21 Integrating with Microsoft Active Directory
This chapter outlines the procedures for integrating Oracle Identity Management with Microsoft Active Directory in a production environment.
Topics:
- Verify Synchronization Requirements for Microsoft Active Directory
- Configuring Basic Synchronization with Microsoft Active Directory
- Configuring Advanced Integration with Microsoft Active Directory
- Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain
- Configuring the Microsoft Active Directory Connector for Microsoft Exchange Server
Note:
Before continuing with this chapter, you should be familiar with the concepts presented in previous chapters. The following chapters in particular are important:
If you are configuring a demonstration of integration with Microsoft Active Directory, then see the Oracle By Example series for Oracle Identity Management, available on Oracle Technology Network at http://www.oracle.com/technology/
21.1 Verify Synchronization Requirements for Microsoft Active Directory
Before configuring basic or advanced synchronization with Microsoft Active Directory, ensure that your environment meets the necessary synchronization requirements.
You must follow the instructions in "Verifying Synchronization Requirements".
21.2 Configuring Basic Synchronization with Microsoft Active Directory
You can use Oracle Enterprise Manager Fusion Middleware Control or the manageSyncProfiles command to configure synchronization profiles for Microsoft Active Directory.
Refer to Managing Directory Synchronization Profiles for more information.
Tip:
Oracle Directory Integration Platform can synchronize one Microsoft Active Directory (AD) with multiple Oracle directory servers at the same time.
21.3 Configuring Advanced Integration with Microsoft Active Directory
When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported connected directories.
The sample synchronization profiles created for Microsoft Active Directory are:
- ActiveImport: the profile for importing changes from Microsoft Active Directory to the Oracle back-end directory by using the DirSync approach
- ActiveChgImp: the profile for importing changes from Microsoft Active Directory to the Oracle back-end directory by using the USN-Changed approach
- ActiveExport: the profile for exporting changes from the Oracle back-end directory to Microsoft Active Directory
Note:
- Whether you use ActiveImport or ActiveChgImp depends on the method you chose for tracking changes, either DirSync or USN-Changed.
- If you establish integration between Active Directory and the Oracle back-end directory for both exporting and importing users, then you must customize the ActiveExport search filter to prevent Oracle Directory Integration Platform from exporting or importing users twice. The following is an example of a customized ActiveExport search filter that may be used when both export and import operations are enabled for the same Active Directory instance:
odip.profile.condirfilter="searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))"
See Also:
"Customizing the Search Filter to Retrieve Information from Microsoft Active Directory" for information on customizing the search filter
You can also use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles. The import and export synchronization profiles created during the install process or with expressSyncSetup are only intended as a starting point for you to use when deploying your integration of the Oracle back-end directory and Microsoft Active Directory. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:
- Understanding How to Plan Integration with Microsoft Active Directory
- Customizing the Search Filter to Retrieve Information from Microsoft Active Directory
- Understanding How to Customize the ACLs for Microsoft Active Directory
- Customize Attribute Mappings for Integrating with Microsoft Active Directory
- Synchronizing with Multiple Microsoft Active Directory Domains
- About How to Synchronize Deletions from Microsoft Active Directory
- Synchronizing Passwords from the Oracle back-End Directory to Microsoft Active Directory
- About the Microsoft Active Directory External Authentication Plug-in Configuration
21.3.1 Understanding How to Plan Integration with Microsoft Active Directory
Plan your integration by reading Connected Directory Integration Concepts and Considerations, particularly "Microsoft Active Directory Integration Concepts". Be sure to create a new profile by copying the existing Active Directory template profile by following the instructions in “Creating Synchronization Profiles”.
21.3.2 Configure the Realm for Microsoft Active Directory
If your Oracle back-end directory is Oracle Internet Directory, configure the realm by following the instructions in "Configuring the Realm".
21.3.3 Customizing the Search Filter to Retrieve Information from Microsoft Active Directory
By default, the Microsoft Active Directory Connector retrieves changes to all objects in the container configured for synchronization. If you are interested in retrieving only a certain type of change, for example only changes to users and groups, then you should configure an LDAP search filter. This filter screens out changes that are not required when the Microsoft Active Directory Connector queries Microsoft Active Directory. The filter is stored in the searchfilter attribute in the synchronization profile.
In the sample profiles ActiveChgImp and ActiveImport, only groups and users are retrieved from Microsoft Active Directory. Computers are not retrieved. Note that a computer object in Active Directory also carries the user object class (computer is a subclass of user), so (objectclass=user) on its own would match every computer account; the filter therefore has to exclude computers explicitly. The value of the searchfilter attribute is set as:
searchfilter=(|(objectclass=group)(&(objectclass=user)(!(objectclass=computer))))
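The sample import filter above and the customized ActiveExport filter from the note in 21.3 are easier to reason about when you can evaluate them against concrete entries. The following is an added example, not code from the Oracle documentation or from Oracle Directory Integration Platform: a small evaluator for the subset of LDAP filter syntax these profiles use (and, or, not, equality and presence), run against constructed entries whose objectClass values follow Active Directory's inheritance, where a computer object also carries the user class. The entry DNs and the NAIVE_FILTER are assumptions made for the illustration.

```python
# Added example (not from the Oracle documentation or from DIP): evaluate the
# DIP-style search filters against constructed AD-like entries to show what
# each one admits, and in particular why computers must be excluded explicitly.


def parse_filter(text):
    """Parse (&...), (|...), (!...), (attr=value) and (attr=*) into a tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            pos += 1                      # closing ')' of the and/or
            return (op, children)
        if op == "!":
            pos += 1
            child = parse()
            pos += 1                      # closing ')' of the not
            return ("!", child)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (lower-case attr -> list of values)."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                      # presence filter
        return bool(values)
    return value.lower() in values


# Constructed sample entries (not real directory data). The objectClass lists
# mirror AD's structural inheritance: computer -> user -> organizationalPerson
# -> person -> top, which is why a computer also matches (objectclass=user).
SAMPLE_ENTRIES = {
    "CN=Alice,OU=Staff,DC=example,DC=com":
        {"objectclass": ["top", "person", "organizationalPerson", "user"]},
    "CN=WS01,CN=Computers,DC=example,DC=com":
        {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"]},
    "CN=Admins,OU=Groups,DC=example,DC=com":
        {"objectclass": ["top", "group"]},
    "OU=Staff,DC=example,DC=com":
        {"objectclass": ["top", "organizationalUnit"]},
}

IMPORT_FILTER = "(|(objectclass=group)(&(objectclass=user)(!(objectclass=computer))))"
EXPORT_FILTER = ("(|(objectclass=group)(objectclass=organizationalunit)"
                 "(&(objectclass=user)(!(objectclass=computer))))")
NAIVE_FILTER = "(|(objectclass=group)(objectclass=user))"   # assumed, for contrast


def select(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted DNs that the filter would let the connector retrieve."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in entries.items() if matches(tree, entry))


if __name__ == "__main__":
    for name, flt in (("sample import", IMPORT_FILTER),
                      ("customized export", EXPORT_FILTER),
                      ("naive", NAIVE_FILTER)):
        print("%-18s %s" % (name + ":", select(flt)))
```

The naive filter pulls the workstation account in along with the users, which is exactly the mistake the sample filter's (!(objectclass=computer)) clause guards against; the export variant additionally admits organizational units, as the note in 21.3 requires.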
You can use Oracle Enterprise Manager Fusion Middleware Control to customize the search filter by completing the following steps:
1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
2. Log in to Oracle Enterprise Manager Fusion Middleware Control.
3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the search filter you want to customize.
4. Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles page appears.
5. On the Manage Synchronization Profiles page, select an existing profile and click Edit. The Edit Synchronization Profile page appears, opened to the General tab.
6. On the Edit Synchronization Profile page, select the Filtering tab.
7. In the Source Matching Filter (orclODIPConDirMatchingFilter) and the Destination Matching Filter (orclODIPOIDMatchingFilter) fields, enter the appropriate values for the searchfilter attribute. Instructions for specifying the searchfilter attribute are provided in the section "Filtering Changes with an LDAP Search".
8. Choose OK.
To customize the search filter by using the manageSyncProfiles command:
Note:
All attributes specified in the searchfilter attribute should be configured as indexed attributes in Microsoft Active Directory; a filter on an unindexed attribute forces the domain controller to walk the entire search scope on every poll.
See Also:
The appendix about the LDAP filter definition in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions on configuring an LDAP search filter
21.3.4 Understanding How to Customize the ACLs for Microsoft Active Directory
Customize ACLs as described in "Customizing Access Control Lists".
21.3.5 Customize Attribute Mappings for Integrating with Microsoft Active Directory
When integrating with Microsoft Active Directory, the following attribute-level mappings are mandatory for all objects:
ObjectGUID: : : :orclObjectGUID:
ObjectSID: : : :orclObjectSID:
These two attributes are the stable identity of an Active Directory object: objectGUID never changes for the life of the object and objectSid is its security identifier, whereas the DN changes whenever the object is moved or renamed. They are what the connector keys on to correlate a back-end entry with its Active Directory counterpart across such changes, which is why they must always be mapped.
Example 21-1 Attribute-Level Mapping for the User Object in Microsoft Active Directory
SAMAccountName:1: :user:orclADSAMAccountName: :orclADUser
userPrincipalName: : :user:orclADUserPrincipalName::orclADUser:userPrincipalName
Example 21-2 Attribute-Level Mapping for the Group Object in Microsoft Active Directory
SAMAccountName:1: :group:orclADSAMAccountName: :orclADGroup
In the preceding examples, SAMAccountName and userPrincipalName from Microsoft Active Directory are mapped to orclADSAMAccountName and orclADUserPrincipalName in Oracle Internet Directory.
Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".
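Both mandatory attributes are binary in Active Directory, so it helps to see what they contain and why they, rather than the DN, survive a rename. The following is an added example, not code from the Oracle documentation or from Oracle Directory Integration Platform: it decodes objectSid and objectGUID into their familiar string forms and then correlates a back-end entry with the same Active Directory user before and after an administrator has moved and renamed it. All directory data, the back-end DN layout and the KEY_ATTRS mapping table are constructed for the illustration; the page says nothing about how DIP stores these values internally.

```python
# Added example (not from the Oracle documentation or from DIP): decode the
# binary objectSid / objectGUID values carried by the mandatory mapping rules
# and use them, rather than the DN, to match an entry across a rename.
import struct
import uuid


def decode_sid(raw: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...' string.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then `count` little-endian 32-bit sub-authorities.
    """
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; used here only to build the constructed sample."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def decode_guid(raw: bytes) -> str:
    """objectGUID is stored in Microsoft's mixed-endian GUID byte order."""
    return str(uuid.UUID(bytes_le=raw))


# AD key attribute -> back-end attribute named by the mandatory mapping rules.
KEY_ATTRS = {"objectGUID": "orclObjectGUID", "objectSid": "orclObjectSID"}

# Constructed sample: one AD user before and after being moved and renamed.
# The DN changes; objectGUID and objectSid do not.
GUID = uuid.UUID("5b4c0a2e-9d1f-4c8e-8a11-3e5f7c0d2b91")
SID = "S-1-5-21-1004336348-1177238915-682003330-1104"
AD_BEFORE = {"dn": "CN=Alice Smith,OU=Staff,DC=example,DC=com",
             "objectGUID": GUID.bytes_le, "objectSid": encode_sid(SID)}
AD_AFTER = {"dn": "CN=Alice Jones,OU=Contractors,DC=example,DC=com",
            "objectGUID": GUID.bytes_le, "objectSid": encode_sid(SID)}

# Constructed back-end entry as it was synchronized from AD_BEFORE.
BACK_END = [{"dn": "cn=alice.smith,cn=users,dc=example,dc=com",
             "orclObjectGUID": AD_BEFORE["objectGUID"],
             "orclObjectSID": AD_BEFORE["objectSid"]}]


def correlate(back_end, ad_entry, key="objectGUID"):
    """Find the back-end entry for an AD object by the given attribute.

    Keyed on objectGUID or objectSid the match survives the rename; keyed on
    "dn" it does not, because the AD DN no longer resembles anything stored.
    """
    target = KEY_ATTRS.get(key, key)
    wanted = ad_entry[key]
    return next((e for e in back_end if e.get(target) == wanted), None)


if __name__ == "__main__":
    print("SID :", decode_sid(AD_AFTER["objectSid"]))
    print("GUID:", decode_guid(AD_AFTER["objectGUID"]))
    hit = correlate(BACK_END, AD_AFTER)
    print("matched by objectGUID:", hit["dn"] if hit else None)
    print("matched by DN        :", correlate(BACK_END, AD_AFTER, key="dn"))
```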
21.3.6 Synchronizing with Multiple Microsoft Active Directory Domains
When synchronizing with multiple Microsoft Active Directory domains, you need separate import and export synchronization profiles for each domain in most cases. However, the profiles for each domain should be very similar. The only exception involves using the Global Catalog with import synchronization profiles. In this case, you only need to create a single import synchronization profile for the entire Microsoft Active Directory forest; bear in mind that a Global Catalog exposes only the attributes in the partial attribute set, so every attribute your import mapping rules reference must be replicated to the Global Catalog. For more information, see "About Configuration Required for Importing from Microsoft Active Directory to the Oracle Back-end Directory".
Note:
Be sure to perform attribute and DN mapping before attempting to synchronize with multiple domains.
The best approach to creating separate import and export synchronization profiles for multiple domains is as follows:
21.3.7 About How to Synchronize Deletions from Microsoft Active Directory
To synchronize deletions in Microsoft Active Directory with the Oracle back-end directory, you must grant the necessary privilege to the Microsoft Active Directory user account that the Oracle directory integration server uses to perform synchronizations with Microsoft Active Directory. Microsoft Active Directory deletions can be synchronized with the Oracle back-end directory by querying for them in Microsoft Active Directory. The way to do this depends on whether you are using the DirSync approach or the USN-Changed approach.
For the DirSync approach, the Microsoft Active Directory user account that Oracle Directory Integration Platform uses to access Microsoft Active Directory must either be a member of the Domain Admins group or be explicitly granted the Replicating Directory Changes permission. Prefer the explicit grant: it is the only right the DirSync control actually needs, and it avoids storing the credentials of a domain administrator in the synchronization profile. Even with the narrower grant, treat the account as privileged, because that permission lets it enumerate every object and change in the domain; keep its password only in the profile, rotate it, and monitor its logons.
See Also:
Article ID 303972 at http://support.microsoft.com for information on how to grant Replicating Directory Changes permissions
For the USN-Changed approach, the Microsoft Active Directory user account that Oracle Directory Integration Platform uses to access Microsoft Active Directory must have the "List Contents" and "Read Properties" permissions on the cn=Deleted Objects container of a given domain. By default only the System account and the domain's administrators can list that container, so a domain administrator must grant these permissions, using the dsacls.exe command-line tool that is installed with the Active Directory Domain Services tools on Windows Server (it also ships with Active Directory Lightweight Directory Services (AD LDS), which was previously known as Active Directory Application Mode or ADAM). Grant only these two permissions: the account needs to see that objects were deleted, not to read or restore their remaining contents.
Regardless of whether you are using the DirSync approach or the USN-Changed approach to synchronize deletions in Microsoft Active Directory with the Oracle back-end directory, if you create a matching filter for the ActiveImport profile (for the DirSync approach) or the ActiveChgImp profile (for the USN-Changed approach), be sure to include only the following key Microsoft Active Directory attributes:
- ObjectGUID
- ObjectSID
- ObjectDistName
- USNChanged
If you specify any attributes in a matching filter other than the preceding key attributes, deletions in Microsoft Active Directory are not propagated to the Oracle back-end directory. The reason is that a deleted object survives in Microsoft Active Directory only as a tombstone under the Deleted Objects container: it keeps these key attributes (with its DN moved under that container) but loses most others, so a match that depends on any other attribute finds nothing and the deletion is silently skipped.
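The following is an added example, not code from the Oracle documentation or from Oracle Directory Integration Platform: a constructed simulation of one USN-Changed poll and the reconciliation that follows it, run twice, once with the matching filter keyed on objectGUID and once keyed on mail. The tombstone for the deleted user carries only the key attributes, so the second run cannot correlate it and the deletion is lost, which is the failure the restriction above prevents. The entries, DNs, USN values and the KEY_ATTRS table are all made up; the back-end attribute names follow the mandatory mapping rules in 21.3.5.

```python
# Added example (not from the Oracle documentation or from DIP): show why the
# ActiveChgImp matching filter may only use the key attributes. A tombstone
# keeps objectGUID, objectSid, its renamed DN and uSNChanged but not the
# object's other attributes, so any other matching key misses the deletion.

DELETED_OBJECTS = "CN=Deleted Objects,DC=example,DC=com"

# Constructed current state of the domain controller. Since the previous poll
# (watermark 4100) Alice's phone number changed and Bob was deleted; Carol is
# untouched and therefore falls below the watermark.
AD_STATE = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com",
     "objectGUID": b"\x01" * 16, "objectSid": b"SID-A",
     "mail": "alice@example.com", "telephoneNumber": "555-0100",
     "uSNChanged": 4150},
    {"dn": "CN=Bob\\0ADEL:02020202-0202-0202-0202-020202020202," + DELETED_OBJECTS,
     "objectGUID": b"\x02" * 16, "objectSid": b"SID-B",
     "isDeleted": True, "uSNChanged": 4300},          # tombstone: no mail, no phone
    {"dn": "CN=Carol,OU=Staff,DC=example,DC=com",
     "objectGUID": b"\x03" * 16, "objectSid": b"SID-C",
     "mail": "carol@example.com", "uSNChanged": 3000},
]

# Constructed back-end directory as left by the previous poll.
BACK_END = {
    "cn=alice,cn=users,dc=example,dc=com":
        {"orclObjectGUID": b"\x01" * 16, "orclObjectSID": b"SID-A", "mail": "alice@example.com"},
    "cn=bob,cn=users,dc=example,dc=com":
        {"orclObjectGUID": b"\x02" * 16, "orclObjectSID": b"SID-B", "mail": "bob@example.com"},
    "cn=carol,cn=users,dc=example,dc=com":
        {"orclObjectGUID": b"\x03" * 16, "orclObjectSID": b"SID-C", "mail": "carol@example.com"},
}
LAST_CHANGE_NUMBER = 4100

# AD key attribute -> back-end attribute, as in the mandatory mapping rules.
KEY_ATTRS = {"objectGUID": "orclObjectGUID", "objectSid": "orclObjectSID"}
NOT_COPIED = {"dn", "uSNChanged", "isDeleted", "objectGUID", "objectSid"}


def changes_since(entries, last_change_number):
    """One USN-Changed poll: everything above the watermark, in USN order."""
    return sorted((e for e in entries if e["uSNChanged"] > last_change_number),
                  key=lambda e: e["uSNChanged"])


def apply_changes(back_end, changes, match_attr):
    """Reconcile one poll into a copy of the back-end directory.

    Returns (new_back_end, lost_deletions). A deletion whose tombstone cannot
    be matched on match_attr is reported as lost instead of being applied.
    """
    result = {dn: dict(attrs) for dn, attrs in back_end.items()}
    target = KEY_ATTRS.get(match_attr, match_attr)
    lost = []
    for change in changes:
        wanted = change.get(match_attr)
        hit = next((dn for dn, attrs in result.items()
                    if wanted is not None and attrs.get(target) == wanted), None)
        if change.get("isDeleted"):
            if hit is None:
                lost.append(change["dn"])
            else:
                del result[hit]
        elif hit is not None:
            result[hit].update({k: v for k, v in change.items() if k not in NOT_COPIED})
        # Adds (no hit and not deleted) are outside the scope of this illustration.
    return result, lost


if __name__ == "__main__":
    poll = changes_since(AD_STATE, LAST_CHANGE_NUMBER)
    for attr in ("objectGUID", "mail"):
        after, lost = apply_changes(BACK_END, poll, attr)
        print("match on %-10s -> %d entries remain, lost deletions: %s"
              % (attr, len(after), lost))
```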
See Also:
- Article ID 230113 at http://support.microsoft.com for more information on deleting items from Microsoft Active Directory
- The attribute reference chapter in Oracle Fusion Middleware Reference for Oracle Identity Management for a listing of the standard LDAP attributes that the Oracle back-end directory supports
21.3.8 About Synchronization in SSL Mode
Configure the Microsoft Active Directory connector for synchronization in SSL mode by following the instructions in "Configuring the Connected Directory Connector for Synchronization in SSL Mode".
21.3.9 Synchronizing Passwords from the Oracle back-End Directory to Microsoft Active Directory
To synchronize password changes from the Oracle back-end directory to Microsoft Active Directory, follow these steps:
1. Configure the Oracle back-end directory, Oracle Directory Integration Platform, and Microsoft Active Directory to run in SSL server authentication mode. Microsoft Active Directory refuses to set a password (the unicodePwd attribute) over a connection that is not protected by SSL/TLS, and the new password must not cross the network in clear text in any case.
2. Enable password synchronization from the Oracle back-end directory to Microsoft Active Directory by following the instructions in "Enable Password Synchronization from the Oracle Back-end Directory to a Connected Directory".
21.3.10 About the Microsoft Active Directory External Authentication Plug-in Configuration
Configure the Microsoft Active Directory external authentication plug-in by following the instructions in "Configuring External Authentication Plug-ins".
21.3.11 Perform Post-Configuration and Administrative Tasks
Read Managing Integration with a Connected Directory for information on post-configuration and ongoing administration tasks.
21.4 Using DirSync Change Tracking for Import Operations
By default, the import synchronization profile created with expressSyncSetup uses the USN-Changed approach for tracking changes. If you want to use the DirSync change tracking approach, be sure to perform the steps in this section before beginning synchronization.
Note:
You may want to back up your current import synchronization profile before performing the following procedures. You can create a backup copy of a profile by using the copy operation of the manageSyncProfiles command.
To modify the import synchronization profile to use the DirSync change tracking approach:
21.5 Configuring Synchronization of Microsoft Active Directory Foreign Security Principal References with an Oracle Back-End Directory
This section explains how to synchronize Microsoft Active Directory foreign security principal references with an Oracle back-end directory.
Although Microsoft Active Directory stores information for group members in a trusted domain as foreign security principal references, Oracle back-end directory stores the DNs of these members. This results in a mismatch between an entry and its value as a member of a group. The relationship between a user and a group cannot be directly established in Oracle back-end directory.
To establish the relationship between users and groups, the member DNs that refer to the foreign security principals must be replaced by the DNs of the entries during the synchronization of such groups. This is called resolving foreign key references.
Note:
Synchronization of foreign security principal references is supported only on Windows 2003 and above.
Tasks to Resolve Foreign Key References
This section explains the steps for resolving foreign key references.
Task 1: Update Agent Configuration Information
For each profile that can have foreign security principal references, perform the following steps. The sample configuration files are in the $ORACLE_HOME/ldap/odi/conf/ directory.
1. Copy the activeimp.cfg.fsp file. The following is an example of the activeimp.cfg.fsp file:
[INTERFACEDETAILS]
Package: gsi
Reader: ActiveReader
[TRUSTEDPROFILES]
prof1 : <Name of the profile1>
prof2 : <Name of the profile2>
[FSPMAXSIZE]
val=10000
The preceding example assumes you are using the DirSync change tracking approach. If you are using the USN-Changed approach for tracking changes, assign a value of ActiveChgReader to the Reader parameter.
2. In the activeimp.cfg.fsp file, under the [TRUSTEDPROFILES] tag, specify the profile names of the trusted domains, that is, the domains whose users and groups appear in this domain as foreign security principal references. Referring to Example 21-3, agent configuration information for Domain A contains the following:
[INTERFACEDETAILS]
Package: gsi
Reader: ActiveReader
[TRUSTEDPROFILES]
prof1: profile_name_for_domain_B
prof2: profile_name_for_domain_C
Agent configuration information for Domain B contains the following:
[INTERFACEDETAILS]
Package: gsi
Reader: ActiveReader
[TRUSTEDPROFILES]
prof1: profile_name_for_domain_C
Agent configuration information for Domain C has no changes because Domain C has no foreign key references.
3. Under the [FSPMAXSIZE] tag, specify the foreign security principal cache size. This can be the average number of foreign security principals you expect to have. The sample activeimp.cfg.fsp file shown above sets it to 10000.
4. Load the new agent configuration information file by using the update operation of the manageSyncProfiles command as follows:
manageSyncProfiles update -h host -p port -D WLS_login_ID -pf profile_name_for_domain_A_or_B -params "odip.profile.configfile activeimp.cfg.fsp"
5. Repeat this task for every profile of interest.
Task 2: Update the Mapping Rules to Resolve the Foreign Security Principals During Synchronization
After bootstrapping, modifications to groups must be reflected in the back-end directory with the correct group membership values. The fsptodn mapping rule enables you to do this when you synchronize. Modify this mapping rule in every profile that needs foreign security principal resolution. Referring to Example 21-3, the mapping rules must be modified for Domains A and B.
If you do not have DN mapping, then change your mapping rule for the member attribute to the following:
member: : :group:uniquemember: :groupofUniqueNames: fsptodn(member)
If you have DN mapping, then change the mapping rules as follows:
Example 21-3 How Foreign Key References Are Resolved
The example in this section illustrates how foreign key references are resolved. Assume that there are three domains: A, B and C.
- Domain A has a one-way non-transitive trust to Domain B. It can have foreign security principal references for users and groups from Domain B.
- Domain A has a one-way non-transitive trust to Domain C. It can have foreign security principal references for users and groups from Domain C.
- Domain B has a one-way non-transitive trust to Domain C. It can have foreign security principal references for users and groups from Domain C.
In this example, the one-way non-transitive trusts are from Domain A to Domain B, from Domain A to Domain C, and from Domain B to Domain C.
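The following is an added example, not code from the Oracle documentation or from Oracle Directory Integration Platform: a constructed model of what the fsptodn mapping rule from Task 2 has to accomplish and how it relates to the [TRUSTEDPROFILES] and [FSPMAXSIZE] settings from Task 1, using Domain A of Example 21-3. In Active Directory a group member from a trusted domain is stored as a foreign security principal, an object under CN=ForeignSecurityPrincipals whose RDN is the member's SID; to write a real member DN into the back-end directory, that SID has to be looked up among the entries the trusted domains' profiles have already imported. The index layout, the least-recently-used cache policy, the profile names, the behaviour for an unresolvable reference (reported rather than written) and all directory data are assumptions; the page does not describe DIP's internals.

```python
# Added example (not from the Oracle documentation or from DIP): resolve
# foreign security principal references to back-end DNs, driven by a
# constructed activeimp.cfg.fsp and a constructed SID index per trusted profile.
import configparser
from collections import OrderedDict

# Constructed activeimp.cfg.fsp for Domain A in Example 21-3 (profile names assumed).
CFG_TEXT = """\
[INTERFACEDETAILS]
Package: gsi
Reader: ActiveReader
[TRUSTEDPROFILES]
prof1 : ActiveImport_DomainB
prof2 : ActiveImport_DomainC
[FSPMAXSIZE]
val=10000
"""

# Constructed: SID -> back-end DN for what each trusted profile has imported.
TRUSTED_INDEX = {
    "ActiveImport_DomainB": {"S-1-5-21-2000-3000-4000-1105": "cn=bob,cn=users,dc=b,dc=example"},
    "ActiveImport_DomainC": {"S-1-5-21-5000-6000-7000-1201": "cn=carol,cn=users,dc=c,dc=example"},
}

# Constructed member values of a group in Domain A: one local user, two
# foreign security principals that resolve, and one that nobody imported.
GROUP_MEMBERS = [
    "CN=Alice,OU=Staff,DC=a,DC=example",
    "CN=S-1-5-21-2000-3000-4000-1105,CN=ForeignSecurityPrincipals,DC=a,DC=example",
    "CN=S-1-5-21-5000-6000-7000-1201,CN=ForeignSecurityPrincipals,DC=a,DC=example",
    "CN=S-1-5-21-8000-8000-8000-1300,CN=ForeignSecurityPrincipals,DC=a,DC=example",
]


def load_fsp_config(text):
    """Return (trusted profile names in file order, FSP cache size)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    trusted = [value for _, value in cp.items("TRUSTEDPROFILES")]
    return trusted, cp.getint("FSPMAXSIZE", "val")


class FspResolver:
    def __init__(self, trusted_profiles, max_size, index=TRUSTED_INDEX):
        self.sources = [index[name] for name in trusted_profiles]
        self.max_size = max_size
        self.cache = OrderedDict()      # SID -> DN, least recently used first

    @staticmethod
    def sid_of(member_dn):
        """The SID if member_dn names a foreign security principal, else None."""
        rdn, _, parent = member_dn.partition(",")
        if not parent.lower().startswith("cn=foreignsecurityprincipals,"):
            return None
        return rdn.split("=", 1)[1]

    def fsptodn(self, member_dn):
        """Replace an FSP reference by the back-end DN it stands for.

        Ordinary members come back unchanged; an FSP that no trusted profile
        has imported resolves to None.
        """
        sid = self.sid_of(member_dn)
        if sid is None:
            return member_dn
        if sid in self.cache:
            self.cache.move_to_end(sid)
            return self.cache[sid]
        for source in self.sources:
            if sid in source:
                self.cache[sid] = source[sid]
                if len(self.cache) > self.max_size:
                    self.cache.popitem(last=False)   # evict the least recently used SID
                return source[sid]
        return None


def resolve_members(resolver, members):
    """Split a group's member values into resolved DNs and unresolvable FSPs."""
    resolved, unresolved = [], []
    for member in members:
        dn = resolver.fsptodn(member)
        if dn is None:
            unresolved.append(member)
        else:
            resolved.append(dn)
    return resolved, unresolved


if __name__ == "__main__":
    trusted, size = load_fsp_config(CFG_TEXT)
    resolver = FspResolver(trusted, size)
    resolved, unresolved = resolve_members(resolver, GROUP_MEMBERS)
    print("uniquemember:", resolved)
    print("unresolved  :", unresolved)
```

The unresolved reference is the case to watch in practice: if the trusted domain's profile has not imported the member yet (for example because the profiles run in the wrong order, or the member is filtered out), the group in the back-end directory silently ends up smaller than the group in Active Directory.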
21.6 Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain
You can point the connector at a different domain controller in the same domain whether your import profile uses the USN-Changed approach or the DirSync approach. The procedures differ because the USN-Changed watermark is specific to one domain controller.
Topics:
- Changing the Microsoft Active Directory Domain Controller by Using the USN-Changed Approach
- Changing the Microsoft Active Directory Domain Controller by Using the DirSync Approach
21.6.1 Changing the Microsoft Active Directory Domain Controller by Using the USN-Changed Approach
If you are using the USN-Changed approach, then perform the following steps:
1. Disable the currently running profile. Modify the Microsoft Active Directory host connection information (host, port, user, password) to point to the new domain controller. Usually, the host name is the only item that you need to update.
2. Obtain the current value of the highestCommittedUSN attribute by searching the root DSE of the new domain controller:
ldapsearch -h host -p port -b "" -s base -D binddn -q "objectclass=*" highestCommittedUSN
Note:
You will be prompted for the password.
Read this value before the full synchronization in step 3 starts. USN values are local to each domain controller, so the lastchangenumber that was valid for the old domain controller cannot be reused on the new one, and a value captured before the full load guarantees that any change made while the load runs is picked up when incremental synchronization resumes.
3. Use Oracle Directory Integration Platform to run a full synchronization from Microsoft Active Directory:
a. Run ldifde, the Windows command that exports Microsoft Active Directory entries to an LDIF file, using the intended LDAP search scope and search filter. Normally, the search filter should be the same as that specified in the running profile. For example, the following search filter is set in the sample properties file. Note that ldifde can be run only from a Microsoft Windows environment.
searchfilter=(&(|(objectclass=user)(objectclass=organizationalunit))(!(objectclass=group)))
Essentially, run ldifde with a search scope and search filter that retrieves all the Microsoft Active Directory objects (entries) that the running profile is configured to synchronize into the Oracle back-end directory.
b. Run Oracle Directory Integration Platform to upload the LDIF file generated in step 3a using the same profile.
4. After the full synchronization is completed, update the lastchangenumber attribute with the highestCommittedUSN value obtained in step 2.
5. Resume the normal synchronization, that is, incremental synchronization from Microsoft Active Directory using the USNChanged attribute.
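The ordering in the procedure above (read highestCommittedUSN from the new domain controller, then do the full load, then store that value as lastchangenumber) is easy to get wrong, and the consequences are silent. The following is an added example, not code from the Oracle documentation or from Oracle Directory Integration Platform: a constructed model with two domain controllers that hold the same entries but, because USN counters are local to each controller, report very different highestCommittedUSN values. It shows that reusing the old controller's watermark makes the new controller report no changes at all, and that capturing the new controller's watermark before the full load lets a change made during the load be replayed afterwards. The DomainController class and all entries are assumptions for the illustration.

```python
# Added example (not from the Oracle documentation or from DIP): why the
# watermark must come from the new domain controller, and be read before the
# full load, when switching controllers under the USN-Changed approach.


class DomainController:
    """Toy DC: a per-controller USN counter and entries stamped with uSNChanged."""

    def __init__(self, name, entries=()):
        self.name = name
        self.usn = 0
        self.entries = {}
        for dn, attrs in entries:
            self.write(dn, attrs)

    @property
    def highestCommittedUSN(self):
        """What the root DSE attribute of the same name reports."""
        return self.usn

    def write(self, dn, attrs):
        """Every write, including a repeated one, advances this DC's USN."""
        self.usn += 1
        record = dict(self.entries.get(dn, {}))
        record.update(attrs)
        record["uSNChanged"] = self.usn
        self.entries[dn] = record

    def changes_since(self, last_change_number):
        """Incremental poll: DNs whose uSNChanged is above the watermark."""
        return sorted(dn for dn, e in self.entries.items()
                      if e["uSNChanged"] > last_change_number)


def switch_domain_controller(new_dc, writes_during_full_load=()):
    """The procedure above, run against the new controller.

    Returns (back_end_view, watermark): the synchronized entries and the value
    stored in lastchangenumber before incremental synchronization resumed.
    """
    watermark = new_dc.highestCommittedUSN                         # read before the load
    back_end = {dn: dict(e) for dn, e in new_dc.entries.items()}  # ldifde dump + upload
    for dn, attrs in writes_during_full_load:                      # changes during the load
        new_dc.write(dn, attrs)
    for dn in new_dc.changes_since(watermark):                     # resume from the watermark
        back_end[dn] = dict(new_dc.entries[dn])
    return back_end, watermark


def stale_watermark_misses(old_dc, new_dc):
    """The failure mode: reusing the old controller's watermark on the new one.

    Returns what the next poll would report, which stays empty until the new
    controller's counter happens to climb past the old value.
    """
    return new_dc.changes_since(old_dc.highestCommittedUSN)


# Constructed scenario: both controllers hold the same two users, but the old
# one has absorbed far more writes and so has a much higher USN counter.
USERS = [("CN=Alice,OU=Staff,DC=example,DC=com", {"mail": "alice@example.com"}),
         ("CN=Bob,OU=Staff,DC=example,DC=com", {"mail": "bob@example.com"})]


def build_scenario():
    old_dc = DomainController("dc01", USERS)
    for _ in range(50):
        old_dc.write(USERS[0][0], {"description": "churn"})
    new_dc = DomainController("dc02", USERS)
    return old_dc, new_dc


if __name__ == "__main__":
    old_dc, new_dc = build_scenario()
    new_dc.write("CN=Carol,OU=Staff,DC=example,DC=com", {"mail": "carol@example.com"})
    print("old DC USN %d, new DC USN %d" % (old_dc.highestCommittedUSN, new_dc.highestCommittedUSN))
    print("stale watermark sees:", stale_watermark_misses(old_dc, new_dc))
    view, mark = switch_domain_controller(
        new_dc, [("CN=Dave,OU=Staff,DC=example,DC=com", {"mail": "dave@example.com"})])
    print("watermark %d, entries after switch: %s" % (mark, sorted(view)))
```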
21.6.2 Changing the Microsoft Active Directory Domain Controller by Using the DirSync Approach
If you are using the DirSync approach, perform the following steps:
1. Stop the currently running profile.
2. Use the copy operation of the manageSyncProfiles command to create a new profile exactly the same as the profile already being used. In the newly created profile, modify the Microsoft Active Directory host connection information (host, port, user, password) to point to the new host. Usually, the host name is the only item you need to update.
3. Resume normal synchronization with the modified profile. Note that all the domain controllers must be in the same Microsoft Active Directory domain.
21.7 About Configuration for Microsoft Active Directory Connector with Microsoft Active Directory Lightweight Directory Service
The Microsoft Active Directory connector can be used for synchronizing the entries between Microsoft Active Directory Lightweight Directory Service (AD LDS), which was previously known as Active Directory Application Mode or ADAM, and the Oracle back-end directory.
21.8 Configuring the Microsoft Active Directory Connector for Microsoft Exchange Server
The Microsoft Active Directory Connector can provision users in Microsoft Exchange in deployments that have Microsoft Active Directory Server 2000 or later as their identity store. You can use the Fusion Middleware Control or the manageSyncProfiles command to configure the Microsoft Active Directory connector for Microsoft Exchange Server.
Topics:
- Enabling Microsoft Exchange User Synchronization Using the Fusion Middleware Control
- Enabling Microsoft Exchange User Synchronization From the Command Line
To further customize your integration with Microsoft Exchange, follow the instructions in "Configuring Advanced Integration with Microsoft Active Directory".
21.8.1 Enabling Microsoft Exchange User Synchronization Using the Fusion Middleware Control
1. Use the Oracle Enterprise Manager Fusion Middleware Control to create a synchronization profile, as described in "Creating Synchronization Profiles". On the General tab, set the Use DIP-OID as? field to Source and select MS Exchange Server from the Type list.
2. On the Mapping tab, in addition to creating domain mapping rules, you need to create two attribute mapping rules. Following are instructions on how to create the mapping rules.
a. On the Mapping tab, click Create in the Attribute Mapping Rules section. The Add Attribute Mapping Rule dialog box opens.
b. Create the first (of two) attribute mapping rules using the following steps:
- Select inetorgperson from the Source ObjectClass drop-down menu.
- Select the Single Attribute option, then select uid from the Source Attribute drop-down menu.
- Select User from the Destination ObjectClass drop-down menu.
- Select homeMTA from the Destination Attribute drop-down menu.
- Type the value of the MTA DN in the Mapping Expression field. To obtain the value for homeMTA, run a simple LDAP search query on any mailbox-enabled user in Active Directory. The MTA DN follows this format (CN=Oracle in the examples is the name of the Exchange organization; substitute your own, and <Domain_DN> is the DN of the forest root domain, under which the Configuration partition lives):
CN=Microsoft MTA,CN=<host>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain_DN>
For example:
CN=Microsoft MTA,CN=DADVMN0152,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=diptest,DC=us,DC=oracle,DC=com
- Click OK to save the rule.
c. Create the second attribute mapping rule using the following steps:
- Select inetorgperson from the Source ObjectClass drop-down menu.
- Select the Single Attribute option, then select uid from the Source Attribute drop-down menu.
- Select User from the Destination ObjectClass drop-down menu.
- Select homeMDB from the Destination Attribute drop-down menu.
- Type the value of the MDB DN in the Mapping Expression field. To obtain the value for homeMDB, run a simple LDAP search query on any mailbox-enabled user in Active Directory. The MDB DN follows this format:
CN=Mailbox Store (<host>),CN=First Storage Group,CN=InformationStore,CN=<host>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain_DN>
For example:
CN=Mailbox Store (DADVMN0152),CN=First Storage Group,CN=InformationStore,CN=DADVMN0152,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=diptest,DC=us,DC=oracle,DC=com
- Click OK to save the rule.
21.8.2 Enabling Microsoft Exchange User Synchronization From the Command Line
1. Use the manageSyncProfiles command. For more information, see manageSyncProfiles Utility. When you run the command, specify ExchangeServer2003 as the value assigned to the -conDirType argument. Import and export profiles will be created. The import profile is based on the Active Directory USN template profile and the export profile is based on the Exchange Server template profile.
2. Edit the msexchangeexp.map.master mapping file and create domain mapping rules and attribute mapping rules. Details about how to create the attribute mapping rules are included below. For general information about mapping rules, see Customizing Mapping Rules.
a. Open the msexchangeexp.map.master mapping file (located in ORACLE_HOME/ldap/odi/conf/) and locate the following attribute mapping rule:
uid:: :inetorgperson:homeMTA: :User:'%DN_OF_MTA%'
b. Replace %DN_OF_MTA% with the actual value of the MTA DN. To obtain the value for homeMTA, run a simple LDAP search query on any mailbox-enabled user in Active Directory. The MTA DN follows this format (CN=Oracle in the examples is the name of the Exchange organization; substitute your own):
CN=Microsoft MTA,CN=<host>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain_DN>
For example:
CN=Microsoft MTA,CN=DADVMN0152,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=diptest,DC=us,DC=oracle,DC=com
c. In the msexchangeexp.map.master mapping file, locate the following attribute mapping rule:
uid:: :inetorgperson:homeMDB: :User:'%DN_OF_MDB%'
d. Replace %DN_OF_MDB% with the actual value of the MDB DN. To obtain the value for homeMDB, run a simple LDAP search query on any mailbox-enabled user in Active Directory. The MDB DN follows this format:
CN=Mailbox Store (<host>),CN=First Storage Group,CN=InformationStore,CN=<host>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain_DN>
For example:
CN=Mailbox Store (DADVMN0152),CN=First Storage Group,CN=InformationStore,CN=DADVMN0152,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=diptest,DC=us,DC=oracle,DC=com
e. Save your changes.
3. Edit the msexchangeexp.properties file (located in ORACLE_HOME/ldap/odi/conf/) and specify the following:
- Microsoft Exchange server host name
- Microsoft Exchange server port number
- User name
- Password
- The location of the msexchangeexp.map.master file and the activeexp.cfg.master file
Because this file carries the credentials of the connector account, restrict read access to it to the user that runs Oracle Directory Integration Platform.