9 Configuring Directory Synchronization
This chapter explains how to configure directory synchronization and how to format mapping rules.
See Also:
Administering Oracle Directory Integration Platform for information on using Oracle Enterprise Manager Fusion Middleware Control.
9.1 Registering Connectors in Oracle Directory Integration Platform
Before deploying a connector, you must register it in the Oracle back-end directory that you are using with Oracle Directory Integration Platform. This registration involves creating a synchronization profile, which is stored as an entry in the directory.
Refer to “Creating Synchronization Profiles” for information about creating a directory synchronization profile using Oracle Enterprise Manager Fusion Middleware Control.
Attributes in a synchronization profile entry belong to the object class orclodiProfile. The only exception is the orclodiplastappliedchangenumber attribute, which belongs to the orclchangesubscriber object class.
The 2.16.840.1.113894.8 object identifier prefix is assigned to the classes and attributes related to Oracle Directory Integration Platform.
The various synchronization profile entries in the directory are created under the following container:
cn=subscriber profile,cn=changelog subscriber,cn=Directory Integration Platform,cn=products,cn=oracleContext
For example, a connector called OracleHRAgent is stored in the directory as follows:
orclodipagentname=OracleHRAgent,cn=subscriber profile,cn=changelog subscriber,cn=Directory Integration Platform,cn=products,cn=oracleContext
9.2 About Synchronization Profile Templates
When you install Oracle Directory Integration Platform, template profiles for synchronization are created for different types of directories.
For a complete list of supported directories, refer to the Oracle Fusion Middleware Supported System Configurations certification matrix.
The property and mapping files used to create the template profiles are available in the $ORACLE_HOME/ldap/odi/conf directory.
Note:
The synchronization profile templates are examples. You must configure the mapping rules as described in Configuring Mapping Rules before using a template profile.
9.3 Configure Connection Details for a Third-Party Directory
You can configure the connection details for a third-party directory by creating or editing a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control.
To use one of the sample synchronization profiles that was created during installation, be sure to specify the correct connection details.
You can also create profiles based on the template properties file provided during installation. If you do this, then you must specify the connection details in the odip.profile.condirurl and odip.profile.condiraccount properties of the profile. You will be prompted for the password.
Each third-party directory requires a different configuration for getting deleted entries. Refer to the third-party directory's documentation to set up the tombstone configuration and privileges required to read tombstone entries.
Note:
If you are using Microsoft Active Directory as the third-party directory, ensure that the user account has the privileges to replicate directory changes for every domain of the forest monitored for changes. You can do this by one of the following methods:
- Grant this account Domain Administrative permissions.
- Make this account a member of the Domain Administrators group.
- Grant this account Replicating Directory Changes permissions for every domain of the forest that is monitored for changes. To grant this permission to a non-administrative user, follow the instructions in the "More Information" section of the Microsoft Help and Support article "How to Grant the 'Replicating Directory Changes' Permission for the Microsoft Metadirectory Services ADAM Service Account" available at http://support.microsoft.com/.
Some of the most important pieces of a directory synchronization profile include the connection details you assign to the properties listed in Table 9-1:
Table 9-1 Connection Detail Properties
Property | Description |
---|---|
odip.profile.condirurl | The URL of the connected directory. |
odip.profile.condiraccount | The DN or account name used to connect to the third-party directory. |
Note:
- The account information you specify must have sufficient privileges in the directory to which you are connecting.
- The account name is not required if you are using the LDIF or tagged data formats.
- You will be prompted for a password.
9.4 Configuring Mapping Rules
This section discusses how to configure mapping rules.
9.4.1 About Mapping Rules Attribute
You use the mapping rules attribute to specify how to convert entries from the source to the destination.
The Oracle back-end directory must either be the source or the destination. When converting the entries, there are three types of mapping rules: domain rules, attribute rules, and reconciliation rules. These mapping rules allow you to specify distinguished name mapping, attribute-level mapping, and reconciliation rules. Note that reconciliation rules are only used with Novell eDirectory and OpenLDAP. For more information on using reconciliation rules, see Integrating with Novell eDirectory or OpenLDAP.
Note:
For information about configuring mapping rules that connect to Oracle Database, see Updating the Configuration File in the "Synchronizing with Tables in Oracle Database" chapter.
Mapping rules are organized in a fixed, tabular format, and you must follow that format carefully. Each set of mapping rules follows a line containing only the keyword DomainRules or AttributeRules:
```
DomainRules
srcDomainName1: [dstDomainName1]: [DomainMappingRule1]
srcDomainName2: [dstDomainName2]: [DomainMappingRule2]
[DomainExclusionList]
srcDomainForExclusion1
srcDomainforExclusion2
AttributeRules
srcAttrName1:[ReqAttrSeq]:[SrcAttrType]:[SrcObjectClass]:[dstAttrName1]:[DstAttrType]:[DstObjectClass]:[AttrMappingRule1]
srcAttrName1,srcAttrName2:[ReqAttrSeq]:[SrcAttrType]:[SrcObjectClass]:[dstAttrName2]:[DstAttrType]:[DstObjectClass]:[AttrMappingRule2]
[AttributeExclusionList]
exclusionAttribute1
exclusionAttribute2
```
In the preceding template, the srcAttrName1 and srcAttrName2 rules are each written on a single, unwrapped line; an attribute rule must never be wrapped across lines.
9.4.2 Distinguished Name Mapping
This section specifies how entries are mapped between the Oracle back-end directory and a connected directory. If the mapping is between the Oracle back-end directory and an LDAP directory, then you can create multiple mapping rules. The domain rule specifications appear after a line containing only the keyword DomainRules.
Each domain rule consists of the components described in Table 9-2, separated by colons.
Table 9-2 Domain Rule Components
Component Name | Description |
---|---|
SrcDomainName | Name of the domain or container of interest. Specify NONLDAP for sources other than LDAP and LDIF. |
DstDomainName | Name of the domain of interest in the destination. Specify this component if the container for the entries in the destination directory is different from that in the source directory. If not specified, this component assumes the value of SrcDomainName. |
DomainMappingRule | This rule is used to construct the destination DN. For more information, see About Domain Mapping Rules. |
Example 9-1 Example of Distinguished Name Mapping
```
Distinguished Name Rules
%USERBASE INSOURCE%:%USERBASE ATDEST%:
```
USERBASE refers to the container from which the source directory users and groups must be mapped. Usually, this is the users container under the root of the source directory domain.
Example 9-2 Example of One-to-One Distinguished Name Mapping
For one-to-one mapping to occur, the DN in the source directory must match that in the destination directory. In this example, the DN in the third-party directory matches the DN in the destination directory. More specifically:
- The source directory host is in the domain us.mycompany.com, and, accordingly, the root of the third-party directory domain is us.mycompany.com. A user container under the domain would have a DN value of cn=users,dc=us,dc=mycompany,dc=com.
- The destination directory has a default realm value of dc=us,dc=mycompany,dc=com. This default realm automatically contains a users container with a DN value of cn=users,dc=us,dc=mycompany,dc=com.
Because the DN in the source directory matches the DN in the destination directory, one-to-one distinguished name mapping between the directories can occur.
If you plan to synchronize only the cn=users container under dc=us,dc=mycompany,dc=com, then the domain mapping rule is:
```
Distinguished Name Rules
cn=users,dc=us,dc=mycompany,dc=com:cn=users,dc=us,dc=mycompany,dc=com
```
This rule synchronizes every entry under cn=users,dc=us,dc=mycompany,dc=com. However, the type of object synchronized under this container is determined by the attribute-level mapping rules that follow the DN mapping rules.
If you plan to synchronize the subtree cn=groups,dc=us,dc=mycompany,dc=com from the source directory under the entry cn=users,dc=us,dc=mycompany,dc=com, then the domain mapping rule is as follows:
cn=groups,dc=us,dc=mycompany,dc=com:cn=groups,cn=users,dc=us,dc=mycompany,dc=com
9.4.3 About Domain Mapping Rules
This rule is used to construct the destination DN from the source domain name, from the attribute given in AttributeRules, or both. This field is typically in the form cn=%,l=%,o=oracle,dc=com. These specifications are used to put entries under different domains or containers in the directory. In the case of non-LDAP sources, this rule specifies how to form the target DN so that entries can be added to the directory.
This field is meaningful only when importing to the Oracle back-end directory, or when exporting to an LDIF file or another external LDAP-compliant directory. Specify this component if any part of an entry's DN in the destination directory is different from that in the source directory entry.
This component is optional for LDAP-to-LDIF, LDAP-to-LDAP, or LDIF-to-LDAP synchronizations. If it is not specified, then the source domain and destination domain names are considered to be the same.
dnpart Attribute
You use the dnpart attribute as a variable to store a string, and then you can reuse the variable in a domain mapping rule.
For the rdn attribute, a comma is part of the attribute value; in the dnpart attribute, the comma is used as a separator to create extra levels in the directory tree.
To enable virtual distinguished name mapping, the domain mapping rule is as follows:
dc=source,dc=com:dc=destination,dc=com:cn=*,dnpart,dc=destination,dc=com
You must edit the attribute mapping rules as shown in the following example:
```
l:1: :europeanPerson:dnpart: : :"cn=" + l + ",cn=europe"
l:1: :americanPerson:dnpart: : :"cn=" + l + ",cn=america"
```
In the above example, the object class of the source entry determines whether the DN is created with the extra level cn=europe or cn=america.
multivalued Attribute
In some cases, the RDN of the DN needs to be constructed by using the name of a multivalued attribute. For example, to construct an entry with the DN cn=%,l=%,dc=myCompany,dc=com, where cn is a multivalued attribute, the DomainMappingRule can be in this form: rdn,l=%,dc=myCompany,dc=com, where rdn is one of the destination attributes having a non-null value. A typical mapping file supporting this could have the following form:
```
DomainRules
NONLDAP:dc=us,dc=myCompany,dc=com:rdn,l=%,dc=us,dc=myCompany,dc=com
AttributeRules
firstname: : :cn: :person
email : : : :cn: :person: trunc(email,'@')
email : 1: : :rdn: :person: 'cn='+trunc(email,'@')
firstname,lastname: : : :cn: :person: firstname+","+lastname
lastname,firstname: : : :cn: :person: lastname+","+firstname
firstname,lastname: : : :sn: :person: lastname | firstname
EmployeeNumber: : : :employeenumber: :inetOrgperson
EMail: : : :mail: :inetOrgperson
telephoneNumber:1 : : :telephonenumber: :person
address:1: : :postaladdress: :person
address:1: : :postaladdress: :person
address:1: : :postaladdress: :person
state: : : :st: :locality
street:1: : :street: :locality
zip: : : :postalcode: :locality
```
9.4.4 Domain Exclusion List
You can insert the DomainExclusionList header in map files to identify domains to be excluded during bootstrap and synchronization. Domains listed in the DomainExclusionList are excluded during bootstrap and synchronization.
Note:
The distinguished names (DNs) listed in the DomainExclusionList identify the DNs of the containers in the source directory.
The following is an example of the DomainExclusionList header with example domains to exclude:
```
DomainExclusionList
cn=sales,cn=users,dc=us,dc=mycompany,dc=com
cn=marketing,cn=users,dc=us,dc=mycompany,dc=com
```
Example 9-3 shows an example map file that includes the DomainExclusionList header. In this example, the entries under cn=sales,cn=users,dc=us,dc=mycompany,dc=com and cn=marketing,cn=users,dc=us,dc=mycompany,dc=com are excluded.
9.4.5 Attribute-Level Mapping
The attribute rule specifications appear after a line containing only the keyword AttributeRules. Attribute rules specify how property values for an entry are related between two LDAP directories. For example, the cn attribute of a user object in one directory can be mapped to the givenname attribute in another directory. Similarly, the cn attribute of a group object in one directory can be mapped to the displayname attribute in another directory. Each attribute rule consists of the components described in Table 9-3, separated by colons.
Note:
You can specify literals using single quotation marks ('') or double quotation marks (""). Ensure that a single-character literal is enclosed in single quotation marks ('') and that multi-character literals are enclosed in double quotation marks ("").
Table 9-3 Components in Attribute Rules
Component Name | Description |
---|---|
SrcAttrName | For LDAP-compliant directory repositories, this parameter refers to the name of the attribute to be translated. For Oracle Database repositories, it refers to the ColumnName in the table named by SrcObjectClass. For other repositories this parameter can be appropriately interpreted. |
ReqAttrSeq | Indicator of whether the source attribute must always be passed to the destination. When entries are synchronized between the Oracle back-end directory and the connected directory, some attributes need to be used as synchronization keys. This field indicates whether the specified attribute is being used as a key. If so, the value of the attribute is extracted from the source regardless of whether the attribute has changed. Place a nonzero integer in this field if the attribute must always be passed to the other end. |
SrcAttrType | This parameter refers to the attribute type (for example, integer, string, or binary) that validates the mapping rules. |
SrcObjectClass | If the source of the shared attribute is an LDAP-compliant directory, then this parameter names the object class to which the attribute belongs. If the source of the shared attribute is an Oracle Database repository, then this parameter refers to the table name and is mandatory. For other repositories, this parameter may be ignored. |
DstAttrName | Optional attribute. If it is not specified, then the SrcAttrName is assumed. For LDAP-compliant directories, this parameter refers to the name of the attribute at the destination. For Oracle Database repositories, it refers to the ColumnName in the table named by DstObjectClass. For other repositories, this parameter can be appropriately interpreted. If you specify "-" and leave the |
DstAttrType | This parameter refers to the attribute type. It supports all the attribute types that are supported by the Oracle Internet Directory syntax. You must ensure compatibility of the source and destination attribute types; Oracle Directory Integration Platform does not ensure this compatibility. |
DstObjectClass | If it is not specified, then the SrcObjectClass is assumed. For LDAP-compliant directories, this parameter refers to the object class to which the attribute belongs, and is optional. For Oracle Database repositories, it refers to the table name, and is mandatory. For other repositories this parameter may be ignored. |
AttrMappingRule | Optional arithmetic expression using the operators + and \| and the supported functions. For more information, see "Supported Attribute Mapping Rules and Examples". If nothing is specified, then the source attribute value is copied as the value of the destination attribute. Literals can be specified with single quotation marks ('') or with double quotation marks (""). |
To enter mapping rules in a synchronization profile, edit a file that strictly follows the correct format.
Note:
When attributes and object classes are defined in the mapping file, it is assumed that source directories contain the respective attributes and object classes defined in the schema.
If a parent container is selected for synchronization, then all its children that match the mapping rules are likewise synchronized. Child containers cannot be selectively ignored for synchronization.
9.4.6 Attribute Exclusion List
You can insert the AttributeExclusionList header in map files to identify attributes to be excluded during bootstrap and synchronization. Attributes listed in the AttributeExclusionList are excluded during bootstrap and synchronization.
The following is an example of the AttributeExclusionList header with example attributes to exclude:
```
AttributeExclusionList
facsimileTelephoneNumber
telephonenumber
```
Example 9-3 shows an example map file that includes both the DomainExclusionList and AttributeExclusionList headers. In this example, the entries under cn=sales,cn=users,dc=us,dc=mycompany,dc=com and cn=marketing,cn=users,dc=us,dc=mycompany,dc=com are excluded, and the synchronized entries do not contain the facsimileTelephoneNumber and telephonenumber attributes.
Example 9-3 Example Map File Using DomainExclusionList and AttributeExclusionList Headers
```
DomainRules
cn=users,dc=us,dc=mycompany,dc=com : ou=people,dc=us,dc=myothercompany,dc=com:
DomainExclusionList
cn=sales,cn=users,dc=us,dc=mycompany,dc=com
cn=marketing,cn=users,dc=us,dc=mycompany,dc=com
AttributeRules
# attribute rule common to all objects
objectguid: :binary: :orclobjectguid:string: :bin2b64(objectguid)
ObjectSID: :binary: :orclObjectSID:string:orclADObject:bin2b64(ObjectSID)
distinguishedName: : : :orclSourceObjectDN: :orclADObject
# USER ENTRY MAPPING RULES
# attribute rule for mapping windows LOGIN id
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname
# attribute rule for mapping Active Directory LOGIN id
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
# Map the userprincipalname to the nickname attr by default
userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
# Map the SamAccountName to the nickname attr if required
# If this rule is enabled, userprincipalname rule needs to be disabled
#sAMAccountName: : :user:uid: :inetorgperson
# Assign the userprincipalname to Kerberos principalname
userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
# This rule is mapped as SAMAccountName is a mandatory attr on AD
# and sn is mandatory on OID. sn is not mandatory on Active Directory
SAMAccountName: : :user:sn: : person:
# attributes to map to cn - normally this is the given name
cn: : :person:cn: :person:
AttributeExclusionList
facsimileTelephoneNumber
telephonenumber
```
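As an added example that is not part of the Oracle documentation, the following Python code applies the DomainRules and DomainExclusionList sections of Example 9-3 to a few constructed source DNs, showing which entries are in scope and what destination DN the domain rule produces. The sample DNs, the function names and the naive comma splitting of DNs are assumptions of this example; the DomainMappingRule component is left uninterpreted.

```python
# Constructed map file: the domain rule and exclusion list of Example 9-3.
MAP_FILE = """
DomainRules
cn=users,dc=us,dc=mycompany,dc=com : ou=people,dc=us,dc=myothercompany,dc=com:
DomainExclusionList
cn=sales,cn=users,dc=us,dc=mycompany,dc=com
cn=marketing,cn=users,dc=us,dc=mycompany,dc=com
AttributeRules
cn: : :person:cn: :person:
"""
HEADERS = ("DomainRules", "DomainExclusionList", "AttributeRules", "AttributeExclusionList")

def parse_sections(text):
    """Group the non-blank, non-comment lines of a map file under their section headers."""
    sections, current = {h: [] for h in HEADERS}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in HEADERS:
            current = line
        elif current is None:
            raise ValueError(f"rule outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections

def rdns(dn):
    """Split a DN into normalised RDNs, most specific first (escaped commas are not handled)."""
    return [part.strip().lower() for part in dn.split(",")]

def is_under(dn, container):
    """True if dn equals container or lies anywhere beneath it."""
    d, c = rdns(dn), rdns(container)
    return len(d) >= len(c) and d[-len(c):] == c

def map_dn(dn, sections):
    """Destination DN for a source DN, or None if the entry is excluded or matches no
    domain rule. An empty DstDomainName defaults to the SrcDomainName, as the text
    says; the DomainMappingRule component is not interpreted here (assumption)."""
    if any(is_under(dn, excluded) for excluded in sections["DomainExclusionList"]):
        return None
    for rule in sections["DomainRules"]:
        parts = [p.strip() for p in rule.split(":")] + ["", ""]
        src, dst = parts[0], parts[1] or parts[0]
        if is_under(dn, src):
            # dnconvert-style: keep the entry's own RDNs as written, swap the container.
            own = [p.strip() for p in dn.split(",")][: len(rdns(dn)) - len(rdns(src))]
            return ",".join(own + [dst])
    return None

def sync_plan(dns, text=MAP_FILE):
    """Map each source DN to its destination DN (None means the entry is skipped)."""
    sections = parse_sections(text)
    return {dn: map_dn(dn, sections) for dn in dns}

SOURCE_DNS = [  # constructed sample entries from the source directory
    "CN=Anne Smith,CN=Users,DC=us,DC=mycompany,DC=com",
    "CN=Bob Jones,CN=Sales,CN=Users,DC=us,DC=mycompany,DC=com",
    "CN=Admins,CN=Groups,DC=us,DC=mycompany,DC=com",
]
```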
9.4.7 Manually Creating New Mapping Files
This section describes how to create mapping files manually without using Oracle Enterprise Manager Fusion Middleware Control.
Note:
Oracle recommends using Oracle Enterprise Manager Fusion Middleware Control to create synchronization mapping rules when you create and configure synchronization profiles. You create mapping rules on the Mapping tab described in Creating Synchronization Profiles.
To create new mapping files manually:
Mapping rules are flexible. They can include both one-to-many and many-to-one mappings.
- One-to-many: One attribute in a connected directory can map to many attributes in the Oracle back-end directory. For example, suppose an attribute in the connected directory is Address:123 Main Street/MyTown, MyState 12345. You can map this attribute in the Oracle back-end directory to both the LDAP attribute homeAddress and the LDAP attribute postalAddress.
- Many-to-one: Multiple attributes in a connected directory can map to one attribute in the Oracle back-end directory. For example, suppose that the Oracle Human Resources directory represents Anne Smith by using two attributes: firstname=Anne and lastname=Smith. You can map these two attributes to one attribute in the Oracle back-end directory: cn=Anne Smith. However, in bidirectional synchronization, you cannot then map in reverse. For example, you cannot map cn=Anne Smith to many attributes.
See Also:
The mapping file examples at the end of this chapter
9.4.8 Supported Attribute Mapping Rules and Examples
This section lists the supported attribute mapping rules.
- Concatenation operator (+): Concatenates two string attributes. The mapping rule looks like this:
  Firstname,lastname: : : : givenname: : inetorgperson: firstname+lastname
  For example, if Firstname is John and LastName is Doe in the source, then this rule results in the givenname attribute in the destination with the value JohnDoe.
OR operator ( | ): Assigns one of the values of the two string attributes to the destination.
The mapping rule looks like this:
Fistname,lastname : : : :givenname: :inetorgperson: firstname | lastname
In this example,
givenname
is assigned the value offirstname
if it exists. If thefirstname
attribute does not exist, thengivenname
is assigned the value oflastname
. If both the values are empty, then no value is assigned. -
bin2b64 ( )
: Stores a binary value of the source directory as a base64 encoded value in the destination directory. Typical usage is as follows:objectguid: : : :binary: :orclobjectguid: orcladuser:bin2b64(objectguid)
This is required when you need search on the value of (
objectguid
). -
tolower()
: Converts the String attribute value to lowercase.firstname: : : :givenname: :inetorgperson: tolower(firstname)
- toupper(): Converts the string attribute value to uppercase. For example:
  firstname: : : :givenname: :inetorgperson: toupper(firstname)
- trunc(str,char): Truncates the string, removing the first occurrence of the specified char and everything to the right of that char. For example:
  mail : : : : uid : : inetorgperson : trunc(mail,'@')
  If mail is John.Doe@example.com in the source, then this rule results in the uid attribute in the destination with the value John.Doe.
truncl(str,char)
: Truncates the string and removes the first occurrence of the specifiedchar
and everything that appears on the left side of thechar
. For example:mail : : : : ou : : inetorgperson : truncl(mail,'@')
- truncr(str,char): Truncates the string, removing the first occurrence of the specified char and everything to the right of that char. For example:
  mail : : : : uid : : inetorgperson : truncr(mail,'@')
- dnconvert(str): Converts DN-type attributes when domain mapping is used. This example assumes the following domain mapping rule:
  DomainRules
  cn=srcdomain:cn=dstdomain:
  For example:
  uniquemember : : : groupofuniquenames : uniquemember : :groupofuniquenames : dnconvert(uniquemember)
  In this example, if uniquemember in the source is cn=testuser1,cn=srcdomain, then uniquemember in the destination becomes cn=testuser1,cn=dstdomain.
substring(String src,String startPosition,String endPosition)
: To return the substringstarting
at the <start position> andending
at the <end position> or until the end of the string, if it is not provided.sn: : : person: employeenumber: : inetorgperson:substring(sn,"2","5") sn: : : person: givenname: : inetorgperson:substring(sn,"3")
- Literals: For example:
  Userpassword: : :person: userpassword: :person: 'password'
- fsptodn: Computes a DN from a Foreign Security Principal (FSP). For example:
  fsp : : : : dn : : top : fsptodn(fsp)
- AccountLockOut: Locks user accounts after multiple failed bind attempts. For example:
  pwdAccountLockedTime::::-:::AccountLockOut(pwdAccountLockedTime,<lockout-duration>, <bind-failures>)
  For more information, see Configuring Account Locking Synchronization.
- AccountDisable: Temporarily disables a user's account, then enables it again. For example, if using Oracle Unified Directory as the source and destination directory:
  ds-pwp-account-disabled:1:::ds-pwp-account-disabled::top:
  For more information, see Configuring Account Disabling Synchronization.
- OnDemandPassword: Synchronizes the password from the connected directory to the back-end directory by configuring an import profile. For example:
  pwdLastSet : : : user : orclODIPPwdLastSet : : top : onDemandPassword(pwdLastSet)
  For more information, see Password Synchronization.
- PasswordTranslate: Synchronizes the password from the back-end directory to the connected directory by configuring an export profile. For example:
  orclodiptranslatepassword: : : : unicodepwd : : user : passwordtranslate(orclodiptranslatepassword)
  For more information, see Password Synchronization.
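As an added example that is not Oracle's code, here is a small evaluator for the AttrMappingRule expression language described in this section: the + and | operators, quoted literals, and the trunc, truncl, truncr, toupper, tolower and bin2b64 functions, applied to rule lines from Example 9-3 against a constructed Active Directory user entry. The treatment of a missing attribute by + and | and the case-insensitive attribute lookup are assumptions where the page is silent, and the sample entry values are constructed.

```python
import base64, re
TOKEN = re.compile(r"([A-Za-z_][\w-]*)|'([^']*)'|\"([^\"]*)\"|([(),+|])|(\S)")

def tokenize(expr):
    """Split an AttrMappingRule expression into (kind, text) tokens; whitespace is skipped."""
    tokens = []
    for ident, sq, dq, punct, bad in TOKEN.findall(expr):
        if bad:
            raise ValueError(f"unexpected character in mapping rule: {bad!r}")
        tokens.append(("id", ident) if ident else ("op", punct) if punct else ("lit", sq or dq))
    return tokens
# Functions from this section; None (attribute absent) propagates. trunc and truncr keep
# what is left of the first ch, truncl what is right of it (unchanged if ch is absent).
FUNCS = {
    "trunc": lambda s, ch: None if s is None else s.split(ch, 1)[0],
    "truncr": lambda s, ch: None if s is None else s.split(ch, 1)[0],
    "truncl": lambda s, ch: None if s is None else s.split(ch, 1)[-1],
    "toupper": lambda s: None if s is None else s.upper(),
    "tolower": lambda s: None if s is None else s.lower(),
    "bin2b64": lambda b: None if b is None else base64.b64encode(b).decode("ascii"),
}
class RuleEvaluator:
    """Recursive-descent evaluator: '|' binds loosest, '+' tighter, then atoms."""
    def __init__(self, expr, entry):
        self.tokens, self.pos, self.entry = tokenize(expr), 0, entry

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def evaluate(self):   # '|': the first operand that has a value wins
        left = self._concat()
        while self._peek() == ("op", "|"):
            self._take()
            right = self._concat()
            left = right if left is None else left
        return left

    def _concat(self):   # '+': None if either side is missing (assumption; page is silent)
        left = self._atom()
        while self._peek() == ("op", "+"):
            self._take()
            right = self._atom()
            left = None if left is None or right is None else left + right
        return left

    def _atom(self):
        kind, val = self._take()
        if kind == "lit":
            return val
        if kind != "id":
            raise ValueError(f"expected attribute, function or literal, got {val!r}")
        if self._peek() != ("op", "("):
            return self.entry.get(val.lower())   # attribute reference, case-insensitive
        self._take()
        args = [self.evaluate()]
        while self._peek() == ("op", ","):
            self._take()
            args.append(self.evaluate())
        if self._take() != ("op", ")"):
            raise ValueError("missing ')' in mapping rule")
        return FUNCS[val.lower()](*args)

def apply_rules(rule_lines, entry):
    """Apply AttributeRules lines (SrcAttrName:ReqAttrSeq:SrcAttrType:SrcObjectClass:
    DstAttrName:DstAttrType:DstObjectClass:AttrMappingRule) to one source entry and
    return {destination attribute: value}; rules that evaluate to None are skipped."""
    result = {}
    for line in rule_lines:
        parts = [p.strip() for p in line.split(":", 7)] + [""] * 8
        src_attrs, dst_attr, expr = parts[0], parts[4], parts[7]
        if expr:
            value = RuleEvaluator(expr, entry).evaluate()
        else:  # no rule given: the source attribute value is copied unchanged
            value = entry.get(src_attrs.split(",")[0].strip().lower())
        if value is not None:
            result[dst_attr or src_attrs] = value
    return result
# Constructed sample: an Active Directory user (keys lowercased) and rules from Example 9-3.
AD_USER = {
    "samaccountname": "jdoe",
    "userprincipalname": "jdoe@example.com",
    "objectguid": b"\x01\x02\x03\x04",
    "firstname": "John",   # no lastname, so the '|' rule falls back to firstname
}
RULES = [
    "objectguid: :binary: :orclobjectguid:string: :bin2b64(objectguid)",
    "sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:"
    "toupper(truncl(userPrincipalName,'@'))+\"$\"+sAMAccountname",
    "userPrincipalName: : :user:krbPrincipalName: :orcluserv2:"
    "trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))",
    "firstname,lastname: : : :sn: :person: lastname | firstname",
    "Address2: : : :postaladdress: :person:",   # absent in the source, so no value
]
```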
9.4.9 Configuring Account Locking Synchronization
You can use the back-end directory or connected directory account lockout feature to lock user accounts after too many failed bind attempts. Once an account has been locked, that user will not be allowed to authenticate. The lockout may be temporary (automatically ending after a specified period of time) or permanent (remaining in effect until an administrator resets the user's password).
If the back-end directory and the associated connected directories are synchronized with Oracle Directory Integration Platform, and an account is locked out in one directory, then Oracle Directory Integration Platform also locks out the account in the other directory.
Note:
Account lockout synchronization in Oracle Directory Integration Platform is supported only for Oracle Unified Directory and Oracle Directory Server Enterprise Edition back-end directories.
9.4.9.1 Prerequisites for Account Lockout Synchronization
Complete the following before configuring account lockout synchronization.
- Ensure that the back-end directory and the connected directory are time synchronized. Refer to your operating system-specific documentation for more information on time synchronization.
- Ensure that the password policies for the back-end directory and the connected directory are configured with the same properties, such as whether account lockout is enabled, the number of bind failures, and the lockout duration. For more information, see:
  - "Managing the Default Password Policy" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
  - "Managing Password Policies" in Oracle Fusion Middleware Administering Oracle Unified Directory.
Note:
If the password policies are not assigned to an entry, then the default value is assigned. Ensure that the source directory and the connected directory are configured to have the same default password policies.
9.4.9.2 Enabling Account Lockout Synchronization
This section describes how to enable account lockout synchronization when the source directory is Oracle Unified Directory, Oracle Directory Server Enterprise Edition, or Microsoft Active Directory.
You can enable account lockout synchronization by editing the mapping rule as follows:
When the Source Directory is Oracle Unified Directory or Oracle Directory Server Enterprise Edition
To enable account lockout synchronization, add the following mapping rule:
pwdAccountLockedTime::::-:::AccountLockOut(pwdAccountLockedTime, <lockout-duration>, <bind-failures>)
- bind-failures: The number of failed binds after which an account can be locked out by Oracle Directory Integration Platform in the destination directory.
- lockout-duration: The time configured in the password policies for automatic unlocking after an account is automatically locked. Ensure that the password policies in the source and destination directories have the same duration.
Example:
pwdAccountLockedTime::::-:::AccountLockOut(pwdAccountLockedTime,"300","3")
When the Source Directory is Microsoft Active Directory
You can add the following mapping rule:
lockoutTime,msds-user-account-control-computed:::user:-:::AccountLockOut(msds-user-account-control-computed,<bind-failures>)
- bind-failures: The number of failed binds after which an account can be locked out by Oracle Directory Integration Platform in the destination directory.
Example:
lockoutTime,msds-user-account-control-computed:::user:-:::AccountLockOut(msds-user-account-control-computed,"3")
9.4.10 Configuring Account Disabling Synchronization
If an administrator disables an account, then the user cannot log in until the administrator enables it again. You can use the back-end directory or the connected directory feature to temporarily disable a user's account and then enable it again. If the account is temporarily disabled or enabled in one directory, then Oracle Directory Integration Platform temporarily disables or enables the account in the associated directory.
You can configure account disable synchronization, by adding the mapping rules described in Table 9-4:
Note:
Account disabling synchronization in Oracle Directory Integration Platform is supported only for Oracle Unified Directory and Oracle Directory Server Enterprise Edition back-end directories.
Table 9-4 Mapping Attribute for Account Disabling Synchronization
Source Directory | Destination Directory | Mapping Rules |
---|---|---|
Oracle Unified Directory | Oracle Unified Directory | ds-pwp-account-disabled:1:::ds-pwp-account-disabled::top: |
Oracle Directory Server Enterprise Edition | Oracle Unified Directory | |
Microsoft Active Directory | Oracle Unified Directory | |
Oracle Unified Directory | Oracle Directory Server Enterprise Edition | |
Oracle Directory Server Enterprise Edition | Oracle Directory Server Enterprise Edition | |
Microsoft Active Directory | Oracle Directory Server Enterprise Edition | |
Oracle Unified Directory | Microsoft Active Directory | Oracle Directory Integration Platform uses |
Oracle Directory Server Enterprise Edition | Microsoft Active Directory | Oracle Directory Integration Platform uses |
Note:
To disable the user in the source directory, see:
9.4.11 Example: Mapping File for a Tagged-File Interface
This example describes a sample mapping file for importing user entries from the Oracle Human Resources database tables by using the tagged-file interface.
Note that the source is a non-LDAP directory. This sample file is supplied during installation at $ORACLE_HOME/ldap/odi/conf/oraclehragent.map.master.
```
DomainRules
NONLDAP:dc=metahr,dc=com:cn=%,dc=metahr,dc=com
AttributeRules
firstname: : : :cn: :person
lastname: : : :sn: :person
lastname: : : :cn: :person
email: : : :cn: :person: trunc(email,'@')
firstname,lastname: : : :cn: :person: firstname+","+lastname
firstname,lastname: : : :cn: :person: lastname+","+firstname
EmployeeNumber: : : :employeenumber: :inetOrgperson
EMail: : : :mail: :inetOrgperson
TelephoneNumber1: : : :telephonenumber: :person
TelephoneNumber2: : : :telephonenumber: :person
TelephoneNumber3: : : :telephonenumber: :person
Address1: : : :postaladdress: :person:Address1 | Address2
Address2: : : :Telephonenumber: :person:
state: : : :st: :locality
street1: : : :street: :locality
zip: : : :postalcode: :locality
town_or_city: : : :l: :locality
Title: : : :title: :organizationalperson
#Sex: : : :sex: :person
#socialsecurity: : : :ssn: :person
country: : : :c: :country
#BirthDate: : : :birthday: :organizationalperson
employeenumber:1: : :userpassword: :person: "********"+employeenumber
```
Note:
See About Domain Mapping Rules for more information.
As described earlier, the mapping file consists of keywords and a set of domain and attribute mapping rule entries. The mapping file in this example contains the domain rule NONLDAP:dc=myCompany,dc=com:cn=%,dc=myCompany,dc=com.
- This rule implies that the source domain is NONLDAP, that is, there is no source domain.
- The destination domain (:dc=myCompany,dc=com) implies that all the directory entries this profile deals with are in the domain dc=myCompany,dc=com. Be sure that the domain exists before you start synchronization.
- The domain mapping rule (:uid=%,dc=myCompany,dc=com) implies that the data from the source refers to the entry in the directory whose DN is constructed using this domain mapping rule. In this case, uid must be one of the destination attributes that always has a non-null value. If any data corresponding to an entry to be synchronized has a null value, then the mapping engine assumes that the entry is not valid and proceeds to the next entry. To identify the entry correctly in the directory, it is also necessary that uid is single-valued.
- In the case of the tagged file, the source entry does not have an object class to indicate the type of object to which it is synchronizing. Note that the SrcObjectClass field is empty.
- Every object whose destination is the Oracle back-end directory must have an object class.
- Note that email is specified as a required attribute in the sample mapping file. This is because the uid attribute is derived from the email attribute. Successful synchronization requires the email attribute to be specified in all changes in the tagged file, as follows:
  Email : 1 : : :uid : : person : trunc(email,'@')
9.4.12 Example: Mapping Files for an LDIF Interface
Sample integration profiles are created as part of the Oracle Directory Integration Platform installation. The property files used to create the sample integration profiles are located in the $ORACLE_HOME/ldap/odi/samples directory.
Note:
See Configure the Mapping File for a sample import mapping file for a connected Oracle database.
The following is an example of a sample import mapping file:
Sample Import Mapping File
DomainRules
dc=mycompany.oid,dc=com:dc=mycompany.iplanet,dc=com
AttributeRules
# Mapping rules to map the domains and containers
o: : :organization: o: :organization
ou: : :organizationalUnit: ou: : organizationalUnit
dc: : :domain:dc: :domain
# Mapping Rules to map users
uid : : :person: uid: :inetOrgperson
sn: : :person:sn: :person
cn: : :person:cn: :person
mail: :inetorgperson: mail: :inetorgperson
employeenumber: :organizationalPerson: employeenumber: :organizationalperson
c: : :country:c: :country
l: : :locality: l: :locality
telephonenumber: :organizationalPerson: telephonenumber: :organizationalperson
userpassword: : :person: userpassword: :person
uid: : :person: orcldefaultProfileGroup: :orclUserV2
# Mapping Rules to map groups
cn: : :groupofuniquenames:cn: :groupofuniquenames
member: : :groupofuniquenames:member: :orclgroup
uniquemember: : :groupofuniquenames:uniquemember: :orclgroup
owner: : :groupofuniquenames:owner: :orclgroup
# userpassword: :base64:userpassword: :binary:
Notice that both the source domain and the destination domain are specified in the domain rule. The two domains may be identical or, as in this example, different trees, provided the destination container exists in the destination directory.
Also notice that the attribute rules are divided into three commented sections: rules for the domains and containers, rules for users, and rules for groups. Specifying the object class in a mapping rule lets the engine map a specific attribute of a specific kind of object unambiguously.
9.4.13 Updating Mapping Rules
You can customize mapping rules by adding new ones, modifying existing ones, or deleting some from the mapping rule set stored in the orclodipAttributeMappingRules attribute. In general, to perform any of these operations, you first identify the file that holds the mapping rules, or export the current value of the attribute to a file by using an ldapsearch command as described in the documentation for your Oracle back-end directory.
Topics:
9.4.13.1 Adding an Entry to the Mapping Rules File
To add a new entry to the mapping rules file, edit this file and add a record to it. To do this:
9.4.13.2 Modifying an Entry in the Mapping Rules File
After you identify an entry to be modified in the mapping rules file, generate the mapping rule element for the desired conversion of attribute values.
9.4.13.3 Deleting an Entry from the Mapping Rules File
After you identify an entry to be deleted in the mapping rules file, you can either delete the entry from the file or comment it out by putting a number sign (#) in front of it.
See Also:
-
"Location and Naming of Files" for the names of the mapping rule files
-
Note 261342.1 Understanding DIP Mapping Files in My Oracle Support.
9.5 Extending Mappings Using Custom Plug-ins
You can extend mapping functionality using custom plug-ins. The oracle.ldap.odip.util.mapapi.IMapOperation
Java interface is defined to support plug-ins for new mapping operations. This topic explains Oracle Directory Integration Platform support for custom plug-ins to extend mapping functionality.
Topics:
9.5.1 Writing Custom Plug-Ins
This section describes how to extend mapping functionality using custom plug-ins.
To extend mapping functionality using custom plug-ins you must implement a class in the oracle.ldap.odip.util.mapapi.plugin
package and implement the oracle.ldap.odip.util.mapapi.IMapOperation
interface, as follows:
package oracle.ldap.odip.util.mapapi;

import java.util.Vector;

public interface IMapOperation {
    public Vector evaluate(Vector operands);
}
The operands
argument received by the evaluate()
method is a vector. Elements of the operands
vector can be one of the following, based on the plug-in invocation given in the mapping rule:
-
Vector of values (attributes passed as argument for the plug-in)
-
String (String literal is passed as argument for the plug-in)
-
Character (Character literal)
Return type is a Vector. All elements of this Vector must be Strings or byte arrays. If you want to return a single string, a new vector of size 1 must be created and the string has to be added to it. This restriction is enforced to allow multi-valued attributes.
Note:
The evaluate method can also return an empty Vector, which clears (deletes) the attribute, or null, which keeps the current values unmodified.
For example:
cn,sn: : :person:description: :person:PLUGIN#MyPlugin(cn, sn, "Mr")
The plug-in class MyPlugin should implement Vector evaluate(Vector operands) method. As per the plug-in invocation in the above mapping rule, the following are the elements of operands:
-
element1 is a Vector containing all values of cn (Even if cn has only a single value)
-
element2 is a Vector containing all values of sn (Even if sn has only a single value)
-
element3 is a String literal "Mr"
For example:
package oracle.ldap.odip.util.mapapi.plugin;

import java.util.Vector;

public class MyPlugin implements oracle.ldap.odip.util.mapapi.IMapOperation {
    public Vector evaluate(Vector operands) {
        ...
    }
}
9.5.2 Understanding Mapping Plug-In Evaluation Constraints
This section explains the Mapping plug-in evaluation constraints.
-
If an attribute has multiple values, the corresponding plug-in will be called only once with all the attribute values stored in a Vector. The plug-in will not be called once per each attribute value.
-
Empty String literals (" ") or Character literals (' ') will be ignored.
-
You must identify the type of each element in the vector operands of the evaluate() method and process accordingly, as per the plug-in invocation.
-
A combination of plug-ins and the existing mapping rule operators or functions is not supported. For example, the following combination is not supported as mapping rule:
Plugin#MyPlugin(cn, sn) + givenname
toupper(Plugin#MyPlugin(cn,sn))
Plugin#TempPlugin1(cn) + Plugin#TempPlugin2(sn)
-
Oracle recommends that Mapping plug-in invocation in different attribute rules follow the same invocation signature. The following example is not recommended and is highly error prone because Myplugin has different invocation signatures:
sn: : :person:givenname: :person:PLUGIN#MyPlugin(sn,"Mr")
cn: : :person:description: :person:PLUGIN#MyPlugin(cn)
9.5.3 Adding Mapping Plug-Ins
You can add a mapping plug-in to Oracle Directory Integration Platform by copying the mapping plug-in JAR file.
To add a mapping plug-in to Oracle Directory Integration Platform:
9.5.4 Applications of Mapping Plug-Ins
This section describes various applications of Mapping plug-ins.
Topics:
9.5.4.1 Support for New Mapping Operations
Applications can implement their own mapping operations that are not supported internally by the mapping framework.
Support for Conditional Mapping
- Conditional Attribute Mapping Support
You can support attribute mapping based on a condition. For example, a mapping rule can be written such that, if the credential attribute is present, then orclisenabled is set to ENABLED, and, if not, orclisenabled is set to DISABLED. This logic can be supported by implementing a plug-in that assigns the value. The mapping rule is as follows:
credential: : :UserType:orclisenabled::orcluserv2:PLUGIN#ConditionalAttrBasedOnPresence(credential)
The PLUGIN# keyword must be present in the attribute mapping rule for any custom plug-in (in this case, ConditionalAttrBasedOnPresence).
- Conditional DN Mapping Support
You can support DN container mapping based on a condition. For example, users must be mapped to container ou=sales,dc=acme,dc=com if department is Sales and to container ou=IT,dc=acme,dc=com if department is IT. To support this mapping:
  - The DomainRules section can have a construction rule like:
NONLDAP:dc=acme,dc=com:cn=%,ou=%,dc=acme,dc=com
  - The AttributeRules section can have a rule with a plug-in operation that maps ou, again using the PLUGIN# keyword:
department: : :UserType:ou: :orcluserv2:PLUGIN#ConditionalOUMapping(department)
9.5.4.2 Support for Multiple Literal Values
The current mapping framework only supports specifying a single literal value for an attribute. However, there might be a need to specify more than one literal value when an attribute can have multiple default values. For example, in case of Microsoft Exchange, there is a showInAddressBook attribute which can have more than one value. This can also be implemented using plug-ins.
9.5.5 Example Plug-In Usage
This section provides examples of plug-in usage.
Example 1: Attribute Mapping Rule
cn: : :person:initials: :person:PLUGIN#PluginSamp1(cn)
Example 1: Corresponding Plug-In Implementation
Vector evaluate(Vector operands) {
    Vector all_cnValues = (Vector) operands.get(0);
    Vector result = new Vector();
    // Populate result from all_cnValues; all elements of result must be Strings.
    // Returning it empty would clear the initials attribute.
    return result;
}
Example 2: Attribute Mapping Rule
cn: : :person:givenname: :person:PLUGIN#Myplugin(cn,"Mr")
Example 2: Corresponding Plug-In Implementation
Vector evaluate(Vector operands) {
    Vector all_cnValues = (Vector) operands.get(0);   // all values of cn
    String strOperand = (String) operands.get(1);     // the String literal "Mr"
    Vector result = new Vector();
    for (int i = 0; i < all_cnValues.size(); i++) {
        String cnValue = (String) all_cnValues.get(i);
        String givenNameNewValue = strOperand + cnValue;
        result.add(givenNameNewValue);
    }
    // All the elements of result must be Strings.
    return result;
}
Example 3: Attribute Mapping Rule
mail: : :inetorgperson:mail: :inetorgperson: Plugin#MyPlugin(mail, '@')
Example 3: Corresponding Plug-In Implementation
Vector evaluate(Vector operands) {
    Vector all_mailValues = (Vector) operands.get(0);        // all values of mail
    Character charOperand = (Character) operands.get(1);    // the Character literal '@'
    char charOperandValue = charOperand.charValue();
    Vector result = new Vector();
    // Populate result from all_mailValues using charOperandValue.
    return result;
}
Example 4: Attribute Mapping Rule
cn,sn,mail: : :inetorgperson:description: :inetorgperson: Plugin#MyPlugin(cn, sn, mail)
Example 4: Corresponding Plug-In Implementation
Vector evaluate(Vector operands) {
    Vector all_cnValues = (Vector) operands.get(0);
    Vector all_snValues = (Vector) operands.get(1);
    Vector all_mailValues = (Vector) operands.get(2);
    Vector result = new Vector();
    // Populate result from the three value Vectors.
    return result;
}
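The following is an added example, not Oracle's code and not part of this page, that implements the plug-ins named in the conditional-mapping rules above (ConditionalAttrBasedOnPresence and ConditionalOUMapping) together with a hypothetical LocalPart plug-in that shows the Character-operand form of Example 3. It assumes the operand shapes described in Writing Custom Plug-Ins and the constraints in Understanding Mapping Plug-In Evaluation Constraints. The IMapOperation interface declared at the top is a local stand-in with the Oracle signature so that the file compiles without dip.jar; all operand values are constructed.

```java
import java.util.Vector;

// Local stand-in with the same signature as oracle.ldap.odip.util.mapapi.IMapOperation,
// so this file compiles and runs without dip.jar. A deployed plug-in drops this, lives in
// the oracle.ldap.odip.util.mapapi.plugin package and implements the Oracle interface.
interface IMapOperation {
    Vector evaluate(Vector operands);
}

/** Rule: credential: : :UserType:orclisenabled::orcluserv2:PLUGIN#ConditionalAttrBasedOnPresence(credential)
 *  operands.get(0) is the Vector of all credential values; it is empty when the attribute is absent. */
class ConditionalAttrBasedOnPresence implements IMapOperation {
    public Vector evaluate(Vector operands) {
        boolean present = false;
        if (!operands.isEmpty() && operands.get(0) instanceof Vector) {
            for (Object v : (Vector) operands.get(0)) {
                if (v != null && !String.valueOf(v).isEmpty()) { present = true; break; }
            }
        }
        Vector result = new Vector();            // a single value still has to be wrapped in a Vector
        result.add(present ? "ENABLED" : "DISABLED");
        return result;
    }
}

/** Rule: department: : :UserType:ou: :orcluserv2:PLUGIN#ConditionalOUMapping(department)
 *  Supplies the ou component of the DN construction rule cn=%,ou=%,dc=acme,dc=com. */
class ConditionalOUMapping implements IMapOperation {
    public Vector evaluate(Vector operands) {
        if (operands.isEmpty() || !(operands.get(0) instanceof Vector)) {
            return null;                         // nothing usable: leave the current ou unmodified
        }
        Vector result = new Vector();
        for (Object d : (Vector) operands.get(0)) {
            String dept = String.valueOf(d).trim();
            if (dept.equalsIgnoreCase("Sales")) result.add("sales");
            else if (dept.equalsIgnoreCase("IT")) result.add("IT");
        }
        // Unknown department: the empty Vector clears ou. Because ou is a component of the
        // constructed DN, the entry then has no valid DN and should be skipped by the engine
        // rather than written into an arbitrary container.
        return result;
    }
}

/** Hypothetical rule: mail: : :inetorgperson:uid: :inetorgperson: PLUGIN#LocalPart(mail, '@')
 *  Shows the Character operand form: operands.get(1) is the Character literal from the rule. */
class LocalPart implements IMapOperation {
    public Vector evaluate(Vector operands) {
        Vector values = (Vector) operands.get(0);
        char sep = ((Character) operands.get(1)).charValue();
        Vector result = new Vector();
        for (Object v : values) {
            String s = String.valueOf(v);
            int at = s.indexOf(sep);
            if (at > 0) result.add(s.substring(0, at));   // values with no local part are dropped
        }
        return result;
    }
}

/** Drives the three plug-ins with constructed operand Vectors shaped as the mapping engine builds them. */
public class MappingPluginDemo {
    static Vector operands(Object... items) {
        Vector v = new Vector();
        for (Object o : items) v.add(o);
        return v;
    }

    public static void main(String[] args) {
        Vector creds = operands("{SSHA}c29tZWhhc2g=");             // constructed credential value
        System.out.println("credential present  -> " + new ConditionalAttrBasedOnPresence().evaluate(operands(creds)));
        System.out.println("credential absent   -> " + new ConditionalAttrBasedOnPresence().evaluate(operands(new Vector())));
        System.out.println("department=Sales    -> " + new ConditionalOUMapping().evaluate(operands(operands("Sales"))));
        System.out.println("department=Finance  -> " + new ConditionalOUMapping().evaluate(operands(operands("Finance"))));
        System.out.println("mail local part     -> " + new LocalPart().evaluate(operands(operands("jdoe@example.com"), Character.valueOf('@'))));
    }
}
```

Save the file as MappingPluginDemo.java and run it with javac and java. For deployment, remove the stand-in interface, move each plug-in class into the oracle.ldap.odip.util.mapapi.plugin package implementing oracle.ldap.odip.util.mapapi.IMapOperation, and add the JAR as described in Adding Mapping Plug-Ins. Each class checks the operand type before casting, as the evaluation constraints require, and returns null or an empty Vector deliberately: the two have different effects on the destination attribute.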
9.6 Configuring Matching Filters
By default, a connector retrieves changes to all objects in the container configured for synchronization. However, you may want to synchronize only certain types of changes, such as changes to just users and groups. While mapping rules allow you to specify how entries are converted from one directory to another, you can also filter objects that are synchronized among directories.
Before changes from a connected directory are imported into the Oracle back-end directory, they can be filtered with the Connected Directory Matching Filter (orclODIPConDirMatchingFilter
) attribute in the synchronization profile. Similarly, before changes are exported from the Oracle back-end directory to a connected directory, they can be filtered with the OID Matching Filter (orclODIPOIDMatchingFilter
) attribute.
For both attributes, you can specify a filter for connected directories that either obtain incremental changes through an LDAP search or that store changes in a change log, as described in the following sections:
9.6.1 Filtering Changes with an LDAP Search
For connected directories that do not support change logs, the latest footprint of the entries is obtained by performing an LDAP search. Because an LDAP search performed with objectclass=* returns all entries in a given tree or subtree, to retrieve only the objects of interest for synchronization you must provide a filter in LDAP filter syntax.
For example, you can assign a search filter to the orclOdipConDirMatchingFilter attribute. Specify the filter as searchfilter=LDAP_SEARCH_FILTER.
The following example creates an LDAP search filter that retrieves organizational units, groups, and users, but not computers:
searchfilter=(|(objectclass=group)(objectclass=organizationalUnit)(&(objectclass=user)(!(objectclass=computer))))
The explicit exclusion is needed because in Microsoft Active Directory the computer class is a subclass of user, so a plain (objectclass=user) term also matches computer accounts.
9.6.2 Filtering Changes from a Change Log
This section describes the operators, which are provided by Oracle Directory Integration Platform, to specify a matching filter.
For connected directories that store changes in a change log, you can use the following simple operators to specify a matching filter for either the Connected Directory Matching Filter (orclODIPConDirMatchingFilter
) or the OID Matching Filter (orclODIPOIDMatchingFilter
):
-
= (equal operator)
-
! (not equal operator)
Note:
You can use the preceding operators with either an LDAP or non-LDAP directory, provided the directory obtains incremental changes from a change log.
Connected directories that obtain incremental changes through an LDAP search can also use the preceding operators, however, you can only specify a single expression or the search will fail.
Specify the filter as searchfilter=CHANGELOG_SEARCH_FILTER.
For example, the following filter prevents synchronization of any change made by profile imp1 or profile imp2. A filter of this form is typically set on an export profile so that changes that the platform's own import profiles have just written to the back-end directory are not exported back to the connected directory they came from:
searchfilter=(!(|(modifiersname=orclodipagentname=imp1,cn=subscriber profile,cn=changelog subscriber,cn=Directory Integration Platform,cn=products,cn=oracleContext)(modifiersname=orclodipagentname=imp2,cn=subscriber profile,cn=changelog subscriber,cn=Directory Integration Platform,cn=products,cn=oracleContext)))
The modifiersname values must be the exact DNs of the profile entries, which are stored under the container described in Registering Connectors in Oracle Directory Integration Platform. A filter that names a DN other than the real profile entry excludes nothing and therefore gives no protection against such loops; verify the DN with an ldapsearch before relying on the filter.
For connected directories that store changes in a change log, a matching filter can synchronize changes for only the attributes that appear in the change log. If you include attributes in a matching filter that do not appear in the change log, the search operation will fail. For this reason, matching filters are of limited use for connected directories that store incremental changes in a change log.
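The following is an added example, not part of this page and not the platform's own matching code, that evaluates the two filters above against constructed entries: an Active Directory user and computer for the search filter, and two change-log records for the change-log filter. It implements only the filter subset a matching filter uses (and, or, not, equality, presence); substring, ordering and extensible matching are not handled. The profile DNs follow the container described in Registering Connectors in Oracle Directory Integration Platform, and the entry contents are constructed.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/** Evaluates the RFC 4515 subset that matching filters use (and, or, not, equality, presence)
 *  against an in-memory entry, so a filter can be checked before it is stored in the profile.
 *  Attribute names and values compare case-insensitively, as the directory does for
 *  objectclass and DN-valued attributes. Added example, not DIP's own matching code. */
final class MatchingFilter {
    private final String s;
    private int pos;

    private MatchingFilter(String s) { this.s = s; }

    static boolean matches(String filter, Map<String, List<String>> entry) {
        String f = filter.trim();
        if (f.startsWith("searchfilter=")) f = f.substring("searchfilter=".length());
        MatchingFilter m = new MatchingFilter(f);
        boolean r = m.parse(entry);
        m.skipWs();
        if (m.pos != f.length()) throw new IllegalArgumentException("trailing text: " + f.substring(m.pos));
        return r;
    }

    private boolean parse(Map<String, List<String>> e) {
        expect('(');
        boolean r;
        char c = s.charAt(pos);
        if (c == '&' || c == '|') {
            pos++;
            r = (c == '&');
            skipWs();
            while (pos < s.length() && s.charAt(pos) == '(') {   // zero or more nested filters
                boolean sub = parse(e);
                r = (c == '&') ? (r && sub) : (r || sub);
                skipWs();
            }
        } else if (c == '!') {
            pos++;
            r = !parse(e);
        } else {
            int eq = s.indexOf('=', pos), close = s.indexOf(')', pos);
            if (eq < 0 || close < 0 || eq > close) throw new IllegalArgumentException("malformed item at " + pos);
            String attr = s.substring(pos, eq).trim().toLowerCase(Locale.ROOT);
            String val = s.substring(eq + 1, close);              // first '=' splits attr from value, so DN values work
            List<String> have = e.getOrDefault(attr, Collections.<String>emptyList());
            r = val.equals("*") ? !have.isEmpty()                // presence
                                : have.stream().anyMatch(v -> v.equalsIgnoreCase(val));
            pos = close;
        }
        expect(')');
        return r;
    }

    private void skipWs() { while (pos < s.length() && Character.isWhitespace(s.charAt(pos))) pos++; }

    private void expect(char c) {
        skipWs();
        if (pos >= s.length() || s.charAt(pos) != c)
            throw new IllegalArgumentException("expected '" + c + "' at offset " + pos + " in " + s);
        pos++;
    }
}

public class MatchingFilterDemo {
    static final String PROFILES = "cn=subscriber profile,cn=changelog subscriber,cn=Directory Integration Platform,cn=products,cn=oracleContext";
    static final String AD_FILTER = "searchfilter=(|(objectclass=group)(objectclass=organizationalUnit)(&(objectclass=user)(!(objectclass=computer))))";
    static final String LOOP_FILTER = "searchfilter=(!(|(modifiersname=orclodipagentname=imp1," + PROFILES
            + ")(modifiersname=orclodipagentname=imp2," + PROFILES + ")))";

    /** Builds a constructed entry from attribute/value pairs; repeated attributes accumulate values. */
    static Map<String, List<String>> entry(String... pairs) {
        Map<String, List<String>> e = new HashMap<>();
        for (int i = 0; i + 1 < pairs.length; i += 2)
            e.computeIfAbsent(pairs[i].toLowerCase(Locale.ROOT), k -> new ArrayList<>()).add(pairs[i + 1]);
        return e;
    }

    public static void main(String[] args) {
        // Constructed AD entries. A computer account carries objectclass=user as well as computer
        // (computer is a subclass of user), so a bare (objectclass=user) term would also match it.
        Map<String, List<String>> user = entry("objectclass", "top", "objectclass", "person",
                "objectclass", "organizationalPerson", "objectclass", "user", "sAMAccountName", "jdoe");
        Map<String, List<String>> host = entry("objectclass", "top", "objectclass", "person",
                "objectclass", "organizationalPerson", "objectclass", "user", "objectclass", "computer",
                "sAMAccountName", "WS01$");
        System.out.println("user jdoe synced:          " + MatchingFilter.matches(AD_FILTER, user));
        System.out.println("computer WS01$ synced:     " + MatchingFilter.matches(AD_FILTER, host));
        System.out.println("bare user filter on WS01$: " + MatchingFilter.matches("(objectclass=user)", host));

        // Constructed change-log records. The record written by import profile imp1 must not be
        // exported back to the connected directory it came from.
        Map<String, List<String>> byAdmin = entry("targetdn", "cn=jdoe,dc=example,dc=com",
                "modifiersname", "cn=orcladmin");
        Map<String, List<String>> byImp1 = entry("targetdn", "cn=jdoe,dc=example,dc=com",
                "modifiersname", "orclodipagentname=imp1," + PROFILES);
        System.out.println("change by orcladmin exported: " + MatchingFilter.matches(LOOP_FILTER, byAdmin));
        System.out.println("change by imp1 exported:      " + MatchingFilter.matches(LOOP_FILTER, byImp1));
    }
}
```

Save the file as MatchingFilterDemo.java and run it with javac and java. The user is accepted and the computer account rejected by the search filter, the bare (objectclass=user) term shows why the exclusion is needed, and the change-log filter passes the administrator's change while blocking the one recorded under the imp1 profile DN. Changing PROFILES to a DN that does not match the profile entries makes the second filter pass both records, which is the failure mode the note above warns about.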
9.7 Location and Naming of Files
This section lists where to find the various files used during synchronization.
By default, when file based interfaces (Tagged/LDIF) are used for synchronization, the files are read from and written to the following locations.
Table 9-5 Location and Names of Files
File | File Name
---|---
Import data file | 
Export data file | $ORACLE_HOME/ldap/odi/data/export/Profile_Name.dat
For example, the name of the data file of the Oracle Human Resources profile is oraclehrprofile.dat.
9.8 Password Synchronization
Using the Oracle Directory Integration Platform password synchronization functionality, you can maintain a single password across the back-end directory and the connected directory.
Topics:
-
Configuring Password Synchronization for Oracle Unified Directory
-
Configuring Password Synchronization for Oracle Directory Server Enterprise Edition
-
Configuring Password Synchronization for Oracle Internet Directory
Note:
Oracle recommends using the SSL connection to synchronize the password for the back-end directory and the connected directory.
9.8.1 Understanding Password Synchronization Mechanism
The password synchronization mechanism depends on the back-end directory, the connected directory, and the configuration and deployment mode in use. Oracle Directory Integration Platform provides several mechanisms to synchronize passwords, depending on the selected back-end directory and connected directory.
Oracle Directory Integration Platform supports the following password synchronization mechanisms:
-
Enabling the Oracle Internet Directory Password policy: To synchronize passwords from Oracle Internet Directory to a non Oracle Internet Directory connected directory, you must enable the password policy and you may have to enable reversible password encryption in the Oracle Internet Directory server. Reversible encryption makes the cleartext password recoverable from the directory, so enable it only where this mechanism requires it and restrict access to the directory database and backups accordingly. For more information, see Enable Password Synchronization from the Oracle Back-end Directory to a Connected Directory.
-
Delegated Authentication: External authentication plug-ins, such as the Microsoft Active Directory external authentication plug-in, are available for the back-end directory and enable users to log in to the Oracle environment by using their Microsoft Windows credentials.
-
Oracle Internet Directory External Authentication Plug-ins: To synchronize passwords from Oracle Internet Directory to a non Oracle Internet Directory connected directory by using Java-based external authentication plug-ins. For more information, see Configuring External Authentication Plug-ins.
-
Pass-Through Authentication: Pass-through authentication (PTA) is a mechanism by which bind requests are filtered by bind DN. One Directory Server (the delegator) receives the bind request and, based on the filter, can consult another Directory Server (the delegate) to authenticate bind requests. As part of this functionality, the PTA plug-in enables the delegator Directory Server to accept simple password-based bind operations for entries that are not necessarily stored in its local database. A typical scenario for pass-through authentication involves passing authentication through to Active Directory for users coming from Oracle Unified Directory or Oracle Directory Server Enterprise Edition. For more information, see:
-
The section "Understanding Pass-Through Authentication" in the Oracle Fusion Middleware Administering Oracle Unified Directory.
-
The section "Pass-Through Authentication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
-
Oracle Password Filter: To synchronize password only from Microsoft Active Directory to a back-end directory using the Oracle Password Filter. For more information, see Deploying the Oracle Password Filter for Microsoft Active Directory.
-
Synchronization using password hashing techniques: To synchronize passwords from Oracle Directory Integration Platform to Oracle Unified Directory or Oracle Directory Server Enterprise Edition. Oracle Unified Directory and Oracle Directory Server Enterprise Edition support the same set of password hashing techniques. To synchronize passwords between Oracle Directory Integration Platform and Oracle Directory Server Enterprise Edition:
  - Ensure that SSL server authentication mode is configured for both directories, as described in Configuring Oracle Unified Directory (SSL) for Oracle Directory Integration Platform.
  - Ensure that the following mapping rule exists in the mapping file:
Userpassword: : :person:userpassword: :person
For more information on Oracle Directory Server Enterprise Edition hashing synchronization, see Understanding How to Synchronize Passwords for Oracle Directory Server Enterprise Edition.
-
On-Demand Password: To synchronize the password from a connected directory to Oracle Unified Directory or Oracle Directory Server Enterprise Edition back-end directories. You can synchronize the password from the connected directory to the back-end directory by configuring an import profile. For more information, see:
-
Password Translate: To synchronize the password from an Oracle Unified Directory or Oracle Directory Server Enterprise Edition back-end directory to a connected directory. You can synchronize the password from the back-end directory to the connected directory by configuring an export profile. For more information, see:
Table 9-6 lists the password synchronization mechanism options for the directory servers supported by Oracle Directory Integration Platform.
Table 9-6 Password Synchronization Mechanism
Source | Destination | Supported Password Synchronization Mechanisms
---|---|---
Oracle Unified Directory | Oracle Unified Directory | 
Oracle Unified Directory | Oracle Internet Directory | 
Oracle Unified Directory | Oracle Directory Server Enterprise Edition | 
Oracle Unified Directory | Microsoft Active Directory | 
Oracle Internet Directory | Oracle Unified Directory | 
Oracle Internet Directory | Oracle Internet Directory | 
Oracle Internet Directory | Oracle Directory Server Enterprise Edition | 
Oracle Internet Directory | Microsoft Active Directory | 
Oracle Directory Server Enterprise Edition | Oracle Unified Directory | 
Oracle Directory Server Enterprise Edition | Oracle Internet Directory | 
Oracle Directory Server Enterprise Edition | Oracle Directory Server Enterprise Edition | 
Oracle Directory Server Enterprise Edition | Microsoft Active Directory | Password Translate
Microsoft Active Directory | Oracle Unified Directory | 
Microsoft Active Directory | Oracle Internet Directory | 
Microsoft Active Directory | Oracle Directory Server Enterprise Edition | 
9.8.2 Configuring Password Synchronization for Oracle Unified Directory
You can synchronize the password between a connected directory and Oracle Unified Directory used as the back-end directory.
Topics:
Note:
Ensure that you have configured Oracle Unified Directory for Oracle Directory Integration Platform using the dipConfigurator setup command, as described in Configuring the Oracle WebLogic Server Domain for Oracle Directory Integration Platform with Oracle Unified Directory.
9.8.2.1 Synchronizing Password from a Connected Directory to the Oracle Unified Directory using On-Demand Password
You can synchronize the password from a connected directory to Oracle Unified Directory by configuring an import profile. To do so, complete the following steps:
-
Configure the Oracle Directory Integration Platform plug-ins by running the dipConfigurator setupPlugin command on the command line with the following arguments:
Table 9-7 setupPlugin Properties
Argument | Definition
---|---
wlshost | Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed. The default value is localhost.
wlsport | Listening port number of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed. The default value is 7001.
wlsuser | Oracle WebLogic Server login ID.
ldaphost | Oracle Unified Directory host name. The default value is localhost.
ldapport | Oracle Unified Directory server port number. The default value is 636.
isldapssl | Enable or disable SSL. The default value is true.
ldapuser | The bind DN to connect to the directory. The default value is cn=Directory Manager.
ldapadminport | The administration port number of the Oracle Unified Directory to which you want to connect. The default port number is 4444.
Note: You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.
Example:
$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
This example connects over plain LDAP on port 389 for illustration only. Because the plug-ins being configured handle password material, use the SSL defaults (-ldapport 636 -isldapssl true) in production, as recommended at the start of this section.
-
Create an attribute mapping rule using Oracle Enterprise Manager Fusion Middleware Control:
  - Log in to Oracle Enterprise Manager Fusion Middleware Control.
  - In the navigation panel on the left, click or expand Identity and Access and then select the DIP component where you want to edit the synchronization profile.
  - Click the DIP Server menu, point to Administration, and then select the synchronization profile you created for Oracle Unified Directory.
  - Click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
  - Select the Mapping tab.
  - In the Attribute Mapping Rules section, select the Create icon. The Add Attribute Mapping Rule screen is displayed.
  - Enter the following parameters:
    - Source ObjectClass: Select the required option. For example, select User if you are using Microsoft Active Directory as the connected directory.
    - Attribute(s): Select pwdLastSet.
    - DIP-OUD ObjectClass: Select top.
    - DIP-OUD Attribute: Select orclodippwdlastset.
    - Mapping Expression: Depending on the connected directory, select an option. For example:
      Microsoft Active Directory: onDemandPassword(pwdLastSet)
      Oracle Unified Directory: onDemandPassword(pwdChangedTime)
      Oracle Directory Server Enterprise Edition: onDemandPassword(pwdChangedTime)
      Note: For Oracle Directory Server Enterprise Edition, the onDemandPassword expression is available only if password expiration is configured. For more information, see "Policy for Password Expiration" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
  - Click OK.
  You can click the Validate All Mapping Rules button to test your mapping rules.
Note: You can also add the rule by editing the mapping rules directly:
pwdLastSet : : : user : orclODIPPwdLastSet : : top : onDemandPassword(pwdLastSet)
For more information, see Adding an Entry to the Mapping Rules File.
9.8.2.2 Synchronizing Password from the Oracle Unified Directory to a Connected Directory using Password Translate
You can synchronize the password from Oracle Unified Directory (back-end directory) to a connected directory by configuring an export profile. To do so, complete the following steps:
-
If the Oracle Directory Integration Platform plug-ins are not yet configured, run the dipConfigurator setupPlugin command on the command line:
$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
For more information on the arguments, see Table 9-7.
Note: Do not run the dipConfigurator setupPlugin command if you have already executed it in Synchronizing Password from a Connected Directory to the Oracle Unified Directory using On-Demand Password.
-
Run the dipConfigurator setupPasswordTranslation command on the command line:
$ORACLE_HOME/bin/dipConfigurator setupPasswordTranslation -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
For more information on the arguments, see Table 9-7. Both commands above use plain LDAP on port 389 for illustration; in production use -ldapport 636 -isldapssl true, as recommended at the start of this section, because these commands configure the components that carry password values.
Note: You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.
-
Create an attribute mapping rule using Oracle Enterprise Manager Fusion Middleware Control:
  - Log in to Oracle Enterprise Manager Fusion Middleware Control.
  - In the navigation panel on the left, click or expand Identity and Access and then select the DIP component where you want to edit the synchronization profile.
  - Click the DIP Server menu, point to Administration, and then select the synchronization profile you created for Oracle Unified Directory.
  - Click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
  - Select the Mapping tab.
  - In the Attribute Mapping Rules section, select the Create icon. The Add Attribute Mapping Rule screen is displayed.
  - Enter the following parameters:
    - Source ObjectClass: Select the required option. For example, select User if you are using Microsoft Active Directory as the connected directory.
    - Attribute(s): Select unicodepwd.
    - DIP-OUD ObjectClass: Select top.
    - DIP-OUD Attribute: Select orclodiptranslatepassword.
    - Mapping Expression: Enter orclODIPTranslatePassword.
  - Click OK.
  You can click the Validate All Mapping Rules button to test your mapping rules.
Note: You can also add the rule by editing the mapping rules directly:
orclodiptranslatepassword: : : : unicodepwd : : user : passwordtranslate(orclodiptranslatepassword)
For more information, see Adding an Entry to the Mapping Rules File.
9.8.3 Configuring Password Synchronization for Oracle Directory Server Enterprise Edition
This step is optional. You can import or export the password between a connected directory and Oracle Directory Server Enterprise Edition used as the back-end directory.
Topics:
9.8.3.1 Synchronizing Password from a Connected Directory to the Oracle Directory Server Enterprise Edition using On-Demand Password
You can synchronize the password from a connected directory to Oracle Directory Server Enterprise Edition by configuring an import profile. To do so, complete the following steps:
-
Configure the Oracle Directory Integration Platform plug-ins by running the dipConfigurator setupPlugin command (in <ORACLE_HOME>/bin) on the command line with the following arguments:
Table 9-8 setupPlugin Properties
Argument | Definition
---|---
wlshost | Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed. The default value is localhost.
wlsport | Listening port number of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed. The default value is 7001.
wlsuser | Oracle WebLogic Server login ID.
ldaphost | Oracle Directory Server Enterprise Edition host name. The default value is localhost.
ldapport | Oracle Directory Server Enterprise Edition server port number. The default value is 636.
isldapssl | Enable or disable SSL. The default value is true.
ldapuser | The bind DN to connect to the directory. The default value is cn=Directory Manager.
ldapadminport | The administration port number of an Oracle Unified Directory instance. The default port number is 4444. It is not used with Oracle Directory Server Enterprise Edition and is omitted from the examples in this section.
Example:
$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 636 -ldapuser "cn=Directory Manager" -isldapssl true
Note: You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.
-
Restart the directory server instance:
dsadm restart
-
Create an attribute mapping rule using Oracle Enterprise Manager Fusion Middleware Control:
  - Log in to Oracle Enterprise Manager Fusion Middleware Control.
  - In the navigation panel on the left, click or expand Identity and Access and then select the DIP component where you want to edit the synchronization profile.
  - Click the DIP Server menu, point to Administration, and then select the synchronization profile you created for Oracle Directory Server Enterprise Edition.
  - Click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
  - Select the Mapping tab.
  - In the Attribute Mapping Rules section, select the Create icon. The Add Attribute Mapping Rule screen is displayed.
  - Enter the following parameters:
    - Source ObjectClass: Select the required option. For example, select User if you are using Microsoft Active Directory as the connected directory.
    - Attribute(s): Select pwdLastSet.
    - DIP-ODSEE ObjectClass: Select operational attributes.
    - DIP-ODSEE Attribute: Select orclodippwdlastset.
    - Mapping Expression: Enter onDemandPassword(pwdChangedTime) for an Oracle Unified Directory or Oracle Directory Server Enterprise Edition connected directory, or onDemandPassword(pwdLastSet) for Microsoft Active Directory.
  - Click OK.
  You can click the Validate All Mapping Rules button to test your mapping rules.
-
Ensure that the synchronization profile contains the following attribute mapping rule (shown here in its Microsoft Active Directory form):
pwdLastSet : : : user : orclODIPPwdLastSet : : top : onDemandPassword(pwdLastSet)
The orclSourceObjectDN attribute is needed by the plug-ins. It belongs to several object classes: orclSunOneObject, orclADObject, orclNDSObject, orclOpenLDAPObject, and orclTDSObject. A rule assigning this value must be included in the import profile; the templates already include it. For example:
targetdn: : :top:orclSourceObjectDN: :orclADObject:
For more information, see Adding an Entry to the Mapping Rules File.
9.8.3.2 Synchronizing Password from the Oracle Directory Server Enterprise Edition to a Connected Directory Using Password Translate
You can synchronize the password from Oracle Directory Server Enterprise Edition (back-end directory) to a connected directory by configuring an export profile. To do so, complete the following steps:
- Configure the Oracle Directory Integration Platform plug-ins by running the dipConfigurator setupPlugin command (<ORACLE_HOME>/bin) on the command line:
$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 636 -ldapuser "cn=Directory Manager"
For more information on the arguments, see Table 9-8.
- Restart the directory server instance:
dsadm restart
- Run the dipConfigurator setupPasswordTranslation command (<ORACLE_HOME>/bin) on the command line:
$ORACLE_HOME/bin/dipConfigurator setupPasswordTranslation -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseelocalhost -ldapport 636 -ldapuser "cn=Directory Manager" -isldapssl true
For more information on the arguments, see Table 9-8.
Note:
You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.
- Edit the attribute mapping rule using Oracle Enterprise Manager Fusion Middleware Control:
  - Log in to Oracle Enterprise Manager Fusion Middleware Control.
  - In the navigation panel on the left, click or expand Identity and Access and then select the DIP component where you want to edit the synchronization profile.
  - Click the DIP Server menu, point to Administration, and then select the synchronization profile you created for Oracle Directory Server Enterprise Edition.
  - Click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
  - Select the Mapping tab.
  - In the Attribute Mapping Rules section, click the Create icon. The Add Attribute Mapping Rule screen is displayed.
  - Enter the following parameters:
    - Source ObjectClass: Select the required option. For example, select User if you are using Microsoft Active Directory as the connected directory.
    - Attribute(s): Select unicodepwd.
    - DIP-ODSEE ObjectClass: Select operational attributes.
    - DIP-ODSEE Attribute: Select orclodiptranslatepassword.
    - Mapping Expression: Enter orclODIPTranslatePassword as the mapping expression.
    Click OK.
    You can click the Validate All Mapping Rules button to test your mapping rules.
Note:
You can also edit the mapping rules by adding the following attribute mapping rule:
orclodiptranslatepassword: : : top : unicodepwd : : user : passswordtranslate(orclodiptranslatepassword)
For more information, see Adding an Entry to the Mapping Rules File.
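The colon-delimited rules shown in this section and in 9.8.3.1 (the onDemandPassword rule and the password-translate rule) are the kind of entry an administrator hand-edits into a mapping rules file, and a mistake there silently changes how passwords flow between directories. The following Python script is an added example, not part of this guide or of Oracle Directory Integration Platform: it parses such rules, reports every rule that carries a password-bearing attribute named on this page (unicodepwd, orclodiptranslatepassword), warns when such an attribute is copied with no mapping function, and warns when no rule populates orclSourceObjectDN. The field positions it assumes are inferred from the three rules on this page and only the positions those rules make evident are given names; the sample rules fragment, including the filler cn rule, is constructed.

```python
"""Lint a DIP attribute mapping rules fragment (added example, not Oracle code).

The colon-delimited field positions below are an assumption inferred from the
three rules shown on this page; positions 1, 2 and 5 are left uninterpreted.
"""

# Assumed field layout of one rule line (index -> meaning).
FIELD_NAMES = (
    "src_attr", "f1", "f2", "src_objectclass",
    "dst_attr", "f5", "dst_objectclass", "mapping_expr",
)

# Attributes that carry a password between directories on this page.
PASSWORD_ATTRS = {"unicodepwd", "orclodiptranslatepassword"}

# Constructed sample: the rules from this page plus one ordinary attribute rule.
SAMPLE_RULES = """\
# constructed import profile fragment
cn : : : user : cn : : inetOrgPerson :
targetdn: : :top:orclSourceObjectDN: :orclADObject:
pwdLastSet : : : user : orclODIPPwdLastSet : : top : onDemandPassword(pwdLastSet)
orclodiptranslatepassword: : : top : unicodepwd : : user : passswordtranslate(orclodiptranslatepassword)
"""


def parse_rule(line):
    """Split one rule into its fields; the trailing mapping expression may itself contain ':'."""
    parts = [p.strip() for p in line.split(":", len(FIELD_NAMES) - 1)]
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} colon-separated fields, got {len(parts)}")
    return dict(zip(FIELD_NAMES, parts))


def lint_rules(text):
    """Return (parsed_rules, findings); each finding is a (severity, message) tuple."""
    rules, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            findings.append(("error", f"line {lineno}: {exc}"))
            continue
        rule["line"] = lineno
        rules.append(rule)

    # The plug-ins need orclSourceObjectDN; the templates include it, a hand-edited file may not.
    if not any(r["dst_attr"].lower() == "orclsourceobjectdn" for r in rules):
        findings.append(("warn", "no rule populates orclSourceObjectDN"))

    # Every rule touching a password attribute is reported so it gets reviewed;
    # a verbatim copy with no mapping function is a warning.
    for r in rules:
        if {r["src_attr"].lower(), r["dst_attr"].lower()} & PASSWORD_ATTRS:
            if r["mapping_expr"]:
                findings.append(("info", f"line {r['line']}: password flows "
                                 f"{r['src_attr']} -> {r['dst_attr']} via {r['mapping_expr']}"))
            else:
                findings.append(("warn", f"line {r['line']}: password attribute "
                                 f"{r['src_attr']} -> {r['dst_attr']} copied with no mapping function"))
    return rules, findings


if __name__ == "__main__":
    for severity, message in lint_rules(SAMPLE_RULES)[1]:
        print(f"{severity}: {message}")
```

Run it against a copy of the profile's mapping rules before importing them; an "info" line for each password rule is expected, a "warn" line is something to fix before the profile goes live.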
9.8.4 Configuring Password Synchronization for Oracle Internet Directory
To synchronize passwords from Oracle Internet Directory to a connected directory, you must enable the password policy and you may have to enable reversible password encryption in the Oracle Internet Directory server.
For example, IBM Tivoli Directory Server and Oracle Directory Server Enterprise Edition support hashing algorithms similar to those of Oracle Internet Directory. Therefore, to synchronize passwords from Oracle Internet Directory to IBM Tivoli Directory Server or Oracle Directory Server Enterprise Edition, you must enable only the password policy in the Oracle Internet Directory server.
However, to synchronize passwords from Oracle Internet Directory to Microsoft Active Directory or Novell eDirectory, neither of which supports hashing algorithms similar to those of Oracle Internet Directory, you must enable both the password policy and reversible password encryption in the Oracle Internet Directory server.
Note:
Oracle Internet Directory supports multiple password policies in each realm, commonly known as Fine-Grained Password Policies.
See the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for more information about Fine-Grained Password Policies.
To enable the password policy, assign a value of 1 to the orclPwdPolicyEnable attribute in the appropriate container. To enable reversible password encryption in the Oracle Internet Directory server, assign a value of 1 to the orclpwdEncryptionEnable attribute in the appropriate container.
For example, to enable the password policy and reversible password encryption on the default policy for a realm, assign a value of 1 to the orclPwdPolicyEnable and orclpwdEncryptionEnable attributes in the following entry:
cn=default,cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,Realm_DN
You can do this by using ldapmodify and uploading an LDIF file containing the following entries:
dn: cn=default,cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,Realm_DN
changetype: modify
replace: orclpwdpolicyenable
orclpwdpolicyenable: 1
-
replace: orclpwdencryptionenable
orclpwdencryptionenable: 1
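As an added example that is not part of this guide or of Oracle's tooling, the following Python script applies the rule stated above: it works out which of orclpwdpolicyenable and orclpwdencryptionenable a realm's default password policy needs for a given connected directory, compares that with the values read back from the policy entry, and produces an ldapmodify LDIF that sets only what is missing. The connected-directory labels, the sample policy entry and the realm DN are constructed assumptions. Reversible encryption makes stored passwords recoverable, so the check deliberately leaves orclpwdencryptionenable alone unless the connected directory actually requires it.

```python
"""Compute and apply the OID password-policy settings needed for password
synchronization (added example, not Oracle code)."""

# Default policy entry for a realm, as given in the text; the realm DN is appended.
POLICY_RDN = "cn=default,cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext"

# Constructed labels for the four connected directories named in the text.
# Directories whose hashing is compatible with OID need only the policy enabled;
# the others also need reversible password encryption.
HASH_COMPATIBLE = {"odsee", "tivoli"}
NEEDS_REVERSIBLE = {"active directory", "edirectory"}


def required_settings(connected_directory):
    """Attributes (and values) the realm's default policy must carry."""
    key = connected_directory.lower()
    if key in HASH_COMPATIBLE:
        return {"orclpwdpolicyenable": "1"}
    if key in NEEDS_REVERSIBLE:
        return {"orclpwdpolicyenable": "1", "orclpwdencryptionenable": "1"}
    raise ValueError(f"unknown connected directory: {connected_directory!r}")


def missing_settings(entry, connected_directory):
    """entry: attribute -> list of values (lower-cased keys), as an LDAP client returns it.
    Returns the attributes that are absent or not set to the required value."""
    missing = {}
    for attr, want in required_settings(connected_directory).items():
        have = [v.strip() for v in entry.get(attr, [])]
        if want not in have:
            missing[attr] = want
    return missing


def modify_ldif(realm_dn, missing):
    """Render an LDIF modify record for ldapmodify; empty string when nothing is missing."""
    if not missing:
        return ""
    lines = [f"dn: {POLICY_RDN},{realm_dn}", "changetype: modify"]
    for i, (attr, value) in enumerate(missing.items()):
        if i:
            lines.append("-")  # separates multiple changes in one record
        lines += [f"replace: {attr}", f"{attr}: {value}"]
    return "\n".join(lines) + "\n"


# Constructed sample: policy already enabled, reversible encryption off.
SAMPLE_REALM_DN = "dc=example,dc=com"
SAMPLE_ENTRY = {"orclpwdpolicyenable": ["1"], "orclpwdencryptionenable": ["0"]}

if __name__ == "__main__":
    for target in ("odsee", "Active Directory"):
        missing = missing_settings(SAMPLE_ENTRY, target)
        print(f"# {target}: missing {missing or 'nothing'}")
        print(modify_ldif(SAMPLE_REALM_DN, missing), end="")
```

Feed the printed record to ldapmodify exactly as the text describes; for an ODSEE or Tivoli target the script emits nothing when the policy is already enabled, and for Active Directory or eDirectory it emits only the reversible-encryption change.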
See Also:
Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on managing Oracle Internet Directory password policies.