Introduction to Oracle Directory Integration Platform

1.1 Why Oracle Directory Integration Platform?

Oracle Directory Integration Platform enables you to reduce administrative time and costs by integrating your applications and directories—including third-party LDAP directories—with a master back-end directory. Oracle Directory Integration Platform (DIP) supports the use of either Oracle Unified Directory, Oracle Internet Directory, or Oracle Directory Server Enterprise Edition as a back-end directory.

Use Oracle Directory Integration Platform to achieve these example objectives:

Keep employee records in Oracle Human Resources consistent with those in the Oracle back-end directory. Oracle Directory Integration Platform provides this synchronization through the Oracle Directory Synchronization Service.
Notify certain LDAP-enabled applications such as Oracle Portal—whenever changes are applied to the Oracle back-end directory. The Oracle Directory Integration Platform provides this notification through its Oracle Directory Integration Platform Provisioning Service.
Synchronize the password in Microsoft Active Directory with that in Oracle Unified Directory or Oracle Directory Server Enterprise Edition.

Throughout the integration process, Oracle Directory Integration Platform ensures that the applications and other directories receive and provide the necessary information in a reliable way.

You can integrate with various directories, including the following:

Microsoft Active Directory 2012, 2012 R2, and 2016
Active Directory Application Mode or ADAM, version 1 with SP1 on Windows 2003 (Microsoft Active Directory Lightweight Directory Service (AD LDS))
Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0)
Novell eDirectory 8.8
OpenLDAP 2.4
IBM Tivoli Directory Server 6.3
Oracle Unified Directory
Oracle Internet Directory

Note:
Oracle Internet Directory 10g is not certified/supported as the Oracle back-end directory or connected directory for Oracle Directory Integration Platform 12c.

1.2 Oracle Directory Integration Platform Installation Options

Oracle Directory Integration Platform can be installed simultaneously with other Oracle Identity Management components on the same host (server), or by itself as a standalone instance on a host system separate from other Oracle Identity Management components.

This could be the case if you want to separately manage J2EE based components (like Directory Integration Platform, Oracle Directory Services Manager (ODSM), or Fusion Middleware Control) in a dedicated Oracle WebLogic domain on a dedicated server.

To install a standalone Oracle Directory Integration Platform instance, you first need to install an Oracle Unified Directory or Oracle Internet Directory or Oracle Directory Server Enterprise Edition component. You should install a standalone instance of Oracle Directory Integration Platform under the following circumstances:

You need Oracle Directory Integration Platform to be installed in a different application server instance.
The applications that you need to provision and synchronize require intensive processing.
You need to run multiple instances of Oracle Directory Integration Platform for high availability.

See:

Configuring Oracle Directory Integration Platform in Installing and Configuring Oracle Internet Directory for complete information about installing Oracle Directory Integration Platform.

1.3 Understanding the Differences Between Synchronization and Provisioning

Before you begin working with Oracle Directory Integration Platform, you need to understand the differences between synchronization and provisioning.

Synchronization has to do with directories rather than applications. It ensures the consistency of entries and attributes that are in both the Oracle back-end directory and the other connected directories.

Note:

Synchronization and Replication are not synonymous. Replication is used for data handling between directories of the same vendor. Synchronization, on the other hand, provides better control of data that has to be kept synchronized between the back-end directory (metadirectory) and all connected third-party directories based on the transformation and mapping rules DIP provides.

Provisioning has to do with applications. It notifies them of changes to user or group entries or attributes that the application needs to track.

This section contains these topics:

1.3.1 About Synchronization

Synchronization enables you to coordinate changes between the Oracle back-end directory and the connected directories. To ensure that all directories use and provide only the latest data, each directory must be informed of changes made in the other connected directories. Synchronization ensures that changes to directory information—including, but not limited to data updated through provisioning—is kept consistent.

A single Directory Integration Platform service can simultaneously handle synchronization duties between multiple connected directories and the Oracle back-end directory. To connect an additional directory to the Oracle back-end directory, create a synchronization profile for that specific directory. This profile specifies the format and content of the data to be synchronized between the Oracle back-end directory and the connected directory. To create a synchronization profile, you can use the manageSyncProfiles utility or Oracle Enterprise Manager Fusion Middleware Control.

You can configure the following directories as the back-end directory for Oracle Directory Integration Platform synchronization:

Oracle Unified Directory
Oracle Internet Directory
Oracle Directory Server Enterprise Edition

See:

Synchronization Using Oracle Directory Integration Platform

1.3.2 About Provisioning

Provisioning enables you to ensure that an application is notified of directory changes to, for example, user or group information. Such changes can affect whether the application allows a user access to its processes and determines which resources can be used.

Use provisioning when you are designing or installing an application has the following requirements:

Does not maintain a directory
Is LDAP-enabled
Can and should allow only authorized users to access its resources

When you install an application that you want to provision, you must create a provisioning integration profile for it by using the manageProvProfiles utility.

1.3.3 How Synchronization and Provisioning Differ

Synchronization and provisioning have important operational differences.

Table 1-1 discusses the differences.

Table 1-1 Directory Synchronization and Provisioning Integration Distinctions

Consideration	Directory Synchronization	Provisioning Integration
The time for action	Application deployment time. Directory synchronization is for connected directories requiring synchronization with the Oracle back-end directory.	Application design time. Provisioning integration is for application designers developing LDAP-enabled applications.
Communication direction	Either one-way or two-way—that is, either from the Oracle back-end directory to the connected directories (including one or more connected Oracle databases), the reverse, or both.	Either one-way or two-way—that is, either from the Oracle back-end directory to applications, the reverse, or both.
Type of data	Any data in a directory.	Restricted to provisioned users and groups.
Examples	Oracle Human Resources Oracle Directory Server Enterprise Edition Oracle Unified Directory Oracle Internet Directory Microsoft Active Directory Novell eDirectory OpenLDAP IBM Tivoli Directory Server Oracle Database	Oracle Portal

1.4 Understanding Components Involved in Oracle Directory Integration Platform Integration

Oracle Directory Integration Platform integration includes the Oracle Back-End Directory and the Oracle Directory Integration Platform.

Topics:

1.4.1 About Oracle Back-End Directory

Either Oracle Unified Directory, Oracle Internet Directory, or Oracle Directory Server Enterprise Edition can be used as the repository in which Oracle components and third-party applications store and access user identities and credentials. The Oracle back-end directory uses the connected directory server to authenticate users by comparing the credentials entered by users with the credentials stored in the Oracle back-end directory.

When credentials are stored in a connected directory and not in the Oracle back-end directory, users can still be authenticated. In this case, the Oracle Internet Directory acting as the back-end directory uses an external authentication plug-in that authenticates users against the connected directory server. For more information, see "Configuring a Customized External Authentication Plug-in" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Oracle Unified Directory and Oracle Directory Server Enterprise Edition back-end directories uses pass-through authentication for passing authentication through to a connected directory like Microsoft Active Directory for users coming from Oracle Unified Directory or Oracle Directory Server Enterprise Edition. For more information, see:

The section "Understanding Pass-Through Authentication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Unified Directory.
The section "Pass-Through Authentication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.

1.4.2 About Oracle Directory Integration Platform

The Oracle Directory Integration Platform is a J2EE application that enables you to synchronize data between different repositories and the Oracle back-end directory.

Oracle Directory Integration Platform includes services and interfaces that allow you to develop synchronization solutions with other enterprise repositories. It can also provide interoperability between third party metadirectory solutions and Oracle directories.

Figure 1-1 shows an example of an Oracle Directory Integration Platform environment:

Figure 1-1 Example of an Oracle Directory Integration Platform Environment

Description of "Figure 1-1 Example of an Oracle Directory Integration Platform Environment"

In the example in Figure 1-1, the Oracle back-end directory is synchronized with connected directories using Oracle Directory Integration Platform's Synchronization Enterprise JavaBeans (EJB) and the Quartz Scheduler. Similarly, changes in the Oracle back-end directory are sent to various repositories using Oracle Directory Integration Platform's Provisioning Enterprise JavaBeans (EJB) and the Quartz Scheduler.

Note:

Figure 1-1, shows an external database for Oracle Internet Directory. Oracle Unified Directory and Oracle Directory Server Enterprise Edition uses an internal database.

1.4.2.1 Understanding the Oracle Directory Integration Platform Server

The Oracle Directory Integration Platform Server performs the following services:

Oracle Directory Integration Platform Synchronization Service:
- Scheduling—Processing a synchronization profile based on a predefined schedule
- Mapping—Executing rules for converting data between connected directories and the Oracle back-end directory
- Data propagation—Exchanging data with connected directories by using a connector
- Error handling
Oracle Directory Integration Platform Provisioning Service:
- Scheduling—Processing a provisioning profile based on a predefined schedule
- Event Notification—Notifying an application of a relevant change to the user or group data stored in the Oracle back-end directory
- Error handling
  
  See Also:
  
  Managing the Oracle Directory Integration Platform

1.4.2.2 Understanding the Oracle Directory Integration Platform Synchronization Service

In the Oracle Directory Integration Platform environment, the contents of connected directories are synchronized with the Oracle back-end directory through the Oracle Directory Integration Platform Synchronization Service, which includes Synchronization Enterprise JavaBeans (EJB) and the Quartz Scheduler.

For Oracle Fusion Middleware components, the Oracle back-end directory is the central directory for all information, and all other directories are synchronized with it. This synchronization can be:

One-way: Some connected directories only supply changes to the Oracle back-end directory and do not receive changes from it. This is the case, for example, with Oracle Human Resources, the primary repository and basis for comparison for employee information.
Two-way: Changes in the Oracle back-end directory can be exported to connected directories, and changes in connected directories can be imported into the Oracle back-end directory.

Certain attributes can be targeted or ignored by the synchronization service. For example, the attribute for the employee badge number in Oracle Human Resources may not be of interest to the Oracle back-end directory, its connected directories, or client applications. You might not want to synchronize them. On the other hand, the employee identification number may be of interest to those components, so you might want to synchronize them.

Figure 1-2 shows the interactions among components in the Oracle Directory Synchronization Service in a sample deployment.

Figure 1-2 Interactions of the Oracle Directory Integration Platform Synchronization Service

Description of "Figure 1-2 Interactions of the Oracle Directory Integration Platform Synchronization Service"

The central mechanism triggering all such synchronization activities is the Oracle back-end directory change log. It adds one or more entries for every change to any connected directory, including the Oracle back-end directory. The Oracle Directory Synchronization Service:

Monitors the change log.
Takes action whenever a change corresponds to one or more synchronization profiles.
Supplies the appropriate change to all other connected directories whose individual profiles correspond to the logged change. Such directories could include, for example, Oracle RDBMS, Oracle Human Resources, Microsoft Active Directory, Oracle Unified Directory, Oracle Directory Server Enterprise Edition, Novell eDirectory, IBM Tivoli Directory Server, or OpenLDAP. The Oracle Directory Synchronization Service supplies these changes using the interface and format required by the connected directory. Synchronization through the Oracle Directory Integration Platform connectors ensures that the Oracle back-end directory remains up-to-date with all the information that the Oracle back-end directory clients need.

1.4.2.3 Understanding the Oracle Directory Integration Platform Provisioning Service

The Oracle Directory Integration Platform Provisioning Service, which includes Provisioning Enterprise JavaBeans (EJB) and the Quartz Scheduler, ensures that each provisioned application is notified of changes in, for example, user or group information. To do this, it relies on the information contained in a provisioning integration profile. Each provisioning profile:

Uniquely identifies the application and organization to which it applies
Specifies, for example, the users, groups, and operations requiring the application to be notified

When changes in the Oracle back-end directory match what is specified in the provisioning profile of an application, the Oracle Directory Integration Platform Service sends the relevant data to that application.

Note:

A legacy application—that is, one that was operational before the Oracle Directory Integration Platform Service was installed—would not have subscribed in the usual way during installation. To enable such an application to receive provisioning information, a provisioning agent, in addition to the provisioning profile, must be developed. The agent must be able to translate the relevant data from the Oracle back-end directory into the exact format required by the legacy application.

Figure 1-3 shows the interactions among components in an Oracle Directory Integration Platform Service environment, including the special case of a provisioning agent for a legacy application.

Figure 1-3 Interactions of the Oracle Directory Integration Platform Provisioning Service

Description of "Figure 1-3 Interactions of the Oracle Directory Integration Platform Provisioning Service"