Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Integration with SunONE (iPlanet) Directory Server, 4 of 7


Configuring the SunONE Connector

This section explains the tasks to configure the SunONE connector. It contains these topics:

Task 1: Configure the Integration Profile for the SunONE Connector

Integration profile templates for synchronization with the SunONE Directory Server are created in the Oracle directory server as a part of the installation process.

There are two default integration profiles:

These are simply templates to be customized to meet the needs of your deployment.

Customizing the Default Integration Profiles

To customize the default integration profiles, you can use a shell script, the Directory Integration and Provisioning Assistant, or Oracle Directory Manager. Configure separate profiles for import and export operations.

Configuring the Default Integration Profile through the script iplanetconfig.sh

Use this method when:

At the end of synchronization, user and group objects synchronized from the SunONE Directory Server are visible to Oracle components integrated with the Oracle Application Server infrastructure.

The script iplanetconfig.sh resides in $ORACLE_HOME/ldap/odi/admin. Run this script as follows:

iplanetconfig.sh -oidport port -oidhost host

The script then prompts you for the following:

Once you have entered the parameter values, iplanetconfig.sh invokes the Directory Integration and Provisioning Assistant to set up the SunONE Directory Server connection information and mapping rules information in the default SunONE Directory Server integration profiles.

Configuring the Default Integration Profile by Using the Directory Integration and Provisioning Assistant or Oracle Directory Manager

Use this method when:

To configure the directory integration profile by using this method, follow these steps:

  1. Configure the mapping rules as described in "Configuring Mapping Rules".

  2. Update the default parameters as described in "Updating the Default Parameters".

  3. Bootstrap the directories as described in "Task 3: Prepare Both Directories for Synchronization". The default mapping file for bootstrapping should follow the iplanetimp.map.master file; when you make changes, use that file as the sample.

  4. Configure password synchronization. The default mapping rules are not appropriate for password synchronization between the SunONE Directory Server and Oracle Internet Directory.

    If Oracle Internet Directory and the SunONE Directory Server use the same password hashing technique, then insert the following mapping rule into the mapping file and upload the mapping file to the profile.

    Userpassword: : :person:userpassword: :person


    If the two directories do not use the same hashing technique, then the same mapping rule works when the Oracle directory integration and provisioning server and the directory integration profile are configured in SSL mode 2--that is, server-only authentication.

Configuring the Default Integration Profile for Two-Way Synchronization

To avoid having the same changes synchronized back and forth between the directories, use either Oracle Directory Manager or the Directory Integration and Provisioning Assistant to set the filter attributes for the connected directory and for Oracle Internet Directory.

In the import profile, set the connected directory filter as follows:

modifiersname != DN of the user account with which changes are made by the export profile in SunONE

In the export profile, set the Oracle Internet Directory filter as follows:

modifiersname != orclodipagentname=import profile name,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory

Configuring Mapping Rules

The default profiles have the default mapping rules for mapping the user and group attributes and object classes in SunONE Directory Server to those on Oracle Internet Directory. These mapping rules assume that no user- and group-specific schema changes have been made to either directory after installation. If there are such changes, then they must be appropriately reflected in the mapping files.

To verify and modify the mapping rules, do the following:

  1. Decide which domains, or containers, you want to synchronize. In the case of SunONE Directory Server, the container to be specified for synchronization can be any naming context in the directory.

  2. Decide on the objects--that is, the types of entries--to be synchronized. In an identity management environment these are typically user and group entries.

  3. Identify the attributes and how you want to map them between the directories during synchronization.

  4. Generate a mapping file with appropriate mapping rules.

    See Also:

    "Format of the Mapping Rules Attribute" for instructions on creating mapping rules and for sample mapping files

Updating the Default Parameters

Once the mapping file is generated, you can update the parameters in the default integration profile by using either Oracle Directory Manager or the Directory Integration and Provisioning Assistant. Table B-20 lists the attributes in the default integration profile for third-party directories. Some of those attributes, listed in Table 42-1, have values specific to integration with the SunONE Directory Server.

Table 42-1  Default Attribute Values in the SunONE Directory Server Integration Profile

Attribute: Profile Name (orclodipAgentName)

  Value: The default value for the import profile is iPlanetImport.

    The default value for the export profile is iPlanetExport.

    This attribute is mandatory.

Attribute: Connected Directory URL (orclOdipConDirURL)

  Value: Connect details required to connect to the connected directory. This parameter refers to the host name and port number as host:port:sslmode.

    To connect by using SSL, enter host:port:1.

    Make sure the certificate to connect to the directory is stored in the wallet, the location of which is specified in the file odi.properties.

    Note: To connect to SunONE Directory Server by using SSL, the server certificate needs to be loaded into the wallet.

    See Also: The chapter on Oracle Wallet Manager in Oracle Advanced Security Administrator's Guide

Attribute: Mapping Rules (orclOdipAttributeMappingRules)

  Value: Attribute for storing the mapping rules. Store the mapping rules in a file by using the Directory Integration and Provisioning Assistant or the ldapuploadagentfile.sh tool.

    See Also:

Attribute: Connected Directory Account (orclodipConDirAccessPassword)

  Value: Password to be used by the user specified in the orclOdipConDirAccessAccount attribute to connect to the connected directory. For the SunONE synchronization connector, it is the valid bind password in the SunONE Directory Server.

Attribute: Connected Directory Account (orclodipConDirAccessAccount)

  Value: If the changes are to be imported from SunONE Directory Server to Oracle Internet Directory, then this user account should have privileges to read the SunONE Directory Server change log container.

    If the changes in Oracle Internet Directory are to be exported to SunONE Directory Server, then the user must have privileges to add and modify in the synchronization domain.

    Note: Create a user account in SunONE Directory Server exclusively for the SunONE connector for synchronizing.

Attribute: Agent Execution Command (orclodipAgentExeCommand)

  Value: This field must be empty.

    See Also:

Task 2: Configure Access Control Lists

Set up appropriate ACLs allowing read, add, or modify access rights on the subscribed domains.

During import operations, grant the Oracle Internet Directory user orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory the privileges needed to update the subscribed domain in Oracle Internet Directory.

For example, assuming that no ACLs are applied to the domain of interest, the following LDIF sample can be used. In this file, the domain of interest is Synchronization_domain_in_OID.

ACL in OID:

dn: Synchronization_domain_in_OID
changetype: modify
add: orclaci
orclaci: access to entry by "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)

Alternatively, the privileges can be granted to the group cn=odipgroup,cn=odi,cn=oracle internet directory, of which the profile is a member. Remember, however, that when privileges are granted to the group, every member of the group receives them, whether or not that is intended.
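The ACL sample above wraps its long orclaci values across several lines for display, but ldapmodify needs each value on one logical line. The following script is an added example, not code from the Oracle guide: it generates the same import-profile ACL for a domain DN supplied by the caller, folding the values with LDIF continuation lines, and defaults to granting the rights to the profile DN rather than to cn=odipgroup. The domain DN dc=example,dc=com is a constructed placeholder, and the assumption that ldapmodify reads LDIF on standard input follows the guide's own heredoc usage.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: generate (and optionally apply) the
# import-profile ACL for a synchronization domain in Oracle Internet Directory.
# Long orclaci values are folded with LDIF continuation lines (a leading space)
# so that ldapmodify sees each value as one logical line.
# Assumptions (mine, not the guide's): the domain DN is passed in by the caller;
# ldapmodify accepts LDIF on standard input, as in the guide's examples.

# Subject the import profile binds as (value taken from the guide).
IMPORT_PROFILE_DN='orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory'

# Broader alternative named in the guide: every member of this group receives
# the same rights, so prefer the profile DN above unless that is intended.
ODIP_GROUP_DN='cn=odipgroup,cn=odi,cn=oracle internet directory'

# build_import_acl_ldif DOMAIN_DN [SUBJECT_DN]
# Prints one LDIF modify record adding two orclaci values to DOMAIN_DN:
# browse/add/delete on entries and read/search/write/compare on all attributes,
# granted to SUBJECT_DN (default: the import profile, the least-privilege choice).
build_import_acl_ldif() {
    domain=$1
    subject=${2:-$IMPORT_PROFILE_DN}
    printf 'dn: %s\n' "$domain"
    printf 'changetype: modify\n'
    printf 'add: orclaci\n'
    # A continuation line starts with one space that LDIF strips, so a second
    # space is kept to separate the subject from the permission list.
    printf 'orclaci: access to entry by "%s"\n  (browse,add,delete)\n' "$subject"
    printf 'orclaci: access to attr=(*) by "%s"\n  (read,search,write,compare)\n' "$subject"
}

# unfold_ldif: joins continuation lines back into logical lines, which is how
# the server interprets the record; used to review the generated ACL.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (NR > 1) print buf; buf = $0 }
        END   { print buf }
    '
}

# apply_import_acl HOST PORT PASSWORD DOMAIN_DN [SUBJECT_DN]
# Applies the record to a live server as cn=orcladmin, with the same
# ldapmodify switches the guide uses. Not called in this script.
apply_import_acl() {
    build_import_acl_ldif "$4" "$5" |
        ldapmodify -h "$1" -p "$2" -D cn=orcladmin -w "$3"
}

# Preview for a constructed domain DN; nothing is sent to a server here.
build_import_acl_ldif 'dc=example,dc=com' | unfold_ldif
```

To grant the rights to the group instead, pass `"$ODIP_GROUP_DN"` as the second argument of `build_import_acl_ldif`; the preview through `unfold_ldif` shows exactly what the server will store, so review it before calling `apply_import_acl`.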

During import operations, the user specified by the Connected Directory Account attribute in the integration profile must have:

During export operations, the user specified by the Connected Directory Account attribute in the integration profile must have:

Task 3: Prepare Both Directories for Synchronization

Follow these steps:

  1. Before the start of synchronization, make the data in the domains of interest equivalent. You can do this by using the Directory Integration and Provisioning Assistant with the bootstrap option. Bootstrapping is described in Chapter 37, "Bootstrapping of a Directory in the Oracle Directory Integration and Provisioning Platform".

  2. If you have used LDIF file-based bootstrapping, then you must initialize the lastchangenumber value. You can do this by using the Directory Integration and Provisioning Assistant:

    dipassistant mp -profile profile_name -updlcn
    
    
  3. At the end of bootstrapping, be sure that the change logging option for the Oracle directory server is set to the default, namely, TRUE. If it is set to FALSE, then shut down the Oracle Internet Directory server and restart it with change logging enabled by using the OID Control Utility.

    Similarly, verify that change logging is enabled in SunONE Directory Server.

    See Also:

Task 4: (Optional) Configure the SunONE Directory Server External Authentication Plug-in

If you are storing passwords only in SunONE Directory Server and do not want to synchronize them with Oracle Internet Directory, then, to authenticate SunONE Directory Server users from Oracle Internet Directory, you must use the SunONE Directory Server external authentication plug-in.

This section tells how to install, delete, enable, and disable the SunONE Directory Server external authentication plug-in by using the command line. You can perform these operations, except for installation, by using Oracle Directory Manager as described in "Registering and Managing Plug-ins by Using Oracle Directory Manager".


Note:

The SunONE Directory Server external authentication plug-in can be configured to authenticate against only one SunONE Directory Server.


Installing the SunONE Directory Server External Authentication Plug-in

To install the plug-in:

  1. Execute $ORACLE_HOME/ldap/admin/oidspipi.sh.


    Note:

    To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:


    To execute oidspipi.sh, enter:

    cd $ORACLE_HOME/ldap/admin
    oidspipi.sh
    
    

    If you are using the Windows operating system, then execute oidspipi.sh after you have installed the UNIX emulation utility by entering:

    sh oidspipi.sh
    
  2. Enter the SunONE Directory Server host name. This is the SunONE Directory Server to which you are going to synchronize. This value is required.

  3. Choose whether to use an SSL connection.

    When specifying the wallet location on the Microsoft Windows operating system, add an additional backslash (\) before each backslash. For example, if the wallet location is D:\storage\wallet, then enter D:\\storage\\wallet.

  4. Enter the SunONE Directory Server port number.

  5. Enter the database connect string.

  6. Enter the ODS password. The default ODS password is the same as that set for the Oracle Application Server administrator during installation.

  7. Enter Oracle directory server host name. This value is required.

  8. Enter Oracle directory server port number. The default port is 389.

  9. Enter the password of the Oracle administrator (orcladmin). This value is required.

  10. Enter the distinguished name of the container to which the plug-in needs to be applied. Every entry in this container will be authenticated against SunONE Directory Server. Note that this need not necessarily be the User Search Base supplied in Oracle Internet Directory Self-Service Console. All the users under this search base are authenticated externally to the SunONE Directory Server. If more than one value is specified, then use semi-colons (;) to separate them.

  11. Enter the Plug-in Request Group DN. For security reasons, the plug-in can be invoked only by users belonging to this group. For example, suppose that the Oracle Application Server Single Sign-On administrators are in the group cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this value for the Plug-in Request Group DN, then only requests coming from Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values. Use a semicolon (;) to separate them. This value is not required, but, for security purposes, it should be specified.

  12. Enter the value of the entry that is to be excluded from authentication to SunONE Directory Server. This value is the exception to item 10. You need to enter the value in the standard ldapsearch filter format. For example, if you specify the value (&(objectclass=inetorgperson)(cn=orcladmin)), then any entry under the user container specified in item 10 that has the cn=orcladmin and objectclass=inetorgperson attribute value will not be authenticated to SunONE Directory Server.

  13. Specify whether you want to back up the SunONE Directory Server for failover.

Deleting the SunONE Directory External Authentication Plug-in

To delete the SunONE Directory Server plug-in by using Oracle Directory Manager, follow the instructions in "Deleting a Plug-in by Using Oracle Directory Manager".

To delete the SunONE Directory Server plug-in by using command-line tools, use these commands:

ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ipwhencompare,cn=plugin,cn=subconfigsubentry"

ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ipwhenbind,cn=plugin,cn=subconfigsubentry"

Enabling the SunONE Directory External Authentication Plug-in

To enable the SunONE Directory external authentication plug-in by using Oracle Directory Manager, follow the instructions in "Editing a Plug-in by Using Oracle Directory Manager" and set the Plug-in Enable field to 1.

To enable the SunONE Directory Server external authentication plug-in by using command-line tools, enter the following commands:

ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

Disabling the SunONE Directory Server External Authentication Plug-in

To disable the SunONE Directory Server external authentication plug-in by using Oracle Directory Manager, follow the instructions in "Editing a Plug-in by Using Oracle Directory Manager" and set the Plug-in Enable field to 0.

To disable the SunONE Directory Server external authentication plug-in by using command-line tools, enter the following commands:

ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 0
EOF

ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF
dn: cn=ipwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 0
EOF
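The enable and disable procedures above each consist of two ldapmodify runs, one per plug-in entry, and the plug-in only behaves consistently when both entries carry the same orclpluginenable value. The script below is an added example, not code from the Oracle guide: it emits both modify records in a single LDIF document, refuses any value other than 0 or 1, and parses ldapsearch output for the two entries to report whether the plug-in is enabled, disabled, or in a mixed state. The entry DNs and the orclpluginenable attribute are taken from the guide; the ldapsearch switches (-b, -s one, a filter and an attribute list) are my assumption about the command-line tool, and the sample search output is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: toggle both halves of the SunONE
# external authentication plug-in (the ipwhencompare and ipwhenbind entries)
# in one ldapmodify run, and check afterwards that the two entries agree, since
# enabling one but not the other leaves bind and compare behaving differently.
# Assumptions (mine): ldapsearch takes the usual -h/-p/-D/-w/-b/-s switches;
# the entry DNs and the orclpluginenable attribute are the ones the guide shows.

PLUGIN_BASE='cn=plugin,cn=subconfigsubentry'
PLUGIN_DNS="cn=ipwhencompare,$PLUGIN_BASE
cn=ipwhenbind,$PLUGIN_BASE"

# build_plugin_toggle_ldif 0|1
# Prints two LDIF modify records (separated by a blank line) that set
# orclpluginenable on both plug-in entries; rejects any other value.
build_plugin_toggle_ldif() {
    case $1 in
        0|1) ;;
        *) echo 'build_plugin_toggle_ldif: value must be 0 or 1' >&2; return 1 ;;
    esac
    sep=
    for dn in $PLUGIN_DNS; do
        printf '%sdn: %s\nchangetype: modify\nreplace: orclpluginenable\norclpluginenable: %s\n' \
            "$sep" "$dn" "$1"
        sep='
'
    done
}

# plugin_state SEARCH_OUTPUT
# Reads ldapsearch output for the two entries and prints enabled, disabled,
# mixed (the entries disagree) or unknown (fewer than two values found, for
# example because the plug-in entries have been deleted).
plugin_state() {
    printf '%s\n' "$1" | awk '
        /^orclpluginenable:/ { seen[$2] = 1; n++ }
        END {
            if (n < 2) { print "unknown" }
            else if (seen["1"] && !seen["0"]) { print "enabled" }
            else if (seen["0"] && !seen["1"]) { print "disabled" }
            else { print "mixed" }
        }'
}

# set_plugin_enable HOST PORT PASSWORD 0|1   (live change as cn=orcladmin)
set_plugin_enable() {
    build_plugin_toggle_ldif "$4" |
        ldapmodify -h "$1" -p "$2" -D cn=orcladmin -w "$3"
}

# current_plugin_state HOST PORT PASSWORD   (live check of both entries)
current_plugin_state() {
    plugin_state "$(ldapsearch -h "$1" -p "$2" -D cn=orcladmin -w "$3" \
        -b "$PLUGIN_BASE" -s one '(cn=ipwhen*)' orclpluginenable)"
}

# Constructed ldapsearch output (not captured from a real server) in which
# only the compare half was enabled; plugin_state reports it as "mixed".
SAMPLE_SEARCH_OUTPUT="dn: cn=ipwhencompare,$PLUGIN_BASE
orclpluginenable: 1

dn: cn=ipwhenbind,$PLUGIN_BASE
orclpluginenable: 0"

build_plugin_toggle_ldif 1
plugin_state "$SAMPLE_SEARCH_OUTPUT"
```

A typical sequence against a live server is `set_plugin_enable host port password 0` followed by `current_plugin_state host port password`, which should print `disabled`; a `mixed` result means one of the two modify records did not apply and the plug-in should not be relied on until both entries agree.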

Enabling and Disabling SunONE Directory External Authentication Plug-in Debugging

If you are experiencing unknown errors, then you can enable plug-in debugging. To do this, enter:

sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls

To check the plug-in debugging log, enter:

sqlplus ods/ods
select * from plg_debug_log order by id;

To delete the plug-in debugging log, enter:

sqlplus ods/ods
truncate table plg_debug_log;

To disable the plug-in debugging, enter:

sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls


Note:

If you need to change the plug-in setup--that is, the information you entered in the installation steps--then you can rerun the installation script. Before you rerun the script, delete the SunONE Directory external authentication plug-in by following the instructions in "Deleting the SunONE Directory External Authentication Plug-in".


See Also:
  • "Protection of User Passwords for Directory Authentication" for a list of the hashing algorithms that Oracle Internet Directory supports for password protection

  • SunONE Directory Server documentation for instructions on how to set the appropriate hashing algorithm for passwords in SunONE Directory Server

Task 5: Start the Synchronization

To start synchronization:

  1. Enable the profile by setting the profileStatus attribute to ENABLE in either Oracle Directory Manager or the Directory Integration and Provisioning Assistant.

  2. Start the Oracle directory integration and provisioning server by using the OID Control Utility (oidctl) with the appropriate configuration set entry in which the profile is stored.


Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.