Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02

17.9 Step-by-Step Guide to Configuring Synchronization with a Third-Party Directory

This section lists the steps in configuring a sample deployment scenario.


Note:

"Step 4: Decide Whether to Create a New Identity Management Realm" through "Step 6: Select the Login Identifiers" involve configuring a new identity management realm and setting its parameters. This can affect the behavior of Oracle Application Server Single Sign-On and any other middle-tier application already installed in the environment. Consequently, make careful decisions at each step and verify the behavior of the applications.


See Also:

The chapter on deploying identity management realms in Oracle Internet Directory Administrator's Guide for more details on identity management realms and their role in Oracle Application Server.

This section contains these topics:

Step 1: Identify the Default Identity Management Realm in Oracle Internet Directory

Step 2: Identify the User and Group Search Bases in Oracle Internet Directory

Step 3: Identify the Naming Context on the Remote Directory

Step 4: Decide Whether to Create a New Identity Management Realm

Step 5: Select the User Search Base and Group Search Base

Step 6: Select the Login Identifiers

Step 7: Modify the Mapping File to Reflect the Changes You Have Made

Step 8: Create or Modify the Synchronization Profile with the New Set of Mapping Rules

Step 9: Configure Access Control

Step 10: Bootstrap the Directory by Using the Directory Integration and Provisioning Assistant

Step 11: Update the Last Change Number for Synchronization

Step 12: Enable the Profile by Using Either the Oracle Directory Integration and Provisioning Server Administration Tool or the Directory Integration and Provisioning Assistant

Step 13 (Optional): Enable the External Authentication Plug-in for Password Synchronization

Step 14: Start the Oracle Directory Integration and Provisioning Server

Step 1: Identify the Default Identity Management Realm in Oracle Internet Directory

To identify the default identity management realm in Oracle Internet Directory:

ldapsearch -p port -h host -D distinguished_name -w password
-b "cn=common,cn=products,cn=oraclecontext" -s base "objectclass=*"
orcldefaultsubscriber

In this sample deployment, the default identity management realm in Oracle Internet Directory is dc=us,dc=mycompany,dc=com.

Step 2: Identify the User and Group Search Bases in Oracle Internet Directory

To identify the user and group search contexts in Oracle Internet Directory:

ldapsearch -p port -h host -D distinguished_name -w password
-b "cn=common,cn=products,cn=oraclecontext,Identity Management Realm"
-s base "objectclass=*"

Note down the values for the orclcommonusersearchbase and orclcommongroupsearchbase attributes. These are the values which are shown in the Oracle Internet Directory Self-Service Console as User Search Context and Group Search Context.

In this sample deployment, the user and group search contexts in Oracle Internet Directory are:

orclcommonusersearchbase: cn=users,dc=us,dc=mycompany,dc=com
orclcommongroupsearchbase: cn=groups,dc=us,dc=mycompany,dc=com

Step 3: Identify the Naming Context on the Remote Directory

The default naming context is the root of the naming context under which the users are stored. Each directory has its own way of creating a default naming context.

If you are using Microsoft Active Directory, then you identify the default naming context by performing the following ldapsearch against that directory:

ldapsearch -p port -h host -D distinguished_name -w password -b "" -s base "objectclass=*" defaultnamingcontext

Typically the DNs of users in Microsoft Active Directory are of the form cn=user name, cn=users, defaultnamingcontext.

Note that users can also bind with names of the form username@domain.

For example, if the domain name is newcompany.com, then the default naming context is dc=newcompany,dc=com. The typical login identifier of a user is user@newcompany.com.

If you are using SunONE Directory Server, then you identify the naming contexts in that directory by performing the following ldapsearch against it:

ldapsearch -p port -h host -D distinguished_name -w password -b "" -s base "objectclass=*" namingcontexts

Different sets of user entries reside in different subtrees. Choose the naming context that contains the objects to be synchronized.

Step 4: Decide Whether to Create a New Identity Management Realm

If the DITs on Oracle Internet Directory and the third-party directory are different, then it is better to create a new identity management realm and make it the default realm. Do this by using either the Oracle Internet Directory Self-Service Console or the Oracle Internet Directory Configuration Assistant. On the other hand, if the third-party directory is Microsoft Active Directory in which the default naming context is mycompany.com, then you may not have to create the new identity management realm.

Step 5: Select the User Search Base and Group Search Base

How you do this depends on whether you created a new identity management realm as discussed in the previous step.

If a new identity management realm has been created, then:

  1. Select the user search base and the user creation context. Do this by using the Oracle Internet Directory Self-Service Console. Set the user search context to reflect the container under which users are stored in the third-party directory. This is described in the Oracle Identity Management Guide to Delegated Administration.

    Follow the same approach to set the user creation context.

  2. Select the group search base and the group creation context. Do this by using the Oracle Internet Directory Self-Service Console. Set the group search context to reflect the container under which groups are stored in the third-party directory. This is described in the Oracle Identity Management Guide to Delegated Administration.

    Follow the same approach to set the group creation context.

If a new identity management realm has not been created, then, to enable user and group entries to be accessed by all Oracle components, you must modify the default parameters in the Oracle Internet Directory Self-Service Console. To do this:

  1. In the User Search Context, enter the DN of the users container in the third-party directory, or enter the subtree of the containers specified in the search context. For example, enter either of the following:

    cn=users,dc=myCompany,dc=com

    dc=myCompany,dc=com

  2. In the Group Search Context, either enter the DN of the groups container in the third-party directory, or enter the subtree of the containers specified in the search context. For example, enter either of the following:

    cn=groups,dc=myCompany,dc=com

    dc=myCompany,dc=com

Step 6: Select the Login Identifiers

The attribute used for login is orclcommonnicknameattribute. In the Oracle Internet Directory Self-Service Console, the field is named Attribute for Login Name. The default value is UID. Oracle Corporation recommends that you keep the default value. If this attribute is modified—for example, if it is changed to mail—then be sure that all entries under the container that you are working with have the mail attribute value populated. Otherwise, the user cannot log in through Oracle Application Server Single Sign-On.
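The following script is an added example, not part of this guide or of Oracle's tooling. It parses ldapsearch (LDIF) output such as that produced in Step 2, reads orclcommonusersearchbase from the realm's common entry, and then lists the user entries under that search base that have no value for the chosen login attribute (Step 6): those users would be unable to log in through Single Sign-On if the Attribute for Login Name were switched to that attribute. The sample LDIF is constructed for illustration; run the same functions over a real export by replacing SAMPLE_LDIF.

```python
import base64
import re

# Constructed sample of ldapsearch output: the realm's common entry, then three users.
SAMPLE_LDIF = """\
dn: cn=common,cn=products,cn=oraclecontext,dc=us,dc=mycompany,dc=com
orclcommonusersearchbase: cn=users,  dc=us,dc=mycompany,dc=com

dn: cn=alice,cn=users,dc=us,dc=mycompany,dc=com
uid: alice
mail: alice@mycompany.com

dn: cn=bob,cn=users,dc=us,dc=mycompany,dc=com
uid: bob
mail:

dn: cn=carol,cn=users,dc=us,dc=mycompany,dc=com
uid: carol
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry (attribute names lower-cased)."""
    text = re.sub(r"\n ", "", text)          # join folded continuation lines
    entries = []
    for block in text.strip().split("\n\n"):  # entries are separated by a blank line
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>" encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def normalize_dn(dn):
    # Lower-case and strip spaces around RDN separators so DNs compare reliably.
    return ",".join(p.strip().lower() for p in dn.split(","))

def entries_missing_login_attr(entries, search_base, nickname_attr):
    """DNs under search_base that have no non-empty value for nickname_attr."""
    base = normalize_dn(search_base)
    return [e["dn"][0] for e in entries
            if normalize_dn(e["dn"][0]).endswith("," + base)
            and not any(e.get(nickname_attr.lower(), []))]

def check_sample(nickname_attr="mail"):
    """Return (user search base, DNs that could not log in via nickname_attr)."""
    entries = parse_ldif(SAMPLE_LDIF)
    base = entries[0]["orclcommonusersearchbase"][0]
    return base, entries_missing_login_attr(entries, base, nickname_attr)
```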

Step 7: Modify the Mapping File to Reflect the Changes You Have Made

The attributes you have just modified can require a change in the default mapping files. Look carefully at the various mapping rules and modify them according to the requirements. If the users and groups are under different containers, you may need to specify multiple sets of domain rules in the same mapping file.

Default mapping rules for integration with SunONE Directory Server and Microsoft Active Directory are in the directory $ORACLE_HOME/ldap/odi/conf.

The important parameters to be modified are:

Step 8: Create or Modify the Synchronization Profile with the New Set of Mapping Rules

To do this, use the Directory Integration and Provisioning Assistant.

dipassistant mp -profile profile_name odip.profile.mapfile=relative_path_name_of_mapping_file

Step 9: Configure Access Control

Configure access control to various containers in either of the following:

A sample ACI is available in $ORACLE_HOME/ldap/odi/samples/commonaci.ldif. This sample contains the following attributes, all of which have the same values:

You can use Oracle Directory Manager to set ACIs to these containers.

Step 10: Bootstrap the Directory by Using the Directory Integration and Provisioning Assistant

To bootstrap the directory, use the bootstrap command in the Directory Integration and Provisioning Assistant.


See Also:


Step 11: Update the Last Change Number for Synchronization

To do this, enter:

dipassistant mp -profile profile_name -updlcn

The Directory Integration and Provisioning Assistant determines the connected directory by reading the directory integration profile.

Step 12: Enable the Profile by Using Either the Oracle Directory Integration and Provisioning Server Administration Tool or the Directory Integration and Provisioning Assistant

You can do this by using either the Oracle Directory Integration and Provisioning Server Administration tool or the Directory Integration and Provisioning Assistant.


See Also:


Step 13 (Optional): Enable the External Authentication Plug-in for Password Synchronization

If you need to synchronize password changes from Oracle Internet Directory to the third-party directory, then enable the external authentication plug-in by doing the following:

When passwords are synchronized to directories that do not support the hashing technique used by Oracle Internet Directory, synchronization can be done only by using the SSL mode 2 (sslmode=2).


See Also:


Step 14: Start the Oracle Directory Integration and Provisioning Server

Do this by following the instructions in "Starting, Stopping, and Restarting the Oracle Directory Integration and Provisioning Server".


Note:

To synchronize passwords, start Directory Integration and Provisioning with sslmode=2—that is, server-only authentication.