Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Integration with the Microsoft Windows Environment, 5 of 13
This section explains how to configure integration with Microsoft Active Directory in various scenarios.
Each scenario in this section uses an example. These examples rest on the following assumptions:
iasdemo.us.mycompany.com. This means that the default realm of Oracle Internet Directory is dc=us,dc=mycompany,dc=com.
welcome1.
welcome1.
dn=orcladmin.
addemo.us.mycompany.com. This means that the domain of the Microsoft Active Directory host is the same as the default realm of Oracle Internet Directory as set during installation, namely, dc=us,dc=mycompany,dc=com.
If this is not true, then, during installation of Oracle Internet Directory, the default realm value must be set to correspond to the Microsoft Active Directory domain. In this example, that domain is dc=us,dc=mycompany,dc=com.
If you have already installed Oracle Internet Directory and the default realm does not correspond to the domain of the Microsoft Active Directory host, then Oracle Corporation recommends that you re-install Oracle Identity Management. As you do this, set the proper value of the default realm; otherwise the setup scenarios described in this section fail.
ad1demo.a.us.mycompany.com and ad2demo.b.us.mycompany.com. This means that the domains of the Microsoft Active Directory hosts are respectively dc=a,dc=us,dc=mycompany,dc=com and dc=b,dc=us,dc=mycompany,dc=com.
Further, during installation of Oracle Internet Directory, the default realm value must be set to the parent of the Microsoft Active Directory server domains. In this example, the default realm value is dc=us,dc=mycompany,dc=com. If this is not true, then Oracle Corporation recommends that you re-install Oracle Identity Management. As you do this, set the proper value of the default realm; otherwise the setup scenarios described in this section fail.
ActiveChgImp with the profile activeImport.
Tasks 1-5 are required in this setup.
orclADUser to be added to the entry, which has a mandatory attribute of orclSAMAccountName. Note that orclSAMAccountName cannot have any special characters in it. If you are creating users from the Oracle Internet Directory Self-Service Console, then you need to modify the user creation property through the Console to include the orclADUser object class and orclSAMAccountName. Further, the value of the attribute orclSAMAccountName could be given as ActiveDirectorydomain$userid.
Most of the configuration information required for enabling synchronization is preconfigured in Oracle Internet Directory during installation. Beyond that preconfigured information, you need to add a minimal amount of information to the Active Directory connector.
The information you must add to the Active Directory connector pertains to the Microsoft Active Directory environment. This information includes:
(host:port)
To add this information, you can use either command-line tools or Oracle Directory Manager.
Moreover, if the default realm is changed, then you must re-create the ACLs to enable only the owners of various synchronization profiles to create, modify, and delete entries under the user and group containers. Although default ACLs are created during installation, most often they must be modified to meet the security needs of the deployment. The section "Scenario 1: One-Way Synchronization from Microsoft Active Directory to Oracle Internet Directory" advises you as to when you need to change an ACL.
See Also: "Task 3: Reset the Default Security Configuration" for more information about customizing the default access control configuration.
The scenarios described in the next sections use the adprofilecfg.sh tool to configure Microsoft Active Directory-related information into the default profiles. This tool creates three default profiles from master default profiles and then modifies them with the information it receives from the user. If you have already customized one of the default profiles, then the adprofilecfg.sh tool overwrites it. In this case, rename your default profile as described in the next section, "Tasks Common to Various Scenarios".
This section discusses tasks that, in most scenarios, you must perform only once for a given installation. For example, suppose that you are following both Scenario 1 and Scenario 2 described later in this chapter. If you perform these tasks to set up Scenario 1, then you do not need to perform them again to set up Scenario 2.
To do this, enter the following command against the Microsoft Active Directory server:
ldapsearch -p port -h host -D user account -w password -b "" -s base "objectclass=*" defaultnamingcontext
For example:
ldapsearch -p 389 -h adtest.us.MyCompany.com -D Administrator@us.MyCompany.com -w welcome1 -b "" -s base "objectclass=*" defaultnamingcontext
This should return the domain name of the Microsoft Active Directory server. In our example, the exact output should be: defaultNamingContext=DC=us,DC=MyCompany,dc=com
This includes adding to the synchronization profile used for synchronization the information explained in "Information Required During Setup".
If you are using the default synchronization profiles, then run the script $ORACLE_HOME/ldap/odi/admin/adprofilecfg.sh to set up the information. The script prompts you for the following:
(host:port)
cn=users,dc=us,dc=com.
Once you have entered the parameter values, adprofilecfg.sh invokes the Directory Integration and Provisioning Assistant. The Assistant sets up the Microsoft Active Directory connection information and mapping rules information in the default Active Directory synchronization profiles.
To start the directory integration and provisioning server as you would for synchronization, enter the following command:
oidctl connect=iasdb server=odisrv instance=2 configset=1 flags="port=3060" start
This section describes various scenarios for setting up one-way synchronization of users and groups between a single-domain Microsoft Active Directory and Oracle Internet Directory.
This scenario rests on these assumptions:
In general, to set up this scenario, do the following:
This task sets up the proper access controls to enable groups to be created under the users container. To set up the proper access controls, do this:
grantrole.ldif. The sample file is given at the end of this chapter. If the default realm is not dc=us,dc=mycompany,dc=com, then edit the file grantrole.ldif and replace every dc=us,dc=mycompany,dc=com string with the actual default realm (for example, dc=us,dc=YourCompany,dc=com). Save the file.
ldapmodify -h host -p port -D DN of orcladmin -w password -f grantrole.ldif
For example,
ldapmodify -c -h iasdemo -p 3060 -D cn=orcladmin -w welcome1 -f grantrole.ldif
This configures the required ACL policy in Oracle Internet Directory to enable creation and modification of groups in Oracle Internet Directory.
This requires enabling the respective profile by setting the profileStatus attribute to ENABLE. To do this, enter the command:
dipassistant mp -profile ActiveChgImp odip.profile.status=ENABLE
Enter the following command:
ldapsearch -h oid_host -p oid_port -D cn=dipadmin -w orcladmin_password -b "orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodipsynchronizationstatus orclodiplastsuccessfulexecutiontime
Table 43-9 shows the values of the status attributes when synchronization is successfully started.
An example of a result indicating successful synchronization is:
Synchronization successful November 04, 2003 15:56:03
This scenario rests on the same assumptions as those in "Scenario 1: One-Way Synchronization from Microsoft Active Directory to Oracle Internet Directory", but the synchronization is from Oracle Internet Directory to Microsoft Active Directory. This scenario does not require you to set up any additional information, nor does it require you to set up access controls.
In general, to set up this scenario, do the following:
This requires enabling the respective profile by setting the profileStatus attribute to ENABLE. To do this, enter the command:
dipassistant mp -profile ActiveChgImp odip.profile.status=ENABLE
Enter the following command:
ldapsearch -h oid_host -p oid_port -D cn=dipadmin -w orcladmin_password -b "orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodipsynchronizationstatus orclodiplastsuccessfulexecutiontime
Table 43-9 shows the values of the status attributes when synchronization is successfully started.
An example of a result indicating successful synchronization is:
Synchronization successful November 04, 2003 15:56:03
To set up two-way synchronization, execute both Scenario 1 and Scenario 2 as previously described.
This section describes setup tasks for a two-domain Microsoft Active Directory environment. In a Microsoft Active Directory environment with more than two domains, the tasks for setting up synchronization for additional domains are similar to those outlined in this section.
To illustrate this scenario, we use a sample deployment with two Microsoft Active Directory domain servers:
If there are more than two domains, then the setup procedures are the same as those in Scenario 1, with the exception of Task 4 in which the LDIF file is customized to the actual multiple-domain environment.
In general, to set up this scenario, do the following:
As you perform Tasks 1 through 3, keep these considerations in mind:
dc=us,dc=MyCompany,dc=com.
Oracle Internet Directory does not have the complete DIT structure ready for use in a multiple-domain Microsoft Active Directory scenario. It requires performing the following:
dc=a,dc=us,dc=mycompany,dc=com
dc=b,dc=us,dc=mycompany,dc=com
cn=users,dc=a,dc=us,dc=mycompany,dc=com
To create the users container for the second domain requires creating entries with the following DN:
cn=users,dc=b,dc=us,dc=mycompany,dc=com
users containers to allow users and groups to be created under those containers
Reset the User Search Base and Group Search Base to point to the value dc=us,dc=mycompany,dc=com. This allows all Oracle applications to find users and groups in the two users containers.
multidomaindit.ldif. This file creates the appropriate DIT structure and the required ACLs for our example.
To load this file, enter the following command:
ldapmodify -h host -p port -D DN of orcladmin -w password -f multidomaindit.ldif
For example:
ldapmodify -h iasdemo -p 3060 -D cn=orcladmin -w welcome1 -f multidomaindit.ldif
This requires enabling the respective profile by setting the profileStatus attribute to ENABLE. To do this, enter the following command:
dipassistant mp -profile ActiveChgImp odip.profile.status=ENABLE
Enter the following command:
ldapsearch -h oid_host -p oid_port -D cn=dipadmin -w orcladmin_password -b "orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodipsynchronizationstatus orclodiplastsuccessfulexecutiontime
Table 43-11 shows the values of the status attributes when synchronization is successfully started.
An example of a result indicating successful synchronization is:
Synchronization successful November 04, 2003 15:56:03
In general, to set up this scenario, do the following:
a.MyOracle.com.
As you perform Tasks 1 through 3, keep the following in mind:
a.MyOracle.com.
dc=a,dc=us,dc=MyCompany,dc=com.
Oracle Internet Directory does not have the complete DIT structure ready for use in a multiple-domain Microsoft Active Directory scenario. It requires performing the following:
dc=a,dc=us,dc=mycompany,dc=com
dc=b,dc=us,dc=mycompany,dc=com
cn=users,dc=a,dc=us,dc=mycompany,dc=com
To create the users container for the second domain requires creating entries with the following DN:
cn=users,dc=b,dc=us,dc=mycompany,dc=com
Reset the User Search Base and Group Search Base to point to the value dc=us,dc=mycompany,dc=com. This allows all Oracle applications to find users and groups in the two users containers.
multidomainditimp.ldif. This file creates the appropriate DIT structure and the required ACLs for our example.
You can find an example of this file at "multidomaindit.ldif".
To load this file, enter the following command:
ldapmodify -h host -p port -D DN of orcladmin -w password -f multidomaindit.ldif
For example:
ldapmodify -h iasdemo -p 3060 -D cn=orcladmin -w welcome1 -f multidomaindit.ldif
Renaming a profile requires:
For example, using the sample file in the section "renameprofile.ldif", create a file with the name renameprofile.ldif. The sample profile assumes that you are renaming a default import profile from ActiveChgImp to ActiveChgImp1. Do the following:
Replace ActiveChgImp and ActiveChgImp1 with your profile names.
ldapmodify -h host -p port -D DN of orcladmin -w password -f renameprofile.ldif
For example:
ldapmodify -h iasdemo -p 3060 -D cn=orcladmin -p welcome1 -f renameprofile.ldif
To do this, enter the following command:
dipassistant cp $ORACLE_HOME/ldap/odi/conf/activechgimp.properties
This creates another profile named ActiveChgImp.
On the second directory domain, namely, b.MyOracle.com, perform Tasks 1 and 2 as described in "Tasks Common to Various Scenarios". Keep the following in mind:
b.MyOracle.com.
dc=b,dc=us,dc=MyCompany,dc=com.
This requires enabling the respective profile by setting the profileStatus attribute to ENABLE.
To start the synchronization, enter the following commands:
dipassistant mp -profile ActiveChgImp odip.profile.status=ENABLE
dipassistant mp -profile ActiveChgImp1 odip.profile.status=ENABLE
This starts the synchronization from both Microsoft Active Directory domains to Oracle Internet Directory.
Enter the following command:
ldapsearch -h oid_host -p oid_port -D cn=dipadmin -w orcladmin_password -b "orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodipsynchronizationstatus orclodiplastsuccessfulexecutiontime
Table 43-12 shows the values of the status attributes when synchronization is successfully started.
An example of a result indicating successful synchronization is:
Synchronization successful November 04, 2003 15:56:03
In general, to set up this scenario, do the following:
a.MyOracle.com.
As you perform Tasks 1 through 3, keep the following in mind:
a.MyOracle.com.
dc=a,dc=us,dc=MyCompany,dc=com.
Oracle Internet Directory does not have the complete DIT structure ready for use in a multiple-domain Microsoft Active Directory scenario. It requires performing the following:
dc=a,dc=us,dc=mycompany,dc=com
dc=b,dc=us,dc=mycompany,dc=com
cn=users,dc=a,dc=us,dc=mycompany,dc=com
To create the users container for the second domain requires creating entries with the following DN:
cn=users,dc=b,dc=us,dc=mycompany,dc=com
Reset the User Search Base and Group Search Base to point to the value dc=us,dc=mycompany,dc=com. This allows all Oracle applications to find users and groups in the two users containers.
multidomainditimp.ldif. This file creates the appropriate DIT structure and the required ACLs for our example.
You can find an example of this file at "multidomaindit.ldif".
To load this file, enter the following command:
ldapmodify -h host -p port -D DN of orcladmin -w password -f multidomaindit.ldif
For example:
ldapmodify -h iasdemo -p 3060 -D cn=orcladmin -w welcome1 -f multidomaindit.ldif
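The per-domain DIT that Task 4 describes can be generated rather than hand-edited. The following is an added example, not the chapter's own multidomaindit.ldif: it emits the domain entries and users containers for any number of child domains under the default realm, plus the search-base reset. The ACLs that the chapter's file also carries are not reproduced because their text is not on this page, and the cn=Common entry DN and the orclCommonUserSearchBase / orclCommonGroupSearchBase attribute names are assumed from Oracle Internet Directory's OracleContext layout.

```python
# Added example (not the chapter's multidomaindit.ldif): generate the LDIF
# records that create the per-domain DIT for a multi-domain Active Directory
# synchronization, for any number of child domains under the default realm.
# The chapter's file also sets ACLs; those are not reproduced here because
# their text is not on this page.

def build_multidomain_ldif(realm, domains, users_rdn="cn=users"):
    """realm:   Oracle Internet Directory default realm, e.g. "dc=us,dc=mycompany,dc=com".
    domains: Active Directory child-domain labels under that realm, e.g. ["a", "b"].
    Returns LDIF 'changetype: add' records for each domain entry and its users
    container, in the order ldapmodify must add them (parent before child)."""
    records = []
    for label in domains:
        # Labels become dc= RDN values; reject anything that would need DN escaping.
        if not label.isalnum():
            raise ValueError(f"unexpected domain label: {label!r}")
        domain_dn = f"dc={label},{realm}"
        records.append(
            f"dn: {domain_dn}\n"
            "changetype: add\n"
            "objectclass: top\n"
            "objectclass: domain\n"
            f"dc: {label}\n")
        container_name = users_rdn.split("=", 1)[1]
        records.append(
            f"dn: {users_rdn},{domain_dn}\n"
            "changetype: add\n"
            "objectclass: top\n"
            "objectclass: orclContainer\n"  # OID container class used for cn=users
            f"cn: {container_name}\n")
    return "\n".join(records)


def search_base_reset_ldif(realm):
    """Modify record that points the common user and group search bases at the
    parent realm, so applications find users and groups in every domain's
    users container. The cn=Common entry DN and the two attribute names are
    assumed from Oracle Internet Directory's OracleContext layout."""
    common_dn = f"cn=Common,cn=Products,cn=OracleContext,{realm}"
    return (
        f"dn: {common_dn}\n"
        "changetype: modify\n"
        "replace: orclCommonUserSearchBase\n"
        f"orclCommonUserSearchBase: {realm}\n"
        "-\n"
        "replace: orclCommonGroupSearchBase\n"
        f"orclCommonGroupSearchBase: {realm}\n")


if __name__ == "__main__":
    realm = "dc=us,dc=mycompany,dc=com"
    print(build_multidomain_ldif(realm, ["a", "b"]))
    print(search_base_reset_ldif(realm))
```

Redirect the output to a file and load it with the ldapmodify command shown above; run the search-base reset after the containers exist.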
Renaming a profile requires:
For example, using the sample file in the section "renameprofile.ldif", create a file with the name renameprofile.ldif. The sample profile assumes that you are renaming a default export profile from ActiveExport to ActiveExport1. Do the following:
Change ActiveChgImp to ActiveExport and ActiveChgImp1 to ActiveExport1.
ldapmodify -h host -p port -D DN of orcladmin -w password -f renameprofile.ldif
For example:
ldapmodify -h iasdemo -p 3060 -D cn=orcladmin -p welcome1 -f renameprofile.ldif
To do this, enter the following command:
dipassistant cp $ORACLE_HOME/ldap/odi/conf/activeexport.properties
This creates another profile named ActiveExport.
On the second directory domain, namely, b.MyOracle.com, perform Tasks 1 and 2 as described in "Tasks Common to Various Scenarios". Keep the following in mind:
b.MyOracle.com.
dc=b,dc=us,dc=MyCompany,dc=com.
This requires enabling the respective profile by setting the profileStatus attribute to ENABLE.
To start the synchronization, enter the following commands:
dipassistant mp -profile ActiveExport odip.profile.status=ENABLE
dipassistant mp -profile ActiveExport1 odip.profile.status=ENABLE
This starts the synchronization from both Microsoft Active Directory domains to Oracle Internet Directory.
Enter the following command:
ldapsearch -h oid_host -p oid_port -D cn=dipadmin -w orcladmin_password -b "orclodipagentname=ActiveExport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodipsynchronizationstatus orclodiplastsuccessfulexecutiontime
Table 43-12 shows the values of the status attributes when synchronization is successfully started.
An example of a result indicating successful synchronization is:
Synchronization successful November 04, 2003 15:56:03
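Every scenario above ends with the same status query, and a deployment should check it on a schedule rather than once. The following is an added example, not part of the chapter: it parses the attribute=value output that the ldapsearch prints and reports whether synchronization is healthy. The sample output is constructed to match the form shown above, and the one-hour staleness threshold is an assumption.

```python
# Added example (not from the chapter): evaluate the output of the status
# ldapsearch above. Oracle's ldapsearch prints one "attribute=value" line per
# attribute, so the checker parses that form rather than colon-separated LDIF.
from datetime import datetime, timedelta

# Constructed sample of what the ldapsearch returns for the activechgimp profile.
SAMPLE_OUTPUT = """\
orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipsynchronizationstatus=Synchronization successful
orclodiplastsuccessfulexecutiontime=November 04, 2003 15:56:03
"""


def parse_attrs(output):
    """Map lower-cased attribute names to values. The DN line also has the
    name=value shape, so it lands under 'orclodipagentname'; a repeated
    attribute keeps its first value."""
    attrs = {}
    for line in output.splitlines():
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        attrs.setdefault(name.strip().lower(), value.strip())
    return attrs


def check_sync(output, now, max_age=timedelta(hours=1)):
    """Return (healthy, reason). Healthy means the profile reports
    'Synchronization successful' and the last successful run is no older than
    max_age (an assumed threshold) at time `now` (datetime or ISO-8601 string).
    A missing status attribute usually means the profile is not enabled or the
    search base DN is wrong, so it is reported as unhealthy rather than ignored."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    attrs = parse_attrs(output)
    status = attrs.get("orclodipsynchronizationstatus")
    if status is None:
        return False, "no status attribute returned (profile disabled or wrong DN?)"
    if not status.lower().startswith("synchronization successful"):
        return False, f"status: {status}"
    stamp = attrs.get("orclodiplastsuccessfulexecutiontime")
    try:
        # Timestamp format as shown in the chapter: "November 04, 2003 15:56:03"
        last_ok = datetime.strptime(stamp, "%B %d, %Y %H:%M:%S")
    except (TypeError, ValueError):
        return False, f"unparseable last-success time: {stamp!r}"
    age = now - last_ok
    if age > max_age:
        return False, f"last success {age} ago exceeds {max_age}"
    return True, f"ok, last success {age} ago"


if __name__ == "__main__":
    print(check_sync(SAMPLE_OUTPUT, "2003-11-04T16:10:00"))
```

Pipe the real ldapsearch output into check_sync from a cron job and alert on a False result; a status that stays "successful" while the timestamp stops advancing is the case the age check catches.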
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.