HOW TO: Configure OIM 11g AD/LDAP Authentication Part 2

The follow-up of the steps required for the OIM and AD authentication
February 1, 2015
OIM-11gAD

Assuming you've just come from HOW TO: Configure OIM 11g AD/LDAP Authentication Part 1, the following steps carries on from that.

Within the previous step, there was a configuration setup for an LDAP connection to access user with the necessary rights within AD to access OIM. Below is to assurance that the configuration for the groups is also in place. The AD group in question is called "oimusers", in which all users who shall be able to login to OIM need to be member of this group. The group need to be named exactly "oimusers".


Step 4: Configure Group

https://technicalconfessions.com/images/postimages/postimages/_364_3_AD group for OIM.png

Groups
By using the same process you used to locate the LDAP DN as mentioned in the HOW TO: Configure OIM 11g AD/LDAP Authentication Part 1 blog, you can use the apache LDAP query to discover the DN of the 'oimusers' group. This group membership must be assigned to the user within Active Directory for this to be transferred over.

https://technicalconfessions.com/images/postimages/postimages/_364_4_oim query within LDAP .png

You are then required to login into the WLS provider configuration screen and populate the group information


Step 5: Restarting the WLS

https://technicalconfessions.com/images/postimages/postimages/_364_5_group configuration within AD provider.png

Once saved, you will be asked to thenrestart your WLS domain. Assuming you have your configuration correct, you'll be able to see the users and groups associated with your 'myrealm'.

Now jump back to the Weblogic admin console and click on authentication provider and click on provider Specific. This is the page is the single configuration for the authentication provider to extract the users.

https://technicalconfessions.com/images/postimages/postimages/_364_7_users within WLS based on the provider.png

You will also be able to see that the users and groups. If you don't see the users and groups, then the configuration was setup incorrectly

It will also be worth ranking up the order of your newly created AD provider to the top, which in the event will be the initial search for the user credentials. If this is not used, and that the password within OIM differs within AD, you will get a invalid password prompt when you attempt a login within your OIM AD credentials

If you have done this correctly and that the users and groups have been setup, you should now be able to access OIM using your AD credentials

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles

Comments

Other Posts

NameID element must be present as part of the Subject in the Response message

ShibbolethSAML

August 7, 2018
Created by: Daniel Redfern
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...

HOW TO provision AD group membership from OpenIDM

OpenIDMICFAD-connector

June 15, 2018
Created by: Daniel Redfern
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

ICFIDMOpenIDMOpenICF

November 8, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

IDMsync.confforgerockopenidm

November 8, 2017
Created by: Daniel Redfern
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

OpenIDMsync.confForgeRock

September 17, 2017
Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

OpenIDMForgeRockICFConnector

September 17, 2017
Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

OpenIDMForgeRockICFConnectorAD

September 17, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

OpenIDMIDMGoogleGoogle-AppsICFreconciliation

September 12, 2017
Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...

forgerock-openidm-encryptedjwt-error

OpenIDMIDMForgeRockJWTIAM

August 29, 2017
Created by: Daniel Redfern
Received the JWT error
Read More...

Unexpected character ('¾' (code 190)): expected a valid value

ForgeRock-OpenIDMOpenIDMIDMKeystore

June 25, 2017
Created by: Daniel Redfern
Unexpected character occurred when the IP addresses changes and the virtual instance was migrated into a separate network subnet.
Read More...