20 Integrating with Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)

This chapter outlines the procedures for integrating Oracle Identity Management with Oracle Directory Server Enterprise Edition (previously known as Sun Java System Directory Server, and, before that, SunONE iPlanet). It contains these topics:

Note:

Before continuing with this chapter, you should be familiar with the concepts presented in previous chapters. The following chapters in particular are important:

If you are configuring a demonstration of integration with Oracle Directory Server Enterprise Edition / Sun Java System Directory Server, then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology/

20.1 Verifying Synchronization Requirements for Oracle Directory Server Enterprise Edition

Before configuring basic or advanced synchronization with Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server), ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements". Before synchronizing with Oracle Directory Server Enterprise Edition, you must also perform the following steps:

  • When creating a user account in Oracle Directory Server Enterprise Edition with sufficient privileges to perform import and export operations, be sure to assign sufficient permissions to read the tombstone.

  • Enable change logging on Oracle Directory Server Enterprise Edition.

  • Enable the Retro Change Log plug-in.

20.2 Configuring Basic Synchronization with Oracle Directory Server Enterprise Edition

You use the expressSyncSetup command to quickly establish synchronization between the Oracle back-end directory and Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server). The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use the expressSyncSetup command to synchronize with Oracle Directory Server Enterprise Edition, refer to "Creating Import and Export Synchronization Profiles Using expressSyncSetup".

20.3 Configuring Advanced Integration with Oracle Directory Server Enterprise Edition

When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported directories that Oracle Directory Integration Platform can connect to. The sample synchronization profiles created for Oracle Directory Server Enterprise Edition are:

  • iPlanetImport—The profile for importing changes from Oracle Directory Server Enterprise Edition to the Oracle back-end directory

  • iPlanetExport—The profile for exporting changes from the Oracle back-end directory to Oracle Directory Server Enterprise Edition

You can also use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles. The import and export synchronization profiles created during the install process or with the expressSyncSetup command are only intended as a starting point for you to use when deploying your integration of the Oracle back-end directory and Oracle Directory Server Enterprise Edition. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:

20.3.1 Step 1: Plan Your Integration

Plan your integration by reading Chapter 16, "Connected Directory Integration Concepts and Considerations", particularly "Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Integration Concepts". Be sure to create a new profile by copying the existing Oracle Directory Server Enterprise Edition or Sun Java System Directory Server template profile by following the instructions in "Creating Synchronization Profiles".

20.3.2 Step 2: Configure the Realm

Configure the realm by following the instructions in "Configuring the Realm".

20.3.3 Step 3: Customize the ACLs

Customize ACLs as described in "Customizing Access Control Lists".

20.3.4 Step 4: Customize Attribute Mappings

When integrating with Oracle Directory Server Enterprise Edition, the following attribute-level mapping is mandatory for all objects:

Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:

Example 20-1 Attribute-Level Mapping for the User Object in Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)

Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:

Example 20-2 Attribute-Level Mapping for the Group Object in Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)

Cn:1: :groupofname: cn:groupofuniquenames

In the preceding examples, Cn and sn from Oracle Directory Server Enterprise Edition are mapped to cn and sn in the Oracle back-end directory.

Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".

20.3.5 Step 5: Customize the Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Connector to Synchronize Deletions

If you want to synchronize deletions, and the mapping rules have mandatory attributes, then be sure that the tombstone is configured correctly.

To verify that the tombstone is configured in Oracle Directory Server Enterprise Edition, execute the following command:

$ORACLE_HOME/bin/ldapsearch -h connected_directory_host \
-p connected_directory_port -D connected_directory_account -q \
-b source_domain -s sub "objectclass=nstombstone"

Note:

You will be prompted for the password.

This returns information on all deleted entries.

See Also:

Oracle Directory Server Enterprise Edition or Sun Java System Directory Server documentation for details about configuring tombstones

Note:

Tombstones are automatically configured for Oracle Directory Server Enterprise Edition if replication is enabled.
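The ldapsearch in Step 5 prints the deleted entries in LDIF form, and an empty result is ambiguous: either nothing has been deleted, or the account created in "Verifying Synchronization Requirements" cannot read the tombstone. The following parser is an added example and not Oracle's code; it reads a captured ldapsearch output, keeps only entries carrying objectclass nstombstone, and recovers the original DN of each deleted entry. The sample output is constructed, and the assumption that a tombstone DN is the original DN prefixed with an nsuniqueid RDN is mine, not something the chapter states.

```python
"""Inspect the output of the Step 5 tombstone search (added example)."""
import base64
import re

# Constructed sample of what the ldapsearch in Step 5 might print. The second
# line of the first dn is an LDIF continuation line (leading space).
SAMPLE_OUTPUT = """\
dn: nsuniqueid=8d1b2e2a-1e2f11e3-8000a1b2-c3d4e5f6,uid=jdoe,ou=People,dc=example,
 dc=com
objectclass: top
objectclass: person
objectclass: nstombstone
uid: jdoe

dn: nsuniqueid=9c2a3f3b-2f3a11e3-8000a1b2-c3d4e5f6,cn=oldgroup,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: nstombstone
cn: oldgroup
"""

# Assumed tombstone DN shape: an nsuniqueid RDN prepended to the original DN.
TOMBSTONE_RDN = re.compile(r"^nsuniqueid=[^,]+,", re.IGNORECASE)


def unfold(text: str) -> list:
    """Join LDIF continuation lines (lines starting with a space) to their predecessor."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif_entries(text: str) -> list:
    """Return a list of entries, each a dict mapping lowercase attribute -> [values]."""
    entries, current = [], {}
    for line in unfold(text) + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; ldapsearch banner or noise
        if value.startswith(":"):  # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def tombstone_entries(text: str) -> list:
    """Keep only entries whose objectclass values include nstombstone."""
    return [
        e for e in parse_ldif_entries(text)
        if "nstombstone" in {v.lower() for v in e.get("objectclass", [])}
    ]


def original_dns(text: str) -> list:
    """Original DN of each deleted entry, with the assumed nsuniqueid RDN stripped."""
    return [TOMBSTONE_RDN.sub("", e["dn"][0]) for e in tombstone_entries(text) if "dn" in e]


if __name__ == "__main__":
    dns = original_dns(SAMPLE_OUTPUT)
    if not dns:
        # On a live directory this branch also fires when the bind account
        # lacks read access to the tombstone, so check the ACL before
        # concluding that nothing was deleted.
        print("no tombstone entries returned")
    for dn in dns:
        print("deleted:", dn)
```

Run it against a file captured from the real command (redirect the ldapsearch output and pass its contents to original_dns) to confirm that deleted users and groups are visible to the synchronization account before enabling deletion synchronization.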

20.3.6 Step 6: Synchronize Passwords

The Oracle back-end directory and Oracle Directory Server Enterprise Edition support the same set of password hashing techniques. To synchronize passwords between Oracle Internet Directory and Oracle Directory Server Enterprise Edition, ensure that SSL server authentication mode is configured for both directories and that the following mapping rule exists in the mapping file:

Userpassword: : :person:userpassword: :person

If your Oracle back-end directory is Oracle Unified Directory, Oracle Directory Integration Platform does not support password synchronization to Oracle Directory Server Enterprise Edition from Oracle Unified Directory. One-way password synchronization from Oracle Directory Server Enterprise Edition to an Oracle Unified Directory back-end directory is supported.
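Both the mandatory Targetdn rule in Step 4 and the userpassword rule in Step 6 are easy to drop when a profile's mapping file is copied and trimmed. The following checker is an added example, not Oracle's or the Oracle Directory Integration Platform's code: it splits attribute rules on the colon-separated layout the chapter's examples use and reports a mapping that lacks the mandatory rule, targets the wrong object class, or is missing the userpassword rule when password synchronization is wanted. The field labels are my assumed names for the positions, the "AttributeRules" section header and the constructed DomainRules line are assumptions about the file layout, and the sample mapping itself is constructed from the chapter's examples.

```python
"""Check a DIP mapping-rule section for the rules this chapter requires (added example)."""
from dataclasses import dataclass

# Constructed sample mapping section built from the chapter's example rules.
SAMPLE_MAPPING = """\
DomainRules
dc=example,dc=com:dc=example,dc=com:
AttributeRules
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
Userpassword: : :person:userpassword: :person
"""

FIELD_COUNT = 8  # assumed number of colon-separated positions in one rule


@dataclass(frozen=True)
class MappingRule:
    # Assumed labels for the positions, in order of appearance.
    src_attr: str
    required: str
    src_type: str
    src_objectclass: str
    dst_attr: str
    dst_type: str
    dst_objectclass: str
    mapping_rule: str
    raw: str


def parse_rule(line: str) -> MappingRule:
    """Split one rule; trailing positions the page's examples omit are padded with ''."""
    fields = [f.strip() for f in line.split(":")]
    fields += [""] * (FIELD_COUNT - len(fields))
    return MappingRule(*fields[:FIELD_COUNT], raw=line)


def parse_attribute_rules(text: str) -> list:
    """Return the rules after the AttributeRules header (or all lines if no header)."""
    lines = text.splitlines()
    start = 0
    for i, line in enumerate(lines):
        if line.strip().lower() == "attributerules":
            start = i + 1
            break
    return [parse_rule(ln) for ln in lines[start:]
            if ln.strip() and not ln.lstrip().startswith("#")]


def check_mapping(rules: list, password_sync: bool = False) -> list:
    """Return a list of problems; an empty list means the required rules are present."""
    issues = []
    # LDAP attribute names are case-insensitive, so compare lowercase.
    by_pair = {(r.src_attr.lower(), r.dst_attr.lower()): r for r in rules}

    mandatory = by_pair.get(("targetdn", "orclsourceobjectdn"))
    if mandatory is None:
        issues.append("missing mandatory rule: Targetdn -> orclsourceobjectdn")
    elif mandatory.dst_objectclass.lower() != "orclsunoneobject":
        issues.append("mandatory Targetdn rule must map into objectclass orclSUNOneobject")

    if password_sync and ("userpassword", "userpassword") not in by_pair:
        issues.append("password sync requested but no userpassword -> userpassword rule")

    for r in rules:
        if not r.src_attr or not r.dst_attr:
            issues.append(f"rule with empty source or destination attribute: {r.raw!r}")
    return issues


if __name__ == "__main__":
    for problem in check_mapping(parse_attribute_rules(SAMPLE_MAPPING), password_sync=True):
        print("PROBLEM:", problem)
```

Passing password_sync=True only for profiles where Step 6 applies keeps the check honest: an Oracle Unified Directory back end exporting to Oracle Directory Server Enterprise Edition should not be asked for the userpassword rule, since that direction is not supported.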

20.3.7 Step 7: Synchronizing in SSL Mode

Configure Oracle Directory Server Enterprise Edition for synchronization in SSL mode by following the instructions in "Configuring the Connected Directory Connector for Synchronization in SSL Mode".

20.3.8 Step 8: Configure the Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) External Authentication Plug-in

Configure the Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) external authentication plug-in by following the instructions in "Configuring External Authentication Plug-ins".

20.3.9 Step 9: Perform Post-Configuration and Administrative Tasks

Read Chapter 23, "Managing Integration with a Connected Directory" for information on post-configuration and ongoing administration tasks.