Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform 11g Release 1 (11.1.1) Part Number E10031-02
This chapter outlines the procedures for integrating Oracle Identity Management with Sun Java System Directory Server, formerly known as SunONE iPlanet, in a production environment. It contains these topics:
Verifying Synchronization Requirements for Sun Java System Directory Server
Configuring Basic Synchronization with Sun Java System Directory Server
Configuring Advanced Integration with Sun Java System Directory Server
Note:
This chapter assumes familiarity with the chapter on Oracle Internet Directory concepts and architecture in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It also assumes familiarity with the earlier chapters in this book, especially:
Chapter 1, "Introduction to Oracle Identity Management Integration"
Chapter 4, "Managing the Oracle Directory Integration Platform"
Chapter 5, "Understanding the Oracle Directory Synchronization Service"
Chapter 16, "Third-Party Directory Integration Concepts and Considerations"
If you are configuring a demonstration of integration with Sun Java System Directory Server, then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology/
Before configuring basic or advanced synchronization with Sun Java System Directory Server, ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements". Before synchronizing with Sun Java System Directory Server, you must also perform the following steps:
When creating a user account in Sun Java System Directory Server with sufficient privileges to perform import and export operations, be sure to assign sufficient permissions to read the tombstone
Enable change logging on Sun Java System Directory Server
Enable the Retro Change Log plug-in
You use the expressSyncSetup command to quickly establish synchronization between Oracle Internet Directory and Sun Java System Directory Server. The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use the expressSyncSetup command to synchronize with Sun Java System Directory Server, refer to "Creating Import and Export Synchronization Profiles Using expressSyncSetup".
When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported third-party directories. The sample synchronization profiles created for Sun Java System Directory Server are:
iPlanetImport: the profile for importing changes from Sun Java System Directory Server to Oracle Internet Directory
iPlanetExport: the profile for exporting changes from Oracle Internet Directory to Sun Java System Directory Server
You can also use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles. The import and export synchronization profiles created during the install process or with the expressSyncSetup command are only intended as a starting point for you to use when deploying your integration of Oracle Internet Directory and a Sun Java System Directory Server. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:
Step 5: Customizing the Sun Java System Directory Server Connector to Synchronize Deletions
Step 8: Configuring the Sun Java System Directory Server External Authentication Plug-in
Step 9: Performing Post-Configuration and Administrative Tasks
Plan your integration by reading Chapter 16, "Third-Party Directory Integration Concepts and Considerations", particularly "Sun Java System Directory Server Integration Concepts". Be sure to create a new profile by copying the existing Sun Java System Directory Server template profile by following the instructions in "Creating Synchronization Profiles".
Configure the realm by following the instructions in "Configuring the Realm".
Customize ACLs as described in "Customizing Access Control Lists".
When integrating with Sun Java System Directory Server, the following attribute-level mapping is mandatory for all objects:
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Example 20-1 Attribute-Level Mapping for the User Object in Sun Java System Directory Server
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
Example 20-2 Attribute-Level Mapping for the Group Object in Sun Java System Directory Server
Cn:1: :groupofname: cn:groupofuniquenames
In the preceding examples, Cn and sn from Sun Java System Directory Server are mapped to cn and sn in Oracle Internet Directory.
Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".
If you want to synchronize deletions, and the mapping rules have mandatory attributes, then be sure that the tombstone is configured correctly.
To verify that the tombstone is configured in Sun Java System Directory Server, execute the following command:
$ORACLE_HOME/bin/ldapsearch -h connected_directory_host \
    -p connected_directory_port -D connected_directory_account -q \
    -b source_domain -s sub "objectclass=nstombstone"
Note:
You will be prompted for the password. This returns information on all deleted entries.
See Also:
Sun Java System Directory Server documentation for details about configuring tombstones
Note:
Tombstones are automatically configured for Sun Java System Directory Server if replication is enabled.
Oracle Internet Directory and Sun Java System Directory Server support the same set of password hashing techniques. To synchronize passwords between Oracle Internet Directory and Sun Java System Directory Server, ensure that SSL server authentication mode is configured for both directories and that the following mapping rule exists in the mapping file:
Userpassword: : :person:userpassword: :person
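The following is an added example, not code from the Oracle documentation or the Oracle Directory Integration Platform product: a small Python checker that reads the attribute-level rules quoted in this chapter and verifies that the mandatory Targetdn rule is present, that the userpassword rule is present when password synchronization is intended, and that the tombstone reminder above applies when deletions are synchronized and mandatory attributes exist. It assumes the DIP mapping-rule layout srcAttrName:ReqAttrSeq:SrcAttrType:SrcObjectClass:DstAttrName for the first five colon-separated fields.

```python
# Constructed sample mapping-file fragment assembled from the rules quoted in
# this chapter; it is not a real iplanetimp.map file.
SAMPLE_MAPPING = """\
# attribute-level rules
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
Userpassword: : :person:userpassword: :person
Cn:1: :groupofname: cn:groupofuniquenames
"""


def parse_rules(text):
    """Parse attribute-level mapping rules into dicts.

    Assumption: the first five colon-separated fields are
    srcAttrName:ReqAttrSeq:SrcAttrType:SrcObjectClass:DstAttrName.
    Attribute names are lower-cased because LDAP compares them
    case-insensitively (Cn and cn are the same attribute).
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 5:
            raise ValueError("malformed mapping rule: %r" % line)
        rules.append({
            "src": fields[0].lower(),
            "required": fields[1] != "",      # non-blank ReqAttrSeq = mandatory
            "src_oc": fields[3].lower(),
            "dst": fields[4].lower(),
        })
    return rules


def check_mapping(text, sync_deletions=False, sync_passwords=False):
    """Return a list of problems found; an empty list means the file passes."""
    rules = parse_rules(text)
    pairs = {(r["src"], r["dst"]) for r in rules}
    problems = []
    if ("targetdn", "orclsourceobjectdn") not in pairs:
        problems.append("missing mandatory Targetdn -> orclsourceobjectdn rule")
    if sync_passwords and ("userpassword", "userpassword") not in pairs:
        problems.append("password sync requested but userpassword rule is missing")
    if sync_deletions and any(r["required"] for r in rules):
        problems.append("mandatory attributes present: verify nstombstone is readable")
    return problems
```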
Configure Sun Java System Directory Server for synchronization in SSL mode by following the instructions in "Configuring the Third-Party Directory Connector for Synchronization in SSL Mode".
Configure the Sun Java System Directory Server external authentication plug-in by following the instructions in "Configuring External Authentication Plug-ins".
Read Chapter 23, "Managing Integration with a Third-Party Directory" for information on post-configuration and ongoing administration tasks.