| Oracle® Identity Management Integration Guide 10g (10.1.4.0.1) Part Number B15995-01 |
|
|
View PDF |
| Oracle® Identity Management Integration Guide 10g (10.1.4.0.1) Part Number B15995-01 |
|
|
View PDF |
This chapter outlines the procedures for integrating Oracle Identity Management with Microsoft Active Directory in a production environment. It contains these topics:
Verifying Synchronization Requirements for Microsoft Active Directory
Configuring Basic Synchronization with Microsoft Active Directory
Configuring Advanced Integration with Microsoft Active Directory
Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain
Configuring the Microsoft Active Directory Connector for Microsoft Exchange Server
|
Note: This chapter assumes familiarity with the chapter on Oracle Internet Directory concepts and architecture in Oracle Internet Directory Administrator's Guide. It also assumes familiarity with the earlier chapters in this book, especially:
If you are configuring a demonstration of integration with Microsoft Active Directory, then see the Oracle By Example series for Oracle Identity Management Release 10g (10.1.4.0.1), available on Oracle Technology Network at |
Before configuring basic or advanced synchronization with Microsoft Active Directory, ensure that your environment meets the necessary synchronization requirements by following the instructions in "Verifying Synchronization Requirements".
You use the express configuration command to quickly establish synchronization between Oracle Internet Directory and Microsoft Active Directory. Express configuration uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use express configuration to synchronize with Microsoft Active Directory, follow the instructions in "Creating Synchronization Profiles with Express Configuration".
|
Note: In addition to the general assumptions listed in "Creating Synchronization Profiles with Express Configuration", the express configuration option assumes the following for integrations with Microsoft Active Directory:
|
When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported third-party directories. The sample synchronization profiles created for Microsoft Active Directory are:
ActiveImport—The profile for importing changes from Microsoft Active Directory to Oracle Internet Directory by using the DirSync approach
ActiveChgImp—The profile for importing changes from Microsoft Active Directory to Oracle Internet Directory by using the USN-Changed approach
ActiveExport—The profile for exporting changes from Oracle Internet Directory to Microsoft Active Directory
|
Note: Whether you useActiveImport or ActiveChgImp depends on the method you chose for tracking changes, either DirSync or USN-Changed. |
You can also use the express configuration option of the Directory Integration Assistant (dipassistant) to create additional synchronization profiles, as described in "Configuring Basic Synchronization with Microsoft Active Directory". The import and export synchronization profiles created during the install process or with express configuration are only intended as a starting point for you to use when deploying your integration of Oracle Internet Directory and Microsoft Active Directory. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:
Step 3: Customizing the Search Filter to Retrieve Information from Microsoft Active Directory
Step 6: Synchronizing with Multiple Microsoft Active Directory Domains
Step 7: Synchronizing Deletions from Microsoft Active Directory
Step 10: Configuring the Microsoft Active Directory External Authentication Plug-in
Step 11: Performing Post-Configuration and Administrative Tasks
Plan your integration by reading Chapter 17, "Third-Party Directory Integration Concepts and Considerations", particularly "Microsoft Active Directory Integration Concepts".
Configure the realm by following the instructions in "Configuring the Realm".
By default, Microsoft Active Directory Connector retrieves changes to all objects in the container configured for synchronization. If you are interested in retrieving only a certain type of change, for example only changes to users and groups, then you should configure an LDAP search filter. This filter screens out changes that are not required when Microsoft Active Directory Connector queries Microsoft Active Directory. The filter is stored in the searchfilter attribute in the synchronization profile.
In the sample profiles activeChgImp and activeImport, only groups and users are retrieved from Microsoft Active Directory. Computers are not retrieved. The value of the searchfilter attribute is set as: searchfilter=(|(objectclass=group)(&(objectclass=user)(!(objectclass=computer))).
You can use either Oracle Directory Integration Server Administration tool or Directory Integration Assistant (dipassistant) to update the searchfilter attribute.
To customize the search filter by using the Directory Integration Assistant:
Enter the following command to customize the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) attribute:
$ORACLE_HOME/bin/dipassistant modifyprofile -D bindDn -w password -profile profName odip.profile.condirfilter=searchfilter=(|(objectclass=group) (objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))
Enter the following command to customize the OID Matching Filter (orclODIPOIDMatchingFilter) attribute:
$ORACLE_HOME/bin/dipassistant modifyprofile -D bindDn -w password -profile profName odip.profile.oidfilter=orclObjectGUID
To customize the search filter by using the Oracle Directory Integration Server Administration tool:
Launch the Oracle Directory Integration Server Administration tool by entering:
$ORACLE_HOME/bin/dipassistant -gui
In the navigator pane, expand directory_integration_server, then expand Integration Profile Configuration.
Select the configuration set, and, in the right pane, select the profile you want to customize. The Integration Profile window appears.
In the Integration Profile window, select the Mapping tab. The fields in this tab page are described in "Mapping" on page A-8.
In the Mapping tab page, in the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) and the OID Matching Filter (orclODIPOIDMatchingFilter) fields, enter the appropriate values for the searchfilter attribute. Instructions for specifying the searchfilter attribute are provided in the section "Filtering Changes with an LDAP Search" on page 6-13.
Choose OK.
|
Note: All attributes specified in thesearchfilter attribute should be configured as indexed attributes in Microsoft Active Directory. |
|
See Also: The appendix about the LDAP filter definition in Oracle Internet Directory Administrator's Guide for instructions on configuring an LDAP search filter |
Customize ACLs as described in "Customizing Access Control Lists".
When integrating with Microsoft Active Directory, the following attribute-level mapping is mandatory for all objects:
ObjectGUID: : : :orclObjectGUID: ObjectSID: : : :orclObjectSID:
Example 19-1 Attribute-Level Mapping for the User Object in Microsoft Active Directory
SAMAccountName:1: :user:orclADSAMAccountName: :orclADUser userPrincipalName: : :user:orclADUserPrincipalName::orclADUser:userPrincipalName
Example 19-2 Attribute-Level Mapping for the Group Object in Microsoft Active Directory
SAMAccountName:1: :group:orclADSAMAccountName: :orclADGroup
In the preceding examples, SAMAccountName and userPrincipalName from Microsoft Active Directory are mapped to orclADSAMAccountName and orclADUserPrincipalName in Oracle Internet Directory.
Customize the attribute mappings by following the instructions in "Customizing Mapping Rules".
When synchronizing with multiple Microsoft Active Directory domains, you need separate import and export synchronization profiles for each domain in most cases. However, the profiles for each domain should be very similar. The only exception involves using Global Catalog with import synchronization profiles. In this case, you only need to create a single import synchronization profile for the entire Microsoft Active Directory forest. For more information, see "Configuration Required for Importing from Microsoft Active Directory to Oracle Internet Directory".
|
Note: Be sure to perform attribute and DN mapping before attempting to synchronize with multiple domains. |
The best approach to creating separate import and export synchronization profiles for multiple domains is as follows:
Customize the import and export synchronization profiles for a single domain, using the procedures described earlier in this section.
Once you have finished customizing the import and export synchronization profiles for the first domain, use the Directory Integration Assistant's createprofilelike command to duplicate profiles, as follows.
$ORACLE_HOME/bin/dipassistant createprofilelike [-h hostName] [-p port] [-D bindDn] [-w password] -profile origProfName -newprofile newProfName
Use the Directory Integration Assistant's modifyprofile command to customize the profiles for each additional Microsoft Active Directory domain, as follows:
$ORACLE_HOME/bin/dipassistant modifyprofile [-h hostName] [-p port] [-D bindDn] [-w password] {-f fileName | -profile profName [-updlcn] } [propName1=value] [propName2=value]...
If necessary, update the connection details for each domain by following the instructions listed in "Configuring Connection Details".
Update the last change number in the import and export synchronization profiles for each domain by running the following command:
$ORACLE_HOME/bin/dipassistant modifyprofile –profile profile_name -updcln
Repeat Steps 2 through 5 for each Microsoft Active Directory domain with which you need to synchronize.
To synchronize deletions in Microsoft Active Directory with Oracle Internet Directory, you must grant the necessary privilege to the Microsoft Active Directory user account that the Oracle directory integration server uses to perform synchronizations with Microsoft Active Directory. Microsoft Active Directory deletions can be synchronized with Oracle Internet Directory by querying for them in Microsoft Active Directory. The way to do this depends on whether you are using the DirSync approach or the USN-Changed approach.
For the DirSync approach, the Microsoft Active Directory user account that the Oracle directory integration platform uses to access Microsoft Active Directory must have Domain Administrative permissions, belong to the Domain Administrators group, or be explicitly granted Replicating Directory Changes permissions.
|
See Also: Article ID 303972 athttp://support.microsoft.com for information on how to grant Replicating Directory Changes permissions |
For the USN-Changed approach, the Microsoft Active Directory user account that the Oracle directory integration platform uses to access Microsoft Active Directory must have "List Content" and "Read Properties" permission to the cn=Deleted Objects container of a given domain. In order to set these permissions, you must use the dsacls.exe command that is available with recent versions of Microsoft Active Directory Application Mode (ADAM). You can download the most recent version of ADAM at http://www.microsoft.com/downloads/.
Regardless of whether you are using the DirSync approach or the USN-Changed approach to synchronize deletions in Microsoft Active Directory with Oracle Internet Directory, if you create a matching filter for the ActiveImport profile (for the DirSync approach) or the ActiveChgImp profile (for the USN-Changed profile) be sure to include only the following key Microsoft Active Directory attributes:
ObjectGUID
ObjectSID
ObjectDistName
USNChanged
In you specify any attributes in a matching filter other than the preceding key attributes, deletions in Microsoft Active Directory are not propagated to Oracle Internet Directory.
|
See Also:
|
Configure the Microsoft Active Directory connector for synchronization in SSL mode by following the instructions in "Configuring the Third-Party Directory Connector for Synchronization in SSL Mode".
To synchronize password changes from Oracle Internet Directory to Microsoft Active Directory:
Configure Oracle Internet Directory, Oracle directory integration platform, and Microsoft Active Directory to run in SSL server authentication mode, as described in "Configuring the Third-Party Directory Connector for Synchronization in SSL Mode".
Enable password synchronization from Oracle Internet Directory to Microsoft Active Directory by following the instructions in "Enabling Password Synchronization from Oracle Internet Directory to a Third-Party Directory".
Configure the Microsoft Active Directory connector to synchronize passwords by installing and configuring the Oracle Password Filter for Microsoft Active Directory, as described in Chapter 20, "Deploying the Oracle Password Filter for Microsoft Active Directory".
Configure the Microsoft Active Directory external authentication plug-in by following the instructions in "Configuring External Authentication Plug-ins".
Read Chapter 23, "Managing Integration with a Third-Party Directory" for information on post-configuration and ongoing administration tasks.
By default, the import synchronization profile created with express configuration uses the USN-Changed approach for tracking changes. If you want to use the DirSync change tracking approach, be sure to perform the steps in this section before beginning synchronization.
|
Note: You may want to back up your current import synchronization profile before performing the following procedures. You can create a backup copy of a profile by using the Directory Integration Assistant'screateprofilelike command. For more information, see the dipassistant section in the Oracle Directory Integration Platform tools chapter of the Oracle Identity Management User Reference. |
To modify the import synchronization profile so it uses the DirSync change tracking approach:
You can use the activeimp.cfg.master file, located in your $ORACLE_HOME/ldap/odi/conf directory, to change the import synchronization profile from the USN-Changed approach to DirSync. Use the following command to update the profile:
$ORACLE_HOME/bin/dipassistant modifyprofile –profile profile_name odip.profile.configfile=$ORACLE_HOME/ldap/odi/conf/activeimp.cfg.master
Update the last change number by running the following command:
$ORACLE_HOME/bin/dipassistant modifyprofile –profile profile_name -updcln
This section describes the system requirements and tasks for configuring Windows Native Authentication. It contains these topics:
What are the System Requirements for Windows Native Authentication?
Configuring Windows Native Authentication with a Single Microsoft Active Directory Domain
Windows Native Authentication is intended for intranet Web applications. Your intranet deployment must include the following:
Windows 2000 server with Microsoft Active Directory
Kerberos service account established for OracleAS Single Sign-On server
Oracle Application Server 10g (10.1.4.0.1) infrastructure installed
|
Note: Although the sample configurations in this section are for UNIX/Linux, Oracle Application Server can also be installed on Microsoft Windows. |
To set up Windows Native Authentication, configure Oracle Internet Directory, the OracleAS Single Sign-On server, and the user's browser by performing the following tasks in the order listed.
Task 1: Configure the OracleAS Single Sign-On Server
To configure the single sign-on server, complete the tasks described in these topics:
Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server Create a service account for the OracleAS Single Sign-On server in Microsoft Active Directory, then create a keytab file for the server, and map the service principal (the server) to the account name. The keytab file stores the server's secret key. This file enables the server to authenticate to the KDC. The service principal is the entity, in this case, the single sign-on server, to which the KDC grants session tickets.
Synchronize system clocks. The OracleAS Single Sign-On middle tier and the Windows 2000 server must match. If you omit this step, then authentication fails because there is a difference in the system time.Be sure the time, the date, and the time zones are synchronized.
Check the port number of the Kerberos server on the Microsoft Active Directory host. The port where the Kerberos server listens is selected from /etc/services by default. On Windows systems, the services file is found at system_drive:\WINNT\system32\drivers\etc. The service name is Kerberos. Typically the port is set to 88/udp and 88/tcp on the Windows 2000 server. When added correctly to the services file, the entries for these port numbers are:
kerberos5 88/udp kdc # Kerberos key server kerberos5 88/tcp kdc # Kerberos key server
In the hosts file, located in the same directory as the services file, check the entry for the single sign-on middle tier. The fully qualified host name, which refers to the physical host name of the Oracle Application Server Single Sign-On server, must appear after the IP address and before the short name. The following is an example of a correct entry:
130.111.111.111 sso.MyCompany.com sso loghost
Perform the following tasks to create a user account and keytab file in Microsoft Active Directory that will be used by the logical Oracle Application Server Single Sign-On host:
Log in to the Microsoft Active Directory Management tool on the Windows 2000 server, then choose Users, then New, then user.
Enter the name of the OracleAS Single Sign-On host, omitting the domain name. For example, if the host name is sso.MyCompany.com, then enter sso. This is the account name in Microsoft Active Directory.
Note the password that you assigned to the account. You will need it later. Do not select User must change password at next logon.
Create a keytab file for the OracleAS Single Sign-On server, and map the account name to the service principal name.You perform both tasks by running the following command on the Windows 2000 server:
C:> Ktpass -princ HTTP/sso.MyCompany.com@MyCompany.com -pass password -mapuser sso -out sso.keytab
The -princ argument is the service principal. Specify the value for this argument by using the format HTTP/single_sign-on_host_name@KERBEROS_REALM_NAME. Note that HTTP and the Kerberos realm must be uppercase.
Note that single_sign-on_host_name can be either the OracleAS Single Sign-On host itself or the name of a load balancer where multiple OracleAS Single Sign-On middle tiers are deployed. MyCompany.com is a fictitious Kerberos realm in Microsoft Active Directory. The user container is located within this realm. The -pass argument is the account password is the -mapuser argument is the account name of the OracleAS Single Sign-On middle tier. The -out argument is the output file that stores the service key.
Be sure to replace the example values given with values suitable for your installation. These values appear in boldface in the example.
|
Note:
|
For each Oracle Application Server Single Sign-On host, copy or FTP the keytab file, sso.keytab to the OracleAS Single Sign-On middle tier, placing it in $ORACLE_HOME/j2ee/OC4J_SECURITY/config. If you use FTP, be sure to transfer the file in binary mode.
Be sure to give the Web server a unique identifier (UID) on the OracleAS Single Sign-On middle tier and to grant read permission for the file.
Run the OracleAS Single Sign-On Configuration Assistant on each Oracle Application Server Single Sign-On Host Running the ossoca.jar tool at this point does the following:
Configures the Oracle Application Server Single Sign-On server to use the Sun JAAS login module
Configures the server as a secured application
To run the ossoca.jar tool on the OracleAS Single Sign-On middle tier:
Back up the following configuration files:
$ORACLE_HOME/sso/conf/policy.properties
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml
$ORACLE_HOME/opmn/conf/opmn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml
Run the ossoca.jar tool:
UNIX/Linux:
$ORACLE_HOME/sso/bin/ssoca wna -mode sso -oh $ORACLE_HOME -ad_realm AD_REALM -kdc_host_port kerberos_server_host:port -verbose
Windows:
%ORACLE_HOME%\jdk\bin\java -jar %ORACLE_HOME%\sso\lib\ossoca.jar wna -mode sso -oh %ORACLE_HOME% -ad_realm AD_REALM -kdc_host_port kerberos_server_host:port -verbose
AD_REALM is the Kerberos realm in Microsoft Active Directory. This is the user container. Note from the syntax that this value must be entered in uppercase. The default port number for the KDC is usually 88. To confirm this, see step 2 in the section "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".
Step 2 shuts down the OracleAS Single Sign-On server. Restart it:
$ORACLE_HOME/opmn/bin/opmnctl startall
Task 2: Configure Internet Explorer for Windows Native Authentication
Configure Internet Explorer to use Windows Native Authentication. How you do this depends on which version you have.
Internet Explorer 5.0 and Later
To configure Internet Explorer 5.0 and later, perform the following steps:
From the menu bar, select Tools, then, from the Tools menu, select Internet Options.
In the Internet Options dialog box, select the Security tab.
On the Security tab page, select Local Intranet, then select Sites.
In the Local intranet dialog box, select Include all sites that bypass the proxy server; then click Advanced.
In the advanced version of the Local intranet dialog box, enter the URL of the OracleAS Single Sign-On middle tier. For example:
http://sso.mydomain.com
Click OK to exit the Local intranet dialog boxes.
In the Internet Options dialog box, select the Security tab; then choose Local intranet; then choose Custom Level.
In the Security Settings dialog box, scroll down to the User Authentication section and then select Automatic logon only in Intranet zone.
Click OK to exit the Security Settings dialog box.
From the menu bar, select Tools, then, from the Tools menu, select Internet Options.
In the Internet Options dialog box, select the Connections tab.
On the Connections tab page, choose LAN Settings.
Confirm that the correct address and port number for the proxy server are entered, then choose Advanced.
In the Proxy Settings dialog box, in the Exceptions section, enter the domain name for the OracleAS Single Sign-On server (MyCompany.com in the example).
Click OK to exit the Proxy Settings dialog box.
Internet Explorer 6.0 Only
If you are using Internet Explorer 6.0, perform steps 1 through 12 in "Internet Explorer 5.0 and Later"; then perform the following steps:
From the menu bar, select Tools, then, from the Tools menu, select Internet Options.
In the Internet Options dialog box, select the Advanced tab.
On the Advanced tab page, scroll down to the Security section.
Select Enable Integrated Windows Authentication (requires restart).
Task 3: Reconfigure Local Accounts
After configuring Windows Native Authentication, you must reconfigure accounts for the Oracle Internet Directory administrator (orcladmin) and other local Windows users whose accounts are in Oracle Internet Directory. If you omit this task, then these users will not be able to log in.
Use the Oracle Directory Manager for Oracle Internet Directory to perform these steps:
Add the orclADUser class to the local user entry in Oracle Internet Directory.
Add the login ID of the local user to the orclSAMAccountName attribute in the user's entry. For example, the login ID of the orcladmin account is orcladmin.
Add the local user to the exceptionEntry property of the external authentication plug-in.
This section describes how to configure Windows Native Authentication with multiple Microsoft Active Directory domains or forests in the following types of deployments:
Parent-child Microsoft Active Directory domains
Microsoft Active Directory domains in the same forest with an established tree-root trust type
Domains in different forests with an established forest trust type
|
Note: Forest trust types are only supported in Windows Server 2003 and later versions of Windows operating systems. |
To configure Windows Native Authentication with multiple Microsoft Active Directory domains or forests, perform the following tasks in the order listed:
Task 1: Verify that Trust is Established Between the Microsoft Active Directory Domains
Refer to your Microsoft Active Directory documentation for information on how to verify trust between multiple Microsoft Active Directory domains.
Task 2: Enabling Windows Native Authentication with Oracle Application Server Single Sign-On through a Load Balancer or Reverse Proxy
Configure the Oracle Application Server Single Sign-On server to run behind a load balance or through reverse proxy by following the instructions in the advanced deployment options chapter of Oracle Application Server Single Sign-On Administrator's Guide.
Task 3: Configure the OracleAS Single Sign-On Server
Configure each Oracle Application Server Single Sign-On server by following the instructions in "Task 1: Configure the OracleAS Single Sign-On Server". Be sure to use the same Microsoft Active Directory realm and corresponding key distribution center (KDC) when configuring each physical Oracle Application Server Single Sign-On server instance. Also, be sure to use the load balance or reverse proxy name as the logical Oracle Application Server Single Sign-On host name.
|
Note: With multiple Microsoft Active Directory forests, the Oracle Application Server Single Sign-On server's logical host name must belong to one of the Microsoft Active Directory domains. For example, assume you have two Microsoft Active Directory forests and each forest contains a single domain. The domain in the first forest is namedengineering.mycompany.com and the domain in the second forest is named finance.mycompany.com. The Oracle Application Server Single Sign-On server's logical host name must reside in either the engineering.mycompany.com or the finance.mycompany.com domain. |
Task 4: Configure Internet Explorer for Windows Native Authentication
Configure the Oracle Application Server Single Sign-On server by following the instructions in "Task 2: Configure Internet Explorer for Windows Native Authentication".
The only browsers that support SPNEGO-Kerberos authentication are Internet Explorer 5.0 or later. OracleAS Single Sign-On provides fallback authentication support for unsupported browsers such as Netscape Communicator. Depending upon the type of browser and how it is configured, the user is presented with the OracleAS Single Sign-On login form or the HTTP basic authentication dialog box. In either case, the user must provide a user name and password. The user name consists of the Kerberos realm name and the user ID. The default way to enter the user name is shown in the following example.
domain_name\user_id
The following example, based on the example provided in "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server", illustrates how to enter the user name.
MyCompany.COM\jdoe
Note that the user name and password are case sensitive. Additionally, password policies for Microsoft Active Directory do not apply. You can configure a different synchronization profile by using the Oracle directory integration platform. If you do, the login format just provided does not apply.
Fallback authentication is performed against Microsoft Active Directory, using an external authentication plug-in for Oracle Internet Directory.
|
Note:
|
Users may encounter a number of different login behaviors within Internet Explorer depending upon which version they are using. Table 19-1 shows under what circumstances automatic sign-on and fallback authentication are invoked.
Table 19-1 Single Sign-On Login Options in Internet Explorer
| Browser Version | Desktop Platform | Desktop Authentication Type | Integrated Authentication in Internet Explorer Browser | OracleAS Single Sign-On Login Type |
|---|---|---|---|---|
|
5.0.1 or later |
Windows 2000/XP |
Kerberos V5 |
On |
Automatic sign-on |
|
5.0.1 or later but earlier than 6.0 |
Windows 2000/XP |
Kerberos V5 |
Off |
Single sign-on |
|
6.0 or later |
Windows 2000/XP |
Kerberos V5 or NTLM |
Off |
HTTP basic authentication |
|
5.0.1 or later but earlier than 6.0 |
Windows NT/2000/XP |
NTLM |
On or off |
Single sign-on |
|
6.0 or later |
NT/2000/XP |
NTLM |
On |
Single sign-on |
|
5.0.1 or later |
Windows 95, ME, Windows NT 4.0 |
Not applicable |
Not applicable |
Single sign-on |
|
Earlier than 5.0.1 |
N/A |
Not applicable |
Not applicable |
Single sign-on |
|
All other browsers |
All other platforms |
Not applicable |
Not applicable |
Single sign-on |
This section explains how to synchronize Oracle Internet Directory foreign security principal references with Microsoft Active Directory.
Although Microsoft Active Directory stores information for group members in a trusted domain as foreign security principal references, Oracle Internet Directory stores the DNs of these members as they appear in Oracle Internet Directory. This results in a mismatch between an entry and its value as a member of a group. The relationship between a user and a group cannot be directly established in Oracle Internet Directory.
To establish the relationship between users and groups, the member DNs that refer to the foreign security principals must be replaced by the DNs of the entries during the synchronization of such groups. This is called resolving foreign key references.
|
Note: Synchronization of foreign security principal references is supported only on Windows 2003. |
Example 19-3 How Foreign Key References Are Resolved
The example in this section illustrates how foreign key references are resolved.Assume that there are three domains: A, B and C.
In this example, the one-way non-transitive trusts are from Domain A to Domain B, from Domain A to Domain C, and from Domain B to Domain C.
Tasks to Resolve Foreign Key References
This section explains the steps for resolving foreign key references.
Task 1: Update Agent Configuration Information For each profile that can have foreign security principal references, perform the following steps. The sample configuration files referred further are available in $ORACLE_HOME/ldap/odi/samples directory.
Copy the activeimp.cfg.fsp file. The following is an example of the activeimp.cfg.fsp file:
[INTERFACEDETAILS] Package: gsi Reader: ActiveReader [TRUSTEDPROFILES] prof1 : <Name of the profile1> prof2 : <Name of the profile2> [FSPMAXSIZE] val=10000
The preceding example assumes you are using the DirSync change tracking approach. If you are using the USN-Changed approach for tracking changes, assign a value of ActiveChgReader to the Reader parameter.
In the activeimp.cfg.fsp file, under the [TRUSTEDPROFILES] tag, specify the profile names of the other domains that have foreign security principal references in this domain.
Referring to Example 19-3, agent configuration information for Domain A contains the following:
[INTERFACEDETAILS] Package: gsi Reader: ActiveReader [TRUSTEDPROFILES] prof1: profile_name_for_domain_B prof2: profile_name_for_domain_C
Agent configuration information for domain B contains the following:
[INTERFACEDETAILS]
Package: gsi
Reader: ActiveReader
[TRUSTEDPROFILES]
prof1: profile_name_for_domain_C
Agent configuration information for domain C has no changes because domain C has no foreign key references.
Under the [FSPMAXSIZE] tag, specify the foreign security principal cache size. This can be the average number of foreign security principals you can have. A sample value of 1000 is specified in the activeimp.cfg.fsp file.
Load the new agent configuration information file by using the Directory Integration Assistant as follows:
$ORACLE_HOME/bin/dipassistant modifyprofile -profile profile_name_for_domain_A_or_B -host host_name -port port_name -dn bind_DN -passwd password_of_bind_DN odip.profile.configfile=activeimp.cfg.fsp
Repeat this task for every profile of interest.
Task 2: Modify the Input Data Before Bootstrapping to Resolve the Foreign Security Principal References To do this, perform the following steps:
Get the LDIF dump from the Microsoft Active Directory with appropriate filtering so that the resultant LDIF file contains only the required objects, for example users and groups.
|
Note: The command to dump entries from Microsoft Active Directory to Oracle Internet Directory isldifde. This command can be run only from a Microsoft Windows environment. |
Resolve the foreign security principal references by entering the following command:
$ORACLE_HOME/ldap/odi/admin/fsptodn host=oid_host port=oid_port dn= OID_privileged_DN (that is, superuser or dipadmin user)pwd=OID_password profile=profile_name_for_domain_A_or_B infile=input_filenameo_of_the_LDIF_dump_from_Active_Directory outfile=output_filename [sslauth=0|1]
By default, host is set to local_host, port is set to 389, and sslauth is set to 0.
|
Note: You can verify the successful execution of the command by verifying that the output file contains no references tocn=foreignsecurityprincipals in the member attribute. This command performs no attribute-level mapping other than resolving foreign security principal references. |
Use the -bootstrap option of the Directory Integration Assistant to bootstrap the data from Microsoft Active Directory to Oracle Internet Directory.
Task 3: Update the Mapping Rules to Resolve the Foreign Security Principals During Synchronization After bootstrapping, modifications to groups must be reflected in Oracle Internet Directory with the correct group membership values. The fsptodn mapping rule enables you to do this when you synchronize. Modify this mapping rule in every profile that needs foreign security principal resolution. Referring to Example 19-3, the mapping rules must be modified for Domains A and B.
If you do not have DN mapping, then change your mapping rule for the member attribute to the following:
member: : :group:uniquemember: :groupofUniqueNames: fsptodn(member)
If you have DN mapping, then change the mapping rules as follows:
Add the DN mapping rules corresponding to each of the trusted domains. This is used to resolve the correct domain mapping. Referring to Example 19-3, the domainrules in the mapping file for Domain A should have content similar to the following:
DOMAINRULES <Src Domain A >:<Dst domain A1 in OID> <Src Domain B >:< Dst domain B1 in OID> <Src Domain C>:<Dst domain C1 in OID>
Change your mapping rule for the member attribute to:
member:::group:uniquemember::groupofUniqueNames:dnconvert(fsptodn(member))
Upload the mapping file for the different profiles using Directory Integration Assistant (dipassistant).
This section explains how to change the Microsoft Active Directory domain controller to which changes are exported. There are two methods, one for the USN-Changed approach and the other for the DirSync approach.
How to Change the Microsoft Active Directory Domain Controller by Using the USN-Changed Approach
If you are using the USN-Changed approach, then perform the following:
Stop the current running profile. Modify the Microsoft Active Directory host connection information, that is, host, port, user, password, to point to the new host. Usually, the host name is the only item that you need to update.
Obtain the current value of the highestCommittedUSN by searching the new domain controller's root DSE for the current highest USNChanged value (attribute value of the highestCommittedUSN attribute of the root DSE):
ldapsearch -h host -p port -b "" -s base -D userDN -w password "objectclass=*" highestCommittedUSN
Use Oracle Directory Integration Platform to run a full synchronization from Microsoft Active Directory.
Run ldifde, the command to dump entries from Microsoft Active Directory to Oracle Internet Directory, using the intended LDAP search scope and search filter. Normally, the search filter should be the same as that specified in the running profile. For example, the following search filter is set in the sample properties file. Note that ldifde can be run only from a Microsoft Windows environment.
searchfilter=(&(|(objectclass=user)(objectclass=organizationalunit))(!(objectclass=group)))
Essentially, run ldifde with a search scope and search filter that retrieve all Oracle Internet Directory objects (entries) that were configured to be synchronized with Microsoft Active Directory by the running profile.
Run Oracle Directory Integration Platform to upload the LDIF file generated in Step a using the same profile.
After the full synchronization is completed, update the lastchangenumber attribute with the highestCommittedUSN value obtained in Step 2.
Resume the normal synchronization, that is, incremental synchronization from Microsoft Active Directory using USNChanged attribute.
How to Change the Microsoft Active Directory Domain Controller by Using the DirSync Approach
If you are using the DirSync approach, perform the following steps:
Stop the current profile that is running.
Use the Directory Integration Assistant createlike option to create a new profile exactly the same as the profile already being used. In the newly created profile, modify the Microsoft Active Directory host connection information, that is, host, port, user, password, to point to the new host. Usually, the host name is the only item you need to update.
Resume normal synchronization with the modified profile. Note that all the domain controllers must be in the same Microsoft Active Directory domain.
The Microsoft Active Directory Connector can be used for provisioning users in Microsoft Exchange. This is applicable in deployments having Microsoft Active Directory Server 2000 or later as their identity store.
To configure the Microsoft Active Directory connector for Microsoft Exchange Server, run express configuration with the Directory Integration Assistant (dipassistant) utility, as described in "Running Express Configuration". When you run the dipassistant command, be sure to specify adforexchange as the value assigned to the -3rdpartyds parameter. To further customize your integration with Microsoft Exchange, follow the instructions in "Configuring Advanced Integration with Microsoft Active Directory".
|
See Also: Oracle Application Server MS Office Developer's Guide |
