Oracle® Identity Management Integration Guide
10g (10.1.4.0.1)

Part Number B15995-01

18 Configuring Synchronization with a Third-Party Directory

This chapter contains generic instructions for synchronizing Oracle Internet Directory with a third-party directory. It contains these topics:


Note:

This chapter assumes that you are familiar with Chapter 17, "Third-Party Directory Integration Concepts and Considerations".


See Also:

The following chapters for step-by-step instructions about configuring integration between Oracle Internet Directory and a specific third-party directory:

Verifying Synchronization Requirements

To prepare for synchronization between Oracle Internet Directory and a third-party directory:

  1. Verify that Oracle Internet Directory and your third-party directory are running.

  2. Create a user account in the third-party directory with sufficient privileges to read and write the relevant entries in the containers that will be synchronized. If the directory supports tombstones, the account should also have sufficient privileges to read tombstone entries.

    • For Import Operations from a Third-Party Directory: Grant the user account read access privileges to the subtree root. The user account must be able to read all objects under the source container (subtree root) in the third-party directory that are to be synchronized with the Oracle directory integration platform. To verify whether a third-party directory user account has the necessary privileges to all objects to be synchronized with Oracle Internet Directory, use the command-line ldapsearch utility to perform a subtree search, as follows:

      $ORACLE_HOME/bin/ldapsearch -h directory host -p directory port -b "DN of subtree" -s sub -D "DN of privileged directory user" 
      -w "password for privileged directory user" "objectclass=*"
      
      

      The return results from the ldapsearch utility should include all objects of interest, including all attributes and values that will be synchronized.

    • For Export Operations to a Third-Party Directory: Grant the user account the following privileges to the subtree root that is the parent of all the containers to which the Oracle directory integration platform will export users:

      • Write

      • Create all child objects

      • Delete all child objects


      See Also:

      Your third-party directory documentation for information about how to grant privileges to user accounts

      You must also ensure that Oracle Internet Directory is running with change logging enabled, and that the change log purge duration is set to a minimum of seven days.


      See Also:


Creating Synchronization Profiles with Express Configuration

This section describes how to create and configure synchronization profiles with express configuration. It contains these topics:

Understanding Express Configuration

The Directory Integration Assistant (dipassistant) includes an express configuration option that creates two synchronization profiles, one for import and one for export, using predefined assumptions. If the directory integration server is already running, then after enabling the profiles, you can immediately begin synchronizing users and groups between the containers in which users and groups are stored in the third-party directory and cn=users,default_realm/ cn=groups,default_realm in Oracle Internet Directory.

To simplify the configuration, the express configuration option assumes the following:

  • Entries for users of the default realm in Oracle Internet Directory are located in the container cn=users,default_realm_DN.

  • Entries for groups of the default realm in Oracle Internet Directory are located in the container cn=groups,default_realm_DN.

  • The Oracle Directory Integration Platform master mapping rules files created during installation are located in $ORACLE_HOME/ldap/odi/conf.

  • Master domain mapping rules are located in $ORACLE_HOME/ldap/odi/samples.

  • The logon credential is that of an Oracle Directory Integration Platform administrator with sufficient privileges to configure a profile, a realm, and access controls on the Users container in the Oracle directory server. Members of the Oracle Directory Integration Platform Administrators group (cn=dipadmingrp,cn=dipadmin,cn=directory integration platform,cn=products,cn=oraclecontext) have the necessary privileges.

Perform the following steps to run express configuration and verify that users and groups are synchronizing between cn=users,default_naming_context in the third-party directory and cn=users,default_realm in Oracle Internet Directory:

  1. Run express configuration by following the instructions in "Running Express Configuration".

  2. Express configuration creates two profiles named profile_nameImport and profile_nameExport. By default, both profiles are disabled. Enable the profile_nameImport profile if you need to synchronize from a third-party directory to Oracle Internet Directory and enable the profile_nameExport profile if you need to synchronize from Oracle Internet Directory to a third-party directory. To enable a profile, you use the Directory Integration Assistant (dipassistant) utility with the modifyprofile operation. For example, the following command enables an import profile named myprofileImport:

    $ORACLE_HOME/bin/dipassistant modifyprofile -host myhost -port myport 
    -file import.profile -dn bind_DN -passwd password_of_bind_DN 
    -profile myprofileImport odip.profile.status=ENABLE
    
    
  3. Start the Oracle directory integration platform by following the instructions described in "Starting, Stopping, and Restarting the Oracle Directory Integration Platform".

  4. Wait until the scheduling interval has elapsed and verify that synchronization has started by entering the following command:

    $ORACLE_HOME/bin/ldapsearch -h OID host -p OID port \
    -D "DN of privileged OID user" -w "password of privileged OID user" \
    -b "orclodipagentname=import profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" \
    -s base "objectclass=*" orclodipsynchronizationstatus orclodiplastsuccessfulexecutiontime
    

    Note:

    The default scheduling interval is 60 seconds (1 minute). You can use the Directory Integration Assistant (dipassistant) to change the default scheduling interval. For more information, see Chapter 3, "Oracle Directory Integration Platform Administration Tools".

    When synchronization is successfully started:

    • The value of the Synchronization Status attribute is Synchronization Successful.

    • The value of the Last Successful Execution Time attribute is the specific date and time of that execution. Note that this must be close to the current date and time.

    An example of a result indicating successful synchronization is:

    Synchronization successful 20060515012615
    

    Note:

    • The date and time must be close to current date and time

    • When running the ldapsearch command, you need the dipadmin password, which, as established at installation, is the same as the orcladmin password


  5. After verifying that synchronization has started, examine the entries in Oracle Internet Directory and the third-party directory to confirm that users and groups are synchronizing between cn=users,default_naming_context in the third-party directory and cn=users,default_realm in Oracle Internet Directory.
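To automate the two checks in step 4, here is an added example in Python (not from the Oracle documentation). It assumes the ldapsearch output has been saved as one attribute=value line per attribute, that the execution time is in UTC in YYYYMMDDHHMMSS form like the sample value 20060515012615, and it treats "close to the current date and time" as within three scheduling intervals; SAMPLE_OUTPUT and the profile name myprofileImport are constructed.

```python
from datetime import datetime, timedelta, timezone

EXPECTED_STATUS = "synchronization successful"   # compared case-insensitively
DEFAULT_INTERVAL_SECONDS = 60                    # default scheduling interval

# Constructed sample of the ldapsearch output for an import profile
# (attribute=value lines, an assumed output format; the timestamp is the page's).
SAMPLE_OUTPUT = """\
orclodipagentname=myprofileImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipsynchronizationstatus=Synchronization Successful
orclodiplastsuccessfulexecutiontime=20060515012615
"""


def parse_attributes(text):
    """Return {attribute: value} from 'attr=value' (or LDIF 'attr: value') lines.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive. A leading 'dn:' line, if present, is ignored.
    """
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("dn:"):
            continue
        if "=" in line:
            name, value = line.split("=", 1)
        elif ":" in line:
            name, value = line.split(":", 1)
        else:
            continue
        attrs[name.strip().lower()] = value.strip()
    return attrs


def parse_execution_time(value):
    """Convert a YYYYMMDDHHMMSS value (assumed to be UTC) to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_sync(text, now=None, interval_seconds=DEFAULT_INTERVAL_SECONDS, tolerance=3):
    """Return (ok, reason) for the conditions the procedure requires.

    ok is True only when the status attribute reads "Synchronization
    Successful" and the last successful execution time lies within
    `tolerance` scheduling intervals before `now`. `now` may be omitted
    (current UTC time) or given as a YYYYMMDDHHMMSS string for testing.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_execution_time(now)

    attrs = parse_attributes(text)
    status = attrs.get("orclodipsynchronizationstatus")
    if status is None:
        return False, "status attribute not returned; check the profile DN and bind credentials"
    if status.lower() != EXPECTED_STATUS:
        return False, f"status is {status!r}; synchronization has not succeeded yet"

    raw = attrs.get("orclodiplastsuccessfulexecutiontime")
    if not raw:
        return False, "no successful execution time recorded yet"
    try:
        last = parse_execution_time(raw)
    except ValueError:
        return False, f"unparseable execution time {raw!r}"

    age = now - last
    if age < timedelta(0):
        return False, f"execution time {raw} is in the future; check clock skew between hosts"
    limit = timedelta(seconds=interval_seconds * tolerance)
    if age > limit:
        return False, (f"last success was {int(age.total_seconds())}s ago, "
                       f"beyond {tolerance} scheduling intervals; the profile may be stalled")
    return True, f"synchronized {int(age.total_seconds())}s ago"


if __name__ == "__main__":
    # Evaluate the constructed sample as if it had been captured 45 s after the run.
    print(check_sync(SAMPLE_OUTPUT, now="20060515012700"))
```

If you have changed the scheduling interval with dipassistant, pass the new value as interval_seconds so the staleness limit scales with it.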

Running Express Configuration

You can run express configuration with either the Directory Integration Assistant (dipassistant) or the Oracle Directory Integration Server Administration tool. The express configuration option with the Oracle Directory Integration Server Administration tool is only available for integrations with Microsoft Active Directory. For all other supported third-party directories, you must run express configuration with the Directory Integration Assistant. How to run express configuration for each tool is described in these topics:


Note:

While customizing the synchronization profiles for your environment, you may need to add test users and groups to facilitate your deployment effort. Be sure to remove any test users and groups when you are finished customizing and testing your synchronization profiles.


CAUTION:

In order to successfully customize your import and export synchronization profiles, do not enable SSL until you have finished with all other configuration tasks.


Running Express Configuration with the Directory Integration Assistant

This section describes how to run express configuration with the Directory Integration Assistant (dipassistant). You can use this command with any supported third-party directory.

To run express configuration with the Directory Integration Assistant:

  1. Launch the Directory Integration Express Configuration Tool:

    $ORACLE_HOME/bin/dipassistant expressconfig 
    [-h oracle_internet_directory_host 
    -p oracle_internet_directory_port -3rdpartyds directory_name
    -configset configuration_set_entry]
    
    

    The arguments in the preceding example are listed in Table 18-1.

    Table 18-1 Arguments for the Directory Integration Express Configuration Tool

    Argument                        Description
    oracle_internet_directory_host  Host of the Oracle directory server. The default is the local host.
    oracle_internet_directory_port  Non-SSL port for Oracle Internet Directory. The default is 389.
    directory_name                  The name of the third-party directory. Enter one of the following
                                    values: Active Directory, Iplanet, Novell eDirectory, Openldap,
                                    adforexchange.
    configuration_set_entry         Configuration set for Oracle Directory Integration Platform. The
                                    default is 1.


  2. When prompted, enter the following information:

    • Oracle Internet Directory credentials. You must specify the super user, that is, cn=orcladmin, or any user that is a member of the Oracle Directory Integration Platform Administrators group (cn=dipadmingrp,cn=dipadmin,cn=directory integration platform,cn=products,cn=oraclecontext).

    • Third-party directory connection details and credentials of a privileged user. When synchronizing with Microsoft Active Directory, the privileged user must have the necessary administrative privileges to read deleted entries.

    • For Novell eDirectory, OpenLDAP, and Sun Java System Directory, you must also specify the containers to synchronize.

    • Name to identify the synchronization profiles to be created. For example, if you specify the name abc, then the tool creates two profiles: abcImport and abcExport.

    • (Optional) Appropriate ACLs on the cn=users container. You can choose to enable users and groups to be managed by Oracle components under the cn=users container. If you customize ACLs in this way, then the original ACLs are saved in $ORACLE_HOME/ldap/odi/archive/profile_name_prefix_useracl.ldif.

Running Express Configuration with the Oracle Directory Integration Server Administration Tool (Microsoft Active Directory Only)

This section describes how to run express configuration with the Oracle Directory Integration Server Administration tool. This command is available only for deployments that integrate with Microsoft Active Directory.

To run express configuration with the Oracle Directory Integration Server Administration tool:

  1. Launch the Oracle Directory Integration Server Administration tool by entering:

    $ORACLE_HOME/bin/dipassistant -gui
    
    
  2. In the Oracle Directory Integration Server Administration tool, expand directory_server, then Integration Profile Configuration, and select Microsoft Active Directory Connector Configuration. The corresponding tab pages appear in the right pane.

  3. In the Microsoft Active Directory Connector Express Synchronization tab page, enter the appropriate values.

  4. Choose Apply.

Configuring Advanced Integration Options

When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported third-party directories. You can also use the express configuration option of the Directory Integration Assistant (dipassistant) to create additional synchronization profiles, as described in "Running Express Configuration". The import and export synchronization profiles created during the install process or with express configuration are only intended as a starting point for you to use when deploying your integration of Oracle Internet Directory and a third-party directory. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment, as described in these topics:


See Also:

The individual third-party directory integration chapters for information on the sample synchronization profiles that were created during the installation process

Before customizing the sample synchronization profiles that were created during the installation process, be sure to copy them with the createprofilelike (cpl) command of the Directory Integration Assistant, then enable the copies with the modifyprofile command of the Directory Integration Assistant.

Configuring the Realm

To configure the realm, do the following:

  1. Choose the realm DN structure as described in the section "Choose the Structure of the Directory Information Tree", and, more specifically, in the section "Planning the Deployment".

  2. Select the attribute for the login name of the user. This attribute contains the name of the attribute used for logging in. By default, it is uid. For more information, see the section "Select the Attribute for the Login Name".

    • If you are integrating with Microsoft Active Directory, and the userprincipalname attribute is used for logging in, then you would map userprincipalname to the uid attribute in Oracle Internet Directory.

    • If you are integrating with Novell eDirectory or OpenLDAP, and the mail attribute is used for logging in, then you would map mail to the uid attribute in Oracle Internet Directory.

  3. Set up the usersearchbase and groupsearchbase values in Oracle Internet Directory. These values indicate to the various Oracle components where to look for users and groups in Oracle Internet Directory. They are set to default values during installation. However, you may need to reset these values so that they correspond to the DIT structures in the two directories. Be sure to set them correctly. Otherwise, even if the synchronization seems to function properly, components still may be unable to access users and groups in Oracle Internet Directory.

    To illustrate how you might configure the user search base and group search base: In the example in , the value of usersearchbase should be set to cn=users,dc=us,dc=MyCompany,dc=com or one of its parents. Similarly, assuming there is a subtree named groups in the DIT, the multivalued groupsearchbase attribute should be set to both of the following:

    • cn=groups,dc=us,dc=MyCompany,dc=com or one of its parents

    • cn=users,dc=us,dc=MyCompany,dc=com

    To configure the user search base and group search base, use the Oracle Internet Directory Self-Service Console.

  4. Set up the usercreatebase and groupcreatebase values in Oracle Internet Directory. These values indicate to the various Oracle components where users and groups can be created. They are set to default values during installation.

    To illustrate how to configure the user create base and group create base: In the example in , the value of usercreatebase should be set to cn=users,dc=us,dc=MyCompany,dc=com or one of its parents. Similarly, the groupcreatebase should be set to cn=groups,dc=us,dc=MyCompany,dc=com or one of its parents.

    To configure the user create base and group create base, use the Oracle Internet Directory Self-Service Console.


See Also:

The section about modifying configuration settings for an identity management realm in Oracle Identity Management Guide to Delegated Administration

Customizing Access Control Lists

This section discusses how to customize ACLs for import profiles, export profiles, and for other Oracle components. It contains these topics:

Customizing ACLs for Import Profiles

The import profile is the identity used by the Oracle directory integration platform to access Oracle Internet Directory. ACLs must enable the import profile to add, modify, and delete objects in either the users and groups containers or the subtree where entries are accessed. By default, import profiles are part of the Realm Administrators group (cn=RealmAdministrators,cn=groups,cn=OracleContext,realm_DN) in the default realm. This group has privileges to perform all operations on any entry under the DN of the default realm.

You should not need to customize the ACLs for import synchronization with the default realm that is installed with Oracle Internet Directory Release 10g (10.1.4.0.1). If you are upgrading from an earlier version of Oracle Internet Directory, or if the synchronization is with a nondefault Oracle Internet Directory realm, then be sure that the necessary privileges in the proper subtree or containers are granted to the import profiles handling the synchronization.

For an ACL template in LDIF format, see the file $ORACLE_HOME/ldap/schema/oid/oidRealmAdminACL.sbs. If you have not changed the ACLs on the default realm, then this template file can be applied directly after instantiating the substitution variables, replacing %s_SubscriberDN% with the default realm DN in Oracle Internet Directory and replacing %s_OracleContextDN% with cn=OracleContext,default_realm_DN respectively. For example, if realmacl.ldif is the instantiated file, then you can upload it by using the following ldapmodify command:

$ORACLE_HOME/bin/ldapmodify -h OID host -p OID port 
-D "DN of privileged OID user" -w "password of privileged OID user" 
-v -f realmacl.ldif

See Also:

The chapter about access controls in Oracle Internet Directory Administrator's Guide

Customizing ACLs for Export Profiles

To enable the Oracle directory integration platform to access a third-party directory, you must create an identity in the third-party directory. This identity is configured in each export profile.

ACLs for Other Oracle Components

Default ACLs enable you to create, modify, and delete users and groups, but only in the users and groups containers under the default realm. To synchronize objects in other containers, you must customize the ACLs.

There are sample ACL files that you can use to customize ACLs for Oracle components. These sample files are installed in the $ORACLE_HOME/ldap/schema/oid directory. They are:

  • oidUserAdminACL.sbs—Grants necessary rights to the subtree for Oracle components to manage and access users

  • oidGroupAdminACL.sbs—Grants necessary rights to the subtree for Oracle components to manage and access groups

  • oidUserAndGroupAdminACL.sbs—Grants the privileges for Oracle components to manage and access users and groups in the subtree.

You can customize your ACL policy to grant privileges on a container-by-container basis with the required rights.


See Also:

The chapter about access controls in Oracle Internet Directory Administrator's Guide for instructions on customizing ACLs

Customizing Mapping Rules

Mapping rules, an important part of the synchronization profile, determine the directory information to be synchronized and how it is to be transformed when synchronized. You can change mapping rules at run time to meet your requirements.

Each sample synchronization profile includes default mapping rules. These rules contain a minimal set of default user and group attributes configured for out-of-the-box synchronization.


Note:

When a synchronization is underway, it relies on the mapping rules configured prior to any changes in the directory. To ensure consistent mapping, you may need to remove an already synchronized entry or perform a full synchronization.

Mapping rules govern the way data is transformed when a source directory and a destination directory are synchronized. Customize the default mapping rules found in the sample profiles when you need to do the following:

  • Change distinguished name mappings. The distinguished name mappings establish how the third-party directory DIT maps to the Oracle Internet Directory DIT.

  • Change the attributes that need to be synchronized.

  • Change the transformations (mapping rules) that occur during the synchronization.

You can perform any mapping if the resulting data in the destination directory conforms to the schema in that directory.


See Also:


Once you have established a working synchronization between Oracle Internet Directory and a third-party directory, you can customize the attribute mapping rules for your synchronization profiles to meet the needs of your deployment. When you use express configuration to create import and export synchronization profiles, mapping files are created for each profile in the $ORACLE_HOME/ldap/conf directory. The mapping files are named profile_nameImport.map and profile_nameExport.map. For example, if you enter "abc" when express configuration prompts you for the name of your profile, your mapping files will be named abcImport.map and abcExport.map.

To customize the attribute mapping rules for your synchronization profiles:

  1. Make a duplicate of the sample mapping rules file. The sample mapping rules files are stored in the $ORACLE_HOME/ldap/odi/conf directory with the extension map.master for the various profiles.

  2. Edit the sample mapping rules file to make the previously discussed modifications. You can find instructions for editing mapping rules in "Configuring Mapping Rules".

  3. After the changes are made, enter the following command:

    $ORACLE_HOME/bin/dipassistant modifyprofile -profile profile_name 
    -host oid_host -port oid_port -dn DN -passwd password
    odip.profile.mapfile=path_name
    
    

    For example:

    $ORACLE_HOME/bin/dipassistant modifyprofile -profile my_profile 
    -host my_host -port 3060 -dn cn=orcladmin -passwd welcome1
    odip.profile.mapfile=my_profile.map
    
    

    See Also:

    The dipassistant section in the Oracle Directory Integration Platform tools chapter of the Oracle Identity Management User Reference

  4. Wait until the scheduling interval has elapsed, and then check the synchronized users and groups to ensure that the attribute mapping rules meet your requirements.


    Tip:

    You may find it helpful to add test users and groups to Oracle Internet Directory or the third-party directory when customizing attribute mapping rules.

Configuring the Third-Party Directory Connector for Synchronization in SSL Mode

By default, SSL is not enabled for the import and export synchronization profiles created with express configuration. Whether or not you synchronize in the SSL mode depends on your deployment requirements. For example, synchronizing public data does not require SSL, but synchronizing sensitive information such as passwords does. To synchronize password changes between Oracle Internet Directory and a third-party directory, you must use SSL server authentication mode.


Note:

Be sure that you can successfully synchronize users in non-SSL mode before attempting to configure your synchronization profiles for SSL.

Securing the channel requires:

  • Enabling SSL between Oracle Internet Directory and the Oracle directory integration platform

  • Enabling SSL between the Oracle directory integration platform and the third-party directory

Although you can enable SSL either between Oracle Internet Directory and the Oracle directory integration platform or between that server and the third-party directory, Oracle recommends that you completely secure the channel before you synchronize sensitive information. In certain cases, such as password synchronization, synchronization can occur only over SSL.

Configuring SSL requires the following:

  • Running the Oracle directory server in SSL mode as described in the chapter on Secure Sockets Layer (SSL) in Oracle Internet Directory Administrator's Guide .

  • Running the Oracle directory integration platform in the SSL mode as described in Chapter 2, "Security Features in Oracle Directory Integration Platform". The SSL mode should be the same as the one in which the Oracle Internet Directory server was started. When starting the Oracle directory integration platform, set the sslauth parameter to 1 for no authentication or 2 for server authentication. If you do not include the sslauth parameter, the SSL mode defaults to no authentication.

  • Running the third-party directory server in SSL mode. Communication with a third-party directory over SSL requires SSL server authentication. This requires that both Oracle Internet Directory and the Oracle directory integration platform be run in SSL server authentication mode.

Perform the following steps to configure communication with a connected directory in SSL mode:

  1. In the integration profile, to indicate that the mode of communication is SSL, configure the connectedDirectoryURL attribute in the form of host:port:1. Make sure the port number is the SSL port. The default SSL port number is 636.

  2. Generate a certificate from the connected directory. What is required is the trust point certificate from the server. You do not need to use any external certificate server.

  3. Export the certificates to Base 64 encoded format.

  4. Import the certificates as trust points in the Oracle Wallet by using Oracle Wallet Manager. When you save the wallet, be sure to enable Auto Login by selecting Wallet from the menu bar, and then by selecting the check box next to the Auto Login menu item.

  5. Specify the wallet location in the odi.properties file in $ORACLE_HOME/ldap/odi/conf.

  6. Modify the third-party directory connection information, including the host name and profile, using the Directory Integration Assistant's modifyprofile command, as follows:

    $ORACLE_HOME/bin/dipassistant modifyprofile -h hostName -p ssl_port 
    -U ssl_mode -profile profile_name 
    odip.profile.condirurl=ad_host_name:636:1
    
    
  7. Enter the following command to create the certWalletPwd file:

    dipassistant wpasswd
    
    

    This command reads the odi.properties file for the location where the certWalletPwd file will be created. Enter the wallet password when prompted.

  8. Use the odisrvreg utility to register the server. The following command demonstrates how to use the odisrvreg utility to register the server in non-SSL mode:

    odisrvreg -h hostname -p port -D bindDN -w password
    
    

    See Also:

    Oracle Identity Management User Reference information on how to use the odisrvreg utility

  9. Restart the Oracle directory integration platform in SSL mode by following the instructions "Starting, Stopping, and Restarting the Oracle Directory Integration Platform".

  10. Add a test user and verify that it synchronizes successfully. If the test user does not synchronize successfully, then troubleshoot your SSL configuration.


Note:

The Oracle Directory Integration Platform does not support SSL in client/server authentication mode.

Enabling Password Synchronization from Oracle Internet Directory to a Third-Party Directory

To synchronize passwords from Oracle Internet Directory to a third-party directory, you must enable the password policy and reversible password encryption in the Oracle directory server. To do this, assign a value of 1 to the orclPwdPolicyEnable and orclpwdEncryptionEnable attributes in the entry cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,DN_of_realm. You can do this by using either Oracle Directory Manager or ldapmodify by uploading an LDIF file containing the following entries:

dn: cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,DN_of_realm
changetype: modify
replace: orclpwdpolicyenable
orclpwdpolicyenable: 1
-
replace: orclpwdencryptionenable
orclpwdencryptionenable: 1

See Also:

Oracle Internet Directory Administrator's Guide for information on how to set the password policy

Configuring External Authentication Plug-ins

Starting in 10g (10.1.4.0.1), Oracle Directory Integration Platform supports Java-based external authentication plug-ins. Oracle recommends that you use the Java plug-ins instead of the older, PL/SQL-based plug-ins, which only support Microsoft Active Directory and Sun Java System Directory.

The configuration tool for the new plug-ins is a Java program called oidexcfg. You use it to configure Java-based external authentication plug-ins for Microsoft Active Directory, Sun Java System Directory, Novell eDirectory, and OpenLDAP. The tool only sets up an external authentication plug-in to work with a single domain. You must perform additional steps to set up an external authentication plug-in to work with multiple domains.

This section contains these topics:

Configuring an External Authentication Plug-in

To configure an external authentication plug-in, you use the extauth operation of the Directory Integration Assistant (dipassistant) utility. See the dipassistant section in the Oracle Directory Integration Platform tools chapter of Oracle Identity Management User Reference for information on how to use the extauth operation.

Configuring External Authentication Against Multiple Domains

If you want to set up an external authentication plug-in to work with multiple external authentication domains, you must perform some manual steps after you run the external configuration tool. Proceed as follows:

  1. Configure the external authentication plug-in as described in "Configuring an External Authentication Plug-in".

  2. Search for the plug-in configuration entries created by the configuration tool in step 1, and redirect the search output to a file. Use an ldapsearch command similar to this:

    ldapsearch -p 3060 -D cn=orcladmin -w welcome -s sub -L \
        -b "cn=plugin,cn=subconfigsubentry" cn="oidexplg_*_ad" >> output.ldif
    
    

    The example shows a Microsoft Active Directory cn. Use the correct plug-in cn for the type of plug-in you configured, as shown in Table 18-2. You can use * as a wildcard, as shown in the example.

    Table 18-2 Distinguished Names of External Authentication Plug-ins

    Plug-in Type                DN
    Microsoft Active Directory  cn=oidexplg_compare_ad,cn=plugin,cn=subconfigsubentry
                                cn=oidexplg_bind_ad,cn=plugin,cn=subconfigsubentry
    Sun Java System Directory   cn=oidexplg_compare_iplanet,cn=plugin,cn=subconfigsubentry
                                cn=oidexplg_bind_iplanet,cn=plugin,cn=subconfigsubentry
    Novell eDirectory           cn=oidexplg_compare_Novell eDirectory,cn=plugin,cn=subconfigsubentry
                                cn=oidexplg_bind_Novell eDirectory,cn=plugin,cn=subconfigsubentry
    OpenLDAP                    cn=oidexplg_compare_openldap,cn=plugin,cn=subconfigsubentry
                                cn=oidexplg_bind_openldap,cn=plugin,cn=subconfigsubentry


  3. Examine the output file. For a Microsoft Active Directory plug-in, the output file resembles the following:

    dn: cn=oidexplg_compare_ad,cn=plugin,cn=subconfigsubentry
    cn: oidexplg_compare_ad
    objectclass: orclPluginConfig
    objectclass: top
    orclpluginname: oidexplg.jar
    orclplugintype: operational
    orclpluginkind: Java
    orclplugintiming: when
    orclpluginldapoperation: ldapcompare
    orclpluginsecuredflexfield;walletpwd: welcome1
    orclpluginsecuredflexfield;walletpwd2: welcome
    orclpluginversion: 1.0.1
    orclpluginisreplace: 1
    orclpluginattributelist: userpassword
    orclpluginentryproperties: (!(&(objectclass=orcladobject)(objectclass=orcluserv2)))
    orclpluginflexfield;host2: host.domain.com
    orclpluginflexfield;port2: 636
    orclpluginflexfield;isssl2: 1
    orclpluginflexfield;host: host.domain.com
    orclpluginflexfield;walletloc2: /location/wallet
    orclpluginflexfield;port: 389
    orclpluginflexfield;walletloc: /tmp
    orclpluginflexfield;isssl: 0
    orclpluginflexfield;isfailover: 0
    orclpluginclassreloadenabled: 0
    orclpluginenable: 0
    orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com
    
    dn: cn=oidexplg_bind_ad,cn=plugin,cn=subconfigsubentry
    cn: oidexplg_bind_ad
    objectclass: orclPluginConfig
    objectclass: top
    orclpluginname: oidexplg.jar
    orclplugintype: operational
    orclpluginkind: Java
    orclplugintiming: when
    orclpluginldapoperation: ldapbind
    orclpluginversion: 1.0.1
    orclpluginisreplace: 1
    orclpluginentryproperties: (!(&(objectclass=orcladobject)(objectclass=orcluserv2)))
    orclpluginclassreloadenabled: 0
    orclpluginflexfield;walletloc2: /location/wallet
    orclpluginflexfield;port: 389
    orclpluginflexfield;walletloc: /tmp
    orclpluginflexfield;isssl: 0
    orclpluginflexfield;isfailover: 0
    orclpluginflexfield;host2: host.domain.com
    orclpluginflexfield;port2: 636
    orclpluginflexfield;isssl2: 1
    orclpluginflexfield;host: host.domain.com
    orclpluginenable: 0
    orclpluginsecuredflexfield;walletpwd: welcome1
    orclpluginsecuredflexfield;walletpwd2: welcome
    orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com
    
    
  4. Create a new LDIF file from the output file as follows:

    1. Change the entry names. In the example shown in the previous step, you would change cn=oidexplg_compare_ad,cn=plugin,cn=subconfigsubentry to cn=oidexplg_compare_ad1,cn=plugin,cn=subconfigsubentry and cn=oidexplg_bind_ad,cn=plugin,cn=subconfigsubentry to cn=oidexplg_bind_ad1,cn=plugin,cn=subconfigsubentry.

    2. Change the value for orclpluginenable. Use value 1 if you want to enable it, and use value 0 if you want to disable it.

    3. Change the values for orclpluginflexfield;host and orclpluginflexfield;port for the external directory host name and port number.

    4. Change the value for orclpluginflexfield;isssl. Use value 1 to enable the SSL connection to the external directory, and value 0 to disable it. If you use value 1, you must also change the values of orclpluginflexfield;walletloc and orclpluginsecuredflexfield;walletpwd to the wallet location and password.

    5. Change orclpluginflexfield;isfailover. Use value 1 to set up failover to a backup external directory. If you use value 1, then you must also change the values of orclpluginflexfield;host2 and orclpluginflexfield;port2 to the host name and port number of the backup directory. To use an SSL connection to the backup directory server, you must also change the values of orclpluginflexfield;walletloc2 and orclpluginsecuredflexfield;walletpwd2.

    6. Modify orclpluginsubscriberdnlist for the plug-in invocation naming context.

    7. Modify orclPluginRequestGroup for the plug-in request group. If this attribute is missing from the search output, then add the attribute and value to the LDIF file.

  5. Add the modified plug-in configuration entries to the Oracle Internet Directory server. Use a command similar to the following:

    $ORACLE_HOME/ldap/bin/ldapadd -h host -p port -D cn=orcladmin \
         -w orcladminPwd -v -f input.ldif
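The edits in step 4 can be scripted. The following Python script is an added example, not an Oracle tool: it parses the LDIF captured in step 2 (including the folded orclpluginsubscriberdnlist value), applies the renaming and field changes listed in step 4 to every entry, adds orclPluginRequestGroup when the search output lacks it, and returns LDIF ready for the ldapadd in step 5. SAMPLE_LDIF is a constructed, abbreviated copy of the page's compare plug-in entry; the host name, wallet path, wallet password and request-group value in EXAMPLE_SETTINGS are placeholders, because the page does not show a request group value.

```python
# Constructed sample: an abbreviated copy of the page's compare plug-in entry,
# keeping the folded orclpluginsubscriberdnlist value (in LDIF a leading
# space continues the previous line).
SAMPLE_LDIF = """\
dn: cn=oidexplg_compare_ad,cn=plugin,cn=subconfigsubentry
cn: oidexplg_compare_ad
objectclass: orclPluginConfig
orclpluginldapoperation: ldapcompare
orclpluginflexfield;host: host.domain.com
orclpluginflexfield;port: 389
orclpluginflexfield;walletloc: /tmp
orclpluginflexfield;isssl: 0
orclpluginflexfield;isfailover: 0
orclpluginenable: 0
orclpluginsubscriberdnlist:
 cn=users,dc=us,dc=oracle,dc=com
"""

# Settings for the second domain; every value below is a made-up placeholder.
EXAMPLE_SETTINGS = {
    "enable": True, "host": "ad-emea.example.invalid", "port": 636,
    "isssl": True, "walletloc": "/PLACEHOLDER/wallet",
    "walletpwd": "WALLET_PASSWORD_PLACEHOLDER", "failover": False,
    "subscriberdnlist": "cn=users,dc=emea,dc=example,dc=invalid",
    "requestgroup": "REQUEST_GROUP_PLACEHOLDER",
}

# Spelling used when an attribute is absent from the search output and has to
# be added (the page notes this can happen for orclPluginRequestGroup).
CANONICAL_NAMES = {"orclpluginrequestgroup": "orclPluginRequestGroup"}


def parse_ldif(text):
    """LDIF text -> list of entries, each an ordered list of (name, value).
    A leading space folds a line into the previous value; a blank line ends an entry."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            name, value = current[-1]
            current[-1] = (name, value + raw[1:])
        elif not raw.strip():
            if current:
                entries.append(current)
                current = []
        elif ":" in raw:
            name, _, value = raw.partition(":")
            current.append((name.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries


def build_overrides(settings):
    """Lower-cased attribute name -> new value, following the step 4 list."""
    def flag(key):
        return "1" if settings.get(key) else "0"
    overrides = {
        "orclpluginenable": flag("enable"),
        "orclpluginflexfield;host": settings["host"],
        "orclpluginflexfield;port": str(settings["port"]),
        "orclpluginflexfield;isssl": flag("isssl"),
        "orclpluginflexfield;isfailover": flag("failover"),
        "orclpluginsubscriberdnlist": settings["subscriberdnlist"],
        "orclpluginrequestgroup": settings["requestgroup"],
    }
    if settings.get("isssl"):       # SSL to the primary directory needs a wallet
        overrides["orclpluginflexfield;walletloc"] = settings["walletloc"]
        overrides["orclpluginsecuredflexfield;walletpwd"] = settings["walletpwd"]
    if settings.get("failover"):    # backup directory, optionally over SSL
        overrides["orclpluginflexfield;host2"] = settings["host2"]
        overrides["orclpluginflexfield;port2"] = str(settings["port2"])
        overrides["orclpluginflexfield;isssl2"] = flag("isssl2")
        if settings.get("isssl2"):
            overrides["orclpluginflexfield;walletloc2"] = settings["walletloc2"]
            overrides["orclpluginsecuredflexfield;walletpwd2"] = settings["walletpwd2"]
    return overrides


def rewrite_entry(entry, suffix, overrides):
    """Copy one plug-in entry, renaming it with `suffix` and applying overrides."""
    pending, new = dict(overrides), []
    for name, value in entry:
        key = name.lower()
        if key == "dn":               # cn=oidexplg_x_ad,... -> cn=oidexplg_x_ad1,...
            rdn, _, rest = value.partition(",")
            value = f"{rdn}{suffix},{rest}"
        elif key == "cn":
            value += suffix
        elif key in pending:
            value = pending.pop(key)
        new.append((name, value))
    for key, value in pending.items():   # attributes the search output lacked
        new.append((CANONICAL_NAMES.get(key, key), value))
    return new


def to_ldif(entries):
    return "\n\n".join("\n".join(f"{n}: {v}" for n, v in e) for e in entries) + "\n"


def rewrite_ldif(text, suffix, settings):
    """Captured search output in, ldapadd-ready LDIF for the extra domain out."""
    overrides = build_overrides(settings)
    return to_ldif([rewrite_entry(e, suffix, overrides) for e in parse_ldif(text)])
```

Run rewrite_ldif(open("output.ldif").read(), "1", settings) and write the result to the input.ldif used in step 5; review the generated wallet password line before the file leaves the administrator's session.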