Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
There are two common ways of integrating with a Microsoft Windows environment:
Using Oracle Internet Directory as the central directory for user and group data for the Microsoft Windows 2000 and Windows NT environments
Using Microsoft Active Directory as the central enterprise directory for user and group data for Oracle components
This section discusses the requirements of each deployment. It contains the following topics:
Deployments with Oracle Internet Directory as the Central Directory
Deployments with Microsoft Active Directory as the Central Directory
Deployments with Oracle Internet Directory as the Central Directory
Table 18-2 describes the typical requirements in this deployment.
Table 18-2 Typical Requirements with Oracle Internet Directory as the Central Directory
Initial startup
The Directory Integration and Provisioning Assistant populates Microsoft Active Directory with the users and groups stored in Oracle Internet Directory. If there are multiple Microsoft Active Directory domains, run the Assistant once per domain, each time selecting the data set that the target Microsoft Active Directory domain requires.
Synchronization
User and group information is managed in Oracle Internet Directory. Changes to that information are synchronized into Microsoft Active Directory by the Oracle directory integration and provisioning server once an export profile has been configured. Synchronization in the other direction, from Microsoft Active Directory into Oracle Internet Directory, requires an import profile.
Passwords and password verifiers
Passwords are managed in Oracle Internet Directory by using Oracle tools such as the Oracle Internet Directory Self-Service Console. Password changes are synchronized to Microsoft Active Directory by the Oracle directory integration and provisioning server, but only after password synchronization has been configured in the mapping rules. Because the password is sensitive data, the connection used to synchronize passwords to Microsoft Active Directory must use SSL: run the Oracle directory integration and provisioning server in server-only authentication mode with the certificate of the Microsoft Active Directory server (the integration server validates Active Directory's certificate and is not itself required to present one), and make sure that Active Directory is also enabled for SSL. Active Directory refuses password modifications that arrive over an unencrypted LDAP connection, so without SSL the password part of the profile fails even though the other attributes synchronize. If the Oracle environment requires a password verifier, then the verifier is generated automatically when a new user entry is created or when a password is modified.
Oracle Application Server Single Sign-On
Users log in to the Oracle environment through the OracleAS Single Sign-On server. When the OracleAS Single Sign-On server asks the Oracle directory server to authenticate a user, the directory server uses the credentials stored locally; no external authentication is involved. Users log in once to access the various components of the Oracle environment.
Provisioning
New users or groups in Oracle Internet Directory can be automatically provisioned into the Microsoft Windows environment by the Oracle directory integration and provisioning server. This automatic provisioning requires that:
The Oracle directory server is running with the change log enabled
The change log is not purged before the Oracle directory integration and provisioning server has processed it
If these two conditions are not met, then you must export the entries in Oracle Internet Directory to an LDIF file and load that file into Microsoft Active Directory.
If multiple Microsoft Active Directory domains are involved, then the Oracle directory integration and provisioning server provisions users and groups into the respective Microsoft Active Directory domains. Before provisioning can take place, you must configure a one-way synchronization from Oracle Internet Directory to each Microsoft Active Directory domain.
See Also: The chapter on garbage collection in Oracle Internet Directory Administrator's Guide for information about purging the change log
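The two provisioning conditions above (change log enabled, change log not purged) are easiest to see in a small model of what the integration server does on each run. The following is an added example, not Oracle's directory integration and provisioning server or any Oracle API: it replays a numbered change log into a target directory from a saved cursor and refuses to continue when the oldest record still present is beyond the next number it needs, which is the situation a purge creates and the point at which the text says to fall back to an LDIF export and load. The record layout, DNs and attribute names are constructed for the example.

```python
"""Change-log replay with purge detection for OID -> AD provisioning.

Added, simplified model of the mechanism described in Table 18-2, not Oracle's
directory integration and provisioning server: the change log is a sequence of
contiguously numbered records, the integration profile remembers the last change
number it applied, and garbage collection purges the oldest records. If the
oldest record still present lies beyond the next expected number, changes were
lost and incremental provisioning must stop in favour of a full LDIF reload.
(An empty log cannot be told apart from "no changes"; in practice also compare
the cursor against the server's current highest change number.)
"""
from dataclasses import dataclass, field


@dataclass
class Change:
    number: int                 # change number, contiguous and increasing
    dn: str                     # DN of the entry that changed
    changetype: str             # "add", "modify" or "delete"
    attrs: dict = field(default_factory=dict)


class ChangeLogGap(Exception):
    """Records between the profile's cursor and the oldest kept record were purged."""


def replay(changelog, last_applied, target):
    """Apply every record numbered above last_applied to target (a dict keyed by DN).

    Returns the new cursor to store in the profile. Raises ChangeLogGap before
    touching target if the log no longer starts at last_applied + 1.
    """
    pending = sorted((c for c in changelog if c.number > last_applied),
                     key=lambda c: c.number)
    if not pending:
        return last_applied
    if pending[0].number != last_applied + 1:
        raise ChangeLogGap(f"need change {last_applied + 1}, oldest available is "
                           f"{pending[0].number}; bootstrap from LDIF instead")
    for change in pending:
        if change.changetype == "add":
            target[change.dn] = dict(change.attrs)
        elif change.changetype == "modify":
            target.setdefault(change.dn, {}).update(change.attrs)
        elif change.changetype == "delete":
            target.pop(change.dn, None)
        else:
            raise ValueError(f"change {change.number}: unknown changetype {change.changetype!r}")
        last_applied = change.number
    return last_applied


def demo():
    """Constructed scenario: one clean run, then a run after the log was purged."""
    users = "cn=Users,dc=example,dc=com"
    log = [
        Change(1, f"cn=alice,{users}", "add", {"sn": "Liddell", "mail": "alice@example.com"}),
        Change(2, f"cn=bob,{users}", "add", {"sn": "Builder"}),
        Change(3, f"cn=alice,{users}", "modify", {"mail": "a.liddell@example.com"}),
        Change(4, f"cn=bob,{users}", "delete"),
    ]
    ad = {}                                   # stands in for the AD domain being provisioned
    cursor = replay(log, 0, ad)               # cursor becomes 4; only alice remains
    # Garbage collection removed records up to 6 before the next run; 7 and 8 arrived since.
    purged_log = [
        Change(7, f"cn=carol,{users}", "add", {"sn": "Danvers"}),
        Change(8, f"cn=carol,{users}", "modify", {"mail": "carol@example.com"}),
    ]
    try:
        replay(purged_log, cursor, ad)
        gap = None
    except ChangeLogGap as exc:
        gap = str(exc)                        # the target is left untouched
    return cursor, ad, gap


if __name__ == "__main__":
    print(demo())
```

The gap check runs before any record is applied, so a purged log never leaves the target half-updated; the operator sees one error and performs the bulk reload once, instead of discovering missing users later.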
Deployments with Microsoft Active Directory as the Central Directory
Table 18-3 describes the typical requirements in this deployment.
Table 18-3 Typical Requirements with Microsoft Active Directory as the Central Directory
Initial startup
The Directory Integration and Provisioning Assistant populates Oracle Internet Directory with the users and groups stored in Microsoft Active Directory. If there are multiple Microsoft Active Directory domains, then you must bootstrap the data from each domain separately; if you use the Global Catalog for one-way synchronization from Microsoft Active Directory to Oracle Internet Directory, then you need to bootstrap only once, from the Global Catalog server. Note that the Global Catalog replicates only the partial attribute set of each object, so every attribute that your mapping rules import must be part of that set. You can choose to manage user information, including password credentials, in Microsoft Active Directory only. In such deployments the Oracle directory integration and provisioning server synchronizes only those user entry attributes that Oracle components require for single sign-on. Passwords are never migrated from Microsoft Active Directory to Oracle Internet Directory.
Synchronization
The central directory for user and group information is Microsoft Active Directory. Changes to user and group information in Active Directory are synchronized with Oracle Internet Directory by the Oracle directory integration and provisioning server when an import profile has been configured. Synchronization from Oracle Internet Directory to Microsoft Active Directory is achieved by configuring an export profile.
Passwords and password verifiers
Passwords are typically managed in Active Directory by using Microsoft Windows tools. The Oracle directory integration and provisioning server does not synchronize password changes into Oracle Internet Directory.
Oracle Application Server Single Sign-On
Users log in to the Oracle environment only once by using the OracleAS Single Sign-On server. Users with credentials only in Microsoft Active Directory are authenticated by the Oracle directory server invoking the external authentication plug-in. Users with credentials in Oracle Internet Directory are authenticated locally by the Oracle directory server.
Windows native authentication
Same as in the Oracle Internet Directory-centered deployment. However, to use Windows native authentication, the user must exist in Active Directory. If Windows native authentication is enabled, then, for local Oracle Internet Directory users to invoke the single sign-on server, you must populate the attributes
Active Directory external authentication plug-in
When user credentials are managed in Microsoft Active Directory, this plug-in is required. To authenticate a user, the OracleAS Single Sign-On server calls upon the Oracle directory server. The plug-in then performs the authentication of the user against the user credentials stored in Active Directory.
Provisioning
New users or groups created in Microsoft Active Directory are automatically synchronized into Oracle Internet Directory by the Oracle directory integration and provisioning server. Before this provisioning can take place, a one-way synchronization from Microsoft Active Directory to Oracle Internet Directory must be established.
If multiple Microsoft Active Directory domains are involved, then the Oracle directory integration and provisioning server synchronizes users and groups from each Microsoft Active Directory domain into Oracle Internet Directory. Before the provisioning can take place, a one-way synchronization from a domain controller of each Microsoft Active Directory domain into Oracle Internet Directory must be established.
Passwords are not migrated from Microsoft Active Directory to Oracle Internet Directory.
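Both tables end in a bulk LDIF step: Table 18-2 falls back to exporting Oracle Internet Directory entries to LDIF and loading them into Active Directory when the change log cannot be relied on, and Table 18-3 bootstraps Oracle Internet Directory from an Active Directory export, with passwords excluded in both directions. The following is an added example, not the Directory Integration and Provisioning Assistant or any Oracle tool: it parses an LDIF export (including base64 and folded lines), applies a per-direction attribute mapping, re-parents each DN from one naming context to the other, and writes LDIF for the other side, dropping userPassword and unicodePwd unconditionally. The mapping rules, object classes, base DNs and the sample export are assumptions constructed for the example.

```python
"""LDIF bootstrap transform between Oracle Internet Directory and Active Directory.

Added illustration, not Oracle's Directory Integration and Provisioning Assistant:
parse an LDIF export from one directory, apply a per-direction attribute mapping,
re-parent each DN and emit LDIF for the other side. Password attributes are dropped
in both directions, so a bulk load can never carry credentials.
"""
import base64
import re

# Assumed mapping rules: source attribute (lower-case) -> target attribute.
OID_TO_AD = {"uid": "sAMAccountName", "cn": "cn", "sn": "sn", "mail": "mail"}
AD_TO_OID = {"samaccountname": "uid", "cn": "cn", "sn": "sn", "mail": "mail"}
AD_USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
OID_USER_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson"]
PASSWORD_ATTRS = {"userpassword", "unicodepwd"}     # never copied, in either direction
# RFC 2849 SAFE-STRING: ASCII without NUL/CR/LF, not starting with space, ':' or '<'.
SAFE_VALUE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*")
DIRECTIONS = {  # direction -> (mapping, target classes, source base, target base); bases are assumed
    "oid_to_ad": (OID_TO_AD, AD_USER_CLASSES, "cn=Users,dc=example,dc=com", "CN=Users,DC=corp,DC=example,DC=com"),
    "ad_to_oid": (AD_TO_OID, OID_USER_CLASSES, "CN=Users,DC=corp,DC=example,DC=com", "cn=Users,dc=example,dc=com"),
}

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] for every content record in text."""
    lines = []
    for raw in text.splitlines():                       # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:
        if line == "":                                  # a blank line ends a record
            if dn is not None:                          # the "version: 1" record has no dn
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):                   # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def transform(entries, mapping, object_classes, source_base, target_base):
    """Map attributes, replace the object classes and re-parent each DN."""
    out = []
    for dn, attrs in entries:
        if not dn.lower().endswith(source_base.lower()):
            raise ValueError(f"{dn} is outside the bootstrap base {source_base}")
        new_dn = dn[:len(dn) - len(source_base)] + target_base
        new_attrs = {"objectClass": list(object_classes)}
        for name, values in attrs.items():
            if name == "objectclass" or name in PASSWORD_ATTRS:
                continue
            target = mapping.get(name)                  # unmapped attributes (objectGUID, ...) are dropped
            if target:
                new_attrs[target] = list(values)
        out.append((new_dn, new_attrs))
    return out

def _ldif_line(name, value):
    if SAFE_VALUE.fullmatch(value) and not value.endswith(" "):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def write_ldif(entries):
    blocks = ["version: 1"]
    for dn, attrs in entries:
        lines = [_ldif_line("dn", dn)]
        for name, values in attrs.items():
            lines.extend(_ldif_line(name, v) for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def bootstrap(ldif_text, direction):
    """Direction "oid_to_ad" is the Table 18-2 LDIF fallback, "ad_to_oid" the Table 18-3 bootstrap."""
    mapping, classes, source_base, target_base = DIRECTIONS[direction]
    return write_ldif(transform(parse_ldif(ldif_text), mapping, classes, source_base, target_base))

# Constructed sample OID export (not real data); the base64 cn value is "José Núñez".
OID_EXPORT = """version: 1

dn: cn=alice,cn=Users,dc=example,dc=com
objectclass: inetOrgPerson
cn: alice
sn: Liddell
uid: alice
mail: alice@example.com
userpassword: {SSHA}never-copied

dn: cn=jnunez,cn=Users,dc=example,dc=com
objectclass: inetOrgPerson
cn:: Sm9zw6kgTsO6w7Fleg==
uid: jnunez
"""
```

Running `bootstrap(OID_EXPORT, "oid_to_ad")` yields AD-style entries under the assumed `CN=Users,DC=corp,...` base with `sAMAccountName` in place of `uid`, non-ASCII values re-encoded as base64, and no password attribute; feeding that output to `bootstrap(..., "ad_to_oid")` reverses the mapping. Passwords are filtered by attribute name before the mapping is consulted, so a mapping rule can never re-introduce them; password synchronization into Active Directory remains the job of the SSL-protected integration server profile, and passwords never flow from Active Directory to Oracle Internet Directory at all.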