Identity Management in Quercus

CampusIT Embedded

What is CampusIT Embedded?

CampusIT Embedded is Quercus’s own IDM-equivalent option. It provides an alternative identity management solution if you do not want Quercus to be integrated with an external IDM. CampusIT Embedded allows you to set up and maintain LDAP groups in the same way that an external LDAP solution would, except that its use is confined to Quercus. This allows you to run Quercus as a fully standalone system with no dependency on an external LDAP server, which is useful when interoperability with other systems is not required, and for training and test environments.

It can be also used when Oracle's DBMS_LDAP API is not available (e.g. in Oracle Database Cloud environments).

Implementation details

APIs

The OC_LDAP and OC_LDAP_USER APIs were refactored to support a new identity management type: CAMPUSIT_DB.

Database tables

CAMPUSIT_DB stores user credentials, attributes and roles in two new QUERCUS tables: OC_LDAP_USER_STORE and OC_LDAP_USER_STORE_ATTRIBUTE.

Passwords

Passwords are stored securely, using a salted one-way hash (SSHA).

Note: for security reasons Quercus does not store actual passwords in the database. Only salt-protected one-way hash values are stored. This makes it impossible to retrieve the password a user is using, whilst still allowing the password to be validated.

Using CampusIT Embedded

To use CampusIT Embedded:

1. Choose the CampusIT Embedded option from the LDAP_SERVER parameter.

2. Set values for the following parameters:

   LDAP_ADMIN_USER_NAME

   LDAP_PASSWORD_REMINDER

   You do not need to set values for other LDAP parameters if you use the embedded option.

3. Set LDAP_ADMIN_USER_NAME to admin.

4. Go to Quercus Menu > Students and identify a person record.

5. Create a new admin account (as QUERCUS) by running the following script:

begin
-- create user: replace XXX with PERSON_LDAP.LDAP_ID
oc_ldap_user.create_user(
p_user_name => 'admin',
p_password => '123456',
p_email => 'admin@example.com',
p_ldap_id => 'XXX',
p_first_name => 'Joe',
p_surname => 'Admin'
);
-- add to groups
oc_ldap_user.add_to_group('admin', 'QP_USER');
oc_ldap_user.add_to_group('admin', 'OAPL_USER_MANAGEMENT');
end;
/


6. Re-create all LDAP groups by running all ldap.%.sql scripts from SU3800+\su3800\db\QUERCUS\data\config\static_data\.

   Note: CAMPUSIT_DB stores the list of all groups/roles by assigning them to the LDAP_ADMIN_USER_NAME user.

   If LDAP_ADMIN_USER_NAME does not point to an existing user account the list will be empty, making assignment of roles in the Control Centre impossible.

7. Log in to Quercus as admin.

8. Test authentication, authorization and provisioning-related functionality, including:

9. Change user account attributes/roles in the Control Centre.

10. Create a new user account (e.g. via the Apply Online service).

Migration from CampusIT Embedded to an external IDM

CampusIT Embedded has been designed so that migration to an external IDM is as simple as possible should it be required in the future: the data structures within the Quercus database tables mirror those found in an external LDAP IDM.

If you are using CampusIT Embedded and plan to move to an external IDM you should plan the migration with the assistance of CampusIT support.

Note: migration to the Microsoft LDAP server is somewhat more complicated than migration to other LDAP servers owing to the use of proprietary extensions in the Microsoft LDAP API and data model.