Configuring Directory Synchronization

9 Configuring Directory Synchronization

This chapter explains how to configure directory synchronization and how to format mapping rules.

Topics:

See Also:

Administering Oracle Directory Integration Platform for information on using Oracle Enterprise Manager Fusion Middleware Control.

9.1 Registering Connectors in Oracle Directory Integration Platform

Before deploying a connector, you must register it in the Oracle back-end directory that you are using with Oracle Directory Integration Platform. This registration involves creating a synchronization profile, which is stored as an entry in the directory.

Refer to “Creating Synchronization Profiles” for information about creating a directory synchronization profile using Oracle Enterprise Manager Fusion Middleware Control.

Attributes in a synchronization profile entry belong to the object class orclodiProfile. The only exception is the orclodiplastappliedchangenumber attribute, which belongs to the orclchangesubscriber object class.

The 2.16.840.1.113894.8 object identifier prefix is assigned to Oracle Directory Integration Platform platform-related classes and attributes.

The various synchronization profile entries in the directory are created under the following container:

cn=subscriber profile,cn=changelog subscriber,cn=Directory Integration Platform,cn=products,cn=oracleContext

For example, a connector called OracleHRAgent is stored in the directory as follows:

orclodipagentname=OracleHRAgent,cn=subscriber profile,cn=changelog subscriber,cn=Directory Integration Platform,cn=products,cn=oracleContext

9.2 About Synchronization Profile Templates

When you install Oracle Directory Integration Platform, template profiles for synchronization are created for different types of directories.

For a complete list of supported directories, refer to the Oracle Fusion Middleware Supported System Configurations certification matrix.

The property and mapping files used to create the template profiles are available in the $ORACLE_HOME/ldap/odi/conf directory.

Note:

The synchronization profile template are examples. You must configure the mapping rules as described in Configuring Mapping Rules, before using the template profile.

9.3 Configure Connection Details for a Third-Party Directory

You can configure the connection details for a third-party directory by creating or editing a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control.

To use one of the sample synchronization profiles that was creating during installation, be sure to specify the correct connection details.

You can also create the profiles based on the template properties file provided during installation. If you are doing this, then you must specify the connection details in the odip.profile.condirurl, and odip.profile.condiraccount properties of the profile. You will be prompted for the password.

Each third-party directory requires a different configuration for getting deleted entries. Refer to the third-party directory's documentation to set up the tombstone configuration and privileges required to read tombstone entries.

Note:

If you are using Microsoft Active Directory as the third-party directory, ensure that the user account has the privileges to replicate directory changes for every domain of the forest monitored for changes. You can do this by one of the following methods:

Grant to this account Domain Administrative permissions
Make this account a member of the Domain Administrator's group
Grant to this account Replicating Directory Changes permissions for every domain of the forest that is monitored for changes

To grant this permission to a non-administrative user, follow the instructions in the "More Information" section of the Microsoft Help and Support article "How to Grant the 'Replicating Directory Changes' Permission for the Microsoft Metadirectory Services ADAM Service Account" available at http://support.microsoft.com/.

Some of the most important pieces of a directory synchronization profile include the connection details you assign to the properties listed in Table 9-1:

Table 9-1 Connection Detail Properties

Property Description

Property	Description
`odip.profile.condirurl`	The URL of the connected directory: To connect to an LDAP directory, use the form host:port To connect in SSL mode, use the form host:port:1. To connect to a database, use the form host:port:serviceName
`odip.profile.condiraccount`	The DN or account name used to connect to the third-party directory

odip.profile.condirurl

The URL of the connected directory:

To connect to an LDAP directory, use the form host:port
To connect in SSL mode, use the form host:port:1.
To connect to a database, use the form host:port:serviceName

odip.profile.condiraccount

The DN or account name used to connect to the third-party directory

Note:

The account information you specify must have sufficient privileges in the directory to which you are connecting.
The account name is not required if you are using the LDIF or tagged data formats.
You will be prompted for a password.

9.4 Configuring Mapping Rules

This section discusses how to configure mapping rules. It contains these topics:

9.4.1 About Mapping Rules Attribute

You use the mapping rules attribute to specify how to convert entries from the source to the destination.

The Oracle back-end directory must either be the source or the destination. When converting the entries, there are three types of mapping rules: domain rules, attribute rules, and reconciliation rules. These mapping rules allow you to specify distinguished name mapping, attribute-level mapping, and reconciliation rules. Note that reconciliation rules are only used with Novell eDirectory and OpenLDAP. For more information on using reconciliation rules, see Integrating with Novell eDirectory or OpenLDAP.

Note:

For information about configuring mapping rules that connect to Oracle Database, see Updating the Configuration File in the "Synchronizing with Tables in Oracle Database" chapter.

Mapping rules are organized in a fixed, tabular format, and you must follow that format carefully. Each set of mapping rules appears between a line containing only the word DomainRules or AttributeRules.

DomainRules
srcDomainName1: [dstDomainName1]: [DomainMappingRule1]
srcDomainName2: [dstDomainName2]: [DomainMappingRule2]
[DomainExclusionList]
srcDomainForExclusion1
srcDomainforExclusion2

AttributeRules
srcAttrName1:[ReqAttrSeq]:[SrcAttrType]:[SrcObjectClass]:[dstAttrName1]:
[DstAttrType]:[DstObjectClass]:[AttrMappingRule1]
srcAttrName1,srcAttrName2:[ReqAttrSeq]:[SrcAttrType]:[SrcObjectClass]:
[dstAttrName2]:[DstAttrType]:[DstObjectClass]:[AttrMappingRule2]
[AttributeExclusionList]
exclusionAttribute1
exclusionAttribute2

The expansion of srcAttrName1 and srcAttrName2 in the preceding example should be on a single, unwrapped long line.

9.4.2 Distinguished Name Mapping

This section specifies how entries are mapped between the Oracle back-end directory and a connected directory. If the mapping is between the Oracle back-end directory and an LDAP directory, then you can create multiple mapping rules. The domain rule specifications appear after a line containing only the keyword DomainRules.

Each domain rule is represented with the components, separated by colons, and are described in Table 9-2.

Table 9-2 Domain Rule Components

Component Name Description

Component Name	Description
`SrcDomainName`	Name of the domain or container of interest. Specify NONLDAP for sources other than LDAP and LDIF.
`DstDomainName`	Name of the domain of interest in the destination. Specify this component if the container for the entries in the destination directory is different from that in the source directory. If the value assigned to `SrcDomainName` is an LDAP or LDIF domain, then this field assumes the same value. However, if the value assigned to `SrcDomainName` is not an LDAP or LDIF domain, you must specify the container where entries should be created. If not specified, this field assumes the value of `SrcDomainName` under valid conditions. For destinations other than LDAP and LDIF, specify `NONLDAP`. Because "import" and "export" always refer to the Oracle back-end directory, a combination of `NONLDAP:NONLDAP` is not allowed.
`DomainMappingRule`	This rule is used to construct the destination DN. For more information, see About Domain Mapping Rules.

SrcDomainName

Name of the domain or container of interest. Specify NONLDAP for sources other than LDAP and LDIF.

DstDomainName

Name of the domain of interest in the destination. Specify this component if the container for the entries in the destination directory is different from that in the source directory.

If the value assigned to SrcDomainName is an LDAP or LDIF domain, then this field assumes the same value. However, if the value assigned to SrcDomainName is not an LDAP or LDIF domain, you must specify the container where entries should be created.

If not specified, this field assumes the value of SrcDomainName under valid conditions. For destinations other than LDAP and LDIF, specify NONLDAP. Because "import" and "export" always refer to the Oracle back-end directory, a combination of NONLDAP:NONLDAP is not allowed.

DomainMappingRule

This rule is used to construct the destination DN. For more information, see About Domain Mapping Rules.

Example 9-1 Example of Distinguished Name Mapping

Distinguished Name Rules
%USERBASE INSOURCE%:%USERBASE ATDEST%:

USERBASE refers to the container from which the source directory users and groups must be mapped. Usually, this is the users container under the root of the source directory domain.

Example 9-2 Example of One-to-One Distinguished Name Mapping

For one-to-one mapping to occur, the DN in the source directory must match that in the destination directory. In this example, the DN in the third-party directory matches the DN in the destination directory. More specifically:

The source directory host is in the domain us.mycompany.com, and, accordingly, the root of the third-party directory domain is us.mycompany.com. A user container under the domain would have a DN value cn=users,dc=us,dc=mycompany,dc=com.
The destination directory has a default realm value of dc=us,dc=mycompany,dc=com. This default realm automatically contains a users container with a DN value cn=users,dc=us,dc=mycompany,dc=com.

Because the DN in the source directory matches the DN in the destination directory, one-to-one distinguished name mapping between the directories can occur.

If you plan to synchronize only the cn=users container under dc=us,dc=mycompany,dc=com, then the domain mapping rule is:

Distinguished Name Rules
cn=users,dc=us,dc=mycompany,dc=com:cn=users,dc=us,dc=mycompany,dc=com

This rule synchronizes every entry under cn=users,dc=us,dc=mycompany,dc=com. However, the type of object synchronized under this container is determined by the attribute-level mapping rules that follow the DN Mapping rules.

If you plan to synchronize the subtree cn=groups,dc=us,dc=mycompany,dc=com from the source directory under the entry cn=users,dc=us,dc=mycompany,dc=com, then the domain mapping rule is as follows:

cn=groups,dc=us,dc=mycompany,dc=com:cn=groups,cn=users,dc=us,dc=mycompany,dc=com

9.4.3 About Domain Mapping Rules

This rule is used to construct the destination DN from the source domain name, from the attribute given in AttributeRules, or both. This field is typically in the form of cn=%,l=%,o=oracle,dc=com. These specifications are used to put entries under different domains or containers in the directory. In the case of non-LDAP sources, this rule specifies how to form the target DN so it can add entries to the directory.

This field is meaningful only when importing to the Oracle back-end directory, or when exporting to an LDIF file or another external LDAP-compliant directory. Specify this component if any part of an entry's DN in the destination directory is different from that in the source directory entry.

This component is optional for LDAP-to-LDIF, LDAP-to-LDAP, or LDIF-to-LDAP synchronizations. If it is not specified, then the source domain and destination domain names are considered to be the same.

dnpart Attribute

You use the dnpart attribute as a variable to store a string and then you can reuse the variable in a domain mapping rule.

For the rdn attribute, a comma is part of the attribute and in the dnpart attribute, the comma is used as a separator to create extra levels in the directory tree.

To enable virtual distinguished name mapping, the domain mapping rule is as follows:

dc=source,dc=com:dc=destination,dc=com:cn=*,dnpart,dc=destination,dc=com

You must edit the attribute mapping rules as shown in the following example:

l:1: :europeanPerson:dnpart: : :"cn=" + l + ",cn=europe"
l:1: :americanPerson:dnpart: : :"cn=" + l + ",cn=america"

In the above example, an ObjectClass is used to define the creation of the DN with the extra level cn=europe or cn=america.

multivalued Attribute

In some cases, the RDN of the DN needs to be constructed by using the name of a multivalued attribute. For example, to construct an entry with the DN of cn=%,l=%,dc=myCompany,dc=com, where cn is a multivalued attribute, the DomainMappingRule can be in this form: rdn,l=%,dc=myCompany,dc=com where rdn is one of the destination attributes having a non null value. A typical mapping file supporting this could have the following form:

DomainRules
NONLDAP:dc=us,dc=myCompany,dc=com:rdn,l=%,dc=us,dc=myCompany,dc=com
AttributeRules
firstname: : :cn: :person
email : : : :cn: :person: trunc(email,'@')
email : 1: : :rdn: :person: 'cn='+trunc(email,'@')
firstname,lastname: : : :cn: :person: firstname+","+lastname
lastname,firstname: : : :cn: :person: lastname+","+firstname
firstname,lastname: : : :sn: :person: lastname | firstname
EmployeeNumber: : : :employeenumber: :inetOrgperson
EMail: : : :mail: :inetOrgperson
telephoneNumber:1 : : :telephonenumber: :person
address:1: : :postaladdress: :person
address:1: : :postaladdress: :person
address:1: : :postaladdress: :person
state: : : :st: :locality
street:1: : :street: :locality
zip: : : :postalcode: :locality

9.4.4 Domain Exclusion List

You can insert the DomainExclusionList header in map files and identify domains to be excluded during bootstrap and synchronization. Domains listed in the DomainExclusionList will be excluded during bootstrap and synchronization.

Note:

The distinguished names (DNs) listed in the domainexclusionlist identify the DNs of the containers in the source directory.

The following is an example of the DomainExclusionList header with example domains to exclude:

DomainExclusionList
cn=sales,cn=users,dc=us,dc=mycompany,dc=com
cn=marketing,cn=users,dc=us,dc=mycompany,dc=com

Example 9-3 shows an example map file that includes the DomainExclusionList header. In this example, the entries under cn=sales,cn=users,dc=us,dc=mycompany,dc=com and cn=marketing,cn=users,dc=us,dc=mycompany,dc=com will be excluded.

9.4.5 Attribute-Level Mapping

The attribute rule specifications appear after a line containing only the keyword AttributeRules. Attribute rules specify how property values for an entry are related between two LDAP directories. For example, the cn attribute of a user object in one directory can be mapped to the givenname object in another directory. Similarly, the cn attribute of a group object in one directory can be mapped to the displayname attribute in another directory. Each attribute rule is represented with the components, separated by colons, and are described in Table 9-3.

Note:

You can specify the literals using single quotation marks ('') or with double quotation marks (" "). Ensure that a single character is enclosed by single quotation marks ('') and multi character literals are enclosed by double quotation marks (" ").

Table 9-3 Components in Attribute Rules

Component Name	Description
`SrcAttrName`	For LDAP-compliant directory repositories, this parameter refers to the name of the attribute to be translated. For Oracle Database repositories, it refers to the `ColumnName` in the table specified by the `SrcObjectClass`. For other repositories this parameter can be appropriately interpreted.
`ReqAttrSeq`	Indicator of whether the source attribute must be passed to the destination. When entries are synchronized between the Oracle back-end directory and the connected directory, some attributes need to be used as synchronization keys. This field indicates whether the specified attribute is being used as a key. If so, regardless of whether the attribute has changed or not, the value of the attribute is extracted from the source. A nonzero integer value should be placed in this field if the attribute needs to be always passed on to the other end.
`SrcAttrType`	This parameter refers to the attribute type—for example, integer, string, binary—that validates the mapping rules.
`SrcObjectClass`	If the source of the shared attribute is an LDAP-compliant directory, then this parameter names the object class to which the attribute belongs. If the source of the shared attribute is an Oracle Database repository, then this parameter refers to the table name and is mandatory. For other repositories, this parameter may be ignored.
`DstAttrName`	Optional attribute. If it is not specified, then the `SrcAttrName` is assumed. For LDAP-compliant directories, this parameter refers to the name of the attribute at the destination. For Oracle Database repositories, it refers to the ColumnName in the table specified by the `SrcObjectClass`. For other repositories, this parameter can be appropriately interpreted. If you specify "-" and leave the `DstAttrType` and `DstObjectClass` fields empty then the value computed by the mapping function will not be stored in any attribute at the destination entry. This is useful for mapping functions that execute tasks but do not return values (For example, `AccountLockOut()`)
`DstAttrType`	This parameter refers to the attribute type. It supports all the attributes types that is supported by the Oracle Internet Directory syntax. You must ensure compatibility of the source and destination attribute types. Oracle Directory Integration Platform does not ensure this compatibility.
`DstObjectClass`	If it is not specified, then the `SrcObjectClass` value is used. For LDAP-compliant directories, this parameter refers to the object class to which the attribute belongs, and is optional. For Oracle Database repositories, it refers to the table name, and is mandatory. For other repositories this parameter may be ignored.
`AttrMapping Rule`	Optional arithmetic expression with the following operators (+ and\|) and functions. For more information, see "Supported Attribute Mapping Rules and Examples". If nothing is specified, then the source attribute value is copied as the value of the destination attribute. Literals can be specified with single quotation marks ('') or with double quotation marks ("").

To enter mapping rules in a synchronization profile, edit a file that strictly follows the correct format.

Note:

When attributes and object classes are defined in the mapping file, it is assumed that source directories contain the respective attributes and object classes defined in the schema.

If a parent container is selected for synchronization, then all its children that match the mapping rules are likewise synchronized. Child containers cannot be selectively ignored for synchronization.

9.4.6 Attribute Exclusion List

You can insert the AttributeExclusionList header in map files and identify attributes to be excluded during bootstrap and synchronization. Attributes listed in the AttributeExclusionList will be excluded during bootstrap and synchronization.

The following is an example of the AttributeExclusionList header with example attributes to exclude:

AttributeExclusionList
facsimileTelephoneNumber
telephonenumber

Example 9-3 shows an example map file that includes both the DomainExclusionList and AttributeExclusionList headers. In this example, the entries under cn=sales,cn=users,dc=us,dc=mycompany,dc=com and cn=marketing,cn=users,dc=us,dc=mycompany,dc=com will be excluded, and all filtered entries will exclude (not contain) the facsimileTelephoneNumber and telephonenumber attributes.

Example 9-3 Example Map File Using DomainExclusionList and AttributeExclusionList Headers

DomainRules
cn=users,dc=us,dc=mycompany,dc=com : ou=people,dc=us,dc=myothercompany,dc=com:
DomainExclusionList
cn=sales,cn=users,dc=us,dc=mycompany,dc=com
cn=marketing,cn=users,dc=us,dc=mycompany,dc=com

AttributeRules
# attribute rule common to all objects
objectguid: :binary: :orclobjectguid:string: :bin2b64(objectguid)
ObjectSID: :binary: :orclObjectSID:string:orclADObject:bin2b64(ObjectSID)
distinguishedName: : : :orclSourceObjectDN: :orclADObject
# USER ENTRY MAPPING RULES
# attribute rule for mapping windows LOGIN id
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname
# attribute rule for mapping Active Directory LOGIN id
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
# Map the userprincipalname to the nickname attr by default
userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
# Map the SamAccountName to the nickname attr if required
# If this rule is enabled, userprincipalname rule needs to be disabled
#sAMAccountName: : :user:uid: :inetorgperson
# Assign the userprincipalname to Kerberaos principalname
userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
# This rule is mapped as SAMAccountName is a mandatory attr on AD
# and sn is mandatory on OID. sn is not mandatory on Active Directory
SAMAccountName: : :user:sn: : person:
# attributes to map to cn - normally this is the given name
cn: : :person:cn: :person:
AttributeExclusionList
facsimileTelephoneNumber
telephonenumber

9.4.7 Manually Creating New Mapping Files

This section describes how to create mapping files manually without using Oracle Enterprise Manager Fusion Middleware Control.

Note:

Oracle recommends using Oracle Enterprise Manager Fusion Middleware Control to create synchronization mapping rules when you create and configure synchronization profiles. You create mapping rules on the Mapping tab described in Creating Synchronization Profiles.

To create new mapping files manually:

Identify the containers of interest for synchronization in the source directory.
Identify the destination containers to which the objects in the source containers should be mapped. Be sure that the specified container already exists in the directory.
Determine the rule to create a DN of the entry to be created in the destination directory. In LDAP-to-LDAP, mapping is normally one-to-one. In non-LDAP-to-LDAP, a domain DN construct rule is required. For example, in the case of synchronizing from a tagged file or Human Resources agent, the mapping rule may be in the form uid=%,dc=mycompany,dc=com. In this case, the uid attribute must be present in all the changes to be applied from Oracle Human Resources. The uid attribute must be specified as a required attribute, as specified in step 6.
Identify the objects that you want to synchronize among directories—that is, the relevant object classes in the source and destination directories. In general, objects that get synchronized among directories include users, groups, organizational units, organizations, and other resources. Identify the actual object classes used in the directories to identify these objects.
Identify the properties of the various objects that you want to synchronize among directories—that is, the attributes in the LDAP context. All the attributes of an object need not be synchronized. The properties of users that you might want to synchronize are cn, sn, uid, and mail.
Define the mapping rules. Each mapping rule has this format:
```
<srcAttrName>:<ReqdFlag>:<srcAttrType>:<SrcObjectClass>: <dstAttrName>:<dstAttrType>:<dstObjectClass>: <Mapping Rule>
```
While defining the mapping rule, ensure the following:
- Every required attribute has a sequence number. For example, if in step 3 the uid attribute is identified as required, then assign a value of 1 in place of <ReqdFlag>.
- Every relevant object class has a schema definition on the destination directory.
- Every mandatory attribute in a destination object class has a value assigned from the source. This is true for standard object classes also, as the different LDAP implementations may not be completely standards-compliant.
It is not necessary to assign all attributes belonging to a source object class to a single-destination object class. Different attributes of a source object class can be assigned to different attributes belonging to different destination object classes.

If an attribute has binary values, then specify it as binary in the <attrtype> field.

Mapping rules are flexible. They can include both one-to-many and many-to-one mappings.

One-to-many

One attribute in a connected directory can map to many attributes in the Oracle back-end directory. For example, suppose an attribute in the connected directory is Address:123 Main Street/MyTown, MyState 12345. You can map this attribute in the Oracle back-end directory to both the LDAP attribute homeAddress and the LDAP attribute postalAddress.
Many-to-one

Multiple attributes in a connected directory can map to one attribute in the Oracle back-end directory. For example, suppose that the Oracle Human Resources directory represents Anne Smith by using two attributes: firstname=Anne and lastname=Smith. You can map these two attributes to one attribute in the Oracle back-end directory: cn=Anne Smith. However, in bidirectional synchronization, you cannot then map in reverse. For example, you cannot map cn=Anne Smith to many attributes.

See Also:

The mapping file examples at the end of this chapter

9.4.8 Supported Attribute Mapping Rules and Examples

This section list the supported attribute mapping rules.

Concatenation operator (+): Concatenates two string attributes.

The mapping rule looks like:
```
Firstname,lastname:  :  :  : givenname:  : inetorgperson: firstname+lastname
```
For example, if the Firstname is John and LastName is Doe in the source, then this rule results in the givenname attribute in the destination with the value JohnDoe.
OR operator ( | ): Assigns one of the values of the two string attributes to the destination.

The mapping rule looks like this:
```
Fistname,lastname : : : :givenname: :inetorgperson: firstname | lastname
```
In this example, givenname is assigned the value of firstname if it exists. If the firstname attribute does not exist, then givenname is assigned the value of lastname. If both the values are empty, then no value is assigned.
bin2b64 ( ): Stores a binary value of the source directory as a base64 encoded value in the destination directory. Typical usage is as follows:
```
objectguid: : : :binary: :orclobjectguid: orcladuser:bin2b64(objectguid)
```
This is required when you need search on the value of (objectguid).

tolower(): Converts the String attribute value to lowercase.

firstname: : : :givenname: :inetorgperson: tolower(firstname)

toupper (): Converts the String attribute value to uppercase.

firstname: : : :givenname: :inetorgperson: toupper(firstname)

trunc(str,char): Truncates the string and removes the first occurrence of the specified char and everything that appears on the right side of the char. For example:
```
mail : : : : uid : : inetorgperson : trunc(mail,'@')
```
For example, if mail is John.Doe@example.com in the source, then this rule results in the uid attribute in the destination with the value John.Doe.
truncl(str,char): Truncates the string and removes the first occurrence of the specified char and everything that appears on the left side of the char. For example:
```
mail : : : : ou : : inetorgperson : truncl(mail,'@')
```
truncr(str,char): Truncates the string and removes the first occurrence of the specified char and everything that appears on the right side of the char. For example:
```
mail : : : : uid : : inetorgperson : truncr(mail,'@')
```
dnconvert (str): Converts DN type attributes if domain mapping is used.

This example assumes the following domain mapping rule:
```
DomainRules
cn=srcdomain:cn=dstdomain:
```
For example:
```
uniquemember : : : groupofuniquenames : uniquemember : :groupofuniquenames : dnconvert(uniquemember)
```
In this example, if uniquemember in the source is cn=testuser1,cn=srcdomain, then uniquemember in the destination becomes cn=testuser1,cn=dstdomain.
substring(String src,String startPosition,String endPosition): To return the substring starting at the <start position> and ending at the <end position> or until the end of the string, if it is not provided.
```
sn: : : person: employeenumber: : inetorgperson:substring(sn,"2","5")
sn: : : person: givenname: : inetorgperson:substring(sn,"3")
```

Literals:

Userpassword: : :person: userpassword: :person: 'password'

fsptodn: To compute a DN from a FSP (Foreign Security Principals). For example:
```
fsp : : : : dn : : top : fsptodn(fsp)
```
AccountLockOut: To lock user accounts after multiple failed bind attempts. For example:
```
pwdAccountLockedTime::::-:::AccountLockOut(pwdAccountLockedTime,<lockout-duration>, <bind-failures>)
```
For more information, see Configuring Account Locking Synchronization.
AccountDisable: To temporarily disable a user's account, then enable it again. For example, if using Oracle Unified Directory as the source and destination directory:
```
ds-pwp-account-disabled:1:::ds-pwp-account-disabled::top:
```
For more information, see Configuring Account Disabling Synchronization.
OnDemandPassword: To synchronize the password from the connected directory to the back-end directory by configuring an import profile. For example:
```
pwdLastSet : : : user : orclODIPPwdLastSet : : top : onDemandPassword(pwdLastSet)
```
For more information, see Password Synchronization.
PasswordTranslate: To synchronize the password from the back-end directory to the connected directory by configuring an export profile. For example,
```
orclodiptranslatepassword: : : : unicodepwd : : user : passswordtranslate(orclodiptranslatepassword)
```
For more information, see Password Synchronization.

9.4.9 Configuring Account Locking Synchronization

You can use the back-end directory or connected directory account lockout feature to lock user accounts after too many failed bind attempts. Once an account has been locked, that user will not be allowed to authenticate. The lockout may be temporary (automatically ending after a specified period of time) or permanent (remaining in effect until an administrator resets the user's password).

If the back-end directory and the associated connected directories are synchronized with Oracle Directory Integration Platform, and if an account on one directory is locked out then the Oracle Directory Integration Platform will also lock out the account for other directory.

Note:

Account lockout synchronization in Oracle Directory Integration Platform is supported only for Oracle Unified Directory and Oracle Directory Server Enterprise Edition back-end directories.

Topics:

9.4.9.1 Prerequisites for Account Lockout Synchronization

Complete the following before configuring account lockout synchronization.

Ensure that the back-end directory and the connected directory are time synchronized. Refer to your operating system-specific documentation for more information on time synchronization.
Ensure that the password policies for the back-end directory and the connected directory is configured to have the same properties like enabling or disabling account lockout, bind failures, and lockout duration.

For more information, see
- "Managing the Default Password Policy" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
- "Managing Password Policies" in the Oracle Fusion Middleware Administering Oracle Unified Directory.

Note:

If the password policies are not assigned to an entry, then the default value is assigned. Ensure that the source directory and the connected directory are configured to have the same default password policies.

9.4.9.2 Enabling Account Lockout Synchronization

This section describes how to enable account lockout synchronization for Oracle Unified Directory, Oracle Directory Server Enterprise Edition, or Microsoft Active Directory source directory.

You can enable account lockout synchronization, by editing the mapping rule as follow:

When the Source Directory is Oracle Unified Directory or Oracle Directory Server Enterprise Edition

To enable account lockout synchronization:

pwdAccountLockedTime::::-:::AccountLockOut(pwdAccountLockedTime, <lockout-duration>, <bind-failures>)

bind-failures: The number of failed binds after which an account can be locked out by Oracle Directory Integration Platform for the destination directory.

lockout-duration: The time that was configured for the password policies for automatic unlocking after an account is automatically locked. Ensure that the password policies in the source and destination directories have the same duration.

Example:

pwdAccountLockedTime::::-:::AccountLockOut(pwdAccountLockedTime,"300","3")

When the Source Directory is Microsoft Active Directory

You can add the following mapping rule:

lockoutTime,msds-user-account-control-computed:::user:-:::AccountLockOut(msds-user-account-control-computed,<bind-failures>)

bind-failures: The number of failed binds after which an account can be locked out by Oracle Directory Integration Platform for the destination directory.

Example:

lockoutTime,msds-user-account-control-computed:::user:-:::AccountLockOut(msds-user-account-control-computed,"3")

9.4.10 Configuring Account Disabling Synchronization

If the Administrator disables an account, then you cannot login until the Administrator enables it. You can use the back-end directory or the connected directory feature to temporarily disable a user's account, then enable it again. If the account is temporarily disabled or enabled in one directory then Oracle Directory Integration Platform will temporarily disable or enable the account in the associated directory.

You can configure account disable synchronization, by adding the mapping rules described in Table 9-4:

Note:

Account disabling synchronization in Oracle Directory Integration Platform is supported only for Oracle Unified Directory and Oracle Directory Server Enterprise Edition back-end directories.

Table 9-4 Mapping Attribute for Account Disabling Synchronization

Source Directory	Destination Directory	Mapping Rules
Oracle Unified Directory	Oracle Unified Directory	`ds-pwp-account-disabled:1:::ds-pwp-account-disabled::top:`
Oracle Directory Server Enterprise Edition	Oracle Unified Directory	`nsAccountLock:1:::ds-pwp-account-disabled::top:`
Microsoft Active Directory	Oracle Unified Directory	`userAccountControl:1:::ds-pwp-account-disabled::top:` `AccountDisable(userAccountControl)`
Oracle Unified Directory	Oracle Directory Server Enterprise Edition	`ds-pwp-account-disabled:1:::nsAccountLock::top:`
Oracle Directory Server Enterprise Edition	Oracle Directory Server Enterprise Edition	`nsAccountLock:1::: nsAccountLock::top:`
Microsoft Active Directory	Oracle Directory Server Enterprise Edition	`userAccountControl:1:::nsAccountLock::top:` `AccountDisable(userAccountControl)`
Oracle Unified Directory	Microsoft Active Directory	`modifiersName,ds-pwp-account-disabled:1:::userAccountControl::user:AccountDisable(ds-pwp-account-disabled, "544")` Oracle Directory Integration Platform uses `544` as the default value for the `userAccountControl` attribute during bootstrapping. The `ADS_UF_ACCOUNTDISABLE` attribute will be set to reflect the disabled state in the source directory. For more information on `userAccountControl` attribute, refer to the Microsoft Active Directory documentation.
Oracle Directory Server Enterprise Edition	Microsoft Active Directory	`modifiersName,nsAccountLock:1:::userAccountControl::user:AccountDisable(nsAccountLock, "544")` Oracle Directory Integration Platform uses `544` as the default value for the `userAccountControl` attribute during bootstrapping. The `ADS_UF_ACCOUNTDISABLE` attribute will be set to reflect the disabled state in the source directory. For more information on `userAccountControl` attribute, refer to the Microsoft Active Directory documentation.

Note:

To disable the user in the source directory, see:

9.4.11 Example: Mapping File for a Tagged-File Interface

This example describes a sample mapping file for importing user entries from the Oracle Human Resources database tables by using the tagged-file interface.

Note that the source is a non-LDAP directory. This sample file is supplied during installation at $ORACLE_HOME/ldap/odi/conf/oraclehragent.map.master.

DomainRules
NONLDAP:dc=metahr,dc=com:cn=%,dc=metahr,dc=com
AttributeRules
firstname: : : :cn: :person
lastname: : : :sn: :person
lastname: : : :cn: :person
email: : : :cn: :person: trunc(email,'@')
firstname,lastname: : : :cn: :person: firstname+","+lastname
firstname,lastname: : : :cn: :person: lastname+","+firstname
EmployeeNumber: : : :employeenumber: :inetOrgperson
EMail: : : :mail: :inetOrgperson
TelephoneNumber1: : : :telephonenumber: :person
TelephoneNumber2: : : :telephonenumber: :person
TelephoneNumber3: : : :telephonenumber: :person
Address1: : : :postaladdress: :person:Address1 | Address2
Address2: : : :Telephonenumber: :person:
state: : : :st: :locality
street1: : : :street: :locality
zip: : : :postalcode: :locality
town_or_city: : : :l: :locality
Title: : : :title: :organizationalperson
#Sex: : : :sex: :person
#socialsecurity: : : :ssn: :person
country: : : :c: :country
#BirthDate: : : :birthday: :organizationalperson
employeenumber:1: : :userpassword: :person: "********"+employeenumber

Note:

About Domain Mapping Rules for more information.

As described earlier, the mapping file consists of keywords and a set of domain and attribute mapping rule entries. The mapping file in this example contains the domain rule NONLDAP:dc=myCompany,dc=com:cn=%,dc=myCompany,dc=com.

This rule implies that the source domain is NONLDAP—that is, there is no source domain.
The destination domain (:dc=myCompany,dc=com) implies that all the directory entries this profile deals with are in the domain dc=myCompany,dc=com. Be sure that the domain exists before you start synchronization.
The domain mapping rule (:uid=%,dc=myCompany,dc=com) implies that the data from the source refers to the entry in the directory with the DN that is constructed using this domain mapping rule. In this case, uid must be one of the destination attributes that should always have a non null value. If any data corresponding to an entry to be synchronized has a null value, then the mapping engine assumes that the entry is not valid and proceeds to the next entry. To identify the entry correctly in the directory, it is also necessary that uid is a single value.
In the case of the tagged file, the source entry does not have an object class to indicate the type of object to which it is synchronizing. Note that the SrcObjectClass field is empty.
Every object whose destination is the Oracle back-end directory must have an object class.
Note that email is specified as a required attribute in the sample mapping file. This is because the uid attribute is derived from the email attribute. Successful synchronization requires the email attribute to be specified in all changes specified in the tagged file as follows:
```
Email : 1 : : :uid : : person : trunc(email,'@')
```

9.4.12 Example: Mapping Files for an LDIF Interface

Sample integration profiles are created as part of the Oracle Directory Integration Platform installation. The property files used to created the sample integration profiles are located in the $ORACLE_HOME/ldap/odi/samples directory.

Note:

See Configure the Mapping File for a sample import mapping file for a connected Oracle database.

The following is an example of a sample import mapping file:

Sample Import Mapping File

DomainRules
dc=mycompany.oid,dc=com:dc=mycompany.iplanet,dc=com
AttributeRules
# Mapping rules to map the domains and containers
o: : :organization: o: :organization
ou: : :organizationalUnit: ou: : organizationalUnit
dc: : :domain:dc: :domain
# Mapping Rules to map users
uid : : :person: uid: :inetOrgperson
sn: : :person:sn: :person
cn: : :person:cn: :person
mail: :inetorgperson: mail: :inetorgperson
employeenumber: :organizationalPerson: employeenumber: :organizationalperson
c: : :country:c: :country
l: : :locality: l: :locality
telephonenumber: :organizationalPerson: telephonenumber: :organizationalperson
userpassword: : :person: userpassword: :person
uid: : :person: orcldefaultProfileGroup: :orclUserV2
# Mapping Rules to map groups
cn: : :groupofuniquenames:cn: :groupofuniquenames
member: : :groupofuniquenames:member: :orclgroup
uniquemember: : :groupofuniquenames:uniquemember: :orclgroup
owner: : :groupofuniquenames:owner: :orclgroup
# userpassword: :base64:userpassword: :binary:

Notice, in the preceding example that both the source domain and destination domain are specified in the Domain Mapping rule section. In this example, the source and the destination domains are the same. However, you can specify a different destination domain, provided the container exists in the destination directory.

Also notice, in the preceding example, that the attribute rules are divided into two sections: user attribute mapping rules and group attribute mapping rules. Specifying the object class in a mapping rule helps to uniquely map a specific attribute of an object.

9.4.13 Updating Mapping Rules

You can customize mapping rules by adding new ones, modifying existing ones, or deleting some from the mapping rule set specified in the orclodipAttributeMappingRules attribute. In general, to perform any of these operations, you identify the file containing the mapping rules, or store the value of the attribute for a file by using an ldapsearch command as described in the documentation for your Oracle back-end directory.

Topics:

9.4.13.1 Adding an Entry to the Mapping Rules File

To add a new entry to the mapping rules file, edit this file and add a record to it. To do this:

Identify the connected directory attribute name and the object class that needs to be mapped to the Oracle back-end directory.
Identify the corresponding attribute name in the Oracle back-end directory and the object class to which it needs to be mapped.
Generate the mapping rule elements indicating the conversion that needs to be done on the attribute values.
Load the attribute mapping rule file to the synchronization profile using the managesyncprofiles command.
For example, if the e-mail attribute of an entry in the source directory needs to be mapped to the unique identifier of the destination, then it can be:
```
Email:  :  : inetorgperson: uid: : person:
```

9.4.13.2 Modifying an Entry in the Mapping Rules File

After you identify an entry to be modified in the mapping rules file, generate the mapping rule element for the desired conversion of attribute values.

9.4.13.3 Deleting an Entry from the Mapping Rules File

After you identify an entry to be deleted in the mapping rules file, you can either delete the entry from the file or comment it out by putting a number sign (#) in front of it.

See Also:

"Location and Naming of Files" for the names of the mapping rule files
Note 261342.1 Understanding DIP Mapping Files in My Oracle Support.

9.5 Extending Mappings Using Custom Plug-ins

You can extend mapping functionality using custom plug-ins. The oracle.ldap.odip.util.mapapi.IMapOperation Java interface is defined to support plug-ins for new mapping operations. This topic explains Oracle Directory Integration Platform support for custom plug-ins to extend mapping functionality.

Topics:

9.5.1 Writing Custom Plug-Ins

This section describes how to extend mapping functionality using custom plug-ins.

To extend mapping functionality using custom plug-ins you must implement a class in the oracle.ldap.odip.util.mapapi.plugin package and implement the oracle.ldap.odip.util.mapapi.IMapOperation interface, as follows:

package oracle.ldap.odip.util.mapapi;
 
import java.util.Vector;
 
public interface IMapOperation
{
   public Vector evaluate(Vector operands);
}

The operands argument received by the evaluate() method is a vector. Elements of the operands vector can be one of the following, based on the plug-in invocation given in the mapping rule:

Vector of values (attributes passed as argument for the plug-in)
String (String literal is passed as argument for the plug-in)
Character (Character literal)

Return type is a Vector. All elements of this Vector must be Strings or byte arrays. If you want to return a single string, a new vector of size 1 must be created and the string has to be added to it. This restriction is enforced to allow multi-valued attributes.

Note:

The Vector evaluate method can also return an empty vector (It cleans or deletes the attribute) or a null value (It keeps the current values unmodified).

For example:

cn,sn: : :person:description: :person:PLUGIN#MyPlugin(cn, sn, “Mr")

The plug-in class MyPlugin should implement Vector evaluate(Vector operands) method. As per the plug-in invocation in the above mapping rule, the following are the elements of operands:

element1 is a Vector containing all values of cn (Even if cn has only a single value)
element2 is a Vector containing all values of sn (Even if sn has only a single value)
element3 is a String literal "Mr"

For example:

package oracle.ldap.odip.util.mapapi.plugin;
 
import java.util.Vector;
 
public class MyPlugin
  implements oracle.ldap.odip.util.mapapi.IMapOperation
{
  public Vector evaluate(Vector operands)
  {
    ...
  }
}

9.5.2 Understanding Mapping Plug-In Evaluation Constraints

This section explains the Mapping plug-in evaluation constraints.

If an attribute has multiple values, the corresponding plug-in will be called only once with all the attribute values stored in a Vector. The plug-in will not be called once per each attribute value.
Empty String literals (" ") or Character literals (' ') will be ignored.
You must identify the type of each element in the vector operands of the evaluate() method and process accordingly, as per the plug-in invocation.
A combination of plug-ins and the existing mapping rule operators or functions is not supported. For example, the following combination is not supported as mapping rule:
```
Plugin#MyPlugin(cn, sn) + givenanme 
toupper(Plugin#(MyPlugin(cn,sn))
Plugin#TempPlugin1(cn) + Plugin#TempPlugin2(sn)
```
Oracle recommends that Mapping plug-in invocation in different attribute rules follow the same invocation signature. The following example is not recommended and is highly error prone because Myplugin has different invocation signatures:
```
sn: : :person:givenname: :person:PLUGIN#MyPlugin(sn,"Mr")
cn: : :person:description: :person:PLUGIN#MyPlugin(cn)
```

9.5.3 Adding Mapping Plug-Ins

You can add a mapping plug-in to Oracle Directory Integration Platform by copying the mapping plug-in JAR file.

To add a mapping plug-in to Oracle Directory Integration Platform:

If it is running, stop the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform. See Stopping the Stack.
Copy the mapping plug-in JAR file to the /APP-INF/lib/ directory in the Oracle Directory Integration Platform Managed Server. For example:
```
ORACLE_HOME/user_projects/domains/DOMAIN_NAME/servers/MANAGED_SERVER_NAME/tmp/_WL_user/DIP_VERSION_NUMBER/RANDOM_CHARACTERS/APP-INF/lib/
```
Start the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform. See Starting the Stack.

9.5.4 Applications of Mapping Plug-Ins

This section describes various applications of Mapping plug-ins.

Topics:

9.5.4.1 Support for New Mapping Operations

Applications can implement their own mapping operations that are not supported internally by the mapping framework.

Support for Conditional Mapping

Conditional Attribute Mapping Support

You can support attribute mapping based on a condition. For example, a mapping rule can be written such that, if the credential attribute is present, then orclisenabled is set to ENABLED, and, if not, orclisenabled is set to DISABLED. This logic can be supported by implementing a plug-in to assign this value. The mapping rule should be as follows:

credential: : :UserType:orclisenabled::orcluserv2:PLUGIN#ConditionalAttrBasedOnPresence(credential)

The PLUGIN# keyword must be in the attribute mapping rule for any custom plugin (in this case, ConditionalAttrBasedOnPresence).

Conditional DN Mapping Support

You can support DN container mapping based on a condition. For example, users must be mapped to container ou=sales,dc=acme,dc=com if department is Sales and mapped to container ou=IT,dc=acme,dc=com if department is IT. To support this mapping:

The DomainRules section can have a construction rule like:
```
NONLDAP:dc=acme,dc=com:cn=%,ou=%,dc=acme,dc=com
```
The AttributeRules section can have a rule with a plug-in operation to map ou as follows:
```
department: : :UserType:ou: :orcluserv2:ConditionalOUMapping(department)
```

9.5.4.2 Support for Multiple Literal Values

The current mapping framework only supports specifying a single literal value for an attribute. However, there might be a need to specify more than one literal value when an attribute can have multiple default values. For example, in case of Microsoft Exchange, there is a showInAddressBook attribute which can have more than one value. This can also be implemented using plug-ins.

9.5.5 Example Plug-In Usage

This section provides examples of plug-in usage.

Example 1: Attribute Mapping Rule

cn: : :person:initials: :person:PLUGIN#PluginSamp1(cn)

Example 1: Corresponding Plug-In Implementation

vector evaluate(Vector operands)
{ 
 Vector all_cnValues = (Vector)operands.get(0); Vector result =  new Vector();         
 //All the elements of this result must be strings.               
 return result;     
}

Example 2: Attribute Mapping Rule

cn: : :person:givenname: :person:PLUGIN#Myplugin(cn,"Mr")

Example 2: Corresponding Plug-In Implementation

Vector evaluate(Vector operands)
{
Vector all_cnValues = (Vector)operands.get(0);
String strOperand = (String)operands.get(1);
Vector result =  new Vector();
 
for(int i=0; i<all_cnValues.size(); i++)
{
String cnValue = (String) all_cnValues.get(i);
String givenNameNewValue = strOperand + cnValue;
result.add(givenNameNewVlaue);
}
//All the elements of this result must be strings.
return result;
}

Example 3: Attribute Mapping Rule

mail: : :inetorgperson:mail: :inetorgperson: Plugin#MyPlugin(mail, '@')

Example 3: Corresponding Plug-In Implementation

Vector evaluate(Vector operands)
{
    Vector all_mailValues = (Vector) operands.get(0);
    Character charOperand = (Character) operands.get(1);
    char charOperandValue = charOperand.charValue();
    
    Vector result =  new Vector();
   
    return result;
}

Example 4: Attribute Mapping Rule

cn,sn,mail: : :inetorgperson:description: :inetorgperson Plugin#MyPlugin(cn, sn, mail)

Example 4: Corresponding Plug-In Implementation

Vector evaluate(Vector operands)
{
        	Vector all_cnValues = (Vector) operands.get(0);
	        Vector all_snValues = (Vector) operands.get(1);
	        Vector all_mailValues = (Vector) operands.get(2);

        	Vector result = new Vector();
	        …
	        …
	        …

	        return result;
}

9.6 Configuring Matching Filters

By default, a connector retrieves changes to all objects in the container configured for synchronization. However, you may want to synchronize only certain types of changes, such as changes to just users and groups. While mapping rules allow you to specify how entries are converted from one directory to another, you can also filter objects that are synchronized among directories.

Before changes from a connected directory are imported into the Oracle back-end directory, they can be filtered with the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) attribute in the synchronization profile. Similarly, before changes are exported from the Oracle back-end directory to a connected directory, they can be filtered with the OID Matching Filter (orclODIPOIDMatchingFilter) attribute.

For both attributes, you can specify a filter for connected directories that either obtain incremental changes through an LDAP search or that store changes in a change log, as described in the following sections:

9.6.1 Filtering Changes with an LDAP Search

For connected directories that do not support change logs, the latest footprint of the entries are obtained by performing an LDAP search. Because an LDAP search that is performed with objectclass=* will return all entries in a given tree or subtree, to retrieve only the objects of interest for synchronization, you must provide a filter using LDAP filter syntax.

For example, you can assign a search filter to the orclOdipConDirMatchingFilter attribute. Specify the filter as searchfilter=LDAP_SEARCH_FILTER.

The following example creates an LDAP search filter that retrieves organizational units, groups, and users, but not computers:

searchfilter=(|(objectclass=group)(objectclass=organizationalUnit)
(&(objectclass=user)(!(objectclass=computer))))

9.6.2 Filtering Changes from a Change Log

This section describes the operators, which are provided by Oracle Directory Integration Platform, to specify a matching filter.

For connected directories that store changes in a change log, you can use the following simple operators to specify a matching filter for either the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) or the OID Matching Filter (orclODIPOIDMatchingFilter):

= (equal operator)
! (not equal operator)

Note:

You can use the preceding operators with either an LDAP or non-LDAP directory, provided the directory obtains incremental changes from a change log.

Connected directories that obtain incremental changes through an LDAP search can also use the preceding operators, however, you can only specify a single expression or the search will fail.

Specify the filter as searchfilter=CHANGELOG_SEARCH_FILTER.

For example, the following filter prevents syncing if a change is made by profile imp1 OR profile imp2:

searchfilter=(!(|(modifiersname=orclodipagentname=imp1,cn=subscriberprofile,cn=changelog subscriber,cn=products,cn=oraclecontext)(modifiersname=orclodipagentname=imp2,cn=subscriberprofile,cn=changelog subscriber,cn=products,cn=oraclecontext)))

For connected directories that store changes in a change log, a matching filter can synchronize changes for only the attributes that appear in the change log. If you include attributes in a matching filter that do not appear in the change log, the search operation will fail. For this reason, matching filters are of limited use for connected directories that store incremental changes in a change log.

9.7 Location and Naming of Files

This section lists where to find the various files used during synchronization.

By default, when file based interfaces (Tagged/LDIF) are used for synchronization, the files are read from and written to the following locations.

Table 9-5 Location and Names of Files

File	File Name
Import data file	`$`ORACLE_HOME/ldap/odi/data/import/Profile_Name.dat
Export data file	$ORACLE_HOME/ldap/odi/data/export/Profile_Name.dat

For example, the name of the data file of the Oracle Human Resources profile is oraclehrprofile.dat.

9.8 Password Synchronization

Using the Oracle Directory Integration Platform password synchronization functionality, you can maintain a single password across the back-end directory and the connected directory.

Topics:

Note:

Oracle recommends using the SSL connection to synchronize the password for the back-end directory and the connected directory.

9.8.1 Understanding Password Synchronization Mechanism

Password synchronization differs depending on the back-end directory and the connected directory due to different configuration mode and deployment mode. Oracle Directory Integration Platform provides several mechanisms to synchronize passwords depending on the selected back-end directory and connected directory.

Oracle Directory Integration Platform supports the following password mechanism:

Enabling the Oracle Internet Directory Password policy: To synchronize passwords from Oracle Internet Directory to a non Oracle Internet Directory connected directory, you must enable the password policy and you may have to enable reversible password encryption in the Oracle Internet Directory server. For more information, see Enable Password Synchronization from the Oracle Back-end Directory to a Connected Directory.
Delegated Authentication: External authentication plug-ins, such as the Microsoft Active Directory external authentication plug-in, are available for the back-end directory and enable users to log in to the Oracle environment by using their Microsoft Windows credentials.
- Oracle Internet Directory External Authentication Plug-ins: To synchronize passwords from Oracle Internet Directory to a non Oracle Internet Directory connected directory using Java-based external authentication plug-ins. For more information, see Configuring External Authentication Plug-ins.
- Pass-Through Authentication: Pass-through authentication (PTA) is a mechanism by which bind requests are filtered by bind DN. One Directory Server (the delegator) receives the bind request and, based on the filter, can consult another Directory Server (the delegate) to authenticate bind requests. As part of this functionality, the PTA plug-in enables the delegator Directory Server to accept simple password-based bind operations for entries that are not necessarily stored in its local database. A typical scenario for pass-through authentication involves passing authentication through to Active Directory for users coming from Oracle Unified Directory or Oracle Directory Server Enterprise Edition. For more information, see:
  - The section "Understanding Pass-Through Authentication" in the Oracle Fusion Middleware Administering Oracle Unified Directory.
  - The section "Pass-Through Authentication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
Oracle Password Filter: To synchronize password only from Microsoft Active Directory to a back-end directory using the Oracle Password Filter. For more information, see Deploying the Oracle Password Filter for Microsoft Active Directory.
Synchronization using password hashing techniques: To synchronize password from Oracle Directory Integration Platform to Oracle Unified Directory or Oracle Directory Server Enterprise Edition.

Oracle Unified Directory and Oracle Directory Server Enterprise Edition support the same set of password hashing techniques. To synchronize passwords between Oracle Directory Integration Platform and Oracle Directory Server Enterprise Edition:
- Ensure that SSL server authentication mode is configured for both directories, as described in Configuring Oracle Unified Directory (SSL) for Oracle Directory Integration Platform.
- Ensure that the following mapping rule exists in the mapping file:
```
Userpassword: : :person:userpassword: :person
```
For more information on Oracle Directory Server Enterprise Edition hashing synchronization, see Understanding How to Synchronize Passwords for Oracle Directory Server Enterprise Edition.
On-Demand Password: To synchronize the password from a connected directory to Oracle Unified Directory or Oracle Directory Server Enterprise Edition back-end directories. You can synchronize the password from the connected directory to the back-end directory by configuring an import profile. For more information, see:
- Synchronizing Password from a Connected Directory to the Oracle Unified Directory using On-Demand Password
- Synchronizing Password from a Connected Directory to the Oracle Directory Server Enterprise Edition using On-Demand Password
Password Translate: To synchronize the password from a Oracle Unified Directory or Oracle Directory Server Enterprise Edition back-end directory to a connected directory. You can synchronize the password from the back-end directory to the connected directory by configuring an export profile. For more information, see:
- Synchronizing Password from the Oracle Unified Directory to a Connected Directory using Password Translate
- Synchronizing Password from the Oracle Directory Server Enterprise Edition to a Connected Directory Using Password Translate

Table 9-6 lists the password synchronization mechanism options for the Oracle Directory Integration Platform supported directory server.

Table 9-6 Password Synchronization Mechanism

Source	Destination	Supported Password Synchronization Mechanisms
Oracle Unified Directory	Oracle Unified Directory	Oracle Unified Directory (Destination directory) pass-through authentication On-Demand Password Password Translate Synchronization using password hashing techniques
Oracle Unified Directory	Oracle Internet Directory	Oracle Internet Directory External Authentication Plug-ins Password Translate Synchronization using password hashing techniques
Oracle Unified Directory	Oracle Directory Server Enterprise Edition	Oracle Directory Server Enterprise Edition (Destination Directory) pass-through authentication On-Demand Password Password Translate Synchronization using password hashing techniques
Oracle Unified Directory	Microsoft Active Directory	Password Translate
Oracle Internet Directory	Oracle Unified Directory	Enabling the Oracle Internet Directory password policy. Oracle Unified Directory (Destination Directory) pass-through authentication Synchronization using password hashing techniques
Oracle Internet Directory	Oracle Internet Directory	Enabling the password policy. Oracle Internet Directory External Authentication Plug-ins Synchronization using password hashing techniques
Oracle Internet Directory	Oracle Directory Server Enterprise Edition	Enabling the password policy. Oracle Directory Server Enterprise Edition (Destination Directory) pass-through authentication Synchronization using password hashing techniques
Oracle Internet Directory	Microsoft Active Directory	Enabling the password policy and reversible password encryption.
Oracle Directory Server Enterprise Edition	Oracle Unified Directory	Oracle Unified Directory (Destination Directory) pass-through authentication On-Demand Password Password Translate Synchronization using password hashing techniques
Oracle Directory Server Enterprise Edition	Oracle Internet Directory	Oracle Internet Directory External Authentication Plug-ins Password Translate Synchronization using password hashing techniques
Oracle Directory Server Enterprise Edition	Oracle Directory Server Enterprise Edition	Oracle Directory Server Enterprise Edition (destination directory) pass-through authentication On-Demand Password Password Translate Synchronization using password hashing techniques
Oracle Directory Server Enterprise Edition	Microsoft Active Directory	Password Translate
Microsoft Active Directory	Oracle Unified Directory	On-Demand Password Oracle Password Filter
Microsoft Active Directory	Oracle Internet Directory	Oracle Internet Directory External Authentication Plug-ins Oracle Password Filter
Microsoft Active Directory	Oracle Directory Server Enterprise Edition	On-Demand Password Oracle Password Filter

9.8.2 Configuring Password Synchronization for Oracle Unified Directory

You can synchronize the password between the connected directory to the Oracle Unified Directory used as the back-end directory.

Topics:

Note:

Ensure that you configured Oracle Unified Directory for Oracle Directory Integration Platform using dipConfigurator setup command, as described in Configuring the Oracle WebLogic Server Domain for Oracle Directory Integration Platform with Oracle Unified Directory.

9.8.2.1 Synchronizing Password from a Connected Directory to the Oracle Unified Directory using On-Demand Password

You can synchronize the password from a connected directory to Oracle Unified Directory by configuring an import profile. To do so, complete the following steps:

Configure the Oracle Directory Integration Platform plug-ins by running the dipConfigurator setupPlugin command on the command line and enter the following arguments:

Table 9-7 setupPlugin Properties

Argument	Definition
`wlshost`	Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed. The default value is `localhost`.
`wlsport`	Listening port number of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed. The default value is `7001`.
`wlsuser`	Oracle WebLogic Server login ID.
`ldaphost`	Oracle Unified Directory host name. The default value is `localhost`.
`ldapport`	Oracle Unified Directory server port number. The default value is `636`.
`isldapssl`	Enable or disable SSL. The default value is `true`.
`ldapuser`	The bind DN to connect to the directory. The default value is `cn=Diretory Manager`.
`ldapadminport`	The administration port number of the Oracle Unified Directory to which you want to connect. The default port number is `4444`.

Note:

You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.

Example:

$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444

Create an attribute mapping rule using the Oracle Enterprise Manager Fusion Middleware Control:
1. Log in to the Oracle Enterprise Manager Fusion Middleware Control.
2. In the navigation panel on the left, click or expand Identity and Access and then select the DIP component where you want to edit the synchronization profile.
3. Click the DIP Server menu, point to Administration, and then select the synchronization profile you created for Oracle Unified Directory.
4. Click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
5. Select the Mapping tab.
6. In the Attribute Mapping Rules section select the Create icon.
  
  The Add Attribute Mapping Rule screen is displayed.
7. Enter the following parameters:
  - Source ObjectClass: Select the required option. For example, select User if you are using Microsoft Active Directory as the connected directory.
  - Attribute(s): Select pwdLastSet.
  - DIP-OUD ObjectClass: Select top.
  - DIP-OUD Attribute: Select orclodippwdlastset.
  - Mapping Expression: Depending on the connected directory select an option. For example:
    
    Microsoft Active Directory: onDemandPassword(pwdLastSet)
    
    Oracle Unified Directory: onDemandPassword(pwdChangedTime)
    
    Oracle Directory Server Enterprise Edition: onDemandPassword(pwdChangedTime)
    
    Note:
    
    The onDemandPassword attribute is available, if the password expiration is configured for Oracle Directory Server Enterprise Edition. For more information, see "Policy for Password Expiration" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
  Click OK.
  
  You can click the Validate All Mapping Rules button to test your mapping rules.
Note:

You can also edit the mapping rules by adding the following attribute mapping rule:
```
pwdLastSet : : : user : orclODIPPwdLastSet : : top : onDemandPassword(pwdLastSet)
```
For more information, see Adding an Entry to the Mapping Rules File.

9.8.2.2 Synchronizing Password from the Oracle Unified Directory to a Connected Directory using Password Translate

You can synchronize the password from Oracle Unified Directory (back-end directory) to a connected directory by configuring an export profile. To do so, complete the following steps:

If the Oracle Directory Integration Platform plug-ins is not configured, then you must run the dipConfigurator setupPlugin command on the command line:
```
$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
```
For more information on the arguments, see Table 9-7.

Note:

Do not run the dipConfigurator setupPlugin command if you have already executed the command in Synchronizing Password from a Connected Directory to the Oracle Unified Directory using On-Demand Password.

Run dipConfigurator setupPasswordTranslation command on the command line:

$ORACLE_HOME/bin/dipConfigurator setupPasswordTranslation -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444

For more information on the arguments, see Table 9-7.

Note:

You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.

Create an attribute mapping rule using the Oracle Enterprise Manager Fusion Middleware Control:
1. Log in to Oracle Enterprise Manager Fusion Middleware Control.
2. In the navigation panel on the left, click or expand Identity and Access and then select the DIP component where you want to edit the synchronization profile.
3. Click the DIP Server menu, point to Administration, and then select the synchronization profile you created for Oracle Unified Directory.
4. Click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
5. Select the Mapping tab.
6. In the Attribute Mapping Rules section select the Create icon.
  
  The Add Attribute Mapping Rule screen is displayed.
7. Enter the following parameters:
  - Source ObjectClass: Select the required option. For example, select User if you are using Microsoft Active Directory as the connected directory.
  - Attribute(s): Select unicodepwd.
  - DIP-OUD ObjectClass: Select top.
  - DIP-OUD Attribute: Select orclodiptranslatepassword.
  - Mapping Expression: Enter orclODIPTranslatePassword.
  Click OK.
  
  You can click the Validate All Mapping Rules button to test your mapping rules.
Note:

You can also edit the mapping rules by adding the following attribute mapping rule:
```
orclodiptranslatepassword: : : : unicodepwd : : user : passswordtranslate(orclodiptranslatepassword)
```
For more information, see Adding an Entry to the Mapping Rules File.

9.8.3 Configuring Password Synchronization for Oracle Directory Server Enterprise Edition

This is an optional step, you can import or export the password from the connected directory to the Oracle Directory Server Enterprise Edition used as the back-end directory.

Topics:

9.8.3.1 Synchronizing Password from a Connected Directory to the Oracle Directory Server Enterprise Edition using On-Demand Password

You can synchronize the password from a connected directory to Oracle Directory Server Enterprise Edition by configuring an import profile. To do so, complete the following steps:

Configure the Oracle Directory Integration Platform plug-ins by running the dipConfigurator setupPlugin (<ORACLE_HOME>/bin) command on the command line and enter the following arguments:

Table 9-8 setupPlugin Properties

Argument	Definition
`wlshost`	Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed. The default value is `localhost`.
`wlsport`	Listening port number of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed. The default value is `7001`.
`wlsuser`	Oracle WebLogic Server login ID.
`ldaphost`	Oracle Directory Server Enterprise Edition host name. The default value is `localhost`.
`ldapport`	Oracle Directory Server Enterprise Edition server port number. The default value is `636`.
`isldapssl`	Enable or disable SSL. The default value is `true`.
`ldapuser`	The bind DN to connect to the directory. The default value is `cn=Diretory Manager`.
`ldapadminport`	The administration port number of the Oracle Unified Directory to which you want to connect. The default port number is `4444`.

Example:

$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 636 -ldapuser "cn=Directory Manager" -isldapssl true

Note:

You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.

Restart the directory server instance:
```
dsadm restart
```
Create an attribute mapping rule using the Oracle Enterprise Manager Fusion Middleware Control:
1. Log in to the Oracle Enterprise Manager Fusion Middleware Control.
2. In the navigation panel on the left, click or expand Identity and Access and then select the DIP component where you want to edit the synchronization profile.
3. Click the DIP Server menu, point to Administration, and then select the synchronization profile you created for Oracle Directory Server Enterprise Edition.
4. Click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
5. Select the Mapping tab.
6. In the Attribute Mapping Rules section select the Create icon.
  
  The Add Attribute Mapping Rule screen is displayed.
7. Enter the following parameters:
  - Source ObjectClass: Select the required option. For example, select User if you using Microsoft Active Directory as the connected directory.
  - Attribute(s): Select pwdLastSet.
  - DIP-ODSEE ObjectClass: Select operational attributes.
  - DIP-ODSEE Attribute: Select orclodippwdlastset.
  - Mapping Expression: Enter onDemandPassword(pwdChangedTime) as the mapping expression.
  Click OK.
  
  You can click the Validate All Mapping Rules button to test your mapping rules.
Add the following attribute mapping rule to the synchronization profile:
```
pwdLastSet : : : user : orclODIPPwdLastSet : : top : onDemandPassword(pwdLastSet)
```
The orclSourceObjectDN attribute is needed by the plug-ins. It belongs to several objectClasses: orclSunOneObject, orclADObject, orclNDSObject, orclOpenLDAPObject, and orclTDSObject. A rule assigning this value must be included in the (import) profile, although the templates already include it. For example:
```
targetdn: : :top:orclSourceObjectDN: :orclADObject:
```
For more information, see Adding an Entry to the Mapping Rules File.

9.8.3.2 Synchronizing Password from the Oracle Directory Server Enterprise Edition to a Connected Directory Using Password Translate

You can synchronize the password from Oracle Directory Server Enterprise Edition (back-end directory) to a connected directory by configuring an export profile. To do so, complete the following steps:

Configure the Oracle Directory Integration Platform plug-ins by running the dipConfigurator setupPlugin (<ORACLE_HOME>/bin) command on the command line:
```
$ORACLE_HOME/bin/dipConfigurator setupPlugin -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 636 -ldapuser "cn=Directory Manager"
```
For more information on the arguments, see Table 9-8.
Restart the directory server instance:
```
dsadm restart
```
Run dipConfigurator setupPasswordTranslation (<ORACLE_HOME>/bin) command on the command line:
```
$ORACLE_HOME/bin/dipConfigurator setupPasswordTranslation -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseelocalhost -ldapport 636 -ldapuser "cn=Directory Manager" -isldapssl true
```
For more information on the arguments, see Table 9-8.

Note:

You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.
Edit the attribute mapping rule using the Oracle Enterprise Manager Fusion Middleware Control:
1. Log in to Oracle Enterprise Manager Fusion Middleware Control.
2. In the navigation panel on the left, click or expand Identity and Access and then select the DIP component where you want to edit the synchronization profile.
3. Click the DIP Server menu, point to Administration, and then select the synchronization profile you created for Oracle Directory Server Enterprise Edition.
4. Click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
5. Select the Mapping tab.
6. In the Attribute Mapping Rules section select the Create icon.
  
  The Add Attribute Mapping Rule screen is displayed.
7. Enter the following parameters:
  - Source ObjectClass: Select the required option. For example, select User if you using Microsoft Active Directory as the connected directory.
  - Attribute(s): Select unicodepwd.
  - DIP-ODSEE ObjectClass: Select operational attributes.
  - DIP-ODSEE Attribute: Select orclodiptransalepassword.
  - Mapping Expression: Enter orclODIPTranslatePassword as the mapping expression.
  Click OK.
  
  You can click the Validate All Mapping Rules button to test your mapping rules.
Note:

You can also edit the mapping rules by adding the following attribute mapping rule:
```
orclodiptranslatepassword: : : top : unicodepwd : : user : passswordtranslate(orclodiptranslatepassword)
```
For more information, see Adding an Entry to the Mapping Rules File.

9.8.4 Configuring Password Synchronization for Oracle Internet Directory

To synchronize passwords from Oracle Internet Directory to a connected directory, you must enable the password policy and you may have to enable reversible password encryption in the Oracle Internet Directory server.

For example, IBM Tivoli Directory Server and Oracle Directory Server Enterprise Edition support similar hashing algorithms as Oracle Internet Directory. Therefore, to synchronize passwords from Oracle Internet Directory to IBM Tivoli Directory Server or Oracle Directory Server Enterprise Edition, you must enable only the password policy in the Oracle Internet Directory server.

However, to synchronize passwords from Oracle Internet Directory to Microsoft Active Directory or Novell eDirectory, which both do not support similar hashing algorithms as Oracle Internet Directory, you must enable the password policy and reversible password encryption in the Oracle Internet Directory server.

Note:

Oracle Internet Directory supports multiple password policies in each realm, commonly known as Fine-Grained Password Policies.

See, the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for more information about Fine-Grained Password Policies.

To enable the password policy, assign a value of 1 to the orclPwdPolicyEnable attribute in the appropriate container. To enable reversible password encryption in the Oracle Internet Directory server, assign a value of 1 to the orclpwdEncryptionEnable attribute in the appropriate container.

For example, to enable the password policy and reversible password encryption on the default policy for a realm, assign a value of 1 to the orclPwdPolicyEnable and orclpwdEncryptionEnable attributes in the following entry:

cn=default,cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,Realm_DN

You can do this by using ldapmodify and uploading an LDIF file containing the following entries:

dn: cn=default,cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,Realm_DN
changetype: modify
replace: orclpwdpolicyenable
orclpwdpolicyenable: 1
-
replace: orclpwdencryptionenable
orclpwdencryptionenable: 1

See Also:

Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on managing Oracle Internet Directory password policies.