Reassociating the Identity Store with an External LDAP Server

Configuring the Identity Store 28-7

Provider-specific parameters (Parameter, Value, Description), continued:

Parameter: User Base DN
Value: Specify the DN under which your Users start (for example, cn=users,dc=example,dc=com)

Parameter: Group Base DN
Value: Specify the DN that points to your Groups node (for example, cn=groups,dc=example,dc=com)

Parameter: Use Retrieved User Name as Principal
Value: Checked
Description: Must be turned on

Parameter: All Users Filter
Value: (&(uid=*)(objectclass=person))
Description: Search to find all users under the User Base DN

Parameter: User From Name Filter
Value: (&(uid=%u)(objectclass=person))

Parameter: User Name Attribute
Value: uid

Note: Do not use the REQUIRED control flag if you are using multiple authenticators. If a REQUIRED control flag is found in the list of authenticators, regardless of its position, no further authenticators will be examined.

14. Click Save.

15. Return to the Providers tab and reorder the providers so that the new authentication provider is on top, followed by any other authenticators, with the DefaultAuthenticator placed at the end of the list. All should have their control flags set to SUFFICIENT so that subsequent authenticators can authenticate identities that fall through from the new provider all the way through to the DefaultAuthenticator, which is used only for the default file-based embedded LDAP. For example, logins such as the default administrator account are not typically created in the LDAP directory, but still need to be authenticated to start up the server. Unless identities are allowed to fall through to the DefaultAuthenticator, the default administrator account will not be authenticated. For more information about the DefaultAuthenticator and the default administrator account, see Section 28.5, "Moving the Administrator Account to an External LDAP Server".

16. Restart the Administration Server and the managed server for the changes to take effect.

28.2 Tuning the Identity Store for Performance

For OVD, the only object class against which attributes are looked up is inetOrgPerson and its parent object classes. Since the Profile Gallery can display attributes not defined in inetOrgPerson, all the additional attributes not covered by inetOrgPerson would require an additional round trip to the identity store. For best performance when using OVD in a production environment, Oracle recommends that you add the following extendedProperty entry to the idstore.ldap serviceInstance in the domain-level jps-config.xml file:

    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS"
                value="oracle.security.idm.providers.stdldap.JNDIPool"/>
      <extendedProperty>
        <name>user.object.classes</name>
        <values>
          <value>top</value>
          <value>person</value>
          <value>inetorgperson</value>
          <value>organizationalperson</value>
          <value>orcluser</value>
          <value>orcluserv2</value>
          <value>ctCalUser</value>
        </values>
      </extendedProperty>
    </serviceInstance>

For best performance when using Active Directory in a production environment, Oracle recommends that you add the following configuration entries to the idstore.ldap serviceInstance in the domain-level jps-config.xml file:

    <serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
      <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"
                name="idstore.config.provider"/>
      <property value="oracle.security.idm.providers.stdldap.JNDIPool"
                name="CONNECTION_POOL_CLASS"/>
      <property name="PROPERTY_ATTRIBUTE_MAPPING"
                value="WIRELESS_ACCT_NUMBER=mobile:MIDDLE_NAME=middlename:MAIDEN_NAME=sn:DATE_OF_HIRE=pwdLastSet:NAME_SUFFIX=generationqualifier:DATE_OF_BIRTH=pwdLastSet:DEFAULT_GROUP=primaryGroupID"/>
      <property value="sAMAccountName" name="username.attr"/>
      <property value="sAMAccountName" name="user.login.attr"/>
    </serviceInstance>

The People Profile Service queries for all these attributes, and there is no default mapping for these attributes in the Active Directory provider. A vanilla Active Directory installation doesn't have any mapping corresponding to DATE_OF_HIRE or DATE_OF_BIRTH. Note that these two attributes are simply mapped to some attribute of the correct data type to reduce unnecessary LDAP server calls, as Active Directory really doesn't have corresponding attributes with the same semantic meaning.
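As an added example (not Oracle's code), a small Python check for the two settings that step 15 above and this section depend on: the authenticator chain order and control flags, and the Active Directory PROPERTY_ATTRIBUTE_MAPPING entries. It assumes the provider chain is supplied as an ordered list of (name, control flag) pairs as shown on the Providers tab, and that the jps-config.xml fragment is namespace-free (a real jps-config.xml declares a default namespace, which would need stripping first).

```python
import xml.etree.ElementTree as ET

# Attributes the People Profile Service queries (keys of the mapping shown above).
PEOPLE_PROFILE_KEYS = {"WIRELESS_ACCT_NUMBER", "MIDDLE_NAME", "MAIDEN_NAME",
                       "DATE_OF_HIRE", "NAME_SUFFIX", "DATE_OF_BIRTH", "DEFAULT_GROUP"}

def check_authenticator_chain(chain):
    """chain: [(provider name, control flag)] in Providers-tab order; returns findings."""
    findings = []
    if chain[-1][0] != "DefaultAuthenticator":
        findings.append("DefaultAuthenticator must be last so logins can fall through to it")
    for name, flag in chain:
        if flag == "REQUIRED":
            findings.append(f"{name} is REQUIRED: later authenticators are never examined")
        elif flag != "SUFFICIENT":
            findings.append(f"{name} is {flag}; step 15 expects SUFFICIENT")
    return findings

def parse_attribute_mapping(value):
    """Parse KEY=ldapAttr:KEY=ldapAttr (PROPERTY_ATTRIBUTE_MAPPING) into a dict."""
    mapping = {}
    for pair in value.split(":"):
        key, sep, attr = pair.partition("=")
        if not (sep and key and attr):
            raise ValueError(f"malformed mapping pair: {pair!r}")
        mapping[key] = attr
    return mapping

def check_ad_idstore_instance(xml_text):
    """Check an Active Directory idstore.ldap serviceInstance (namespace-free fragment)."""
    props = {p.get("name"): p.get("value")
             for p in ET.fromstring(xml_text).iter("property")}
    findings = []
    raw = props.get("PROPERTY_ATTRIBUTE_MAPPING")
    mapped = set(parse_attribute_mapping(raw)) if raw else set()
    missing = sorted(PEOPLE_PROFILE_KEYS - mapped)
    if missing:  # unmapped keys mean unnecessary LDAP server calls at profile display time
        findings.append("unmapped People Profile attributes: " + ", ".join(missing))
    for name in ("username.attr", "user.login.attr"):
        if props.get(name) != "sAMAccountName":
            findings.append(f"{name} should be sAMAccountName for Active Directory")
    return findings

# Constructed sample: the Active Directory fragment above with DATE_OF_BIRTH and
# DEFAULT_GROUP left out of the mapping, so the check has something to report.
SAMPLE_AD = """<serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
  <property name="PROPERTY_ATTRIBUTE_MAPPING" value="WIRELESS_ACCT_NUMBER=mobile:MIDDLE_NAME=middlename:MAIDEN_NAME=sn:DATE_OF_HIRE=pwdLastSet:NAME_SUFFIX=generationqualifier"/>
  <property name="username.attr" value="sAMAccountName"/>
  <property name="user.login.attr" value="sAMAccountName"/>
</serviceInstance>"""
```

Running check_ad_idstore_instance(SAMPLE_AD) reports the two unmapped attributes; a chain with any REQUIRED flag or with DefaultAuthenticator not last is flagged by check_authenticator_chain.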

28.3 Adding Users to the Embedded LDAP Identity Store

You can add users to the embedded LDAP using the WebLogic Server Administration Console, or using an LDIF file and LDAP commands. Using an LDIF file lets you add additional attributes not available through the WebLogic Server Administration Console.

For Oracle Internet Directory, users are typically managed using ODSM, described in the section on Managing Directory Entries in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

WebCenter Spaces supports self-registration. New users who self-register with WebCenter Spaces are added directly to the identity store. For more information about self-registration, see "Allowing Self-Registration" in the Oracle Fusion Middleware User's Guide for Oracle WebCenter.

This section includes the following subsections:

■ Section 28.3.1, "Adding Users to the Identity Store Using the WLS Administration Console"
■ Section 28.3.2, "Adding Users to the Identity Store Using an LDIF File"

28.3.1 Adding Users to the Identity Store Using the WLS Administration Console

Note: The embedded LDAP server should only be used for testing or proof of concept. For production use, Oracle recommends using external identity stores, such as Oracle Internet Directory or Microsoft Active Directory, that are supported by the OPSS user and role APIs.

Note: If you are planning to reassociate your identity store with an external LDAP, perform that step first, as described in Section 28.1, "Reassociating the Identity Store with an External LDAP Server", to avoid having to migrate the users from the embedded LDAP to the newly configured external LDAP.

Note: Adding users to the identity store is typically a system administrator task and may not be a task for which application-level administrators have the required permissions.

To add users to the embedded LDAP identity store from the WebLogic Server Administration Console:

1. Log in to the WebLogic Server Administration Console. For information on logging into the WebLogic Server Administration Console, see Section 1.13.2, "Oracle WebLogic Server Administration Console".

2. In the Domain Structure pane (see Figure 28–9), click Security Realms.

Figure 28–9 Domain Structure Pane

The Summary of Security Realms pane displays (see Figure 28–10).

Figure 28–10 Summary of Security Realms Pane

3. In the Name column, click the realm to which you want to add users. The Realm Settings pane displays (see Figure 28–11).

Figure 28–11 Realm Settings Pane

4. Click the Users and Groups tab to display the list of current users.

5. Click New to add a new user.

Figure 28–12 Create a New User Page

6. On the Create a New User page, enter the new user login name in the Name field.

User names are case sensitive and must be unique. Do not use commas, tabs or any other characters in the following comma-separated list: < >, #, |, &, ?, ( ), { }

7. In the Description field, enter a description for the user (for example, the user's full name).

8. From the Provider drop-down menu, select DefaultAuthenticator.

9. In the Password field, enter a password for the user.

The minimum password length for a user defined in the WebLogic Authentication provider is 8 characters (note that other LDAP providers may have different requirements for the password length). Do not use user name/password combinations such as weblogic/weblogic in a production environment.

10. Reenter the password in the Confirm Password field.

11. Click OK to save your changes and add the user.

The user should now appear in the list of users.

28.3.2 Adding Users to the Identity Store Using an LDIF File

You can add users directly to the embedded LDAP identity store using an LDIF file. Using an LDIF file enables you to specify additional user attributes that are not available through the WebLogic Server Administration Console.