|Oracle Internet Directory Administrator's Guide
Part Number A90151-01
This chapter introduces the Oracle Directory Integration platform, its components, architecture, and administration tools.
This chapter contains these topics:
The Oracle Directory Integration platform enables you to synchronize various directories with Oracle Internet Directory. It also makes it easier for third-party metadirectory vendors and developers to develop and deploy their own connectivity agents.
This section contains these topics:
Enterprises today often deploy multiple directories to store information for applications such as ERP systems, database applications, messaging systems, and Network Operating Systems (NOS). Managing so many different directories has many drawbacks, including:
A metadirectory solves these problems by synchronizing information between all enterprise directories, forming one virtual directory. It centralizes administration, thereby reducing administrative costs. It ensures that data is consistent and up-to-date across the enterprise.
For example, in a metadirectory environment, you can create a global directory entry for each employee. You can populate this entry with data from various synchronized directories--for example, Human Resources applications, messaging systems, or NOS databases. Users can then access this global entry, knowing that the data it contains is up-to-date and synchronized with each connected directory.
You can also ensure that the synchronization process respects all existing data ownership policies. For example, you can grant to only the Human Resources department the privilege to change the value of an employee's salary attribute.
In an Oracle Directory Integration platform environment, each connected directory synchronizes with Oracle Internet Directory, which serves as the central directory. This provides:
Oracle Directory Integration platform enables you to:
Figure 1-1 shows the architecture of the Oracle Directory Integration platform:
The following sections describe each component and its relation to the rest of the Oracle Directory Integration platform.
This section contains these topics:
Oracle Internet Directory release 3.0.1 is an LDAP v3-compliant directory server that uses Oracle9i as a data store. In the Oracle Directory Integration platform, it is the central directory for all information, the directory against which all other directories are synchronized.
This synchronization is bidirectional: Changes in Oracle Internet Directory are exported to connected directories, and changes in connected directories are imported into Oracle Internet Directory.
In an Oracle Internet Directory environment with multiple nodes, the nodes are kept consistent by Oracle Internet Directory's own replication, not by the Oracle Directory Integration platform.
In the Oracle Directory Integration platform environment, connected directories are those other than Oracle Internet Directory, the central directory. They could include, for example, relational databases, Oracle HR, Microsoft Exchange, or Lotus Notes.
The Oracle directory integration server, a multithreaded daemon server process, is the central component of Oracle Directory Integration platform. It performs:
You can run multiple servers, each on a different computer. You can also run multiple instances of directory integration server on the same computer at the same time. Each instance has a configuration set entry listing the agents the Oracle directory integration server instance is to run.
A directory integration agent is a program that synchronizes data between Oracle Internet Directory and connected directories. When it synchronizes the data, it does one or more of the following:
Partner agents run under the control of the Oracle directory integration server--that is, the Oracle directory integration server performs scheduling, data mapping, and error handling for them. Before deploying a partner agent, you register it in Oracle Internet Directory. This registration involves creating a directory integration profile in the directory. To create the profile, you can use either Oracle Directory Manager or command-line tools.
A partner agent uses either an import file or an export file to exchange data between a connected directory and Oracle Internet Directory. At execution time, it may also use agent configuration information stored in Oracle Internet Directory.
Unlike partner agents, external agents are independent of the Oracle directory integration server--that is, the Oracle directory integration server performs neither scheduling nor data mapping for them. You do not need to register external agents with Oracle Internet Directory.
Typically, you use external agents when a third-party metadirectory solution is integrated with the platform. In this case, the third-party metadirectory solution uses its own metadirectory engine to perform mapping and scheduling.
These files store data extracted from either a connected directory or Oracle Internet Directory. The platform uses them to exchange data between Oracle Internet Directory and connected directories.
Import data files are those to which changes in connected directories are written. Export data files are those to which changes in Oracle Internet Directory are written.
The directory integration toolkit allows third-party metadirectory vendors and developers to integrate their metadirectory solutions with the Oracle Directory Integration platform environment. The toolkit consists of:
A directory integration profile contains configuration information required for synchronization--for example, the name and type of an agent, how and when to invoke it, the mapping information required for synchronization, and status information. There must be a directory integration profile for each partner agent.
The directory integration profile is managed in the directory. You create it by using either Oracle Directory Manager or the command-line tools.
This section discusses two elements of the directory integration profile. It contains these topics:
An agent may need some configuration information at runtime for performing various operations. For example, to make it easier for users to specify which connected directory attributes are to be synchronized with Oracle Internet Directory, you may want an agent to store a list of these attributes as part of its configuration information. This kind of information is called agent configuration information.
You can store agent configuration information wherever and however you want. However, the Oracle Directory Integration platform enables you to store it as a binary attribute, called orclIPAgentConfigInfo, in the directory integration profile. The Oracle directory integration server passes this information as a temporary file to the agent at the time of the agent's invocation.
Agent configuration information is optional. If an agent does not require such information, then the corresponding attribute in the directory integration profile is left empty.
Mapping rules govern the conversion of attributes between a connected directory and Oracle Internet Directory. There is one set of mapping rules for each connected directory. This set is stored as a binary value in an attribute called orclODIPAttributeMappingRules in the integration profile in Oracle Internet Directory.
The directory integration server uses these rules to map attributes, as necessary, when generating an export file or interpreting an import file. When the directory integration server imports changes into Oracle Internet Directory, it converts the connected directory change records into LDAP change records, following the mapping rules specified in the integration profile. Similarly, when the directory integration server exports changes from Oracle Internet Directory, it converts the Oracle Internet Directory change records into connected directory change records, following the mapping rules specified in the integration profile.
The directory integration server supports both one-to-many and many-to-one mapping.
The directory integration server can map one attribute in a connected directory to many attributes in Oracle Internet Directory. For example, it can map an attribute in the connected directory--
The directory integration server can map multiple attributes in a connected directory to one attribute in Oracle Internet Directory. For example, suppose that the Human Resources directory represents Anne Smith by using two attributes:
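The following is an added, illustrative example of the mapping step described above and of the data-ownership policy mentioned earlier in this chapter. It is not Oracle's code and does not use the orclODIPAttributeMappingRules format; the rule shape, the attribute names, the HR_OWNED_ATTRIBUTES policy and the sample change record are all assumptions constructed for the example. It converts one connected-directory change record into an LDAP modify record, applying a one-to-many rule (a full name split into givenName and sn), a many-to-one rule (first and last name joined into cn), and a policy that drops any target attribute the connected directory does not own.

```python
"""Added example: a minimal attribute-mapping step for an import into the
central directory. Illustrative code, not Oracle's
orclODIPAttributeMappingRules format or the Oracle directory integration
server; the rule shape, the attribute names and the sample HR change record
are assumptions constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass
class MappingRule:
    """One rule: source attribute(s) in the connected directory -> target
    attribute(s) in the central directory. convert() receives the source
    values in order and must return exactly one value per target."""
    sources: List[str]
    targets: List[str]
    convert: Callable[[List[str]], List[str]]


def identity(values: List[str]) -> List[str]:
    return values


def split_full_name(values: List[str]) -> List[str]:
    # one-to-many: "Anne Smith" -> givenName=Anne, sn=Smith
    first, _, last = values[0].strip().partition(" ")
    return [first, last]


def join_name(values: List[str]) -> List[str]:
    # many-to-one: FIRST_NAME + LAST_NAME -> cn
    return [" ".join(v for v in values if v)]


# Constructed rule set for a hypothetical HR connected directory.
HR_RULES = [
    MappingRule(["EMPLOYEE_NUMBER"], ["employeeNumber"], identity),
    MappingRule(["FULL_NAME"], ["givenName", "sn"], split_full_name),
    MappingRule(["FIRST_NAME", "LAST_NAME"], ["cn"], join_name),
    MappingRule(["EMAIL"], ["mail"], identity),
    # A rule an operator should never have added: it would let the HR feed
    # set passwords in the central directory. The ownership policy drops it.
    MappingRule(["PASSWORD"], ["userPassword"], identity),
]

# Data-ownership policy (assumed): the only central-directory attributes this
# connected directory may write. Anything else a rule produces is rejected,
# so neither a mis-edited rule set nor a compromised source can push, say,
# userPassword into the central directory.
HR_OWNED_ATTRIBUTES: FrozenSet[str] = frozenset(
    {"employeeNumber", "givenName", "sn", "cn", "mail"})


def map_record(record: Dict[str, str], rules: List[MappingRule],
               owned: FrozenSet[str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply the rules to one connected-directory change record.

    Returns (mods, rejected): mods is the attribute -> value set to apply;
    rejected lists target attributes dropped by the ownership policy.
    Rules whose source attributes are absent from the change are skipped,
    so a partial change record only touches the attributes it carries."""
    mods: Dict[str, str] = {}
    rejected: List[str] = []
    for rule in rules:
        if not all(src in record for src in rule.sources):
            continue
        values = rule.convert([record[src] for src in rule.sources])
        if len(values) != len(rule.targets):
            raise ValueError(f"rule {rule.sources}->{rule.targets} returned "
                             f"{len(values)} values")
        for target, value in zip(rule.targets, values):
            if target not in owned:
                rejected.append(target)
                continue
            mods[target] = value
    return mods, rejected


def to_ldif_modify(dn: str, mods: Dict[str, str]) -> str:
    """Render the mapped attributes as an LDIF modify change record
    (values are assumed to be plain ASCII; real LDIF needs base64 for
    values starting with a space, colon or '<', or containing non-ASCII)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in mods.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


# Constructed sample change record, as an HR agent might write it to an
# import file, including an attribute the feed must not be allowed to set.
HR_CHANGE = {
    "EMPLOYEE_NUMBER": "10042",
    "FULL_NAME": "Anne Smith",
    "FIRST_NAME": "Anne",
    "LAST_NAME": "Smith",
    "EMAIL": "anne.smith@example.com",
    "PASSWORD": "not-hr-business",
}


def run_example() -> Tuple[Dict[str, str], List[str], str]:
    mods, rejected = map_record(HR_CHANGE, HR_RULES, HR_OWNED_ATTRIBUTES)
    dn = f"employeeNumber={mods['employeeNumber']},ou=People,dc=example,dc=com"
    return mods, rejected, to_ldif_modify(dn, mods)


if __name__ == "__main__":
    mods, rejected, ldif = run_example()
    print(ldif)
    print("rejected by ownership policy:", rejected)
```

The ownership check sits on the output side of the mapping rather than on the input side so that it holds no matter how the rule set is edited later; rejected attributes are returned rather than silently dropped so the integration server can log them, which is the signal you want when a connected directory starts sending attributes it never sent before.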
This section contains these topics:
Oracle Directory Manager, a Java-based graphical user interface tool, enables you to administer the Oracle Directory Integration platform. Specifically, it enables you to:
OID Control and OID Monitor enable you to start, stop, and monitor the Oracle directory integration server.
In Oracle Internet Directory release 3.0.1, you can use OID Control and OID Monitor to control the directory integration server only on a host that contains an Oracle Internet Directory server installation. If the Oracle Internet Directory installation is client-only, then the OID Control utility and OID Monitor are not installed. In this case, start the Oracle directory integration server manually. In this configuration you can still use Oracle Directory Manager to learn the status of the Oracle directory integration server.
This diagram shows the directions in which information flows in an import operation and in an export operation.
To export changes from Oracle Internet Directory to a connected directory, the Oracle directory integration server first retrieves from Oracle Internet Directory any change records it has not previously retrieved for that connected directory. It writes these records to an export file, then starts the agent. The agent:
To keep track of changes already applied by directory integration agents, Oracle Internet Directory maintains a change log. It does not purge change log information until the appropriate directories have consumed the changes.
To import changes into Oracle Internet Directory, the Oracle directory integration server first starts the agent at the specified time. The agent extracts change records from the connected directory and writes them to an import file. The directory integration server:
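The following is an added, illustrative example of the change-log bookkeeping behind the export flow described above: per-consumer watermarks so that each connected directory receives only the changes it has not yet applied, and a purge that removes a change only after every registered consumer has consumed it. It is not Oracle Internet Directory's change log or purge implementation; the record layout, the acknowledge step and the purge rule are assumptions made for this example. One design choice goes beyond the text: the watermark advances only when the agent acknowledges application, not when the records are retrieved, so a run that fails after the export file is written is retried on the next export.

```python
"""Added example: change-log bookkeeping for exports to several connected
directories. Illustrative code only, not Oracle Internet Directory's change
log or purge implementation; the record layout, the per-consumer watermarks
and the purge rule are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ChangeRecord:
    changenumber: int          # monotonically increasing, never reused
    dn: str
    changetype: str            # "add", "modify" or "delete"
    attrs: Dict[str, str]


@dataclass
class ChangeLog:
    records: List[ChangeRecord] = field(default_factory=list)
    next_number: int = 1
    # Per connected directory: highest change number the agent has confirmed
    # it applied. 0 means "nothing applied yet".
    applied: Dict[str, int] = field(default_factory=dict)

    def append(self, dn: str, changetype: str, attrs: Dict[str, str]) -> int:
        """Record a change made in the central directory."""
        rec = ChangeRecord(self.next_number, dn, changetype, dict(attrs))
        self.next_number += 1
        self.records.append(rec)
        return rec.changenumber

    def register(self, consumer: str) -> None:
        self.applied.setdefault(consumer, 0)

    def unregister(self, consumer: str) -> None:
        """Remove a decommissioned agent so it no longer pins the log."""
        self.applied.pop(consumer, None)

    def export(self, consumer: str) -> List[ChangeRecord]:
        """Records this consumer has not yet confirmed. Everything after the
        consumer's watermark is returned, including records handed out in an
        earlier export that was never acknowledged (for example because the
        agent crashed after the export file was written). Delivery is
        therefore at-least-once, and agents must apply records idempotently."""
        if consumer not in self.applied:
            raise KeyError(f"unregistered consumer {consumer!r}")
        hwm = self.applied[consumer]
        return [r for r in self.records if r.changenumber > hwm]

    def acknowledge(self, consumer: str, changenumber: int) -> None:
        """The agent reports that it applied everything up to changenumber."""
        if consumer not in self.applied:
            raise KeyError(f"unregistered consumer {consumer!r}")
        if changenumber >= self.next_number:
            raise ValueError("acknowledging a change number not yet issued")
        if changenumber < self.applied[consumer]:
            raise ValueError("watermark may not move backwards")
        self.applied[consumer] = changenumber

    def purge(self) -> int:
        """Drop records every registered consumer has acknowledged and return
        how many were dropped. A consumer that never acknowledges (a dead
        agent that is still registered) pins the whole log, so stale
        registrations must be removed with unregister(), not ignored."""
        if not self.applied:
            return 0          # nobody is consuming; keep everything
        safe = min(self.applied.values())
        before = len(self.records)
        self.records = [r for r in self.records if r.changenumber > safe]
        return before - len(self.records)


if __name__ == "__main__":
    # Constructed scenario: two connected directories, one lagging behind.
    log = ChangeLog()
    log.register("hr")
    log.register("exchange")
    log.append("cn=anne,ou=People,dc=example,dc=com", "add", {"cn": "anne"})
    log.append("cn=anne,ou=People,dc=example,dc=com", "modify",
               {"mail": "anne@example.com"})
    batch = log.export("exchange")
    log.acknowledge("exchange", batch[-1].changenumber)
    print("purged while hr lags:", log.purge())
    log.acknowledge("hr", log.export("hr")[-1].changenumber)
    print("purged once both caught up:", log.purge())
```

The purge rule is the operational point worth remembering: the log can only shrink as fast as its slowest consumer, so a registered agent that has stopped running does not merely go stale, it prevents every change since its last acknowledgement from being purged.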
Release 3.0.1 of the Oracle Directory Integration platform includes an agent for Oracle HR.
Although an enterprise deploying Oracle Internet Directory may store employee data in Oracle Internet Directory, the Human Resources department typically controls that data. In an enterprise deploying both Oracle Human Resources and Oracle Internet Directory, Oracle Directory Integration platform synchronizes the employee data from Oracle Human Resources into Oracle Internet Directory.
The Oracle Human Resources agent extracts changes from Oracle Human Resources and places them in an import file. The Oracle directory integration server extracts those changes from the file and imports them into Oracle Internet Directory. This enables Oracle Human Resources to be the source of truth for employee information. All LDAP-enabled applications can then access up-to-date employee data from Oracle Internet Directory.