This chapter outlines the procedures for integrating Oracle Identity Management with Oracle Directory Server Enterprise Edition connected directory (previously known as Sun Java System Directory Server, and, before that, SunONE iPlanet). It includes the following topics:
Verifying Synchronization Requirements for Oracle Directory Server Enterprise Edition
Configuring Basic Synchronization with Oracle Directory Server Enterprise Edition
Configuring Advanced Integration with Oracle Directory Server Enterprise Edition
Note:
Before continuing with this chapter, you should be familiar with the concepts presented in the following chapters:
Chapter 1, "Introduction to Oracle Directory Integration Platform"
Chapter 4, "Managing the Oracle Directory Integration Platform"
Chapter 8, "Understanding the Oracle Directory Synchronization Service"
Chapter 19, "Connected Directory Integration Concepts and Considerations"
If you are configuring a demonstration of integration with Oracle Directory Server Enterprise Edition / Sun Java System Directory Server, then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology/.
Before configuring basic or advanced synchronization with Oracle Directory Server Enterprise Edition, ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements". Before synchronizing with Oracle Directory Server Enterprise Edition, you must also perform the following steps:
Enable change logging on Oracle Directory Server Enterprise Edition.
Enable the retro change log plug-in, as described in Section 7.2.4, "Task 4: Enabling the Retro Change Log for Oracle Directory Server Enterprise Edition".
Configure the retro change log to record specified attributes of an entry that is deleted, as described in "To Configure the Retro Change Log to Record Attributes of a Deleted Entry" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
Add an attribute to the existing list of recorded attributes by running the following command (substitute the attribute name, the host, the port, and the path of the password file for your deployment):
$ dsconf set-server-prop -w /tmp/pwd -h host -p port retro-cl-deleted-entry-attr+:attribute
For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
You use the expressSyncSetup command to quickly establish synchronization between the Oracle back-end directory and Oracle Directory Server Enterprise Edition. The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use the expressSyncSetup command to synchronize with Oracle Directory Server Enterprise Edition, see "Creating Import and Export Synchronization Profiles Using expressSyncSetup".
When you install Oracle Directory Integration Platform, import and export template files are automatically created in ORACLE_HOME/ldap/odi/conf. The template files created for Oracle Directory Server Enterprise Edition are:
iPlanetImport - The profile for importing changes from Oracle Directory Server Enterprise Edition to the Oracle back-end directory
iPlanetExport - The profile for exporting changes from the Oracle back-end directory to Oracle Directory Server Enterprise Edition
You can also use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles from the templates. The import and export synchronization profiles created with the expressSyncSetup command are only intended as a starting point for you to use when deploying your integration of the Oracle back-end directory and Oracle Directory Server Enterprise Edition. Because these synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps:
Plan your integration by reading Chapter 19, "Connected Directory Integration Concepts and Considerations", particularly "Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Integration Concepts". Be sure to create a new profile by copying the existing Oracle Directory Server Enterprise Edition or Sun Java System Directory Server template profile by following the instructions in "Creating Synchronization Profiles".
Configure the realm by following the instructions in Section 20.3.1, "Configuring the Realm".
Customize ACLs as described in Section 20.3.2, "Customizing Access Control Lists".
When integrating with Oracle Directory Server Enterprise Edition, the following attribute-level mapping is mandatory for all objects:
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Example 23-1 Attribute-Level Mapping for the User Object in Oracle Directory Server Enterprise Edition
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
Example 23-2 Attribute-Level Mapping for the Group Object in Oracle Directory Server Enterprise Edition
cn:1: :groupofname: cn: : groupofuniquenames:
In the preceding examples, Cn and sn from Oracle Directory Server Enterprise Edition are mapped to cn and sn in the Oracle back-end directory.
Customize the attribute mappings by following the instructions in Section 20.3.3, "Customizing Mapping Rules".
If you want to synchronize deletions, and the mapping rules have mandatory attributes, then ensure that they are present in the change log when the entry is deleted. You must add Objectclass and other values to the list of attributes to be included when an entry is deleted, as described in "To Configure the Retro Change Log to Record Attributes of a Deleted Entry" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
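The following Python script is an added example, not part of this chapter or of the Oracle Directory Integration Platform product. It ties together the mapping rules shown above and the retro change log requirement just described: it parses the colon-separated mapping rules, collects the source attributes marked as mandatory (plus objectclass), compares them against the attributes the retro change log is configured to record for deleted entries, and prints one dsconf set-server-prop command, in the form shown earlier in this chapter, for each attribute still missing. The field labels (srcAttr, reqSeq, srcType, srcObjectClass, dstAttr, dstType, dstObjectClass, mappingRule) follow the mapping-rule layout documented for Oracle Directory Integration Platform; the page only shows the example rules, so treat those labels, the treatment of targetdn as always present in a change record, and the sample rule text and attribute list as assumptions made for this example.

```python
"""Check ODIP mapping rules against the ODSEE retro change log's deleted-entry attribute list.

Added example; not Oracle code. Sample data below is constructed from the rules shown on the page.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: the mandatory rule plus the user and group rules from the chapter,
# one rule per line.
SAMPLE_MAPPING_RULES = """\
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
cn:1: :groupofname: cn: : groupofuniquenames:
"""

# Assumption: targetdn is carried by every retro change log record itself, so it never has
# to be added to the deleted-entry attribute list.
ALWAYS_IN_CHANGELOG = {"targetdn"}


@dataclass
class MappingRule:
    src_attr: str
    required: bool          # reqSeq field equals "1"
    src_type: str
    src_object_class: str
    dst_attr: str
    dst_type: str
    dst_object_class: str
    mapping_rule: str


def parse_mapping_rule(line: str) -> MappingRule:
    """Split one rule; assumed field order:
    srcAttr:reqSeq:srcType:srcObjectClass:dstAttr:dstType:dstObjectClass:mappingRule."""
    fields = [f.strip() for f in line.split(":", 7)]
    if len(fields) < 7:
        raise ValueError(f"malformed mapping rule: {line!r}")
    fields += [""] * (8 - len(fields))  # tolerate a rule with no trailing mappingRule field
    return MappingRule(fields[0], fields[1] == "1", fields[2], fields[3],
                       fields[4], fields[5], fields[6], fields[7])


def parse_mapping_rules(text: str) -> List[MappingRule]:
    """Parse every non-blank line of a mapping-rule block."""
    return [parse_mapping_rule(ln) for ln in text.splitlines() if ln.strip()]


def missing_deleted_entry_attrs(rules: Iterable[MappingRule],
                                recorded_attrs: Iterable[str]) -> List[str]:
    """Mandatory source attributes (plus objectclass, as the chapter requires) that the
    retro change log would not record for a deleted entry. LDAP attribute names are
    case-insensitive, so the comparison is done in lower case."""
    needed = {r.src_attr.lower() for r in rules if r.required} | {"objectclass"}
    have = {a.lower() for a in recorded_attrs} | ALWAYS_IN_CHANGELOG
    return sorted(needed - have)


def dsconf_commands(attrs: Iterable[str], host: str, port: str, pwd_file: str) -> List[str]:
    """One dsconf invocation per missing attribute, in the form shown in this chapter."""
    return [f"dsconf set-server-prop -w {pwd_file} -h {host} -p {port} "
            f"retro-cl-deleted-entry-attr+:{a}" for a in attrs]


if __name__ == "__main__":
    rules = parse_mapping_rules(SAMPLE_MAPPING_RULES)
    # Constructed state: the retro change log currently records only cn for deleted entries.
    missing = missing_deleted_entry_attrs(rules, ["cn"])
    for cmd in dsconf_commands(missing, "host", "port", "/tmp/pwd"):
        print(cmd)
```

Run it against the mapping rules of the profile you actually deploy and the attribute list reported by the server; the printed commands are the ones the operator still has to apply before deletions will synchronize without dropping mandatory attributes.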
You can synchronize the password, as described in Section 9.8, "Password Synchronization".
Configure Oracle Directory Server Enterprise Edition for synchronization in SSL mode by following the instructions in Section 20.3.4, "Configuring the Connected Directory Connector for Synchronization in SSL Mode".
Note:
Oracle recommends synchronizing passwords over SSL connections to both the back-end directory and the connected directory.
Read Chapter 26, "Managing Integration with a Connected Directory" for information on post-configuration and ongoing administration tasks.