A Transitioning Synchronization Services
You can find information to configure DIP to synchronize the directory server sources to function as they previously functioned with ISW, in the following sections:
A.1 Understanding the Transition to Oracle Directory Integration Platform
The transition process described here, enables you to replace an existing deployment of Identity Synchronization for Windows with Oracle Directory Integration Platform.
The following sections can help you understand and plan this transition:
A.1.1 Transition Components
Learn about the transition process in the various components listed in this section and view the DIP certification matrix.
This transition process covers the following components:
-
Identity Synchronization for Windows 6.0 Service Pack 1 11g Release 1
ISW is a component of Oracle Directory Server Enterprise Edition (ODSEE), formerly Sun Java System Directory Server. ISW includes a set of Core components (configuration directory, console, command-line utilities, system manager, and central logger), individual connectors, connector subcomponents, and Oracle Message Queue.
ISW synchronizes user account information, including passwords, between ODSEE and Microsoft Active Directory. ISW requires two directory server instances: one instance for the user data that is synchronized and another instance for the ISW configuration data.
See Understanding the Product in the Oracle Fusion Middleware Installation and Configuration Guide for Identity Synchronization for Windows 6.0.
-
Oracle Directory Integration Platform 11g Release 1 (11.1.1.9.0)
DIP enables you to integrate your applications and directories, including third-party LDAP directories, with a master back-end directory being ODSEE, Oracle Internet Directory, or Oracle Unified Directory. DIP supports both uni-directional and bi-directional synchronization between ODSEE and Active Directory.
The DIP back-end directory stores the DIP metadata and also serves as a synchronization endpoint. The DIP metadata information consists of the DIP-specific schema and directory information tree (DIT).
See Introduction to Oracle Directory Integration Platform in Administrator's Guide for Oracle Directory Integration Platform.
In general, all the steps in the next sections requires compliance with the DIP certification matrix. To view this matrix:
-
Go to the Oracle Fusion Middleware Supported System Configurations page.
-
Find System Requirements and Supported Platforms for Oracle Fusion Middleware 12c (12.2.1.4.0) and open the
xls
file. -
In the
xls
file, click the FMW on WLS - Id&Access tab.
A.1.2 About This Documentation
You can configure DIP to synchronize your directory server to have the same functionality you previously had with ISW.
This appendix describes the transition steps to DIP and will help you find the equivalent basic ISW administration tasks in DIP.
This appendix considers only replacing an ISW deployment with DIP. If you also need to transition from ODSEE to OUD, see Understanding the Transition to Oracle Unified Directory.
A.1.3 Transition Process
Before the transition, ISW manages the synchronization between the ODSEE and Active Directory source directories. ISW uses one ODSEE instance for the user data that is synchronized and another ODSEE instance to store the ISW configuration data. The transition process replaces ISW (and its components) with DIP (and its components) and moves the synchronization functionality from ISW to DIP.
After the transition is finished, DIP will manage the synchronization between ODSEE and Active Directory. DIP will then use only one ODSEE instance to store the user data and the DIP metadata that is synchronized. The ODSEE instance that stored the ISW configuration data before the transition will no longer be used.
A.2 Transition Plan for Oracle Directory Integration Platform
You can plan your transition from ISW to DIPt using the information in the following sections.
This section contains the following topics:
A.2.1 Check Compliance with the DIP Certification Matrix
You must ensure that the transition process should follow the DIP certification matrix.
The transition process described in Executing the Transition to Oracle Directory Integration Platform requires compliance with the DIP certification matrix.
To find and check the DIP certification matrix, see Transition Components.
A.2.2 Comparison of ISW and DIP Functionality
Understand the comparison of the features and functionality available in ISW and DIP.
This section contains the following topics:
A.2.2.1 ISW Functionality Available in DIP
The following table describes the ISW functionality that is also available in DIP.
Table A-1 Identity Synchronization for Windows Functionality Available in Oracle Directory Integration Platform
Functionality | Identity Synchronization for Windows | Oracle Directory Integration Platform |
---|---|---|
Synchronization scope |
ISW supports Synchronization User Lists (SULs) that are the smallest synchronization units. An SUL contains a base DN from ODSEE and Active Directory that is mapped for synchronization. One or more SULs can be created under a single domain. |
DIP supports domain mapping rules that allow multiple domains (DITs) to be mapped under a base DN. Unlike ISW, DIP has all domains in a single profile share the same filter. However, DIP also allows users to have several profiles with multiple filters. |
Direction of synchronization |
ISW supports both uni-directional and bi-directional synchronization capabilities. |
DIP achieves both uni-directional and bi-directional synchronization capabilities using export and import profiles. The type of profile (export or import) depends on the back-end. |
Synchronization change types |
ISW supports synchronization of add, modify, and delete operations, selectively. The selection can be modified anytime with the UI. |
DIP supports synchronization of all LDAP operations, but it is not possible to select a subset of operation types to synchronize. |
Password synchronization |
ISW defaults to password synchronization. The synchronization of passwords cannot be avoided. |
DIP provides synchronization of all LDAP attributes including user passwords. |
User account creation, modification, and delete synchronization |
Supported |
Supported |
User account activation and inactivation |
ISW synchronizes account activation/inactivation between Active Directory and ODSEE and vice versa. |
DIP synchronizes account activation/inactivation between Active Directory and back end and vice versa. |
User account lockout/unlockout synchronization |
ISW synchronizes lockout/unlockout events between Active Directory and ODSEE and vice versa. As a pre-requisite, the password policies at both ends are expected to be same. |
DIP synchronizes lockout/unlockout events between Active Directory and the back end and vice versa. As a pre-requisite, the password policies at both ends are expected to be same. |
Server redundancy |
ISW has only one instance, so there is no redundancy. |
You can configure multiple instances of DIP in the WebLogic domain to synchronize the same endpoints. The DIP Quartz Scheduler takes care of providing the failover and load balancing capabilities. However, like ISW, DIP does not provide redundancy when the configuration directory (back-end directory) is not available. |
Failover support of endpoints |
Supported |
DIP does not support failover with ODSEE but does support failover with OUD. |
Group synchronization |
ISW has special hard-coded handling for group synchronization. |
DIP achieves this functionality through a |
Synchronization with multiple Active Directory domains. |
One or more Active Directory connectors can be installed to synchronize with a single ODSEE domain. |
DIP achieves this functionality by setting up multiple export and import profiles between different Active Directory domains and the back-end endpoint. DIP also provides a mechanism to handle Foreign Security Principals. |
Reconciliation of pre-existing entries |
ISW uses resynchronization functionality to run a refresh operation that synchronizes the pre-existing entries from ODSEE to Active Directory or vice versa. However, this operation does not synchronize user passwords. |
DIP achieves this functionality by resetting the |
Searchfilter |
ISW supports specifying a search filter for each Synchronized User List (SUL). |
DIP supports specifying one search filter per profile. You can achieve this filtering using an OR operator in the search filter. You can also have a different profile for a different domain mapping and search filter. |
Domain exclusion list |
ISW uses a search filter. |
DIP supports providing the |
Logging |
ISW supports log per connector and global logs. |
DIP supports global logs. |
A.2.2.2 ISW Functionalities Not Available in DIP
DIP does not support high availability (HA) with ODSEE.
A.2.2.3 DIP Functionalities Not Available in ISW
DIP supports the following features that are not available in ISW:
Table A-2 DIP Functionalities Not Available in ISW
Feature | ISW | DIP |
---|---|---|
Attribute Exclusion List |
Not supported |
DIP provides an |
Mapping functions |
Not supported |
DIP supports enhanced attribute mapping with mapping functions that operate on source attribute values to derive the destination attribute values. |
Mapping plug-ins |
Not supported |
DIP enables you to enrich the mapping functions through a Java plug-in mechanism. |
A.2.2.4 DIP Functionality That Requires a Plug-in
The following DIP functionality requires the ODSEE plug-in:
-
On demand password synchronization from the connected directory (Active Directory) to the backend directory
-
Translate password from the backend to the connected directory (Active Directory)
For both of these features, you must install the ODSEE plug-in, which is released with DIP. See Installing Oracle Directory Server Enterprise Edition Plug-in in Administrator's Guide for Oracle Directory Integration Platform.
A.2.3 ISW Parameters to Consider in Planning the Transition
Before you begin the transition, consider the ISW parameters and configuration described in the following sections. You will then know if the transition from ISW to DIP will ensure that you have the same level of functionality.
This section contains the following topics:
Note:
Carefully read ISW Deployment Considerations and Transition Plan so you will know if the transition from ISW to DIP will provide you with the same level of functionality, or if you also need to consider a transition from ODSEE to OUD.
A.2.3.1 ISW Deployment Considerations
Before you begin the transition, consider the following ISW parameters and configuration:
-
Synchronization direction of passwords
-
If passwords are synchronized from Active Directory to Directory Server, you must configure the on-demand password synchronization. See Password Synchronization in Administrator's Guide for Oracle Directory Integration Platform.
-
If passwords are synchronized from Directory Server to Active Directory, you must configure the Translate Password feature. See Password Synchronization in Administrator's Guide for Oracle Directory Integration Platform.
-
If passwords are synchronized in both directions, both On Demand Password and Translate Password must be configured.
These features require that you install and configure the ODSEE plug-in. You can find the ODSEE plug-in in one of the following locations in the Oracle Identity Management distribution package, depending on your platform:
-
On Windows systems:
Disk1\utils\dip-plugin\dip-plugin.dll
-
On UNIX or Linux systems:
Disk1/utils/dip-plugin/dip-plugin.so
See Installing Oracle Directory Server Enterprise Edition Plug-in in Administrator's Guide for Oracle Directory Integration Platform.
-
-
Synchronizing the creation of new users
ISW enables you to not synchronize the creation of new users. DIP does not make any difference and considers an object creation as a synchronization. If the object does not exist, it will be created with the attributes defined in the mapping rules of the profiles. So all the attributes defined as mandatory in the schema need to have a mapping rules in the profile; if not, the first synchronization of the object (that is, creation) will fail.
See Configuring Directory Synchronization in Administrator's Guide for Oracle Directory Integration Platform.
-
Number of Windows domains
There is no limitation in DIP. Many profiles can be created.
-
High Availability (no changes lost when ISW goes down)
When ISW is down, Message Queue keeps any changes already read. When ISW is up again, Message Queue and ISW synchronize the changes that occurred when ISW was down.
To support high availability, DIP is deployed on an Oracle WebLogic Cluster that has at least two servers as a part of the cluster. Oracle WebLogic Cluster starts, stops, and monitors DIP in the cluster. See Oracle Directory Integration Platform High Availability in High Availability Guide.
-
Security
DIP, as ISW does, can manage connections over SSL, if SSL is required for your deployment.
-
Bidirectional account lockout and unlockout synchronization
For these features to work correctly, set the symmetric password policy at both ends (the same as recommended for ISW).
-
Bidirectional group synchronization
DIP enables you to manage group synchronization by using the
uniquemenber
attribute anddnconvert
in the mapping rule. -
Multi-Master Replication (MMR) Deployment:
This item will have consequences in the transition to DIP. If Identity Synchronization for Windows is configured as an MMR deployment, consider the number of Directory Server masters, hubs, and read-only replicas in the deployment.
In a deployment with multiple Directory Servers, the Identity Synchronization for Windows Directory Server Plug-in must be installed on each master, hub, and read-only replica. When configuring Identity Synchronization for Windows, one Directory Server master is designated as the preferred master. The Directory Server Connector detects and applies changes at the preferred master if it is running. If the preferred master is down, the Connector can optionally apply changes at a second master.
You can configure DIP (through WebLogic Cluster) in high availability (HA) mode, but it will talk to the same ODSEE instance. However, DIP can handle two OUD instances, so to manage the second master, you must also plan a transition from ODSEE to OUD at the same time you are doing the transition from ISW to DIP.
The following table describes the differences in high availability (HA) and multi-master replication (MMR) deployments for ISW and DIP.
Table A-3 Differences for ISW and DIP in HA and MMR Deployments
Function | Identity Synchronization for Windows | Oracle Directory Integration Platform |
---|---|---|
High Availability (HA) |
ISW does not support HA in the true sense. There is only one instance of ISW and if it goes down, no synchronization can be achieved. For other cases, ISW uses Message Queue, which stores the unapplied changes. |
You can configure DIP deployed on Oracle WebLogic Cluster in HA mode. See Oracle Directory Integration Platform High Availability in High Availability Guide. |
Multi-Master Replication (MMR) |
ISW configuration enables you to specify a preferred and secondary master server. ISW can switch to the secondary server when the preferred server is down. |
DIP configuration does not allow you to specify two ODSEE servers. However, if OUD is the back end, DIP supports two OUD instances behind a load balancer. |
A.2.3.2 Transition Plan
At this point, you should know which of the following cases you have, and you can plan your transition accordingly:
-
Your ISW configuration is not using replicated directory sources, so your plan is to transition ISW to DIP only. See Executing the Transition to Oracle Directory Integration Platform.
-
Your configuration for ODSEE and ISW is in a multi-replicated directory source, so you might have two choices:
-
DIP will talk to your directory server master only, so your plan is to transition ISW to DIP only (same case as above).
-
You want a configuration with two directory server instances, so you must also transition ODSEE to OUD, which must be done before you transition from ISW to DIP. DIP will be then be configured with OUD as the backend.
-
The following table describes your transition choices.
Table A-4 Planning the ISW to DIP Transition
ISW Configuration | DIP Configuration | Transition to Plan |
---|---|---|
No replicated directory sources |
No replicated directory sources |
ISW to DIP |
Replicated directory sources |
No replicated directory sources |
ISW to DIP |
Replicated directory sources |
Replicated directory sources |
ODSEE to OUD and ISW to DIP |
The transition from ODSEE to OUD is described in Understanding the Transition to Oracle Unified Directory.
The transition from ISW to DIP is described in the Executing the Transition to Oracle Directory Integration Platform.
A.3 Components Involved in the Different Transition Steps
The ISW configuration and the transition case that you have selected determines the different components which are involved in the transition steps.
Depending on your ISW configuration and the transition case you have selected (see Transition Plan), the components involved in the transition are different, because the back-end directory can be either ODSEE or OUD.
ODSEE is the back-end directory:
The following components are involved in the transition, as shown in Figure A-1:
-
Source directories that need to be synchronized: ODSEE (back-end directory) and Active Directory (connected directory)
-
ISW (and its components) that will be replaced by DIP (and its components)
After the transition, synchronization will be managed by DIP and no longer by ISW. The directory servers are not changed.
Figure A-1 Components Involved in the Transition from ISW to DIP When ODSEE is the Back-End Directory

Description of "Figure A-1 Components Involved in the Transition from ISW to DIP When ODSEE is the Back-End Directory"
OUD is the back-end directory:
If OUD is the back-end directory, the transition from ODSEE to OUD has already been done, and you are in an intermediate situation where ISW is synchronizing changes between Active Directory and ODSEE. ODSEE is replicated to OUD with one of the strategies described in Understanding the Transition to Oracle Unified Directory. DIP will be configured with OUD as the back-end directory, and the components and the transition process are the same as described above, except for the directory back-end directory.
A.4 Executing the Transition to Oracle Directory Integration Platform
You have to perform certain tasks to transition from Identity Synchronization for Windows to Oracle Directory Integration Platform.
This section describes such tasks:
-
Collection of Identity Synchronization for Windows Information
-
Creating a Profile for Metadata Creation in Existing ODSEE Entries
-
Stopping Synchronization on Identity Synchronization for Windows
-
Uninstalling the Identity Synchronization for Windows Plug-in in ODSEE
-
Updating the Metadata in ODSEE by Running the DIP Tester Utility
-
Check for Any Remaining Changes in Identity Synchronization for Windows
-
Check Synchronization in Identity Synchronization for Windows
A.4.1 Collection of Identity Synchronization for Windows Information
You can collect all the ISW information needed to configure DIP. Fill in the tables in the following sections to order the data and to be able to create the DIP profiles.
This section contains the following topics:
A.4.1.1 Identity Synchronization for Windows Console
Identity Synchronization for Windows provides an administration Console that centralizes the ISW configuration and administration tasks. You can use the ISW Console to:
-
Configure directory sources to be synchronized
-
Define mappings for user entry attributes to be synchronized, in addition to passwords
-
Specify the users and attributes within a directory or domain topology that will, or will not, be synchronized
-
Monitor system status
-
Start and stop synchronization
To login to the ISW Console, you must know the Administration Server URL (host name, domain name, and port), administrator (admin) credentials (user ID and password), and the ISW configuration password.
After you log in, you can access the various ISW tasks and configuration tabs to collect the ISW information needed to configure DIP during the transition.
A.4.1.2 ISW Servers Connection Information
If you need information about the ISW Console, see Identity Synchronization for Windows Console.
In the ISW Console, identify the following ISW Directory sources:
-
Sun Directory Server on ISW for the DIP back-end directory (ODSEE): host, port, user, and password
-
Active Directory on ISW for the DIP connected directory (Active Directory): host, port, user DN, and password.
Note:
Clear-text passwords are not retrievable from ISW, so you must get them by other means.
Save this information in a table for the transition to DIP. For example:
Table A-5 Directory Servers for Transition
DIP Server | Host | Non-SSL Port | SSL Port | Admin User | Password |
---|---|---|---|---|---|
Backend Directory (ODSEE or OUD) |
odsee-host |
5389 |
5636 |
|
password1 |
Connected Directory (Active Directory) |
ad-host |
389 |
636 |
|
password2 |
A.4.1.3 Synchronization User Lists
For each Synchronization User List (SUL) in ISW, identify the following:
-
Sun Directory Server (ODSEE), identify the base DN:
ou=people,dc=example,dc=com
. -
Windows Directory Source (Active Directory), identify the base DN:
cn=users,dc=ad,dc=com
synchronization list
These two base DNs will be translated in DIP as Domain rules source and destination. Save this information in a table for the transition to DIP. For example:
Table A-6 Synchronization User Lists for Transition
SUL | Source Domain Name | Destination Domain Name |
---|---|---|
SUL1 |
|
|
SUL2 |
|
|
Each entry under ou=people,dc=example,dc=com
and ou=people,dc=example,dc=com
will be synchronized. The type of object synchronized under this container is determined by the attribute-level mapping rules that follow the DN mapping rules described in the next section.
You can also identify domains to be excluded during synchronization by adding a DomainExclusionList
header in map files and identify domains to be excluded during synchronization.
A.4.1.4 ISW Configuration: Mapping User Attributes
ISW supports two types of attributes:
-
Significant: attributes that are synchronized between systems when you create or modify user entries.
-
Creation: attributes that are synchronized between systems only when you create user entries.
DIP synchronizes attributes between systems when you create or modify user entries. If a referenced object class requires the presence of a certain attribute, the object creation will fail if the attribute is not synchronized. This failure is caused when a mapping rule is not defined in the profile for the attribute. Once an attribute is defined in a mapping rule, it will be synchronized, and the object creation will succeed.
The goal of this section is to collect all the attribute mappings independently of the ISW types (creation and modification) and to sort them in the way that helps to create DIP profiles. So, consider the mapping of the following user attributes in the ISW configuration:
A.4.1.4.1 Map Attributes for Synchronization
If you need information about the ISW Console, see Identity Synchronization for Windows Console.
For each attribute listed in the ISW Console Attributes tab, map the attribute as shown in the following table:
Table A-7 Attributes to Map for Synchronization
Directory Server Attribute | Active Directory Attribute |
---|---|
|
|
|
|
|
|
|
|
|
|
If you are synchronizing passwords (On Demand password or Translate Password) you will need to install the ODSEE plug-in, which is part of DIP delivery, on the ODSEE backend.
For DIP, for each attribute you want to synchronize, you must write a mapping rule. Here is the definition of the attribute mapping rule format:
srcAttrName:[ReqAttrSeq]:[SrcAttrType]:[SrcObjectClass]:[dstAttrName]:[DstAttrType]:[DstObjectClass]:[MappingFuntion]
Note:
You must write an attribute mapping rule on a single line. If the above definition displays as two lines in your browser or viewer, it is formatting purposes only.
See Configuring Mapping Rules in Administrator's Guide for Oracle Directory Integration Platform.
See also Supported Attribute Mapping Rules and Examples in Administrator's Guide for Oracle Directory Integration Platform.
A.4.1.4.2 Synchronization Flow
If you need information about the ISW Console, see Identity Synchronization for Windows Console.
From the ISW Console Object Creation tab, check the synchronization flow and create tables as follows:
-
From the backend (ODSEE or OUD) to Active Directory, you will need to create an export profile. Fill in an export table with the creation attributes.
-
From Active Directory to backend (ODSEE or OUD), you will need to create an import profile. Fill in the import table with the creation attributes.
Fill in the following tables below with the creation attributes and their objectclass
.
Table A-8 Export Table: From ODSEE or OUD to Active Directory
ODSEE or OUD Attribute | Active Directory Attribute |
---|---|
|
|
|
|
|
|
Table A-9 Import Table: From Active Directory to ODSEE or OUD
Active Directory Attribute | ODSEE or OUD Attribute |
---|---|
|
|
|
|
|
|
A.4.1.4.3 Attributes Modification
If you need information about the ISW Console, see Identity Synchronization for Windows Console.
From the ISW Console Attribute Modification tab, for each attribute, check the synchronization flow to determine in which table (export, import, or both) you will have to add the attribute mapping.
Special case: Object activation/Inactivation with Active Directory
In ISW, there are three options to synchronize object activation and inactivation with Active Directory:
-
Interoperating with Directory Server tools
-
Modifying the Directory Server's
nsAccountLock
attribute directly -
Using a custom method for Directory Server
In DIP, account activation and inactivation are configured with the Account Disabling feature. See Account Disabling Synchronization in Administrator's Guide for Oracle Directory Integration Platform.
A.4.1.4.4 Groups Synchronization
You can configure ISW to work with Domain Global Security and Domain Global Distribution groups on Active Directory.
In DIP (as with ISW), you must use the following configuration. Map the following Directory Server attributes to Active Directory:
-
Directory Server
uid
to Active DirectorySAMAccountName
-
Directory Server
cn
to Active Directorycn
If ISW group synchronization is enabled, specific mapping rules must exist in the DIP configuration.
# Mapping rules to map groups cn : : : groupofuniquenames:cn : : groupofuniquenames : member : : : groupofuniquenames:member : : orclgroup : uniquemember : : : groupofuniquenames:uniquemember : : orclgroup : owner : : : groupofuniquenames:owner : : orclgroup :
At this point, you should have filled the following tables with attribute mappings:
-
An export table (Table A-8 ) that contains attributes synchronized from the back end to Active Directory.
-
An import table ( Table A-9 ) that contains attributes synchronized from Active Directory to the back end.
If an attribute is synchronized in both directions, a row should exist in both tables.
A.4.1.5 Account Disabling
If the account disabling feature is enabled in ISW, specific mapping rules will be added in DIP.
See Account Disabling Synchronization in Administrator's Guide for Oracle Directory Integration Platform.
A.4.1.6 Synchronization Flow
Identify the synchronization flow of your data for the profiles you will need to create in DIP and identify the profiles by giving them a name. For example:
Table A-10 Synchronization Flow of Data for DIP Profiles
Flow Synchronization in ISW | Table Type to Fill | Profile Name | Source | Destination |
---|---|---|---|---|
From the back-end directory to the connected directory |
Export |
For example: ODSEEToAD |
Back-end directory |
Connected directory |
From the connected directory to the backend directory |
Import |
For example: ADToODSEE |
Connected directory |
Back-end directory |
A.4.1.7 Synthesis of ISW Configuration Data
The ISW data have been collected and are now ready to be sorted for preparing the DIP profiles. Here are the different tables that should have been filled.
Table A-11 Profiles Data for DIP
Flow Synchronization in ISW | Table Type to Fill | Source | Destination |
---|---|---|---|
From ODSEE (or OUD) to Active Directory |
Export |
odsee-host |
ad-host |
From Active Directory to ODSEE (or OUD) |
Import |
ad-host |
odsee-host |
For an export table, identify the following information:
Table A-12 Export Table Information
Item | ODSEE Source (backend) | Active Directory Destination (connected directory) |
---|---|---|
Server name: host |
odsee-host |
ad-host |
Server name: port |
5389 |
389 |
Server name: SSLport |
5636 |
636 |
Server name: password |
odsee-host-password |
ad-host-password |
Server name: user |
|
|
Domain rules |
|
|
Domain Exclusion List |
Identify the data for the export table and update Table A-13.
Table A-13 Export Attributes Mapping
Source (backend) ODSEE or OUD Attribute Name | Source Attribute Object Class | Destination (connected directory) Active Directory Attribute Name | Destination Attribute Object Class |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Use Table A-14 to list the features that need to be translated in mapping rules in DIP if the features are enabled in ISW.
Table A-14 ISW Features Enabled in Direction Backend to Active Directory (Export)
Feature Enabled in ISW | Yes/No |
---|---|
Password synchronization |
yes |
Group synchronization |
no |
Account activation/inactivation |
yes |
For an import table, identify the following information:
Table A-15 Import Table Information
Item | Active Directory Source (connected directory) | ODSEE Destination (backend) |
---|---|---|
Server name: host |
ad-host |
odsee-host |
Server name: port |
389 |
5389 |
Server name: SSLport |
636 |
5636 |
Server name: password |
ad-host-password |
odsee-host-password |
Server name: user |
|
|
Domain rules |
|
|
Domain Exclusion List |
Identify the data for the import table and update Table A-16.
Table A-16 Import Attributes Mapping
Source Active Directory (connected directory) Attribute Name | Source Active Directory Object Class | Destination Backend (ODSEE or OUD) Attribute Name | Destination Backend (ODSEE or OUD) Object Class |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Use Table A-17 to list the features that need to be translated in mapping rules in DIP if the features are enabled in ISW.
Table A-17 ISW Features Enabled in Direction Active Directory to Backend (Import)
Feature Enabled in ISW | Yes/No |
---|---|
Password synchronization |
Yes |
Group synchronization |
No |
Account Activation/Inactivation |
Yes |
Now that you have collected all the information related to your ISW and ODSEE configuration, you must install and configure DIP, as described in the next sections.
A.4.2 Backing Up the Back-End Directory Data
You can backup the back-end directory data by stopping the ODSEE server instance using the backup command. You must restart the server after the backup.
Caution:
In subsequent transition steps, the DIP configuration modifies the schema, and an undo operation is not available. Therefore, Oracle recommends that you backup your existing backend data before you continue.
The backup operation might impact the back-end service availability.
To back up your existing ODSEE data:
If you later need to restore the data, use dsadm restore
.
For more information about ODSEE, see Directory Server Administration in Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
To backup your OUD data, use the backup
command. See Backing Up and Restoring Data in Administering Oracle Unified
Directory.
A.4.3 Installation of Oracle Directory Integration Platform
Yu must install the Oracle Internet Directory binaries to install Oracle Directory Integration Platform.
See Installing the Oracle Internet Directory Software in Installing and Configuring Oracle Internet Directory.
A.4.4 Configuring Oracle Directory Integration Platform
Use the procedure provided in this topic to configure Oracle Directory Integration Platform. You must run the dipConfigurator setup
command and configure the Oracle Directory Integration Platform plug-ins.
To configure Oracle Directory Integration Platform:
A.4.5 Creating Synchronization Profiles
You can create synchronization profiles by using either the CLI or GUI to create these profiles.
The section describes the synchronization profiles creation, using the information you collected in the tables in Collection of Identity Synchronization for Windows Information. Refer to the following sections to create synchronization profiles:
When you install DIP, template profiles are created for synchronization with the different directory types, including ODSEE. The files used to create the template profiles, property and mapping files, are available in the following directory:
ORACLE_HOME
/ldap/odi/conf
Note:
After you create these profiles, do not enable them. You will enable them later in a subsequent step.See Creating Synchronization Profiles in Administrator's Guide for Oracle Directory Integration Platform.
See also Password Synchronization Mechanism in Administrator's Guide for Oracle Directory Integration Platform.
A.4.5.1 Creating Export Profile
To create an export profile using the template files in the ORACLE_HOME
/ldap/odi/conf
directory:
A.4.5.2 Required Mapping Rules for the Export Profile
For the data you have collected from your ISW configuration, you must have a mapping rule for each row in Table A-18.
Table A-18 Required Mapping Rules for the Export Profile
Source (backend)ODSEE or OUD Attribute Name | Source Attribute Object Class | Destination (connected directory)Active Directory Attribute Name | Destination Attribute Object Class |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For example, here are the mapping rules for this table:
# Organizational unit mapping ou : : :organizationalunit:ou : :organizationalunit : cn : : :inetorgperson:cn : :inetorgperson : uid : : :inetorgperson:SAMAccountName : :user : mail : : :inetorgperson:givenname : :user : sn : : :person:sn : :user :
Here are considerations for writing the mapping rules in Table A-14.
-
Password Synchronization
The mapping rule is specific, as it uses a mapping function,
passwordtranslate
.orclodiptranslatepassword : : : :unicodepwd : : user :passwordtranslate(orclodiptranslatepassword)
See Password Synchronization Mechanism in Administrator's Guide for Oracle Directory Integration Platform.
If you are synchronizing passwords (Translate Password), you will need to install the ODSEE plug-in, which is part of DIP delivery, on the ODSEE backend. (For OUD, the plug-in is part of OUD). See Configuring Oracle Directory Integration Platform.
-
Group Synchronization
The following mapping rules must be added:
# Mapping rules to map groups cn : : :groupofuniquenames:cn : : groupofuniquenames : member : : :groupofuniquenames:member : : orclgroup : uniquemember : : :groupofuniquenames:uniquemember : : orclgroup : owner : : :groupofuniquenames:owner : : orclgroup :
See Supported Attribute Mapping Rules and Examples in Administrator's Guide for Oracle Directory Integration Platform.
-
Account Activation/Inactivation
The mapping rule is specific, as it is using a mapping function,
AccountDisable ****
. It depends on the backend (the attribute name is different).If ODSEE is the backend:
nsAccountLock:1:::userAccountControl::user:AccountDisable(nsAccountLock, "544")
If OUD is the backend:
ds-pwp-account-disabled:1:::userAccountControl::user:AccountDisable(ds-pwp-account-disabled, "544")
See Account Disabling Synchronization in Administrator's Guide for Oracle Directory Integration Platform.
A.4.5.3 Creating Import Profile
To create an import profile using the example files in the ORACLE_HOME
/ldap/odi/conf
directory:
A.4.5.4 General Remarks About DIP Profiles
Several considerations about DIP profiles are:
-
One DIP profile must be created for one ISW Synchronization User List (SUL).
-
One DIP profile is for one direction: source to destination. If synchronization is done in both directions, two profiles must be created and associated.
A.4.6 Creating a Profile for Metadata Creation in Existing ODSEE Entries
This profile will be used to create all of the metadata used by DIP in the existing entries of ODSEE. The metadata is normally created during synchronization or during bootstrap; however, because the metadata in ODSEE has not been created with either of these operations, it must be added in the existing entries. This profile will be created to be used once, just after the synchronization stop on ISW and before the synchronization start on DIP. This profile will add the metadata in the entries that have been synchronized with ISW.
When you install DIP, template profiles are created for synchronization with the different directory types, including ODSEE. The files used to create the template profiles, property and mapping files, are available in the following directory:
ORACLE_HOME
/ldap/odi/conf
To create a profile for the metadata using the template files in the ORACLE_HOME
/ldap/odi/conf
directory:
A profile could have many Domain Rules, so you could create one profile for many SULs.
For DIP, for each attribute you want to synchronize from ODSEE (or OUD) to Active Directory, you must write a mapping rule using mapping rule format.
See Configuring Mapping Rules in Administrator's Guide for Oracle Directory Integration Platform.
See also Supported Attribute Mapping Rules and Examples in Administrator's Guide for Oracle Directory Integration Platform.
So, regarding the data you have collected from your ISW configuration, for each line in Table A-15, you must have a mapping rule.
Note:
-
The domain rules must be updated with the data you have collected from the ISW configuration.
The
%USERBASE%
of theDomainRules
section will be filled with the information you collected in Table A-15. For example:DomainRules ou=isw-ou,dc=ad,dc=com:ou=people,dc=example,dc=com
-
The following mapping rules are mandatory:
objectguid: :binary:top:orclobjectguid:string:orclADObject:bin2b64(objectguid) distinguishedName: : :top:orclSourceObjectDN: :orclADObject:
-
The
odip.profile.updateChangeNumberatCreate
flag should be set tofalse
.
The profile will be enabled after the synchronization is stopped for ISW.
A.4.7 Stopping Synchronization on Identity Synchronization for Windows
It is strongly recommended that you stop the ISW server. At least, plan for a decrease of activity on both Active Directory and ODSEE, and then stop the synchronization on ISW.
Note:
Be sure to note the value of the last change number that has been applied, because it will be used in the last step to check that no changes have been lost.
To stop the synchronization, open a terminal window (or a Command Window) and type the idsync
stopsync
command. For example:
$ idsync stopsync -w admin-password -q configuration_password
A.4.8 Uninstalling the Identity Synchronization for Windows Plug-in in ODSEE
Before you uninstall the ISW plug-in, check for any existing entries in ODSEE that still require a bind (On-Demand Password synchronization). To find these entries, use ldapsearch
to check for the values of userPassword
attribute and dspswvalidate
attribute.
Use ldapsearch
to check for:
-
The
userPassword
attribute has the following value:userPassword: {PSWSYNC}*ON-DEMAND*SYNCHRONIZATION*REQUIRED*
and/or
-
The
dspswvalidate
attribute is set totrue
.
If you find entries that still require a bind, add the orclODIPInvalidPassword
attribute (value is true
) to every entry where the dspswvalidate
attribute is set to true
. The bind will then be performed by the DIP ODSEE plug-in.
Then, you can uninstall the ISW plug-in.
To unconfigure the ISW plug-in, open a terminal window (or a Command Window) and type the idsync
dspluginconfig
command. For example:
$ idsync dspluginconfig -U -w admin password -q configuration_password
Or, use ldapmodify
:
$ ldapmodify -h host.example.com -p 5389 -D "cn=Directory Manager" -w admin-password
dn: cn=pswsync,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled:off
Restart the ISW server, and then remove the dspswvalidate
attribute from the entries.
A.4.9 Updating the Metadata in ODSEE by Running the DIP Tester Utility
The ODSEE entries that have been created through a synchronization done with ISW do not contain the metadata needed by DIP.
Note:
In a typical DIP/ODSEE configuration, the entries are created during synchronization or during bootstrap and contain the metadata needed by DIP. In the current case, the user entries have not been created with one of these operations but synchronized with ISW, and therefore, they do not contain the metadata.
To add this metadata, a profile must be created and used once. No synchronization will trigger this profile execution, so you must run DIP Tester either through Oracle Enterprise Manager Fusion Middleware Control or the CLI (using manageSyncProfile
-testProfile
). This profile must also be registered first.
Register the profile using manageSyncProfiles
:
$ manageSyncProfiles register -h $WLSHOST -p 7005 -D weblogic -f MetaDataImp.properties -pf MetaDataImp
Then, run DIP Tester using either Oracle Enterprise Manager Fusion Middleware Control:
-
In the Advanced tab, set
lastChangeNumber
to 0. -
In the Filtering tab, the Source Matching Filter and Destination Matching Filter should be unset.
Or, run manageSyncProfile
from the command line:
$ manageSyncProfile -testProfile -h $WLSHOST -p 7005 -D weblogic -pf MetaDataImp -changenumber 0
The entries that were previously synchronized with ISW are now ready to be synchronized with DIP, and the profile can be deleted.
See Troubleshooting Synchronization Profiles Using DIP Tester and Managing Synchronization Profiles Using manageSyncProfiles in Administrator's Guide for Oracle Directory Integration Platform.
A.4.10 Enabling the Profiles in DIP
The synchronization is activated in DIP when the profiles are registered and enabled.
To register, associate, and enable the profiles:
See Managing Directory Synchronization Profiles in Administrator's Guide for Oracle Directory Integration Platform.
A.4.11 Check for Any Remaining Changes in Identity Synchronization for Windows
Some changes might have occurred while ISW synchronization was stopped. Check that the last change number of your source has been applied on the destination. DIP Tester enables you to perform synchronization tests and to return detailed log messages generated during the tests.
See Troubleshooting Synchronization Profiles Using DIP Tester in Administrator's Guide for Oracle Directory Integration Platform.
A.4.12 Check Synchronization in Identity Synchronization for Windows
To verify that the synchronization is working correctly, modify an attribute on one server and check that it is correctly synchronized on the other server.
Note:
The On-Demand Password synchronization feature should be working in the same way it was working with ISW. When a password is modified in Active Directory, the orclODIPInvalidPassword
attribute is added and set to true
in the ODSEE entry, and a bind is required to update the userPassword
attribute.
A.5 Basic Administration Tasks
Some basic administrative tasks in ISW have equivalent tasks in DIP.
Table A-19 describes some basic administrative tasks in ISW and how you perform the equivalent tasks in DIP. Here are documentation references for performing the DIP tasks in this table:
-
Enterprise Manager refers to Oracle Enterprise Manager Fusion Middleware Control. See Managing Oracle Directory Integration Platform Using Fusion Middleware Control in Administrator's Guide for Oracle Directory Integration Platform or the Enterprise Manager online Help.
-
For information about
manageSyncProfiles
, see Managing Synchronization Profiles Using manageSyncProfiles in Administrator's Guide for Oracle Directory Integration Platform. -
For information about the WebLogic Scripting Tool, see Understanding the WebLogic Scripting Tool in Understanding the WebLogic Scripting Tool.
-
For information about the WebLogic Administration Console, see Oracle WebLogic Server Administration Console Online Help.
Table A-19 Basic Administrative Tasks in ISW and DIP
ISW Task | Equivalent DIP Task | Command-Line | GUI |
---|---|---|---|
Configuring directory sources |
Edit or create profile |
|
Enterprise Manager |
Configuring synchronization settings |
Edit or create profile |
|
Enterprise Manager |
Configuring attribute settings |
Edit or create profile |
|
Enterprise Manager |
Configuring attribute modification settings |
Edit or create profile |
|
Enterprise Manager |
Configuring group synchronization settings |
Edit or create profile |
|
Enterprise Manager |
Configuring synchronization user lists (SULs) |
Edit or create profile |
|
Enterprise Manager |
Installing connectors and initializing data ( |
Not applicable |
Not applicable |
Not applicable |
Starting and stopping synchronization |
Register and activate profile |
|
Enterprise Manager |
Starting and stopping services (ISW and Message Queue) |
Start and stop WebLogic Server |
WebLogic Scripting Tool, scripts |
WebLogic Admin Console |
DIP also has the following tools to test synchronization profiles:
-
DIP Tester: Use this utility to perform synchronization tests and to return detailed log messages generated during the tests. See Troubleshooting Synchronization Profiles Using DIP Tester in Administrator's Guide for Oracle Directory Integration Platform.
-
Log Level: Specify the logging level for debugging synchronization profiles using Oracle Enterprise Manager Fusion Middleware Control. See Creating Synchronization Profiles in Administrator's Guide for Oracle Directory Integration Platform.
A.6 After the Transition to Oracle Directory Integration Platform
In case you have considered only the transition to DIP and your backend is still ODSEE, you might reconsider transitioning ODSEE to OUD in a second step.
In you transition ODSEE to OUD, OUD will be considered as a fresh installation, and you will have to create new profiles with OUD as the server instead of ODSEE. The new profiles will be similar to ODSEE profiles, but the main changes will be connection information such as server names and port numbers. Some attribute names and values might also have to be updated.
See Understanding the Transition to Oracle Unified Directory.