Oracle® Identity Management Integration Guide 10g (10.1.4.0.1) Part Number B15995-01 |
|
|
View PDF |
This chapter outlines the procedures for integrating Oracle Identity Management with Novell eDirectory or OpenLDAP in a production environment. It contains these topics:
Verifying Synchronization Requirements for Novell eDirectory or OpenLDAP
Configuring Basic Synchronization with Novell eDirectory or OpenLDAP
Configuring Advanced Integration with Novell eDirectory or OpenLDAP
Notes: This chapter assumes familiarity with the chapter on Oracle Internet Directory concepts and architecture in Oracle Internet Directory Administrator's Guide. It also assumes familiarity with the earlier chapters in this book, especially:
Synchronization is supported between Oracle Application Server 10g (10.1.4.0.1) or later and Novell eDirectory 8.6.2 or later or OpenLDAP 2.2. |
Before configuring basic or advanced synchronization with Novell eDirectory or OpenLDAP, ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements".
You use the express configuration command to quickly establish synchronization between Oracle Internet Directory and Novell eDirectory or OpenLDAP. Express configuration uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use express configuration to synchronize with Novell eDirectory or OpenLDAP, follow the instructions in "Creating Synchronization Profiles with Express Configuration".
When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported third-party directories. The sample synchronization profiles created for Novell eDirectory are:
Novell eDirectoryImp
—The profile for importing changes from Novell eDirectory to Oracle Internet Directory
Novell eDirectoryExp
—The profile for exporting changes from Oracle Internet Directory to Novell eDirectory
The sample synchronization profiles created for OpenLDAP are:
OpenLDAPImport
—The profile for importing changes from OpenLDAP to Oracle Internet Directory
OpenLDAPExport
—The profile for exporting changes from Oracle Internet Directory to OpenLDAP
You can also use the express configuration option of the Directory Integration Assistant (dipassistant
) to create additional synchronization profiles, as described in "Configuring Basic Synchronization with Novell eDirectory or OpenLDAP". The import and export synchronization profiles created during the install process or with express configuration are only intended as a starting point for you to use when deploying your integration of Oracle Internet Directory and Novell eDirectory or OpenLDAP. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:
Step 3: Customizing the Search Filter to Retrieve Information from Novell eDirectory or OpenLDAP
Step 6: Customizing the Novell eDirectory or OpenLDAP Connector to Synchronize Deletions
Step 7: Specifying Synchronization Parameters for the Additional Config Information Attribute
Step 8: Configuring the OpenLDAP Connector to Synchronize Passwords
Step 10: Configuring the Novell eDirectory or OpenLDAP External Authentication Plug-in
Step 11: Performing Post-Configuration and Administrative Tasks
Plan your integration by reading Chapter 17, "Third-Party Directory Integration Concepts and Considerations", particularly "Novell eDirectory and OpenLDAP Integration Concepts".
Configure the realm by following the instructions in "Configuring the Realm".
By default, the Novell eDirectory or OpenLDAP Connector retrieves changes to all objects in the container based on the modifytimestamp
attribute. If you are interested in retrieving changes to specific types of objects, such as changes to users and groups, then you should configure an LDAP search filter. This filter screens out changes that are not required when the Novell eDirectory or OpenLDAP Connector queries Novell eDirectory or OpenLDAP. The filter is stored in the connected directory matching filter attribute (orclodipcondirmatchingfilter
) in the synchronization profile.
The Novell eDirectory and OpenLDAP sample import profiles are configured to retrieve changes to users, groups, and container objects from Novell eDirectory and OpenLDAP, respectively. Computers are not retrieved. The value of the searchfilter
attribute is set as follows:
searchfilter=(&(!(modifiersname=connected_dir_account)) (|(objectclass=domain)(objectclass=organizationalunit) (objectclass=organization)(objectclass=person) (objectclass=groupofnames)))
You use the Directory Integration Assistant (dipassistant
) to update the searchfilter
attribute if you want to synchronize entries other than users or groups. For example, the following command updates the searchfilter
attribute to synchronize only users and groups:
dipassistant mp –h host -p port -D binddn -w bindpass -profile profilename odip.profile.condirfilter=searchfilter= (|(objectclass=groupofnames)(objectclass=person))
Note: All attributes specified in thesearchfilter attribute should be configured as indexed attributes in Novell eDirectory or OpenLDAP. |
See Also: The appendix on the LDAP filter definition in Oracle Internet Directory Administrator's Guide for instructions on configuring an LDAP search filter |
Customize ACLs as described in "Customizing Access Control Lists".
When integrating with Novell eDirectory, the following attribute-level mapping is mandatory for all objects:
GUID:1: : :orclNDSObjectGUID: :orclndsObject:bin2b64(guid) Modifytimestamp:1 : : :orclsourcemodifytimestamp: :orclndsobject: Createtimestamp:1 : : :orclsourcecreatetimestamp: :orclndsobject: Targetdn:1: : :orclsourceobjectdn: : orclndsobject:
When integrating with OpenLDAP, the following attribute-level mapping is mandatory for all objects:
entryuuid:1: : : orclOpenLdapEntryUUID: : orclOpenLdapObject Modifytimestamp:1 : : :orclsourcemodifytimestamp: : orclOpenLdapObject Createtimestamp:1 : : :orclsourcecreatetimestamp: : orclOpenLdapObject Targetdn:1: : :orclsourceobjectdn: : orclOpenLdapObject:
Example 22-1 Attribute-Level Mapping for the User Object in Novell eDirectory or OpenLDAP
Cn:1: : :person: cn: :person: sn:1: : :person: sn: :person:
Example 22-2 Attribute-Level Mapping for the Group Object in Novell eDirectory or OpenLDAP
Cn:1: : :groupofname: cn:groupofuniquenames
In the preceding examples, Cn
and sn
from Novell eDirectory or OpenLDAP are mapped to cn
and sn
in Oracle Internet Directory.
Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".
Synchronizing deletions from Novell eDirectory or OpenLDAP in Oracle Internet Directory is handled with the reconciliation approach, as described in "Synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory". To avoid decreased performance on the server when synchronizing deletions from Novell eDirectory or OpenLDAP in Oracle Internet Directory, you can customize the comparison to search specific subsets of the DIT. You specify the subset search criteria as part of the map file by using the ReconciliationRules
keyword.
The default reconciliation rules for Novell eDirectory are as follows:
inetorgperson:cn:*groupofnames:cn:*
The default reconciliation rules for OpenLDAP are as follows:
inetorgperson:cn:*groupofuniquenames:cn:*
The preceding rules specify that the search criteria be applied in the following two steps:
Search for all entries in the inetorgperson
object class. You can also specify different subsets within this rule according to the attribute values.
Search for all entries in the groupofnames
object class in Novell eDirectory or in the groupofuniquenames
object class in OpenLDAP.
You define a reconciliation rule with one object class, one attribute, and any number of values. You can use any attribute that is synchronized with Oracle Internet Directory to define a reconciliation rule. However, you must observe the following two requirements:
The attribute of the specified object class must be defined in the mapping rules
The corresponding Oracle Internet Directory attribute must be indexed
For example, consider the following reconciliation rule:
myobjclass:myattr:val1:val2:val3
In the preceding reconciliation rule, the name of the object class is myobjclass
and the name of the attribute is myattr
. You can assign values of val1
, val2
, or val3
to the myattr
attribute. To use the myattr
attribute, the following mapping rule must be defined:
myattr: : : myobjclass:attr: :objclass:
The preceding mapping rule defines the myattr
attribute in the myobjclass
object class, and attr
is the corresponding Oracle Internet Directory attribute that should be indexed.
Defining reconciliation rules generates search filters that query Novell eDirectory or OpenLDAP to determine the number of deleted entries. For example, with the myobjclass
and attr
reconciliation rule example in the previous section, the following search filters are generated in Novell eDirectory or OpenLDAP:
(&(objectclass= myobjclass) (createtimestamp<=orclodipreconciliationtimestamp) (myattr=val1))
(&(objectclass= myobjclass) (createtimestamp<= orclodipreconciliationtimestamp) (myattr=val2))
(&(objectclass= myobjclass)(createtimestamp<= orclodipreconciliationtimestamp)(myattr=val3))
The reconciliation rule and mapping rule also generate corresponding filters in Oracle Internet Directory. For example, the following Oracle Internet Directory filters are generated for the myobjclass
and attr
reconciliation rule:
(&(objectclass= objclass) (orclndsobjectguid=*)(orclSourceCreateTimeStamp<= orclodipreconciliationtimestamp)(attr=val1))
(&(objectclass= objclass) (orclndsobjectguid=*)(orclSourceCreateTimeStamp<= orclodipreconciliationtimestamp)(attr=val2))
(&(objectclass= objclass) (orclndsobjectguid=*)(orclSourceCreateTimeStamp<= orclodipreconciliationtimestamp)(attr=val3))
The Additional Config Info (orclodipAgentConfigInfo
) attribute in a synchronization profile stores any additional configuration information needed by a connector to synchronize Oracle Internet Directory with a connected directory. You can use the SearchDeltaSize
and SkipErrorToSyncNextChange
parameters with any connected directory, as described in "Additional Configuration Information". With Novell eDirectory and OpenLDAP, you can also use the parameters listed in Table 22-1 to specify additional configuration information.
Table 22-1 Novell eDirectory and OpenLDAP Synchronization Parameters for the Additional Config Info Attribute
Parameter | Description |
---|---|
|
Indicates the type of the |
|
Determines how deleted entries in Novell eDirectory or OpenLDAP are synchronized with Oracle Internet Directory. If you assign a value of |
|
Specifies the time difference between a computer that is running Oracle Internet Directory and a computer that is running Novell eDirectory. This parameter is necessary because synchronization between Oracle Internet Directory and Novell eDirectory will not function properly if the time on the Novell eDirectory computer is earlier than the time on the Oracle Internet Directory computer. You assign to this parameter a value in seconds that is equal to the time difference between the two computers. The default value is 0. |
|
Identifies the unique attribute in Novell eDirectory or OpenLDAP that can be used to search for an entry. You assign to this parameter a value of |
The Oracle directory integration platform can synchronize password changes from Oracle Internet Directory to Novell eDirectory or OpenLDAP only when the directories are running SSL server-side authentication. You cannot synchronize passwords from Novell eDirectory to Oracle Internet Directory. However, you can synchronize passwords from OpenLDAP to Oracle Internet Directory by performing the following tasks:
Add a mapping rule that enables password synchronization. For example:
userpassword: : : inetorgperson: userpassword: person
Enable the password policy and reversible password encryption in the Oracle directory server. To do this, assign a value of 1
to the orclPwdPolicyEnable
and orclpwdEncryptionEnable
attributes in the entry cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,
DN_of_realm
. You can do this by using either Oracle Directory Manager or ldapmodify
by uploading an LDIF file containing the following entries:
dn:cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,DN_of_realm. changetype: modify replace: orclpwdpolicyenable orclpwdpolicyenable: 1 - replace: orclpwdencryptionenable orclpwdencryptionenable: 1
See Also:
|
Configure the Novell eDirectory or OpenLDAP connector for synchronization in SSL mode by following the instructions in "Configuring the Third-Party Directory Connector for Synchronization in SSL Mode".
Configure the Novell eDirectory or OpenLDAP external authentication plug-in by following the instructions in "Configuring External Authentication Plug-ins".
Read Chapter 23, "Managing Integration with a Third-Party Directory" for information on post-configuration and ongoing administration tasks.