Windows Integration: Configuring the Export Connector

Configuring the Connector

There is a viewlet at the bottom of this page detailing all of the steps.

In this section you will get hands-on experience configuring Oracle Internet Directory to export user information from OID to Active Directory.

This includes:

Creating the attribute and domain mapping rules

Uploading the mapping file

Export Agent configuration

PREREQUISITES

OID 10g AS infrastructure must be installed

The OID server must be running

Password Policy Plug-in must be configured

An OID SSL configset has been created

An SSL wallet has been created

The DIP server has been configured for SSL

The OID reversible password option has been configured

There are two ways of setting up the ActiveExport connector for exporting user and group information to AD.

The easiest way to get your export connector working is to run the script called "adprofileconfig.sh". By running this script you will enable OID to export to AD using a predetermined default set of attribute mapping rules. If this is your choice then go to chapter 43 page 7 Task 1 of the OID Admin guide and follow all of the instructions there.

If you want a more detailed, step-by-step, click-by-click example, which also explains how to customize your export connector, follow the steps below.

Creating the attribute and domain mapping rules

A word about two way synchronization

If you are planning to configure OID for one-way export synchronization with AD, you may use the default attribute mapping rules in the activeexp.map.master file. However, if you plan to do two-way synchronization, which includes using the default attribute mapping values from the activechg.map.master file with your ActiveChgImp profile, you will need to make a few changes to the attribute mapping rules in the activeexp.map.master file.

To make things a little easier, we have provided a sample mapping file called "activeexp.map" as part of the sample file downloads.

Copy this file to your $ORACLE_HOME/ldap/odi/conf directory.

Change directory to your $ORACLE_HOME/ldap/odi/conf directory.

Open this file in a text editor.

It is important to note that the source and destination sides of the domain and attribute mapping rules are exactly the opposite of those in the import mapping rules. This time OID is the source, the left part of each rule, and AD is the destination, the right side of each rule.

In the file you just opened, let's examine the "Domain Rules" first:

CN=Users,DC=acme,DC=com:cn=Users,dc=acme,dc=com

In this domain rule you can see two DNs separated by a ":".

The left DN, CN=Users,DC=acme,DC=com, represents the location of users in the OID source.

The right DN, cn=Users,dc=acme,dc=com, is the destination in AD where the changes will be made.

The complete domain mapping rule is:

CN=Users,DC=acme,DC=com:cn=Users,dc=acme,dc=com

Again, notice the ":" character delimiting the source and destination parts of the domain rule.

Now let's examine a simple "Attribute Rules" definition:

cn: : :orclContainer: cn: :container

The "cn" attribute value, which is part of the "orclContainer" objectclass at the source (OID), will be mapped to the "cn" attribute, which is part of the "container" objectclass on the destination (AD).

The sample file we used to create our mapping rules contains a list of common attributes used in most OID to Active Directory synchronization integrations.
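To see the domain and attribute rule formats described above handled concretely, here is an added example (not part of the Oracle tutorial or product) that parses a mapping file in the activeexp.map style and derives the mirrored rules you would need for the opposite direction when setting up two-way synchronization. The seven-field attribute rule layout (source attribute, required-attribute sequence, source type, source objectclass, destination attribute, destination type, destination objectclass, plus an optional eighth mapping-rule field) is an assumption inferred from the sample rule on this page.

```python
# Added example (not from the Oracle tutorial). Assumed attribute-rule layout, inferred
# from 'cn: : :orclContainer: cn: :container':
#   srcAttr:reqSeq:srcType:srcObjClass:dstAttr:dstType:dstObjClass[:mappingRule]
from dataclasses import dataclass

@dataclass
class DomainRule:
    source: str       # left DN: where the entries live in the source directory
    destination: str  # right DN: where they are written in the target directory

@dataclass
class AttributeRule:
    src_attr: str; req_seq: str; src_type: str; src_objclass: str
    dst_attr: str; dst_type: str; dst_objclass: str
    mapping_rule: str = ""   # optional 8th field, a transformation expression

def parse_attribute_rule(line):
    parts = [p.strip() for p in line.split(":")]
    if len(parts) not in (7, 8):
        raise ValueError(f"attribute rule needs 7 or 8 ':' fields: {line!r}")
    return AttributeRule(*parts)

def parse_map_file(text):
    section, domains, attrs = None, [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line in ("DomainRules", "AttributeRules"):
            section = line
        elif section == "DomainRules":
            src, dst = [p.strip() for p in line.split(":")][:2]  # ValueError if no ':'
            domains.append(DomainRule(src, dst))
        elif section == "AttributeRules":
            attrs.append(parse_attribute_rule(line))
        else:
            raise ValueError(f"rule before any section header: {line!r}")
    return domains, attrs

def mirror(rule):
    """Swap the OID and AD sides (export rule -> import rule). A mapping_rule
    expression cannot be inverted automatically, so it is dropped for review."""
    return AttributeRule(rule.dst_attr, rule.req_seq, rule.dst_type, rule.dst_objclass,
                         rule.src_attr, rule.src_type, rule.src_objclass, "")

# Constructed sample in the export (OID -> AD) direction, not the real master file.
SAMPLE_EXPORT_MAP = """DomainRules
CN=Users,DC=acme,DC=com:cn=Users,dc=acme,dc=com
AttributeRules
cn: : :orclContainer: cn: :container
"""
```

Running `parse_map_file(SAMPLE_EXPORT_MAP)` and passing each attribute rule through `mirror` gives the orclContainer/container rule with OID and AD swapped, which is the form the import profile expects; any rule that carried a mapping expression comes back with that field empty so you can rewrite it by hand.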


Uploading the mapping file

Once you have finished modifying your "activeexp.map" file, you need to upload the rules in this file to the "ActiveExport" profile. We will use a program called "dipassistant" to upload the mapping file into the ActiveExport agent profile.

From the command prompt type the following command:

dipassistant mp -host hostname.domain.com -port 3060 -passwd welcome1 -profile ActiveExport odip.profile.mapfile=/oracle/home/ldap/odi/conf/activeexp.map

Note: This command is one command, not three.

Be sure to substitute your own FQDN, port number and password for OID in this command.

The password used in this command is the password for the orcladmin user.

The "odip.profile.mapfile" should be set to the complete directory path to the mapping file including the name of the mapping file.


Export Agent configuration

Now we will finish configuring the AD export agent. First, launch the Oracle Directory Manager (ODM) GUI tool and log in as the "orcladmin" user.

Once you have successfully logged into ODM, navigate through the DIT tree starting at "Server Management" and then to "Integration Servers".

Click on "Configuration Set1". You will see all of the default DIP profiles.

Double click on the agent named "ActiveExport".

Configuring the General tab

When the ActiveExport profile form comes up you will be in the "General" tab. The only properties you need to set at this time are the "Debug Level" (optional) and the "Scheduling Interval".

Setting the "Debug Level" to "63" will generate a log file that records all transactions for this agent. Remember to prune this log file from time to time if you turn on debug tracing.

The "Scheduling Interval" should be set in seconds to how often you want OID to export changes to the AD server.

Configuring the Execution tab

Next we want to switch to the "Execution" tab. Here we need to set the "Connected Directory Account" property to an account name in AD that has administrative privileges. In this case we are using the account name "administrator". AD requires that you add the domain information to the admin user's name, so in our example we set this value to "administrator@acme.com".

We also need to set the "Connected Directory Account Password" property to the password for "administrator@acme.com".

The last property we need to set on this tab is the "Connected Directory URL". This consists of the FQDN or IP address of the AD server, the port number AD is listening on, and the SSL mode, delimited with a ":" character.

Example: 138.1.145.160:636:1


Configuring the "Mapping" tab

If you also plan to have an ActiveImport profile running at the same time (bi-directional synchronization), it is advisable to set an "OID Matching Filter" to prevent unnecessary round-trip synchronization.

If you are not planning to do bi-directional synchronization, you can skip the "Mapping" tab settings.

In our example we will set this value to the DN for the ActiveChgImp profile user.

Example:

modifiersname != orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory

This filter will prevent all changes made to OID by the ActiveImport profile from being exported to AD.

Configuring the "Status" tab

We need to get the last change number from the OID server. The following command will obtain this value for you:

ldapsearch -p 3060 -h host_name -D "cn=orcladmin" -w oid_password -b "" -s base "objectclass=*" lastchangenumber

Enter the number returned in the "OID Last Applied Change Number" field.

Set the "Last Execution Time" to the current date and time.

Now we need to start the DIP server and enable the Agent profile.

Stop the DIP server if it is already running with the following command:

oidctl connect=iasdb server=odisrv instance=1 config=1 flags="port=3060" stop

In this exercise we will use the following command to start the DIP server:

oidctl connect=iasdb server=odisrv instance=1 config=1 flags="port=3230 sslauth=2 debug=63" start

Now bring up your ActiveExport profile again. In the "General" tab, set the "Profile Status" to "Enable".


Watch a viewlet to see how it's done.
