I recently had to integrate Oracle Internet Directory (OID) and Active Directory (AD). We used DIP (Directory Integration Platform) from OID to integrate with AD.
Following are the high level steps for the same.
1. Create the AD-OID synchronization profile and set up the synchronization.
2. Update the mapping rules for the attributes that are synced from AD to OID.
3. Bootstrap. This step brings all the users from AD into OID, applying the mapping rules created in step 2.
4. Enable the synchronization profile so that the ongoing sync from AD to OID works.
The detailed steps are as follows:
1. Create a container, for example an OracleUsers container, with the following LDIF and ldapadd command. The command has to be executed from the OID box:
ldapadd -h hostname -p 3060 -D cn=orcladmin -w password -f createContainer.ldif
File createContainer.ldif:
dn: cn=OracleUsers, cn=Users, dc=xxxxx,dc=net
objectclass: top
objectclass: orclContainer
cn: OracleUsers
pwdpolicysubentry: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=xxxx,dc=net
2. Modify the ACIs for the new container based on the ACIs of the cn=Users container.
a) Create the LDIF file by exporting the existing ACIs:
ldapsearch -h hostname -p 3060 -D "cn=orcladmin" -w password -b "cn=Users, dc=xxxxx,dc=net" -L -s base "objectclass=*" orclaci orclentrylevelaci > users_acis_orig.ldif
b) In the LDIF file, change the dn from "cn=Users, dc=xxxx, dc=net" to "cn=OracleUsers, cn=Users, dc=lacmta, dc=net", add "changetype: modify", and add an "add" operation for each of the two attributes orclaci and orclentrylevelaci.
c) Apply the modified file with ldapmodify:
ldapmodify -v -p 3060 -h hostname -D "cn=orcladmin" -w password -f users_acis_orig.ldif
3. Create an AD service account for the OID/DIP connection to AD, with read privilege on the AD container.
4. Check that the AD service account has read privilege on all users and attributes in the container to be synced.
5. Verification search, run as the service account:
ldapsearch -h ADhost.XXXXX.net -p 389 -D "oid_svc@XXXXX.net" -w Oracle2ad -b "OU=Users_General,DC=XXXXX,DC=net" objectclass=*
6. OID AD service account details:
dn: CN=SVC\, OID,OU=Users_General,DC=XXXXX,DC=net
userPrincipalName: oid_svc@XXXXX.net
Password: Oracle2ad
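Step 2b above can be scripted. As an added example (not from the original post), the function below takes the ldapsearch -L export of the cn=Users ACIs from step 2a and emits the changetype: modify LDIF for the new container; the orclaci values in the sample input are constructed, not the real cn=Users ACIs.

```python
# Added example (not from the original post): turn the ldapsearch -L export of the
# cn=Users ACIs (step 2a) into the changetype: modify LDIF for the new container
# (step 2b). The ACI values below are constructed samples, not real OID ACIs.
import re

SAMPLE_ACIS_LDIF = """\
dn: cn=Users, dc=xxxxx,dc=net
orclaci: access to entry by group="cn=OracleDASCreateUser,cn=Groups,cn=OracleContext,dc=xxxxx,dc=net"
  (browse,add)
orclaci: access to attr=(*) by group="cn=OracleDASEditUser,cn=Groups,cn=OracleContext,dc=xxxxx,dc=net" (read,write)
orclentrylevelaci: access to entry by * (browse,noadd,nodelete)
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def acis_to_modify_ldif(search_output, new_dn, attrs=("orclaci", "orclentrylevelaci")):
    """Same ACI values, new target DN, one 'add' operation per attribute."""
    values = {a: [] for a in attrs}
    for line in unfold_ldif(search_output):
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m and m.group(1).lower() in values:
            values[m.group(1).lower()].append(m.group(2))
    out = ["dn: " + new_dn, "changetype: modify"]
    for attr in attrs:
        if not values[attr]:
            continue  # attribute absent from the export; nothing to copy
        out.append("add: " + attr)
        out.extend(f"{attr}: {v}" for v in values[attr])
        out.append("-")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(acis_to_modify_ldif(SAMPLE_ACIS_LDIF, "cn=OracleUsers, cn=Users, dc=xxxxx,dc=net"))
```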
Creation of Synchronization Profile
1. Log in to the Oracle FMW console at http://oidhost:7001/em as the user weblogic.
2. Expand the domain and navigate to Identity and Access.
3. Select DIP.
4. From the DIP drop-down list select Administration and then Synchronization Profiles.
5. Using the navigation path, create a new DIP sync profile with the name AD2OID. Fill in the correct AD details.
6. Verify that the details are correct by clicking the Test Connection button.
7. Click OK (upper right corner) to create/save the profile.
8. Select the AD2OID profile and click Edit.
9. Navigate to the Filtering tab and enter the Source Matching Filter: searchfilter=physicalDeliveryOfficename=* as below (no single quotes). Enter the search filter appropriate for your case; in my case I had to pull the records that have a physicalDeliveryOfficeName value.
10. Click Test Filters to check for errors.
11. If no errors are found (check "Source Filter Validation Message -> Pass: No error"), continue.
12. Click OK.
Update Mapping Rule
1. Create a mapping file for the attributes which will be synced from AD to OID.
2. Sample mapping file:
# This file contains the sample map rules. There can be warnings as part of mapping rules validation.
# Please correct the map rules before putting them into production environment.
DomainRules
# %USERBASE%:%USERBASE%:
ou=Users_general,dc=XXXXX,dc=net: cn=OracleUsers,cn=users,dc=XXXXX,dc=net: cn=%, cn=OracleUsers,cn=users,dc=XXXXX,dc=net
###
AttributeRules
# attribute rule common to all objects
objectguid: :binary:top:orclobjectguid:string:orclADObject:bin2b64(objectguid)
ObjectSID: :binary:user:orclObjectSID:string:orclADObject:bin2b64(ObjectSID)
distinguishedName: : :top:orclSourceObjectDN: :orclADObject:
# sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname
# attribute rule for mapping Active Directory LOGIN id
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
# Map the userprincipalname to the nickname attr by default
# userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
# MTA - uid = M+physicalofficedelivery+sn
physicalDeliveryOfficeName,sn: : :user:uid: :inetorgperson:toUpper('M' + physicalDeliveryOfficeName) + sn
# MTA - cn
physicalDeliveryOfficeName,sn: : :user:cn: :person:toUpper('M'+ physicalDeliveryOfficeName) + sn
# Map the SamAccountName to the nickname attr if required
# If this rule is enabled, userprincipalname rule needs to be disabled
# sAMAccountName: : :user:uid: :inetorgperson
# Assign the userprincipalname to Kerberos principalname
## userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
userPrincipalName: : :user:krbPrincipalName: :orcluserv2
# This rule is mapped as SAMAccountName is a mandatory attr on AD
# and sn is mandatory on OID. sn is not mandatory on Active Directory
SAMAccountName: : :user:orclsamaccountname: : orcladuser:
sn: : :user:sn: : person:
# without which the PORTAL may not function properly
# The next rule shows any attribute of any objectclass can be mapped
# to different attribute of different objectclass so long as the
# schema and syntax are compatible.
displayName: : :user:displayName: :inetorgperson:
givenName: : :user:givenName: :inetorgperson:
## employeeID: : :user:employeeNumber: :inetOrgPerson:
physicalDeliveryOfficeName: : :user:employeeNumber: :inetOrgPerson:
# physicalDeliveryOfficeName: : :user:physicalDeliveryOfficeName: :organizationalPerson:
title: : :user:title: :organizationalPerson:
# mobile: : :organizationalperson:mobile: :inetorgperson:
telephonenumber: : :organizationalperson:telephonenumber: :inetorgperson:
# facsimileTelephoneNumber: : :organizationalperson:facsimileTelephoneNumber: :inetorgperson:
# l: : :user:l: :organizationalperson:
# mail needs to be assigned valid value for default settings in DAS
mail: : :user:mail: :inetorgperson:
# GROUP ENTRY MAPPING RULES
# cn: : :group:cn: :groupofuniquenames:
# displayname needs to be assigned a valid value for default settings on DAS
# SAMAccountName: : :group:displayName: :orclgroup:
# Description needs to be assigned a valid value for default settings on DAS
# Description: : :group:Description: :groupOfUniqueNames:
# member: : :group:uniquemember: :groupofUniqueNames:
# managedby: : :group:owner: :groupOfUniqueNames:
# sAMAccountName: : :group:orclSAMAccountName: :orclADGroup:
3. Copy the mapping file (AD2OID.map) to the OID server, to some location such as /home/oracle.
4. Execute the following command:
manageSyncProfiles update -h hostname -p 7005 -D weblogic -pf AD2OID -params "odip.profile.mapfile /home/oracle/AD/AD2OID.map"
5. Transcript of the session:
manageSyncProfiles update -h xXXXXXXX -p 7005 -D weblogic -pf AD2OID -params "odip.profile.mapfile /home/oracle/AD/AD2OID.map"
[Weblogic user password]
Connection parameters initialized.
Connecting at XXXXXXXx:7005, with userid "weblogic"..
Connected successfully.
Map rules "orclodipattributemappingrules" have the following warnings:
Attribute rule "5" has warning: Source attribute ''physicaldeliveryofficename'' is optional for a required destination attribute ''cn''
Attribute rule "5" has warning: Source attribute ''sn'' is optional for a required destination attribute ''cn''
Attribute rule "6" has warning: Expecting 8 fields; found 7
Assuming default attribute mapping rule.
Attribute rule "7" has warning: Source attribute ''samaccountname'' is optional for a required destination attribute ''orclsamaccountname''
Attribute rule "8" has warning: Source attribute ''sn'' is optional for a required destination attribute ''sn''.
Profile AD2OID successfully updated.
Validate Profile:
You can validate the AD-OID sync profile by executing the step below.
1. manageSyncProfiles validateProfile -h XXXXX -p 7005 -D weblogic -pf AD2OID
2. Transcript of the command from the environment:
[oracle@xxxxxxxx AD]$ manageSyncProfiles validateProfile -h xxxxxxxx -p 7005 -D weblogic -pf AD2OID
[Weblogic user password]
Connection parameters initialized.
Connecting at xxxxxxx:7005, with userid "weblogic"..
Connected successfully.
Profile AD2OID has following Error(s) and/or Warning(s):
Map rules "orclodipattributemappingrules" have the following warnings:
Attribute rule "5" has warning: Source attribute ''physicaldeliveryofficename'' is optional for a required destination attribute ''cn''
Attribute rule "5" has warning: Source attribute ''sn'' is optional for a required destination attribute ''cn''
Attribute rule "6" has warning: Expecting 8 fields; found 7
Assuming default attribute mapping rule.
Attribute rule "7" has warning: Source attribute ''samaccountname'' is optional for a required destination attribute ''orclsamaccountname''
Attribute rule "8" has warning: Source attribute ''sn'' is optional for a required destination attribute ''sn''.
3. Ignore the warnings.
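The warnings that both manageSyncProfiles update and validateProfile print come from two checks on the map file: the field count of each attribute rule, and a source attribute that is not marked required (the empty second field) feeding a destination attribute that is mandatory in its objectclass. The checker below is an added example, not Oracle's code; it reproduces both warning types for the sample mapping file above, with the 0-based rule numbering seen in the transcripts. The table of mandatory destination attributes is an assumption derived from the warnings on this page (DIP consults the OID schema).

```python
# Added example (not Oracle's code): a small checker for DIP map files that
# reproduces the warning types manageSyncProfiles printed above. The 8-field
# layout and the 0-based rule numbering follow the transcripts on this page.
MAP_FILE = """\
DomainRules
ou=Users_general,dc=XXXXX,dc=net: cn=OracleUsers,cn=users,dc=XXXXX,dc=net: cn=%, cn=OracleUsers,cn=users,dc=XXXXX,dc=net
###
AttributeRules
objectguid: :binary:top:orclobjectguid:string:orclADObject:bin2b64(objectguid)
ObjectSID: :binary:user:orclObjectSID:string:orclADObject:bin2b64(ObjectSID)
distinguishedName: : :top:orclSourceObjectDN: :orclADObject:
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
physicalDeliveryOfficeName,sn: : :user:uid: :inetorgperson:toUpper('M' + physicalDeliveryOfficeName) + sn
physicalDeliveryOfficeName,sn: : :user:cn: :person:toUpper('M'+ physicalDeliveryOfficeName) + sn
userPrincipalName: : :user:krbPrincipalName: :orcluserv2
SAMAccountName: : :user:orclsamaccountname: : orcladuser:
sn: : :user:sn: : person:
"""

# Mandatory destination attributes per objectclass. Assumption derived from the
# warnings on this page; the real check reads the OID schema.
REQUIRED = {"person": {"cn", "sn"}, "orcladuser": {"orclsamaccountname"}}

def parse_attribute_rules(text):
    """Return the non-comment lines of the AttributeRules section, in order."""
    rules, in_attr = [], False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s == "AttributeRules":
            in_attr = True
        elif in_attr:
            rules.append(s)
    return rules

def check_map_rules(text):
    """Warnings in the manageSyncProfiles wording; rule numbers are 0-based."""
    warnings = []
    for i, rule in enumerate(parse_attribute_rules(text)):
        # src_attrs:required:src_type:src_objectclass:dst_attr:dst_type:dst_objectclass:expression
        fields = [f.strip() for f in rule.split(":")]
        if len(fields) != 8:
            warnings.append(f'Attribute rule "{i}" has warning: Expecting 8 fields; found {len(fields)}')
            continue
        src_attrs, src_required, dst_attr, dst_oc = fields[0], fields[1], fields[4].lower(), fields[6].lower()
        if src_required or dst_attr not in REQUIRED.get(dst_oc, set()):
            continue  # source flagged required, or destination is optional: no warning
        for src in src_attrs.split(","):
            warnings.append(f'Attribute rule "{i}" has warning: Source attribute '
                            f"''{src.strip().lower()}'' is optional for a required destination attribute ''{dst_attr}''")
    return warnings
```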
Boot Strap
The steps below load all the users from AD into OID.
1. Log in to the OID box and execute the command below.
2. syncProfileBootstrap -host mtaoiddev003 -port 7005 -D weblogic -profile AD2OID_EBSID -lp 5
3. Transcript of the command from the dev environment:
[oracle@xxxxxxx AD]$ syncProfileBootstrap -host xxxxxxx -port 7005 -D weblogic -profile AD2OID -lp 5
[Weblogic user password]
Connection parameters initialized.
Connecting at xxxxxx:7005, with userid "weblogic"..
Connected successfully.
The bootstrap operation completed, the operation results are:
entries read in bootstrap operation: 7208
entries filtered in bootstrap operation: 0
entries ignored in bootstrap operation: 0
entries processed in bootstrap operation: 6187
entries failed in bootstrap operaton: 1021
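Before running the bootstrap it is worth dry-running the profile's source filter (physicalDeliveryOfficeName=*) and the uid/cn mapping rule over the AD data, since the domain rule builds every OID DN as cn=%,cn=OracleUsers,... and the cn rule derives that value from physicalDeliveryOfficeName and sn, so two users with the same derived cn would map to the same OID DN, and a user without sn cannot satisfy the mandatory sn on person. The example below is added here and is not part of the original post or of DIP; the AD entries are constructed, and the filtered/failed/processed split only approximates how the bootstrap counters classify entries.

```python
# Added example (not from the original post): dry-run the AD2OID source filter and
# the uid/cn map rule over constructed AD entries, classifying them roughly the way
# the bootstrap counters do and reporting derived uids that collide.
SAMPLE_AD_USERS = [  # constructed sample data, not real directory content
    {"sAMAccountName": "jsmith", "sn": "Smith", "physicalDeliveryOfficeName": "1234"},
    {"sAMAccountName": "asmith", "sn": "Smith", "physicalDeliveryOfficeName": "1234"},  # same uid as jsmith
    {"sAMAccountName": "bjones", "sn": "Jones", "physicalDeliveryOfficeName": "0077"},
    {"sAMAccountName": "svc_oid", "physicalDeliveryOfficeName": "0001"},               # no sn
    {"sAMAccountName": "contractor1", "sn": "Lee"},                                     # no office
]

def passes_source_filter(entry):
    """Profile filter from the Filtering tab: physicalDeliveryOfficeName=* (presence test)."""
    return bool(entry.get("physicalDeliveryOfficeName"))

def mapped_uid(entry):
    """Map rule: toUpper('M' + physicalDeliveryOfficeName) + sn; the cn rule uses the same expression."""
    return ("M" + entry["physicalDeliveryOfficeName"]).upper() + entry["sn"]

def preview_bootstrap(entries):
    """Approximate the bootstrap counters and list uid collisions (same OID DN via cn=%)."""
    result = {"read": len(entries), "filtered": 0, "failed": 0, "processed": 0, "collisions": []}
    first_owner = {}  # derived uid -> sAMAccountName that produced it first
    for e in entries:
        if not passes_source_filter(e):
            result["filtered"] += 1      # dropped by the source matching filter
            continue
        if not e.get("sn"):
            result["failed"] += 1        # sn is mandatory on person (rule 8's warning)
            continue
        uid = mapped_uid(e)
        if uid in first_owner:
            result["collisions"].append((uid, first_owner[uid], e["sAMAccountName"]))
        else:
            first_owner[uid] = e["sAMAccountName"]
        result["processed"] += 1
    return result

if __name__ == "__main__":
    print(preview_bootstrap(SAMPLE_AD_USERS))
```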