Oracle® Identity Management Integration Guide
10g (10.1.4.0.1)

Part Number B15995-01

21 Integrating with Sun Java System Directory

This chapter outlines the procedures for integrating Oracle Identity Management with Sun Java System Directory, formerly known as SunONE iPlanet, in a production environment. It contains these topics:


Note:

This chapter assumes familiarity with the chapter on Oracle Internet Directory concepts and architecture in Oracle Internet Directory Administrator's Guide. It also assumes familiarity with the earlier chapters in this book, especially:

If you are configuring a demonstration of integration with Sun Java System Directory, then see the Oracle By Example series for Oracle Identity Management Release 10g (10.1.4.0.1), available on Oracle Technology Network at http://www.oracle.com/technology/


Verifying Synchronization Requirements for Sun Java System Directory

Before configuring basic or advanced synchronization with Sun Java System Directory, ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements". Before synchronizing with Sun Java System Directory, you must also perform the following steps:

Configuring Basic Synchronization with Sun Java System Directory

You use the express configuration command to quickly establish synchronization between Oracle Internet Directory and Sun Java System Directory. Express configuration uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use express configuration to synchronize with Sun Java System Directory, follow the instructions in "Creating Synchronization Profiles with Express Configuration".

Configuring Advanced Integration with Sun Java System Directory

When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported third-party directories. The sample synchronization profiles created for Sun Java System Directory are:

You can also use the express configuration option of the Directory Integration Assistant (dipassistant) to create additional synchronization profiles, as described in "Configuring Basic Synchronization with Sun Java System Directory".

The import and export synchronization profiles created during the install process or with express configuration are only intended as a starting point for you to use when deploying your integration of Oracle Internet Directory and a Sun Java System Directory. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:

Step 1: Planning Your Integration

Plan your integration by reading Chapter 17, "Third-Party Directory Integration Concepts and Considerations", particularly "Sun Java System Directory Integration Concepts".

Step 2: Configuring the Realm

Configure the realm by following the instructions in "Configuring the Realm".

Step 3: Customizing the ACLs

Customize ACLs as described in "Customizing Access Control Lists".

Step 4: Customizing Attribute Mappings

When integrating with Sun Java System Directory, the following attribute-level mapping is mandatory for all objects:

Targetdn:1: : :orclsourceobjectdn: : orclSUNOneobject:

Example 21-1 Attribute-Level Mapping for the User Object in Sun Java System Directory

Cn:1: : :person: cn: :person:
sn:1: : :person: sn: :person:

Example 21-2 Attribute-Level Mapping for the Group Object in Sun Java System Directory

Cn:1: : :groupofname: cn:groupofuniquenames

In the preceding examples, Cn and sn from Sun Java System Directory are mapped to cn and sn in Oracle Internet Directory.

Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".

Step 5: Customizing the Sun Java System Directory Connector to Synchronize Deletions

If you want to synchronize deletions, and the mapping rules have mandatory attributes, then be sure that the tombstone is configured correctly.

To verify that the tombstone is configured in Sun Java System Directory, execute the following command:

$ORACLE_HOME/bin/ldapsearch -h connected_directory_host \
-p connected_directory_port -D connected_directory_account \
-w connected_directory_password -b source_domain \
-s sub "objectclass=nstombstone"

This returns information on all deleted entries.


See Also:

Sun Java System Directory documentation for details about configuring tombstones


Note:

Tombstones are automatically configured for Sun Java System Directory if replication is enabled.

Step 6: Synchronizing Passwords

Oracle Internet Directory and Sun Java System Directory support the same set of password hashing techniques. To synchronize passwords between Oracle Internet Directory and Sun Java System Directory, ensure that SSL server authentication mode is configured for both directories and that the following mapping rule exists in the mapping file:

Userpassword: : :person:userpassword: :person
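
The following added example (not part of the original guide and not Oracle tooling) checks a mapping file for the mandatory Targetdn rule from Step 4 and the userpassword rule from Step 6, ignoring differences in spacing and letter case. The function names, the treatment of lines starting with # as comments, and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): verify that a DIP mapping file contains
# the rules Step 4 and Step 6 require. Rule text is copied from this chapter.
REQ_TARGETDN='Targetdn:1: : :orclsourceobjectdn: : orclSUNOneobject:'
REQ_PASSWORD='Userpassword: : :person:userpassword: :person'

# Canonical form of a rule: no whitespace, lowercase (LDAP names are
# case-insensitive), trailing empty fields dropped.
normalize_rule() {
    printf '%s\n' "$1" | tr -d ' \t\r' | tr '[:upper:]' '[:lower:]' | sed 's/:*$//'
}

# has_rule FILE RULE: succeeds if FILE holds a line equivalent to RULE.
# Assumption: lines starting with '#' are comments or separators.
has_rule() {
    want=$(normalize_rule "$2")
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*|'') continue ;; esac
        if [ "$(normalize_rule "$line")" = "$want" ]; then return 0; fi
    done < "$1"
    return 1
}

# check_mapping_file FILE: prints one line per missing rule, fails if any.
check_mapping_file() {
    rc=0
    has_rule "$1" "$REQ_TARGETDN" || { echo "missing: mandatory Targetdn rule (Step 4)"; rc=1; }
    has_rule "$1" "$REQ_PASSWORD" || { echo "missing: userpassword rule (Step 6, password sync)"; rc=1; }
    return "$rc"
}

# Constructed sample: spacing and case differ from the chapter's text, and the
# password rule is absent.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, attribute rules only
targetdn:1:::orclsourceobjectdn::orclSUNOneobject:
Cn:1: : :person: cn: :person:
sn:1: : :person: sn: :person:
EOF
check_mapping_file "$SAMPLE" || echo "mapping file needs attention"
```

Run it against an exported copy of the profile's mapping file before enabling password synchronization; a missing userpassword rule means passwords are not propagated.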

Step 7: Synchronizing in SSL Mode

Configure Sun Java System Directory for synchronization in SSL mode by following the instructions in "Configuring the Third-Party Directory Connector for Synchronization in SSL Mode".

Step 8: Configuring the Sun Java System Directory External Authentication Plug-in

Configure the Sun Java System Directory external authentication plug-in by following the instructions in "Configuring External Authentication Plug-ins".

Step 9: Performing Post-Configuration and Administrative Tasks

Read Chapter 23, "Managing Integration with a Third-Party Directory" for information on post-configuration and ongoing administration tasks.