Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
This section introduces structural and operational information about the directory integration and provisioning server and contains these topics:
The Oracle Directory Integration and Provisioning Server and Configuration Set Entries
Standard Sequences of Directory Integration and Provisioning Server Events
In Oracle Directory Integration and Provisioning, you can create two types of profiles: a directory synchronization profile and a directory provisioning profile. A directory synchronization profile describes how synchronization is carried out between Oracle Internet Directory and an external system. There are two types of directory synchronization profiles: an import profile and an export profile. An import profile imports changes from a connected directory into Oracle Internet Directory, while an export profile exports changes from Oracle Internet Directory to a connected directory. A directory provisioning profile describes the nature of the provisioning-related notifications that Oracle Directory Integration and Provisioning sends to directory-enabled applications. Each type of profile is a special kind of directory integration profile, which is an entry in Oracle Internet Directory that describes how Oracle Directory Integration and Provisioning communicates with external systems and what is communicated.
Each directory integration and provisioning server can execute a set of connectors either for:
Synchronizing between Oracle Internet Directory and connected directories. The set of connectors for synchronization is provided in the configuration set number entered in the command line when starting the Oracle directory integration and provisioning server.
Provisioning users, groups, and realms for Oracle components. The set of profiles for provisioning is provided in the grpID argument in the command line when starting the Oracle directory integration and provisioning server.
If the configuration set number is not specified, then the directory integration and provisioning server starts in the mode for processing provisioning profiles. If the configuration set number is specified, but there are no integration profiles in the directory for the specified configuration set number, then the directory integration and provisioning server waits indefinitely until integration profiles are added to that configuration set. This wait also occurs if integration profiles are configured for the configuration set but disabled.
If the configuration set specified in the command line does not exist in the directory, then the directory integration and provisioning server logs this information in the log file and exits. For provisioning profiles, the same behavior is followed for the grpID attribute, which is passed as an argument in the command line.
Whenever a connector is scheduled to do synchronization or provisioning, the directory integration and provisioning server starts a separate thread. This thread opens an LDAP connection to the directory server to read or write entries from Oracle Internet Directory, and then closes the connection before exiting.
The directory integration and provisioning server executes three types of threads in the process, and these are described in Table 4-1:
Table 4-1 Oracle Directory Integration and Provisioning Server Threads

| Thread | Description |
|---|---|
| Main thread | Daemon thread of the Oracle directory integration and provisioning server. To look for changed profiles and to refresh its cache, it starts up the scheduler and periodically sends refresh signals to it. This thread also looks for the shutdown signal from the OID Monitor. |
| Scheduler thread | Scheduler for the connectors for synchronization based on their specified scheduling interval. On receipt of a refresh signal from the main thread, this thread refreshes the synchronization profiles to the latest values. |
| Connector thread | In a synchronization, the thread that invokes the connector executable named in the profile, and maps and filters the attributes. It is spawned by the scheduler at the specified individual scheduling intervals. Once all the changes from the source directory are propagated to the destination directory, this thread exits. |
Each instance of the Oracle directory integration and provisioning server supports either provisioning or synchronization. The directory integration and provisioning server runs as a shared server process while handling the synchronization and provisioning event propagations.
The three threads described in Table 4-1 work together to create these typical process flow sequences:
Main Thread Process Sequence
On startup, the main thread comes up. This daemon thread of the server starts the scheduler. It verifies the registration of the instance in the directory. If the instance is not registered, it was not started by OID Monitor; in that case it registers itself in Oracle Internet Directory with the configuration set number and the instance number details.
The main thread periodically checks for the refresh time and signals the scheduler to refresh. It also periodically checks for the shutdown signal. On receipt of the shutdown signal, it signals the scheduler thread to shut down.
Once the scheduler thread shuts down, the main thread unregisters and shuts down.
Scheduler Thread Process Sequence
When it is started by the main thread, the scheduler thread reads the configuration set to determine which integration profiles to schedule. It creates a list of profiles to be scheduled and schedules them based on their specified scheduling interval. While creating the list of profiles, it validates the attributes. If any of the profile attributes have invalid values, the profile is not considered for synchronization or provisioning.
When it receives the refresh signal, the scheduler thread refreshes the integration profiles. When it receives the shutdown signal, the scheduler thread waits until all the connectors complete the synchronization or provisioning event propagation. It then returns control to the main thread.
Connector Thread Process Sequence for Synchronization
A synchronization thread follows this process:
1. Establishes a connection with the connected directory and Oracle Internet Directory
2. In an import operation, executes any agent execution command that may be specified in the connector
3. Opens the DB/LDAP/LDIF/Tagged file if required
4. Reads the changes from the source one at a time
5. Filters the changes if applicable
6. Maps the changes as specified by the mapping rules
7. Creates the destination change record
8. Writes the changes to the destination
9. After applying all the changes, closes the thread
Connector Thread Process Sequence for Provisioning
A provisioning thread follows this process:
1. Establishes a connection with the connected directory
2. Reads the changes from the source, one at a time
3. Filters the changes if applicable
4. Identifies the change as a specific event, that is:
   USER Add/Modify/Delete
   GROUP Add/Modify/Delete
5. Creates the event notification record
6. Invokes the given package to consume the event notification
In a multimaster Oracle Internet Directory replication environment, changes to directory integration profiles on one Oracle Internet Directory node are not automatically replicated on other Oracle Internet Directory nodes. For this reason, you must observe the considerations that are outlined in this section when implementing Oracle Directory Integration and Provisioning in a multimaster Oracle Internet Directory replication environment.
Because directory synchronization profiles on a primary Oracle Internet Directory node are not automatically replicated to secondary Oracle Internet Directory nodes, you should manually copy the profiles on the primary node to any secondary nodes on a periodic basis. This allows a directory synchronization profile to execute on a secondary node in the event of a problem on the primary node. However, the value assigned to the lastchangenumber attribute in a directory synchronization profile is local to the Oracle Internet Directory node where the profile is located. This means that if you simply copy a directory synchronization profile from one Oracle Internet Directory node to another, the correct state of synchronization or event propagation will not be preserved.
Note: If the primary node running either the directory replication server (oidrepld), or the Oracle directory integration and provisioning server (odisrv), or both fails, then the OID Monitor on the secondary node starts these processes on the secondary node after five minutes. However, when the primary node is restarted, these servers are not automatically restarted on the primary node.
Normal shutdown is not treated as a failover—that is, after a normal shutdown, the OID Monitor on the secondary node does not start these processes on the secondary node after five minutes. However, as in the case of a failure, when the primary node is restarted, these servers are not automatically restarted on the primary node.
When copying import profiles from one node to another, the lastchangenumber attribute is irrelevant because the value is obtained from the connected directory. However, after copying an export profile to a target node, you must update the lastchangenumber attribute with the value from the target node as follows:
1. Stop the Oracle directory integration and provisioning server as explained in "Stopping the Oracle Directory Integration and Provisioning Server".
2. Obtain the value of the lastchangenumber attribute on the target node by following the instructions in the dipassistant showprofile section in the Oracle Directory Integration and Provisioning tools chapter of the Oracle Identity Management User Reference.
3. Copy the directory synchronization profiles from the primary node to the target nodes by following the instructions in the dipassistant reassociate section of the Oracle Directory Integration and Provisioning tools chapter of the Oracle Identity Management User Reference.
4. Use the Oracle Directory Integration and Provisioning Server Administration tool or the Directory Integration and Provisioning Assistant (dipassistant) to update the lastchangenumber attribute in the export profile you copied to the target node with the value you obtained in Step 2.
5. Start the Oracle directory integration and provisioning server as explained in "Starting the Oracle Directory Integration and Provisioning Server".
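As an added illustration, not taken from the Oracle documentation, the following Python model shows why a copied export profile must have its lastchangenumber reset to the target node's value (steps 2 and 4 above): each node numbers its change log independently, so the primary's value is meaningless on the secondary. The OidNode and ExportProfile classes, the connector functions and the change-log contents are constructed stand-ins, not Oracle APIs or real data.

```python
from dataclasses import dataclass, field, replace

@dataclass
class OidNode:
    """Constructed stand-in for one OID node: its change log is numbered locally."""
    name: str
    next_changenumber: int = 1
    changelog: list = field(default_factory=list)  # (changenumber, dn, op)

    def apply(self, dn: str, op: str) -> None:
        self.changelog.append((self.next_changenumber, dn, op))
        self.next_changenumber += 1

    def current_changenumber(self) -> int:
        return self.next_changenumber - 1

@dataclass
class ExportProfile:
    """Export profile: resumes from lastchangenumber on whichever node it runs on."""
    lastchangenumber: int = 0

def run_export(node: OidNode, profile: ExportProfile) -> list:
    """One connector run: propagate every change newer than lastchangenumber."""
    pending = [c for c in node.changelog if c[0] > profile.lastchangenumber]
    if pending:
        profile.lastchangenumber = pending[-1][0]
    return pending

def copy_profile_naive(profile: ExportProfile) -> ExportProfile:
    """Plain copy: drags the primary's node-local lastchangenumber along."""
    return replace(profile)

def copy_profile_reassociated(profile: ExportProfile, target: OidNode) -> ExportProfile:
    """Copy plus steps 2 and 4: lastchangenumber reset to the target node's current value."""
    return replace(profile, lastchangenumber=target.current_changenumber())

def scenario() -> dict:
    primary, secondary = OidNode("primary"), OidNode("secondary")
    for i in range(120):                 # constructed: long history on the primary
        primary.apply(f"cn=user{i},dc=example,dc=com", "add")
    for i in range(5):                   # constructed: short local log on the secondary
        secondary.apply(f"cn=svc{i},dc=example,dc=com", "add")
    prof = ExportProfile()
    run_export(primary, prof)            # caught up on the primary: lastchangenumber == 120
    naive = copy_profile_naive(prof)
    fixed = copy_profile_reassociated(prof, secondary)
    for cn in ("alice", "bob", "carol"):  # primary is down; new changes land on the secondary
        secondary.apply(f"cn={cn},dc=example,dc=com", "modify")
    # Naive copy: secondary changes 6..8 are all <= 120 and are silently skipped;
    # a target log *ahead* of 120 would instead re-export already-propagated changes.
    return {"naive": run_export(secondary, naive), "fixed": run_export(secondary, fixed)}
```

The naive copy loses the three changes made on the secondary without any error, which is the silent failure the procedure above prevents.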
In a default multimaster Oracle Internet Directory replication environment, the Oracle directory integration and provisioning server is installed in the same location as the primary Oracle Internet Directory. If the primary node fails, event propagation stops for all profiles located on the node. Although the events are queued and not lost while the primary node is stopped, the events will not be propagated to any applications that expect them. In order to ensure that events continue to be propagated even when the primary node is down, you must copy the directory provisioning profiles to other secondary nodes in a multimaster Oracle Internet Directory environment. However, directory provisioning profiles should only be copied from the primary node to any secondary nodes immediately after an application is installed and before any user changes are made in Oracle Internet Directory.
To copy the directory provisioning profiles from a primary node to any secondary nodes, follow the instructions in the dipassistant reassociate command section in the Oracle Directory Integration and Provisioning tools chapter of the Oracle Identity Management User Reference.