|
Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) Part No. B14085-01 |
|
 Previous |
 Next |
|
Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) Part No. B14085-01 |
|
|
Previous |
Next |
This chapter explains how to integrate the Oracle Identity Management infrastructure with SunONE Directory Server (Netscape Directory Server and iPlanet Directory Server) by using the SunONE connector in Oracle Directory Integration and Provisioning.
|
Note: This chapter assumes that you have read Chapter 15, "Considerations for Integrating with Third-Party Directories" and made the necessary deployment decisions and basic configurations. |
This chapter contains these topics:
The SunONE connector includes a synchronization component that is driven by the Oracle directory integration and provisioning server. This component maintains consistency between the directories by:
Importing data and incremental changes from an SunONE Directory Server into Oracle Internet Directory
Exporting data and incremental changes from Oracle Internet Directory into an SunONE Directory Server
The SunONE Directory Server and Oracle Internet Directory support similar hashing techniques for storing passwords. If the mapping rules are configured appropriately, then the SunONE connector can synchronize passwords, the same as any other attribute. In this case, passwords are in the hashed format. However, if you store passwords only in the SunONE Directory Server, use the SunONE Directory Server external authentication plug-in discussed in this chapter.
|
Note: Oracle Internet Directory 10g Release 2 (10.1.2) can synchronize with Netscape Directory Server Release 4.13 and SunONE (iPlanet) Directory Server Releases 5.0, 5.1, and 5.2 |
|
See Also:
|
This section contains these topics:
Synchronization Between Oracle Internet Directory and SunONE Directory Server
Synchronization of Deletions from SunONE Directory Server to Oracle Internet Directory
Synchronization with SunONE Directory Server is based on reading incremental changes from the source directory to the destination directory. If changes are to be made in both directories, then both directories need to have change logging enabled.
|
See Also:
|
If you want to synchronize deletions, and the mapping rules have mandatory attributes, then be sure that the tombstone is configured correctly.
To verify that the tombstone is configured in SunONE Directory Server, execute the following command:
$ORACLE_HOME/bin/ldapsearch -h connected_directory_host -p connected_directory_port -D connected_directory_account -w connected_directory_password -b source_domain -s sub "objectclass=nstombstone"
This returns information on all deleted entries.
|
See Also: SunONE documentation for details about configuring tombstones |
|
Note: Tombstones are automatically configured on the SunONE Directory Server if replication is enabled. |
Oracle components are clients of Oracle Internet Directory. However, in an integrated environment, you have the option of storing security credentials for those components in an external repository —in this case, SunONE Directory Server—rather than in Oracle Internet Directory. When security credentials are stored in an external repository, user authentication to an Oracle component happens in the external repository and not in Oracle Internet Directory.
To communicate with the external repository, the Oracle component relies on the Oracle directory server. The Oracle directory server, in turn, uses a plug-in that can access the external repository. The entire authentication process is transparent to the Oracle components, which perceive all the LDAP requests as being handled by the Oracle directory server.
To verify a user's security credentials, an Oracle component can, by way of the Oracle directory server, send to the external repository a simple bind with a request for one of the following:
Non-SSL ldapbind
SSL ldapbind
ldapcompare
When an Oracle directory server has the plug-in configured and enabled, the following process occurs to authenticate a user to an Oracle component.
The user seeks access to an Oracle component.
The Oracle component, which is a client of Oracle Internet Directory, receives the authentication request, and passes to the Oracle directory server either an ldapbind or ldapcompare request.
The Oracle directory server passes the control to the plug-in.
The plug-in issues the request to the external repository.
The plug-in obtains the results of that request and passes the results back to the Oracle directory server.
The Oracle directory server passes the results back to client application, which then grants or denies access to the user.
This section explains the tasks to configure the SunONE connector. It contains these topics:
Task 1: Configure the Synchronization Profiles for the SunONE Connector
Task 4: (Optional) Configure the SunONE Directory Server External Authentication Plug-in
The following two default Integration profiles for synchronization with the SunONE Directory Server are created in the Oracle directory server as a part of the installation process:
iPlanetImport—for importing entries and changes from the SunONE Directory Server by using the directory synchronization approach
iPlanetExport—for exporting changes from Oracle Internet Directory to SunONE Directory Server
Although you can enable synchronization with the SunONE Directory Server by customizing the default iPlanetImport and iPlanetExport integration profiles, the recommended approach is to create new profiles based on the default integration profiles. You can use either the Directory Integration and Provisioning Assistant's createprofilelike command or the Oracle Directory Integration and Provisioning Server Administration tool to create new profiles based on existing profiles.
To use the Directory Integration and Provisioning Assistant's createprofilelike command to create new profiles based on the existing default integration profiles, use the following syntax:
dipassistant createprofilelike [-h hostName] [-p port] [-D bindDn] [-w password] -profile origProfName -newprofile newProfName
Use the preceding command to make copies of both the iPlanetImport and iPlanetExport integration profiles.
To use the Oracle Directory Integration and Provisioning Server Administration to create new profiles based on the existing default integration profiles:
Launch the Oracle Directory Integration and Provisioning Server Administration tool by entering:
$ORACLE_HOME/bin/dipassistant -gui
In the navigator pane, expand directory_integration_and_provisioning_server, then expand Integration Profile Configuration.
Select the configuration set, and, in the right pane, choose Create. The Integration Profiles window appears.
This window is described in "Integration Profiles".
In the Integration Profile window, select the IplanetImport or IplanetExport profile, and then choose Create Like. The General tab of the Integration Profile window appears.
This tab is described in "General".
Enter a name for the new profile and make any additional changes in the General tab or other tabs in the Integration Profile window to finish customizing the profile.
Choose OK.
You must update the SunONE Directory server connection details in the synchronization profiles as follows:
Create a user account in the SunONE Directory server with administrative privileges. Oracle Directory Integration and Provisioning will use this account to connect to SunONE Directory server. You must grant sufficient privileges to perform both import and export operations.
For Import Operations from SunONE Directory Server: Grant the user account the following permissions:
Permissions to read the change log entry
Permissions to read the tombstone
Permissions to read the entries under the container to be synchronized
For Export Operations to SunONE Directory Server: Grant the user account write permission to the subtree root that is the parent of all the containers to which the Oracle directory integration and provisioning server will export users.
Update the connection details in the odip.profile.condirurl, odip.profile.condiraccount, and odip.profile.condirpassword properties of the synchronization profiles. You can use either the Directory Integration and Provisioning Assistant or the Oracle Directory Integration and Provisioning Server Administration tool.
Use this method when:
The SunONE Directory Server has no custom schema changes to the objects to be synchronized—that is, the user and group object attributes and object classes are the default ones
No custom schema elements have been added to the user or group object attributes and object classes
At the end of synchronization, user and group objects synchronized from the SunONE Directory Server are visible to Oracle components integrated with the Oracle Application Server infrastructure.
The script iplconfig.sh resides in $ORACLE_HOME/ldap/odi/admin. It prompts you for the following:
Oracle Internet Directory super user DN and password
SunONE Directory Server URL (host:port)
SunONE Directory Server user account and password to be used by the SunONE connector
SunONE Directory Server domain to be synchronized
Once you have entered the parameter values, iplconfig.sh invokes the Directory Integration and Provisioning Assistant to set up the SunONE Directory Server connection information and mapping rules information in the default SunONE Directory Server integration profiles.
The default mapping rules are not appropriate for password synchronization between the SunONE Directory Server and Oracle Internet Directory.
If Oracle Internet Directory and the SunONE Directory Server use the same password hashing technique, then insert the following mapping rule to the mapping file and upload the mapping file to the profile.
Userpassword: : :person:userpassword: :person
If the two directories do not use the same hashing technique, then the same mapping rule works when the Oracle directory integration and provisioning server and the directory integration profile are configured in SSL mode 2—that is, server-only authentication.
If you have two-way synchronization enabled, then you need to avoid having the same changes synchronized back and forth between the directories by setting the filter attributes for the connected directory and for Oracle Internet Directory. You can use either the Oracle Directory Integration and Provisioning Server Administration tool or the Directory Integration and Provisioning Assistant to perform this task.
In the import profile, set the connected directory filter as follows:
modifiersname != <DN of the user account with which changes are made by the export profile in SunONE>
In the export profile, set the Oracle Internet Directory filter as follows:
modifiersname != orclodipagentname=<import profile name>,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
The default profiles have the default mapping rules for mapping the user and group attributes and object classes in SunONE Directory Server to those on Oracle Internet Directory. These mapping rules assume that no user- and group-specific schema changes have been made to either directory after installation. If there are such changes, then they must be appropriately reflected in the mapping files.
To verify and modify the mapping rules, do the following:
Decide which domains, or containers, you want to synchronize. In the case of SunONE Directory Server, the container to be specified for synchronization can be any naming context in the directory.
Decide on the objects—that is, the types of entries—to be synchronized. In an identity management environment these are typically user and group entries.
Identify the attributes and how you want to map them between the directories during synchronization.
Generate a mapping file with appropriate mapping rules.
|
See Also: "Configuring Mapping Rules" for instructions on creating mapping rules and for sample mapping files |
Set up appropriate ACLs allowing read, add, or modify access rights on the subscribed domains.
During import operations, you would privilege the Oracle Internet Directory user orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory to update the subscribed domain in Oracle Internet Directory.
For example, assuming that no ACLs are applied to the domain of interest, the following LDIF sample can be used. In this file, the domain of interest is Synchronization_domain_in_OID.
ACL in OID:
dn: Synchronization_domain_in_OID
changetype: modify
add: orclaci
orclaci: access to entry by "orclodipagentname=iPlanetImport,cn=subscriber
profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by "orclodipagentname=iPlanetImport,cn=subscriber
profile,cn=changelog subscriber,cn=oracle internet directory"
(read,search,write,compare)"
On the other hand, the privileges can also be granted to the group cn=odipgroup,cn=odi,cn=oracle internet directory of which the profile is a member. However, remember that, when privileges are granted to the group, all members of the group are, intentionally or not, granted privileges.
During import operations, the user specified by the Connected Directory Account attribute in the integration profile must have read access to the change log and source container in the SunONE Directory Server. During export operations, the user specified by the Connected Directory Account attribute in the integration profile must have write access to the target container in the SunONE Directory Server.
|
See Also: SunONE Directory Server documentation for instructions on how to apply ACLs on the SunONE Directory Server change log container and the SunONE Directory Server subscribed domain |
Follow these steps:
Before the start of the synchronization, make the data in the domains of interest to be equivalent. This can be achieved by the Directory Integration and Provisioning Assistant with the bootstrap option. Bootstrapping is described in Chapter 8, " Bootstrapping of a Directory in Oracle Directory Integration and Provisioning".
If you have used LDIF file-based bootstrapping, then you must initialize the lastchangenumber value. You can do this by using the Directory Integration and Provisioning Assistant:
dipassistant mp –profile profile_name -updlcn
At the end of bootstrapping, be sure that the change logging option for the Oracle directory server is set to the default, namely, TRUE. If it is set to FALSE, then shut down the Oracle Internet Directory server and start with the change log enabled by using the OID Control Utility.
Similarly, verify that change logging is enabled in SunONE Directory Server.
|
See Also:
|
If you are storing passwords only in SunONE Directory Server and do not want to synchronize them with Oracle Internet Directory, then, to authenticate SunONE Directory Server users from Oracle Internet Directory, you must use the SunONE Directory Server external authentication plug-in.
This section tells how to install, delete, enable, and disable the SunONE Directory Server external authentication plug-in by using the command line. You can perform these operations, except for installation, by using Oracle Directory Manager as described in Oracle Internet Directory Administrator's Guide.
|
Note: The SunONE Directory Server external authentication plug-in can be configured to authenticate to only one single SunONE Directory Server. |
To install the plug-in:
Execute $ORACLE_HOME/ldap/admin/oidspipi.sh.
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
To execute oidspipi.sh, enter:
cd $ORACLE_HOME/ldap/admin
oidspipi.sh
If you are using the Windows operating system, then execute oidspipi.sh after you have installed the UNIX emulation utility by entering:
sh oidspipi.sh
Enter the SunONE Directory Server host name. This is the SunONE Directory Server to which you are going to synchronize. This value is required.
Choose whether to use an SSL connection.
When specifying the wallet location on the Microsoft Windows operating system, add an additional backslashes (\). For example, if the wallet location is D: storage\wallet, then enter D:\\storage\\wallet.
Enter the SunONE Directory Server port number.
Enter the database connect string.
Enter the ODS password. The default ODS password is the same as that set for the Oracle Application Server administrator during installation.
Enter Oracle directory server host name. This value is required.
Enter Oracle directory server port number. The default port is 389.
Enter the password of the Oracle administrator (orcladmin). This value is required.
Enter the distinguished name of the container to which the plug-in needs to be applied. Every entry in this container will be authenticated against SunONE Directory Server. Note that this need not necessarily be the User Search Base supplied in Oracle Internet Directory Self-Service Console. All the users under this search base are authenticated externally to the SunONE Directory Server. If more than one value is specified, then use semi-colons (;) to separate them.
Enter the Plug-in Request Group DN. For security reasons, the plug-in can be invoked only by users belonging to this group. For example, suppose that the Oracle Application Server Single Sign-On administrators are in the group cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext. If you enter this value for the Plug-in Request Group DN, then only requests coming from Oracle Application Server Single Sign-On administrators can trigger the external authentication plug-in. You can enter multiple DN values. Use a semicolon (;) to separate them. This value is not required, but, for security purposes, it should be specified.
Enter the value of the entry that is to be excluded from authentication to SunONE Directory Server. This value is the exception to item 10. You need to enter the value in the standard ldapsearch filter format. For example, if you specify the value (&(objectclass=inetorgperson)(cn=orcladmin)), then any entry under the user container specified in item 10 that has the cn=orcladmin and objectclass=inetorgperson attribute value will not be authenticated to SunONE Directory Server.
Specify whether you want to back up the SunONE Directory Server for failover.
To delete the SunONE Directory Server plug-in by using Oracle Directory Manager, follow the instructions in the chapter on the Oracle Internet Directory plug-in framework in Oracle Internet Directory Administrator's Guide.
To delete the SunONE Directory Server plug-in by using command-line tools, use these commands:
ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ipwhencompare,cn=plugin,cn=subconfigsubentry" ldapdelete -h host -p port -D cn=orcladmin -w password "cn=ipwhenbind,cn=plugin,cn=subconfigsubentry"
To enable the SunONE Directory external authentication plug-in by using Oracle Directory Manager, follow the instructions in the chapter on the Oracle Internet Directory plug-in framework in Oracle Internet Directory Administrator's Guide. Set the Plug-in Enable field to 1.
To enable the SunONE Directory Server external authentication plug-in by using command-line tools, enter the following commands:
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF dn: cn=ipwhencompare,cn=plugin,cn=subconfigsubentry changetype: modify replace: orclpluginenable orclpluginenable: 1 EOF
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF dn: cn=ipwhenbind,cn=plugin,cn=subconfigsubentry changetype: modify replace: orclpluginenable orclpluginenable: 1 EOF
To disable the SunONE Directory Server external authentication plug-in by using Oracle Directory Manager, follow the instructions in the chapter on the Oracle Internet Directory plug-in framework in Oracle Internet Directory Administrator's Guide. Set the Plug-in Enable field to 0.
To disable the SunONE Directory Server external authentication plug-in by using command-line tools, enter the following commands:
ldapmodify -h host_name -p port_number -D cn=orcladmin -w password <<EOF dn: cn=ipwhencompare,cn=plugin,cn=subconfigsubentry changetype: modify replace: orclpluginenable orclpluginenable: 0 EOF
ldapmodify -h <host> -p <port> -D cn=orcladmin -w <password> <<EOF dn: cn=ipwhenbind,cn=plugin,cn=subconfigsubentry changetype: modify replace: orclpluginenable orclpluginenable: 0 EOF
If you are experiencing unknown errors, the you can enable the plug-in debugging. To do this, enter:
sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, enter:
sqlplus ods/ods select * from plg_debug_log order by id;
To delete the plug-in debugging log, enter:
sqlplus ods/ods truncate table plg_debug_log
To disable the plug-in debugging, enter:
sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
|
Note: If you need to change the plug-in setup—that is, the information you entered in the installation steps—then you can rerun the installation script. Before you rerun the script, delete the SunONE Directory external authentication plug-in by following the instructions in "Deleting the SunONE Directory External Authentication Plug-in". |
|
See Also:
|
To start synchronization:
Enable the profile by setting the profileStatus attribute to ENABLE in either the Oracle Directory Integration and Provisioning Server Administration tool or the Directory Integration and Provisioning Assistant
Start the Oracle directory integration and provisioning server by using the OID Control Utility (oidctl) with the appropriate configuration set entry in which the profile is stored.
The synchronization process is as follows:
In an import operation, the SunONE connector extracts all the changes from the SunONE Directory Server based on the value specified in the orclodipConDirLastAppliedChgNum attribute. It then applies them to Oracle Internet Directory.
In an export operation, the SunONE connector extracts all the changes from Oracle Internet Directory based on the orclodipLastAppliedChangeNumber and applies them to the SunONE Directory Server.
Once all the changes are read and applied, the appropriate attribute—either orclodipConDirLastAppliedChgNum or orclodipLastAppliedChangeNumber—is updated.
After the execution is finished, the directory integration and provisioning server updates the execution status attributes.
In a deployment with Oracle Internet Directory as the central directory, the following configurations are supported:
Identical DITs on both directories
Synchronization by using domain mapping
Password synchronization. In this environment, synchronization ensures only the creation of footprints on the SunONE Directory Server. Any other configuration changes required to access the user or group entries must be specifically handled by the deployment.
In a deployment with SunONE Directory Server as the central repository, the following configurations are supported:
Identical DITs on both directories
Synchronization by using domain mapping
Password synchronization
Plug-in-based authentication from Oracle Internet Directory
