Oracle® Identity Management Integration Guide 10g Release 2 (10.1.2)
Part No. B14085-01
Contents
Title and Copyright Information
Send Us Your Comments
Preface
Intended Audience
Documentation Accessibility
Structure
Related Documentation
Conventions
What's New in Oracle Identity Management Integration?
New Features Introduced with Oracle Application Server 10g Release 2 (10.1.2)
New Features Introduced with Oracle Internet Directory 10g (9.0.4)
New Features Introduced with Oracle Internet Directory Release 9.0.2
New Features Introduced with Oracle Internet Directory Release 3.0.1
New Features Introduced with Oracle Internet Directory Release 2.1.1
Part I Getting Started with Oracle Identity Management Integration
1 Introduction to Oracle Identity Management Integration
Why Oracle Identity Management Integration?
Installation Options
Synchronization, Provisioning, and the Difference Between Them
Synchronization
Provisioning
How Synchronization and Provisioning Differ
Components Involved in Oracle Identity Management Integration
Oracle Internet Directory
Oracle Directory Integration and Provisioning Server
Oracle Application Server Single Sign-On
2 Security Features in Oracle Directory Integration and Provisioning
Authentication in Oracle Directory Integration and Provisioning
Secure Sockets Layer (SSL) and Oracle Directory Integration and Provisioning
Oracle Directory Integration and Provisioning Server Authentication
Profile Authentication
Access Control and Authorization and Oracle Directory Integration and Provisioning
Access Controls for the Oracle Directory Integration and Provisioning Server
Access Controls for Profiles
Data Integrity and Oracle Directory Integration and Provisioning
Data Privacy and Oracle Directory Integration and Provisioning
Tools Security and Oracle Directory Integration and Provisioning
Part II General Administration of Oracle Directory Integration and Provisioning
3 Oracle Directory Integration and Provisioning Administration Tools
The Oracle Directory Integration and Provisioning Server Administration Tool
Starting the Oracle Directory Integration and Provisioning Server Administration Tool
Connecting to a Directory Server by Using the Oracle Directory Integration and Provisioning Server Administration Tool
Navigating the Oracle Directory Integration and Provisioning Server Administration Tool
Disconnecting from a Directory Server by Using the Oracle Directory Integration and Provisioning Server Administration Tool
Configuring the Display and Duration of Searches in the Oracle Directory Integration and Provisioning Server Administration Tool
Configuring the Display of ACPs in the Oracle Directory Integration and Provisioning Server Administration Tool
Graphical Tools for Oracle Directory Integration and Provisioning Administration
Oracle Directory Manager
Oracle Internet Directory Self-Service Console
Command-Line Tools for Oracle Directory Integration and Provisioning Administration
OID Control and OID Monitor
The Oracle Directory Integration and Provisioning Server Registration Tool (odisrvreg)
Directory Integration and Provisioning Assistant (dipassistant)
The Provisioning Subscription Tool (oidprovtool)
Entry and Attribute Management Command-Line Tools
The schemasync Tool
4 Managing the Oracle Directory Integration and Provisioning Server
Operational Information about the Oracle Directory Integration and Provisioning Server
Directory Integration Profiles
The Oracle Directory Integration and Provisioning Server and Configuration Set Entries
Standard Sequences of Directory Integration and Provisioning Server Events
Oracle Directory Integration and Provisioning Event Propagation in a Multimaster Oracle Internet Directory Replication Environment
Viewing Oracle Directory Integration and Provisioning Server Information
Viewing Oracle Directory Integration and Provisioning Server Runtime Information by Using the Oracle Directory Integration and Provisioning Server Administration Tool
Viewing Oracle Directory Integration and Provisioning Server Runtime Information by Using ldapsearch
Managing Configuration Set Entries Used by the Oracle Directory Integration and Provisioning Server
Managing the SSL Certificates of Oracle Internet Directory and Connected Directories
Starting, Stopping, and Restarting the Oracle Directory Integration and Provisioning Server
Starting the Oracle Directory Integration and Provisioning Server
Stopping the Oracle Directory Integration and Provisioning Server
Restarting the Oracle Directory Integration and Provisioning Server
Starting and Stopping the Oracle Directory Integration and Provisioning Server in a High Availability Scenario
The Oracle Directory Integration and Provisioning Server in a Real Application Cluster Environment
The Oracle Directory Integration and Provisioning Server in an Oracle Application Server Cold Failover Cluster (Infrastructure)
Setting the Debug Level for the Oracle Directory Integration and Provisioning Server
Managing Oracle Directory Integration and Provisioning in a Replicated Environment
Finding the Log Files
Manually Registering the Oracle Directory Integration and Provisioning Server
Manually Registering the Oracle Directory Integration and Provisioning Server by Using Oracle Enterprise Manager 10g Application Server Control Console
Part III Synchronization in Oracle Identity Management Integration
5 Oracle Directory Synchronization Service
Components Involved in Oracle Directory Synchronization
Connectors for Directory Synchronization
Directory Synchronization Profiles
How Synchronization Works
Synchronizing from Oracle Internet Directory to a Connected Directory
Synchronizing from a Connected Directory to Oracle Internet Directory
Synchronizing with Directories with Interfaces Not Supported by Oracle Internet Directory
6 Configuration of Directory Synchronization Profiles
Registration of Connectors into Oracle Directory Integration and Provisioning
Sample Synchronization Profiles
Configuring Connection Details
Additional Configuration Information
The SearchDeltaSize Parameter
The SkipErrorToSyncNextChange Parameter
Configuring Mapping Rules
Distinguished Name Mapping
Attribute-Level Mapping
How to Construct a New Mapping File
Supported Attribute Mapping Rules and Examples
Example: A Mapping File for a TAGGED-File Interface
Example: Mapping Files for an LDIF Interface
Updating Mapping Rules
Applying Matching Filters
Filtering Changes with an LDAP Search
Filtering Changes from a Change Log
Location and Naming of Files
7 Administration of Directory Synchronization
Managing Synchronization Profiles by Using the Oracle Directory Integration and Provisioning Server Administration Tool
Creating a Profile by Using the Oracle Directory Integration and Provisioning Server Administration Tool
Deleting a Profile by Using the Oracle Directory Integration and Provisioning Server Administration Tool
Changing the Synchronization Status Attribute
Managing Synchronization Profiles by Using Command-Line Tools
8 Bootstrapping of a Directory in Oracle Directory Integration and Provisioning
About Directory Bootstrapping in Oracle Directory Integration and Provisioning
Bootstrapping by Using a Parameter File
Bootstrapping Without Using an LDIF File
Bootstrapping by Using an LDIF File
Bootstrapping Directly by Using the Default Integration Profile
9 Synchronization with Relational Database Tables
Preparing the Additional Configuration Information File
Preparing the Mapping File
Preparing the Directory Integration Profile
Example: Synchronizing a Relational Database Table to Oracle Internet Directory
Configuring the Additional Configuration Information File
Configuring the Mapping File
Configuring the Directory Integration Profile
Uploading the Additional Configuration Information File
Uploading the Mapping File
The Synchronization Process
Observations on the Example
10 Synchronization with Oracle Human Resources
Introduction to Synchronization with Oracle Human Resources
Data that You Can Import from Oracle Human Resources
Managing Synchronization Between Oracle Human Resources and Oracle Internet Directory
Task 1: Configure a Directory Integration Profile for the Oracle Human Resources Connector
Task 2: Configure the List of Attributes to Be Synchronized with Oracle Internet Directory
Task 3: Configure Mapping Rules for the Oracle Human Resources Connector
Task 4: Prepare for Synchronization from Oracle Human Resources to Oracle Internet Directory
The Synchronization Process
Bootstrapping Oracle Internet Directory from Oracle Human Resources
11 Synchronization with Third-Party Metadirectory Solutions
About Change Logs
Enabling Third-Party Metadirectory Solutions to Synchronize with Oracle Internet Directory
Task 1: Perform Initial Bootstrapping
Task 2: Create a Change Subscription Object in Oracle Internet Directory for the Third-Party Metadirectory Solution
The Synchronization Process
How a Connected Directory Retrieves Changes the First Time from Oracle Internet Directory
How a Connected Directory Updates the orclLastAppliedChangeNumber Attribute in Oracle Internet Directory
Disabling and Deleting Change Subscription Objects
Disabling a Change Subscription Object
Deleting a Change Subscription Object
Part IV Provisioning in Oracle Identity Management
12 The Oracle Provisioning Service
About Provisioning
Provisioning Procedures
User Enrollment in Applications
Provisioning Information
How the Oracle Provisioning Service Works
How the Oracle Provisioning Service Retrieves Changes from Oracle Internet Directory
How an Application Registers with the Oracle Provisioning Service
How an Application Receives Provisioning Information from Oracle Internet Directory
How Oracle Internet Directory Receives Provisioning Information from an Application
How an Application Unsubscribes from the Oracle Provisioning Service
About the Oracle Directory Integration and Provisioning Server
Security and the Oracle Provisioning Service
The Need to Control Access to Provisioning Profiles
Entities Needing Access
Entry-Level Privileges Granted to Entities
Attribute-Level Privileges Granted to Entities
13 Administration of Oracle Provisioning Service
Overview: Deploying the Oracle Provisioning Service
Managing Provisioning Profiles
14 Integration of Provisioning Data with the Oracle E-Business Suite
Part V Integrating with Third-Party Identity Management Systems
15 Considerations for Integrating with Third-Party Directories
Preliminary Considerations for Integrating with a Third-Party Directory
Choose Which Directory Is to Be the Central Enterprise Directory
Oracle Internet Directory as the Central Enterprise Directory
Third-Party Directory as the Central Directory
Choose Where to Store Passwords
Advantages and Disadvantages of Storing the Password in One Directory
Advantages and Disadvantages of Storing the Password in Both Directories
Choose the Structure of the Directory Information Tree
Create Identical DIT Structures on Both Directories
Distinguished Name Mapping and Limitations
Select the Attribute for the Login Name
Select the User Search Base
Select the Group Search Base
Decide How to Address Security Concerns
Step-by-Step Guide to Configuring Synchronization with a Third-Party Directory
Limitations of Third-Party Integration in Oracle Internet Directory 10g Release 2 (10.1.2)
16 Integration with the Microsoft Active Directory Environment
Concepts and Architecture of Microsoft Active Directory Integration
Components for Integrating with Microsoft Active Directory
How Oracle Directory Integration and Provisioning Maintains Synchronization
Oracle Internet Directory Schema Elements for Integration with Microsoft Active Directory
Directory Information Tree in an Integration with Microsoft Active Directory
Deployment Options for Integrating with Microsoft Active Directory
Deployments with Oracle Internet Directory as the Central Directory
Deployments with Microsoft Active Directory as the Central Directory
Configuration of Integration with Microsoft Active Directory
Configuring the Realm
Configuring Synchronization Profiles
Customizing Access Control Lists
Configuring the Active Directory Connector for Synchronization in SSL Mode
Considerations for Synchronizing with a Multiple-Domain Microsoft Active Directory Environment
Configuring the Active Directory Connector Profiles
Configuring the Active Directory External Authentication Plug-in
Configuring Windows Native Authentication
Configuring Synchronization of Oracle Internet Directory Foreign Security Principal References with Microsoft Active Directory
Managing Integration with Microsoft Active Directory
Tasks After Configuring with Microsoft Active Directory
Typical Management of Integration with Microsoft Active Directory
17 Integration with the Microsoft Windows NT 4.0 Environment
Overview of Integration with Microsoft Windows NT 4.0
Installing and Configuring Windows NT External Authentication and Auto-Provisioning Plug-ins
Installing and Enabling the Windows NT External Authentication and Provisioning Plug-ins
Managing the Windows NT External Authentication and Provisioning Plug-ins
18 Integration with SunONE (iPlanet) Directory Server
About the SunONE Connector
SunONE Directory Server Integration Concepts
Synchronization Between Oracle Internet Directory and SunONE Directory Server
Synchronization of Deletions from SunONE Directory Server to Oracle Internet Directory
The SunONE Directory Server External Authentication Plug-in
Configuring the SunONE Connector
Task 1: Configure the Synchronization Profiles for the SunONE Connector
Task 2: Configure Access Control Lists
Task 3: Prepare Both Directories for Synchronization
Task 4: (Optional) Configure the SunONE Directory Server External Authentication Plug-in
Task 5: Start the Synchronization
The Synchronization Process
Supported Configurations for Integrating with SunONE Directory Server
Part VI Appendixes
A Syntax for LDIF and Command-Line Tools
LDAP Data Interchange Format (LDIF) Syntax
Starting, Stopping, Restarting, and Monitoring Oracle Internet Directory Servers
The OID Monitor (oidmon) Syntax
The OID Control Utility (oidctl) Syntax
The OPMN Control Utility (opmnctl) Syntax for Starting and Stopping Oracle Internet Directory Servers
OID Server Diagnostic Tool (oiddiag)
OID Server Diagnostic Tool Syntax
OID Server Diagnostic Tool Usage Examples
Entry and Attribute Management Command-Line Tools Syntax
The Catalog Management Tool (catalog.sh) Syntax
ldapadd Syntax
ldapaddmt Syntax
ldapbind Syntax
ldapcompare Syntax
ldapdelete Syntax
ldapmoddn Syntax
ldapmodify Syntax
ldapmodifymt Syntax
ldapsearch Syntax
Bulk Operations Command-Line Tools Syntax
bulkdelete Syntax
bulkload Syntax
bulkmodify Syntax
ldifwrite Syntax
The schemasync Tool Syntax
The Oracle Directory Integration and Provisioning Server Registration Tool (odisrvreg)
The Directory Integration and Provisioning Assistant (dipassistant) Syntax
Creating, Modifying, and Deleting Synchronization Profiles
Listing All Synchronization Profiles in Oracle Internet Directory
Viewing the Details of a Specific Synchronization Profile
Performing an Express Configuration of the Active Directory Connector Profiles
Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant
Properties Expected by the Bootstrapping Command
Setting the Wallet Password for the Oracle Directory Integration and Provisioning Server
Changing the Password of the Administrator of Oracle Directory Integration and Provisioning
Moving an Integration Profile to a Different Identity Management Node
Limitations of the Directory Integration and Provisioning Assistant in Oracle Internet Directory 10g Release 2 (10.1.2)
The Provisioning Subscription Tool (oidprovtool) Syntax
OID Database Password Utility (oidpasswd) Syntax
Changing the Password to the Oracle Internet Directory Database
Creating Wallets for the Oracle Internet Directory Database Password and the Oracle Directory Replication Server Password
Unlocking a Super User Account
Resetting the Super User Password
Managing Super User Restricted ACPs
OID Database Statistics Collection Tool (oidstats.sh) Syntax
The OID Migration Tool (ldifmigrator) Syntax
Examples: Using the OID Migration Tool
OID Migration Tool Error Messages
B LDAP Schema Elements for Oracle Directory Integration and Provisioning
C Elements in the Oracle Directory Integration and Provisioning Server Administration Tool
Windows and Fields for Connecting to a Directory Server
Credentials
SSL
Configure Entry Management
Configure Access Control Policy Management
Directory Server Connection
Select Distinguished Name (DN) Path: Tree View
Select Directory Server
Windows and Fields for Viewing Server Information
Active Processes
Configuration Sets: Integration Profiles
Windows and Fields for Registering and Editing a Directory Integration Profile
Integration Profiles
General
Execution
Mapping
Status
Windows and Fields for Configuring the Active Directory Connector
Active Directory Connector Express Synchronization Setup
D Case Study: A Deployment of Oracle Directory Integration and Provisioning
Components in the MyCompany Enterprise
Requirements of the MyCompany Enterprise
Overall Deployment in the MyCompany Enterprise
User Creation and Provisioning in the MyCompany Enterprise
Modification of User Properties in the MyCompany Enterprise
Deletion of Users in the MyCompany Enterprise
E Troubleshooting Oracle Directory Integration and Provisioning
Troubleshooting the Oracle Directory Integration and Provisioning Server
Troubleshooting the Oracle Directory Integration and Provisioning Server in an Infrastructure Installation
Troubleshooting the Oracle Directory Integration and Provisioning Server in an Oracle Directory Integration and Provisioning-Only Installation
Troubleshooting Utilities
Troubleshooting Provisioning
Troubleshooting Synchronization
Oracle Directory Integration and Provisioning Server Synchronization Process Flow
Checklist for Debugging Synchronization
Sample Valid Trace Files in Debug Level 63 Mode
Troubleshooting Integration with Microsoft Active Directory
Debugging the Active Directory Connector
Debugging Windows Native Authentication
Troubleshooting the Microsoft Active Directory External Authentication Plug-in
Troubleshooting Integration with the SunONE Connector
Troubleshooting Error Messages and Other Problems
Location of Error Messages
Oracle Directory Integration and Provisioning Server Errors
Provisioning Errors and Problems
Synchronization Errors and Problems
Windows Native Authentication Errors and Problems
Microsoft Active Directory and SunONE Directory Server Synchronization Errors and Problems
Need More Help?
Glossary
Index