerException
Caused by: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User {0} java.lang.NullPointerException
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
I noticed I was receiving this error when I was getting the error above though I was simply pressing 'submit' but instead of entering in the password again, I was using the stored, concatenated password stored in the GUI interface. To work around this issue, focus on the issue above.
About the author
Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles
Comments
Other Posts
AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
Read More...
The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
Read More...
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...