Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

What's New in Oracle Directory Integration Platform?

Part I Getting Started with Oracle Directory Integration Platform

1 Introduction to Oracle Identity Management Integration

• Why Oracle Identity Management Integration?
• Oracle Identity Management Installation Options
• Synchronization, Provisioning, and the Differences Between Them
  • Synchronization
  • Provisioning
  • How Synchronization and Provisioning Differ
• Components Involved in Oracle Identity Management Integration
  • Oracle Internet Directory
  • Oracle Directory Integration Platform
    • Understanding the Oracle Directory Integration Platform Server
    • Understanding the Oracle Directory Integration Platform Synchronization Service
    • Understanding the Oracle Directory Integration Platform Provisioning Service
  • Oracle Application Server Single Sign-On

2 Security Features in Oracle Directory Integration Platform

• Authentication in Oracle Directory Integration Platform
  • Secure Sockets Layer and Oracle Directory Integration Platform
  • Oracle Directory Integration Platform Authentication in SSL Mode
  • Profile Authentication
• Access Control and Authorization and Oracle Directory Integration Platform
  • Access Controls for the Oracle Directory Integration Platform
  • Access Controls for Profiles
• Data Integrity and Oracle Directory Integration Platform
• Data Privacy and Oracle Directory Integration Platform
• Tools Security and Oracle Directory Integration Platform
• Credential Storing

Part II General Administration of Oracle Directory Integration Platform

3 Administering Oracle Directory Integration Platform

• Graphical Tools for Administering Oracle Directory Integration Platform
  • Using Fusion Middleware Control
    • The Oracle Directory Integration Platform Home Page
  • Using Oracle Internet Directory Self-Service Console
  • Using Oracle Internet Directory Provisioning Console
• Command-Line Tools for Administering Oracle Directory Integration Platform
  • Using Standard LDAP Command-Line Tools

4 Managing the Oracle Directory Integration Platform

• Operational Information About the Oracle Directory Integration Platform
  • Directory Integration Profiles
  • Oracle Directory Integration Platform Event Propagation in a Multimaster Oracle Internet Directory Replication Environment
    • Directory Synchronization in an Oracle Internet Directory Multimaster Replication Environment
    • Directory Provisioning in an Oracle Internet Directory Multimaster Replication Environment
• Viewing Oracle Directory Integration Platform Status and Registration Information
  • Viewing the Status of Oracle Directory Integration Platform Using the dipStatus Utility
    • Syntax for dipStatus
    • Arguments for dipStatus
    • Examples for dipStatus
  • Viewing Oracle Directory Integration Platform Registration Information Using the ldapsearch Utility
• Managing Oracle Directory Integration Platform Using Fusion Middleware Control
  • Viewing Oracle Directory Integration Platform Runtime Information Using Fusion Middleware Control
  • Starting Oracle Directory Integration Platform with Fusion Middleware Control
  • Stopping Oracle Directory Integration Platform with Fusion Middleware Control
  • Managing the Oracle Directory Integration Platform Server Configuration
  • Managing Oracle Directory Integration Platform Logging Using Fusion Middleware Control
  • Auditing Oracle Directory Integration Platform Using Fusion Middleware Control
• Starting and Stopping Oracle Directory Integration Platform Using WLST
• Managing Oracle Directory Integration Platform Using manageDIPServerConfig
  • Syntax for manageDIPServerConfig
  • Arguments for manageDIPServerConfig
  • Tasks and Examples for manageDIPServerConfig
• Configuring Oracle Directory Integration Platform for SSL Mode 2 Server-Only Authentication
• Managing the SSL Certificates of Oracle Internet Directory and Connected Directories
  • Detecting and Removing an Expired Certificate
• Oracle Directory Integration Platform in a High Availability Scenario
• Managing Oracle Directory Integration Platform in a Replicated Environment

Part III Synchronization Using Oracle Directory Integration Platform

5 Understanding the Oracle Directory Synchronization Service

• Components Involved in Oracle Directory Synchronization
  • Connectors for Directory Synchronization
    • Using Connectors with Supported Interfaces
    • Using Connectors Without Supported Interfaces
  • Directory Synchronization Profiles
• How Synchronization Works
  • Synchronizing from Oracle Internet Directory to a Connected Directory
  • Synchronizing from a Connected Directory to Oracle Internet Directory
  • Synchronizing Directories with Interfaces Not Supported by Oracle Internet Directory

6 Configuring Directory Synchronization

• Registering Connectors in Oracle Directory Integration Platform
• Synchronization Profile Templates
• Configuring Connection Details
• Configuring Mapping Rules
  • Distinguished Name Mapping
    • Excluding Domains
  • Attribute-Level Mapping
    • Excluding Attributes
  • Manually Creating New Mapping Files
  • Supported Attribute Mapping Rules and Examples
  • Example: Mapping File for a Tagged-File Interface
  • Example: Mapping Files for an LDIF Interface
  • Updating Mapping Rules
    • Adding an Entry to the Mapping Rules File
    • Modifying an Entry in the Mapping Rules File
    • Deleting an Entry from the Mapping Rules File
• Extending Mappings Using Custom Plug-ins
  • Writing Custom Plug-Ins
  • Mapping Plug-In Evaluation Constraints
  • Adding Mapping Plug-Ins
  • Applications of Mapping Plug-Ins
    • Support for New Mapping Operations
    • Support for Multiple Literal Values
  • Example Plug-In Usage
• Configuring Matching Filters
  • Filtering Changes with an LDAP Search
  • Filtering Changes from a Change Log
• Location and Naming of Files

7 Managing Directory Synchronization Profiles

• Managing Synchronization Profiles Using Fusion Middleware Control
  • Creating Synchronization Profiles
  • Editing Synchronization Profiles
  • Enabling and Disabling Synchronization Profiles
  • Deleting Synchronization Profiles
• Managing Synchronization Profiles Using manageSyncProfiles
  • Syntax for manageSyncProfiles
  • Arguments for manageSyncProfiles
  • Tasks and Examples for manageSyncProfiles
• Modifying the Synchronization Status Attributes
• Setting Null Values in Synchronization Profiles

8 Bootstrapping a Directory in Oracle Directory Integration Platform

• Directory Bootstrapping Using syncProfileBootstrap
  • Syntax for syncProfileBootstrap
  • Arguments for syncProfileBootstrap
  • Tasks and Examples for syncProfileBootstrap
  • Recommended Bootstrapping Methodology
  • Bootstrapping Using a Parameter File
    • Bootstrapping Without Using an LDIF File
    • Bootstrapping Using an LDIF File
  • Bootstrapping Directly Using the Default Integration Profile
• Bootstrapping in SSL Mode

9 Synchronizing with Relational Database Tables

• Preparing the Additional Configuration Information File
• Preparing the Mapping File
• Preparing the Directory Integration Profile
• Example: Synchronizing a Relational Database Table to Oracle Internet Directory
  • Configuring the Additional Configuration Information File
  • Configuring the Mapping File
  • Configuring the Directory Integration Profile
  • Uploading the Additional Configuration Information and Mapping Files
  • Synchronization Process
  • Observations About the Example

10 Synchronizing with Oracle Human Resources

• Introduction to Synchronization with Oracle Human Resources
• Data You Can Import from Oracle Human Resources
• Managing Synchronization Between Oracle Human Resources and Oracle Internet Directory
  • Task 1: Configure a Directory Integration Profile for the Oracle Human Resources Connector
  • Task 2: Configure the List of Attributes to Be Synchronized with Oracle Internet Directory
    • Modifying Additional Oracle Human Resources Attributes for Synchronization
    • Excluding Oracle Human Resources Attributes from Synchronization
    • Configuring a SQL SELECT Statement in the Configuration File to Support Complex Selection Criteria
  • Task 3: Configure Mapping Rules for the Oracle Human Resources Connector
  • Task 4: Prepare to Synchronize from Oracle Human Resources to Oracle Internet Directory
    • Preparing for Synchronization
• The Synchronization Process
• Bootstrapping Oracle Internet Directory from Oracle Human Resources

11 Synchronizing with Third-Party Metadirectory Solutions

• About Change Logs
• Enabling Third-Party Metadirectory Solutions to Synchronize with Oracle Internet Directory
  • Task 1: Perform Initial Bootstrapping
  • Task 2: Create a Change Subscription Object in Oracle Internet Directory for the Third-Party Metadirectory Solution
    • About the Change Subscription Object
    • Creating a Change Subscription Object
• Synchronization Process
  • How a Connected Directory Retrieves Changes the First Time from Oracle Internet Directory
  • How a Connected Directory Updates the orclLastAppliedChangeNumber Attribute in Oracle Internet Directory
• Disabling and Deleting Change Subscription Objects
  • Disabling a Change Subscription Object
  • Deleting a Change Subscription Object

Part IV Provisioning with the Oracle Directory Integration Platform

12 Understanding the Oracle Directory Integration Platform for Provisioning

• What Is Provisioning?
• Components of the Oracle Directory Integration Platform Service
• Understanding Provisioning Concepts
  • Synchronous Provisioning
  • Asynchronous Provisioning
  • Provisioning Data Flow
• Overview of Provisioning Methodologies
  • Provisioning Users from the Provisioning Console
  • Provisioning Users that are Synchronized from an External Source
  • Provisioning Users Created with Command-Line LDAP Tools
  • Bulk Provisioning Using the provProfileBulkProv Tool
    • Syntax for provProfileBulkProv
    • Arguments for provProfileBulkProv
    • Tasks and Examples for provProfileBulkProv
  • On-Demand Provisioning
  • Application Bootstrapping
• Organization of User Profiles in Oracle Internet Directory
  • Organization of Provisioning Entries in the Directory Information Tree
  • Understanding User Provisioning Statuses
    • Provisioning Status in Oracle Internet Directory
    • Provisioning Status Transitions
    • Upgrading and Coexistence Provisioning Statuses
    • Provisioning Statuses and Exception Handling
• Understanding Provisioning Flow
  • Creating and Modifying Users with the Provisioning Console
  • Deleting Users with the Provisioning Console
  • Viewing and Editing Provisioning Profiles Using Fusion Middleware Control
  • User Provisioning from an External Source
• How Are Administrative Privileges Delegated?
  • Provisioning Administration Model
  • Oracle Delegated Administration Services Privileges
  • Provisioning Administration Privileges
  • Application Administration Privileges
  • Oracle Delegated Administration Services and Provisioning Administration Privileges
  • Application Administration and Oracle Delegated Administration Services Privileges
    • Application Administration Privileges and Oracle Delegated Administration Services User Creation Privileges
    • Application Administration Privileges and Oracle Delegated Administration Services User Editing Privileges
    • Application Administration Privileges and Oracle Delegated Administration Services User Deletion Privileges
  • Provisioning and Application Administration Privileges
  • Oracle Delegated Administration Services, Provisioning, and Application Administration Privileges

13 Deploying Provisioning-Integrated Applications

• Deployment Overview for Provisioning-Integrated Applications
• Managing Provisioning Profiles Using oidprovtool
  • Syntax for oidprovtool
  • Arguments for oidprovtool
  • Tasks and Examples for oidprovtool
    • Creating a Provisioning Profile
    • Modifying a Provisioning Profile
    • Deleting a Provisioning Profile
    • Disabling a Provisioning Profile
• Registering Applications for Provisioning
• Configuring Application Provisioning Properties

14 Understanding the Oracle Provisioning Event Engine

• What Are the Oracle Provisioning Events?
• Working with the Oracle Provisioning Event Engine
  • Creating Custom Event Object Definitions
  • Defining Custom Event Generation Rules

15 Integration of Provisioning Data with Oracle E-Business Suite

Part V Integrating with Third-Party Directories

16 Third-Party Directory Integration Concepts and Considerations

• Concepts and Architecture of Third-Party Directory Integration
  • Oracle Identity Management Components for Integrating with a Third-Party Directory
  • Oracle Internet Directory Schema Elements for Synchronizing with Third-Party Directories
  • Directory Information Tree in an Integration with a Third-Party Directory
    • About Realms in Oracle Internet Directory
    • Planning the Deployment
    • Example: Integration with a Single Third-Party Directory Domain
• Planning Your Integration Environment
  • Preliminary Considerations for Integrating with a Third-Party Directory
  • Choose the Directory for the Central Enterprise Directory
    • Oracle Internet Directory as the Central Enterprise Directory
    • Third-Party Directory as the Central Enterprise Directory
  • Customizing the LDAP Schema
  • Choose Where to Store Passwords
    • Advantages and Disadvantages of Storing the Password in One Directory
    • Advantages and Disadvantages of Storing Passwords in Both Directories
  • Choose the Structure of the Directory Information Tree
    • Create Identical DIT Structures on Both Directories
    • Distinguished Name Mapping and Limitations
  • Select the Attribute for the Login Name
  • Select the User Search Base
  • Select the Group Search Base
  • Decide How to Address Security Concerns
  • Administering Your Deployment with Oracle Access Manager
• Microsoft Active Directory Integration Concepts
  • Synchronizing from Microsoft Active Directory to Oracle Internet Directory
  • Requirement for Using WebDAV Protocol
  • Windows Native Authentication
    • Understanding Windows Native Authentication
    • Authenticating Users Against Multiple Microsoft Active Directory Domains
    • Overriding an Application Authentication Mechanism with Windows Native Authentication
  • Oracle Internet Directory Schema Elements for Microsoft Active Directory
  • Integration with Multiple Microsoft Active Directory Domain Controllers
  • Synchronizing with a Multiple-Domain Microsoft Active Directory Environment
    • Configuration Required for Importing from Microsoft Active Directory to Oracle Internet Directory
    • Configuration Required for Importing from Microsoft Active Directory Lightweight Directory Service to Oracle Internet Directory
    • Configuration Required for Exporting from Oracle Internet Directory to Microsoft Active Directory
    • Example: Integration with Multiple Third-Party Directory Domains
  • Foreign Security Principals
• Sun Java System Directory Server Integration Concepts
  • Synchronizing from Sun Java System Directory Server to Oracle Directory Integration Platform
  • Oracle Internet Directory Schema Elements for Sun Java System Directory Server
• IBM Tivoli Directory Server Integration Concepts
  • Changes to Directory Objects in IBM Tivoli Directory Server
  • Oracle Internet Directory Schema Elements for IBM Tivoli Directory Server
• Novell eDirectory and OpenLDAP Integration Concepts
  • Synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory
  • Oracle Internet Directory Schema Elements for Novell eDirectory
  • Oracle Internet Directory Schema Elements for OpenLDAP
• Limitations of Third-Party Integration in Oracle Directory Integration Platform 11g Release 1 (11.1.1)

17 Configuring Synchronization with a Third-Party Directory

• Verifying Synchronization Requirements
• Creating Import and Export Synchronization Profiles Using expressSyncSetup
  • Syntax for expressSyncSetup
  • Arguments for expressSyncSetup
  • Tasks and Examples for expressSyncSetup
  • Understanding the expressSyncSetup Command
• Configuring Advanced Integration Options
  • Configuring the Realm
  • Customizing Access Control Lists
    • Customizing ACLs for Import Profiles
    • Customizing ACLs for Export Profiles
    • ACLs for Other Oracle Components
  • Customizing Mapping Rules
  • Configuring the Third-Party Directory Connector for Synchronization in SSL Mode
  • Enabling Password Synchronization from Oracle Internet Directory to a Third-Party Directory
  • Configuring External Authentication Plug-ins
    • Configuring External Authentication Against Multiple Domains
• Writing Custom Synchronization Connectors
  • Inbound Connectors
    • Sample Reader
  • Outbound Connectors
    • Sample Writer

18 Integrating with Microsoft Active Directory

• Verifying Synchronization Requirements for Microsoft Active Directory
• Configuring Basic Synchronization with Microsoft Active Directory
• Configuring Advanced Integration with Microsoft Active Directory
  • Step 1: Planning Your Integration
  • Step 2: Configuring the Realm
  • Step 3: Customizing the Search Filter to Retrieve Information from Microsoft Active Directory
  • Step 4: Customizing the ACLs
  • Step 5: Customizing Attribute Mappings
  • Step 6: Synchronizing with Multiple Microsoft Active Directory Domains
  • Step 7: Synchronizing Deletions from Microsoft Active Directory
  • Step 8: Synchronizing in SSL Mode
  • Step 9: Synchronizing Passwords
  • Step 10: Configuring the Microsoft Active Directory External Authentication Plug-in
  • Step 11: Performing Post-Configuration and Administrative Tasks
• Using DirSync Change Tracking for Import Operations
• Configuring Windows Native Authentication
  • What are the System Requirements for Windows Native Authentication?
  • Avoiding HTTP-401 Errors and Repeat Login Challenges for External Users
  • Configuring Windows Native Authentication with a Single Microsoft Active Directory Domain
  • Configuring Windows Native Authentication with Multiple Microsoft Active Directory Domains or Forests
  • Implementing Fallback Authentication
  • Understanding the Possible Login Scenarios
• Configuring Synchronization of Oracle Internet Directory Foreign Security Principal References with Microsoft Active Directory
• Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain
• Configuring the Microsoft Active Directory Connector for Microsoft Active Directory Lightweight Directory Service
• Configuring the Microsoft Active Directory Connector for Microsoft Exchange Server

19 Deploying the Oracle Password Filter for Microsoft Active Directory

• Overview of the Oracle Password Filter for Microsoft Active Directory
  • What is the Oracle Password Filter for Microsoft Active Directory?
  • How Does the Oracle Password Filter for Microsoft Active Directory Work?
    • Clear Text Password Changes Captured
    • Password Changes Stored when Oracle Internet Directory is Unavailable
    • Password Synchronization Delayed Until Microsoft Active Directory Users are Synchronized with Oracle Identity Management
    • Password Bootstrapping
  • How Do I Deploy the Oracle Password Filter for Microsoft Active Directory?
• Configuring and Testing Oracle Internet Directory with SSL Server-Side Authentication
• Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller
• Testing SSL Communication Between Oracle Internet Directory and Microsoft Active Directory
• Installing and Reconfiguring the Oracle Password Filter for Microsoft Active Directory
  • Installing the Oracle Password Filter for Microsoft Active Directory
  • Reconfiguring the Oracle Password Filter for Microsoft Active Directory
• Removing the Oracle Password Filter for Microsoft Active Directory

20 Integrating with Sun Java System Directory Server

• Verifying Synchronization Requirements for Sun Java System Directory Server
• Configuring Basic Synchronization with Sun Java System Directory Server
• Configuring Advanced Integration with Sun Java System Directory Server
  • Step 1: Planning Your Integration
  • Step 2: Configuring the Realm
  • Step 3: Customizing the ACLs
  • Step 4: Customizing Attribute Mappings
  • Step 5: Customizing the Sun Java System Directory Server Connector to Synchronize Deletions
  • Step 6: Synchronizing Passwords
  • Step 7: Synchronizing in SSL Mode
  • Step 8: Configuring the Sun Java System Directory Server External Authentication Plug-in
  • Step 9: Performing Post-Configuration and Administrative Tasks

21 Integrating with IBM Tivoli Directory Server

• Verifying Synchronization Requirements for IBM Tivoli Directory Server
• Configuring Basic Synchronization with IBM Tivoli Directory Server
• Configuring Advanced Integration with IBM Tivoli Directory Server
  • Step 1: Planning Your Integration
  • Step 2: Configuring the Realm
  • Step 3: Customizing the ACLs
  • Step 4: Customizing Attribute Mappings
  • Step 5: Customizing the IBM Tivoli Directory Server Connector to Synchronize Deletions
  • Step 6: Synchronizing Passwords
  • Step 7: Synchronizing in SSL Mode
  • Step 8: Configuring the IBM Tivoli Directory Server External Authentication Plug-in
  • Step 9: Performing Post-Configuration and Administrative Tasks

22 Integrating with Novell eDirectory or OpenLDAP

• Verifying Synchronization Requirements for Novell eDirectory or OpenLDAP
• Configuring Basic Synchronization with Novell eDirectory or OpenLDAP
  • Synchronizing Multiple Profiles from eDirectory or OpenLDAP to One Oracle Internet Directory Container
• Configuring Advanced Integration with Novell eDirectory or OpenLDAP
  • Step 1: Planning Your Integration
  • Step 2: Configuring the Realm
  • Step 3: Customizing the Search Filter to Retrieve Information from Novell eDirectory or OpenLDAP
  • Step 4: Customizing the ACLs
  • Step 5: Customizing Attribute Mappings
  • Step 6: Customizing the Novell eDirectory or OpenLDAP Connector to Synchronize Deletions
    • How Do I Define a Reconciliation Rule?
    • How are Reconciliation Rules Used to Synchronize Deletions?
  • Step 7: Specifying Synchronization Parameters for the Advanced Configuration Information Attribute
  • Step 8: Configuring the OpenLDAP Connector to Synchronize Passwords
  • Step 9: Synchronizing in SSL Mode
  • Step 10: Configuring the Novell eDirectory or OpenLDAP External Authentication Plug-in
  • Step 11: Performing Post-Configuration and Administrative Tasks

23 Managing Integration with a Third-Party Directory

• Tasks After Configuring with a Third-Party Directory
• Typical Management of Integration with a Third-Party Directory
  • Bootstrapping Data Between Directories
  • Managing a Third-Party Directory External Authentication Plug-in
    • Deleting a Third-Party Directory External Authentication Plug-in
    • Disabling a Third-Party External Authentication Plug-in
    • Re-enabling a Third-Party External Authentication Plug-in

Part VI Appendixes

A Comparing Oracle Directory Integration Platform 11g Release 1 (11.1.1) and 10g Releases (10.1.4.x)

• Process Management
• Configuration Files
• Templates for Mapping, Configuration, and Properties Files
• Log Files
• Graphical User Interfaces
• Command-Line Tools
• Audit Configurables
• Audit Log Location

B Example Properties File for Synchronization Profiles

• Example Properties File for Synchronization Profiles

C Starting and Stopping the Oracle Stack

• Starting the Stack
• Stopping the Stack

D Case Study: A Deployment of Oracle Directory Integration Platform

• Components in the MyCompany Enterprise
• Requirements of the MyCompany Enterprise
• Overall Deployment in the MyCompany Enterprise
• User Creation and Provisioning in the MyCompany Enterprise
• Modification of User Properties in the MyCompany Enterprise
• Deletion of Users in the MyCompany Enterprise

E Troubleshooting the Oracle Directory Integration Platform

• Checklist for Troubleshooting Oracle Directory Integration Platform
• The DIP Tester Utility
• Problems and Solutions
  • Provisioning Errors and Problems
  • Synchronization Errors and Problems
  • Windows Native Authentication Errors and Problems
  • Novell eDirectory and OpenLDAP Synchronization Errors and Problems
  • Oracle Password Filter for Microsoft Active Directory Errors and Problems
• Troubleshooting Provisioning
  • Viewing Diagnostic Settings
  • Provisioning-Integration Applications Not Visible in the Provisioning Console
  • Unable to Create Users
    • Troubleshooting Data Entry Plug-ins
    • Troubleshooting Provisioning Plug-ins
  • Using Provisioning Status to Identify Problems
  • Users Cannot Log In After Account Creation
  • Monitoring Provisioning Execution Status with the Fusion Middleware Control
• Troubleshooting Synchronization
  • Oracle Directory Integration Platform Synchronization Process Flow
    • Oracle Directory Integration Platform Synchronization Process Flow for an Import Profile
    • Oracle Directory Integration Platform Synchronization Process Flow for an Export Profile
  • Understanding Synchronization Profile Registration
  • Understanding the diagnostic.log File
• Troubleshooting Integration with Microsoft Active Directory
  • Debugging Windows Native Authentication
  • Synchronizing Changes Following a Period when Oracle Internet Directory is Unavailable
• Need More Help?

Glossary

Index