23 Integrating with Oracle Directory Server Enterprise Edition (Connected Directory)
This chapter outlines the procedures for integrating Oracle Identity Management with Oracle Directory Server Enterprise Edition connected directory (previously known as Sun Java System Directory Server, and, before that, SunONE iPlanet).
Topics:
-
Verifying Synchronization Requirements for Oracle Directory Server Enterprise Edition
-
Configuring Basic Synchronization with Oracle Directory Server Enterprise Edition
-
Configuring Advanced Integration with Oracle Directory Server Enterprise Edition
Note:
Before continuing with this chapter, you should be familiar with the concepts presented in the following chapters:
If you are configuring a demonstration of integration with Oracle Directory Server Enterprise Edition / Sun Java System Directory Server, then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology/
23.1 Verifying Synchronization Requirements for Oracle Directory Server Enterprise Edition
Before configuring basic or advanced synchronization with Oracle Directory Server Enterprise Edition, ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements". Before synchronizing with Oracle Directory Server Enterprise Edition, you must also perform the following steps:
For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
23.2 Configuring Basic Synchronization with Oracle Directory Server Enterprise Edition
You use the expressSyncSetup command to quickly establish synchronization between the Oracle back-end directory and Oracle Directory Server Enterprise Edition.
The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use the expressSyncSetup command to synchronize with Oracle Directory Server Enterprise Edition, see "Creating Import and Export Synchronization Profiles Using expressSyncSetup".
23.3 Configuring Advanced Integration with Oracle Directory Server Enterprise Edition
You can also use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles from the templates.
The import and export synchronization profiles created with the expressSyncSetup command are only intended as a starting point for you to use when deploying your integration of the Oracle back-end directory and Oracle Directory Server Enterprise Edition. Because these synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps:
Note:
When you install Oracle Directory Integration Platform, import and export template files are automatically created (ORACLE_HOME/ldap/odi/conf). The template files created for Oracle Directory Server Enterprise Edition are:
-
iPlanetImport—The profile for importing changes from Oracle Directory Server Enterprise Edition to the Oracle back-end directory
-
iPlanetExport—The profile for exporting changes from the Oracle back-end directory to Oracle Directory Server Enterprise Edition
-
Understanding How to Plan Integration with Oracle Directory Server Enterprise Edition
-
Configure the Realm for Oracle Directory Server Enterprise Edition
-
Understanding How to Customize the ACLs for Oracle Directory Server Enterprise Edition
-
Customize Attribute Mappings for Oracle Directory Server Enterprise Edition
-
Understanding How to Synchronize Passwords for Oracle Directory Server Enterprise Edition
23.3.1 Understanding How to Plan Integration with Oracle Directory Server Enterprise Edition
Plan your integration by reading Connected Directory Integration Concepts and Considerations, particularly "Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Integration Concepts". Be sure to create a new profile by copying the existing Oracle Directory Server Enterprise Edition or Sun Java System Directory Server template profile by following the instructions in "Creating Synchronization Profiles".
23.3.2 Configure the Realm for Oracle Directory Server Enterprise Edition
Configure the realm by following the instructions in Configuring the Realm.
23.3.3 Understanding How to Customize the ACLs for Oracle Directory Server Enterprise Edition
Customize ACLs as described in Customizing Access Control Lists.
23.3.4 Customize Attribute Mappings for Oracle Directory Server Enterprise Edition
When integrating with Oracle Directory Server Enterprise Edition, the following attribute-level mapping is mandatory for all objects:
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Example 23-1 Attribute-Level Mapping for the User Object in Oracle Directory Server Enterprise Edition
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
Example 23-2 Attribute-Level Mapping for the Group Object in Oracle Directory Server Enterprise Edition
cn:1: :groupofname: cn: : groupofuniquenames:
In the preceding examples, Cn and sn from Oracle Directory Server Enterprise Edition are mapped to cn and sn in the Oracle back-end directory.
Customize the attribute mappings by following the instructions in Customizing Mapping Rules.
23.3.5 About How to Customize the Oracle Directory Server Enterprise Edition Connector to Synchronize Deletions
If you want to synchronize deletions, and the mapping rules have mandatory attributes, then ensure that they are present in the change log when the entry is deleted. You must add Objectclass and other values to the list of attributes to be included when an entry is deleted, as described in "To Configure the Retro Change Log to Record Attributes of a Deleted Entry" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
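The two requirements above (the mandatory Targetdn mapping in Section 23.3.4, and mandatory attributes being present in the retro change log when an entry is deleted) can be checked before a profile is deployed. The following script is an added example, not code from the Oracle documentation or from Oracle Directory Integration Platform. It assumes the colon-separated field order of DIP mapping rules (source attribute, required flag, source type, source object class, destination attribute, destination type, destination object class, mapping expression), which matches the examples in this chapter but is not restated here; the function names, the sample rule set and the sample list of attributes recorded for deleted entries are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class MappingRule:
    src_attr: str
    required: bool
    src_type: str
    src_objectclass: str
    dst_attr: str
    dst_type: str
    dst_objectclass: str
    mapping_rule: str


def parse_rule(line: str) -> MappingRule:
    """Split one colon-separated mapping rule into its fields.

    Assumed field order (DIP mapping-rule syntax, not restated on this page):
    srcAttr:required:srcAttrType:srcObjectClass:dstAttr:dstAttrType:dstObjectClass:mappingRule
    The chapter's examples pad empty fields with a space and end with a
    trailing colon, so every field is stripped and an absent mapping
    expression is treated as empty.
    """
    parts = [p.strip() for p in line.split(":")]
    if len(parts) < 7:
        raise ValueError(f"mapping rule needs at least 7 fields: {line!r}")
    head, rule = parts[:7], ":".join(parts[7:])  # an expression may itself contain ':'
    return MappingRule(
        src_attr=head[0], required=(head[1] == "1"), src_type=head[2],
        src_objectclass=head[3], dst_attr=head[4], dst_type=head[5],
        dst_objectclass=head[6], mapping_rule=rule,
    )


def parse_rules(text: str) -> List[MappingRule]:
    """Parse a block of rules, ignoring blank lines and '#' comment lines."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def has_targetdn_rule(rules: Iterable[MappingRule]) -> bool:
    """True if the mandatory Targetdn -> orclsourceobjectdn mapping is present."""
    return any(r.src_attr.lower() == "targetdn" and r.required
               and r.dst_attr.lower() == "orclsourceobjectdn" for r in rules)


def required_source_attrs(rules: Iterable[MappingRule]) -> Set[str]:
    """Source attributes (lower-cased) that any rule marks as required."""
    return {r.src_attr.lower() for r in rules if r.required}


def missing_from_deleted_entry_log(rules: Iterable[MappingRule],
                                   logged_attrs: Iterable[str]) -> Set[str]:
    """Required source attributes the retro change log will not carry on delete.

    'targetdn' is the change log entry's own DN attribute, so it is always
    present and is excluded; 'objectclass' must always be recorded, as the
    chapter says, so it is always part of the expectation.
    """
    needed = (required_source_attrs(rules) - {"targetdn"}) | {"objectclass"}
    return needed - {a.lower() for a in logged_attrs}


# Constructed sample input: the chapter's rules (the two user rules on
# separate lines) plus one optional 'mail' rule added for contrast.
SAMPLE_RULES = """\
# Targetdn mapping is mandatory for every object
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
mail: : :person: mail: :inetorgperson:
cn:1: :groupofname: cn: : groupofuniquenames:
"""

# Constructed: attributes the retro change log has been configured to record
# for deleted entries. 'sn' is deliberately left out to show the finding.
SAMPLE_DELETED_ENTRY_ATTRS = ["objectClass", "cn"]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("Targetdn rule present:", has_targetdn_rule(rules))
    print("required source attrs:", sorted(required_source_attrs(rules)))
    print("not recorded on delete:",
          sorted(missing_from_deleted_entry_log(rules, SAMPLE_DELETED_ENTRY_ATTRS)))
```

Run against the sample, the script reports that the Targetdn rule is present and that sn, although marked required, is not among the attributes recorded for deleted entries, so a delete of a user entry would reach the import profile without a value the mapping rule insists on. Feeding it the mapping rules of a real profile and the attribute list you configured in the retro change log gives the same check for your environment.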
23.3.6 Understanding How to Synchronize Passwords for Oracle Directory Server Enterprise Edition
You can synchronize the password, as described in Password Synchronization.
23.3.7 Synchronizing in SSL Mode
You must configure Oracle Directory Server Enterprise Edition for synchronization in SSL mode. To do so, follow the instructions in Configuring the Connected Directory Connector for Synchronization in SSL Mode.
Note:
Oracle recommends that you synchronize passwords over SSL connections to both the back-end directory and the connected directory.
23.3.8 Perform Post-Configuration and Administrative Tasks
This section describes the tasks you must complete after configuring advanced integration with Oracle Directory Server Enterprise Edition.
See Managing Integration with a Connected Directory for information on post-configuration and ongoing administration tasks.