In an enterprise environment, you may have multiple directory servers. To keep
data consistent across the enterprise, all of the directory servers must be
synchronized so that they hold the same data. In a Windows environment, user and
group information is stored and maintained in Active Directory (ADS), which is
part of the Windows 2000 operating system. All Oracle components use Oracle
Internet Directory (OID) as the central repository for user and group
information. The Oracle Directory Integration and Provisioning (DIP) platform
synchronizes the two directories. You can synchronize OID and ADS by using an
import connector or an export connector. In this module, you learn to configure
OID to export user information from OID to Active Directory.
If you are planning to configure OID for a one-way export synchronization with
AD, you can use the default attribute mapping rules in the activeexp.map.master
file. However, if you plan to do a two-way synchronization that also uses the
default attribute mapping values from the activechg.map.master file with your
ActiveChgImp profile, you must make a few changes to the attribute mapping rules
in the activeexp.map.master file.
1.
Copy the sample mapping file activeexp.map.master to a file named activeexp.map
in your $ORACLE_HOME/ldap/odi/conf directory. Change directory to
$ORACLE_HOME/ldap/odi/conf and open activeexp.map in a text editor.
2.
Note that the source and destination, and the domain and attribute mapping
rules, are exactly the reverse of the import mapping rules: in this file OID is
the source (the left side of each rule) and AD is the destination (the right
side).
Examine the Domain Rules section:
CN=Users,DC=acme,DC=com:cn=Users,dc=acme,dc=com
A domain rule consists of two DNs delimited by a ":" character. The DN on the
left is the location of the users in the OID source; the DN on the right is the
destination container in AD where the changes will be made.
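The reversal described in step 2 is easy to get wrong by copying the import map unchanged. The following Python script is an added example, not part of the Oracle tutorial or of DIP itself: it parses the DomainRules section of a map file, derives the export-direction rules by swapping the two sides, and checks an export map against an import map. The file layout it assumes (a "DomainRules" heading, one "source:destination" line per rule, the next heading ending the section) and the second, non-symmetric sample rule are constructed for the example; only the acme.com users rule comes from the tutorial.

```python
# Added example (not from the Oracle tutorial): derive and check the DomainRules
# of an export map (OID -> AD) from an import map (AD -> OID). The file layout
# used here and the "Contractors/External" sample rule are assumptions made for
# the example; only the first rule is taken from the tutorial.


def normalize_dn(dn):
    """Canonical form for comparing DNs: attribute types and the cn/dc values
    used here match case-insensitively, and whitespace around commas is not
    significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_domain_rules(map_text):
    """Return [(source_dn, destination_dn), ...] from the DomainRules section.
    The ":" between the two DNs is the delimiter; the split is on the first ":"
    because neither DN in these rules contains one."""
    rules, in_section = [], False
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "DomainRules":
            in_section = True
            continue
        if in_section and ":" not in line:   # next heading (e.g. AttributeRules)
            break
        if in_section:
            src, dst = line.split(":", 1)
            rules.append((src.strip(), dst.strip()))
    return rules


def reverse_rules(rules):
    """Export rules are the import rules with source and destination swapped."""
    return [(dst, src) for src, dst in rules]


def render_domain_rules(rules):
    """Serialize rules back into the DomainRules section of a map file."""
    return "DomainRules\n" + "\n".join(f"{s}:{d}" for s, d in rules) + "\n"


def export_matches_import(import_text, export_text):
    """True only if every export rule is the exact reverse of an import rule.
    Catches the mistake of reusing the import map as the export map, which
    would make OID the destination of its own export."""
    imp = {(normalize_dn(s), normalize_dn(d))
           for s, d in parse_domain_rules(import_text)}
    exp = parse_domain_rules(export_text)
    if not exp:
        return False
    return all((normalize_dn(d), normalize_dn(s)) in imp for s, d in exp)


# Constructed sample import map: AD container on the left, OID container on
# the right. The second rule is invented so that the two sides differ.
IMPORT_MAP = """DomainRules
CN=Users,DC=acme,DC=com:cn=Users,dc=acme,dc=com
OU=Contractors,DC=acme,DC=com:cn=External,dc=acme,dc=com
AttributeRules
"""

# Export map derived from the import map (attribute rules omitted here).
EXPORT_MAP = (render_domain_rules(reverse_rules(parse_domain_rules(IMPORT_MAP)))
              + "AttributeRules\n")

if __name__ == "__main__":
    print(EXPORT_MAP)
    print("export map consistent with import map:",
          export_matches_import(IMPORT_MAP, EXPORT_MAP))
    print("import map reused as export map:      ",
          export_matches_import(IMPORT_MAP, IMPORT_MAP))
```

Because the tutorial's own rule maps cn=Users to the same DN on both sides, reversing it is invisible; the check only has teeth when the AD and OID containers differ, which is why the sample adds a second rule.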
After you have finished modifying your activeexp.map file, you need to upload
the rules in this file to the ActiveExport profile. You will use the
dipassistant program to upload the mapping file into the ActiveExport agent
profile.
1.
From the command prompt, enter the following command on one line:
dipassistant mp -host hostname.domain.com -port 3060 -passwd welcome1 -profile ActiveExport odip.profile.mapfile=/oracle/home/ldap/odi/conf/activeexp.map
Be sure to substitute your own FQDN, port number and password for OID in this
command. The password used in this command is the password for orcladmin, the
OID superuser. Because it is passed on the command line, it is visible to other
local users in the process list and is recorded in your shell history; run the
command from a trusted host and remove it from the history afterwards. The
odip.profile.mapfile property must be set to the complete path to the mapping
file, including the file name.
Next, configure the ActiveExport profile in Oracle Directory Manager (ODM) so
that the DIP server uses the uploaded mapping file to export changes from OID to
ADS:
1.
Launch the Oracle Directory Manager (ODM) GUI
tool. Log in as the orcladmin user.
2.
After you have successfully
logged in to ODM, navigate through the DIT tree starting at Server Management
and then to the Integration Servers.
Click Configuration Set1. All the default DIP profiles are displayed.
3.
Double-click the agent named ActiveExport.
4.
When the ActiveExport profile form comes up, you are on the General page.
Enter 5 in the Scheduling Interval field and 63 in the Debug Level field.
The scheduling interval is set in seconds, depending on how often you want OID
to export changes to the AD server. Setting Debug Level to 63 generates a log
file that records all transactions for this agent; this level is useful while
you validate the profile, but lower it once synchronization is working, because
it writes every transaction to disk.
5.
Click the Execution tab. Enter administrator@acme.com in the Connected
Directory Account field and its password in the Connected Directory Account
Password field. In the Connected Directory URL field, enter the FQDN or IP
address of the AD server, the port number AD is listening on, and the SSL mode,
delimited with ":" characters. This account is used for every write DIP makes
to AD; in a production deployment, use a dedicated account with only the rights
it needs on the mapped container rather than the domain Administrator account.
6.
Enter the following value in the OID Matching Filter field. This is necessary
for bidirectional synchronization.
modifiersname != orclodipagentname=activechgimp,cn=subscriber
profile,cn=changelog subscriber,cn=oracle internet directory
This filter prevents changes that the ActiveChgImp profile made to OID from
being exported back to AD, where they originated; without it, every change
imported from AD would be written to AD again on the next export cycle.
7.
Click the Status tab.
Obtain the last change number from the OID server by issuing the following
command in a new terminal:
8.
Enter the number returned in the OID Last Applied Change Number field. Set
the Last Execution Time to the current date and time.
9.
Start the DIP server and enable the agent profile. If the DIP server is already
running, stop it with the following command:
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="port=3060" stop
Start the DIP server with the following command:
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="port=3130 sslauth=2 debug=63" start
10.
In the Integration Profile: ActiveExport profile window, in the
General tab, set the Profile Status to Enable. Click
OK.
11.
The integration profile runs when the next scheduling interval elapses. You can
see the status of the profile on the Status tab of the profile property dialog
box. Check the synchronization status; it must read Synchronization Successful.
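The following Python script is an added example, not part of the Oracle tutorial or of DIP: it evaluates the OID Matching Filter from step 6 against a constructed change log to show which changes the ActiveExport profile would send to AD, and what happens without the filter. Only the filter text is taken from the tutorial; the record layout, the agent DN spelling variants, the source-domain check and the "attribute != value" / "attribute = value" filter grammar are assumptions made for the example.

```python
# Added example, not from the Oracle tutorial: apply the OID Matching Filter
# from step 6 to constructed change-log records. Only the filter text comes
# from the tutorial; record layout, agent DN spellings, the domain check and
# the filter grammar are assumptions.

MATCHING_FILTER = ("modifiersname != orclodipagentname=activechgimp,"
                   "cn=subscriber profile,cn=changelog subscriber,"
                   "cn=oracle internet directory")


def normalize_dn(dn):
    """Canonical form for DN comparison: attribute types and the cn and
    orclODIPAgentName values used here match case-insensitively, and
    whitespace around commas is not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_filter(text):
    """Split 'attribute != value' or 'attribute = value'. The value is itself a
    DN containing '=', so the split is on the operator surrounded by spaces."""
    for op in (" != ", " = "):
        if op in text:
            attr, value = text.split(op, 1)
            return attr.strip().lower(), op.strip(), value.strip()
    raise ValueError("unsupported filter syntax: " + text)


def matches(record, parsed_filter):
    """True when the record satisfies the filter, comparing DNs normalized."""
    attr, op, value = parsed_filter
    equal = normalize_dn(record.get(attr, "")) == normalize_dn(value)
    return equal if op == "=" else not equal


def select_changes(changelog, last_applied, parsed_filter=None, source_domain=None):
    """Change numbers the export profile would process: newer than the last
    applied change number, located under the source domain of the DomainRules
    (when given), and passing the matching filter (when given)."""
    selected = []
    for rec in sorted(changelog, key=lambda r: r["changenumber"]):
        if rec["changenumber"] <= last_applied:
            continue
        if source_domain is not None:
            target = normalize_dn(rec["targetdn"])
            if not target.endswith("," + normalize_dn(source_domain)):
                continue
        if parsed_filter is not None and not matches(rec, parsed_filter):
            continue
        selected.append(rec["changenumber"])
    return selected


# Constructed change-log records. 101 and 103 were written by the ActiveChgImp
# agent (its DN in two spellings), so they originate from AD; 105 lies outside
# the users container mapped by the domain rule.
AGENT_DN = ("orclODIPAgentName=ActiveChgImp,cn=Subscriber Profile,"
            "cn=ChangeLog Subscriber,cn=Oracle Internet Directory")
AGENT_DN_ALT = ("ORCLODIPAGENTNAME=activechgimp, CN=subscriber profile, "
                "CN=changelog subscriber, CN=oracle internet directory")
USERS = "cn=Users,dc=acme,dc=com"
CHANGELOG = [
    {"changenumber": 100, "changetype": "add", "targetdn": "cn=alice," + USERS,
     "modifiersname": "cn=orcladmin"},
    {"changenumber": 101, "changetype": "add", "targetdn": "cn=bob," + USERS,
     "modifiersname": AGENT_DN},
    {"changenumber": 102, "changetype": "modify", "targetdn": "cn=carol," + USERS,
     "modifiersname": "cn=orcladmin"},
    {"changenumber": 103, "changetype": "modify", "targetdn": "cn=dave," + USERS,
     "modifiersname": AGENT_DN_ALT},
    {"changenumber": 104, "changetype": "delete", "targetdn": "cn=erin," + USERS,
     "modifiersname": "cn=orcladmin"},
    {"changenumber": 105, "changetype": "modify",
     "targetdn": "cn=app-admins,cn=Groups,dc=acme,dc=com",
     "modifiersname": "cn=orcladmin"},
]


def export_loop_demo(last_applied=100):
    """Return (with_filter, without_filter): the change numbers exported to AD
    with the step 6 filter in place, and with the filter field left empty."""
    filt = parse_filter(MATCHING_FILTER)
    with_filter = select_changes(CHANGELOG, last_applied, filt, USERS)
    without_filter = select_changes(CHANGELOG, last_applied, None, USERS)
    return with_filter, without_filter


if __name__ == "__main__":
    with_filter, without_filter = export_loop_demo()
    print("exported with the matching filter:   ", with_filter)
    print("exported without the matching filter:", without_filter)
```

Without the filter, changes 101 and 103, which ActiveChgImp had just imported from AD, are written back to AD; with it, only the changes made by other OID clients are exported. The DN in the filter must be the agent's actual DN: a filter naming a different agent (for example activeimport) matches nothing and the loop returns.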
You must add new object classes to the DAS create user form
that will support AD integration and provisioning. This is necessary because,
by default, the DAS create user form does not include the orclADUser object
class. Therefore, when you create users in DAS, you are not able to populate
attributes such as krbPrincipalName or orclSAMAccountName. These attributes
are necessary for DAS to provision Microsoft Domain users.
1.
Open the DAS login page in your browser.
http://aspen.us.oracle.com:7777/oiddas
2.
Log in to DAS as the orcladmin user.
3.
Click the Configuration tab.
4.
Click the User Entry subtab.
5.
Click Add ObjectClass.
6.
From the list of Object Classes select orcladuser. Click Add.
7.
After you add the orcladuser objectclass, click Next at the bottom
of the form.
8.
Click Add New Attribute to add the new attributes.
9.
Select the orclsamaccountname attribute from the Directory
Attribute Name drop-down list. Enter SAM Account Name: Format:
ACME.COM$uid in the UI Label field. Select the Viewable
check box. Click Done.
10.
Click Add New Attribute. Select krbprincipalname from the
Directory Attribute Name drop-down list. Enter Kerberos Principal
Name: Format: uid@ACME.COM in the UI Label field. Select the
Viewable check box. Click Done.
11.
Click Add New Attribute. Select orcluserprincipalname from
the Directory Attribute Name list. Enter Principal Name for
Oracle: Format : uid@acme.com. Select the Viewable check box.
Click Done.
12.
Click Next at the bottom of the screen to continue.
13.
On the next page, click Create to create a new category for the
DAS Create User form.
14.
Enter Active Directory User Provisioning, the title of your new
category in the UI Label field. Click Done.
15.
Click Order Category. Move the new category up the category list
to where you want it. In our example, we will put it under the Basic Information
category.
16.
Select your new category by clicking the option adjacent to Active
Directory User Provisioning. Click Edit.
17.
Select orclsamaccountname. Click Move. Repeat to move krbprincipalname
and orcluserprincipalname attributes from the list on the left
to the list on the right.
18.
Click Done. Click Next. Click Finish.
19.
Click OK in the User Entry Configuration screen.
20.
When you are finished navigate
to the DAS Create User form by clicking on the Directory tab, and
then click Create.
21.
Create a new user in DAS by entering the following information:
User Name
First Name
Last Name
Email Address
Password
Confirm Password
Select the Privilege Group check box in Roles Assignment. Click Submit.
22.
Click OK in the User Creation screen.
23.
After you have finished creating the new user, log in to Windows as the new
user and verify that the login succeeds.
24.
From the Windows machine, open a browser window and log in to a single sign-on
Web application such as DAS.