26 Managing Integration with a Connected Directory

Understand the post-configuration and ongoing administration tasks after integration with a connected directory.

26.1 Performing Tasks After Configuring with a Connected Directory

This section describes the tasks you must complete after configuring integration with a connected directory.

Complete the following:

  1. Migrate data from one directory to the other as needed. This is described in "Bootstrapping Data Between Directories".
  2. Use the activate operation of the manageSyncProfiles command to enable the synchronization profile by entering the following command:
    manageSyncProfiles activate -profile profile_name
    

    You can also use Oracle Enterprise Manager Fusion Middleware Control to enable the synchronization profile, as described in Enabling and Disabling Synchronization Profiles.

26.2 Typical Management of Integration with a Connected Directory

Learn about the management tasks that follow integration with a connected directory.

26.2.1 Overview of Management Tasks After Integration with a Connected Directory

Management tasks typically include:

  • Managing synchronization profiles:

    • Creating new profiles. You create new profiles if you need to synchronize with an additional domain controller in a multiple domain environment. You can create new profiles by using existing profiles as templates.

    • Changing configurations (attributes) in the profile.

    • Disabling profiles to allow maintenance and then re-enabling them. Disabling a profile stops all synchronization related to that profile.

  • Managing mapping rules:

    • Creating new rules when additional attributes need to be synchronized.

    • Changing existing rules when the way attributes are synchronized needs to change.

    • Deleting or commenting out rules that are no longer required because a particular attribute does not need to be synchronized.

  • Managing access control.

  • Starting and stopping the Oracle directory server and the Oracle Directory Integration Platform.

26.2.2 Bootstrapping Data Between Directories

Bootstrapping is sometimes called data migration. You must bootstrap data after the third-party directory connector and plug-in configurations are complete.

To bootstrap data, perform the following steps after the third-party directory connector and plug-in configurations are complete:

  1. Identify the data you want to migrate. You can choose to migrate all data in the directory or only a subset of data.
  2. Use the following command to disable both the import and the export synchronization profiles:
    manageSyncProfiles deactivate -profile profile_name
    
  3. Bootstrap from one directory to another using the syncProfileBootstrap command. Refer to Bootstrapping a Directory in Oracle Directory Integration Platform for more information about bootstrapping.

    Once bootstrapping is accomplished, the profile status attributes are appropriately updated in the synchronization profile by the manageSyncProfiles command.

  4. If you used LDIF file-based bootstrapping, then initialize the lastchangekey value with the updatechgnum operation of the manageSyncProfiles command, as follows:
    manageSyncProfiles updatechgnum -profile profile_name
    

    This lastchangekey attribute should be set to the value of the last change number in the source directory before you started the bootstrap.

  5. If two-way synchronization is required, then enable the export profile and make sure the change logging option is enabled for the Oracle directory server.

    For Oracle Internet Directory, change logging is controlled by the -l option while starting Oracle Internet Directory. By default, it is set to TRUE, meaning that change logging is enabled. If it is set to FALSE, then use the OID Control Utility to shut down the Oracle Internet Directory server, and then to start the server again with the change log enabled.
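The following wrapper script is an added example, not part of the Oracle documentation, that runs the bootstrap steps above in order and stops at the first failure. It assumes that manageSyncProfiles and syncProfileBootstrap are on the PATH, that syncProfileBootstrap takes the profile name through a -pf option (an assumption about that tool), and that the import profile is the one to bootstrap (also an assumption; the section does not name a profile). With DRY_RUN=1, which is the default, it only prints the commands it would run, so you can review the sequence before touching either directory.

```shell
#!/bin/sh
# Added example (not Oracle's own code): sequence the bootstrap procedure of
# Section 26.2.2 and the activation step of Section 26.1, failing fast.
# Assumptions: manageSyncProfiles and syncProfileBootstrap are on PATH, and
# syncProfileBootstrap accepts -pf <profile> (assumed option name).
# DRY_RUN=1 (default) prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@" || { echo "failed: $*" >&2; return 1; }
    fi
}

# Usage: bootstrap_profiles IMPORT_PROFILE EXPORT_PROFILE [ldif]
# Pass "ldif" as the third argument when the bootstrap was LDIF file-based,
# so that the lastchangekey is initialised with updatechgnum afterwards.
bootstrap_profiles() {
    import_profile=$1
    export_profile=$2
    mode=${3:-direct}

    # Step 2: stop both directions of synchronization during the load.
    run manageSyncProfiles deactivate -profile "$import_profile" || return 1
    run manageSyncProfiles deactivate -profile "$export_profile" || return 1

    # Step 3: copy the data. Bootstrapping through the import profile is an
    # assumption of this example; use the profile that matches your migration.
    run syncProfileBootstrap -pf "$import_profile" || return 1

    # Step 4: only an LDIF-based bootstrap needs the change number set by hand.
    if [ "$mode" = ldif ]; then
        run manageSyncProfiles updatechgnum -profile "$import_profile" || return 1
    fi

    # Section 26.1: re-enable synchronization. The export profile is enabled
    # too for two-way synchronization (step 5), which also needs change
    # logging switched on in the Oracle directory server.
    run manageSyncProfiles activate -profile "$import_profile" || return 1
    run manageSyncProfiles activate -profile "$export_profile" || return 1
}

# Stand-alone use: bootstrap.sh IMPORT_PROFILE EXPORT_PROFILE [ldif]
if [ $# -ge 2 ]; then
    bootstrap_profiles "$@"
fi
```

Run it first with the default DRY_RUN=1 and compare the printed sequence with the steps above; then re-run with DRY_RUN=0 to execute.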

26.2.3 Managing a Third-Party Directory External Authentication Plug-in

This topic explains how to delete, disable, and re-enable a third-party external authentication plug-in.

Oracle Unified Directory and Oracle Directory Server Enterprise Edition back-end directories use pass-through authentication to pass authentication through to a connected directory such as Microsoft Active Directory for users coming from Oracle Unified Directory or Oracle Directory Server Enterprise Edition. For more information, see:

26.2.3.1 Deleting a Third-Party Directory External Authentication Plug-in

To delete a third-party external authentication plug-in, enter the following commands. After you enter each command, you are prompted for the bind password.

ldapdelete -h host -p port -D binddn -q \
"cn=adwhencompare,cn=plugin,cn=subconfigsubentry"

ldapdelete -h host -p port -D binddn -q \
"cn=adwhenbind,cn=plugin,cn=subconfigsubentry"

26.2.3.2 Disabling a Third-Party External Authentication Plug-in

To disable a third-party external authentication plug-in:

  1. Create an LDIF file with the following entries:
    dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    changetype: modify
    replace: orclpluginenable
    orclpluginenable: 0
    
    dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
    changetype: modify
    replace: orclpluginenable
    orclpluginenable: 0
    
  2. Load the LDIF file with the ldapmodify command, as follows:
    ldapmodify -h host -p port -D binddn -q -f fileName

    Note:

    You will be prompted for the password.

26.2.3.3 Re-enabling a Third-Party External Authentication Plug-in

To re-enable a third-party external authentication plug-in, perform the following steps:

  1. Create an LDIF file with the following entries:
    dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    changetype: modify
    replace: orclpluginenable
    orclpluginenable: 1
    
    dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
    changetype: modify
    replace: orclpluginenable
    orclpluginenable: 1
    
  2. Load the LDIF file with the ldapmodify command, as follows:
    ldapmodify -h host -p port -D binddn -q -f fileName

    Note:

    You will be prompted for the password.
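The disable and re-enable procedures above differ only in the orclpluginenable value written to the same two plug-in entries. The following script is an added example, not part of the Oracle documentation, that generates that LDIF for either value, rejects anything other than 0 or 1, and loads it with ldapmodify using the -q option shown in these sections (so the bind password is prompted for rather than placed on the command line). The host, port and bind DN are parameters you supply; DRY_RUN=1 prints the LDIF and the ldapmodify command instead of contacting a server.

```shell
#!/bin/sh
# Added example (not Oracle's own code): build and load the LDIF from
# Sections 26.2.3.2 and 26.2.3.3 for both plug-in entries.
# Assumptions: ldapmodify is the Oracle ldapmodify on PATH and accepts
# -h host -p port -D binddn -q -f file as shown in the documentation.

# The two plug-in entries named in the documentation, one per line.
PLUGIN_DNS="cn=adwhencompare,cn=plugin,cn=subconfigsubentry
cn=adwhenbind,cn=plugin,cn=subconfigsubentry"

# plugin_ldif 0|1 -> prints one "replace: orclpluginenable" record per entry.
plugin_ldif() {
    case "$1" in
        0|1) ;;
        *) echo "plugin_ldif: value must be 0 (disable) or 1 (enable), got '$1'" >&2
           return 2 ;;
    esac
    printf '%s\n' "$PLUGIN_DNS" | while IFS= read -r dn; do
        printf 'dn: %s\nchangetype: modify\nreplace: orclpluginenable\norclpluginenable: %s\n\n' \
            "$dn" "$1"
    done
}

# set_plugin_state HOST PORT BINDDN 0|1
# Writes the LDIF to a temporary file, loads it with ldapmodify (which
# prompts for the password because of -q), and removes the file afterwards.
set_plugin_state() {
    host=$1; port=$2; binddn=$3; value=$4
    ldif=$(mktemp) || return 1
    plugin_ldif "$value" > "$ldif" || { rm -f "$ldif"; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        cat "$ldif"
        echo "ldapmodify -h $host -p $port -D $binddn -q -f $ldif"
    else
        ldapmodify -h "$host" -p "$port" -D "$binddn" -q -f "$ldif"
    fi
    rc=$?
    rm -f "$ldif"
    return $rc
}

# Stand-alone use: plugin-state.sh HOST PORT BINDDN 0|1
if [ $# -eq 4 ]; then
    set_plugin_state "$@"
fi
```

Because the value is checked before anything is written, a typo such as 2 or "on" fails before ldapmodify is run, and the temporary LDIF file is removed on both the success and failure paths.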

26.2.4 Granting Password Privilege for Oracle Unified Directory Acting As Connected Directory

Use the ldapmodify command to grant the password-reset privilege for Oracle Unified Directory (Connected Directory).

If Oracle Unified Directory is the connected directory then you must grant the password-reset privilege to the export profiles by running the following command:

$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password
dn: <your user DN>
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset