1 About the Oracle Internet Directory Connector

Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external identity-aware applications.

The OID connector lets you onboard LDAP directory server applications in Oracle Identity Governance. The various LDAP directory servers that this connector supports are Oracle Internet Directory (OID), Oracle Unified Directory (OUD), and Oracle Directory Server Enterprise Edition (ODSEE).
The connector uses the LDAPv3 protocol, so you can also use the connector for any LDAPv3-compliant directory server such as Open LDAP.

Note:

In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily using only a single, simplified UI.

Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.

The following sections provide a high-level overview of the connector:

Note:

At some places in this guide, ODSEE, OID, OUD, and an LDAPv3-compliant directory server are referred to as the target system.

1.1 Certified Components

These are the software components and their versions required for installing and using the connector.

Table 1-1 Certified Components

Component: Oracle Identity Governance or Oracle Identity Manager

  Requirement for AOB Application: You can use one of the following releases:

    • Oracle Identity Governance 12c (12.2.1.4.0)

    • Oracle Identity Governance 12c (12.2.1.3.0)

      Note: If you are using Oracle Identity Governance 12c (12.2.1.3.0), then ensure that you download and apply patches 26616250 and 25323654 from My Oracle Support.

  Requirement for CI-Based Connector: You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:

    • Oracle Identity Governance 12c (12.2.1.4.0)

    • Oracle Identity Governance 12c (12.2.1.3.0)

    • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)

Component: Target systems

  Requirement for AOB Application: The target system can be any one of the following:

    • Oracle Unified Directory 11g release (11.1.1.5.0, 11.1.2.0.0, 11.1.2.2.0, and 11.1.2.3.0) and 12c release (12.2.1.3.0 and 12.2.1.4.0)

    • Oracle Internet Directory release 9.x, 10.1.4.x, 11g release 1 (11.1.1.5.0, 11.1.1.6.0, 11.1.1.7.0, and 11.1.1.9.0), and 12c release (12.2.1.3.0 and 12.2.1.4.0)

    • Oracle Directory Server Enterprise Edition 11g release 1 (11.1.1.5.0 and 11.1.1.7.2)

    • An LDAPv3-compliant directory server

  Requirement for CI-Based Connector: The target system can be any one of the following:

    • Oracle Unified Directory 11g release (11.1.1.5.0, 11.1.2.0.0, 11.1.2.2.0, and 11.1.2.3.0) and 12c release (12.2.1.3.0 and 12.2.1.4.0)

    • Oracle Internet Directory release 9.x, 10.1.4.x, 11g release 1 (11.1.1.5.0, 11.1.1.6.0, 11.1.1.7.0, and 11.1.1.9.0), and 12c release (12.2.1.3.0 and 12.2.1.4.0)

    • Oracle Directory Server Enterprise Edition 11g release 1 (11.1.1.5.0 and 11.1.1.7.2)

    • An LDAPv3-compliant directory server

    • NetIQ eDirectory 8.7.3, 8.8

    • NetIQ eDirectory 9.2

      Note: Currently certified with OID 11.1.1.6.0L patch 31366708 only.

    • Oracle Virtual Directory 10g and 11g release 1 (11.1.1.5.0)

    • Sun Java System Directory Server Enterprise Edition 6.3 and 7.0

    • Sun ONE Directory Server 5.2

Component: Connector Server

  Requirement for AOB Application: 11.1.2.1.0

  Requirement for CI-Based Connector: 11.1.2.1.0

Component: Connector Server JDK and JRE

  Requirement for AOB Application: JDK or JRE 1.6 and above

  Requirement for CI-Based Connector: JDK or JRE 1.6 and above

1.2 Usage Recommendation

These are the recommendations for the OID connector versions that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.

Note:

If you are using Oracle Identity Manager release 11.1.x, then you can install and use the connector only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.

  • If you are using Oracle Identity Governance 12c (12.2.1.3.0) and want to integrate it with any of the following target systems, then use the latest 12.2.1.x version of this connector and deploy it using the Applications option on the Manage tab of Identity Self Service:

    • Oracle Internet Directory release 9.x, 10.1.4.x, 11g release 1 (11.1.1.5.0, 11.1.1.6.0, 11.1.1.7.0 and 11.1.1.9.0), and 12c release (12.2.1.3.0, 12.2.1.4.0)

    • Oracle Unified Directory 11g release (11.1.1.5.0, 11.1.2.0.0, 11.1.2.2.0, and 11.1.2.3.0), and 12c release (12.2.1.3.0, 12.2.1.4.0)

    • Oracle Directory Server Enterprise Edition 11g release 1 (11.1.1.5.0 and 11.1.1.7.2)

    • An LDAPv3-compliant directory server

  • If you are using Oracle Identity Governance 12c (12.2.1.3.0) and want to integrate it with any of the following target systems, then use the latest 12.2.1.x version of this connector and deploy it using the Manage Connector option in Oracle Identity System Administration:

    • Oracle Virtual Directory 10g and 11g release 1 (11.1.1.5.0)

    • Novell eDirectory 8.7.3 and 8.8

    • Sun Java System Directory Server Enterprise Edition 6.3 and 7.0

    • Sun ONE Directory Server 5.2

  • If you are using any of the Oracle Identity Manager 11.1.x releases listed in the “Requirement for CI-Based Connector” column of Table 1-1, then use the 11.1.x version of the OID connector. If you want to use the 12.2.1.x version of this connector with Oracle Identity Manager 11.1.x releases, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.

    Note:

    If you are using the latest 12.2.1.x version of the Oracle Internet Directory connector in the CI-based mode, then see Oracle Identity Manager Connector Guide for Oracle Internet Directory, Release 11.1.1 for complete details on connector deployment, usage, and customization.

  • If you are using an Oracle Identity Manager release that is earlier than Oracle Identity Manager 11g Release 1 (11.1.1), then depending on the target system that you are using, install and use one of the following connectors:

    • For Oracle Internet Directory, use the 9.0.4.x version of the Oracle Internet Directory connector.

    • For Sun ONE Directory Server and Sun Java System Directory Server Enterprise Edition, use the 9.0.4.x version of the Sun Java System Directory connector.

    • For Novell eDirectory, use the 9.0.4.x version of the Novell eDirectory connector.

1.3 Certified Languages

These are the languages that the connector supports.

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English

  • Finnish

  • French

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.4 Supported Connector Operations

This is the list of operations that the connector supports for your target system.

Table 1-2 Supported Connector Operations

Columns: OID | OUD | ODSEE | LDAPv3-compliant directory server | Novell eDirectory ("N/A" means not applicable)

Operation                                     OID | OUD | ODSEE | LDAPv3 | eDirectory

User Management
  Create user                                 Yes | Yes | Yes   | Yes    | Yes
  Update user                                 Yes | Yes | Yes   | Yes    | Yes
  Delete user                                 Yes | Yes | Yes   | Yes    | Yes
  Enable user                                 Yes | Yes | Yes   | Yes    | Yes
  Disable user                                Yes | Yes | Yes   | Yes    | Yes
  Reset password                              Yes | Yes | Yes   | Yes    | No

Groups and Organization Units Management
  Create group or organization unit           Yes | Yes | Yes   | Yes    | Yes
  Update group name or organization unit name Yes | Yes | Yes   | Yes    | Yes
  Delete group or organization unit           Yes | Yes | Yes   | Yes    | Yes
  Update container DN                         Yes | Yes | Yes   | Yes    | Yes

Roles Management
  Create role                                 Yes | No  | Yes   | Yes*   | Yes
  Update role name                            Yes | No  | Yes   | Yes    | Yes
  Delete role                                 Yes | No  | Yes   | Yes    | Yes
  Update container DN                         Yes | No  | Yes   | Yes    | Yes

  * Yes, if your target system supports creation of roles.

Entitlement Grant Management
  Add groups                                  Yes | Yes | Yes   | N/A    | Yes
  Revoke groups                               Yes | Yes | Yes   | N/A    | Yes
  Add roles                                   No  | No  | Yes   | N/A    | Yes
  Revoke roles                                No  | No  | Yes   | N/A    | Yes
  Add organizations                           No  | No  | No    | N/A    | Yes
  Remove organizations                        No  | No  | No    | N/A    | Yes
  Add domain scope                            N/A | N/A | N/A   | N/A    | Yes
  Add profiles                                N/A | N/A | N/A   | N/A    | Yes
  Add role containers                         N/A | N/A | N/A   | N/A    | Yes

1.5 Connector Architecture

The Oracle Internet Directory connector is implemented by using the Identity Connector Framework (ICF). The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. The ICF is shipped along with Oracle Identity Governance. Therefore, you need not configure or modify the ICF.

Figure 1-1 Connector Architecture


The OID connector uses JNDI to access the target system.

This connector can be configured to run in one of the following modes:

  • Identity reconciliation

    Identity reconciliation is also known as authoritative or trusted source reconciliation. In this form of reconciliation, OIG Users are created or updated corresponding to the creation of and updates to users on the target system. Note that the identity reconciliation mode supports reconciliation of user objects only.

    See Reconciliation Scheduled Jobs for Groups and Organizational Units Management in OID for information about the LDAP Connector Trusted User Reconciliation scheduled job that is used in this mode.

  • Account Management

    Account management is also known as target resource management. This mode of the connector enables the following operations:

    • Provisioning

      Provisioning involves creating, updating, or deleting users, groups, roles, and organizational units (OUs) on the target system through Oracle Identity Governance.

      When you allocate (or provision) a target system resource to an OIG User, the operation results in the creation of an account on the target system for that user. In the Oracle Identity Governance context, the term "provisioning" is also used to mean updates (for example enabling or disabling) made to the target system account through Oracle Identity Governance.

      Users and organizations are organized in hierarchical format on the target system. Before you can provision users to (that is, create users in) the required organizational units (OUs) on the target system, you must fetch into Oracle Identity Governance the list of OUs used on the target system. This is achieved by using the LDAP Connector OU Lookup Reconciliation scheduled job for lookup synchronization.

      Similarly, before you can provision users to the required groups or roles on the target system, you must fetch into Oracle Identity Governance the list of all groups and roles used on the target system. This is achieved by using the LDAP Connector Group Lookup Reconciliation and LDAP Connector Role Lookup Recon scheduled jobs for lookup synchronization.

    • Target resource reconciliation

      To perform target resource reconciliation, the LDAP Connector User Search Reconciliation or LDAP Connector User Sync Reconciliation scheduled job is used. The connector applies filters to locate the users to be reconciled on the target system and then fetches the attribute values of those users.

      Depending on the data that you want to reconcile, you use different scheduled jobs. For example, you use the LDAP Connector User Search Reconciliation scheduled job to reconcile user data in the target resource mode. See Reconciliation Scheduled Jobs for Groups and Organizational Units Management in OID for more information about scheduled jobs used in this mode.

1.6 Supported Connector Features Matrix

This is the list of features supported by the AOB application and the CI-based connector.

Table 1-3 Supported Connector Features Matrix

Feature                                                                     AOB Application | CI-Based Connector

Full reconciliation                                                         Yes | Yes
Incremental reconciliation                                                  Yes | Yes
Limited reconciliation                                                      Yes | Yes
Connection pooling                                                          Yes | Yes
Use connector server                                                        Yes | Yes
Transformation and validation of account data                               Yes | Yes
Compatibility with high-availability target system environments             Yes | Yes
SSL communication between the target system and Oracle Identity Governance  Yes | Yes
Reconcile deleted user records                                              Yes | Yes
Reconcile deleted groups, roles, and organizations                          Yes | Yes
Test connection                                                             Yes | No

1.7 Connector Features

The features of the connector include support for connector server, support for high-availability configuration of the target system, connection pooling, reconciliation of deleted user records, support for groovy scripts, and so on.

The following are the features of the connector:

1.7.1 Full and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.

After you create the application, you can perform full reconciliation to bring all existing user data from the target system into Oracle Identity Governance. After the first full reconciliation run, incremental reconciliation is automatically enabled, and only the user accounts that have been added or modified since the last reconciliation run are fetched into Oracle Identity Governance.

For more information, see Performing Full and Incremental Reconciliation.

1.7.2 Limited Reconciliation

You can set a reconciliation filter as the value of the Filter attribute of a reconciliation scheduled job. This filter specifies the subset of added and modified target system records that must be reconciled.

For more information, see Performing Limited Reconciliation.
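The example below is added here to illustrate the two preceding sections (target resource reconciliation and limited reconciliation); it is not code from the connector or from this guide. Whatever syntax the scheduled job accepts for its Filter attribute, what reaches the directory is an RFC 4515 search filter, and the values placed in that filter must be escaped so that data taken from outside (a user name typed into a form, an attribute read from another system) cannot change the filter's structure. The helpers `recon_filter`, `escape_filter_value`, `unsafe_uid_limit` and `safe_uid_limit` are illustrative, and the use of `modifyTimestamp` for the "modified since the last run" clause is an assumption made for the example, not a description of the connector's own incremental mechanism.

```python
from datetime import datetime, timezone
from typing import Optional, Union

# RFC 4515 section 3: these characters must be escaped inside an assertion value,
# otherwise data is indistinguishable from filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    return f"({attr}={escape_filter_value(value)})"


def starts_with(attr: str, value: str) -> str:
    # The trailing '*' is intentional filter syntax; only the caller's data is escaped.
    return f"({attr}={escape_filter_value(value)}*)"


def contains(attr: str, value: str) -> str:
    return f"({attr}=*{escape_filter_value(value)}*)"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filter_: str) -> str:
    return f"(!{filter_})"


def generalized_time(when: Union[str, datetime]) -> str:
    """Format a timestamp as LDAP GeneralizedTime in UTC (RFC 4517), e.g. 20240501134500Z.

    Accepts a datetime or an ISO-8601 string; naive timestamps are treated as UTC.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def recon_filter(object_class: str,
                 last_run: Optional[Union[str, datetime]] = None,
                 limit: Optional[str] = None) -> str:
    """Compose the search filter for one reconciliation run.

    object_class: structural class of the entries being reconciled (e.g. inetOrgPerson)
    last_run:     if given, only entries modified at or after this instant match
                  (modifyTimestamp is an assumption used for illustration only)
    limit:        optional sub-filter for limited reconciliation
    """
    parts = [equals("objectClass", object_class)]
    if last_run is not None:
        parts.append(f"(modifyTimestamp>={generalized_time(last_run)})")
    if limit is not None:
        parts.append(limit)
    return parts[0] if len(parts) == 1 else and_(*parts)


def unsafe_uid_limit(uid: str) -> str:
    """Vulnerable: the value is pasted straight into the filter (LDAP filter injection)."""
    return f"(uid={uid})"


def safe_uid_limit(uid: str) -> str:
    """Hardened: the value is escaped, so it can only ever match a literal uid."""
    return equals("uid", uid)


if __name__ == "__main__":
    last = "2024-05-01T13:45:00+00:00"
    hostile = "*)(mail=*"   # constructed input that tries to widen the match
    print(recon_filter("inetOrgPerson", last, unsafe_uid_limit(hostile)))
    # (&(objectClass=inetOrgPerson)(modifyTimestamp>=20240501134500Z)(uid=*)(mail=*))
    #   -> a valid filter that now matches every user with a mail attribute
    print(recon_filter("inetOrgPerson", last, safe_uid_limit(hostile)))
    # (&(objectClass=inetOrgPerson)(modifyTimestamp>=20240501134500Z)(uid=\2a\29\28mail=\2a))
    #   -> matches only a uid literally equal to the hostile string, i.e. nothing
```

The contrast at the end is the point a reviewer of any limited-reconciliation filter should look for: the unescaped variant still parses as a valid filter, so the directory will happily return every user with a mail attribute, while the escaped variant can only match the literal string.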

1.7.3 Support for the Connector Server

Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.

A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.

For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

1.7.4 Transformation and Validation of Account Data

You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.

For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.7.5 Support for High-Availability Configuration of the Target System

You can configure the connector for compatibility with high-availability target system environments.

The connector can read information about backup target system hosts from the failover parameter of the Basic Configuration section and apply this information when it is unable to connect to the primary host.

For more information about the Failover parameter, see Basic Configuration Parameters for OID or Basic Configuration Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server.

1.7.6 Reconciliation of Deleted User Records

You can use the connector to reconcile user records that are deleted on the target system into Oracle Identity Governance.

For more information about the reconciliation job used for reconciling these deleted records, see one of the following sections:

1.7.7 Reconciliation of Deleted Groups, Roles, and Organizations

You can use the connector to reconcile groups, roles, and organizations that are deleted on the target system into Oracle Identity Governance.

For more information about the reconciliation job used for reconciling these deleted records, see one of the following sections:

1.7.8 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Governance connectors can use these connections to communicate with target systems.

At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each set of basic configuration parameters that you provide while creating an application. For example, if you have three applications for three installations of the target system, then three connection pools will be created, one for each target system installation.

For more information about the parameters that you can configure for connection pooling, see:

1.7.9 Support for Running Pre and Post Action Scripts

You can run pre and post action scripts on a computer where the connector is deployed. These scripts can be of type SQL, StoredProc, or Groovy. You can configure the scripts to run before or after the create, update, or delete account provisioning operations.

For more information, see Updating the Provisioning Configuration in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.7.10 Secure Communication to the Target System

To secure communication with the target system, SSL is required. You can configure SSL between Oracle Identity Governance and the Connector Server and between the Connector Server and the target system.

If you do not configure SSL, the connector sends LDAP requests over the network in clear text. This exposes not only the passwords of the accounts being provisioned (for example, when you create a user or reset a user's password, the new value travels as a plain userPassword attribute value) but also the credentials of the account the connector itself binds with, because an LDAP simple bind carries the bind password unencrypted.

For more information, see Configuring SSL for the Connector.
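The example below is added here to make the clear-text exposure concrete; it is not code from the connector or from this guide. It encodes an LDAP simple bind and a userPassword modify exactly as a client sends them over an unencrypted connection on port 389 (BER encoding per RFC 4511), then decodes them the way a passive observer on the network would. The bind DNs, passwords and the `secrets_on_the_wire` helper are constructed for illustration.

```python
"""What an unencrypted LDAP session exposes: the bind credentials and any password
being set. The encoder builds the same BER bytes a client puts on TCP port 389
(RFC 4511); the decoder plays the role of anyone able to read that traffic."""
from typing import Any, List, Tuple

BER_INTEGER, BER_OCTET_STRING, BER_ENUMERATED = 0x02, 0x04, 0x0A
BER_SEQUENCE, BER_SET = 0x30, 0x31
APP_BIND_REQUEST, APP_MODIFY_REQUEST = 0x60, 0x66   # [APPLICATION 0] / [APPLICATION 6], constructed
CTX_SIMPLE_AUTH = 0x80                               # AuthenticationChoice simple [0], primitive


def _ber_length(n: int) -> bytes:
    """Short form below 128, long form (0x8N + N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def ber_int(value: int, tag: int = BER_INTEGER) -> bytes:
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def simple_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }"""
    bind = tlv(APP_BIND_REQUEST,
               ber_int(3) + tlv(BER_OCTET_STRING, bind_dn.encode()) + tlv(CTX_SIMPLE_AUTH, password.encode()))
    return tlv(BER_SEQUENCE, ber_int(msg_id) + bind)


def modify_replace_request(msg_id: int, dn: str, attr: str, value: str) -> bytes:
    """LDAPMessage { messageID, ModifyRequest { object, changes { { replace(2), { type, vals } } } } }"""
    partial = tlv(BER_SEQUENCE, tlv(BER_OCTET_STRING, attr.encode()) + tlv(BER_SET, tlv(BER_OCTET_STRING, value.encode())))
    change = tlv(BER_SEQUENCE, ber_int(2, BER_ENUMERATED) + partial)   # operation replace(2)
    modify = tlv(APP_MODIFY_REQUEST, tlv(BER_OCTET_STRING, dn.encode()) + tlv(BER_SEQUENCE, change))
    return tlv(BER_SEQUENCE, ber_int(msg_id) + modify)


def decode(buf: bytes) -> List[Tuple[int, Any]]:
    """Walk BER TLVs into (tag, value) pairs; constructed tags (bit 0x20) nest as lists."""
    items, pos = [], 0
    while pos < len(buf):
        tag, pos = buf[pos], pos + 1
        length, pos = buf[pos], pos + 1
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        body, pos = buf[pos:pos + length], pos + length
        items.append((tag, decode(body) if tag & 0x20 else body))
    return items


def secrets_on_the_wire(packet: bytes) -> List[dict]:
    """Everything a passive observer learns from one unencrypted LDAPMessage."""
    (tag, message), = decode(packet)
    if tag != BER_SEQUENCE:
        return []
    op_tag, op = message[1]                     # message[0] is the messageID
    found = []
    if op_tag == APP_BIND_REQUEST and op[2][0] == CTX_SIMPLE_AUTH:
        found.append({"op": "bind", "dn": op[1][1].decode(), "secret": op[2][1].decode()})
    elif op_tag == APP_MODIFY_REQUEST:
        dn = op[0][1].decode()
        for _, change in op[1][1]:              # each change: [ENUMERATED op, PartialAttribute]
            attr_type, values = change[1][1]
            if attr_type[1].lower() == b"userpassword":
                found.extend({"op": "modify", "dn": dn, "secret": v.decode()} for _, v in values[1])
    return found


if __name__ == "__main__":
    # Constructed traffic: the connector's own bind, then a password reset it provisions.
    frames = [
        simple_bind_request(1, "cn=oig-connector,cn=Users,dc=example,dc=com", "Connector-Bind-Secret"),
        modify_replace_request(2, "uid=jdoe,cn=Users,dc=example,dc=com", "userPassword", "N3w-Secret"),
    ]
    for frame in frames:
        print(frame.hex(), "->", secrets_on_the_wire(frame))
```

Run this against a capture of real port 389 traffic and the decoder would return the same dictionaries; LDAPS (or StartTLS, where the directory supports it) is what keeps both the connector's bind credential and every provisioned password out of reach of anyone on the path.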

1.7.11 Support for Cloning Applications and Creating Instance Applications

You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.

When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.

For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.