Oracle® Identity Management Integration Guide 10g (10.1.4.0.1)
Part Number B15995-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New in Oracle Identity Management Integration?
New Features Introduced with Oracle Application Server 10g (10.1.4.0.1)
New Features Introduced with Oracle Application Server 10g Release 2 (10.1.2)
New Features Introduced with Oracle Internet Directory 10g (9.0.4)
New Features Introduced with Oracle Internet Directory Release 9.0.2
New Features Introduced with Oracle Internet Directory Release 3.0.1
New Features Introduced with Oracle Internet Directory Release 2.1.1
Part I Getting Started with Oracle Directory Integration Platform
1 Introduction to Oracle Identity Management Integration
Why Oracle Identity Management Integration?
Oracle Identity Management Installation Options
Synchronization, Provisioning, and the Differences Between Them
Synchronization
Provisioning
How Synchronization and Provisioning Differ
Components Involved in Oracle Identity Management Integration
Oracle Internet Directory
Oracle Directory Integration Server
What the Oracle Directory Integration Server Does
About the Oracle Directory Synchronization Service
About the Oracle Directory Integration Platform Service
Oracle Application Server Single Sign-On
2 Security Features in Oracle Directory Integration Platform
Authentication in Oracle Directory Integration Platform
Secure Sockets Layer and Oracle Directory Integration Platform
Oracle Directory Integration Server Authentication
Non-SSL Authentication
Authentication in SSL Mode
Profile Authentication
Access Control and Authorization and Oracle Directory Integration Platform
Access Controls for the Oracle Directory Integration Platform
Access Controls for Profiles
Data Integrity and Oracle Directory Integration Platform
Data Privacy and Oracle Directory Integration Platform
Tools Security and Oracle Directory Integration Platform
Part II General Administration of Oracle Directory Integration Platform
3 Oracle Directory Integration Platform Administration Tools
Oracle Directory Integration Server Administration Tool
Starting the Oracle Directory Integration Server Administration Tool
Connecting to a Directory Server by Using the Oracle Directory Integration Server Administration Tool
Navigating the Oracle Directory Integration Server Administration Tool
Overview of Oracle Directory Integration Server Administration
The Oracle Directory Integration Server Administration Menu Bar
Disconnecting from a Directory Server by Using the Oracle Directory Integration Server Administration Tool
Graphical Tools for Oracle Directory Integration Platform Administration
Oracle Directory Manager
Oracle Internet Directory Self-Service Console
Oracle Internet Directory Provisioning Console
Command-Line Tools for Oracle Directory Integration Platform Administration
OID Control and OID Monitor
Oracle Directory Integration Platform Registration Tool
Directory Integration Assistant
Provisioning Subscription Tool
Entry and Attribute Management Command-Line Tools
Schema Synchronization Tool
4 Managing the Oracle Directory Integration Platform
Operational Information About the Oracle Directory Integration Platform
Directory Integration Profiles
Oracle Directory Integration Platform and Configuration Set Entries
Standard Sequences of Oracle Directory Integration Platform Events
Oracle Directory Integration Platform Event Propagation in a Multimaster Oracle Internet Directory Replication Environment
Directory Synchronization in a Multimaster Oracle Internet Directory Replication Environment
Directory Provisioning in a Multimaster Oracle Internet Directory Replication Environment
Viewing Oracle Directory Integration Platform Information
Viewing Oracle Directory Integration Platform Runtime Information Using the Oracle Directory Integration Server Administration Tool
Viewing Oracle Directory Integration Platform Runtime Information Using the ldapsearch Utility
Managing Configuration Set Entries Used by the Oracle Directory Integration Platform
Managing the SSL Certificates of Oracle Internet Directory and Connected Directories
Starting, Stopping, and Restarting the Oracle Directory Integration Platform
Starting the Oracle Directory Integration Platform
Stopping the Oracle Directory Integration Platform
Restarting the Oracle Directory Integration Platform
Starting and Stopping the Oracle Directory Integration Platform in a High Availability Scenario
Oracle Directory Integration Platform in an Oracle Real Application Clusters Environment
Collocated Configurations
Outside-the-Cluster Configurations
Oracle Directory Integration Platform in an Oracle Application Server Cold Failover Cluster (Infrastructure)
Collocated Configurations
Outside-the-Cluster Configurations
Setting the Debugging Level for the Oracle Directory Integration Platform
Managing Oracle Directory Integration Platform in a Replicated Environment
Finding Log Files
Manually Registering the Oracle Directory Integration Platform
Manually Registering the Oracle Directory Integration Server Using Oracle Enterprise Manager 10g Application Server Control Console
Part III Synchronization with the Oracle Directory Integration Platform
5 Oracle Directory Synchronization Service
Components Involved in Oracle Directory Synchronization
Connectors for Directory Synchronization
Using Connectors with Supported Interfaces
Using Connectors Without Supported Interfaces
Directory Synchronization Profiles
How Synchronization Works
Synchronizing from Oracle Internet Directory to a Connected Directory
Synchronizing from a Connected Directory to Oracle Internet Directory
Synchronizing Directories with Interfaces Not Supported by Oracle Internet Directory
6 Configuration of Directory Synchronization Profiles
Registering Connectors in Oracle Directory Integration Platform
Sample Synchronization Profiles
Configuring Connection Details
Additional Configuration Information
SearchDeltaSize Parameter
SkipErrorToSyncNextChange Parameter
UpdateSearchCount
Configuring Mapping Rules
Distinguished Name Mapping
Attribute-Level Mapping
How to Create a New Mapping File
Supported Attribute Mapping Rules and Examples
Example: Mapping File for a Tagged-File Interface
Example: Mapping Files for an LDIF Interface
Updating Mapping Rules
Adding an Entry to the Mapping Rules File
Modifying an Entry in the Mapping Rules File
Deleting an Entry from the Mapping Rules File
Configuring Matching Filters
Filtering Changes with an LDAP Search
Filtering Changes from a Change Log
Location and Naming of Files
7 Administration of Directory Synchronization
Managing Synchronization Profiles
Creating a Profile
Modifying a Profile
Deleting a Profile
Modifying the Synchronization Status Attributes
Managing Synchronization Profiles Using Command-Line Tools
8 Bootstrapping a Directory in Oracle Directory Integration Platform
About Directory Bootstrapping in Oracle Directory Integration Platform
Bootstrapping Using a Parameter File
Bootstrapping Without Using an LDIF File
Bootstrapping Using an LDIF File
Bootstrapping from an LDIF File Using Directory-Dependent Tools to Read the Source Directory
Bootstrapping from an LDIF File Using the Directory Integration Assistant to Load Data into Oracle Internet Directory
Bootstrapping Directly Using the Default Integration Profile
Bootstrapping in SSL Mode
Recommended Bootstrapping Methodology
9 Synchronization with Relational Database Tables
Preparing the Additional Configuration Information File
Preparing the Mapping File
Preparing the Directory Integration Profile
Example: Synchronizing a Relational Database Table to Oracle Internet Directory
Configuring the Additional Configuration Information File
Configuring the Mapping File
Configuring the Directory Integration Profile
Uploading the Additional Configuration Information File
Uploading the Mapping File
Synchronization Process
Observations About the Example
10 Synchronization with Oracle Human Resources
Introduction to Synchronization with Oracle Human Resources
Data You Can Import from Oracle Human Resources
Managing Synchronization Between Oracle Human Resources and Oracle Internet Directory
Task 1: Configure a Directory Integration Profile for the Oracle Human Resources Connector
Task 2: Configure the List of Attributes to Be Synchronized with Oracle Internet Directory
Modifying Additional Oracle Human Resources Attributes for Synchronization
Excluding Oracle Human Resources Attributes from Synchronization
Configuring a SQL SELECT Statement in the Configuration File to Support Complex Selection Criteria
Task 3: Configure Mapping Rules for the Oracle Human Resources Connector
Task 4: Prepare to Synchronize from Oracle Human Resources to Oracle Internet Directory
Preparing for Synchronization
The Synchronization Process
Bootstrapping Oracle Internet Directory from Oracle Human Resources
11 Synchronization with Third-Party Metadirectory Solutions
About Change Logs
Enabling Third-Party Metadirectory Solutions to Synchronize with Oracle Internet Directory
Task 1: Perform Initial Bootstrapping
Task 2: Create a Change Subscription Object in Oracle Internet Directory for the Third-Party Metadirectory Solution
About the Change Subscription Object
Creating a Change Subscription Object
Synchronization Process
How a Connected Directory Retrieves Changes the First Time from Oracle Internet Directory
How a Connected Directory Updates the orclLastAppliedChangeNumber Attribute in Oracle Internet Directory
Disabling and Deleting Change Subscription Objects
Disabling a Change Subscription Object
Deleting a Change Subscription Object
Part IV Provisioning with the Oracle Directory Integration Platform
12 Oracle Directory Integration Platform Service Concepts
What Is Provisioning?
Components of the Oracle Directory Integration Platform Service
Understanding Provisioning Concepts
Synchronous Provisioning
Asynchronous Provisioning
Provisioning Data Flow
Overview of Provisioning Methodologies
Provisioning Users from the Provisioning Console
Provisioning Users that are Synchronized from an External Source
Provisioning Users Created with Command-Line LDAP Tools
Bulk Provisioning
On-Demand Provisioning
Application Bootstrapping
Organization of User Profiles in Oracle Internet Directory
Organization of Provisioning Entries in the Directory Information Tree
Understanding User Provisioning Statuses
Provisioning Status in Oracle Internet Directory
Provisioning Status Transitions
Upgrading and Coexistence Provisioning Statuses
Provisioning Statuses and Exception Handling
Understanding Provisioning Flow
Creating and Modifying Users with the Provisioning Console
Deleting Users with the Provisioning Console
User Provisioning from an External Source
How Are Administrative Privileges Delegated?
Provisioning Administration Model
Oracle Delegated Administration Services Privileges
Provisioning Administration Privileges
Application Administration Privileges
Oracle Delegated Administration Services and Provisioning Administration Privileges
Application Administration and Oracle Delegated Administration Services Privileges
Application Administration Privileges and Oracle Delegated Administration Services User Creation Privileges
Application Administration Privileges and Oracle Delegated Administration Services User Editing Privileges
Application Administration Privileges and Oracle Delegated Administration Services User Deletion Privileges
Provisioning and Application Administration Privileges
Oracle Delegated Administration Services, Provisioning, and Application Administration Privileges
13 Deploying Provisioning-Integrated Applications
Deployment Overview for Provisioning-Integrated Applications
Registering Applications for Provisioning
Configuring Application Provisioning Properties
14 Managing with the Oracle Internet Directory Provisioning Console
Managing Users with the Provisioning Console
Searching for Users Based on Provisioning Criteria
Creating Users with the Provisioning Console
Provisioning and Deprovisioning Users with the Provisioning Console
Managing Applications with the Provisioning Console
Managing Application Defaults
Reloading the Application Cache
15 Understanding the Oracle Provisioning Event Engine
What Are the Oracle Provisioning Events?
Working with the Oracle Provisioning Event Engine
Creating Custom Event Object Definitions
Defining Custom Event Generation Rules
16 Integration of Provisioning Data with Oracle E-Business Suite
Part V Integrating with Third-Party Directories
17 Third-Party Directory Integration Concepts and Considerations
Concepts and Architecture of Third-Party Directory Integration
Supported Third-Party Directories and Servers
Oracle Identity Management Components for Integrating with a Third-Party Directory
Oracle Internet Directory Schema Elements for Synchronizing with Third-Party Directories
Directory Information Tree in an Integration with a Third-Party Directory
About Realms in Oracle Internet Directory
Planning the Deployment
Example: Integration with a Single Third-Party Directory Domain
Planning Your Integration Environment
Preliminary Considerations for Integrating with a Third-Party Directory
Choose the Directory for the Central Enterprise Directory
Oracle Internet Directory as the Central Enterprise Directory
Third-Party Directory as the Central Enterprise Directory
Customizing the LDAP Schema
Choose Where to Store Passwords
Advantages and Disadvantages of Storing the Password in One Directory
Advantages and Disadvantages of Storing Passwords in Both Directories
Choose the Structure of the Directory Information Tree
Create Identical DIT Structures on Both Directories
Distinguished Name Mapping and Limitations
Select the Attribute for the Login Name
Select the User Search Base
Select the Group Search Base
Decide How to Address Security Concerns
Administering Your Deployment with Oracle Access Manager
Microsoft Active Directory Integration Concepts
Synchronizing from Microsoft Active Directory to Oracle Internet Directory
Windows Native Authentication
Understanding Windows Native Authentication
Authenticating Users Against Multiple Microsoft Active Directory Domains
Overriding an Application Authentication Mechanism with Windows Native Authentication
Oracle Internet Directory Schema Elements for Microsoft Active Directory
Integration with Multiple Microsoft Active Directory Domain Controllers
Synchronizing with a Multiple-Domain Microsoft Active Directory Environment
Configuration Required for Importing from Microsoft Active Directory to Oracle Internet Directory
Configuration Required for Exporting from Oracle Internet Directory to Microsoft Active Directory
Example: Integration with Multiple Third-Party Directory Domains
Foreign Security Principals
Sun Java System Directory Integration Concepts
Synchronizing from Sun Java System Directory to Oracle Directory Integration Platform
Oracle Internet Directory Schema Elements for Sun Java System Directory
Novell eDirectory and OpenLDAP Integration Concepts
Synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory
Oracle Internet Directory Schema Elements for Novell eDirectory
Oracle Internet Directory Schema Elements for OpenLDAP
Limitations of Third-Party Integration in Oracle Internet Directory 10g (10.1.4.0.1)
18 Configuring Synchronization with a Third-Party Directory
Verifying Synchronization Requirements
Creating Synchronization Profiles with Express Configuration
Understanding Express Configuration
Running Express Configuration
Running Express Configuration with the Directory Integration Assistant
Running Express Configuration with the Oracle Directory Integration Server Administration Tool (Microsoft Active Directory Only)
Configuring Advanced Integration Options
Configuring the Realm
Customizing Access Control Lists
Customizing ACLs for Import Profiles
Customizing ACLs for Export Profiles
ACLs for Other Oracle Components
Customizing Mapping Rules
Configuring the Third-Party Directory Connector for Synchronization in SSL Mode
Enabling Password Synchronization from Oracle Internet Directory to a Third-Party Directory
Configuring External Authentication Plug-ins
Configuring an External Authentication Plug-in
Configuring External Authentication Against Multiple Domains
19 Integrating with Microsoft Active Directory
Verifying Synchronization Requirements for Microsoft Active Directory
Configuring Basic Synchronization with Microsoft Active Directory
Configuring Advanced Integration with Microsoft Active Directory
Step 1: Planning Your Integration
Step 2: Configuring the Realm
Step 3: Customizing the Search Filter to Retrieve Information from Microsoft Active Directory
Step 4: Customizing the ACLs
Step 5: Customizing Attribute Mappings
Step 6: Synchronizing with Multiple Microsoft Active Directory Domains
Step 7: Synchronizing Deletions from Microsoft Active Directory
Step 8: Synchronizing in SSL Mode
Step 9: Synchronizing Passwords
Step 10: Configuring the Microsoft Active Directory External Authentication Plug-in
Step 11: Performing Post-Configuration and Administrative Tasks
Using DirSync Change Tracking for Import Operations
Configuring Windows Native Authentication
What are the System Requirements for Windows Native Authentication?
Configuring Windows Native Authentication with a Single Microsoft Active Directory Domain
Configuring Windows Native Authentication with Multiple Microsoft Active Directory Domains or Forests
Implementing Fallback Authentication
Understanding the Possible Login Scenarios
Configuring Synchronization of Oracle Internet Directory Foreign Security Principal References with Microsoft Active Directory
Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain
Configuring the Microsoft Active Directory Connector for Microsoft Exchange Server
20 Deploying the Oracle Password Filter for Microsoft Active Directory
Overview of the Oracle Password Filter for Microsoft Active Directory
What is the Oracle Password Filter for Microsoft Active Directory?
How Does the Oracle Password Filter for Microsoft Active Directory Work?
Clear Text Password Changes Captured
Password Changes Stored when Oracle Internet Directory is Unavailable
Password Synchronization Delayed Until Microsoft Active Directory Users are Synchronized with Oracle Identity Management
Password Bootstrapping
How Do I Deploy the Oracle Password Filter for Microsoft Active Directory?
Configuring and Testing Oracle Internet Directory with SSL Server-Side Authentication
Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller
Testing SSL Communication Between Oracle Internet Directory and Microsoft Active Directory
Installing and Reconfiguring the Oracle Password Filter for Microsoft Active Directory
Installing the Oracle Password Filter for Microsoft Active Directory
Reconfiguring the Oracle Password Filter for Microsoft Active Directory
Deinstalling the Oracle Password Filter for Microsoft Active Directory
21 Integrating with Sun Java System Directory
Verifying Synchronization Requirements for Sun Java System Directory
Configuring Basic Synchronization with Sun Java System Directory
Configuring Advanced Integration with Sun Java System Directory
Step 1: Planning Your Integration
Step 2: Configuring the Realm
Step 3: Customizing the ACLs
Step 4: Customizing Attribute Mappings
Step 5: Customizing the Sun Java System Directory Connector to Synchronize Deletions
Step 6: Synchronizing Passwords
Step 7: Synchronizing in SSL Mode
Step 8: Configuring the Sun Java System Directory External Authentication Plug-in
Step 9: Performing Post-Configuration and Administrative Tasks
22 Integrating with Novell eDirectory or OpenLDAP
Verifying Synchronization Requirements for Novell eDirectory or OpenLDAP
Configuring Basic Synchronization with Novell eDirectory or OpenLDAP
Configuring Advanced Integration with Novell eDirectory or OpenLDAP
Step 1: Planning Your Integration
Step 2: Configuring the Realm
Step 3: Customizing the Search Filter to Retrieve Information from Novell eDirectory or OpenLDAP
Step 4: Customizing the ACLs
Step 5: Customizing Attribute Mappings
Step 6: Customizing the Novell eDirectory or OpenLDAP Connector to Synchronize Deletions
How Do I Define a Reconciliation Rule?
How are Reconciliation Rules Used to Synchronize Deletions?
Step 7: Specifying Synchronization Parameters for the Additional Config Information Attribute
Step 8: Configuring the OpenLDAP Connector to Synchronize Passwords
Step 9: Synchronizing in SSL Mode
Step 10: Configuring the Novell eDirectory or OpenLDAP External Authentication Plug-in
Step 11: Performing Post-Configuration and Administrative Tasks
23 Managing Integration with a Third-Party Directory
Tasks After Configuring with a Third-Party Directory
Typical Management of Integration with a Third-Party Directory
Bootstrapping Data Between Directories
Managing a Third-Party Directory External Authentication Plug-in
Deleting a Third-Party Directory External Authentication Plug-in
Disabling a Third-Party External Authentication Plug-in
Re-enabling a Third-Party External Authentication Plug-in
Part VI Appendixes
A Elements in the Oracle Directory Integration Server Administration Tool
Windows and Fields for Connecting to a Directory Server
Credentials
SSL
Configure Entry Management
Configure Access Control Policy Management
Directory Server Connection
Select Distinguished Name (DN) Path: Tree View
Select Directory Server
Windows and Fields for Viewing Server Information
Active Processes
Configuration Sets: Integration Profiles
Windows and Fields for Registering and Editing a Directory Integration Profile
Integration Connectors
General
Execution
Mapping
Status
Windows and Fields for Configuring the Microsoft Active Directory Connector
Microsoft Active Directory Connector Express Synchronization Setup
B Case Study: A Deployment of Oracle Directory Integration Platform
Components in the MyCompany Enterprise
Requirements of the MyCompany Enterprise
Overall Deployment in the MyCompany Enterprise
User Creation and Provisioning in the MyCompany Enterprise
Modification of User Properties in the MyCompany Enterprise
Deletion of Users in the MyCompany Enterprise
C Troubleshooting the Oracle Directory Integration Platform
Troubleshooting Oracle Directory Integration Platform Problems
Diagnosing the Oracle Directory Integration Platform in an Infrastructure Installation
Diagnosing the Oracle Directory Integration Platform in an Oracle Directory Integration Platform Installation
Troubleshooting Utilities
The oditest Utility
The DIP Tester Utility
Problems and Solutions
Oracle Directory Integration Server Errors
Provisioning Errors and Problems
Synchronization Errors and Problems
Windows Native Authentication Errors and Problems
Novell eDirectory and OpenLDAP Synchronization Errors and Problems
Oracle Password Filter for Microsoft Active Directory Errors and Problems
Troubleshooting Provisioning
Viewing Diagnostic Settings
Provisioning-Integration Applications Not Visible in the Provisioning Console
Unable to Create Users
Troubleshooting Data Entry Plug-ins
Troubleshooting Provisioning Plug-ins
Using Provisioning Status to Identify Problems
Users Cannot Log In After Account Creation
Monitoring Provisioning Execution Status with the Oracle Enterprise Manager 10g Application Server Control Console
Checklist for Troubleshooting Provisioning
Troubleshooting Synchronization
Oracle Directory Integration Platform Synchronization Process Flow
Oracle Directory Integration Platform Synchronization Process Flow for an Import Profile
Oracle Directory Integration Platform Synchronization Process Flow for an Export Profile
Checklist for Troubleshooting Synchronization
Sample Valid Trace Files in Debugging Level 63 Mode
Troubleshooting Integration with Microsoft Active Directory
Debugging Windows Native Authentication
Synchronizing Changes Following a Period when Oracle Internet Directory is Unavailable
Need More Help?
Glossary
Index