27 Oracle Directory Integration Platform Concepts and Components
This chapter introduces the Oracle Directory Integration Platform, its components, structure, and administration tools.
What Is the Oracle Directory Integration Platform?
The Oracle Directory Integration Platform enables an enterprise to integrate its applications and other directories with Oracle Internet Directory. It provides all the interfaces and infrastructure for keeping data in Oracle Internet Directory consistent with that in application-specific and connected directories.
For example, an enterprise might need to do the following:
- Synchronize employee records in its Oracle Human Resources database with Oracle Internet Directory. The Oracle Directory Integration Platform provides this synchronization.
- Notify certain LDAP-enabled applications--such as Oracle9iAS Portal--whenever changes are applied to Oracle Internet Directory. The Oracle Directory Integration Platform notifies these applications through a service called provisioning.
Depending on the type of integration needed, the Oracle Directory Integration Platform provides two distinct services:
- The Oracle Directory Synchronization Service, which keeps connected directories consistent with the central Oracle Internet Directory
- The Oracle Directory Provisioning Integration Service, which sends notifications to target applications periodically to reflect changes made to a user's status or information
Figure 27-1 shows the structure of the Oracle Directory Integration Platform.
Figure 27-1 Oracle Directory Integration Platform Structure
Why is the Oracle Directory Integration Platform Needed?
Using Oracle Internet Directory as the central repository for diverse LDAP-enabled applications and connected directories can greatly reduce your time and resource costs for administration. Realizing these benefits requires that these connected entities both receive and provide the necessary information reliably.
The following scenarios show how these needs may arise and how Oracle Directory Integration Platform can enable your enterprise to meet them:
- Synchronization
  - An enterprise wishes to deploy LDAP-enabled applications from Oracle in the presence of a third-party LDAP directory. However, Oracle applications are certified to run against Oracle Internet Directory only. The deployment must therefore synchronize data between Oracle Internet Directory and the third-party directory.
  - An enterprise wishes to deploy a metadirectory solution that integrates several repositories in the enterprise with Oracle Internet Directory, thus requiring synchronization.
- Provisioning
  - An enterprise wishes to deploy certain LDAP-enabled Oracle components such as Oracle9iAS Portal, Oracle Internet File System, and Oracle9iAS Wireless. The user and group provisioning for these components is integrated with Oracle Internet Directory, requiring that they be notified of user or group changes in that repository.
  - An enterprise may be developing and deploying custom relational applications that need to be notified of changes to user and group entries in the central Oracle Internet Directory. This need is met by the provisioning integration service of the Oracle Directory Integration Platform.
Synchronization, Provisioning, and the Difference Between Them
Provisioning has to do with applications. It notifies them of changes to user or group entries or attributes that the application needs to track.
Synchronization has to do with directories rather than applications. It ensures the consistency of entries and attributes that reside in both Oracle Internet Directory and other connected directories.
Synchronization
Synchronization enables you to coordinate changes among Oracle Internet Directory and connected directories. For all directories to both use and provide only the latest data, each directory must be informed of any change made in any connected directory. The goal of synchronization is to share and make consistent any change to directory information, including data elements other than a user's name, group memberships, or privileges.
Whenever you decide to connect a directory to Oracle Internet Directory, a synchronization profile must be created for that specific directory. It specifies the format and content of the notifications between Oracle Internet Directory and the connected directory.
Provisioning
Provisioning enables you to ensure that an application is notified of changes to user or group information. Such changes can affect whether the application allows a user access to its processes and which resources can be used.
Use provisioning when you are designing or installing an application that
- Does not maintain a directory
- Is LDAP-enabled
- Can and should allow only authorized users to access its resources
A provisioning integration profile must be created during application installation. Use the Provisioning Subscription Tool to specify the necessary information and create that profile.
How Synchronization and Provisioning Differ
Provisioning and synchronization have important operational differences as described in Table 27-1.
Table 27-1 Directory Synchronization and Provisioning Integration Distinctions
Oracle Directory Synchronization Service
In the Oracle Directory Integration Platform environment, connected directories are those whose contents are synchronized with Oracle Internet Directory through the Oracle Directory Synchronization Service.
Oracle Internet Directory is the central directory for all information, and all other directories are synchronized with it. This synchronization can be:
- One-way: For example, some connected directories, such as Oracle Human Resources, only supply changes to Oracle Internet Directory; they do not receive changes from it.
- Two-way: Changes in Oracle Internet Directory can be exported to connected directories, and changes in connected directories can be imported into Oracle Internet Directory.
Certain attributes can be targeted or ignored by the synchronization service. For example, employee badge numbers appear in Oracle Human Resources but have no relevance to Oracle Internet Directory, its connected directories, or client applications. You might not want to synchronize them. On the other hand, employee identification numbers do have relevance, and, therefore, you might want to synchronize them.
Figure 27-2 shows the interactions between components in the Oracle Directory Synchronization Service.
Figure 27-2 Interactions of the Oracle Directory Synchronization Service
The central mechanism triggering all such synchronization activities is the Oracle Internet Directory change log. It adds one or more entries for every change to any connected directory, including Oracle Internet Directory. The Oracle Directory Synchronization Service:
- Monitors the change log
- Takes action whenever a change corresponds to one or more synchronization profiles
- Supplies the appropriate change to all other connected directories whose individual profiles correspond to the logged change. Such directories could include, for example, relational databases, Oracle Human Resources, Microsoft Exchange, or Lotus Notes. Synchronization through the Oracle Directory Integration Platform connectors ensures that Oracle Internet Directory remains up-to-date with all the information that Oracle Internet Directory clients need.
Oracle Directory Provisioning Integration Service
The Oracle Directory Provisioning Integration Service requires a provisioning profile for each application that is to be notified of changes in user or group information. Each provisioning profile:
- Uniquely identifies the application and organization to which it applies
- Specifies the users, groups, and operations requiring the application to be notified
The profile must be created when the application is installed, by using the Provisioning Subscription Tool.
When changes in Oracle Internet Directory match the provisioning profile of an application, the Oracle Directory Provisioning Integration Service sends the relevant data to that application.
A legacy application--that is, one that was operational before the Oracle Directory Provisioning Integration Service was installed--did not subscribe in the usual way during installation. To enable such an application to receive provisioning information, a provisioning agent, in addition to the provisioning profile, must be developed. The agent must be specifically designed and built to translate the relevant data from Oracle Internet Directory into the exact format required by the legacy application.
Figure 27-3 shows these interactions, including the special case of a provisioning agent for a legacy application.
Figure 27-3 Interactions of the Oracle Directory Provisioning Integration Service
Oracle Directory Integration Server
The Oracle directory integration server is the shared server process consisting of the Oracle Directory Synchronization Service and the Oracle Directory Provisioning Integration Service. It performs these functions:
- For the Oracle Directory Synchronization Service:
  - Scheduling--Processing a synchronization profile based on a predefined schedule
  - Mapping--Executing rules for converting data between connected directories and Oracle Internet Directory
  - Data propagation--Sending data to connected directories using a connector
  - Error handling
- For the Oracle Directory Provisioning Integration Service:
  - Scheduling--Processing a provisioning profile based on a predefined schedule
  - Event notification--Notifying an application of a relevant change to the user or group data stored in Oracle Internet Directory
  - Error handling
Directory Integration Toolkit
The directory integration toolkit enables third-party vendors and developers to integrate their solutions with the Oracle Directory Integration Platform environment. Such vendors can include providers of metadirectories and provisioning solutions. The toolkit also allows application vendors whose products are based on or use Oracle technology to integrate provisioning of their users and groups with Oracle Internet Directory.
The toolkit includes the following interfaces, tools, and procedures:
- Interfaces for accessing changes in Oracle Internet Directory by clients:
  - IETF standard change log interface
  - Oracle proprietary change log interface
- Interfaces to register or modify directory integration connectors in Oracle Internet Directory, for scheduling or data mapping, using either:
  - Oracle Directory Manager
  - Command-line tools to add and modify data by using an LDIF file configuration
- Tools and procedures for bootstrapping connected directories into the Oracle Directory Integration Platform environment. These enable you to:
  - Bulk import data from LDIF files
  - Bulk export Oracle Internet Directory data into LDIF files
- Interfaces to subscribe to user and group provisioning events--that is, changes--in Oracle Internet Directory
- Interfaces to consume events being sent by the Oracle Directory Provisioning Integration Service
Administration and Monitoring Tools
This section describes the tools you can use to administer the Oracle Directory Integration Platform.
Oracle Directory Manager
Oracle Directory Manager, a Java-based graphical user interface tool, enables you to administer the Oracle Directory Integration Platform by:
- Creating, modifying, and deleting directory integration profiles
- Monitoring the synchronization of directory integration profiles
- Monitoring the status of all Oracle directory integration server instances
OID Control and OID Monitor
OID Control and OID Monitor enable you to start, stop, and monitor the Oracle directory integration server.
In Oracle Internet Directory, you can use OID Control and OID Monitor to control the directory integration server in the ORACLE_HOME where either the Oracle directory server or the Oracle directory integration server is installed.
If the Oracle Internet Directory installation is client-only, then the OID Control utility and OID Monitor are not installed. In this case, start the Oracle directory integration server manually. In this configuration you can still use Oracle Directory Manager to learn the status of the Oracle directory integration server.
Oracle Enterprise Manager
You can use Oracle Enterprise Manager to monitor the status of various integration profiles. This integrated, comprehensive, systems management platform combines a graphical console, agents, common services, and tools to aid you in scheduling, monitoring, and administering your heterogeneous environment.
Example: A Deployment of the Oracle Directory Integration Platform
This section describes a deployment in which the Oracle Directory Integration Platform integrates various applications in the MyCompany enterprise.
Components in the MyCompany Enterprise
This enterprise has the following components:
- Oracle Human Resources system, in which all employees and contractors are managed
- An existing iPlanet Directory Server, which is being used by certain applications
- An installation of Oracle9iAS Portal, which is used as the intranet portal for all employees
- An installation of Oracle Internet File System Release 9.2, which is used as a document repository for all corporate documents
Requirements of the MyCompany Enterprise
The enterprise requires:
- All employees and contractors to be created in Oracle Human Resources. Once created, all applications in the enterprise must share this information through Oracle Internet Directory.
- All applications in the enterprise, including single sign-on services, to be able to honor any employee created in Oracle Human Resources
- Notification to all applications interested in changes to user properties when such changes occur
- Revocation of a user's access rights when the user is terminated in Oracle Human Resources
Overall Deployment in the MyCompany Enterprise
Figure 27-4 illustrates the various components and their relationships to each other.
Figure 27-4 Example of Oracle Directory Integration Platform in the MyCompany Deployment
Figure 27-4 illustrates the following:
- Oracle Internet Directory is the central user repository for all enterprise applications.
- Oracle Human Resources is the source of truth for all user-related information. It is synchronized with Oracle Internet Directory by using the Oracle Directory Synchronization Service.
- iPlanet Directory Server, which is already deployed in the enterprise, is synchronized with Oracle Internet Directory by using the Oracle Directory Synchronization Service.
- Oracle9iAS Portal is notified of changes in Oracle Internet Directory by using the Oracle Directory Provisioning Integration Service.
- Oracle Internet File System is notified of changes in Oracle Internet Directory by using the Oracle Directory Provisioning Integration Service.
User Creation and Provisioning in the MyCompany Enterprise
In this example, the MyCompany enterprise requires that all users be created in Oracle Human Resources. It is the responsibility of the Oracle Directory Integration Platform to propagate new user records to all other repositories in the enterprise.
Figure 27-5 illustrates the various interactions that help the Oracle Directory Integration Platform complete this task.
Figure 27-5 User Creation and Provisioning
Figure 27-5 shows the creation of a new user in Oracle Human Resources, which, in turn, causes an entry for that user to be created in Oracle Internet Directory and the iPlanet Directory Server. It also shows the process of provisioning the user to access two applications in the enterprise: Oracle9iAS Portal and Oracle Internet File System. User creation and provisioning occur in the following manner:
1. The Oracle Human Resources administrator creates the user in the Oracle Human Resources database.
2. The Oracle Directory Synchronization Service detects the new-user creation.
3. The Oracle Directory Synchronization Service creates the entry for the user in Oracle Internet Directory.
4. The Oracle Directory Synchronization Service creates an entry in the iPlanet Directory Server.
5. Since the user entry is available in Oracle Internet Directory, the Oracle9iAS Portal administrator can now provision the user to use the services of Oracle9iAS Portal. During this task, the Oracle9iAS Portal software automatically fetches the user details from Oracle Internet Directory.
6. The Oracle Internet File System administrator also provisions the user to use Oracle Internet File System services by using a similar process.
Note that the Oracle Directory Integration Platform does not directly notify Oracle9iAS Portal or Oracle Internet File System about new users. This is because not all users created in Oracle Human Resources need access to all services. In this case, the deployment must explicitly provision the users to use these services, as in steps 5 and 6.
Modification of User Properties in the MyCompany Enterprise
In this example, the MyCompany enterprise requires that any modification to user properties must be communicated to all components interested in such changes. Figure 27-6 illustrates the actions that Oracle Directory Integration Platform takes to meet this requirement.
Figure 27-6 Modification of User Properties
Figure 27-6 shows the process by which Oracle Directory Integration Platform communicates the modification of user properties to all systems in the enterprise. The process is as follows:
1. The user is first modified in Oracle Human Resources.
2. The Oracle Directory Integration Platform retrieves these changes through the Oracle Directory Synchronization Service.
3. The Oracle Directory Integration Platform makes the corresponding user modification in Oracle Internet Directory.
4. The Oracle Directory Synchronization Service modifies the user in the iPlanet Directory Server.
5. The Oracle Directory Provisioning Integration Service notifies Oracle9iAS Portal about the change in user properties.
6. The Oracle Directory Provisioning Integration Service notifies Oracle Internet File System about the same change in user properties.
Deletion of Users in the MyCompany Enterprise
In this example, the MyCompany enterprise requires that a user being deleted or terminated in Oracle Human Resources should automatically be denied access to all enterprise resources that are based on the directory service.
Figure 27-7 shows the flow of events during the deletion of users:
Figure 27-7 Deletion of Users from the Corporate Human Resources
Figure 27-7 shows the process by which Oracle Directory Integration Platform communicates the deletion of users to all systems in the enterprise. The process is as follows:
1. The user is first deleted in Oracle Human Resources.
2. The Oracle Directory Integration Platform retrieves these changes through the Oracle Directory Synchronization Service.
3. The Oracle Directory Integration Platform makes the corresponding user deletion in Oracle Internet Directory.
4. The Oracle Directory Synchronization Service deletes the user in the iPlanet Directory Server.
5. The Oracle Directory Provisioning Integration Service notifies Oracle9iAS Portal about the deletion of the user.
6. The Oracle Directory Provisioning Integration Service notifies Oracle Internet File System about the deletion of the user.
Once all of the steps are completed, a deleted user in Oracle Human Resources can no longer access Oracle9iAS Portal or Oracle Internet File System.
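The following added example (not Oracle code, and not part of this chapter) models the change-log-driven behaviour described for the Oracle Directory Synchronization Service and the provisioning profiles of the Oracle Directory Provisioning Integration Service, using the MyCompany flows above: a constructed change log is parsed, one-way (Oracle Human Resources) and two-way (iPlanet) synchronization profiles decide what is exported with irrelevant attributes such as badge numbers dropped, and provisioning profiles decide which applications are notified. The profile names, the simplified change-log layout, the operation-only provisioning subscription and the watermark are assumptions made for illustration.

```python
# Constructed change log: changeNumber, targetDN, changeType, then changed attributes.
CHANGELOG = """\
changenumber: 101
targetdn: cn=jdoe,cn=users,dc=mycompany,dc=com
changetype: add
mail: jdoe@mycompany.com
employeenumber: 7731
badgenumber: B-0042

changenumber: 102
targetdn: cn=jdoe,cn=users,dc=mycompany,dc=com
changetype: modify
mail: john.doe@mycompany.com
badgenumber: B-0043

changenumber: 103
targetdn: cn=jdoe,cn=users,dc=mycompany,dc=com
changetype: modify
badgenumber: B-0044

changenumber: 104
targetdn: cn=jdoe,cn=users,dc=mycompany,dc=com
changetype: delete
"""
# Hypothetical profiles. Sync: direction relative to Oracle Internet Directory plus
# attributes irrelevant to that directory. Provisioning: the subscribed operations.
SYNC_PROFILES = {
    "OracleHR": {"direction": "import", "exclude": set()},        # one-way, HR -> OID
    "iPlanet": {"direction": "both", "exclude": {"badgenumber"}},  # two-way
}
PROV_PROFILES = {"Portal": {"modify", "delete"}, "iFS": {"modify", "delete"}}  # no "add"

def parse_changelog(text):  # -> list of dicts with the header keys plus "attrs"
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {"attrs": {}}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key in ("changenumber", "targetdn", "changetype"):
                entry[key] = int(value) if key == "changenumber" else value
            else:
                entry["attrs"][key] = value
        entries.append(entry)
    return sorted(entries, key=lambda e: e["changenumber"])

def route(entries, last_processed=0):
    """Return (actions, watermark) for entries newer than the stored watermark."""
    actions = []
    for e in (x for x in entries if x["changenumber"] > last_processed):
        for name, prof in SYNC_PROFILES.items():
            attrs = {k: v for k, v in e["attrs"].items() if k not in prof["exclude"]}
            # Skip import-only directories, and modifies touching only ignored attributes.
            if prof["direction"] != "import" and (attrs or e["changetype"] != "modify"):
                actions.append(("sync", name, e["changetype"], e["targetdn"], attrs))
        for app, ops in PROV_PROFILES.items():
            if e["changetype"] in ops:
                actions.append(("provision", app, e["changetype"], e["targetdn"], {}))
        last_processed = e["changenumber"]
    return actions, last_processed
```

Running `route(parse_changelog(CHANGELOG))` yields nine actions: the add reaches only iPlanet (without the badge number), the badge-only modify is not exported to any directory, and the delete reaches iPlanet, Portal and iFS, which is the point at which the terminated user loses access.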