
How to configure user authentication via OID in EM12c

How to configure Enterprise Manager 12c to authenticate users via an Oracle Internet Directory (OID) LDAP server

Use emctl to configure external authentication on the EM12c host

oracle@linux5 ~$ emctl config auth oid -ldap_host linux4 -ldap_port 3060 -ldap_principal "cn=orcladmin" -ldap_credential "geheim" -sysman_pwd "geheim" -user_base_dn "cn=Users,dc=loopback,dc=org" -group_base_dn "cn=Groups,dc=loopback,dc=org"
Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0
Copyright (c) 1996, 2012 Oracle Corporation. All rights reserved.
Configuring LDAP Authentication ... Started
Configuring LDAP Authentication ... Successful

restart the OMS

oracle@linux5 ~$ emctl stop oms -all
Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0
Copyright (c) 1996, 2012 Oracle Corporation. All rights reserved.
Stopping WebTier...
WebTier Successfully Stopped
Stopping Oracle Management Server...
Oracle Management Server Successfully Stopped
AdminServer Successfully Stopped
Oracle Management Server is Down

oracle@linux5 ~$ emctl start oms

Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0
Copyright (c) 1996, 2012 Oracle Corporation. All rights reserved.
Starting WebTier...
WebTier Successfully Started
Starting Oracle Management Server...
Oracle Management Server Successfully Started
Oracle Management Server is Up

verify the connection

Navigate to the WebLogic Administration Console web page. The link is included in the WebLogic section of EM12c itself (probably port 7171).

Log in as weblogic and navigate to Domain/Security Realms. Select the default realm (probably "myrealm"). There is a tab "Users and Groups", where all OID users should be visible.

create an externally identified EM user

oracle@linux5 ~$ emcli login -username=sysman
Enter password
Login successful

oracle@linux5 ~$ emcli create_user -name=jans -type=EXTERNAL_USER

User "JANS" created successfully

There seems to be no way of doing this in the EM GUI (open question).

The new user is now visible in EM's Administrators tab.

Unfortunately, the email address is not taken over from LDAP.

see [Oracle® Enterprise Manager Cloud Control Administrator's Guide|http://docs.oracle.com/cd/E24628_01/doc.121/e24473/security.htm]

Adjust the search attribute

By default, "cn" is the search attribute. But in Enterprise Manager, usernames cannot contain blanks. So, if you have a person named "test Tester" in your OID and try to create this user via "emcli create_user", it won't succeed:

oracle@linux5 ~$ emcli create_user -name="test tester" -type="EXTERNAL_USER"
Syntax Error: Invalid username

If you instead identify your users uniquely by the "uid" attribute, you have to change the search attribute in WebLogic Server.

Navigate to Home/Security Realms/realm/Provider/EM_OID_Provider in the WebLogic Admin GUI.
Then adjust the search attribute and the filters for the user base there.
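Before switching the provider's search attribute, it helps to know which directory entries would actually yield a valid EM username under "cn" versus "uid". The following is an added example (not from this page or from Oracle's tooling) that runs the blank-free username rule described above over a constructed LDIF export; the entries, the `parse_ldif` and `check_usernames` helpers, and the regex approximating EM's rule are all assumptions for illustration.

```python
# Added example (not from the original page): pre-check which OID entries
# would yield a valid Enterprise Manager username for a given search attribute.
# EM rejects usernames containing blanks, so "cn" fails for "test tester".
import re

# Constructed sample LDIF, not an export from a real OID.
SAMPLE_LDIF = """\
dn: cn=jans,cn=Users,dc=loopback,dc=org
cn: jans
uid: jans

dn: cn=test tester,cn=Users,dc=loopback,dc=org
cn: test tester
uid: ttester

dn: cn=no uid,cn=Users,dc=loopback,dc=org
cn: no uid
"""

# Conservative approximation of EM's rule: non-empty and no whitespace.
VALID_EM_NAME = re.compile(r"^\S+$")


def parse_ldif(text):
    """Parse minimal LDIF (attr: value lines, blank-line separated)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_usernames(ldif_text, search_attr):
    """Map DN -> EM username via search_attr, or None if the attribute is
    missing or its value would be rejected by create_user."""
    result = {}
    for entry in parse_ldif(ldif_text):
        values = entry.get(search_attr.lower(), [])
        name = values[0] if values else None
        result[entry["dn"][0]] = name if name and VALID_EM_NAME.match(name) else None
    return result
```

Entries that map to None under the chosen attribute are the ones that would fail with "Invalid username" or never be found by the provider's user filter.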