Skip Headers
Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
  Go To Documentation Library
Go To Product List
Solution Area
Go To Table Of Contents
Go To Index


20.2 SunONE Directory Server Integration Concepts

This section contains these topics:

20.2.1 Synchronization Between Oracle Internet Directory and SunONE Directory Server

Synchronization with SunONE Directory Server is based on reading incremental changes from the source directory to the destination directory. If changes are to be made in both directories, then both directories need to have change logging enabled.

See Also:

  • The Oracle Internet Directory server administration tools chapter of the Oracle Identity Management User Reference for instructions on how to start an Oracle directory server with change logging enabled.

  • SunONE Directory Server documentation for instructions on how to configure change logging. If you plan to synchronize with SunONE (iPlanet) Directory Server Release versions 5.0 or later, the retro changelog plug-in must be enabled.

20.2.2 Synchronization of Deletions from SunONE Directory Server to Oracle Internet Directory

If you want to synchronize deletions, and the mapping rules have mandatory attributes, then be sure that the tombstone is configured correctly.

To verify that the tombstone is configured in SunONE Directory Server, execute the following command:

$ORACLE_HOME/bin/ldapsearch -h connected_directory_host 
-p connected_directory_port -D  connected_directory_account  
-w connected_directory_password -b source_domain 
-s sub "objectclass=nstombstone"

This returns information on all deleted entries.

See Also:

SunONE documentation for details about configuring tombstones


Tombstones are automatically configured on the SunONE Directory Server if replication is enabled.

20.2.3 The SunONE Directory Server External Authentication Plug-in

Oracle components are clients of Oracle Internet Directory. However, in an integrated environment, you have the option of storing security credentials for those components in an external repository —in this case, SunONE Directory Server—rather than in Oracle Internet Directory. When security credentials are stored in an external repository, user authentication to an Oracle component happens in the external repository and not in Oracle Internet Directory.

To communicate with the external repository, the Oracle component relies on the Oracle directory server. The Oracle directory server, in turn, uses a plug-in that can access the external repository. The entire authentication process is transparent to the Oracle components, which perceive all the LDAP requests as being handled by the Oracle directory server. Types of External Authentication

To verify a user's security credentials, an Oracle component can, by way of the Oracle directory server, send to the external repository a simple bind with a request for one of the following:

  • Non-SSL ldapbind

  • SSL ldapbind

  • ldapcompare How Authentication to an External Repository Works

When an Oracle directory server has the plug-in configured and enabled, the following process occurs to authenticate a user to an Oracle component.

  1. The user seeks access to an Oracle component.

  2. The Oracle component, which is a client of Oracle Internet Directory, receives the authentication request, and passes to the Oracle directory server either an ldapbind or ldapcompare request.

  3. The Oracle directory server passes the control to the plug-in.

  4. The plug-in issues the request to the external repository.

  5. The plug-in obtains the results of that request and passes the results back to the Oracle directory server.

  6. The Oracle directory server passes the results back to client application, which then grants or denies access to the user.