First, export the relevant metadata from MDS. The export/import scripts live under MW_HOME/Oracle_IDM[1,2]/server/bin/.
Set up weblogic.properties in that directory so the scripts know which server, application and files to work on:
wls_servername=oim_server1
application_name=oim
metadata_from_loc=/data/temp
metadata_to_loc=/data/temp
metadata_files=/db/LDAPUser,/db/RA_LDAPUSER.xml,/metadata/iam-features-ldap-sync/LDAPUser.xml
Then run weblogicExportMetadata.sh (or .bat), connecting as the weblogic user to the AdminServer, e.g. t3://localhost:7001.
OIM Default/Existing Field Example
To show which fields need updating, here is a generic example tracing the LDAP/recon mapping of the OIM Role (user type) attribute to the LDAP attribute employeetype:
/metadata/db/LDAPUser: the attribute appears twice, under "reconFields" and "reconToOIMMappings":
reconFields
<reconAttr>
<oimFormDescriptiveName>Role</oimFormDescriptiveName> (Attribute Name from OIM user attribute config)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">employeetype</reconFieldName>
<reconColName>RECON_USR_EMP_TYPE</reconColName>
<emDataType>string</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_emp_type"/> (name of field in USR table)
</reconAttr>
reconToOIMMappings
<reconAttr>
<oimFormDescriptiveName>Role</oimFormDescriptiveName> (Attribute Name from OIM user attribute config)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">employeetype</reconFieldName> (LDAPUser.xml fieldname)
<reconColName>RECON_USR_EMP_TYPE</reconColName>
<emDataType>string</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_emp_type"> (name of field in USR table)
<Transformation name="OneToOne">
<Parameter name="employeetype" fieldname="employeetype"/> (name of field in OVD)
</Transformation>
</targetattr>
</reconAttr>
/metadata/db/RA_LDAPUSER.xml: the attribute and its recon field are defined under "entity-attributes" and "target-fields":
entity-attributes
<attribute name="Role"> (Attribute Name from OIM user attribute config)
<type>string</type>
<required>false</required>
<searchable>true</searchable>
<MLS>false</MLS>
<attribute-group>Basic</attribute-group>
<metadata-attachment/>
</attribute>
<attribute-map>
<entity-attribute>Role</entity-attribute>
<target-field>RECON_USR_EMP_TYPE</target-field>
</attribute-map>
target-fields
<field name="RECON_USR_EMP_TYPE">
<type>string</type>
<required>false</required>
</field>
/metadata/iam-features-ldap-sync/LDAPUser.xml: the mapping is defined under "entity-attributes", "target-fields" and "attribute-maps":
<attribute name="Role">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<field name="employeeType">
<type>string</type>
<required>false</required>
</field>
<attribute-map>
<entity-attribute>Role</entity-attribute>
<target-field>employeeType</target-field>
</attribute-map>
Now a real example - Adding Lock Fields
The problem with a fully integrated OIM/OAM/LDAP Sync/OVD 11g is that it's broken.
Users lock themselves out through the OAM WebGate login, which correctly sets oblockouttime, but OIM knows nothing about it. I have no idea how to get a Unix-style epoch time (oblockouttime) through the reconcile process into OIM; if anyone knows how to convert it to a date type, that would be awesome.
With no Oracle SR response forthcoming after several weeks, we looked for alternatives and found an OVD attribute that is set during lockout: pwdaccountlockedtime.
First, OVD must know about the target LDAP attribute. The OAM schema (ob* attributes) should already have been loaded into OVD; this is the relevant objectclass containing the OAM lockout info:
objectclasses: ( 1.3.6.1.4.1.3831.0.1.21 NAME 'oblixPersonPwdPolicy' DESC 'Oracle Access Manager defined objectclass' SUP top AUXILIARY MAY ( obpasswordcreationdate $ obpasswordhistory $ obpasswordchangeflag $ obpasswordexpmail $ oblockouttime $ oblogintrycount $ obfirstlogin $ obresponsetries $ oblastloginattemptdate $ oblastresponseattemptdate $ obresponsetimeout $ oblastsuccessfullogin $ oblastfailedlogin $ etc. etc. ) )
Next, for two-way updates (LDAP back to OIM) you need a RECON column. I added these two to the RA_LDAPUSER table in the OIM database: the lock date and the number of failed login attempts.
describe RA_LDAPUSER
... rest of the RA_LDAPUSER table above ...
RECON_ORCLUSERLOCKEDON DATE
RECON_LOGINATTEMPTS NUMBER(19)
LDAPUser (the first two reconAttr blocks go under reconFields, the last two under reconToOIMMappings)
<reconAttr>
<oimFormDescriptiveName>Locked On</oimFormDescriptiveName> (This field must match the OIM Attribute Name - see Configuration, User Attributes to confirm)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">pwdaccountlockedtime</reconFieldName>
<reconColName>RECON_ORCLUSERLOCKEDON</reconColName>
<emDataType>date</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="Date" name="pwdaccountlockedtime"/> (This field must match your OVD or LDAP)
</reconAttr>
<reconAttr>
<oimFormDescriptiveName>usr_login_attempts_ctr</oimFormDescriptiveName> (This field must match the OIM Attribute Name - see Configuration, User Attributes to confirm)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">oblogintrycount</reconFieldName>
<reconColName>RECON_LOGINATTEMPTS</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="oblogintrycount"/> (This field must match your OVD or LDAP)
</reconAttr>
<reconAttr>
<oimFormDescriptiveName>Locked On</oimFormDescriptiveName> (This field must match above - the OIM Attribute Name)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">pwdaccountlockedtime</reconFieldName>
<reconColName>RECON_ORCLUSERLOCKEDON</reconColName>
<emDataType>date</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="Date" name="usr_locked_on"> (This field must match the USR table column name)
<Transformation name="OneToOne">
<Parameter name="pwdaccountlockedtime" fieldname="pwdaccountlockedtime"/> (This field must match your OVD or LDAP)
</Transformation>
</targetattr>
</reconAttr>
<reconAttr>
<oimFormDescriptiveName>usr_login_attempts_ctr</oimFormDescriptiveName>
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">oblogintrycount</reconFieldName>
<reconColName>RECON_LOGINATTEMPTS</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_login_attempts_ctr">
<Transformation name="OneToOne">
<Parameter name="oblogintrycount" fieldname="oblogintrycount"/>
</Transformation>
</targetattr>
</reconAttr>
RA_LDAPUSER.xml
<attribute-map>
<entity-attribute>Locked On</entity-attribute>
<target-field>RECON_ORCLUSERLOCKEDON</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_login_attempts_ctr</entity-attribute>
<target-field>RECON_LOGINATTEMPTS</target-field>
</attribute-map>
<field name="RECON_ORCLUSERLOCKEDON">
<type>date</type>
<required>false</required>
</field>
<field name="RECON_LOGINATTEMPTS">
<type>number</type>
<required>false</required>
</field>
LDAPUser.xml
<attribute name="Locked On">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_login_attempts_ctr">
<type>number</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<field name="pwdaccountlockedtime">
<type>date</type>
<required>false</required>
</field>
<field name="oblogintrycount">
<type>number</type>
<required>false</required>
</field>
<attribute-map>
<entity-attribute>Locked On</entity-attribute>
<target-field>pwdaccountlockedtime</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_login_attempts_ctr</entity-attribute>
<target-field>oblogintrycount</target-field>
</attribute-map>
Re-import LDAP/Recon config
Back in the OIM server bin directory, run weblogicImportMetadata.sh (or .bat) with metadata_from_loc pointing at your edited files.
Doesn't appear to need a restart, but I usually run "PurgeCache.sh All" at the same time.
Test reconciliation
Run the scheduled job (LDAP Full User Group reconcile); check the error details, fix any typos and run again.
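Most "run again" loops come from a name that disagrees between the three files, so a cross-check before re-import saves a reconcile cycle. This is an added example, not code from the post or from Oracle: it parses constructed fragments modelled on the lock-field entries above and reports where reconColName, the RA_LDAPUSER.xml attribute-map/target-fields and the LDAPUser.xml attribute-map disagree. The RECON_LOGINATTEMPT misspelling in the RA_LDAPUSER.xml sample is deliberate so the checker has something to find.

```python
# Added example, not from the post or Oracle: cross-check the three MDS files.
# Fragments are constructed from the lock-field entries above (namespace declarations
# on reconFieldName omitted); the RECON_LOGINATTEMPT typo in RA_LDAPUSER_XML is deliberate.
import xml.etree.ElementTree as ET

LDAPUSER = """<root>
<reconAttr><oimFormDescriptiveName>Locked On</oimFormDescriptiveName>
<reconFieldName>pwdaccountlockedtime</reconFieldName>
<reconColName>RECON_ORCLUSERLOCKEDON</reconColName></reconAttr>
<reconAttr><oimFormDescriptiveName>usr_login_attempts_ctr</oimFormDescriptiveName>
<reconFieldName>oblogintrycount</reconFieldName>
<reconColName>RECON_LOGINATTEMPTS</reconColName></reconAttr></root>"""
RA_LDAPUSER_XML = """<root>
<attribute-map><entity-attribute>Locked On</entity-attribute>
<target-field>RECON_ORCLUSERLOCKEDON</target-field></attribute-map>
<attribute-map><entity-attribute>usr_login_attempts_ctr</entity-attribute>
<target-field>RECON_LOGINATTEMPT</target-field></attribute-map>
<field name="RECON_ORCLUSERLOCKEDON"/><field name="RECON_LOGINATTEMPTS"/></root>"""
LDAPUSER_XML = """<root>
<attribute name="Locked On"/><attribute name="usr_login_attempts_ctr"/>
<field name="pwdaccountlockedtime"/><field name="oblogintrycount"/>
<attribute-map><entity-attribute>Locked On</entity-attribute>
<target-field>pwdaccountlockedtime</target-field></attribute-map>
<attribute-map><entity-attribute>usr_login_attempts_ctr</entity-attribute>
<target-field>oblogintrycount</target-field></attribute-map></root>"""

def attr_maps(root):
    """entity-attribute -> target-field for every <attribute-map> element."""
    return {m.findtext("entity-attribute"): m.findtext("target-field")
            for m in root.iter("attribute-map")}

def check(ldapuser, ra_xml, sync_xml):
    """Return the mismatches between the three files; an empty list means consistent."""
    recon, ra, sync = (ET.fromstring(x) for x in (ldapuser, ra_xml, sync_xml))
    ra_fields = {f.get("name") for f in ra.iter("field")}         # RA target-fields
    sync_fields = {f.get("name") for f in sync.iter("field")}     # LDAP attribute names
    sync_attrs = {a.get("name") for a in sync.iter("attribute")}  # OIM attribute names
    ra_map, sync_map = attr_maps(ra), attr_maps(sync)
    problems = []
    for r in recon.iter("reconAttr"):
        name, col, ldap_attr = (r.findtext(t) for t in
                                ("oimFormDescriptiveName", "reconColName", "reconFieldName"))
        if name not in sync_attrs:
            problems.append(f"{name}: no <attribute> in LDAPUser.xml")
        if ra_map.get(name) != col:
            problems.append(f"{name}: RA_LDAPUSER.xml maps to {ra_map.get(name)}, recon uses {col}")
        if col not in ra_fields:
            problems.append(f"{name}: {col} is not a target-field in RA_LDAPUSER.xml")
        if sync_map.get(name) != ldap_attr or ldap_attr not in sync_fields:
            problems.append(f"{name}: {ldap_attr} is not mapped to it in LDAPUser.xml")
    return problems
```

Against real exports, read each file with open() instead of the embedded strings; each OIM attribute then appears twice in LDAPUser (reconFields and reconToOIMMappings), so a real typo is reported for both blocks.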