Windows Integration: Configuring the Import Connector

Configuring the connector

In this section you will get hands-on experience configuring Oracle Internet Directory (OID) to import users and groups from a single-domain instance of Active Directory (AD). You will also learn how to bootstrap (migrate) your users and groups from Active Directory to OID. This includes:

- Creating the attribute and domain mapping rules
- Uploading the mapping file to your Import profile
- Granting access for AD group synchronization
- Migrating the AD users and groups to OID

Import Agent Profile Configuration
PREREQUISITES

- OID 10g AS infrastructure must be installed.
- The OID server must be running.

In this exercise we will be using the ActiveChgImp profile. There are two ways of setting up the ActiveChgImp connector for importing users and groups from AD.

The easiest way to get your import connector working is to run the script called "adprofileconfig.sh". Running this script enables OID to import users and groups from AD using a predetermined default set of attribute mapping rules. There is one prerequisite to using the "adprofileconfig.sh" script: the DN of your users container in AD and in OID must be exactly the same. For instance, if your users in OID are located in "cn=users,dc=acme,dc=com", then your users in AD must reside in "cn=users,dc=acme,dc=com" in order to use the "adprofileconfig.sh" script. If this is your choice, go to chapter 43, page 7, Task 1 of the OID Admin Guide and follow all of the steps for using the "adprofileconfig.sh" script.

If your "users" container DN for OID and AD do not match, or if you want a more detailed step-by-step, click-by-click example which also explains how to customize your import connector, follow the steps below.

Creating the domain and attribute mapping rules

The first step in configuring the import connection with Active Directory is to set the domain and attribute mapping rules. We will be using a sample file called "activechg.map" which is included in the "samplefiles.tar" download. Copy this file to your $ORACLE_HOME/ldap/odi/conf directory. Open the file called "activechg.map" in a text editor. This file has two sections:

- The "DomainRules" section tells the DIP server the location of users and groups in the AD server and where to make those changes in the OID server.
- The "AttributeRules" section tells the DIP server which attributes on the AD server side will be mapped to which attributes on the OID server side.

The following graphic is an example of what you should have in your activechg.map file.
In the above example, let's examine the "Domain Rules" first:

CN=Users,DC=acme,DC=com:cn=Users,dc=acme,dc=com

In this domain rule you can see two DNs separated by a ":". The left DN (CN=Users,DC=acme,DC=com) represents the location of users in the Active Directory source. The right portion of the rule (cn=Users,dc=acme,dc=com) is the DN where the changes will be written in the OID destination. Again, notice the ":" delimiting the source and destination domain rules.

Now let's examine a simple "Attribute Rules" definition:

cn: : :container: cn: :orclContainer

The "cn" attribute value, which is part of the "container" objectclass at the source (AD), will be mapped to the "cn" attribute, which is part of the "orclContainer" objectclass on the destination (OID). The sample file we used to create our mapping rules contains a list of common attributes used in most Active Directory to OID synchronization integrations.
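The following is an added example, not Oracle's code and not part of the original tutorial: a small parser that reads a mapping file in the activechg.map format shown above and checks it before it is uploaded. It assumes (the page does not say this) that each section is introduced by its name on its own line with one rule per line, that a domain rule is "srcDN:dstDN" (a third, optional field is tolerated), and that an attribute rule is the seven-field colon-separated form shown above, with an optional eighth field carrying a mapping expression. The sample file contents are constructed for the example.

```python
"""Added example, not Oracle's code: parse and sanity-check a DIP mapping file
such as activechg.map before uploading it with dipassistant.

Assumptions (not stated on the page): each section is introduced by its name
("DomainRules" / "AttributeRules") on its own line with one rule per line; a
domain rule is "srcDN:dstDN" (a third, optional field is tolerated); an
attribute rule is the seven-field colon-separated form shown above, with an
optional eighth field carrying a mapping expression.
"""
import re

# Constructed sample in the page's format; not the contents of samplefiles.tar.
SAMPLE_MAP = """\
DomainRules
CN=Users,DC=acme,DC=com:cn=Users,dc=acme,dc=com
AttributeRules
cn: : :container: cn: :orclContainer
cn: : :person: cn: :person
samaccountname: : :user: orclSAMAccountName: :orclADUser
"""

# A DN is one or more "type=value" RDNs separated by commas (multi-valued RDNs not handled).
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")


def parse_map(text):
    """Return (domain_rules, attribute_rules, problems).

    domain_rules: list of (source_dn, destination_dn)
    attribute_rules: list of dicts keyed src_attr/src_objectclass/dst_attr/dst_objectclass/mapping
    problems: human-readable findings; an empty list means the file parsed cleanly
    """
    domain_rules, attr_rules, problems = [], [], []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower() in ("domainrules", "attributerules"):
            section = line.lower()
            continue
        fields = [f.strip() for f in line.split(":")]
        if section == "domainrules":
            if len(fields) not in (2, 3) or not fields[0] or not fields[1]:
                problems.append(f"line {lineno}: domain rule must be srcDN:dstDN")
                continue
            src, dst = fields[0], fields[1]
            for dn in (src, dst):
                if not DN_RE.match(dn):
                    problems.append(f"line {lineno}: {dn!r} is not a DN")
            domain_rules.append((src, dst))
        elif section == "attributerules":
            if len(fields) not in (7, 8):
                problems.append(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
                continue
            rule = {
                "src_attr": fields[0],
                "src_objectclass": fields[3],
                "dst_attr": fields[4],
                "dst_objectclass": fields[6],
                "mapping": fields[7] if len(fields) == 8 else "",
            }
            if not rule["src_attr"] or not rule["dst_attr"]:
                problems.append(f"line {lineno}: source and destination attribute names are required")
            attr_rules.append(rule)
        else:
            problems.append(f"line {lineno}: rule appears before any section header")
    return domain_rules, attr_rules, problems


def normalize_dn(dn):
    """Lower-case and strip spaces around each RDN so DNs compare the way LDAP treats them."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def destinations_under(domain_rules, oid_suffix):
    """True if every destination DN is at or below oid_suffix.

    The DIP server writes imported entries wherever the destination DN points, so
    this guards against a typo that would land AD entries outside the intended
    part of the OID directory tree.
    """
    suffix = normalize_dn(oid_suffix)
    return all(
        normalize_dn(dst) == suffix or normalize_dn(dst).endswith("," + suffix)
        for _, dst in domain_rules
    )


if __name__ == "__main__":
    domains, attrs, findings = parse_map(SAMPLE_MAP)
    print(f"{len(domains)} domain rule(s), {len(attrs)} attribute rule(s)")
    for finding in findings:
        print("PROBLEM:", finding)
    print("destinations under dc=acme,dc=com:", destinations_under(domains, "dc=acme,dc=com"))
```

Run it against your edited activechg.map (read the file into parse_map instead of SAMPLE_MAP) and pass the OID suffix your users live under to destinations_under; a False result means a domain rule would write imported AD entries somewhere other than the container you intended.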
Once you are finished modifying your "activechg.map" file, we need to upload these rules to the "ActiveChgImp" profile. We will use a program called "dipassistant" to upload the mapping file into the ActiveChgImp agent profile. From the command prompt, type the following command:

dipassistant mp -host hostname.domain.com -port 3060 -passwd welcome1 -profile ActiveChgImp odip.profile.mapfile=/oracle/home/ldap/odi/conf/activechg.map

Note: This is one command, not three. Be sure to substitute your own FQDN, port number and password for OID in this command. The password used in this command is the password for orcladmin. The "odip.profile.mapfile" should be set to the complete directory path to the mapping file, including the name of the mapping file.
Grant access permission for AD group synchronization

Unlike most LDAP servers, Active Directory stores its "groups" in the "users" container. Since we are mapping all the entries in the AD "users" container to the "users" container in OID, we need to add an extra access control policy in OID to allow groups to be created in the users container in OID. To make this task easier for you, we have provided an LDIF file as part of the sample file download. The file is called grantrole.ldif. You will need to make a small change to this file before applying it to OID. In this file you will see 15 references to the domain "dc=acme,dc=com". Globally replace this domain with your own domain information in OID. For instance, if the domain in your OID server where your users are located is dc=us,dc=acme,dc=com, then replace dc=acme,dc=com with this domain globally. Once you have modified this file to reflect your own domain, apply this access control policy to OID using the following command:

# ldapmodify -p oid_portnum -h oid_host_name -D "cn=orcladmin" -w orcladmin_pass -f /grantrole.ldif
Migrating the AD users and groups to OID

Migrating users and groups is often referred to as "bootstrapping" in the OID Administrator's Guide. The "dipassistant" program is used to migrate your Microsoft users and groups to OID. The dipassistant uses a file called ldp2ldp.properties to migrate the users and groups. This file is located in your $ORACLE_HOME/ldap/odi/samples directory. Copy the file "ldp2ldp.properties" to a new file, open the new file in a text editor, and make the following changes:

1. Set the "odip.bootstrap.srctype" to "LDAP".
2. Set the "odip.bootstrap.srcurl" to the fully qualified domain name and port number where the Active Directory server is running. Remember to use a ":" to separate the host name and port number. You can use an IP address instead of the FQDN if you like. Example: dude.acme.us.oracle.com:389
3. Set the "odip.bootstrap.srcdn" to the administrative account on the Active Directory server which has permission to read the directory. Example: cn=administrator,cn=users,dc=acme,dc=com or administrator@acme.com
4. Set the "odip.bootstrap.srcpasswd" value to the Active Directory administrator's password.
5. Set the "odip.bootstrap.desttype" to "LDAP".
6. Set the "odip.bootstrap.desturl" to the fully qualified domain name and port number where the OID server is running. Remember to use a ":" to separate the host name and port number. Example: aspen.us.oracle.com:3060
7. Set the "odip.bootstrap.destdn" to the OID super user account "cn=orcladmin".
8. Set the "odip.bootstrap.destpasswd" to the OID super user's password.
9. Set the "odip.bootstrap.mapfile" value to the full path of the AD import mapping file created earlier in this section. In our example we used "activechg.map". This file determines which user and group attributes in the Active Directory server get mapped into OID.
10. Set the "odip.bootstrap.logfile" value to wherever you want your log files located in your file system.
11. Set the "odip.bootstrap.logseverity" level to your desired level of error capturing. In this example we will set the level to 15 to capture all errors.
12. Set the "odip.bootstrap.trcfile" to the location where you want your trace file located.

Complete the bootstrapping of users and groups

Now we will run the "dipassistant" command to complete the user migration. Example:

dipassistant bootstrap -cfg /u01/app/oracle/product/904/ldap/odi/samples/ad2oid.properties

When the migration completes you should see a report that looks like this:
After completing the migration you should be able to login to Oracle Directory Manager and see your new users and groups.
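As an added example (not Oracle's code and not part of the original tutorial), the following script builds the bootstrap properties file from the settings described in the steps above, checks the values before dipassistant is run, and writes the file readable by its owner only, since it holds both the Active Directory administrator password and the orcladmin password in cleartext. The property names are those given on the page; the output file name ad2oid.properties, the log and trace paths and the placeholder passwords in SAMPLE are constructed for this example.

```python
"""Added example, not Oracle's code: build the bootstrap properties file from
the settings listed in the steps above, check them before dipassistant is run,
and write the file readable by its owner only, because it holds the Active
Directory and OID administrator passwords in cleartext.

The property names are those given on the page; the output file name
ad2oid.properties and the values in SAMPLE are constructed for this example.
"""
import os
import re
import tempfile

# host:port, where host is an FQDN or an IPv4 address (both forms are accepted above)
HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")

# Every property the steps ask you to set, in the order they are listed.
REQUIRED = (
    "odip.bootstrap.srctype",
    "odip.bootstrap.srcurl",
    "odip.bootstrap.srcdn",
    "odip.bootstrap.srcpasswd",
    "odip.bootstrap.desttype",
    "odip.bootstrap.desturl",
    "odip.bootstrap.destdn",
    "odip.bootstrap.destpasswd",
    "odip.bootstrap.mapfile",
    "odip.bootstrap.logfile",
    "odip.bootstrap.logseverity",
    "odip.bootstrap.trcfile",
)


def validate_bootstrap(props):
    """Return a list of problems; an empty list means the settings follow the steps above."""
    problems = [f"missing {key}" for key in REQUIRED if not props.get(key)]
    for key in ("odip.bootstrap.srctype", "odip.bootstrap.desttype"):
        if props.get(key) and props[key] != "LDAP":
            problems.append(f"{key} must be LDAP")
    for key in ("odip.bootstrap.srcurl", "odip.bootstrap.desturl"):
        url = props.get(key, "")
        if url and not HOSTPORT_RE.match(url):
            problems.append(f"{key} must be host:port, got {url!r}")
    severity = props.get("odip.bootstrap.logseverity", "")
    if severity and not severity.isdigit():
        problems.append("odip.bootstrap.logseverity must be a number")
    if not os.path.isabs(props.get("odip.bootstrap.mapfile", "/")):
        problems.append("odip.bootstrap.mapfile must be the full path to the mapping file")
    return problems


def render_properties(props):
    """Produce the key=value lines dipassistant reads."""
    return "".join(f"{key}={props[key]}\n" for key in REQUIRED)


def write_properties(path, props):
    """Validate, then create the file with mode 0600 so other local users cannot read the passwords."""
    problems = validate_bootstrap(props)
    if problems:
        raise ValueError("; ".join(problems))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_properties(props))
    os.chmod(path, 0o600)  # tighten an existing file that may have had looser permissions
    return path


def write_sample_to_tempdir():
    """Write SAMPLE into a fresh temporary directory; return (permission bits, file text)."""
    target = os.path.join(tempfile.mkdtemp(), "ad2oid.properties")
    write_properties(target, SAMPLE)
    with open(target) as fh:
        text = fh.read()
    return os.stat(target).st_mode & 0o777, text


# Constructed values following the examples in the steps; passwords are placeholders.
SAMPLE = {
    "odip.bootstrap.srctype": "LDAP",
    "odip.bootstrap.srcurl": "dude.acme.us.oracle.com:389",
    "odip.bootstrap.srcdn": "administrator@acme.com",
    "odip.bootstrap.srcpasswd": "<ad-administrator-password>",
    "odip.bootstrap.desttype": "LDAP",
    "odip.bootstrap.desturl": "aspen.us.oracle.com:3060",
    "odip.bootstrap.destdn": "cn=orcladmin",
    "odip.bootstrap.destpasswd": "<orcladmin-password>",
    "odip.bootstrap.mapfile": "/oracle/home/ldap/odi/conf/activechg.map",
    "odip.bootstrap.logfile": "/tmp/ad2oid.log",
    "odip.bootstrap.logseverity": "15",
    "odip.bootstrap.trcfile": "/tmp/ad2oid.trc",
}

if __name__ == "__main__":
    mode, text = write_sample_to_tempdir()
    print(f"wrote {len(text.splitlines())} properties with mode {oct(mode)}")
```

Point write_properties at the path you will pass to dipassistant -cfg; the validation catches the mistakes the steps warn about (a URL without the ":port", a source or destination type other than LDAP, a relative mapfile path), and the 0600 mode keeps the two administrator passwords from being readable by other accounts on the host.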
Now we will finish configuring the AD import agent. First we need to launch the Oracle Directory Manager (ODM) GUI tool. Example:

# oidadmin

Once you have successfully logged into ODM, navigate through the DIT to "Server Management -> Integration Servers". Click on "Configuration Set1". You will see all of the default DIP agent profiles listed on the right. Double-click on the agent profile named "ActiveChgImp".
Configuring the General tab

When the ActiveChgImp profile form comes up you will be in the "General" tab. The only properties you need to set in the "General" tab at this time are the "Debug Level" (optional) and the "Scheduling Interval". Setting the "Debug Level" to "63" will generate a log file that records all transactions for this agent. Remember to prune the log files from time to time if you turn on debug tracing, as they will grow very large very fast. The "Scheduling Interval" should be set, in seconds, to how often you want OID to check the AD server for changes.
Configuring the Execution tab

Next we want to switch to the "Execution" tab. Here we need to set the "Connected Directory Account" property to an account name on the AD server that has privilege to read the AD changelogs and deletes from the AD server. In this case we are using the account name "administrator". AD allows you to add the domain information to the admin user's name. In our example we set this value to "administrator@acme.com". Alternately you could use "cn=administrator,cn=users,dc=acme,dc=com". We also need to set the "Connected Directory Account Password" property to the password for "administrator@acme.com". The last property we need to set on this tab is the "Connected Directory URL". This will be either the host name or IP address where AD is running and the port number AD is listening on. The IP/FQDN and port number are delimited with a ":" character. Example: 138.1.145.160:389
There are no changes that need to be made in the "Mapping" tab so skip to the "Status" tab.
Configuring the "Status" tab

We need to get the last change number from the AD server change logs. The following command will obtain this value for you:

ldapsearch -p 389 -h AD_Host_name -D "administrator@acme.com" -w admin_password -b "" -s base "objectclass=*" highestCommittedUSN

Enter the number returned in the "Last Applied Change Number" field. You also want to set the "Last Successful Execution Time" to the current date and time.
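The following is an added example, not Oracle's code and not part of the original tutorial: it reads highestCommittedUSN out of the output of the ldapsearch command above, so the value entered in "Last Applied Change Number" is taken from the response rather than copied by eye. SAMPLE_OUTPUT is constructed in the attribute: value form ldapsearch prints; the USN value in it is made up.

```python
"""Added example, not Oracle's code: extract highestCommittedUSN from the
output of the ldapsearch command above.

SAMPLE_OUTPUT below is constructed in the "attribute: value" form ldapsearch
prints; real output comes from running the command against your own domain
controller.
"""
import re

# Constructed sample of the RootDSE search result; the number is made up.
SAMPLE_OUTPUT = """\
dn:
highestCommittedUSN: 2846331
"""

# One "attribute: value" line; attribute names may contain digits, ';' and '-'.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*):\s*(.*)$")


def parse_ldapsearch(output):
    """Collect the attribute: value lines of one entry into a dict of lists.

    Attribute names are lower-cased because LDAP treats them case-insensitively.
    """
    entry = {}
    for line in output.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            entry.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return entry


def highest_committed_usn(output):
    """Return the USN as an int, or None if the attribute is absent, repeated or not numeric."""
    values = parse_ldapsearch(output).get("highestcommittedusn", [])
    if len(values) == 1 and values[0].isdigit():
        return int(values[0])
    return None


if __name__ == "__main__":
    print("Last Applied Change Number to enter:", highest_committed_usn(SAMPLE_OUTPUT))
```

Feed the function the captured output of the ldapsearch command (for example via subprocess) and enter the returned integer in the field. Because USNs are assigned independently by each domain controller, run the search against the same host you set in the "Connected Directory URL" on the Execution tab; a number taken from a different domain controller does not describe that server's change log.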
Now we need to start the DIP server and enable the agent profile. In this exercise we will use the following command to start the DIP server:

oidctl connect=iasdb server=odisrv instance=2 config=1 flags="port=3060" start

Substitute your OID database connect string where you see "connect". Now bring up your ActiveChgImp profile again. In the "General" tab, set the "Profile Status" to "Enable".
After enabling the ActiveChgImp profile, refresh the profile and open it again. This time click on the "Status" tab and check the synchronization status. It should read "Synchronization Successful".