Integrating with Novell eDirectory or OpenLDAP

25 Integrating with Novell eDirectory or OpenLDAP

This chapter outlines the procedures for integrating Oracle Identity Management with Novell eDirectory or OpenLDAP in a production environment.

Topics:

Note:

Before continuing with this chapter, you should be familiar with the concepts presented in previous chapters. The following chapters in particular are important:

Synchronization is supported between Oracle Fusion Middleware 14c (14.1.2.1.0) and Novell eDirectory 8.6.2 or later or OpenLDAP 2.2.

25.1 Verify Synchronization Requirements for Novell eDirectory or OpenLDAP

Before configuring basic or advanced synchronization with Novell eDirectory or OpenLDAP, ensure that your environment meets the necessary synchronization requirements.

You must complete the steps described in "Verifying Synchronization Requirements".

Note:

To reconcile correctly, additions and deletions must be performed from only one of the synchronized directories. In other words, you can perform additions and deletions from the Oracle back-end directory or eDirectory/OpenLDAP, but not both. However, modifications can be performed from either directory.

25.2 Configuring Basic Synchronization with Novell eDirectory or OpenLDAP

You can use the expressSyncSetup command to quickly establish synchronization between the Oracle back-end directory and Novell eDirectory or OpenLDAP.

The expressSyncSetup command uses default settings to automatically perform all required configurations. To use the expressSyncSetup command to synchronize with Novell eDirectory or OpenLDAP, refer to "Creating Import and Export Synchronization Profiles Using expressSyncSetup".

25.3 Synchronizing Multiple Profiles from eDirectory or OpenLDAP to One Oracle Back-end Directory Container

When synchronizing multiple profiles from eDirectory or OpenLDAP to one Oracle back-end directory container, you must filter out only the specific users to be reconciled to prevent the reconciliation process from inadvertently deleting users.

You can filter out only the specific users to be reconciled by performing either of the following steps:

Modify the mapping rule so each profile creates the user in a different container. Refer to "Customizing Mapping Rules" for more information.
Modify the reconciliation rules in the mapping file to synchronize only a specific subset of users. Refer to "About How to Define a Reconciliation Rule?" for more information.

25.4 Configuring Advanced Integration with Novell eDirectory or OpenLDAP

You can use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles from the templates.

The import and export synchronization profiles created with expressSyncSetup are only intended as a starting point for you to use when deploying your integration of the Oracle back-end directory and Novell eDirectory or OpenLDAP. Because these synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps:

Note:

When you install Oracle Directory Integration Platform, import and export template files (ORACLE_HOME/ldap/odi/conf) are created for each of the supported directories. The template files created for Novell eDirectory are:

Novell eDirectoryImp—The profile for importing changes from Novell eDirectory to the Oracle back-end directory.
Novell eDirectoryExp—The profile for exporting changes from the Oracle back-end directory to Novell eDirectory.

The synchronization profiles templates created for OpenLDAP are:

OpenLDAPImport—The profile for importing changes from OpenLDAP to the Oracle back-end directory.
OpenLDAPExport—The profile for exporting changes from the Oracle back-end directory to OpenLDAP.

25.4.1 Understanding How to Plan Integration with Novell eDirectory or OpenLDAP

Plan your integration by reading Connected Directory Integration Concepts and Considerations, particularly "Novell eDirectory and OpenLDAP Integration Concepts". Be sure to create a new profile by copying the existing eDirectory or OpenLDAP template profile by following the instructions in “Creating Synchronization Profiles”.

25.4.2 About Realm Configuration for Novell eDirectory or OpenLDAP

Configure the realm by following the instructions in "Configuring the Realm".

25.4.3 Customize the Search Filter to Retrieve Information from Novell eDirectory or OpenLDAP

By default, the Novell eDirectory or OpenLDAP Connector retrieves changes to all objects in the container based on the modifytimestamp attribute. If you are interested in retrieving changes to specific types of objects, such as changes to users and groups, then you should configure an LDAP search filter. This filter screens out changes that are not required when the Novell eDirectory or OpenLDAP Connector queries Novell eDirectory or OpenLDAP. The filter is stored in the connected directory matching filter attribute (orclodipcondirmatchingfilter) in the synchronization profile.

The Novell eDirectory and OpenLDAP sample import profiles are configured to retrieve changes to users, groups, and container objects from Novell eDirectory and OpenLDAP, respectively. Computers are not retrieved. The value of the searchfilter attribute is set as follows:

searchfilter=(&(!(modifiersname=connected_dir_account))
(|(objectclass=domain)(objectclass=organizationalunit)
(objectclass=organization)(objectclass=person) (objectclass=groupofnames)))

You use the update operation of the manageSyncProfiles command to update the searchfilter attribute if you want to synchronize entries other than users or groups. For example, the following command updates the searchfilter attribute to synchronize only users and groups:

manageSyncProfiles -operation update -profile profile_name odip.profile.condirfilter searchfilter= (|(objectclass=groupofnames)(objectclass=person))

Note:

All attributes specified in the searchfilter attribute should be configured as indexed attributes in Novell eDirectory or OpenLDAP.
Refer to "Managing Synchronization Profiles Using manageSyncProfiles" for more information about the manageSyncProfiles command.

25.4.4 Understanding the ACLs Customization for Novell eDirectory or OpenLDAP

Customize ACLs as described in "Customizing Access Control Lists".

25.4.5 Customize Attribute Mappings for Novell eDirectory

When integrating with Novell eDirectory, the following attribute-level mapping is mandatory for all objects:

GUID:1: : :orclNDSObjectGUID: :orclndsObject:bin2b64(guid)
Modifytimestamp:1 : : :orclsourcemodifytimestamp: :orclndsobject:
Createtimestamp:1 : : :orclsourcecreatetimestamp: :orclndsobject:
Targetdn:1: : :orclsourceobjectdn: : orclndsobject:

When integrating with OpenLDAP, the following attribute-level mapping is mandatory for all objects:

entryuuid:1: : : orclOpenLdapEntryUUID: : orclOpenLdapObject:
Modifytimestamp:1 : : :orclsourcemodifytimestamp: : orclOpenLdapObject:
Createtimestamp:1 : : :orclsourcecreatetimestamp: : orclOpenLdapObject:
Targetdn:1: : :orclsourceobjectdn: : orclOpenLdapObject:

Example 25-1 Attribute-Level Mapping for the User Object in Novell eDirectory or OpenLDAP

Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:

Example 25-2 Attribute-Level Mapping for the Group Object in Novell eDirectory or OpenLDAP

cn:1: :groupofname: cn: : groupofuniquenames:

In the preceding examples, Cn and sn from Novell eDirectory or OpenLDAP are mapped to cn and sn in the Oracle back-end directory.

Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".

25.4.6 Customizing the Novell eDirectory or OpenLDAP Connector to Synchronize Deletions

Synchronizing deletions from Novell eDirectory or OpenLDAP in the Oracle back-end directory is handled with the reconciliation approach, as described in "About Synchronization from Novell eDirectory or OpenLDAP to the Oracle Back-end Directory". Because the reconciliation process is time and CPU intensive, by default, reconciliation occurs at a 3600 second (or 1 hour) interval. You can modify the length of this interval according to your environment by using the manageSycnProfiles command and -params option to modify the odip.profile.reconciliationtimeinterval parameter.

To avoid decreased performance on the server when synchronizing deletions from Novell eDirectory or OpenLDAP in the Oracle back-end directory, you can customize the comparison to search specific subsets of the DIT. You specify the subset search criteria as part of the map file by using the ReconciliationRules keyword.

The default reconciliation rules for Novell eDirectory are as follows:

inetorgperson:cn:*
groupofnames:cn:*

The default reconciliation rules for OpenLDAP are as follows:

inetorgperson:cn:*
groupofuniquenames:cn:*

Note:

For more information, see:

The preceding rules specify that the search criteria be applied in the following two steps:

Search for all entries in the inetorgperson object class. You can also specify different subsets within this rule according to the attribute values.
Search for all entries in the groupofnames object class in Novell eDirectory or in the groupofuniquenames object class in OpenLDAP.

25.4.7 About How to Define a Reconciliation Rule?

You define a reconciliation rule with one object class, one attribute, and any number of values. You can use any attribute that is synchronized with the Oracle back-end directory to define a reconciliation rule. However, you must observe the following two requirements:

The attribute of the specified object class must be defined in the mapping rules.
The corresponding Oracle back-end directory attribute must be indexed.

For example, consider the following reconciliation rule:

myobjclass:myattr:val1:val2:val3

In the preceding reconciliation rule, the name of the object class is myobjclass and the name of the attribute is myattr. You can assign values of val1, val2, or val3 to the myattr attribute. To use the myattr attribute, the following mapping rule must be defined:

myattr: : : myobjclass:attr: :objclass:

The preceding mapping rule defines the myattr attribute in the myobjclass object class, and attr is the corresponding Oracle back-end directory attribute that should be indexed.

25.4.8 Reconciliation Rules Used to Synchronize Deletions?

Defining reconciliation rules generates search filters that query Novell eDirectory or OpenLDAP to determine the number of deleted entries. For example, with the myobjclass and attr reconciliation rule example in the previous section, the following search filters are generated in Novell eDirectory or OpenLDAP:

(&(objectclass= myobjclass) (createtimestamp<=orclodipreconciliationtimestamp) (myattr=val1))
(&(objectclass= myobjclass) (createtimestamp<= orclodipreconciliationtimestamp) (myattr=val2))
(&(objectclass= myobjclass)(createtimestamp<= orclodipreconciliationtimestamp)(myattr=val3))

The reconciliation rule and mapping rule also generate corresponding filters in the Oracle back-end directory. For example, the following Oracle back-end directory filters are generated for the myobjclass and attr reconciliation rule:

(&(objectclass= objclass) (orclndsobjectguid=*)(orclSourceCreateTimeStamp<= orclodipreconciliationtimestamp)(attr=val1))
(&(objectclass= objclass) (orclndsobjectguid=*)(orclSourceCreateTimeStamp<= orclodipreconciliationtimestamp)(attr=val2))
(&(objectclass= objclass) (orclndsobjectguid=*)(orclSourceCreateTimeStamp<= orclodipreconciliationtimestamp)(attr=val3))

25.4.9 Synchronization Parameters for the Advanced Configuration Information Attribute

The Advanced Configuration Information (orclodipAgentConfigInfo) attribute in a synchronization profile stores any additional configuration information needed by a connector to synchronize the Oracle back-end directory with a connected directory. You can use the SearchDeltaSize and SkipErrorToSyncNextChange parameters with any connected directory.

For Novell eDirectory and OpenLDAP, you can also use the parameters listed in Table 25-1 to specify additional configuration information.

Tip:

Refer to the Advanced tab section in “Creating Synchronization Profiles” for a description of all Advanced Configuration parameters for synchronization profiles.

Table 25-1 Novell eDirectory and OpenLDAP Synchronization Parameters for the Advanced Configuration Information Attribute

Parameter	Description
`AttributeType`	Indicates the type of the `UniqueAttribute` parameter. You assign to this parameter a value of `Binary` for Novell eDirectory or `nonBinary` for OpenLDAP. This parameter is used to obtain the corresponding Oracle back-end directory attribute for the attribute that is defined in the mapping file.
`SearchTimeDeltaInSeconds`	This parameter is applicable only for eDirectory and OpenLDAP, which handle synchronization based on timestamps and do not support changelog. Search Time Delta Size in seconds determines the time interval for processing changes during each synchronization cycle iteration. The default value is 3600. The number of iterations performed during each synchronization cycle depend on the number of pending changes. For example, if the Search Time Delta In Seconds parameter is set to 60 and there are changes pending for about one minute, synchronization will require a single iteration. If changes are pending for three minutes, synchronization will require three iterations. When the number of changes per minute is small, you will experience better synchronization efficiency by setting Search Time Delta Size in seconds to a higher value. Be sure the value you set for the Search Time Delta In Seconds parameter does not exceed the LDAP search limit of the connected directory server. Otherwise, you may receive an error during synchronization and some changes may not be processed.
`CheckAllEntries`	Determines how deleted entries in Novell eDirectory or OpenLDAP are synchronized with the Oracle back-end directory. If you assign a value of `true` to this parameter, the Oracle Directory Integration Platform identifies deleted entries by performing a linear comparison between the entries in the Oracle back-end directory and Novell eDirectory or OpenLDAP. If an entry does not exist in Novell eDirectory or OpenLDAP, the entry is deleted from the Oracle back-end directory. If you assign a value of `false` to this parameter, deleted entries are synchronized according to the difference between the number of entries in the connected directory and the number of entries in the Oracle back-end directory. If the number of deleted entries is 0 or less than 0, then there are no deleted entries to synchronize. However, if the number of deleted entries is greater than 0, then the Oracle Directory Integration Platform compares each entry in the Oracle back-end directory with Novell eDirectory or OpenLDAP to identify the deleted entries to synchronize. The Oracle Directory Integration Platform continues to compare entries until it locates the same number of deleted entries as the difference between the number of entries in the connected directory and the number of entries in the Oracle back-end directory. For better performance, you should assign a value of `false` to this parameter.
`ReduceFilterTimeInSeconds`	Specifies the time difference between the computer that is running the Oracle back-end directory and the computer that is running Novell eDirectory. This parameter is necessary because synchronization between the Oracle back-end directory and Novell eDirectory will not function properly if the time on the Novell eDirectory computer is earlier than the time on the Oracle back-end directory computer. You assign to this parameter a value in seconds that is equal to the time difference between the two computers. The default value is 0. If one computer's clock is drifting apart from the other, then must periodically update this value, by keeping the clocks synchronized using the Network Time Protocol (NTP).
`UniqueAttribute`	Identifies the unique attribute in Novell eDirectory or OpenLDAP that can be used to search for an entry. You assign to this parameter a value of `GUID` for Novell eDirectory or `entryuuid` for OpenLDAP.
`Reconciler`	Identifies the class used by the profile for reconciliation purposes.

25.4.10 Configuring the OpenLDAP Connector to Synchronize Passwords

You cannot synchronize passwords from Novell eDirectory to the Oracle back-end directory. You can, however, synchronize passwords from OpenLDAP to the Oracle back-end directory.

Going the other direction, the Oracle Directory Integration Platform can synchronize password changes from the Oracle back-end directory to Novell eDirectory or OpenLDAP only when the directories are running SSL server-side authentication and only when the Oracle back-end directory is Oracle Internet Directory.

Note:

The Oracle back-end directory requires that the password be a minimum of 5 characters. If any OpenLDAP passwords are less than 5 characters, the password synchronization to the Oracle back-end directory will fail.

Perform the following tasks to synchronize passwords from OpenLDAP to the Oracle back-end directory:

Add a mapping rule that enables password synchronization. For example:
```
userpassword: : : inetorgperson: userpassword: person
```
(Optional) This step is only required if the hashing algorithm in OpenLDAP is not compatible with the hashing algorithm in Oracle Internet Directory.
WARNING:

Completing this step will save the userpassword attribute in OpenLDAP as a plain-text password.

Enable the password policy and reversible password encryption in the Oracle directory server. To do this, assign a value of 1 to the orclPwdPolicyEnable and orclpwdEncryptionEnable attributes in the entry cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,DN_of_realm. You can do this by using ldapmodify and uploading an LDIF file containing the following entries:
```
dn:cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,DN_of_realm.
changetype: modify
replace: orclpwdpolicyenable
orclpwdpolicyenable: 1
-
replace: orclpwdencryptionenable
orclpwdencryptionenable: 1
```

25.4.11 Synchronize the Novell eDirectory or OpenLDAP connector in SSL Mode

Configure the Novell eDirectory or OpenLDAP connector for synchronization in SSL mode by following the instructions in "Configuring the Connected Directory Connector for Synchronization in SSL Mode".

25.4.12 Configure the Novell eDirectory or OpenLDAP External Authentication Plug-in

Configure the Novell eDirectory or OpenLDAP external authentication plug-in by following the instructions in "Configuring External Authentication Plug-ins".

25.4.13 Perform Post-Configuration and Administrative Tasks

This section describes the task you must complete after configuring advanced integration with Novell eDirectory or OpenLDAP.

See Managing Integration with a Connected Directory for information on post-configuration and ongoing administration tasks.