Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02
18.4 Managing Integration with Microsoft Active Directory

This section describes what to do immediately after configuration and ongoing administration tasks. It contains these topics:

  • Tasks After Configuring with Microsoft Active Directory

  • Typical Management of Integration with Microsoft Active Directory

18.4.1 Tasks After Configuring with Microsoft Active Directory

Once configuration is complete, do the following:

  1. Migrate data from one directory to the other as needed. This is described in "Bootstrapping Data Between Directories".

  2. Enable the integration profile. You can do this by using either the Oracle Directory Integration and Provisioning Server Administration tool or the command-line version of the Directory Integration and Provisioning Assistant.

    To enable the integration profile by using the Oracle Directory Integration and Provisioning Server Administration tool, perform the following:

    1. Launch the Oracle Directory Integration and Provisioning Server Administration tool by entering the following:

      $ORACLE_HOME/bin/dipassistant -gui
    2. In the navigator pane, expand directory_integration_and_provisioning_server, then expand Integration Profile Configuration.

    3. In the navigator pane, select the configuration set. A list of the available profiles appears in the right pane.

    4. In the right pane, select the profile, then choose Edit. The General tab page window appears.

    5. In the General tab page, in the Profile Status field, select ENABLE.

    6. Choose OK.

    To enable the synchronization profile by using the command-line version of the Directory Integration and Provisioning Assistant, enter the following command:

    $ORACLE_HOME/bin/dipassistant modifyprofile
    [-h host_name] [-p port_number] [-D bind_DN] [-w password]
    -profile profile_name_in_OID odip.profile.status=ENABLE
    [-configset configset_number]
  3. Start the Oracle directory integration and provisioning server using the configuration set that corresponds to that of the profile. See "Starting, Stopping, and Restarting the Oracle Directory Integration and Provisioning Server".

18.4.2 Typical Management of Integration with Microsoft Active Directory

Management tasks typically include:

  • Managing synchronization profiles and mapping rules:

    • Creating new profiles. You create new profiles if you need to synchronize with an additional domain controller in a multiple domain Active Directory environment.

      You can create new profiles by using existing profiles as templates. To do this, use the createlike command of the Directory Integration and Provisioning Assistant.

    • Changing configurations (attributes) in the profile

    • Disabling profiles to allow maintenance and then reenabling them. Disabling profiles stops synchronization related to that profile.

  • Managing mapping rules:

    • Creating new rules when additional attributes need to be synchronized

    • Changing existing rules when the way attributes are synchronized needs to change

    • Deleting or commenting out rules not required when a particular attribute is not required to be synchronized

  • Managing access control

  • Starting and stopping the Oracle directory server and the Oracle directory integration and provisioning server

This section contains these topics:

  • Bootstrapping Data Between Directories

  • Managing the Active Directory External Authentication Plug-in

  • Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain
18.4.2.1 Bootstrapping Data Between Directories

Bootstrapping is sometimes called data migration. To bootstrap data, do the following once the Active Directory Connector and plug-in configurations are complete:

  1. Identify the data you want to migrate. You can choose to migrate all data in the directory or only a subset of data.

  2. Make sure the synchronization is not enabled yet.

  3. Bootstrap from one directory to another by using the Directory Integration and Provisioning Assistant with the -bootstrap option. Bootstrapping is described in Chapter 8, "Bootstrapping of a Directory in Oracle Directory Integration and Provisioning".

    Once bootstrapping is accomplished, the profile status attributes are appropriately updated in the synchronization profile by the Directory Integration and Provisioning Assistant.

  4. If you used LDIF file-based bootstrapping, then initialize the lastchangekey value with the Directory Integration and Provisioning Assistant as follows:

    $ORACLE_HOME/bin/dipassistant modifyprofile -updlcn

    The lastchangekey attribute should be set to the value of the last change number in the source directory before you started the bootstrap.

    In order to update the last change number, the value assigned to the odip.profile.condirurl property in the import synchronization profile must be for a non-SSL connection. If you have already configured the import synchronization profile for SSL, then before attempting to update the last change number, you must temporarily change the value assigned to the odip.profile.condirurl property so it points to a non-SSL port.

  5. If two-way synchronization is required, then enable the export profile and make sure the change logging option is enabled for the Oracle directory server. Change logging is controlled by the -l option while starting Oracle Internet Directory. By default, it is set to TRUE, meaning that change logging is enabled. If it is set to FALSE, then use the OID Control Utility to shut down the Oracle directory server, and then to start the server again with the change log enabled.

18.4.2.2 Managing the Active Directory External Authentication Plug-in

This section explains how to delete, disable, and re-enable the Active Directory external authentication plug-in.

18.4.2.2.1 Deleting the Active Directory External Authentication Plug-in

To delete the Active Directory external authentication plug-in, enter the following commands:

ldapdelete -h host -p port -D cn=orcladmin -w password
"cn=adwhencompare,cn=plugin,cn=subconfigsubentry"

ldapdelete -h host -p port -D cn=orcladmin -w password
"cn=adwhenbind,cn=plugin,cn=subconfigsubentry"

18.4.2.2.2 Disabling the Active Directory External Authentication Plug-in

To disable the Microsoft Active Directory external authentication plug-in:

  1. Create an LDIF file with the following entries:

    dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    changetype: modify
    replace: orclpluginenable
    orclpluginenable: 0
    
    dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
    changetype: modify
    replace: orclpluginenable
    orclpluginenable: 0
    
    
  2. Load the LDIF file with the ldapmodify command, as follows:

    ldapmodify -h host -p port -D cn=orcladmin -w password -f fileName

18.4.2.2.3 Re-enabling the Active Directory External Authentication Plug-in

To re-enable the Active Directory external authentication plug-in, perform these two steps:

  1. Create an LDIF file with the following entries:

    dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    changetype: modify
    replace: orclpluginenable
    orclpluginenable: 1
    
    dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
    changetype: modify
    replace: orclpluginenable
    orclpluginenable: 1
    
    
  2. Load the LDIF file with the ldapmodify command, as follows:

    ldapmodify -h host -p port -D cn=orcladmin -w password -f fileName
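The LDIF files in this section are loaded with ldapmodify bound as cn=orcladmin, so a file is worth checking before it is applied. The following Python is an added example, not Oracle's code or tooling: it parses LDIF change records of the form shown above and accepts a file only if it does nothing except replace orclpluginenable with 0 or 1 on both plug-in entries, rejecting additional entries, additional modifications, or a file that toggles only one of the two plug-ins. The disable file is the one from this section; the rejected variants (including the made-up entry cn=someotherplugin) are constructed for the example.

```python
"""Check an LDIF modify file before loading it with ldapmodify as cn=orcladmin.

Added example (not Oracle code): accepts only the change this section
describes, replacing orclpluginenable with 0 or 1 on both plug-in entries.
"""

PLUGIN_DNS = (
    "cn=adwhencompare,cn=plugin,cn=subconfigsubentry",
    "cn=adwhenbind,cn=plugin,cn=subconfigsubentry",
)


def parse_ldif_changes(text):
    """Parse LDIF change records into {"dn", "changetype", "mods": [(op, attr, [values])]}.

    Records are separated by blank lines; the RFC 2849 "-" line that ends a
    modification spec is accepted but, as in this section's files, optional.
    """
    records, current, mod = [], None, None

    def flush():
        nonlocal current, mod
        if current is not None:
            if mod is not None:
                current["mods"].append(mod)
            records.append(current)
        current, mod = None, None

    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "":
            flush()
            continue
        if line.startswith("#"):
            continue
        if line == "-":
            if mod is not None:
                current["mods"].append(mod)
            mod = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % raw)
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            flush()  # also tolerates records that are not blank-line separated
            current = {"dn": value.lower(), "changetype": None, "mods": []}
        elif current is None:
            raise ValueError("attribute before dn: %r" % raw)
        elif attr == "changetype":
            current["changetype"] = value.lower()
        elif attr in ("add", "replace", "delete"):
            if mod is not None:
                current["mods"].append(mod)
            mod = (attr, value.lower(), [])
        elif mod is not None and mod[1] == attr:
            mod[2].append(value)
        else:
            raise ValueError("value for %s outside a modification spec" % attr)
    flush()
    return records


def review_plugin_change(text):
    """Return {dn: 0 or 1} when the file only toggles both plug-ins; raise ValueError otherwise."""
    result = {}
    for rec in parse_ldif_changes(text):
        dn = rec["dn"]
        if dn not in PLUGIN_DNS:
            raise ValueError("unexpected entry: " + dn)
        if rec["changetype"] != "modify":
            raise ValueError("unexpected changetype on %s: %s" % (dn, rec["changetype"]))
        if len(rec["mods"]) != 1 or rec["mods"][0][:2] != ("replace", "orclpluginenable"):
            raise ValueError("only 'replace: orclpluginenable' is allowed on " + dn)
        if rec["mods"][0][2] not in (["0"], ["1"]):
            raise ValueError("orclpluginenable must be 0 or 1 on " + dn)
        result[dn] = int(rec["mods"][0][2][0])
    if set(result) != set(PLUGIN_DNS):
        raise ValueError("both plug-in entries must be changed together")
    if len(set(result.values())) != 1:
        raise ValueError("both plug-ins must be set to the same value")
    return result


def is_safe_plugin_change(text):
    """True if review_plugin_change accepts the file."""
    try:
        review_plugin_change(text)
        return True
    except ValueError:
        return False


# The disable file from this section, embedded so the example runs offline.
DISABLE_LDIF = """\
dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 0

dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 0
"""

# Constructed files a reviewer should reject: one touches a third (made-up)
# plug-in entry, the other disables only one of the two plug-ins.
EXTRA_ENTRY_LDIF = DISABLE_LDIF + "\ndn: cn=someotherplugin,cn=plugin,cn=subconfigsubentry\nchangetype: modify\nreplace: orclpluginenable\norclpluginenable: 0\n"
ONE_PLUGIN_LDIF = DISABLE_LDIF.split("\n\n")[0]

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DISABLE_LDIF
    print(review_plugin_change(text))
```

Run it with the LDIF file path as the first argument (without one it checks the embedded disable file); the printed mapping shows the value each plug-in entry will receive, and anything outside that shape raises before ldapmodify is ever invoked.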
    

18.4.2.3 Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain

This section explains how to change the Microsoft Active Directory domain controller to which changes are exported. There are two methods, one for the USN-Changed approach and the other for the DirSync approach.

How to Change the Active Directory Domain Controller by Using the USN-Changed Approach

If you are using the USN-Changed approach, then perform the following:

  1. Stop the currently running profile. Modify the Microsoft Active Directory host connection information (host, port, user, password) to point to the new host. Usually, the host name is the only item that you need to update.

  2. Obtain the current value of highestCommittedUSN, that is, the highest uSNChanged value committed so far, by searching the new domain controller's root DSE:

    ldapsearch -h host -p port -b "" -s base -D userDN -w password "objectclass=*" highestCommittedUSN
    
    
  3. Use Oracle Directory Integration and Provisioning to run a full synchronization from Microsoft Active Directory.

    1. Run ldifde, the command that dumps entries from Microsoft Active Directory into an LDIF file for loading into Oracle Internet Directory, using the intended ldapsearch scope and search filter. Note that ldifde can be run only from a Microsoft Windows environment. Normally, the search filter should be the same as that specified in the running profile. For example, the following search filter is set in the sample properties file in Release 10.1.2:

      searchfilter=(&(|(objectclass=user)(objectclass=organizationalunit))(!(objectclass=group)))

      Essentially, run ldifde with a search scope and search filter that retrieve all objects (entries) that the running profile is configured to synchronize between Microsoft Active Directory and Oracle Internet Directory.

    2. Run Oracle Directory Integration and Provisioning to upload the LDIF file generated in the preceding substep using the same profile.

  4. After the full synchronization is completed, update the lastchangenumber attribute with the highestCommittedUSN value obtained in Step 2.

  5. Resume the normal synchronization, that is, incremental synchronization from Microsoft Active Directory using the uSNChanged attribute.
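The order of steps 2 and 4 above is what keeps the switch lossless: highestCommittedUSN is read before the full synchronization but written into lastchangenumber only after it, so changes that Active Directory commits while ldifde is running are picked up by the next incremental run. The same rule is behind step 4 of "Bootstrapping Data Between Directories", where lastchangekey is set to the last change number from before the bootstrap started. The following Python is an added example, not Oracle's code: the root-DSE output, the entry DNs and the uSNChanged values are constructed, and the root-DSE parser accepts both the `attribute: value` (LDIF) and `attribute=value` forms of ldapsearch output. It models the full export plus the next incremental import and compares the watermark the procedure prescribes with the alternative of reading it after the full synchronization.

```python
"""Model the change-number watermark that incremental synchronization relies on.

Added example, not Oracle code. Domain controller output, DNs and uSNChanged
values are constructed. Shows why highestCommittedUSN is captured before the
full synchronization and written to lastchangenumber only afterwards.
"""
import re

# Constructed root-DSE search output as seen before and after the full sync.
ROOT_DSE_BEFORE_FULL_SYNC = "dn:\nhighestCommittedUSN=5002\n"
ROOT_DSE_AFTER_FULL_SYNC = "dn:\nhighestCommittedUSN: 5004\n"


def parse_highest_committed_usn(ldapsearch_output):
    """Extract highestCommittedUSN from root-DSE output; name match is case-insensitive."""
    for line in ldapsearch_output.splitlines():
        m = re.match(r"^highestcommittedusn\s*[:=]\s*(\d+)\s*$", line.strip(), re.IGNORECASE)
        if m:
            return int(m.group(1))
    raise ValueError("highestCommittedUSN not present in root DSE output")


# Constructed change history on the new domain controller, in commit order:
# (uSNChanged, dn, change). USNs 5003 and 5004 commit while ldifde is running.
CHANGES = [
    (5001, "cn=alice,ou=staff,dc=example,dc=com", "created"),
    (5002, "cn=bob,ou=staff,dc=example,dc=com", "created"),
    (5003, "cn=carol,ou=staff,dc=example,dc=com", "created"),
    (5004, "cn=alice,ou=staff,dc=example,dc=com", "account disabled"),
]


def full_sync_export(changes, export_usn):
    """What the ldifde export captured: every change committed up to export_usn."""
    return [c for c in changes if c[0] <= export_usn]


def incremental_import(changes, lastchangenumber):
    """What the next incremental run imports: changes with uSNChanged > lastchangenumber."""
    return [c for c in changes if c[0] > lastchangenumber]


def switch_outcome(changes, export_usn, lastchangenumber):
    """Return (replayed_twice, missed) USN lists for an export point and a watermark.

    replayed_twice: in both the export and the incremental run (harmless, the
    replace is idempotent). missed: in neither, so never reaches Oracle Internet
    Directory, for example a disablement that leaves the account usable.
    """
    exported = {c[0] for c in full_sync_export(changes, export_usn)}
    imported = {c[0] for c in incremental_import(changes, lastchangenumber)}
    replayed_twice = sorted(exported & imported)
    missed = sorted(c[0] for c in changes if c[0] not in (exported | imported))
    return replayed_twice, missed


def compare_watermark_choices():
    """Watermark taken before the full sync (as the procedure says) vs. after it."""
    before = parse_highest_committed_usn(ROOT_DSE_BEFORE_FULL_SYNC)  # step 2 value
    after = parse_highest_committed_usn(ROOT_DSE_AFTER_FULL_SYNC)
    export_usn = 5003  # ldifde read carol's entry but finished before alice was disabled
    return {
        "watermark_before": switch_outcome(CHANGES, export_usn, before),
        "watermark_after": switch_outcome(CHANGES, export_usn, after),
    }


if __name__ == "__main__":
    for choice, (twice, missed) in compare_watermark_choices().items():
        print("%-16s replayed twice=%s missed=%s" % (choice, twice, missed))
```

With the watermark from step 2, USN 5003 is applied twice (once from the export, once incrementally) and nothing is lost; with a watermark read after the full synchronization, USN 5004 is never imported, so alice's disablement in Active Directory would not propagate to Oracle Internet Directory until some later change touched her entry.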

How to Change the Active Directory Domain Controller by Using the DirSync Approach

If you are using the DirSync approach, perform the following:

  1. Stop the current profile that is running.

  2. Use the Directory Integration and Provisioning Assistant createlike option to create a new profile exactly the same as the profile already being used. In the newly created profile, modify the Microsoft Active Directory host connection information, that is, host, port, user, password, to point to the new host. Usually, the host name is the only item you need to update.

  3. Resume normal synchronization with the modified profile. Note that all the domain controllers must be in the same Active Directory domain.