Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Considerations for Integrating with Third-Party Directories, 10 of 11
This section lists the steps in configuring a sample deployment scenario. Steps 4 through 6 ("Step 4: Decide Whether to Create a New Identity Management Realm" through "Step 6: Select the Login Identifiers") involve configuring a new identity management realm and setting its parameters. This can affect the behavior of Oracle Application Server Single Sign-On and any other middle-tier application already installed in the environment. Consequently, make careful decisions at each step and verify the behavior of the applications.
See Also: Chapter 19, "Deployment of Oracle Identity Management Realms" for more details on identity management realms and their role in Oracle Application Server.
This section contains these topics:
Step 1: Identify the Default Identity Management Realm in Oracle Internet Directory
Step 2: Identify the User and Group Search Bases in Oracle Internet Directory
Step 3: Identify the Naming Context on the Remote Directory
Step 4: Decide Whether to Create a New Identity Management Realm
Step 5: Select the User Search Base and Group Search Base
Step 6: Select the Login Identifiers
Step 7: Modify the Mapping File to Reflect the Changes You Have Made
Step 8: Create or Modify the Synchronization Profile with the New Set of Mapping Rules
Step 9: Configure Access Control
Step 10: Bootstrap the Directory by Using the Directory Integration and Provisioning Assistant
Step 11: Update the Last Change Number for Synchronization
Step 13 (Optional): Enable the External Authentication Plug-in for Password Synchronization
Step 14: Start the Oracle Directory Integration and Provisioning Server
Step 1: Identify the Default Identity Management Realm in Oracle Internet Directory
To identify the default identity management realm in Oracle Internet Directory:
ldapsearch -p port -h host -D distinguished_name -w password -b "cn=common,cn=products,cn=oraclecontext" -s base "objectclass=*" orcldefaultsubscriber
In this sample deployment, the default identity management realm in Oracle Internet Directory is dc=us,dc=mycompany,dc=com.
Step 2: Identify the User and Group Search Bases in Oracle Internet Directory
To identify the user and group search contexts in Oracle Internet Directory:
ldapsearch -p port -h host -D distinguished_name -w password -b "cn=common,cn=products,cn=oraclecontext,identity_management_realm" -s base "objectclass=*"
Note down the values of the orclcommonusersearchbase and orclcommongroupsearchbase attributes. These are the values shown in the Oracle Internet Directory Self-Service Console as User Search Context and Group Search Context.
In this sample deployment, the user and group search contexts in Oracle Internet Directory are:
orclcommonusersearchbase: cn=users,dc=us,dc=mycompany,dc=com
orclcommongroupsearchbase: cn=groups,dc=us,dc=mycompany,dc=com
Step 3: Identify the Naming Context on the Remote Directory
The default naming context is the root of the naming context under which the users are stored. Each directory has its own way of creating a default naming context.
If you are using Microsoft Active Directory, then identify the default naming context by performing the following ldapsearch against that directory:
ldapsearch -p port -h host -D distinguished_name -w password -b "" -s base "objectclass=*" defaultnamingcontext
Typically, the DNs of users in Microsoft Active Directory are of the form cn=user name,cn=users,defaultnamingcontext. Note that users can also bind with names of the form username@domain.
For example, if the domain name is newcompany.com, then the default naming context is dc=newcompany,dc=com. The typical login identifier of a user is user@newcompany.com.
If you are using SunONE Directory Server, then identify its naming contexts by performing the following ldapsearch against it:
ldapsearch -p port -h host -D distinguished_name -w password -b "" -s base "objectclass=*" namingcontexts
Different sets of user entries reside in different subtrees. Choose the naming context that contains the objects to be synchronized.
Step 4: Decide Whether to Create a New Identity Management Realm
If the DITs on Oracle Internet Directory and the third-party directory are different, then it is better to create a new identity management realm. Do this by using either the Oracle Internet Directory Self-Service Console. On the other hand, if the third-party directory is Microsoft Active Directory in which the default naming context is mycompany.com, then you may not have to create a new identity management realm.
Step 5: Select the User Search Base and Group Search Base
How you do this depends on whether you created a new identity management realm as discussed in the previous step.
If a new identity management realm has been created, then:
Follow the same approach to set the user creation context.
Follow the same approach to set the group creation context.
If a new identity management realm has not been created, then, to enable user and group entries to be accessed by all Oracle components, you must modify the default parameters in the Oracle Internet Directory Self-Service Console. To do this:
Change the User Search Context from cn=users,dc=myCompany,dc=com to dc=myCompany,dc=com.
Change the Group Search Context from cn=groups,dc=myCompany,dc=com to dc=myCompany,dc=com.
Step 6: Select the Login Identifiers
The attribute used for login is orclcommonnicknameattribute. In the Oracle Internet Directory Self-Service Console, the field is named Attribute for Login Name. The default value is UID. Oracle Corporation recommends that you keep the default value. If this attribute is modified--for example, if it is changed to mail--then be sure that all entries under the container that you are working with have the mail attribute value populated. Otherwise, the user cannot log in through Oracle Application Server Single Sign-On.
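The check that the step above calls for (every entry under the user search base has a value for the attribute chosen as the login name) can be automated over LDIF captured from ldapsearch. The script below is an added example and is not code from the Oracle documentation; the function names, the sample LDIF and the sample DNs are constructed for this illustration.

```python
# Added example (not code from the Oracle documentation): check that every user
# entry under the user search base carries the attribute configured as the
# login name (orclcommonnicknameattribute). Run it over LDIF captured from
# ldapsearch, for example:
#   ldapsearch -p port -h host -D distinguished_name -w password \
#       -b "cn=users,dc=us,dc=mycompany,dc=com" -s sub "objectclass=inetorgperson" > users.ldif
# Function and variable names here are this example's own.
import base64
import sys
from typing import Dict, List

# Constructed sample LDIF: three user entries (asmith has no mail attribute)
# plus one entry outside the user search base. It also exercises a folded
# line (continuation starts with a space) and a base64 value ("mail::").
SAMPLE_LDIF = """\
dn: cn=jdoe,cn=users,dc=us,dc=mycompany,dc=com
objectclass: inetorgperson
uid: jdoe
mail: jdoe@
 mycompany.com

dn: cn=asmith,cn=users,dc=us,dc=mycompany,dc=com
objectclass: inetorgperson
uid: asmith

dn: cn=bwong,cn=users,dc=us,dc=mycompany,dc=com
objectclass: inetorgperson
uid: bwong
mail:: YndvbmdAbXljb21wYW55LmNvbQ==

dn: cn=svc-dip,cn=services,dc=us,dc=mycompany,dc=com
objectclass: inetorgperson
uid: svc-dip
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF text into a list of entries mapping lowercase attribute
    names to their values. Handles comments, folded lines and base64 values."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Crude DN normalization for suffix comparison: drop spaces, lowercase."""
    return dn.replace(" ", "").lower()


def entries_missing_attribute(ldif_text: str, search_base: str, attr: str) -> List[str]:
    """Return the DNs of entries under search_base that have no non-empty
    value for attr. An empty result means every entry can log in with attr."""
    base = normalize_dn(search_base)
    attr = attr.lower()
    missing: List[str] = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if not normalize_dn(dn).endswith(base):
            continue                         # outside the user search base
        if not any(v.strip() for v in entry.get(attr, [])):
            missing.append(dn)
    return missing


if __name__ == "__main__":
    # Usage: python check_login_attr.py [users.ldif] [search_base] [attr]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    base = sys.argv[2] if len(sys.argv) > 2 else "cn=users,dc=us,dc=mycompany,dc=com"
    attr = sys.argv[3] if len(sys.argv) > 3 else "mail"
    for dn in entries_missing_attribute(text, base, attr):
        print(f"missing {attr}: {dn}")
```

Run it with the user search context from Step 2 and the attribute you intend to set as Attribute for Login Name before changing the setting; any DN it prints is a user who would be locked out of Single Sign-On after the change.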
Step 7: Modify the Mapping File to Reflect the Changes You Have Made
The attributes you have just modified can require a change in the default mapping files. Look carefully at the various mapping rules and modify them according to the requirements. If the users and groups are under different containers, you may need to specify multiple sets of domain rules in the same mapping file.
Default mapping rules for integration with SunONE Directory Server and Microsoft Active Directory are in the directory $ORACLE_HOME/ldap/odi/conf.
The important parameters to be modified are:
The loginid attribute. The mapping rule for the loginid attribute in the sample mapping file is:
Userprincipalname: : :user: uid: : :inetorgperson
UID is directly mapped to the UID attribute. This can be modified depending on which attribute is used for login. For example, to use employeenumber as the loginid, modify the mapping rule as follows:
Employeenumber: : :user: uid: : :inetorgperson
The orclcommonkrbprincipalattribute attribute in the entry cn=common,cn=public,cn=oraclecontext,identity_management_realm. By default, it is set to krbPrincipalName. For integration with Microsoft Active Directory, the default mapping rule is:
Userprincipalname: : :user: krbPrincipalName: : :orclUserV2
This rule maps the user principal name in Microsoft Active Directory to the Kerberos principal name. To support another value for Kerberos login, modify this rule.
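A mistake that is easy to make when editing these rules is to change the login attribute (Step 6) without adding a rule that populates it, so synchronized users arrive with no login name. The script below, an added example that is not code from the Oracle documentation, parses the colon-separated rules quoted above and reports which remote attribute feeds the configured login attribute. The field positions it relies on (first field source attribute, fourth source object class, fifth destination attribute, eighth destination object class) are an assumption made for this example; the function names and the sample fragment are constructed.

```python
# Added example (not code from the Oracle documentation): parse the
# colon-separated mapping rules shown above and confirm that one of them
# populates the attribute configured as the login name
# (orclcommonnicknameattribute). The field positions used here are an
# assumption made for this example: field 1 is the source attribute, field 4
# the source object class, field 5 the destination attribute and field 8 the
# destination object class; confirm them against your own mapping file.
from typing import Dict, List, Optional

# Rules taken from this page, in a constructed mapping-file fragment.
SAMPLE_RULES = """\
# attribute rules (domain rules omitted from this fragment)
Userprincipalname: : :user: uid: : :inetorgperson
Userprincipalname: : :user: krbPrincipalName: : :orclUserV2
"""


def parse_mapping_rule(line: str) -> Dict[str, object]:
    """Split one rule into its colon-separated fields (assumed positions)."""
    fields = [f.strip() for f in line.split(":")]
    if len(fields) < 8:
        raise ValueError(f"mapping rule has {len(fields)} fields, expected at least 8: {line!r}")
    return {
        "src_attr": fields[0],
        "src_objectclass": fields[3],
        "dst_attr": fields[4],
        "dst_objectclass": fields[7],
        "fields": fields,
    }


def parse_mapping_rules(text: str) -> List[Dict[str, object]]:
    """Parse every non-blank, non-comment line of a mapping-file fragment."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rules.append(parse_mapping_rule(line))
    return rules


def source_for_login_attribute(rules: List[Dict[str, object]], nickname_attr: str) -> Optional[str]:
    """Return the remote attribute mapped onto nickname_attr, or None if no
    rule populates it (case-insensitive, as LDAP attribute names are)."""
    for rule in rules:
        if str(rule["dst_attr"]).lower() == nickname_attr.lower():
            return str(rule["src_attr"])
    return None


def check_login_mapping(text: str, nickname_attr: str) -> str:
    """Human-readable verdict for the login-name attribute."""
    src = source_for_login_attribute(parse_mapping_rules(text), nickname_attr)
    if src is None:
        return (f"NO RULE populates {nickname_attr}; users synchronized with this "
                f"file will have no login name for Single Sign-On")
    return f"{nickname_attr} is populated from remote attribute {src}"


if __name__ == "__main__":
    print(check_login_mapping(SAMPLE_RULES, "uid"))
    print(check_login_mapping(SAMPLE_RULES, "mail"))
    # The page's alternative: employeenumber as the login id, still written to uid.
    print(check_login_mapping("Employeenumber: : :user: uid: : :inetorgperson", "uid"))
```

Point it at the mapping file you pass to dipassistant and at the value of orclcommonnicknameattribute; a "NO RULE" verdict means the mapping file and the login attribute disagree and one of them must change before the profile is created in Step 8.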
See Also: Oracle Application Server Single Sign-On Administrator's Guide for information about support for Windows native authentication in Oracle Application Server Single Sign-On.
Step 8: Create or Modify the Synchronization Profile with the New Set of Mapping Rules
To do this, use the Directory Integration and Provisioning Assistant:
dipassistant mp -profile profile_name odip.profile.mapfile=relative_path_name_of_mapping_file
Step 9: Configure Access Control
Configure access control to the various containers for either of the following:
orclodipagentname=profile_name,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
cn=odipgroup,cn=odi,cn=oracle internet directory
A sample ACI is available in ORACLE_HOME/ldap/odi/samples/commonaci.ldif. This sample contains the following attributes, all of which have the same values:
You can use Oracle Directory Manager to set ACIs on these containers.
Step 10: Bootstrap the Directory by Using the Directory Integration and Provisioning Assistant
To bootstrap the directory, use the bootstrap command in the Directory Integration and Provisioning Assistant.
Step 11: Update the Last Change Number for Synchronization
To do this, enter:
dipassistant mp -profile profile_name -updlcn
The Directory Integration and Provisioning Assistant determines the connected directory by reading the directory integration profile.
You can do this by using either Oracle Directory Manager or the Directory Integration and Provisioning Assistant.
Step 13 (Optional): Enable the External Authentication Plug-in for Password Synchronization
If you need to synchronize password changes from Oracle Internet Directory to the third-party directory, then enable the external authentication plug-in by doing the following:
Set the orclpwdencryptionenable attribute to TRUE.
When passwords are synchronized to directories that do not support the hashing technique used by Oracle Internet Directory, synchronization can be done only by using SSL mode 2 (sslmode=2).
Step 14: Start the Oracle Directory Integration and Provisioning Server
Do this by following the instructions in "Starting the Oracle Directory Integration and Provisioning Server".
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.