Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
This section explains the tasks to configure the SunONE connector. It contains these topics:
Task 1: Configure the Synchronization Profiles for the SunONE Connector
Task 4: (Optional) Configure the SunONE Directory Server External Authentication Plug-in
The following two default integration profiles for synchronization with the SunONE Directory Server are created in the Oracle directory server as part of the installation process:
iPlanetImport—for importing entries and changes from the SunONE Directory Server by using the directory synchronization approach
iPlanetExport—for exporting changes from Oracle Internet Directory to SunONE Directory Server
Although you can enable synchronization with the SunONE Directory Server by customizing the default iPlanetImport and iPlanetExport integration profiles, the recommended approach is to create new profiles based on the default integration profiles. You can use either the Directory Integration and Provisioning Assistant's createprofilelike command or the Oracle Directory Integration and Provisioning Server Administration tool to create new profiles based on existing profiles.
To use the Directory Integration and Provisioning Assistant's createprofilelike command to create new profiles based on the existing default integration profiles, use the following syntax:
dipassistant createprofilelike [-h hostName] [-p port] [-D bindDn] [-w password] -profile origProfName -newprofile newProfName
Use the preceding command to make copies of both the iPlanetImport and iPlanetExport integration profiles.
To use the Oracle Directory Integration and Provisioning Server Administration tool to create new profiles based on the existing default integration profiles:
1. Launch the Oracle Directory Integration and Provisioning Server Administration tool by entering:
$ORACLE_HOME/bin/dipassistant -gui
2. In the navigator pane, expand directory_integration_and_provisioning_server, then expand Integration Profile Configuration.
3. Select the configuration set, and, in the right pane, choose Create. The Integration Profiles window appears. This window is described in "Integration Profiles".
4. In the Integration Profile window, select the iPlanetImport or iPlanetExport profile, and then choose Create Like. The General tab of the Integration Profile window appears. This tab is described in "General".
5. Enter a name for the new profile and make any additional changes in the General tab or other tabs in the Integration Profile window to finish customizing the profile.
6. Choose OK.
You must update the SunONE Directory server connection details in the synchronization profiles as follows:
Create a user account in the SunONE Directory server with administrative privileges. Oracle Directory Integration and Provisioning will use this account to connect to SunONE Directory server. You must grant sufficient privileges to perform both import and export operations.
For Import Operations from SunONE Directory Server: Grant the user account the following permissions:
Permissions to read the change log entry
Permissions to read the tombstone
Permissions to read the entries under the container to be synchronized
For Export Operations to SunONE Directory Server: Grant the user account write permission to the subtree root that is the parent of all the containers to which the Oracle directory integration and provisioning server will export users.
Update the connection details in the odip.profile.condirurl, odip.profile.condiraccount, and odip.profile.condirpassword properties of the synchronization profiles. You can use either the Directory Integration and Provisioning Assistant or the Oracle Directory Integration and Provisioning Server Administration tool.
Use the iplconfig.sh script when:
The SunONE Directory Server has no custom schema changes to the objects to be synchronized—that is, the user and group object attributes and object classes are the default ones
No custom schema elements have been added to the user or group object attributes and object classes
At the end of synchronization, user and group objects synchronized from the SunONE Directory Server are visible to Oracle components integrated with the Oracle Application Server infrastructure.
The script iplconfig.sh resides in $ORACLE_HOME/ldap/odi/admin. It prompts you for the following:
Oracle Internet Directory super user DN and password
SunONE Directory Server URL (host:port)
SunONE Directory Server user account and password to be used by the SunONE connector
SunONE Directory Server domain to be synchronized
Once you have entered the parameter values, iplconfig.sh invokes the Directory Integration and Provisioning Assistant to set up the SunONE Directory Server connection information and mapping rules information in the default SunONE Directory Server integration profiles.
The default mapping rules are not appropriate for password synchronization between the SunONE Directory Server and Oracle Internet Directory.
If Oracle Internet Directory and the SunONE Directory Server use the same password hashing technique, then add the following mapping rule to the mapping file and upload the mapping file to the profile:
Userpassword: : :person:userpassword: :person
If the two directories do not use the same hashing technique, then the same mapping rule works when the Oracle directory integration and provisioning server and the directory integration profile are configured in SSL mode 2—that is, server-only authentication.
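As an added example (not part of the guide and not Oracle's code), the following Python parses mapping rules in the colon-separated layout shown above and applies them to a constructed source entry. The field order (source attribute, required sequence, source attribute type, source object class, destination attribute, destination attribute type, destination object class, optional mapping expression), the AttributeRules section header and the sample data are assumptions made for the example; rules that carry a mapping expression are reported rather than evaluated, and rules that copy userpassword are listed separately so the hashing caveat above can be checked before the file is uploaded.

```python
"""Parse DIP attribute mapping rules and apply them to a sample source entry.

Added example, not Oracle's code. It assumes the colon-separated rule layout
used in Directory Integration and Provisioning mapping files:

  srcAttr : reqSeq : srcAttrType : srcObjectClass : dstAttr : dstAttrType : dstObjectClass [: mappingExpr]

Only copy-through rules (no 8th field) are evaluated; rules carrying a mapping
expression are reported as unsupported rather than guessed at.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]


@dataclass
class MappingRule:
    src_attr: str
    required: bool            # assumed: a non-empty 2nd field marks a required attribute
    src_type: str
    src_objectclass: str
    dst_attr: str
    dst_type: str
    dst_objectclass: str
    expression: Optional[str] = None


def parse_rule(line: str) -> MappingRule:
    """Split one 'Userpassword: : :person:userpassword: :person' style line."""
    parts = [p.strip() for p in line.split(":")]
    if len(parts) not in (7, 8):
        raise ValueError(f"expected 7 or 8 colon-separated fields: {line!r}")
    expr = parts[7] if len(parts) == 8 and parts[7] else None
    return MappingRule(parts[0], parts[1] != "", parts[2], parts[3],
                       parts[4], parts[5], parts[6], expr)


def parse_mapping(text: str) -> List[MappingRule]:
    """Rules from the AttributeRules section (assumed header); without the
    header every non-blank, non-comment line is taken as a rule."""
    lines = [ln.strip() for ln in text.splitlines()]
    if "AttributeRules" in lines:
        lines = lines[lines.index("AttributeRules") + 1:]
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]


def _get(entry: Entry, attr: str) -> List[str]:
    """Case-insensitive lookup, since LDAP attribute names are case-insensitive."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def apply_rules(rules: List[MappingRule], entry: Entry) -> Tuple[Entry, List[str]]:
    """Build the destination entry and list any problems found on the way."""
    classes = {c.lower() for c in _get(entry, "objectclass")}
    dest: Entry = {}
    problems: List[str] = []
    for rule in rules:
        if rule.src_objectclass.lower() not in classes:
            continue                  # rule is for another entry type
        if rule.expression is not None:
            problems.append(f"unsupported mapping expression for {rule.src_attr}: {rule.expression}")
            continue
        values = _get(entry, rule.src_attr)
        if not values:
            if rule.required:
                problems.append(f"required attribute missing: {rule.src_attr}")
            continue
        dest.setdefault(rule.dst_attr.lower(), []).extend(values)
    return dest, problems


def password_rules(rules: List[MappingRule]) -> List[MappingRule]:
    """Rules that copy userpassword; the guide's hashing caveat applies to these."""
    return [r for r in rules if r.dst_attr.lower() == "userpassword"]


# Constructed sample mapping file and source entry (not from any real deployment).
SAMPLE_MAPPING = """\
DomainRules
ou=people,o=example:cn=users,dc=example,dc=com:
AttributeRules
cn: 1: :person:cn: :person
sn: 2: :person:sn: :person
uid: : :inetorgperson:uid: :inetorgperson
Userpassword: : :person:userpassword: :person
"""

SAMPLE_ENTRY: Entry = {
    "objectClass": ["top", "person", "inetOrgPerson"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "uid": ["jdoe"],
    "userPassword": ["{SSHA}constructed-placeholder-hash"],
}

if __name__ == "__main__":
    rules = parse_mapping(SAMPLE_MAPPING)
    dest, problems = apply_rules(rules, SAMPLE_ENTRY)
    print(dest, problems, [r.src_attr for r in password_rules(rules)])
```

Running the block shows the userPassword value copied through unchanged, which is exactly why both directories must hash with the same scheme: the rule moves the stored hash, not a cleartext password that the target could re-hash.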
If you have two-way synchronization enabled, then you need to avoid having the same changes synchronized back and forth between the directories by setting the filter attributes for the connected directory and for Oracle Internet Directory. You can use either the Oracle Directory Integration and Provisioning Server Administration tool or the Directory Integration and Provisioning Assistant to perform this task.
In the import profile, set the connected directory filter as follows:
modifiersname != <DN of the user account with which changes are made by the export profile in SunONE>
In the export profile, set the Oracle Internet Directory filter as follows:
modifiersname != orclodipagentname=<import profile name>,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
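To show why both filters are needed, here is an added Python model (not from the guide and not Oracle's code) of two directories exchanging change-log records through an import agent and an export agent. The directory names, the export account DN cn=dipexport,ou=service,o=example and the two sample changes are constructed; the import agent DN is the one the guide gives for the iPlanetImport profile. Each agent skips records whose modifiersname is the opposite profile's identity, which is what the two filter settings above express.

```python
"""Model of the synchronization loop that the modifiersname filters prevent.

Added example, not Oracle's code. The directory names, the export account DN
and the sample changes are constructed; the import agent DN is the one the
guide gives for the iPlanetImport profile.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMPORT_AGENT_DN = ("orclodipagentname=iPlanetImport,cn=subscriber profile,"
                   "cn=changelog subscriber,cn=oracle internet directory")
EXPORT_ACCOUNT_DN = "cn=dipexport,ou=service,o=example"   # constructed SunONE account


@dataclass
class Change:
    number: int
    dn: str
    attr: str
    value: str
    modifiersname: str


@dataclass
class Directory:
    name: str
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)
    changelog: List[Change] = field(default_factory=list)

    def modify(self, dn: str, attr: str, value: str, modifier: str) -> None:
        """Apply a modify and log it with the binding identity, as a server does."""
        self.entries.setdefault(dn, {})[attr] = value
        self.changelog.append(Change(len(self.changelog) + 1, dn, attr, value, modifier))


@dataclass
class Agent:
    source: Directory
    target: Directory
    bind_dn: str                       # identity the agent writes with
    exclude_modifier: Optional[str]    # the profile's "modifiersname != ..." filter
    last_change_number: int = 0

    def run(self) -> int:
        """Process change-log records newer than the cursor; return how many were applied."""
        applied = 0
        for change in self.source.changelog[self.last_change_number:]:
            self.last_change_number = change.number
            if self.exclude_modifier and change.modifiersname.lower() == self.exclude_modifier.lower():
                continue               # written by the opposite profile: do not echo it back
            self.target.modify(change.dn, change.attr, change.value, self.bind_dn)
            applied += 1
        return applied


def simulate(use_filters: bool, rounds: int = 5) -> Tuple[List[int], bool]:
    """Run import+export rounds after one user change on each side.

    Returns the number of changes applied per round and whether the two
    directories hold the same data at the end.
    """
    sunone, oid = Directory("SunONE"), Directory("OID")
    importer = Agent(sunone, oid, IMPORT_AGENT_DN, EXPORT_ACCOUNT_DN if use_filters else None)
    exporter = Agent(oid, sunone, EXPORT_ACCOUNT_DN, IMPORT_AGENT_DN if use_filters else None)
    # Constructed user-originated changes, one in each directory.
    sunone.modify("uid=jdoe,ou=people,o=example", "telephonenumber", "555-0100",
                  "uid=jdoe,ou=people,o=example")
    oid.modify("uid=asmith,ou=people,o=example", "description", "moved to finance",
               "cn=orcladmin")
    per_round = [importer.run() + exporter.run() for _ in range(rounds)]
    return per_round, sunone.entries == oid.entries


if __name__ == "__main__":
    print("without filters:", simulate(False))   # ([3, 4, 4, 4, 4], True)
    print("with filters:   ", simulate(True))    # ([2, 0, 0, 0, 0], True)
```

Both runs end with identical data, but without the filters every round keeps re-applying the same two changes: each agent's write appears in the other directory's change log and is shipped straight back, so change-log volume and server load grow without bound. With the filters each change crosses once and the agents go idle.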
The default profiles have the default mapping rules for mapping the user and group attributes and object classes in SunONE Directory Server to those on Oracle Internet Directory. These mapping rules assume that no user- and group-specific schema changes have been made to either directory after installation. If there are such changes, then they must be appropriately reflected in the mapping files.
To verify and modify the mapping rules, do the following:
Decide which domains, or containers, you want to synchronize. In the case of SunONE Directory Server, the container to be specified for synchronization can be any naming context in the directory.
Decide on the objects—that is, the types of entries—to be synchronized. In an identity management environment these are typically user and group entries.
Identify the attributes and how you want to map them between the directories during synchronization.
Generate a mapping file with appropriate mapping rules.
See Also: "Configuring Mapping Rules" for instructions on creating mapping rules and for sample mapping files
Set up appropriate ACLs allowing read, add, or modify access rights on the subscribed domains.
During import operations, you would privilege the Oracle Internet Directory user orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory to update the subscribed domain in Oracle Internet Directory.
For example, assuming that no ACLs are applied to the domain of interest, the following LDIF sample can be used. In this file, the domain of interest is Synchronization_domain_in_OID.
ACL in OID:
dn: Synchronization_domain_in_OID
changetype: modify
add: orclaci
orclaci: access to entry by "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)
On the other hand, the privileges can also be granted to the group cn=odipgroup,cn=odi,cn=oracle internet directory of which the profile is a member. However, remember that, when privileges are granted to the group, all members of the group are, intentionally or not, granted privileges.
During import operations, the user specified by the Connected Directory Account attribute in the integration profile must have read access to the change log and source container in the SunONE Directory Server. During export operations, the user specified by the Connected Directory Account attribute in the integration profile must have write access to the target container in the SunONE Directory Server.
See Also: SunONE Directory Server documentation for instructions on how to apply ACLs on the SunONE Directory Server change log container and the SunONE Directory Server subscribed domain
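The following Python is an added check (not from the guide and not Oracle's code) for the Oracle Internet Directory side of the ACL step above: it unfolds an LDIF fragment, parses its orclaci values, confirms that the iPlanetImport agent DN has the entry rights (browse, add, delete) and attribute rights (read, search, write, compare) the sample grants, and flags any right granted to cn=odipgroup instead, since that reaches every member of the group. It assumes the orclaci spellings in the sample plus the dn="..." and group="..." subject forms; the two LDIF fragments and the domain DN in them are constructed.

```python
"""Check that an OID ACL grants the iPlanetImport agent the rights the guide
lists, and flag grants made to the shared odipgroup group instead.

Added example, not Oracle's code. It assumes the orclaci spellings in the
guide's sample ('access to entry by "DN" (rights)' and
'access to attr=(*) by "DN" (rights)') plus the dn="..." and group="..."
subject forms; the LDIF fragments below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

IMPORT_AGENT_DN = ("orclodipagentname=iPlanetImport,cn=subscriber profile,"
                   "cn=changelog subscriber,cn=oracle internet directory")
ODIP_GROUP_DN = "cn=odipgroup,cn=odi,cn=oracle internet directory"
REQUIRED_ENTRY_RIGHTS = {"browse", "add", "delete"}            # from the guide's sample
REQUIRED_ATTR_RIGHTS = {"read", "search", "write", "compare"}

ACI_RE = re.compile(
    r'^access\s+to\s+(entry|attr=\(([^)]*)\))\s+by\s+(?:(dn|group)=)?"([^"]+)"\s*\(([^)]*)\)$',
    re.IGNORECASE)


@dataclass
class Aci:
    target: str          # "entry" or "attr"
    attrs: Set[str]      # attribute names for attr targets; "*" means all
    subject: str         # normalized DN the rights are granted to
    rights: Set[str]


def norm_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_orclaci(value: str) -> Aci:
    m = ACI_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognized orclaci form: {value!r}")
    _target, attr_list, _kind, subject, rights = m.groups()
    attrs = {a.strip().lower() for a in attr_list.split(",")} if attr_list is not None else set()
    return Aci("attr" if attr_list is not None else "entry", attrs, norm_dn(subject),
               {r.strip().lower() for r in rights.split(",") if r.strip()})


def orclaci_values(ldif: str) -> List[str]:
    """Unfold LDIF continuation lines (leading space) and return the orclaci values."""
    unfolded: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    return [ln.split(":", 1)[1].strip() for ln in unfolded if ln.lower().startswith("orclaci:")]


def check_import_acl(ldif: str, agent_dn: str = IMPORT_AGENT_DN) -> Tuple[Set[str], Set[str], List[str]]:
    """Return (missing entry rights, missing attribute rights, over-broad group grants)."""
    entry_rights: Set[str] = set()
    attr_rights: Set[str] = set()
    overbroad: List[str] = []
    agent = norm_dn(agent_dn)
    for aci in (parse_orclaci(v) for v in orclaci_values(ldif)):
        if aci.subject == norm_dn(ODIP_GROUP_DN):
            overbroad.append(f"{aci.target}: {sorted(aci.rights)} granted to every member of odipgroup")
        if aci.subject != agent:
            continue
        if aci.target == "entry":
            entry_rights |= aci.rights
        elif "*" in aci.attrs:
            attr_rights |= aci.rights
    return REQUIRED_ENTRY_RIGHTS - entry_rights, REQUIRED_ATTR_RIGHTS - attr_rights, overbroad


# Constructed LDIF in the guide's shape (domain DN is a placeholder); the long
# subject DN is folded with a leading space as LDIF allows.
SAMPLE_LDIF = """\
dn: cn=users,dc=example,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by "orclodipagentname=iPlanetImport,cn=subscriber
  profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by "orclodipagentname=iPlanetImport,cn=subscriber
  profile,cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)
"""

# Constructed variant that grants the same rights to the whole odipgroup group.
GROUP_LDIF = """\
dn: cn=users,dc=example,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=odipgroup,cn=odi,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by group="cn=odipgroup,cn=odi,cn=oracle internet directory" (read,search,write,compare)
"""

if __name__ == "__main__":
    print(check_import_acl(SAMPLE_LDIF))   # (set(), set(), [])
    print(check_import_acl(GROUP_LDIF))    # agent rights missing, two over-broad grants
```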
Follow these steps:
1. Before the start of synchronization, make the data in the domains of interest equivalent. This can be achieved with the bootstrap option of the Directory Integration and Provisioning Assistant. Bootstrapping is described in Chapter 8, "Bootstrapping of a Directory in Oracle Directory Integration and Provisioning".
2. If you have used LDIF file-based bootstrapping, then you must initialize the lastchangenumber value. You can do this by using the Directory Integration and Provisioning Assistant:
dipassistant mp -profile profile_name -updlcn
3. At the end of bootstrapping, be sure that the change logging option for the Oracle directory server is set to the default, namely, TRUE. If it is set to FALSE, then shut down the Oracle Internet Directory server and restart it with the change log enabled by using the OID Control Utility.
4. Similarly, verify that change logging is enabled in SunONE Directory Server.
See Also: The Oracle Internet Directory server administration tools chapter of the Oracle Identity Management User Reference for information on the OID Control Utility
If you are storing passwords only in SunONE Directory Server and do not want to synchronize them with Oracle Internet Directory, then, to authenticate SunONE Directory Server users from Oracle Internet Directory, you must use the SunONE Directory Server external authentication plug-in.
This section tells how to install, delete, enable, and disable the SunONE Directory Server external authentication plug-in by using the command line. You can perform these operations, except for installation, by using Oracle Directory Manager as described in Oracle Internet Directory Administrator's Guide.
Note: The SunONE Directory Server external authentication plug-in can be configured to authenticate to only one single SunONE Directory Server.
To install the plug-in:
1. Execute $ORACLE_HOME/ldap/admin/oidspipi.sh.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
To execute oidspipi.sh, enter:
cd $ORACLE_HOME/ldap/admin
oidspipi.sh
If you are using the Windows operating system, then execute oidspipi.sh after you have installed the UNIX emulation utility by entering:
sh oidspipi.sh
2. Enter the SunONE Directory Server host name. This is the SunONE Directory Server to which you are going to synchronize. This value is required.
3. Choose whether to use an SSL connection.
When specifying the wallet location on the Microsoft Windows operating system, double each backslash (\). For example, if the wallet location is D:\storage\wallet, then enter D:\\storage\\wallet.
4. Enter the SunONE Directory Server port number.
5. Enter the database connect string.
6. Enter the ODS password. The default ODS password is the same as that set for the Oracle Application Server administrator during installation.
7. Enter the Oracle directory server host name. This value is required.
8. Enter the Oracle directory server port number. The default port is 389.
9. Enter the password of the Oracle administrator (orcladmin). This value is required.
10. Enter the distinguished name of the container to which the plug-in needs to be applied. Every entry in this container will be authenticated against SunONE Directory Server. Note that this need not necessarily be the User Search Base supplied in Oracle Internet Directory Self-Service Console. All the users under this search base are authenticated externally to the SunONE Directory Server. If more than one value is specified, then use semicolons (;) to separate them.
11. Enter the Plug-in Request Group DN. For security reasons, the plug-in can be invoked only by users belonging to this group. For example, suppose that the Oracle Application Server Single Sign-On administrators are in the group cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this value for the Plug-in Request Group DN, then only requests coming from Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values. Use a semicolon (;) to separate them. This value is not required, but, for security purposes, it should be specified.
12. Enter the value of the entry that is to be excluded from authentication to SunONE Directory Server. This value is the exception to item 10. You need to enter the value in the standard ldapsearch filter format. For example, if you specify the value (&(objectclass=inetorgperson)(cn=orcladmin)), then any entry under the user container specified in item 10 that has the cn=orcladmin and objectclass=inetorgperson attribute values will not be authenticated to SunONE Directory Server.
13. Specify whether you want to back up the SunONE Directory Server for failover.
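To make the interplay of the container DNs (item 10), the Plug-in Request Group DN and the exclusion filter concrete, here is an added Python model (not from the guide and not Oracle's plug-in code) of the routing decision those three installation answers define: a bind or compare is sent to SunONE only when the caller is in the request group, the target entry lies under one of the containers, and the entry does not match the exclusion filter. The filter evaluator covers the (&...), (|...), (!...), (attr=value) and (attr=*) forms only, with no substring or escape handling; the container DN and the two entries are constructed, while the group DN and the filter are the guide's own examples.

```python
"""Model of the routing decision the external authentication plug-in makes from
the values entered at installation: container DNs, Plug-in Request Group DN and
exclusion filter. Added example, not Oracle's plug-in code; the filter evaluator
handles only (&...), (|...), (!...), (attr=value) and (attr=*), and the
container DN and entries below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

Entry = Dict[str, List[str]]


def norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.lower().split(","))


def is_under(dn: str, container: str) -> bool:
    """True when dn is the container itself or lies anywhere beneath it."""
    d, c = norm_dn(dn), norm_dn(container)
    return d == c or d.endswith("," + c)


def parse_filter(text: str):
    """Recursive-descent parser for a small RFC 4515 filter subset."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at {pos} in {text!r}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(parse())
            if pos >= len(text) or text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' clause in {text!r}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    node = parse()
    if pos != len(text):
        raise ValueError(f"trailing data in filter {text!r}")
    return node


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against an entry; names and values compared case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    values = [v.lower() for name, vs in entry.items() if name.lower() == attr for v in vs]
    return bool(values) if wanted == "*" else wanted.lower() in values


@dataclass
class PluginConfig:
    containers: Sequence[str]       # container DNs (item 10), semicolon-separated at install
    request_groups: Sequence[str]   # Plug-in Request Group DNs, semicolon-separated
    exclusion: str                  # ldapsearch-style filter for entries kept local

    @classmethod
    def from_install_answers(cls, containers: str, groups: str, exclusion: str) -> "PluginConfig":
        def split(s: str) -> List[str]:
            return [x.strip() for x in s.split(";") if x.strip()]
        return cls(split(containers), split(groups), exclusion)


def route(cfg: PluginConfig, requester_groups: Sequence[str], target_dn: str, target: Entry) -> str:
    """'external' when the bind/compare goes to SunONE, otherwise 'local'."""
    member_of = {norm_dn(g) for g in requester_groups}
    if cfg.request_groups and not any(norm_dn(g) in member_of for g in cfg.request_groups):
        return "local"          # caller is not in the request group: plug-in not invoked
    if not any(is_under(target_dn, c) for c in cfg.containers):
        return "local"          # entry lies outside the plugged-in containers
    if matches(parse_filter(cfg.exclusion), target):
        return "local"          # explicitly excluded, e.g. orcladmin
    return "external"


# Constructed configuration; the group DN and the filter are the guide's own examples.
CFG = PluginConfig.from_install_answers(
    "cn=users,dc=example,dc=com",
    "cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext",
    "(&(objectclass=inetorgperson)(cn=orcladmin))")
SSO_ADMIN = ["cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext"]
JDOE: Entry = {"objectClass": ["top", "person", "inetOrgPerson"], "cn": ["Jane Doe"], "uid": ["jdoe"]}
ORCLADMIN: Entry = {"objectClass": ["top", "person", "inetOrgPerson"], "cn": ["orcladmin"]}

if __name__ == "__main__":
    print(route(CFG, SSO_ADMIN, "uid=jdoe,cn=users,dc=example,dc=com", JDOE))          # external
    print(route(CFG, SSO_ADMIN, "cn=orcladmin,cn=users,dc=example,dc=com", ORCLADMIN))  # local
```

The orcladmin case is the one to keep in mind when writing the exclusion filter: without it, the directory administrator's own bind would be forwarded to SunONE, and a SunONE outage would lock the administrator out of Oracle Internet Directory as well.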
To delete the SunONE Directory Server plug-in by using Oracle Directory Manager, follow the instructions in the chapter on the Oracle Internet Directory plug-in framework in Oracle Internet Directory Administrator's Guide.
To delete the SunONE Directory Server plug-in by using command-line tools, use these commands:
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ipwhencompare,cn=plugin,cn=subconfigsubentry"
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ipwhenbind,cn=plugin,cn=subconfigsubentry"
To enable the SunONE Directory external authentication plug-in by using Oracle Directory Manager, follow the instructions in the chapter on the Oracle Internet Directory plug-in framework in Oracle Internet Directory Administrator's Guide. Set the Plug-in Enable field to 1
.
To enable the SunONE Directory Server external authentication plug-in by using command-line tools, enter the following commands:
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
To disable the SunONE Directory Server external authentication plug-in by using Oracle Directory Manager, follow the instructions in the chapter on the Oracle Internet Directory plug-in framework in Oracle Internet Directory Administrator's Guide. Set the Plug-in Enable field to 0
.
To disable the SunONE Directory Server external authentication plug-in by using command-line tools, enter the following commands:
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 0
EOF
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 0
EOF
If you are experiencing unknown errors, then you can enable plug-in debugging. To do this, enter:
sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, connect as the ODS user and run the query:
sqlplus ods/ods
select * from plg_debug_log order by id;
To delete the plug-in debugging log, enter:
sqlplus ods/ods
truncate table plg_debug_log;
To disable the plug-in debugging, enter:
sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
Note: If you need to change the plug-in setup—that is, the information you entered in the installation steps—then you can rerun the installation script. Before you rerun the script, delete the SunONE Directory external authentication plug-in by following the instructions in "Deleting the SunONE Directory External Authentication Plug-in".
To start synchronization:
1. Enable the profile by setting the profileStatus attribute to ENABLE in either the Oracle Directory Integration and Provisioning Server Administration tool or the Directory Integration and Provisioning Assistant.
2. Start the Oracle directory integration and provisioning server by using the OID Control Utility (oidctl) with the appropriate configuration set entry in which the profile is stored.