Oracle® Identity and Access Management Introduction 10g (10.1.4.0.1) Part Number B31291-01
This chapter introduces Oracle Directory Integration Platform, its components, structure, and administration tools. It contains these topics:
Oracle Directory Integration Platform enables you to reduce administrative time and costs by integrating your applications and directories, including third-party LDAP directories, with Oracle Internet Directory. Benefits offered by Oracle Directory Integration Platform include:
Directory Synchronization—You can keep employee records in Oracle Human Resources consistent with those in Oracle Internet Directory.
Application Integration—Oracle Directory Integration Platform can notify certain LDAP-enabled applications, such as OracleAS Portal, whenever incremental changes are applied to a subset of data in Oracle Internet Directory.
Integration with Third-party LDAP Directories—You can integrate with various directories, including Microsoft Active Directory, Sun Java System Directory, Novell eDirectory, and OpenLDAP. For example, in an Oracle Application Server environment, where access to Oracle components relies on data stored in Oracle Internet Directory, you can still use Microsoft Active Directory as the central enterprise directory. Users of that directory can access Oracle components because Directory Integration Platform can synchronize the data in Microsoft Active Directory with that in Oracle Internet Directory.
Features of Oracle Directory Integration Platform include:
Identity Management Grid Control Plug-in—As of Oracle Application Server 10g (10.1.4.0.1), you can manage Oracle Directory Integration Platform with Identity Management Grid Control Plug-in, which uses the features of Oracle Enterprise Manager 10g Grid Control.
See Also: The "Identity Management Grid Control Plug-in" chapter in Oracle Identity Management Infrastructure Administrator's Guide.
Installation Options—By default, Oracle Directory Integration Platform is installed as a component of Oracle Internet Directory. However, you can also install Oracle Directory Integration Platform as a standalone installation. You should install a standalone instance of Oracle Directory Integration Platform under the following circumstances:
When you need Oracle Internet Directory to run on a separate host for performance reasons
When the applications that you need to integrate and synchronize require intensive processing
When you need to run multiple instances of Oracle Directory Integration Platform for high-availability
Directory Synchronization—Directory synchronization involves movement and transformation of data between Oracle Internet Directory and another LDAP-enabled directory. It ensures the consistency of entries and attributes that reside in both Oracle Internet Directory and other connected directories.
Application Integration—Application integration involves the notification of changes to entries occurring in Oracle Internet Directory to an application interested in tracking those changes. Application integration enables you to ensure that an application is notified of directory changes, for example, user or group information. Such changes can affect whether the application allows a user access to its processes and which resources can be used.
Scheduling—Processing a synchronization or integration profile based on a predefined schedule
Mapping—Executing rules for converting data between connected directories and Oracle Internet Directory
Data Propagation—Exchanging data with connected directories by using a connector
Event Notification—Notifying an application of a relevant change to the user or group data stored in Oracle Internet Directory
The Oracle Directory Integration Platform Server is the shared server process that provides synchronization and integration functionality.
This section contains the following topics:
For Oracle Application Server components, Oracle Internet Directory is the central directory for all information, and all other directories are synchronized with it. This synchronization can be:
One-way: Some connected directories only supply changes to Oracle Internet Directory and do not receive changes from it. This is the case, for example, with Oracle Human Resources as the primary repository for employee information.
Two-way: Changes in Oracle Internet Directory can be exported to connected directories, and changes in connected directories can be imported into Oracle Internet Directory.
Certain attributes can be targeted or ignored by the Oracle Directory Integration Platform Service. For example, the attribute for the employee badge number in Oracle Human Resources may not be of interest to Oracle Internet Directory, its connected directories or client applications. You might not want to synchronize it. On the other hand, the employee identification number may be of interest to those components, so you might want to synchronize it.
Figure 5-1 shows the interactions between components in the Oracle Directory Integration Platform Service in a sample deployment in the context of directory synchronization.
The central mechanism triggering all such synchronization activities is the Oracle Internet Directory change log. It adds one or more entries for every change to any connected directory, including Oracle Internet Directory. The Oracle Directory Integration Platform Service:
Monitors the change log.
Takes action whenever a change corresponds to one or more synchronization profiles.
Supplies the appropriate change to all other connected directories whose individual profiles correspond to the logged change. Such directories could include, for example, relational databases, Oracle Human Resources, Microsoft Active Directory, Sun Java System Directory, Novell eDirectory, or OpenLDAP. It supplies these changes using the interface and format required by the connected directory. Synchronization through the Directory Integration Platform connectors ensures that Oracle Internet Directory remains up-to-date with all the information that Oracle Internet Directory clients need.
Additionally, the Oracle Directory Integration Platform Service ensures that each integrated application is notified of changes in, for example, user or group information. To do this, it relies on the information contained in an integration profile. Each profile:
Uniquely identifies the application and organization to which it applies
Specifies, for example, the users, groups, and operations requiring the application to be notified
The profile must be created when the application is installed, by using the Provisioning Subscription Tool.
See Also: The chapter on Oracle Directory Integration Platform tools in the Oracle Identity Management User Reference for information about the Provisioning Subscription Tool.
When changes in Oracle Internet Directory match what is specified in the integration profile of an application, the Oracle Directory Integration Platform Service sends the relevant data to that application.
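The change-log-driven flow described above (one-way and two-way synchronization profiles, attributes that are targeted or ignored, and integration profiles that decide which applications are notified) can be modelled in a few dozen lines. The following Python is an added illustration, not Oracle's code and not the real Oracle Internet Directory profile schema: the change-log records, the profile fields (`direction`, `base_dn`, `attribute_map`), the directory names and the attribute mapping to Active Directory names are all constructed for the example. It shows why an import-only source such as Oracle Human Resources never receives changes, why a change is never echoed back to the directory it came from, and how an attribute left out of a profile's mapping (the badge number in the text's example) is simply not propagated.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ChangeLogEntry:
    """One record in a simulated Oracle Internet Directory change log (constructed model)."""
    change_number: int
    source: str                   # originator: "OID" or the name of a connected directory
    target_dn: str
    operation: str                # "add", "modify" or "delete"
    attributes: Dict[str, str]


@dataclass(frozen=True)
class SyncProfile:
    """Hypothetical synchronization profile for one connected directory."""
    name: str
    connected_directory: str
    direction: str                # "import" (into OID only), "export" (out of OID only) or "both"
    base_dn: str                  # only entries in this subtree are in scope
    attribute_map: Dict[str, str] # OID attribute -> connected-directory attribute; unlisted attributes are ignored


@dataclass(frozen=True)
class IntegrationProfile:
    """Hypothetical integration profile for one LDAP-enabled application."""
    application: str
    base_dn: str
    operations: FrozenSet[str]    # operations the application wants to hear about
    attributes: FrozenSet[str]    # attributes the application tracks


def in_scope(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies beneath it (case-insensitive, whitespace-normalised)."""
    def norm(s: str) -> str:
        return ",".join(part.strip().lower() for part in s.split(","))
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)


def synchronize(changes: List[ChangeLogEntry], profiles: List[SyncProfile]) -> List[dict]:
    """Route each change-log entry to the connected directories whose profiles match it."""
    dispatches = []
    for change in changes:
        for profile in profiles:
            if profile.connected_directory == change.source:
                continue          # never echo a change back to the directory that supplied it
            if profile.direction == "import":
                continue          # one-way source (e.g. Oracle Human Resources): supplies, never receives
            if not in_scope(change.target_dn, profile.base_dn):
                continue
            # Only mapped attributes are propagated; anything else (badge number, ...) is dropped here.
            mapped = {profile.attribute_map[a]: v
                      for a, v in change.attributes.items() if a in profile.attribute_map}
            if change.operation != "delete" and not mapped:
                continue          # nothing this directory cares about actually changed
            dispatches.append({"change_number": change.change_number, "profile": profile.name,
                               "directory": profile.connected_directory, "dn": change.target_dn,
                               "operation": change.operation, "attributes": mapped})
    return dispatches


def notify(changes: List[ChangeLogEntry], profiles: List[IntegrationProfile]) -> List[dict]:
    """Send each change to the applications whose integration profile covers it."""
    notifications = []
    for change in changes:
        for profile in profiles:
            if change.operation not in profile.operations:
                continue
            if not in_scope(change.target_dn, profile.base_dn):
                continue
            relevant = {a: v for a, v in change.attributes.items() if a in profile.attributes}
            if change.operation == "modify" and not relevant:
                continue          # modification touched nothing the application tracks
            notifications.append({"change_number": change.change_number, "application": profile.application,
                                  "dn": change.target_dn, "operation": change.operation, "attributes": relevant})
    return notifications


# Constructed sample data: three change-log records and the profiles that consume them.
CHANGE_LOG = [
    ChangeLogEntry(1, "OracleHR", "cn=jdoe,cn=users,dc=example,dc=com", "modify",
                   {"cn": "jdoe", "employeeNumber": "E1001", "badgeNumber": "B-77"}),
    ChangeLogEntry(2, "OID", "cn=admins,cn=groups,dc=example,dc=com", "add",
                   {"cn": "admins", "member": "cn=jdoe,cn=users,dc=example,dc=com"}),
    ChangeLogEntry(3, "ActiveDirectory", "cn=old,cn=users,dc=example,dc=com", "delete", {}),
]
SYNC_PROFILES = [
    SyncProfile("hr_import", "OracleHR", "import", "cn=users,dc=example,dc=com",
                {"cn": "cn", "employeeNumber": "employeeNumber"}),
    SyncProfile("ad_both", "ActiveDirectory", "both", "cn=users,dc=example,dc=com",
                {"cn": "sAMAccountName", "employeeNumber": "employeeID"}),
    SyncProfile("openldap_export", "OpenLDAP", "export", "dc=example,dc=com", {"cn": "cn"}),
]
INTEGRATION_PROFILES = [
    IntegrationProfile("OracleAS Portal", "dc=example,dc=com",
                       frozenset({"add", "modify", "delete"}), frozenset({"cn", "member"})),
    IntegrationProfile("OracleAS Wireless", "cn=users,dc=example,dc=com",
                       frozenset({"add", "delete"}), frozenset({"cn"})),
]

if __name__ == "__main__":
    for d in synchronize(CHANGE_LOG, SYNC_PROFILES):
        print("sync  ", d)
    for n in notify(CHANGE_LOG, INTEGRATION_PROFILES):
        print("notify", n)
```

Running the block shows the HR change reaching Active Directory and OpenLDAP with the badge number stripped, the group addition reaching only OpenLDAP (Active Directory's profile is scoped to `cn=users`), and the Active Directory deletion being forwarded everywhere except back to Active Directory; OracleAS Wireless, whose profile excludes `modify`, is notified only of the deletion.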
Figure 5-2 shows the interactions between components in an Oracle Directory Integration Platform Service environment, including the special case of an integration agent for a legacy application. This illustration shows the interactions between Oracle Internet Directory, the Oracle Directory Integration Platform Service, integration agents, and applications. Oracle Internet Directory is shown as containing a change log and integration profiles for several applications, including OracleAS Portal, Oracle Internet File System, and Oracle9iAS Wireless. Administrative and transaction-generated changes are entered into Oracle Internet Directory. Change log data and integration profile data in Oracle Internet Directory are sent to the Oracle Directory Integration Platform Service. The Oracle Directory Integration Platform Service sends data to integration agents, specifically to an integration agent for a legacy application. That information is, in turn, sent to the legacy application itself. The Oracle Directory Integration Platform Service also sends data to various other integrated applications.
Figure 5-3 shows a sample deployment of Oracle Directory Integration Platform. This illustration shows the relation between components in the Oracle Directory Integration Platform. On the left is Oracle Internet Directory, which stores configuration management and status information. A bidirectional arrow shows the reciprocal relationship between Oracle Internet Directory and the administration tools. A bidirectional arrow also shows the relationship between Oracle Internet Directory and the Oracle Directory Integration Platform Service. An arrow points from the latter to examples of connected directories: Oracle Human Resources, Sun iPlanet, and Microsoft Active Directory. Another bidirectional arrow points from the Oracle Directory Integration Platform Service to examples of integrated applications: Integrated Application 1, OracleAS Portal, Integrated Application 2, Oracle Files, a legacy application, and Oracle Application Server Wireless.
In the example in Figure 5-3, Oracle Internet Directory is synchronized with connected directories by way of the Oracle Directory Integration Platform Service. In this example, the connected directories are Oracle Human Resources, Sun Java System Directory, and Microsoft Active Directory. Similarly, changes in Oracle Internet Directory are sent to various applications by using the same service. In this example, the integrated applications include OracleAS Portal, Oracle Files, Oracle Application Server Wireless, two unspecified integrated applications, and a legacy application.