Integrating Oracle Internet Directory with Microsoft Active Directory: Import Connector
Purpose
This module provides instructions to create and configure
an Import Connector to integrate Oracle Internet Directory (OID) with Microsoft
Active Directory Server (ADS).
In an enterprise environment, you may have multiple directory servers. To maintain consistency of data across the enterprise, all the directory servers must be synchronized and hold the same data state. In the Windows environment, user and group information is stored and maintained in Active Directory Server, which is a part of the Windows 2000 operating system. All Oracle components use OID as a central repository to store and maintain user and group information. The Oracle Directory Integration and Provisioning platform (DIP) is used to synchronize the two directories in an enterprise environment.
You can synchronize OID and ADS by using an import
connector or an export connector. In this tutorial, you learn to configure the
import connector. An import connector is used to import users and groups from
a single domain instance of ADS to OID. You also learn how to bootstrap or migrate
users and groups from ADS to OID.
The first step in configuring an import connection with ADS
is to set the domain and attribute mapping rules. Perform the following steps:
1. Open a Command Prompt window and change the working directory to %ORACLE_HOME%/ldap/odi/conf by using the following command:
cd %ORACLE_HOME%/ldap/odi/conf
2. In this directory, copy the existing sample file activechg.map.master to activechg.map by using the following command:
cp activechg.map.master activechg.map
The activechg.map.master file is a sample file that includes the generic domain and attribute mapping rules required to map users and groups of ADS with OID. The sample file and the activechg.map file have two sections: DomainRules and AttributeRules.
DomainRules: This section provides the DIP server with the location of the users and groups containers in the ADS. It also specifies the destination location of the user and group containers in the OID server where the changes will take place.
AttributeRules: This section provides the DIP server with the mapping of the ADS attributes to the corresponding attributes on the OID server.
Verify that the file has write permission; if it does not, use the following command to change the permissions:
chmod 777 activechg.map
3. Open the activechg.map file in an editor:
vi activechg.map
4. Make the following changes in the file:
In the DomainRules section, change
%USERBASE%:%USERBASE%:
to
CN=Users,DC=acme,DC=com:CN=Users,DC=acme,DC=com
The exact DNs depend on your instance. The first part of the DomainRule is the DN of the users and groups container location in the ADS, which is the source. The part after the colon (":") is the DN of the users and groups container location in the OID server, which is the destination. The source and destination DNs of a domain rule are delimited by a colon (":").
In the AttributeRules section, do not change any of the attribute mapping rules.
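The domain rule edited in step 4 has a fixed shape (source DN, colon, destination DN, colon), so it is worth checking the edited file before it is uploaded to the profile. The script below is an added example written for this tutorial, not Oracle's own tooling: it fills the %USERBASE% placeholders of a constructed stand-in for activechg.map.master with the ADS and OID container DNs, leaves the AttributeRules section untouched, and then validates that every domain rule carries two well-formed, colon-delimited DNs and that no placeholder remains. The sample map content, the function names and the DN syntax check are assumptions of the example, and the single attribute rule in the sample is illustrative rather than a line from the real file.

```python
"""Fill and validate the DomainRules section of a DIP mapping file.

Added example for this tutorial (not Oracle's tooling). It assumes the
layout of the constructed SAMPLE_MASTER below: a 'DomainRules' header,
one rule per line of the form '<source DN>:<destination DN>:', then an
'AttributeRules' header followed by rules that must not be modified.
"""
import re

# Constructed stand-in for activechg.map.master; the real file contains many
# attribute rules, and the one shown here is only illustrative.
SAMPLE_MASTER = """DomainRules
%USERBASE%:%USERBASE%:
AttributeRules
cn: : :person:cn: :person
"""

# A DN for this purpose is a comma-separated list of attr=value components.
# Escaped commas inside values are out of scope for this light check.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")


def is_dn(value: str) -> bool:
    """Syntactic check only; it does not prove the container exists."""
    return bool(DN_RE.match(value.strip()))


def split_sections(text: str):
    """Return (domain_rule_lines, attribute_rule_lines) from map-file text."""
    lines = [line.rstrip() for line in text.splitlines()]
    try:
        d = lines.index("DomainRules")
        a = lines.index("AttributeRules")
    except ValueError:
        raise ValueError("missing DomainRules or AttributeRules header") from None
    if a < d:
        raise ValueError("AttributeRules must follow DomainRules")
    return lines[d + 1:a], lines[a + 1:]


def check_map(text: str):
    """Validate a filled map and return its (source, destination) DN pairs."""
    if "%USERBASE%" in text:
        raise ValueError("unfilled %USERBASE% placeholder remains")
    domain, _ = split_sections(text)
    pairs = []
    for line in domain:
        if not line.strip():
            continue
        fields = line.split(":")  # source : destination : (optional rule)
        if len(fields) < 2 or not is_dn(fields[0]) or not is_dn(fields[1]):
            raise ValueError(f"bad domain rule: {line!r}")
        pairs.append((fields[0], fields[1]))
    if not pairs:
        raise ValueError("DomainRules section is empty")
    return pairs


def fill_domain_rules(master: str, source_dn: str, dest_dn: str) -> str:
    """Replace the %USERBASE% placeholders with the ADS (source) and OID
    (destination) container DNs, keeping the trailing colon of the sample
    line, and return the validated map text."""
    for name, dn in (("source", source_dn), ("destination", dest_dn)):
        if not is_dn(dn):
            raise ValueError(f"{name} DN is not well formed: {dn!r}")
        if ":" in dn:
            raise ValueError(f"{name} DN contains ':' and would break the rule")
    domain, attrs = split_sections(master)
    filled = [line.replace("%USERBASE%:%USERBASE%:", f"{source_dn}:{dest_dn}:")
              for line in domain if line.strip()]
    result = "\n".join(["DomainRules", *filled, "AttributeRules", *attrs]) + "\n"
    check_map(result)  # raises if the edit left the file inconsistent
    return result


if __name__ == "__main__":
    print(fill_domain_rules(SAMPLE_MASTER,
                            "CN=Users,DC=acme,DC=com",
                            "CN=Users,DC=acme,DC=com"), end="")
```

To check a file you edited by hand instead, read it and pass the text to check_map; it raises on a leftover placeholder, a malformed DN, or a missing section header, and otherwise returns the source/destination pairs so you can eyeball that the ADS and OID containers are the ones you intended.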
For the DIP server to use the mapping file to integrate ADS and OID, you must upload the content of the activechg.map file to the import connector profile ActiveChgImp. To upload the content of this file to the import profile, use the dipassistant command.
1. From the command prompt window, execute the following command:
Substitute hostname.domain, port and password in the above command with the Fully Qualified Domain Name (FQDN), port number, and password of your OID deployment. You must use the password for the OID superuser orcladmin. You must give the file name and the absolute directory path of the mapping file as the value of the odip.profile.mapfile argument in the command.
Granting Access Permission for Active Directory (AD) Group Synchronization
Unlike most LDAP servers, ADS stores its groups
in the users container. Because
you are mapping all the entries in the ADS users
container to the users container
in the OID server, it is necessary that you add an extra access control policy
in OID that allows you to create the groups
container under the users container
in OID.
1. Download the LDIF file (grantrole.ldif) with the access control policy definition.
2. From the command prompt window, open the grantrole.ldif file in an editor by using the following command:
vi /u01/grantrole.ldif
3. To use this file in your OID deployment, change all occurrences of dc=acme,dc=com to your own domain information. For example, if the users in your OID deployment are located at dc=us,dc=acme,dc=com, then replace all dc=acme,dc=com entries in the file with your domain dc=us,dc=acme,dc=com. Save the changes to the grantrole.ldif file.
4. To apply this access control policy on the OID server, execute the following command from the command prompt window:
You can use the dipassistant command to migrate users and
groups from ADS to OID server. This command provides a bootstrap command option
for making OID and the ADS contain the same data before exchanging information.
The dipassistant enables you to bootstrap by using either a parameter file or
a completely configured integration profile. Use the following steps to configure
the properties file:
1. Change the working directory to %ORACLE_HOME%/ldap/odi/samples/ by using the command:
cd %ORACLE_HOME%/ldap/odi/samples/
Oracle provides a sample properties file in this directory named ldp2ldp.properties that you can customize and use to migrate users and groups of ADS to OID in your deployment.
2. Copy the ldp2ldp.properties file to ad2oid.properties by using the command:
cp ldp2ldp.properties ad2oid.properties
3. Modify the permissions and open the ad2oid.properties file in an editor by using the following commands:
chmod 777 ad2oid.properties
vi ad2oid.properties
4. Make the following changes in the file by setting the following parameters:
Parameter: odip.bootstrap.srctype
Description: Specifies whether the source of bootstrapping is LDAP or LDIF
Value: LDAP

Parameter: odip.bootstrap.srcurl
Description: Specifies the source directory location
Value: FQDN:port for the ADS

Parameter: odip.bootstrap.srcdn
Description: Specifies the source directory Bind DN
Value: cn=administrator,cn=users,dc=acme,dc=com or administrator@acme.com

Parameter: odip.bootstrap.srcpasswd
Description: Specifies the bind password for the source Bind DN
Value: ADS administrator password

Parameter: odip.bootstrap.desttype
Description: Specifies whether the destination of bootstrapping is LDAP or LDIF
Value: LDAP

Parameter: odip.bootstrap.desturl
Description: Specifies the destination directory location
Value: FQDN:port for the OID server

Parameter: odip.bootstrap.destdn
Description: Specifies the destination directory Bind DN
Value: cn=orcladmin

Parameter: odip.bootstrap.destpasswd
Description: Specifies the bind password for the destination Bind DN
Value: welcome1

Parameter: odip.bootstrap.mapfile
Description: Specifies the location of the map file that contains the attribute and domain mappings
Value: activechg.map

Parameter: odip.bootstrap.logfile
Description: Specifies the log file location
Value: /oracle/ldap/odip/scr/bootstrap.log

Parameter: odip.bootstrap.logseverity
Description: Specifies the types of log messages that need to be logged: INFO = 1, WARNING = 2, DEBUG = 4, ERROR = 8. NOTE: A combination of these types can also be given by adding their values; for all types of message, use 1 + 2 + 4 + 8 = 15.
Value: 15

Parameter: odip.bootstrap.trcfile
Description: Specifies the location of the trace file
Value: /Oracle/ldap/odip/scr/bootstrap.trc
5. From the command prompt window, execute the dipassistant command to bootstrap the ADS and the OID server as follows:
After the bootstrap process is complete, the command displays a report with the number of entries that were successfully migrated and the ones that failed. You can view the generated log file for more details.
You can now log in to the OID server and view the users and groups migrated from ADS.
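The bootstrap properties file holds two bind passwords and a severity mask that is easy to miscompute, so the following added example (written for this tutorial; it is not Oracle's ldp2ldp.properties or dipassistant) builds ad2oid.properties from the parameter names in the table above, derives the odip.bootstrap.logseverity value from the named levels (INFO = 1, WARNING = 2, DEBUG = 4, ERROR = 8), checks the result for missing keys, host:port values without a port, and a sample password left in place, and writes the file with owner-only permissions. Host names, paths, passwords and all function names are constructed values for the example.

```python
"""Build and sanity-check the ad2oid.properties bootstrap file.

Added example for this tutorial, not Oracle's sample file or dipassistant.
The odip.bootstrap.* names and the severity bit values come from the
tutorial's parameter table; hosts, paths and passwords are constructed.
"""
import os
import re
import stat

LOG_BITS = {"INFO": 1, "WARNING": 2, "DEBUG": 4, "ERROR": 8}
REQUIRED = (
    "odip.bootstrap.srctype", "odip.bootstrap.srcurl", "odip.bootstrap.srcdn",
    "odip.bootstrap.srcpasswd", "odip.bootstrap.desttype", "odip.bootstrap.desturl",
    "odip.bootstrap.destdn", "odip.bootstrap.destpasswd", "odip.bootstrap.mapfile",
    "odip.bootstrap.logfile", "odip.bootstrap.logseverity", "odip.bootstrap.trcfile",
)
HOST_PORT_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def logseverity_mask(levels) -> int:
    """Combine named levels into the numeric value (all four = 15)."""
    mask = 0
    for level in levels:
        try:
            mask |= LOG_BITS[level.upper()]
        except KeyError:
            raise ValueError(f"unknown log level {level!r}") from None
    return mask


def logseverity_levels(mask: int) -> list:
    """Inverse of logseverity_mask: the named levels a value enables."""
    if not 0 < mask <= 15:
        raise ValueError("logseverity must be between 1 and 15")
    return [name for name, bit in LOG_BITS.items() if mask & bit]


def build_properties(ads_host_port, ads_bind_dn, ads_password,
                     oid_host_port, oid_password, mapfile, logdir,
                     levels=("INFO", "WARNING", "DEBUG", "ERROR")) -> dict:
    """LDAP-to-LDAP bootstrap with the table's keys; destdn is cn=orcladmin."""
    return {
        "odip.bootstrap.srctype": "LDAP",
        "odip.bootstrap.srcurl": ads_host_port,
        "odip.bootstrap.srcdn": ads_bind_dn,
        "odip.bootstrap.srcpasswd": ads_password,
        "odip.bootstrap.desttype": "LDAP",
        "odip.bootstrap.desturl": oid_host_port,
        "odip.bootstrap.destdn": "cn=orcladmin",
        "odip.bootstrap.destpasswd": oid_password,
        "odip.bootstrap.mapfile": mapfile,
        "odip.bootstrap.logfile": os.path.join(logdir, "bootstrap.log"),
        "odip.bootstrap.logseverity": str(logseverity_mask(levels)),
        "odip.bootstrap.trcfile": os.path.join(logdir, "bootstrap.trc"),
    }


def check_properties(props: dict) -> list:
    """Return a list of problems; an empty list means the file is usable."""
    problems = [f"missing {k}" for k in REQUIRED if k not in props]
    for k in ("odip.bootstrap.srctype", "odip.bootstrap.desttype"):
        if props.get(k) not in ("LDAP", "LDIF"):
            problems.append(f"{k} must be LDAP or LDIF")
    for k in ("odip.bootstrap.srcurl", "odip.bootstrap.desturl"):
        if props.get(k, "") and not HOST_PORT_RE.match(props[k]):
            problems.append(f"{k} must be FQDN:port")
    for k in ("odip.bootstrap.srcpasswd", "odip.bootstrap.destpasswd"):
        if props.get(k, "") in ("", "welcome1"):
            problems.append(f"{k} is empty or still the sample value from the table")
    try:
        logseverity_levels(int(props.get("odip.bootstrap.logseverity", "0")))
    except ValueError as exc:
        problems.append(f"odip.bootstrap.logseverity: {exc}")
    return problems


def write_properties(props: dict, path: str) -> str:
    """Write key=value lines. The file carries two bind passwords, so it is
    created owner-read/write only (0600) instead of world-readable."""
    body = "".join(f"{k}={v}\n" for k, v in props.items())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return body


if __name__ == "__main__":
    props = build_properties("ads.acme.com:389",
                             "cn=administrator,cn=users,dc=acme,dc=com",
                             "change-me-ads", "oid.acme.com:389", "change-me-oid",
                             "/u01/activechg.map", "/u01/dip")
    for line in check_properties(props) or ["no problems found"]:
        print(line)
```

An empty list from check_properties means all twelve parameters are present with sane values. The 0600 mode is the example's own choice: the tutorial's chmod 777 makes the file editable, but it also leaves both directory passwords readable by every local account, so tightening the mode once the file is written costs nothing and removes an easy credential leak.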
Configuring ADS Import Integration Profile by Using Oracle Directory Manager
After successfully bootstrapping the ADS and OID server, you
can configure the import integration profile by using the Oracle Directory Manager.
This profile is executed by the Oracle DIP server periodically to synchronize
the OID server. Perform the following steps to configure the import profile:
1. From the terminal, start Oracle Directory Manager.
2. In the login dialog box, enter the username as orcladmin and the password as the Oracle Application Server administrator password. If the entry of the server is not displayed, then register the server you want to connect to.
3. In the navigation pane, navigate to Oracle Directory Servers > orcladmin@oidhost:port > Server Management > Integration Server > Configuration Set1. The right pane displays all the integration profiles available.
4. Select ActiveChgImp from the list of integration profiles and click Edit to modify the profile parameter values.
5. The parameters of the ActiveChgImport profile are displayed in the following tabs:
   1. General tab
   2. Execution tab
   3. Mapping tab
   4. Status tab
6. The General tab is displayed first. Make changes to the following parameters in this tabbed page:
   1. Scheduling Interval = 10
   2. Debug Level = 63
7. Click the Execution tab and make changes to the following parameters:
8. Click the Mapping tab. You do not have to make any changes on this tabbed page because the mapping file is already uploaded to the profile.
9. Click the Status tab. The only parameter value that you need to change here is the Last Applied Change Number. To get the last change number, run the following command from the command prompt window:
Enter the returned value as the value of the Last Applied Change Number parameter. After making all the required changes, save the changes by clicking OK.
10. Start the Oracle DIP server to execute the ActiveChgImport integration profile. Start the DIP server by executing the following command from the command prompt window:
11. Change the Agent Profile Status to Enable. Click OK.
12. After the scheduled interval, the integration profile is executed. You can see the status of the profile from the Status tab in the profile property dialog box. Check whether the synchronization status is Synchronization Successful.