This chapter outlines the procedures for integrating Oracle Identity Management with IBM Tivoli Directory Server. It contains these topics:
Verifying Synchronization Requirements for IBM Tivoli Directory Server
Configuring Basic Synchronization with IBM Tivoli Directory Server
Configuring Advanced Integration with IBM Tivoli Directory Server
Note:
This chapter assumes familiarity with the chapter on Oracle Internet Directory concepts and architecture in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It also assumes familiarity with the earlier chapters in this book, especially:
Chapter 1, "Introduction to Oracle Identity Management Integration"
Chapter 4, "Managing the Oracle Directory Integration Platform"
Chapter 5, "Understanding the Oracle Directory Synchronization Service"
Chapter 16, "Third-Party Directory Integration Concepts and Considerations"
If you are configuring a demonstration of integration with IBM Tivoli Directory Server, then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology/
Before configuring basic or advanced synchronization with IBM Tivoli Directory Server, ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements". Before synchronizing with IBM Tivoli Directory Server, you must also perform the following steps:
When creating a user account in IBM Tivoli Directory Server with sufficient privileges to perform import and export operations, be sure to assign sufficient permissions to read the tombstone
Enable change logging on IBM Tivoli Directory Server
You use the expressSyncSetup command to quickly establish synchronization between Oracle Internet Directory and IBM Tivoli Directory Server. The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use the expressSyncSetup command to synchronize with IBM Tivoli Directory Server, refer to "Creating Import and Export Synchronization Profiles Using expressSyncSetup".
When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported third-party directories. The sample synchronization profiles created for IBM Tivoli Directory Server are:
TivoliImport—The profile for importing changes from IBM Tivoli Directory Server to Oracle Internet Directory
TivoliExport—The profile for exporting changes from Oracle Internet Directory to IBM Tivoli Directory Server
You can also use the expressSyncSetup command to create additional synchronization profiles. The import and export synchronization profiles created during the install process or with expressSyncSetup are only intended as a starting point for deploying your integration of Oracle Internet Directory and an IBM Tivoli Directory Server. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:
Step 5: Customizing the IBM Tivoli Directory Server Connector to Synchronize Deletions
Step 8: Configuring the IBM Tivoli Directory Server External Authentication Plug-in
Step 9: Performing Post-Configuration and Administrative Tasks
Plan your integration by reading Chapter 16, "Third-Party Directory Integration Concepts and Considerations", particularly "IBM Tivoli Directory Server Integration Concepts". Be sure to create a new profile by copying the existing IBM Tivoli Directory Server template profile by following the instructions in "Creating Synchronization Profiles".
Configure the realm by following the instructions in "Configuring the Realm".
Customize ACLs as described in "Customizing Access Control Lists".
When integrating with IBM Tivoli Directory Server, the following attribute-level mapping is mandatory for all objects:
targetdn: : :top:orclSourceObjectDN: :orclTDSObject:
Example 21-1 Attribute-Level Mapping for the User Object in IBM Tivoli Directory Server
Cn:1: :person: cn: :person:
sn: : :person: sn: :person:
Example 21-2 Attribute-Level Mapping for the Group Object in IBM Tivoli Directory Server
Cn:1: :groupofname: cn: :groupofuniquenames:
In the preceding examples, Cn and sn from IBM Tivoli Directory Server are mapped to cn and sn in Oracle Internet Directory.
If you specify anything other than the RDN attribute as a required attribute in the mapping file, those changes will not be synchronized. This is due to a limitation in IBM Tivoli Directory Server where changes do not appear as deletions in the changelog when tombstones are enabled.
Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".
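The following is an added example in Python, not part of the Oracle documentation or of Oracle Directory Integration Platform: a lint pass over the attribute-mapping lines of a Tivoli profile that applies the rules stated above before the profile is deployed. It assumes the eight-field colon-separated layout the examples use (source attribute, required flag, source attribute type, source object class, destination attribute, destination attribute type, destination object class, mapping rule) and that the mapping-rule field itself contains no colon. The sample rules are the ones shown above plus one constructed line (mail flagged as required) to exercise the check.

```python
# Field layout of an attribute-mapping line, as used in the examples above
# (assumed here: the mapping-rule field contains no colon).
FIELDS = ("src_attr", "required", "src_type", "src_oc",
          "dst_attr", "dst_type", "dst_oc", "rule")

def parse_rule(line):
    """Split one mapping line into a dict; raise on a malformed line."""
    parts = [p.strip() for p in line.split(":")]
    if len(parts) != len(FIELDS):
        raise ValueError("expected 8 fields, got %d: %r" % (len(parts), line))
    return dict(zip(FIELDS, parts))

def lint_tivoli_rules(lines, rdn_attr="cn", sync_passwords=False):
    """Return the problems found in a Tivoli profile's mapping rules:
    - the targetdn -> orclSourceObjectDN rule on orclTDSObject is missing
    - an attribute other than the RDN attribute is flagged required (its
      changes would not be synchronized from IBM Tivoli Directory Server)
    - passwords are to be synchronized but no userpassword rule exists
    - a line does not have eight colon-separated fields"""
    problems, rules = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as err:
            problems.append("line %d: %s" % (n, err))
    low = str.lower
    if not any(low(r["src_attr"]) == "targetdn"
               and low(r["dst_attr"]) == "orclsourceobjectdn"
               and low(r["dst_oc"]) == "orcltdsobject" for r in rules):
        problems.append("mandatory rule missing: "
                        "targetdn: : :top:orclSourceObjectDN: :orclTDSObject:")
    for r in rules:
        if r["required"] == "1" and low(r["src_attr"]) != low(rdn_attr):
            problems.append("%s is marked required but is not the RDN attribute "
                            "%s; its changes will not be synchronized"
                            % (r["src_attr"], rdn_attr))
    if sync_passwords and not any(low(r["src_attr"]) == "userpassword"
                                  and low(r["dst_attr"]) == "userpassword"
                                  for r in rules):
        problems.append("password synchronization needs a "
                        "userpassword -> userpassword rule")
    return problems

# Constructed sample: the rules shown above for the user object, plus one
# deliberately wrong line (mail flagged required) to exercise the check.
SAMPLE_RULES = [
    "targetdn: : :top:orclSourceObjectDN: :orclTDSObject:",
    "Cn:1: :person: cn: :person:",
    "sn: : :person: sn: :person:",
    "mail:1: :inetorgperson: mail: :inetorgperson:",
    "Userpassword: : :person:userpassword: :person:",
]
```

Run lint_tivoli_rules over the AttributeMappingRules lines of the profile's mapping file (with sync_passwords=True when the userpassword rule from the password step is expected); an empty list means the mandatory rule is present, only the RDN attribute is flagged required, and every line has the expected field count.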
If you want to synchronize deletions, you must ensure tombstones are not enabled in IBM Tivoli Directory Server. To check if tombstones are enabled, execute the following command:
ldapsearch -h connected_directory_host -p connected_directory_port \
  -D binddn -q \
  -b "cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration" \
  -s base "objectclass=*" ibm-slapdTombstoneEnabled
Note:
You will be prompted for the password. The search returns the current value of ibm-slapdTombstoneEnabled: TRUE means tombstones are enabled, and deletions will not be synchronized until they are disabled.
See Also:
IBM Tivoli Directory Server documentation for details about configuring tombstones.
Oracle Internet Directory and IBM Tivoli Directory Server support the same set of password hashing techniques. To synchronize passwords between Oracle Internet Directory and IBM Tivoli Directory Server, ensure that SSL server authentication mode is configured for both directories and that the following mapping rule exists in the mapping file:
Userpassword: : :person:userpassword: :person:
Configure IBM Tivoli Directory Server for synchronization in SSL mode by following the instructions in "Configuring the Third-Party Directory Connector for Synchronization in SSL Mode".
Perform the following steps to configure an IBM Tivoli Directory Server external authentication plug-in:
Add the configuration entries for the external authentication plug-in for IBM Tivoli Directory Server to Oracle Internet Directory by performing the following steps:
Note:
The wallet referred to in the configuration entries for the external authentication plug-in for IBM Tivoli Directory Server is an Oracle wallet. Accordingly, use Oracle wallet commands to add and remove certificates from the wallet. JKS commands are used only for the certificates that Oracle Directory Integration Platform uses.
Copy the following entries into an LDIF file, for example, input.ldif:
dn: cn=oidexplg_compare_tivoli,cn=plugin,cn=subconfigsubentry
cn: oidexplg_compare_tivoli
objectclass: orclPluginConfig
objectclass: top
orclpluginname: oidexplg
orclplugintype: operational
orclpluginkind: Java
orclplugintiming: when
orclpluginldapoperation: ldapcompare
orclpluginsecuredflexfield;walletpwd: password
orclpluginsecuredflexfield;walletpwd2: password
orclpluginversion: 1.0.1
orclpluginisreplace: 1
orclpluginattributelist: userpassword
orclpluginentryproperties: (!(&(objectclass=orclTDSobject)(objectclass=orcluserv2)))
orclpluginflexfield;host2: host.domain.com
orclpluginflexfield;port2: 636
orclpluginflexfield;isssl2: 1
orclpluginflexfield;host: host.domain.com
orclpluginflexfield;walletloc2: /location/wallet
orclpluginflexfield;port: 389
orclpluginflexfield;walletloc: /tmp
orclpluginflexfield;isssl: 0
orclpluginflexfield;isfailover: 0
orclpluginclassreloadenabled: 0
orclpluginenable: 0
orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com

dn: cn=oidexplg_bind_tivoli,cn=plugin,cn=subconfigsubentry
cn: oidexplg_bind_tivoli
objectclass: orclPluginConfig
objectclass: top
orclpluginname: oidexplg
orclplugintype: operational
orclpluginkind: Java
orclplugintiming: when
orclpluginldapoperation: ldapbind
orclpluginversion: 1.0.1
orclpluginisreplace: 1
orclpluginentryproperties: (!(&(objectclass=orclTDSobject)(objectclass=orcluserv2)))
orclpluginclassreloadenabled: 0
orclpluginflexfield;walletloc2: /location/wallet
orclpluginflexfield;port: 389
orclpluginflexfield;walletloc: /tmp
orclpluginflexfield;isssl: 0
orclpluginflexfield;isfailover: 0
orclpluginflexfield;host2: host.domain.com
orclpluginflexfield;port2: 636
orclpluginflexfield;isssl2: 1
orclpluginflexfield;host: host.domain.com
orclpluginenable: 0
orclpluginsecuredflexfield;walletpwd: password
orclpluginsecuredflexfield;walletpwd2: password
orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com
Copy the entries in the LDIF file in to Oracle Internet Directory using a command similar to the following:
ldapadd -h HOST -p PORT -D binddn -q -v -f input.ldif
Note:
You will be prompted for the password.
Use the instructions in "Configuring External Authentication Plug-ins" to configure the plug-in.
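Before loading the LDIF with ldapadd, the following added example in Python (not part of the Oracle documentation or of Oracle Directory Integration Platform) parses the plug-in entries and flags settings that should not reach a production directory: template placeholders (host.domain.com, /location/wallet, /tmp, password) left in place, a connection with isssl set to 0 (the plug-in forwards the user's bind or compare to IBM Tivoli Directory Server, so the password would cross the network in cleartext), port and isssl values that disagree, and orclpluginenable left at 0. The same LDIF parser reads the result of the tombstone check from "Customizing the IBM Tivoli Directory Server Connector to Synchronize Deletions", assumed here to be captured in LDIF form (ldapsearch -L). The sample entry is the compare entry from this chapter trimmed to the attributes the checks read; the tombstone output is constructed.

```python
import base64
import re

# Template values shipped in this chapter; each must be replaced per site.
PLACEHOLDERS = {"password", "host.domain.com", "/location/wallet", "/tmp"}

def parse_ldif(text):
    """Parse LDIF into one {attr: [values]} dict per entry (names lower-cased,
    attribute options such as ';host2' kept as part of the name)."""
    entries, cur = [], None
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold wrapped lines
        line = line.rstrip()
        if line.startswith("#"):
            continue
        if not line:  # a blank line ends the current entry
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name == "dn":
            cur = {"dn": [value]}
        elif cur is None:
            raise ValueError("attribute line before dn: %r" % line)
        else:
            cur.setdefault(name, []).append(value)
    if cur is not None:
        entries.append(cur)
    return entries

def first(entry, name):
    vals = entry.get(name.lower())
    return vals[0] if vals else None

def check_plugin_entry(entry):
    """Findings for one oidexplg entry.  Flexfields without a suffix describe
    the primary Tivoli connection, those ending in '2' the secondary one."""
    dn, out = first(entry, "dn"), []
    if first(entry, "orclpluginname") != "oidexplg":
        return out
    for sfx in ("", "2"):
        flex = lambda n: first(entry, "orclpluginflexfield;%s%s" % (n, sfx))
        host, port, isssl = flex("host"), flex("port"), flex("isssl")
        wallet = flex("walletloc")
        pwd = first(entry, "orclpluginsecuredflexfield;walletpwd" + sfx)
        where = "%s: connection%s %s:%s" % (dn, sfx or "1", host, port)
        if host in PLACEHOLDERS:
            out.append(where + " still uses the placeholder host")
        if isssl != "1":
            # The plug-in forwards the user's bind/compare to Tivoli, so
            # without SSL the password crosses the network in cleartext.
            out.append(where + " has isssl%s=0: password sent in cleartext" % sfx)
            if port == "636":
                out.append(where + " uses SSL port 636 with isssl%s=0" % sfx)
        else:
            if port == "389":
                out.append(where + " has isssl%s=1 on non-SSL port 389" % sfx)
            if not wallet or wallet in PLACEHOLDERS:
                out.append(where + " needs walletloc%s set to the Oracle wallet" % sfx)
            if not pwd or pwd in PLACEHOLDERS:
                out.append(where + " has walletpwd%s left at the placeholder" % sfx)
    if first(entry, "orclpluginenable") != "1":
        out.append(dn + ": orclpluginenable=0, plug-in is defined but inactive")
    return out

def check_plugin_ldif(text):
    return [f for e in parse_ldif(text) for f in check_plugin_entry(e)]

def tombstones_enabled(ldapsearch_ldif):
    """True when ibm-slapdTombstoneEnabled is TRUE (deletions not synchronized)."""
    cfg = parse_ldif(ldapsearch_ldif)[0]
    return (first(cfg, "ibm-slapdTombstoneEnabled") or "").upper() == "TRUE"

# Constructed sample: the chapter's compare entry, trimmed to the attributes
# the checks read and still at its template values.
TEMPLATE = """\
dn: cn=oidexplg_compare_tivoli,cn=plugin,cn=subconfigsubentry
orclpluginname: oidexplg
orclpluginldapoperation: ldapcompare
orclpluginsecuredflexfield;walletpwd: password
orclpluginsecuredflexfield;walletpwd2: password
orclpluginflexfield;host2: host.domain.com
orclpluginflexfield;port2: 636
orclpluginflexfield;isssl2: 1
orclpluginflexfield;host: host.domain.com
orclpluginflexfield;walletloc2: /location/wallet
orclpluginflexfield;port: 389
orclpluginflexfield;walletloc: /tmp
orclpluginflexfield;isssl: 0
orclpluginenable: 0
"""

# Constructed sample of the tombstone check captured as LDIF (ldapsearch -L).
TOMBSTONE_LDIF = """\
dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
ibm-slapdTombstoneEnabled: TRUE
"""
```

Run check_plugin_ldif over the real input.ldif; on the template as shipped it reports six findings, and the list is empty only once both connections point at a real host, use isssl=1 on the SSL port with a real wallet location and password, and orclpluginenable is 1. Leaving the primary connection at isssl=0 on port 389 means every password the plug-in validates is forwarded to the Tivoli server unencrypted.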
Read Chapter 23, "Managing Integration with a Third-Party Directory" for information on post-configuration and ongoing administration tasks.