Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform 11g Release 1 (11.1.1)
Part Number E10031-02
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New in Oracle Directory Integration Platform?
Part I Getting Started with Oracle Directory Integration Platform
1 Introduction to Oracle Identity Management Integration
Why Oracle Identity Management Integration?
Oracle Identity Management Installation Options
Synchronization, Provisioning, and the Differences Between Them
Synchronization
Provisioning
How Synchronization and Provisioning Differ
Components Involved in Oracle Identity Management Integration
Oracle Internet Directory
Oracle Directory Integration Platform
Understanding the Oracle Directory Integration Platform Server
Understanding the Oracle Directory Integration Platform Synchronization Service
Understanding the Oracle Directory Integration Platform Provisioning Service
Oracle Application Server Single Sign-On
2 Security Features in Oracle Directory Integration Platform
Authentication in Oracle Directory Integration Platform
Secure Sockets Layer and Oracle Directory Integration Platform
Oracle Directory Integration Platform Authentication in SSL Mode
Profile Authentication
Access Control and Authorization and Oracle Directory Integration Platform
Access Controls for the Oracle Directory Integration Platform
Access Controls for Profiles
Data Integrity and Oracle Directory Integration Platform
Data Privacy and Oracle Directory Integration Platform
Tools Security and Oracle Directory Integration Platform
Credential Storing
Part II General Administration of Oracle Directory Integration Platform
3 Administering Oracle Directory Integration Platform
Graphical Tools for Administering Oracle Directory Integration Platform
Using Fusion Middleware Control
The Oracle Directory Integration Platform Home Page
Using Oracle Internet Directory Self-Service Console
Using Oracle Internet Directory Provisioning Console
Command-Line Tools for Administering Oracle Directory Integration Platform
Using Standard LDAP Command-Line Tools
4 Managing the Oracle Directory Integration Platform
Operational Information About the Oracle Directory Integration Platform
Directory Integration Profiles
Oracle Directory Integration Platform Event Propagation in a Multimaster Oracle Internet Directory Replication Environment
Directory Synchronization in an Oracle Internet Directory Multimaster Replication Environment
Directory Provisioning in an Oracle Internet Directory Multimaster Replication Environment
Viewing Oracle Directory Integration Platform Status and Registration Information
Viewing the Status of Oracle Directory Integration Platform Using the dipStatus Utility
Syntax for dipStatus
Arguments for dipStatus
Examples for dipStatus
Viewing Oracle Directory Integration Platform Registration Information Using the ldapsearch Utility
Managing Oracle Directory Integration Platform Using Fusion Middleware Control
Viewing Oracle Directory Integration Platform Runtime Information Using Fusion Middleware Control
Starting Oracle Directory Integration Platform with Fusion Middleware Control
Stopping Oracle Directory Integration Platform with Fusion Middleware Control
Managing the Oracle Directory Integration Platform Server Configuration
Managing Oracle Directory Integration Platform Logging Using Fusion Middleware Control
Auditing Oracle Directory Integration Platform Using Fusion Middleware Control
Starting and Stopping Oracle Directory Integration Platform Using WLST
Managing Oracle Directory Integration Platform Using manageDIPServerConfig
Syntax for manageDIPServerConfig
Arguments for manageDIPServerConfig
Tasks and Examples for manageDIPServerConfig
Configuring Oracle Directory Integration Platform for SSL Mode 2 Server-Only Authentication
Managing the SSL Certificates of Oracle Internet Directory and Connected Directories
Detecting and Removing an Expired Certificate
Oracle Directory Integration Platform in a High Availability Scenario
Managing Oracle Directory Integration Platform in a Replicated Environment
Part III Synchronization Using Oracle Directory Integration Platform
5 Understanding the Oracle Directory Synchronization Service
Components Involved in Oracle Directory Synchronization
Connectors for Directory Synchronization
Using Connectors with Supported Interfaces
Using Connectors Without Supported Interfaces
Directory Synchronization Profiles
How Synchronization Works
Synchronizing from Oracle Internet Directory to a Connected Directory
Synchronizing from a Connected Directory to Oracle Internet Directory
Synchronizing Directories with Interfaces Not Supported by Oracle Internet Directory
6 Configuring Directory Synchronization
Registering Connectors in Oracle Directory Integration Platform
Synchronization Profile Templates
Configuring Connection Details
Configuring Mapping Rules
Distinguished Name Mapping
Excluding Domains
Attribute-Level Mapping
Excluding Attributes
Manually Creating New Mapping Files
Supported Attribute Mapping Rules and Examples
Example: Mapping File for a Tagged-File Interface
Example: Mapping Files for an LDIF Interface
Updating Mapping Rules
Adding an Entry to the Mapping Rules File
Modifying an Entry in the Mapping Rules File
Deleting an Entry from the Mapping Rules File
Extending Mappings Using Custom Plug-ins
Writing Custom Plug-Ins
Mapping Plug-In Evaluation Constraints
Adding Mapping Plug-Ins
Applications of Mapping Plug-Ins
Support for New Mapping Operations
Support for Multiple Literal Values
Example Plug-In Usage
Configuring Matching Filters
Filtering Changes with an LDAP Search
Filtering Changes from a Change Log
Location and Naming of Files
7 Managing Directory Synchronization Profiles
Managing Synchronization Profiles Using Fusion Middleware Control
Creating Synchronization Profiles
Editing Synchronization Profiles
Enabling and Disabling Synchronization Profiles
Deleting Synchronization Profiles
Managing Synchronization Profiles Using manageSyncProfiles
Syntax for manageSyncProfiles
Arguments for manageSyncProfiles
Tasks and Examples for manageSyncProfiles
Modifying the Synchronization Status Attributes
Setting Null Values in Synchronization Profiles
8 Bootstrapping a Directory in Oracle Directory Integration Platform
Directory Bootstrapping Using syncProfileBootstrap
Syntax for syncProfileBootstrap
Arguments for syncProfileBootstrap
Tasks and Examples for syncProfileBootstrap
Recommended Bootstrapping Methodology
Bootstrapping Using a Parameter File
Bootstrapping Without Using an LDIF File
Bootstrapping Using an LDIF File
Bootstrapping Directly Using the Default Integration Profile
Bootstrapping in SSL Mode
9 Synchronizing with Relational Database Tables
Preparing the Additional Configuration Information File
Preparing the Mapping File
Preparing the Directory Integration Profile
Example: Synchronizing a Relational Database Table to Oracle Internet Directory
Configuring the Additional Configuration Information File
Configuring the Mapping File
Configuring the Directory Integration Profile
Uploading the Additional Configuration Information and Mapping Files
Synchronization Process
Observations About the Example
10 Synchronizing with Oracle Human Resources
Introduction to Synchronization with Oracle Human Resources
Data You Can Import from Oracle Human Resources
Managing Synchronization Between Oracle Human Resources and Oracle Internet Directory
Task 1: Configure a Directory Integration Profile for the Oracle Human Resources Connector
Task 2: Configure the List of Attributes to Be Synchronized with Oracle Internet Directory
Modifying Additional Oracle Human Resources Attributes for Synchronization
Excluding Oracle Human Resources Attributes from Synchronization
Configuring a SQL SELECT Statement in the Configuration File to Support Complex Selection Criteria
Task 3: Configure Mapping Rules for the Oracle Human Resources Connector
Task 4: Prepare to Synchronize from Oracle Human Resources to Oracle Internet Directory
Preparing for Synchronization
The Synchronization Process
Bootstrapping Oracle Internet Directory from Oracle Human Resources
11 Synchronizing with Third-Party Metadirectory Solutions
About Change Logs
Enabling Third-Party Metadirectory Solutions to Synchronize with Oracle Internet Directory
Task 1: Perform Initial Bootstrapping
Task 2: Create a Change Subscription Object in Oracle Internet Directory for the Third-Party Metadirectory Solution
About the Change Subscription Object
Creating a Change Subscription Object
Synchronization Process
How a Connected Directory Retrieves Changes the First Time from Oracle Internet Directory
How a Connected Directory Updates the orclLastAppliedChangeNumber Attribute in Oracle Internet Directory
Disabling and Deleting Change Subscription Objects
Disabling a Change Subscription Object
Deleting a Change Subscription Object
Part IV Provisioning with the Oracle Directory Integration Platform
12 Understanding the Oracle Directory Integration Platform for Provisioning
What Is Provisioning?
Components of the Oracle Directory Integration Platform Service
Understanding Provisioning Concepts
Synchronous Provisioning
Asynchronous Provisioning
Provisioning Data Flow
Overview of Provisioning Methodologies
Provisioning Users from the Provisioning Console
Provisioning Users that are Synchronized from an External Source
Provisioning Users Created with Command-Line LDAP Tools
Bulk Provisioning Using the provProfileBulkProv Tool
Syntax for provProfileBulkProv
Arguments for provProfileBulkProv
Tasks and Examples for provProfileBulkProv
On-Demand Provisioning
Application Bootstrapping
Organization of User Profiles in Oracle Internet Directory
Organization of Provisioning Entries in the Directory Information Tree
Understanding User Provisioning Statuses
Provisioning Status in Oracle Internet Directory
Provisioning Status Transitions
Upgrading and Coexistence Provisioning Statuses
Provisioning Statuses and Exception Handling
Understanding Provisioning Flow
Creating and Modifying Users with the Provisioning Console
Deleting Users with the Provisioning Console
Viewing and Editing Provisioning Profiles Using Fusion Middleware Control
User Provisioning from an External Source
How Are Administrative Privileges Delegated?
Provisioning Administration Model
Oracle Delegated Administration Services Privileges
Provisioning Administration Privileges
Application Administration Privileges
Oracle Delegated Administration Services and Provisioning Administration Privileges
Application Administration and Oracle Delegated Administration Services Privileges
Application Administration Privileges and Oracle Delegated Administration Services User Creation Privileges
Application Administration Privileges and Oracle Delegated Administration Services User Editing Privileges
Application Administration Privileges and Oracle Delegated Administration Services User Deletion Privileges
Provisioning and Application Administration Privileges
Oracle Delegated Administration Services, Provisioning, and Application Administration Privileges
13 Deploying Provisioning-Integrated Applications
Deployment Overview for Provisioning-Integrated Applications
Managing Provisioning Profiles Using oidprovtool
Syntax for oidprovtool
Arguments for oidprovtool
Tasks and Examples for oidprovtool
Creating a Provisioning Profile
Modifying a Provisioning Profile
Deleting a Provisioning Profile
Disabling a Provisioning Profile
Registering Applications for Provisioning
Configuring Application Provisioning Properties
14 Understanding the Oracle Provisioning Event Engine
What Are the Oracle Provisioning Events?
Working with the Oracle Provisioning Event Engine
Creating Custom Event Object Definitions
Defining Custom Event Generation Rules
15 Integration of Provisioning Data with Oracle E-Business Suite
Part V Integrating with Third-Party Directories
16 Third-Party Directory Integration Concepts and Considerations
Concepts and Architecture of Third-Party Directory Integration
Oracle Identity Management Components for Integrating with a Third-Party Directory
Oracle Internet Directory Schema Elements for Synchronizing with Third-Party Directories
Directory Information Tree in an Integration with a Third-Party Directory
About Realms in Oracle Internet Directory
Planning the Deployment
Example: Integration with a Single Third-Party Directory Domain
Planning Your Integration Environment
Preliminary Considerations for Integrating with a Third-Party Directory
Choose the Directory for the Central Enterprise Directory
Oracle Internet Directory as the Central Enterprise Directory
Third-Party Directory as the Central Enterprise Directory
Customizing the LDAP Schema
Choose Where to Store Passwords
Advantages and Disadvantages of Storing the Password in One Directory
Advantages and Disadvantages of Storing Passwords in Both Directories
Choose the Structure of the Directory Information Tree
Create Identical DIT Structures on Both Directories
Distinguished Name Mapping and Limitations
Select the Attribute for the Login Name
Select the User Search Base
Select the Group Search Base
Decide How to Address Security Concerns
Administering Your Deployment with Oracle Access Manager
Microsoft Active Directory Integration Concepts
Synchronizing from Microsoft Active Directory to Oracle Internet Directory
Requirement for Using WebDAV Protocol
Windows Native Authentication
Understanding Windows Native Authentication
Authenticating Users Against Multiple Microsoft Active Directory Domains
Overriding an Application Authentication Mechanism with Windows Native Authentication
Oracle Internet Directory Schema Elements for Microsoft Active Directory
Integration with Multiple Microsoft Active Directory Domain Controllers
Synchronizing with a Multiple-Domain Microsoft Active Directory Environment
Configuration Required for Importing from Microsoft Active Directory to Oracle Internet Directory
Configuration Required for Importing from Microsoft Active Directory Lightweight Directory Service to Oracle Internet Directory
Configuration Required for Exporting from Oracle Internet Directory to Microsoft Active Directory
Example: Integration with Multiple Third-Party Directory Domains
Foreign Security Principals
Sun Java System Directory Server Integration Concepts
Synchronizing from Sun Java System Directory Server to Oracle Directory Integration Platform
Oracle Internet Directory Schema Elements for Sun Java System Directory Server
IBM Tivoli Directory Server Integration Concepts
Changes to Directory Objects in IBM Tivoli Directory Server
Oracle Internet Directory Schema Elements for IBM Tivoli Directory Server
Novell eDirectory and OpenLDAP Integration Concepts
Synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory
Oracle Internet Directory Schema Elements for Novell eDirectory
Oracle Internet Directory Schema Elements for OpenLDAP
Limitations of Third-Party Integration in Oracle Directory Integration Platform 11g Release 1 (11.1.1)
17 Configuring Synchronization with a Third-Party Directory
Verifying Synchronization Requirements
Creating Import and Export Synchronization Profiles Using expressSyncSetup
Syntax for expressSyncSetup
Arguments for expressSyncSetup
Tasks and Examples for expressSyncSetup
Understanding the expressSyncSetup Command
Configuring Advanced Integration Options
Configuring the Realm
Customizing Access Control Lists
Customizing ACLs for Import Profiles
Customizing ACLs for Export Profiles
ACLs for Other Oracle Components
Customizing Mapping Rules
Configuring the Third-Party Directory Connector for Synchronization in SSL Mode
Enabling Password Synchronization from Oracle Internet Directory to a Third-Party Directory
Configuring External Authentication Plug-ins
Configuring External Authentication Against Multiple Domains
Writing Custom Synchronization Connectors
Inbound Connectors
Sample Reader
Outbound Connectors
Sample Writer
18 Integrating with Microsoft Active Directory
Verifying Synchronization Requirements for Microsoft Active Directory
Configuring Basic Synchronization with Microsoft Active Directory
Configuring Advanced Integration with Microsoft Active Directory
Step 1: Planning Your Integration
Step 2: Configuring the Realm
Step 3: Customizing the Search Filter to Retrieve Information from Microsoft Active Directory
Step 4: Customizing the ACLs
Step 5: Customizing Attribute Mappings
Step 6: Synchronizing with Multiple Microsoft Active Directory Domains
Step 7: Synchronizing Deletions from Microsoft Active Directory
Step 8: Synchronizing in SSL Mode
Step 9: Synchronizing Passwords
Step 10: Configuring the Microsoft Active Directory External Authentication Plug-in
Step 11: Performing Post-Configuration and Administrative Tasks
Using DirSync Change Tracking for Import Operations
Configuring Windows Native Authentication
What are the System Requirements for Windows Native Authentication?
Avoiding HTTP-401 Errors and Repeat Login Challenges for External Users
Configuring Windows Native Authentication with a Single Microsoft Active Directory Domain
Configuring Windows Native Authentication with Multiple Microsoft Active Directory Domains or Forests
Implementing Fallback Authentication
Understanding the Possible Login Scenarios
Configuring Synchronization of Oracle Internet Directory Foreign Security Principal References with Microsoft Active Directory
Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain
Configuring the Microsoft Active Directory Connector for Microsoft Active Directory Lightweight Directory Service
Configuring the Microsoft Active Directory Connector for Microsoft Exchange Server
19 Deploying the Oracle Password Filter for Microsoft Active Directory
Overview of the Oracle Password Filter for Microsoft Active Directory
What is the Oracle Password Filter for Microsoft Active Directory?
How Does the Oracle Password Filter for Microsoft Active Directory Work?
Clear Text Password Changes Captured
Password Changes Stored when Oracle Internet Directory is Unavailable
Password Synchronization Delayed Until Microsoft Active Directory Users are Synchronized with Oracle Identity Management
Password Bootstrapping
How Do I Deploy the Oracle Password Filter for Microsoft Active Directory?
Configuring and Testing Oracle Internet Directory with SSL Server-Side Authentication
Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller
Testing SSL Communication Between Oracle Internet Directory and Microsoft Active Directory
Installing and Reconfiguring the Oracle Password Filter for Microsoft Active Directory
Installing the Oracle Password Filter for Microsoft Active Directory
Reconfiguring the Oracle Password Filter for Microsoft Active Directory
Removing the Oracle Password Filter for Microsoft Active Directory
20 Integrating with Sun Java System Directory Server
Verifying Synchronization Requirements for Sun Java System Directory Server
Configuring Basic Synchronization with Sun Java System Directory Server
Configuring Advanced Integration with Sun Java System Directory Server
Step 1: Planning Your Integration
Step 2: Configuring the Realm
Step 3: Customizing the ACLs
Step 4: Customizing Attribute Mappings
Step 5: Customizing the Sun Java System Directory Server Connector to Synchronize Deletions
Step 6: Synchronizing Passwords
Step 7: Synchronizing in SSL Mode
Step 8: Configuring the Sun Java System Directory Server External Authentication Plug-in
Step 9: Performing Post-Configuration and Administrative Tasks
21 Integrating with IBM Tivoli Directory Server
Verifying Synchronization Requirements for IBM Tivoli Directory Server
Configuring Basic Synchronization with IBM Tivoli Directory Server
Configuring Advanced Integration with IBM Tivoli Directory Server
Step 1: Planning Your Integration
Step 2: Configuring the Realm
Step 3: Customizing the ACLs
Step 4: Customizing Attribute Mappings
Step 5: Customizing the IBM Tivoli Directory Server Connector to Synchronize Deletions
Step 6: Synchronizing Passwords
Step 7: Synchronizing in SSL Mode
Step 8: Configuring the IBM Tivoli Directory Server External Authentication Plug-in
Step 9: Performing Post-Configuration and Administrative Tasks
22 Integrating with Novell eDirectory or OpenLDAP
Verifying Synchronization Requirements for Novell eDirectory or OpenLDAP
Configuring Basic Synchronization with Novell eDirectory or OpenLDAP
Synchronizing Multiple Profiles from eDirectory or OpenLDAP to One Oracle Internet Directory Container
Configuring Advanced Integration with Novell eDirectory or OpenLDAP
Step 1: Planning Your Integration
Step 2: Configuring the Realm
Step 3: Customizing the Search Filter to Retrieve Information from Novell eDirectory or OpenLDAP
Step 4: Customizing the ACLs
Step 5: Customizing Attribute Mappings
Step 6: Customizing the Novell eDirectory or OpenLDAP Connector to Synchronize Deletions
How Do I Define a Reconciliation Rule?
How are Reconciliation Rules Used to Synchronize Deletions?
Step 7: Specifying Synchronization Parameters for the Advanced Configuration Information Attribute
Step 8: Configuring the OpenLDAP Connector to Synchronize Passwords
Step 9: Synchronizing in SSL Mode
Step 10: Configuring the Novell eDirectory or OpenLDAP External Authentication Plug-in
Step 11: Performing Post-Configuration and Administrative Tasks
23 Managing Integration with a Third-Party Directory
Tasks After Configuring with a Third-Party Directory
Typical Management of Integration with a Third-Party Directory
Bootstrapping Data Between Directories
Managing a Third-Party Directory External Authentication Plug-in
Deleting a Third-Party Directory External Authentication Plug-in
Disabling a Third-Party External Authentication Plug-in
Re-enabling a Third-Party External Authentication Plug-in
Part VI Appendixes
A Comparing Oracle Directory Integration Platform 11g Release 1 (11.1.1) and 10g Releases (10.1.4.x)
Process Management
Configuration Files
Templates for Mapping, Configuration, and Properties Files
Log Files
Graphical User Interfaces
Command-Line Tools
Audit Configurables
Audit Log Location
B Example Properties File for Synchronization Profiles
Example Properties File for Synchronization Profiles
C Starting and Stopping the Oracle Stack
Starting the Stack
Stopping the Stack
D Case Study: A Deployment of Oracle Directory Integration Platform
Components in the MyCompany Enterprise
Requirements of the MyCompany Enterprise
Overall Deployment in the MyCompany Enterprise
User Creation and Provisioning in the MyCompany Enterprise
Modification of User Properties in the MyCompany Enterprise
Deletion of Users in the MyCompany Enterprise
E Troubleshooting the Oracle Directory Integration Platform
Checklist for Troubleshooting Oracle Directory Integration Platform
The DIP Tester Utility
Problems and Solutions
Provisioning Errors and Problems
Synchronization Errors and Problems
Windows Native Authentication Errors and Problems
Novell eDirectory and OpenLDAP Synchronization Errors and Problems
Oracle Password Filter for Microsoft Active Directory Errors and Problems
Troubleshooting Provisioning
Viewing Diagnostic Settings
Provisioning-Integration Applications Not Visible in the Provisioning Console
Unable to Create Users
Troubleshooting Data Entry Plug-ins
Troubleshooting Provisioning Plug-ins
Using Provisioning Status to Identify Problems
Users Cannot Log In After Account Creation
Monitoring Provisioning Execution Status with the Fusion Middleware Control
Troubleshooting Synchronization
Oracle Directory Integration Platform Synchronization Process Flow
Oracle Directory Integration Platform Synchronization Process Flow for an Import Profile
Oracle Directory Integration Platform Synchronization Process Flow for an Export Profile
Understanding Synchronization Profile Registration
Understanding the diagnostic.log File
Troubleshooting Integration with Microsoft Active Directory
Debugging Windows Native Authentication
Synchronizing Changes Following a Period when Oracle Internet Directory is Unavailable
Need More Help?
Glossary
Index