24 Integrating with IBM Tivoli Directory Server

This chapter outlines the procedures for integrating Oracle Identity Management with IBM Tivoli Directory Server.

Note:

Before continuing with this chapter, you should be familiar with the concepts presented in previous chapters. The following chapters in particular are important:

If you are configuring a demonstration of integration with IBM Tivoli Directory Server, then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology/

24.1 Verifying Synchronization Requirements for IBM Tivoli Directory Server

Before configuring basic or advanced synchronization with IBM Tivoli Directory Server, ensure that your environment meets the necessary synchronization requirements.

You must complete the steps described in "Verifying Synchronization Requirements". Before synchronizing with IBM Tivoli Directory Server, you must also perform the following steps:

  1. When creating a user account in IBM Tivoli Directory Server with sufficient privileges to perform import and export operations, be sure to assign sufficient permissions to read the tombstones.
  2. Enable change logging on IBM Tivoli Directory Server.

24.2 Configuring Basic Synchronization with IBM Tivoli Directory Server

You use the expressSyncSetup command to quickly establish synchronization between the Oracle back-end directory and IBM Tivoli Directory Server.

The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export.

To use the expressSyncSetup command to synchronize with IBM Tivoli Directory Server, refer to "Creating Import and Export Synchronization Profiles Using expressSyncSetup".

24.3 Configuring Advanced Integration with IBM Tivoli Directory Server

You can also use the expressSyncSetup command to create additional synchronization profiles from the template files.

The import and export synchronization profiles that you created with expressSyncSetup are only intended as a starting point for you to use when deploying your integration of the Oracle back-end directory and an IBM Tivoli Directory Server. Because these synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps:

Note:

When you install Oracle Directory Integration Platform, import and export template files (ORACLE_HOME/ldap/odi/conf) are automatically created for each of the supported third-party directories. You can use these template files to create your own profiles. The sample files created for IBM Tivoli Directory Server are:

  • TivoliImport—The profile for importing changes from IBM Tivoli Directory Server to the Oracle back-end directory.

  • TivoliExport—The profile for exporting changes from the Oracle back-end directory to IBM Tivoli Directory Server.

24.3.1 Understanding How to Plan Integration with IBM Tivoli Directory

Plan your integration by reading Connected Directory Integration Concepts and Considerations, particularly "IBM Tivoli Directory Server Integration Concepts". Be sure to create a new profile by copying the existing IBM Tivoli Directory Server template profile by following the instructions in “Creating Synchronization Profiles”.

24.3.2 Configure the Realm for IBM Tivoli Directory

Configure the realm by following the instructions in "Configuring the Realm".

24.3.3 Understanding How to Customize the ACLs for IBM Tivoli Directory

Customize ACLs as described in "Customizing Access Control Lists".

24.3.4 Customize Attribute Mappings for IBM Tivoli Directory

When integrating with IBM Tivoli Directory Server, the following attribute-level mapping is mandatory for all objects:

targetdn: : :top:orclSourceObjectDN: :orclTDSObject:

Example 24-1 Attribute-Level Mapping for the User Object in IBM Tivoli Directory Server

Cn:1: :person: cn: :person:
sn: : :person: sn: :person:

Example 24-2 Attribute-Level Mapping for the Group Object in IBM Tivoli Directory Server

cn:1: :groupofname: cn: : groupofuniquenames:

In the preceding examples, Cn and sn from IBM Tivoli Directory Server are mapped to cn and sn in the Oracle back-end directory.

If you specify anything other than the RDN attribute as a required attribute in the mapping file, those changes will not be synchronized. This is due to a limitation in IBM Tivoli Directory Server where changes do not appear as deletions in the changelog when tombstones are enabled.

Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".
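As an added check that is not part of Oracle Directory Integration Platform, the following Python lints a mapping file against the two constraints stated in this section: the mandatory targetdn mapping must be present, and only the RDN attribute may carry the required flag. The colon-separated field layout (source attribute, required flag, source type, source object class, destination attribute, destination type, destination object class) is an assumption drawn from the examples above; the sample rules are constructed from them with one deliberate mistake.

```python
"""Added check (not Oracle tooling) for a DIP mapping file against the two rules this
section states for IBM Tivoli Directory Server: the targetdn mapping must be present,
and only the RDN attribute may carry the required flag, because changes to any other
required attribute are not synchronized. Assumed field layout, colon separated:
src_attr:required:src_type:src_objectclass:dst_attr:dst_type:dst_objectclass."""
from dataclasses import dataclass
from typing import List, Sequence

@dataclass
class Rule:
    src_attr: str
    required: bool
    src_objectclass: str
    dst_attr: str
    dst_objectclass: str

def parse_rules(text: str) -> List[Rule]:
    """Parse attribute-level mapping rules; blank lines and # comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = [part.strip() for part in line.split(":")]
        if len(f) < 7:
            raise ValueError(f"malformed mapping rule: {line!r}")
        rules.append(Rule(f[0].lower(), f[1] == "1", f[3].lower(),
                          f[4].lower(), f[6].lower()))
    return rules

def lint_rules(text: str, rdn_attrs: Sequence[str] = ("cn",)) -> List[str]:
    """Return one finding per violated rule; an empty list means the file passes."""
    rules = parse_rules(text)
    findings: List[str] = []
    if not any(r.src_attr == "targetdn" and r.dst_attr == "orclsourceobjectdn"
               for r in rules):
        findings.append("missing mandatory targetdn -> orclSourceObjectDN mapping")
    for r in rules:
        if r.required and r.src_attr not in rdn_attrs:
            findings.append(f"{r.src_attr}: flagged required but is not the RDN "
                            "attribute; changes to it will not be synchronized")
    return findings

# Constructed sample: the rules from this section plus one mistake (sn required).
SAMPLE_RULES = """\
targetdn: : :top:orclSourceObjectDN: :orclTDSObject:
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
Userpassword: : :person:userpassword: :person:
"""
```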

24.3.5 Customizing the IBM Tivoli Directory Server Connector to Synchronize Deletions

If you want to synchronize deletions, you must ensure tombstones are not enabled in IBM Tivoli Directory Server. To check if tombstones are enabled, execute the following command:

ldapsearch -h connected_directory_host -p connected_directory_port \
  -D binddn -q \
  -b "cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration" \
  -s base "objectclass=*" ibm-slapdTombstoneEnabled

Note:

You will be prompted for the password.

See Also:

IBM Tivoli Directory Server documentation for details about configuring tombstones.

24.3.6 Synchronize Passwords for IBM Tivoli Directory

The Oracle back-end directory and IBM Tivoli Directory Server support the same set of password hashing techniques. To synchronize passwords from IBM Tivoli Directory Server to the Oracle back-end directory, ensure that SSL server authentication mode is configured for both directories and that the following mapping rule exists in the mapping file:

Userpassword: : :person:userpassword: :person:

Two-way password synchronization is not supported from an Oracle Unified Directory back-end directory or an Oracle Directory Server Enterprise Edition back-end directory. Two-way password synchronization is only supported if the back-end directory is Oracle Internet Directory.

24.3.7 Understand How to Synchronize IBM Tivoli Directory in SSL Mode

Configure IBM Tivoli Directory Server for synchronization in SSL mode by following the instructions in "Configuring the Connected Directory Connector for Synchronization in SSL Mode".

24.3.8 Configuring the IBM Tivoli Directory Server External Authentication Plug-in

Perform the following steps to configure an IBM Tivoli Directory Server external authentication plug-in:

  1. Add the configuration entries for the external authentication plug-in for IBM Tivoli Directory Server to the Oracle back-end directory by performing the following steps:

    Note:

    The wallet referred to in the configuration entries for the external authentication plug-in for IBM Tivoli Directory Server is an Oracle wallet. Accordingly, use Oracle wallet commands to add and remove certificates from the wallet. JKS commands are used only for the certificates that Oracle Directory Integration Platform uses.

    1. Copy the following entries to an LDIF file, for example, input.ldif:

      dn: cn=oidexplg_compare_tivoli,cn=plugin,cn=subconfigsubentry
      cn: oidexplg_compare_tivoli
      objectclass: orclPluginConfig
      objectclass: top
      orclpluginname: oidexplg
      orclplugintype: operational
      orclpluginkind: Java
      orclplugintiming: when
      orclpluginldapoperation: ldapcompare
      orclpluginsecuredflexfield;walletpwd: password
      orclpluginsecuredflexfield;walletpwd2: password
      orclpluginversion: 1.0.1
      orclpluginisreplace: 1
      orclpluginattributelist: userpassword
      orclpluginentryproperties: (!(&(objectclass=orclTDSobject)(objectclass=orcluserv2)))
      orclpluginflexfield;host2: myhost.us.example.com
      orclpluginflexfield;port2: 636
      orclpluginflexfield;isssl2: 1
      orclpluginflexfield;host: myhost.us.example.com
      orclpluginflexfield;walletloc2: /location/wallet
      orclpluginflexfield;port: 389
      orclpluginflexfield;walletloc: /tmp
      orclpluginflexfield;isssl: 0
      orclpluginflexfield;isfailover: 0
      orclpluginclassreloadenabled: 0
      orclpluginenable: 0
      orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com
       
      dn: cn=oidexplg_bind_tivoli,cn=plugin,cn=subconfigsubentry
      cn: oidexplg_bind_tivoli
      objectclass: orclPluginConfig
      objectclass: top
      orclpluginname: oidexplg
      orclplugintype: operational
      orclpluginkind: Java
      orclplugintiming: when
      orclpluginldapoperation: ldapbind
      orclpluginversion: 1.0.1
      orclpluginisreplace: 1
      orclpluginentryproperties: (!(&(objectclass=orclTDSobject)(objectclass=orcluserv2)))
      orclpluginclassreloadenabled: 0
      orclpluginflexfield;walletloc2: /location/wallet
      orclpluginflexfield;port: 389
      orclpluginflexfield;walletloc: /tmp
      orclpluginflexfield;isssl: 0
      orclpluginflexfield;isfailover: 0
      orclpluginflexfield;host2: myhost.us.example.com
      orclpluginflexfield;port2: 636
      orclpluginflexfield;isssl2: 1
      orclpluginflexfield;host: myhost.us.example.com
      orclpluginenable: 0
      orclpluginsecuredflexfield;walletpwd: password
      orclpluginsecuredflexfield;walletpwd2: password
      orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com
      
    2. Copy the entries in the LDIF file to the Oracle back-end directory using a command similar to the following:

      ldapadd -h HOST -p PORT -D binddn -q -v -f input.ldif
      

      Note:

      You will be prompted for the password.
  2. Use the instructions in "Configuring External Authentication Plug-ins" to configure the plug-in.
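Before loading input.ldif with ldapadd, it is worth linting the plug-in entries. The following Python is an added example, not Oracle tooling: it parses the LDIF (including folded continuation lines, which is where the plug-in entries above are easy to get wrong) and flags a primary bind/compare target configured without SSL, since the credentials the plug-in forwards would then cross the network in clear text, and a wallet password left at the literal placeholder. The failover target (host2/port2/isssl2) is left unchecked here and would be handled the same way when isfailover is 1; the sample entry is constructed from the bind plug-in entry above.

```python
"""Added lint (not Oracle tooling) for the oidexplg plug-in LDIF shown above: flags a
primary bind/compare target reached without SSL (the credentials the plug-in forwards
would cross the network in clear text) and a wallet password left at the placeholder."""
from typing import Dict, List

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    # Minimal LDIF reader: blank-line separated entries, 'attr: value' lines, and
    # folded continuation lines that start with one space (a trailing "" flushes).
    entries, entry, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last_key is not None:
            entry[last_key][-1] += raw[1:]              # unfold continuation
            continue
        line = raw.strip()
        if not line:                                   # entry separator
            if entry:
                entries.append(entry)
            entry, last_key = {}, None
            continue
        key, _, value = line.partition(":")
        last_key = key.strip().lower()
        entry.setdefault(last_key, []).append(value.strip())
    return entries

def lint_plugin_entry(entry: Dict[str, List[str]]) -> List[str]:
    def g(key: str, default: str = "") -> str:
        return entry.get(key, [default])[0]
    if g("orclpluginname").lower() != "oidexplg":
        return []                                      # not an oidexplg entry
    name, findings = g("cn", "?"), []
    host, port = g("orclpluginflexfield;host"), g("orclpluginflexfield;port")
    if g("orclpluginflexfield;isssl") != "1":
        findings.append(f"{name}: target {host}:{port} is not SSL")
    if g("orclpluginsecuredflexfield;walletpwd") == "password":
        findings.append(f"{name}: walletpwd is the placeholder 'password'")
    return findings

def lint_ldif(text: str) -> List[str]:
    return [f for e in parse_ldif(text) for f in lint_plugin_entry(e)]

# Constructed sample: the bind plug-in entry above, trimmed, with a folded DN line.
SAMPLE_LDIF = """\
cn: oidexplg_bind_tivoli
orclpluginname: oidexplg
orclpluginflexfield;host: myhost.us.example.com
orclpluginflexfield;port: 389
orclpluginflexfield;isssl: 0
orclpluginsecuredflexfield;walletpwd: password
orclpluginsubscriberdnlist: cn=users,
 dc=us,dc=oracle,dc=com"""
```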

24.3.9 Perform Post-Configuration and Administrative Tasks

This section describes the tasks you must complete after configuring advanced integration with IBM Tivoli Directory Server.

Read Managing Integration with a Connected Directory for information on post-configuration and ongoing administration tasks.