Customizing the Active Directory Connector

The section "Configuring the Active Directory Connector" describes how to configure the Active Directory connector in a simple deployment that requires minimal configurations beyond the default ones. However, your deployment may be more complex and require you to customize the connector configurations.

Note: Be sure that your ORACLE_HOME is set to the correct value, otherwise the commands specified in various scenarios do not function properly.

This section describes various customizations a deployment may require. It contains these topics:

• Creating and Customizing a Synchronization Profile

• Customizing Mapping Rules

• Customizing the Search Filter to Get Information from Microsoft Active Directory

• Running the Active Directory Connector in SSL Mode

• Synchronizing Passwords

• Customizing ACLs

• Customizing the LDAP Schema

Creating and Customizing a Synchronization Profile

A deployment may require you to create new profiles instead of using the default profiles. It may also require you to modify the configurations in these profiles. There are three tools available for creating new profiles. These are:

• The Directory Integration and Provisioning Assistant, a command-line tool for creating profiles and setting various configuration parameters (attributes) in a profile.

• The script adprofilecfg.sh that creates the default profiles and sets the minimal information required for the Microsoft Active Directory environment into all the default profiles. This minimal information includes, for example, the Microsoft Active Directory host and port information.

• Oracle Directory Manager, a standalone Java-based GUI tool that enables you to create, modify, and delete profiles. This is suitable when a deployment requires extensive customization.

  See Also: "The Directory Integration and Provisioning Assistant" "About the adprofilecfg.sh Tool" "Using Oracle Directory Manager"

Customizing Mapping Rules

You must customize mapping rules when you need to:

• Change domain-level mappings. The domain-level mappings establish how the DIT from Microsoft Active Directory maps to that of Oracle Internet Directory.

• Change what attributes needs to be synchronized

• Change what transformations (mapping rules) are required to be performed while synchronizing them from the source directory to the target directory.

Domain-Level Mapping

An example of domain level mapping is:

DomainRules
%USERBASE%:%USERBASE%:

USERBASE refers to the container from which the Microsoft Active Directory users and groups must be mapped. Usually, this is the users container under the root of the Microsoft Active Directory domain.

For example, if the Microsoft Active Directory host is in the domain us.mycompany.com, then the root of the Microsoft Active Directory domain is us.mycompany.com and a user container under the domain would have a DN value cn=users, dc=us,dc=mycompany,dc=com.

For one-to-one domain mapping between Microsoft Active Directory and Oracle Internet Directory, Oracle Internet Directory must be installed with a default realm value of dc=us,dc=mycompany,dc=com that would automatically contain a users container under the default realm with a DN value cn=users,dc=us,dc=mycompany,dc=com. This enables one-to-one domain mapping between Microsoft Active Directory and Oracle Internet Directory.

If you plan to synchronize only the users under us.mycmpany.com, then the domain mapping rule is:

DomainRules
cn=users, dc=us, dc=mycompany, dc=com :cn=users, dc=us, dc=mycompany, dc=com 

This rule enables only the users container to be synchronized. Any changes to other entries outside users container are not synchronized.

If you later want to synchronize other objects in the domain, the rule can change to

DomainRules
dc=us, dc=mycompany, dc=com :dc=us, dc=mycompany, dc=com 

This rule enables every entry under dc=us,dc=mycompany,dc=com" to be synchronized.

Attribute-Level Mapping

An example of attribute-level mapping is:

SAMAccountName:1: :user:orclADSAMAccountName: :orclADUser
userPrincipalName: : :user:orclADUserPrincipalName:
:orclADUser:name|userPrincipalName

Here, SAMAccountName and userPrincipalName from Microsoft Active Directory are mapped to orclADSAMAccountName and orclADUserPrincipalName respectively.

Adding another attribute to be synchronized requires adding another rule as indicated above. Similarly, if an attribute is no longer to be synchronized, then the corresponding rule simply needs to be removed or commented out.

How to Customize the Mapping Rules

Customizing the mapping rules requires:

• Editing the mapping rules file stored under "" to make necessary modifications as discussed above.

• Once the changes are complete, running the following command:

  dipassistant mp -profile profile name -host oidhost -port oidport -dn DN 
  -passwd password odip.profile.mapfile=pathname
  
  

  For example:

  dipassistant mp -profile ActiveChgImp -host iasdemo.us.oracle.com -port 3060 
  -dn cn=orcladmin -passwd welcome1 odip.profile.mapfile= activechgimp.map
  
  

A sample map file is located in the directory $ORACLE_HOME/ldap/odi/conf with the extension of map.master for the various profiles.

Customizing the Search Filter to Get Information from Microsoft Active Directory

By default, the Active Directory connector pulls changes in all the types of objects from the container configured for synchronization. However, if a deployment is interested only in a certain types of changes--for example, only users and groups--then this can be easily achieved by configuring a search filter. The filter is used by the Active Directory connector to filter changes that are not required when it polls the Active Directory for changes. There is an attribute, named searchfilter, in the synchronization profile which stores the filter.

For example, if you are synchronizing changes to users and groups but not Computers objects, then the value of the searchfilter attribute should be: searchfilter=(|(objectclass=group)(&(objectclass=user)(!(objectclass=computer))).

You can use Oracle Directory Manager or the Directory Directory Integration and Provisioning Assistant to update this attribute.

Running the Active Directory Connector in SSL Mode

The Active Directory connector enables secure synchronization between Oracle Internet Directory and Microsoft Active Directory by using SSL between the two servers. Whether to synchronize in the SSL mode depends on the deployment requirements. For example, synchronizing public data does not require SSL. However, synchronizing sensitive information such as passwords requires SSL. The security settings (hard settings) enable you to synchronize password changes from Oracle Internet Directory to Microsoft Active Directory only in SSL mode with server-only Authentication--that is, SSL Mode 2.

Securing the channel requires:

• SSL between Oracle Internet Directory and the Oracle directory integration and provisioning server

• SSL between Oracle directory integration and provisioning server and Microsoft Active Directory

Although you can enable SSL between Oracle Internet Directory and the Oracle directory integration and provisioning server, or between the Oracle directory integration and provisioning server and Oracle Internet Directory, Oracle Corporation recommends that you completely secure the channel before synchronizing sensitive information. In some cases, such as password synchronization, the synchronization can happen only over SSL.

Configuring SSL requires the following:

• Running the Oracle directory server in the SSL mode as described in Chapter 13, "Secure Sockets Layer (SSL) and the Directory"

• Running the Oracle directory integration and provisioning server in the SSL mode as described in Chapter 36, "Security in the Oracle Directory Integration and Provisioning Platform". The SSL mode should be same under which Oracle Internet Directory server was started. The sslauth parameter to be specified when starting the Oracle directory integration and provisioning server will be 1 or 2 depending on whether the SSL communication is based on no authentication or server-only authentication.

• Running the Microsoft Active Directory server in the SSL mode. Communication with Microsoft Active Directory over SSL requires SSL Mode 2--that is, server-only authentication. This requires Oracle Internet Directory as well as Directory Integration & Provisioning Server also be run in SSL mode 2.

• Certificates for both Oracle Internet Directory and Microsoft Active Directory and a wallet to store them. See Chapter 13, "Secure Sockets Layer (SSL) and the Directory" for more details.

  Note: Oracle Application Server 10g does not support SSL in the client-server authentication mode

Synchronizing Passwords

You can synchronize passwords from Oracle Internet Directory to Microsoft Active Directory or the reverse.

Synchronizing Passwords from Oracle Internet Directory to Microsoft Active Directory

Before the Active Directory connector can synchronize passwords in this direction, the following are required:

• Adding a mapping rule in the mapping file that enables password synchronization. For example, the mapping rule could be:

  Userpassword: : :person:unicodepwd: :user
  
  

• Enabling the password policy and the reversible password encryption in the Oracle directory server. This, in turn, requires setting to a value of 1the orclPwdPolicyEnable and orclpwdEncryptionEnable attributes in the entry cn=PwdPolicyEntry,cn=common,cn=products,DN of realm. This can be done either from Oracle Directory Manager or by the ldapmodify command.

• Starting these servers in the SSL Mode 2 (server authentication):
  • Oracle directory server

  • Oracle directory integration and provisioning server

  • Microsoft Active Directory server

Synchronizing Passwords from Microsoft Active Directory to Oracle Internet Directory

Synchronizing passwords from Microsoft Active Directory to Oracle Internet Directory is not possible in the Oracle Application Server 10g release because passwords in Microsoft Active Directory are not accessible by LDAP clients. However, if a deployment requires passwords to be available in Oracle Internet Directory, then the following two methods are recommended:

• Build a custom plug-in for Microsoft Active Directory that captures a password change and synchronizes it with Oracle Internet Directory

• Manage Active Directory passwords from the Oracle environment. This enables passwords to be available in both Oracle Internet Directory and Microsoft Active Directory because the Active Directory connector can synchronize passwords from Oracle Internet Directory to Microsoft Active Directory.

Customizing ACLs

The default ACLs enable creating, modifying, and deleting users and groups only. Further, they enable users and groups to be created only in the users and groups containers under the default realm.

Customizing the access control lists (ACLs) is required if:

• You need to synchronize objects other than users and groups

• The containers under which users and groups are synchronized are different from the designated containers. This can be the case when either the preferred containers are not users and groups containers, or they are not under the default realm.

  See Also: Chapter 14, "Directory Access Control" for instructions on customizing ACLs

Customizing the LDAP Schema

Customizing the LDAP schema is required if:

• A directory deployment contains schema extensions such as custom object classes and attributes

• The custom attributes must be synchronized from one directory server to the other

Customizing the LDAP schema requires:

• Identifying the schema extensions on the source directory

• Creating those extensions on the target directory before starting the data migration and the synchronization.

  Note: Besides creating schema extensions, the attribute which will be required for synchronization also needs to be added into the mapping rules.