23 Integrating with Oracle Directory Server Enterprise Edition (Connected Directory)

This chapter outlines the procedures for integrating Oracle Identity Management with Oracle Directory Server Enterprise Edition connected directory (previously known as Sun Java System Directory Server, and, before that, SunONE iPlanet).

Note:

Before continuing with this chapter, you should be familiar with the concepts presented in the following chapters:

If you are configuring a demonstration of integration with Oracle Directory Server Enterprise Edition / Sun Java System Directory Server, then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology/

23.1 Verifying Synchronization Requirements for Oracle Directory Server Enterprise Edition

Before configuring basic or advanced synchronization with Oracle Directory Server Enterprise Edition, ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements". Before synchronizing with Oracle Directory Server Enterprise Edition, you must also perform the following steps:

  1. Enable change logging on Oracle Directory Server Enterprise Edition.
  2. Enable the retro change log plug-in, as described in "Enabling the Retro Change Log for Oracle Directory Server Enterprise Edition".
  3. Configure the retro change log to record specified attributes of an entry that is deleted, as described in "To Configure the Retro Change Log to Record Attributes of a Deleted Entry" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
  4. Add an attribute to the existing list of recorded attributes by running the following command, where host and port identify the directory server instance, /tmp/pwd is a file containing the bind password, and attribute is the attribute to add:
     $ dsconf set-server-prop -w /tmp/pwd -h host -p port retro-cl-deleted-entry-attr+:attribute


23.2 Configuring Basic Synchronization with Oracle Directory Server Enterprise Edition

You use the expressSyncSetup command to quickly establish synchronization between the Oracle back-end directory and Oracle Directory Server Enterprise Edition.

The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use the expressSyncSetup command to synchronize with Oracle Directory Server Enterprise Edition, see "Creating Import and Export Synchronization Profiles Using expressSyncSetup".

23.3 Configuring Advanced Integration with Oracle Directory Server Enterprise Edition

You can also use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles from the templates.

The import and export synchronization profiles created with the expressSyncSetup command are only intended as a starting point for you to use when deploying your integration of the Oracle back-end directory and Oracle Directory Server Enterprise Edition. Because these synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps:

Note:

When you install Oracle Directory Integration Platform, import and export template files are automatically created in ORACLE_HOME/ldap/odi/conf. The template files created for Oracle Directory Server Enterprise Edition are:

  • iPlanetImport—The profile for importing changes from Oracle Directory Server Enterprise Edition to the Oracle back-end directory

  • iPlanetExport—The profile for exporting changes from the Oracle back-end directory to Oracle Directory Server Enterprise Edition

23.3.1 Understanding How to Plan Integration with Oracle Directory Server Enterprise Edition

Plan your integration by reading Connected Directory Integration Concepts and Considerations, particularly "Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Integration Concepts". Be sure to create a new profile by copying the existing Oracle Directory Server Enterprise Edition or Sun Java System Directory Server template profile by following the instructions in "Creating Synchronization Profiles".

23.3.2 Configure the Realm for Oracle Directory Server Enterprise Edition

Configure the realm by following the instructions in Configuring the Realm.

23.3.3 Understanding How to Customize the ACLs for Oracle Directory Server Enterprise Edition

Customize ACLs as described in Customizing Access Control Lists.

23.3.4 Customize Attribute Mappings for Oracle Directory Server Enterprise Edition

When integrating with Oracle Directory Server Enterprise Edition, the following attribute-level mapping is mandatory for all objects:

Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:

Example 23-1 Attribute-Level Mapping for the User Object in Oracle Directory Server Enterprise Edition

Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:

Example 23-2 Attribute-Level Mapping for the Group Object in Oracle Directory Server Enterprise Edition

cn:1: :groupofname: cn: : groupofuniquenames:

In the preceding examples, Cn and sn from Oracle Directory Server Enterprise Edition are mapped to cn and sn in the Oracle back-end directory.

Customize the attribute mappings by following the instructions in Customizing Mapping Rules.

23.3.5 About How to Customize the Oracle Directory Server Enterprise Edition Connector to Synchronize Deletions

If you want to synchronize deletions, and the mapping rules have mandatory attributes, then ensure that they are present in the change log when the entry is deleted. You must add Objectclass and other values to the list of attributes to be included when an entry is deleted, as described in "To Configure the Retro Change Log to Record Attributes of a Deleted Entry" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
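The mapping lines in Example 23-1, Example 23-2 and the mandatory Targetdn rule above are colon-separated records in the eight-field layout used by Oracle Directory Integration Platform mapping files (source attribute, ReqAttrSeq, ReqAttr, source object class, destination attribute, ReqAttr, destination object class, mapping rule). The following script is an added example, not code from the Oracle documentation or the Directory Integration Platform product: it parses rules in that layout, checks that the mandatory Targetdn rule is present, applies the rules to a constructed change record as a retro change log entry would present it, and, for the deletion case this section describes, reports which attributes referenced by the rules a delete record failed to carry (candidates for retro-cl-deleted-entry-attr). The change records, DNs and the treatment of every mapped source attribute as needed on delete are assumptions made for illustration; mapping-rule expressions in the eighth field are not evaluated.

```python
"""Parse and apply DIP-style attribute mapping rules (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List

# Rules copied from the examples in this section (Targetdn rule, user object, group object).
RULES_TEXT = """
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
cn:1: :groupofname: cn: : groupofuniquenames:
"""

@dataclass
class MappingRule:
    src_attr: str
    req_attr_seq: str
    req_attr: str
    src_objectclass: str
    dst_attr: str
    dst_req_attr: str
    dst_objectclass: str
    rule: str  # mapping expression; empty means a direct copy

def parse_rule(line: str) -> MappingRule:
    """Split one colon-separated mapping line into its eight fields (whitespace ignored)."""
    fields = [f.strip() for f in line.strip().split(":")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 colon-separated fields, got {len(fields)}: {line!r}")
    return MappingRule(*fields)

def parse_rules(text: str) -> List[MappingRule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def has_mandatory_targetdn_rule(rules: List[MappingRule]) -> bool:
    """The page states every DSEE mapping must map Targetdn to orclsourceobjectdn."""
    return any(r.src_attr.lower() == "targetdn" and r.dst_attr.lower() == "orclsourceobjectdn"
               for r in rules)

def apply_rules(rules: List[MappingRule], record: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map a change record (attribute name -> values, plus targetdn and objectclass) to the
    back-end directory attributes. Only rules whose source object class the record carries fire."""
    rec = {k.lower(): v for k, v in record.items()}
    ocs = {oc.lower() for oc in rec.get("objectclass", [])}
    out: Dict[str, List[str]] = {}
    dst_ocs = set()
    for r in rules:
        if r.src_objectclass.lower() not in ocs:
            continue
        values = rec.get(r.src_attr.lower())
        if values is None:
            continue
        if r.rule:
            raise NotImplementedError(f"mapping expressions are not evaluated here: {r.rule!r}")
        out[r.dst_attr] = list(values)
        dst_ocs.add(r.dst_objectclass)
    if dst_ocs:
        out["objectclass"] = sorted(dst_ocs)
    return out

def missing_delete_attrs(rules: List[MappingRule], delete_record: Dict[str, List[str]]) -> List[str]:
    """For a delete change record, list attributes the rules need that the retro change log did
    not record. objectclass is always needed to select the applicable rules; every other mapped
    source attribute is treated as needed (an assumption; targetdn is always present on a delete)."""
    present = {k.lower() for k in delete_record}
    needed = {"objectclass"} | {r.src_attr.lower() for r in rules if r.src_attr.lower() != "targetdn"}
    return sorted(needed - present)

# Constructed sample records (hypothetical DNs and values).
RULES = parse_rules(RULES_TEXT)
USER_CHANGE = {
    "targetdn": ["uid=jdoe,ou=People,dc=example,dc=com"],
    "changetype": ["add"],
    "objectclass": ["top", "person", "inetOrgPerson"],
    "cn": ["John Doe"], "sn": ["Doe"], "uid": ["jdoe"],
}
# A delete recorded with the DSEE default (no deleted-entry attributes kept) ...
DELETE_WITHOUT_ATTRS = {"targetdn": ["uid=jdoe,ou=People,dc=example,dc=com"], "changetype": ["delete"]}
# ... and the same delete after objectclass, cn and sn were added to retro-cl-deleted-entry-attr.
DELETE_WITH_ATTRS = dict(DELETE_WITHOUT_ATTRS, objectclass=["top", "person"], cn=["John Doe"], sn=["Doe"])

if __name__ == "__main__":
    print("mandatory Targetdn rule present:", has_mandatory_targetdn_rule(RULES))
    print("mapped user entry:", apply_rules(RULES, USER_CHANGE))
    print("delete missing:", missing_delete_attrs(RULES, DELETE_WITHOUT_ATTRS))
    print("delete missing after fix:", missing_delete_attrs(RULES, DELETE_WITH_ATTRS))
```

Running the script against the first delete record reports cn, objectclass and sn as missing, which is exactly the situation this section warns about: without objectclass in the change log record the connector cannot tell which object class rules apply, and without the mandatory attributes the deletion cannot be mapped to the back-end entry.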

23.3.6 Understanding How to Synchronize Passwords for Oracle Directory Server Enterprise Edition

You can synchronize the password, as described in Password Synchronization.

23.3.7 Synchronizing in SSL Mode

You must configure Oracle Directory Server Enterprise Edition for synchronization in SSL mode.

To do so, follow the instructions in Configuring the Connected Directory Connector for Synchronization in SSL Mode.

Note:

Oracle recommends that you synchronize passwords over SSL between the back-end directory and the connected directory.

23.3.8 Perform Post-Configuration and Administrative Tasks

This section describes the tasks you must complete after configuring advanced integration with Oracle Directory Server Enterprise Edition.

See Managing Integration with a Connected Directory for information on post-configuration and ongoing administration tasks.