Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Integration with SunONE (iPlanet) Directory Server, 4 of 7
This section explains the tasks to configure the SunONE connector. It contains these topics:
Integration profile templates for synchronization with the SunONE Directory Server are created in the Oracle directory server as a part of the installation process.
There are two default integration profiles:
iPlanetImport: for importing entries and changes from the SunONE Directory Server by using the directory synchronization approach
iPlanetExport: for exporting changes from Oracle Internet Directory to SunONE Directory Server
These are simply templates to be customized to meet the needs of your deployment.
To customize the default integration profiles, you can use a shell script, the Directory Integration and Provisioning Assistant, or Oracle Directory Manager. Configure separate profiles for import and export operations.
Use this method when:
At the end of synchronization, user and group objects synchronized from the SunONE Directory Server are visible to Oracle components integrated with the Oracle Application Server infrastructure.
The script iplanetconfig.sh resides in $ORACLE_HOME/ldap/odi/admin. Run this script as follows:
iplanetconfig.sh -oidport port -oidhost host
The script then prompts you for the remaining connection values, including a host and a port.
Once you have entered the parameter values, iplanetconfig.sh invokes the Directory Integration and Provisioning Assistant to set up the SunONE Directory Server connection information and mapping rules information in the default SunONE Directory Server integration profiles.
Use this method when:
To configure the directory integration profile by using this method, follow these steps:
iplanetimp.map.master file. When you make changes, use this file as the sample.
If Oracle Internet Directory and the SunONE Directory Server use the same password hashing technique, then insert the following mapping rule to the mapping file and upload the mapping file to the profile.
Userpassword: : :person:userpassword: :person
If the two directories do not use the same hashing technique, then the same mapping rule works when the Oracle directory integration and provisioning server and the directory integration profile are configured in SSL mode 2--that is, server-only authentication.
To avoid having the same changes synchronized back and forth between the directories, use either Oracle Directory Manager or the Directory Integration and Provisioning Assistant to set the filter attributes for the connected directory and for Oracle Internet Directory.
In the import profile, set the connected directory filter as follows:
modifiersname != DN of the user account with which changes are made by the export profile in SunONE
In the export profile, set the Oracle Internet Directory filter as follows:
modifiersname != orclodipagentname=import profile name,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
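As an added illustration (not part of the Oracle guide), the following Python replay of the import and export profiles shows why both filters are needed. The OID agent DN is the one given above; the SunONE export account DN and the changelog entries are constructed placeholders.

```python
# Added example (not from the Oracle guide): replays the import and export
# profiles to show why the two modifiersname filters are needed.

# OID changelog subscriber DN the import profile writes as (from the guide).
IMPORT_AGENT_IN_OID = ("orclodipagentname=iPlanetImport,cn=subscriber profile,"
                       "cn=changelog subscriber,cn=oracle internet directory")
# SunONE account the export profile binds with: a constructed placeholder DN.
EXPORT_ACCOUNT_IN_SUNONE = "cn=oidexport,cn=Directory Administrators"

IMPORT_FILTER = f"modifiersname != {EXPORT_ACCOUNT_IN_SUNONE}"   # connected directory filter
EXPORT_FILTER = f"modifiersname != {IMPORT_AGENT_IN_OID}"        # OID filter


def passes_filter(change, filter_expr):
    """Evaluate the 'attr != value' form both profile filters use (DNs compared case-insensitively)."""
    attr, value = (part.strip() for part in filter_expr.split("!=", 1))
    return change.get(attr.lower(), "").lower() != value.lower()


def simulate(rounds, use_filters):
    """Replay one SunONE change through `rounds` import/export cycles.

    Each profile applies a change to the other directory as its own account, which
    appends a changelog entry there carrying that account as modifiersname.
    Returns (SunONE changelog length, OID changelog length)."""
    sunone_log = [{"modifiersname": "uid=admin,ou=People", "desc": "mail changed"}]  # constructed
    oid_log = []
    imp_pos = exp_pos = 0  # changelog position each profile has already consumed
    for _ in range(rounds):
        # Import profile: SunONE changelog -> OID, applied as the import agent.
        for change in sunone_log[imp_pos:]:
            if not use_filters or passes_filter(change, IMPORT_FILTER):
                oid_log.append({"modifiersname": IMPORT_AGENT_IN_OID, "desc": change["desc"]})
        imp_pos = len(sunone_log)
        # Export profile: OID changelog -> SunONE, applied as the export account.
        for change in oid_log[exp_pos:]:
            if not use_filters or passes_filter(change, EXPORT_FILTER):
                sunone_log.append({"modifiersname": EXPORT_ACCOUNT_IN_SUNONE, "desc": change["desc"]})
        exp_pos = len(oid_log)
    return len(sunone_log), len(oid_log)


if __name__ == "__main__":
    print("without filters:", simulate(3, False))  # the one change keeps bouncing: (4, 3)
    print("with filters:   ", simulate(3, True))   # imported once, never echoed back: (1, 1)
```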
The default profiles have the default mapping rules for mapping the user and group attributes and object classes in SunONE Directory Server to those on Oracle Internet Directory. These mapping rules assume that no user- and group-specific schema changes have been made to either directory after installation. If there are such changes, then they must be appropriately reflected in the mapping files.
To verify and modify the mapping rules, do the following:
See Also: "Format of the Mapping Rules Attribute" for instructions on creating mapping rules and for sample mapping files
Once the mapping file is generated, you can update the parameters in the default integration profile by using either Oracle Directory Manager or the Directory Integration and Provisioning Assistant. Table B-20 lists the attributes in the default integration profile for third-party directories. Some of those attributes, listed in Table 42-1, have values specific to integration with the SunONE Directory Server.
Set up appropriate ACLs allowing read, add, or modify access rights on the subscribed domains.
During import operations, you would privilege the Oracle Internet Directory user orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory to update the subscribed domain in Oracle Internet Directory.
For example, assuming that no ACLs are applied to the domain of interest, the following LDIF sample can be used. In this file, the domain of interest is Synchronization_domain_in_OID.
ACL in OID:
dn: Synchronization_domain_in_OID
changetype: modify
add: orclaci
orclaci: access to entry by "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)
On the other hand, the privileges can also be granted to the group cn=odipgroup,cn=odi,cn=oracle internet directory, of which the profile is a member. However, remember that, when privileges are granted to the group, all members of the group are, intentionally or not, granted those privileges.
During import operations, the user specified by the Connected Directory Account attribute in the integration profile must have:
During export operations, the user specified by the Connected Directory Account attribute in the integration profile must have:
Follow these steps:
Update the profile's lastchangenumber value. You can do this by using the Directory Integration and Provisioning Assistant:
dipassistant mp -profile profile_name -updlcn
Verify that change logging is enabled in Oracle Internet Directory, that is, that the corresponding configuration attribute is set to TRUE. If it is set to FALSE, then shut down the Oracle Internet Directory server and start it with the change log enabled by using the OID Control Utility.
Similarly, verify that change logging is enabled in SunONE Directory Server.
If you are storing passwords only in SunONE Directory Server and do not want to synchronize them with Oracle Internet Directory, then, to authenticate SunONE Directory Server users from Oracle Internet Directory, you must use the SunONE Directory Server external authentication plug-in.
This section tells how to install, delete, enable, and disable the SunONE Directory Server external authentication plug-in by using the command line. You can perform these operations, except for installation, by using Oracle Directory Manager as described in "Registering and Managing Plug-ins by Using Oracle Directory Manager".
To install the plug-in, run the script $ORACLE_HOME/ldap/admin/oidspipi.sh.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
http://sources.redhat.com
http://www.datafocus.com/
To execute oidspipi.sh, enter:
cd $ORACLE_HOME/ldap/admin
oidspipi.sh
If you are using the Windows operating system, then execute oidspipi.sh after you have installed the UNIX emulation utility by entering:
sh oidspipi.sh
When specifying the wallet location on the Microsoft Windows operating system, add an additional backslash (\) to each backslash. For example, if the wallet location is D:\storage\wallet, then enter D:\\storage\\wallet.
orcladmin). This value is required.
cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this value for the Plug-in Request Group DN, then only requests coming from Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values, separated by semicolons (;). This value is not required, but, for security purposes, it should be specified.
(&(objectclass=inetorgperson)(cn=orcladmin)), then any entry under the user container specified in item 10 that has the attribute values cn=orcladmin and objectclass=inetorgperson will not be authenticated to SunONE Directory Server.
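Added example, not Oracle's own code: a Python model of how the user container, the Plug-in Request Group DN list and the exclusion filter together decide which bind requests are handed to SunONE, so that an administrator can check a planned configuration before installing. The user container DN, the requester's group membership, and the reading that a request "comes from" a group when the requester DN is one of its members are assumptions made for the illustration.

```python
# Added example, not Oracle's own code: models the three installation settings
# the guide describes (user container, Plug-in Request Group DN list, exclusion
# filter) to decide which bind requests the external authentication plug-in
# would forward to SunONE. Container DN and group membership are constructed.

USER_CONTAINER = "cn=users,dc=example,dc=com"                     # assumed value
REQUEST_GROUP_DNS = "cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext"
EXCLUSION_FILTER = "(&(objectclass=inetorgperson)(cn=orcladmin))"
# Constructed membership: lower-cased group DN -> set of lower-cased member DNs.
GROUP_MEMBERS = {"cn=oracleusersecurityadmins,cn=groups,cn=oraclecontext":
                 {"cn=orasso,cn=users,dc=example,dc=com"}}

def parse_filter(s, i=0):
    """Parse the LDAP filter subset used here: (attr=value) and the &, |, ! operators.
    Returns (tree, index just past the filter)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1            # skip the closing ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value.lower()), j + 1

def matches(tree, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    op = tree[0]
    if op == "=":
        return tree[2] in [v.lower() for v in entry.get(tree[1], [])]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    return not matches(tree[1][0], entry)   # '!'

def forwards_to_sunone(requester_dn, entry_dn, entry):
    """True when a bind on entry_dn issued by requester_dn would be handed to SunONE."""
    groups = [g.strip().lower() for g in REQUEST_GROUP_DNS.split(";") if g.strip()]
    if groups and not any(requester_dn.lower() in GROUP_MEMBERS.get(g, ()) for g in groups):
        return False   # not a request from a configured request group
    if not entry_dn.lower().endswith("," + USER_CONTAINER.lower()):
        return False   # entry lies outside the user container
    if matches(parse_filter(EXCLUSION_FILTER)[0], entry):
        return False   # excluded entries are authenticated locally
    return True
```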
To delete the SunONE Directory Server plug-in by using Oracle Directory Manager, follow the instructions in "Deleting a Plug-in by Using Oracle Directory Manager".
To delete the SunONE Directory Server plug-in by using command-line tools, use these commands:
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ipwhencompare,cn=plugin,cn=subconfigsubentry"
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ipwhenbind,cn=plugin,cn=subconfigsubentry"
To enable the SunONE Directory external authentication plug-in by using Oracle Directory Manager, follow the instructions in "Editing a Plug-in by Using Oracle Directory Manager" and set the Plug-in Enable field to 1.
To enable the SunONE Directory Server external authentication plug-in by using command-line tools, enter the following commands:
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
To disable the SunONE Directory Server external authentication plug-in by using Oracle Directory Manager, follow the instructions in "Editing a Plug-in by Using Oracle Directory Manager" and set the Plug-in Enable field to 0.
To disable the SunONE Directory Server external authentication plug-in by using command-line tools, enter the following commands:
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 0
EOF
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 0
EOF
If you are experiencing unknown errors, then you can enable plug-in debugging. To do this, enter:
sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, connect as the ods user and run the query:
sqlplus ods/ods
select * from plg_debug_log order by id;
To delete the plug-in debugging log, enter:
sqlplus ods/ods
truncate table plg_debug_log;
To disable plug-in debugging, enter:
sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
Note: If you need to change the plug-in setup--that is, the information you entered in the installation steps--then you can rerun the installation script. Before you rerun the script, delete the SunONE Directory external authentication plug-in by following the instructions in "Deleting the SunONE Directory External Authentication Plug-in".
To start synchronization, set the profileStatus attribute to ENABLE in either Oracle Directory Manager or the Directory Integration and Provisioning Assistant.
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.