Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Integration with the Microsoft Windows Environment, 7 of 13
The section "Configuring the Active Directory Connector" describes how to configure the Active Directory connector in a simple deployment that requires minimal configurations beyond the default ones. However, your deployment may be more complex and require you to customize the connector configurations.
This section describes various customizations a deployment may require. It contains these topics:
A deployment may require you to create new profiles instead of using the default profiles. It may also require you to modify the configurations in these profiles. There are three tools available for creating new profiles. These are:
You must customize mapping rules when you need to:
An example of domain level mapping is:
DomainRules %USERBASE%:%USERBASE%:
USERBASE refers to the container from which the Microsoft Active Directory users and groups must be mapped. Usually, this is the users container under the root of the Microsoft Active Directory domain.
For example, if the Microsoft Active Directory host is in the domain us.mycompany.com, then the root of the Microsoft Active Directory domain is us.mycompany.com, and a users container under the domain would have the DN value cn=users,dc=us,dc=mycompany,dc=com.
For one-to-one domain mapping between Microsoft Active Directory and Oracle Internet Directory, Oracle Internet Directory must be installed with a default realm value of dc=us,dc=mycompany,dc=com, which automatically contains a users container under the default realm with the DN value cn=users,dc=us,dc=mycompany,dc=com. This enables one-to-one domain mapping between Microsoft Active Directory and Oracle Internet Directory.
If you plan to synchronize only the users under us.mycompany.com, then the domain mapping rule is:
DomainRules cn=users,dc=us,dc=mycompany,dc=com:cn=users,dc=us,dc=mycompany,dc=com
This rule enables only the users container to be synchronized. Changes to entries outside the users container are not synchronized.
If you later want to synchronize other objects in the domain, the rule can be changed to:
DomainRules dc=us,dc=mycompany,dc=com:dc=us,dc=mycompany,dc=com
This rule enables every entry under dc=us,dc=mycompany,dc=com to be synchronized.
An example of attribute-level mapping is:
SAMAccountName:1: :user:orclADSAMAccountName: :orclADUser
userPrincipalName: : :user:orclADUserPrincipalName: :orclADUser:name|userPrincipalName
Here, SAMAccountName and userPrincipalName from Microsoft Active Directory are mapped to orclADSAMAccountName and orclADUserPrincipalName respectively.
Adding another attribute to be synchronized requires adding another rule as indicated above. Similarly, if an attribute is no longer to be synchronized, then the corresponding rule simply needs to be removed or commented out.
Customizing the mapping rules requires:
to make necessary modifications as discussed above.
dipassistant mp -profile profile_name -host oid_host -port oid_port -dn DN -passwd password odip.profile.mapfile=pathname
For example:
dipassistant mp -profile ActiveChgImp -host iasdemo.us.oracle.com -port 3060 -dn cn=orcladmin -passwd welcome1 odip.profile.mapfile=activechgimp.map
Sample map files for the various profiles are located in the directory $ORACLE_HOME/ldap/odi/conf, with the extension map.master.
By default, the Active Directory connector pulls changes to all types of objects from the container configured for synchronization. However, if a deployment is interested only in certain types of changes--for example, only users and groups--then this can be achieved by configuring a search filter. The Active Directory connector applies the filter when it polls Active Directory for changes, so that changes that are not required are discarded. The filter is stored in the searchfilter attribute of the synchronization profile.
For example, if you are synchronizing changes to users and groups but not computer objects, then the value of the searchfilter attribute should be: searchfilter=(|(objectclass=group)(&(objectclass=user)(!(objectclass=computer)))). Note that the filter needs four closing parentheses at the end, one each for the computer clause, the NOT, the AND, and the OR; a filter with unbalanced parentheses is rejected by the directory server.
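To see what this searchfilter actually selects, here is an added example (not Oracle's code and not part of the original page): a minimal evaluator for the LDAP filter subset the connector uses, run against constructed sample entries that stand in for Active Directory user, group and computer objects. It also shows why the parentheses matter: a filter missing its final ')' is rejected before it can be used.

```python
# Added example (not Oracle code): a minimal RFC 4515 filter evaluator for the
# subset the connector searchfilter uses: (&...), (|...), (!...), attr=value.
def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return node

def _parse(text, pos):
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op = text[pos + 1:pos + 2]
    if op in ("&", "|", "!"):  # compound filter wrapping nested filters
        pos += 2
        children = []
        while text[pos:pos + 1] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    else:                      # simple equality filter: attr=value
        end = text.find(")", pos)
        if end < 0 or "=" not in text[pos:end]:
            raise ValueError("bad simple filter at offset %d" % pos)
        attr, value = text[pos + 1:end].split("=", 1)
        node = ("=", attr.strip().lower(), value.strip().lower())
        pos = end
    if text[pos:pos + 1] != ")":
        raise ValueError("unbalanced filter: missing ')' at offset %d" % pos)
    return node, pos + 1

def matches(node, entry):
    # entry: dict of lower-case attribute name -> list of values
    op = node[0]
    if op == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not any(matches(c, entry) for c in node[1])   # "!"

# Constructed sample entries. An AD computer object also carries
# objectClass=user, which is why the filter must exclude computers explicitly.
SAMPLE_ENTRIES = {
    "jdoe": {"objectclass": ["top", "person", "organizationalPerson", "user"]},
    "staff": {"objectclass": ["top", "group"]},
    "ws01": {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"]},
}
# The searchfilter from this section, with its closing parenthesis balanced.
USERS_AND_GROUPS = "(|(objectclass=group)(&(objectclass=user)(!(objectclass=computer))))"
def synchronized_names(filter_text=USERS_AND_GROUPS, entries=SAMPLE_ENTRIES):
    node = parse_filter(filter_text)
    return sorted(name for name, e in entries.items() if matches(node, e))
```

With the default filter, synchronized_names() returns the user and the group but not the workstation; with a plain (objectclass=user) filter the workstation would be synchronized as well.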
You can use Oracle Directory Manager or the Directory Integration and Provisioning Assistant to update this attribute.
The Active Directory connector enables secure synchronization between Oracle Internet Directory and Microsoft Active Directory by using SSL between the two servers. Whether to synchronize in the SSL mode depends on the deployment requirements. For example, synchronizing public data does not require SSL. However, synchronizing sensitive information such as passwords requires SSL. The security settings (hard settings) enable you to synchronize password changes from Oracle Internet Directory to Microsoft Active Directory only in SSL mode with server-only Authentication--that is, SSL Mode 2.
Securing the channel requires:
Although you can enable SSL between Oracle Internet Directory and the Oracle directory integration and provisioning server, or between the Oracle directory integration and provisioning server and Oracle Internet Directory, Oracle Corporation recommends that you completely secure the channel before synchronizing sensitive information. In some cases, such as password synchronization, the synchronization can happen only over SSL.
Configuring SSL requires the following:
The value of the sslauth parameter specified when starting the Oracle directory integration and provisioning server will be 1 or 2, depending on whether the SSL communication uses no authentication or server-only authentication.
You can synchronize passwords from Oracle Internet Directory to Microsoft Active Directory or the reverse.
Before the Active Directory connector can synchronize passwords in this direction, the following are required:
Userpassword: : :person:unicodepwd: :user
1
the orclPwdPolicyEnable and orclpwdEncryptionEnable attributes in the entry cn=PwdPolicyEntry,cn=common,cn=products,<DN of realm>. This can be done either from Oracle Directory Manager or with the ldapmodify command.
Synchronizing passwords from Microsoft Active Directory to Oracle Internet Directory is not possible in the Oracle Application Server 10g release because passwords in Microsoft Active Directory are not accessible by LDAP clients. However, if a deployment requires passwords to be available in Oracle Internet Directory, then the following two methods are recommended:
The default ACLs enable creating, modifying, and deleting users and groups only. Further, they enable users and groups to be created only in the users and groups containers under the default realm.
Customizing the access control lists (ACLs) is required if:
See Also: Chapter 14, "Directory Access Control" for instructions on customizing ACLs
Customizing the LDAP schema is required if:
Customizing the LDAP schema requires:
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.