Oracle Directory Server Enterprise Edition Directory

Before You Begin

Introduction

Configure Oracle Identity Cloud Service to perform authoritative synchronization and provisioning for Oracle Directory Server Enterprise Edition (ODSEE).

About Oracle Directory Server Enterprise Edition Directory

Directory Server Enterprise Edition provides secure, highly available, scalable directory services for storing and managing identity data. Directory Server Enterprise Edition is the foundation of an enterprise identity infrastructure. It enables mission-critical enterprise applications and large-scale extranet applications to access consistent and reliable identity data.

Directory Server Enterprise Edition provides a central repository for storing and managing identity profiles, access privileges, application and network resource information. Directory Server Enterprise Edition integrates smoothly into multi-platform environments. It also provides secure, on-demand synchronization of passwords, users, and groups with Microsoft Active Directory.

After integrating ODSEE with Oracle Identity Cloud Service, administrators can:

  • Synchronize users, groups and user-group memberships from ODSEE into Oracle Identity Cloud Service.
  • Assign and revoke user access to ODSEE using the Oracle Identity Cloud Service administration console.
  • Manage user group membership through Oracle Identity Cloud Service.

What Do You Need?

  • A fully installed and running provisioning bridge for ODSEE. Once it is installed, confirm that the app shows Active status in Oracle Identity Cloud Service. See Manage Provisioning Bridges for Oracle Identity Cloud Service.

  • An Oracle Identity Cloud Service Identity Domain Administrator, Security Administrator, or Application Administrator account so that you can manage apps and user accounts.
  • ODSEE server connectivity details such as administrator credentials, host name and the port number.

Enable SSL between ODSEE and Provisioning Bridge

These steps are required only if you want to enable SSL between ODSEE and the provisioning bridge.

  1. On ODSEE, ensure that SSL is enabled, and a port is specified to accept connections from LDAP clients.
  2. Generate a self-signed certificate and import it into the ODSEE instance.
  3. Import the certificate into the Java keystore of the machine on which the provisioning bridge is installed by following the steps mentioned in Import the Certificate as a Trusted Certificate.
  4. Restart the provisioning bridge.

For more information, see Oracle Directory Server Enterprise Edition.

Register and Activate ODSEE

Register and activate ODSEE, and configure Authoritative Synchronization for ODSEE so that you can then perform user, group, and user-group synchronization from ODSEE.

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
  2. Click App Catalog.
  3. Search for Oracle Directory Server Enterprise Edition, click Add, and then click Next.
  4. In the Name field, enter Oracle Directory Server Enterprise Edition, and add a description.
  5. In the Provisioning Bridge drop-down, from the list of all active and inactive provisioning bridges, select the bridge that you installed as a part of the What Do You Need? section.
  6. Click Next to enable provisioning and synchronization for ODSEE.
  7. Click Finish. Oracle Identity Cloud Service displays a confirmation message.
  8. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning and Synchronization for ODSEE

Learn how to synchronize user accounts from Oracle Directory Server Enterprise Edition to Oracle Identity Cloud Service.

Enable Provisioning for ODSEE

  1. On the Provisioning page, select Enable Provisioning.
  2. In the Grant Consent dialog box, click Continue.
  3. Use this table to configure connectivity between Oracle Identity Cloud Service and ODSEE. It lists the parameters that Oracle Identity Cloud Service requires to connect to ODSEE.

    Host Name: Enter the host name of the server that hosts ODSEE. For example: app.cpdmqa01.com. Note: The host name value is specific to each ODSEE instance.
    Port Number: Enter the port number on which ODSEE is listening. For example: 1389.
    Administrator Username: Enter the ODSEE service account user name.
    Administrator Password: Enter the ODSEE service account password.
    SSL Enabled: Select this check box if SSL communication is enabled between ODSEE and the provisioning bridge, as explained in Enable SSL between ODSEE and Provisioning Bridge.
    Base Contexts: Enter the root DN values from which all users and groups are synchronized. For example: dc=example,dc=com. One or more base context values can be specified, separated by a carriage return. For example: dc=example,dc=com and dc=example2,dc=com. Note: The base contexts value is specific to each ODSEE instance.
    Change Log Block Size: Enter the block size to be used for an incremental synchronization operation. The default value is 100.
    Block Size: Enter the block size to be used for a full synchronization operation. The default value is 100.
    Use Page Result Control: Specifies whether a simple paged search is used for a full synchronization operation.
    Account User Name Attribute: Specifies the user name attribute.
    UID Attribute Name: Enter the name of the attribute that uniquely identifies an entry in the DIT.
    Use Standard Change Log: Enable this option to use the standard changelog mechanism for synchronization.
    Changelog BaseDN: Enter the distinguished name of the entry that contains the set of entries comprising this server's changelog.
    ChangelogUidAttribute: Enter the name of the attribute that uniquely identifies a changelog entry.
    Change Number Attribute: Enter the name of the attribute holding the change number that uniquely identifies a change made to a directory entry.
    Use Modify Timestamps: Enable this option to use modify-timestamp-based synchronization when the standard changelog is not supported.
    Create Timestamp Attribute: Enter the name of the attribute that gives the creation timestamp of an entry.
    Modify Timestamp Attribute: Enter the name of the attribute that gives the modification timestamp of an entry.
  4. Click Test Connectivity to verify the connection with Oracle Directory Server Enterprise Edition. Oracle Identity Cloud Service displays a confirmation message. Note: To test the connectivity, the associated bridge must be in Active status and must be started on the client network.
  5. Use this table to configure the User Object required to synchronize users from ODSEE to Oracle Identity Cloud Service. It lists the parameters that Oracle Identity Cloud Service requires to configure ODSEE users.

    User Object Class: Enter the list of object classes required for a User Object.
    User Enabled Attribute: Enter the name of the attribute that signifies whether a user is enabled or disabled in ODSEE. The default value is ENABLED.
    User Enabled Value: Enter the value present in the User Enabled Attribute when a user is active in ODSEE. The default value is DISABLED.
    User Disabled Value: Enter the value present in the User Enabled Attribute when a user is inactive in ODSEE.
  6. Use this table to configure the Group Object required to synchronize groups from ODSEE to Oracle Identity Cloud Service. It lists the parameters that Oracle Identity Cloud Service requires to configure ODSEE groups.

    Group Object Class: Enter the list of object classes required for a Group Object.
    Group Member Attribute: Enter the name of the attribute that signifies a user's membership in the group in ODSEE.
    Group UID Attribute: Enter the unique identifier attribute of the group.
  7. The Configure Attributes section defines predefined attribute mappings between the user account fields defined in ODSEE and the corresponding fields defined in Oracle Identity Cloud Service.

    a. To view and add ODSEE user attributes, click Add to view the available list of ODSEE user attributes. In the Add Attribute dialog box, click Refresh to get the latest list of user attributes from Oracle Directory Server Enterprise Edition. Select the attribute that you want to add, and click OK.

    b. To view the predefined attribute mappings between the user account fields defined in ODSEE and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK. Note: To add a new attribute mapping, click Add Row, specify the attributes in the User and ODSEE Account columns, and then click OK.

  8. Specify the provisioning operations that you want to enable for ODSEE:

    • Authoritative Sync: Configures Oracle Directory Server Enterprise Edition as an authoritative source for Oracle Identity Cloud Service. In the authoritative sync configuration, users, roles, and user-role memberships are created or modified on ODSEE, and the information is synchronized into Oracle Identity Cloud Service. Note: By default, the Authoritative Sync check box is selected and all other check boxes are disabled.
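
To make the synchronization settings in these tables concrete, here is a constructed Python model, added for this page and not Oracle Identity Cloud Service or provisioning-bridge code, of what Use Standard Change Log with Change Log Block Size, the Use Modify Timestamps fallback, and the User Enabled Attribute with its enabled and disabled values do during an incremental run. Attribute names such as accountStatus and the sample entries are assumptions.

```python
# Added illustration (not Oracle Identity Cloud Service or bridge code) of the
# incremental-sync settings above. Attribute names and entries are assumptions.
CHANGE_NUMBER_ATTR = "changeNumber"   # Change Number Attribute
MODIFY_TS_ATTR = "modifyTimestamp"    # Modify Timestamp Attribute
USER_ENABLED_ATTR = "accountStatus"   # User Enabled Attribute (assumed name)
USER_ENABLED_VALUE, USER_DISABLED_VALUE = "ENABLED", "DISABLED"

# Constructed changelog entries, as read below the Changelog BaseDN.
CHANGELOG = [dict(zip(("changeNumber", "targetDn", "changeType"), row)) for row in (
    ("101", "uid=alice,ou=people,dc=example,dc=com", "add"),
    ("102", "uid=bob,ou=people,dc=example,dc=com", "modify"),
    ("103", "cn=admins,ou=groups,dc=example,dc=com", "modify"),
    ("104", "uid=carol,ou=people,dc=example,dc=com", "delete"),
)]
# Constructed user entries; timestamps are LDAP GeneralizedTime strings.
USERS = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "modifyTimestamp": "20240301100000Z", "accountStatus": "ENABLED"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "modifyTimestamp": "20240301120000Z", "accountStatus": "DISABLED"},
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "modifyTimestamp": "20240302090000Z"},
]

def changelog_blocks(changelog, last_change_number, block_size):
    """Use Standard Change Log: yield (block, checkpoint) for changes numbered
    above last_change_number, in order, Change Log Block Size at a time.
    The checkpoint is the highest number in the block; the next run resumes there."""
    pending = sorted((e for e in changelog if int(e[CHANGE_NUMBER_ATTR]) > last_change_number),
                     key=lambda e: int(e[CHANGE_NUMBER_ATTR]))
    for i in range(0, len(pending), block_size):
        block = pending[i:i + block_size]
        yield block, int(block[-1][CHANGE_NUMBER_ATTR])

def incremental_sync(changelog, last_change_number, block_size):
    """Process every block; return (target DNs in order, new checkpoint)."""
    targets, checkpoint = [], last_change_number
    for block, checkpoint in changelog_blocks(changelog, last_change_number, block_size):
        targets.extend(e["targetDn"] for e in block)
    return targets, checkpoint

def changes_since(users, last_sync_ts):
    """Use Modify Timestamps fallback; GeneralizedTime (YYYYMMDDHHMMSSZ) sorts as
    text. Strict '>' can miss same-second changes; '>=' means re-processing."""
    return [u["dn"] for u in users if u[MODIFY_TS_ATTR] > last_sync_ts]

def account_state(entry):
    """Missing or unexpected values are 'unknown', never silently 'enabled'."""
    value = entry.get(USER_ENABLED_ATTR)
    if value == USER_ENABLED_VALUE:
        return "enabled"
    return "disabled" if value == USER_DISABLED_VALUE else "unknown"
```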

Enable Synchronization for ODSEE

  1. On the Provisioning page, select Enable Synchronization.
  2. From the User Identifier drop-down list, define a matching rule that links a record fetched from ODSEE with an existing record in Oracle Identity Cloud Service. Note: By default, User Name is selected. It is recommended to leave this default attribute for an accurate synchronization of user records.
  3. From the Application Identifier drop-down list, define a matching rule that links a record fetched from ODSEE with an existing record in Oracle Identity Cloud Service. Note: By default, UserUid is selected. This value represents the Uid attribute of a user in ODSEE. It is recommended to leave this default attribute for an accurate synchronization of user records.
  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    • Link and confirm: Automatically links and confirms the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined user identifier.
    • Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined user identifier. You need to manually confirm the linked accounts.
  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.
  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be removed during the synchronization run.
  7. From the Synchronization schedule drop-down list, select the interval at which you want the synchronization operation to be performed. Note: By default, Never is selected. It is recommended to change this value according to your requirements. After enabling provisioning and synchronization for ODSEE, you can synchronize the existing account details from ODSEE and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see Import User Accounts from a Software as a Service Application.

Discover the Schema for ODSEE

  1. On the Provisioning Setting tab, under Configuration Attributes, click Add Attribute.
  2. Click Refresh to display the unmapped attributes from ODSEE, whether they are out of the box or custom.

Troubleshooting

For any issues, contact Oracle Support:

  1. Go to https://support.oracle.com.
  2. Select Cloud Support, and then sign in with your support credentials.
  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.
  4. Select Oracle Identity Cloud Service as the service type. Complete your service request.