Oracle Unified Directory

Before You Begin

Introduction

Configure Oracle Identity Cloud Service to perform authoritative synchronization and provisioning for Oracle Unified Directory.

About Oracle Unified Directory

Oracle Unified Directory is an online directory with a specialized database that stores and retrieves collections of information about objects. The information can represent any resources that require management, for example:

  • Employee names, titles, and security credentials
  • Information about partners
  • Information about shared resources, such as conference rooms and printers

The information in the directory is available to different clients, such as single sign-on solutions, email clients, and database applications. Clients communicate with a directory server by means of the Lightweight Directory Access Protocol (LDAP). Oracle Unified Directory is an LDAP directory that uses an Oracle Database for storage.

After integrating Oracle Unified Directory with Oracle Identity Cloud Service, administrators can:

  • Synchronize users, groups and user-group memberships from Oracle Unified Directory into Oracle Identity Cloud Service
  • Assign and revoke user access to Oracle Unified Directory using the Oracle Identity Cloud Service administration console
  • Manage user group membership through Oracle Identity Cloud Service

What Do You Need?

  • A fully installed and running provisioning bridge for Oracle Unified Directory. To confirm that it is installed and running, make sure that the app shows an Active status in Oracle Identity Cloud Service. See Manage Provisioning Bridges for Oracle Identity Cloud Service.
  • An Oracle Identity Cloud Service Identity Domain Administrator, Security Administrator, or Application Administrator account so that you can manage apps and user accounts.
  • Oracle Unified Directory server connectivity details such as administrator credentials, host name, and the port number.

Enable SSL between Oracle Unified Directory and Provisioning Bridge

The steps mentioned in this section are optional, but must be performed if you want to enable SSL between Oracle Unified Directory and the provisioning bridge. For detailed information on performing these steps, refer to Oracle Internet Directory documentation.

  1. In Oracle Unified Directory, ensure that SSL is enabled and a port is specified to accept connections from LDAP clients.
  2. Generate a self-signed certificate and import it into the Oracle Unified Directory server instance.
  3. Import the certificate into the Java keystore of the machine on which the provisioning bridge is installed by following the steps mentioned in Import the Certificate as a Trusted Certificate.
  4. Restart the provisioning bridge.

Configuring Oracle Unified Directory in Oracle Identity Cloud Service

Use this section to register and activate Oracle Unified Directory, and to configure Authoritative Synchronization for Oracle Unified Directory. You can then perform user, group and user-group synchronization from Oracle Unified Directory.

Register and Activate Oracle Unified Directory

  1. Register and activate Oracle Unified Directory and configure authoritative synchronization for Oracle Unified Directory so that you can perform user, group and user-group synchronization from Oracle Unified Directory. Note: Oracle Unified Directory supports Authoritative Synchronization only.
  2. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
  3. Click App Catalog.
  4. Search for Oracle Unified Directory, click Add, and then click Next.
  5. In the Name field, enter Oracle Unified Directory, and add a description.
  6. In the Provisioning Bridge drop-down, from the list of all active and inactive provisioning bridges, select the bridge that you installed as a part of the What Do You Need? section.
  7. Click Next to enable provisioning and synchronization for Oracle Unified Directory.
  8. Click Finish. Oracle Identity Cloud Service displays a confirmation message.
  9. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning and Synchronization for Oracle Unified Directory

Use this section to synchronize user accounts from Oracle Unified Directory to Oracle Identity Cloud Service.

Enable Provisioning for Oracle Unified Directory

  1. On the Provisioning page, select Enable Provisioning.
  2. In the Grant Consent dialog box, click Continue.
  3. Specify values for the following parameters to configure connectivity with Oracle Cloud through Oracle Identity Cloud Service. The table lists the parameters that Oracle Identity Cloud Service requires to connect to Oracle Unified Directory.

    Option: Description
    Host Name: Enter the host name of the server that hosts Oracle Unified Directory. For example, host name value: app.cpdmqa01.com. Note: The host name value is dynamic and changes for each instance of Oracle Unified Directory.
    Port Number: Enter the port number on which Oracle Unified Directory is listening. For example, port number value: 1389.
    Administrator Username: Enter the Oracle Unified Directory service account user name.
    Administrator Password: Enter the Oracle Unified Directory service account password.
    SSL Enabled: Select this checkbox if SSL communication is enabled between Oracle Unified Directory and the provisioning bridge, as explained in the section Enable SSL between Oracle Unified Directory and Provisioning Bridge.
    Base Contexts: Enter the root DN values from which all users and groups are synchronized. For example, base context value: dc=example,dc=com. One or more base context values can be specified, separated by a carriage return (one per line). For example, base context values: dc=example, dc=com and dc=example2, dc=com. Note: The base contexts value is dynamic and changes for each instance of Oracle Unified Directory.
    Change Log Block Size: Enter the block size to be used for an incremental synchronization operation. By default, the value selected is 100.
    Block Size: Enter the block size to be used for a full synchronization operation. By default, the value selected is 100.
    Use Page Result Control: Specify whether a simple paged search should be used for a full synchronization operation.
    Account User Name Attribute: Specifies the user name attribute.
    UID Attribute Name: Provide the UID attribute name that uniquely identifies the entry in the DIT.
    Use Standard Change Log: Enable this option to use the standard changelog mechanism for synchronization.
    Changelog BaseDN: Provide the distinguished name of the entry that contains the set of entries comprising this server's changelog.
    Changelog UID Attribute: Provide the UID attribute name that uniquely identifies the changelog entry.
    Change Number Attribute: Provide an attribute name for the change number. It is used to uniquely identify a change made to a directory entry.
    Use Modify Timestamps: Enable this option to use modify-timestamp-based synchronization if the standard changelog is not supported.
    Create Timestamp Attribute: Provide an attribute name for the creation timestamp of an entry.
    Modify Timestamp Attribute: Provide an attribute name for the modification timestamp of an entry.
  4. Click Test Connectivity to verify the connection with Oracle Unified Directory. Oracle Identity Cloud Service displays a confirmation message. Note: To test the connectivity, the associated bridge must be in Active status and must be started on the client network.
  5. Use this table to configure the User Object required to synchronize users from Oracle Unified Directory to Oracle Identity Cloud Service. This table lists the parameters that Oracle Identity Cloud Service requires to sync and provision users from Oracle Unified Directory into Oracle Identity Cloud Service.

    Option: Description
    User Object Class: Enter a list of object classes required for a User Object.
    User Enabled Attribute: Enter the attribute name that signifies whether a user is enabled or disabled in Oracle Unified Directory. By default, the value selected is ENABLED.
    User Enabled Value: Enter the value present in "Account Enabled Attribute" when a user is active in Oracle Unified Directory. By default, the value selected is DISABLED.
    User Disabled Value: Enter the value present in "Account Enabled Attribute" when a user is inactive in Oracle Unified Directory.
  6. Use this table to configure the Group Object required to synchronize groups from Oracle Unified Directory to Oracle Identity Cloud Service. This table lists the parameters that Oracle Identity Cloud Service requires to sync groups from Oracle Unified Directory into Oracle Identity Cloud Service.

    Option: Description
    Group Object Class: Enter a list of object classes required for a Group Object.
    Group Member Attribute: Enter the attribute name that signifies a user's membership of the group in Oracle Unified Directory.
    Group UID Attribute: Enter the unique identifier attribute of the group.
  7. The Configure Attributes section defines predefined attribute mappings between the user account fields defined in Oracle Unified Directory and the corresponding fields defined in Oracle Identity Cloud Service.

    To view and then add Oracle Unified Directory user attributes: click Add to view the available list of Oracle Unified Directory user attributes; in the Add Attribute dialog box, click Refresh to get the latest list of user attributes from the Oracle Unified Directory server; then select the attribute that you want to add and click OK. To view the predefined attribute mappings between the user account fields defined in Oracle Unified Directory and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK. Note: To add a new attribute, click Add Row, specify attributes in the User and Oracle Unified Directory Account columns, and then click OK.

  8. Specify the provisioning operations that you want to enable for Oracle Unified Directory:

    • Authoritative Sync: Configures Oracle Unified Directory as an authoritative source for Oracle Identity Cloud Service. In the authoritative sync configuration, users, roles, and user role memberships are created or modified in Oracle Unified Directory and the information is synchronized into Oracle Identity Cloud Service. Note: By default, the Authoritative Sync and Delete Account check boxes are selected and disabled.
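As an added example (not Oracle's code), a small pre-flight check that a practitioner could run over the values from the connectivity table above before clicking Test Connectivity. The dictionary keys mirror the table labels; the dictionary layout and the consistency rules (SSL expected, exactly one incremental mode, its required attribute present) are assumptions.

```python
# Pre-flight check of the Enable Provisioning connectivity parameters.
# Added example, not Oracle's code; keys mirror the table labels, the rules are assumptions.
import re

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")  # one type=value component

def parse_base_contexts(raw):
    """Split the Base Contexts field (one DN per line, CR/LF separated)."""
    return [line.strip() for line in raw.splitlines() if line.strip()]

def is_valid_dn(dn):
    """Every comma-separated component must look like type=value."""
    return all(_RDN.match(rdn.strip()) for rdn in dn.split(","))

def validate(config):
    """Return the list of problems found; an empty list means ready to test."""
    problems = []
    port = config.get("Port Number")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("Port Number must be an integer in 1..65535")
    if not config.get("SSL Enabled"):
        problems.append("SSL Enabled is off: the administrator bind and all "
                        "synchronized entries cross the network in cleartext")
    contexts = parse_base_contexts(config.get("Base Contexts", ""))
    if not contexts:
        problems.append("Base Contexts is empty")
    problems += ["Base Contexts: %r is not a DN" % dn
                 for dn in contexts if not is_valid_dn(dn)]
    for key in ("Change Log Block Size", "Block Size"):
        size = config.get(key, 100)  # 100 is the documented default
        if not isinstance(size, int) or size <= 0:
            problems.append("%s must be a positive integer" % key)
    changelog = bool(config.get("Use Standard Change Log"))
    stamps = bool(config.get("Use Modify Timestamps"))
    if changelog == stamps:  # the table presents the two modes as alternatives
        problems.append("Select exactly one of Use Standard Change Log / Use Modify Timestamps")
    if changelog and not config.get("Changelog BaseDN"):
        problems.append("Changelog BaseDN is required with Use Standard Change Log")
    if stamps and not config.get("Modify Timestamp Attribute"):
        problems.append("Modify Timestamp Attribute is required with Use Modify Timestamps")
    return problems

# Constructed sample built from the table's own example values.
SAMPLE = {
    "Port Number": 1389,
    "SSL Enabled": False,
    "Base Contexts": "dc=example,dc=com\r\ndc=example2, dc=com",
    "Use Modify Timestamps": True,
    "Modify Timestamp Attribute": "modifyTimestamp",
}
```

Running validate(SAMPLE) reports only the cleartext LDAP port; setting SSL Enabled with the LDAPS port clears the list.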

Enable Synchronization for Oracle Unified Directory

  1. On the Provisioning page, select Enable Synchronization.
  2. From the User Identifier drop-down list, define a matching rule that links a record fetched from Oracle Unified Directory with an existing record in Oracle Identity Cloud Service. Note: By default, User Name is selected. Leave this default attribute for an accurate synchronization of user records.
  3. From the Application Identifier drop-down list, define a matching rule that links a record fetched from Oracle Unified Directory with an existing record in Oracle Identity Cloud Service. Note: By default, UserUid is selected. This value represents the Uid attribute of a user in Oracle Unified Directory. Leave this default attribute for an accurate synchronization of user records.
  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:
    • Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined user identifier.
    • Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined user identifier. You need to manually confirm the linked accounts.
  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.
  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be removed during the synchronization run.
  7. From the Synchronization schedule drop-down list, select the intervals at which you want the synchronization operation to be performed.

    Note: By default, Never is selected. Change this value as per your requirement.

After enabling provisioning and synchronization for Oracle Unified Directory, you can synchronize the existing account details from Oracle Unified Directory and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see Import User Accounts from a Software as a Service Application.
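The matching rule and the create/delete limits described above, as an added simulation that is not Oracle Identity Cloud Service code. It shows why the Max. number of deletes value matters: a run that fetches far fewer entries than expected (for example after a Base Contexts mistake) would otherwise remove every unmatched user. The record layout, the action names and the assumption that an over-limit run is reported rather than applied are mine.

```python
# Simulation of one authoritative synchronization run (added example, not
# Oracle Identity Cloud Service code). Record layout, action names and the
# report-on-limit behaviour are assumptions; the page only says the limits
# bound the number of creates and deletes per run.

def account_status(entry, enabled_attr="ENABLED", enabled_value="ENABLED"):
    """Map the User Enabled Attribute / User Enabled Value settings to a status."""
    return "active" if entry.get(enabled_attr) == enabled_value else "inactive"

def plan_sync_run(oud_entries, idcs_users, user_identifier="userName",
                  exact_match="Link and confirm"):
    """Return (action, identifier, detail) tuples for one run."""
    confirm = exact_match == "Link and confirm"
    actions, seen = [], set()
    for entry in oud_entries:           # OUD is the authoritative source
        key = entry[user_identifier]
        seen.add(key)
        if key in idcs_users:
            actions.append(("link", key, "confirmed" if confirm else "unconfirmed"))
        else:
            actions.append(("create", key, account_status(entry)))
    # Users present in Oracle Identity Cloud Service but absent from the fetched
    # entries are removals; an empty fetch would make *every* user look like one.
    for key in idcs_users:
        if key not in seen:
            actions.append(("delete", key, None))
    return actions

def limit_violations(actions, max_creates=10, max_deletes=10):
    """Messages for each limit the planned run would exceed (empty = safe)."""
    creates = sum(1 for a in actions if a[0] == "create")
    deletes = sum(1 for a in actions if a[0] == "delete")
    found = []
    if creates > max_creates:
        found.append(f"{creates} creates exceed Max. number of creates ({max_creates})")
    if deletes > max_deletes:
        found.append(f"{deletes} deletes exceed Max. number of deletes ({max_deletes})")
    return found

# Constructed sample data.
SAMPLE_OUD = [
    {"uid": "u1", "userName": "alice", "ENABLED": "ENABLED"},
    {"uid": "u2", "userName": "bob", "ENABLED": "DISABLED"},
    {"uid": "u3", "userName": "carol", "ENABLED": "ENABLED"},
]
SAMPLE_IDCS = {"alice": {"uid": "u1"}, "dave": {"uid": "u9"}}

if __name__ == "__main__":
    print(plan_sync_run(SAMPLE_OUD, SAMPLE_IDCS))
    # A fetch that returned nothing against 12 existing users: the limit catches it.
    print(limit_violations(plan_sync_run([], {f"user{i}": {} for i in range(12)})))
```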

Discover the Schema for OUD

  1. On the Provisioning Setting tab, under Configuration Attributes, click Add Attribute.
  2. Click Refresh to display the unmapped attributes from OUD whether they are out of the box or custom.

Troubleshooting

For any issues, contact Oracle Support:

  1. Go to https://support.oracle.com.
  2. Select Cloud Support, and then sign in with your support credentials.
  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.
  4. Select Oracle Identity Cloud Service as the service type. Complete your service request.