Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02
18.2 Deployment Options for Integrating with Microsoft Active Directory

There are two common ways of integrating with a Microsoft Windows environment:

  • Using Oracle Internet Directory as the central directory

  • Using Microsoft Active Directory as the central directory

This section discusses the requirements of each deployment. It contains the following topics:

  • Deployments with Oracle Internet Directory as the Central Directory

  • Deployments with Microsoft Active Directory as the Central Directory

18.2.1 Deployments with Oracle Internet Directory as the Central Directory

Table 18-2 describes the typical requirements in this deployment.

Table 18-2 Typical Requirements with Oracle Internet Directory as the Central Directory

Requirement: Initial startup

Description: The Directory Integration and Provisioning Assistant populates Microsoft Active Directory with users and groups stored in Oracle Internet Directory.

If there are multiple Microsoft Active Directory domains, then the Directory Integration and Provisioning Assistant must be run once for each domain. Each time you run it, you choose the specific data set required by the target Microsoft Active Directory domain.

Requirement: Synchronization

Description: User and group information is managed in Oracle Internet Directory. Changes to that information are synchronized with Microsoft Active Directory by the Oracle directory integration and provisioning server when an export profile has been configured.

Synchronization from Microsoft Active Directory into Oracle Internet Directory can be achieved by configuring an import profile.

Requirement: Passwords and password verifiers

Description: Passwords are managed in Oracle Internet Directory by using Oracle tools such as the Oracle Internet Directory Self-Service Console. Password changes are synchronized with Microsoft Active Directory by the Oracle directory integration and provisioning server. However, before this server can synchronize password changes, password synchronization must be configured in the mapping rules.

Because passwords are sensitive data, the communication for synchronizing passwords to Microsoft Active Directory must be over SSL. Run the Oracle directory integration and provisioning server in server-only authentication mode with the proper certificate from Microsoft Active Directory, and be sure that Active Directory is also enabled for SSL.

If the Oracle environment requires a password verifier, then the password verifier is generated automatically when a new user entry is created or when a password is modified.

Requirement: Oracle Application Server Single Sign-On

Description: Users log in to the Oracle environment by using the OracleAS Single Sign-On server.

When called upon by the OracleAS Single Sign-On server to authenticate a user, the Oracle directory server uses credentials available locally. No external authentication is involved.

Users must log in only once to access the various components in the Oracle environment.

Requirement: Provisioning

Description: New users or groups in Oracle Internet Directory can be provisioned automatically into the Microsoft Windows environment by the Oracle directory integration and provisioning server. This automatic provisioning requires that:

  • The Oracle directory server is running with the change log enabled

  • The change log is not purged

If these two conditions are not met, then you must export the entries in Oracle Internet Directory to an LDIF file and load that data into Microsoft Active Directory.

If multiple Microsoft Active Directory domains are involved, then the Oracle directory integration and provisioning server provisions users and groups in the respective Microsoft Active Directory domains. Before provisioning can take place, you must configure a one-way synchronization from Oracle Internet Directory to each Microsoft Active Directory domain.


See Also:

The chapter on garbage collection in Oracle Internet Directory Administrator's Guide for information about purging the change log
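The two provisioning prerequisites above (change log enabled, change log not purged) can be checked before a provisioning run. The following is an added example, not Oracle's code: it parses a constructed LDIF dump of change log entries, finds the oldest change number still retained, and reports whether every change after the profile's last applied change number is still available, or whether the LDIF bootstrap fallback described above is needed instead. The change log container name, the `changenumber` attribute and the profile attribute name in `LAST_APPLIED_ATTR` are assumptions for the example, and the LDIF is constructed sample data.

```python
"""Check whether an Oracle Internet Directory change log still covers the
changes a provisioning profile has not yet applied.

Added example, not Oracle's code.  Assumptions (labelled): change log
entries live under cn=changelog with a numeric 'changenumber' attribute,
and the profile's progress is stored in the attribute named in
LAST_APPLIED_ATTR.  The LDIF below is constructed sample data.
"""

LAST_APPLIED_ATTR = "orclodiplastappliedchangenumber"  # assumed attribute name

# Constructed sample: the change log was purged up to change 1005,
# so the oldest retained change is 1006.
SAMPLE_CHANGELOG_LDIF = """\
dn: changenumber=1006,cn=changelog
objectclass: changeLogEntry
changenumber: 1006
targetdn: cn=alice,cn=users,dc=example,dc=com
changetype: add

dn: changenumber=1007,cn=changelog
objectclass: changeLogEntry
changenumber: 1007
targetdn: cn=bob,cn=users,dc=example,dc=com
changetype: modify

dn: changenumber=1008,cn=changelog
objectclass: changeLogEntry
changenumber: 1008
targetdn: cn=carol,cn=users,dc=example,dc=com
changetype: add
"""


def parse_ldif_entries(text):
    """Split LDIF text into a list of dicts (attribute -> list of values).
    Handles folded continuation lines (leading space) and '#' comments."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":            # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:   # folded line
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def changelog_change_numbers(ldif_text):
    """Return the sorted list of change numbers present in the dump."""
    numbers = []
    for entry in parse_ldif_entries(ldif_text):
        for value in entry.get("changenumber", []):
            numbers.append(int(value))
    return sorted(numbers)


def provisioning_status(ldif_text, last_applied):
    """Return (ok, reason).  ok is True only when every change after
    last_applied is still retained, i.e. nothing the profile needs was
    purged; otherwise the deployment must fall back to an LDIF bootstrap."""
    numbers = changelog_change_numbers(ldif_text)
    if not numbers:
        return False, "change log is empty or disabled"
    oldest = numbers[0]
    if last_applied < oldest - 1:
        return False, (f"changes {last_applied + 1}..{oldest - 1} were purged; "
                       "bootstrap from an LDIF export instead")
    pending = [n for n in numbers if n > last_applied]
    return True, f"{len(pending)} change(s) pending, oldest retained is {oldest}"


if __name__ == "__main__":
    for last in (1000, 1005, 1007):
        print(last, provisioning_status(SAMPLE_CHANGELOG_LDIF, last))
```

In a real deployment the LDIF text would come from an LDAP search of the change log container and the last applied change number from the profile entry; the comparison logic does not change.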

18.2.2 Deployments with Microsoft Active Directory as the Central Directory

Table 18-3 describes the typical requirements in this deployment.

Table 18-3 Typical Requirements with Microsoft Active Directory as the Central Directory

Requirement: Initial startup

Description: The Directory Integration and Provisioning Assistant populates Oracle Internet Directory with users and groups stored in Microsoft Active Directory.

If there are multiple Microsoft Active Directory servers, then you must bootstrap the data from each Microsoft Active Directory domain. If you use the Global Catalog for one-way synchronization from Microsoft Active Directory to Oracle Internet Directory, then you need to bootstrap only once, from the Global Catalog server.

You can choose to manage user information, including password credentials, in Microsoft Active Directory only. In such deployments, to enable single sign-on in the Oracle environment, the Oracle directory integration and provisioning server can synchronize only those user entry attributes that Oracle components require.

Passwords are not migrated from Microsoft Active Directory to Oracle Internet Directory.

Requirement: Synchronization

Description: The central directory for user and group information is Microsoft Active Directory. Changes to user and group information in Active Directory are synchronized with Oracle Internet Directory by the Oracle directory integration and provisioning server when an import profile has been configured.

Synchronization from Oracle Internet Directory to Microsoft Active Directory is achieved by configuring an export profile.

Requirement: Passwords and password verifiers

Description: Passwords are typically managed in Active Directory by using Microsoft Windows tools. The Oracle directory integration and provisioning server does not synchronize password changes into Oracle Internet Directory.

Requirement: Oracle Application Server Single Sign-On

Description: Users log in to the Oracle environment only once, by using the OracleAS Single Sign-On server.

Users whose credentials exist only in Microsoft Active Directory are authenticated by the Oracle directory server invoking the external authentication plug-in.

Users with credentials in Oracle Internet Directory are authenticated locally by the Oracle directory server.

Requirement: Windows native authentication

Description: Same as in the Oracle Internet Directory-centered deployment. However, for a user to use Windows native authentication, that user must exist in Active Directory.

If Windows native authentication is enabled, then, for local Oracle Internet Directory users to invoke the single sign-on server, you must populate the attributes orclsamaccountname and krbprincipalname in each user entry.

Requirement: Active Directory external authentication plug-in

Description: When user credentials are managed in Microsoft Active Directory, this plug-in is required. To authenticate a user, the OracleAS Single Sign-On server calls upon the Oracle directory server. The plug-in then authenticates the user against the credentials stored in Active Directory.

Requirement: Provisioning

Description: New users or groups created in Microsoft Active Directory are synchronized automatically into Oracle Internet Directory by the Oracle directory integration and provisioning server. Before this provisioning can take place, a one-way synchronization between Microsoft Active Directory and Oracle Internet Directory must be established.

If multiple Microsoft Active Directory domains are involved, then the Oracle directory integration and provisioning server synchronizes users and groups from the respective Microsoft Active Directory domains into Oracle Internet Directory. Before this provisioning can take place, a one-way synchronization between Oracle Internet Directory and a domain controller in each Microsoft Active Directory domain must be established.

Passwords are not migrated from Microsoft Active Directory to Oracle Internet Directory.
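The Windows native authentication row in Table 18-3 requires orclsamaccountname and krbprincipalname to be populated on local Oracle Internet Directory user entries. The following is an added example, not Oracle's code: it generates an LDIF modify file that adds both attributes to each entry, encoding values as base64 where LDIF requires it and folding long lines. It assumes the Windows account name is the entry's uid, that the Kerberos realm is the Active Directory domain name in upper case, and that the input entries and the domain name are constructed sample data; the 20-character limit enforced on the account name is Active Directory's pre-Windows 2000 logon name limit.

```python
"""Generate an LDIF modify file that populates orclsamaccountname and
krbprincipalname on local Oracle Internet Directory user entries.

Added example, not Oracle's code.  Assumptions: the Windows account name
is the entry's uid, the Kerberos realm is the AD domain in upper case,
and SAMPLE_USERS / AD_DOMAIN are constructed sample data.
"""
import base64

# Constructed sample input: (dn, uid) pairs for local OID users.  The last
# uid contains a non-ASCII character to show base64 encoding in LDIF.
SAMPLE_USERS = [
    ("cn=alice,cn=users,dc=example,dc=com", "alice"),
    ("cn=bob,cn=users,dc=example,dc=com", "bob"),
    ("cn=jos\u00e9,cn=users,dc=example,dc=com", "jos\u00e9"),
]
AD_DOMAIN = "corp.example.com"  # assumed Active Directory domain name
SAM_ACCOUNT_NAME_MAX = 20       # AD pre-Windows 2000 logon name limit


def ldif_attr_line(name, value):
    """Format 'name: value', or 'name:: base64' when the value is not a
    SAFE-STRING under RFC 2849 (non-ASCII, control characters, leading
    space/colon/'<', or trailing space)."""
    safe = (all(32 <= ord(c) < 127 for c in value)
            and value[:1] not in (" ", ":", "<")
            and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def fold_ldif_line(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def modify_record(dn, uid, ad_domain):
    """Build one LDIF changetype:modify record adding both attributes."""
    sam = uid
    if len(sam) > SAM_ACCOUNT_NAME_MAX:
        raise ValueError(f"{sam!r} exceeds {SAM_ACCOUNT_NAME_MAX} characters")
    principal = f"{uid}@{ad_domain.upper()}"
    lines = [
        ldif_attr_line("dn", dn),
        "changetype: modify",
        "add: orclsamaccountname",
        ldif_attr_line("orclsamaccountname", sam),
        "-",
        "add: krbprincipalname",
        ldif_attr_line("krbprincipalname", principal),
        "-",
    ]
    return "\n".join(fold_ldif_line(line) for line in lines) + "\n"


def build_ldif(users, ad_domain=AD_DOMAIN):
    """Concatenate one modify record per user, separated by blank lines."""
    return "\n".join(modify_record(dn, uid, ad_domain) for dn, uid in users)


if __name__ == "__main__":
    print(build_ldif(SAMPLE_USERS))
```

The output can be reviewed and then applied with an LDAP modify tool; keeping generation separate from application lets an administrator diff the file against the directory before touching production entries.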