21 Integrating with Microsoft Active Directory

This chapter outlines the procedures for integrating Oracle Identity Management with Microsoft Active Directory in a production environment.

Topics:

Note:

Before continuing with this chapter, you should be familiar with the concepts presented in previous chapters. The following chapters in particular are important:

If you are configuring a demonstration of integration with Microsoft Active Directory, then see the Oracle By Example series for Oracle Identity Management, available on Oracle Technology Network at http://www.oracle.com/technology/

21.1 Verify Synchronization Requirements for Microsoft Active Directory

Before configuring basic or advanced synchronization with Microsoft Active Directory, ensure that your environment meets the necessary synchronization requirements.

You must follow the instructions in "Verifying Synchronization Requirements".

21.2 Configuring Basic Synchronization with Microsoft Active Directory

You can use Oracle Enterprise Manager Fusion Middleware Control or the manageSyncProfiles command to configure synchronization profiles for Microsoft Active Directory.

Refer to Managing Directory Synchronization Profiles for more information.

Tip:

Oracle Directory Integration Platform can synchronize one Microsoft Active Directory (AD) with multiple Oracle directory servers at the same time.

21.3 Configuring Advanced Integration with Microsoft Active Directory

When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported connected directories.

The sample synchronization profiles created for Microsoft Active Directory are:

  • ActiveImport—The profile for importing changes from Microsoft Active Directory to the Oracle back-end directory by using the DirSync approach

  • ActiveChgImp—The profile for importing changes from Microsoft Active Directory to the Oracle back-end directory by using the USN-Changed approach

  • ActiveExport—The profile for exporting changes from the Oracle back-end directory to Microsoft Active Directory

Note:

  • Whether you use ActiveImport or ActiveChgImp depends on the method you chose for tracking changes, either DirSync or USN-Changed.

  • If you establish integration between Active Directory and the Oracle back-end directory for both exporting and importing users, then you must customize the ActiveExport search filter to prevent Oracle Directory Integration Platform from exporting or importing users twice. The following is an example of a customized ActiveExport search filter that may be used when both export and import operations are enabled for the same Active Directory instance:

    odip.profile.condirfilter ="searchfilter=(|(objectclass= group)(objectclass= organizationalunit)(&(objectclass=user) (!(objectclass=computer))))"

See Also:

"Customizing the Search Filter to Retrieve Information from Microsoft Active Directory" for information on customizing the search filter

You can also use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles. The import and export synchronization profiles created during the install process or with expressSyncSetup are only intended as a starting point for you to use when deploying your integration of the Oracle back-end directory and Microsoft Active Directory. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:

21.3.1 Understanding How to Plan Integration with Microsoft Active Directory

Plan your integration by reading Connected Directory Integration Concepts and Considerations, particularly "Microsoft Active Directory Integration Concepts". Be sure to create a new profile by copying the existing Active Directory template profile by following the instructions in “Creating Synchronization Profiles”.

21.3.2 Configure the Realm for Microsoft Active Directory

If your Oracle back-end directory is Oracle Internet Directory, configure the realm by following the instructions in "Configuring the Realm".

21.3.3 Customizing the Search Filter to Retrieve Information from Microsoft Active Directory

By default, Microsoft Active Directory Connector retrieves changes to all objects in the container configured for synchronization. If you are interested in retrieving only a certain type of change, for example only changes to users and groups, then you should configure an LDAP search filter. This filter screens out changes that are not required when Microsoft Active Directory Connector queries Microsoft Active Directory. The filter is stored in the searchfilter attribute in the synchronization profile.

In the sample profiles activeChgImp and activeImport, only groups and users are retrieved from Microsoft Active Directory. Computers are not retrieved. The value of the searchfilter attribute is set as:

searchfilter=(|(objectclass=group)(&(objectclass=user)(!(objectclass=computer))))

You can use Oracle Enterprise Manager Fusion Middleware Control to customize the search filter by completing the following steps:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.

  2. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the search filter you want to customize.

  4. Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles Page appears.

  5. On the Manage Synchronization Server page, select an existing profile and click Edit. The Edit Synchronization Profile page appears, opened to the General tab.

  6. On the Edit Synchronization Profile page, select the Filtering tab.

  7. In the Source Matching Filter (orclODIPConDirMatchingFilter) and the Destination Matching Filter (orclODIPOIDMatchingFilter) fields, enter the appropriate values for the searchfilter attribute. Instructions for specifying the searchfilter attribute are provided in the section "Filtering Changes with an LDAP Search".

  8. Choose OK.

To customize the search filter by using the manageSyncProfiles command:

  1. Enter the following command to customize the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) attribute:
    manageSyncProfiles update -h host -p port -D WLS_login_ID
    -pf synchronization_profile_name -params "odip.profile.condirfilter 
    searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclas
    s=user)(!(objectclass=computer))))"
    
  2. Enter the following command to customize the OID Matching Filter (orclODIPOIDMatchingFilter) attribute:
    manageSyncProfiles update -h host -p port -D WLS_login_ID
    -pf synchronization_profile_name -params "odip.profile.oidfilter 
    orclObjectGUID"
    

Note:

All attributes specified in the searchfilter attribute should be configured as indexed attributes in Microsoft Active Directory.

See Also:

The appendix about the LDAP filter definition in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions on configuring an LDAP search filter

21.3.4 Understanding How to Customize the ACLs for Microsoft Active Directory

Customize ACLs as described in "Customizing Access Control Lists".

21.3.5 Customize Attribute Mappings for Integrating with Microsoft Active Directory

When integrating with Microsoft Active Directory, the following attribute-level mapping is mandatory for all objects:

ObjectGUID:  :  : :orclObjectGUID:
ObjectSID:  :  : :orclObjectSID:

Example 21-1 Attribute-Level Mapping for the User Object in Microsoft Active Directory

SAMAccountName:1: :user:orclADSAMAccountName: :orclADUser
userPrincipalName: : :user:orclADUserPrincipalName::orclADUser:userPrincipalName

Example 21-2 Attribute-Level Mapping for the Group Object in Microsoft Active Directory

SAMAccountName:1: :group:orclADSAMAccountName: :orclADGroup

In the preceding examples, SAMAccountName and userPrincipalName from Microsoft Active Directory are mapped to orclADSAMAccountName and orclADUserPrincipalName in Oracle Internet Directory.

Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".

21.3.6 Synchronizing with Multiple Microsoft Active Directory Domains

When synchronizing with multiple Microsoft Active Directory domains, you need separate import and export synchronization profiles for each domain in most cases. However, the profiles for each domain should be very similar. The only exception involves using Global Catalog with import synchronization profiles. In this case, you only need to create a single import synchronization profile for the entire Microsoft Active Directory forest. For more information, see "About Configuration Required for Importing from Microsoft Active Directory to the Oracle Back-end Directory".

Note:

Be sure to perform attribute and DN mapping before attempting to synchronize with multiple domains.

The best approach to creating separate import and export synchronization profiles for multiple domains is as follows:

  1. Customize the import and export synchronization profiles for a single domain, using the procedures described earlier in this section.
  2. Once you have finished customizing the import and export synchronization profiles for the first domain, use the copy operation of the manageSyncProfiles command to duplicate profiles, as follows:
    manageSyncProfiles copy -h host -p port -D WLS_login_ID
    -pf Original_Profile_Name -newpf New_Profile_Name
    
  3. Use the update operation of the manageSyncProfiles command to customize the profiles for each additional Microsoft Active Directory domain, as follows:
    manageSyncProfiles update -h host -p port -D WLS_login_ID
    -pf Profile_Name -params "prop1 val1 prop2 val2 ..."
    
  4. If necessary, update the connection details for each domain by following the instructions listed in "Configure Connection Details for a Third-Party Directory".
  5. Update the last change number in the import and export synchronization profiles for each domain by running the following command:
    manageSyncProfiles updatechgnum -h host -p port -D WLS_login_ID
    -pf Profile_Name
    
  6. Repeat Steps 2 through 5 for each Microsoft Active Directory domain with which you need to synchronize.

21.3.7 About How to Synchronize Deletions from Microsoft Active Directory

To synchronize deletions in Microsoft Active Directory with the Oracle back-end directory, you must grant the necessary privilege to the Microsoft Active Directory user account that the Oracle directory integration server uses to perform synchronizations with Microsoft Active Directory. Microsoft Active Directory deletions can be synchronized with the Oracle back-end directory by querying for them in Microsoft Active Directory. The way to do this depends on whether you are using the DirSync approach or the USN-Changed approach.

For the DirSync approach, the Microsoft Active Directory user account that the Oracle Directory Integration Platform uses to access Microsoft Active Directory must have Domain Administrative permissions, belong to the Domain Administrators group, or be explicitly granted Replicating Directory Changes permissions.

See Also:

Article ID 303972 at http://support.microsoft.com for information on how to grant Replicating Directory Changes permissions

For the USN-Changed approach, the Microsoft Active Directory user account that the Oracle Directory Integration Platform uses to access Microsoft Active Directory must have "List Content" and "Read Properties" permission to the cn=Deleted Objects container of a given domain. In order to set these permissions, you must use the dsacls.exe command that is available with recent versions of Microsoft Active Directory Lightweight Directory Service (AD LDS), which was previously known as Active Directory Application Mode or ADAM.

Regardless of whether you are using the DirSync approach or the USN-Changed approach to synchronize deletions in Microsoft Active Directory with the Oracle back-end directory, if you create a matching filter for the ActiveImport profile (for the DirSync approach) or the ActiveChgImp profile (for the USN-Changed profile) be sure to include only the following key Microsoft Active Directory attributes:

  • ObjectGUID

  • ObjectSID

  • ObjectDistName

  • USNChanged

In you specify any attributes in a matching filter other than the preceding key attributes, deletions in Microsoft Active Directory are not propagated to the Oracle back-end directory.

See Also:

21.3.8 About Synchronization in SSL Mode

Configure the Microsoft Active Directory connector for synchronization in SSL mode by following the instructions in "Configuring the Connected Directory Connector for Synchronization in SSL Mode".

21.3.9 Synchronizing Passwords from the Oracle back-End Directory to Microsoft Active Directory

To synchronize password changes from the Oracle back-end directory to Microsoft Active Directory, follow these steps:

  1. Configure the Oracle back-end directory, Oracle Directory Integration Platform, and Microsoft Active Directory to run in SSL server authentication mode.
  2. Enable password synchronization from the Oracle back-end directory to Microsoft Active Directory by following the instructions in "Enable Password Synchronization from the Oracle Back-end Directory to a Connected Directory".

21.3.10 About the Microsoft Active Directory External Authentication Plug-in Configuration

Configure the Microsoft Active Directory external authentication plug-in by following the instructions in "Configuring External Authentication Plug-ins".

21.3.11 Perform Post-Configuration and Administrative Tasks

Read Managing Integration with a Connected Directory for information on post-configuration and ongoing administration tasks.

21.4 Using DirSync Change Tracking for Import Operations

By default, the import synchronization profile created with expressSyncSetup uses the USN-Changed approach for tracking changes. If you want to use the DirSync change tracking approach, be sure to perform the steps in this section before beginning synchronization.

Note:

You may want to back up your current import synchronization profile before performing the following procedures. You can create a backup copy of a profile by using the copy operation of the manageSyncProfiles command.

To modify the import synchronization profile to use the DirSync change tracking approach:

  1. You can use the activeimp.cfg.master file, located in your $ORACLE_HOME/ldap/odi/conf directory, to change the import synchronization profile from the USN-Changed approach to DirSync. Use the following command to update the profile:
    manageSyncProfiles update -h host -p port -D WLS_login_ID -pf Profile_Name 
    -params "odip.profile.configfile $ORACLE_HOME/ldap/odi/conf/activeimp.cfg.master"
    
  2. Update the last change number by running the following command:
    manageSyncProfiles updatechgnum -h host -p port -D WLS_login_ID
    -pf Profile_Name
    

21.5 Configuring Synchronization of Microsoft Active Directory Foreign Security Principal References with an Oracle Back-End Directory

This section explains how to synchronize Microsoft Active Directory foreign security principal references with an Oracle back-end directory.

Although Microsoft Active Directory stores information for group members in a trusted domain as foreign security principal references, Oracle back-end directory stores the DNs of these members. This results in a mismatch between an entry and its value as a member of a group. The relationship between a user and a group cannot be directly established in Oracle back-end directory.

To establish the relationship between users and groups, the member DNs that refer to the foreign security principals must be replaced by the DNs of the entries during the synchronization of such groups. This is called resolving foreign key references.

Note:

Synchronization of foreign security principal references is supported only on Windows 2003 and above.

Tasks to Resolve Foreign Key References

This section explains the steps for resolving foreign key references.

Task 1: Update Agent Configuration Information

For each profile that can have foreign security principal references, perform the following steps. The sample configuration files are in the $ORACLE_HOME/ldap/odi/conf/ directory.

  1. Copy the activeimp.cfg.fsp file. The following is an example of the activeimp.cfg.fsp file:

    [INTERFACEDETAILS]
       Package: gsi
       Reader: ActiveReader
    [TRUSTEDPROFILES]
       prof1 : <Name of the profile1>
       prof2 : <Name of the profile2>
    [FSPMAXSIZE]
       val=10000
    

    The preceding example assumes you are using the DirSync change tracking approach. If you are using the USN-Changed approach for tracking changes, assign a value of ActiveChgReader to the Reader parameter.

  2. In the activeimp.cfg.fsp file, under the [TRUSTEDPROFILES] tag, specify the profile names of the other domains that have foreign security principal references in this domain.

    Referring to Example 21-3, agent configuration information for Domain A contains the following:

    [INTERFACEDETAILS]
       Package: gsi
       Reader: ActiveReader
    [TRUSTEDPROFILES]
       prof1: profile_name_for_domain_B
       prof2: profile_name_for_domain_C
    

    Agent configuration information for domain B contains the following:

    [INTERFACEDETAILS]
       Package: gsi
       Reader: ActiveReader
    [TRUSTEDPROFILES]
       prof1: profile_name_for_domain_C
    

    Agent configuration information for domain C has no changes because domain C has no foreign key references.

  3. Under the [FSPMAXSIZE] tag, specify the foreign security principal cache size. This can be the average number of foreign security principals you can have. A sample value of 1000 is specified in the activeimp.cfg.fsp file.

  4. Load the new agent configuration information file by using the update operation of the manageSyncProfiles command as follows:

    manageSyncProfiles update -h host -p port -D WLS_login_ID
    -pf profile_name_for_domain_A_or_B -params "odip.profile.configfile activeimp.cfg.fsp"
    
  5. Repeat this task for every profile of interest.

Task 2: Update the Mapping Rules to Resolve the Foreign Security Principals During Synchronization

After bootstrapping, modifications to groups must be reflected in back-end directory with the correct group membership values. The fsptodn mapping rule enables you to do this when you synchronize. Modify this mapping rule in every profile that needs foreign security principal resolution. Referring to Example 21-3, the mapping rules must be modified for Domains A and B.

If you do not have DN mapping, then change your mapping rule for the member attribute to the following:

member: : :group:uniquemember: :groupofUniqueNames: fsptodn(member)

If you have DN mapping, then change the mapping rules as follows:

  1. Add the DN mapping rules corresponding to each of the trusted domains. This is used to resolve the correct domain mapping. Referring to Example 21-3, the domainrules in the mapping file for Domain A should have content similar to the following:
    DOMAINRULES
    <Src Domain A >:<Dst domain A1 in back-end directory>
    <Src Domain B >:<Dst domain B1 in back-end directory>
    <Src Domain C >:<Dst domain C1 in back-end directory>
    
  2. Change your mapping rule for the member attribute to:
    member:::group:uniquemember::groupofUniqueNames:dnconvert(fsptodn(member))
    
  3. Upload the mapping file for the different profiles using the update operation of the manageSyncProfiles command, as follows:
    manageSyncProfiles update -h host -p port -D WLS_login_ID
    -pf Profile_Name -file File_Name
    

Example 21-3 How Foreign Key References Are Resolved

The example in this section illustrates how foreign key references are resolved.Assume that there are three domains: A, B and C.

  • Domain A has a one-way non-transitive trust to Domain B. It can have foreign security principal references for users and groups from Domain B.
  • Domain A has a one-way non-transitive trust to Domain C. It can have foreign security principal references for users and groups from Domain C.
  • Domain B has a one-way non-transitive trust to Domain C. It can have foreign security principal references for users and groups from Domain C.

In this example, the one-way non-transitive trusts are from Domain A to Domain B, from Domain A to Domain C, and from Domain B to Domain C.

21.6 Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain

You can use the USN-Changed approach or DirSync approach to change the Microsoft Active Directory domain controller to which changes are exported.

Topics:

21.6.1 Changing the Microsoft Active Directory Domain Controller by Using the USN-Changed Approach

If you are using the USN-Changed approach, then perform the following:

  1. Disable the current running profile. Modify the Microsoft Active Directory host connection information, that is, host, port, user, password, to point to the new host. Usually, the host name is the only item that you need to update.

  2. Obtain the current value of the highestCommittedUSN by searching the new domain controller's root DSE for the current highest USNChanged value (attribute value of the highestCommittedUSN attribute of the root DSE):

    ldapsearch -h host -p port -b "" -s base -D binddn -q \
    "objectclass=*" highestCommittedUSN
    

    Note:

    You will be prompted for the password.

  3. Use Oracle Directory Integration Platform to run a full synchronization from Microsoft Active Directory.

    1. Run ldifde, the command to dump entries from Microsoft Active Directory to the Oracle back-end directory, using the intended LDAP search scope and search filter. Normally, the search filter should be the same as that specified in the running profile. For example, the following search filter is set in the sample properties file. Note that ldifde can be run only from a Microsoft Windows environment.

      searchfilter=(&(|(objectclass=user)(objectclass=organizationalunit))(!(objectclass=group)))
      

      Essentially, run ldifde with a search scope and search filter that retrieves all Oracle back-end directory objects (entries) that were configured to be synchronized with Microsoft Active Directory by the running profile.

    2. Run Oracle Directory Integration Platform to upload the LDIF file generated in Step 3.a using the same profile.

  4. After the full synchronization is completed, update the lastchangenumber attribute with the highestCommittedUSN value obtained in Step 2.

  5. Resume the normal synchronization, that is, incremental synchronization from Microsoft Active Directory using USNChanged attribute.

21.6.2 Changing the Microsoft Active Directory Domain Controller by Using the DirSync Approach

If you are using the DirSync approach, perform the following steps:

  1. Stop the current profile that is running.
  2. Use the copy operation of the manageSyncProfiles command to create a new profile exactly the same as the profile already being used. In the newly created profile, modify the Microsoft Active Directory host connection information, that is, host, port, user, password, to point to the new host. Usually, the host name is the only item you need to update.
  3. Resume normal synchronization with the modified profile. Note that all the domain controllers must be in the same Microsoft Active Directory domain.

21.7 About Configuration for Microsoft Active Directory Connector with Microsoft Active Directory Lightweight Directory Service

The Microsoft Active Directory connector can be used for synchronizing the entries between Microsoft Active Directory Lightweight Directory Service (AD LDS), which was previously known as Active Directory Application Mode or ADAM, and the Oracle back-end directory.

21.8 Configuring the Microsoft Active Directory Connector for Microsoft Exchange Server

The Microsoft Active Directory Connector can provision users in Microsoft Exchange in deployments that have Microsoft Active Directory Server 2000 or later as their identity store. You can use the Fusion Middleware Control or manageSyncProfiles command to configure the Microsoft Active Directory connector for Microsoft Exchange Server.

Topics:

To further customize your integration with Microsoft Exchange, follow the instructions in "Configuring Advanced Integration with Microsoft Active Directory".

21.8.1 Enabling Microsoft Exchange User Synchronization Using the Fusion Middleware Control

  1. Use the Oracle Enterprise Manager Fusion Middleware Control to create a synchronization profile, as described in “Creating Synchronization Profiles”.

    On the General tab, set the Use DIP-OID as? field to Source and select MS Exchange Server from the Type list.

    On the Mapping tab, in addition to creating domain mapping rules, you need to create two attribute mapping rules. Following are instructions on how to create the mapping rules.

  2. On the Mapping tab, click Create in the Attribute Mapping Rules section.

    The Add Attribute Mapping Rule dialog box opens.

  3. Create the first (of two) attribute mapping rules using the following steps:

    1. Select inetorgperson from the Source ObjectClass drop-down menu.

    2. Select the Single Attribute option, then select uid from the Source Attribute drop-down menu.

    3. Select User from the Destination ObjectClass drop-down menu.

    4. Select homeMTA from the Destination Attribute drop-down menu.

    5. Type the value of the MTA DN in the Mapping Expression field.

      To obtain the value for homeMTA, run a simple LDAP search query on any user in Active Directory.

      The MTA DN follows this format:

      CN=Microsoft MTA,CN=<host>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain_DN>

      For example:

      CN=Microsoft MTA,CN=DADVMN0152,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=diptest,DC=us,DC=oracle,DC=com

    6. Click OK to save the rule.

  4. Create the second attribute mapping rule using the following steps:

    1. Select inetorgperson from the Source ObjectClass drop-down menu.

    2. Select the Single Attribute option, then select uid from the Source Attribute drop-down menu.

    3. Select User from the Destination ObjectClass drop-down menu.

    4. Select homeMDB from the Destination Attribute drop-down menu.

    5. Type the value of the MDB DN in the Mapping Expression field.

      To obtain the value for homeMDB, run a simple LDAP search query on any user in Active Directory.

      The MDB DN follows this format:

      CN=Mailbox Store (<host>),CN=First Storage Group, CN=InformationStore,CN=<host>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain_DN>

      For example:

      CN=Mailbox Store (DADVMN0152),CN=First Storage Group, CN=InformationStore,CN=DADVMN0152,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services, CN=Configuration,DC=diptest,DC=us,DC=oracle,DC=com

    6. Click OK to save the rule.

21.8.2 Enabling Microsoft Exchange User Synchronization From the Command Line

  1. Use the manageSyncProfiles command. For more information, see manageSyncProfiles Utility.

    When you run the command, specify ExchangeServer2003 as the value assigned to the -conDirType argument.

    Import and export profiles will be created. The import profile is based on the Active Directory USN template profile and the export profile is based on the Exchange Sever template profile.

  2. Edit the msexchangeexp.map.master mapping file and create domain mapping rules and attribute mapping rules. Details about how to create the attribute mapping rules are included below. For general information about mapping rules, see Customizing Mapping Rules.

    1. Open the msexchangeexp.map.master mapping file (located in ORACLE_HOME/ldap/odi/conf/ ) and locate the following attribute mapping rule:

      uid:: :inetorgperson:homeMTA: :User:'%DN_OF_MTA%'

    2. Replace %DN_OF_MTA% with the actual value of the MTA DN.

      To obtain the value for homeMTA, run a simple LDAP search query on any user in Active Directory.

      The MTA DN follows this format:

      CN=Microsoft MTA,CN=<host>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain_DN>

      For example:

      CN=Microsoft MTA,CN=DADVMN0152,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=diptest,DC=us,DC=oracle,DC=com

    3. In the msexchangeexp.map.master mapping file locate the following attribute mapping rule:

      uid:: :inetorgperson:homeMDB: :User:'%DN_OF_MDB%'

    4. Replace %DN_OF_MDB% with the actual value of the MDB DN.

      To obtain the value for homeMDB, run a simple LDAP search query on any user in Active Directory.

      The MDB DN follows this format:

      CN=Mailbox Store (<host>),CN=First Storage Group, CN=InformationStore,CN=<host>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain_DN>

      For example:

      CN=Mailbox Store (DADVMN0152),CN=First Storage Group, CN=InformationStore,CN=DADVMN0152,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Oracle,CN=Microsoft Exchange,CN=Services, CN=Configuration,DC=diptest,DC=us,DC=oracle,DC=com

    5. Save your changes.

  3. Edit the msexchangeexp.properties file (located in ORACLE_HOME/ldap/odi/conf/ ) and specify the following:

    • Microsoft Exchange server host name

    • Microsoft Exchange server port number

    • User name

    • Password

    • The location of the msexchangeexp.map.master file and the activeexp.cfg.master file